Dailydave mailing list archives

Re: VPC


From: Jared DeMott <demottja () msu edu>
Date: Thu, 21 Feb 2008 10:01:04 -0500

Dave Aitel wrote:
So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat
Federal, I learned the hard way that VPC moves memory all around and
your previously great universal addresses don't work. So you'll end up
trying really hard to find an address that defeats SafeSEH on 2003 SP0
in 15 minutes or less.

Also I notice there are a lot of companies doing automated Incident
Response or malware analysis now.

Zynamics' VxClass is obviously one of my favorites.
HBGary has retooled Inspector into a tool ("Responder") that can read
and analyze physical memory dumps.
Mandiant has their new tool out.
Norman had a SoftICE-looking sandbox-like thing on display.
There's another one called CWSandbox that has a free web form you can
send exe's to.
Actually Norman and CW both have a web interface.  However, I believe CW 
to be a bit better -- based on one case study of newer malware.  I just 
did some research and wrote a paper/created slides for a talk I'm giving 
at a local west Michigan sec group.  I put the slides up on my site if 
anyone would like to take a peek:
http://www.vdalabs.com/tools/malware.html

I'm relatively new to the malware scene, so I'd appreciate constructive 
feedback.
Cheers,
Jared
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave