Full Disclosure mailing list archives
RE: Malicious Code Analysis
From: "mike king" <ngiles () hushmail com>
Date: Fri, 5 Aug 2005 03:04:06 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for all the feedback. I have always taken the poor man's approach to this since it's not really my job, but a fun hobby on the side.

regards
mike

On Fri, 05 Aug 2005 02:49:49 -0700 Peter Kruse <pkr () csis dk> wrote:

> Hey,
>
>> These were not submitted to any AV vendors since Norton did flag them. In the past I have submitted unknown trojans/viruses like these to Symantec when clients have been owned, but what can I say, they are hardly 0day, more like 300 day. 8-)
>>
>>> http://www.bitsum.com/pec2.asp
>>
>> Yes, I already have this tool in my box. Pretty useful for first glance.
>>
>> Could you share your methodology on how you go about reverse engineering/disassembling a malicious piece of code that has had a packer run on it?
>
> There are many off-the-shelf unpackers out there that will do the job just fine, but lately malware writers rather modify or use enhanced/hacked versions of popular PE-packers. Either way a compressed binary will have to uncompress itself using the compressor stub in order to run. In order to unpack, look for the call that jumps from the stub to unpacked code. When the jmp address is located, modify it so the jmp goes to esi. This will put the code in a loop. Next procdump. There are plenty of good tutorials. One of these is associated with IDA: http://www.datarescue.com/idabase/unpack_pe/
>
> I hope this helps you get started.
>
> Regards
> Peter Kruse

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkLzNy8ACgkQUjm7xSZSd8GYjACeIoBxJOXEqi4omXslFRpJRGF7Vw0A
n3tB9zvUITpeklmYRUG0GQN8Gxjs
=rUI8
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
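Peter's answer above rests on one fact: a packed binary must carry its own decompression stub and, at run time, jump from that stub into the code it just unpacked. The script below is an added example written for this archive page (it is not code from the thread, from IDA, from ProcDump or from the PECompact tool linked above) showing the defender-side counterpart of that fact: the static traces a stub-plus-compressed-payload layout leaves in the PE section table, namely an entry point inside a high-entropy section, sections that are both writable and executable, and an empty section reserved for the unpacked image. The two sample images, the 7.0 bits/byte entropy cut-off and the two-findings rule are constructed assumptions for the demonstration, not figures from the thread.

```python
"""Static triage of a PE image for packer indicators (added example, not from the thread).

A packer keeps the real code compressed until run time and starts execution in a
small stub, so the image tends to show an entry point in a high-entropy section,
writable+executable sections, and an empty section reserved for the unpacked code.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # bits/byte; heuristic cut-off chosen here, compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) read from the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]    # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        name, vsize, rva, raw_size, raw_off, flags = f[0], f[1], f[2], f[3], f[4], f[9]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "vsize": vsize, "flags": flags,
                         "raw": image[raw_off:raw_off + raw_size]})
    return entry_rva, sections


def triage(image: bytes) -> dict:
    """List packer indicators; 'packed_likely' requires at least two independent ones."""
    entry_rva, sections = parse_sections(image)
    findings, entry_section = [], None
    for s in sections:
        entropy = shannon_entropy(s["raw"])
        span = max(s["vsize"], len(s["raw"]))
        if s["rva"] <= entry_rva < s["rva"] + span:
            entry_section = s["name"]
            if entropy > ENTROPY_THRESHOLD:
                findings.append(f"entry point in high-entropy section {s['name']} ({entropy:.2f} bits/byte)")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
        if not s["raw"] and s["vsize"] and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} has no file data but reserves {s['vsize']:#x} bytes in memory")
    return {"entry_section": entry_section, "findings": findings, "packed_likely": len(findings) >= 2}


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image from (name, rva, vsize, raw_bytes, flags) tuples (test input only)."""
    headers_len = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table, body, raw_off = b"", b"", headers_len
    for name, rva, vsize, raw, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, rva, len(raw),
                             raw_off if raw else 0, 0, 0, 0, 0, flags)
        body += raw
        raw_off += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = RX | IMAGE_SCN_MEM_WRITE

# Constructed unpacked-looking image: entry in a low-entropy, read/execute .text.
CLEAN = build_pe([(b".text", 0x1000, 0x1000, b"\x55\x8b\xec\x83\xec\x10" * 600, RX),
                  (b".data", 0x2000, 0x1000, b"\0" * 1024, RW)], entry_rva=0x1000)

# Constructed packed-looking image: empty RWX section for the unpacked code,
# entry point inside a high-entropy RWX section holding stub plus payload.
PACKED = build_pe([(b".text", 0x1000, 0x8000, b"", RWX),
                   (b".pack", 0x9000, 0x2000, pseudo_random(4096, b"constructed"), RWX)],
                  entry_rva=0x9A00)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("packed", PACKED)):
        result = triage(image)
        print(f"{label}: entry in {result['entry_section']}, packed_likely={result['packed_likely']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run directly it prints the findings for both constructed images; feeding the bytes of a real file to triage() gives the same report. High entropy on its own is not proof of packing (installers with embedded archives and resource-heavy binaries also score near 8.0), which is why the script only calls an image packed when two independent indicators agree; it is a first-glance filter of the kind the PECompact/PEiD-style tools in the thread provide, not a substitute for the dynamic unpacking Peter describes.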
Current thread:
- Malicious Code Analysis M4ch3T3 Hax (Aug 04)
- Re: Malicious Code Analysis Dunceor . (Aug 05)
- Re: Malicious Code Analysis Ty Bodell (Aug 05)
- Re: Malicious Code Analysis Willem Koenings (Aug 05)
- <Possible follow-ups>
- Re: Malicious Code Analysis mike king (Aug 04)
- RE: Malicious Code Analysis Peter Kruse (Aug 05)
- RE: Malicious Code Analysis mike king (Aug 05)
- RE: Malicious Code Analysis Peter Kruse (Aug 05)
- RE: Malicious Code Analysis mike king (Aug 05)
- Re: Malicious Code Analysis Willem Koenings (Aug 05)