RE: Malicious Code Analysis

["mike king" <ngiles () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for all the feedback. I have always taken the poor mans
approach to this since its not really my job, but a fun hobby on
the side.

regards mike

On Fri, 05 Aug 2005 02:49:49 -0700 Peter Kruse <pkr () csis dk> wrote:
> Hey,
>
> > These were not submitted to any AV vendors since Norton did
> > flag them. In the past I have submitted unknown trojans/
> > viruses like these to Symantec when clients have been owned,
> > but what can I say they are hardly 0day more like 300 day.
>
> 8-)
>
> > http://www.bitsum.com/pec2.asp
>
> Yes, I already have this tool in my box. Pretty useful for first
> glance.
>
> > Could you share your methodology on how you go about reverse
> > engineering/ disassembling a malicious piece of code that has
> > had a packer ran on it?
>
> There are many off-the self unpackers out there that will do the
> job just
> fine, but lately malware writters rather modify or use
> enhanced/hacked
> version of popular PE-packers. Either way a compressed binary will

> have to
> uncompress itself using the compressor stub in order to run. In
> order to
> unpack look for the call that jumps from the stub to unpacked
> code. When the
> jmp address is located modify so the jmp goes to esi. This will
> put the code
> in a loop. Next procdump.
>
> There are plenty of good tutorials. One of these are associated
> with IDA:
> http://www.datarescue.com/idabase/unpack_pe/
>
> I hope this helps you getting started.
>
> Regards
> Peter Kruse
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkLzNy8ACgkQUjm7xSZSd8GYjACeIoBxJOXEqi4omXslFRpJRGF7Vw0A
n3tB9zvUITpeklmYRUG0GQN8Gxjs
=rUI8
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/