RE: [Full-disclosure] Malicious Code Analysis
From: Peter Kruse (krusekrusesecurity.dk)
Date: Fri Aug 05 2005 - 05:00:19 CDT
> These were not submitted to any AV vendors since Norton did flag them.
> In the past I have submitted unknown trojans/viruses like these to
> Symantec when clients have been owned, but what can I say, they are
> hardly 0day, more like 300 day.
Yes, I already have this tool in my box. Pretty useful for a first glance.
> Could you share your methodology on how you go about reverse
> engineering/ disassembling a malicious piece of code that has had a
> packer ran on it?
There are many off-the-shelf unpackers out there that will do the job just
fine, but lately malware writers would rather modify or use enhanced/hacked
versions of popular PE-packers.
Either way, a compressed binary will have to uncompress itself using the
compressor stub in order to run. To unpack the code, look for the call that
jumps from the stub to the unpacked code. When the jmp address is located,
modify it so the jmp goes to esi. This will put the code in a loop.
Next up: procdump.
There are plenty of good tutorials. One of these is associated with IDA:
I hope this helps you get started.
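The three steps Peter describes (find the stub's hand-off jump to the unpacked code, turn it into a self-loop so the process sits there fully unpacked, dump and fix the entry point) as an added worked example. This is not code from the post or from any unpacker; it builds a constructed PE32 image in memory whose stub ends in an `E9` jmp to a made-up OEP, locates that jump by scanning the stub section for a rel32 jump whose target leaves the section, patches it to the two-byte `jmp $` (`EB FE`) form of the self-loop, and then rewrites `AddressOfEntryPoint` the way you would on the dumped image. All RVAs, the stub bytes and the section layout are assumptions made for the example.

```python
"""Added example: tail-jump-to-loop unpacking on a constructed PE32 image."""
import struct

IMAGE_BASE = 0x400000
STUB_RVA = 0x5000   # constructed: where the packer stub section is mapped
OEP_RVA = 0x1200    # constructed: original entry point in the unpacked region


def build_sample_pe():
    """Constructed PE32: UPX0 (empty in file, filled at runtime) + UPX1 (stub)."""
    body = (b"\x60"                                            # pushad
            + b"\xBE" + struct.pack("<I", IMAGE_BASE + 0x5100)  # mov esi, packed blob
            + b"\xBF" + struct.pack("<I", IMAGE_BASE + 0x1000)  # mov edi, unpack target
            + b"\xB9" + struct.pack("<I", 0x100)                # mov ecx, length
            + b"\xF3\xA4"                                       # rep movsb (stand-in decompressor)
            + b"\x61")                                          # popad
    jmp_rva = STUB_RVA + len(body)
    stub = body + b"\xE9" + struct.pack("<i", OEP_RVA - (jmp_rva + 5))  # jmp OEP
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0x200, 0, 0x4000,
                      STUB_RVA, STUB_RVA, 0x1000, IMAGE_BASE, 0x1000, 0x200)

    def sec(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr,
                           0, 0, 0, 0, chars)
    secs = (sec(b"UPX0", 0x4000, 0x1000, 0, 0, 0xE0000080)
            + sec(b"UPX1", 0x1000, STUB_RVA, 0x200, 0x200, 0xE0000040))
    header = (dos + coff + opt.ljust(0xE0, b"\0") + secs).ljust(0x200, b"\0")
    return header + stub.ljust(0x200, b"\0")


def parse_pe(data):
    """Return (e_lfanew, entry RVA, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return e_lfanew, entry, sections


def section_for(sections, rva):
    for s in sections:
        if s[1] <= rva < s[1] + max(s[2], s[4]):
            return s
    return None


def rva_to_offset(sections, rva):
    s = section_for(sections, rva)
    if s is None or rva - s[1] >= s[4]:
        raise ValueError("RVA %#x is not backed by file data" % rva)
    return s[3] + (rva - s[1])


def find_tail_jump(data, sections, entry_rva):
    """Byte-scan the stub section for an E9 rel32 whose target leaves the section.
    A quick heuristic, not a disassembly: immediates can contain 0xE9 by chance,
    so sanity-check the target (e.g. it should land in a code section)."""
    stub = section_for(sections, entry_rva)
    for i in range(rva_to_offset(sections, entry_rva), stub[3] + stub[4] - 4):
        if data[i] != 0xE9:
            continue
        rel = struct.unpack_from("<i", data, i + 1)[0]
        rva = stub[1] + (i - stub[3])
        target = (rva + 5 + rel) & 0xFFFFFFFF
        if not (stub[1] <= target < stub[1] + max(stub[2], stub[4])):
            return rva, target
    return None


def patch_to_loop(data, sections, jmp_rva):
    """Overwrite the hand-off jump with EB FE (jmp $): the stub still unpacks,
    then spins here instead of reaching the OEP, leaving the image resident
    for a process dump."""
    patched = bytearray(data)
    off = rva_to_offset(sections, jmp_rva)
    patched[off:off + 2] = b"\xEB\xFE"
    return bytes(patched)


def set_entry_point(data, e_lfanew, oep_rva):
    """On the dumped image: point AddressOfEntryPoint at the OEP, not the stub."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, e_lfanew + 24 + 16, oep_rva)
    return bytes(patched)


def demo():
    data = build_sample_pe()
    e_lfanew, entry, sections = parse_pe(data)
    jmp_rva, oep = find_tail_jump(data, sections, entry)
    patched = patch_to_loop(data, sections, jmp_rva)
    off = rva_to_offset(sections, jmp_rva)
    fixed = set_entry_point(patched, e_lfanew, oep)
    return {"entry": entry, "jmp_rva": jmp_rva, "oep": oep,
            "loop_bytes": patched[off:off + 2],
            "after_patch": find_tail_jump(patched, sections, entry),
            "fixed_entry": parse_pe(fixed)[1]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, hex(v) if isinstance(v, int) else v)
```

On a real sample the byte scan is only a starting point: stubs that end in `push OEP; ret` or `jmp esi`, or that relocate their own tail, need a debugger or a disassembler to confirm the hand-off. Once the looping process has been dumped, the dump still has the packer's section table and a broken import table; fixing the entry point, as above, is the first of those repairs, not the last.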
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/