Search found 36 matches

by NOP
Mon Jul 04, 2011 6:04 pm
Forum: Kernel-Mode Development
Topic: IDE For DDK
Replies: 3
Views: 3454

IDE For DDK

Hi guys. Is there any way of getting the WinDDK working with Visual C++ 2010 Express? DDKWizard doesn't work with 2010 and VisualDDK says it can't find a file when installing (maybe due to it being the Express version?). Since I'm still a total noob with all this kernel mode stuff it would really hel...
by NOP
Wed Mar 30, 2011 4:27 pm
Forum: Malware
Topic: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)
Replies: 595
Views: 633461

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

@markusg: I don't think there is any point in posting the same repacked sample over and over. The last 2 files you posted are identical except slightly different (probably polymorphic) packer code.
by NOP
Wed Mar 30, 2011 3:11 pm
Forum: Malware
Topic: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)
Replies: 595
Views: 633461

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

@freyr: The easiest way to unpack the dropper is when you get to the decompression (aPlib?) code which is decrypted into some allocated memory, note the address after the MOV EDI, ... instruction. Then BP POPAD and go to that address you noted in a hex dump. Right click the hex dump and select backup ...
by NOP
Fri Nov 05, 2010 3:53 pm
Forum: Tools/Software
Topic: Another ARK
Replies: 14
Views: 16897

Re: Another ARK

For some unknown reason they decided to pack it with Themida. Nobody is not interested in cracking/reversing such stuff. Nobody is interested in reversing/cracking licensed software? *cough* SnD *cough* :roll: 2010 10 28 Internet Download Manager 6.xx v0.2 keygen BytePlayeR Malwarebytes Anti-Malwar...
by NOP
Sun Oct 17, 2010 12:16 pm
Forum: Malware
Topic: Win32/Cycbot
Replies: 16
Views: 14021

Re: GBOT - Crashes rKu

EP_X0FF wrote: The code I've changed wasn't changed since 2007.
Yeah that makes sense, I was using an older version when I first got the crash.
by NOP
Sat Oct 16, 2010 1:50 pm
Forum: Malware
Topic: Win32/Cycbot
Replies: 16
Views: 14021

Win32/Cycbot

This sample crashes rKu when you do a code hook scan. I call it GBOT because of the internal PDB paths of the 3 dropped files; some AVs label it as a FakeAV.

http://i56.tinypic.com/9jhd3t.png
by NOP
Wed Oct 06, 2010 5:01 pm
Forum: Kernel-Mode Development
Topic: Device Driver Development for Beginners - Reloaded
Replies: 24
Views: 103479

Re: Device Driver Development for Beginners - Reloaded

Great post! It's just a shame that DDKWizard isn't compatible with VC++ 2010. :cry:
by NOP
Wed Sep 15, 2010 9:20 pm
Forum: Malware
Topic: Win32/TrojanDropper.Microjoin.C
Replies: 1
Views: 3356

Re: Win32/TrojanDropper.Microjoin.C

This is packed with Mystic Compressor. http://i56.tinypic.com/2py2jo3.jpg A MicroJoined file has been seen packed with that before. http://blog.novirusthanks.org/2010/01/unpacking-mystic-compressor-used-to-pack-rogue-software/ PS: You should learn not to call things like this exploits, since it is n...
by NOP
Tue Aug 31, 2010 1:27 pm
Forum: Malware
Topic: Backdoor:Win32/Atadommoc.B
Replies: 4
Views: 4993

Re: Badly detected malware driver

xqrzd wrote: Maybe it detected my VM?
It can detect VMs.

Code:

VIRTUALBOX..VideoBiosVersion....HARDWARE\DESCRIPTION\System.\\.\PhysicalDrive%d.VIRTUAL.VBOX....VMWARE..QEMU
It also tries to detect Sandboxie, CWSandbox (which always loads pstorec.dll) and Wireshark.

Code:

SbieDll.dll.pstorec.dll.wireshark.exe