Search found 384 matches

by Tigzy
Tue Oct 03, 2017 6:54 am
Forum: Tools/Software
Topic: RogueKillerPE
Replies: 5
Views: 21841

Re: RogueKillerPE

Version 2.0 is online.

V2.0.0 10/02/2017
=========================
- Updated EULA
- NEW! Dump RT_ICON as true image
- NEW! DLL characteristics as checkboxes
- NEW! Sections flags as checkboxes
- NEW! Dos Stub, Rich string
- Refactored dashboard
- NEW! Binary image
- Added VBA symbols table
- Added m...
by Tigzy
Wed Mar 15, 2017 3:55 pm
Forum: Tools/Software
Topic: RogueKillerPE
Replies: 5
Views: 21841

Re: RogueKillerPE

Hello,
Just to notify you, the soft has evolved A LOT.
New download link: http://www.adlice.com/download/roguekillerpe/
by Tigzy
Mon Jan 04, 2016 4:59 pm
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 570612

Re: ZeroAccess (alias MaxPlus, Sirefef)

I guess this is copy/paste of unicode characters... Will double check.
EDIT: This is from a text log, the RTL character is removed, so yeah the path might be a little bit different.
by Tigzy
Mon Jan 04, 2016 4:28 pm
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 570612

Re: ZeroAccess (alias MaxPlus, Sirefef)

Persistence item after dropper installed (Windows XP) [Suspicious.Path|VT.Trojan:Win32/Dynamer!ac] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce | !|29d1dda3786d78cb1d5da5cbc32bf1c0 : "C:\Documents and Settings\tigzy\Local Settings\Applicati...
by Tigzy
Wed Dec 23, 2015 2:11 pm
Forum: Tools/Software
Topic: RogueKillerPE
Replies: 5
Views: 21841

Re: RogueKillerPE

Hey, thanks for the post, and feedback :) @l0wlevel Our PE parser isn't new actually (even if RKPE is), we've been improving the engine for 4 years now as part of our SDK. RKPE sits on top of that mature SDK, so it should be pretty stable (of course we never know, and new bypass ways can show up). B...
by Tigzy
Mon Jan 19, 2015 10:25 am
Forum: User-Mode Development
Topic: ATA pass through read
Replies: 8
Views: 17918

Re: ATA pass through read

An important thing I discovered: if the sector count is higher than 4096 bytes, *sometimes* (I haven't found why) the DeviceIOControl fails with error ERROR_NOACCESS. Looks like I'm not the only one to have the issue: https://social.msdn.microsoft.com/Forums/en-US/2ee6d62d-6fd5-40fe-8975-3a76cdd92be...
by Tigzy
Tue Jan 13, 2015 10:11 am
Forum: Malware
Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)
Replies: 83
Views: 118207

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Yeah, already done. I also read this:
http://thestarman.narod.ru/asm/mbr/W7VBR.htm
http://thestarman.narod.ru/asm/mbr/NTFSBR.htm
http://thestarman.narod.ru/asm/mbr/VistaVBR.htm

I've seen they are different across OSs.
I also forgot to mention: machines A and B are the same OS.
by Tigzy
Tue Jan 13, 2015 8:38 am
Forum: Malware
Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)
Replies: 83
Views: 118207

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

1) Why are you wasting your time on this crap? This legacy BIOS crap VBR IPL code is no longer used in modern OS and hardware, only volume geometry data.

I know I'm late, but it's mostly for educational purposes. Having it in my product is just a bonus.

2) What you are doing is unwise, because VBR ($Boot) contai...
by Tigzy
Mon Jan 12, 2015 5:57 pm
Forum: Malware
Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)
Replies: 83
Views: 118207

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Assuming we have a Rovnix infection on computer A, do you think it's safe to fix the VBR with a VBR taken from computer B (same OS)?
If I had to fix it automatically, do you think I'd need a VBR copy for every OS?