A forum for reverse engineering, OS internals and malware analysis 

Search found 384 matches


Re: SynAck ransomware

 by Tigzy ¦  Fri May 11, 2018 12:52 pm ¦  Forum: Completed Malware Requests ¦  Topic: SynAck ransomware ¦  Replies: 4 ¦  Views: 2270

Re: RogueKillerPE

 by Tigzy ¦  Tue Oct 03, 2017 6:54 am ¦  Forum: Tools/Software ¦  Topic: RogueKillerPE ¦  Replies: 5 ¦  Views: 22037

Version 2.0 is online.
V2.0.0 10/02/2017
=========================
- Updated EULA
- NEW! Dump RT_ICON as true image
- NEW! DLL characteristics as checkboxes
- NEW! Sections flags as checkboxes
- NEW! Dos Stub, Rich string
- Refactored dashboard
- NEW! Binary image
- Added VBA symbols table
- Added m...

Re: RogueKillerPE

 by Tigzy ¦  Wed Mar 15, 2017 3:55 pm ¦  Forum: Tools/Software ¦  Topic: RogueKillerPE ¦  Replies: 5 ¦  Views: 22037

Hello,
Just to notify you, the software has evolved A LOT.
New download link: http://www.adlice.com/download/roguekillerpe/

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by Tigzy ¦  Mon Jan 04, 2016 4:59 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 572003

I guess this is copy/paste of unicode characters... Will double check.
EDIT: This is from a text log, the RTL character is removed, so yeah the path might be a little bit different.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by Tigzy ¦  Mon Jan 04, 2016 4:28 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 572003

Persistence item after dropper installed (Windows XP):
[Suspicious.Path|VT.Trojan:Win32/Dynamer!ac] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce | !|29d1dda3786d78cb1d5da5cbc32bf1c0 : "C:\Documents and Settings\tigzy\Local Settings\Applicati...

Re: RogueKillerPE

 by Tigzy ¦  Wed Dec 23, 2015 2:11 pm ¦  Forum: Tools/Software ¦  Topic: RogueKillerPE ¦  Replies: 5 ¦  Views: 22037

Hey, thanks for the post and feedback :) @l0wlevel Our PE parser isn't new actually (even if RKPE is); we've been improving the engine for 4 years now as part of our SDK. RKPE sits on top of that mature SDK, so it should be pretty stable (of course we never know, and new bypass ways can show up). B...

Re: ATA pass through read

 by Tigzy ¦  Mon Jan 19, 2015 10:25 am ¦  Forum: User-Mode Development ¦  Topic: ATA pass through read ¦  Replies: 8 ¦  Views: 17989

An important thing I discovered: if the sector count is higher than 4096 bytes, *sometimes* (I haven't found why) the DeviceIOControl fails with error ERROR_NOACCESS. Looks like I'm not the only one to have the issue: https://social.msdn.microsoft.com/Forums/en-US/2ee6d62d-6fd5-40fe-8975-3a76cdd92be...

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

 by Tigzy ¦  Tue Jan 13, 2015 10:11 am ¦  Forum: Malware ¦  Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader) ¦  Replies: 83 ¦  Views: 118606

Yeah, already done. I also read this:
http://thestarman.narod.ru/asm/mbr/W7VBR.htm
http://thestarman.narod.ru/asm/mbr/NTFSBR.htm
http://thestarman.narod.ru/asm/mbr/VistaVBR.htm

I've seen that they are different across OSs.
I also forgot to mention: machines A and B are the same OS.

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

 by Tigzy ¦  Tue Jan 13, 2015 8:38 am ¦  Forum: Malware ¦  Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader) ¦  Replies: 83 ¦  Views: 118606

1) Why are you wasting your time on this crap? This legacy BIOS crap VBR IPL code is no longer used in modern OS and hardware, only volume geometry data.

I know I'm late, but it's mostly for educational purposes. Having it in my product is just a bonus.

2) What you are doing is unwise, because VBR ($Boot) contai...

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

 by Tigzy ¦  Mon Jan 12, 2015 5:57 pm ¦  Forum: Malware ¦  Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader) ¦  Replies: 83 ¦  Views: 118606

Assuming we have a Rovnix infection on a computer A, do you think it's safe to fix the VBR with a VBR taken from a computer B (same OS)?
If I had to fix it automatically, do you think I'd need a VBR copy for every OS?
