A forum for reverse engineering, OS internals and malware analysis 


Re: Why use FltReadFile in miniFilter will cause system slow

 by ithurricane ¦  Thu Feb 16, 2017 2:53 am ¦  Forum: Kernel-Mode Development ¦  Topic: Why use FltReadFile in miniFilter will cause system slowly? ¦  Replies: 1 ¦  Views: 9384

I found the reason:
it seems FLTFL_IO_OPERATION_NON_CACHED affects performance.

Why use FltReadFile in miniFilter will cause system slowly?

 by ithurricane ¦  Thu Feb 09, 2017 5:22 am ¦  Forum: Kernel-Mode Development ¦  Topic: Why use FltReadFile in miniFilter will cause system slowly? ¦  Replies: 1 ¦  Views: 9384

Hi there, I use FltReadFile in a miniFilter at PostCreate, and sometimes it makes the system very slow. status = FltReadFile( Instance, FileObject, &offset, length, buffer, FLTFL_IO_OPERATION_NON_CACHED | FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET, &bytesRead, NULL, NULL ); the same as Windows-driver-samples\f...

sample request for CVE-2015-6172 BadWinmail

 by ithurricane ¦  Tue Dec 29, 2015 11:37 am ¦  Forum: Completed Malware Requests ¦  Topic: sample request for CVE-2015-6172 BadWinmail ¦  Replies: 1 ¦  Views: 2495

Hi, I'm looking for md5 fab9cfbc629fb3c3eb541fdaf8169ee1 https://www.virustotal.com/en/file/588976379922cde55a06eecfa195cf8ff182193308c1a34ca8c16f15a41cb537/analysis/ md5 20e184a415cd71eee1cea83df262f814 https://www.virustotal.com/en/file/59b068bff97d4042c6741c6c14cc206a87291d095f8b5380e4fdf3ea75202...

Re: I'm looking for the sample of Emdivi RAT

 by ithurricane ¦  Wed Jul 01, 2015 6:40 am ¦  Forum: Completed Malware Requests ¦  Topic: I'm looking for the sample of Emdivi RAT ¦  Replies: 3 ¦  Views: 4833

Thank you very much!

I'm looking for the sample of Emdivi RAT

 by ithurricane ¦  Wed Jul 01, 2015 2:24 am ¦  Forum: Completed Malware Requests ¦  Topic: I'm looking for the sample of Emdivi RAT ¦  Replies: 3 ¦  Views: 4833

Hi, I'm looking for the sample of Emdivi RAT MD5: b4b1e15c0d92706ed813e0f3f71287d3 https://www.virustotal.com/en/file/5e3ec0d77c21fc20811590ad6e34ad2726c48b3926c5e839e58969fa84886002/analysis/ 3b2b36edbf2934c7a872e32c5bfcde2a https://www.virustotal.com/en/file/8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079...

Re: Adware.Variant.Kazy

 by ithurricane ¦  Mon May 25, 2015 1:03 am ¦  Forum: Malware ¦  Topic: TrojanSpy/Injector ¦  Replies: 5 ¦  Views: 5752

It looks like some Zbot variant. The autorun entry gets written to HKCU\Software\Microsoft\Windows\CurrentVersion\Run Play with it a bit more to discover how and when the entry gets written ;) Thank you for your answer. Maybe when the OS shuts down, it is written to HKCU\Software\Microsoft\Windows\CurrentVe...

TrojanSpy/Injector

 by ithurricane ¦  Sat May 23, 2015 7:09 am ¦  Forum: Malware ¦  Topic: TrojanSpy/Injector ¦  Replies: 5 ¦  Views: 5752

The virus on VT: https://www.virustotal.com/en/file/8f35f6f780acccfb406b918db6ef01111dd2c5200a16e97f25d35f76e2532e6d/analysis/1432362743/ The virus injects into many processes, like this: http://oi62.tinypic.com/e1esdt.jpg but I can't find how it autostarts. When the OS is restarted, it starts itself via explorer.exe...

Re: Win32/Poweliks

 by ithurricane ¦  Wed Nov 19, 2014 2:59 am ¦  Forum: Malware ¦  Topic: Win32/Poweliks ¦  Replies: 36 ¦  Views: 110089

POWELIKS Levels Up With New Autostart Mechanism

http://blog.trendmicro.com/trendlabs-se ... mechanism/

Re: Ransomware infecting user32.dll

 by ithurricane ¦  Mon Sep 01, 2014 7:05 am ¦  Forum: Completed Malware Requests ¦  Topic: Ransomware infecting user32.dll ¦  Replies: 3 ¦  Views: 3036

raiden wrote: in attachment:

https://www.virustotal.com/en/file/3af4 ... /analysis/
Thanx!
13E418BF18B03AC80580DB69ADA305A2B7093DFED00692DCF91A99D2526D3A73
is a new variant, can you upload it?

Ransomware infecting user32.dll

 by ithurricane ¦  Mon Sep 01, 2014 5:50 am ¦  Forum: Completed Malware Requests ¦  Topic: Ransomware infecting user32.dll ¦  Replies: 3 ¦  Views: 3036

Hello, I'm looking for a particular sample of a) infected user32.dll b) MD5 3AF4FA2BFFAAB37FD557AE8146AE0A29BA0FAF6D99AD8A1A8D5BF598AC9A23D1 3A061EE07D87A6BB13E613E000E9F685CBFFB96BD7024A9E7B4CB0BE9A4AF38C 7DD93123078B383EC179C4C381F9119F4EAC4EFB287FE8F538A82E7336DFA4CA 13E418BF18B03AC80580DB69ADA305A...