A forum for reverse engineering, OS internals and malware analysis 

Search found 36 matches

 Go to advanced search

IDE For DDK

 by NOP ¦  Mon Jul 04, 2011 6:04 pm ¦  Forum: Kernel-Mode Development ¦  Topic: IDE For DDK ¦  Replies: 3 ¦  Views: 3542

Hi guys. Is there any way of getting the WinDDK working with Visual C++ 2010 Express? DDKWizard doesn't work with 2010 and VisualDDK says it can't find a file when installing(maybe due to it being the Express version?). Since I'm still a total noob with all this kernel mode stuff it would really hel...

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

 by NOP ¦  Wed Mar 30, 2011 4:27 pm ¦  Forum: Malware ¦  Topic: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik) ¦  Replies: 595 ¦  Views: 641517

@markusg: I don't think there is any point in posting the same repacked sample over and over. The last 2 files you posted are identical except slightly different (probably polymorphic) packer code.

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

 by NOP ¦  Wed Mar 30, 2011 3:11 pm ¦  Forum: Malware ¦  Topic: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik) ¦  Replies: 595 ¦  Views: 641517

@freyr: The easiest to to unpack the dropper is when you get to the decompression(aPlib?) code which is decrypted into some allocated memory, note the address after the MOV EDI, ... instruction. Then BP POPAD and go to that address you noted in a hex dump. Right click the hex dump and select backup ...

Re: Another ARK

 by NOP ¦  Fri Nov 05, 2010 3:53 pm ¦  Forum: Tools/Software ¦  Topic: Another ARK ¦  Replies: 14 ¦  Views: 17139

For some unknown reason they decided to pack it with Themida. Nobody is not interested in cracking/reversing such stuff. Nobody is interested in reversing/cracking licensed software? *cough* SnD *cough* :roll: 2010 10 28 Internet Download Manager 6.xx v0.2 keygen BytePlayeR Malwarebytes Anti-Malwar...

Re: GBOT - Crashes rKu

 by NOP ¦  Sun Oct 17, 2010 12:16 pm ¦  Forum: Malware ¦  Topic: Win32/Cycbot ¦  Replies: 16 ¦  Views: 14330

EP_X0FF wrote:The code I've changed wasn't changed since 2007.
Yeah that makes sense, I was using an older version when I first got the crash.

Win32/Cycbot

 by NOP ¦  Sat Oct 16, 2010 1:50 pm ¦  Forum: Malware ¦  Topic: Win32/Cycbot ¦  Replies: 16 ¦  Views: 14330

This sample crashes rKu when you do a code hook scan. I call it GBOT because of the internal PDB paths of the 3 dropped files, some AV's label it as a FakeAV.

http://i56.tinypic.com/9jhd3t.png

Re: Rogue antimalware (FakeAV, FakeAlert)

 by NOP ¦  Thu Oct 07, 2010 4:55 pm ¦  Forum: Malware ¦  Topic: Rogue Antimalware (FakeAV, 2010 year) ¦  Replies: 71 ¦  Views: 53897

Re: Device Driver Development for Beginners - Reloaded

 by NOP ¦  Wed Oct 06, 2010 5:01 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Device Driver Development for Beginners - Reloaded ¦  Replies: 24 ¦  Views: 107558

Great post! Its just a shame that DDKWizard isn't compatable with VC++ 2010. :cry:

Re: Win32/TrojanDropper.Microjoin.C

 by NOP ¦  Wed Sep 15, 2010 9:20 pm ¦  Forum: Malware ¦  Topic: Win32/TrojanDropper.Microjoin.C ¦  Replies: 1 ¦  Views: 3471

This is packed with Mystic Compressor. http://i56.tinypic.com/2py2jo3.jpg A MicroJoined file has been seen packed with that before. http://blog.novirusthanks.org/2010/01/unpacking-mystic-compressor-used-to-pack-rogue-software/ PS: You should learn not to call things like this exploits, since it is n...

Re: Badly detected malware driver

 by NOP ¦  Tue Aug 31, 2010 1:27 pm ¦  Forum: Malware ¦  Topic: Backdoor:Win32/Atadommoc.B ¦  Replies: 4 ¦  Views: 5120

xqrzd wrote:Maybe it detected my VM?
It can detect VM's.
Code: Select all
VIRTUALBOX..VideoBiosVersion....HARDWARE\DESCRIPTION\System.\\.\PhysicalDrive%d.VIRTUAL.VBOX....VMWARE..QEMU
It also tries to detect Sandboxie, CWSandbox(which always loads pstorec.dll) and Wireshark.
Code: Select all
SbieDll.dll.pstorec.dll.wireshark.exe