A forum for reverse engineering, OS internals and malware analysis 


Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

 by rinn ¦  Fri Sep 02, 2016 7:36 pm ¦  Forum: Tools/Software ¦  Topic: VBoxAntiVMDetectHardened mitigation X64 only ¦  Replies: 249 ¦  Views: 1747612

Hello. You may try rebuilding the ACPI table to remove BAT0 from it. At your own risk :) I'm unsure how exactly the battery presence fact can be used to identify a VM. Best Regards, -rin Thanks! Is there any way to block access to a battery for VM? My virtual machine is running on the laptop, and I see that it h...

Re: UACMe - Defeating Windows User Account Control

 by rinn ¦  Thu Jun 23, 2016 4:11 am ¦  Forum: Tools/Software ¦  Topic: UACMe - Defeating Windows User Account Control ¦  Replies: 136 ¦  Views: 440846

Hi. I would also suggest: a) deny write access to the %systemroot%\system32\inetsrv folder for anyone except TrustedInstaller, or harden InetMgr.exe to load all of its dependencies from system32. This will disable UACMe method #19 and disallow InetMgr.exe dll hijacking. b) detect multiple elevation attemp...

Re: VBoxAntiVMDetectHardened mitigation X64 only (07/01/16)

 by rinn ¦  Tue Jan 26, 2016 5:40 am ¦  Forum: Tools/Software ¦  Topic: VBoxAntiVMDetectHardened mitigation X64 only ¦  Replies: 249 ¦  Views: 1747612

Hello,
dsefix embedded in this vbox loader, you don't need to use it twice.

Best Regards,
-rin

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by rinn ¦  Fri Jan 08, 2016 7:27 am ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 571122

Hello. Despite this "11) AntiMSE/WindowsDefender code completely removed" (well, actually a lot of code was removed too), several Microsoft services are still stopped and removed by the dropper. if ( !result ) { result = OpenSCManagerW(0, 0, 0xF003Fu); v2 = result; if ( result ) { v3 = OpenServiceW(result, L"mpssvc",...

Re: Happy New Year :)

 by rinn ¦  Sun Jan 03, 2016 4:01 pm ¦  Forum: General Discussion ¦  Topic: Happy New Year :) ¦  Replies: 15 ¦  Views: 25430

Happy New Year :-)

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

 by rinn ¦  Sun Jan 03, 2016 4:00 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 571122

Hi.

NtOpenFile ( ... GENERIC_ALL ...), NtSetInformationFile(... FileRenameInformation ...); NtClose; - Shift+Del :) Also, closing its handles inside svchost.exe results in a delayed reboot.

Best Regards,
-rin

Re: Win32/Xswkit (alias Gootkit)

 by rinn ¦  Sat Apr 11, 2015 12:54 pm ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123405

Hello, EP_X0FF. Just did a quick look at that exe, seems reproducible. Should we again try to recover it? :) If only it could work on Win10... int __fastcall sub_102DE7(int a1, int a2, int a3) { int v3; // ebx@1 int v4; // esi@1 int v5; // edi@1 char v6; // al@2 int result; // eax@4 void *v8; // ea...

Re: UACMe - Defeating Windows User Account Control

 by rinn ¦  Sun Mar 29, 2015 5:13 am ¦  Forum: Tools/Software ¦  Topic: UACMe - Defeating Windows User Account Control ¦  Replies: 136 ¦  Views: 440846

@EP_X0FF

You should definitely try this method :) Along with looking at the APPINFO.DLL whitelist.

Re: WinNT/Simda

 by rinn ¦  Thu Jan 15, 2015 6:45 am ¦  Forum: Malware ¦  Topic: WinNT/Simda ¦  Replies: 43 ¦  Views: 57390

Hello.

Just to mention - the memory allocated for the SDDL string after the ISecurityEditor->GetSecurity call must be freed with LocalFree when the pps variable is no longer needed. So for your usage, extend the shellcode to include LocalFree and use it.

Best Regards,
-rin

Re: Win32/Xswkit (alias Gootkit)

 by rinn ¦  Wed Jan 07, 2015 8:56 am ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123405

Hello. During the reverse engineering of this sample I came across very familiar code. The bot itself uses a high number of obfuscated system calls; here they are: .text:00403EDF NtAllocateVirtualMemoryStub .text:00403FDF NtCloseStub .text:0040421F NtCreateFileStub .text:0040409F NtCreateKeyStub .text:0040401F NtDele...
