Search found 90 matches

by rinn
Fri Sep 02, 2016 7:36 pm
Forum: Tools/Software
Topic: VBoxAntiVMDetectHardened mitigation X64 only
Replies: 249
Views: 1744198

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Hello. You may try rebuilding the ACPI table to remove BAT0 from it. At your own risk :) I'm unsure how exactly the battery presence fact can be used to identify a VM. Best Regards, -rin Thanks! Is there any way to block access to a battery for VM? My virtual machine is running on the laptop, and I see that it h...
by rinn
Thu Jun 23, 2016 4:11 am
Forum: Tools/Software
Topic: UACMe - Defeating Windows User Account Control
Replies: 136
Views: 438333

Re: UACMe - Defeating Windows User Account Control

Hi. I would also suggest: a) deny write access to the %systemroot%\system32\inetsrv folder for anyone except TrustedInstaller, or harden InetMgr.exe to load all of its dependencies from system32. This will disable UACMe method #19 and disallow InetMgr.exe dll hijacking. b) detect multiple elevation attemp...
by rinn
Tue Jan 26, 2016 5:40 am
Forum: Tools/Software
Topic: VBoxAntiVMDetectHardened mitigation X64 only
Replies: 249
Views: 1744198

Re: VBoxAntiVMDetectHardened mitigation X64 only (07/01/16)

Hello,
dsefix is embedded in this vbox loader, you don't need to use it twice.

Best Regards,
-rin
by rinn
Fri Jan 08, 2016 7:27 am
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 567068

Re: ZeroAccess (alias MaxPlus, Sirefef)

Hello. Despite this 11) AntiMSE/WindowsDefender code being completely removed (well, actually a lot of code was removed too), several Microsoft services are still stopped and removed by the dropper. if ( !result ) { result = OpenSCManagerW(0, 0, 0xF003Fu); v2 = result; if ( result ) { v3 = OpenServiceW(result, L"mpssvc",...
by rinn
Sun Jan 03, 2016 4:01 pm
Forum: General Discussion
Topic: Happy New Year :)
Replies: 15
Views: 25343

Re: Happy New Year :)

Happy New Year :-)
by rinn
Sun Jan 03, 2016 4:00 pm
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 567068

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Hi.

NtOpenFile ( ... GENERIC_ALL ...), NtSetInformationFile(... FileRenameInformation ...); NtClose; - Shift+Del :) Also closing its handles inside svchost.exe results in a delayed reboot.

Best Regards,
-rin
by rinn
Sat Apr 11, 2015 12:54 pm
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 122548

Re: Win32/Xswkit (alias Gootkit)

Hello, EP_X0FF. Just took a quick look at that exe, seems reproducible. Should we again try to recover it? :) If only it could work on Win10... int __fastcall sub_102DE7(int a1, int a2, int a3) { int v3; // ebx@1 int v4; // esi@1 int v5; // edi@1 char v6; // al@2 int result; // eax@4 void *v8; // ea...
by rinn
Sun Mar 29, 2015 5:13 am
Forum: Tools/Software
Topic: UACMe - Defeating Windows User Account Control
Replies: 136
Views: 438333

Re: UACMe - Defeating Windows User Account Control

@EP_X0FF

You should definitely try this method :) Along with looking at the APPINFO.DLL whitelist.
by rinn
Thu Jan 15, 2015 6:45 am
Forum: Malware
Topic: WinNT/Simda
Replies: 43
Views: 56943

Re: WinNT/Simda

Hello.

Just to mention - memory allocated for the SDDL string after the ISecurityEditor->GetSecurity call must be freed with LocalFree when the pps variable is no longer needed. So for your usage, extend the shellcode to include LocalFree and use it.

Best Regards,
-rin
by rinn
Wed Jan 07, 2015 8:56 am
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 122548

Re: Win32/Xswkit (alias Gootkit)

Hello. While reverse engineering this sample I came across very familiar code. The bot itself uses a high number of obfuscated system calls; here they are: .text:00403EDF NtAllocateVirtualMemoryStub .text:00403FDF NtCloseStub .text:0040421F NtCreateFileStub .text:0040409F NtCreateKeyStub .text:0040401F NtDele...