A forum for reverse engineering, OS internals and malware analysis 


As a continuation of this thread https://www.kernelmode.info/forum/viewtopic.php?f=13&t=5496. Features: + Unpack VDM containers of Windows Defender/Microsoft Security Essentials; + Decrypt the VDM container embedded in the Malicious Software Removal Tool (MRT.exe); + Extract all PE images from unpacked/decrypt...

Re: Windows Defender DB dump and VDLL's

 by EP_X0FF ¦  Fri Apr 19, 2019 5:35 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Windows Defender DB dump and VDLL's ¦  Replies: 5 ¦  Views: 487

Done, moved project to separate github repository.

https://github.com/hfiref0x/WDExtract

Re: Windows Defender DB dump and VDLL's

 by EP_X0FF ¦  Wed Apr 17, 2019 7:03 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Windows Defender DB dump and VDLL's ¦  Replies: 5 ¦  Views: 487

This code needs corrections, as pointed out above, plus MRT database support. The Malicious Software Removal Tool database is not packed; instead it is obfuscated with an XOR algorithm implemented as chains of XORed data, where the data type is the unique XOR key for the block. An updated extractor will be posted later. Also, here...

Re: My AV says my router is infected

 by EP_X0FF ¦  Tue Apr 16, 2019 12:32 pm ¦  Forum: Newbie Questions ¦  Topic: My AV says my router is infected ¦  Replies: 6 ¦  Views: 710

ignacystein wrote: Tue Apr 16, 2019 11:14 am
What to do after rebooting the router because I am still facing the issue.

Reset your router to factory defaults.

Re: Windows Defender DB dump and VDLL's

 by EP_X0FF ¦  Wed Apr 03, 2019 7:09 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Windows Defender DB dump and VDLL's ¦  Replies: 5 ¦  Views: 487

Just for fun. Here are the VFS contents dumped. This virtual file system is used by WD during code emulation and exists only in memory. It can be found inside mpasbase.vdm. The majority of these files are just empty stubs; however, some (for example default.wab) contain additional data. C:\Documents and Set...

Re: Windows Defender DB dump and VDLL's

 by EP_X0FF ¦  Sat Mar 30, 2019 1:20 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Windows Defender DB dump and VDLL's ¦  Replies: 5 ¦  Views: 487

I rewrote this script in C++, making it much faster, because I could basically go away, drink some covfefe, watch TV, and this PowerShell would still be doing something. Usage: wdextract <vdm filename>. This program is distributed as-is, copyleft. It uses the ZLIB Data Compression Library (https://github.com/madler/zlib), c...

Windows Defender DB dump and VDLL's

 by EP_X0FF ¦  Fri Mar 29, 2019 6:26 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Windows Defender DB dump and VDLL's ¦  Replies: 5 ¦  Views: 487

The following script -> https://gist.github.com/mattifestation/3af5a472e11b7e135273e71cb5fed866 can be used to decompress Windows Defender database files (*.vdm). Aside from signatures, you will also be able to extract so-called VDLLs - the environment used by the Windows Defender emulator engine. There ar...
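The extractor announced at the top of this results page and the gist linked in the post above describe the same two-step pipeline: inflate the zlib-compressed VDM payload, then carve the PE images (signature modules and VDLLs) out of the inflated data. The Python below is an added example written for this page, not code from the gist, from WDExtract, or from the forum author. It does not parse the real VDM container header; instead it assumes (an assumption of this example) that a compressed payload can be located by scanning for zlib stream headers and inflating each candidate, and the container it runs on is a synthetic one constructed inline from two minimal fake PE images, so it runs offline.

```python
"""Locate zlib streams in a container blob, inflate them, and carve PE images
from the result. Added example; the container format is synthetic and the
zlib-header scan is a heuristic, not the real VDM header layout."""
import struct
import zlib

# Common zlib stream headers (CMF=0x78 with the four standard FLG values).
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def find_zlib_streams(blob, min_size=64):
    """Return [(offset, inflated_bytes)] for every complete zlib stream in blob.

    A candidate header is only accepted if zlib reaches end-of-stream (d.eof)
    and the output is at least min_size bytes; false positives (random 0x78 0x9c
    pairs) either raise zlib.error or never reach eof and are skipped."""
    found = []
    pos = 0
    while True:
        hits = [blob.find(h, pos) for h in ZLIB_HEADERS]
        hits = [h for h in hits if h != -1]
        if not hits:
            return found
        off = min(hits)
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[off:])
            if d.eof and len(out) >= min_size:
                found.append((off, out))
                # Skip past the bytes this stream consumed before scanning on.
                pos = off + (len(blob) - off - len(d.unused_data))
                continue
        except zlib.error:
            pass
        pos = off + 1


def carve_pe_images(data):
    """Return [(offset, raw_size, machine)] for each embedded PE image.

    An image is accepted when 'MZ' is followed by an e_lfanew that points at a
    'PE\\0\\0' signature; its raw size is the furthest end of any section's raw
    data (PointerToRawData + SizeOfRawData), clipped to the buffer."""
    images = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew and pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
                sec_off = pe + 24 + opt_size
                end = sec_off + nsec * 40
                if end <= len(data):
                    for i in range(nsec):
                        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_off + i * 40 + 16)
                        end = max(end, pos + raw_ptr + raw_size)
                    images.append((pos, min(end, len(data)) - pos, machine))
        pos = data.find(b"MZ", pos + 1)
    return images


def build_fake_pe(machine, payload):
    """Constructed sample: a minimal MZ/PE image with one section whose raw
    data sits at file offset 0x200. Not a loadable binary, just enough header
    for the carver."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 1, 0, 0, 0, 0, 0x22)
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(payload), 0x1000,
                      len(payload), 0x200, 0, 0, 0, 0, 0x60000020)
    return (bytes(hdr) + coff + sec).ljust(0x200, b"\0") + payload


def demo():
    """Build a synthetic container (constructed data), then run both steps."""
    inner = build_fake_pe(0x8664, b"A" * 0x200) + b"\0" * 16 + build_fake_pe(0x14C, b"B" * 0x100)
    container = b"\0" * 0x100 + zlib.compress(inner) + b"\xff" * 32
    streams = find_zlib_streams(container)
    images = [carve_pe_images(payload) for _, payload in streams]
    return streams, images


if __name__ == "__main__":
    streams, images = demo()
    for (off, payload), imgs in zip(streams, images):
        print(f"zlib stream at 0x{off:x}, {len(payload)} bytes inflated")
        for ioff, size, machine in imgs:
            print(f"  PE at +0x{ioff:x}, {size} bytes, machine 0x{machine:x}")
```

Against a real container, replace the synthetic `container` with the file bytes and write each carved slice to disk; the machine field distinguishes the 32-bit and 64-bit VDLL sets.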

Re: Overwrite a file using WinAPI functions VB.NET

 by EP_X0FF ¦  Thu Mar 28, 2019 3:31 pm ¦  Forum: Newbie Questions ¦  Topic: Overwrite a file using WinAPI functions VB.NET ¦  Replies: 9 ¦  Views: 267

Oh, I see what you did there. I never thought of that. How does &H40000000 work as an integer, though? BTW, thanks for the help.

It is the hexadecimal representation of the GENERIC_WRITE constant (0x40000000). https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/data-typ...

Re: Overwrite a file using WinAPI functions VB.NET

 by EP_X0FF ¦  Thu Mar 28, 2019 3:17 pm ¦  Forum: Newbie Questions ¦  Topic: Overwrite a file using WinAPI functions VB.NET ¦  Replies: 9 ¦  Views: 267

Your VB prototypes are wrong, I guess. Try this one (it is also not 100% correct, but enough for an example). Set the path to your file. <DllImport("KERNEL32.DLL", EntryPoint:="CreateFileW", SetLastError:=True, CharSet:=CharSet.Unicode, ExactSpelling:=True, CallingConvention:=CallingConvention.StdCall)> Pub...

Re: ShadowHammer

 by EP_X0FF ¦  Thu Mar 28, 2019 2:27 pm ¦  Forum: Malware ¦  Topic: ShadowHammer ¦  Replies: 7 ¦  Views: 795