A forum for reverse engineering, OS internals and malware analysis 

Search found 25 matches

Re: Nuclear Bot

 by TheExecuter ¦  Mon Feb 13, 2017 9:45 am ¦  Forum: Malware ¦  Topic: Nuclear Bot ¦  Replies: 3 ¦  Views: 15313

The main file shouldn't execute properly.
RtlAdjustPrivilege's 4th param is null. It'll crash with an access violation.
How'd you extract the DLLs?

Re: Malware Families Using Raw Syscalls

 by TheExecuter ¦  Tue Feb 10, 2015 4:09 am ¦  Forum: Newbie Questions ¦  Topic: Malware Families Using Raw Syscalls ¦  Replies: 21 ¦  Views: 27169

If we consider we're in a hooked system state, then even walking the EAT/IAT will possibly lead to wrong data. In that situation, just simply do a file mapping with SEC_IMAGE or LoadLibraryEx with DONT_RESOLVE_DLL_REFERENCES, or manually map it, and it will just work. As long as ZwCreateFile is not hook...

Re: Malware Families Using Raw Syscalls

 by TheExecuter ¦  Mon Feb 09, 2015 9:36 am ¦  Forum: Newbie Questions ¦  Topic: Malware Families Using Raw Syscalls ¦  Replies: 21 ¦  Views: 27169

    pfn = GetProcAddress(hNtdll, NtServiceName);
    if (pfn) {
    #ifdef _WIN64
        c = 4;   /* x64 stub: mov r10, rcx (3 bytes) then mov eax, imm32 -> imm at offset 4 */
    #else
        c = 1;   /* x86 stub: mov eax, imm32 -> imm at offset 1 */
    #endif
        /* read the 32-bit immediate of "mov eax, imm32", i.e. the syscall number */
        ServiceIndex = *(ULONG *)((BYTE *)pfn + c);
    }

Sorry for the confusion, it seems I didn't make myself clear nor did I understand previously what you meant. Allow me to reply now, @0xff & @t4l: That pfn+c ...

Re: Malware Families Using Raw Syscalls

 by TheExecuter ¦  Mon Feb 09, 2015 9:26 am ¦  Forum: Newbie Questions ¦  Topic: Malware Families Using Raw Syscalls ¦  Replies: 21 ¦  Views: 27169

I didn't mean structure literally. :P
That #define will make sure you get the syscall no. from the current ntdll (hardcoding for the OS it was compiled on),
while what we require is one piece of code which can run across different OSes and get the syscall no. without hardcoding.

Re: Malware Families Using Raw Syscalls

 by TheExecuter ¦  Fri Feb 06, 2015 9:58 am ¦  Forum: Newbie Questions ¦  Topic: Malware Families Using Raw Syscalls ¦  Replies: 21 ¦  Views: 27169

@0xFF: NtServiceName is not available in ntdll.dll for Windows 7 x64.
@t4l: I don't recognize that structure due to my limited knowledge of KM. But I am sure what OP wanted was not to call any API and still get the value for EAX during the syscall in UM.

Re: Malware Families Using Raw Syscalls

 by TheExecuter ¦  Fri Feb 06, 2015 8:55 am ¦  Forum: Newbie Questions ¦  Topic: Malware Families Using Raw Syscalls ¦  Replies: 21 ¦  Views: 27169

Haha, I wish I could. Don't need the code actually. This is what he does for x86, working: list all exports of ntdll.dll; if the first two characters of the API offset are Nt, then calculate the address by walking the EAT and place that address in a list. After the list is populated, sort them in ascending order of thei...

Re: Malware Families Using Raw Syscalls

 by TheExecuter ¦  Fri Feb 06, 2015 7:11 am ¦  Forum: Newbie Questions ¦  Topic: Malware Families Using Raw Syscalls ¦  Replies: 21 ¦  Views: 27169

- The more Windows versions you're willing to support, the more syscall numbers you have to figure out and to hardcode. https://github.com/r41p41/snippets/blob/master/GetSysCallNo_FromName.c https://github.com/r41p41/snippets/blob/master/GetSysCallNo_FromName_x64.c Don't know if this code works, but...

Re: WinNT/Phase - fileless trojan

 by TheExecuter ¦  Wed Dec 24, 2014 5:21 pm ¦  Forum: Malware ¦  Topic: WinNT/Phase - fileless trojan ¦  Replies: 28 ¦  Views: 27336

MalwareTech wrote: Too bad they patched the SQL injection yesterday.
It seems you have a vendetta against this particular Turd'ware :D

Re: Trojan:WinNT/Regin

 by TheExecuter ¦  Tue Nov 25, 2014 5:38 am ¦  Forum: Malware ¦  Topic: WinNT/Regin ¦  Replies: 27 ¦  Views: 34190

Any other sample which is 'not' a driver?
An executable, perhaps. It could give more insight.

Win32/CoinMiner (Lecpetex)

 by TheExecuter ¦  Sat May 10, 2014 10:02 pm ¦  Forum: Malware ¦  Topic: Win32/CoinMiner (Lecpetex) ¦  Replies: 1 ¦  Views: 2788

Hi, my friend's PC was infected with a malware spawning multiple explorer 32-bit processes connecting to 107.6.122.154:3333. Any idea which malware it is? I'd do the handiwork myself but I am not at my PC for the next 7-8 days and I am really uncomfortable with this laptop. Seems like all kinds of malware...