A forum for reverse engineering, OS internals and malware analysis 

Search found 27 matches

 Go to advanced search

Re: Automated Malware Environments

 by rnd.usr ¦  Thu Dec 11, 2014 5:08 pm ¦  Forum: Malware ¦  Topic: Automated Malware Environments ¦  Replies: 12 ¦  Views: 9794

Drakvuf - https://tklengyel.github.io/drakvuf/

DRAKVUF is an agentless dynamic malware analysis system built on Xen, LibVMI, Volatility and Rekall.
It allows for in-depth execution tracing of malware samples, extracting deleted files from memory and more.

WinNT/Phase - fileless trojan

 by rnd.usr ¦  Tue Dec 09, 2014 2:40 pm ¦  Forum: Malware ¦  Topic: WinNT/Phase - fileless trojan ¦  Replies: 28 ¦  Views: 27283

Hi, found a new trojan which call itself fileless. It injects RC4 encrypted code into explorer.exe, hooks NtQueryDirectoryFile with HLT-hook for hiding, uses (base64-decoded) Powershell stored in regedit and it's encrypted with RC4 and random key. Uses same technique as Poweliks for startup in reged...

Re: Win32/Poweliks

 by rnd.usr ¦  Wed Nov 19, 2014 3:58 pm ¦  Forum: Malware ¦  Topic: Win32/Poweliks ¦  Replies: 36 ¦  Views: 110155

Anyone have a sample that is detected as "Poweliks.B"?

Thanks

Re: OnionDuke APT

 by rnd.usr ¦  Sat Nov 15, 2014 11:13 am ¦  Forum: Malware ¦  Topic: OnionDuke APT ¦  Replies: 1 ¦  Views: 3019

The data in the parameter is encrypted and then base64-encoded, the key can be found in the config.

The question is: what encryption is OnionDuke using here, RC4? XOR?

Re: [request] User-mode hooks detection tool

 by rnd.usr ¦  Tue Nov 04, 2014 8:49 am ¦  Forum: Tools/Software ¦  Topic: [request] User-mode hooks detection tool ¦  Replies: 5 ¦  Views: 9180

Re: Patching SSDT using Sign Driver

 by rnd.usr ¦  Wed Oct 29, 2014 6:22 pm ¦  Forum: General Discussion ¦  Topic: Patching SSDT using Sign Driver ¦  Replies: 4 ¦  Views: 7000

AV engines can just look at the driver filters list. Each device will have a .sys-file linked to it.

This is correct, right?

Re: Can you cahnge the memory protection?

 by rnd.usr ¦  Fri Sep 05, 2014 11:56 am ¦  Forum: Newbie Questions ¦  Topic: Can you cahnge the memory protection? ¦  Replies: 5 ¦  Views: 6283

I think so. Or does VirtualProtect(Ex) reports you an error when you try it? Why don't you wipe out the MZ signature (and probably other parts of the PE structure that are not relevant after its startup)? Hi, sorry for late answer. No, I'am not coding anything yet, I was just thinking for a method ...

Re: Malware infecting 'restore points' and recovery(re.wim)

 by rnd.usr ¦  Thu Aug 28, 2014 1:14 pm ¦  Forum: Malware ¦  Topic: Malware infecting 'restore points' and recovery(re.wim) ¦  Replies: 3 ¦  Views: 3288

If I'am correct the late Cryptolocker family does this.

Re: Can you cahnge the memory protection?

 by rnd.usr ¦  Sun Aug 24, 2014 12:40 pm ¦  Forum: Newbie Questions ¦  Topic: Can you cahnge the memory protection? ¦  Replies: 5 ¦  Views: 6283

Hello, if you mean a code (or a DLL) injected into a user mode process, there is a function named VirtualProtect (or VirtualProtectEx) that is capable of changing memory protection (on the paging basis). However, I am not sure how you want to use this function to make the malware undetectable. In t...

Can you cahnge the memory protection?

 by rnd.usr ¦  Sun Aug 24, 2014 7:07 am ¦  Forum: Newbie Questions ¦  Topic: Can you cahnge the memory protection? ¦  Replies: 5 ¦  Views: 6283

Hello. Is it possible to change the protection in the newly injected memory in a process? Let's say from RWX to RX. If it's possible, can you name a malware that does this? I know it's possible to strip the "MZ" header but if you also change the protection there should be no way to detect an injecte...