A forum for reverse engineering, OS internals and malware analysis 


Re: Hooking rundll32.exe

 by Munsta ¦  Fri Sep 16, 2016 2:30 pm ¦  Forum: Newbie Questions ¦  Topic: Hooking rundll32.exe ¦  Replies: 3 ¦  Views: 7829

Wouldn't it be better to make an IAT hook on GetProcAddress (I assume rundll uses this routine to find the target function) and change the result of the original call when the string "FakeFunc" is entered? Apparently snx90 wants to call his dll with a random rundll32 argument. FakeFunc is non-existing...

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

 by Munsta ¦  Mon May 23, 2016 8:28 pm ¦  Forum: Malware ¦  Topic: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit) ¦  Replies: 66 ¦  Views: 256700

From Swiss, https://www.melani.admin.ch/melani/en/h ... _ruag.html

TL;DR They made a small mistake in the paper: they wrote that it abuses VMWare instead of VBox.

Re: Powershell post-exploitation framework ~ Empire

 by Munsta ¦  Sun May 22, 2016 7:29 pm ¦  Forum: Tools/Software ¦  Topic: Powershell post-exploitation framework ~ Empire ¦  Replies: 2 ¦  Views: 10120

p4r4n0id wrote: What do u mean by "without the need of powershell.exe"? PS process is executed by the installer and also by all agents.....
You can but you need another C#.exe that references the PS System.Automation.dll assembly and does what powershell.exe is doing anyway - pointless if we talk about anti-DFIR.

Re: Worried about suspicious link

 by Munsta ¦  Sun Mar 06, 2016 12:30 pm ¦  Forum: Newbie Questions ¦  Topic: Worried about suspicious link ¦  Replies: 5 ¦  Views: 6310

I think someone is testing a Skype worm/spammer. Acquiring performance via short URL stats, probably :)

Re: Analyzing a com dll

 by Munsta ¦  Thu Jan 07, 2016 6:36 pm ¦  Forum: Newbie Questions ¦  Topic: Analyzing a com dll ¦  Replies: 4 ¦  Views: 6346

This is a little gem to give you some inspiration.
Merry Christmas to soviet friends here :)
https://pbs.twimg.com/media/B7GuAlaCMAAzuvK.jpg:large

Re: W8.1/W10 Bootkit

 by Munsta ¦  Tue Sep 08, 2015 6:03 pm ¦  Forum: Kernel-Mode Development ¦  Topic: W8.1/W10 Bootkit ¦  Replies: 10 ¦  Views: 14835

What if no one can detect those :P

Re: Trusting updates after 1st August 2015.

 by Munsta ¦  Tue Sep 01, 2015 9:10 pm ¦  Forum: Tools/Software ¦  Topic: Trusting updates after 1st August 2015. ¦  Replies: 3 ¦  Views: 7210

Microsoft have no guns, people with guns collect metadata, if that metadata shows you are an interesting person -> Critical update count++

It's that simple :)

Re: [PoC] Bypassing UM Hooks By Bruteforcing Intel Syscalls

 by Munsta ¦  Thu Aug 27, 2015 9:34 am ¦  Forum: User-Mode Development ¦  Topic: [PoC] Bypassing UM Hooks By Bruteforcing Intel Syscalls ¦  Replies: 9 ¦  Views: 21614

Hi MicroWave89, I can only assume part of your interests in this subject matter lies here based on your mentioned time frame of interest http://www.kernelmode.info/forum/viewtopic.php?f=10&t=3723&start=10 ? Thanks for the shared code, it's still interesting considering such bruteforce behavior is s...

Re: [Poll] What is your home AV? (part II)

 by Munsta ¦  Thu Mar 12, 2015 9:11 am ¦  Forum: General Discussion ¦  Topic: [Poll] What is your home AV? (part II) ¦  Replies: 22 ¦  Views: 36881

You really expect me (others) to use Windows backdoored sh1t without some aggressive annoying filters? (ZDI posts anyone?) lolwut? Are you using backdoored Windows shit and backdoored Windows HIPS? I have to, MSDNAA and it's not up to me, I'm happy that I talked people I work for not to use Java haha, ...