A forum for reverse engineering, OS internals and malware analysis 

Re: Powershell_ise crashes when i try to open it.

 by R136a1 ¦  Wed Jul 17, 2019 6:38 pm ¦  Forum: Newbie Questions ¦  Topic: Powershell_ise crashes when i try to open it. ¦  Replies: 5 ¦  Views: 809

Try to reinstall/update .NET framework. If that doesn't help try to reinstall Powershell. If that doesn't help, good chance to dump your current environment and move to a supported OS with up to date tools.

Re: For The Delphi Malware Unpack req.

 by R136a1 ¦  Sun Jul 14, 2019 2:38 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: For The Delphi Malware Unpack req. ¦  Replies: 2 ¦  Views: 1238

Here's that GhostAV sample unpacked. It uses RunPE overwriting original image in memory + UPX packed at the end.

Re: Powershell_ise crashes when i try to open it.

 by R136a1 ¦  Sun Jul 14, 2019 2:02 pm ¦  Forum: Newbie Questions ¦  Topic: Powershell_ise crashes when i try to open it. ¦  Replies: 5 ¦  Views: 809

You can start by looking at the exception description to get an idea what might have caused this: https://docs.microsoft.com/en-us/dotnet/api/system.dllnotfoundexception?view=netframework-4.8 (look at the remarks). As powershell_ise.exe is a .NET application, you can throw it into a decompiler like dnSpy ...

Re: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96)

 by R136a1 ¦  Tue Jun 11, 2019 9:26 am ¦  Forum: Tools/Software ¦  Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96) ¦  Replies: 99 ¦  Views: 354726

As already became clear, development of this tool stopped in November 2017 with WIN64AST 1.19 (Support WIN10-16299) being the last version. Quote from m5home: Announcement: WIN64AST will NOT be updated anymore. I don't want to follow tempo of Microsoft to do an endless job forever. It wastes my time...

Phorpiex extortion mailer module

 by R136a1 ¦  Thu May 30, 2019 11:42 am ¦  Forum: Malware ¦  Topic: Phorpiex extortion mailer module ¦  Replies: 0 ¦  Views: 618

Hi, a brief analysis of an extortion mailer module spread via the Phorpiex botnet. Background is this tweet: https://twitter.com/P3pperP0tts/status/1133897358402564096 Initial sample: https://www.virustotal.com/#/file/9e76dfc23658b0add86da8b7bc9b078a3c89bd88dc5782104a5fad1fc7c33248/ Initial sample is an o...

Re: [IDAPython] VirtualAlloc of ctypes returns 0

 by R136a1 ¦  Thu May 30, 2019 8:04 am ¦  Forum: Newbie Questions ¦  Topic: [IDAPython] VirtualAlloc of ctypes returns 0 ¦  Replies: 11 ¦  Views: 1310

That's a good question. I would contact Hex-Rays and report to them. They seem to fix IDA Python bugs regularly by looking at IDA Pro version history.

Re: [IDAPython] VirtualAlloc of ctypes returns 0

 by R136a1 ¦  Sun May 26, 2019 10:58 am ¦  Forum: Newbie Questions ¦  Topic: [IDAPython] VirtualAlloc of ctypes returns 0 ¦  Replies: 11 ¦  Views: 1310

You're on Windows 10, right? I have tested your setup on Windows 7 and Windows 10 and can confirm. On Windows 7, all of the above examples work. On Windows 10, only the last example works. I have also tested the latest IDA Pro (7.2) on Windows 10 and it suffers from the same issue. I guess the bug is in...

Re: [IDAPython] VirtualAlloc of ctypes returns 0

 by R136a1 ¦  Sat May 25, 2019 10:28 am ¦  Forum: Newbie Questions ¦  Topic: [IDAPython] VirtualAlloc of ctypes returns 0 ¦  Replies: 11 ¦  Views: 1310

If you want to check if you have the same issue, just execute the following lines on IDA's Python command line (assuming you have IDAPython): import ctypes lpAddress = 0 size = 0x100 flAllocationType = 0x1000 flProtect = 0x40 mem = ctypes.windll.kernel32.VirtualAlloc(lpAddress, size, flAllocationT...

Re: WannaOof Ransomware Sample

 by R136a1 ¦  Tue May 07, 2019 1:49 pm ¦  Forum: Completed Malware Requests ¦  Topic: WannaOof Ransomware Sample ¦  Replies: 1 ¦  Views: 525

Attached.

Re: Pirpi / Bemstour / Filensfer (Buckeye)

 by R136a1 ¦  Tue May 07, 2019 1:32 pm ¦  Forum: Malware ¦  Topic: Pirpi / Bemstour / Filensfer (Buckeye) ¦  Replies: 1 ¦  Views: 742

The blog author also found a possible version of the C# implementation of Filensfer: 6972ba198ed0d30de9f66be5777ecdba2d657078f138325ee6db225c20b29e6e Source code: using System; using System.Net.Sockets; using System.Net; using System.Net.Security; using System.Threading; using System.Security.Crypto...
