A forum for reverse engineering, OS internals and malware analysis 

Search found 4316 matches


Re: Overwrite a file using WinAPI functions VB.NET

 by EP_X0FF ¦  Thu Mar 28, 2019 3:17 pm ¦  Forum: Newbie Questions ¦  Topic: Overwrite a file using WinAPI functions VB.NET ¦  Replies: 9 ¦  Views: 281

Your VB prototypes are wrong I guess. Try this one (it is also not 100% correct, but enough for example). Set path to your file. <DllImport("KERNEL32.DLL", EntryPoint:="CreateFileW", SetLastError:=True, CharSet:=CharSet.Unicode, ExactSpelling:=True, CallingConvention:=CallingConvention.StdCall)> Pub...

Re: ShadowHammer

 by EP_X0FF ¦  Thu Mar 28, 2019 2:27 pm ¦  Forum: Malware ¦  Topic: ShadowHammer ¦  Replies: 7 ¦  Views: 828

Re: Overwrite a file using WinAPI functions VB.NET

 by EP_X0FF ¦  Thu Mar 28, 2019 2:12 pm ¦  Forum: Newbie Questions ¦  Topic: Overwrite a file using WinAPI functions VB.NET ¦  Replies: 9 ¦  Views: 281

CreateFileW("*filepathhere", "GENERIC_ALL", "FILE_SHARE_READ | FILE_SHARE_WRITE", "NULL", "OPEN_EXISTING", "NULL", "NULL") Replace GENERIC_ALL with GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE with 0, or if you want to replace the bytes of the file with null (basically overwrite the file) simply use ...

Re: Overwrite a file using WinAPI functions VB.NET

 by EP_X0FF ¦  Thu Mar 28, 2019 4:38 am ¦  Forum: Newbie Questions ¦  Topic: Overwrite a file using WinAPI functions VB.NET ¦  Replies: 9 ¦  Views: 281

It depends on how you open this file with CreateFile, dwDesiredAccess, dwShareMode and dwCreationDisposition parameters. Show your code.

Re: ShadowHammer

 by EP_X0FF ¦  Wed Mar 27, 2019 1:35 pm ¦  Forum: Malware ¦  Topic: ShadowHammer ¦  Replies: 7 ¦  Views: 828

Has anyone tried to convert these MD5 hashes back to MAC addresses?

Re: ShadowHammer

 by EP_X0FF ¦  Wed Mar 27, 2019 1:26 pm ¦  Forum: Malware ¦  Topic: ShadowHammer ¦  Replies: 7 ¦  Views: 828

Would be interesting to look at the payload. I guess it is target specific. Also interesting to know what all these ~600 people share in common. Perhaps Kaspersky will shed some light on this in the near future.

Re: Restart windows without update.

 by EP_X0FF ¦  Wed Mar 27, 2019 8:28 am ¦  Forum: Newbie Questions ¦  Topic: Restart windows without update. ¦  Replies: 1 ¦  Views: 132

Install this Windows version with the network disabled for the VM. Shut down the Windows Update service and block it from starting. Re-enable the network if you need it later. If this is an Enterprise edition, updates can be blocked with gpedit: Computer Configuration -> Administrative Templates -> System -> Internet Communi...

ShadowHammer

 by EP_X0FF ¦  Tue Mar 26, 2019 5:00 am ¦  Forum: Malware ¦  Topic: ShadowHammer ¦  Replies: 7 ¦  Views: 828

https://www.kaspersky.com/blog/shadow-hammer-teaser/26149/ Injected code is called inside the MS VC CRT code part, __crtExitProcess of Setup.exe. It itself represents an encrypted shellcode. Dumped shellcode is also in the attachment. Uses hashes for API search. Lookup table: query kernel32!LoadLibraryExW query kernel32!G...

Re: Detecting protected processes

 by EP_X0FF ¦  Thu Mar 21, 2019 8:29 am ¦  Forum: Newbie Questions ¦  Topic: Detecting protected processes ¦  Replies: 1 ¦  Views: 197

"Critical process" is a process that upon unexpected termination breaks into the kernel debugger if it is present, or simply causes a bugcheck with the "critical process terminated" message if the debugger is not present. This is stored in EPROCESS flags as the PS_PROCESS_FLAGS_BREAK_ON_TERMINATION value. You can query this val...

Re: Global ATM Malware Wall

 by EP_X0FF ¦  Mon Mar 18, 2019 4:12 am ¦  Forum: General Discussion ¦  Topic: Global ATM Malware Wall ¦  Replies: 1 ¦  Views: 337

Looks cool, also I added a link to it here: List of Malware Sources
