A forum for reverse engineering, OS internals and malware analysis 


Re: RkUnhooker 3.8 SR2 public beta test

 by EP_X0FF ¦  Wed Mar 17, 2010 1:44 pm ¦  Forum: Tools/Software ¦  Topic: RkUnhooker 3.8 SR2 public beta test ¦  Replies: 154 ¦  Views: 132399

Thanks for the report.

This is caused by the callgates detector. More debug required :)

Re: RkUnhooker 3.8 SR2 public beta test

 by EP_X0FF ¦  Wed Mar 17, 2010 6:26 am ¦  Forum: Tools/Software ¦  Topic: RkUnhooker 3.8 SR2 public beta test ¦  Replies: 154 ¦  Views: 132399

Thank you.

Can you please reproduce this deadlock also on Vista if you have it? :)
And the other deadlock, mentioned by Twister? I'm testing a fix for this right now.

Re: Packed.Win32.TDSS.z

 by EP_X0FF ¦  Wed Mar 17, 2010 2:33 am ¦  Forum: Malware ¦  Topic: Rootkit TDL 3 (alias TDSS, Alureon.CT, Olmarik) ¦  Replies: 395 ¦  Views: 284892

Hello, 1268479347.exe is TDL 3.273 dropper. [main] quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody version=3.273 installdate=17.3.2010 2:18:39 builddate=13.3.2010 11:22:25 [injector] *=tdlcmd.dll [tdlcmd] servers=https://zz87jhfda88.com/;https://91.212.226.65/;https://19...

Backdoor.Win32.Agent.aoyq

 by EP_X0FF ¦  Tue Mar 16, 2010 6:51 pm ¦  Forum: Malware ¦  Topic: Backdoor.Win32.Agent.aoyq ¦  Replies: 0 ¦  Views: 5408

Dropper packed with UPX. Installs rootkit driver aec<random chars>.sys into the system32\drivers folder (some social engineering to fool users, because of the legitimate aec.sys present in a Windows installation). In my case the rootkit driver was named aecq.sys. Inside, the driver contains a payload dll to be injected in...

Trojan.Winlock - Lock Em All

 by EP_X0FF ¦  Tue Mar 16, 2010 6:51 pm ¦  Forum: Malware ¦  Topic: Trojan.Winlock - Lock Em All ¦  Replies: 48 ¦  Views: 58152

This trojan blocker prevents all software execution by displaying an always-on-top window that constantly redraws. To remove the Trojan (and unlock Windows), infected users need to enter a valid serial number. Named Lock Em All because of the specific window name. http://img225.imageshack.us/img225/2631/lolz...

Old Malware Requests, part 1

 by EP_X0FF ¦  Tue Mar 16, 2010 6:51 pm ¦  Forum: Completed Malware Requests ¦  Topic: Malware Requests ¦  Replies: 97 ¦  Views: 121254

Hello, this is a special thread for malware sample requests. Thread posting rules. 1. Asking for a malware sample assumes by default that you know how to deal with them (at least how to make them work in a test environment). 2. Malware requests must be in the following format: a) Malware name(s) which you want (m...

Rootkits

 by EP_X0FF ¦  Tue Mar 16, 2010 6:51 pm ¦  Forum: Malware ¦  Topic: Rootkits ¦  Replies: 0 ¦  Views: 13015

Below is the list of rootkit samples available here (only the most notorious). Follow the links for download. Several malware listed here are not really rootkits in terms of the original meaning of the word, but malware with driver agents. Win32 Rootkits Demo Rootkits (not malicious) Collection of old malware ...

Re: [ Sample Application ] NtQuerySystemInformation

 by EP_X0FF ¦  Tue Mar 16, 2010 1:38 pm ¦  Forum: Newbie Questions ¦  Topic: [ Sample Application ] NtQuerySystemInformation ¦  Replies: 6 ¦  Views: 12103

Hi, EP, why are you working with the 5.0 version? I simply don't need more. I don't need new syntax, new functions, new database support, new components. I'm using Delphi mostly in cases when it is necessary to quickly build something with a GUI, and in projects where our internal rtl is needed. Un...

Re: [ Sample Application ] NtQuerySystemInformation

 by EP_X0FF ¦  Tue Mar 16, 2010 11:20 am ¦  Forum: Newbie Questions ¦  Topic: [ Sample Application ] NtQuerySystemInformation ¦  Replies: 6 ¦  Views: 12103

Hello, this is a sample application and library written by Igor Shevshenko. They demonstrate how to use the ntdll Native API in typical Delphi projects. This sample was written for Delphi version <= 5. I was able to compile and successfully start it with Delphi 5, and after some quick additions compile and star...

Re: CreateProcess Native (x86-32 NT5.x)

 by EP_X0FF ¦  Tue Mar 16, 2010 1:20 am ¦  Forum: User-Mode Development ¦  Topic: CreateProcess Native (x86-32 NT5.x) ¦  Replies: 8 ¦  Views: 14666

Practical value is none :)
Maybe just to learn how to create threads with Native in user mode.
