Symantec paper: http://www.symantec.com/content/en/us/e ... ex_ed2.pdf
A forum for reverse engineering, OS internals and malware analysis
Tried that... but error msg prompt 'xxxx is not a valid win32 file' appeared. Checked the file type. They are MZ. Could the files be corrupted ? Thanks.
They are DLLs. You'll need to to use a DLL loader to test them.
Doing a quick run of the first file, it tries to load system32\xfemdhb.dll.. I don't know if this is one of the other DLLs, but I'm sure you can figure it out.
Edit:
The DLL actually expects itself to be named xfemdhb.dll and to be in the system32 directory.
Doing a quick run of the first file, it tries to load system32\xfemdhb.dll.. I don't know if this is one of the other DLLs, but I'm sure you can figure it out.
Edit:
The DLL actually expects itself to be named xfemdhb.dll and to be in the system32 directory.
hi
I analyze a sample of conficker, and I found there is method this malware used to hiding service registry's entrys
there is no UserMode/KernelMode API/SysCall hook as I seen by tools like Rootkit Unhooker,XueTr, gmer, ... relate to Registry
and also I looking for Registry filter driver by using XueTr and Kernel Detective, but Unfortunately with no luck.
if anyone analyze this malware can help to understand what technique used.
the hash of my sample is: c3852074ee50da92c2857d24471747d9,
thanks
I analyze a sample of conficker, and I found there is method this malware used to hiding service registry's entrys
there is no UserMode/KernelMode API/SysCall hook as I seen by tools like Rootkit Unhooker,XueTr, gmer, ... relate to Registry
and also I looking for Registry filter driver by using XueTr and Kernel Detective, but Unfortunately with no luck.
if anyone analyze this malware can help to understand what technique used.
the hash of my sample is: c3852074ee50da92c2857d24471747d9,
thanks
As far as I can see, the service start entry is not hidden. The key has only SYSTEM permissions.
Change the permissions and you'll see the values and subkey.
Change the permissions and you'll see the values and subkey.
OH, thanks, I see that, what was i thought :D
Has someone succeded running Kido under VM and how? I downloaded 10 samples and none works...
I downloaded 10 samples and none works...Maybe debug them and patch the antivm stuff ?
MAXS wrote:Has someone succeded running Kido under VM and how? I downloaded 10 samples and none works...Which file(s)?
Ring0 - the source of inspiration
Samples from this topic --> http://www.kernelmode.info/forum/viewto ... =Conficker
I always get the message not a valid Win32 application...
I always get the message not a valid Win32 application...