A forum for reverse engineering, OS internals and malware analysis
rever_ser wrote:excuse me sir!http://www.kernelmode.info/forum/viewto ... ?f=13&t=31
can you guide me what are the base knowledge about unpacking that I should be learn ?
because as I said I am junior in malware analysis. I want to know Which kind of practices should I do ?
I am very interesting to become an expert malware Unpacker.
thanks for your attention.
rever_ser wrote:as you said in last post "This crapware(zeus) uses CreateProcess for cmd.exe to stop certain Windows services"Do you seriously cannot figure it yourself?
could you say witch services stop by this malware? and why?
EP_X0FF wrote:Unrelated, but what is the font and color scheme you are using? I like it a lot!rever_ser wrote:as you said in last post "This crapware(zeus) uses CreateProcess for cmd.exe to stop certain Windows services"Do you seriously cannot figure it yourself?
could you say witch services stop by this malware? and why?
[Appearance]
CPU scheme=0
CPU Disassembler=1,4,0,0,2
CPU Dump=1,4,1,0,4353,0
CPU Stack=1,7,1,0
CPU Info=1,0,0,0
CPU Registers=1,7,1,0
Patches=1,0,1,0,0
Call stack=1,0,1,0,0
References=1,0,1,0,0
Memory map=1,0,1,0,0
Executable modules=1,0,1,0,0
Log data=1,0,1,0,0
Windows=1,0,1,0,0
Threads=1,0,1,0,0
Run trace=1,0,1,0,0
Breakpoints=1,0,1,0,0
Handles=1,0,1,0,0
Call tree=1,0,1,0,0
Script Log Window=1,0,1,0,0
Script Execution=1,0,1,0,0
Source=1,0,0,0,0
Source files=1,0,1,0,0
[Columns]
CPU Disassembler=54,102,240,1536
CPU Dump=54,288,102
CPU Stack=54,60,1536
Patches=54,30,48,192,192,1536
Call stack=54,54,216,168,54
References=54,240,1536
Memory map=54,54,54,54,72,30,48,48,1536
Executable modules=54,54,54,54,96,1536
Log data=54,1536
Windows=78,192,54,54,54,54,54,54,54,1536
Threads=54,54,66,108,60,54,72,72
Run trace=54,54,54,54,192,1536
Breakpoints=54,54,150,216,1536
Handles=54,90,36,54,18,72,1536
Call tree=192,192,192,192
Script Log Window=54,780
Script Execution=30,410,90,54,600
Source=48,1536
Source files=54,96,1536
[Colours]
Scheme[0]=0,12,8,18,7,8,7,13
Scheme name[0]=Black on white
Scheme[1]=14,12,7,1,3,7,3,13
Scheme name[1]=Yellow on blue
Scheme[2]=1,12,3,11,14,2,7,13
Scheme name[2]=Marine
Scheme[3]=15,12,7,0,8,11,7,13
Scheme name[3]=Mostly black
Scheme[4]=1,15,0,7,8,4,1,15
Scheme name[4]=Scheme 4
Scheme[5]=14,12,7,1,3,7,3,13
Scheme name[5]=Scheme 5
Scheme[6]=1,12,3,11,14,2,7,13
Scheme name[6]=Scheme 6
Scheme[7]=15,14,7,0,8,11,7,13
Scheme name[7]=Scheme 7
[Fonts]
Font[0]=12,8,400,0,0,0,255,2,49,0
Face name[0]=Terminal
Font name[0]=OEM fixed font
Font[1]=9,6,700,0,0,0,255,0,48,4
Face name[1]=Terminal
Font name[1]=Terminal 6
Font[2]=15,8,400,0,0,0,178,2,49,0
Face name[2]=Fixedsys
Font name[2]=System fixed font
Font[3]=14,0,400,0,0,0,1,2,5,0
Face name[3]=Courier New
Font name[3]=Courier (UNICODE)
Font[4]=10,6,400,0,0,0,1,2,5,0
Face name[4]=Lucida Console
Font name[4]=Lucida (UNICODE)
Font[5]=9,6,700,0,0,0,255,0,48,0
Face name[5]=Terminal
Font name[5]=Font 5
Font[6]=15,8,400,0,0,0,178,2,49,0
Face name[6]=Fixedsys
Font name[6]=Font 6
Font[7]=14,0,400,0,0,0,1,2,5,0
Face name[7]=Courier New
Font name[7]=Font 7
[Syntax]
Commands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[0]=No highlighting
Commands[1]=0,4,124,112,9,64,64,13,111,8,12,0,0,0
Operands[1]=1,0,4,13,65,1,112,6,0,0,0,0,0,0
Scheme name[1]=Christmas tree
Commands[2]=1,0,124,112,9,64,80,13,12,1,15,0,0,0
Operands[2]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[2]=Jumps'n'calls
Commands[3]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[3]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[3]=Hilite 3
Commands[4]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[4]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[4]=Hilite 4