Salutations! Just wanted to share a couple things. First off, I encountered some clever malware. By checking to see if an audio device is enabled (by adjusting the volume), the malware knows not to run if it can’t. Because honestly, who enables audio drivers on their VM? Other than that, I whipped up a little […]
Howdy all! Time for an update. Today I went through and re-did my McAfee BUP file decrypt-er thingy. I got rid of the guy with sunglasses, modified the decryption sequence to cut off the first 2048 junk bytes, added drag-n-drop capabilities, and added a hex view. Old: New: I guess this looks more professional. You […]
Howdy all! Been a great few weeks. Lots of ideas flowing and lots more malware to work on. I got it down to a science now. What I’ve been digging into lately is taking advantage of the Python shell inside immunity debugger. The library is feature rich and combines the capabilities of Immunity with the […]
Howdy all! What exploit code do you think I run into on a daily basis? Java! Every day, its the same 2 exploits. I’ve stated this before, but today I’m going to post the code. Most of the time, malware distributors are smarter and obfuscate their exploit code as much as possible as to avoid […]
Howdy fellow h4x0rs & Cr4x0rs alike! Today I ran into some vmware aware malware and it threw me off until I ran procmon and apispy. I had to patch the program to skip the checks, but I don’t want to get into that. Instead, let’s cover what this malware was checking. First off, it was […]
Greetings fellow crackers and reversers! Happy new year and all that junk. Today I decided to add a UDP option to my TCP flooder for windows. I guess its no longer a TCP flooder and now more of just an IP flooder. Oh well. You can download an updated version of it ZeroLengthWindow_Dos. The password […]
I came across this one individual’s page whom is an avid reverse engineer with some great material. Check out his pdf cheat sheet on anti-debugging. There were a few in there I didn’t know about like the ‘csr’ trick which involves calling an undocumented ‘CsrGetProcessId’ function within OpenProcess. CsrGetProcessId is a native API that returns […]
Hello all! I’m cracking away on various projects and trying to keep focus. As I was going through my old notes, I came across a talk I wanted to give but could not due to my car accident and the subsequent down time caused me to forget. I wanted to cover making your own debugger […]
Greetings and salutations. Today I’m going to be going over some malware I found in the wild. I found it after doing a search for ‘hack’ on the ‘rapidshare’ section of 4chan. With the name ‘SteamHackCount.exe’, being about 350 kb, and having the Apple icon? Totally legit right??? Opening the program in IDA showed the […]
Hello again! It’s been a busy week at work. Lots of unique malware. As you may or may not know, malware uses non-conventional things to stay hidden and throw off heuristic analysis. I see weird stuff. Instructions that make no sense in context like the ‘out’ instruction, blocks of code which perform floating point arithmetic […]