RE: [Full-disclosure] Malicious Code Analysis
From: mike king (ngiles_at_hushmail.com)
Date: Fri, 5 Aug 2005 03:04:06 -0700 To: <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>
-----BEGIN PGP SIGNED MESSAGE-----
Thanks for all the feedback. I have always taken the poor mans
approach to this since its not really my job, but a fun hobby on
On Fri, 05 Aug 2005 02:49:49 -0700 Peter Kruse <email@example.com> wrote:
>> These were not submitted to any AV vendors since Norton did
>> flag them. In the past I have submitted unknown trojans/
>> viruses like these to Symantec when clients have been owned,
>> but what can I say they are hardly 0day more like 300 day.
>Yes, I already have this tool in my box. Pretty useful for first
>> Could you share your methodology on how you go about reverse
>> engineering/ disassembling a malicious piece of code that has
>> had a packer ran on it?
>There are many off-the self unpackers out there that will do the
>fine, but lately malware writters rather modify or use
>version of popular PE-packers. Either way a compressed binary will
>uncompress itself using the compressor stub in order to run. In
>unpack look for the call that jumps from the stub to unpacked
>code. When the
>jmp address is located modify so the jmp goes to esi. This will
>put the code
>in a loop. Next procdump.
>There are plenty of good tutorials. One of these are associated
>I hope this helps you getting started.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/