All Questions
0 votes
0 answers
272 views

How can I reconstruct a full PE from a memory-injected PE that only has IAT + section contents?

I have an injected PE (kernel mode rootkit to be exact) that only has the IAT table, which basically only stores the addresses of some kernel functions in an array which is referenced inside its code, ...
OneAndOnly
0 votes
3 answers
300 views

What is the best way to change the call-graph of a PE file without changing its real behavior and without packing it?

What I want to do is take a PE file, extract its call-graph, and then inject a junk function in it, so for example by injecting a junk function inside of it, and changing a call instruction's opcode ...
OneAndOnly
-1 votes
1 answer
135 views

malware analysis [closed]

I tried to use process monitor to find out what program 4.exe did on my system. However, I could not find what changes were made. I believe that this program modifies some files and the registry, but ...
shadow (1)
0 votes
1 answer
94 views

What do BYTES_REVERSED_HI and BYTES_REVERSED_LO in a PE signify?

How can these PE attributes be used to identify malware? I was going through a paper (link); at page 10 he mentioned: "BYTES_REVERSED_HI and BYTES_REVERSED_LO both make ideal candidates as a primary ...
Ajay Kumar K K
1 vote
1 answer
4k views

How to convert Unexplored data in IDA Pro to code?

I am analyzing a malware sample; it has a lot of confusing methods. I wrote an IDC script to remove the confusion, using the MakeCode() function to convert some Unexplored data into code, but there are still some ...
ATree (11)
5 votes
3 answers
229 views

Finding a malware object inside PE file

Today my AV found an antique piece of malware called Win9X.CIH.dam. Instead of just removing it I would like to make a little research for fun. What does "data0513" exactly mean? I can't understand ...
Ian Smuga
0 votes
1 answer
129 views

Identifying code that accesses encrypted overlay in PE

I’m reviewing a malware sample that stores an encrypted PE file in its overlay. I’m attempting to identify in IDA pieces of x86 that may be responsible for accessing the overlay and performing the ...
Chuck (21)
1 vote
1 answer
886 views

Bypassing anti-VM inside protected samples

This is a good starting point. As you know: Sandboxes and virtual environments (hypervisors) are full of artifacts that betray their analysis environment. Malware can protect itself against these by ...
zerocool (163)
2 votes
2 answers
2k views

Packed PE file and weird Header

I'm new to reverse engineering, so I don't know if my question will be easy or not. Right now I have an exe file, but it seems packed. In the hex dump I have the following: 000003d0: 0055 5058 ...
Wheatstone
8 votes
1 answer
5k views

How do tools like PEiD find out the compiler and its version?

How do tools like PEiD and CFF Explorer find out the compiler and its version? I am analyzing an executable file, which shows: Borland Delphi 3.0. But the section names are .text .rsrc, which is usually ...
Dinesh D
3 votes
1 answer
2k views

What conditions can create the "Not a Valid Win32 Application" error message upon load?

I'm doing research on the PE format/Windows Loader and I am unable to locate specifics as to what creates the error "Not a valid Win32 Application" followed by a failure to load. I've tried changing ...
the_endian (1,880)
6 votes
2 answers
1k views

What PE anomalies can crash the Windows Loader or cause a file to not load?

I do malware analysis on Windows. I run hundreds of Windows PEs per day and it is actually relatively common for a file to not run (or sometimes not run on just one specific version of Windows) and I ...
the_endian (1,880)
0 votes
1 answer
892 views

Restoring an infected appending-virus EXE file by

I'm trying to restore a file that was infected by a virus (Gaelicum or Tenga). It's an appending virus. This is the warning I get when opening it in OllyDbg: --------------------------- Entry Point ...
BingBang32
0 votes
1 answer
845 views

Malware samples to analyze with existing disassembly?

Hopefully this question doesn't get marked as a duplicate, since it differs from the following question: Where can I, as an individual, get malware samples to analyze? I'm looking for samples (ideally ...
knx (1,257)
2 votes
1 answer
974 views

Why does an exe's import table have two references to kernel32.dll (or any other dll)?

According to what I know, the Import Descriptor table is made of an array of _IMAGE_IMPORT_DESCRIPTOR structures. There is one _IMAGE_IMPORT_DESCRIPTOR for every dll that is imported. I have an exe which ...
rebel87 (391)