10.03.2008

Just updated the ClassAndInterfaceToNames package. The list of classes and interfaces has grown a lot. Thanks to Sirmabus for adding all these new entries.

Sorry for being lazy at the moment, but for some weeks now I have had constant problems with a spinal disc, making it impossible to do any cool research. I really hope the doctors get this fixed very soon.

19.02.2008

Just added some links to interesting sites. Check them out in the links area.

14.02.2008

With "More advanced unpacking - Part II" I show you how to decrypt an infamous real-life malware called WSNPOEM aka Infostealer.Banker.C. The binaries are usually created with a tool called ZEUS Builder, and lots of different versions exist in the wild. I found samples with and without rootkit functionality, as well as binaries packed on top, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways:

1. Manual unpacking + import fixing
2. Manual unpacking + auto import fixing
3. Auto unpacking/import fixing

Stage 2 introduces a nice tool called "Universal Import Fixer" and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.

More advanced unpacking - Part II.zip

21.01.2008

Unbelievable but true. After 4 months of getting owned by other things making my life mad, I finally managed to release a new unpacking tutorial. This one goes into far more depth than the beginners' tutorial I released last year. It aims to show some generic tricks and tools that can be used on many other protectors. Enjoy!

More advanced unpacking - Part I.zip

21.09.2007

No, I'm not dead. Just too busy in the last weeks. But today I have a new paper for you. It's an analysis of the malware Peacomm.C aka StormWorm. It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and everything that happens along the way, like: XOR + TEA decryption, TIBS unpacking, defeating anti-debugging code, file dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit driver does.

Peacomm.C - Cracking the nutshell.zip

17.07.2007

Right after finishing my COM reconstruction helpers, I present you today a movie that aims to be a practical COM code reconstruction tutorial. The analysed function of this malware dumps the Windows Protected Storage to steal account data like member site passwords, Outlook Express accounts, autocomplete fields and so forth. As it makes heavy use of the COM interface, it was the perfect candidate to show you how this nasty code can be restored to far more readable code. Enjoy!

Practical COM code reconstruction.swf

16.07.2007

On the flight back from New York I had some time to write a small Python script which generates IDAPython code from the vtable structures inside the include files of the Microsoft PSDK 2003-R2. The generated script adds all known vtable structures from the PSDK to an IDB file to save time while reconstructing COM code. Hope it's useful for others as well. Enjoy!

VtablesStructuresFromPSDK2003R2.zip
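To show the idea behind the generator, here is an added example (not the VtablesStructuresFromPSDK2003R2 script itself): it parses the C-style vtable structs that MIDL emits into the PSDK headers and emits IDAPython that defines one IDA structure per vtable, one pointer-sized member per slot. The header excerpt is constructed, and the emitted idc calls assume the IDA 5.x-era AddStrucEx/AddStrucMember API.

```python
"""Added example: turn MIDL-style C vtable structs into IDAPython struct
definitions. Header text is a constructed excerpt; the idc calls in the
emitted code are the IDA 5.x-era AddStrucEx/AddStrucMember API (assumed)."""
import re

# Constructed excerpt in the shape MIDL emits for C consumers of COM headers.
SAMPLE_HEADER = r"""
typedef struct IUnknownVtbl
{
    BEGIN_INTERFACE
    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IUnknown * This, REFIID riid, void **ppvObject);
    ULONG ( STDMETHODCALLTYPE *AddRef )( IUnknown * This);
    ULONG ( STDMETHODCALLTYPE *Release )( IUnknown * This);
    END_INTERFACE
} IUnknownVtbl;
"""

# "typedef struct XxxVtbl { ... } XxxVtbl;" with the body captured lazily.
VTBL_RE = re.compile(r"typedef\s+struct\s+(\w+Vtbl)\s*\{(.*?)\}\s*\1\s*;", re.S)
# "( STDMETHODCALLTYPE *MethodName )" gives the slot name.
METHOD_RE = re.compile(r"\(\s*STDMETHODCALLTYPE\s*\*\s*(\w+)\s*\)")


def parse_vtables(header_text):
    """Return {'IUnknownVtbl': ['QueryInterface', 'AddRef', 'Release'], ...}.
    Method order is preserved because it is the vtable slot order."""
    tables = {}
    for m in VTBL_RE.finditer(header_text):
        tables[m.group(1)] = METHOD_RE.findall(m.group(2))
    return tables


def emit_idapython(tables, ptr_size=4):
    """Emit IDAPython source that creates one struct per vtable with a
    pointer-sized member per slot (32-bit by default, as for the 2003 PSDK)."""
    flag = "FF_DWRD" if ptr_size == 4 else "FF_QWRD"
    lines = ["from idc import *", ""]
    for name, methods in tables.items():
        lines.append('sid = AddStrucEx(-1, "%s", 0)' % name)
        for slot, meth in enumerate(methods):
            lines.append('AddStrucMember(sid, "%s", %d, FF_DATA | %s, -1, %d)'
                         % (meth, slot * ptr_size, flag, ptr_size))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(emit_idapython(parse_vtables(SAMPLE_HEADER)))
```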

16.06.2007

This small IDAPython script scans an IDB file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, hence this little helper. It personally helped me a lot while reversing several malware samples that use the COM interface, e.g. for browser or Outlook manipulation, BITS file transfer or dumping the Protected Storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA

ClassAndInterfaceToNames.zip
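As an added illustration of what the script looks for (this is example code, not ClassAndInterfaceToNames.py), the following scans a raw image for known COM class/interface GUIDs in their in-memory layout and reports their names. It runs without IDA; the GUID table stands in for interfaces.txt/classes.txt and the sample image is constructed.

```python
"""Added example: locate known COM GUIDs in a raw binary image and name them,
mirroring what the IDAPython script does inside an IDB. The GUID table is a
constructed stand-in for interfaces.txt/classes.txt; values are the
well-known IDs from the Microsoft headers."""
import uuid

# Constructed lookup table: GUID text -> symbolic name.
KNOWN_GUIDS = {
    "00000000-0000-0000-C000-000000000046": "IID_IUnknown",
    "00020400-0000-0000-C000-000000000046": "IID_IDispatch",
    "4991D34B-80A1-4291-83B6-3328366B9097": "CLSID_BackgroundCopyManager",
}


def guid_to_bytes(text):
    """Encode a GUID as it is stored in a PE image: Data1, Data2 and Data3
    little-endian, Data4 as eight raw bytes (uuid.bytes_le does exactly this)."""
    return uuid.UUID(text).bytes_le


def build_guid_index(table):
    """Map the 16-byte in-memory form of each GUID to its name."""
    return {guid_to_bytes(g): name for g, name in table.items()}


def scan_for_guids(image, table=KNOWN_GUIDS):
    """Return (offset, name) pairs for every known GUID found in `image`.
    Every byte offset is tried, since GUID constants need not be aligned."""
    index = build_guid_index(table)
    hits = []
    for off in range(0, len(image) - 15):
        name = index.get(image[off:off + 16])
        if name:
            hits.append((off, name))
    return hits


def make_sample_image():
    """Constructed blob resembling a .rdata section: two GUID constants
    surrounded by unrelated bytes."""
    return (b"\x90" * 7
            + guid_to_bytes("4991D34B-80A1-4291-83B6-3328366B9097")
            + b"BITS" + bytes(5)
            + guid_to_bytes("00000000-0000-0000-C000-000000000046")
            + b"\xff" * 3)


if __name__ == "__main__":
    for off, name in scan_for_guids(make_sample_image()):
        print("0x%04x  %s" % (off, name))
```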

03.06.2007

MFC42Ord2FuncNames is a small IDAPython script which converts MFC42 ordinal functions to their real names. Normally IDA Pro should do this automatically, but in some cases the IDA auto-analysis fails. Watch the short flash movie included in the package for details.

MFC42Ord2FuncNames.zip

14.05.2007

Brian Krebs from "The Washington Post" wrote a nice article on his blog about BITS here:

New Attack Piggybacks on Microsoft's Patch Service

13.05.2007

VMEDetect v0.1 is a small command-line tool written in assembly, which uses the RDTSC trick to check for the presence of VMware and Virtual PC.

VMEDetect v0.1.zip

11.05.2007

This is a little proof-of-concept to test whether your application firewall alerts when bitscode.exe tries to download and execute fwbypassalert.exe from this site.

bitscode.zip

Also check out Elia Florio's blog for more information on this problem.

Malware Update with Windows Update

22.03.2007

There's a new version of SYSER available, a SoftICE-like kernel debugger with a nice GUI. Supported OSes are Windows 2000, XP, 2003 and Vista!!! Software and documentation can be found here:

http://www.sysersoft.com/download/

Also check out the Links section. Added a bunch of nice sites.

21.01.2007

I put a new paper online. It is an analysis of the Rustock.B rootkit. The rootkit uses several proprietary obfuscation/packing methods to hide the native driver code from prying eyes. I have divided the paper into two main parts. The first part, which is divided into three stages, describes how to extract the native rootkit driver code without the use of kernel debuggers or other ring0 tools. The second part basically does the same, but much faster and with less effort, using the SoftICE kernel debugger. Each part shows various possibilities for solving the different problems facing the researcher when analyzing Rustock. All the code and IDB files are included in the package!

13.12.2006

There's a new flash movie on manual unpacking and Auto-IAT fixing UPX and Aspack in the papers section. This might be useful for people who are new to malware analysis and don't have a clue how to unpack and repair a binary.

10.12.2006

IDAAPIHelp v0.3 is ready for download! The API database has grown a lot (16.1 MB) and now includes the Windows Platform SDK, DDK, NTundoc as well as MSCRT APIs like free, memset, malloc, fopen etc.

17.10.2006

Today I have a small IDAPython script for you that saves time when searching for API information while, e.g., analyzing a malware sample with IDA Pro. It looks at the cursor position for a valid API call and, if one is found, shows you the matching API information from the provided help file. The package can be found in the ccode section.

12.10.2006

It seems that Oleh Yuschuk will strike back in the near future with a new release of his rocking debugger OllyDbg, but read for yourself:

http://www.ollydbg.de/version2.html

13.07.2006

After some lazy months I've finally found the time to release something. Superkill is a small tool to kill processes which are normally protected from being stopped at application level. After starting, Superkill extracts its driver from its RC_DATA resource, installs it as a service and runs the driver. Communication between the application-level code and the driver is handled through the DeviceIoControl() function. Full source code included. Flip to the ccode section for downloading.

26.05.2006

Just read Matt Pietrek's blog and I'm completely aghast at the moment. Compuware retired DriverStudio and therefore SoftICE, my beloved debugger. This is a really sad day for me and I'll booze like hell at the PH-Neutral conference tonight to quickly forget what I read some minutes ago.

Here's the link to the blog post:

http://blogs.msdn.com/matt_pietrek/archive/2006/04/07/570927.aspx

As well as an obituary from one of its parents:

http://blogs.msdn.com/matt_pietrek/archive/2006/04/11/573621.aspx

18.03.2006

My first paper is a step-by-step guide to using the world's best debugger, SoftICE, which is part of Compuware's DriverStudio. This essay discusses the installation and configuration of the debugger, the most useful commands SoftICE offers, a rocking extension called IceExt, as well as a categorized list of good breakpoints. For a better understanding, screenshots are placed at distinctive points. Flip to the papers section for further reading.

13.03.2006

Welcome to my little site. Here you'll find several papers and code regarding reverse engineering which are hopefully useful for others as well. Feel free to discover the different sections and download some of my work. Don't miss the links to friends and other good reverser sites. I'll try to update this site on a regular basis, but remember that I do this in my very spare time. So don't blame me if there's a month without an update. Now enjoy the content here and just drop me some lines if you have questions regarding this page or constructive reviews of my work (the email address can be found in the about section).

cheers, frank
