Here are the slides to my talk "Hunting rootkits with Windbg" at the Ruhr University of Bochum yesterday. I'll introduce several ways to find well known rootkits like Rustock or TDL Versions 3+4 with Windbg and scripts. Enjoy!
http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf
The Windbg script shown in the slides to grab kernel callbacks can be found here:
I have recently set up a honeynet lab and I'm looking for help with sources where I can get some worms so that I can inject them on my honeypots. My research is on IRC bots, so please help me.
About a month ago I posted a blog describing research I was doing on malicious PDF files. As part of this research I needed a way to represent a malicious PDF file in a queryable form. I ultimately decided on MongoDB as my backend and therefore wanted to get the malicious file in a JSON form so I could store it.
The tool I just released today is a composite of tools from myself and Didier Stevens. Didier's PDF tools have done a lot of the heavy lifting, but my glue code brings multiple pieces of data into a single object. As of right now the object contains the following details:
VERA 0.3 has been released. This new version contains a bunch of new features and API improvements. The biggest update is the addition of trace file parsing and analysis inside the GUI, which removes the need for the gengraph.exe program. The next big feature is the integration with IDA Pro. Currently it only supports IDA versions 5.6 and 6.0. Finally, VERA now includes documentation.
Please feel free to email me (dquist at this domain) if you have any comments. Those of you who have responded, thank you very much.
* Added processing of trace files without having to use gengraph via new wizard
* Better handling of low memory situations
* Major code cleanup, refactoring, and new buzzwordy sounding tasks
* Added a toolbar, because everyone loves those
* Added IDA integration and IDA Pro module
* Fixed a bug involving parsing of non-traditional Ether trace files
* Now should support larger and more complicated graphs
* I'm getting paid to write and support VERA. :)
At Shmoocon 2011 I'll be rolling out the next version of VERA, complete with new features.
For the past few days I have been completely immersing myself in PDF research in the hope of finding better ways to detect malicious PDF files. I have collected a pretty good random sample set (15K) of PDF data and have a bunch of malicious files with the same statistics. I have written some basic tools to aid in my research, and it would be nice to get some input on the results I have found so far.
The outline of the project can be found here:
The blog with all the research, data and tools that have been released can be found here:
I recently returned to the idea of an OllyDbg plug-in that would provide functionality similar to IDA's, related, inter alia, to changing the names of functions or setting a more readable form for global variables.
I think that the best way to present its use and functionality is to see it in action:
More info here:
NameChanger ver 1.0 – OllyDbg plugin
We recently undertook a project to update the hands-on labs in our Reverse Engineering Malware course, and one of our InfoSec Resources Authors, Giuseppe "Evilcry" Bonfa, defeated all of the anti-debugging and anti-forensics features of ZeroAccess and traced the source of this crimeware rootkit:
InfoSec Institute would classify ZeroAccess as a sophisticated, advanced rootkit. It has 4 main components that we will reverse in great detail in this series of articles. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power users to remove and very difficult for security experts to forensically analyze.
I want to announce that our new malware feeds alliance has been launched: http://c300g.net.
We are open to feed exchange for the sole purpose of research.
We already have 8 different vendors with whom we are exchanging data; we also work with 6 different sensors deployed across several different geographical hosting services.
We already have more than 8,000,000 samples.
We will launch the Dissect||PE smart threat analysis framework on January 1, 2011.
Malware in the wild is exploiting this vulnerability. This vulnerability allows remote code to be executed when a debugger loads a specially crafted executable using Microsoft's Dbghelp.dll (ver 5.x).
When I was trying to load the malware that uses this trick, it made OllyDbg exit. The link below has some interesting stuff about this vulnerability.
Maybe you are one of those people who believed until this moment that the maximal length of a path in Windows is equal to MAX_PATH (260 characters). Nothing could be further from the truth!!!
In the document, which you can download below, I have described, inter alia:
- what the maximum path length is and what it follows from
- how to create paths longer than MAX_PATH
- details related to the WinAPI, where path length and its type are tested