HD Moore's and my Blackhat/Defcon talk materials, including slides, paper and videos, are up and available on the Metasploit site.
Enjoy, and if you have any questions or ideas, let one of us know.
These are the presentation materials we presented at Blackhat USA 2007 and Defcon 15. Thanks to everyone who came to the talks.
Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this paper we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.
Read more for the release notes for Saffron DI.
The Blue Pill PoC has finally been published.
I was wondering if it is bad to create viruses if you have never set them off and have no intention of setting them off or distributing them to other computers, but do it just out of plain curiosity.
If anyone has any replies to this, please send them.
(And I have not created any viruses...)
We are putting the final touches on our presentations for next week. Saffron, which will be demoed at Blackhat and Defcon, is in good working order. The results are amazing and we hope you'll be able to make our talk. If you can't, feel free to catch us around the conference.
Covert Debugging: Circumventing Software Armoring Techniques is on Thursday at 10am in the Augustus 1+2 Ballroom. We'll be giving the same talk, although somewhat shorter at Defcon on Friday at 2pm in the Track 1 speaking area.
Valsmith and HD Moore will also be giving their Tactical Exploitation talk at 1:45pm on Wednesday in the Tiberius Ballroom 3+4+7+8 and again at Defcon on Friday at 4pm in the Track 1 speaking area.
Valsmith and Delchi will speak on Malware Secrets at Defcon, 11am on Saturday in the Track 2 speaking area.
We hope to see you there!
Hey all, here's a link to my primary blog (http://iamhalsten.thecoderblogs.com), which contains an extensive analysis of a malware sample I reversed recently. Hope you enjoy reading it.
Simple backdoor source code. OC hash: 12c4938b3375227416af892494884bb5
Hello, since I have used this site as a great resource for malware, I would like to post my analysis and pseudocode/code of "Worm.IRC.Lamirc", which I picked up right here on the OC website. This is a simple IRC-controlled backdoor. It was not hard to RE, and it might not be anything new to the users of this website. Still, this source code is good for learning purposes. The code does not compile and I was not interested in compiling it (I didn't try). Where the functions look redundant or weird, it is because IDA analyzed them this way or because the original writer/compiler of the code made it this way.
Once executed, malware.exe (which I'm guessing was originally called "GOLD.exe") copies itself to "c:\iaatbp.exe" to mask its presence as a supposedly system-looking file. Then it fills a few mIRC ini files with script event triggers. When mIRC is started by a user, these get executed; below is a more detailed description of what each does. These files (remote.ini, scripts.ini) are read and their content is executed on mIRC startup.
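A defender-side check for the persistence mechanism described in the post above, as an added example that is not part of the original post or the sample's code: it scans the [script] section of an mIRC remote.ini/scripts.ini for event handlers that launch or send executables. The ini layout (a [script] section of numbered nN= lines), the handler patterns and the sample content are assumptions constructed for the example.

```python
import re

# Constructed sample of a remote.ini fragment in the assumed mIRC layout;
# not taken from the real Lamirc sample.
SAMPLE_REMOTE_INI = """[script]
n0=on 1:START:/run c:\\iaatbp.exe
n1=on 1:JOIN:#:/dcc send $nick c:\\iaatbp.exe
n2=on 1:TEXT:*hello*:#:/msg $chan hi $nick
"""

# "on <level>:<EVENT>:..." is the assumed shape of an mIRC event handler.
EVENT_RE = re.compile(r'^\s*on\s+\S+:(?P<event>[A-Z]+):', re.IGNORECASE)

# Handler bodies worth flagging: launching a program, or DCC-sending an
# executable (the spreading behaviour of an IRC worm).
SUSPICIOUS = (
    re.compile(r'/?run\s', re.IGNORECASE),
    re.compile(r'/?dcc\s+send\b.*\.(exe|scr|bat|com)\b', re.IGNORECASE),
    re.compile(r'\.exe\b', re.IGNORECASE),
)


def script_lines(ini_text):
    """Yield (key, value) pairs from every [script] section of an ini file."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section == 'script' and '=' in line:
            key, value = line.split('=', 1)
            yield key.strip(), value.strip()


def find_suspicious_handlers(ini_text):
    """Return [(key, event, handler)] for handlers that run or ship executables."""
    hits = []
    for key, value in script_lines(ini_text):
        match = EVENT_RE.match(value)
        if match and any(p.search(value) for p in SUSPICIOUS):
            hits.append((key, match.group('event').upper(), value))
    return hits


if __name__ == '__main__':
    for key, event, handler in find_suspicious_handlers(SAMPLE_REMOTE_INI):
        print(f'{key}: on {event} -> {handler}')
```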
Thanks to Delchi for organizing this.
Rob Lemos contacted the MPack author and interviewed them. He writes, "In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites."
Since more and more malware is using the COM interface, I thought it was time to write some reconstruction helpers and create a video tutorial on how to use them on real-life malware. You'll see how a complete function that uses the COM interface is translated into far more readable code than before. The code itself dumps the Windows protected storage to steal account data such as member site passwords, Outlook Express accounts, autocomplete fields and so forth. The IDAPython scripts are also available on my site.
Practical COM Code Reconstruction at Reconstructer.org