For a long time now (BHOs have been supported since IE 4.0), malware writers have exploited BHO functionality to prey on IE users.
A malicious BHO usually has two functions (certainly when we talk about banking trojans):
- monitoring/logging of requests sent by the browser (POST dump: password stealing)
- dynamic modification of the HTML page code (HTML code injection, used e.g. to add extra form fields intended to obtain more TAN codes or, more generally, some
Read entire post here: BHO Reversing
I recently returned to the idea of an OllyDbg plug-in that would provide functionality similar to IDA's, including renaming functions and giving global variables a more readable form.
I think the best way to present its use and functionality is to see it in action:
More info here:
NameChanger ver 1.0 – OllyDbg plugin
Maybe you are one of those who have believed until now that the maximum path length in Windows is MAX_PATH (260 characters). Nothing could be further from the truth!
In the document you can download below I have described, among other things:
- what the maximum path length is and where it comes from
- how to create paths longer than MAX_PATH
- details of the WinAPI functions where the path length and its type are checked
Messing around recently with gmer's code, I discovered a logic bug that can cause abnormal behavior in random applications.
[+] Location of the problem
If a file can't be deleted in the usual way, gmer will try to close all open handles to this file and then delete the file.
In my opinion, the implementation of this procedure has not been thought through correctly.
More info here
During some research whose results I'm going to publish in the near future, I discovered a bug in the gmer win32 application that causes a buffer overflow.
(Un)fortunately, because of the security cookies present in the code and the nature of the function where the BO appears, it is not possible to
achieve code execution.
Despite a couple of attempts to contact gmer's author, I have not received any response to this day, and unfortunately the bug has not been fixed yet either. So the only thing I can do now is share the advisory with you, which you can download from here:
Another release in a short time ;).
This time I want to present my 'multimedia trojan' disinfector.
A little automatic tool that will let you cure infected files.
Analysis of infected files is based on signatures located in:
%temp%\dis_signatures.ini; the default file contains one well-known URL address added by GetCodec:
More info (Spanish) can be found here: