
Icewall's blog

BHO Reversing


For a long time now (BHOs have been supported since IE 4.0) malware writers have exploited BHO functionality to prey on IE users.
Mostly, a malicious BHO has two functions (certainly if we talk about bankers):

- monitoring/logging the requests sent by the browser
POST dump - password stealing
- dynamic modification of the HTML page code
HTML code injection - used e.g. for adding additional form fields intended to obtain more TAN codes, or generally some


Read entire post here: BHO Reversing

NameChanger ver 1.0 – OllyDbg plugin

I recently returned to the idea of an OllyDbg plug-in which would provide functionality similar to that in IDA, related inter alia to changing the names of functions or setting a more readable form for global variables.
I think that the best way to present its adoption and functionality is to see it in action:
More info here:
NameChanger ver 1.0 – OllyDbg plugin

Extended length paths in Windows

Maybe you are one of those people who have believed until this moment that the maximum length of a path in Windows is equal to MAX_PATH (260 characters). Nothing could be further from the truth!

In the document which you can download below I have described, inter alia:

- what the maximum path length is and where it follows from
- how to achieve the possibility of creating paths longer than MAX_PATH
- details related to the WinAPI functions where the path length and its type are tested

The entire post you can find here:

Logical bug in <= gmer.sys [1, 0, 15, 4809 built by: WinDDK]

Messing around a little bit recently with gmer's code, I discovered a logical bug which can cause abnormal behavior of random applications.

[+] Localization of the problem
If some file can't be deleted in the usual way, gmer will try to close all open handles related to this file and after that delete the file.
In my opinion the implementation of this procedure has not been thought out correctly.

More info here

<= GMER Buffer overflow 0day

During some research whose results I'm going to publish in the near future, I discovered a bug in the gmer win32 application which causes a buffer overflow.
(Un)fortunately, because of the security cookies present in the code and the character of the function where the BO appears, it's not possible to
achieve code execution.
Despite a couple of my tries to contact gmer's author I haven't received any response to this day and unfortunately the bug has not been fixed yet either. So, the only thing I can do now is to share with you an advisory, which you can download from here:


Another release in a short time ;).
This time I want to present you my 'multimedia trojan' disinfector.
A little automatic tool which will give you the possibility to cure infected files.
Analysis of infected files is based on signatures located in:
%temp%\dis_signatures.ini ; the default file contains one well-known URL address added by GetCodec:

More info (Spanish) you can find here:

Details about the GetCodec multimedia trojan (Detalles sobre el troyano multimedia GetCodec)


MD5...: 914adbbfaae6f87a6f758bf4ba1efd6d
SHA1..: 0861ed42ffc175c668f53050e22baa38d2c5ba04


Multimedia trojan analysis

I just released my analysis of the lately well-known 'multimedia trojan', also called:
Symantec - Trojan.Brisv.A
Sophos - W32/GetCodec-A

You can download this paper in two language versions:
I hope you will enjoy it.
