
Owning a GINA Hook

I recently took a break from poking at Storm to do real work on some custom malware recovered in a compromise here.

This analysis is of a MS GINA hook that encrypts its log file with RC4. I'm light on mechanical details of the reversing and instead have focused on screenshots, an overview of the investigation, and some perl code to do the decrypting.
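Since the post's own Perl decryptor is only in the linked PDF, here is a stand-alone decryptor for an RC4-encrypted log file, written in Python for this page (it is not the author's code). The key, the log lines and the blob are constructed placeholders; in a real case the key comes out of the hook DLL during reversing, and the printable-text check is the quick sanity test for whether a candidate key is the right one.

```python
"""RC4 log decryptor (added example; not the post's own Perl code).

SAMPLE_KEY and SAMPLE_PLAINTEXT are constructed placeholders. In practice the
key is recovered from the GINA hook DLL during analysis.
"""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-byte state permutation."""
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    return state


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: XOR the data with the RC4 keystream.

    RC4 is a stream cipher, so the same call encrypts and decrypts.
    """
    state = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(byte ^ state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def looks_like_text(buf: bytes, threshold: float = 0.95) -> bool:
    """Plausibility check for a candidate key: the right key yields mostly
    printable ASCII, a wrong key yields byte soup."""
    if not buf:
        return False
    printable = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(buf) >= threshold


def decrypt_log(key: bytes, blob: bytes) -> list:
    """Decrypt a whole log blob and return its lines.

    Raises ValueError when the output does not look like text, which almost
    always means the key is wrong.
    """
    plain = rc4_crypt(key, blob)
    if not looks_like_text(plain):
        raise ValueError("decrypted data is not text; wrong key?")
    return plain.decode("ascii", errors="replace").splitlines()


# Constructed sample: a fake logon log encrypted under a placeholder key.
SAMPLE_KEY = b"example-key"
SAMPLE_PLAINTEXT = (
    b"LOGON user=alice domain=EXAMPLE\r\n"
    b"LOGON user=bob domain=EXAMPLE\r\n"
)
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    for line in decrypt_log(SAMPLE_KEY, SAMPLE_BLOB):
        print(line)
```

`rc4_crypt` is checked against the standard published RC4 test vectors, so it can be dropped in against a real blob once the key is known; `decrypt_log` refuses output that is not mostly printable, which is the usual first signal that a guessed key is wrong.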

You can get the analysis here:
Owning a GINA Hook

You can get the malware here:

This is my first public reversing work outside of the limited details published in a few Storm papers so I hope it passes muster...




Looks really interesting :) Nice work and thanks for sharing the info


Really good work Brandon, keep it up!

As I see, you did the work without a debugger or other tool,
so you seem to have quite a tricky head!

As for "how to load the DLL", there is a quite famous tool: LordPE..
it has an option "Break & enter";
(meaning you will break in the debugger)...