OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Topic created on: April 29, 2009 12:42 CDT by x0rr0x .

Any public research on this available?
Only thing that comes close to what I'd be looking for would be the process stalker in paimei. But that relies entirely on the pida dump output.
tools providing more info on the internal functions of an (possibly packed) executable are always helpful...
thanks in advance

Sellmi		May 1, 2009 04:49.21 CDT
http://www.pintool.org/

mugg		May 3, 2009 00:07.56 CDT
Various api loggers and reversing tutz are available online. What exactly are you looking for, a pre-built open source system? Pin is ok. Threatexpert provides summarized info and suggestions about the recognized behavior in its reports too. www.threatexpert.com If open source is what yer lookin fer, you might check out 0wine. http://zerowine.sourceforge.net/ Packer support and general malware support seems to be somewhat unreliable: "Zero wine runs malware quite well overall, however, it has problems with various packers (in example, wine fails almost always with PE programs packed with Armadillo) and sometimes you will get no data for both �Report� and �Signature� sections. Anyway, the �Headers� and �Strings� report's sections will appear giving you interesting information about the binary (although not the behavior of the malware)." I can't imagine interesting malware distributed without being packed/obfuscated in some manner. Good luck.

x0rr0x		May 5, 2009 10:14.42 CDT
pintool rocks! though it doesn't work for kernel mode afaic are there any public libraries/toolsets for kernel-mode profiling? cheers!

x0rr0x		May 17, 2009 18:37.18 CDT
browsing gamedeceptions (gamedeception.net) forums i found this very interesting link on the subject. http://www.woodmann.com/forum/showthread.php?t=11306 gd has some pretty nice stuff on reversing btw. unless you are looking for malware specific stuff. cheers!

Note: Registration is required to post to the forums.

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit