📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Brainstorms - General: Beginning Malware Analysis

Topic created on: April 19, 2007 22:30 CDT by spx2 .

I just installed IDA, VMware and OllyDbg.
Suppose I have a malware sample: should I put it inside VMware and then analyse it with OllyDbg (with OllyDbg running inside VMware)?
With IDA, should I analyse the malware inside VMware or from outside it?
Does VMware have any feature related to saving a snapshot of the current image of the guest OS (if so, where can I find that)? Every time the malware gets out of control under VMware, should I use that snapshot to restore it?
I do have to mention that, for now, I am thinking about what I should do when I do start.
Also, I must mention that I have 196 MB of RAM and a 1600 MHz CPU and not much chance of upgrading, so what can I do to optimize the speed at which VMware is running?
Is there a malware sample I could start analysis with? By that I mean, is there a malware sample which does little harm and that I could start analysing?

  dennis     April 20, 2007 01:19.49 CDT
Generally, if you want to debug the code, it is being executed. Of course you could do that on your host machine ("outside" VMware), but in general it is better to debug the code inside VMware. If you want to disassemble it with IDA, you can also do that in a VM (since IDA has a debugger as well); it depends on how you like it.
About your very last question: it doesn't matter which malware, malware usually DOES harm ;-) Just be sure to install a firewall inside your VM as well (or at least temporarily disable the virtual VMware network adapter); the malware could use exploits to spread over the network, for example.

  Aram     April 20, 2007 01:28.06 CDT
> spx2: just installed ida,vmware,ollydbg
> suppose i have a malware,should i put it inside vmware,and then analyse it with ollydbg(with ollydbg running inside
> vmware) ?
OllyDbg is a debugger, and the code running in it must be under control if it poses a threat (VMware or Virtual PC).
> with ida should i analyse the malware inside vmware or from outside it ?
IDA is a tool for static analysis (but it has a debugger too) that allows running it outside VMware (for static analysis purposes).
> does vmware have any feature related to saving a snapshot
> of the current image of the guest os(if so where can i find that?) ? - everytime the malware gets out of control under the vmware should i use that snapshot to restore it ?
The Workstation version from VMware has snapshot management (it works like a SaveState in emulators); this allows restoring to a previously saved point.
> also i must mention that i have 196mb of ram and 1600mhz cpu  and not much
> chances of upgrading so what can i do to optimize the speed
>  at wich vmware is running ?

It's a "small" machine for that, but it's possible to run VMware (sloooooooooooooow).

> is there a malware wich i could start with analysis?
> by that i mean,is there a malware wich does little harm
> and that i could start analysing ?

If you're starting to learn RE, you must begin with other types of examples: tutorials, crackmes, ...

Sorry for my bad English :P

Salu2

  anonymouse     April 20, 2007 02:44.34 CDT
Well, I consistently use Microsoft's Virtual PC from the time it was declared free software (from v2004 to the current 2007 beta).

It has performed very well for me in very, very low-memory systems as well:
128 MB P3s for the host XP and 32 MB for the target W2K Pro.

For snapshots, VPC offers a differencing disk,
but I usually have a separate copy of a clean VHD.

For debugging, you should always do it inside a virtual environment, as it is high risk.

As for disassembling, you have a lower probability of infecting your real machine (yeah, there exist some exploits that could send an inordinately long exe file name and end up in a buffer overflow executing code even while disassembling), so keep in mind it is still not safe to do anything on a real machine.

As far as possible, use minimal-risk machines to perform malware analysis.

A simple old harmless prank malware could possibly be a decoy, and it could really be a 0day wreaking havoc.


Btw, if you are just starting out, sharpen your knives on
crackmes (www.crackmes.de) and reversemes before
delving into unknown and potentially harmful stuff.

  PSUJobu     April 21, 2007 18:56.30 CDT
Great comments from everyone so far, so I'll only add one tidbit regarding VMware and snapshots. The non-free VMware Workstation has an excellent "Snapshot Manager" that provides all sorts of snapshotting options. It would allow you to do precisely what you talk about.

VMware Server (free) offers only a single snapshot, and taking a new snapshot overwrites the previous one. That would still allow you to "rewind" the VM to a pre-infection state, but not to save multiple states as VMware Workstation allows.

Okay, one more tidbit:  When you "graduate" to malware, be particularly careful of malware that is VM-aware or actually messes with VMware. I don't know if any malware actively exploited any of the reported security holes in VMware, but you would do well to listen to the advice of most malware researchers: treat any machine on which you run malware as "disposable." Malware can theoretically break out of the VM and attack the host, whether via VMware (or VPC) exploits or via the network. Not to mention that the malware could attack other PCs on your home network, your ISP, etc. You wouldn't want them blocking your access or anything because you're actively exploiting your neighbors, and you wouldn't want your only PC to be infected if you use it for anything "important".

  Aram     April 23, 2007 05:54.35 CDT
If you want to debug a "malware", you may try to debug a demo rootkit (like Vanquish or something similar). In advance, this rootkit injects code into another process to load a DLL in that process and hide files.

On www.rootkit.com you can find this and other samples.

  ZuTLe     April 26, 2007 06:22.15 CDT
Malware that is aware of virtual systems is a very real threat. In fact, code to detect VMware has already been seen in Agobot and others. There are two ways that malware can escape from the "isolated", virtual environment in which the programs run under VMware. One is through the standard networking interface (VMware Bridge Protocol); this is what you use when you tunnel your guest out (if you need an internet connection for your guest...). The other way is by using VMware's "undocumented" backdoor, which works locally (it does not communicate with any network adapter at all) by loading instructions and data into registers and then reading or writing to a local, dedicated I/O port. If the code causes an exception, it means that the program is running on a real system. If not, VMware is detected. So, you see, it would be quite naive to believe that malware authors don't know how to use this backdoor, as they are already using it. You can read a great description of this backdoor on VM Back's pages (http://chitchat.at.infoseek.co.jp/vmware/backdoor.html#top). VM Back provides command line services like vmrun in "VMware tools", which probably uses this interface as well.

It is however possible to patch the VMware binary, either to change the "magic word" or to simply disable it. (This "magic word" is kept within the VMware binary, and when the backdoor code executes, it checks if the two values are equal.) Honeynet-related sites can give you more info on this, as they are already using VMware in honeypots.

VMware Workstation 6 has great snapshot support btw; it even adopts and adds to the VIX interface, providing API support (like VixVM_ListProcessesInGuest(), VixVM_CreateSnapshot(), VixVM_GetCurrentSnapshot() ... and yes, VixVM_RevertToSnapshot() :). You can do this manually using the GUI as well (very intuitive and easy, XP style q:D), and yeah, you can download the beta of VMware Workstation 6 from VMware's own site(s) for free.

..but baby think twice :P
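The backdoor probe ZuTLe describes (magic value in a register, a dedicated I/O port, and an IN that faults on real hardware) leaves a recognisable byte pattern in a sample, which is what a triage step looks for to flag VM-aware code before running it in a VM. The following static check is an added example, not code from this thread or from VM Back; the magic and port constants are taken from VMware's public backdoor documentation (the write-up linked above), and all three sample byte strings are hand-assembled here, not taken from any real malware.

```python
"""Static triage check for the VMware I/O-port backdoor probe in x86 code.

Constructed example: scans raw bytes for the instruction pattern a VM-aware
sample uses to talk to the backdoor and reports how complete the probe is.
"""
import re
import struct

# Backdoor interface constants from VMware's public backdoor documentation
# (the VM Back write-up the post links to); they are not quoted in the thread.
VMWARE_MAGIC = 0x564D5868         # 'VMXh', loaded into EAX before IN/OUT
VMWARE_PORT = 0x5658              # 'VX', the dedicated I/O port loaded into DX
VMWARE_CMD_GETVERSION = 0x0A      # command used by the usual "are we in VMware" probe

MAGIC_LE = struct.pack("<I", VMWARE_MAGIC)    # b"hXMV" as it appears in an imm32
PORT_LE16 = struct.pack("<H", VMWARE_PORT)    # b"XV"

# Encodings of the instructions a probe needs (32-bit code, immediate forms).
MOV_EAX_MAGIC = b"\xb8" + MAGIC_LE                  # mov eax, 'VMXh'
MOV_DX_PORT = b"\x66\xba" + PORT_LE16               # mov dx, 0x5658
MOV_EDX_PORT = b"\xba" + PORT_LE16 + b"\x00\x00"    # mov edx, 0x5658
MOV_ECX_GETVERSION = b"\xb9" + struct.pack("<I", VMWARE_CMD_GETVERSION)
IN_EAX_DX = b"\xed"                                 # in eax, dx


def find_backdoor_probes(code: bytes, window: int = 32) -> list:
    """Return one record per `mov eax, 'VMXh'` found in `code`.

    The record says whether the next `window` bytes also load the backdoor port
    into DX/EDX and execute IN; only that full triple is the classic probe, so a
    bare magic load (which can be data or an unrelated constant) is reported as
    low confidence rather than ignored.
    """
    hits = []
    for match in re.finditer(re.escape(MOV_EAX_MAGIC), code):
        start = match.start()
        region = code[start:start + window]
        has_port = MOV_DX_PORT in region or MOV_EDX_PORT in region
        has_in = IN_EAX_DX in region
        command = "GET_VERSION" if MOV_ECX_GETVERSION in region else None
        hits.append({
            "offset": start,
            "port_load": has_port,
            "in_insn": has_in,
            "command": command,
            "confidence": "high" if has_port and has_in else "low",
        })
    return hits


def is_vm_aware(code: bytes) -> bool:
    """True when at least one high-confidence backdoor probe is present."""
    return any(h["confidence"] == "high" for h in find_backdoor_probes(code))


# Constructed samples (hand-assembled bytes, not taken from any real malware).
PROBE = (
    MOV_EAX_MAGIC                 # mov eax, 'VMXh'
    + MOV_ECX_GETVERSION          # mov ecx, 0x0A   (GET_VERSION)
    + MOV_DX_PORT                 # mov dx, 0x5658
    + IN_EAX_DX                   # in eax, dx      (#GP on bare metal; EBX gets the magic under VMware)
    + b"\x81\xfb" + MAGIC_LE      # cmp ebx, 'VMXh'
)
SAMPLE_VM_AWARE = b"\x55\x8b\xec" + b"\x90" * 10 + PROBE + b"\x74\x05\xc9\xc3"
SAMPLE_CLEAN = b"\x55\x8b\xec\x33\xc0\xed\xc9\xc3"        # an IN with no magic/port setup
SAMPLE_MAGIC_ONLY = MOV_EAX_MAGIC + b"\xc3"               # constant present, no I/O

if __name__ == "__main__":
    for name, sample in [("vm-aware", SAMPLE_VM_AWARE),
                         ("clean", SAMPLE_CLEAN),
                         ("magic-only", SAMPLE_MAGIC_ONLY)]:
        print(name, is_vm_aware(sample), find_backdoor_probes(sample))
```

Run it over a dumped code section rather than the whole file: the 0xED byte of `in eax, dx` is far too common to match on its own, which is why the check is keyed on the magic load and only counts the port load and IN inside a short window after it. A packed sample will not show the pattern until it is unpacked, so a clean result from this check is no reason to skip the isolated VM that the rest of the thread recommends.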

  PSUJobu     April 26, 2007 07:14.02 CDT
Great link, ZuTLe - very interesting!
