carib <firstcarib gmail com>
Tuesday, January 9 2007 14:43.01 CST
Hi everyone,
I just put up that paper on line. If you're interested in reverse engineering malicious codes, you might wanna check it out:
Anatomy of a Malware
You can post your comments on the blog if you have some,
Cheers.
One stupid thing I realized today at work is that the section '.newIID' is actually created by OllyDump. It contains the Import Directory and Import names that were resolved by the plugin when dumping the executable.
Note that OllyDump only resolves addresses when used in 'call [api]' and 'jmp [api]', other ways to call an API might not get resolved. For instance, two APIs in this malware were not resolved: malloc and memset exported by msvcrt. The compiler generated code like:
call @1            ; call to a local thunk, not 'call [api]'
...
@1:
jmp [@2]           ; the thunk jumps through an import (IAT) slot
...
@2:
memset_address     ; slot holding the resolved address of memset
In this case, OllyDump does not resolve @1. Obviously, obfuscated or tricky calls will not be resolved either.