<?xml version="1.0"?>
<rss version="2.0">
    <channel>
        <title>OpenRCE: Articles</title>
        <link>http://www.openrce.org/rss/feeds/articles</link>
        <description>OpenRCE: The Open Reverse Code Engineering Community</description>
                <item>
            <title>Memoryze Memory Forensics Tool</title>
                            <pubDate>Wed, 26 Nov 2008 20:06:40 -0600</pubDate>
                                        <link>https://www.openrce.org/articles/full_view/32</link>
                                        <author>peter &lt;email-suppressed@example.com&gt;</author>
<description>The goal of this article is to demonstrate how simple malware analysis can be using Memoryze and some good old-fashioned common sense. Readers should have some knowledge of how malware works and be somewhat familiar with &lt;a href=&quot;http://www.mandiant.com/software/memoryze.htm&quot;&gt;Memoryze&lt;/a&gt;. A good place to familiarize yourself with Memoryze is the user guide included in the installer.
&lt;br&gt;&lt;br&gt;
Memoryze is designed to aid memory analysis in incident response scenarios, but many of its features are equally useful for malware analysis. What sets Memoryze apart is that it does not rely on API calls. Instead, Memoryze parses the operating system's internal structures to determine for itself what the operating system and its running processes and drivers are doing.
</description>
                    </item>
                <item>
            <title>Memoryze and Malware Analysis</title>
                            <pubDate>Wed, 26 Nov 2008 08:46:13 -0600</pubDate>
                                        <link>https://www.openrce.org/articles/full_view/31</link>
                                        <author>PeterSilberman &lt;email-suppressed@example.com&gt;</author>
<description>The goal of this article is to demonstrate how simple malware analysis can be using Memoryze and some good old-fashioned common sense. Readers should have some knowledge of how malware works and be somewhat familiar with &lt;a href=&quot;http://www.mandiant.com/software/memoryze.htm&quot;&gt;Memoryze&lt;/a&gt;. A good place to familiarize yourself with Memoryze is the user guide included in the installer.
&lt;br&gt;
Memoryze is designed to aid memory analysis in incident response scenarios, but many of its features are equally useful for malware analysis. What sets Memoryze apart is that it does not rely on API calls. Instead, Memoryze parses the operating system's internal structures to determine for itself what the operating system and its running processes and drivers are doing.
</description>
                    </item>
                <item>
            <title>Memoryze and Malware Analysis</title>
                            <pubDate>Wed, 26 Nov 2008 08:40:05 -0600</pubDate>
                                        <link>https://www.openrce.org/articles/full_view/30</link>
                                        <author>PeterSilberman &lt;email-suppressed@example.com&gt;</author>
<description>The goal of this article is to demonstrate how simple malware analysis can be using Memoryze and some good old-fashioned common sense. Readers should have some knowledge of how malware works and be somewhat familiar with &lt;a href=&quot;http://www.mandiant.com/software/memoryze.htm&quot;&gt;Memoryze&lt;/a&gt;. A good place to familiarize yourself with Memoryze is the user guide included in the installer.
&lt;br&gt;
Memoryze is designed to aid memory analysis in incident response scenarios, but many of its features are equally useful for malware analysis. What sets Memoryze apart is that it does not rely on API calls. Instead, Memoryze parses the operating system's internal structures to determine for itself what the operating system and its running processes and drivers are doing.</description>
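The three Memoryze summaries above make the same point: a memory forensics tool that parses the operating system's own structures does not depend on API calls that a rootkit could hook. The Python script below is an added illustration of that idea and is not Memoryze code or anything from Mandiant. It walks a process list out of a raw memory image by following link pointers, then carves the same image for process records, so a record that was unlinked from the list (the usual DKOM hiding trick) still shows up. The record layout, the PROC tag, the list-head offset and the image itself are all constructed here so the script runs offline; they do not reproduce the real Windows kernel layout.

```python
"""
Enumerate processes from a raw memory image by parsing the list
structure directly instead of asking the OS.  Added example for the
Memoryze summaries; not Memoryze code.  The record layout, the tag,
the list head and the image are constructed and do not reproduce the
real Windows kernel layout.
"""

RECORD_SIZE = 32          # constructed layout: tag, pid, flink, blink, name
TAG = b"PROC"             # stand-in for a pool tag a scanner can look for
HEAD_OFF = 0x100          # constructed location of the list head
OFF_PID, OFF_FLINK, OFF_BLINK, OFF_NAME = 4, 8, 12, 16


def u32(image, off):
    """Read a little-endian 32-bit value; raises IndexError past the end."""
    chunk = image[off:off + 4]
    if len(chunk) != 4:
        raise IndexError("read past end of image at 0x%x" % off)
    return int.from_bytes(chunk, "little")


def _name(image, off):
    raw = bytes(image[off + OFF_NAME:off + OFF_NAME + 16])
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def put_record(img, off, pid, flink, blink, name):
    """Write one constructed process record into the image buffer."""
    img[off:off + 4] = TAG
    img[off + OFF_PID:off + OFF_PID + 4] = pid.to_bytes(4, "little")
    img[off + OFF_FLINK:off + OFF_FLINK + 4] = flink.to_bytes(4, "little")
    img[off + OFF_BLINK:off + OFF_BLINK + 4] = blink.to_bytes(4, "little")
    img[off + OFF_NAME:off + OFF_NAME + 16] = name.ljust(16, b"\x00")


def build_image():
    """Constructed 4 KiB image: a three-entry doubly linked list plus one
    record that was unlinked from the list but still sits in memory with
    all of its fields intact (nothing points at it any more)."""
    img = bytearray(4096)
    recs = [(0x200, 4, b"System"), (0x300, 412, b"explorer.exe"),
            (0x400, 1337, b"svchost.exe")]
    offs = [HEAD_OFF] + [r[0] for r in recs]
    # the list head carries only the two pointers, no tag and no pid
    img[HEAD_OFF + OFF_FLINK:HEAD_OFF + OFF_FLINK + 4] = offs[1].to_bytes(4, "little")
    img[HEAD_OFF + OFF_BLINK:HEAD_OFF + OFF_BLINK + 4] = offs[-1].to_bytes(4, "little")
    for i, (off, pid, name) in enumerate(recs, start=1):
        nxt = offs[(i + 1) % len(offs)]
        put_record(img, off, pid, nxt, offs[i - 1], name)
    # hidden record: plausible pointers, but no list entry refers to it
    put_record(img, 0x500, 2020, HEAD_OFF, 0x400, b"rootkit.exe")
    return bytes(img)


def walk_process_list(image, head_off=HEAD_OFF):
    """Follow flink pointers from the list head back around to the head.
    Every pointer is checked before it is dereferenced: an offset outside
    the image, a missing tag, or a cycle that skips the head stops the
    walk instead of looping forever on a corrupted or tampered list."""
    found, seen = [], set()
    cur = u32(image, head_off + OFF_FLINK)
    while cur != head_off:
        if cur in seen or cur + RECORD_SIZE > len(image):
            raise ValueError("list corrupt at 0x%x" % cur)
        if image[cur:cur + 4] != TAG:
            raise ValueError("no record tag at 0x%x" % cur)
        seen.add(cur)
        found.append((u32(image, cur + OFF_PID), _name(image, cur)))
        cur = u32(image, cur + OFF_FLINK)
    return found


def scan_for_records(image):
    """Carve every 4-byte-aligned offset for the tag and sanity-check the
    pointers.  This finds records whether or not anything links to them."""
    hits = []
    for off in range(0, len(image) - RECORD_SIZE + 1, 4):
        if image[off:off + 4] != TAG:
            continue
        flink, blink = u32(image, off + OFF_FLINK), u32(image, off + OFF_BLINK)
        if max(flink, blink) + 8 > len(image):
            continue    # junk that merely happens to contain the tag
        hits.append((off, u32(image, off + OFF_PID), _name(image, off)))
    return hits


def hidden_processes(image, head_off=HEAD_OFF):
    """Records the scanner sees that the linked-list walk never reaches."""
    linked = set(walk_process_list(image, head_off))
    return [(pid, name) for _, pid, name in scan_for_records(image)
            if (pid, name) not in linked]


if __name__ == "__main__":
    img = build_image()
    print("linked list :", walk_process_list(img))
    print("carved      :", scan_for_records(img))
    print("hidden      :", hidden_processes(img))
```

The two views are deliberately cross-checked: the list walk is what a process enumeration API would report, and the carve is what a tool that reads the structures for itself can recover. Disagreement between them is the finding. The bounds and cycle checks in the walk matter in practice because an image taken from a compromised host cannot be assumed to contain a well-formed list.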
                    </item>
                <item>
            <title>The Molecular Virology of Lexotan32: Metamorphism Illustrated</title>
                            <pubDate>Thu, 16 Aug 2007 16:58:00 -0500</pubDate>
                                        <link>https://www.openrce.org/articles/full_view/29</link>
                                        <author>orr &lt;email-suppressed@example.com&gt;</author>
<description>This paper is a direct descendant of my previous one on the metamorphic engine of the &lt;a href=&quot;/articles/full_view/27&quot;&gt;W32.Evol&lt;/a&gt; virus. I advise you to read that one first, or at least be acquainted with the subject of metamorphism. The focus of this paper is the special engine of the &lt;b&gt;Lexotan32&lt;/b&gt; virus. 
&lt;br&gt;&lt;br&gt;
The virus was released in 29A#6 Virus Magazine in 2002, the Annus Mirabilis of metamorphic viruses. The virus was created by the prolific VX coder, &lt;b&gt;Vecna&lt;/b&gt;, and was one of the last complex creations of this kind. I could further elaborate on the genealogy of this virus, but I think it is sufficient to say that this virus is a culmination of many of the techniques developed throughout the author's career.</description>
                    </item>
                <item>
            <title>Defeating HyperUnpackMe2 With an IDA Processor Module</title>
                            <pubDate>Thu, 22 Feb 2007 19:21:58 -0600</pubDate>
                                        <link>https://www.openrce.org/articles/full_view/28</link>
                                        <author>RolfRolles &lt;email-suppressed@example.com&gt;</author>
                                                    <description>This article is about breaking modern executable protectors.  The target, a 
crackme known as &lt;a href=&quot;http://crackmes.de/users/thehyper/hyperunpackme2/&quot;&gt;HyperUnpackMe2&lt;/a&gt;,
is modern in the sense that it does not follow the standard packer model of 
yesteryear wherein the contents of the executable in memory, minus the import 
information, are eventually restored to their original forms.
&lt;br&gt;&lt;br&gt;
Modern protectors mutilate the original code section, use virtual machines 
operating upon polymorphic bytecode languages to slow reverse engineering, and
take active measures to frustrate attempts to dump the process.  Meanwhile, 
the complexity of the import protections and the number of anti-debugging 
measures have steadily increased.
&lt;br&gt;&lt;br&gt;
This article dissects such a protector and offers a static unpacker through 
the use of an IDA processor module and a custom plugin.  The commented IDB 
files and the processor module source code are included.  In addition, an
appendix covers IDA processor module construction.  In short, this article is
an exercise in overkill.</description>
                    </item>
            </channel>
</rss>
