Archive for the ‘Tools’ Category

Tool Release: Pdump - A process memory dumper

Friday, November 16th, 2007

Pdump is now available for download.

Pdump is a process memory dumper that dumps the whole process memory.

Each allocated memory page is dumped into its own file, and you can load them easily into IDA Pro or a similar tool later on for analysis.

The tool can be downloaded from here:

Pdump.exe

Tool Release: KMFCopy - A Kernel-Mode File Copy Utility

Monday, October 8th, 2007

KMFCopy is a small utility that copies files in kernel-mode. As such, it needs administrative privileges.

Tool Release: PolyCryptPE Unpacker

Sunday, September 30th, 2007

This is a runtime unpacker for PolyCryptPE. Being a runtime unpacker, you have every chance of toasting your buttocks since I cannot promise the executable won’t escape. I have tried to add a few safeguards to it, but you still need to be careful. Also, it’s not a perfect unpacker since the imports will be broken in the dumped image.

Releasing some tools

Sunday, September 30th, 2007

I’ve decided to release some of the tools I’ve made in the past. I won’t release them all, as a few of them are more useful as private ones. I’ll be mostly releasing runtime unpackers, but if you have a tool in mind, ping me at toni(_at_)teamfurry.com

Automatic malware spying

Sunday, September 23rd, 2007

Analyzing malware is a tedious task sometimes. Without proper tools, you can never know what packer surrounds the malware or how to bypass it. Or maybe you’re just getting whacked by the sheer volume of incoming malicious samples.

zxarps

Wednesday, August 29th, 2007

There’s a nifty (or nasty, depending on which side you are on) tool being offered for download. The tool (called zxarps) is a hacking tool mostly used in China.

Sunshine on a stormy day

Thursday, July 19th, 2007

StormWorm has been spreading for quite a while now. Otherwise known as win32.tibs, win32.zhelatin or Trojan.Peacomm, it has been a widespread pest for a long time.

Process Memory Dumper

Monday, June 18th, 2007

I got tired of malware moving all around process memory, modifying system DLLs and so on. So, I decided to write a dumper that’ll dump the whole process memory to disk.

“False” positive with AllapleRemover

Monday, June 18th, 2007

I was troubleshooting a weird positive signature hit that AllapleRemover detected.

The weird thing was that the signature was found inside the nod32krn.exe process, which is the kernel process belonging to the NOD32 antivirus scanner (www.eset.com).

After checking out some dumps of the process memory it was quite easy to see what was causing the hits. The signatures themselves are solid and working. The problem was that NOD32 copies files into memory when a new process is starting, and scans the process-to-be before letting it run. NOD32 didn’t flush the copied memory fast enough, if at all, which caused AllapleRemover to effectively detect itself inside the nod32krn.exe process :)

Even though I could build a kludge to bypass this, I won’t. I don’t feel any burning need to make the program complicated by fixing these kinds of mishaps. Allaple does _not_ inject itself anywhere, so if you get a hit on an anti-virus application, just let it drop :)

Microsoft Change Analyzer

Wednesday, March 28th, 2007

Excerpt:

The Change Analysis Diagnostic simplifies the identification of recent changes to computers running Windows XP. The diagnostic checks for recent changes to the following:

• Operating system components, such as patches, that are installed as hotfixes or downloads from Windows Update.
• Installed application entries listed in the Add or Remove Programs control panel.
• All kernel mode device and file system drivers.
• Browser helper objects loaded by Internet Explorer.
• ActiveX controls loaded by Internet Explorer.
• Programs loaded automatically during Windows XP startup.
• Programs and Dynamic Link Libraries (DLLs) loaded when an application starts.

For the complete article see:
Microsoft downloads
http://support.microsoft.com/kb/924732
