Like Men at Work once asked, ‘Who can it be knocking at my door’? The smashed glass window next to the door probably suggests that when they knocked, they not only missed the door but also knocked a bit harder than was necessary to get someone’s attention. Unfortunately it’s not just an attempt at a witty opening, but a lead-in to a story about a physical break-in that occurred at a friend’s workplace. I likened it to an APT in IT, and used it as an excuse to use IT to help with physical security — cue the ZoneMinder software.
If your computer, mobile phone, or any other piece of I.T. equipment starts behaving differently, then it is probably wise to investigate further as it could indicate a malware infection. I remembered this lesson on Friday when I was left stranded by the side of the road, due to car trouble, after ignoring what, I suspect with hindsight, was a subtle change in my car’s behaviour.
‘Self Modifying Code: Changing Memory Protection’ described how self modifying code first needs to add write permissions to the memory page(s) before it can modify the code. There is another way of creating self modifying code which doesn’t require a call to VirtualProtect() — modify the characteristics of the .text (code) section in the EXE file.
Self modifying code is a phrase used to describe programs that are able to change themselves. Using self modifying code can make it harder to reverse engineer a program, largely because the ‘actual code may differ from that shown’. That is, the actual code that ends up executing may be different from the code that is first shown during disassembly. Join me as I attempt to relive my youth and create some self modifying code, only this time it will have to work under the memory protection schemes implemented by the 80×86 processors and MS Windows.
I am a believer in the ‘just because you can do something, doesn’t necessarily mean that you should’ mentality, and I was reminded of this again this morning when I read ‘Malware Analysis as a function of intelligence and counterintelligence operations.’.
As I start my first blog, I am grappling with the matter of what to blog about, what not to blog about, what to do, and what not to do; lest my actions potentially say more than I wanted to say. The idea that your actions (or sometimes inaction) can say more than you wish to say, isn’t new to me and is, in fact, something which I would like to blog about later — software/devices (and people for that matter) often leak information which, while not explicitly disclosing information, can sometimes allow for (potentially undesirable) inferences. Passive operating system fingerprinting is an example of this.
Welcome to Malware Musings.
I’m your host, Karl, and this is my blog for sharing thoughts and ideas about malware analysis, reverse engineering, and some of the things that malware gets up to when it thinks we’re not looking.
Thinking about reverse engineering malware and malware analysis can be a tad daunting. After all, it is a bit like finding a list of instructions such as:
- Keep taking a step forward until you get to the end of the path
- Turn left
- Take fifty steps forward
- Turn right
and working out that it is actually a list of instructions for popping down to the shop for some milk.