Friday, October 28, 2011

Using NtGlobalFlag

This is probably not the right way to go about implementing a NtGlobalFlag check in a exe; I looked around a bit but couldn't find anything else so I decided to go about using Ollydbg to do some manual patching. Like I said, probably not the best way - I just did this for fun. If you know a better way to do this, it would be awesome if you could take a few minutes and let me know in the comments section below.


I did not wanna write assembly from the scratch so I compiled the following code.

#include<stdio.h>
void blah() {
int x,y,z;
}
int main() {
blah();
printf("no debugger present\n");
return 0;
printf("debugger present\n");
getchar();
}
Did a binary patch and fill the rest with NOPs ...

and ran it ...

There are loads of posts out there describing ways to circumvent this - so yeah thats about it for this post.


[UPDATE]
Using inline assembly is probably the right way to go about doing this.

Sunday, October 16, 2011

github repository

From now on I've decided to upload all the malware analysis files into github repositories. Find them here.

Thursday, October 13, 2011

analyzing 8008bf0a06a0ba4dca1c881f4955acc8


Recently, I started analyzing pdf-malware. I got myself a pdf to analyze from malwaredomainlist.com; the hash of the pdf is 8008bf0a06a0ba4dca1c881f4955acc8