HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 95 guests and 1 member online
EH-Net News Feeds
Latest Additions
 
Advertisement

You are here: Home arrow Forum arrow Ethical Hacking Discussions and Related Certificationsarrow Malwarearrow Stuck with Honeynet Project - Forensic Challenge 8 "Malware Reverse Engineering"
EH-Net
May 26, 2012, 08:31:52 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Advertise on EH-Net!! - Reasonable Rates, Highly Targeted Audience.
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Stuck with Honeynet Project - Forensic Challenge 8 "Malware Reverse Engineering"  (Read 2266 times)
0 Members and 1 Guest are viewing this topic.
satyr
Newbie
*
Offline Offline

Posts: 41



View Profile
« on: December 22, 2011, 02:11:31 PM »
Going through the solution to understand what the winners have done. Forgive if this is a noob question but I did not understand how the solution for this question was answered

Q. Describe the API hooking mechanism used by the sample
Ans: The malware uses a data structure for each hooked function that looks like the following:

DWORD FunctionAddress 
DWORD HookFunctionAddress
BYTE  ModifiedOriginalFunctionStart[44]
DWORD Unknown
BYTE  Unknown
BYTE  OriginalFunctionStart[44]
DWORD Unknown
DWORD ModuleHandle
DWORD Unknown
BYTE  JumpCode[8]
DWORD CriticalSection[6]
DWORD CriticalSectionInitialized
BYTE  ModuleName[260]
DWORD Unknown[2]


If possible please refer the solution here
http://www.honeynet.org/files/1312123013_lutz_dot_schildt_at_googlemail_dot_com_Forensic%20Challenge%202011%20-%20Challenge%208.zip


Is there a place where I can understand this process via tutorials or examples if possible ?

Any help is highly appreciated.
Logged
satyr
Newbie
*
Offline Offline

Posts: 41



View Profile
« Reply #1 on: December 22, 2011, 04:54:08 PM »
a general question here. It is a common observation that a malware creates a file temporarily and then deletes it after a while, generally after performing a set of operations.

Running capturebat when the malware is running enables us to have a backup of the file which is created temporarily. What are other tools which have this capability.

a question specific to this challenge, i was able to see the record of a folder being created 'algonic' but it was not saved when the malware deleted it. Any thoughts on this ?
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 1.572 seconds with 22 queries.
 

gk_static-ad_feb2012.jpg
Global Knowledge: Build Security Skills to Protect & Defend

els_130x200fixed2.gif
eLearnSecurity Student Course Now Live!
5% Off with Code
ELS-EH-5

SANS Deals 4 EH-Netters
$150 OFF Any SANS Course in Any Format!
Coupon Code: EHN_Connect Including SANS Security West 2012 & SANSFIRE 2012
Recent Forum Topics

cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!

Vote For EH-Net

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2012 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.