HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 40 guests online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Malwarearrow Stuck with Honeynet Project - Forensic Challenge 8 "Malware Reverse Engineering"
EH-Net
May 21, 2013, 05:32:00 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Stuck with Honeynet Project - Forensic Challenge 8 "Malware Reverse Engineering"  (Read 4254 times)
0 Members and 1 Guest are viewing this topic.
satyr
Newbie
*
Offline Offline

Posts: 41



View Profile
« on: December 22, 2011, 02:11:31 PM »
Going through the solution to understand what the winners have done. Forgive if this is a noob question but I did not understand how the solution for this question was answered

Q. Describe the API hooking mechanism used by the sample
Ans: The malware uses a data structure for each hooked function that looks like the following:

DWORD FunctionAddress 
DWORD HookFunctionAddress
BYTE  ModifiedOriginalFunctionStart[44]
DWORD Unknown
BYTE  Unknown
BYTE  OriginalFunctionStart[44]
DWORD Unknown
DWORD ModuleHandle
DWORD Unknown
BYTE  JumpCode[8]
DWORD CriticalSection[6]
DWORD CriticalSectionInitialized
BYTE  ModuleName[260]
DWORD Unknown[2]


If possible please refer the solution here
http://www.honeynet.org/files/1312123013_lutz_dot_schildt_at_googlemail_dot_com_Forensic%20Challenge%202011%20-%20Challenge%208.zip


Is there a place where I can understand this process via tutorials or examples if possible ?

Any help is highly appreciated.
Logged
satyr
Newbie
*
Offline Offline

Posts: 41



View Profile
« Reply #1 on: December 22, 2011, 04:54:08 PM »
a general question here. It is a common observation that a malware creates a file temporarily and then deletes it after a while, generally after performing a set of operations.

Running capturebat when the malware is running enables us to have a backup of the file which is created temporarily. What are other tools which have this capability.

a question specific to this challenge, i was able to see the record of a folder being created 'algonic' but it was not saved when the malware deleted it. Any thoughts on this ?
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.061 seconds with 22 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.