
Stuck with Honeynet Project - Forensic Challenge 8 "Malware Reverse Engineering"


satyr

Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Thu Dec 22, 2011 3:11 pm

Stuck with Honeynet Project - Forensic Challenge 8 "Malware Reverse Engineering"

Going through the solution to understand what the winners have done. Forgive me if this is a noob question, but I did not understand how the solution for this question was arrived at.

Q. Describe the API hooking mechanism used by the sample
Ans: The malware uses a data structure for each hooked function that looks like the following:

DWORD FunctionAddress 
DWORD HookFunctionAddress
BYTE  ModifiedOriginalFunctionStart[44]
DWORD Unknown
BYTE  Unknown
BYTE  OriginalFunctionStart[44]
DWORD Unknown
DWORD ModuleHandle
DWORD Unknown
BYTE  JumpCode[8]
DWORD CriticalSection[6]
DWORD CriticalSectionInitialized
BYTE  ModuleName[260]
DWORD Unknown[2]


If possible, please refer to the solution here:
http://www.honeynet.org/files/131212301 ... ge%208.zip


Is there a place where I can understand this process via tutorials or examples, if possible?

Any help is highly appreciated.
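The structure quoted above is the bookkeeping record of an inline (detour) hook: FunctionAddress is the API being hooked, HookFunctionAddress is the replacement the malware wants called instead, OriginalFunctionStart keeps a copy of the bytes at the start of the API before patching so they can be restored (or executed as a trampoline), JumpCode is the patch written over the function start, and ModuleName/ModuleHandle record which DLL the function lives in. The following is an added example, not code from the post or from the challenge solution, showing that mechanism on a constructed byte buffer standing in for the function: it builds an x86 JMP rel32, saves the original bytes, applies the patch, decodes the patched jump back to its target, and restores. The Win32 specifics (VirtualProtect to make the page writable, the critical section, the module handle) are left out so the example builds on any platform, and the addresses, the module name and the sample prologue bytes are made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SAVED_BYTES 44      /* the quoted structure saves 44 bytes of the function start */
#define JMP_LEN     5       /* x86 near JMP rel32: E9 imm32 */

/* Hook record modelled on the layout quoted in the post. Field names follow the
 * solution; the critical section, module handle and Unknown fields are left out and
 * fixed-width integers replace Win32 types so the example builds anywhere. */
typedef struct {
    uint32_t function_address;
    uint32_t hook_function_address;
    uint8_t  modified_original_function_start[SAVED_BYTES];
    uint8_t  original_function_start[SAVED_BYTES];
    uint8_t  jump_code[8];
    int      hook_installed;
    char     module_name[260];
} hook_record;

/* Encode "JMP rel32" placed at virtual address `from` and landing at `to`. The
 * displacement is relative to the next instruction (from + 5); uint32_t arithmetic
 * wraps exactly as the CPU does for backward jumps. Spare bytes are NOPs. */
void build_jump_code(uint8_t out[8], uint32_t from, uint32_t to)
{
    uint32_t rel = to - (from + JMP_LEN);
    memset(out, 0x90, 8);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Decode the target of a JMP rel32 found at virtual address `at`; returns 0 if the
 * first byte is not E9. This is the check an analyst runs over API entry points in a
 * memory dump to spot which ones have been detoured. */
uint32_t decode_jump_target(const uint8_t *code, uint32_t at)
{
    if (code[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return at + JMP_LEN + rel;
}

/* Encode then decode; returns the decoded target, so it should equal `to`. */
uint32_t jump_round_trip(uint32_t from, uint32_t to)
{
    uint8_t buf[8];
    build_jump_code(buf, from, to);
    return decode_jump_target(buf, from);
}

/* Install: save the first SAVED_BYTES of the function, overwrite its start with the
 * jump, and keep a copy of the patched bytes. `func` is the writable image of the
 * function (in a real hook, after the page protection has been changed). */
int install_hook(hook_record *h, uint8_t *func, uint32_t func_va,
                 uint32_t hook_va, const char *module)
{
    if (h->hook_installed)
        return -1;
    h->function_address = func_va;
    h->hook_function_address = hook_va;
    memcpy(h->original_function_start, func, SAVED_BYTES);
    build_jump_code(h->jump_code, func_va, hook_va);
    memcpy(func, h->jump_code, JMP_LEN);
    memcpy(h->modified_original_function_start, func, SAVED_BYTES);
    snprintf(h->module_name, sizeof h->module_name, "%s", module);
    h->hook_installed = 1;
    return 0;
}

/* Remove: write the saved original bytes back over the patch. */
int remove_hook(hook_record *h, uint8_t *func)
{
    if (!h->hook_installed)
        return -1;
    memcpy(func, h->original_function_start, SAVED_BYTES);
    h->hook_installed = 0;
    return 0;
}

/* Constructed sample: a typical Win32 API prologue (mov edi,edi; push ebp;
 * mov ebp,esp; sub esp,10h) plus zero filler, standing in for the hooked function.
 * The addresses and module name are made up for the demonstration. */
static uint8_t sample_func[64] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
#define SAMPLE_FUNC_VA 0x7C810000u
#define SAMPLE_HOOK_VA 0x00401000u

/* Returns 1 if the patched function starts with a jump to the hook, the saved bytes
 * match the pre-patch state, and removal restores the function byte for byte. */
int hook_round_trip(void)
{
    hook_record h = {0};
    uint8_t before[SAVED_BYTES];
    memcpy(before, sample_func, SAVED_BYTES);

    if (install_hook(&h, sample_func, SAMPLE_FUNC_VA, SAMPLE_HOOK_VA, "kernel32.dll") != 0)
        return 0;
    int jumps_to_hook = decode_jump_target(sample_func, SAMPLE_FUNC_VA) == SAMPLE_HOOK_VA;
    int saved_ok = memcmp(h.original_function_start, before, SAVED_BYTES) == 0;

    if (remove_hook(&h, sample_func) != 0)
        return 0;
    int restored = memcmp(sample_func, before, SAVED_BYTES) == 0;
    return jumps_to_hook && saved_ok && restored;
}

int main(void)
{
    printf("hook round trip %s\n", hook_round_trip() ? "ok" : "FAILED");
    return 0;
}
```

The reason the record keeps 44 bytes rather than just the 5 that the jump overwrites is that a detour has to relocate whole instructions: the hook function eventually needs to run the displaced prologue and jump back to FunctionAddress + (bytes consumed), and a fixed-size buffer that comfortably covers the longest prologue the author expected is the simplest way to hold that. When hunting hooks in a dump, compare the first bytes of each exported function with the clean on-disk copy; an E9 where the disk has 8B FF 55 is the signature this structure leaves behind.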

satyr


Post Thu Dec 22, 2011 5:54 pm

Re: Stuck with Honeynet Project - Forensic Challenge 8 "Malware Reverse Engineering"

A general question here. It is a common observation that malware creates a file temporarily and then deletes it after a while, generally after performing a set of operations.

Running CaptureBAT while the malware is running enables us to keep a backup of the file that is created temporarily. What other tools have this capability?

A question specific to this challenge: I was able to see the record of a folder named 'algonic' being created, but it was not saved when the malware deleted it. Any thoughts on this?
