Rogue dll

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
mint77
Posts: 88
Joined: Wed Dec 12, 2012 3:50 pm
Location: Seabrook


Post by mint77 »

I have stored safely away a "rogue dll."

It was caught because it masqueraded as a system DLL, had a recent file date, and had no version info.

Virusinfo misidentified it.

It's been renamed, and the file extension has been changed as well.

I would like to study it safely with something similar to a debugger or maybe a passive type of analyzer.

I also use Linux, but could not find anything that can debug Windows PEs.

I would appreciate any recommendations.

Thanks.
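The three tells mint77 lists (a system DLL name sitting outside a system directory, a recent date, no version info) can be checked statically before the file is ever loaded. The script below is an added example, not code from this thread or from any tool mentioned in it: a hand-rolled PE parser (no pefile dependency) that reads the compile timestamp and walks the type level of the resource directory for RT_VERSION. The system DLL name list, the 30-day "recent" window, and the sample PE bytes are all constructed assumptions for the example.

```python
import struct
import time

# Assumed: a short list of commonly impersonated system DLL names.
SYSTEM_DLL_NAMES = {
    "kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
    "shell32.dll", "ws2_32.dll", "wininet.dll", "msvcrt.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RT_VERSION = 16                   # resource type ID of VS_VERSION_INFO
RECENT_SECONDS = 30 * 24 * 3600   # assumed threshold for "recent build"
IMAGE_FILE_DLL = 0x2000


def parse_pe(data):
    """Pull the fields the triage needs out of a PE32/PE32+ image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    (_machine, nsec, timestamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B).
    dirs = opt + (96 if magic == 0x10B else 112)
    rsrc_rva, rsrc_size = struct.unpack_from("<II", data, dirs + 2 * 8)  # entry 2 = resources
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, rawptr, rawsize))
    return {"timestamp": timestamp, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "rsrc": (rsrc_rva, rsrc_size), "sections": sections}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} not in any section")


def has_version_resource(data, pe):
    """True if the top-level (type) resource directory lists RT_VERSION."""
    rva, size = pe["rsrc"]
    if size == 0:
        return False
    base = rva_to_offset(pe["sections"], rva)
    n_named, n_id = struct.unpack_from("<HH", data, base + 12)
    for i in range(n_named + n_id):
        ident, _offset = struct.unpack_from("<II", data, base + 16 + 8 * i)
        if not (ident & 0x80000000) and ident == RT_VERSION:   # ID entry, not a name
            return True
    return False


def triage(path, data, now=None):
    """Return the list of tells that fired; an empty list means nothing stood out."""
    now = int(time.time()) if now is None else now
    pe = parse_pe(data)
    p = path.replace("/", "\\").lower()
    name = p.rsplit("\\", 1)[-1]
    findings = []
    if name in SYSTEM_DLL_NAMES and not p.startswith(SYSTEM_DIRS):
        findings.append(f"masquerade: {name} outside a Windows system directory")
    if not pe["is_dll"]:
        findings.append("IMAGE_FILE_DLL not set: an EXE renamed to .dll?")
    age = now - pe["timestamp"]
    if age < 0:
        findings.append("compile timestamp is in the future")
    elif age < RECENT_SECONDS:
        findings.append("recent build: compile timestamp within 30 days")
    if not has_version_resource(data, pe):
        findings.append("no VS_VERSION_INFO resource")
    return findings


def build_pe(timestamp, with_version):
    """Constructed minimal PE32 DLL with one .rsrc section, for offline testing only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1 if with_version else 0)
    if with_version:                                            # one RT_VERSION type entry
        rsrc += struct.pack("<II", RT_VERSION, 0x80000000 | 0x18)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")
    dirs = [(0, 0)] * 16
    dirs[2] = (0x1000, len(rsrc))
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    fhdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x2102)
    sect = b".rsrc".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(rsrc), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + fhdr + opt + sect).ljust(0x200, b"\0") + rsrc.ljust(0x200, b"\0")


if __name__ == "__main__":
    sample = build_pe(int(time.time()) - 86400, with_version=False)   # constructed sample
    for line in triage(r"C:\Users\andy\AppData\Local\Temp\kernel32.dll", sample):
        print(line)
```

Two caveats: the PE compile timestamp and the file system date are both trivially forged, so a clean result here rules nothing out, and the version check only looks at the type level of the resource tree, so a file that carries an RT_VERSION entry with garbage under it still passes. The script surfaces tells cheaply; confirming what the DLL does still needs the emulation or sandboxed debugging discussed in the rest of the thread.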
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

IDA x86 Emulator plugin maybe? That would at least feed it system values which might make it behave normally for a time.

http://www.idabook.com/x86emu/
mint77
Posts: 88
Joined: Wed Dec 12, 2012 3:50 pm
Location: Seabrook

Post by mint77 »

Thanks, I will check it out.

I have set up VirtualBox with XP as the OS.

I found some excellent info on malware forensic analysis at

xxxx-http://fumalwareanalysis.blogspot.com/2 ... verse.html

I have set up a guest account to study the "rogue item" using Windows Debugger and some other tools.

Back to bug hunting and dissection,
Andy