About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
OpenRCE Articles
Memoryze Memory Forensics Tool
Created: Wednesday, November 26 2008 20:06.40 CST
Author:
peter
# Views:
93633
The goal of this article is to demonstrate how simple malware analysis can be using Memoryze and some good old fashion common sense. Readers should have some knowledge of how malware works, and be somewhat familiar with
Memoryze
. A good place to familiarize yourself with Memoryze is the user guide included in the installer.
Memoryze is designed to aid in memory analysis in incident response scenarios. However, it has many useful features that can be utilized when doing malware analysis. Memoryze is special in that it does not rely on API calls. Instead Memoryze parses the operating systems' internal structures to determine for itself what the operating system and its running processes and drivers are doing.
Full Article ...
Printer Friendly ...
Write Comment
|
View Complete Comments
Username
Comment Excerpt
Date
firebits
good job,thx
Sunday, December 7 2014 07:41.08 CST
cirix
good job,thx
Wednesday, August 8 2012 21:33.24 CDT
zezo010
I'm waite for next lessons. Nice work, thanks!
Sunday, August 14 2011 04:26.00 CDT
eaescob
Very nice work, thanks!
Monday, June 27 2011 19:28.08 CDT
slolurner
For folks coming late to the party like me, I w...
Monday, October 25 2010 10:40.36 CDT
The Molecular Virology of Lexotan32: Metamorphism Illustrated
Created: Thursday, August 16 2007 16:58.00 CDT
Author:
orr
# Views:
68371
This paper is a direct descendent of my previous one regarding the metamorphic engine of the
W32.Evol
virus. I advise you to take a look at it before reading this one, or at least be acquainted with the subject of metamorphism. The focus of this paper is the special engine of the
Lexotan32
virus.
The virus was released in 29A#6 Virus Magazine in 2002, the Annus Mirabilis of metamorphic viruses. The virus was created by the prolific VX coder,
Vecna
, and was one of the last complex creations of this kind. I could further elaborate on the genealogy of this virus, but I think it is sufficient to say that this virus is a culmination of many of the techniques developed throughout the author's career.
Full Article ...
Printer Friendly ...
Write Comment
|
View Complete Comments
Username
Comment Excerpt
Date
live2skull
amazing article :)
Sunday, May 8 2016 00:28.54 CDT
redbone
good information ....
Tuesday, July 12 2011 02:56.10 CDT
tgnice
cool :)
Saturday, June 18 2011 03:18.50 CDT
lazyworm
very nice!I need it.
Wednesday, June 30 2010 20:25.49 CDT
m4dnut
it's so cool~! thnaks for your effots. i alway...
Wednesday, July 9 2008 20:32.17 CDT
Defeating HyperUnpackMe2 With an IDA Processor Module
Created: Thursday, February 22 2007 19:21.58 CST
Author:
RolfRolles
# Views:
96401
This article is about breaking modern executable protectors. The target, a crackme known as
HyperUnpackMe2
, is modern in the sense that it does not follow the standard packer model of yesteryear wherein the contents of the executable in memory, minus the import information, are eventually restored to their original forms.
Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.
This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill.
Full Article ...
Printer Friendly ...
Write Comment
|
View Complete Comments
Username
Comment Excerpt
Date
ndaj3
RolfRolles: Thank you for Writing an Great tuto...
Friday, September 4 2009 01:25.09 CDT
eirc
Wow thanks a lot��
Saturday, October 11 2008 05:00.28 CDT
h4x0r
comprehensive analysis, thanks. for those no...
Tuesday, May 15 2007 04:15.56 CDT
PoincareLei
good analysis.. expecting RolfRolles to wri...
Wednesday, April 4 2007 06:26.45 CDT
bLaCkeye
Impressive display of reverse engineering and c...
Friday, February 23 2007 19:47.13 CST
The Viral Darwinism of W32.Evol
Created: Tuesday, February 6 2007 14:26.08 CST
Author:
Orr
# Views:
70034
The W32.Evol virus was discovered around July 2000. Its name is derived from a string found in the virus, but much more can be implied from the name. Up until then, most of the viruses were using Polymorphic engines in order to hide themselves from Anti-Virus scanners. The engine would encrypt the virus with a different key on every generation, and would generate a small, variant decryptor that would consist of different operations but remain functionally equivalent. This technique was beginning to wear out as AV scanners would trace virus-decryption until it was decrypted in memory, visible and clear.
This article explores the features and functionality of the metamorphic engine of the Evol virus, the first virus to utilize a 'true' metamorphic engine according to Symantec.
Full Article ...
Printer Friendly ...
Write Comment
|
View Complete Comments
Username
Comment Excerpt
Date
nEINEI
good work~~
Friday, November 27 2009 04:04.08 CST
adityaks
nice one man
Wednesday, June 20 2007 06:07.58 CDT
Orr
The mistake is in the paper and not in the engi...
Friday, April 6 2007 16:02.00 CDT
eraser
You are right MazeGen. [code] EB cb JMP cb ...
Wednesday, April 4 2007 13:33.07 CDT
MazeGen
Very interesting article, thanks. There's on...
Friday, March 30 2007 02:57.38 CDT
Kernel User-Mode Debugging Support (Dbgk)
Created: Wednesday, January 31 2007 12:05.10 CST
Author:
AlexIonescu
# Views:
51970
In part three of this three part article series, the kernel-mode interface to Windows debugging is dissected in detail. The reader is expected to have some basic knowledge of C and general NT Kernel architecture and semantics. Also, this is not an introduction on what debugging is or how to write a debugger. It is meant as a reference for experienced debugger writers, or curious security experts. The reader is expected to have some basic knowledge of C and general NT Kernel architecture and semantics. Also, this is not an introduction on what debugging is or how to write a debugger. It is meant as a reference for experienced debugger writers, or curious security experts.
Full Article ...
Printer Friendly ...
Write Comment
|
View Complete Comments
Username
Comment Excerpt
Date
praveendarshanam
good articles!! all partz r amazing!!!
Friday, September 18 2009 15:18.19 CDT
flyingkisser
very good,very powerful!So,where is part I and ...
Tuesday, January 15 2008 20:17.43 CST
anonymouse
so this is how some of the functions in syser o...
Thursday, February 1 2007 23:35.29 CST
MohammadHosein
thank you for these excellent series of articles
Thursday, February 1 2007 15:29.03 CST
JasonGeffner
Awesome job! I want a "part four"! :)
Thursday, February 1 2007 13:56.34 CST
Windows Native Debugging Internals
Created: Monday, November 13 2006 13:14.18 CST
Author:
AlexIonescu
# Views:
50895
In part two of this three part article series, the native interface to Windows debugging is dissected in detail. The reader is expected to have some basic knowledge of C and general NT Kernel architecture and semantics. Also, this is not an introduction on what debugging is or how to write a debugger. It is meant as a reference for experienced debugger writers, or curious security experts.
Full Article ...
Printer Friendly ...
Write Comment
|
View Complete Comments
Username
Comment Excerpt
Date
halsten
Thanks for sharing this! Keep it up (Y). -- ...
Monday, January 22 2007 01:55.32 CST
msuiche
That's a very pretty paper you wrote again ther...
Monday, November 13 2006 15:40.46 CST
Windows User Mode Debugging Internals
Created: Tuesday, October 31 2006 18:02.31 CST
Author:
AlexIonescu
# Views:
52318
The internal mechanisms of what allows user-mode debugging to work have rarely ever been fully explained. Even worse, these mechanisms have radically changed in Windows XP, when much of the support was re-written, as well as made more subsystem portable by including most of the routines in ntdll, as part of the Native API. This three part series will explain this functionality, starting from the Win32 (kernel32) viewpoint all the way down (or up) to the NT Kernel (ntoskrnl) component responsible for this support, called Dbgk, while taking a stop to the NT System Library (ntdll) and its DbgUi component.
The reader is expected to have some basic knowledge of C and general NT Kernel architecture and semantics. Also, this is not an introduction on what debugging is or how to write a debugger. It is meant as a reference for experienced debugger writers, or curious security experts.
Full Article ...
Printer Friendly ...
Write Comment
|
View Complete Comments
Username
Comment Excerpt
Date
securex0
Awesome jobs! I am waiting next instruction.
Sunday, April 15 2012 21:55.51 CDT
Civa
Great article Alex! I wonder If you can explai...
Tuesday, March 9 2010 05:07.34 CST
shijiaoan
great
Monday, May 4 2009 21:48.06 CDT
NeOXQuiCk
Nice,thx for sharing.. its helped me a lot.. ...
Tuesday, April 3 2007 17:55.47 CDT
tinybyte
Nice stuff! Waiting for the sequels :)
Friday, December 8 2006 15:25.33 CST
Archived Articles
Archived
Title
Author
# Views
Publish Date
Reversing Microsoft Visual C++ Part II: Classes, Methods and RTTI
igorsk
271835
September 21 2006
Microsoft Patching Internals
EliCZ
50943
April 26 2006
Reversing Microsoft Visual C++ Part I: Exception Handling
igorsk
176686
March 6 2006
Technical Analysis of MS06-001
stephanc
35168
February 6 2006
FUTo
peter
51071
January 5 2006
Plausible Deniability
joestewart
34720
November 17 2005
Reverse Engineering Microsoft OLE
joestewart
63933
September 12 2005
File Format Reversing - EverQuest II VPK
daeken
65210
September 6 2005
WINLDRA.EXE: Reversing a Basic Encryption Algorithm
Gerry
57246
August 23 2005
Reversing HDSpoof - A Tutorial
smidgeonsoft
76268
August 2 2005
Creating IDA Plug-ins with C# or VB6
dzzie
57468
July 15 2005
Process Stalker vs. MS05-030
pedram
52426
July 6 2005
Introduction to IDAPython
ero
97758
June 24 2005
OpenRCE Site Launch
pedram
27671
June 17 2005
There are
31,320
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit