Comments for Network Forensics Blog

Comment on Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory by Curt Wilson

Curt Wilson — Fri, 14 Oct 2011 02:22:26 +0000

Nice work Gary! This does look like TDL4 and this blog entry is the first example I’ve found via google after obtaining a sample of what’s supposedly a new variant. The strings you found were from the config file that’s contained in TDL’s own file system. Got the MD5 of this malware and the date that it was found? Also, it may been useful to use the foremost utility for carving out PE’s from data streams, disk dumps, etc. which I found to be a major time saver as it was able to re-assemble and dump the PE file very quickly without the need for any sort of manual calculation. Thanks

Comment on Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory by David

David — Fri, 19 Aug 2011 21:49:40 +0000

Great 2 part series. Very interesting using Mutexes to find rootkits. I would love to see part 3 and reverse engineer a new Malware variant.

Comment on Kneber Update by Eddie

Eddie — Sun, 24 Jul 2011 12:44:10 +0000

There’s a terirfic amount of knowledge in this article!

Comment on Mutex Analysis: The Canary in the Coal Mine (and Discovering New Families of Malware?) by Frankie

Frankie — Sat, 23 Jul 2011 16:22:54 +0000

Agree Mutux is important in analyzing malware, especially for quick identification and locating the malware.

Comment on Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory by Gary Golomb

Gary Golomb — Tue, 28 Jun 2011 12:49:35 +0000

Hey test – There’s actually two ways to automate this. Well, one and a half. The least elegant way is to write something to manually carve PE files from DMP files. I actually started working on a quick tool over the weekend to do this and had planned on posting it Sunday night, but realized WinDbg takes care of alignment magic for you that I have to deal with when manually parsing DMP files (and need to fix in the tool).

Anyways, this should probably be done is using WinDbg scripts. I’ll try to post one as a follow-on to this post. Here’s some good info about scripting in WinDbg: http://www.dumpanalysis.org/WCDA/WCDA-Sample-Chapter.pdf

Also, slightly off-topic, here’s a very cool trick for using WinDbg that shows just how much you can do with it. http://www.dumpanalysis.org/blog/index.php/2008/09/18/cmdtreetxt-for-cda-checklist/

Comment on Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory by test

test — Tue, 28 Jun 2011 05:45:07 +0000

Yes very interesting. I wish there was a way to do this type of thing automatically.

Comment on Mutex Analysis: The Canary in the Coal Mine (and Discovering New Families of Malware?) by Fitblip

Fitblip — Wed, 22 Jun 2011 22:09:17 +0000

Nice stuff! Very clear about a lot of functionality in tools that I use all the time (and some I haven’t, but will start)

Comment on Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory by Thomas

Thomas — Wed, 22 Jun 2011 20:56:15 +0000

Thanks for the read, very interesting.

Comment on Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory by Juan

Juan — Tue, 21 Jun 2011 21:20:59 +0000

again awesome write up…. can i come work with you… i swear if i didnt have bills to pay i come work for free =)

Comment on Mutex Analysis: The Canary in the Coal Mine (and Discovering New Families of Malware?) by Juan

Juan — Tue, 21 Jun 2011 21:03:26 +0000

Gary I always enjoy your post man! so full of resources and love how you take the time to go step by step as much as you can. To be honest i dont care if you have 30pages.. ill read them. Great talk at thotcon btw.. i was there.