Olly Debugger is a free one with source code available, and a GUI interface. I used it a lot while trying to reverse engineer binary code.
What I would do is have the virii run in a virtual environment, with a sniffer on the NIC tracking all of the traffic in/out on the card, and have the gateway firewall drop all incoming/outgoing packets to the virtual machine....tcpreplay, ethereal, virtual pc/vmware are great tools for this..
For $DIETY's sake, if you're gonna go through with this, do it in a virtual environment running on a secured platform. For example, a Linux host with a Windows guest OS.
Not to be offensive, but are you sure you know WTF you're doing? This is *NOT* a good idea, unless you are a skilled and competent code, network, and systems analyst. And even then, it's probably a bad idea. From the content of your posts in this thread, I don't get the impression that you are an uber-techno-wizard, so this sort of behavior is probably a BAD IDEA(C)
Zen:
Give the guy a bit of a break here..... ;)
It sounds like he wants to learn....
Sgt: Your goal might be worthy but you need to know your virus before you start. It's not good enough to just get yourself a virus and fire it off in the hope that you can undo the damage. You need to get your virus, identify it, research _exactly_ what it can/will do and then come up with your mitigating techniques. For the most part this can be done on a standalone machine using the tools I pointed you at. Worst case you may want to connect this box to another with a crossover cable and a sniffer so that you can see what the virus sends out. In both cases I would have the drives imaged so that you can return the box to a "sensible" state.
This isn't something you take on casually.... Think before you act... If you don't have a solution for a problem the virus would present you with then the exercise ends right there... you don't activate the thing..... capiche?
What is a competent idea(C)?
simple rule:
tools:
disassembler
Hunter tasks
Surface Memory Scanner
Services Hunter (maybe integrated into Hunter Task id or memset runtimer)
Decrypter (just in case)
scenario:
Infected Environment of Course!!!
NOTE: these tools should not need system DLLs (or the kernel)
NOTE 2: make your own conclusion
Best Wishes
Quote:
Originally posted here by zencoder
For $DIETY's sake, if you're gonna go through with this, do it in a virtual environment running on a secured platform. For example, a Linux host with a Windows guest OS.
Not to be offensive, but are you sure you know WTF you're doing? This is *NOT* a good idea, unless you are a skilled and competent code, network, and systems analyst. And even then, it's probably a bad idea. From the content of your posts in this thread, I don't get the impression that you are an uber-techno-wizard, so this sort of behavior is probably a BAD IDEA(C)
Hey Zencoder; I have to say that when I started into the virus research field, I didn't know what I was doing. I started way back in 1991 - 92 and started by getting ahold of Michelangelo (at the time a rather nasty bug). I used softice to decompile it and read its code, ran the virus on my system and debugged/traced its route through my 'puter and then cleaned it off. Back until about 2001 the only virus I ever was unable to get rid of - even with a low-level format - was the Jackal virus. At that time I didn't know about virtual machines (I was running in DOS and Windows 3.11 for WorkGroups) and just ran it on my system. Of course I had backups, but they didn't help with a virus that infected everything... and I mean EVERYTHING
So as far as being a technowiz, skilled code/network/systems analyst, that I wasn't. No one gets to that point unless they are willing to learn and try things that - yeah - sometimes might just totally screw their system. Bad idea? What's so bad about wanting to learn?
Quote:
Originally posted here by Tiger Shark
Zen:
Give the guy a bit of a break here..... ;)
It sounds like he wants to learn....
Sgt: Your goal might be worthy but you need to know your virus before you start. It's not good enough to just get yourself a virus and fire it off in the hope that you can undo the damage. You need to get your virus, identify it, research _exactly_ what it can/will do and then come up with your mitigating techniques. For the most part this can be done on a standalone machine using the tools I pointed you at. Worst case you may want to connect this box to another with a crossover cable and a sniffer so that you can see what the virus sends out. In both cases I would have the drives imaged so that you can return the box to a "sensible" state.
This isn't something you take on casually.... Think before you act... If you don't have a solution for a problem the virus would present you with then the exercise ends right there... you don't activate the thing..... capiche?
Well, Tiger, I guess I failed your suggestion ;) (see above).
Seriously, though, you make a valid point. After being in the virus research field for the past 13 years, I would never do what I did back then to research viruses. I agree that you NEED to know exactly what it can/will do and have a plan to stop/block it if it appears to be getting out of control. Had I done that with Jackal, I would have saved a $2000.00 computer system that had to be trashed (at the time I didn't know you could just replace the HDD and such). Now I use a win98SE system crossed to my primary, with firewall and AV blocking to avoid infecting the primary. With the setup I have I can run it on my old system, and use the main to watch what happens.
Blessings;
Carenath
I've done testing of viruses like netsky and bagle on old Windows boxes, mostly to study network behavior and to test cleaning tools. Spyware, too.
You want to make sure your test machine is on your network's DMZ. I've used Smoothwall and IPcop for several years and both those gateways have solid DMZs where the computer assigned to the DMZ is unable to reach back into the rest of the network. The DMZ on some routers is a joke, specifically Belkin's. Linksys's DMZ seemed OK, but I'm not sure I trust any DMZ that shares an IP address in the same range as the rest of the network. FWIW.
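The isolation the posts above keep coming back to, a gateway that drops everything the infected box sends toward the rest of the network (and toward the Internet) while the analyst can still reach the box, and a "DMZ" that is really just another address in the LAN range, is small enough to model. The following is an added example, not code posted by anyone in this thread and not from Smoothwall or IPcop: it writes the FORWARD policy as a first-match rule list, renders it in iptables-restore format, and probes both a properly isolated ruleset and the consumer-router style one to show which DMZ-to-LAN flows each would forward. All addresses, host names and rules are constructed assumptions. The sniffer in the earlier post sees the sample's traffic because it sits on the same segment or a mirror port; the gateway's job is only to make sure nothing is delivered.

```python
"""Model of a malware-analysis DMZ forwarding policy (constructed example).

Addresses and rules below are assumptions for illustration, not values
from the thread or from any particular firewall distribution.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")      # production LAN to protect (assumed)
DMZ = ipaddress.ip_network("10.99.0.0/24")        # isolated analysis segment (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")
SNIFFER = "192.168.1.10"                           # analyst box that runs the capture (assumed)
SAMPLE_VM = "10.99.0.50"                           # the infected guest (assumed)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str          # "ACCEPT" or "DROP"
    comment: str


# Gateway FORWARD chain: first match wins, default policy DROP.
ISOLATED_RULES = [
    Rule(DMZ, LAN, "DROP",   "sample may never initiate into the LAN"),
    Rule(LAN, DMZ, "ACCEPT", "analyst pushes tools / pulls disk images"),
    Rule(DMZ, ANY, "DROP",   "no Internet egress; capture it, do not deliver it"),
]

# The "joke DMZ": the analysis host sits inside the LAN range and the router
# simply forwards LAN-to-LAN traffic, so nothing separates it from the LAN.
WEAK_DMZ = ipaddress.ip_network("192.168.1.200/32")
WEAK_RULES = [
    Rule(LAN, LAN, "ACCEPT", "consumer router: same range, no filtering"),
]


def evaluate(src: str, dst: str, rules: List[Rule], default: str = "DROP") -> str:
    """Return the action the FORWARD chain would take for a src->dst packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return default


def leaks_into_lan(rules: List[Rule], dmz, lan, probes: int = 4) -> List[Tuple[str, str]]:
    """Probe a few DMZ hosts against a few LAN hosts; return the pairs the gateway
    would forward. An isolated DMZ must yield an empty list."""
    dmz_hosts = list(dmz.hosts())[:probes] or [dmz.network_address]
    lan_hosts = list(lan.hosts())[:probes]
    return [(str(s), str(d)) for s in dmz_hosts for d in lan_hosts
            if s != d and evaluate(str(s), str(d), rules) == "ACCEPT"]


def to_iptables_restore(rules: List[Rule], default: str = "DROP") -> str:
    """Render the policy for the gateway's FORWARD chain in iptables-restore format."""
    lines = ["*filter", f":FORWARD {default} [0:0]"]
    for r in rules:
        lines.append(f'-A FORWARD -s {r.src} -d {r.dst} -j {r.action} '
                     f'-m comment --comment "{r.comment}"')
    lines.append("COMMIT")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_iptables_restore(ISOLATED_RULES))
    print("sample -> sniffer :", evaluate(SAMPLE_VM, SNIFFER, ISOLATED_RULES))
    print("sniffer -> sample :", evaluate(SNIFFER, SAMPLE_VM, ISOLATED_RULES))
    print("sample -> Internet:", evaluate(SAMPLE_VM, "203.0.113.5", ISOLATED_RULES))
    print("leaks, isolated DMZ:", leaks_into_lan(ISOLATED_RULES, DMZ, LAN))
    print("leaks, weak DMZ    :", leaks_into_lan(WEAK_RULES, WEAK_DMZ, LAN))
```

The rendered ruleset is what you would load with iptables-restore on a Linux gateway of the kind described above; the probe function is the check to run before the sample is ever started, so that the "DMZ cannot reach back" property is verified rather than assumed.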
Is there a reason people like posting on old threads to make other people mad? At least make a new thread if you have new ideas or something..this just gets old and annoying.
1. Since the thread was originally posted in June of '05 I figured that by replying to the thread it would give people the opportunity to see what had come before.
Quote:
Originally posted here by mandraketux
Is there a reason people like posting on old threads to make other people mad? At least make a new thread if you have new ideas or something..this just gets old and annoying.
2. I really don't know how to reference a thread in another post, so I used this method to get my comment across.
3. While I can see your point in posting to old threads, giving negs for that seems to be a little extreme in getting your point across since you can do the same by PMing the person involved and giving them a chance to either correct or learn from their mistakes.
I will also be posting this into the same thread since you felt it important enough to not only neg me, but post in the same thread to try and get your point across. Seems a little hypocritical to me, but that is just MHO.
God Bless;
Carenath