Reverse engineering/forensics with autoit based malware
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Reverse engineering/forensics with autoit based malware

Hybrid View

  1. #1
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027

    Reverse engineering/forensics with autoit based malware

    Anyone here have any experience with this?

    Some context:
    I'm looking into some software that was developed with the autoit package. Autoit allows users to develop code using their scripting language and provides utilities that can wrap that script and the vm required into a binary executable. The script is obfuscated in the binary and isn't actually compiled until the application is run so that makes dissecting it with an editor/ida pro that much more annoying.

    I've found a decompiler that should handle the software in question but it is of course having issues. Has anyone here ever dealt with this or something similar? Does anyone want to poke at this problem with me?
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Quote Originally Posted by Juridian View Post

    and provides utilities that can wrap that script and the vm required into a binary executable. The script is obfuscated in the binary and isn't actually compiled until the application is run so that makes dissecting it with an editor/ida pro that much more annoying.
    All I can say is .... holy siht!!!


    /
    Does anyone want to poke at this problem with me?
    I wish I knew enough to

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    If nothing else, I'm compiling all of the resources I find and documenting what I'm doing so I can stick it up on my blog. I can kick you a link later if you want to poke around with it.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  4. #4
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Juridian,

    I can't say I have much experience with reversing AutoIt... but I do have some experience with reversing and some experience with AutoIt...

    I'd actually be really interested in seeing the executable you're working with and taking a stab at it.

    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I am totally interested in this....I just dont have experience enough to contribute much.

    Makes the case of not running as admin of the machine ...as I believe it would need the permisions to edit the registry.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    I used to write some autoit stuff, pm me what ever you are working on and ill take a look.

  7. #7
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Not much of a programmer however it looks very interesting.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    So wouldnt this type of program...if someone wrote it to be malicious in nature be hard for an av to detect until the malware was active.

    Isnt this how that AV2008 crap gets onto machines???

    I have seen it on machines with updated AV software and then had to remove using a different tool.

    Very interesting...

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Hmmmm,


    I haven't used it for ages, but it used to have a decompiler shipped with it. Then the author took it out with later versions.

    This might work, but like I said its been a long time and I haven't tried it:

    http://myauttoexe.angelfire.com/index2.html
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    Yes it still comes with the decompiler, but you can password protect them with a passphrase so they "cannot" be decrypted with out it.

Similar Threads

  1. Replies: 2
    Last Post: June 21st, 2008, 07:51 PM
  2. Reverse DNS mapping delegation
    By nske in forum Network Security Discussions
    Replies: 8
    Last Post: June 7th, 2004, 07:29 PM
  3. The history of the Mac line of Operating systems
    By gore in forum Operating Systems
    Replies: 3
    Last Post: March 7th, 2004, 07:02 AM
  4. A look into IDS/Snort Whole thing by QoD
    By qod in forum The Security Tutorials Forum
    Replies: 6
    Last Post: February 27th, 2004, 02:03 AM
  5. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 07:01 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides