-
October 16th, 2008, 12:32 AM
#1
Reverse engineering/forensics with autoit based malware
Anyone here have any experience with this?
Some context:
I'm looking into some software that was developed with the AutoIt package. AutoIt allows users to develop code using their scripting language and provides utilities that can wrap that script and the VM required into a binary executable. The script is obfuscated in the binary and isn't actually compiled until the application is run, so that makes dissecting it with an editor/IDA Pro that much more annoying.
I've found a decompiler that should handle the software in question but it is of course having issues. Has anyone here ever dealt with this or something similar? Does anyone want to poke at this problem with me?
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
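The post above describes the packaging (a stub interpreter plus an obfuscated script in one executable). As an added example that is not from the original post or from the AutoIt project, the script below does the first triage step a reverser would want before reaching for a decompiler: it parses the PE section table to find where the mapped image ends, treats everything after that as overlay (the usual home for an appended payload), and reports where any AutoIt marker strings sit. The marker strings in `AUTOIT_MARKERS` are an assumption from memory, not something the thread states; confirm them against a known AutoIt-compiled binary before trusting a miss. The example only locates the embedded blob; it does not decode the obfuscated script body, and a passphrase-protected script would still need the key. `build_sample_pe` constructs a minimal fake PE so the script runs offline.

```python
import struct

# Marker strings assumed (from memory, not from the thread) to appear in
# AutoIt-compiled executables: "AU3!EA06"/"AU3!EA05" head the embedded script
# resource and the sentence is an error string in the interpreter stub.
# Confirm against a known AutoIt-compiled binary before relying on them.
AUTOIT_MARKERS = (
    b"AU3!EA06",
    b"AU3!EA05",
    b"This is a third-party compiled AutoIt script.",
)


def pe_image_end(data: bytes) -> int:
    """Return the file offset just past the last section's raw data.

    Anything in the file after this point is "overlay": bytes the PE loader
    never maps, which is where AutoIt-style wrappers commonly keep a payload.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    first_section = coff + 20 + opt_size     # IMAGE_SECTION_HEADER[0]
    end = 0
    for i in range(num_sections):
        hdr = first_section + i * 40
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def find_marker_offsets(data: bytes, markers=AUTOIT_MARKERS):
    """Return (marker, offset) for every marker found anywhere in the file."""
    return [(m, data.find(m)) for m in markers if m in data]


def scan_for_autoit(data: bytes) -> dict:
    """Triage one executable: overlay size plus any AutoIt marker hits."""
    end = pe_image_end(data)
    overlay = data[end:]
    hits = find_marker_offsets(data)
    return {
        "image_end": end,
        "overlay_size": len(overlay),
        "marker_hits": hits,
        # Markers sitting inside the overlay point at the embedded script.
        "markers_in_overlay": [(m, off) for m, off in hits if off >= end],
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a minimal single-section PE32 with `overlay` appended.

    Constructed test input only; it is not a real AutoIt binary.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = bytes(opt_size)                         # zeroed, unused here
    raw_ptr, raw_size = 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + optional + section
    return headers.ljust(raw_ptr, b"\0") + bytes(raw_size) + overlay


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:
        blob = build_sample_pe(b"xxxx" + b"AU3!EA06" + b"\x00" * 32)
    print(scan_for_autoit(blob))
```

Run it with a path to the suspect executable; with no argument it scans the constructed sample. A large overlay with a marker inside it is the blob to carve out and feed to the decompiler; a marker found inside a mapped section instead suggests the script lives in a resource rather than the overlay.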
-
October 16th, 2008, 04:01 AM
#2
Originally Posted by Juridian
and provides utilities that can wrap that script and the vm required into a binary executable. The script is obfuscated in the binary and isn't actually compiled until the application is run so that makes dissecting it with an editor/ida pro that much more annoying.
All I can say is .... holy siht!!!
Does anyone want to poke at this problem with me?
I wish I knew enough to
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 16th, 2008, 06:04 AM
#3
If nothing else, I'm compiling all of the resources I find and documenting what I'm doing so I can stick it up on my blog. I can kick you a link later if you want to poke around with it.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
October 16th, 2008, 06:29 AM
#4
Hey Juridian,
I can't say I have much experience with reversing AutoIt... but I do have some experience with reversing and some experience with AutoIt...
I'd actually be really interested in seeing the executable you're working with and taking a stab at it.
HT
-
October 16th, 2008, 11:50 AM
#5
I am totally interested in this.... I just don't have enough experience to contribute much.
Makes the case for not running as admin of the machine... as I believe it would need the permissions to edit the registry.
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 16th, 2008, 10:59 PM
#6
I used to write some AutoIt stuff, PM me whatever you are working on and I'll take a look.
-
October 17th, 2008, 11:47 AM
#7
Not much of a programmer; however, it looks very interesting.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
October 17th, 2008, 02:36 PM
#8
So wouldn't this type of program... if someone wrote it to be malicious in nature, be hard for an AV to detect until the malware was active?
Isn't this how that AV2008 crap gets onto machines???
I have seen it on machines with updated AV software and then had to remove using a different tool.
Very interesting...
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 19th, 2008, 07:44 PM
#9
Hmmmm,
I haven't used it for ages, but it used to have a decompiler shipped with it. Then the author took it out with later versions.
This might work, but like I said it's been a long time and I haven't tried it:
http://myauttoexe.angelfire.com/index2.html
-
October 19th, 2008, 10:12 PM
#10
Yes, it still comes with the decompiler, but you can password-protect them with a passphrase so they "cannot" be decrypted without it.