A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #3373  by spaceman
 Sun Nov 07, 2010 3:02 pm
What tools/techniques do people use to view the TDL3 config.ini information, like version number, install date, etc.? The analysis articles that I've seen don't do a very good job of walking you through the process of decoding it.
 #3374  by EP_X0FF
 Sun Nov 07, 2010 3:24 pm
How about this http://www.kernelmode.info/forum/viewto ... f=10&t=253 ?

addition:

Usually such files are recovered from the encrypted TDL file system by internal tools/dumpers or from memory by special memory forensic tools. As you may understand, publishing them will lead (sooner or later) to their bypassing by TDL authors. So you need to write/do it yourself.
 #3384  by Cr4sh
 Mon Nov 08, 2010 12:21 pm
The TDL3_extract.exe tool, which can extract files from all of the TDL3 volumes (except bootkit versions), can be found in the eSage Lab TDSS Remover package:
http://esagelab.com/resources.php?s=tdss_remover

Usage example (in Russian, use google translate):
http://cr4sh-0x48k.livejournal.com/43746.html

Also I attached the binary and source files of the tool for extracting files from TDL3+ (bootkit) volumes (active infection must be cured before using it).