rkhunter wrote:I would say it hooks CreateProcess API and I do not see it listed in that post. :-?Buster_BSA wrote:Could someone put a list of hooked APIs, please?http://www.kernelmode.info/forum/viewto ... =10#p14221
Additional question: how many bytes are changed for the JMP?
A forum for reverse engineering, OS internals and malware analysis
Buster_BSA wrote:If I am not wrong this malware (MD5: 3e50b76c0066c314d224f4fd4cbf14d5) does API hooking.Yes.
Could someone put a list of hooked APIs, please? I need the information for an improvement in Buster Sandbox Analyzer.
[1176]explorer.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71A94C27-->02100000 [unknown_code_page]
[1176]explorer.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71A968FA-->02120000 [unknown_code_page]
[1672]IEXPLORE.EXE-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71A94C27-->02FC0000 [unknown_code_page]
[1672]IEXPLORE.EXE-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71A968FA-->02FD0000 [unknown_code_page]
Additional question: how many bytes are changed for the JMP?Depends on how implemented this JMP. It can be instruction patch, short-to-long jump or complete code overwrite. For most common at x86-32 it will be size of address + JMP instruction -> 5 bytes.
I would say it hooks CreateProcess API and I do not see it listed in that post.It does not hook this API.
Ring0 - the source of inspiration
New Facebook malware . ZIP file:
Attachments
password: infected
(164.63 KiB) Downloaded 65 times
(164.63 KiB) Downloaded 65 times
http://www.secureworks.com/research/thr ... _Requests/
sorry for the mistake, It is Pushdo downloader, not Pushbot.
sorry for the mistake, It is Pushdo downloader, not Pushbot.
One more malware from facebook.
https://www.virustotal.com/file/d9b96ae ... /analysis/
https://www.virustotal.com/file/d9b96ae ... /analysis/
Attachments
Pass: infected
(168.64 KiB) Downloaded 67 times
(168.64 KiB) Downloaded 67 times
