Reverse Engineering Win32 Trojans on Linux

slackrootcyc writes "A post (and previous article) give a detailed examination of the reversing process, using a trojan found in the wild. Later on in the story it discusses some techniques for reversing Windows-native code entirely under Linux."

Too bad no one here cares about ASM...

[SexyKellyOsbourne]

This is some pretty neat stuff: the author details how to find a needle in a haystack for a virus establishing a TCP connection from nothing more than raw dissassembly, and then how to use breakpoints in the WINE program to get gdb to work with it.

Though you can do that with a simple netstat, it opens up ways to find everything else about the trojan, too, without the risk of raping your native environment Windows system.

Too bad most nu-geek slashdotters would rather hear about someone putting a neon rope light inside their computer case.

Not a big deal. But could get expensive.

[FreeLinux]

Doing assembly dumps on object code isn't terribly exciting. Doing this on trojans is perhaps even less so, even on Linux.

But, referring to doing this on native Windows code is not a good idea at all. Remember the EULA, simply having the Windows code on your disk constitutes acceptance of the EULA and reverse engineering by assembly dumps is explicitly defined as a violation of the EULA. In other words you are setting yourself in a position for major legal problems.

The only legitimate way to reverse engineer software is the method used by the Samba team. You must look at the input and look at the output and then determine your OWN method of achieving the same result.

This is the only legal way to do it. If you even glance at an assembly dump of the actual software, you are no longer virgin. Thus ANYTHING that you produce afterwards the even vaguely resembles the operation of the original software will place you in a losing position, legally.

Avoid assembly dumps of MS code!