Reverse Engineering Win32 Trojans on Linux
slackrootcyc writes "A post (and previous article) give a detailed examination of the reversing process, using a trojan found in the wild. Later on in the story it discusses some techniques for reversing Windows-native code entirely under Linux."
Add it to the list, 80 to go!
I don't use Win32 platforms or do virus work, but I use GNU/Linux and can't get a girlfriend, no matter what I do. From what I can tell, not too many of you have girlfriends either; I must make it clear right now that I do not want advice from you. I am seeking the advice of those who have consensual, regular, heterosexual intercourse with a well-adjusted woman.

You may be wondering why I placed so many restrictions on the type of sexual intercourse. Being a GNU/Linux user, I can get all the men I want, but my ass hurts from years of anal sex. I am tired of pillow-biting. I have met women at Linux User Groups (LUGs) but they didn't want sex the way I wanted it - they brought their strap-on and rode my chute like the men did. The date would end with her taking me to a gay bar and selling my ass to a drunk and bearded kernel hacker.

I am convinced, therefore, that I need to meet women that do not use GNU/Linux. I have tried dating regular women, but find it hard to make conversation. I was surprised that regular women do not give a shit about Free Software or the Microsoft monopoly, which leaves me with nothing to discuss. Some women tried to talk about the weather, but I don't keep up with the weather from my mum's basement.

I have had some success; I dated one girl several times. She picked me up from home, mum liked her. I am sure dad would have too, but he left us soon after I installed Slackware on the family computer. I can still hear him crying and see him moping around the house, saying "I knew he was different; I could handle a gay son, but this .... a fucking GNU/Linux hippy". He sounded so defeated. She wanted to go to the beach, but my skin is not adjusted to the sun and my skin peels while at the beach. This was not a turn-on for her, and when she came back to my mum's basement that night we were going to have sex but the raw skin was too much for her.

Going out at night for a meal can be difficult too; all restaurants refuse to serve smelly GNU/Linux hippies. The only place we can go for food is the McDonald's drive-through, but she doesn't like waiting in her car in the heat of the day when I tend to smell the most. She doesn't like the stares she gets from the drive-through staff.

I could go on, but I won't. I now seek your advice.
Department of Physics and Atmospheric Science, Dalhousie University, Halifax, N.S., Canada, B3H 3J5
This is some pretty neat stuff: the author details how to find a needle in a haystack for a virus establishing a TCP connection from nothing more than raw disassembly, and then how to use breakpoints in the WINE program to get gdb to work with it.
Though you can do that with a simple netstat, it opens up ways to find everything else about the trojan, too, without the risk of raping your native environment Windows system.
Too bad most nu-geek slashdotters would rather hear about someone putting a neon rope light inside their computer case.
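The comment above describes the first half of the article's technique: locating the point where a trojan establishes its TCP connection by reading nothing but the disassembly. The script below is an added example for this discussion, not code from the linked article, its author, or the commenter. It assumes an objdump-style text listing ("address: bytes  mnemonic operands") in which resolved import calls are annotated as `<dll!function>`; the listing, the addresses, and the set of connection APIs are constructed assumptions for illustration.

```python
"""Find call sites that establish an outbound TCP connection in a Win32
disassembly listing.

Added example for this discussion, not code from the linked article or its
author. It assumes an objdump-style text listing ("address: bytes  mnemonic
operands") in which resolved import calls are annotated as <dll!function>;
the listing, addresses and names below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Imports that open or wrap an outbound TCP connection (assumed list; extend
# it for whatever wrapper library the sample actually links against).
CONNECT_APIS = {
    "connect", "WSAConnect", "ConnectEx",
    "InternetConnectA", "InternetConnectW",
}

# address:  bytes...  mnemonic  operands
LINE_RE = re.compile(
    r"^\s*([0-9a-fA-F]+):\s+(?:[0-9a-fA-F]{2}\s)+\s*(\S+)(?:\s+(.*))?$"
)
# Import annotation as used in the constructed listing: <ws2_32.dll!connect>
IMPORT_RE = re.compile(r"<([\w.]+)!(\w+)>")

# Constructed listing: a function that initialises Winsock, fills a sockaddr,
# connects, and exits on failure. WSAStartup is present to show that only the
# connection APIs are reported, not every socket-related import.
SAMPLE_LISTING = """\
  401000: 55                   push   ebp
  401001: 8b ec                mov    ebp,esp
  401003: ff 15 c0 a0 40 00    call   DWORD PTR ds:0x40a0c0 <ws2_32.dll!WSAStartup>
  401009: 6a 10                push   0x10
  40100b: 8d 45 f0             lea    eax,[ebp-0x10]
  40100e: 50                   push   eax
  40100f: ff 75 08             push   DWORD PTR [ebp+0x8]
  401012: ff 15 c8 a0 40 00    call   DWORD PTR ds:0x40a0c8 <ws2_32.dll!connect>
  401018: 85 c0                test   eax,eax
  40101a: 75 06                jne    0x401022
  40101c: ff 15 d0 a0 40 00    call   DWORD PTR ds:0x40a0d0 <kernel32.dll!ExitProcess>
  401022: c9                   leave
  401023: c3                   ret
"""


@dataclass
class CallSite:
    addr: int
    dll: str
    api: str
    preceding: list = field(default_factory=list)  # likely argument setup


def parse_listing(text):
    """Return (address, mnemonic, operands) for every instruction line."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(2), (m.group(3) or "").strip()))
    return insns


def find_connect_calls(text, context=4):
    """Report each call into CONNECT_APIS together with the `context`
    preceding instructions, which under x86 stdcall normally hold the pushed
    arguments (socket handle, sockaddr pointer, length)."""
    insns = parse_listing(text)
    hits = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem != "call":
            continue
        imp = IMPORT_RE.search(ops)
        if imp is None or imp.group(2) not in CONNECT_APIS:
            continue
        pre = [f"{a:08x} {m} {o}".strip() for a, m, o in insns[max(0, i - context):i]]
        hits.append(CallSite(addr, imp.group(1), imp.group(2), pre))
    return hits


def report(hits):
    """Human-readable summary: one line per call site plus its argument setup."""
    lines = []
    for h in hits:
        lines.append(f"{h.addr:08x}: call {h.dll}!{h.api}")
        lines.extend("    " + p for p in h.preceding)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_connect_calls(SAMPLE_LISTING)))
```

The reported address is the one to put a breakpoint on once the binary is running under WINE with gdb attached, as the comment goes on to describe; the preceding `push` instructions point at the sockaddr buffer whose contents reveal the remote host and port without ever letting the sample connect.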
Doing assembly dumps on object code isn't terribly exciting. Doing this on trojans is perhaps even less so, even on Linux.
But referring to doing this on native Windows code is not a good idea at all. Remember the EULA: simply having the Windows code on your disk constitutes acceptance of the EULA, and reverse engineering by assembly dumps is explicitly defined as a violation of the EULA. In other words, you are setting yourself up for major legal problems.
The only legitimate way to reverse engineer software is the method used by the Samba team. You must look at the input and look at the output and then determine your OWN method of achieving the same result.
This is the only legal way to do it. If you even glance at an assembly dump of the actual software, you are no longer a virgin. Thus ANYTHING that you produce afterwards that even vaguely resembles the operation of the original software will place you in a losing position, legally.
Avoid assembly dumps of MS code!
Plea for forgiveness... (Score:0)
by Anonymous Coward on Saturday November 16, @02:46PM (#4686623)
I have a problem.
I used to be a regular at geekizoid. I make no excuses -- at the time it was a fun place. People posted random thoughts... nonsense articles... flamed each other with wanton abandon. It wasn't full of stuck up dickless wonders like certain other sites. Amazing as it may sound now, this haven of juvenile fun was hosted by Vladinator, aka Scott Lockwood, aka Fat Fucking Loser.
Things changed, of course, because nothing involving a brain-dead obesity like Lockwood can remain fun for long. Sure enough, the drooling fat fool tried to make geekizoid into a more "serious" site, and offer commercial hosting to other piss-poor attempts at slash/scoop sites -- amusing to anyone familiar with the long history of hilarious incompetence shown by the band of half-wits administering his systems. It is at this point that anyone bar a few determined Lockwood mockers and his pet cock-suckers left *.geekizoid for good.
This is my problem. I was once a geekizoidian. I now hate and despise Lardinator and all those associating with him. How do I remove this taint from my soul and rejoin the troll brotherhood? Am I doomed to wander, anonymously, the wastelands of 20721, forever excluded from decent troll society?
Please help. [ezboard.com]
[ Reply to This | Parent ]
!!Trolltalk Collection Stardate NOW (Score:0)
by Anonymous Coward on Saturday November 16, @02:19PM (#4686455)
[ Reply to This | Parent ]
Warning to Crapflooders (Score:1)
by gbwd on Saturday November 16, @02:33PM (#4686546)
(User #626693 Info)
Hi everybody (Dubya here),
i am logging the IP addresses of everybody who posts to this here trolltalk forum. if you are a crapflooder i WILL turn you in to the authorities.
[ Reply to This | Parent ]
You only popped up yesterday (Score:0)
by Anonymous Coward on Saturday November 16, @02:39PM (#4686594)
You fuck the dick mister.
If you really want to avoid crapflooding, go join chainrust.
[ Reply to This | Parent ]
A note to the Vladequacy/AVT CRAPFLOODERS (Score:0)
by Anonymous Coward on Saturday November 16, @01:49PM (#4686311)
Fucking stop it already.
plz die k thx
[ Reply to This | Parent ]
This is pathetic (Score:0)
by gnillort (myslashdotemailaccount@yahoo.com) on Saturday November 16, @10:54AM (#4685513)
(User #617577 Info | Last Journal: Wednesday October 23, @07:53PM)
Rather than get rid of the influence of Vlad crapflooding and the cabal/AVT/CUNT/CLIT/Klerck crapflooding, you fatasses sit here. I have a perfectly good alternative [ezboard.com] all set up. Why not give it a try?
[ Reply to This | Parent ]
GOD DAMMIT CHAINRUST (Score:1)
by gbwd on Saturday November 16, @02:25PM (#4686490)
(User #626693 Info)
Hi everybody (Dubya here),
dear Mr. Chainrust, please stop trying to attract attention to yourself. it is painfully obvious you are not welcome under any name you choose for yourself. instead of wasting your time here trying to be "cool" with us trolls, someone your age should be spending his time with real other people at his age and developmental level. why don't you go partake in some time-honored American extracurricular activities? you could go and join the Boy Scouts, sign up for ROTC (the War on Terror needs you), or if you're one of them new-age sensitive guys [www.dobi.nu], you can learn some Home Ec or something. just stop gallivanting around here like a damn fool.
[ Reply to This | Parent ]
Re:This is pathetic (Score:0)
by Anonymous Coward on Saturday November 16, @12:39PM (#4685992)
I just LOVE Klerck's site [klerck.org]! Especially the "fash" section [klerck.org], where I learned to cut the bottom off of an old pair of testicles to use as a hair enhancement! Oh, and the "fetish party" photos [klerck.org]!
Of course, don't forget to read Klerck's emails [rotten.com]! Here you will discover how truly difficult it is to decide what to do on the weekends... have an orgy? A mass rape party? Go to the mall and sodomize yourself with splintery broomsticks? Autofellate or autoerotically asphyxiate yourself?
In short, if you haven't checked out Klerck's site [goatse.cx], you don't know what you're missing!
[ Reply to This | Parent ]
YOOOOU ARE TEH GAY! (Score:0)
by Anonymous Coward on Saturday November 16, @10:42AM (#4685454)
In A.D. 2002
Faggotry was beginning.
AV3: What happen?
Phone Boy 1: Somebody pump us up the butt
Phone Boy 2: We get no lubricant
AV3: What!
Phone Boy 2: Main cock turn hard
AV3: It's You!!
Vlad: How are you fagmasters!!
Vlad: All your females are belong to us
Vlad: You are on the way to death by aids
AV3: What you say!!
Vlad: You have no chance to survive smoke your pole
Vlad: HA HA HA HA....
AV3: Take off every 'cockring'
AV3: You know what you doing
AV3: Move 'jizcatcher'
AV3: For great justice
[ Reply to This | Parent ]
January 1st, 2003: daily countdown. (Score:0)
by Anonymous Coward on Saturday November 16, @07:01AM (#4684935)
The countdown: 45 days
http://goatse.cx
http://pub56.ezboard.com/btrolltalk