Analysis of functions used to encode strings in Flame (GDB script)
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
(Publication) Google search: [1]
| Analysis of functions used to encode strings in Flame (GDB script) | |
|---|---|
| |
| Botnet | Flame |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / 2012/06/21 |
| Editor/Conference | Malware.lu |
| Link | http://code.google.com/p/malware-lu/wiki/en flame analysis with script gdb (Archive copy) |
| Author | RootBSD |
| Type | |
Abstract
“ Introduction
This article deals with another way to reuse ASM instruction based on GDB script. The idea is to launch a executable in a sandbox and control its flow.
- Tools
- Cygwin
- LordPE
- IDA 5.0 free
- GDB
GDB provides python API. We can use it thougth Cygwin on Windows. In the laster version GDB in Cygwin don't contain the gdb server. But we can get an old package (6.8) provide the server. It's still available on some mirror:
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1052,
editor = {Malware.lu},
author = {RootBSD},
title = {Analysis of functions used to encode strings in Flame (GDB script)},
date = {21},
month = Jun,
year = {2012},
howpublished = {\url{http://code.google.com/p/malware-lu/wiki/en_flame_analysis_with_script_gdb}},
}