Analysis of functions used to encode strings in Flame (GDB script)

From Botnets.fr
Jump to navigation Jump to search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

Analysis of functions used to encode strings in Flame (GDB script)
Analysis of functions used to encode strings Flame.png
Botnet Flame
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2012 / 2012/06/21
Editor/Conference Malware.lu
Link http://code.google.com/p/malware-lu/wiki/en flame analysis with script gdb (Archive copy)
Author RootBSD
Type

Abstract

Introduction

This article deals with another way to reuse ASM instruction based on GDB script. The idea is to launch a executable in a sandbox and control its flow.

  • Tools
  • Cygwin
  • LordPE
  • IDA 5.0 free
  • GDB

GDB provides python API. We can use it thougth Cygwin on Windows. In the laster version GDB in Cygwin don't contain the gdb server. But we can get an old package (6.8) provide the server. It's still available on some mirror:

Bibtex

 @misc{RootBSD2012BFR1052,
   editor = {Malware.lu},
   author = {RootBSD},
   title = {Analysis of functions used to encode strings in Flame (GDB script)},
   date = {21},
   month = Jun,
   year = {2012},
   howpublished = {\url{http://code.google.com/p/malware-lu/wiki/en_flame_analysis_with_script_gdb}},
 }