By ro0ted | February 12, 2015 - 13:21 | Posted in /b/ | 16 Comments
#ro0ted #OpNewblood What the blackhats don’t want you to know: Visual Basic Binaries Brief Walk Through

Today in What the blackhats don’t want you to know we will go over Visual Basic binaries. One day you will come across malware written in Visual Basic, because Visual Basic is the language most overused by novice malware authors. – https://twitter.com/ro0ted/


(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1 +


Tools used:

ExeinfoPE

Ollydbg modified

This will be a walk through of understanding Visual Basic Binaries. You are a spectator. Consider this an online lecture. #ro0ted


Okay, first we run the target in ExeinfoPE, which is an .exe analyzer.

[screenshot: ExeinfoPE results]

Let’s investigate the header before we run Ollydbg.

[screenshot: PE header view]

Click Import, which reveals the dependencies (imported DLLs and functions) it uses.

[screenshot: import table]

Let’s see if it edits the registry or creates any registry entries:

[screenshots: registry-related strings]

This is how we can tell whether this is indeed a fake program or just heavily packed. Let’s run it in CFF Explorer Suite, another .exe analyzer.

[screenshot: CFF Explorer]

Okay let’s open the target in Ollydbg. Keep in mind I’m using a modified Ollydbg with every plugin.

[screenshot: target loaded in Ollydbg]

If this were a C or C++ program, viewing All Referenced Strings would show nothing worth reviewing. For Visual Basic that isn’t the case. Example:

[screenshot: referenced strings in Ollydbg]

Another hindrance to reversing is the fact that the method calls are completely different in a VB executable. Instead of calls to such things as RegisterWindowEx and MessageBoxA, VB uses its own API calls, embedded in the runtime DLL:

[screenshot: VB runtime calls in Ollydbg]
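To make the checks above repeatable (the import list and registry strings from ExeinfoPE, and the point that a VB executable calls its own runtime instead of raw Win32), here is a small triage script. It is an added example, not part of the original post and not from ExeinfoPE, CFF Explorer or Ollydbg. It assumes a VB6 target (runtime DLL MSVBVM60.DLL), the "VB5!" header magic that VB5/VB6 binaries carry (not mentioned in the post), and a handful of runtime export names; the sample bytes are constructed here to stand in for a real file, and VB6 string literals are searched as UTF-16LE because that is how the runtime stores them.

```python
"""Quick static triage of a suspected Visual Basic 6 binary (added example).

Pulls printable ASCII and UTF-16LE strings out of a byte blob and flags
the indicators discussed in the walkthrough: the VB runtime DLL import,
VB runtime function names, the "VB5!" header magic, and registry strings.
"""
import re
import sys

# The VB6 runtime; a native VB6 EXE imports almost everything from it.
VB_RUNTIME_DLL = "msvbvm60.dll"
# A few runtime exports a VB6 program calls instead of raw Win32
# (rtcMsgBox stands in for MessageBoxA, ThunRTMain is the real entry point).
VB_RUNTIME_FUNCS = {"ThunRTMain", "rtcMsgBox", "__vbaStrCmp", "__vbaNew2", "rtcShell"}
# Strings that suggest registry access: hive names, a common persistence key,
# and the Win32 registry APIs.
REGISTRY_MARKERS = (
    "HKEY_",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "RegCreateKey",
    "RegSetValue",
    "RegOpenKey",
)

# Runs of at least 5 printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")
# UTF-16LE runs: each printable ASCII byte followed by a NUL, at least 5 times.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(data: bytes):
    """Return (ascii_strings, utf16_strings) found in data."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    utf16_strings = [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return ascii_strings, utf16_strings


def triage(data: bytes) -> dict:
    """Summarise VB-runtime and registry indicators present in data."""
    ascii_s, utf16_s = extract_strings(data)
    all_s = ascii_s + utf16_s
    return {
        "vb_runtime_import": any(s.lower() == VB_RUNTIME_DLL for s in all_s),
        "vb_header_magic": b"VB5!" in data,
        "vb_runtime_funcs": sorted({s for s in all_s if s in VB_RUNTIME_FUNCS}),
        "registry_strings": sorted(
            {s for s in all_s if any(m.lower() in s.lower() for m in REGISTRY_MARKERS)}
        ),
        "ascii_count": len(ascii_s),
        "utf16_count": len(utf16_s),
    }


# Constructed sample standing in for a VB6 fake-antivirus binary (not a real file).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"MSVBVM60.DLL\x00"                         # DLL name as stored in the import table
    + b"ThunRTMain\x00rtcMsgBox\x00__vbaStrCmp\x00"  # imported runtime functions
    + b"VB5!6&*\x00\x00"                          # VB header magic ThunRTMain's argument points to
    + "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00"
    + "Fake Antivirus v2".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    # Pass a file path to triage a real binary; otherwise run on the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the sample flagged as a VB6 binary with a Run-key string; point it at a file to triage that instead. A C or C++ program produces no VB runtime hits, which is the distinction the walkthrough draws from Ollydbg's referenced-strings window.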

Let’s open the executable modules.

[screenshots: executable modules window and the VB runtime module in Ollydbg]

Conclusion: Ollydbg reveals a lot but nothing mouth-watering, so the best bet is always to decompile the VB program. ILSpy and .NET Reflector sometimes won’t show anything, since they target .NET assemblies rather than native VB6 executables. Use VB Decompiler Pro or Lite. In the next tutorial we will discuss patching VB programs. This is just a brief discussion.

ro0ted

