By ro0ted | February 12, 2015 - 13:21 | Posted in /b/
#ro0ted #OpNewblood What the blackhats don’t want you to know: Visual Basic Binaries Brief Walk Through
Today in What the blackhats don’t want you to know we will go over Visual Basic binaries, because one day you will come across malware written in Visual Basic: it is the most overused language among novice coders. – https://twitter.com/ro0ted/
Visual Basic Binaries Walk Through Part 1
This will be a walkthrough of understanding Visual Basic binaries. You are a spectator; consider this an online lecture. #ro0ted
Okay, first we run the target in ExeinfoPE, which is an .exe analyzer.
Let’s investigate the header before we run OllyDbg.
Click Import, which reveals the dependencies it uses.
Let’s see if it edits the registry or makes any registry entries:
This is how we can tell this is indeed a fake program, or just really packed. Let’s run it in CFF Explorer Suite, another .exe analyzer.
Okay, let’s open the target in OllyDbg. Keep in mind I’m using a modified OllyDbg with every plugin.
If this were a C or C++ program, viewing All Referenced Strings would show nothing worth reviewing. For Visual Basic that isn’t the case. Example:
Another hindrance to reversing is that the method calls are completely different in a VB executable. Instead of calls to things such as RegisterWindowEx and MessageBoxA, VB uses its own API calls, embedded in the runtime DLL:
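The three checks above (the Import view in the PE analyzer, the referenced strings, and the calls into the VB runtime DLL) can be scripted so they run on a whole folder of samples. The following Python is an added example written for this post, not ro0ted’s tooling and not part of ExeinfoPE, CFF Explorer or OllyDbg: a minimal import-table parser that flags a binary as VB5/VB6 when its imports name MSVBVM50.DLL or MSVBVM60.DLL, plus a strings scanner that also recovers the UTF-16LE literals VB stores, which an ASCII-only strings pass misses entirely. The PE it inspects is constructed in memory as a fixture; the function names ThunRTMain, rtcMsgBox and __vbaFreeStr are real MSVBVM60 exports, but the “program” itself is not a real file and cannot execute.

```python
import re
import struct

VB_RUNTIMES = {"msvbvm50.dll", "msvbvm60.dll"}  # VB5 / VB6 runtime DLLs


def _rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll_name: [imported function names]} for a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header start
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # DataDirectory[1] (import table) sits 8 bytes past the directory start: +0x60 PE32, +0x70 PE32+
    imp_rva = struct.unpack_from("<I", data, opt + (0x70 if pe32plus else 0x60) + 8)[0]
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    imports = {}
    if imp_rva == 0:
        return imports
    desc = _rva_to_offset(imp_rva, sections)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break                                          # all-zero descriptor ends the list
        funcs, thunk = [], _rva_to_offset(ilt or iat, sections)  # ILT may be 0; fall back to IAT
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if entry & ord_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:
                funcs.append(_cstring(data, _rva_to_offset(entry, sections) + 2))  # skip 2-byte hint
            thunk += size
        imports[_cstring(data, _rva_to_offset(name_rva, sections))] = funcs
        desc += 20
    return imports


def is_vb_binary(data):
    """A native VB5/VB6 executable calls into its runtime DLL instead of Win32 directly."""
    return any(dll.lower() in VB_RUNTIMES for dll in parse_imports(data))


def extract_strings(data, min_len=4):
    """Return (ascii_strings, wide_strings); VB string literals are stored as UTF-16LE."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return ([m.group().decode("ascii") for m in re.finditer(ascii_re, data)],
            [m.group().decode("utf-16-le") for m in re.finditer(wide_re, data)])


def build_sample_pe():
    """Constructed PE32 fixture whose only import is MSVBVM60.DLL; not a real program."""
    SEC_RVA, SEC_FILE = 0x1000, 0x200
    names = [b"ThunRTMain", b"rtcMsgBox", b"__vbaFreeStr"]   # real MSVBVM60 export names
    body = bytearray(40)                                      # one descriptor + zero terminator
    ilt_rva = SEC_RVA + len(body)
    body += bytes(4 * (len(names) + 1))                       # import lookup table
    iat_rva = SEC_RVA + len(body)
    body += bytes(4 * (len(names) + 1))                       # import address table
    for i, n in enumerate(names):
        struct.pack_into("<I", body, ilt_rva - SEC_RVA + 4 * i, SEC_RVA + len(body))
        struct.pack_into("<I", body, iat_rva - SEC_RVA + 4 * i, SEC_RVA + len(body))
        body += b"\x00\x00" + n + b"\x00" * (2 - len(n) % 2)   # hint, name, NUL, even-align
    dll_rva = SEC_RVA + len(body)
    body += b"MSVBVM60.DLL\x00\x00\x00"
    body += "Free PC Cleaner 2015".encode("utf-16-le") + b"\x00\x00"   # VB-style wide literal
    body += b"Software\\ConstructedSample\\Settings\x00"                 # constructed ASCII string
    struct.pack_into("<IIIII", body, 0, ilt_rva, 0, 0, dll_rva, iat_rva)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<II", opt, 0x68, SEC_RVA, 40)           # DataDirectory[1] = import table
    hdr = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew
    hdr += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
    hdr += b".text\x00\x00\x00" + struct.pack("<IIIIIIHHI", len(body), SEC_RVA, len(body),
                                               SEC_FILE, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr + bytes(SEC_FILE - len(hdr)) + body)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("imports:", parse_imports(sample))
    print("VB runtime present:", is_vb_binary(sample))
    print("ASCII / UTF-16LE strings:", extract_strings(sample))
```

On a real sample you would call `parse_imports(open(path, "rb").read())`; a hit on MSVBVM60.DLL with dozens of `__vba*` and `rtc*` imports is the same signal the Import view in ExeinfoPE gives you, and the wide-string list is where the message-box text and registry paths of a VB program turn up when the ASCII list looks empty. Packed samples will show a near-empty import table here just as they do in the GUI tools, which is the “really packed” case the text describes.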
Let’s open the executable modules.
Conclusion: OllyDbg reveals a lot but nothing mouth-watering, so the best bet is always decompiling the VB program. ILSpy and .NET Reflector won’t show anything sometimes; use VB Decompiler Pro or Lite. We will discuss patching VB programs in the next tutorial. This is just a brief discussion.