February 21st, 2010
Something I really hate to do when analyzing PDF malware exploits is to manually extract the streams and manually decode them to see the, typically, hidden JavaScript code, so I decided to extend the PDF plugin for Pyew to automatically see them. Now, with the new version of the plugin (download it from the Mercurial repository) we can see what filters are used in the exploit and, the most important thing, we can see the decoded streams, independently of how many filters are being used.
Continue reading →
December 2nd, 2009
Today, while analyzing a family of malwares (the familiy called by some vendors as “Krap”) I noticed a good and new, at least for me, antiemulation technique. What do you think this sample code does?
some_func:
; Do stuff...
start:
push offset some_func
jmp edx
Continue reading →