System Research
dcopy: copy any file as you wish
by niucool on Jul.08, 2010, under System Research
Old software: DirMon
by niucool on Jul.06, 2010, under System Research
This is an old piece of software I wrote in 2003, based on a CodeProject article at the time. While tidying up my computer today I happened to find that source code. I recompiled it and am releasing it here; maybe some comrades will need it.
Feature overview:
DirMon's functionality is similar to FILEMON, the difference being that DirMon monitors directories by calling ring 3 functions: all write operations under the specified directory, including file additions, deletions and modifications, are recorded.
DirMon is simple to operate, easy to use and light on system resources. But DirMon is not a low-level, driver-based monitoring tool, only a small application-layer monitor. Development of this software stops here; it is posted here perhaps only as a memento.
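The same ring 3 (user-mode) approach DirMon describes, as an added PowerShell example that is not DirMon's own code: a .NET FileSystemWatcher logs every create, delete, change and rename under a directory. The path and log file names are assumptions for the demo. The buffer-overflow handler at the end illustrates the limitation the post points out: a user-mode watcher can silently drop events under a burst of writes, which a driver-level monitor would not.

```powershell
# Added example, not DirMon's source: user-mode directory monitoring with
# System.IO.FileSystemWatcher. $Path and $LogFile are assumed demo values.
param(
    [string]$Path    = "$env:TEMP\dirmon-demo",
    [string]$LogFile = "$env:TEMP\dirmon-demo.log"
)

New-Item -ItemType Directory -Path $Path -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $Path
$watcher.IncludeSubdirectories = $true
# Watch name changes plus last-write/size, which together cover add/delete/modify.
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor
                        [System.IO.NotifyFilters]::DirectoryName -bor
                        [System.IO.NotifyFilters]::LastWrite -bor
                        [System.IO.NotifyFilters]::Size
# Larger kernel-to-user buffer reduces (but does not eliminate) dropped events.
$watcher.InternalBufferSize = 64KB

# One handler for all change types; $Event.MessageData carries the log path.
$onChange = {
    $e = $Event.SourceEventArgs
    $line = "{0:yyyy-MM-dd HH:mm:ss.fff} {1,-8} {2}" -f (Get-Date), $e.ChangeType, $e.FullPath
    if ($e.ChangeType -eq 'Renamed') { $line += " (was $($e.OldFullPath))" }
    Add-Content -Path $Event.MessageData -Value $line
}

# Raised when the watcher's buffer overflows: events were lost, note it in the log.
$onError = {
    $msg = $Event.SourceEventArgs.GetException().Message
    Add-Content -Path $Event.MessageData -Value ("{0:yyyy-MM-dd HH:mm:ss.fff} ERROR    events dropped: {1}" -f (Get-Date), $msg)
}

$subs = @()
foreach ($evt in 'Created', 'Deleted', 'Changed', 'Renamed') {
    $subs += Register-ObjectEvent -InputObject $watcher -EventName $evt -Action $onChange -MessageData $LogFile
}
$subs += Register-ObjectEvent -InputObject $watcher -EventName Error -Action $onError -MessageData $LogFile

$watcher.EnableRaisingEvents = $true
try {
    Write-Host "Watching $Path (Ctrl+C to stop); log: $LogFile"
    # Keep the session alive; -Action handlers run in the background.
    while ($true) { Wait-Event -Timeout 5 | Remove-Event }
}
finally {
    $watcher.EnableRaisingEvents = $false
    $subs | ForEach-Object { Unregister-Event -SubscriptionId $_.Id }
    $watcher.Dispose()
}
```

Run it in one PowerShell window, then copy, edit and delete files under the watched directory from another; each operation appears as a timestamped line in the log. Because the notifications come from the user-mode filesystem-change API rather than a filter driver, the watcher sees only changes that complete through that path and can miss events during bursts, which is exactly the trade-off the post draws between DirMon and a driver-level tool.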
EICAR 2010: RAINY DAYS IN PARIS (FW)
by niucool on Jun.07, 2010, under Malware Research
EICAR 2010: RAINY DAYS IN PARIS
Eddy Willems
G Data Software and EICAR, Belgium
The 19th EICAR conference took place last month in the heart of the beautiful city of Paris at the école Supérieure d’Informatique, Electronique, Automatique (ESIEA). The second International Alternative Workshop on Aggressive Computing and Security (iAWACS’10) was held immediately before the conference at the same venue, and EICAR delegates were also able to attend this event. iAWACS’10 included workshops on smart cards and crash courses on securing PLC networks, but the most noteworthy item on the agenda was the anti-virus evaluation challenge ‘PWN2KILL’, the aim of which was to attempt to bypass anti-virus software and evaluate its effectiveness in practical terms. A technical summary is available on the iAWACS website. [David Harley shares his views on the challenge on p.2 – Ed.]
GETTING STARTED
After an official EICAR members meeting and welcome party on the Sunday evening, the real meat of the conference began on Monday morning with an opening address from the chairman of EICAR, Rainer Fahs, continuing with a keynote from Christophe Devine – better known as the father of ‘Aircrack’ – about problems related to AV testing. He described a series of tests and rated their usefulness. Devine believes that, in most cases, careful inspection reveals no real winners, and several tests are not even relevant to the real world. He proposed an initiative called AVerify, an open-source anti-virus test suite which would facilitate the creation of reproducible, more reliable tests. AVerify would be inspired by the EICAR test file, maintained independently of EICAR but following the same code of conduct.
EICAR 2010
by niucool on Apr.30, 2010, under Malware Research
I will attend EICAR 2010 in Paris from 7th May to 15th May. I wish I could be lucky enough to meet some guys who are also interested in ARK and have tried SysReveal.
Prototype of the NtLoadKeyEx
by James on Apr.27, 2010, under ReverseIt, System Research
If you have seen the WRK, you will find that the NtLoadKeyEx prototype is as follows:
NTSTATUS __stdcall NtLoadKeyEx
(
__in POBJECT_ATTRIBUTES TargetKey,
__in POBJECT_ATTRIBUTES SourceFile,
__in ULONG Flags,
__in_opt HANDLE TrustClassKey
);
But when you attempt to hook this function using this prototype, there will be a critical error.
What’s wrong?
ReactOS, NTFS-3G and others
by niucool on Mar.31, 2010, under System Research
While rewriting the file system parsing in SysReveal, I referred to the code of the ReactOS freeldr fs part, NTFS-3G and FatFS. I also consulted some code provided by sudami and ProgmBoy on the PEDIY forum.
Notes of an NTFS researcher
by niucool on Mar.26, 2010, under System Research
(Original URL: http://www.citforum.ru/operating_systems/windows/ntfs/)
Content
Peek into NOD32 module file
by James on Feb.05, 2010, under ReverseIt
Okay, I have been criticized by Niucool & Bananas as there is no post in this blog from me.
Feeling ashamed~~~
So I decided to post something to let you guys know that I am alive.
Are you interested in antivirus engines? Do you wanna know what it is?
Hmmm, I think that I cannot give you the answer. Just kidding.
Many people think that ESET NOD32 is a good antivirus, and … so do I.
Hereby, I intend to play with it and give you some short info about it.
GoolBot – if loving you is wrong, I dont want to be right
by Bananas on Feb.04, 2010, under Malware Research
Goolbot is another Bredolab-like malware. The name came from its binary, which contains the string “Google Bot” used to fill the “User-Agent” in the initial communication request. Surprisingly, it’s quite straightforward: no fancy encryption, just plain-text HTTP. That’s why I love it.
Server response on 30th Jan.
Server response on 3rd Feb.
You may find that the list changed. Yes, that is the most important characteristic of GoolBot: it downloads massive amounts of malware onto your computer, turning it into a multi-function bot. Usually it downloads a FakeAV downloader, Pushdo/Cutwail, Zbot, etc. As a simple solution, you could just block the domain name klitar.cn.
Sorry, Pushdo. I’m Married.
by Bananas on Feb.04, 2010, under Malware Research
Yet again we have arrived to witness Pushdo’s aftermath. After it spread with its old friend Bredolab (v10) and new friend GoolBot (v9), now, only a few days before Valentine’s Day, Pushdo will not let this opportunity slip away: it (v11) has started to spread the love once again. As usual, Russia is an exception.
The Pushdo advanced installer doesn’t change: same routine, same communication protocol, same custom encryption. It just changed its coat (custom stub + UPX 3.03). The attachment myphoto.exe could be a FakeAV downloader. In this case, it downloads fixer_sdgareh_b.exe, which is FakeAV.