Assembly

Tiny Malware PoC: Malware Without IAT, DATA OR Resource Section

  • Posted on: 13 August 2014
  • By: siteadm

Have you ever wondered about having an EXE without any entry in the IAT (Import Address Table) at all? Well, I knew that it's possible, but I had never seen an actual EXE file without an IAT entry. So I developed an application which is 1,536 bytes and still does basic annoying malware things. To summarize, this tiny app:

- Enumerates the following APIs:

Kernel32

Shellcode - Module Unloader

  • Posted on: 3 August 2014
  • By: siteadm

Have you ever dealt with malware that injects its DLLs into other processes? Sometimes it injects its DLL into a critical process like csrss.exe (like the recent Soraya malware); you are in the middle of an OllyDbg session with a hundred breakpoints placed, several IDAs loaded, and you are deep in analysis. You just can't restart the computer, and you can't let the malware keep running in csrss.exe. So I decided to write a basic shellcode to unload any given DLL (module), so I can inject this shellcode into the infected process to unload the malware or any other DLL.