Good afternoon everybody. Hello from Russia. Well, my name is Vitaly Kamluk, and I'm a Senior Virus Analyst. I work at Kaspersky Lab. Well, what I do is deal with viruses and hacker attacks. So my presentation is going to be kind of entertaining, I hope so. And I'm going to show you some quite advanced techniques of working in the Windows system that can help you to fight malware on your own. So let's begin. Well, these are five reasons why you need to know how to fight malware on your own. These might be reasons for users. You know, users can reach 100% of protection themselves if they use antivirus solutions: it protects them for 99%, and the 1% they can add themselves by using their own knowledge. And they can be prepared for attacks. Well, they don't need to maybe download the freshest software, because they are prepared for attacks and they can fight attacks and viruses on their own. Also they maintain confidentiality, so they do not need to send their very important files, which can contain some personal information, to any virus labs for analysis. And the very important thing is the ability to restore your system here and now. When you don't have any other third-party tools, you can restore your system using only Windows tools. And that's what I'm going to talk about: how to restore your system, how to fight malware using only Windows. No third-party tools, and imagine that you don't have any Internet connection, so you cannot download anything. All you have is your, you know, pure Windows system and nothing else. Well, and sometimes time really matters. And if you do not react immediately, you can lose your system, lose your data. And time is very, very important. So I don't want to, well, tell a lot of abstract things. I want to show you several examples. Well, let's see what's available on Windows XP. Well, it's system tools like Explorer, that you all know, Task Manager, Registry Editor and the signature verifier.
Well, we also have some console utils, like netstat, tasklist, the reg util and expand. We have interpreters like the batch interpreter, or JavaScript with Visual Basic Script. Well, there are some text editors like Notepad, WordPad, edit and edlin, which came from those times. Well, the only binary editing tool available on Windows currently is the debug.exe tool. That is not a specialized tool for editing binary files, but that's the only way you can view and create binary files. Well, that's a kind of dirty hack on Windows, but still this tool works and it is part of Windows. Well, I'll talk about it a little bit later, because Microsoft decided to remove this tool from Windows Vista. Well, you also have a symbolic debugger, NTSD. It is a part of the operating system starting from NT 4.0. And you have all the repositories that you can use. Let's go further. Let's see an example. Well, the example is Email-Worm.Win32.Warezov. This is an email worm that was detected last year, and it is a kind of very fast mutating worm that produced more than 400 modifications, which is more than 25,000 files. So for one year, we have received this number of files. Well, we suspect that it mutates on the server side, so there is no mechanism in the worm that allows the worm to mutate itself. And it downloads additional modules from the Internet and hides itself from Task Manager. Let's see how the usual user can infect his system. Well, he just needs to open a file that looks like a text message by clicking it. Of course, it is an application. We just don't see the extension, and the usual user doesn't either. Well, what he sees in the opened file is a kind of trash that makes no sense. But if you are attentive, you will look at the title of this window. It is 2TMP, and we opened a slightly different file. And this file, 2TMP, is created in the same directory. It's a kind of anomalous activity.
So the attentive user will try to maybe download some antivirus solution. For example, here it is KAV, which is Kaspersky Anti-Virus. Well, even if he tries to do that, he will see the following picture. He clicks on the application shortcut, but nothing happens. Well, the user might think that there may be an error or mistake, some kind of bug in the installation package, or maybe his system doesn't satisfy the system requirements. But let's look at the other side of Windows. By the way, are there any Microsoft employees in this room? Raise your hands. Come on! No Microsoft employees, good. Because I'm going to show you the backstage of Windows. Again, let's do that. What happens when the user clicks the shortcut? Well, all the messages, everything is processed by the explorer.exe process. And it constantly executes some code, handling input messages coming from mouse and keyboard. Well, what explorer.exe does is prepare a new application for launching. It prepares the environment, sets all the necessary settings, and then calls the ShellExecuteEx function to create a new instance of the process. So, here it goes. This is the installation process. The first thing the system does is load the necessary libraries into the address space of the process. Among those libraries there is a malicious one that first decrypts strings in it, and here we get the string KAV, which corresponds to Kaspersky Anti-Virus, and if it detects that it is in the address space of the KAV process, it just calls the ExitProcess function to terminate the application. So, this is what is happening on the user's system. Okay, what can we do with it? How to help the user install the antivirus? Well, we have to inspect what happened. The first thing we should do is carefully check the access date and time of the source malicious file. We will need this information a little bit later. After that, we have to find all the files that were created or accessed today.
So, we check that we select searching for all files by date, specify the access date, set it to today, and check the option to search hidden files and folders. It is necessary, I think you understand why. So, when we get the list, it's a very, very long list. And the first thing we should do is sort it by creation date. And after this, we can see the list of files created after opening the source malicious application. And here are the files. You can see this original message file, and some more files, like surface there, which copied itself to the C:\Windows folder. And it is also an application, and it has the same size as the source one. It is placed in the system folder. So, it can show us that we launched a Trojan, or malicious, application. The first thing we can try to do is to delete this application from the Windows folder. But we get an access denied message. So, this file is locked by some other application, or maybe it is just running on our system. If we check the list of processes in Windows Task Manager, we cannot find this process. What does it mean? That may be caused by an active rootkit present on our system, or just by locking by another process. So, if we get the alternative list of the processes, we can see that surface there is running, but we couldn't find it in Task Manager. So, it has got to be a rootkit working on our system. Well, to terminate the process, we can use the taskkill command, which is also part of the Windows XP system. Not many people know about it. I don't know why. Well, we terminate the process, and after that we can try deleting additional files coming with this Trojan: E1.DLL. We try to delete it and get the same message, access denied. So, the DLL is locked by some other process, or it can be loaded into the address space of the process. Let's try to check it. We use the same command, tasklist.
We specify the particular options for getting the list of the processes which loaded E1.DLL. And here's the list. You can see here, among the other DLLs, E1.DLL. It is already loaded in our tasklist example that we use for getting this information. So, it must be loaded into every process that is starting in our system. So, to find out how this malicious file does this, of course we should check the registry. We open the registry editor and try to find this E1.DLL string. And here it goes. The key is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. This key is used by the operating system when a new instance of a process is created. And the system loads all the DLLs listed in this parameter into the address space of the process being created. Okay, I guess all of you must know how to find this malicious application right now. Well, please, raise your hands, who knows what to do in order to remove this application, in order to remove the library and executable. Please, raise your hands. Okay, very, very few. I showed everything for this. And here, let's see. Well, it's very easy, really. Well, all we have to do is just to prevent this E1.DLL from being loaded into every process. So, to do that, we just need to open the registry editor again and modify the registry settings. Nothing more. So, we just open this key and remove the value. We also need to check where the surf-exer... well, where it changed the registry values in order to start after a system reboot. So, we have to search the registry for this surf-exer value and remove it as well. After that, we can easily reboot our system and check if the malicious application is still present. It's that easy. I guess everyone present here will find this way himself when he meets this malicious application on his system. Well, when we reboot the system, to check if everything is okay, we can just try to run the antivirus installation again. And here it goes.
Everything seems to be okay. So, after that, we can automate the removal of malicious files using the antivirus, or just delete the files ourselves. Well, we have published this information on our site, which is www.viruslist.com. And these instructions were published for users who cannot install the antivirus solution. So, the malware creator read this message as well, and he saw that it is too easy for a user to prevent, to stop his malware on his system. So, he tried to create a kind of resistance to manual removal. Let's see how it works. So, when the user deletes the value from the registry and reboots his system, he tries to run the antivirus solution. And he gets nothing. Seems like the malicious application continues to work on his system. Well, let's check first the list of the processes. With the tasklist command, we can do that easily, and we do not find the surface error process. But E1.DLL might still be working in the address space of each process started in the system. Let's check the registry. Yeah, you got it. The AppInit_DLLs value contains E1.DLL. We try to delete it and check it again. We open the registry editor, and what we see: the value is returned. So, let's try to analyze what happened. And what can we do? The first thing we notice is that the malware restores the registry value when the application terminates, when E1.DLL is maybe unloaded from the exiting process. And there is a set of processes running and closing from time to time on our system. So the routine that restores the value is called several times. But the value is restored only once, if it is not present in that key. So it looks like the malware uses one of the following functions that are used for searching for a substring in the specified string. So what can we do with this information? We can hack the malware's removal resistance mechanism. Please, those of you who know how to hack it based on this information, please raise your hands. Okay, not very, very many. Then let's see how to do that.
It is very easy. It is based on the way the malware checks for the value. It checks for the presence of a substring in this text. And what we have to do is to add some trash to this string. Well, when the malware calls this function for searching for the substring, the function returns true: yes, this E1.DLL is really present in this value. But when the system is trying to load this module, it can't find this module, and nothing is loaded. So we can easily, after that, reboot our system and, well, delete the malicious files. Okay, let's talk about the other example, which is Trojan.Win32.Agent.ach, which was made in Japan. And it was detected in December 2006. Well, after running, it silently removes itself, and its destructive functionality waits till the next Friday. After that, it disables pressing Ctrl+Alt+Delete, disables running any executable file from the shell, disables the system shutdown and reboot functions. And if you try a hard reboot, it disables loading your system in any available mode. So, let's see how it works. Well, the infection of the system is quite obvious. As usual, you receive the file in a mail attachment or just find it in the network. You launch the application, it disappears. Of course, it looks like Trojan activity, so you have to be very attentive, and when you see such kind of things, please check everything. Well, what do the infection symptoms look like? Well, we are trying to launch our favorite applications, maybe. Outlook Express doesn't run, Windows Media Player doesn't run, Remote Assistance doesn't run. When we try to launch Notepad using the Start, Run menu, nothing happens. The same with the registry editor. Well, this is the case when time really matters. Because if you, you know, postpone the curing routines, curing procedures, you will lose your system. So, you have to do something immediately. If you reboot your system, you will lose it. That is the result of a hard reset.
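The AppInit_DLLs "trash suffix" trick above works because the malware's presence check and the loader's parsing disagree. The following Python model is an added illustration, not code from the talk: the restore routine is modelled as a substring search, the loader as Windows' space- or comma-delimited parsing of AppInit_DLLs, where each name must resolve to an existing file. The DLL name and the file set are constructed for the example.

```python
"""Model of why appending trash to AppInit_DLLs defeats the restore routine.

Added illustration, not the speaker's code. The malware's check is modelled
as a strstr-style substring search; the loader is modelled after Windows'
handling of AppInit_DLLs (a space- or comma-delimited list of DLL names,
each loaded only if a file with exactly that name exists).
"""
import re


def malware_sees_dll(appinit_value, dll_name):
    """The malware's check: a case-insensitive substring search.

    Any value that merely *contains* the DLL name satisfies this test.
    """
    return dll_name.lower() in appinit_value.lower()


def loader_would_load(appinit_value, present_files):
    """What the loader would actually load from the value.

    The value is split on spaces and commas into separate names; a name is
    loaded only if a file with exactly that name is present.
    """
    names = [n for n in re.split(r"[ ,]+", appinit_value.strip()) if n]
    available = {f.lower() for f in present_files}
    return [n for n in names if n.lower() in available]


def malware_restore(appinit_value, dll_name):
    """The malware's persistence routine: put the name back if it seems missing."""
    if malware_sees_dll(appinit_value, dll_name):
        return appinit_value
    return (appinit_value + " " + dll_name).strip()


def cleanup_outcome(appinit_value, dll_name, present_files):
    """Run one 'process exit' cycle and report what each side concludes."""
    after_restore = malware_restore(appinit_value, dll_name)
    return {
        "value": after_restore,
        "malware_restored": after_restore != appinit_value,
        "loaded": loader_would_load(after_restore, present_files),
    }


if __name__ == "__main__":
    files = {"e1.dll", "kernel32.dll"}  # constructed sample file set
    # 1. plain deletion: the value comes back at the next process exit
    print(cleanup_outcome("", "e1.dll", files))
    # 2. appended trash: substring check passes, but no such file exists
    print(cleanup_outcome("e1.dll_trash", "e1.dll", files))
```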
You will get this picture on your screen and nothing will boot. No safe mode, no any other way. All you can do is use some, you know, maybe live CDs, if you have got one. But if you have only the Windows system and nothing else, you can't do anything. So, you have to do the curing, to apply the curing procedures immediately. Let's see what we can do. Let's inspect our system. Well, Task Manager is still available, despite the other applications that cannot be run. We can see the alien processes in the process list. Well, My Computer, Explorer, is still available, and we can run Internet Explorer. Well, but one more thing: Find Files is working. So, the first thing we must do is just to find the alien files on our system. And here they are, in the Windows\system32 folder, as usual for Trojans and malicious applications. So, we have found both files. But we must access the registry editor to find out what has happened. This doesn't allow us to run the registry editor in the usual way, so we will use a kind of unusual one. We will use Internet Explorer for launching a new process. Here is a little simple script written in JavaScript for launching a new process from the address bar of Internet Explorer. This is very easy. It creates a WScript.Shell object and calls one of its functions, which is the Exec function. Here we go. We launch the registry editor. Now we must search for the names of the files that we have found. And here they are. The path is HKEY_CLASSES_ROOT\exefile\shell\open\command. If we open the neighboring value, which is runas\command, we see that it is not modified. So, it tells us that we still can launch any process on our system, but in an alternative way: not using open, but using runas, specifying the current user and the application to launch. Then we must find the second executable file. And we find it in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost value, which is used by the operating system when you boot your system.
So, this malware modifies this value, and when you reboot the system, the system uses this value to launch this process. And if the process belongs to a system one, it will continue booting your system. But in this case, the booting of the system will be stopped, prevented. So, that's how this thing works. Well, how to remove it? It's very easy, I guess, when you have got all this information, when you have done the inspecting. Okay, we just need to run the registry editor using the way that I showed before. We run it, and we must just restore all the values that were modified, that we have found. Well, I think that we will not pay so much attention to it, because it's quite obvious. We just need to restore the original values, which are not that complicated, so that you might know them. So, let's go further. Control check is already... It's obvious, though. It really works; we will skip it because of lack of time. Well, Virus.Win32.Suburex.a. This is the place in my presentation where I must wear this cap. Crazy. It is written here. So, here is the most interesting part of my presentation. It starts. Well, it is an executable virus, Suburex. It was detected last year, and the virus infects executable files located on a hard disk partition which is selected at random. So, it infects random files. It injects the value into every process that has a visible window. It makes screenshots of opened windows and sends them to the Internet. So, this is all about this virus. Let's see what we can do in order to cure the executable virus on our own from scratch. The first thing we must do is to get the code of the virus. To do that, we must use NTSD too. Let us assume that we have this infected application. It is code-accumulating there, which is part of Windows. Well, it is infected. We know that. Let us get the code of the virus from this application. We use NTSD, which is part of Windows, to get the assembly code of the application.
The first thing we must do is to view the PE header. We must specify the base address of the application and check the address of the entry point. After that, unassemble a piece of code starting from the entry point. Usually, viruses put their code right there. The same is with the Suburex virus. Here is the assembly listing. Instead of names of API functions, we get only the offsets, the addresses, of these functions. In order to get more or less readable code, we must patch it and put in the names of the API functions. I will show you how to do that. We take the address which is used for the call operation, and we can check what is placed at that address. This is the GetModuleFileNameA API function. After that, we apply a small patch to the place where this function is called. That's all. Print the unassembled listing. You can see here that we now have this GetModuleFileNameA name. It's quite readable. The same for the other calls. After all, we get the code listing. It's not that large, as you see. Only maybe five screens. This is all the code that you need for analysis. After analyzing the code, you can see the clear picture of what this virus does. Sorry for my English. By analyzing the source code, we can reveal the following picture. The virus uses the source file. It cuts the header of the source file, compresses it, and stores it at the end of the file. It replaces the header of the source file with its own header and its own virus section, which contains executable code. Also, it attaches a compressed virus module at the end of the file. In order to cure the infected file, we have to remove all these pieces of code and pieces of data which were added by the virus. But after that, it's the most difficult thing: we have to decompress the chunk of the source file and put it at the beginning. Well, in the case of Suburex, we are quite lucky, because it uses the packing algorithm of CAB files. And the Microsoft operating system includes the tool for decompressing these CAB files that we will use.
But to create the solution of our own small, tiny antivirus for curing these files, we have to build our own PE application, PE file. Well, it will be quite obvious. It will contain only a PE header and one section. Well, in the section there should be placed the import directory table, import lookup table, and import address table. This is obligatory. Also, there must be the import names, which are the names of the API functions that we will use, some piece of user data, and user code, which we will create right now. Okay. Let's see how it looks. Programming in pure machine code in Notepad. First we have to plan our actions. Here is a short plan: zero-fill the work area, create the import list, create the import tables, prepare space for our variables, create the user code, create the PE header, and write to file. That's all. That's easy, right? Well, the second thing we must just put as notes in Notepad is the map of the memory that we use for our solution. In order not to get messed up in all of these memory addresses, we have to mark every space that we use. Something is for the PE header, some for the work area, the space for the import address tables, and so on; some space for user variables and, of course, for the code. Well, let's start. Let the show begin. This is a scenario actually for debug.exe, which is part of the Windows system, I repeat. So this is the coding in hex. We just build the import tables. We set our variables, the initial values, and here goes the user code. This is machine code in hex. Well, it's not that difficult, really, and I coded it myself in Notepad, and all you have to remember is maybe a dozen opcodes, like conditional jumps, the codes of the functions, and pushing parameters and popping them from the stack. And even if you forgot the opcode, you can always use this NTSD tool to assemble or disassemble the code. So you can get the opcodes just by remembering how they sound in assembler. I used not more than 10 different opcodes here in this code.
So what we do is open the file, cut and remove the infected parts, and extract that part that was compressed by the virus. Okay, let's save this file now. But before that we have to remove our comments; they were just useful for the creation of this file. We save it as a text file, and after that the magic scene: converting the text file to an executable. We just call debug, redirecting the input from this text file. And that's all. We get some errors here because of our comments, but it doesn't matter, because the file is created. It is actually a .bin file. You see cure.bin here. Three kilobytes in size. This is the smallest antivirus solution I've ever seen. After that we rename this bin file to .exe and execute it. Oh, not really executed, because it doesn't contain the decompression routine. So we now have to build another file for calling this decompression routine. Well, we have to build one more file, which is a batch file. What we do here is copy our source file that was infected to file.in, call our curing solution to remove the infected parts of the file and to extract the compressed one. If we extract the compressed one, there will be a file, tmp part1.cab. If it is not found in this directory, that means that the original file was not infected. So we have a check here in order not to cure a non-infected file. So if the file is extracted, we just call the expand util that unpacks this CAB file into a temporary bin file, which will be used further. After that, we glue the two parts of the file and get the clean executable. Okay, let's save it and run. Here we go. Here are our files. We just run the batch file and the execution stops. Here it is. We got codec image xz.clean, which differs from the original infected file by 30 kilobytes. So the infected parts took 30 kilobytes. And this application, this new file, is clean and ready to run. Let's check it. Well, it runs okay, but oh, wow, wow, wow. Sorry. It runs okay.
It just requires some additional DLLs while being run, so it just outputs this message box. Well, let's see the evolution of Microsoft operating systems. Well, as for Microsoft systems, well, Microsoft included more and more utilities in newer operating systems, maybe for compatibility reasons. But as for Vista, here we get a different picture, because several very useful utilities for such kind of hacks were removed; such utilities as NTSD and debug.exe were removed from Windows Vista. And now the number of useful utilities in Windows Vista is lower than in Windows XP. And as for Unix, it was always based on tools, and there is a great number of tools that can be used for creating your custom solution. So as for Vista, we have a sad picture here. But what can we do on Vista? Vista includes Microsoft .NET as a part of the operating system. And this technology can be used for our needs. Well, the problem with Microsoft .NET is that the documentation is not included in the operating system, as opposed to, you know, man pages in Unix. So, we have to do something. And what we can do is use the .NET reflection mechanism. It allows us to browse the classes, to browse the libraries and to see the members of the classes. And it is everything we need, for example, for creating any application on .NET. So, we build this text file with the C# compiler, which is part of Windows Vista. And after that, we call our application, specifying the necessary class that we are interested in. So, we can browse the framework. Here it is: System.IO.File. Here are the file functions, the members of the class that is devoted to working with files. And we can see not only the names of the methods, but the parameters and their types, and the return types of the functions. And this is enough for creating any custom application without documentation. Well, let me show you examples of using this .NET for creating some custom solutions from scratch.
Well, it is very interesting to sniff malware communication. The other thing we can do is to analyze what Windows Network Monitor says. It is a part of Task Manager. And it is not enough. We sometimes need to catch DNS requests, catch HTTP requests, and even implement our own IP packet filter, because it is not included in Windows. It is very useful to track, to trace downloaders or vectors that are used for building, for creating zombie networks. Well, let's see what we can find. We can add the Trojan downloader. Let us assume that we have a Trojan downloader application running. It is called malware. It tries to download something, but we do not know what exactly, and what server it uses. Let us assume that we have located the file. And now let's try to see what we can do with network communication. Well, I used the Microsoft Loopback adapter here. If the network is unavailable, you can use this adapter for your network experiments. So what we do is set the DNS server IP address to our localhost IP address. After that we have to build a listener on our local system, which will listen for any connections to port 53, which is the DNS service port. And we will output all the data coming to this port. Here it is. One screen length. This is it. We create an IP endpoint on port 53. We open the socket, listen for new packets in a loop, and output every incoming data. That's it. Easy, right? You can do that, right? Well, let's compile our source. To do that we must specify in the PATH environment variable the correct path to the framework binaries. So we do that with the set command. After that, we run the compiler. Got some errors. It's okay. Run it again. Okay. Here it is: the DNS listener. It listens for any incoming DNS requests and prints them to the console. Here we go. DNS request. It tries to find the WPAD host, which is used for web proxy auto-detection. After that, it tries to connect to the target server, which is www.woodpoundco.com. Here it is.
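The port-53 listener the talk builds in C# only dumps raw bytes; the added Python example below (not the speaker's code) goes one step further and decodes the question section of each DNS query in RFC 1035 wire format, so a downloader pointed at this host as its DNS server reveals the names it resolves. The sample query for the WPAD host is constructed here; like the talk's sniffer, the listener answers nothing.

```python
"""Minimal passive DNS request listener with question-section parsing.

Added example, not the talk's code. Binding UDP port 53 needs administrative
privileges; point the test machine's DNS server setting at bind_ip, as the
talk does with the loopback adapter.
"""
import socket
import struct

QTYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def parse_dns_query(packet):
    """Return (transaction_id, qname, qtype) for the first question.

    Raises ValueError on malformed or truncated input rather than guessing.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount == 0:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in answers, not in a query name.
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype


def build_dns_query(txid, name, qtype=1):
    """Build a standard query packet; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def describe(packet, source):
    """One log line per datagram: who asked, for which name and record type."""
    try:
        txid, name, qtype = parse_dns_query(packet)
    except ValueError as exc:
        return "%s:%d -> unparsable DNS packet (%s)" % (source[0], source[1], exc)
    qtype_name = QTYPE_NAMES.get(qtype, str(qtype))
    return "%s:%d -> %s %s (id %04x)" % (source[0], source[1], qtype_name, name, txid)


def listen(bind_ip="127.0.0.1", port=53):
    """Receive UDP datagrams on the DNS port and print what each one asks for."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, source = sock.recvfrom(512)
            print(describe(data, source))


if __name__ == "__main__":
    # Constructed sample: the WPAD lookup the talk observes first.
    print(describe(build_dns_query(0x1234, "wpad"), ("127.0.0.1", 4000)))
    listen()
```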
We got the address of the server which the malware is trying to connect to. What we need now is to look into the request the malware will send after finding the server. And to do that we must fool the malware again. We open the hosts file and add a new string there. We specify our local IP address and the name of the server which the malware is trying to connect to. So when the malware tries to find the server, our system will give our local IP address. So the DNS request will not be used, because we have a record in our hosts file. So the malware will try to connect to this web server. Now we have to build this web sniffing solution, which will open port 80 on our localhost, and we will print all the requests. We do the same: just compile this application and run it. By the way, before running we must terminate the downloader if it has any delays in it. So we must rerun it. We start our web sniffer, run the malware and wait for a while. First it tries to resolve the WPAD host name, and after that it connects to our server. Here is the request: GET ldr index.php blah blah blah, and one more useful thing: it uses the Microsoft BITS service. It is a part of the operating system, and it uses it for loading files from the Internet. So we get a scenario and the address of the files, the address of the server, which are used for loading the malware. But it is not enough, because just imagine if the malware doesn't use DNS at all; it has, for example, hard-coded IP addresses in the source, and it doesn't try to search for any names. So we must use in this case total IP packet filtering. Well, we will fly for a while. This is how the operating system can be imagined. The columns are the processes. Here are the familiar names: svchost, services.exe and any other. And we get malware.exe running in our system. Well, every process consists of modules, and they can use any communication interfaces in our system.
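For the "total IP packet filtering" case just introduced, where the downloader uses hard-coded addresses and never touches DNS, the added Python example below (not the talk's ip.exe) shows the filtering half of that tool: decode the IPv4 and TCP headers of each captured packet and keep those leaving the local network for a given destination port. The packets, addresses and local network are constructed for the example; capturing the raw packets on Windows (a raw socket with administrative privileges) is left out.

```python
"""IPv4/TCP header parser and outbound filter for captured packets.

Added example, not the talk's code. Feed it raw IPv4 packets (as bytes);
it reports TCP packets addressed outside local_net to the chosen port,
which is the traffic of a downloader with hard-coded server addresses.
"""
import ipaddress
import struct


def parse_ipv4_tcp(packet):
    """Decode IPv4 + TCP headers; return None for non-TCP or malformed data."""
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or proto != 6 or len(packet) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    end = total_len if total_len <= len(packet) else len(packet)
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "syn": bool(flags & 0x02),
        "payload": packet[ihl + data_off:end],
    }


def leaves_lan(info, local_net, dport):
    """True when the packet is addressed outside local_net to the given port."""
    outside = ipaddress.ip_address(info["dst"]) not in ipaddress.ip_network(local_net)
    return outside and info["dport"] == dport


def filter_outbound(packets, local_net, dport=80):
    """Return (src, dst, sport, syn) for TCP packets leaving the LAN to dport."""
    hits = []
    for raw in packets:
        info = parse_ipv4_tcp(raw)
        if info and leaves_lan(info, local_net, dport):
            hits.append((info["src"], info["dst"], info["sport"], info["syn"]))
    return hits


def build_packet(src, dst, sport, dport, syn=True, payload=b""):
    """Construct a sample IPv4/TCP packet (checksums left zero; fine for parsing)."""
    tcp_flags = 0x02 if syn else 0x18  # SYN, or PSH+ACK for a data segment
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | tcp_flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp


# Constructed sample traffic: one local connection, one Internet-bound on 80,
# one Internet-bound on 443 (ignored by the port-80 filter).
SAMPLE = [
    build_packet("192.0.2.10", "192.0.2.1", 1025, 80),
    build_packet("192.0.2.10", "198.51.100.7", 1026, 80),
    build_packet("192.0.2.10", "198.51.100.7", 1027, 443),
]

if __name__ == "__main__":
    for src, dst, sport, syn in filter_outbound(SAMPLE, "192.0.2.0/24"):
        print("%s:%d -> %s:80 (SYN=%s)" % (src, sport, dst, syn))
```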
Well, the process consists of executable files, which are marked in white, and in blue are marked the libraries which are used by the process. This is how the operating system can look from the inside. Well, every process is based on system libraries, which are kernel32.dll, it can be user32.dll and advapi32.dll, which are parts of the operating system, and kernel32, you know, kernel is the kernel of the operating system.

When the malware is trying to connect somewhere, it generates an IP packet which will be sent to the network. So the usual way is: it generates a packet and sends it to the one trying to reach the destination. But what we are interested in is the content of this IP packet. So to get the content we must filter all packets that are going out from our system, and we must implement, we must build our own process that will help with it. I call it IPXA; it is a small application, very simple. This process will help us to do that. It will happen like this: when the malware generates a new IP packet and sends it to the network, our application will build a packet filter and redirect the IP packet. This IP packet will come to our application, and it will absorb it and analyze it.

Let's see how it looks in our usual way in the operating system. Well, let's check this example, Backdoor.Win32.IRCBot. This backdoor is used for creating zombie networks, so it's dangerous enough, so we must trace where it tries to connect to. And we create the source code for our application IPXA. There is a text document, ip.txt, and we also created a web.txt file; it is the same web sniffer, we will use it. So we check the network activity: it is zero level, and after running malware.exe it is above zero, so something is happening on the network. So to trace it we must compile our application. Analyze: not that big, but not that small. Let's compile. We compile the source code; we have to specify the unsafe option because we call API functions directly. Well, after that we run our application and wait for packets, to be very zero, but in order to fool the malware we must specify the gateway, because the packets are sent to the gateway, the packets that are for any host that is out of our LAN. So we just specify the IP address of the gateway the same as our local IP, and here we got a packet; you may notice right now that it is for a host that is out of our LAN, and the port is 80, which is the web server. After that we can use web server emulation and listen to incoming packets: specify the IP address to the one that is needed for the malware and sniff for requests.

Well, we have a lot of time, there are more interesting things, some advanced techniques: dumping the PE header, ways of terminating, alternative ways of terminating processes, and so on. To dump the PE header you need to use the NTSD tool, specify the path to the target file, locate the image base after running this tool and use the dh command to print the header. Here is how it looks.

Well, ways of terminating processes: here, tasklist plus taskkill, that I have already shown; WMI technology, we can use Windows Scripting Host to create our JavaScript to get the list of the processes and to kill them; we can use the wbemtest application, which is part of the operating system, which helps to communicate with the WMI interface directly; we can use NTSD to attach the debugger to the running process and invoke the kill function to terminate the process; we also can build a pskill-like utility of our own in machine code using the same techniques that I already showed, but to get the PID of the process you must use some other tools; we can also build our own pslist-like utility, but we can use existing solutions like qprocess, msinfo32 and Performance Monitor. I will show you the most interesting ones. tasklist plus taskkill is obvious. WMI plus WSH: this is actually JavaScript, small sources that can be used. We create an application in JavaScript that contains only two lines, and it is enough for getting the list of the processes and to kill the specified process. All the sources that are in this demonstration, this presentation, can be found on the CDs that you already got; I hope they are in a folder with my presentation, so you can check everything on your systems.

OK, I will skip it because we don't have much time. Here is one more interesting way, using the wbemtest utility. We just use wbemtest. Here we go; this is an application which is a part of Windows XP, only Windows XP; it's not a part of Windows 2000. We connect to the repository and specify an SQL-like request to find the necessary process. It is: select * from Win32_Process where name like ... We want to terminate notepad, the exact application. Here we go, we got the list with only one item. Then we must copy the path of the object in the repository, and we will use it to copy. After that we must execute a method of this object: we click the button Execute Method, specify the object, just paste what we copied. Here we go, the object, and we call the method Terminate, execute the method, and the notepad disappears. This is it.

Let's see NTSD. I will skip it because it's quite obvious: we just need to attach to the running process and kill it. Well, in machine code we can implement it, and here is the source code; it's very, very small. But to get the PID we must use some external tools, which are actually parts of the operating system. There is a tool qprocess, which outputs the list of the processes with PIDs. The second way is to use msinfo32, the tool which can tell us a lot about our operating system, and we can find the list of running processes in the Running Tasks section. We can find our process, notepad; here is the PID, 2008. And the most interesting and tricky method is to use a performance counter to get the PID. Well, it's very unusual, even for me; that's why I call it crazy sometimes. Well, we run the Performance Monitor, remove any existing counters (come on, do it faster; I got a small PC, sorry), we remove the counters and add a new one. Well, I don't know why, but Microsoft included a lot of different counters and different objects into Performance Monitor, and sometimes they are quite silly.
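The WMI-plus-WSH technique above, as an added example that is not the speaker's own two-line script: it lists the matching processes through WMI and terminates by PID rather than by name, with the WQL filter built from a checked image name. The script name killproc.js and the default target notepad.exe are assumptions; buildQuery() is plain JScript, while findProcesses() and terminatePid() need cscript.exe on Windows.

```javascript
// Added example (not from the talk): WSH JScript that lists processes through
// WMI and terminates one by PID. Assumed usage: cscript //nologo killproc.js notepad.exe

// Build the WQL query the talk types into wbemtest. Names that contain quotes or
// backslashes are rejected so a caller-supplied value cannot rewrite the filter.
function buildQuery(name) {
  if (!/^[^'"\\]+$/.test(name)) {
    throw new Error("unsafe process name: " + name);
  }
  return "SELECT ProcessId, Name, ExecutablePath FROM Win32_Process WHERE Name = '" +
    name + "'";
}

// Enumerate every process with that image name (Windows Script Host only).
function findProcesses(name) {
  var wmi = GetObject("winmgmts:\\\\.\\root\\cimv2");
  var items = new Enumerator(wmi.ExecQuery(buildQuery(name)));
  var found = [];
  for (; !items.atEnd(); items.moveNext()) {
    var p = items.item();
    found.push({ pid: p.ProcessId, name: p.Name, path: p.ExecutablePath });
  }
  return found;
}

// Terminate by PID instead of by name, so a second process that merely shares
// the name is not killed by accident. Win32_Process.Terminate() returns 0 on success.
function terminatePid(pid) {
  var wmi = GetObject("winmgmts:\\\\.\\root\\cimv2");
  return wmi.Get("Win32_Process.Handle='" + pid + "'").Terminate();
}

if (typeof WScript !== "undefined") {   // only under cscript.exe / wscript.exe
  var target = WScript.Arguments.length ? WScript.Arguments(0) : "notepad.exe";
  var procs = findProcesses(target), i;
  for (i = 0; i < procs.length; i++) {
    WScript.Echo(procs[i].pid + "\t" + procs[i].path);
  }
  // Review the list (the path column exposes look-alike names), then terminate
  // the PID you mean, e.g.: terminatePid(procs[0].pid);
}
```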
Like this one: the Process object has a performance counter for process ID, and the process ID never changes during the running of one application. We can find our application here, select the instance of the process, notepad, and we get the constant value 2008. Very interesting.

Well, sometimes applications are packed, and we can dump a process, any process, on a Windows system. To do that we must use the familiar tool NTSD. Well, I guess I don't have enough time to show all this; I will describe it just in words. What we have to do is open the NTSD application, attach to a process, and dump all the data that is actually present now in the process memory. But unfortunately the NTSD application included in Windows XP is quite old, and it doesn't allow us to dump it directly, so we have to use the log feature of NTSD: we have to log all the output of NTSD and save it to a text file, and after that transform our text file into a binary using batch and the debug.exe tool. That's the scenario. Here is one demonstration of compressing, of packing notepad.exe with UPX and dumping it after that. Well, it works; if you want to check it, you can find this video file on the CD. Let's skip it and see what we got.

Well, a very useful technique is extracting string data from a binary. What we need to do is just grab all sequences of bytes from a given file that form a string consisting of three or more ASCII characters. Here is the JScript implementation of this technique, so we can build a simple JScript file like this and apply it to any binary. Here is a demonstration. Here is a Trojan which makes very significant changes to the system registry and system policies: we don't have, for example, the File menu in this Internet Explorer window; here is our Start menu, and we cannot run the command prompt, it is disabled by our administrator. But what we can run is notepad. This is enough; we are kind of notepad hackers. Well, we open notepad, and with the help of the Open File window we can browse the file system. We can try to launch the registry editor; of course it is disabled, but to enable it we can use the reg.exe tool. To do that we must specify some parameters, and to be able to do that we have to create a shortcut to reg.exe and specify these parameters. These parameters tell the system, tell the reg.exe application, to remove the DisableRegistryTools value from the registry. Well, we just run this shortcut, and this value is removed; after that we can run the registry editor. So after that it is easy: you can delete the values from the registry that you already know, that you are familiar with, some system policies. But if you do not know some changes that were applied to your system, you can find it out easily by viewing the strings of the source malware application; that is, you have to use this JScript file that I showed you before. There is a demonstration of it that you can watch on your own on the CD, and we will skip it because we don't have time.

So, the results: the ordinary user can touch 100% of protection, and he is ready to be under attack; you can preserve your confidentiality, and you can restore your system here and now; you know why time matters, because you can lose your data if you postpone the procedures. Well, the questions can be asked in room 109 after my presentation. So may the force be with you. Thank you very much.
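The string extraction technique, the NTSD-log-to-binary step, and the search for policy changes described above, as one added example that is not the speaker's JScript: it rebuilds bytes from an NTSD db log (the batch-plus-debug.exe conversion is replaced by a parser), pulls runs of three or more printable ASCII characters, and flags the policy value names behind "disabled by your administrator". The db line layout, the script name strings.js, the watch-list and the sample log are assumptions; the parsing functions are plain JScript, while the file reading needs cscript.exe.

```javascript
// Added example (not the speaker's script): rebuild bytes from an NTSD "db" log,
// extract ASCII strings of three or more characters, and flag the policy values
// the demonstrated Trojan tampers with. Assumed usage: cscript strings.js dump.log
// Parse the layout NTSD's db command writes (format assumed here); this stands in
// for the batch-plus-debug.exe conversion from the talk. Other lines are skipped.
function parseDbLog(logText) {
  var lines = logText.split(/\r?\n/), bytes = [], i, j, m, hex;
  for (i = 0; i < lines.length; i++) {
    m = /^[0-9a-f]+\s+((?:[0-9a-f]{2}[ -]){0,15}[0-9a-f]{2})/i.exec(lines[i]);
    if (!m) continue;
    hex = m[1].split(/[ -]/);
    for (j = 0; j < hex.length; j++) bytes.push(parseInt(hex[j], 16));
  }
  return bytes;
}

// Grab every run of minLen (default 3) or more printable ASCII bytes, 0x20-0x7e.
function extractStrings(bytes, minLen) {
  var text = "", out = [], i, m, re;
  for (i = 0; i < bytes.length; i++) text += String.fromCharCode(bytes[i]);
  re = new RegExp("[\\x20-\\x7e]{" + (minLen || 3) + ",}", "g");
  while ((m = re.exec(text)) !== null) out.push(m[0]);
  return out;
}

// Standard policy value names (constructed watch-list); the first is the one the
// talk removes: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f
var POLICY_VALUES = ["DisableRegistryTools", "DisableTaskMgr", "DisableCMD"];
function findPolicyIndicators(strings) {
  var hits = [], seen = {}, i, j;
  for (i = 0; i < strings.length; i++)
    for (j = 0; j < POLICY_VALUES.length; j++)
      if (strings[i].indexOf(POLICY_VALUES[j]) !== -1 && !seen[POLICY_VALUES[j]]) {
        seen[POLICY_VALUES[j]] = true; hits.push(POLICY_VALUES[j]);
      }
  return hits;
}

// Constructed sample log: an MZ stub followed by two policy value names.
var SAMPLE_DB_LOG =
  "0:000> db 00401000 L33\n" +
  "00401000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............\n" +
  "00401010  44 69 73 61 62 6c 65 52-65 67 69 73 74 72 79 54  DisableRegistryT\n" +
  "00401020  6f 6f 6c 73 00 61 62 00-44 69 73 61 62 6c 65 43  ools.ab.DisableC\n" +
  "00401030  4d 44 00                                         MD.\n";

if (typeof WScript !== "undefined") {   // Windows Script Host: read the log file
  var log = new ActiveXObject("Scripting.FileSystemObject").OpenTextFile(WScript.Arguments(0), 1).ReadAll();
  var hits = findPolicyIndicators(extractStrings(parseDbLog(log), 3));
  WScript.Echo(hits.length ? "Policy values referenced: " + hits.join(", ") : "none found");
}
```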