Need Help: convert any exe file to hex to asm??



s1ayer
05-26-2011, 11:25 AM
Hello guys,

I know there are many disassemblers out in the market which can do this... but is there any package in Java or C/C++ which can do it for me?
I mean I want to write it from scratch, so how do I do it??

thanks in advance

"vinnu"
05-27-2011, 11:15 AM
They are free with your development kit.
With Visual Studio it is Dumpbin.exe and with the Java SDK (JDK) it is javaw.exe..."vinnu"

s1ayer
05-27-2011, 02:33 PM
I guess these files are used to make executables... but I want hex from executables... haven't tried them yet... will do and update in between... can dumpbin.exe be used separately??

thanks for the help

"vinnu"
05-30-2011, 09:03 AM
Yep, dumpbin is a very handy tool in binary analysis.

Dumpbin /disasm abs.exe > asm.txt

will disassemble the file along with its hex bytes.

It can also separate the different memory sections of a binary and the PE header too.

dumpbin comes bundled with Visual Studio.
Call it directly from the console, otherwise edit the PATH variable in Environment to set it to the bin folder of your Visual Studio..."VINNU"
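The "from scratch" half of the question (walk the PE header, find the sections, dump their raw bytes as hex, which is the part dumpbin does before it disassembles anything) looks like this as an added example. It is not code from the thread or from dumpbin, and it is written in Python rather than the C/C++ or Java the asker had in mind, because the header walk is the same in any language. The sample image is constructed inline (a DOS stub, a COFF header, a zeroed PE32 optional header and one ".text" section holding a few hand-assembled x86 bytes); it is not a real program. The parser also refuses a section whose raw data points past the end of the file, the kind of malformed header a tool like this meets as soon as it is pointed at hostile input.

```python
import struct
from typing import Dict, List

# Layout constants from the PE/COFF specification.
COFF_HEADER_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def build_sample_pe() -> bytes:
    """Constructed minimal PE image used as sample input (not a real program).

    DOS stub -> 'PE\\0\\0' -> COFF header -> 224-byte optional header ->
    one '.text' section header -> padding -> the section's raw bytes.
    """
    # push ebp; mov ebp,esp; mov eax,1; pop ebp; ret  (x86, hand-assembled)
    text_bytes = bytes.fromhex("5589e5b8010000005dc3")
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # PE32 magic, rest zeroed
    raw_offset = 0x200
    section = struct.pack(SECTION_HEADER_FMT, b".text", len(text_bytes), 0x1000,
                          len(text_bytes), raw_offset, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\x00\x00" + coff + optional + section
    return headers + b"\x00" * (raw_offset - len(headers)) + text_bytes


def parse_sections(image: bytes) -> List[Dict]:
    """Walk the PE headers and return each section with its raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    _machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, image, coff_off)
    table_off = coff_off + struct.calcsize(COFF_HEADER_FMT) + opt_size
    if table_off + n_sections * SECTION_HEADER_SIZE > len(image):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(n_sections):
        (name, _vsize, va, raw_size, raw_ptr,
         _, _, _, _, characteristics) = struct.unpack_from(SECTION_HEADER_FMT, image,
                                                            table_off + i * SECTION_HEADER_SIZE)
        if raw_ptr + raw_size > len(image):
            # Classic malformed-PE trap: never trust PointerToRawData/SizeOfRawData blindly.
            raise ValueError("section raw data runs past end of file")
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_address": va,
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "executable": bool(characteristics & IMAGE_SCN_MEM_EXECUTE),
            "data": image[raw_ptr:raw_ptr + raw_size],
        })
    return sections


def hex_dump(data: bytes, base: int = 0, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hex_part:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


if __name__ == "__main__":
    for sec in parse_sections(build_sample_pe()):
        print(f"{sec['name']} VA=0x{sec['virtual_address']:x} raw@0x{sec['raw_offset']:x} exec={sec['executable']}")
        print(hex_dump(sec["data"], base=sec["raw_offset"]))
```

To run it on a real file, replace build_sample_pe() with the bytes read from disk; the hex lines for the executable sections are the "hex from executables" the thread is after, and an instruction decoder would consume exactly that byte stream.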

webdevil
05-30-2011, 08:51 PM
@s1ayer, you should search on disassembling. Then you will get an understanding.

s1ayer
05-30-2011, 10:12 PM
@vinnu bro and webdevil bro... thanks for the help...
but I have got one more concern... can we get the database of viruses... the latest ones... or is it possible to extract the database of viruses of NOD, Kaspersky, McAfee... from their updates... as they all have different extensions, like poc is used by NOD... etc....

abhaythehero
05-31-2011, 12:22 AM
can we get the database of viruses... the latest ones...

That will be one hard task. Have a look at the open source ClamAV (www.clamav.net). I think they provide a database of virus signatures....

neo
05-31-2011, 11:31 AM
@vinnu bro and webdevil bro... thanks for the help...
but I have got one more concern... can we get the database of viruses... the latest ones... or is it possible to extract the database of viruses of NOD, Kaspersky, McAfee... from their updates... as they all have different extensions, like poc is used by NOD... etc....

Well, this is going off the topic, is it??

If you tell what exactly your final aim is, it would be easy for people to provide you info.

s1ayer
05-31-2011, 08:44 PM
@neo bro: no it's not off topic... what I was thinking... was to first build an antivirus... then evolve it into a firewall as a total protection suite... each step one by one... now for making an antivirus... we need signatures of the virus to be matched with hex values of files... (basic concept) so... the first step... was to find hex values... that, with the help of vinnu bro and Google... I got it... now when I went to the second step... to get the db of virus signatures... again I got stuck... as I was unable to read the different extensions of different antivirus... obviously I can't... but I was wondering whether there is anything called a universal library for viruses...
Second... I also wanted to evolve that project into an intelligent antivirus... as an algorithm has been given to find the hex signature of a virus by which researchers find the signatures...
This was the initial idea... I know it's very long term... but each thing is done step by step... ;)

"vinnu"
06-01-2011, 09:10 AM
Namaste
Ok, I got it. You want to make an antivirus. But you want the signatures of virii/malware from other antivirii. This will be a little harder than making your own such database.

This is because every database of every different vendor is in a different form depending upon the AV engine.

And the AV engines' algorithms are the most secret + sacred thing for each AV vendor.

But you can develop your own AV engine and make your own database too if you can program.

One more thing, none of the mostly used antivirus like Kasp.., Nort.., Mcaf.., AV.., Avas..., Avir..., TrendM..., Quic..., K#..., nod128..., pan..., or you name it can withstand any highly advanced & intelligent cyber espionage attack.
All/most of them are dumb.
So if you are going to develop one, then it may be small but develop a good one.

For further development concerns, we may proceed in this thread..."vinnu"

s1ayer
06-01-2011, 12:40 PM
yes sure bro... actually what I read about virus signatures was that: these are extracted manually... so it's not possible for one or two persons to make all those huge databases again... but yeah... if some algorithm could be presented... which can identify the affected file... then probably we can come up with an automated script which can give us the signature... or

we have to approach this problem in a totally different way... like focusing on only those programs which are unwanted and trying to attach themselves to system files or something else... so if you could share something on this...

@abhay thanks bro... is there a database sufficiently large and continuously updated...??

s1ayer
06-01-2011, 12:43 PM
One paper which I was trying to process is at http://www.research.ibm.com/antivirus/SciPapers/Kephart/VB94/vb94.html

it's pretty old... but gave a good overview of anti-virus working :/

abhaythehero
06-01-2011, 01:18 PM
@abhay thanks bro... is there a database sufficiently large and continuously updated...??
Not sure about that. As they are open source, they will be behind their commercial counterparts. The database contains generic ones and is no match for the huge databases of commercial anti-viruses which update almost every hour.

That is why it is hard to make signature-based AVs as a project. One of my friends actually tried to make a fast engine on CUDA, but he too had the same problem of getting signatures. Large companies deploy large labs and manpower to analyze them and they won't be giving it away for free.
Maybe you should have a look at the heuristic side.
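The "match signatures against the hex values of files" step that s1ayer describes a few posts up, fed from a ClamAV-style database like the one abhaythehero points at, is small enough to show whole. This is an added example, not code from the thread or from ClamAV: it parses the Name:TargetType:Offset:HexSig shape of a ClamAV .ndb body signature (only the "*" / absolute-offset forms of the offset field and the "??" one-byte wildcard are supported here; ClamAV's real grammar has more), compiles each hex pattern into a bytes regex, and scans a buffer. The signature names, byte patterns and the "file" being scanned are all constructed for the example and match no real malware.

```python
import re
from typing import List, Pattern, Tuple

# A signature entry: name, where it may match ("*" = anywhere, or an absolute
# file offset) and the compiled hex pattern, where "??" stands for any one byte.
Signature = Tuple[str, str, Pattern]


def compile_hex_pattern(hex_sig: str) -> Pattern:
    """Turn '4d 5a ?? 00' style hex (with ?? byte wildcards) into a bytes regex."""
    hex_sig = hex_sig.replace(" ", "").lower()
    if len(hex_sig) % 2:
        raise ValueError("hex signature has odd length")
    pieces = []
    for i in range(0, len(hex_sig), 2):
        pair = hex_sig[i:i + 2]
        if pair == "??":
            pieces.append(b".")
        elif re.fullmatch(r"[0-9a-f]{2}", pair):
            pieces.append(re.escape(bytes([int(pair, 16)])))
        else:
            raise ValueError(f"bad hex pair {pair!r}")
    return re.compile(b"".join(pieces), re.DOTALL)


def parse_ndb_line(line: str) -> Signature:
    """Parse a ClamAV-style .ndb body signature: Name:TargetType:Offset:HexSig."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSig")
    name, _target_type, offset, hex_sig = fields[:4]
    if offset != "*" and not offset.isdigit():
        raise ValueError(f"unsupported offset spec {offset!r}")
    return (name, offset, compile_hex_pattern(hex_sig))


def load_signatures(lines) -> List[Signature]:
    """Skip blank and '#' comment lines, compile the rest."""
    return [parse_ndb_line(line) for line in lines if line.strip() and not line.startswith("#")]


def scan_bytes(data: bytes, sigs: List[Signature]) -> List[Tuple[str, int]]:
    """Return (signature name, file offset) for every match, sorted by offset."""
    hits = []
    for name, offset, pattern in sigs:
        if offset == "*":
            hits.extend((name, m.start()) for m in pattern.finditer(data))
        else:
            m = pattern.match(data, int(offset))  # anchored at the absolute offset only
            if m:
                hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed signature database (illustrative names and byte patterns, not real malware).
SAMPLE_DB = [
    "# name:target:offset:hex",
    "Test.Stub.A:0:*:e8????????83c404c3",
    "Test.Marker.B:0:*:de ad be ef",
    "Test.HeaderOnly.C:0:0:4d5a9000",
]

# Constructed "file": an MZ-like prefix, NOPs, a call with a wildcarded target, then a marker.
SAMPLE_FILE = (bytes.fromhex("4d5a9000") + b"\x90" * 8
               + bytes.fromhex("e81020304083c404c3") + b"\x00" * 5
               + bytes.fromhex("deadbeef"))


if __name__ == "__main__":
    for name, off in scan_bytes(SAMPLE_FILE, load_signatures(SAMPLE_DB)):
        print(f"{name} at offset 0x{off:x}")
```

The wildcard is what makes a byte signature survive relocation: the call target in Test.Stub.A changes every time the code is linked at a different address, so the four target bytes are left open and only the surrounding opcodes are matched. The absolute-offset form exists for the opposite case, a marker that is only meaningful at a fixed position such as the file header.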

s1ayer
06-01-2011, 03:16 PM
^^^
probably you are right... from all the discussions with g4h guys and Google... heuristics seem to be the better approach
:)
let vinnu bro come...

"vinnu"
06-02-2011, 02:44 PM
Yep, you are on the track now. Most antivirus lack better heuristics-based detection and this is where strategic exploitation succeeds even without any minimal alerts being fired.

This is where all the huge databases of several hundred MBs fail and become just a heap of garbage if the system gets infiltrated.

So the best option is to make a better heuristics engine.
The heuristics engines still need a database but it is comparably of very small size.

..."vinnu"

s1ayer
06-02-2011, 02:53 PM
Again we came back to DATABASE... ok I got the point... heuristic engines are the better ones... but the problem remains the same: Database... from where can we get this database...?? :/

also a second problem crops up: I don't know about heuristic engines' algorithms... so by which algorithm should we proceed?

thanks

"vinnu"
06-03-2011, 08:53 AM
Don't get scared with the database thing, it needs to be prepared manually, but it is critical for foiling the techniques.

The heuristics engine doesn't search for virii signatures, rather it tries to discover the different exploitation techniques and ways to infect, and interrupts the malicious execution if anything suspicious is found.
The first thing for this is, your engine must execute with higher privileges and must have access to all the processes executing with user privileges.
And basically it also utilizes hooks and, for each and every process, it checks the APIs being called..."vinnu"

s1ayer
06-03-2011, 12:14 PM
ok... I got the point bro... do we have any open algorithm to start with... I know... all the companies have their own algo... which is locked down in some locker of theirs... In order to start... can you provide any algorithm paper? That will be very helpful...
I'm trying but not getting any :(

Anant Shrivastava
06-03-2011, 12:35 PM
not sure, but you can have a look at the ClamAV source code... that might help in starting....

"vinnu"
06-03-2011, 12:55 PM
The engine has different modules and most of them execute in separate threads.
One best technique, and the minimum for each and every heuristics engine, will be to set hooks on every suspicious API chain and check the arguments etc.
First of all make some good list (entries in the database) of malicious API chains and hook them; if they are called in the same manner, then it will be malware and you can stop its execution.
The heuristics engine can hook all those APIs and whenever one is called, it can note it down in its own table, and if the next call for the second entry comes, then increase the index until the threshold is reached; once the threshold is reached, it must stop the execution. The most important thing here is that the threshold must lie before the final API call, so that the malicious wizard might not complete all its steps successfully; for better results the engine must stop it before the malware's success.

..."vinnu"

"vinnu"
06-03-2011, 01:28 PM
You can also check the API strings in the PE header for preliminary scans and just grab the handle to the process and pause its execution until your preliminary scans finish..."vinnu"
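The chain-and-threshold logic vinnu sketches in the two posts above (a small manually prepared table of API chains, a per-process index that advances when the next expected call arrives, and a stop before the final call completes) plus the preliminary scan of import names is shown below as an added example; it is not code from the thread or from any vendor's engine. It is written in Python so the decision logic can be read and run on its own; in a real engine the on_api_call method would sit behind the API hooks, which run before the real function executes, so a "block" at the final step is still a stop before the malware succeeds, and a lower per-chain threshold stops it earlier. The chain table, thresholds and the call trace are constructed for the example: the API names are ordinary Win32 exports, but the entries are illustrative, not a rule set. A production engine would also check arguments (the post's "check the arguments etc."), which this sketch leaves out.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed "database" of suspicious API call chains: the manually prepared
# entries the post talks about. Illustrative, not any vendor's rule set.
CHAIN_DB: Dict[str, Dict] = {
    "remote-thread-injection": {
        "chain": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
        "threshold": 4,  # block when the 4th (final) call is requested, i.e. before it executes
    },
    "self-copy-to-system-dir": {
        "chain": ["GetModuleFileNameA", "GetSystemDirectoryA", "CopyFileA"],
        "threshold": 3,
    },
}


class ChainHeuristicEngine:
    """Tracks per-process progress through each chain; on_api_call is the pre-hook."""

    def __init__(self, db: Dict[str, Dict]):
        for entry in db.values():
            if not 1 <= entry["threshold"] <= len(entry["chain"]):
                raise ValueError("threshold must lie within the chain")
        self.db = db
        # progress[pid][chain_name] = index of the next expected call in that chain
        self.progress: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.blocked: List[Tuple[int, str, str]] = []  # (pid, api, chain) decisions

    def on_api_call(self, pid: int, api: str) -> str:
        """Called before every hooked API runs. Returns 'allow' or 'block:<chain>'."""
        state = self.progress[pid]
        for name, entry in self.db.items():
            chain, threshold = entry["chain"], entry["threshold"]
            idx = state[name]
            if idx < len(chain) and api == chain[idx]:
                idx += 1
                state[name] = idx
                if idx >= threshold:
                    self.blocked.append((pid, api, name))
                    state[name] = 0          # reset so a retry is judged afresh
                    return f"block:{name}"   # the hooked call never reaches the real API
        return "allow"

    def process_exited(self, pid: int) -> None:
        """Drop the per-process table when the process goes away."""
        self.progress.pop(pid, None)


def preliminary_import_check(imports: Iterable[str], db: Dict[str, Dict] = CHAIN_DB) -> List[str]:
    """Static pre-scan: chains whose every API appears among the binary's import names."""
    have = set(imports)
    return [name for name, entry in db.items() if set(entry["chain"]) <= have]


def run_trace(trace: List[Tuple[int, str]], db: Dict[str, Dict] = CHAIN_DB) -> List[Tuple[int, str, str]]:
    """Feed a (pid, api) call trace through a fresh engine and return the decisions."""
    engine = ChainHeuristicEngine(db)
    return [(pid, api, engine.on_api_call(pid, api)) for pid, api in trace]


# Constructed call trace: pid 100 is a debugger-like tool that only reads memory,
# pid 200 performs the full injection chain; interleaved to show per-process state.
SAMPLE_TRACE = [
    (100, "OpenProcess"), (200, "OpenProcess"), (100, "ReadProcessMemory"),
    (200, "VirtualAllocEx"), (100, "CloseHandle"), (200, "WriteProcessMemory"),
    (200, "CreateRemoteThread"),
]


if __name__ == "__main__":
    for pid, api, decision in run_trace(SAMPLE_TRACE):
        print(f"pid {pid}: {api:<20} -> {decision}")
    print("imports suggest:", preliminary_import_check(
        ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess"]))
```

Two design points worth noting: progress is kept per process, so the benign reader (pid 100) never contributes to pid 200's chain, and a call only advances a chain when it is exactly the next expected step, so unrelated calls in between do not reset it. The import check is the cheap static pass vinnu describes; on its own it only says which chains a binary could execute, which is why the dynamic hooks still decide.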

s1ayer
06-03-2011, 03:06 PM
:) will start working on it...