Thursday, June 20, 2013

Hacking a Trojan Horse

I get all kinds of Trojan Horses by email, and sometimes I wonder what they do.  This morning I had a few extra minutes, so I decided to start taking a look at one.

First, I installed binutils and configured it with the --enable-targets=all option, because these Trojan Horses are inevitably in PE/COFF format, and I don't do this kind of thing on Windows.

Then I disassembled my most recent Trojan Horse. The executable section boils down to a mere 1781 lines of x86 assembly, made up of a bunch of small routines, so not very large at all. I haven't had a chance to look at it closely yet, but it appears to carry some obfuscated chunk of something (executable) as an embedded resource. I'll have to see if I can sort that out.
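The post stops at the point where the disassembly hints at an obfuscated blob sitting in a resource. Alongside `objdump` (after a `--enable-targets=all` build, `objdump -h file.exe` lists the PE section headers and `objdump -s -j .rsrc file.exe` hex-dumps the resource section), a quick way to confirm such a suspicion is to measure the byte entropy of each section: packed or encrypted data scores near 8 bits per byte, while ordinary x86 code and plain resources score well below that. The following is an added example of that triage step, not code from the post; it parses the PE/COFF section table directly and builds a constructed, non-executable sample image so it runs without any real malware on hand. The `build_sample_pe` helper and the 7.0 threshold are this example's own assumptions.

```python
import struct
from math import log2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


def parse_pe_sections(image: bytes):
    """Return (name, raw_offset, raw_size, raw_bytes) for each PE section header.

    Only the fields needed for triage are decoded: the DOS stub's e_lfanew
    pointer, the COFF file header, then the 40-byte IMAGE_SECTION_HEADER
    entries that follow the optional header.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, rptr, rsize, image[rptr:rptr + rsize]))
    return sections


def triage(image: bytes, threshold: float = 7.0):
    """(name, entropy, suspicious) per section; the threshold is an assumption."""
    out = []
    for name, _off, _size, data in parse_pe_sections(image):
        h = shannon_entropy(data)
        out.append((name, round(h, 2), h >= threshold))
    return out


def carve_section(image: bytes, wanted: str) -> bytes:
    """Raw bytes of one section (e.g. '.rsrc'), ready to save and look at separately."""
    for name, _off, _size, data in parse_pe_sections(image):
        if name == wanted:
            return data
    raise KeyError(wanted)


def build_sample_pe(section_blobs):
    """Assemble a minimal PE32 image (constructed for this example, not runnable
    as a program) from (name, bytes, characteristics) triples, 0x200-aligned."""
    nsec = len(section_blobs)
    opt_size = 224  # size of a PE32 optional header
    e_lfanew = 0x40
    headers_len = (e_lfanew + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    hdrs, body, raw_ptr, vaddr = b"", b"", headers_len, 0x1000
    for name, blob, chars in section_blobs:
        rsize = (len(blob) + 0x1FF) & ~0x1FF
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, "\0").encode(),
                            len(blob), vaddr, rsize, raw_ptr, 0, 0, 0, 0, chars)
        body += blob.ljust(rsize, b"\0")
        raw_ptr += rsize
        vaddr += (rsize + 0xFFF) & ~0xFFF
    head = dos + b"PE\0\0" + coff + opt + hdrs
    return head.ljust(headers_len, b"\0") + body


if __name__ == "__main__":
    # Constructed sample: a low-entropy code section next to a resource whose
    # bytes are uniformly distributed, the signature of a packed or encrypted blob.
    sample = build_sample_pe([
        (".text", b"\x90\xc3" * 256, 0x60000020),
        (".rsrc", bytes(range(256)) * 2, 0x40000040),
    ])
    for name, h, flag in triage(sample):
        print(f"{name:8} entropy={h:.2f} {'SUSPICIOUS' if flag else ''}")
```

On a real sample the `.rsrc` bytes carved this way are the starting point for the next step the post defers: identifying whether the blob is compressed, XOR-encoded, or a second PE, before deciding whether it warrants a closer look.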
