viewing code of .exe file - Page 2

post #11 of 14
Quote:
Originally Posted by NameUnknown

I managed to get it opened via a hex editor plugin for Notepad++. The hex is normal, but the dump still shows a lot of gibberish in it.

Also, there is an associated service with iReport, but it has no description. It does have a description, though, if you go through services.msc. The service is described as being a PC firewall configuration monitoring tool.

Kill the process and see if it comes back.
post #12 of 14
Thread Starter 
Quote:
Originally Posted by Poisoner

Quote:
Originally Posted by NameUnknown

I managed to get it opened via a hex editor plugin for Notepad++. The hex is normal, but the dump still shows a lot of gibberish in it.

Also, there is an associated service with iReport, but it has no description. It does have a description, though, if you go through services.msc. The service is described as being a PC firewall configuration monitoring tool.

Kill the process and see if it comes back.

When it's killed it comes back. That's how I got it from using 46% to <1%.
post #13 of 14
You can debug it in assembly mode or look at the assembly in IDA. It doesn't take great skill unless they use anti-debugging techniques, but it's not just something you can decide to do one day either. You need to understand assembly and how compilers and linkers work.

In any case, if you really want to see what it's doing - use Process Monitor from Sysinternals, and netstat to see connections it might have, and then you can also sniff its traffic with Wireshark. Disassembly is useful when you want to know exactly what a program is doing, but often you just want to know what kind of stuff it's doing: what files and registry it's modifying, what it's doing on the network.

What you should really do if you suspect it of being malicious is submit it to a virus scan service like http://virusscan.jotti.org which submits samples to antivirus vendors, then just remove it from your computer. It's probably just benign ad/spyware you got with some installation of software you installed - some checkmark you forgot to untick.

Use net stop "service name" to stop a service and sc delete "service name" to uninstall it.
post #14 of 14
If you are trying to decompile it to see what it does because you think it is malware, then you should take some previous steps before attempting to disassemble it... especially if you have little to no experience in machine code.

I have a small set of go-to applications when I am quickly trying to decipher what an application is doing/is meant to do.

Firstly, there is BinTxtScan. This application allows you to drag and drop an executable, and it will dump all printable strings for you to search through. This is incredibly useful to find poorly written malware, because most of the time people who write them don't attempt to hide their strings, such as server names or remote kernel calls (for such things as a binary encrypter which is meant to obfuscate malware).

Secondly is ResHack. Most of the time when you are dealing with encrypted malware, the authors almost always attach the encrypted binary to the resources of a stub loader, which reads its own resource files and injects the malware byte code into a new thread in a remote process. This tool allows you to view the resource data of a binary.

Thirdly are some tools I don't use that often, but they have their uses: Process Monitor and fport. They should be self-explanatory.

So far all the listed processes do not actually run the file but merely work with its data. If you cannot come to a complete conclusion using these applications and you need a quick fix, InstallWatchPro is a great application. Install it on a virtual machine and launch it, and then tell it to run the binary in question. It will make before and after snapshots of the registry and file system and tell you any changes that happened after running the application.

I normally don't bother actually decompiling or viewing the assembly of malware unless it is something that interests me, like a poorly written botnet.

Hope some of this information helps.
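The string-dumping step the post above describes, as an added example that is not part of this thread and not BinTxtScan's code: it scans a constructed byte blob for printable runs in both ASCII and UTF-16LE (Windows executables commonly store wide strings, which a plain ASCII scan misses entirely) and tags the strings a first-pass triage would look at first. The sample blob, the `example.invalid` URL and the tag patterns are all constructed for the demonstration.

```python
import re

# Constructed sample blob standing in for a suspicious executable: a DOS-stub
# style header, one ASCII string, one UTF-16LE string (the encoding Windows
# binaries commonly use for wide strings), a registry path and filler bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00"
    + b"\x8b\xe5\x5d\xc3\x00\x00"
    + "http://example.invalid/update".encode("utf-16-le")
    + b"\x00\x00\x90\x90"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x01\x02\x03\x04"
    + "HKLM".encode("utf-16-le")  # shorter than the default min_len, so dropped
)

# Constructed patterns for strings worth a closer look during triage.
INTERESTING = {
    "url": re.compile(r"https?://", re.I),
    "registry": re.compile(r"^(?:HKLM|HKCU|HKEY_|SOFTWARE\\)", re.I),
    "ipv4": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "path": re.compile(r"^[A-Za-z]:\\|^\\\\"),
}


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, scanning for ASCII and UTF-16LE, ordered by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def flag_interesting(strings):
    """Tag each extracted string with the first INTERESTING pattern it matches."""
    hits = []
    for offset, enc, text in strings:
        for tag, pattern in INTERESTING.items():
            if pattern.search(text):
                hits.append((tag, offset, enc, text))
                break
    return hits


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    for offset, enc, text in found:
        print(f"0x{offset:06x} {enc:5s} {text}")
    print("--- worth a closer look ---")
    for tag, offset, enc, text in flag_interesting(found):
        print(f"[{tag}] 0x{offset:06x} {text}")
```

Run it against a real file by replacing `SAMPLE_BLOB` with `open(path, "rb").read()`; the UTF-16LE scan is what surfaces the host names and registry paths a hex dump shows as "gibberish" with a null byte between every letter.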