[Dailydave] VPC

Jared DeMott demottja at msu.edu
Thu Feb 21 10:01:04 EST 2008


Dave Aitel wrote:
> So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat
> Federal, I learned the hard way that VPC moves memory all around and
> your previously great universal addresses don't work. So you'll end up
> trying really hard to find an address that defeats SafeSEH on 2003 SP0
> in 15 minutes or less.
>
> Also I notice there are a lot of companies doing automated Incident
> Response or malware analysis now.
>
> Zynamic's VxClass is obviously one of my favorites.
> HBGary has retooled Inspector into a tool ("Responder") that can read
> and analyze physical memory dumps.
> Mandiant has their new tool out.
> Norman had a softice-looking sandbox-like thing on display.
> There's another one called CWSandbox that has a free web form you can
> send exe's to. 
Actually Norman and CW both have a web interface.  However, I believe CW 
to be a bit better -- based on one case study of newer malware.  I just 
did some research and wrote a paper/created slides for a talk I'm giving 
at a local west Michigan sec group.  I put the slides up on my site if 
anyone would like to take a peek:
http://www.vdalabs.com/tools/malware.html

I'm relatively new to the malware scene, so I'd appreciate constructive 
feedback.
Cheers,
Jared
