Reverse engineering and decompilation of a 2003 sample used by apt30
m3f157O/fanbot_rev
fanbot_rev

dropper

The program repeatedly checks whether a specified program is running. If it is not, that program is downloaded, its file attributes are set to "hidden", and it is run.

dkom

If the program is running on specific versions of Windows XP and Vista, it uses ZwOpenSection and ZwMapViewOfFile to map the whole kernel image into the process's virtual memory. Then, via hardcoded offsets, the program locates its own EPROCESS structure and unlinks itself from the ActiveProcessLinks list, which holds all the processes visible through the normal Windows APIs.
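The unlinking described above leaves the process running (the scheduler does not use ActiveProcessLinks) while list-walking enumeration no longer sees it. The classic defender response is cross-view detection: compare a list-walk view with an independent view of live processes and flag anything present in only one. The following is an added example, not code from the fanbot_rev repository or the sample it analyses; it simulates the EPROCESS list with plain Python objects so it runs on any OS, and all PIDs, names and the `Eprocess` field layout are constructed stand-ins rather than real kernel data.

```python
"""Cross-view detection of a process hidden by DKOM (simulated).

Added example, not from the fanbot_rev repository. ActiveProcessLinks is a
circular doubly linked list threaded through every EPROCESS; the struct below
keeps only the fields the technique touches. PIDs and names are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Eprocess:
    """Stand-in for EPROCESS: pid, image name and the two list pointers."""
    pid: int
    name: str
    flink: Optional["Eprocess"] = field(default=None, repr=False)
    blink: Optional["Eprocess"] = field(default=None, repr=False)


def build_active_process_list(entries):
    """Build a circular list headed by a PsActiveProcessHead-like sentinel."""
    head = Eprocess(pid=-1, name="<PsActiveProcessHead>")
    head.flink = head.blink = head
    for pid, name in entries:
        node = Eprocess(pid, name)
        tail = head.blink          # append at the tail of the ring
        tail.flink = node
        node.blink = tail
        node.flink = head
        head.blink = node
    return head


def iter_nodes(head):
    """Yield every EPROCESS reachable by walking flink from the head."""
    node = head.flink
    while node is not head:
        yield node
        node = node.flink


def walk_active_process_links(head):
    """View 1: what a list-walking enumeration (task manager style) reports."""
    return [n.pid for n in iter_nodes(head)]


def unlink_from_active_process_links(node):
    """The DKOM step the README describes: splice this EPROCESS out of the ring.
    The node's own flink/blink are left pointing into the list, as the sample
    leaves them, so the process keeps running but is skipped by list walks."""
    node.blink.flink = node.flink
    node.flink.blink = node.blink


def has_inconsistent_links(node):
    """Pointer-consistency check: in an intact ring, flink.blink and
    blink.flink must both point back at the node. An unlinked EPROCESS fails it."""
    return node.flink.blink is not node or node.blink.flink is not node


def find_hidden_processes(head, pid_table):
    """View 2 vs View 1: any PID known to an independent table (standing in
    for the PID handle table, which DKOM does not touch) but missing from the
    list walk is a hidden-process candidate."""
    listed = set(walk_active_process_links(head))
    return sorted(pid for pid in pid_table if pid not in listed)


def demo():
    """Constructed scenario: four processes, one of which hides itself."""
    entries = [(4, "System"), (600, "csrss.exe"),
               (1234, "sample.exe"), (2000, "explorer.exe")]
    head = build_active_process_list(entries)
    # Independent view captured from the intact ring; a real detector would
    # take it from a source the rootkit did not modify.
    pid_table = {n.pid: n for n in iter_nodes(head)}

    unlink_from_active_process_links(pid_table[1234])   # the DKOM hide

    return {
        "visible": walk_active_process_links(head),
        "hidden": find_hidden_processes(head, pid_table),
        "dangling": sorted(p for p, n in pid_table.items()
                           if has_inconsistent_links(n)),
    }


if __name__ == "__main__":
    print(demo())
```

Two independent signals come out of `demo()`: the cross-view difference (PID 1234 is known to the table but absent from the walk) and the pointer-consistency failure on the unlinked node itself. On a live system the second view would come from a source the technique does not modify, such as a PID brute-force through OpenProcess or the kernel's handle table, and a memory-forensics tool would apply the same consistency check to every EPROCESS it can find by scanning rather than by list walking.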
