Welcome

This blog is about malware research, reverse engineering and system programming

Pokas Emulator 1.1 (Cross Platform) & PokasDbg

Posted by AmrThabet on 9:02 PM
Hi everyone. Today I want to announce a new release of Pokas x86 Emulator.
This version supports reconstructing the import table and supports working on Linux.


About reconstructing the import table:
-------------------------------------
It traces GetProcAddress and LoadLibraryA, then searches the image base for the addresses they returned,
and after that it creates a new section with a new import table.
At this link:

http://www.sourceforge.com/projects/x86emu/
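The three steps described above (trace the resolved API addresses, search the dumped image for them, build a new section holding an import table) as an added, self-contained Python illustration. This is not Pokas's own code: the traced addresses, the 0x40-byte "dump", the image base and the new section's RVA are all constructed sample values, and the section layout only covers the import descriptors, name strings and INT arrays (it does not patch the PE header or append a section header).

```python
import struct
from collections import defaultdict

IMAGE_BASE = 0x00400000  # assumed image base of the dumped sample

# Constructed stand-in for what tracing LoadLibraryA/GetProcAddress during
# emulation yields: resolved address -> (DLL, API). The addresses are
# made-up values, not real kernel32/user32 export addresses.
TRACED_RESOLUTIONS = {
    0x7C801D7B: ("kernel32.dll", "VirtualAlloc"),
    0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
    0x77D5058C: ("user32.dll", "MessageBoxA"),
}

def build_sample_image():
    """Constructed memory dump: NOP filler with the three resolved addresses
    stored where the unpacker stub rebuilt its IAT, plus one decoy dword."""
    img = bytearray(b"\x90" * 0x40)
    struct.pack_into("<I", img, 0x10, 0x7C801D7B)   # kernel32!VirtualAlloc
    struct.pack_into("<I", img, 0x14, 0x7C80AE40)   # kernel32!GetProcAddress
    struct.pack_into("<I", img, 0x18, 0x77D5058C)   # user32!MessageBoxA
    struct.pack_into("<I", img, 0x30, 0x12345678)   # not a traced address
    return bytes(img)

def find_iat_slots(image, resolutions, align=4):
    """Step 2: scan every aligned dword of the dump for an address that one of
    the traced GetProcAddress calls returned. Returns [(rva, dll, api)]."""
    slots = []
    for off in range(0, len(image) - 3, align):
        value = struct.unpack_from("<I", image, off)[0]
        if value in resolutions:
            dll, api = resolutions[value]
            slots.append((off, dll, api))
    return slots

def group_imports(slots):
    """Group the found slots per DLL, one import descriptor's worth each."""
    by_dll = defaultdict(list)
    for rva, dll, api in slots:
        by_dll[dll].append((rva, api))
    return dict(by_dll)

def build_import_section(slots, section_rva):
    """Step 3: lay out a new section holding IMAGE_IMPORT_DESCRIPTORs, the DLL
    name strings, IMAGE_IMPORT_BY_NAME entries and the import name tables
    (INT). FirstThunk points back at the existing IAT slots in the dump, so
    each contiguous run of same-DLL slots becomes one descriptor."""
    runs = []  # [dll, first_rva, [api, ...]]
    for rva, dll, api in slots:
        if runs and runs[-1][0] == dll and runs[-1][1] + 4 * len(runs[-1][2]) == rva:
            runs[-1][2].append(api)
        else:
            runs.append([dll, rva, [api]])

    desc_size = 20 * (len(runs) + 1)          # descriptors plus null terminator
    strings, dll_off, api_off = bytearray(), {}, {}
    for dll, _, apis in runs:
        if dll not in dll_off:
            dll_off[dll] = len(strings)
            strings += dll.encode() + b"\0"
        for api in apis:
            api_off[(dll, api)] = len(strings)
            strings += b"\0\0" + api.encode() + b"\0"   # Hint = 0, then Name

    str_base = section_rva + desc_size
    int_base = str_base + len(strings)
    descs, ints = bytearray(), bytearray()
    for dll, first_rva, apis in runs:
        int_rva = int_base + len(ints)
        for api in apis:
            ints += struct.pack("<I", str_base + api_off[(dll, api)])
        ints += b"\0\0\0\0"                          # INT terminator
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descs += struct.pack("<IIIII", int_rva, 0, 0, str_base + dll_off[dll], first_rva)
    descs += b"\0" * 20                              # descriptor terminator
    return bytes(descs + strings + ints)

def parse_descriptors(section):
    """Read the descriptors back, stopping at the all-zero terminator."""
    out = []
    for off in range(0, len(section), 20):
        d = struct.unpack_from("<IIIII", section, off)
        if d == (0, 0, 0, 0, 0):
            break
        out.append(d)
    return out

if __name__ == "__main__":
    image = build_sample_image()
    slots = find_iat_slots(image, TRACED_RESOLUTIONS)
    for dll, entries in group_imports(slots).items():
        print(dll, [(hex(IMAGE_BASE + rva), api) for rva, api in entries])
    section = build_import_section(slots, 0x3000)
    print(len(section), "bytes,", len(parse_descriptors(section)), "descriptors")
```

The decoy dword at offset 0x30 is skipped because it never came back from a traced GetProcAddress call; that is what makes trace-driven scanning more reliable than guessing from address ranges alone. The scan is 4-byte aligned, which is what a compiler-emitted IAT looks like; a stub that stores pointers unaligned would need `align=1`.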

I also want to introduce a new application named PokasDbg.
It is a GUI interface for the Pokas emulator, created with wxWidgets.

This is a screenshot:


To download:
http://www.sourceforge.com/projects/pokasdbg/

Win32/Virut.A Malware Analysis Paper

Posted by AmrThabet on 3:00 PM
Hi again

This time I wrote my first malware analysis paper, with the dumped source fully commented. I also added a detection and disinfection utility that is capable of detecting files infected with Virut.A, containing the signature of the virus.

The link to it is here:

Virut.A.rar

CodeProject: "Write your own Unpacker"

Posted by AmrThabet on 1:31 PM
Hi everyone

Some people ask me why I write only about my own work on this blog, and I reply that this blog is named AmrThabet, so it doesn't talk about anything except me :)

Maybe I'll create another blog with another name to post everything related to viruses.
OK

That's the first time I've joined CodeProject. I love this website and its articles very much, and this is the first time I've joined its community.

I wrote a practical tutorial about my emulator (Pokas x86 Emulator), named "Write your own Unpacker", to help it spread widely.

At this link:
http://www.codeproject.com/KB/DLL/ownunpacker.aspx

Have fun.

Google Knol: "The Secrets of Viruses and Antiviruses"

Posted by AmrThabet on 1:13 PM
On 27/5/2009 I decided to join Google Arabic Knol to support Arabic articles, so I wrote "The Secrets of Viruses and Antiviruses".
They said that I should not talk technically and that everyone should be able to understand what I'm saying.

It's the first time I've written an article in a formal shape, and my first article in Arabic, so it caused many problems for me. It's at this link:
http://knol.google.com/k/أسرار-فيروسات-الكومبيوتر-ومضاداتها#

It received a rating of 5/5 and took the highest quality prize.

If you can read Arabic, I hope you enjoy it.

EgitMagazine Talked about me in Cairo Security Camp 2010

Posted by AmrThabet on 4:55 PM
Hi again

Here EgitMagazine talked about Cairo Security Camp 2010 and talked about me in this event.

See the link here:
http://www.egitmagazine.com/2010/07/28/bluekaizens-cairo-security-camp-when-egypts-it-tsecurity-experts-meet-at-one-place/

I become a Speaker in Cairo Security Camp 2010

Posted by AmrThabet on 4:22 PM

I have been chosen to be a speaker at Cairo Security Camp 2010 at Nile University in Cairo.
I talked about my emulator in a presentation named "Pokas x86 Emulator for Generic Unpacking".
I talked all in English, which was so hard, but I did well with no problem.
All the videos will be available at http://bluekaizen.org/index.php?option=com_content&view=article&id=95:cairo-security-camp-poster&catid=49

The presentation is at http://sourceforge.net/projects/x86emu/files/

Have a cool feel ;)

Pokas x86 PE Emulator for Generic Unpacking

Posted by AmrThabet on 7:24 PM
I want to introduce a new application named Pokas Emulator.
Pokas x86 Emulator is an application-only emulator created for generic unpacking and for testing antivirus detection algorithms.

It emulates 32-bit PE executable files and monitors all memory writes, and it includes many features. Some of them are:
1. Has an assembler and a disassembler, from and to mnemonics.
2. Supports adding new APIs and attaching an emulation function to each of them.
3. Supports a very powerful debugger with a parser that parses the condition you give and creates very fast native code that performs the check on that condition.
4. Supports SEH, and supports the TIB, TEB, PEB and PEB_LDR_DATA structures.
5. Monitors all memory writes, logs up to 10 previous EIPs, and saves the last accessed and the last modified place in memory.
6. Supports 6 APIs: GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these, it's FREE and open source.
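Feature 5 (monitoring every memory write, keeping the last accessed and last modified addresses, and logging the last 10 EIPs) as an added Python illustration. This is not Pokas's own code, and it goes one step beyond the list: it also shows the standard use of such a write log in generic unpacking, flagging the first time execution lands on a byte that was written earlier in the run. The trace it replays is a constructed stand-in for an unpacker stub; the addresses are made up.

```python
from collections import deque

class WriteMonitor:
    """Records memory writes, the last accessed/modified addresses and a ring
    buffer of the last N EIPs, as an emulator's memory hooks would feed it."""

    def __init__(self, eip_history=10):
        self.written = set()          # every byte address modified so far
        self.last_accessed = None
        self.last_modified = None
        self.eips = deque(maxlen=eip_history)   # oldest entries fall off

    def on_read(self, addr, size=1):
        self.last_accessed = addr

    def on_write(self, addr, size=1):
        self.last_accessed = addr
        self.last_modified = addr
        self.written.update(range(addr, addr + size))

    def on_execute(self, eip):
        """Log the EIP and report whether it points into memory written
        earlier in this run (the written-then-executed signal that a generic
        unpacker uses as its first guess at the original entry point)."""
        self.eips.append(eip)
        return eip in self.written

def replay(trace, history=10):
    """Feed ("exec"|"read"|"write", addr[, size]) events to a monitor.
    Returns (first_written_then_executed_eip_or_None, last_eips,
             last_accessed, last_modified)."""
    mon = WriteMonitor(history)
    oep = None
    for ev in trace:
        kind, addr = ev[0], ev[1]
        size = ev[2] if len(ev) > 2 else 1
        if kind == "write":
            mon.on_write(addr, size)
        elif kind == "read":
            mon.on_read(addr, size)
        elif kind == "exec":
            if mon.on_execute(addr) and oep is None:
                oep = addr
        else:
            raise ValueError("unknown event %r" % (kind,))
    return oep, list(mon.eips), mon.last_accessed, mon.last_modified

def constructed_trace():
    """Constructed stand-in for an unpacker stub: twelve 5-byte instructions
    at 0x401000 each read one byte of a packed blob at 0x405000 and write it
    to 0x402000, then control transfers to the freshly written code."""
    trace = []
    for i in range(12):
        trace.append(("exec", 0x401000 + 5 * i))
        trace.append(("read", 0x405000 + i))
        trace.append(("write", 0x402000 + i))
    trace.append(("exec", 0x402000))
    return trace

if __name__ == "__main__":
    oep, eips, accessed, modified = replay(constructed_trace())
    print("first exec from written memory:", hex(oep) if oep else None)
    print("last 10 EIPs:", [hex(e) for e in eips])
    print("last accessed:", hex(accessed), "last modified:", hex(modified))
```

The EIP history is what makes the signal actionable: when the flag fires, the ring buffer shows the instructions that led into the unpacked code, which is the context an analyst wants before dumping. The heuristic on its own is noisy, since a stub that patches its own instructions will trip it before unpacking has finished, so in practice it is combined with further conditions rather than used alone.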

It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

But it does contain bugs and it is still in beta. They will surely be fixed soon with the help of your feedback.

It still doesn't support multithreading, and it doesn't support Linux ELF executables.
It still works only on Windows, but the Linux version will be available soon.

You can download it from https://sourceforge.net/projects/x86emu/