Размещено 08.10.2012 17:31:03
Этой утилитой кто-нибудь пользуется? что она умеет делать?
Боюсь Santy ты будешь первопроходцем 
Hidden File System Reader , Hidden File System Reader tool for TDSS, Cidox,ZeroAccess, etc.
1
Размещено 08.10.2012 17:50:43
Прошел по ссылке, только на Скачать нажал и восьмерка повесилась
Правильно заданный вопрос - это уже половина ответа
Размещено 08.10.2012 18:02:27
Это наверное, Матросова утилита. вроде как против tdss заточена. скрытые файловые системы ищет.
° ESET Hidden File System Reader °
° 1.0.2.2 beta (Sep 20 2012 13:07:27) °
° Copyright © 1992-2012 ESET, spol. s r.o. All rights reserved. °
° HfsReader.exe [params] [export_path] °
° Params: °
° /help or /? - print help message °
° /no-output - no output to command line °
° /no-export - do not export files from file system(s) °
° /export-txt - export file list from file system(s) to text file °
° /mbr - make mbr dump °
° /vbr - make active drive vbr dump °
° /dump=<o>,<s> - make hard drive dump °
° <o> - offset from beginning or "end" °
° <s> - size °
° Examples: °
° /dump=515,1024 °
° /dump=end,4096 °
° ESET Hidden File System Reader °
° 1.0.2.2 beta (Sep 20 2012 13:07:27) °
° Copyright © 1992-2012 ESET, spol. s r.o. All rights reserved. °
° HfsReader.exe [params] [export_path] °
° Params: °
° /help or /? - print help message °
° /no-output - no output to command line °
° /no-export - do not export files from file system(s) °
° /export-txt - export file list from file system(s) to text file °
° /mbr - make mbr dump °
° /vbr - make active drive vbr dump °
° /dump=<o>,<s> - make hard drive dump °
° <o> - offset from beginning or "end" °
° <s> - size °
° Examples: °
° /dump=515,1024 °
° /dump=end,4096 °
Изменено: santy - 08.10.2012 18:03:09
Размещено 14.10.2012 11:09:59
Hidden File System Reader tool
Implementing hidden storage makes forensic analysis more difficult since:
Malicious files are not stored in the file system (difficult to extract)
Hidden storage cannot be decrypted without malware analysis
Typical forensic tools do not work out of the box
To tackle the problem of retrieving the contents of the hidden storage areas one needs to perform malware analysis and reconstruct algorithms used to handle the data stored inside it. In the course of our research into complex threats we have developed a tool intended to recover the contents of hidden storage used by such complex threats as:
TDL3 and modifications
TDL4 and modifications
Olmasco
Rovnix.A
Rovnix.B
Sirefef (ZeroAccess)
Goblin (XPAJ)
Flame (dump decrypted resource section)
The tool is very useful in incident response and threat analysis and monitoring. It is able to dump the malware’s hidden storage, as well as to dump any desired range of sectors of the hard drive. In the next figure a screenshot of the tool’s output is presented:
Implementing hidden storage makes forensic analysis more difficult since:
Malicious files are not stored in the file system (difficult to extract)
Hidden storage cannot be decrypted without malware analysis
Typical forensic tools do not work out of the box
To tackle the problem of retrieving the contents of the hidden storage areas one needs to perform malware analysis and reconstruct algorithms used to handle the data stored inside it. In the course of our research into complex threats we have developed a tool intended to recover the contents of hidden storage used by such complex threats as:
TDL3 and modifications
TDL4 and modifications
Olmasco
Rovnix.A
Rovnix.B
Sirefef (ZeroAccess)
Goblin (XPAJ)
Flame (dump decrypted resource section)
The tool is very useful in incident response and threat analysis and monitoring. It is able to dump the malware’s hidden storage, as well as to dump any desired range of sectors of the hard drive. In the next figure a screenshot of the tool’s output is presented:
1
Читают тему (гостей: 1)