SANS Digital Forensics and Incident Response Blog: Tag - reversing

'Free Download Manager' Log Extraction

Recently I worked on a case that required I reverse engineer some file formats used by the 'Free Download Manager' application. This is a popular download management application available from www.freedownloadmanager.org.

The version of the application I analyzed stores its logs under 'userprofile\Application Data\Free Download Manager'. It uses a number of files to handle different logs and track various in-process tasks. Here's a list of the files I found there:

  • dlmgrsi.sav - This is actually a short executable of some description; I am not sure what it is for.
  • downloads.his.sav - Log file with the following format: it starts with the null-terminated header "FDM Downloads History", then 8 bytes of unknown data, followed by a list of records as follows,

...


Reverse Engineering Java

You have just come across a site compromise. You believe that the client was impacted by a malicious Java .class file served from a rogue website that they visited. The class file is compiled, so what can you do?

Luckily, Java class files are simple to reverse engineer. In fact, using just the native JDK, the process could not be much simpler (correctly setting the classpath and ensuring that your JDK is configured properly is critical).

At the simplest, the process would be to use the command:

  • javap -c classfile

The '-c' option tells javap to disassemble the Java bytecode and print the instructions for each method.

The term 'classfile' stands for the compiled class file that you are seeking to decode.

When reversing Java-based malware, the chances are that the code will have been obfuscated, so the steps above are not the whole story. Compression and cryptors are some of the methods deployed. This will add a layer of

...