IDA, why are you doing this?
I lost my work because IDA refused to save. I needed to reboot the system to get network connection again. Without network there is no licensing server available.
Surely there must be a better way to not loose work?
As a malware analyst I sometimes receive Microsoft files which have been manipulated.
E.g. infected by a virus and cleaned afterwards.
Here are some indicators to recognize PE file manipulation. 🧵
Tips to stay safe while working with malware samples.
1. Use different OS on the host machine than your analysis VM
--> most malware will not be able to run there
RE Tip. If you want to decrypt obfuscated .NET strings, just call them from Powershell. E.g. this is xWorm config decryption.
File: virustotal.com/gui/file/cb0a5…
Good tip of my colleague:
This is how you can recognize 64 bit code wrongly interpreted as 32 bit code. It has lots of dec eax instructions because 0x48 is also used to signify 64 bit operand size.
(32 bit interpretation is first picture, 64 bit second)