hashcat Forum
cap2hccap — it's malware... - Printable Version

+--- Thread: cap2hccap — it's malware... (/thread-2252.html)



cap2hccap — it's malware... - smedley - 04-22-2013

https://hashcat.net/cap2hccap/:

"This site is using cap2hccap for converting. It is intended for users who don't want to struggle with compiling the SVN version of cap2hccap."

Here's a debug of the executable: http://i.imgur.com/xOS0M6C

Edit: Nope.. OP is a newb. Disregard.


RE: cap2hccap — it's malware... - radix - 04-22-2013

why would you provide a screenshot of disassembly when you could just point the code out?


RE: cap2hccap — it's malware... - epixoip - 04-22-2013

what precisely is leading you to conclude it's malware...? especially when the source is available?


RE: cap2hccap — it's malware... - smedley - 04-22-2013

Call me crazy, but are you guys looking at the same screenshot I am? I haven't looked at any source, just looking at the windows executable. I wouldn't have thought a simple parser needs to manipulate memory and Norton signatures.


RE: cap2hccap — it's malware... - atom - 04-22-2013

What makes you think it is manipulating memory and Norton signatures?


RE: cap2hccap — it's malware... - undeath - 04-22-2013

watch out, we got a security pro over here.


RE: cap2hccap — it's malware... - D3ad0ne - 04-22-2013

Norton injects itself into running processes to check them for malware. It doesn't mean that it is malware.

Example: http://social.msdn.microsoft.com/Forums/en-US/vcgeneral/thread/a00ed805-e836-4ecc-a0ae-692eb95249c5/


RE: cap2hccap — it's malware... - smedley - 04-22-2013

Welp I guess I'm wrong. I'm still new at debugging, but hey.. at least I'm trying, right? :-)

I had run the executable and started getting errors, so I freaked out and tried to take a closer look. I should have approached the question from a position of curiosity rather than accusation. Sorry about that.


RE: cap2hccap — it's malware... - epixoip - 04-22-2013

so that you know, all that your debugger was telling you was that umengx86.dll was loaded by the current process, along with a few other shared libraries. there was nothing to indicate that anything was being modified.

umengx86.dll is part of Norton's heuristic scanning engine, so as d3ad0ne stated, your av should be injecting this dll into every running process.

and always remember to use the source: http://sourceforge.net/p/cap2hccap/svn/HEAD/tree/trunk/