Posts: 3
Threads: 1
Joined: Apr 2013
04-22-2013, 04:13 AM
(This post was last modified: 04-22-2013, 04:22 PM by smedley.)
https://hashcat.net/cap2hccap/:
"This site is using cap2hccap for converting. It is intended for users who don't want to struggle with compiling the SVN version of cap2hccap."
Here's a debug of the executable:
http://i.imgur.com/xOS0M6C
Edit: Nope.. OP is a newb. Disregard.
Posts: 649
Threads: 18
Joined: Nov 2010
why would you provide a screenshot of disassembly when you could just point the code out?
Posts: 2,936
Threads: 12
Joined: May 2012
what precisely is leading you to conclude it's malware...? especially when the source is available?
Posts: 3
Threads: 1
Joined: Apr 2013
04-22-2013, 04:59 AM
(This post was last modified: 04-22-2013, 04:59 AM by smedley.)
Call me crazy, but are you guys looking at the same screenshot I am? I haven't looked at any source, just looking at the Windows executable. I wouldn't have thought a simple parser needs to manipulate memory and Norton signatures.
Posts: 5,185
Threads: 230
Joined: Apr 2010
What makes you think it is manipulating memory and Norton signatures?
Posts: 2,301
Threads: 11
Joined: Jul 2010
watch out, we got a security pro over here.
Posts: 47
Threads: 6
Joined: Jul 2010
04-22-2013, 12:58 PM
(This post was last modified: 04-22-2013, 12:58 PM by D3ad0ne.)
Norton injects itself into running processes to check them for malware. It doesn't mean that it is malware.
Example:
http://social.msdn.microsoft.com/Forums/...eb95249c5/
Posts: 3
Threads: 1
Joined: Apr 2013
Welp I guess I'm wrong. I'm still new at debugging, but hey.. at least I'm trying, right? :-)
I had run the executable and started getting errors, so I freaked out and tried to take a closer look. I should have approached the question from a position of curiosity rather than accusation. Sorry about that.
Posts: 2,936
Threads: 12
Joined: May 2012
so that you know, all that your debugger was telling you was that umengx86.dll was loaded by the current process, along with a few other shared libraries. there was nothing to indicate that anything was being modified.
umengx86.dll is part of Norton's heuristic scanning engine, so as d3ad0ne stated, your AV should be injecting this DLL into every running process.
and always remember to use the source:
http://sourceforge.net/p/cap2hccap/svn/HEAD/tree/trunk/
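The check the thread is circling around, written out as an added example (this is not code from the thread or from the cap2hccap project): instead of reading a disassembly screenshot, enumerate the modules loaded into the running process and look at who signed each one. An AV engine's DLL such as umengx86.dll will show up loaded into the process with the vendor's Authenticode signature; an unsigned module loaded from a temp directory would be the thing worth a second look. The process name and the output column names are assumptions chosen for the example; it needs a Windows host with PowerShell and a process that is currently running.

```powershell
# Added example, not part of the original thread: list the DLLs loaded into a process
# and report the Authenticode status and signer of each one.
function Get-LoadedModuleSignatures {
    param(
        # Assumption: the name of the process you are inspecting (without ".exe").
        [Parameter(Mandatory = $true)]
        [string]$ProcessName
    )

    # Get-Process throws if nothing by that name is running; let that surface.
    $procs = Get-Process -Name $ProcessName -ErrorAction Stop

    foreach ($p in $procs) {
        # Reading .Modules of a 32-bit process from a 64-bit shell (or vice versa)
        # can fail; report it rather than silently returning nothing.
        try {
            $modules = $p.Modules
        } catch {
            Write-Warning "PID $($p.Id): cannot enumerate modules ($($_.Exception.Message))"
            continue
        }

        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

            # Column names are this example's own choice.
            [pscustomobject]@{
                PID     = $p.Id
                Module  = $m.ModuleName
                Path    = $m.FileName
                Status  = $sig.Status     # Valid, NotSigned, UnknownError, ...
                Signer  = $signer
            }
        }
    }
}

# Usage: show every loaded module that is not validly signed, then the full list.
# 'cap2hccap' is an assumed process name; use whatever you actually launched.
$mods = Get-LoadedModuleSignatures -ProcessName 'cap2hccap'
$mods | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
$mods | Sort-Object Signer | Format-Table PID, Module, Status, Signer -AutoSize
```

Run it from an elevated shell if the target process runs with higher privileges than yours, otherwise module enumeration is denied. A vendor-signed DLL living under Program Files is what you expect from an AV hook; the source tree linked above is still the authoritative answer to "what does this program do".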