Kernel Extracting the Poweliks DLL from the Registry by Sketchymoose

Discussion in 'Reverse engineering' started by storm shadow, Oct 3, 2015.

  storm shadow

    • RegDecoder by Digital Forensics Solutions: Wonderful registry tool for analysis
    • Scrdec by Mr.Brownstone: JScript decoder
    • PDFStreamDumper by David Zimmer for prettifying the code
    • CygWin to add some *nix functionality to Windows, these additional packages were added
      • xxd -> hex editor
      • binutils -> strings
    • MAP by iDefense for the Shell Extensions of strings and submitting to VirusTotal
    • Foremost for carving
    For those who just want to cut to the chase (you know who you are, you TLDR people), here are the steps:

    1. Copy the data from the registry key holding the JScript encoded data (it's somewhere in HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
    2. Decrypt with scrdec
    3. Extract & decode the base64
    4. Extract & decode the 2nd base64
    5. Carve the DLL
    In the next video I will show how to extract the DLL from a memory dump. Hope everyone enjoys!

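The five steps above, as an added Python example (not code from the post or from Sketchymoose's video): starting from a scrdec-decoded script it peels the two base64 layers of steps 3 and 4 and carves the PE of step 5 by following e_lfanew and the section table, so the carve ends at the image's last raw-data byte rather than at the end of the blob. The JScript-style wrapper, the tiny fake DLL and the 64-character base64 threshold are constructed assumptions; on a real case the input is the registry value from step 1 after scrdec.

```python
import base64, re, struct

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # base64 runs of >= 64 chars (heuristic)

def extract_b64_blobs(data: bytes) -> list:
    """Decode each well-formed base64 run in data, longest first (the payload is usually the biggest)."""
    runs = [m.group(0) for m in B64_RUN.finditer(data) if len(m.group(0)) % 4 == 0]
    return [base64.b64decode(r, validate=True) for r in sorted(runs, key=len, reverse=True)]

def carve_pe(blob: bytes):
    """Carve the first 'MZ' header whose e_lfanew points at 'PE\\0\\0'; the image ends at the
    furthest raw-data end recorded in the section table. Returns None if nothing qualifies."""
    pos = blob.find(b"MZ")
    while pos != -1 and pos + 0x40 <= len(blob):
        e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
        pe = pos + e_lfanew
        if pe + 24 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
            nsec = struct.unpack_from("<H", blob, pe + 6)[0]       # NumberOfSections
            opt_size = struct.unpack_from("<H", blob, pe + 20)[0]  # SizeOfOptionalHeader
            sec = pe + 24 + opt_size                               # section table (absolute offset)
            end = e_lfanew + 24 + opt_size + 40 * nsec             # headers only, relative to MZ
            for i in range(nsec if sec + 40 * nsec <= len(blob) else 0):
                raw_size, raw_ptr = struct.unpack_from("<II", blob, sec + 40 * i + 16)
                end = max(end, raw_ptr + raw_size)
            return blob[pos:pos + end]
        pos = blob.find(b"MZ", pos + 1)
    return None

def is_dll(image: bytes) -> bool:  # IMAGE_FILE_DLL (0x2000) in the COFF Characteristics field
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    return bool(struct.unpack_from("<H", image, pe + 22)[0] & 0x2000)

def unwrap_and_carve(script: bytes, max_layers: int = 3):
    """Peel nested base64 layers (two in the post's steps 3 and 4) until a PE carves out."""
    layer = script
    for _ in range(max_layers):
        if (pe := carve_pe(layer)) is not None:
            return pe
        blobs = extract_b64_blobs(layer)
        if not blobs:
            return None
        layer = blobs[0]
    return carve_pe(layer)

# Constructed stand-in for the scrdec output: a tiny fake DLL (one 16-byte section)
# base64-encoded twice and wrapped in JScript-style strings. Not real Poweliks data.
_dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
_coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)              # i386, 1 section, DLL
_sect = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, 0x80) + b"\0" * 16
SAMPLE_IMAGE = _dos + b"PE\0\0" + _coff + _sect + b"A" * 16
SAMPLE_SCRIPT = b'var p = "' + base64.b64encode(b'var q = "' + base64.b64encode(SAMPLE_IMAGE) + b'";') + b'";'
```

On a real value, `unwrap_and_carve(open("decoded.js", "rb").read())` returns the carved image (or None); the trailing junk that `carve_pe` drops is whatever the script appended after the last section's raw data.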