I am a student going for my BS in Network Engineering, and recently at my job I have been getting into Malware Analysis. Last week I managed to obtain a sample of the recent FBI moneypak virus that has been going around. It was in an .exe format so I figured it would be simply to run it through PEview to see whats up and then a debugger like Ollydbg to look under the hood.
Unfortunately the .exe is a 16-bit DOS executable. I think. When I first opened it with PEview, it only displayed the message "This program cannot be run in DOS mode". So I thought that it must be a packed 32-bit app somehow. But then I tried to run it through Ollydbg and after about 20 minutes I realized I was looking at NTVDM.exe and something called kernalba ( I think its actually kernalbase but for some reason ollydbg only showed kernalba), not the actual program.
Then I tried a short dynamic analysis to see what ran, and sure enough NTVDM.exe ran. I didn't see anything else so I wiped the computer and started over.
So now that I know I have a 16-bit DOS exe that I need to debug and I am looking for a debugger program. I heard that the IDA trial won't let me debug 16-bit and I have no clue what command I use to load this file into GRDB or even debug.exe
Do any of you guys know of a place that has GRDB or debug.exe tutorials? Or of a GUI 16-bit debugger?
0 · ·