Malware Domain List

Malware Related => Malware Analysis => Topic started by: kristofer_nolen on May 25, 2010, 05:38:13 pm

Title: How to reach escript.api in Malicious pdf file
Post by: kristofer_nolen on May 25, 2010, 05:38:13 pm
Hello,

I am very keen to know how to reach escript.api, which is responsible for executing malicious JavaScript embedded in malicious PDF files.

I came to know this through a blog which is http://traversecode.com/2010/03/08/from-pdfexploit-to-zeustrojan-subject-steals-bank-credentials/

It's a good one; however, the author did not explain how to reach escript.api through OllyDbg, as his explanation is very simple on this.

Any help on this would be much appreciated.

Thanks in advance
Kris

Title: Re: How to reach escript.api in Malicious pdf file
Post by: ratsoul on May 25, 2010, 06:15:29 pm
Hi Kris,

escript.api is located here: <Adobe Dir>\Reader\plug_ins\ .

Regards,
 - ratsoul

Title: Re: How to reach escript.api in Malicious pdf file
Post by: shivtheone on June 10, 2010, 05:40:09 pm
Hey Kris,

I am the author of this blog (www.traversecode.com). To reach escript.api, load adobe.exe in Olly Debugger and then open the malicious PDF file using Adobe, which is loaded inside Olly. Now click 'E' in Olly, which shows you the currently loaded modules. Here you can find escript.api. Double-click on that and place a breakpoint on the calls for further analysis.

Regards,
Shiv

Title: Re: How to reach escript.api in Malicious pdf file
Post by: kristofer_nolen on June 18, 2010, 02:16:34 am
Thanks Shiva!!!!! :)