Friday, 28 September 2012

Working on a dump.....

I am doing some analysis on a random malware sample I received a while ago, and upon unpacking it I found a binary deep inside the computer's memory. Since ghex was the slow alternative, I decided to look at other ways to extract the executable from the memory dump.
As seen below, the memory dump starts at 0x00140000, and the DOS header begins at 164c59.




Since we know the offset of the MZ header, I used pcalc and tail to strip out the garbage and carve out an unpacked file.


Alternatively, one could use grep -abno MZ to match the MZ string, but this can produce a huge list, as it did in my case, since the dump is quite large.
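As an added example (not the post's own commands), here is the same carving done as a small script: it converts the post's addresses into a file offset, filters the `grep -abo MZ` hits down to those whose e_lfanew really points at a "PE\0\0" signature, and cuts the image out with tail. The dump base and header address are the post's numbers; the sample dump is a constructed stub, and GNU tools plus a little-endian host are assumed.

```bash
#!/usr/bin/env bash
# Added example, not the post's own commands. Carves a PE image out of a raw
# memory dump using the post's numbers: dump captured from 0x00140000, DOS
# header at 0x164c59, so file offset = 0x164c59 - 0x140000 = 0x24c59 = 150617.
# Assumes GNU coreutils/grep and a little-endian host (for the od read below).
DUMP_BASE=$((0x140000))

# Convert a virtual address inside the dump to a file offset.
va_to_off() { echo $(( $1 - DUMP_BASE )); }

# Succeed only if the 'MZ' at file offset $2 of $1 is a real DOS/PE header:
# e_lfanew (DWORD at MZ+0x3c) must point at the "PE\0\0" signature.
is_pe() {
  local f=$1 off=$2 lfanew
  [ "$(dd if="$f" bs=1 skip="$off" count=2 2>/dev/null)" = "MZ" ] || return 1
  lfanew=$(dd if="$f" bs=1 skip=$((off + 0x3c)) count=4 2>/dev/null | od -An -tu4 | tr -d ' ')
  [ -n "$lfanew" ] || return 1
  dd if="$f" bs=1 skip=$((off + lfanew)) count=4 2>/dev/null | od -An -tx1 | grep -q '50 45 00 00'
}

# Take the (often huge) list from `grep -abo MZ` and print only the offsets
# that pass the PE signature check, one per line.
pe_candidates() {
  local f=$1 off rest
  grep -abo MZ "$f" | while IFS=: read -r off rest; do
    is_pe "$f" "$off" && echo "$off"
  done
  return 0
}

# Carve from file offset $2 to the end of dump $1 into $3.
# tail -c +N starts at byte N counted from 1, hence the +1.
carve() { tail -c +"$(( $2 + 1 ))" "$1" > "$3"; }

# Constructed sample dump (not real malware): zero filler, a decoy 'MZ' at
# offset 4096 with no PE signature, then a minimal header at the post's offset
# whose e_lfanew (0x40) points at "PE\0\0" followed by a short payload.
make_sample() {
  local f=$1 off
  off=$(va_to_off $((0x164c59)))
  { head -c 4096 /dev/zero; printf 'MZ'; head -c $((off - 4096 - 2)) /dev/zero
    printf 'MZ'; head -c $((0x3c - 2)) /dev/zero; printf '\100\000\000\000'
    printf 'PE\000\000'; printf 'payload'; } > "$f"
}

# Demo run on the constructed dump: two grep hits, one real header.
tmp=$(mktemp); make_sample "$tmp"
echo "grep hits: $(grep -abo MZ "$tmp" | wc -l), real PE headers at: $(pe_candidates "$tmp")"
carve "$tmp" "$(pe_candidates "$tmp")" "$tmp.exe"; rm -f "$tmp" "$tmp.exe"
```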





Monday, 24 September 2012

FakeDNS.rb

This weekend I wrote a simple "FakeDNS" to use in my malware lab environment. There are already a few scripts out there that do the same, but that didn't stop me from building my own, since the worst that could happen is that I would learn something new...
I found a great source (along with RFC 1035) at networksorcery.com which explains the DNS protocol quite well. Using those resources along with Wireshark to see how a response is built made it easy to fake a DNS response...

This is what I ended up with when testing it with dig, and it works pretty well, as seen below.
Yet another tool in my toolbox, yay!