2010/02/28

And when I start to come undone, stitch me together

Exception triggers
Structured Exception Handling is a complex mechanism that makes many anti-debugging / anti-emulation tricks possible. After setting a handler (check Subtle SEH for exotic ways, never seen in the wild), you trigger the exception. Typically, packers rely blindly on the trigger itself, such as the actual exception code: in short, trigger the wrong exception, and execution will fail (tampering is detected).
The most common ones are:
    int3          BREAKPOINT        080000003h
    mov [0], ...  ACCESS_VIOLATION  0c0000005h
But what about the rest?

I put together the common exception triggers. There is no point listing all of them and every possible trigger, just the common ones found in packers or malware, or the ones with a non-obvious behavior.

Access violation

This is probably the most common one, as it can happen 'naturally': access a wrong address, and it will trigger. Note that it would also happen when trying to write to a read-only address.
Also, most interrupts, including CD01 Int 1 and CD20 Int 20h, will trigger this exception. This is different from F1 IceBP, which is sometimes written Int1 and triggers a Single Step exception. Int 20h used to be for VxD calls under Windows 9x, so it is not relevant today anymore.
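As an added test harness (not from the original post), assuming 32-bit Windows, NASM syntax (`nasm -f win32`) and a link against kernel32 with SafeSEH disabled (`/safeseh:no`, since the handler is not listed in a SafeSEH table): it installs a frame-based handler, fires the four triggers discussed above and records the ExceptionCode each one delivers, and exits with the number of triggers whose code differs from the expected table. Run it outside a debugger for the baseline values; under one, the debugger takes the int3 first, which is exactly the difference described above.

```nasm
global  _start
extern  _ExitProcess@4
section .data
expected: dd 0x80000003       ; int3          -> EXCEPTION_BREAKPOINT
          dd 0xC0000005       ; mov [0], eax  -> EXCEPTION_ACCESS_VIOLATION
          dd 0xC0000005       ; int 1 (CD 01) -> ACCESS_VIOLATION too (#GP)
          dd 0x80000004       ; icebp (F1)    -> EXCEPTION_SINGLE_STEP
codes:    times 4 dd 0        ; codes the handler actually received
slot:     dd 0                ; index of the trigger being fired
resume:   dd 0                ; where the handler resumes execution
section .text
_start:
    push handler              ; EXCEPTION_REGISTRATION.Handler
    push dword [fs:0]         ; EXCEPTION_REGISTRATION.Next
    mov  [fs:0], esp          ; install the frame for this thread
    mov  dword [slot], 0
    mov  dword [resume], t1
    int3                      ; CC
t1: mov  dword [slot], 1
    mov  dword [resume], t2
    mov  [0], eax             ; write to an unmapped address
t2: mov  dword [slot], 2
    mov  dword [resume], t3
    int  1                    ; CD 01: software interrupt, not IceBP
t3: mov  dword [slot], 3
    mov  dword [resume], t4
    db   0F1h                 ; F1 IceBP
t4: pop  dword [fs:0]         ; unlink the handler
    add  esp, 4
    xor  edx, edx             ; edx = number of mismatches (exit code)
    xor  ecx, ecx
.cmp: mov  eax, [codes + ecx*4]
    cmp  eax, [expected + ecx*4]
    je   .same
    inc  edx
.same: inc  ecx
    cmp  ecx, 4
    jb   .cmp
    push edx
    call _ExitProcess@4
; handler(EXCEPTION_RECORD *rec, void *frame, CONTEXT *ctx, void *disp)
handler: mov  eax, [esp+4]    ; rec
    mov  eax, [eax]           ; EXCEPTION_RECORD.ExceptionCode
    mov  ecx, [slot]
    mov  [codes + ecx*4], eax
    mov  ecx, [esp+12]        ; ctx
    mov  edx, [resume]
    mov  [ecx + 0xB8], edx    ; CONTEXT.Eip, x86 offset 0B8h
    xor  eax, eax             ; ExceptionContinueExecution
    ret
```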

2010/02/26

I have legalised robbery - called it belief

Real life security (fails?)
How secure is your network if your front door is wide open?

Lock

Like software protection (and, say, virtualization), a different design in locks can bring added protection and extra features. If you are interested in your own front door security, I advise reading the fascinating Geminy lock and Abloy articles here. It's impressive to see that a Geminy withstood more than 30 minutes of continuous attacks, and that an Abloy can have 2 different keys (one to open and one to close).
Also, even more fascinating (analysed in the 'Abloy special products' PDF), the Rosengrens RKL-10 is resettable: lost your keys? Order a new set and reset the lock! But this unique feature doesn't necessarily make it weaker.

Hotel room

Following the video about the Dubai assassination,

2010/02/25

How many failures before we understand? And burnt cars, just to vote...

Libdasm downloads
I don't have much time lately for Libdasm, but that's no reason to ignore it completely.
I think it was a bad idea to remove the downloads (and binaries?); let me know what you think!
On one hand, it's handy to just have the source in one click, but on the other hand, I don't think it's that relevant to bundle binaries,
because they depend on your compiler or OS, and if you code, you're likely to have the compiler anyway (and it compiles quickly and easily).

Let me know what you think, by commenting or replying in the group.

In the meantime I added the original archive, and the current source as downloads.

2010/02/23

None can outrun or equal ... the power ... of Megablast

A graphical representation of the packers landscape
I created a graphical representation of the packers' landscape. It's certainly far from complete (could it ever be, honestly?), but it might be useful to you.

Comments are welcome!

PDF svg

2010/02/17

Just remember, it's not so long since you were young

English only?
I removed the previous poll since it looks like it was not worth it - my Twitter will stay suspended ;)

However, now I'm asking you if you're ok with this blog being bilingual, English first then French.
It might annoy English readers, or frustrate French readers. Or maybe French readers only read the English part.
The 3 possible conclusions of that poll would be:
- keep as is
- split French into another blog
- remove French

The poll is on your right.

2010/02/13

A single leaf is all I need

Drivers in user-mode

Ever wanted to trace a driver directly from OllyDbg, without the usual
Unable to start file 'driver.sys'

Why

I already introduced the basics of a driver, at PE level.
It might be interesting to run a driver in user-mode, for example to unpack it:
On one hand, if a driver is packed, you just won't be able to quickly run and dump it the usual way, so you'd have to use a kernel debugger.
On the other hand, packed drivers typically unpack themselves with no or few API calls and no or few privileged instructions, which makes you think:
'this is standard user-mode code that just runs inside a driver to unpack itself; if only I could run it the usual way'.


Loading the driver

But there are 2 things that prevent Driver.sys from loading under a user-mode debugger:

2010/02/09

Daily militant of inhumanity

TLS and Imports

When is an apparently incorrect TLS entry actually executing a file?

I already introduced TLS:
before execution of the entrypoint, each callback is taken as is - since it's a VA - and executed, until a null entry or an exception occurs.

Linked to Imports

But if you make the callbacks point to one of the imports:
AddressOfCallBacks dd __imp__WinExec

2010/02/08

If you want to strike me down in anger

Messing with loops
Do you understand these snippets?

    setz ah
    aad 11
    add eax, 04000f3
    jmp eax

    setnz cl
    xor eax, eax
    mov fs:[eax], esp
    ror cl, 01
    into


The problem

When reversing a program, fast forwarding by skipping loops is important - no one wants to step through each iteration. Also, detecting loop behavior is important in emulators, especially when extra loops are inserted to make them time out.


Let's take a simple example:

2010/02/06

You're so fine, lose my mind, and the world seems to...

I moved non-technical blog entries here to keep this blog coherent.

2010/02/03

And then the ones we shouldn't...

Undocumented opcodes and behaviors

Ever seen this before?
00400181 0F1F ??? ; Unknown command

As my opcode file is now close to completion, I made a working test executable with undocumented or uncommon opcodes that you can use to test your own emulator or disassembler.

Note that if you use an older tool, these opcodes might not be disassembled at all. If you're using OllyDbg 1.1, get a copy of BeatriX' FullDisasm to add support for the latest opcodes.
Let's start: