Map and projects (the most frequently updated page of this blog)


I wear my crown of thorns, on my liar's chair

a bit of nostalgia (virii)
my first contact with a computer virus was Ping-Pong, which infected our 10 Mhz 8086. Hopefully, a magazine was giving the solution (for free!): they were giving the hex sequence to search and replace !!!
While it was a working solution, it was not exactly 'user-friendly': Hey Grandma, launch PCTools 4.30, open the hex editor, then.... err, nevermind !

My 2nd interaction with a virus was Tequila: it kept re-infecting our computer. However, because our 20 Mb hard disk was very noisy, I could eventually recognize the sound of the virus infecting the MBR ! Instant detection, but once again, not exactly the most user friendly !

Hopefully, Anti-Virus softwares are now a bit better than 'listen to your hard disk' or 'search and replace yourself' !

Mais je me lâche la main, je m’éloigne de moi...

unpacking drivers in user-mode (2)

Following my previous post on the topic, I came up with a few more tricks:
  • since packed drivers typically use ExAllocatePool*, you need a user-mode equivalent to extract the packed driver. So I just made my fake ntoskrnl call VirtualAlloc* for the trick
  • they often use RtlImageNtHeader, so I added a redirection for it in the fake ntoskrnl.
  • some drivers import HAL.DLL and CLASSPNP.SYS, I made fake ones for them too.
  • some drivers load ntoskrnl.exe manually. in this case, i'd use (under OllyDbg) multimate-assembler, with a standard snippet.
  • it's important to recognize when the driver is trying to locate ntoskrnl, to be able to correct execution. Here are the various ways that I can recall:
  1. calling SIDT will give you the IDT, which is present in ntoskrnl.
  2. calling RDMSR with ECX=176 gives you Sysenter address, you can then locate ntoskrnl header.
  3. standard range checking:
mov eax, 0ffdff12ch
mov eax, [eax]
and ax, f001
dec eax
cmp [eax], 5a4d
jnz loop

As usual, I included the (minimal) sources - happy unpacking!
Sources and binaries