Map and projects (the most frequently updated page of this blog)

2011/02/01

I wear my crown of thorns, on my liar's chair

a bit of nostalgia (virii)
My first contact with a computer virus was Ping-Pong, which infected our 10 MHz 8086. Fortunately, a magazine gave the solution (for free!): the hex sequence to search for and replace!!!
While it was a working solution, it was not exactly 'user-friendly': Hey Grandma, launch PCTools 4.30, open the hex editor, then... err, never mind!

My second encounter with a virus was Tequila: it kept re-infecting our computer. However, because our 20 MB hard disk was very noisy, I could eventually recognize the sound of the virus infecting the MBR! Instant detection, but once again, not exactly the most user-friendly!

Fortunately, anti-virus software is now a bit better than 'listen to your hard disk' or 'search and replace it yourself'!

But I let go of my own hand, I drift away from myself...

unpacking drivers in user-mode (2)

Following my previous post on the topic, I came up with a few more tricks:
  • since packed drivers typically use ExAllocatePool*, you need a user-mode equivalent to extract the packed driver, so I simply made my fake ntoskrnl forward these calls to VirtualAlloc*.
  • they often use RtlImageNtHeader, so I added a redirection for it in the fake ntoskrnl.
  • some drivers import HAL.DLL and CLASSPNP.SYS, so I made fake ones for them too.
  • some drivers load ntoskrnl.exe manually; in this case I use multimate-assembler (under OllyDbg) with a standard snippet.
  • it's important to recognize when the driver is trying to locate ntoskrnl, so that execution can be corrected. Here are the ways I can recall:
  1. calling SIDT gives you the IDT address, which lies inside ntoskrnl.
  2. calling RDMSR with ECX=176h (IA32_SYSENTER_EIP) gives you the SYSENTER handler address, from which you can then locate the ntoskrnl header.
  3. standard range checking:
mov eax, 0ffdff12ch        ; fixed kernel address whose contents point into ntoskrnl
mov eax, [eax]
find_mz:                   ; 'loop' is an x86 mnemonic and cannot be used as a label
and ax, 0f001h             ; mask to a page boundary...
dec eax                    ; ...and step down, page by page
cmp word ptr [eax], 5a4dh  ; 'MZ': the DOS header of ntoskrnl?
jnz find_mz
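
The range-checking walk from item 3 written out in C, as an added example (not the blog's own code, nor part of its sources), so that an unpacker author can recognize and reproduce it: a constructed four-page fake image stands in for the mapped kernel, the pointer handed to the finder plays the role of the value read from 0ffdff12ch, and, unlike the bare assembly loop, the finder validates the PE signature and stops at a lower bound. Function names, the 4 KB page size and a little-endian host are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 0x1000u
#define DOS_MAGIC 0x5A4Du     /* "MZ" read as a little-endian word */
#define PE_MAGIC  0x00004550u /* "PE\0\0" */
/* Accept a candidate base only if "MZ" is followed by e_lfanew (at 0x3C)
   pointing at "PE\0\0" in the same page; the bare loop above would stop on
   any stray "MZ" word sitting in a data page. */
static int is_pe_header(const uint8_t *base) {
    uint16_t mz; uint32_t e_lfanew, pe;
    memcpy(&mz, base, sizeof mz);
    if (mz != DOS_MAGIC) return 0;
    memcpy(&e_lfanew, base + 0x3C, sizeof e_lfanew);
    if (e_lfanew > PAGE_SIZE - sizeof pe) return 0;
    memcpy(&pe, base + e_lfanew, sizeof pe);
    return pe == PE_MAGIC;
}

/* Page-align 'inside', then walk down one page at a time until a valid header
   is found or the search would pass 'lowest' (a bound the assembly lacks). */
static const uint8_t *find_image_base(const uint8_t *inside, const uint8_t *lowest) {
    uintptr_t p = (uintptr_t)inside & ~(uintptr_t)(PAGE_SIZE - 1);
    while (p >= (uintptr_t)lowest) {
        if (is_pe_header((const uint8_t *)p)) return (const uint8_t *)p;
        if (p < PAGE_SIZE) break; /* do not wrap below address zero */
        p -= PAGE_SIZE;
    }
    return NULL;
}

/* Constructed stand-in for a mapped image: four zeroed pages (page-aligned by
   hand) with a minimal DOS + PE signature at the start and a decoy "MZ" word
   at the start of page 2. */
static uint8_t backing[5 * PAGE_SIZE];
static const uint8_t *setup_fake_image(void) {
    uint8_t *img = (uint8_t *)(((uintptr_t)backing + PAGE_SIZE - 1) & ~(uintptr_t)(PAGE_SIZE - 1));
    const uint32_t e_lfanew = 0x80;
    memset(img, 0, 4 * PAGE_SIZE);
    memcpy(img, "MZ", 2);
    memcpy(img + 0x3C, &e_lfanew, sizeof e_lfanew);
    memcpy(img + e_lfanew, "PE\0\0", 4);
    memcpy(img + 2 * PAGE_SIZE, "MZ", 2);
    return img;
}

/* 1 when a pointer in page 3 leads back past the decoy to the real base. */
int selftest(void) {
    const uint8_t *base = setup_fake_image();
    return find_image_base(base + 3 * PAGE_SIZE + 0x12C, base) == base;
}
```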

As usual, I included the (minimal) sources - happy unpacking!
Sources and binaries