Reversing.DK

About the blog

This blog will contain small notes about my day-to-day findings and various interesting projects.

Manuals on Optimizing

General | Posted by reversing.dk Tue, March 31, 2009 14:25:06
Hello again :) Busy times, but I did manage to dig up some gold browsing the interwebs. While surfing at work I stumbled over these very nice manuals on optimizing code; very nicely written and full of good information. Give them a read!

http://www.agner.org/optimize/

Generating Random seeds with 1 instruction

General | Posted by reversing.dk Mon, February 23, 2009 00:55:20
This is a neat "trick" I recently saw in a protector. I was a bit puzzled, as I had never seen it before, but it's a very nice and effective way of generating random seeds. This is nothing new, but it might be unknown to most people.

The instruction in question is an x86 instruction present on Intel and AMD CPUs: RDTSC. It retrieves the number of CPU ticks since reset, which provides us with a nicely varying source of random seeds that changes constantly, and all in just 1 instruction. Here is an example of how it could be used to generate random numbers:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    int Seed = 0;
    __asm                 /* MSVC inline assembly, 32-bit builds only */
    {
        rdtsc             /* EDX:EAX = time-stamp counter since reset */
        mov Seed, eax     /* keep the fast-changing low 32 bits as the seed */
    }
    srand(Seed);
    printf("%d\n", rand());
    return 0;
}

This is definitely a nice and easy way to increase the randomness of your rand call. The protector in which I saw this "trick" didn't use it with rand, but that is one of the possible ways to use it.
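The same technique in GCC/Clang inline assembly, as an added example that is not code from the post: it reads the full 64-bit counter, seeds rand() from the low 32 bits as the snippet above does, and shows that two back-to-back reads already differ. The function names (read_tsc, seed_from_tsc, tsc_advances) and the clock_gettime fallback for non-x86 hosts are my own additions.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Read the time-stamp counter. On x86 this is the RDTSC instruction from the
   post (EDX:EAX); on other hosts we fall back to a nanosecond monotonic clock
   so the program still runs (assumption: POSIX clock_gettime is available). */
static uint64_t read_tsc(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* Seed the C library PRNG the way the post does: the low 32 bits are the ones
   that change fastest, so those are the ones kept as the seed. */
static unsigned seed_from_tsc(void)
{
    unsigned seed = (unsigned)(read_tsc() & 0xffffffffu);
    srand(seed);
    return seed;
}

/* Shows the "varying" property: the counter has moved on by the time a second
   read executes. Bounded loop so a coarse fallback clock cannot hang it. */
static int tsc_advances(void)
{
    uint64_t first = read_tsc();
    for (int i = 0; i < 100000; i++)
        if (read_tsc() > first)
            return 1;
    return 0;
}

int main(void)
{
    printf("seed=%u rand()=%d\n", seed_from_tsc(), rand());
    printf("counter advanced between reads: %s\n", tsc_advances() ? "yes" : "no");
    return 0;
}
```

The counter is a timing source rather than an entropy source: it is a fine seed for a game or a fuzzer, but anyone who can estimate uptime or sample the TSC on the same machine can narrow it down, so it should not be the only seed for anything security-relevant.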

JL/JGE Intel CPU bug as anti-reversing trick

General | Posted by reversing.dk Tue, February 17, 2009 21:54:12
That crazy Russian kris / nezumi is at it again. This time he blogs about something very interesting: a bug in the Intel CPU related to JL/JGE not checking the zero flag. This results in the possibility of using it as a nice trick, combined with some debug checking.

You can read more about this at the original site:

Nezumi Labs

.net GAC and Malicious Files

General | Posted by reversing.dk Wed, January 14, 2009 00:08:23
Not many people think about this, but the .NET GAC (Global Assembly Cache) is a very dangerous place. With .NET becoming more and more standard on the Microsoft platform, it will become a more and more targeted technology. Proofs of concept have already been made, but not much attention has been given to it, at least to my knowledge.

So I have dug up a paper I read a while back which describes how the GAC can be used for malicious intents, so check it out.

Backdoors Into your Framework

Top 25 Most Dangerous Programming Errors

General | Posted by reversing.dk Tue, January 13, 2009 23:44:40
A group made up of some of the top players in the field of programming has come up with a list of the most dangerous programming errors. The link also has the whys and how they made the list; worth checking out.

Top 25 List

Cool tools

General | Posted by reversing.dk Tue, January 13, 2009 23:35:11
A friend of mine has created some really nice and useful tools, so I'm going to advertise a bit here.

1) Protection Force

An extremely accurate and fast protection scanner; it detects most modern protections, and where possible with the version number as well. More info can be found here:

ProtectionForce

2) DebugTest Force

This is a nice tool for testing how well your debugger is hidden. It implements a host of debug detection methods and is always in development, so give it a look and see how well your debugger is hidden.

DebugTest Force

3)

I also know that he is currently working on a scriptable Debug / PE engine, which will enable you to write unpacking and other scripts to perform advanced tasks on a .exe. It's based on the Squirrel script language, which is C++-like. It will be a very cool project from what I can tell, after having tested the beta release. Sadly it's not public yet, but I will advertise it here when it is.

To check out the Squirrel script language go here:

Squirrel Wiki
Official Site

It's very cool and lightweight, and if you're familiar with C/C++ it is very fast to learn.
And of course fully open-source :)

Unpinning Imported .dll's

General | Posted by reversing.dk Tue, January 13, 2009 20:00:46
Hi.

Ever wanted to unload a .dll from memory which was imported via the Import Table? No? Well, I have, and it turns out that Windows prevents you from doing this, for security obviously, as it would be pretty bad to unload a .dll by accident that you'd later need :). But nonetheless I did some research and found out it's more than possible if you perform a little magic, so here are the steps required to do this.

1) Unpinning dll's

When Windows loads a .dll into your process space, the .dll is added to the PEB, to be more exact to PEB->LoaderData (Peb->Ldr in the code below). Its doubly linked lists contain all the modules loaded into our image space. Let's take a look at what it looks like:

typedef struct _PEB_LDR_DATA
{
    ULONG Length;
    BOOLEAN Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

Now you see it contains multiple things; for this article the only ones we are interested in are the 3 LIST_ENTRYs. These 3 are the heads (Flink/Blink pairs) of doubly linked lists, and each entry in those lists is one of these:

typedef struct _LDR_MODULE {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID BaseAddress;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;

Now, all this is various info about our .dll, but let's go back to when Windows loads a .dll. Every time you call LoadLibraryA("mydll.dll") Windows will add an entry (if it doesn't exist already) and increase the LoadCount by 1. Now what happens when it loads a .dll via our Import Table?

Well, more or less the same, except it sets LoadCount to -1, which means the .dll is pinned, and if this is the case Windows will refuse to unload the .dll from memory.

So how do we change this? Well, take a look at this code:

#include <windows.h>
/* PPEB and the PEB_LDR_DATA / LDR_MODULE structs shown above are declared by hand;
   winternl.h's PEB_LDR_DATA does not expose InLoadOrderModuleList. 32-bit process only. */

bool Mem_Manager::UnPinnAlldlls() {
    OutputDebugStringA("UnPinning All Dll's");
    DWORD PebAddr = 0;
    __asm                              /* FS:[0x18] = TEB, TEB+0x30 = PEB (32-bit) */
    {
        mov eax, DWORD PTR FS:[0x18]
        mov eax, DWORD PTR DS:[eax+0x30]
        mov PebAddr, eax
    }
    PPEB Peb = (PPEB)PebAddr;
    /* The list head lives inside PEB_LDR_DATA and is not an LDR_MODULE, so it is
       skipped when we come round to it; writing LoadCount through it would corrupt memory. */
    LIST_ENTRY *Head = &Peb->Ldr->InLoadOrderModuleList;
    _LDR_MODULE *peb_ldr_module = (_LDR_MODULE*)Head->Flink;
    // Go through each module one by one in their load order.
    DWORD First = 0;
    while ((DWORD)peb_ldr_module != First)
    {
        if (First == 0)
            First = (DWORD)peb_ldr_module;
        if ((LIST_ENTRY*)peb_ldr_module != Head)
            peb_ldr_module->LoadCount = 1;   /* -1 (pinned) -> 1, so FreeLibrary can unload it */
        peb_ldr_module = (_LDR_MODULE*)peb_ldr_module->InLoadOrderModuleList.Flink;
    }

    return true;
}

What happens is:
1. Get the address of the PEB via the __asm{} block
2. Access PEB->Ldr (the PEB_LDR_DATA)
3. Get the first loaded module via Peb->Ldr->InLoadOrderModuleList.Flink
4. Remember the address of the first entry (it's a circular doubly linked list, so we stop once we've been all the way round)
5. Set the LoadCount of the loaded module to 1, so we can unload it with FreeLibrary
6. Get the next loaded module via peb_ldr_module->InLoadOrderModuleList.Flink

So once these steps have been performed, you can unload any .dll with a simple FreeLibrary call on its module handle, e.g. FreeLibrary(GetModuleHandleA("dllName.dll")), and it will be freed from memory.
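To see why the stop condition of the walk matters, here is an added model of the load-order ring (not code from the post) built from stand-in structs that compile on any host: the head LIST_ENTRY sits inside PEB_LDR_DATA and is not an LDR_MODULE, so the walk must stop at the head rather than write through it. It counts pinned entries (LoadCount == -1) and unpins them on a constructed sample list; the helper names (ldr_init, ldr_add, for_each_module) and the sample module names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the Windows types, so the list logic compiles anywhere. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(p, T, f) ((T *)((char *)(p) - offsetof(T, f)))

/* Only the fields this walk touches; the full structs are shown in the post. */
typedef struct { LIST_ENTRY InLoadOrderModuleList; } PEB_LDR_DATA; /* holds the list head */
typedef struct {
    LIST_ENTRY InLoadOrderModuleList;
    const char *BaseDllName;   /* UNICODE_STRING in the real struct */
    short LoadCount;           /* -1 (0xFFFF): pinned by the import table */
} LDR_MODULE;

static void ldr_init(PEB_LDR_DATA *ldr) {
    LIST_ENTRY *h = &ldr->InLoadOrderModuleList;
    h->Flink = h->Blink = h;                      /* empty ring: head points at itself */
}
static void ldr_add(PEB_LDR_DATA *ldr, LDR_MODULE *m, const char *name, short count) {
    LIST_ENTRY *h = &ldr->InLoadOrderModuleList, *e = &m->InLoadOrderModuleList;
    m->BaseDllName = name; m->LoadCount = count;
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;  /* append at tail */
}

/* Walk the ring the way the loader does: start at head->Flink, stop at the head.
   A loop that only stops at the first module would also hand the head to fn(). */
static int for_each_module(PEB_LDR_DATA *ldr, int (*fn)(LDR_MODULE *)) {
    int hits = 0;
    LIST_ENTRY *head = &ldr->InLoadOrderModuleList;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        hits += fn(CONTAINING_RECORD(e, LDR_MODULE, InLoadOrderModuleList));
    return hits;
}
static int count_all(LDR_MODULE *m) { (void)m; return 1; }
static int is_pinned(LDR_MODULE *m) { return m->LoadCount == -1; }
static int unpin(LDR_MODULE *m) { if (!is_pinned(m)) return 0; m->LoadCount = 1; return 1; }

/* Constructed sample: the exe and one static import are pinned, one dll was LoadLibrary'd. */
static PEB_LDR_DATA g_ldr; static LDR_MODULE g_mods[3];
static void build_sample(void) {
    ldr_init(&g_ldr);
    ldr_add(&g_ldr, &g_mods[0], "sample.exe", -1);
    ldr_add(&g_ldr, &g_mods[1], "kernel32.dll", -1);
    ldr_add(&g_ldr, &g_mods[2], "plugin.dll", 1);
}

int main(void) {
    build_sample();
    printf("modules=%d pinned=%d\n", for_each_module(&g_ldr, count_all), for_each_module(&g_ldr, is_pinned));
    int changed = for_each_module(&g_ldr, unpin);
    printf("unpinned=%d still pinned=%d\n", changed, for_each_module(&g_ldr, is_pinned));
    return 0;
}
```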

Hope this was interesting. Please register to leave a comment, or if you have any suggestions.