It’s been a dog’s age. I’ve been busy with work and personal things. I enjoyed a brief 3 month relationship only to return to a life of loneliness. For now anyways.
CactusCon went well. Had a nice turnout for my workshop. Hopefully the attendees learned something, as I tried to make it as interactive as possible.
Now for the good stuff:
I’ve been browsing the source code for Zeus. Since its source code publication, many copycats have spawned. The part I was interested in was its VM detection, specifically VirtualBox (since that’s what I use).
I recently discovered the holy grail of anti-debugging techniques. 150 pages of awesome and I’m trying to go through it all.
I’ve also figured out how to do the EBFE trick in my C programs:
The “emit” pseudo-function lets you insert one byte at a time into the compiled program. It’s a bit more graceful than just jumping to a random place in memory and crashing.
This allows me to insert assembly instructions which may or may not be recognized by the compiler, but are accepted by the CPU. ICEBP comes to mind (0xF1).
This of course works best with the Pelles C compiler. It’s a bit different when using something like MinGW with Code::Blocks, as it has to conform to *nix conventions. Since there is no ‘__emit’ function / keyword on Linux, you have to do the following:
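The snippet the post refers to is not reproduced here. As an added example (not the author's code), the block below shows the GCC/Clang equivalent of `__emit`: the `.byte` directive inside inline assembly places raw opcode bytes into the instruction stream. It assumes an x86 or x86-64 build with GCC or Clang, and uses the benign encoding `FF C0` (`inc eax`) so the result can be checked, rather than `EB FE` (a jump to itself) or `F1` (ICEBP), which would hang or trap the process. It also includes a small scanner for the `EB FE` byte pair, the kind of check an analyst runs over a binary or memory dump to find code that has been patched to spin in place. The sample byte array is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Emit raw opcode bytes into the instruction stream with GCC/Clang inline
   asm. The `.byte` directive plays the role of Pelles C's __emit. The bytes
   FF C0 encode `inc eax`; the "+a" constraint tells the compiler the value
   is in eax on entry and is modified in place. */
uint32_t inc_via_raw_bytes(uint32_t x) {
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    __asm__ volatile (".byte 0xFF, 0xC0" : "+a"(x));
#else
    x += 1;  /* non-x86 fallback keeps the function's contract the same */
#endif
    return x;
}

/* Count occurrences of the two-byte self-jump EB FE (jmp $) in a buffer.
   A run of these in a code region usually means someone patched the binary
   or process to spin in place, e.g. while waiting for a debugger to attach. */
size_t count_ebfe(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == 0xEB && buf[i + 1] == 0xFE)
            n++;
    }
    return n;
}

/* Constructed sample: two NOPs, one EB FE, a RET, another NOP. */
static const uint8_t sample_code[] = { 0x90, 0x90, 0xEB, 0xFE, 0xC3, 0x90 };

size_t sample_ebfe_count(void) {
    return count_ebfe(sample_code, sizeof sample_code);
}

int main(void) {
    printf("inc_via_raw_bytes(41) = %u\n", inc_via_raw_bytes(41));
    printf("EB FE occurrences in sample: %zu\n", sample_ebfe_count());
    return 0;
}
```

Because the compiler never decodes the emitted bytes, the `"+a"` constraint is the only thing telling it which register the instruction touches; if the bytes you emit clobber anything else, say so in the clobber list or the optimizer will happily assume those registers are untouched.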
Aside from that, my work continues on my anti-virus program, with strides being made in the driver. Expecting an alpha release just in time for Black Hat / HOPE (which I am presenting at).