Updates! Updates! Updates!

Howdy all!

It’s been a dog’s age. I’ve been busy with work and personal things. I enjoyed a brief 3-month relationship only to return to a life of loneliness. For now anyway.
CactusCon went well. Had a nice turnout for my workshop. Hopefully the attendees learned something, as I tried to make it as interactive as possible.

Now for the good stuff:

I’ve been browsing the source code for Zeus. Since its source code was published, many copycats have spawned. The part I was interested in was its VM detection, specifically for VirtualBox (since that’s what I use).

    // Read HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion into szBuf.
    // If the value cannot be read, the check bails out with true (its "detected" result).
    if (!CheckReg("HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion", szBuf, BUF_SIZE)) return true;
    // VirtualBox's BIOS version string contains "VBOX".
    if (STR::Pos("VBOX", szBuf)) return true;

Seems like it only checks the registry. Good to know, but I wish they had gone into more depth. Check out the full file here or the whole thing on GitHub.

I recently discovered the holy grail of anti-debugging techniques: 150 pages of awesome, and I’m trying to go through it all.

I’ve also figured out how to do the EBFE trick in my C programs:

#define jump2self __asm _emit 0xEB __asm _emit 0xFE

The `_emit` pseudo-instruction lets you insert one byte at a time into the program’s code. It’s a bit more graceful than just jumping to a random place in memory and crashing.
This allows me to insert instructions that the compiler’s assembler may not recognize but that the CPU accepts. ICEBP (0xF1) comes to mind:

#define iceBP __asm _emit 0xF1

This of course works best with the Pelles C compiler. It’s a bit different when using something like MinGW with Code::Blocks, as its inline assembler has to follow the *nix (GNU) conventions. Since there is no ‘_emit’ keyword on Linux, you have to use the `.byte` directive instead:

    asm __volatile__ (".byte 0xEB");
    asm __volatile__ (".byte 0xFE");

    asm __volatile__ (".byte 0xF1");

Aside from that, my work continues on my anti-virus program, with strides being made in the driver. Expecting an alpha release just in time for Black Hat / HOPE (which I am presenting at).

I promise to have a more comprehensive blog post next time. Until next time, hack on!