Binary Analysis
Driver circumventing checksum based tamper-resistance in user-space exes.. Nov 17 2006 05:40AM
Vinay A. Mahadik (vamahadik fastmail fm)
This is based on Shadow Walker(idea and code both)/"inverse-Pax" applied
to user-space executables instead. Idea can be used to reverse ring3
executables that have self-checksums in place for tamper resistance.
Basically, user-space exes can be code-patched arbitrarily - the exe's
self-checksums do not fail; however, the exe executes the patched-code
instead. Pretty handy in reversing armoured malware and "DRM
protections".

Working code and flash demo here:

http://www.vinay-mahadik.info/ReverseEngineering/crcVert/crcVertDemo.htm
l

Tested only on Windows XP SP2, non-PAE, uniprocessor system.. doesN't
work under VMWare etc.

Vinay.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus