Back to list
Driver circumventing checksum based tamper-resistance in user-space exes..
Nov 17 2006 05:40AM
Vinay A. Mahadik (vamahadik fastmail fm)
This is based on Shadow Walker(idea and code both)/"inverse-Pax" applied
to user-space executables instead. Idea can be used to reverse ring3
executables that have self-checksums in place for tamper resistance.
Basically, user-space exes can be code-patched arbitrarily - the exe's
self-checksums do not fail; however, the exe executes the patched-code
instead. Pretty handy in reversing armoured malware and "DRM
Working code and flash demo here:
Tested only on Windows XP SP2, non-PAE, uniprocessor system.. doesN't
work under VMWare etc.
[ reply ]
Copyright 2010, SecurityFocus