2006-06-02
Microsoft defends Vista by mixing up memory
2006-06-05  assurbanipal (2 replies)
Re: Microsoft defends Vista by mixing up memory
2006-06-06  Jeff H (1 reply)
Microsoft defends Vista by mixing up memory
2006-06-05  Anonymous (2 replies)

Before malware coders worked out how to use the now age-old SEH techniques for finding the kernel base address they used the technique of searching for it in memory at 64k page displacement. For example:
mov ebx, 0x78000000     ; start just above the range where system DLLs used to live
.loop:
dec ebx                 ; step into the page below ...
xor bx, bx              ; ... and round down to its 64k boundary
cmp word [ebx], 0x5A4D  ; "MZ" as a little-endian word (the operand size must be explicit)
jnz .loop
...
From there we just traverse the PE headers with error checking and make sure the PE we find exports a kernel32 API. If it doesn't we just continue searching.
It's just set them back to using that technique again. A small price to pay for being able to infect Vista as well, wouldn't you say?
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/222/1433#1433
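The technique the comment above describes, written out as an added example (this is not the commenter's code, and it is not a Windows binary): the 64 KB top-down scan for an "MZ" image, followed by the error-checked walk of the PE headers and export table. Because the verifier does not run on Windows, the program scans a constructed 1 MB fake address space rather than a live process; the region layout, the fake kernel32 image, its export names and the decoy "MZ" are all invented for the demo, while the header offsets used (e_lfanew at 0x3C, the "PE\0\0" signature, the PE32 magic, DataDirectory[0] at e_lfanew+0x78, NumberOfNames and AddressOfNames in the export directory) are the documented PE32 layout. One caveat the simulation hides: in a real process the scan touches every 64 KB page between the start address and the module, and an unmapped page there raises an access violation, which is exactly why the SEH-based variants the comment mentions took over.

```c
/* Added example: 64 KB top-down MZ scan + error-checked PE export walk,
 * run against a constructed in-memory region instead of a live process.
 * Layout of the region and of the fake image are invented for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A fake slice of a process address space: bytes 'mem' mapped at 'base'. */
typedef struct { uint32_t base; uint8_t *mem; size_t len; } region_t;

/* Bounds-checked little-endian readers: return 0 instead of faulting. */
static int rd32(const uint8_t *p, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
    return 1;
}
static int rd16(const uint8_t *p, size_t len, size_t off, uint16_t *out) {
    if (off > len || len - off < 2) return 0;
    *out = (uint16_t)(p[off] | p[off + 1] << 8);
    return 1;
}
static void wr32(uint8_t *p, size_t off, uint32_t v) {
    p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8);
    p[off + 2] = (uint8_t)(v >> 16); p[off + 3] = (uint8_t)(v >> 24);
}

/* Does the PE32 image at 'img' (at most 'len' readable bytes) export 'api'?
 * Every step the shellcode would take blindly is bounds- and sanity-checked. */
int pe_exports(const uint8_t *img, size_t len, const char *api) {
    uint32_t e_lfanew, sig, exp_rva, exp_size, nnames, names_rva, name_rva;
    uint16_t magic;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    if (!rd32(img, len, 0x3C, &e_lfanew) || e_lfanew > 0x1000) return 0;
    if (!rd32(img, len, e_lfanew, &sig) || sig != 0x00004550) return 0;        /* "PE\0\0" */
    if (!rd16(img, len, e_lfanew + 0x18, &magic) || magic != 0x10B) return 0;  /* PE32 */
    if (!rd32(img, len, e_lfanew + 0x78, &exp_rva)) return 0;   /* DataDirectory[0].VirtualAddress */
    if (!rd32(img, len, e_lfanew + 0x7C, &exp_size)) return 0;  /* DataDirectory[0].Size */
    if (exp_rva == 0 || exp_size < 0x28) return 0;              /* no usable export table */
    if (!rd32(img, len, exp_rva + 0x18, &nnames)) return 0;     /* NumberOfNames */
    if (!rd32(img, len, exp_rva + 0x20, &names_rva)) return 0;  /* AddressOfNames */
    if (nnames > 0x10000) return 0;                              /* implausible, treat as garbage */
    for (uint32_t i = 0; i < nnames; i++) {
        if (!rd32(img, len, names_rva + 4u * i, &name_rva)) return 0;
        if (name_rva >= len) return 0;
        size_t room = len - name_rva, alen = strlen(api);
        if (alen < room && memcmp(img + name_rva, api, alen + 1) == 0) return 1;
    }
    return 0;
}

/* The comment's loop in C: start just below 'start', step down one 64 KB page at
 * a time, accept the first MZ image that exports 'api'. Returns 0 if the region
 * runs out (a real scan would fault on an unmapped page instead). */
uint32_t find_module_base(const region_t *r, uint32_t start, const char *api) {
    uint32_t addr = (start - 1) & 0xFFFF0000u;   /* dec ebx; xor bx, bx */
    while (addr >= r->base) {
        if (addr < r->base + r->len) {            /* page is "mapped" in the fake space */
            size_t off = addr - r->base;
            if (pe_exports(r->mem + off, r->len - off, api)) return addr;
        }
        if (addr < 0x10000u) break;               /* would wrap below zero */
        addr -= 0x10000u;
    }
    return 0;
}

/* Build a minimal constructed PE32 image (not a real DLL) exporting 'names'. */
void build_fake_pe(uint8_t *img, const char **names, uint32_t n) {
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3C, 0x80);                  /* e_lfanew */
    wr32(img, 0x80, 0x00004550);            /* "PE\0\0" */
    img[0x98] = 0x0B; img[0x99] = 0x01;     /* OptionalHeader.Magic = PE32 */
    wr32(img, 0x80 + 0x78, 0x200);          /* export directory RVA */
    wr32(img, 0x80 + 0x7C, 0x300);          /* export directory size */
    wr32(img, 0x200 + 0x18, n);             /* NumberOfNames */
    wr32(img, 0x200 + 0x20, 0x300);         /* AddressOfNames */
    uint32_t str = 0x400;
    for (uint32_t i = 0; i < n; i++) {
        wr32(img, 0x300 + 4u * i, str);
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
}

/* Constructed scenario: a 1 MB region at 0x77F00000 holding a decoy "MZ" with a
 * bogus e_lfanew at 0x77FC0000 and a fake kernel32 at 0x77F80000. The decoy is
 * rejected by the header checks and the scan continues, as the comment describes. */
uint32_t demo(void) {
    region_t r = { 0x77F00000u, NULL, 0x100000 };
    r.mem = calloc(1, r.len);
    if (!r.mem) return 0;
    const char *k32[] = { "GetProcAddress", "LoadLibraryA" };
    build_fake_pe(r.mem + 0x80000, k32, 2);
    r.mem[0xC0000] = 'M'; r.mem[0xC0001] = 'Z';
    wr32(r.mem, 0xC003C, 0xFFFFFFF0u);       /* decoy: e_lfanew far out of range */
    uint32_t base = find_module_base(&r, 0x78000000u, "LoadLibraryA");
    free(r.mem);
    return base;
}

int main(void) { printf("kernel32 base: 0x%08X\n", demo()); return 0; }
```

The scan starts at 0x77FF0000, passes the empty pages, rejects the decoy at 0x77FC0000 on the e_lfanew sanity check, and stops at 0x77F80000 because that image's name table contains "LoadLibraryA". Dropping any one of the checks in pe_exports turns a decoy or a truncated mapping into a read past the end of the buffer, which is the crash the "error checking" in the comment is there to avoid.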