Saffron, fast OEP finder
Harding
08-05-2007, 12:36 AM
First, I will not take any credit for this tool. I only saw the talk at Black Hat and thought it was a good idea.
Main idea:
Watch all memory writes. The first time an instruction that has been written is
executed, mark it as a possible OEP.
From authors:
"Track written memory
If that memory is executed, it’s unpacked
Must monitor:
–Memory writes
–Memory Executions
Automate the process"
Read more on http://offensivecomputing.net/?q=node/492
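A toy simulation of the write-then-execute heuristic described above, added here as an example (Python, not Saffron's own code): the bytecode, the sample packed image and the `trace_oep` tracer are all constructed for this example. The stub decodes a payload in place (memory writes) and jumps into it; the tracer flags the address where execution first enters written memory.

```python
from typing import List, Set, Tuple

# Toy bytecode (constructed for this example): XOR [addr], key ; JMP addr ; NOP ; HALT
XOR, JMP, NOP, HALT = 0x02, 0x03, 0x04, 0xFF


def build_packed_image(key: int = 0x5A) -> bytearray:
    """Constructed sample: 256-byte image, stub at 0x00, XOR-encoded payload
    at 0x80. The stub decodes the payload in place (memory writes) and jumps
    to it; the decoded payload is NOP, NOP, HALT, so the true OEP is 0x80."""
    mem = bytearray(256)
    payload = bytes([NOP, NOP, HALT])
    for i, b in enumerate(payload):
        mem[0x80 + i] = b ^ key
    stub = []
    for i in range(len(payload)):
        stub += [XOR, 0x80 + i, key]   # decode one byte: a write to 0x80+i
    stub += [JMP, 0x80]                # control transfer into written memory
    mem[: len(stub)] = bytes(stub)
    return mem


def trace_oep(mem: bytearray, start: int = 0, max_steps: int = 10_000) -> Tuple[List[int], List[int]]:
    """Execute the toy machine, recording every written address. Returns
    (candidates, written): candidates are the addresses where execution
    enters memory that was written earlier in the run (the write-then-execute
    signal); the first one is the possible OEP in the Saffron sense."""
    written: Set[int] = set()
    candidates: List[int] = []
    pc, in_written = start, False
    for _ in range(max_steps):
        if pc in written and not in_written:
            candidates.append(pc)      # first execution inside written memory
        in_written = pc in written
        op = mem[pc]
        if op == XOR:                  # the only write instruction in this toy ISA
            addr, key = mem[pc + 1], mem[pc + 2]
            mem[addr] ^= key
            written.add(addr)
            pc += 3
        elif op == JMP:
            pc = mem[pc + 1]
        elif op == NOP:
            pc += 1
        elif op == HALT:
            break
        else:
            raise ValueError(f"bad opcode {op:#x} at {pc:#x}")
    return candidates, sorted(written)
```

A packer whose stub patches itself before reaching the real payload would produce an earlier entry in `candidates`, which is why the talk calls the result a possible OEP rather than a certain one.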
deroko
08-05-2007, 08:00 AM
Quote:
By triggering SEH exceptions the stack of a malware program is unwound until an appropriate handler is found. Due to the nature of the debugging interface, the debugger will insert its own SEH handling onto this stack.

wrong
hmm just to name some tricks for exception logging: hook KiUserExceptionDispatcher and get all exceptions, hook ntoskrnl!KeUserExceptionDispatcher and UserSharedData to avoid any detection of the KiUser hook... edit: I see they mention unhandled exceptions, well hook UnhandledExceptionFilter
btw for stealth tracing it is not needed to play with the TLB. It is enough to watch the P bit for paged-out pages and use the U/S bit for those that are paged in. Sure, SwapContext has to be hooked to have control over process switches and paged out/in pages.
klks84
08-05-2007, 10:20 PM
deroko you should give a talk at conferences surrounding the technology/concepts behind doer

deroko
08-06-2007, 08:51 AM
there is nothing revolutionary in it, everything is documented in the IA32 manual, so I wrote all of that into a driver, except the PAE special case handling where windows doesn't set the W flag in a writable page but maintains it internally in reserved bits of the PAE PTE. kinda cool trick

I don't know if this is general behaviour with PAE on x86 windows, but it surely occurred in all targets I have tested.
Hopcode
08-08-2007, 09:58 AM
Saffron is nothing new. Even OllyBone wasn't new.