http://www.phreedom.org/solar/code/tinype/tiny.webdav.133/tiny.exe

Well its very old hardcoded PE file ... but interesting thing that it bypasses some of best firewalls due to Svchost.exe default settings...

And now the phun part.. I tried to open it in olly (reflex) ... it get executed on even higher priv. (SYSTEM)... (silent execute)

Someone explain me what a heck is going on ?

from my experience, it looks to be using NtSetInformationThread with HideThreadFromDebugger option..it also doesnt have a normal PEB.. this is a very interesting target.. though it is not vulnerable to Olly it is to a HexViewer...Im pretty sure it uses TLS to hide it thread..so break on TLS with olly

Heh how it is vuln to HexViewer anyway ?

I tried to break on TLS callback with Poison plugin ..it same it tries to get DLL (the dll) ... very cool trick ... I havent realised this when I saw tinyPE project back then

ps. RAMODBG (themida mod)

PE-header is incorrect (but XP does not checks). SizeOfOptionalHeader is 4; num of Directory is 0.
4 byte code is at offset 4;
address \\66.93.68.6\z not responds

if you're looking for documentation on this, try http://www.phreedom.org/solar/code/tinype/

Everythingi is fine with it but... why and how to avoid it in olly is my issue now .. I informed Olly about this