
tinyPE reversing


replica
June 11th, 2009, 08:14
http://www.phreedom.org/solar/code/tinype/tiny.webdav.133/tiny.exe

Well, it's a very old hardcoded PE file... but the interesting thing is that it bypasses some of the best firewalls due to Svchost.exe's default settings...

And now the phun part... I tried to open it in Olly (reflex)... it gets executed with even higher privileges (SYSTEM)... (silent execute)

Can someone explain to me what the heck is going on?

BanMe
June 11th, 2009, 15:31
From my experience, it looks to be using NtSetInformationThread with the HideThreadFromDebugger option.. it also doesn't have a normal PEB.. this is a very interesting target.. though it is not vulnerable to Olly, it is to a hex viewer... I'm pretty sure it uses TLS to hide its thread.. so break on TLS with Olly

replica
June 11th, 2009, 17:22
Heh, how is it vulnerable to a hex viewer anyway?

I tried to break on the TLS callback with the Poison plugin.. it seems it tries to get a DLL (the dll)... very cool trick... I hadn't realised this when I saw the tinyPE project back then

PS. RAMODBG (themida mod)

evaluator
June 12th, 2009, 04:03
The PE header is incorrect (but XP does not check). SizeOfOptionalHeader is 4; the number of data directories is 0.
4 bytes of code are at offset 4;
the address \\66.93.68.6\z does not respond
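A header check for the anomalies evaluator lists, as an added example that is not code from this thread or from the tinyPE project. It reads the optional-header fields the way the post describes the XP loader doing it, without letting SizeOfOptionalHeader bound them, and flags layouts no linker emits: NT headers inside the DOS header, a tiny SizeOfOptionalHeader, zero data directories, an entry point inside the headers. Field offsets are the documented PE32/PE32+ layout. The two sample images are constructed inside the block to show the named anomalies and a clean header for comparison; they are not tiny.exe's bytes.

```python
"""Flag tinyPE-style PE header tricks.  Added example, not code from the
thread or the tinyPE project; the sample images are constructed here
and are not tiny.exe's bytes."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Optional header size without data directories (documented PE layout).
MIN_OPT_SIZE = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}
# Field offsets relative to the optional header start.
OFF_ENTRY, OFF_SIZEOFHEADERS = 16, 60
OFF_NUM_DIRS = {PE32_MAGIC: 92, PE32PLUS_MAGIC: 108}


def _u16(data, off):
    return struct.unpack_from("<H", data, off)[0] if off + 2 <= len(data) else None

def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0] if off + 4 <= len(data) else None


def audit_pe_header(data: bytes) -> list:
    """Return findings (empty list = looks like linker output).  Fields are
    read as the loader reads them, not bounded by SizeOfOptionalHeader."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not an MZ image or shorter than the 64-byte DOS header"]
    e_lfanew = _u32(data, 0x3C)
    if e_lfanew < 0x40:
        findings.append(f"e_lfanew=0x{e_lfanew:x}: NT headers overlap the DOS header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return findings + ["no PE signature at e_lfanew"]
    fh = e_lfanew + 4                    # IMAGE_FILE_HEADER
    opt = fh + 20                        # IMAGE_OPTIONAL_HEADER
    magic = _u16(data, opt)
    if magic not in MIN_OPT_SIZE:
        return findings + [f"unknown or truncated optional header magic {magic!r}"]
    if _u16(data, fh + 2) == 0:
        findings.append("NumberOfSections=0: no sections, code must live in the headers")
    size_opt = _u16(data, fh + 16)
    if size_opt < MIN_OPT_SIZE[magic]:
        findings.append(f"SizeOfOptionalHeader={size_opt} < {MIN_OPT_SIZE[magic]}: "
                        "loader reads fields past the declared size")
    num_dirs = _u32(data, opt + OFF_NUM_DIRS[magic])
    if num_dirs is None:
        findings.append("NumberOfRvaAndSizes lies beyond end of file")
    elif num_dirs == 0:
        findings.append("NumberOfRvaAndSizes=0: no data directories, so no import table")
    entry, size_hdrs = _u32(data, opt + OFF_ENTRY), _u32(data, opt + OFF_SIZEOFHEADERS)
    if entry is not None and size_hdrs is not None and entry < size_hdrs:
        findings.append(f"AddressOfEntryPoint=0x{entry:x} inside headers "
                        f"(SizeOfHeaders=0x{size_hdrs:x})")
    return findings


def tiny_sample() -> bytes:
    """Constructed 128-byte image with the anomalies named above:
    e_lfanew=4, 0 sections, SizeOfOptionalHeader=4, NumberOfRvaAndSizes=0."""
    img = bytearray(128)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 4)                      # e_lfanew
    img[4:8] = b"PE\0\0"
    # Machine=i386, 0 sections, SizeOfOptionalHeader=4, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, 8, 0x14C, 0, 0, 0, 0, 4, 0x102)
    opt = 28
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + OFF_ENTRY, 0x7C)        # EP inside headers
    struct.pack_into("<I", img, opt + 28, 0x00400000)         # ImageBase
    # SectionAlignment (opt+32 = file offset 60) shares its bytes with e_lfanew
    struct.pack_into("<I", img, opt + 36, 4)                  # FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x80, 0x80)        # SizeOfImage/Headers
    return bytes(img)                 # NumberOfRvaAndSizes at offset 120 stays 0


def normal_sample() -> bytes:
    """Constructed minimal well-formed PE32 header with one .text section."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + OFF_ENTRY, 0x1000)
    struct.pack_into("<III", img, opt + 28, 0x00400000, 0x1000, 0x200)  # base, aligns
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)     # SizeOfImage/Headers
    struct.pack_into("<I", img, opt + OFF_NUM_DIRS[PE32_MAGIC], 16)
    sect = opt + 0xE0                                         # first section header
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sect + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, sect + 36, 0x60000020)        # CODE|EXECUTE|READ
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("tiny", tiny_sample()), ("normal", normal_sample())):
        print(name, audit_pe_header(img) or ["clean"])
```

Run it on a real file with `audit_pe_header(open(path, "rb").read())`; the truncation case (NumberOfRvaAndSizes past end of file) is reported separately because a file that short is itself the tell.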

disavowed
June 16th, 2009, 21:39
If you're looking for documentation on this, try http://www.phreedom.org/solar/code/tinype/

replica
June 19th, 2009, 04:46
Everything is fine with it but... why, and how to avoid it in Olly, is my issue now.. I informed Olly about this