PoC: Hiding the caller.


Indy
January 7th, 2011, 07:35
o The detector cannot detect the caller through an analysis of the stack.
o Processing of SEH outside of modules (also hidden).

2395

BanMe
January 7th, 2011, 22:31
Works of 'black' art are still art, http://www.darkscenario.com/darkgallery/index-1.html. (a far reference to evaluator's reply?)

Nice work Indy.

Indy
January 8th, 2011, 04:11
A segment of code calling the API will be detected by a rootkit detector, which takes the return address from the stack. With such a call model, this detection is not possible. In a complex environment, procedural branching in the module is not acceptable. This is the standard call model AV expects from us.

evaluator
January 8th, 2011, 13:54
1. I did not understand the description
2. this program crashes on
0040132B: mov [7C97C9DC], eax

what now?

Indy
January 8th, 2011, 15:06
evaluator
A description is not required, since this is the code. It is very simple.
It should crash, as this is a PoC. Two addresses are given as constants (the gateway as well); on your system these values are different. Code to study, not to run.

Here is a working example: 2397

evaluator
January 8th, 2011, 15:22
OK, that works.
OK, there I see nothing to comment on.