
ARTeam: TheMida_defeating_ring0_by_deroko


Shub-nigurrath
May 16th, 2006, 07:52
Hi all,
deroko hits again with another impressive, extensive, complex and head-smashing tutorial, with all the sources too.

This time the one to pay is TheMida.

TheMida_defeating_ring0_by_deroko
TheMida 1.0.0.5 with its offensive ring0 driver is not much used nowadays. But that still doesn't mean we shouldn't pay attention to it. Even more, when something is not researched and written about, it is more fun to play with such a protection. I have nothing more to say about it; I will show you my research and all I have done to repair the dump.

Take it from our usual tutorials cave.


...and also, for those of you who missed the previous announcements, see:


Activemark V5.x Process Dumper By Condzero
ActiveMARK Process Dumper (AMDUMPER). Package includes the complete sources (C) and a tutorial on how it works and how to use it.

Visual Protect License Generation By Anorganix
How to generate valid licences for any Visagesoft Visual Protect protected application.

Anti-anti Dump And Nonintrusive Tracers By Deroko
A novel method to manage the new anti-dump buffer-based protections used by the latest protectors such as AsProtect SKE, Armadillo, etc. (sources included).


Have phun,
Shub

disavowed
May 17th, 2006, 09:31
From the last tutorial you listed:
"It points to PE in all of my viruses allowing me fast access to any needed field of PE file during infection"

Too bad Deroko can't use his skills for good rather than evil

sHice
May 17th, 2006, 10:02
Quote:
[Originally Posted by disavowed]
Too bad Deroko can't use his skills for good rather than evil


What do you consider "good"? Reverse code engineering? Cracking? Do you think the developer of an app you are reversing/cracking considers your action good? What is good depends on the point of view. Who says that he spreads his virii anyway, and if he does, who cares...

esther
May 17th, 2006, 10:15
*what do you consider "good"

Spreading viruses is bad so fuck it!!!!!

Kayaker
May 17th, 2006, 10:21
Quote:
[Originally Posted by sHice]...and if he does who cares...


Please be the first to get infected then...

sHice
May 17th, 2006, 10:53
Sorry, I didn't want to say that spreading virii is good. I just don't understand that some people who are cracking/reversing are so much against virii, no matter whether they get spread or not. If they hear "virii" they start screaming about how bad they are without knowing if the person is just coding them for fun and knowledge or to spread them. You can learn a lot from coding virii, just like from reversing. I actually don't like people who spread virii, just like people who release cracks.

esther
May 17th, 2006, 11:09
if

Kayaker
May 17th, 2006, 11:28
Aah, I suppose it's much the same as rootkits. Fun to code and you learn a lot, but I sure as hell don't want to see a real one running on my computer.

gabri3l
May 17th, 2006, 11:34
I don't think it's that easy to bundle every virus writer into the same group. The first time I heard about the TLS callback was from a virus ezine; later someone found it was incorporated into ExeCryptor. There are some great papers on ring0 and API hooking. y0da has his papers in vx zines, and he even links to some vx sites. I doubt it's because he likes to be infected, but rather because there is a wealth of information these groups provide.
I think we all agree that spreading a virus is almost always bad. But taking the time to research and develop code that will run undetected, modify OS features, etc. has implications even outside of the vx community, namely ours, because I can guarantee that the protection authors are reading up on the vx zines.

0xf001
May 17th, 2006, 13:21
sHice, gabri3l - I agree.

Studying and even coding virii is good to gain knowledge, and is full of interesting challenges, some of them very similar to activities related here as RCE.
Although, isn't coding virii for Windows somehow already too boring?

spreading them is lame ass!

deroko
May 17th, 2006, 13:25
Don't worry, you can't be infected with source code.

0xf001
May 17th, 2006, 15:40
hehe,

Not with source code, true. But i.e. with something from here ... http://www.woodmann.com/0xf001/#virii

Just wanted to say that; sorry for being a bit off topic, probably.

regards, 0xf001

ps: virii + 0day == possible && evil

disavowed
May 20th, 2006, 02:26
Quote:
[Originally Posted by sHice]what do you consider "good" ?

Reverse engineering for white-hat purposes, such as anti-virus work and white-hat vulnerability analysis.

rendari
May 20th, 2006, 19:48
Well, virus coding is a way to practice and keep in shape...

Also, much better for people like deroko to code new viruses and only release source code, so that they can be studied and countered, instead of having someone with malicious intent write new viruses and just spread them, making a nightmare.

Uradox
May 21st, 2006, 00:42
Quote:
[Originally Posted by rendari]Also, much better for people like deroko to code new viruses and only release source code, so that they can be studied and countered, instead of having someone with malicious intent write new viruses and just spread them, making a nightmare.


He who is aspiring to write these viruses to wreak havoc also gains knowledge from this sort of thing. What is seen as harmless to some is ammunition for others.

deroko
May 21st, 2006, 04:29
I'm glad that disavowed read the whole article. I hope that everyone else who read it has also enjoyed it...

over and out...

OHPen
May 21st, 2006, 11:31
I read the whole article too,

and it's a great paper. I hope to see more stuff like that from you soon.

Cheers,

PAPi

JMI
May 25th, 2006, 19:40
Because of ongoing issues with creating a test forum with the current database files for use in setting up the OllyForum, which will be opening here soon, I have inadvertently overwritten this Forum several times with the 05.23.06 backup file. I finally figured out how to effectively change the backup file so that it correctly "restored" to the database I wanted, rather than to the database (this one) IT wanted to choose.

In this process, I have inadvertently overwritten a couple of Posts by disavowed and by dELTA and maybe a response by deroko in this Thread. I'm finally through screwing up the current Forum's database (oh thank God) so, hopefully, some of your comments can be reposted and, this time, actually last more than a couple of hours.

Our test forum is currently running with the 05.24.06 backup from this Forum, and Kayaker and I are going to practice importing the running vBulletin version of the OllyForum to make sure that process works as expected. Once that is worked out, we will have this Forum fully functional in the v3.5.4 format, with the OllyForum as an integrated part of our regular Forum.

Sorry for the problems while this process was worked through. It all appears to be solved now, except for the testing of the import of the OllyForum into the test Forum.

Regards,

disavowed
May 26th, 2006, 21:06
For the third time...

Quote:
[Originally Posted by rendari]Well, virus coding is a way to practice and keep in shape

Practice what? Doing malicious things?

Quote:
[Originally Posted by rendari]Also, much better for people like deroko to code new viruses and only release source code, so that they can be studied and countered, instead of having someone with malicious intent write new viruses and just spread them, making a nightmare.

1. That's like saying, "it's better for someone to buy a gun and shoot 10 people than to buy a bomb and kill 100 people." Neither is good... don't try to defend something bad by saying that it could be worse.
2. Most AV companies don't care much about virus source code since it can change plenty between variants. And by releasing source code, the author makes it easier for variants to be created (by script kiddies, etc.) and harder for AV companies to detect/clean them (since there are multiple variants in the wild and the AV companies may not have all of them).

Quote:
[Originally Posted by deroko]I'm glad that disavowed read whole article.

It was a good article and you're definitely a smart guy. I'd just like it if you used your skills for productive work instead of potentially destructive work.

dELTA
May 28th, 2006, 10:52
Well, for the second time then, and in a much shorter version:

People can do whatever they like with the information they learn here, it is impossible to stop, so we should not yell at people for their interests. Just like reversing, virus coding/research can be very educating, also for the "good guys". Unless people explicitly say that they are going to do something ill-intended, leave them alone, at least on this board, ok?

disavowed
May 29th, 2006, 00:42
For the second time then, and in a much shorter version from me...

I have nothing against the spread of knowledge. My problem was with the fact that deroko is writing viruses.

dELTA
May 29th, 2006, 05:15
For the, well, first time then, since I didn't get to write it before the thread was nuked...

I have no problem with you having a problem. My problem is that if someone has a personal problem with someone else, they should take it somewhere else than this board. We don't want personal attacks, and we don't want flamewars.

disavowed
May 29th, 2006, 14:32
Ahh.

Point taken

0xf001
May 31st, 2006, 14:44
[edited]

OK, I respect the "no flamewars" note and have deleted my posts.

I wanted to express that writing virii alone, IMHO, is not a bad thing per se; more the opposite, for people who do it to learn.

regards, 0xf001

deroko
May 31st, 2006, 15:09
You are completely right.

Regards

dELTA
May 31st, 2006, 17:17
As I said above, we don't want any flamewars here, so this thread is now closed.

We appreciate your efforts deroko, keep up the good work!