System Programming

Genetic Algorithms. Lame Example - Solving Quadratic Equation

2013-01-10T15:37:00.000+03:00

Source code to this article may be found here. There are numerous resources on the Internet, that provide description of the theory of Genetic Algorithms and theoretical explanation thereof. I, however, have found a bit more then none giving a real example (I may have not searched that good, though). Therefore, I decided to try and implement the theory into a live example. While there are

Anti Piracy? The insider's view

2013-01-07T12:58:00.000+03:00

<!--[if gte mso 9]>

Exception Driven "Debugging": Getting behind anti debugging tricks.

2012-10-22T17:20:00.001+03:00

Of course, every debugging is exception driven. At least because a breakpoint generates debug exception wich is passed to debugger. In this article, however, I will refer to regular exceptions. There are tens if not hundreds of software protectors used by software vendors around the globe. Some are good, some are less good, in either case, vendors rarely use them in a proper way, thinking

Method of Computer Virus Detection. Sad story of a patent application

2012-10-18T19:52:00.000+03:00

It was quite a long time ago (an epoch ago by terms of software development). Around the end of 2005 and beginning of 2006. I was then working for Aladdin Knowledge Systems' eSafe unit as a computer virus researcher (my first formal RE job). Detection methods were quite poor at that time, even heuristic ones (not that they are THAT good these days). There was quite a lot noise about the

Time Series Analysis and Forecasting. Programming Approach - thoughts

2012-09-04T19:49:00.000+03:00

"Certain things are impossible... Until an ignoramus appears, who is not aware of that". Time Series - a sequence of data points, measured typically at successive time instants spaced at uniform time intervals. There are quite a lot of things that may fit this definition. For example, air temperature changes throughout the day (let's say, hourly measured), distance from the Earth to the

Emulation of Hardware. CPU & Memory

2012-08-31T20:35:00.000+03:00

There are tens of hardware platforms (although, some people would say that there is only one - computer ;-) ). Each one has its own advantages over others and disadvantages as well. For example Intel is the most used platform for desktops, ARM and MIPS are widely used in embedded systems and so on. Sometimes, a need may arise to test/debug executable code written for platform other then the one

CreateRemoteThread. Bypass Windows 7 Session Separation

2012-05-30T04:36:00.000+03:00

Internet is full of programmers' forums and those forums are full with questions about CreateRemoteThread Windows API function not working on Windows 7 (when trying to inject a DLL). Those posts made by lucky people, somehow, redirect you to the MSDN page dedicated to this API, which says: "Terminal Services isolates each terminal session by design. Therefore, CreateRemoteThread fails if the

Passing Events to a Virtual Machine

2012-05-23T18:57:00.000+03:00

The source code for this article may be found here. Virtual machines and Software Frameworks are an initial part of our digital life. There are complex VM and simple Software Frameworks. These two articles (Simple Virtual Machine and Simple Runtime Framework by Example) show how easy it may be to implement one yourself. I did my best to describe the way VM code may interact with native code

Simple Runtime Framework by Example

2012-05-19T17:53:00.001+03:00

Source code for this article may be found here. These days we are simply surrounded by different software frameworks. Just to name a few: Java, .Net and, actually, many more. Have you ever wondered how those work or have you ever wanted or needed to implement one? In this article, I will cover a simple or even trivial runtime framework. As usual - note for nerds: The source code given in

Basics of Data Obfuscation

2012-05-17T22:30:00.000+03:00

Source code for this article may be found here. One of the aspects of software anti RE (reverse engineering) protection is the need to protect sensitive data (for example decryption or license keys, etc.) There is quite a common practice of storing such data in encrypted form and using it by passing to a certain routine for decryption. I am not going to say, that this is not a good idea, but

Linux Threads Through a Magnifier: Remote Threads

2012-03-21T23:40:00.001+03:00

Source code for this article may be found here. Sometimes, a need may rise to start a thread in a separate process and the need is not necessarily malicious. For example, one may want to replace library functions or to place some code between the executable and a library function. However, Linux does not provide a system call that would do anything similar to CreateRemoteThread Windows API

Linux Threads Through a Magnifier: Local Threads

2012-03-17T20:10:00.000+03:00

Source code for this article is here. Threads are everywhere. Even now, when you browse this page, threads are involved in the process. Most likely, you have more than one tab opened in the browser and each one has at least one thread associated with it. The server supplying this page runs several threads in order to serve multiple connections simultaneously. There may be unnumbered examples

Faking KERNEL32.DLL - an Amateur Sandbox

2012-03-06T21:31:00.000+03:00

As a part of my work (read "fun") of maintaining this blog, I am constantly checking the statistic information on traffic sources and keywords (it's nice to know that people are getting here via Google) in order to see whether my readers are getting what they are looking for (personally, I see no reason in simply "streaming my consciousness to the masses" as this is not the point of this blog).

Trivial Artificial Neural Network in Assembly Language

2012-03-04T19:41:00.000+03:00

Source code for this article may be found here. Note for nerds: The code shown in this article may be incomplete and may not contain all the security checks you would usually perform in your code as it is given here for demonstration purposes only. Downloadable source code may contain bugs (there is no software without bugs at all). It is provided as is without any warranty. You may use and

Defeating Packers for Static Analysis of Malicious Code

2012-03-02T17:35:00.000+03:00

I doubt whether there is anybody in either AV industry or among reverse engineers who does not know what a software packer is (for those who don't - this article may help). Malware research and reverse engineering forums are full of packers' related questions, descriptions thereof, unpacking suggestions and links to both packers and unpackers. In short - people have been doing a lot of precious

Dynamic Code Encryption as an Anti Dump and Anti Reverse Engineering measure

2012-03-02T00:01:00.000+03:00

Source code for this article may be found here. There has been said and written too much on how software vendors do not protect their products, so let me skip this. Instead, in this article, I would like to concentrate on those relatively easy steps, which software vendors have to take in order to enhance their protection (using packers and protectors is good, but certainly not enough) by not

Vectored Exception Handling for Linux

2012-02-29T22:05:00.000+03:00

Source code for this article may be found here. The title of this article may look weird. In deed, why would someone want to use Vectored Exception Handling in Linux, while this OS provides a perfectly working mechanism - signals? Well, there are several possible answers: Many programmers, who started their career with Windows programming, are getting a bit frustrated when it comes to

Basics of Executable Code Obfuscation

2012-02-27T18:42:00.000+03:00

Source code for this article may be found here. The problem of software security has already been raised in my previous articles more that once. This article is not an exception. Majority of software vendors position themselves as number one in the industry, even though there are always more then 1 number 1. But what unites them all (well, almost all) in reality, it the fact that they all

Merry Christmas!

2011-12-25T01:50:00.000+03:00

Simple Virtual Machine

2011-12-22T01:16:00.000+03:00

Sample code for this article may be found here. In computing, Virtual Machine (VM) is a software implementation of either existing or a fictional hardware platform. VM's are generally divided into two classes - system VM (VM which is capable of running an operating system) and process VM (the one that only can run one executable, roughly saying). Anyway, if you are just interested in the

Listing Loaded Shared Objects in Linux

2011-12-19T21:57:00.000+03:00

I have recently come across several posts on the Internet where guys keep asking for Linux analogs of Windows API. One of the most frequent one is something like "EnumProcessModules for Linux". As usual, most of the replies are looking like "why do you need that?" or "Linux is not Windows". Although, the last one is totally true, it is completely useless. As to "why do you need that?" - why do

Executable Code Injection the Interesting Way

2011-12-16T00:50:00.001+03:00

So. Executable code injection. In general, this term is associated with malicious intent. It is true in many cases, but in, at least, as many, it is not. Being malware researcher for the most of my career, I can assure you, that this technique appears to be very useful when researching malicious software, as it allows (in most cases) to defeat its protection and gather much of the needed

Pseudo Experts or Who's the Troll

2011-12-11T18:21:00.001+03:00

Internet has currently become the most available source of consultation and tutorials then anything else. At least, because the closest library is a couple of blocks away while the Internet is at your fingertips (wanted to say "at your desk", but it may be a laptop or a mobile device). It is hard to find someone who hasn't ever posted a question or an issue on one of the numerous forums or

Flat Assembler "Export" Macro with Custom Ordinal Base

2011-12-09T14:20:00.001+03:00

I have recently come across the need to build dynamic link libraries with custom ordinal base (different from 1). After searching the net and seeing lots of people writing their own export macros, I came to a conclusion that Occam's Razor principle still works here and decided to make simple modifications to the original export macro provided with FASM package. The modifications are marked with

Hiding Injected DLL in Windows

2011-12-08T18:03:00.001+03:00

Errare humanum est... For some reasons, I have missed an important aspect of DLL injection in my previous article. Namely - hiding your injected DLL. It may be unnecessary when you inject DLL into your own process (e.g. for debugging purposes), but what if you are a tough malware researcher trying to trace the activity of some bad executable? In such case, the less you inform the malware you