System Programming

Faking KERNEL32.DLL - an Amateur Sandbox

2012-03-06T21:31:00.000+03:00

As a part of my work (read "fun") of maintaining this blog, I am constantly checking the statistic information on traffic sources and keywords (it's nice to know that people are getting here via Google) in order to see whether my readers are getting what they are looking for (personally, I see no reason in simply "streaming my consciousness to the masses" as this is not the point of this blog).

Trivial Artificial Neural Network in Assembly Language

2012-03-04T19:41:00.000+03:00

Source code for this article may be found here. Note for nerds: The code shown in this article may be incomplete and may not contain all the security checks you would usually perform in your code as it is given here for demonstration purposes only. Downloadable source code may contain bugs (there is no software without bugs at all). It is provided as is without any warranty. You may use and

Defeating Packers for Static Analysis of Malicious Code

2012-03-02T17:35:00.000+03:00

I doubt whether there is anybody in either AV industry or among reverse engineers who does not know what a software packer is (for those who don't - this article may help). Malware research and reverse engineering forums are full of packers' related questions, descriptions thereof, unpacking suggestions and links to both packers and unpackers. In short - people have been doing a lot of precious

Dynamic Code Encryption as an Anti Dump and Anti Reverse Engineering measure

2012-03-02T00:01:00.000+03:00

Source code for this article may be found here. There has been said and written too much on how software vendors do not protect their products, so let me skip this. Instead, in this article, I would like to concentrate on those relatively easy steps, which software vendors have to take in order to enhance their protection (using packers and protectors is good, but certainly not enough) by not

Vectored Exception Handling for Linux

2012-02-29T22:05:00.000+03:00

Source code for this article may be found here. The title of this article may look weird. In deed, why would someone want to use Vectored Exception Handling in Linux, while this OS provides a perfectly working mechanism - signals? Well, there are several possible answers: Many programmers, who started their career with Windows programming, are getting a bit frustrated when it comes to

Basics of Executable Code Obfuscation

2012-02-27T18:42:00.000+03:00

Source code for this article may be found here. The problem of software security has already been raised in my previous articles more that once. This article is not an exception. Majority of software vendors position themselves as number one in the industry, even though there are always more then 1 number 1. But what unites them all (well, almost all) in reality, it the fact that they all

Merry Christmas!

2011-12-25T01:50:00.000+03:00

Simple Virtual Machine

2011-12-22T01:16:00.000+03:00

Sample code for this article may be found here. In computing, Virtual Machine (VM) is a software implementation of either existing or a fictional hardware platform. VM's are generally divided into two classes - system VM (VM which is capable of running an operating system) and process VM (the one that only can run one executable, roughly saying). Anyway, if you are just interested in the

Listing Loaded Shared Objects in Linux

2011-12-19T21:57:00.000+03:00

I have recently come across several posts on the Internet where guys keep asking for Linux analogs of Windows API. One of the most frequent one is something like "EnumProcessModules for Linux". As usual, most of the replies are looking like "why do you need that?" or "Linux is not Windows". Although, the last one is totally true, it is completely useless. As to "why do you need that?" - why do

Executable Code Injection the Interesting Way

2011-12-16T00:50:00.001+03:00

So. Executable code injection. In general, this term is associated with malicious intent. It is true in many cases, but in, at least, as many, it is not. Being malware researcher for the most of my career, I can assure you, that this technique appears to be very useful when researching malicious software, as it allows (in most cases) to defeat its protection and gather much of the needed

Pseudo Experts or Who's the Troll

2011-12-11T18:21:00.001+03:00

Internet has currently become the most available source of consultation and tutorials then anything else. At least, because the closest library is a couple of blocks away while the Internet is at your fingertips (wanted to say "at your desk", but it may be a laptop or a mobile device). It is hard to find someone who hasn't ever posted a question or an issue on one of the numerous forums or

Flat Assembler "Export" Macro with Custom Ordinal Base

2011-12-09T14:20:00.001+03:00

I have recently come across the need to build dynamic link libraries with custom ordinal base (different from 1). After searching the net and seeing lots of people writing their own export macros, I came to a conclusion that Occam's Razor principle still works here and decided to make simple modifications to the original export macro provided with FASM package. The modifications are marked with

Hiding Injected DLL in Windows

2011-12-08T18:03:00.001+03:00

Errare humanum est... For some reasons, I have missed an important aspect of DLL injection in my previous article. Namely - hiding your injected DLL. It may be unnecessary when you inject DLL into your own process (e.g. for debugging purposes), but what if you are a tough malware researcher trying to trace the activity of some bad executable? In such case, the less you inform the malware you

Advanced DLL Injection

2011-11-26T19:03:00.001+03:00

It has been a while since my last article. Special thanks to those who decided to stay with me despite the long break and welcome to new readers! In this article I am going to cover such a trivial (as it may seem) subject as DLL injection. For some reason, most of the tutorials on the web only give us a brief coverage of the topic, mostly limited to invocation of LoadLibraryA/W Windows API

Dennis Ritchie, R.I.P.

2011-10-13T19:10:00.000+03:00

Dennis Ritchie, the father of C language and co-creator of Unix has passed away this week...

Hijack Linux System Calls: Part III. System Call Table

2011-10-13T12:49:00.000+03:00

This is the last part of the Hijack Linux System Calls series. By now, we have created a simple loadable kernel module which registers a miscellaneous character device. This means, that we have everything we need in order to patch the system call table. Almost everything, to be honest. We still have to fill the our_ioctl function and add a couple of declarations to our source file. By the end

Hijack Linux System Calls: Part II. Miscellaneous Character Drivers

2011-10-12T21:00:00.001+03:00

We all know what device drivers are - the hands of the operating system that make it possible for the kernel to handle hardware. We also know that there are two types of devices - character and block, depending on the way they handle data transmissions, but what does "miscellaneous" device mean? To put it simple - it means what it means. On one hand, this may be a driver that handles simple

Hijack Linux System Calls: Part I. Modules

2011-10-12T03:38:00.001+03:00

Have you ever tried to google for "patching Linux system call table"? There are hundreds, if not thousands, of posts regarding this problem. Most of them are outdated, as they refer to older kernels (those, that still exported sys_call_table), others are about adding custom system call and recompiling the kernel. There are a few covering modern kernels, but those are brief and, mostly, only

Interfacing Linux Signals

2011-10-09T00:53:00.000+03:00

NOTE: All information provided here is related to x86 and IA64 and may be incorrect in regard of other platforms. More than that, it may not be the same on every x86/IA64, so check your kernel/libc sources first. All source file paths are relative to your Linux Kernel source directory (most probably "/usr/src/linux") unless it is mentioned otherwise. Sample code for this article may be

Stealth Import of Windows API

2011-10-04T17:47:00.000+03:00

At good old times, memory was an expensive resource and developers had to take care of the size of the programs they create. Imagine how hard they had to work before there were high level languages (like C), before compilers became smart enough to handle all size optimization issues. Speed was also among the concerns, as the hardware was not as fast as it is now. Another headache was the need to

Windows Structured and Vectored Exception Handling Mechanisms

2011-10-04T03:44:00.002+03:00

We are all familiar with try - except constructs from C++ (or Java, etc.) code and we all know what this construct is used for. However, I will try to take us deeper into the exception handling mechanism in this post. Structured Exception Handling aka SEH The MSDN definition of SEH is "Structured exception handling is a mechanism for handling both hardware and software exceptions. Therefore,