Home | hacker invade | crack analyzes | hacker course | Exploit | encryption decipher | network management | System crack | the virus to be related | invades the examination | firewall
You are here: hacking technology > invades the examination > Content
Hot Articles
ForensicSIM Toolkit gets
Serv-U bounce attack and
To the Image File Execut
Based on CallStack count
To a some music website
How to use double WAN ro
pcshare official net exa
Security precious book m
Honey jar and honey net
The invasion examination
pcshare official net exa
Tomcat invasion examinat
Bypasses the CallStack f
Ten big invasion examina
The network invasion exa
Recommend Articles
Only opens 80 port's saf
Bypasses the web key wor
Bypasses the CallStack f
Security precious book m
Based on CallStack count
pcshare official net exa
SQL Server SA idle talk
Honey jar and honey net
The invasion examines th
Four next generation inv
An accidental invasion e
The invasion examines (I
How to use IDS to invade
The invasion examination
A winding safe examinati
New Articles
TEA guidelines for risk
Training for medical per
JSIC Security Forum 2001
SITO includes E-Learning
The rationale for choosi
Drink and drug driving c
BTEC is Tavcom Training
International trade issu
1 in 5 companies is unli
New compact PD-350 for F
sharp rise in prices of
Passfaces strong authent
T3i teams with Passfaces
Comodo Two Factor Authen
Comfortable two-factor a
To the Image File Execution Options examination flow
  Add date: 08/12/2008   Publishing date: 08/12/2008   Hits: 385
Total 2 pages, Current page:1, Jump to page:
 
Image File Execution Options, said that familiar is also strange, for one year everybody mentions the reflection kidnaps, is its Debugger key value question. Realizes IFEO to kidnap, is only writes a key in the registry, with ease to not technique content. However, how does the system is distinguish, or, does system's this function, how is cause it to walk into the snare?

Gave the computer newspaper to write one early to discuss simply IFEO the article, at that time held everybody to look for a material, TK turned to MSDN in the related description, pointed out explicitly “, when the father advancement was not affected the child process the debugger, CreateProcess in its user condition part examines Image File Execution the Options item”. At that time wanted to say this finally in the article, as well as why these system essential advancement not by the IFEO influence. As soon as but came at that time too the vegetable, simply did not understand looked CreateProcess the code debugged, therefore could also not confirm. Simultaneously that article is also for the common user looked that said senselessly let them crash into the dense fog the thing, therefore relinquished.

But recently in this 2-3 days, because in preceding blog mentions looked that shellcode the xor encryption code's drive, to assembled the reversion debugging to be interested suddenly, therefore stared at OD to look at the counter-assembly code all day. Today meets a seeking help, he hid carelessly the D plate under the resources supervisor, therefore teaches him to change from the group strategy. Finally spoke thoughtlessly said “the system should be inspects this key value in FindFirstFile and the FindNextFile user condition part, hid the driver, as for did not arrive transfers NATIVE API even entered when ring0 only then examines, looked like CreateProcess to be the same in user condition examination IFEO”.

Therefore has the idea suddenly, why not to confirm?

One write a script, in button onclick simply CreateProcess.

Opens the registry editor, kidnaps cmd.exe SREngPS.exe to IFEO.

OD writes down the movement, neglects all exceptionally, operation.

Looked at CreateProcessA, WinExec, ShellExecuteA these functions first, really all was the interior transfers CreateProcessInternalA to complete, but the latter transferred its UNICODE edition, namely CreateProcessInternalW, completed the actual work.

Broke under the CreateProcessInternalW exit, breaks, a group with got down. This time key point lies in discovers “the system to judge the father advancement whether for child process's debugger, is then examines the IFEO item” corresponding code.

That is, must find the system to carry on to dwCreationFlags examines and decided whether to enter the IFEO examination the code.

The father advancement becomes the child process debugger's dwCreationFlags parameter to have two:

DEBUG_PROCESS = 1;

DEBUG_ONLY_THIS_PROCESS = 2;

Has looked for the half of the day, this function needs to do the step is not general many really, transferred NATIVE the API foundation advancement object the order not to be careful looked, will wait later, now is not these with emphasis. Finally finally joy after sorrow:

 
Other pages: : 1 * 2 * Next>>
Prev:Resists the heuristic code simulation examination technical analysis Next:Omni-directional examination based on JSP website

Comment:

Category: Home > invades the examination
Home