Reversing: The Hacker's Guide to Reverse Engineering
see that it points somewhere into NTDLL’s header (the specific value is likely to change with each new update of the operating s ...
from the address at ESI to the address at EDI until ECX is zero. For each DWORD that is copied, ECX is decremented once, and ESI and E ...
Figure 11.15 The layout of Defender’s memory copy of NTDLL. The function is taking the +4 offset of the found entry (remember th ...
The code at 7FFE0300 to which this function calls is essentially a call to the NTDLL API KiFastSystemCall, which is just a generi ...
up with a kernel debugger if you’re serious about reversing—certain reversing scenarios are just undoable without a kernel debug ...
SoftICE’s Disappearance The first call being made in this sequence is again to NtDelayExecution, but here you run into a little ...
Looking at the address 402EEF, you can see that it indeed contains code. This must be our thread routine. A quick glance shows t ...
0040306F MOV DWORD PTR SS:[EBP-60],EAX
00403072 MOV DWORD PTR SS:[EBP-5C],ECX
00403075 JNZ SHORT Defender.00403080
00403077 CMP ...
one another using SBB (subtract with borrow). SBB subtracts the two integers and treats the carry flag (CF) as a borrow indicator ...
encrypted—you must either modify the encrypted data or eliminate the encryption altogether. Neither of these options is particul ...
After KERNEL32.DLL is loaded, Defender goes through the familiar sequence of allocating a random address in memory and produces ...
If you look closely at the address that the JMP at 004041F4 is going to, you’ll notice that it’s very far from where you are at the ...
00404219 TEST EAX,EAX
0040421B JNZ SHORT Defender.0040420D
0040421D XOR ECX,ECX
0040421F PUSH Defender.0040322E
00404224 CALL EC ...
Let’s proceed to investigate the newly decrypted function. It starts with two calls to the traditional NtDelayExecution. Then th ...
has a pure user-mode implementation, which forces you to use the function index method. It turns out the API is GetCommandLineW. ...
004029C9 6D 65 3E 20 3C 31 36 2D   me> <16-
004029D1 64 69 67 69 74 20 68 65   digit he
004029D9 78 61 64 65 63 69 6D 61   xadec ...
After the 64-bit left-shifting function returns, you get into the following code:
00402B1C ADD EAX,DWORD PTR SS:[EBP-190]
00402B ...
Let’s step into this function at 401D18 to determine how it produces the decryption key. As soon as you enter this function, you ...
Unlocking the Code It looks like you’ve run into a bit of a problem. You simply don’t have the key that is needed in order to de ...
encrypted code contained code that sets it back to zero and jumps back to that address. If you go back to look at every encrypte ...