BiW Reversing

Unpacking NTKrnl Protect 0.1 | 5 comments
Unpacking NTKrnl Protect 0.1
Authored by: nbrulez on Tuesday, February 13 2007 @ 07:57 PM CET
Good tutorial from the author.

A little correction:

I wasn't complaining about RDTSC itself, but the whole copy-pasting of the cpuid/rdtsc prior to the SEH, then the exception, grabbing info from the context, then cpuid/rdtsc again and the detection.

The code is a copy paste.

Also, no one used cpuid/rdtsc before; the only reason to use cpuid, on recent CPUs, is because of the Out Of Order Execution feature.

The other detection that they copy-pasted was the BPX detection. I could care less, but they copy-pasted the whole snippet. I wasn't checking for 0xCC but using some "obfuscated" number, using a SHR or something like that and a scasb, and they just copy-pasted it; they didn't even change the numbers I had taken, nor the way to check the bytes.

That makes it even weaker, if you use already published code that you just pasted into your source.

NtKrnl wasn't a problem to unpack for my Skype trojan analysis, and I made an unpacker that worked on all files I had my hands on.
