Archive for January, 2010

Windows 7 GodMode

Posted in Uncategorized with tags , on 8 January, 2010 by __fastcall

This on is a cool easter-egg I suppose, from Redmond. It is an about:config (see Firefox) of Windows in a folder. I’d like to add that this one is know as early as nWin95. Random name.{guid of shell namespace provider} will give you a folder with that namespace. There are many such providers in the system. For example, you could create “Bin.{645FF040-5081-101B-9F08-00AA002F954E}”, which is a new recycle bin. For others, the NameSpace folder is located in Registry at HLKM\Softwares\Microsoft\Windows\CurrentVersion\Explorer\NameSpace. The post can be found here

Continue reading


Safeboot keys

Posted in Windows API with tags , on 7 January, 2010 by __fastcall

This one will be quick. I just read in Didier Stevens blog about the SafeBoot key. It seems that some malware removes the specific registry key (HKLM\System\CurrentControlSet\Control\Safeboot)  in order to prevent the system booting in Safe Mode. Didier uploaded some pure SafeBoot reg files from default Windows installations. I have uploaded the files here, (remove the .ppt extension WordPress does not allow .zip file upload). Moreover Didier suggests to remove the “delete” permission from Administrators in order to prevent injected malware from deleting this key. I love this quick neat and clean tips I also love this sadistic malware defense mechanisms. 😉

PDF file loader to extract and analyse shellcode

Posted in Reversing with tags , , on 7 January, 2010 by __fastcall

Ok happy new year!
This one is preaty cool I found it in HexBlog, you know the blog about IDA pro. So here it is…

One of the new features in IDA Pro 5.6 is the possibility to write file loaders using scripts such as IDC or Python.
To illustrate this new feature, we are going to explain how to write a file loader using IDC and then we will write a file loader (in Python) that can extract shell code from malicious PDF files.

Writing a loader script for BIOS images

Before writing file loaders we need to understand the file format in question. For demonstration purposes we chose to write a loader for BIOS image files statisfying these conditions:

  • Should be no more than 64kb in size
  • Contain the far jump instruction at 0xFFF0
  • Contain a date string at 0xFFF5

Each file loader should define at least the two functions: accept_file() and load_file(). The former decides whether the file format is supported and the latter loads the previously accepted file and populates the database. Continue reading