XP anti-debugging trick in Virtob.
edgartravisaq

Virtob.F isn't overly new, but recently was the first time I looked at it. I ran it in my emulator and it promptly crashed.


A bit of review and I saw it was using the return address on the stack from the entry point code. At least on Vista, the entry point is called like a regular function from kernel32.dll. The PEB is passed as an argument. If the function returns, one of the Rtl ExitProcess functions is called to exit (using %eax as the argument). This clearly points to some code in kernel32.dll calling the function first, probably with the program's entry point and the PEB as arguments. I haven't investigated any further beyond disassembling the caller of the entry point.


In any case, Virtob.F took the return address ([ESP] at program start), subtracted 15 from it, and checked the contents of that memory address against the value 8. If it didn't match, it would branch to a non-existent address and cause an exception/crash.


Turns out that between XP and Vista, the code that calls the entry point changed. On XP, the value described above is indeed 8. On Vista, it holds something else.
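To show why the emulator crashed and what its initial process state has to look like, here is a small added model (not code from the post or from Virtob.F) of the check just described. The stack layout, the caller stub address, the stub bytes and the "Vista" value are constructed assumptions; only the rule "[ESP] minus 15 must contain 8" comes from the post.

```python
from dataclasses import dataclass, field

MEM_SIZE = 0x1000  # constructed: a tiny flat memory image for the model


@dataclass
class State:
    mem: bytearray = field(default_factory=lambda: bytearray(MEM_SIZE))
    esp: int = 0xF00  # constructed initial stack pointer


def read_byte(state, addr):
    # Model the access violation: reading outside mapped memory raises,
    # which is the kind of fault that crashed the emulator.
    if not 0 <= addr < len(state.mem):
        raise MemoryError(f"access violation at {addr & 0xFFFFFFFF:#010x}")
    return state.mem[addr]


def read_dword(state, addr):
    return int.from_bytes(bytes(read_byte(state, addr + i) for i in range(4)), "little")


def virtob_check_passes(state):
    """The check as the post describes it: ret = [ESP]; (byte at ret-15) == 8."""
    ret = read_dword(state, state.esp)
    return read_byte(state, ret - 15) == 8


def outcome(state):
    # Three things can happen: the read itself faults, the comparison fails
    # (the sample then branches to a bogus address), or the check passes.
    try:
        return "passes" if virtob_check_passes(state) else "branches to bogus address"
    except MemoryError:
        return "access violation"


def naive_start_state():
    # Naive emulator: stack is zero-filled, so [ESP] == 0 and ret-15 is unmapped.
    return State()


def caller_stub_state(byte_at_ret_minus_15):
    # Model kernel32 having called the entry point: a caller stub lives at
    # a constructed address and the return address points just past its call.
    s = State()
    ret = 0x100 + 20
    s.mem[ret - 15] = byte_at_ret_minus_15
    s.mem[s.esp:s.esp + 4] = ret.to_bytes(4, "little")
    return s


def xp_like_start_state():
    return caller_stub_state(0x08)  # the value the post reports for XP


def vista_like_start_state():
    return caller_stub_state(0x00)  # constructed stand-in for "something else"
```

The lesson for an emulator author is that the initial stack must carry a return address into a plausible caller, not just zeros, or samples that inspect their caller will fault before reaching anything interesting.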


I also found some other interesting anti-debugging tricks in other packers. An early version of telock (as identified by PEiD) was overwriting its own instruction with a rep stosb; a prefetch trick. My emulator and tracer don't support that yet, but I might implement that today. A couple of packers were using anti-emulation loops; one piece of malware wanted to iterate through a loop that modified memory 53 million times.


Perhaps this post wasn't blog-worthy after all.. hopefully somebody will find it mildly interesting ;-)

