Detect one virus method (only one of many...).

Viruses find API addresses without an import table, see virii_method.asm.
We can catch them when they read the 'MZ' signature at the start of kernel32.dll as loaded into memory (the first two bytes of its DOS header).
This only catches methods that scan memory for the MZ header; a virus that takes the base address from the PEB loader list never touches the header and will not trip this breakpoint.

1.
Debuggee -> Open Executable -> protected.exe

2. look at the Log:
Process created. ProcessId=0000000000000FD4h ThreadId=0000000000000AB4h ImageFileHandle=0000000000000164h ProcessHandle=000000000000017Ch ThreadHandle=000000000000015Ch BaseOfImage=0000000100000000-0000000100002000h ThreadLocalBase=000007FFFFFDE000h ThreadStartAddress=0000000100001000h
Loaded dll. ProcessId=0000000000000FD4h ThreadId=0000000000000AB4h dllHandle=0000000000000168h BaseOfDll=0000000078EC0000-0000000078FF9000h DllName=C:\WINDOWS\system32\ntdll.dll
Loaded dll. ProcessId=0000000000000FD4h ThreadId=0000000000000AB4h dllHandle=0000000000000178h BaseOfDll=0000000078D40000-0000000078EB2000h DllName=C:\WINDOWS\system32\kernel32.dll
Remember the BaseOfDll of kernel32.dll (or select the hex value with the mouse and use CTRL+C).

3.
Breakpoint -> Hardware Breakpoints -> set a read/write breakpoint at the base of kernel32.dll (=0000000078D40000)
(x86 has no read-only hardware breakpoint type, so read/write is the right choice; if the debugger asks for a length, 2 bytes (one WORD) covers the 'MZ' compare)

4.
F9 (run)

5.
protected.exe halts after the (by now decrypted) code reads 'MZ' at 0000000078D40000; the decryption stub has already run, because the code must first locate kernel32.dll to do anything else.
Now we can check whether the process does some non-fair job!
A hit is a place to start looking, not proof by itself: the loader's own code also validates the DOS header (GetProcAddress on the kernel32 handle goes through RtlImageNtHeader, which checks e_magic), so look at RIP and the return addresses on the stack to see whether the access came from protected.exe or from ntdll.
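Added example (not part of this note and not virii_method.asm, which is not shown here): a small C simulation of why the breakpoint in step 3 fires for one base-finding method and not for another. It models a 64 KiB toy address space with a fake kernel32 image, a 2-byte hardware breakpoint on the 'MZ' word, and two lookups: the classic page-by-page walk down from a return address until 'MZ' and 'PE\0\0' are found (assumed here to be the shape of the scanning method, since the .asm is not on the page), and a lookup that takes DllBase from a loader record standing in for the PEB->Ldr entry. All offsets, the image layout and the record location are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "address space": 64 KiB of zeroes with a fake module image
 * at IMAGE_BASE. Only the two signatures a base scan looks at are present;
 * it is not a real PE file. Offsets are 32-bit here, unlike the x64 addresses
 * in the log above (assumption: sizes and placements are illustrative). */
#define SPACE_SIZE   0x10000u
#define PAGE_SIZE    0x1000u
#define IMAGE_BASE   0x3000u   /* where the fake kernel32.dll 'MZ' header sits */
#define E_LFANEW     0x80u     /* value stored in the DOS header at +0x3C */
#define RET_ADDR     0x5123u   /* a "return address" somewhere inside the module */
#define LDR_RECORD   0x8000u   /* toy stand-in for the kernel32 LDR_DATA_TABLE_ENTRY */

static uint8_t space[SPACE_SIZE];

/* Simulated hardware read/write breakpoint: the equivalent of the one set on
 * BaseOfDll of kernel32.dll in step 3. A real CPU compares every access
 * against DR0..DR3 and raises #DB on overlap; here we just count overlaps. */
static uint32_t watch_addr;
static unsigned watch_len;
static unsigned watch_hits;

static void set_watchpoint(uint32_t addr, unsigned len) {
    watch_addr = addr;
    watch_len = len;
    watch_hits = 0;
}

/* Every memory read of the "debuggee" goes through here. */
static uint32_t read_mem(uint32_t addr, unsigned len) {
    uint32_t v = 0;
    if (addr >= SPACE_SIZE || SPACE_SIZE - addr < len)
        return 0;                                   /* unmapped in the toy space */
    if (addr < watch_addr + watch_len && watch_addr < addr + len)
        watch_hits++;                               /* access overlaps the watched bytes */
    memcpy(&v, space + addr, len);                  /* little-endian host assumed */
    return v;
}

/* Lay out the fake image: 'MZ' at IMAGE_BASE, e_lfanew at +0x3C, 'PE\0\0' at
 * +e_lfanew, plus a loader record outside the image holding the DllBase. */
static void build_space(void) {
    uint32_t lfanew = E_LFANEW, base = IMAGE_BASE;
    memset(space, 0, sizeof space);
    memcpy(space + IMAGE_BASE, "MZ", 2);
    memcpy(space + IMAGE_BASE + 0x3C, &lfanew, 4);
    memcpy(space + IMAGE_BASE + E_LFANEW, "PE\0\0", 4);
    memcpy(space + LDR_RECORD, &base, 4);
}

/* Method 1, the one step 5 catches: starting from an address known to lie in
 * the module (e.g. a return address into kernel32.dll found on the stack), walk
 * down a page at a time until a page starts with 'MZ' and its e_lfanew points
 * at 'PE\0\0'. The compare at the true base reads the watched word. Returns 0
 * if nothing is found before address 0. */
uint32_t find_base_by_mz_scan(uint32_t ret_addr) {
    uint32_t p = ret_addr & ~(PAGE_SIZE - 1);
    for (;;) {
        if (read_mem(p, 2) == 0x5A4D) {             /* 'MZ' as a little-endian word */
            uint32_t lfanew = read_mem(p + 0x3C, 4);
            /* e_lfanew sanity bound, then the 'PE\0\0' check */
            if (lfanew < PAGE_SIZE && read_mem(p + lfanew, 4) == 0x00004550)
                return p;
        }
        if (p == 0)
            return 0;
        p -= PAGE_SIZE;
    }
}

/* Method 2, which this breakpoint does NOT catch: take DllBase from the
 * loader's own bookkeeping. Real code follows PEB->Ldr->InMemoryOrderModuleList
 * to the entry for kernel32.dll; the toy record at LDR_RECORD stands in for
 * that entry. The module header itself is never read. */
uint32_t find_base_from_loader_record(uint32_t unused) {
    (void)unused;
    return read_mem(LDR_RECORD, 4);
}

uint32_t g_last_base;   /* base returned by the most recent run_under_watchpoint() */

/* Rebuild the toy process, arm the 2-byte breakpoint on the 'MZ' word (the
 * bytes a scanner's compare actually touches), run one lookup method and
 * return how many times it would have stopped the debugger. */
unsigned run_under_watchpoint(uint32_t (*lookup)(uint32_t), uint32_t arg) {
    build_space();
    set_watchpoint(IMAGE_BASE, 2);
    g_last_base = lookup(arg);
    return watch_hits;
}

int main(void) {
    unsigned h = run_under_watchpoint(find_base_by_mz_scan, RET_ADDR);
    printf("MZ scan:       base=%#x  breakpoint hits=%u\n", (unsigned)g_last_base, h);
    h = run_under_watchpoint(find_base_from_loader_record, 0);
    printf("loader record: base=%#x  breakpoint hits=%u\n", (unsigned)g_last_base, h);
    return 0;
}
```

Both lookups return the same base, but only the scan touches the watched word (exactly once, at the true base), which is the moment the debugger halts in step 5. Note that the scan's read of e_lfanew at +0x3C does not overlap a 2-byte breakpoint at +0; a breakpoint meant to also catch header parsing would have to cover that field separately.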
