flat assembler
Message board for the users of flat assembler.

Index > Windows > always pain about the stack

Goto page Previous  1, 2
Author
Thread Post new topic Reply to topic
bitRAKE



Joined: 21 Jul 2003
Posts: 4073
Location: vpcmpistri
bitRAKE 13 Jan 2010, 10:24
charme wrote:
i just use tasm or masm ever for virus.........just for interests! not damage!!

so,,i'm a new for fasm and also fo x64

but i want study the virus technology in x64!!
x64 is fun, but there is no need to take anything apart when so much is left to be built. Just grab anything you are comfortable with and take small steps. Sounds like you want to study Windows internals - not virii.

http://technet.microsoft.com/zh-cn/sysinternals/default.aspx (chinese)

http://technet.microsoft.com/en-us/sysinternals/default.aspx (english)

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 13 Jan 2010, 10:24
View user's profile Send private message Visit poster's website Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 13 Jan 2010, 10:41
Quote:
High bit of Export RVA for ordinal export, huh? Maybe:
No, sorry, of import RVA Smile

Quote:
(2) and (3) require much more.
Indeed they do Smile

#2 is something you really do have to handle, since there's no telling which exports might end up being forwarded - a lot of stuff has been forwarded to NTDLL for several years, and I guess the whole MinWin refactoring effort could result in a lot more.

#3 is only necessary to handle if you're fixing up an apps IAT (depackers, decrypters, ...) and aren't storing the looked-up symbol directly (adding profiling code, obfuscation trampolines, ...), so not that relevant in this case - mentioned it anyway because it's a thing I bumped my head on back in the days Smile
Post 13 Jan 2010, 10:41
View user's profile Send private message Visit poster's website Reply with quote
Borsuc



Joined: 29 Dec 2005
Posts: 2465
Location: Bucharest, Romania
Borsuc 13 Jan 2010, 17:03
What about hash collisions? I find this pretty unreliable -- you never know when a new added function might resolve to the same hash, or is the hash very good?
Post 13 Jan 2010, 17:03
View user's profile Send private message Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 14 Jan 2010, 01:34
Borsuc wrote:
What about hash collisions? I find this pretty unreliable -- you never know when a new added function might resolve to the same hash, or is the hash very good?
Yeah, it's a somewhat risky way to do imports - I used it in my (unreleased) packer/krypter, but dunno if I'd use something like it today, unless going for a pretty strong hash.

But malware writers don't really care - their code is usually limited to a single (or few) target windows versions.

_________________
Image - carpe noctem
Post 14 Jan 2010, 01:34
View user's profile Send private message Visit poster's website Reply with quote
charme



Joined: 08 Jan 2010
Posts: 22
charme 14 Jan 2010, 02:25
revolution wrote:
charme wrote:
i just use tasm or masm ever for virus.........just for interests! not damage!!

...

but i want study the virus technology in x64!!
Sure, they all say that! "No damage", "no problems" etc.
charme wrote:
so something maybe not suit talk aout here!!hoho:)
Yes indeed. I would imagine that now you have stated your intentions that you will get a lot less help from people here.


i'm only for intrest..belive me!!

_________________
do it,do our best!
----------------------------------------------------------
http://chx4.net
Post 14 Jan 2010, 02:25
View user's profile Send private message ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.