Wednesday, May 22, 2013

delphi xe4

I know you may not believe me, but this zombie is still alive.
So if you want some support for the dcu loader for this version - you can share all dcu & dcc32/dcc64.exe and pay me thousands of dollars, he-he

Thursday, May 16, 2013

qmake - wtf?

I tried today to build fresh eql from git and got 16815 errors from the linker!
After comparing with the old version I found that qmake generates a different Makefile.Release:
< DEFINES       = -DUNICODE -DWIN32 -DQT_LARGEFILE_SUPPORT -DEQL_LIBRARY -DQT_NAMESPACE=QT -DQT_DLL -DQT_NO_DEBUG -DQT_NO_KEYWORDS -DQT_XML_LIB -DQT_GUI_LIB -DQT_CORE_LIB -DQT_HAVE_MMX -DQT_HAVE_3DNOW -DQT_HAVE_SSE -DQT_HAVE_MMXEXT -DQT_HAVE_SSE2 -DQT_THREAD_SUPPORT
---
> DEFINES       = -DUNICODE -DWIN32 -DQT_LARGEFILE_SUPPORT -DEQL_LIBRARY -DQT_DLL -DQT_NO_DEBUG -DQT_NO_KEYWORDS -DQT_XML_LIB -DQT_GUI_LIB -DQT_CORE_LIB -DQT_HAVE_MMX -DQT_HAVE_3DNOW -DQT_HAVE_SSE -DQT_HAVE_MMXEXT -DQT_HAVE_SSE2 -DQT_THREAD_SUPPORT


Yes, the same version of qmake was used in both cases.
Wtf?

Update: I found the real reason for such behaviour - it's because I forgot to add DEFINES += QT_NAMESPACE=QT to each of the eql .pro files. I think it is very annoying and error-prone to fix every .pro file.

Thursday, May 9, 2013

what Rootkit.Avatar looks like in wincheck logs

Many thanks to Anton Cherepanov for the wincheck log from an infected machine.
A detailed description of Avatar can be found here

1) FS Change notifiers
FS Change notifiers: 3 (actual 3)
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys
DriverObj 8BEC91B8 addr 8C477D40 UNKNOWN
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys


2) Pnp Notifiers
Pnp Notifiers: total 19, readed 19
...
 Pnp[6] CategoryHardwareProfileChange DEVINTERFACE_MT_COMPOSITE addr 92FE793A \SystemRoot\system32\DRIVERS\CompositeBus.sys
 Pnp[7] CategoryHardwareProfileChange DEVINTERFACE_DISK addr 8B618180 UNKNOWN
 Pnp[8] CategoryHardwareProfileChange DEVINTERFACE_HIDDEN_VOLUME addr 8356D3E0 \SystemRoot\system32\DRIVERS\volmgr.sys
 

3) numerous driver patches

Monday, May 6, 2013

windows 8.1 interrupts

I just tried to find some differences from w8 rtm:
w8 rtm _KiTrap02:
 cli
 mov     eax, large fs:40h
 
w8.1 _KiTrap02:
 cli
 clts
 mov     eax, large fs:40h

Also it seems that w8.1 requires a processor with SSE - check for example w8.1 _KiTrap03:
  stmxcsr dword ptr [ebp+48h]
  ldmxcsr large dword ptr fs:8
  sub   esp, 80h
  and   esp, 0FFFFFFF0h
  mov   esi, esp
  movaps oword ptr [esi], xmm0
  movaps oword ptr [esi+10h], xmm1
  movaps oword ptr [esi+20h], xmm2
  movaps oword ptr [esi+30h], xmm3
  movaps oword ptr [esi+40h], xmm4
  movaps oword ptr [esi+50h], xmm5
  movaps oword ptr [esi+60h], xmm6
  movaps oword ptr [esi+70h], xmm7

Sunday, May 5, 2013

RPat another update

I rebuilt RPat today with mingw gcc 4.6.2 and binutils 2.23.2
The fresh version can be downloaded here
New object file formats were added in binutils 2.23.2:
  • elf32-epiphany
  • elf32-powerpc-freebsd
  • elf32-rl78
  • elf32-tilegx-be
  • elf32-tilegx-le
  • elf32-xgate

Saturday, May 4, 2013

dcu2pat

I wrote today a simple hack tool for creating signatures from Delphi .dcu files for IDA FLAIR
The main idea is very simple - FLAIR expects a .pat file in order to produce a .sig file with signatures. So I just added some logic to my .dcu file loader to generate .pat files in the right format
Supported Delphi versions:
  • Delphi 2007 (v12)
  • Delphi 2009 (v14)
  • Delphi 2010 (v15)
  • Delphi XE (v16)
  • Delphi XE2 (v17)
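To make the .pat side concrete, here is an added example (not dcu2pat's code) that builds one FLAIR .pat line from a function's raw bytes, the offsets its fixups occupy, and the public names and references to export. The sample bytes are constructed, and the CRC routine is my reconstruction of FLAIR's crc16.cpp (poly 0x8408, init 0xFFFF, inverted, byte-swapped), which is an assumption.

```python
# Added example: emit one IDA FLAIR .pat line from raw function bytes.
# Assumptions: the CRC below is a reconstruction of FLAIR's crc16.cpp;
# the sample function bytes and symbol names are constructed.

def flair_crc16(data: bytes) -> int:
    """CRC16 as written into .pat files (reconstruction, see note above)."""
    if not data:
        return 0
    crc = 0xFFFF
    for byte in data:
        for _ in range(8):
            if (crc ^ byte) & 1:
                crc = (crc >> 1) ^ 0x8408
            else:
                crc >>= 1
            byte >>= 1
    crc = ~crc & 0xFFFF
    return ((crc << 8) | (crc >> 8)) & 0xFFFF   # FLAIR stores it byte-swapped


def hex_or_dots(code: bytes, fixups: set, start: int, end: int) -> str:
    """Hex-encode code[start:end], writing '..' for bytes a fixup makes variable."""
    return "".join(".." if i in fixups else f"{code[i]:02X}" for i in range(start, end))


def make_pat_line(code: bytes, fixups: set, publics: dict, refs: dict = None) -> str:
    """publics/refs map function-relative offsets to symbol names."""
    n = len(code)
    # The pattern is the first 32 bytes; short functions are padded with '..'.
    head = hex_or_dots(code, fixups, 0, min(32, n)) + ".." * max(0, 32 - n)
    # The CRC region follows the pattern and stops at the first fixup (max 255 bytes).
    crc_end = 32
    while crc_end < n and crc_end not in fixups and crc_end - 32 < 255:
        crc_end += 1
    crc_region = code[32:crc_end]
    parts = [head, f"{len(crc_region):02X}", f"{flair_crc16(crc_region):04X}", f"{n:04X}"]
    parts += [f":{off:04X} {name}" for off, name in sorted(publics.items())]
    parts += [f"^{off:04X} {name}" for off, name in sorted((refs or {}).items())]
    if crc_end < n:                       # bytes after the CRC region, fixups as '..'
        parts.append(hex_or_dots(code, fixups, crc_end, n))
    return " ".join(parts)


# Constructed sample: push ebp; mov ebp,esp; xor eax,eax; call rel32; pop ebp; ret
SAMPLE_CODE = bytes.fromhex("558BEC33C0E8" + "00000000" + "5DC3")
SAMPLE_FIXUPS = {6, 7, 8, 9}              # the call's rel32 is patched by the linker

if __name__ == "__main__":
    print(make_pat_line(SAMPLE_CODE, SAMPLE_FIXUPS, {0: "Unit1.Foo"}, {6: "System.@ClassCreate"}))
    print("---")                          # a .pat file ends with this terminator
```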
Download
signatures for delphi 2007
.pat files
Sample usage: