All posts tagged Skill:API:Win32

Self Modifying Code: Changing Memory Protection‘ described how self modifying code first needs to add write permissions to the memory page(s) before it can modify the code. There is another way of creating self modifying code which doesn’t require a call to VirtualProtect() — modify the characteristics of the .text (code) section in the EXE file. Continue Reading

Self modifying code is a phrase used to describe programs that are able to change themselves. Using self modifying code can make it harder to reverse engineer a program, largely because the ‘actual code may differ from that shown’. That is, the actual code that ends up executing may be different from the code that is first shown during disassembly. Join me as I attempt to relive my youth and create some self modifying code, only this time it will have to work under the memory protection schemes implemented by the 80×86 processors and MS Windows. Continue Reading

Examining a piece of malware for strings (sequences of printable characters) can reveal a few clues about what the malware does, or what it is capable of doing. Part two predicted the behaviour of some functions, based on which strings they referenced. Part three will start to disassemble these functions to see how closely the predicted behaviour  matches their actual behaviour. Continue Reading