Hi Carbon:
About the Computer_Angel target, don't care about it; Scylla is the best and it does not need any fix to handle virtual devices.
This sample is a tricky target.

It writes a false size for IMAGE_EXPORT_DIRECTORY, which makes it very, very big, so it can't be handled with
bufferExportTable = new BYTE[readSize];
So, Computer_Angel, it is an anti-Scylla (or other IAT rebuilder) technique.

Quote:
10001036 |. 50 push eax ; /pOldProtect
10001037 |. 6A 40 push 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
10001039 |. 8B3E mov edi, dword ptr [esi] ; |
1000103B |. 6A 04 push 0x4 ; |Size = 0x4
1000103D |. 56 push esi ; |Address
1000103E |. FF15 0>call near dword ptr [<&KERNEL32.VirtualP>; \VirtualProtect
10001044 |. E8 AE0>call scyllacr.100010F7
10001049 |. 0FB6C0 movzx eax, al
1000104C |. 69C0 0>imul eax, eax, 0x1010101
10001052 |. 8906 mov dword ptr [esi], eax
10001054 |. 8946 0>mov dword ptr [esi+0x4], eax <<<<<< very bad
Computer_Angel, just one thing, please: where do you get targets like this? Every time you surprise us with this kind of target. I work with a lot of targets and never get my hands on targets like the ones you bring to us .....
Computer_Angel
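
The forged export-directory size described in the post above, handled defensively (an added example, not part of the original post and not Scylla's own code): the hypothetical helper `boundedExportReadSize` clamps the Size field to what fits inside the module's SizeOfImage before anything is allocated. The helper names and all values in `main` are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <new>

// Size of IMAGE_EXPORT_DIRECTORY as laid out in winnt.h (40 bytes).
constexpr uint32_t kExportDirSize = 40;

// Hypothetical helper: returns how many bytes of the export table are safe to
// read, or 0 if the data-directory entry cannot be valid for this module.
uint32_t boundedExportReadSize(uint32_t exportRva, uint32_t exportSize,
                               uint32_t sizeOfImage) {
    if (exportRva == 0 || exportRva >= sizeOfImage) return 0;     // no table, or RVA outside the image
    uint32_t available = sizeOfImage - exportRva;                 // bytes left in the mapped image
    if (available < kExportDirSize) return 0;                     // directory header would not fit
    if (exportSize < kExportDirSize) exportSize = kExportDirSize; // undersized field: read the header at least
    return exportSize > available ? available : exportSize;      // clamp a forged oversize value
}

// Allocates the read buffer only after the size has been bounded.
// Uses nothrow new, so a failed allocation yields nullptr instead of an exception.
std::unique_ptr<uint8_t[]> allocExportBuffer(uint32_t rva, uint32_t size,
                                             uint32_t sizeOfImage,
                                             uint32_t *outSize) {
    *outSize = boundedExportReadSize(rva, size, sizeOfImage);
    if (*outSize == 0) return nullptr;
    return std::unique_ptr<uint8_t[]>(new (std::nothrow) uint8_t[*outSize]);
}

int main() {
    // Constructed values: a 0x8000-byte module with its export table at RVA 0x6000
    // and a forged Size field close to 4 GB.
    uint32_t n = 0;
    auto buf = allocExportBuffer(0x6000, 0xFFFFFFF0u, 0x8000, &n);
    std::printf("forged size -> read %#x bytes, buffer %s\n", n, buf ? "ok" : "null");
    return 0;
}
```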