Wednesday, May 22, 2013
delphi xe4
I know you may not believe me but this zombie is still alive
So if you want some support for the dcu loader for this version - you can share all .dcu files & dcc32/dcc64.exe and pay me thousands of dollars, he-he
Thursday, May 16, 2013
qmake - wtf?
I tried today to build a fresh eql from git and got 16815 errors from the linker!
After comparing with the old version I found that qmake generates a different Makefile.Release:
< DEFINES = -DUNICODE -DWIN32 -DQT_LARGEFILE_SUPPORT -DEQL_LIBRARY -DQT_NAMESPACE=QT -DQT_DLL -DQT_NO_DEBUG -DQT_NO_KEYWORDS -DQT_XML_LIB -DQT_GUI_LIB -DQT_CORE_LIB -DQT_HAVE_MMX -DQT_HAVE_3DNOW -DQT_HAVE_SSE -DQT_HAVE_MMXEXT -DQT_HAVE_SSE2 -DQT_THREAD_SUPPORT
---
> DEFINES = -DUNICODE -DWIN32 -DQT_LARGEFILE_SUPPORT -DEQL_LIBRARY -DQT_DLL -DQT_NO_DEBUG -DQT_NO_KEYWORDS -DQT_XML_LIB -DQT_GUI_LIB -DQT_CORE_LIB -DQT_HAVE_MMX -DQT_HAVE_3DNOW -DQT_HAVE_SSE -DQT_HAVE_MMXEXT -DQT_HAVE_SSE2 -DQT_THREAD_SUPPORT
Yes, the same version of qmake was used in both cases.
Wtf?
Update: I found the real reason for this behaviour - it's because I forgot to add DEFINES += QT_NAMESPACE=QT to each of the eql .pro files. I think it's very annoying and error-prone to fix every .pro file
Thursday, May 9, 2013
what Rootkit.Avatar looks like in wincheck logs
Many thanks to Anton Cherepanov for the wincheck log from an infected machine
A detailed description of Avatar can be found here
1) FS Change notifiers
FS Change notifiers: 3 (actual 3)
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys
DriverObj 8BEC91B8 addr 8C477D40 UNKNOWN
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys
2) Pnp Notifiers
Pnp Notifiers: total 19, readed 19
...
Pnp[6] CategoryHardwareProfileChange DEVINTERFACE_MT_COMPOSITE addr 92FE793A \SystemRoot\system32\DRIVERS\CompositeBus.sys
Pnp[7] CategoryHardwareProfileChange DEVINTERFACE_DISK addr 8B618180 UNKNOWN
Pnp[8] CategoryHardwareProfileChange DEVINTERFACE_HIDDEN_VOLUME addr 8356D3E0 \SystemRoot\system32\DRIVERS\volmgr.sys
3) numerous driver patches
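The first two indicators above (callbacks registered from memory that wincheck cannot map to any loaded driver) can be checked mechanically. This is an added example, not part of the post or of wincheck itself: it parses the FS change notifier and Pnp notifier sections of a wincheck log (a constructed sample modelled on the excerpt above, with the Pnp section abbreviated) and flags every callback whose owning module is UNKNOWN, plus any disagreement between the declared FS notifier count and the entries actually listed.

```python
import re

# Constructed sample, modelled on the wincheck excerpt quoted in the post
# (the Pnp section is abbreviated, so only the FS header count is checked).
SAMPLE_LOG = """\
FS Change notifiers: 3 (actual 3)
DriverObj 8B6A31B8 addr 8362CBDA \\SystemRoot\\system32\\drivers\\fltmgr.sys
DriverObj 8BEC91B8 addr 8C477D40 UNKNOWN
DriverObj 8B6A31B8 addr 8362CBDA \\SystemRoot\\system32\\drivers\\fltmgr.sys
Pnp Notifiers: total 19, readed 19
Pnp[6] CategoryHardwareProfileChange DEVINTERFACE_MT_COMPOSITE addr 92FE793A \\SystemRoot\\system32\\DRIVERS\\CompositeBus.sys
Pnp[7] CategoryHardwareProfileChange DEVINTERFACE_DISK addr 8B618180 UNKNOWN
Pnp[8] CategoryHardwareProfileChange DEVINTERFACE_HIDDEN_VOLUME addr 8356D3E0 \\SystemRoot\\system32\\DRIVERS\\volmgr.sys
"""

FS_HDR = re.compile(r"^FS Change notifiers:\s+(\d+)\s+\(actual\s+(\d+)\)")
FS_RE = re.compile(r"^DriverObj\s+([0-9A-F]+)\s+addr\s+([0-9A-F]+)\s+(\S+)")
PNP_RE = re.compile(r"^Pnp\[(\d+)\]\s+(\S+)\s+(\S+)\s+addr\s+([0-9A-F]+)\s+(\S+)")

def parse_notifiers(text):
    """Return (declared FS notifier count, entries); entry = (kind, callback, module)."""
    declared = None
    entries = []
    for line in text.splitlines():
        m = FS_HDR.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = FS_RE.match(line)
        if m:
            entries.append(("fs_change", m.group(2), m.group(3)))
            continue
        m = PNP_RE.match(line)
        if m:
            entries.append(("pnp", m.group(4), m.group(5)))
    return declared, entries

def suspicious_callbacks(entries):
    """Callbacks wincheck could not map to any loaded driver image: the Avatar
    pattern in the post, a notifier living in memory no known module owns."""
    return [(kind, addr) for kind, addr, module in entries if module == "UNKNOWN"]

def fs_count_mismatch(declared, entries):
    """True when the header count and the FS entries actually listed disagree,
    which would point at entries hidden from (or dropped by) the dump."""
    listed = sum(1 for kind, _, _ in entries if kind == "fs_change")
    return declared is not None and declared != listed
```

Run on the sample it reports the callbacks at 8C477D40 (FS change) and 8B618180 (Pnp) and no count mismatch; on a real log the same UNKNOWN test applies to every section wincheck prints with module attribution.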
Tuesday, May 7, 2013
Monday, May 6, 2013
windows 8.1 interrupts
I just tried to find some differences from w8 rtm:
w8 rtm _KiTrap02:
cli
mov eax, large fs:40h
w8.1 _KiTrap02:
cli
clts
mov eax, large fs:40h
Also it seems that w8.1 requires a processor with SSE - check for example w8.1 _KiTrap03:
stmxcsr dword ptr [ebp+48h]
ldmxcsr large dword ptr fs:8
sub esp, 80h
and esp, 0FFFFFFF0h
mov esi, esp
movaps oword ptr [esi], xmm0
movaps oword ptr [esi+10h], xmm1
movaps oword ptr [esi+20h], xmm2
movaps oword ptr [esi+30h], xmm3
movaps oword ptr [esi+40h], xmm4
movaps oword ptr [esi+50h], xmm5
movaps oword ptr [esi+60h], xmm6
movaps oword ptr [esi+70h], xmm7
Sunday, May 5, 2013
RPat another update
Saturday, May 4, 2013
dcu2pat
Today I wrote a simple hack tool for creating signatures from Delphi .dcu files for IDA FLAIR
The main idea is very simple - FLAIR expects a .pat file from which it produces a .sig file with signatures. So I just added some logic to my .dcu file loader to generate .pat files in the right format
Supported Delphi versions:
- Delphi 2007 (v12)
- Delphi 2009 (v14)
- Delphi 2010 (v15)
- Delphi XE (v16)
- Delphi XE2 (v17)
signatures for delphi 2007
.pat files
Usage example: