http://www.openrce.org/rss/feeds/blog OpenRCE: The Open Reverse Code Engineering Community Sun, 21 Dec 2008 12:03:22 -0600 https://www.openrce.org/blog/view/1332/IOCTL-Proxy g <email-suppressed@example.com> This is a POC of IOCTL fuzzer. It gave surprisingly good results.<br /> <br /> IOCTL-Proxy works by hooking NtDeviceIoControlFile, manipulating its' parameters and feeding them to the real function.<br /> <br /> Load the driver and simply click around in application you want to test. <br /> <br /> You will get a lot of BSODS, be careful.<br /> <br /> PreviousMode==KernelMode is ignored, since we are only interested in calls from UserMode to KernelMode, not Kernel-&gt;Kernel.<br /> <br /> Get it here:<br /> <a href="http://www.orange-bat.com">http://www.orange-bat.com</a> Tue, 16 Dec 2008 10:10:14 -0600 https://www.openrce.org/blog/view/1330/Command_line_version_of_OSR's_DeviceTree g <email-suppressed@example.com> Get it here: <a href="http://orange-bat.com/code/device.tree.cmd.rar">http://orange-bat.com/code/device.tree.cmd.rar</a><br /> <br /> Sample output:<br /> <br /> <code><br /> Unloading ObjInfo driver<br /> Loading driver: D:\tools\devicetree\i386\OBJINFO.SYS<br /> No service, creating...<br /> Service not running, starting...<br /> Service started.<br /> Driver object: 0x89c98a08<br /> Service name: nvata<br /> Device name: \Device\00000138, type: 0x00000007<br /> Device name: \Device\NvAta2, type: 0x00000001<br /> Device name: \Device\NvAta1, type: 0x00000001<br /> Device name: \Device\NvAta0, type: 0x00000001<br /> <br /> Driver object: 0x89c8a8d0<br /> Service name: NDIS<br /> Device name: \Device\Ndis, type: 0x00000012<br /> <br /> Driver object: 0x89cdad28<br /> Service name: KSecDD<br /> Device name: \Device\KsecDD, type: 0x00000039<br /> <br /> Driver object: 0x8897b218<br /> Service name: Beep<br /> Device name: \Device\Beep, type: 0x00000001<br /> <br /> Driver object: 0x899e7418<br /> Service name: Raspti<br /> Device name: \Device\{AA56C973-4F1C-4D19-8BAC-4FA6F14D80CB}, type: 0x00000017<br /> <br /> Driver object: 0x89aab928<br /> Service name: Mouclass<br /> Device name: \Device\PointerClass1, type: 0x0000000f<br /> Device name: \Device\PointerClass0, type: 0x00000000<br /> .<br /> .<br /> .<br /> </code> Tue, 19 Aug 2008 12:27:29 -0500 https://www.openrce.org/blog/view/1248/Fighting_Oreans'__VM_(code_virtualizer_flavour) g <email-suppressed@example.com> If you don't know what code virtualizer is, or how it works, you should read this first:<br /> <a href="http://rapidshare.com/files/16968098/Inside_Code_Virtualizer.rar">http://rapidshare.com/files/16968098/Inside_Code_Virtualizer.rar</a><br /> (Inside Code Virtualizer by scherzo)<br /> <br /> Now, as you probably already know from paper by scherzo ;), one possible way recover virtualized code is to identify each mutated handler (find corresponding non-mutated version). After this done, we can trace virtual opcodes and &quot;decompile&quot; them to VM instructions. Having &quot;clean&quot; decompiled output, we can translate it to x86 assembly. I consider the last step, to be simple &quot;find and replace&quot; job with flex/yacc. <br /> <br /> The problem is, oreans' vm engine can be a bitch. Consider this piece of code:<br /> <br /> continued at:<br /> <br /> <a href="http://www.woodmann.com/forum/showthread.php?t=12015">http://www.woodmann.com/forum/showthread.php?t=12015</a>