Friday, January 23, 2009

Possible PE file trick

I was reading this: pefile and LOAD_CONFIG, and took a look at the structure: IMAGE_LOAD_CONFIG_DIRECTORY Structure. Some things I found interesting:

  • GlobalFlagsClear - The global flags that control system behavior. For more information, see Gflags.exe.
  • GlobalFlagsSet - The global flags that control system behavior. For more information, see Gflags.exe.
  • LockPrefixTable - The VA of a list of addresses where the LOCK prefix is used. These will be replaced by NOP on single-processor systems. This member is available only for x86.

The first two might be interesting for turning off some debuggers, or conversely, for registering itself as a debugger and launching a new process with this... The last one might be similar to the TLS trick because it can (in theory) overwrite arbitrary bytes (although only with the fixed value of 0x90, and I don't know whether it checks that the byte is 0xF0). I couldn't manage to get it to work, probably because I'm not giving the list correctly...
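As an added example (not from the original post), here is a Python script that builds a minimal PE32 image carrying an IMAGE_LOAD_CONFIG_DIRECTORY32 with GlobalFlagsClear set and a LockPrefixTable, then parses it back the way pefile or the loader would: locate data directory 10, resolve the table's VA (it is a VA, not an RVA) to a file offset, walk the 0-terminated list of VAs, and check that each entry points at a 0xF0 byte. The image, its base address, the section layout and the two LOCK-prefixed instructions are all constructed for the example; the field order follows the 32-bit struct in WinNT.h. Whether ntdll itself checks the target byte is the question left open above; the check here is the one you would want when hand-building such a table, since a wrong entry would otherwise go unnoticed until the loader patched the wrong byte.

```python
"""Build a minimal PE32 with IMAGE_LOAD_CONFIG_DIRECTORY32 + LockPrefixTable,
then parse it back. Constructed example; nothing here is a real binary."""
import struct

IMAGE_BASE = 0x00400000   # assumed base of the constructed image
SEC_RVA = 0x1000          # RVA of the single section
RAW_OFF = 0x200           # file offset of that section
DIR_LOAD_CONFIG = 10      # index of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

# gflags heap-check bits (the 0x70 a debugger-created process sees in NtGlobalFlag)
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
FLG_HEAP_CHECKS = 0x70

# IMAGE_LOAD_CONFIG_DIRECTORY32 in WinNT.h field order (72 bytes, 0x48).
LC32 = struct.Struct("<IIHH" + "I" * 10 + "HH" + "I" * 4)
LC_FIELDS = ("Size", "TimeDateStamp", "MajorVersion", "MinorVersion",
             "GlobalFlagsClear", "GlobalFlagsSet", "CriticalSectionDefaultTimeout",
             "DeCommitFreeBlockThreshold", "DeCommitTotalFreeThreshold",
             "LockPrefixTable", "MaximumAllocationSize", "VirtualMemoryThreshold",
             "ProcessHeapFlags", "ProcessAffinityMask", "CSDVersion", "Reserved1",
             "EditList", "SecurityCookie", "SEHandlerTable", "SEHandlerCount")

def build_image():
    """Return a constructed PE32 file image: one section holding code, the
    LockPrefixTable (at section offset 0x10) and the load config (at 0x20)."""
    # lock inc dword [eax]; ret ; nop; lock cmpxchg [edx], ecx; ret
    code = bytes.fromhex("F0FF00C3" "90F00FB10AC3").ljust(0x10, b"\xCC")
    lock_offsets = (0, 5)                       # positions of the 0xF0 prefixes
    lock_vas = [IMAGE_BASE + SEC_RVA + o for o in lock_offsets]
    table = struct.pack("<3I", *lock_vas, 0)    # list of VAs, 0-terminated
    lc = LC32.pack(LC32.size, 0, 0, 0,
                   FLG_HEAP_CHECKS, 0,          # GlobalFlagsClear, GlobalFlagsSet
                   0, 0, 0,
                   IMAGE_BASE + SEC_RVA + 0x10, # LockPrefixTable is a VA, not an RVA
                   0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    section = ((code + table).ljust(0x20, b"\0") + lc).ljust(0x200, b"\0")

    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[DIR_LOAD_CONFIG] = (SEC_RVA + 0x20, LC32.size)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0x200, 0, 0, SEC_RVA, SEC_RVA, SEC_RVA,
                      IMAGE_BASE, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x2000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, SEC_RVA, 0x200, RAW_OFF,
                       0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sect).ljust(RAW_OFF, b"\0") + section

def rva_to_off(sections, rva):
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError("RVA %#x not backed by any section" % rva)

def parse_load_config(image):
    """Return (load-config dict, [(lock VA, byte found there), ...])."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled (PE32+ uses 64-bit VA fields)")
    image_base, = struct.unpack_from("<I", image, opt + 28)
    ndirs, = struct.unpack_from("<I", image, opt + 92)
    if ndirs <= DIR_LOAD_CONFIG:
        raise ValueError("no load config directory")
    dir_rva, _ = struct.unpack_from("<II", image, opt + 96 + 8 * DIR_LOAD_CONFIG)
    sections = []
    for i in range(nsec):
        _, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, opt + opt_size + 40 * i)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    lc = dict(zip(LC_FIELDS, LC32.unpack_from(image, rva_to_off(sections, dir_rva))))
    locks = []
    if lc["LockPrefixTable"]:
        p = rva_to_off(sections, lc["LockPrefixTable"] - image_base)
        while True:                         # walk VAs until the 0 terminator
            va, = struct.unpack_from("<I", image, p)
            if va == 0:
                break
            locks.append((va, image[rva_to_off(sections, va - image_base)]))
            p += 4
    return lc, locks

def bad_lock_entries(locks):
    """Entries that do not point at a LOCK (0xF0) byte: the sanity check a
    loader might or might not do, so do it yourself before relying on the table."""
    return [va for va, byte in locks if byte != 0xF0]

if __name__ == "__main__":
    cfg, entries = parse_load_config(build_image())
    print("GlobalFlagsClear=%#x" % cfg["GlobalFlagsClear"])
    for va, byte in entries:
        print("lock prefix at %#x -> byte %02X" % (va, byte))
    print("bad entries:", bad_lock_entries(entries))
```

Two details that bite when hand-building the table: the entries (and the LockPrefixTable field itself) are absolute VAs, i.e. ImageBase plus RVA, terminated by a zero entry, and in an image that can be rebased those VAs need base relocation entries like any other absolute address, or the list will point into the wrong place after relocation.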
