PoC: Hiding the caller.

January 7th, 2011, 07:35
o The detector cannot detect the caller through an analysis of the stack.
o Processing of SEH outside of modules (also hidden).


January 7th, 2011, 22:31
Works of 'black' art are still art, http://www.darkscenario.com/darkgallery/index-1.html (a far reference to the evaluator's reply?)

Nice work Indy.

January 8th, 2011, 04:11
The segment of code that calls the API will be detected by a rootkit detector, which takes the return address from the stack. With such a model of making the call, this detection is not possible. In a complex environment, procedural branching in the module is not acceptable. This is the standard call model that AV expects from us.
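
The call model described in the post above, as an added example that is not the PoC's own code: the API is hooked by a detector that reads the return address from the stack and accepts it only if it lies inside a trusted module. A direct CALL leaves a return address inside the caller's module and is flagged; the hidden call parks the real return address in a memory slot, pushes the address of a "jmp [slot]" gadget in the trusted module as a fake return address, and JMPs into the API, so the API returns into the gadget, which jumps back to the caller. The slot here is the global `real_ret` and the gadget is the local function `gateway()`; in the PoC, as I read the thread, both were hard-coded ntdll addresses, which is why it crashed on another reader's system. This example is x86-64 GCC/clang on Linux only (ELF symbol names, `naked` attribute); all names are mine.

```c
#include <stdint.h>
#include <stdio.h>

#if !defined(__x86_64__) || !(defined(__GNUC__) || defined(__clang__))
#error "This added example targets x86-64 with GCC or clang on Linux (ELF symbol names)."
#endif

/* Assumption for the demo: the "trusted module" is a 16-byte window that
 * starts at gateway(). In the original PoC it is a gadget inside ntdll. */
#define TRUSTED_BYTES 16

/* Slot that holds the real return address. In the PoC this was a hard-coded
 * address inside ntdll's data; here it is just a global variable. */
void *real_ret __attribute__((visibility("hidden"))) = 0;

/* The gateway: a "jmp [slot]" gadget that the trusted module happens to
 * contain. The API returns into it and it jumps back to the real caller. */
__attribute__((naked, noinline, used, visibility("hidden")))
void gateway(void)
{
    __asm__("jmp *real_ret(%rip)");
}

static int in_trusted_module(uintptr_t addr)
{
    uintptr_t lo = (uintptr_t)(void *)gateway;
    return addr >= lo && addr < lo + TRUSTED_BYTES;
}

/* The "API" as the detector hooks it: take the return address from the stack
 * and flag the call if it did not come from a trusted module.
 * Returns 1 = caller detected, 0 = caller looks trusted. */
__attribute__((noinline, used, visibility("hidden")))
int api_checked(void)
{
    uintptr_t ret = (uintptr_t)__builtin_return_address(0);
    return in_trusted_module(ret) ? 0 : 1;
}

/* Ordinary call: CALL pushes a return address inside this module, so the
 * detector sees the real caller. */
int direct_call(void)
{
    return api_checked();
}

/* Hidden call: store the real continuation in the slot, push the gateway's
 * address as the fake return address, and JMP (not CALL) into the API. The
 * extra 8-byte adjustment keeps the stack aligned as a real CALL would. */
__attribute__((naked, noinline, used, visibility("hidden")))
int hidden_call(void)
{
    __asm__(
        "sub $8, %rsp\n\t"                /* alignment pad, popped at 1:    */
        "lea 1f(%rip), %rax\n\t"          /* real continuation address      */
        "mov %rax, real_ret(%rip)\n\t"    /* park it in the slot            */
        "lea gateway(%rip), %rax\n\t"
        "push %rax\n\t"                   /* fake return address: gateway   */
        "jmp api_checked\n"               /* enter the API without CALL     */
        "1:\n\t"                          /* reached via gateway's jmp      */
        "add $8, %rsp\n\t"
        "ret\n");                         /* eax still holds the API result */
}

int main(void)
{
    printf("direct call detected: %d\n", direct_call());
    printf("hidden call detected: %d\n", hidden_call());
    return 0;
}
```

Build with `gcc -O2 hide_caller.c -o hide_caller` (or clang); the direct call reports 1 and the hidden call reports 0. Note the practical caveat the thread itself raises: the slot and gadget addresses must be located at run time (by scanning the trusted module for the gadget and a writable slot), never baked in as constants.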

January 8th, 2011, 13:54
1. I did not understand the description
2. this program crashes at
0040132B: mov [7C97C9DC], eax

what now?

January 8th, 2011, 15:06
A description is not required, since this is the code. It is very simple.
It should crash, as this is a PoC. Two addresses are given as constants (the gateway as well); you will have other values for these. The code is to study, not to run.

Here is a working example 2397

January 8th, 2011, 15:22
OK, that works.
OK, there I see nothing to comment on.