
Thread: Saffron, fast OEP finder

  1. #1

    Saffron, fast OEP finder

    First, I will not take any credit for this tool. I only saw the talk at Black Hat and thought it was a good idea.

    Main idea:
    Watch all memory writes. The first time an instruction that has been written is
    executed, mark it as a possible OEP.

    From authors:
    "Track written memory
    If that memory is executed, it’s unpacked
    Must monitor:
    –Memory writes
    –Memory Executions
    Automate the process"
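
    The write-then-execute heuristic from the post above, as an added example (my own toy model, not Saffron's code or anything from the talk). All addresses, the stub bytes and the XOR-packed payload are constructed for a 4 KiB toy image; a real tracer would get the write and fetch callbacks from a debugger, a hypervisor or page-table tricks instead of from the simulated loop below.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE  0x1000
#define STUB_BASE 0x100     /* hypothetical layout of the toy image */
#define PACK_BASE 0x400     /* packed payload as it sits in the file */
#define DEST_BASE 0x800     /* where the stub decodes it to */
#define XOR_KEY   0x5A

/* Constructed sample data: placeholder bytes, not real x86 code. */
static const uint8_t k_stub[16] = {
    0x60, 0xBE, 0x00, 0x04, 0x00, 0x00, 0xBF, 0x00,
    0x08, 0x00, 0x00, 0xB9, 0x0C, 0x00, 0x00, 0x00
};
static const uint8_t k_packed[12] = {            /* payload ^ XOR_KEY */
    0x0F, 0xD1, 0xB6, 0x35, 0x1A, 0x5A, 0x5A, 0xC5, 0x93, 0x5A, 0x5A, 0x5A
};

static uint8_t mem[MEM_SIZE];
static uint8_t written[MEM_SIZE / 8];   /* one bit per byte: written at run time */
static size_t  written_bytes;
static int     oep_reported;

static void tracker_reset(void)
{
    memset(mem, 0, sizeof mem);
    memset(written, 0, sizeof written);
    written_bytes = 0;
    oep_reported = 0;
}

static int was_written(uint32_t addr)
{
    return (written[addr >> 3] >> (addr & 7)) & 1;
}

/* Write hook: every run-time store is recorded. The image loader's copies are
 * not routed through here, because file bytes are the packed layer. */
static void on_write(uint32_t addr, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint32_t a = addr + (uint32_t)i;
        mem[a] = src[i];
        if (!was_written(a)) {
            written[a >> 3] |= (uint8_t)(1u << (a & 7));
            written_bytes++;
        }
    }
}

/* Execute hook: called before each instruction fetch. Returns 1 the first time a
 * fetch lands on memory that was written at run time; *oep gets that address. */
static int on_exec(uint32_t addr, uint32_t *oep)
{
    if (oep_reported || !was_written(addr))
        return 0;
    oep_reported = 1;
    *oep = addr;
    return 1;
}

/* Simulated run of the packed program. Returns the candidate OEP, 0 if none. */
static uint32_t find_oep(void)
{
    uint32_t oep = 0;
    tracker_reset();
    memcpy(&mem[STUB_BASE], k_stub, sizeof k_stub);       /* image load: untracked */
    memcpy(&mem[PACK_BASE], k_packed, sizeof k_packed);

    /* 1. the stub runs from bytes that came from the file: no hit */
    for (uint32_t pc = STUB_BASE; pc < STUB_BASE + sizeof k_stub; pc++)
        if (on_exec(pc, &oep)) return oep;
    /* 2. the stub decodes the payload: each byte is a tracked write */
    for (size_t i = 0; i < sizeof k_packed; i++) {
        uint8_t plain = mem[PACK_BASE + i] ^ XOR_KEY;
        on_write(DEST_BASE + (uint32_t)i, &plain, 1);
    }
    /* 3. the stub jumps into the decoded code: first fetch of written memory */
    for (uint32_t pc = DEST_BASE; pc < DEST_BASE + sizeof k_packed; pc++)
        if (on_exec(pc, &oep)) return oep;
    return 0;
}

int main(void)
{
    printf("candidate OEP: 0x%x (%zu tracked bytes)\n", find_oep(), written_bytes);
    return 0;
}
```

    One caveat when running this against real packers: the first written-then-executed byte is only a *possible* OEP, as the post says. A stub that patches itself or resolves imports into its own code section fires the hook early, and multi-layer packers fire it once per layer, so a practical tracer logs every transition and lets you pick the one that lands in the original image's code section.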


  2. #2
    By triggering SEH exceptions the stack of a malware
    program is unwound until an appropriate handler is found. Due to
    the nature of the debugging interface, the debugger will insert its
    own SEH handling onto this stack.

    hmm just to name some tricks for exception logging: hook KiUserExceptionDispatcher and get all exceptions, hook ntoskrnl!KeUserExceptionDispatcher and UserSharedData to avoid any detection of the KiUser hook... edit: I see they mention unhandled exceptions, well, hook UnhandledExceptionFilter

    btw for stealth tracing it is not needed to play with the TLB. It is enough to watch the P bit for paged-out pages and use the U/S bit for those that are paged in. Sure, SwapContext has to be hooked to have control over process switches and paged-out/in pages.
    Last edited by deroko; August 5th, 2007 at 09:20.
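
    The P-bit / U/S-bit trick deroko describes, as an added example (a user-mode model I wrote for this thread, not deroko's driver). The idea: a paged-out page already faults on any access because P is clear, and for a present page the tracer clears U/S so every user-mode touch raises #PF; the hooked fault handler then classifies the access from the error code, hands the bit back for the retry and re-arms it afterwards. The PTE and error-code bit positions are the documented IA-32 ones; the page table, the "page-in" and the access trace are constructed, and the I/D bit in the error code assumes PAE with NX (without it a driver compares CR2 against the trap frame's EIP to tell a fetch from a read).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IA-32 PTE bits and #PF error-code bits (Intel SDM). */
#define PTE_P   (1u << 0)   /* present */
#define PTE_RW  (1u << 1)   /* writable */
#define PTE_US  (1u << 2)   /* user-accessible; clear => user access faults */
#define PTE_D   (1u << 6)   /* dirty */

#define PF_P    (1u << 0)   /* 0: not present, 1: protection violation */
#define PF_WR   (1u << 1)   /* access was a write */
#define PF_US   (1u << 2)   /* fault raised from user mode */
#define PF_ID   (1u << 4)   /* instruction fetch; needs PAE+NX (assumed here) */

#define NPAGES 8

struct page {
    uint32_t pte;        /* what the MMU sees */
    bool     traced;     /* tracer has stolen this page's U/S bit */
    bool     saved_us;   /* the U/S value the page really has */
    bool     written;    /* a traced user write has landed here */
};

static struct page pt[NPAGES];

enum event { EV_NONE, EV_PAGEIN, EV_WRITE, EV_EXEC, EV_OEP };

/* Arm a page: a present page loses U/S; a paged-out page needs nothing,
 * its clear P bit already faults. */
static void trace_begin(unsigned pg)
{
    struct page *p = &pt[pg];
    p->traced = true;
    p->written = false;
    if (p->pte & PTE_P) {
        p->saved_us = (p->pte & PTE_US) != 0;
        p->pte &= ~PTE_US;
    }
}

/* Hooked #PF path: is this fault ours, and what does it mean? */
static enum event pf_handler(unsigned pg, uint32_t err)
{
    struct page *p = &pt[pg];
    if (!(err & PF_P)) {
        /* Not-present: the OS pages it in (simulated), then we steal U/S
         * right away so the retried access traps again. */
        p->pte |= PTE_P | PTE_RW | PTE_US;
        if (p->traced) {
            p->saved_us = true;
            p->pte &= ~PTE_US;
        }
        return EV_PAGEIN;
    }
    if (!p->traced || !p->saved_us)
        return EV_NONE;            /* genuine violation: original handler's job */
    p->pte |= PTE_US;              /* give the bit back so the retry succeeds */
    if (err & PF_WR) {
        p->written = true;
        return EV_WRITE;
    }
    if (err & PF_ID)
        return p->written ? EV_OEP : EV_EXEC;   /* written memory now executing */
    return EV_NONE;                /* plain data read */
}

/* One user-mode access to page pg, as CPU and hooked handler would see it. */
static enum event user_access(unsigned pg, bool write, bool fetch)
{
    struct page *p = &pt[pg];
    uint32_t err = PF_US | (write ? PF_WR : 0) | (fetch ? PF_ID : 0);
    enum event ev = EV_NONE;

    if (!(p->pte & PTE_P))
        ev = pf_handler(pg, err);               /* error code with P clear */
    if (!(p->pte & PTE_US)) {
        enum event e2 = pf_handler(pg, err | PF_P);
        if (e2 != EV_NONE)
            ev = e2;
    }
    if (write)
        p->pte |= PTE_D;                        /* the access completes */
    if (p->traced && p->saved_us)
        p->pte &= ~PTE_US;                      /* re-arm (a driver: after single-step) */
    return ev;
}

/* Constructed scenario: page 3 holds the stub (present, user, rw);
 * page 5 is the paged-out destination of the decoded code. */
static void setup_scenario(void)
{
    for (unsigned i = 0; i < NPAGES; i++)
        pt[i] = (struct page){0};
    pt[3].pte = PTE_P | PTE_RW | PTE_US;
    trace_begin(3);
    trace_begin(5);
}

/* Returns the first page where written memory was executed, or -1. */
static int run_scenario(void)
{
    setup_scenario();
    const struct { unsigned pg; bool w, x; } trace[] = {
        {3, false, true},   /* stub runs from its own bytes */
        {5, true,  false},  /* first store: page-in, then U/S trap => write */
        {5, true,  false},  /* every further store faults again after re-arm */
        {5, false, true},   /* jmp into the decoded code */
        {3, false, true},
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        enum event ev = user_access(trace[i].pg, trace[i].w, trace[i].x);
        printf("page %u %s -> event %d\n", trace[i].pg,
               trace[i].x ? "exec" : trace[i].w ? "write" : "read", (int)ev);
        if (ev == EV_OEP)
            return (int)trace[i].pg;
    }
    return -1;
}

int main(void)
{
    printf("candidate OEP page: %d\n", run_scenario());
    return 0;
}
```

    What the model leaves out is exactly what deroko says must be hooked in a real driver: the trap comes in through the #PF vector, the retry needs a single-step before re-arming, and SwapContext has to be hooked so the stolen U/S bits only apply while the traced process is current.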

  3. #3
    deroko you should give a talk at conferences surrounding the technology/concepts behind doer

  4. #4
    there is nothing revolutionary in it, everything is documented in the IA32 manual, so I wrote all of that into a driver, except the PAE special-case handling where windows doesn't set the W flag in a writable page but maintains it internally in reserved bits of the PAE PTE. Kinda cool trick, I don't know if this is general behaviour with PAE on x86 windows, but it surely occurred in all targets I have tested.

  5. #5
    Saffron is nothing new.. Even OllyBone wasn't new.
