Thread: how to set BP on writing a file on usb memory stick...

  1. #1

    how to set BP on writing a file on usb memory stick...

    Hi!

    There is a PG called "USB Security PG" (not its commercial name) on my office PC.

    "USB Security PG" prevented me from writing, deleting, or modifying a file on a portable USB memory stick...
    "USB Security PG" starts up when XP starts up and is designed not to be deleted or stopped...


    But I have reversed that... so now I can write, delete, and modify a file on a portable USB memory stick while "USB Security PG" is running on XP.

    But there is still a problem with this PG...
    Whenever I insert a portable USB memory stick into my office PC, an "ooo.bin" file is created (e.g. F:\ooo.bin). It looks really terrible...

    So I found the directory where "USB Security PG" is located (C:\Program Files\...), but there are so many .exe, .dll, and .ocx files.
    I tried to find the ASCII string "ooo.bin" in those files... and found it in several files... but there is no position that writes "ooo.bin" to the USB.

    So here is my question: how can I set a BP for when "USB Security PG" writes "ooo.bin" to the USB?

    The point is that I couldn't find which .exe writes "ooo.bin" to the USB...

    Thanks for reading...
    Last edited by p0lly; September 24th, 2010 at 02:57.

  2. #2
    Musician member evaluator
    >>thanks for reading...
    no-no-no! instead: thank you for your great writing! ~:

    Before helping: are you doing a good thing or a bad thing?

  3. #3
    Did you use a file monitor? It sometimes helps.
    If not, set a breakpoint on the specific Windows API functions.

  4. #4

    Thank you Elenil..

    I'll try that...

  5. #5
    Administrator dELTA
    Sorry for the late answer, but if all you want is to disable the writing of that file, I'd just patch that string at all found locations, so that it contains an invalid file name character (e.g. ":" or whatever).

    Most likely, either you'll get a bluescreen, or it will work nicely.

    If you still want to understand the code deeper, setting a memory breakpoint at those found string locations, or XREF-tracing them with IDA, will probably be good starting points too.
