begood Posted May 8, 2010 Kernel32.dll is a dynamic link library present in all 32-bit and 64-bit versions of Microsoft Windows. It exposes to applications most of the Win32 base APIs, such as memory management, input/output operations, (process and thread) creation, and synchronization functions. In this video Spiffomatic64 shows us how to patch Kernel32 by using OllyDbg. He demonstrates the power of patching with a simple example where he swaps filenames in a function call with the DLL. The patching mechanism works by putting an unconditional jump instruction at the beginning of the function to be patched and then pointing the jump to a location in the .text segment where the attacker's code resides. Once the attacker's code is executed, control is transferred back to the original function code. Of course, the attacker's code needs to ensure that all the state (registers, flags, etc.) is saved before his code executes and then restored to its original state before returning control to the original function code. He also needs to execute the code he replaced with the unconditional jump instruction before passing control back. This will ensure that the system does not crash or behave unexpectedly when control is given back. Spiffomatic64 demos this entire process in depth and detail. This video is very important in understanding rootkits, as most of them use similar techniques to take control and camouflage their presence in an infected system. There is a fair bit of assembly language involved in this video. If you are unfamiliar with Assembly Language programming, then begin with the 12-part Assembly Language Primer for Hackers which we created a while back. It is important to note that our tutorial used the AT&T syntax while this video uses the Intel syntax for Assembly language. Thanks go out to Spiffomatic64 for submitting this video to SecurityTube. You can visit his site here.
This is a recommended watch for people interested in rootkits and other malware. Patching Kernel32 for Fun and Profit Tutorial
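The post describes the hook from the attacker's side: a JMP written over the first bytes of a Kernel32 export, landing on a stub elsewhere in the module's own .text. The defender's counterpart is to check whether an export's prologue still matches a clean copy. The C below is an added example written for this thread, not code from Spiffomatic64's video or from SecurityTube; the function address (0x7C801D7B) and both byte sequences are constructed for the demo, the "clean" bytes being the familiar `mov edi,edi; push ebp; mov ebp,esp` hot-patch prologue and the "patched" bytes a 5-byte JMP rel32 (opcode E9). Because the post says the attacker's code lives inside .text, a jump target that falls within the module is no proof of innocence, which is why the check compares bytes against a reference (in practice, the same bytes read from the DLL file on disk) rather than just range-checking the target. Decoding the target is still useful: it tells you where the stub that saves state, runs the displaced instructions and jumps back is sitting.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of inspecting the first bytes of an exported function. */
typedef struct {
    int prologue_modified;  /* 1 if the in-memory bytes differ from the clean reference */
    int starts_with_jmp;    /* 1 if the first instruction is JMP rel32 (opcode E9) */
    uint32_t jmp_target;    /* absolute target of that jump (valid when starts_with_jmp) */
    size_t first_diff;      /* offset of the first differing byte, or len if none */
} hook_report;

/* Compare `len` prologue bytes observed in memory against a clean reference
 * copy, and if the function now begins with JMP rel32, decode where it lands.
 * func_va is the address the function is mapped at; JMP rel32 is relative to
 * the address of the *next* instruction, i.e. func_va + 5. */
hook_report inspect_prologue(uint32_t func_va, const uint8_t *observed,
                             const uint8_t *reference, size_t len)
{
    hook_report r = { 0, 0, 0, len };
    size_t i;

    for (i = 0; i < len; i++) {
        if (observed[i] != reference[i]) {
            r.prologue_modified = 1;
            r.first_diff = i;
            break;
        }
    }

    if (len >= 5 && observed[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, observed + 1, sizeof rel);   /* little-endian signed displacement */
        r.starts_with_jmp = 1;
        r.jmp_target = func_va + 5u + (uint32_t)rel; /* wraps correctly for negative rel */
    }
    return r;
}

/* Constructed sample data (hypothetical address and bytes, not taken from a real DLL). */
#define SAMPLE_VA 0x7C801D7Bu
static const uint8_t clean_prologue[5]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t patched_prologue[5] = { 0xE9, 0x80, 0xE2, 0x0E, 0x00 }; /* jmp +0x000EE280 -> 0x7C8F0000 */

hook_report demo_clean(void)
{
    return inspect_prologue(SAMPLE_VA, clean_prologue, clean_prologue, 5);
}

hook_report demo_patched(void)
{
    return inspect_prologue(SAMPLE_VA, patched_prologue, clean_prologue, 5);
}

static void print_report(const char *label, hook_report r)
{
    printf("%s: modified=%d first_diff=%zu", label, r.prologue_modified, r.first_diff);
    if (r.starts_with_jmp)
        printf(" jmp_target=0x%08X", r.jmp_target);
    printf("\n");
}

int main(void)
{
    print_report("clean  ", demo_clean());
    print_report("patched", demo_patched());
    return 0;
}
```

On a live system the `observed` buffer would come from the loaded module (the address GetProcAddress returns) and `reference` from the file on disk after applying relocations; the comparison logic does not change.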
Memesis Posted May 8, 2010 It's a sad joke. And that video is... nowhere to be found.
prodil89 Posted May 8, 2010 Kid, you're seriously retarded.... [url=http://securitytube.net/Patching-Kernel32-for-Fun-and-Profit-video.aspx]Patching Kernel32 for Fun and Profit Tutorial[/url]