Wanted to share this with the world:
e 0:0 cc
e 100 c4 c4 54 27
This entry was posted on Sunday, February 1st, 2009 at 11:24 am and is filed under Assembly, Debugging, Security.
I don’t get it :(
Then probably it’s not for you ;)
Ho no! my NTVDM ! :P
Spoiler
It’s the VDM Debugger interface. WinDbg supports it, too.
Check my Anti-Unpacker 2 paper part 2. :-)
You can make it remove breakpoints and other cool things.
V. interesting, link us please ;)
:-)
Looking into NTVDM.EXE, I see why the crash happens.
The table is only 0x1e entries large, and the index is not checked, so any value larger than 0x1e will make it go somewhere unexpected.
The environment is ring3 32-bit flat memory at that point, but only the DOS memory is mapped in.
Then if a crash occurs, you get the VDM Debugger DLL (ntvdmd.dll) loaded.
Yep, thanks for saving me the description.
I meant, give us a link to your paper. :)
It’s on pferrie.tripod.com.
If I give a direct link, you might miss the other interesting things. ;-)