Defeating malware’s Anti-VM techniques (CPUID-Based Instructions)

  Introduction You should by now be aware of everything, cause the topic’s title clearly describes the contents of this post. As you know, almost all of the modern malware programs use some bunch of packers or protectors and using such tools cause malware to be weaponized with Anti-VM techniques which makes it impossible for […]

Inside Windows Page Frame Number (PFN) – Part 2

Converting Physical Address to Virtual Address and  Virtual Address to Physical Address MmGetVirtualForPhysical (PA -> VA) One of the purposes of using PFN database is for converting physical address to virtual address but in Windows, you can simply call nt!MmGetVirtualForPhysical and convert your physical address to virtual address, you can see a complete list of Memory […]

PyKD Tutorial – part 2

  Breakpoints Breakpoints are such useful things and can give you the power of analyzing programs in a better and easier way by using PyKD. In the API Reference they introduce setBp function in the following way :

As you can see, setBp can give a pointer as its first argument and a python function as the […]

How to get every detail about SSDT , GDT , IDT in a blink of an eye

  In a few days ago I was looking for something to show me the SSDT and GDT (Which is really important in malware analyzing because most of rootkits are interested in hooking and changing this stuffs.) • SSDT (System Service Descriptor Table) • GDT (Global Descriptor Table) • IDT (Interrupt Descriptor Table) They’re really […]

Change User-Mode application’s virtual address through Kernel Debugging

Well, it’s somehow an odd topic but sometimes it could be really helpful in some situations. So what are the situations? Imagine sometimes you need to access windows stuffs that aren’t available from user-mode debuggers like ollydbg or through user-mode debugging (e.g memory after 0x7fffffff). In my experience I see some conditions that protectors make […]