http://forum.tuts4you.com/ http://forum.tuts4you.com Wed, 22 Feb 2012 18:26:45 +0000 0 http://forum.tuts4you.com/topic/28468-game-review-darkness-2/
This week, Zero Punctuation reviews Darkness 2.

View the full article]]> Wed, 22 Feb 2012 18:26:45 +0000 http://forum.tuts4you.com/topic/28468-game-review-darkness-2/ http://forum.tuts4you.com/topic/28469-ted-shilo-shiv-suleman-using-tech-to-enable-dreaming-shilo-shiv-suleman-2011/
View the full article]]> Wed, 22 Feb 2012 16:59:48 +0000 http://forum.tuts4you.com/topic/28469-ted-shilo-shiv-suleman-using-tech-to-enable-dreaming-shilo-shiv-suleman-2011/ http://forum.tuts4you.com/topic/28467-bbc-tech-eu-court-to-rule-on-acta-legality/
View the full article]]> Wed, 22 Feb 2012 13:03:23 +0000 http://forum.tuts4you.com/topic/28467-bbc-tech-eu-court-to-rule-on-acta-legality/ http://forum.tuts4you.com/topic/28466-kasp-lab-ddos-attacks-in-h2-2011/
View the full article]]> Wed, 22 Feb 2012 11:11:07 +0000 http://forum.tuts4you.com/topic/28466-kasp-lab-ddos-attacks-in-h2-2011/ http://forum.tuts4you.com/topic/28465-defcon-def-con-20-contest-event-rfi/
View the full article]]> Wed, 22 Feb 2012 03:07:22 +0000 http://forum.tuts4you.com/topic/28465-defcon-def-con-20-contest-event-rfi/ http://forum.tuts4you.com/topic/28464-bbc-tech-megaupload-founder-granted-bail/
View the full article]]> Wed, 22 Feb 2012 01:24:12 +0000 http://forum.tuts4you.com/topic/28464-bbc-tech-megaupload-founder-granted-bail/ http://forum.tuts4you.com/topic/28463-hitb-fake-riaa-copyright-violation-notification-serves-malware/



First spotted nearly a week ago, notifications of copyright violation supposedly sent by the Recording Industry Association of America are still hitting inboxes around the world.
The sender's email address is spoofed to make the message seem legitimate, and the email contains a warning and an attachment that the user is asked to open in order to see details of the violation.

Tags:

Industry News
Viruses & Malware

View the full article]]> Wed, 22 Feb 2012 00:40:17 +0000 http://forum.tuts4you.com/topic/28463-hitb-fake-riaa-copyright-violation-notification-serves-malware/ http://forum.tuts4you.com/topic/28462-bbc-tech-late-playbook-os-upgrade-released/
View the full article]]> Tue, 21 Feb 2012 20:11:06 +0000 http://forum.tuts4you.com/topic/28462-bbc-tech-late-playbook-os-upgrade-released/ http://forum.tuts4you.com/topic/28459-ollydbg-fake-imagename-bug/
The psapi "EnumProcesses" function is called to get the list of process identifiers (PIDs). For each PID, the psapi "EnumProcessModules" and "GetModuleFileNameExA" functions are called to extract the image base and full name of the main executable.

As i have shown in previous posts, the values in PEB.LoaderData can easily be manipulated. In this case i will manipulate only the full name of the main executable to be of an existing but malformed file. Surprisingly, OllyDbg trusts the new file name and starts to extract essential information from it. Information extracted includes MZ signature, optional header values, section table data, etc.

The interesting thing about the forged executable is that it is rejected by the OS loader but still used by OllyDbg.

To create a one-file demo for this bug, i had to embed the malformed executable into the original one as a binary resource.

As you can see in the image below, the number of sections is set to 0xFFFF (malformed executable).

The demo can be found here.
http://ollytlscatch....ttach_to_me.exe
The virustotal report can be found here.
https://www.virustot...sis/1329795141/
N.B. This has been tested on OllyDbg v1.10 only.

Update:
Another demo, that crashes OllyDbg upon debugging or attaching, has been created. You can find it here.
http://ollytlscatch....es/Debug_me.exe]]> Tue, 21 Feb 2012 17:20:19 +0000 http://forum.tuts4you.com/topic/28459-ollydbg-fake-imagename-bug/ http://forum.tuts4you.com/topic/28460-ted-chris-bliss-comedy-is-translation-chris-bliss-2011/
View the full article]]> Tue, 21 Feb 2012 16:54:58 +0000 http://forum.tuts4you.com/topic/28460-ted-chris-bliss-comedy-is-translation-chris-bliss-2011/