Hard Disk Hacking (2013) - spritesmods.com/?art=hddhack&page=1
Thanks for your feedback so far.
Today I found a new strange behavior of WD! Right now I started my PC and saw that WD had already updated a new def file, see the version..
....Now I do the same as yesterday and copy the BAD files from my rar package into a free folder. So remember, when I did this yesterday WD prevented it because of the alert etc., but today, oh wonder, it does work and WD doesn't say anything!=? So I got 2 different file versions of the same file which got detected yesterday on my main OS, but today all is fine. But I also see some differences. One file gets marked with that WD shield icon on the icon (don't remember anymore what that means etc.) but the other file doesn't get that shield icon on the icon. Another difference from yesterday is that both files had missing entries in the details tab (right mouse / details) but today all details are present!=? What's this? How can this be? Do you have any clues about that? Yesterday all bad (main OS only) and today all fine. Hm. Maybe you are right atom0s with that scan thing there.
So I am using the same settings for WD in the VM too. I just enabled the realtime scan option and the manipulation option. The other cloud stuff / sending examples I have disabled.
So what app should I use in the first place then?
Also Windows Defender might have options to do live cloud verification or other levels of threat verification like generic heuristics. Is the web connection enabled in the VM and all Windows Defender settings the same? Virustotal style hash checking and stuff are becoming more common in antivirus apps lately for having access to a more up to date and broader database that allows vendors to find viruses earlier as well. Could even be some random spyware setting in your Windows account profile usually under the title of "help Microsoft improve our products and user experience" type of option.
Or Windows Defender is so smart that it knows when you are in a VM or sandbox, that you are probably studying the viruses, and does not want to block them. But I doubt it.
Interesting.. because with an x86 app running under WoW I can force the mem base of the loaded exe to 0x10000.
This is mapped as RW but allows code execution as though it were RWX.
The first two images show a typical standard DLL characteristic, which maps memory randomly.
In the other two I forced a DLL characteristic of 0 and forced it to 0x10000, and I can execute any opcode despite the RW mapping.
1) Since it is mapped as RW, shouldn't DEP prevent any execution?
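An added example, not code from the thread, that audits the two PE header fields the post above is changing: it reads ImageBase and DllCharacteristics and reports whether NX_COMPAT (DEP opt-in) and DYNAMIC_BASE (ASLR) are set, run here on a constructed minimal PE32 header rather than a real file. For 32-bit processes under the default OptIn DEP policy, an image without NX_COMPAT runs without DEP, so this flag is the first thing to check when RW pages turn out to be executable.

```python
import struct

# DllCharacteristics bits from the PE/COFF spec that govern two mitigations.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image opts in to DEP

def pe_mitigation_flags(data: bytes) -> dict:
    """Parse just enough of a PE image to report ImageBase and the
    DllCharacteristics bits for DEP opt-in (NX_COMPAT) and ASLR (DYNAMIC_BASE)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 4 + 20          # skip signature and the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:               # PE32: 32-bit ImageBase at optional header + 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:             # PE32+: 64-bit ImageBase at optional header + 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    return {
        "image_base": image_base,
        "dll_characteristics": dllchar,
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }

def build_sample_pe32(image_base: int, dllchar: int) -> bytes:
    """Constructed minimal PE32 header for testing (not a loadable binary):
    MZ stub with e_lfanew=0x40, PE signature, file header, 96-byte optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader=96, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    # Typical build: relocatable, DEP-compatible; stripped build: base 0x10000, no flags.
    for name, blob in (("typical", build_sample_pe32(0x10000000, 0x0140)),
                       ("stripped", build_sample_pe32(0x10000, 0))):
        print(name, pe_mitigation_flags(blob))
```

To audit a real module, pass `open(path, "rb").read()` to `pe_mitigation_flags`.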
Judging by the number of imports in your screenshot and the ollydbg.exe in upper case, I would guess you tried this on OllyDbg v1.10, not on Olly v2.
The description doesn't mention it here, but that thing is for v2; if you look inside the readme of the archive, it says (in French) that the code has been rewritten for Olly 2.
So try with v2, or recompile the DLL for v1.
Also I'm checking the src and this can really be improved more. Especially for the v2, as if you rename ollydbg.exe to blabla.exe,