Re: Preventing /*exploitation with*/ rebasing

Hey Riley, all,

RH> Research AV/VX trends from the late 80's and early 90's.

First off, thanks for this line. Reading some old VX magazines could
do some good here. The fact that most shellcodes still use hardcoded
addresses to retrieve GetProcAddress/GetModuleHandle should make
everyone think -- VLAD Boza (the first PE infector ever) did the same,
and was thus not very successful. VX folks abandoned the concept of
hardcoding offsets for KERNEL32 in about 1996-97. Ah well. It's just
5-6 years. And it's not like you have to have clever ideas yourself,
it's all in easy-to-digest tutorial format.

Thanks for addressing the bogus idea of hooking GetProcAddress(),
too. Most serious win32 shellcodes do not use it anymore but do their
own PE parsing anyhow, so this would be (aside from being easily
bypassed otherwise) completely ineffective. User-mode policy
enforcement (e.g. doing policy enforcement on the same privilege level
as the malicious code) is bound to fail.

Concerning information on TIB and PEB: If you're too lazy to learn
Russian/Polish, you might consider taking (a) the Wine header files
(which attempt to document parts of these structures) and (b) a
debugger and go spelunking yourself.
Oh, and MS does provide some limited information:
http://msdn.microsoft.com/msdnmag/issues/02/08/EscapefromDLLHell/default.aspx

Cheers,
dullien@gmx.de