Research Blog

Hiding Strings from Disassemblers

Developers attempt to obscure or obfuscate any reverse engineers view of strings through the use of compile-time encryption techniques, packing, virtualization, and the like. In this post, I briefly describe a method to prevent strings from entering the .rdata segment of the executable by using a method of indirect initialization forcing the various characters and […]

Read More

SizeOfStackReserve Denial of Service

In this post I will be referencing information I’ve found through reversing and through waleedassars blog article titled SizeOfStackReserve Anti-Attaching Trick. It should be noted that the following was tested on Windows 10. The routine RtlCreateUserStack in ntoskrnl.exe is called following a call to CreateRemoteThread, CreateThread, and/or of course NtCreateThreadEx. The RtlCreateUserStack is called far later in a […]

Read More

Using Flags of RTL_USER_PROCESS_PARAMETERS for Anti-Debugging

OverviewThere are various flags in the PEB associated with a specific process such as the CrossProcessFlags, the BitField (4th member of the PEB), AppCompatFlags, and so forth. I’d always tried looking for differences in the flags when operating in a standard runtime environment vs. a debugged runtime environment and after many failed attempts to find […]

Read More