The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


NTCore: interesting site about system internals and software security

Posted by jpluimers on 2014/09/30

I recently bumped into the NTCore website by Daniel Pistelli.

At a client without my own VMs, I wanted to create a DebugBreak-like function in Delphi, which I remembered from my Turbo Pascal days to be something like Inline($CC). So, searching for both Delphi and INT 3, I found an EXE injection page at NTCore.

In Delphi, you can do this with a procedure like the one below, which cannot be inlined because it consists of an asm block:

procedure DebugBreak();
asm
  int 3  { software breakpoint: traps into the attached debugger }
end;

(Reminder to self: sort out what to do here to break on an iOS device; Xcode has an alternative)
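As an added example (not code from the post, from gabr42's comment, or from NTCore), here is a variant that reaches the same effect without an asm block, by calling the Win32 API. It assumes a Windows target and the Winapi.Windows unit; on other targets it compiles to a no-op, so the iOS case remains open. The guard on IsDebuggerPresent is the practical caveat: an INT 3 with no debugger attached surfaces as an ordinary exception that ends the program if nothing handles it.

```delphi
program DebugBreakDemo;
{$APPTYPE CONSOLE}

uses
  System.SysUtils
  {$IFDEF MSWINDOWS}, Winapi.Windows{$ENDIF};

{ True when a debugger is attached to this process. On Windows this is the
  Win32 IsDebuggerPresent call; on other targets this example reports False,
  because it only covers the Windows case (assumption of this example). }
function DebuggerAttached: Boolean;
begin
  {$IFDEF MSWINDOWS}
  Result := IsDebuggerPresent;
  {$ELSE}
  Result := False;
  {$ENDIF}
end;

{ Breaks into the debugger only when one is attached. Winapi.Windows.DebugBreak
  raises the breakpoint exception (INT 3 on both x86 and x64), so no asm block
  is needed and the same source builds for 32- and 64-bit targets alike.
  Without the guard, a build left running outside a debugger would hit an
  unhandled breakpoint exception. }
procedure BreakIfDebugged;
begin
  {$IFDEF MSWINDOWS}
  if IsDebuggerPresent then
    Winapi.Windows.DebugBreak;
  {$ENDIF}
end;

begin
  Writeln('Debugger attached: ', BoolToStr(DebuggerAttached, True));
  BreakIfDebugged;  { run under the IDE debugger to see execution stop here }
  Writeln('Continued past the breakpoint.');
end.
```

Run it once from the IDE and once from a plain console: the first stops at BreakIfDebugged, the second prints both lines and exits normally. Delphi's own DebugHook global (used in gabr42's comment below) is only set by the IDE debugger, whereas IsDebuggerPresent also reports external debuggers such as WinDbg.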

The site has information about system internals and software security, posted as articles until 2009, when he switched to blog posts. Besides that, he has written a bunch of interesting articles at CodeProject.

An important product on his site is the Explorer Suite:

A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86 and x64.

It is a great tool aimed at the Windows PE format, and a prelude to the commercial Cerbero Profiler, which covers many more file formats and tools that can aid, for instance, in analyzing malware. Daniel has moved to Frankfurt, Germany and now is a security expert doing great work.

Daniel also has a great Twitter feed where he refers to posts from others.

For instance, malware usually runs in the user context, which is one of the reasons you should be really careful storing passwords locally. So I was glad that Daniel pointed to an article showing that all of your browser password stores are straightforward to decrypt for code running as the same user.


Further reading:

3 Responses to “NTCore: interesting site about system internals and software security”

  1. gabr42 said

    asm int 3 end; is not good for 64 bit. I’m using:

    {$IFDEF CPUX64}
    { On x64 the breakpoint lives in its own naked asm procedure. }
    procedure X64AsmBreak;
    asm
      INT 3
    end; { X64AsmBreak }
    {$ENDIF CPUX64}

    procedure DebugBreak(triggerBreak: boolean = true);
    begin
      { DebugHook is non-zero only while the Delphi IDE debugger is attached,
        so the INT 3 never fires in a process that nobody is debugging. }
      if triggerBreak and (DebugHook <> 0) then
      {$IFDEF CPUX64}
        X64AsmBreak;
      {$ELSE ~CPUX64}
        asm int 3 end;
      {$ENDIF ~CPUX64}
    end; { DebugBreak }

  2. David M said

    Fascinating site… I’ve been browsing it for hours now.
