The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


NTCore: interesting site about system internals and software security

Posted by jpluimers on 2014/09/30

I recently bumped into the NTCore website by Daniel Pistelli.

At a client without my own VMs, I wanted to create a DebugBreak-like function in Delphi, which I remembered from my Turbo Pascal days to be something like Inline($CC). So, searching for both Delphi and INT 3, I found an EXE injection page at NTCore.

In Delphi, you can do this with a procedure like this, which cannot be inlined because it has an asm block:

procedure DebugBreak();
asm
  int 3 // one-byte breakpoint opcode $CC; an attached debugger stops here
end;

(Reminder to self: sort out what to do here to break on an iOS device; Xcode has an alternative)
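To see what INT 3 actually does at the machine level, here is an added C example (not from the post and not Delphi): it executes the same one-byte 0xCC breakpoint opcode from C on Linux/x86, where, without a debugger attached, the CPU's #BP trap reaches the process as SIGTRAP. The names run_demo, debug_break and install_trap_handler are my own; the example assumes an x86 or x86-64 Linux host and falls back to raise(SIGTRAP) on other architectures.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Added example: the breakpoint instruction with no debugger attached.
   A debugger would intercept the trap first; here a SIGTRAP handler
   observes it instead so the process survives and we can count hits. */

static volatile sig_atomic_t trap_count = 0;

static void on_sigtrap(int signo)
{
    (void)signo;
    trap_count++;
    /* INT 3 is a trap-class exception: the saved instruction pointer
       already points past the 0xCC byte, so returning from the handler
       resumes execution at the next instruction. */
}

/* Install the SIGTRAP handler; returns 0 on success, -1 on failure. */
int install_trap_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGTRAP, &sa, NULL);
}

/* C counterpart of the Delphi DebugBreak above: emit the 0xCC opcode
   on x86; on other architectures raise SIGTRAP directly (assumption:
   the demonstration only needs the trap, not the exact opcode). */
void debug_break(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("int3");
#else
    raise(SIGTRAP);
#endif
}

int breakpoint_trap_count(void)
{
    return (int)trap_count;
}

/* Trigger the breakpoint twice and report how many traps were handled.
   Returns -1 if the handler could not be installed, otherwise 2. */
int run_demo(void)
{
    if (install_trap_handler() != 0)
        return -1;
    debug_break();
    debug_break();
    return breakpoint_trap_count();
}

int main(void)
{
    printf("INT 3 fired %d times (caught by SIGTRAP handler)\n", run_demo());
    return 0;
}
```

Without the handler (or a debugger) the default disposition of SIGTRAP terminates the process with a core dump, which is why a stray DebugBreak left in release code is a crash bug, not a no-op; gabr42's comment below guards against that with the DebugHook check.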

The site has information about system internals and software security, posted as articles until 2009, when he switched to blog posts. Besides that, he has written a bunch of interesting articles at CodeProject.

An important product on his site is the Explorer Suite:

A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86 and x64.

It is a great tool aimed at the Windows PE format, and a prelude to the commercial Cerbero profiler at iCerbero.com, which covers many more file formats and includes tools that can help, for instance, with analyzing malware. Daniel has moved to Frankfurt, Germany, and is now a security expert doing great work.

Daniel also has a great Twitter feed where he refers to posts from others.

For instance, malware usually runs in the user context, which is one of the reasons you should be really careful about storing passwords locally. So I was glad that Daniel pointed out that all of your browser password stores are straightforward to decrypt.

–jeroen

Further reading:

3 Responses to “NTCore: interesting site about system internals and software security”

  1. gabr42 said

    asm int 3 end; is not good for 64 bit. I’m using:

    {$IFDEF CPUX64}
    procedure X64AsmBreak;
    asm
      .NOFRAME
      INT 3
    end; { X64AsmBreak }
    {$ENDIF CPUX64}

    procedure DebugBreak(triggerBreak: boolean = true);
    begin
    {$IFDEF DEBUG}
      // DebugHook <> 0 means a debugger is attached; otherwise INT 3 would crash the process
      if triggerBreak and (DebugHook <> 0) then
      {$IFDEF CPUX64}
        X64AsmBreak;
      {$ELSE}
        asm int 3 end;
      {$ENDIF ~CPUX64}
    {$ENDIF DEBUG}
    end; { DebugBreak }

  2. David M said

    Fascinating site… I’ve been browsing it for hours now.
