NTCore: interesting site about about system internals and software security
Posted by jpluimers on 2014/09/30
At a client without my own VMs, I wanted to create a DebugBreak like function in Delphi, which I remembered from my Turbo Pascal days to be something like Inline($CC). So searching for both Delphi and INT 3, I found an EXE injection page at NTCore.
In Delphi, you can do this with a procedure like this, which cannot be inlined because it has an asm block:
(Reminder to self: sort out what to do here to break on an iOS device; Xcode has an alternative)
The site has information about system internals and software security posted as articles until 2009, when he switched to blog posts. Besides that, he has written a bunch of interesting articles at CodeProject.
An important product on his site is the Explorer Suite:
A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86 and x64.
It is a great tool aimed at the Windows PE format, and a prelude to the commercial Cerbero profiler at iCerbero.com which covers many more file formats and tools that can aid for instance in analyzing malware. Daniel has moved to Frankfurt, Germany and now is a security expert doing great work.
Daniel also as a great twitter feed where he refers to posts from others.
For instance, malware usually runs in the user context, which is one of the reasons you should be really careful storing passwords locally. So I was glad that Daniel pointed to all of your browser password stores are straightforward to decrypt.