NTCore: interesting site about system internals and software security
Posted by jpluimers on 2014/09/30
I recently bumped into the NTCore website by Daniel Pistelli.
At a client site without my own VMs, I wanted to create a DebugBreak-like function in Delphi. I remembered from my Turbo Pascal days that it was something like Inline($CC). Searching for both Delphi and INT 3, I found an EXE injection page at NTCore.
In Delphi, you can do this with a procedure like the one below. It cannot be inlined because it contains an asm block:
procedure DebugBreak();
asm
  int 3  // single-byte $CC software breakpoint, the same thing Inline($CC) emitted
end;
(Reminder to self: sort out what to do here to break on an iOS device; Xcode has an alternative.)
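INT 3 is a trap instruction, so when no debugger is attached the operating system delivers the breakpoint to the process itself (SIGTRAP on Linux, EXCEPTION_BREAKPOINT on Windows) and the default outcome is a crash. That is the reason for guarding such a procedure with a "debugger present" check. The following is an added C example, not code from the post or from NTCore, that executes the same $CC instruction and shows the trap arriving in the process; it assumes a POSIX system and GCC/Clang inline assembler syntax on x86/x86-64 (other architectures fall back to raising SIGTRAP directly).

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the post or from NTCore): observe what the INT 3
   in a DebugBreak-style procedure does when no debugger is attached.
   Assumes POSIX signals; the inline asm is GCC/Clang syntax for x86/x86-64. */

static sigjmp_buf trap_env;
static volatile sig_atomic_t trap_count = 0;

static void on_sigtrap(int signo)
{
    (void)signo;
    trap_count++;
    /* Resume after the breakpoint instead of letting the default action
       (terminate with a core dump) kill the process. */
    siglongjmp(trap_env, 1);
}

/* The same one-byte $CC instruction the Delphi asm block emits. */
static void debug_break(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("int3");
#else
    raise(SIGTRAP); /* non-x86 fallback: the signal the kernel would deliver */
#endif
}

/* Executes the breakpoint with a temporary SIGTRAP handler installed.
   Returns 1 if the trap reached the process (no debugger consumed it),
   0 if execution simply continued, -1 if the handler could not be set. */
int breakpoint_reaches_process(void)
{
    struct sigaction sa, old;
    volatile int trapped;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    if (sigsetjmp(trap_env, 1) == 0) {
        debug_break();
        trapped = 0;   /* only reached if nothing trapped, e.g. a debugger stepped over it */
    } else {
        trapped = 1;   /* came back from on_sigtrap via siglongjmp */
    }
    sigaction(SIGTRAP, &old, NULL); /* restore the previous disposition */
    return trapped;
}

int main(void)
{
    int r = breakpoint_reaches_process();
    printf("breakpoint delivered to process: %d (SIGTRAP count %d)\n",
           r, (int)trap_count);
    return r == 1 ? 0 : 1;
}
```

Run without a debugger and the handler fires once; under a debugger the tracer sees the trap first and normally swallows it, which is exactly the difference a guarded DebugBreak relies on.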
The site has information about system internals and software security posted as articles until 2009, when he switched to blog posts. Besides that, he has written a bunch of interesting articles at CodeProject.
An important product on his site is the Explorer Suite:
A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86 and x64.
It is a great tool aimed at the Windows PE format, and a prelude to the commercial Cerbero Profiler at iCerbero.com, which covers many more file formats and tools that can help with, for instance, analyzing malware. Daniel has moved to Frankfurt, Germany, and is now a security expert doing great work.
Daniel also has a great Twitter feed where he refers to posts from others.
For instance, malware usually runs in the user context, which is one of the reasons you should be really careful storing passwords locally. So I was glad that Daniel pointed to a post showing that all of your browser password stores are straightforward to decrypt.
–jeroen
Further reading:
gabr42 said
asm int 3 end; is not good for 64-bit. I’m using:
{$IFDEF CPUX64}
// On x64, inline asm is only allowed as a whole procedure, not as a statement
procedure X64AsmBreak;
asm
  .NOFRAME
  INT 3
end; { X64AsmBreak }
{$ENDIF CPUX64}

procedure DebugBreak(triggerBreak: boolean = true);
begin
  {$IFDEF DEBUG}
  // DebugHook (System unit) is non-zero only when running under the IDE debugger
  if triggerBreak and (DebugHook <> 0) then
    {$IFDEF CPUX64}
    X64AsmBreak;
    {$ELSE}
    asm int 3 end;
    {$ENDIF ~CPUX64}
  {$ENDIF DEBUG}
end; { DebugBreak }
jpluimers said
Thanks for that.
David M said
Fascinating site… I’ve been browsing it for hours now.