BanMe
Master Cheater
![]() Reputation: 0
Joined: 29 Nov 2005
Posts: 375
Location: Farmington NH, USA
|
 Posted: Wed Feb 25, 2009 9:27 pm Post subject: Taking Control of BaseThreadStart Function ... |
 |
|
ok so ive been going over some old code thats been on my computer and i love reapplying the uses of old code into new tools.. so what i was thinking of doing creating a injectable dll at "Program Load Time" in order to hook BaseThreadStartThunk Function.. by doing this we can get a list of Branchs of the Executing thread before it actuall executes.. and by using branch offset pattern match by Storeing the Thread Start Address + Branch offset away from start address by minusing Start Address from Branch Address to obtain offset we can store the offsets and check them against future runs of the program.thus creating somewhat of a behavioral recogition based on code patterning.. we can also determine Thread Function Total legth for additional matching capabilities..i think this combined with a slightly modified version of Skype's memalyzer and a separate LPC Message Server capable of relaying messages and code to the client via a Shared Section.. in further version i also want to add a SEH Stack peaker to peak into the stack and gather information about stack values.. or i could just use stackwalk64 but that way is lame..
most of the major functionality for this project of mine is done but i am seeking further ideas from 'knowing' individuals regarding new options and ideas for further improvents in this novell idea.. ;}
regards BanMe
| Code: |
typedef struct CC_TREE
{
SIZE_T MemTotalSize;
LPVOID MemStart;
DWORD NumTotalEntry;
DWORD NumEntry;
}CC_TREE;
typedef struct CCEX_TREE
{
CC_TREE CC_Tree;
void* BranchOffset[255];
DWORD ThreadStartAddress;
LPVOID Param;
DWORD *Eip;
DWORD szEip;
}CCEX_TREE;
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
