tag:blogger.com,1999:blog-14788166.post6759082786781427384..comments2010-03-09T10:33:05.691+01:00Ero Carrerahttp://www.blogger.com/profile/12212132879580765574noreply@blogger.comBlogger8125tag:blogger.com,1999:blog-14788166.post-32061998108307020972007-11-19T21:42:00.000+01:002007-11-19T21:42:00.000+01:00Thanks for sharing this information. I was searching for the explanation of this behavior for 2 days. I thought that my program had the bug.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-14788166.post-91418268545320331262007-05-24T13:40:55.240+02:002007-05-24T13:40:55.240+02:00Thanks for the info. I didn't know that the windows loader was so forgiving in that case.Ero Carrerahttp://www.blogger.com/profile/12212132879580765574noreply@blogger.comtag:blogger.com,1999:blog-14788166.post-7898701895698524032007-05-24T13:30:00.000+02:002007-05-24T13:30:00.000+02:00Also, FYI, the Windows loader (which IMHO is as brainded as it can be and tries to load anything that even looks like PE without performing validation - probably in the name of "backwards compatibility") executes TLS even if in the Data Directory the size is specified as zero, but IDA doesn't show it in this case (of course you can always patch it with a hex editor ;-)).cdman83http://www.blogger.com/profile/05030326541176171725noreply@blogger.comtag:blogger.com,1999:blog-14788166.post-59616696514632732612007-05-21T07:59:00.000+02:002007-05-21T07:59:00.000+02:00http://www.amazon.com/Computer-Virus-Research-Defense-Symantec/dp/0321304543/ref=sr_1_1/002-1556081-5220863?ie=UTF8&s=books&qid=1179727152&sr=8-1<BR/><BR/>using TLS as entry point. just a quick mention - not sure if it is worth to buy the book just to read about it :)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-14788166.post-73099552337884846382007-05-02T18:53:00.000+02:002007-05-02T18:53:00.000+02:00I don't know if you have read this but here's an interesting article discussing the Shrug aka Chifton Virus <A HREF="http://pferrie.tripod.com/papers/chiton.pdf" REL="nofollow">LINK</A>Alexhttp://ihatealex.org/WordPress/noreply@blogger.comtag:blogger.com,1999:blog-14788166.post-77874743360479858452007-04-01T23:33:08.095+02:002007-04-01T23:33:08.095+02:00<A HREF="http://www.symantec.com/security_response/writeup.jsp?docid=2002-031314-2134-99&tabid=2" REL="nofollow">According to Symantec</A> the virus W32.Shrug was the first know to use TLSEro Carrerahttp://www.blogger.com/profile/12212132879580765574noreply@blogger.comtag:blogger.com,1999:blog-14788166.post-47384064164177631072007-03-20T23:42:15.474+01:002007-03-20T23:42:15.474+01:00Could you elaborate a bit more on that please?Ero Carrerahttp://www.blogger.com/profile/12212132879580765574noreply@blogger.comtag:blogger.com,1999:blog-14788166.post-36965903059963496482007-03-20T22:33:00.000+01:002007-03-20T22:33:00.000+01:00FYI: virii use TLS' entry points too.<BR/><BR/>"comparing execution paths..." respect.Anonymousnoreply@blogger.com