Security Alerts & News
by Tymoteusz A. Góral

#1814 Bypassing exploit protection of NORTON Security
Norton could only detect stack pivots, and this is done with the help of ring3 hooks on critical functions like LoadLibrary, VirtualProtect and VirtualAlloc. So they have injected their JUMPs into the functions' prologues and intercept all calls. In their handler they can check whether the current stack frame is "original". If not, they raise an exception like the one in that screenshot. So if no stack pivoting happens during the exploit (say, a simple BoF where the ROP chain and shellcode are on the same stack), then the attack will not be stopped or detected.
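To make the detection mechanism in the summary concrete, here is an added example (not code from the linked post and not Norton's implementation) of the check a user-mode hook handler can perform: compare the stack pointer captured at the hooked API's entry against the thread's real stack bounds, and flag the call when the pointer lies outside them. The `sp_is_original`, `get_current_stack_bounds` and `hooked_api_handler` names are assumptions made for this illustration. On Windows the bounds would come from the TEB's StackLimit/StackBase fields; this example runs on Linux and reads the main thread's `[stack]` mapping from `/proc/self/maps` instead, with a constructed set of bounds used for the self-contained checks.

```c
// Added example, not from the original post: a minimal user-mode
// stack-pivot check of the kind an inline hook on LoadLibrary /
// VirtualProtect / VirtualAlloc can perform. A stack pointer outside the
// thread's real stack range means the stack was pivoted (typically into a
// heap buffer) before the sensitive call was made.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Thread stack bounds. On Windows: TEB StackLimit (lo) / StackBase (hi).
 * Here, on Linux, taken from the "[stack]" line of /proc/self/maps. */
typedef struct {
    uintptr_t lo;  /* lowest valid stack address (inclusive) */
    uintptr_t hi;  /* one past the highest valid stack address */
} stack_bounds;

/* The core check used by a hook handler: is sp inside [lo, hi)? */
bool sp_is_original(uintptr_t sp, stack_bounds b) {
    return sp >= b.lo && sp < b.hi;
}

/* Obtain the main thread's stack bounds (hypothetical helper, Linux only).
 * Returns false when /proc is unavailable or no [stack] mapping is found. */
bool get_current_stack_bounds(stack_bounds *out) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return false;
    char line[512];
    bool found = false;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        if (strstr(line, "[stack]") && sscanf(line, "%lx-%lx", &lo, &hi) == 2) {
            out->lo = (uintptr_t)lo;
            out->hi = (uintptr_t)hi;
            found = true;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Simulated hook handler (hypothetical). caller_sp is the stack pointer the
 * hook captured at API entry. Returns 0 = original stack, 1 = pivot detected,
 * -1 = bounds unavailable (a real product would fail closed or fall back). */
int hooked_api_handler(uintptr_t caller_sp) {
    stack_bounds b;
    if (!get_current_stack_bounds(&b)) return -1;
    return sp_is_original(caller_sp, b) ? 0 : 1;
}

int main(void) {
    /* A local variable's address approximates the live stack pointer. */
    int local = 0;
    uintptr_t real_sp = (uintptr_t)&local;
    /* A heap buffer stands in for a pivoted "fake stack". */
    void *heap = malloc(256);
    uintptr_t pivoted_sp = (uintptr_t)heap;

    printf("call from real stack    -> %d\n", hooked_api_handler(real_sp));
    printf("call from heap 'stack'  -> %d\n", hooked_api_handler(pivoted_sp));
    free(heap);
    return 0;
}
```

The check only catches the pivoted case; as the summary notes, a chain that stays on the original stack passes it, which is why products usually combine it with other heuristics rather than relying on it alone.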