The Mental Driller
29a [6]
March 2002
Guess what! Microsoft has bugs in the Kernel!! (oh, really????). Have you ever wondered why your polymorphic engine works fine but your virus sometimes doesn't, and what is failing is the call to GetModuleHandle()? Well, one of the reasons can be the #@&$! bug that I found to be present even in Win2k: the direction flag (usually set to 1 with STD or cleared with CLD). Be sure that the flag is clear when you call GetModuleHandle! This needs special care if we are coding polymorphic viruses (since STD is a standard garbage instruction). What I wonder is WHY the programmers at Micro$oft relied on this fact when using LODS?/CMPS?/etc. (block instructions). Just test it: call GetModuleHandle passing "kernel32.dll", but first execute STD. Exception for sure! And not an exception in our code, but in the kernel!
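A constructed C demonstration of the mechanism behind the bug described above, added here and not part of the original article: the x86 calling conventions (System V and Microsoft's alike) require DF to be clear at every call, so a callee using string instructions is entitled to rely on it. The callee below is a stand-in, not the kernel32 code; it assumes GCC/Clang inline assembly on x86/x86-64, and the arena is padded so the backwards walk stays in bounds instead of faulting.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if !defined(__x86_64__) && !defined(__i386__)
#error "demonstration uses x86 string instructions via GCC/Clang inline asm"
#endif

/* The "callee" (a stand-in for the kernel32 code the article describes): it
   copies n bytes with REP MOVSB and simply trusts the ABI rule that DF is clear
   on entry. With DF=0 the pointers advance; with DF=1 they step backwards. */
static void callee_copy(char *dst, const char *src, size_t n) {
    __asm__ volatile ("rep movsb" : "+D"(dst), "+S"(src), "+c"(n) : : "memory");
}

/* Caller that either honours the ABI (DF=0) or leaves DF set, as a stray STD
   garbage instruction would, then restores DF=0 before returning. */
static void call_with_df(int df_set, char *dst, const char *src, size_t n) {
    if (df_set)
        __asm__ volatile ("std" ::: "cc", "memory");
    callee_copy(dst, src, n);
    __asm__ volatile ("cld" ::: "cc", "memory"); /* what every caller must guarantee */
}

/* Constructed sample input: the callee is asked to copy bytes 8..11 ("89AB"). */
static const char SRC[17] = "0123456789ABCDEF";

static uint32_t pack4(const char *p) { /* 4 bytes -> one comparable value */
    return ((uint32_t)(unsigned char)p[0] << 24) | ((uint32_t)(unsigned char)p[1] << 16) |
           ((uint32_t)(unsigned char)p[2] << 8) | (uint32_t)(unsigned char)p[3];
}
struct copy_outcome {
    uint32_t intended;     /* dst[8..11]: what the callee was supposed to fill */
    uint32_t stepped_back; /* dst[5..8]: where DF=1 actually sent the writes */
};

/* Run the callee inside a 16-byte arena so a backwards walk stays in bounds;
   against a real 4-byte buffer the same walk runs off its front and faults. */
struct copy_outcome run_callee(int df_set) {
    char dst[16];
    memset(dst, 0, sizeof dst);
    call_with_df(df_set, dst + 8, SRC + 8, 4);
    struct copy_outcome out = { pack4(dst + 8), pack4(dst + 5) };
    return out;
}
int main(void) {
    struct copy_outcome ok = run_callee(0), bad = run_callee(1);
    printf("DF=0: intended=%08x stepped_back=%08x\n", ok.intended, ok.stepped_back);
    printf("DF=1: intended=%08x stepped_back=%08x\n", bad.intended, bad.stepped_back);
    return 0;
}
```

With DF=0 the intended bytes read "89AB"; with DF=1 only the first byte lands where expected and the other three are written three bytes before the buffer, which is the out-of-bounds walk that turns into an exception when the real callee has no padding around it.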