how many IDA Pro windows is too many?
1. packed dll
2. dll embedded in 1
3. exe in whose context I can observe unpacking of 1
4. merge of 1 and 2
5. simpler exe to test 4 in
it's for ASProtect which has apparently been studied by many, and Microsoft has even written an unpacker for it (so that Defender can peek inside) but for which seemingly no one has published any tools (just some hacky OllyDbg workflows)
and this I learned about because Microsoft had a bug in their implementation that allowed an attacker to perform a memcpy as the Defender process
https://www.pixiepointsecurity.com/blog/nday-cve-2021-31985/
Exploiting the Windows Defender `AsProtect` Heap Overflow Vulnerability | PixiePoint Security

In the security updates of June 2021, Microsoft patched a heap buffer overflow in the Windows Defender mpengine.dll assigned as CVE-2021-31985. The vulnerability was found by Google Project Zero (GP0) and reported on May 25, 2021. The Windows …
