PCRE (Perl Compatible Regular Expression) notation
OllyDbg, continued
premature termination of
transferring execution to, 386
unpacking stub and, 384
viewing threads and stacks, 185–186
overanalysis, danger of, 308
overloading, 430–431
getting correct, 665
408–409
sniffing, 53
pipe symbol (|), in Snort, 304
analyzing with Process Explorer, 50
polling, 239
objects created for, 716
PDF Tools, 471
PE Explorer, 26, 471
unpacking plug-ins, 388
PE file format. See Portable Executable (PE) file format
PEB (Process Environment Block) structure, 352, 591–592
documented, 354
PEiD, 471, 478, 479–480
detecting packers with, 14
examining file structure, 486
header vulnerabilities, OllyDbg, 385
persistence, 241–245, 572
AppInit_DLLs for, 575
DLL load-order hijacking, 244–245
of registry, 139
trojanized system binaries, 243–244
examining PE files with, 22–24
crash, 364
finding base address with, 545
original and trojanized versions of cisvc.exe, 584–585
PhantOm plug-in, 354, 658, 659, 665
INDEX 755