Internet Newsgroup Discussion Forums


Discussion Group
grc.securitynow

Subject: Re: wmf temporary fix
Date: Sat, 31 Dec 2005 17:10:28 -0800
From: Steve Gibson <news2005@grc.com>


[for the unabridged version, see "maloney" <this is not my real 
email 633@gmail.com>'s post above]

> I have Windows Vista beta 2 and the patch appears to be compatible.

Cool.

The way the patch works is that IF it sees that a system is at 
least Windows 2000 or later, it looks at the function entrypoint 
for GDI32's ESCAPE function.  If it finds a sequence of bytes 
that it can confidently understand (this is what Ilfak and I 
expanded upon just a bit by teaching it about Windows 2000), it 
then dynamically patches the front of GDI32's ESCAPE function 
with a jump to its own replacement "stub" which simply checks to 
see whether the ESCAPE function being called is "SetAbort" (sub 
function number 9) and, if so, returns to the original caller.  
For all other functions it emulates the replaced code then 
returns to the ESCAPE function processing.

The point of what became an overly long explanation is that the 
dynamic patcher will likely be able to run and fix any version 
of GDI with recognizable GDI entrypoints.  It knows about two 
types right now, and it's moderately unlikely that the code will 
be changing a lot among sub-versions.


> However if someone could post the link to the infected site
> I could verify that it is working on Vista. Make sure that you
> put danger beside the link or something. By the way excellent
> job on the fast response.

Time is everything on this.  :)

-- 
________________________________________________________________
Steve.
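
Added example, not part of the original post and not the patch's own code: a C model of the mechanism described above (recognize the entry bytes, plan a jump to a stub, filter sub-function 9), working on a byte buffer rather than live memory. The two entry signatures, the addresses and all function names are constructed for illustration; the post does not give the byte sequences the real patch recognizes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESC_SETABORT 9  /* sub-function number named in the post */
#define JMP_LEN 5       /* x86 near jump: E9 + rel32 */

/* Constructed entry signatures (whole instructions, >= JMP_LEN bytes).
   Illustrative only; not the byte sequences the real patch recognizes. */
static const uint8_t SIG_A[] = {0x8B,0xFF,0x55,0x8B,0xEC};      /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t SIG_B[] = {0x55,0x8B,0xEC,0x83,0xEC,0x10}; /* push ebp; mov ebp,esp; sub esp,10h */
static const struct { const uint8_t *b; size_t n; } KNOWN[] = {
    {SIG_A, sizeof SIG_A}, {SIG_B, sizeof SIG_B}};

/* Index of the recognized entry sequence, or -1 if the bytes are unfamiliar. */
int recognize_entry(const uint8_t *entry, size_t avail) {
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++)
        if (avail >= KNOWN[i].n && memcmp(entry, KNOWN[i].b, KNOWN[i].n) == 0)
            return (int)i;
    return -1;
}

/* Plan the patch on a copy of the entry bytes. Returns the number of displaced
   bytes (saved in `saved` for the stub to emulate), or 0 to leave it alone. */
size_t plan_patch(const uint8_t *entry, size_t avail, uint32_t entry_va,
                  uint32_t stub_va, uint8_t *patched, uint8_t *saved) {
    int i = recognize_entry(entry, avail);
    if (i < 0) return 0;                        /* unknown code: refuse to patch */
    size_t n = KNOWN[i].n;
    memcpy(saved, entry, n);
    uint32_t rel = stub_va - (entry_va + JMP_LEN);  /* relative to next instruction */
    patched[0] = 0xE9;
    for (int k = 0; k < 4; k++) patched[1 + k] = (uint8_t)(rel >> (8 * k));
    memset(patched + JMP_LEN, 0x90, n - JMP_LEN);   /* NOP-pad a partial instruction */
    return n;
}

/* Stub decision: 1 = return to the caller at once, 0 = emulate the saved
   bytes and resume the original function at entry_va + displaced length. */
int stub_blocks(int escape_code) { return escape_code == ESC_SETABORT; }

int main(void) {
    uint8_t entry[] = {0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53}, p[8], s[8];
    size_t n = plan_patch(entry, sizeof entry, 0x1000, 0x2000, p, s);
    printf("displaced=%zu block(9)=%d block(1)=%d\n", n, stub_blocks(9), stub_blocks(1));
    return 0;
}
```

Refusing to patch when the entry bytes are unfamiliar is what keeps this kind of fix from corrupting a GDI build it does not understand.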


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.