Debugger Omission

Whereas some false positives can be considered soft debugger bugs (page 90), false negatives can have a more severe impact on software behavior analysis, especially in malware analysis. A typical example here is the current .imgscan command, which according to its documentation should by default scan the virtual process space for MZ/PE signatures. Unfortunately, it doesn't detect such signatures in resource pages (we haven't checked stack regions yet):

0000000000fd0000 image base


SECTION HEADER #4
.rsrc name
6430 virtual size
4000 virtual address
6600 size of raw data
1600 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
(no align specified)
Read Only
0:000> .imgscan /r 00000000`00fd4000 L200


0:000> s -[l2]sa 00000000`00fd4000 l200
00000000`00fd40b0  "MZ"
00000000`00fd40fd  "!This program cannot be run in D"
00000000`00fd411d  "OS mode."
00000000`00fd4188  "Rich"
00000000`00fd4198  "PE"
0:000> !dh 00000000`00fd40b0


File Type: DLL
FILE HEADER VALUES
14C machine (i386)
3 number of sections
time date stamp Fri Jan 18 21:27:25 2013
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
2102 characteristics
Executable

32 bit word machine
DLL
[...]
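As an added example (not part of the original text or of the debugger), the following Python script does programmatically what the manual s -[l2]sa / !dh check above does by hand: it finds every MZ header in a dumped memory region, follows e_lfanew to confirm a real PE signature, and reports machine type, section count and the DLL flag, rejecting bare "MZ" strings. The page contents and base address are constructed test data modelled on the session above.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000  # Characteristics bit set for DLLs


def scan_for_pe(region: bytes, base: int = 0):
    """Return (address, machine, nsections, is_dll) for every MZ header in
    `region` whose e_lfanew points at a valid PE signature.
    `base` is the virtual address of region[0], so addresses match WinDbg."""
    hits = []
    off = 0
    while True:
        off = region.find(IMAGE_DOS_SIGNATURE, off)
        if off < 0 or off + 0x40 > len(region):
            break  # no more candidates, or too short for a DOS header
        # e_lfanew (offset of the PE header) lives at DOS header offset 0x3C
        e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0]
        nt = off + e_lfanew
        # need the 4-byte signature plus the 20-byte IMAGE_FILE_HEADER
        if (e_lfanew >= 0x40 and nt + 24 <= len(region)
                and region[nt:nt + 4] == IMAGE_NT_SIGNATURE):
            machine, nsections = struct.unpack_from("<HH", region, nt + 4)
            characteristics = struct.unpack_from("<H", region, nt + 22)[0]
            hits.append((base + off, machine, nsections,
                         bool(characteristics & IMAGE_FILE_DLL)))
        off += 1
    return hits


def build_sample_page(base=0xFD4000):
    """Constructed test data: a 0x200-byte 'resource page' holding a decoy
    "MZ" string at 0x40 and a minimal embedded DLL header at 0xB0 (the same
    page offsets as the MZ/PE hits in the session above)."""
    page = bytearray(0x200)
    page[0x40:0x42] = IMAGE_DOS_SIGNATURE  # decoy: text only, e_lfanew = 0
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0xE8)  # PE header at 0xB0 + 0xE8 = 0x198
    page[0xB0:0xF0] = dos
    # IMAGE_FILE_HEADER: i386, 3 sections, constructed timestamp 0,
    # optional header size 0xE0, characteristics 0x2102 (executable, 32-bit, DLL)
    file_header = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)
    page[0x198:0x198 + 24] = IMAGE_NT_SIGNATURE + file_header
    return bytes(page), base


if __name__ == "__main__":
    page, base = build_sample_page()
    for addr, machine, nsections, is_dll in scan_for_pe(page, base):
        kind = "DLL" if is_dll else "EXE"
        print(f"{addr:016x}  {kind} machine={machine:X} sections={nsections}")
```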

Other analysis scenarios include !analyze -v showing us a breakpoint instead of an access violation exception from a parallel thread.
