Send Dailydave mailing list submissions to dailydave@lists.immunitysec.com

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.immunitysec.com/mailman/listinfo/dailydave

Today's Topics:

   1. Re: VPC (Jared DeMott)
   2. Re: VPC (dan)
   3. Re: VPC (Joanna Rutkowska)
   4. SandMan 1.0.080226 is out! (Matthieu Suiche)
   5. Re: VPC (Halvar Flake)
   6. Owning Citrix & Terminal Services Clients (DSquare Security)
   7. Re: VPC (Anthony Lineberry)
   8. Re: Owning Citrix & Terminal Services Clients (Dave Korn)
   9. Re: VPC (Matt Richard)
  10. Re: VPC (Jon Oberheide)
  11. Re: VPC (Rodrigo Rubira Branco (BSDaemon))

----------------------------------------------------------------------

Message: 1
Date: Sun, 24 Feb 2008 13:43:28 -0500
From: Jared DeMott
Subject: Re: [Dailydave] VPC

J.M. Seitz wrote:
> Hey since everyone is having such a lively debate, and we all seem like
> we wanna help, why not contribute? BoB (from PEid glory) and myself have
> started a Malware and Unpacking Framework for ImmunityDebugger (MUFFI)
> to help automate malware analysis tasks.
>
> Some things that are in there so far:
>
> - lots of anti-anti debugging routines
> - VMWare cloaking
> - ummm...some other stuff
>
> It's all done in Python and uses the native ImmDbg libraries to do its
> business. We never really "released" it but we are always looking for
> people to contribute to the source tree. If a piece of malware is using
> a specific mechanism to do VM/sandbox detection, then write the reverse
> and send us a patch!
>
> http://muffi.googlecode.com/
>
> JS

Awesome as always JS.
:) One slight thing that can sometimes be an issue: 1st responders can only
spend so much time down in the weeds. Check out Steve's work:
> http://code.google.com/p/rapier/
>
> Freeware information gathering tool

------------------------------

Message: 2
Date: Mon, 25 Feb 2008 18:05:13 -0500
From: dan
Subject: Re: [Dailydave] VPC

| While it might be true that *today* some malware behaves
| differently depending on whether it detects a presence of
| a VMM (e.g. VMWare), this is not expected to be true anymore
| in the near future.

Might this be relevant to the conversation?

http://northsecuritylabs.com/

--dan

------------------------------

Message: 3
Date: Tue, 26 Feb 2008 00:34:39 +0100
From: Joanna Rutkowska
Subject: Re: [Dailydave] VPC

dan wrote:
| | While it might be true that *today* some malware behaves
| | differently depending on whether it detects a presence of
| | a VMM (e.g. VMWare), this is not expected to be true anymore
| | in the near future.
|
| Might this be relevant to the conversation?
|
| http://northsecuritylabs.com/

doubtful. see this:

http://theinvisiblethings.blogspot.com/2007/08/virtualization-detection-vs-blue-pill.html

j.
------------------------------

Message: 4
Date: Tue, 26 Feb 2008 20:53:35 +0100
From: Matthieu Suiche
Subject: [Dailydave] SandMan 1.0.080226 is out!

Hi everybody!

What is SandMan?

- SandMan is a framework providing a C library and a Python port to make
  the Windows hibernation file readable and writable.
- SandMan is released under the GPLv3 licence.
- Currently, only the 32-bit version of the hibernation file, from
  Windows XP to Windows 2008, is supported.

SandMan was first introduced at PacSec'07 and it is available at the
following link:

http://sandman.msuiche.net

Cheers!

--
Matthieu Suiche

------------------------------

Message: 5
Date: Tue, 26 Feb 2008 11:46:03 +0100
From: Halvar Flake
Subject: Re: [Dailydave] VPC
To: Thorsten Holz

Thorsten Holz wrote:
> On Thu, Feb 21, 2008 at 1:54 PM, Dave Aitel wrote:
>> There's another one called CWSandbox that has a free web form you can
>> send exe's to.
>
> You can either send a sample to <https://cwsandbox.org/?page=submit>
> or <http://research.sunbelt-software.com/submit.aspx>
> More info about the tool is available in an article
> (<http://pi1.informatik.uni-mannheim.de/filepool/publications/j2holz.pdf>)
> and an example report is
> <https://cwsandbox.org/?page=details&id=156851&password=iokop>
>
>> (They hook a bunch of things but I think you can escape
>> the hooking by calling system calls directly?)
>
> But then you are not platform independent. CWSandbox was originally
> designed to automatically analyze the malware we capture with the help
> of honeypots (worms, bots, ...), but has evolved a lot since then

OS-version independent API-hook bypassing is a very old hat (late 90's?).
Aside from checking for such hooks (which many common packers do
out-of-the-box, and have been doing since ... uhm ... almost a decade?),
the attacker has many choices to bypass the hook. I have seen many
variants of hook bypasses of various quality over the years -- some
samples include:

* Checks for the exact OS version to then differentiate which exact
  syscalls to use, then using syscalls
* Inlining the first few bytes of OS functions into the executable, then
  jumping to API+X
* Packers that inline entire OS functions into the executable

None of these are entirely rocket science (although (3) is kinda cute),
and platform-independence can be achieved easily if one is willing to
sacrifice Win9x (and, perhaps, Win2k) compatibility.

Empirically, it is likely true that very little malware takes these
countermeasures. That just means that the authors have decided that the
cost of taking countermeasures (virtually zero) isn't worth incurring
yet.

It constantly amazes me in how many guises API hooks will cross my path
in my life -- I have seen bad IPS based on it 7 years ago, then again 4
years ago etc. etc. API hooking is great if you're dealing with a
nonadversarial target.
For everything else, it's useful as long as nobody decides it's worth 3
hours to deal with it.

Cheers,
Halvar

PS: "Nobody will break into my house -- I put paper in front of my door.
No burglar has ever been seen cutting paper in order to break in!" :-P

------------------------------

Message: 6
Date: Wed, 27 Feb 2008 12:17:32 -0600
From: DSquare Security
Subject: [Dailydave] Owning Citrix & Terminal Services Clients

Several vulnerabilities can help you to compromise a Citrix server or a
Terminal Services server. So the question is: what can you do when you
have privileged access on these Citrix and Terminal Services servers?

The answer is simple: try to compromise Citrix and TS clients.

There are at least two interesting ways to access client data:

1) Spying on his session to get passwords from a published application
2) Accessing his local drives if they are mapped in the session

D2CiTerm is designed to help you in this kind of work. Here are two
demonstrations of this tool:

1) From a remote SYSTEM access after the exploitation of the Citrix MPS
   4.0 IMA Service heap overflow:
   http://www.d2sec.com/d2citerm_1.htm

2) From a privileged Citrix session:
   http://www.d2sec.com/d2citerm_2.htm

This tool will be released in the next update of D2 Exploitation Pack.
--
DSquare Security, LLC
http://www.d2sec.com

------------------------------

Message: 7
Date: Mon, 25 Feb 2008 19:34:24 -0800
From: Anthony Lineberry
Subject: Re: [Dailydave] VPC
To: Dave Aitel

On Thu, Feb 21, 2008 at 4:54 AM, Dave Aitel wrote:
> So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat
> Federal, I learned the hard way that VPC moves memory all around and
> your previously great universal addresses don't work. So you'll end up
> trying really hard to find an address that defeats SafeSEH on 2003 SP0
> in 15 minutes or less.
>
> Also I notice there are a lot of companies doing automated Incident
> Response or malware analysis now.
>
> Zynamic's VxClass is obviously one of my favorites.
> HBGary has retooled Inspector into a tool ("Responder") that can read
> and analyze physical memory dumps.
> Mandiant has their new tool out.
> Norman had a softice-looking sandbox-like thing on display.
> There's another one called CWSandbox that has a free web form you can
> send exe's to. (They hook a bunch of things but I think you can escape
> the hooking by calling system calls directly?)
>
> And let me also put it this way: If you have a source code analyzer
> product booth, and you don't let people write little C programs and have
> them analyzed, it's really annoying.
>
> -dave

Is this sandboxing running outside of the hypervisor or inside?

One thing I've been messing with lately is sandboxing from outside the
guest OS by modifying a hypervisor to manipulate the kernel through
external hooks. I'm really curious whether this has been done before and
if I'm just reinventing the wheel.

--
Anthony Lineberry
http://www.dtors.org

------------------------------

Message: 8
Date: Thu, 28 Feb 2008 14:32:49 -0000
From: Dave Korn
Subject: Re: [Dailydave] Owning Citrix & Terminal Services Clients
To: DSquare Security, dailydave@lists.immunitysec.com

On 27 February 2008 18:18, DSquare Security wrote:

> There are at least two interesting ways to access client data
> 1) Spying on his session to get passwords from a published application
> 2) Accessing his local drives if they are mapped in the session

Not to mention the IPC$ share and all those pipes you can't get at
(because of RestrictAnonymous=1 these days) without being authenticated.

cheers,
DaveK
--
Can't think of a witty .sigline today....
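Halvar's message 5 above names the cheap hook-bypass moves: check whether an export is hooked, then either go straight to the syscall or inline the export's first bytes and jump to API+X. The C below is an added example and is not code from the thread or from any of the tools mentioned in it. It does the byte-level half of that on constructed samples: it recognises the redirect patterns a user-mode inline hook leaves at the start of a 32-bit Win32 export, decodes where an E9 jump goes, and works out how many pristine bytes a bypass must copy before it can resume on an instruction boundary past the hook. The prologue byte strings, the export address 0x7C801D7B and the hook target 0x10001000 are assumptions made up for the example; on a real system the pristine bytes come from the DLL on disk, not from the hooked image.

```c
/* hookcheck.c: spot an inline hook on a 32-bit Win32 export's prologue and
 * size the "inline the first bytes, then jump to API+X" bypass. Pure byte
 * analysis over constructed samples, so it builds and runs on any platform;
 * nothing here touches a live process. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples (assumptions, not bytes from any real DLL). */
/* mov edi,edi ; push ebp ; mov ebp,esp ; push 10h  (hotpatchable prologue) */
static const uint8_t PROLOGUE_HOTPATCH[] = {0x8B,0xFF, 0x55, 0x8B,0xEC, 0x6A,0x10};
/* push ebp ; mov ebp,esp ; sub esp,10h ; push esi  (classic prologue) */
static const uint8_t PROLOGUE_CLASSIC[]  = {0x55, 0x8B,0xEC, 0x83,0xEC,0x10, 0x56};
/* PROLOGUE_HOTPATCH after a hook wrote "jmp 10001000h" over its first five
 * bytes; the export is assumed to live at 0x7C801D7B. */
static const uint8_t HOOKED_IN_MEMORY[]  = {0xE9, 0x80,0xF2,0x7F,0x93, 0x6A,0x10};

/* True if the export starts with a redirect instead of a normal prologue:
 * jmp rel32, jmp rel8, jmp [abs32], push imm32/ret, or a leftover int3. */
bool prologue_is_hooked(const uint8_t *code, size_t len)
{
    if (len == 0) return false;
    switch (code[0]) {
    case 0xE9: return len >= 5;                         /* jmp rel32 */
    case 0xEB: return len >= 2;                         /* jmp rel8 */
    case 0xCC: return true;                             /* int3 */
    case 0xFF: return len >= 6 && code[1] == 0x25;      /* jmp dword ptr [abs32] */
    case 0x68: return len >= 6 && code[5] == 0xC3;      /* push imm32 ; ret */
    default:   return false;
    }
}

/* Destination of the E9 jmp rel32 found at virtual address `at`. The
 * addition wraps modulo 2^32 exactly as the CPU computes it. */
uint32_t jmp_rel32_target(uint32_t at, const uint8_t *code)
{
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return at + 5u + rel;
}

/* Length of one instruction from the small set that makes up ordinary Win32
 * prologues. Anything else returns 0 so the caller refuses to guess; a real
 * bypass would also have to relocate any relative jmp/call it copied. */
static size_t insn_len(const uint8_t *p, size_t len)
{
    if (len == 0) return 0;
    bool reg_form = len >= 2 && (p[1] & 0xC0) == 0xC0;   /* ModRM mod == 11 */
    switch (p[0]) {
    case 0x53: case 0x55: case 0x56: case 0x57: return 1;          /* push reg */
    case 0x6A: return len >= 2 ? 2 : 0;                             /* push imm8 */
    case 0x68: return len >= 5 ? 5 : 0;                             /* push imm32 */
    case 0x8B: return reg_form ? 2 : 0;                             /* mov r32,r32 */
    case 0x83: return reg_form && len >= 3 ? 3 : 0;                 /* add/sub r32,imm8 */
    case 0x81: return reg_form && len >= 6 ? 6 : 0;                 /* add/sub r32,imm32 */
    default:   return 0;
    }
}

/* How many pristine bytes a bypass must copy inline so that it can resume at
 * API+X on an instruction boundary at or past the hook_len bytes the hook
 * clobbered. `pristine` is the export as it sits in the DLL on disk; the
 * in-memory copy is useless here because the hook has overwritten it.
 * Returns 0 if an unrecognised instruction is hit before the boundary. */
size_t inline_bytes_for_bypass(const uint8_t *pristine, size_t len, size_t hook_len)
{
    size_t off = 0;
    while (off < hook_len) {
        size_t n = insn_len(pristine + off, len - off);
        if (n == 0) return 0;
        off += n;
    }
    return off;
}

int main(void)
{
    printf("hotpatch prologue hooked? %d\n",
           prologue_is_hooked(PROLOGUE_HOTPATCH, sizeof PROLOGUE_HOTPATCH));
    printf("in-memory copy hooked?    %d\n",
           prologue_is_hooked(HOOKED_IN_MEMORY, sizeof HOOKED_IN_MEMORY));
    printf("hook lands at             0x%08X\n",
           jmp_rel32_target(0x7C801D7Bu, HOOKED_IN_MEMORY));
    printf("bytes to inline (hotpatch prologue): %zu\n",
           inline_bytes_for_bypass(PROLOGUE_HOTPATCH, sizeof PROLOGUE_HOTPATCH, 5));
    printf("bytes to inline (classic prologue):  %zu\n",
           inline_bytes_for_bypass(PROLOGUE_CLASSIC, sizeof PROLOGUE_CLASSIC, 5));
    return 0;
}
```

Build with `cc hookcheck.c && ./a.out`. The classic prologue needs six bytes copied, not five, because `sub esp,10h` straddles the fifth byte; jumping to API+5 there would land mid-instruction, which is the detail that separates a working bypass from a crash. Sizing from the hooked in-memory copy returns 0 on purpose: the first five bytes are the hook's jump, not the original code. This covers only user-mode inline hooks on 32-bit exports; the syscall-by-OS-version route Halvar lists first sidesteps the prologue entirely and needs nothing more than the right service numbers for the target build.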
------------------------------

Message: 9
Date: Thu, 28 Feb 2008 18:43:57 -0500
From: Matt Richard
Subject: Re: [Dailydave] VPC
To: Anthony Lineberry
Cc: Dave Aitel

On Mon, Feb 25, 2008 at 10:34 PM, Anthony Lineberry wrote:
> Is this sandboxing running outside of the hypervisor or inside?
> One thing I've been messing with lately is sandboxing from outside the
> guest OS by modifying a hypervisor to manipulate the kernel through
> external hooks. I'm really curious whether this has been done before
> and if I'm just reinventing the wheel.

I have only seen defensive implementations such as the work of Garfinkel
and Rosenblum at Stanford. Their use case is a modified hypervisor that
can monitor critical OS data structures. One of their implementations
watches the Linux system call table and can prevent modification to
thwart rootkits.

http://www.cs.fit.edu/%7Epkc/id/related/garfinkel03ndssVM.pdf

I think it's a great idea, I'd be interested in seeing any published
work you have on the topic.

Regards,
Matt

------------------------------

Message: 10
Date: Fri, 29 Feb 2008 09:57:45 -0500
From: Jon Oberheide
Subject: Re: [Dailydave] VPC
To: Matt Richard
Cc: Dave Aitel

On Thu, 2008-02-28 at 18:43 -0500, Matt Richard wrote:
> On Mon, Feb 25, 2008 at 10:34 PM, Anthony Lineberry wrote:
> > Is this sandboxing running outside of the hypervisor or inside?
> > One thing I've been messing with lately is sandboxing from outside the
> > guest OS by modifying a hypervisor to manipulate the kernel through
> > external hooks. I'm really curious whether this has been done before
> > and if I'm just reinventing the wheel.
>
> I have only seen defensive implementations such as the work of
> Garfinkel and Rosenblum at Stanford. Their use case is a modified
> hypervisor that can monitor critical OS data structures. One of their
> implementations watches the Linux system call table and can prevent
> modification to thwart rootkits.

In related news, VMware just recently announced VMsafe:

http://www.vmware.com/overview/security/vmsafe.html

--
Jon Oberheide
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE

------------------------------

Message: 11
Date: Fri, 29 Feb 2008 12:56:11 -0000
From: Rodrigo Rubira Branco (BSDaemon)
Subject: Re: [Dailydave] VPC
To: Matt Richard, Anthony Lineberry
Cc: Dave Aitel

> I have only seen defensive implementations such as the work of
> Garfinkel and Rosenblum at Stanford. Their use case is a modified
> hypervisor that can monitor critical OS data structures. One of their
> implementations watches the Linux system call table and can prevent
> modification to thwart rootkits.
>
> I think it's a great idea, I'd be interested in seeing any published
> work you have on the topic.

StMichael running in SMM tries to accomplish the same in architectures
where virtualization is not supported:

http://www.kernelhacking.com/rodrigo/docs/H2HCIV.pdf

The idea is to port it also to be implemented using the hypervisor
support of the modern processors...
cya,

Rodrigo (BSDaemon)
--
www.kernelhacking.com/rodrigo

------------------------------

End of Dailydave Digest, Vol 31, Issue 8
****************************************