05.13.07
Posted in General Posts at 2:51 am by evilcry
Hello,
With Vista, many forensic analyses need to be reviewed, so SecurityFocus published a paper on Vista’s new features and the related forensic analysis:
http://www.securityfocus.com/infocus/1889
http://www.securityfocus.com/infocus/1890
Useful to learn how to hide/discover “something” in this new environment.
Have a nice Day
05.04.07
Posted in General Posts at 11:21 am by andreageddon
My friend sgrakkyu (ciao sgra!) and I were talking about this nice feature to go to ring0 from ring3, although it is not usable for evil or tricky purposes.
There are some tricks to go to ring0 from ring3 (\device\physicalmemory, some debug-API-related overflows, etc.); unluckily they require admin privileges (so this makes those tricks quite useless!). There is a way to go to r0 from r3 whenever you want, but still I have to use the word “unluckily”, because you can’t use this feature to do whatever you want!
Well, the thing is easy: we are just talking about conforming and non-conforming segments. We usually deal with non-conforming segments, that is, when you go to ring0 code without using a valid call gate you get a general protection exception. What if the segment is conforming? Then we can call r0 code without raising exceptions, and without having to use legal call gates. How does this work? First of all, only code segments can be conforming; data segments are NON-conforming. A conforming segment simply allows the execution to use ring 0 code. The caller DOES NOT change its CPL, so if you are in ring3, your CPL remains 3! In addition the conforming segment can specify the DPL permitted to go to r0, so for example you can limit this execution only to r2. Since data segments are NON-conforming, you can’t use this feature to execute code that modifies kernel data structures or other data. So, what are these conforming segments used for? Well, you can use this feature for example for math functions, so you don’t need to have the code of such routines twice (both r0 and r3): you keep only one copy of the code in r0 code, and access it with conforming segments.
This isn’t really a useful trick; it would be nice to see if it can somehow be exploited on Win or Lin to obtain r0 privileges, although I don’t think conforming segments are used. I’ll have to study this a bit; meanwhile any information is appreciated.
Bye!
AndreaGeddon
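As an added example, not code from the post: a decoder for the 8-byte x86 segment descriptor that reports the fields the post talks about (code vs. data, DPL, and the conforming flag) and scans a GDT image for conforming code segments, which is how one would actually check whether an OS uses them. The descriptor layout follows the Intel manuals; the sample GDT contents are constructed.

```python
import struct

# Decode one 8-byte x86 segment descriptor, little-endian as it sits in the GDT or
# LDT, and report whether it is a conforming code segment. Constructed example, not
# code from the post; the field layout follows the Intel SDM descriptor format.
def decode_descriptor(raw: bytes) -> dict:
    if len(raw) != 8:
        raise ValueError("a segment descriptor is exactly 8 bytes")
    limit_lo, base_lo, base_mid, access, flags_limit, base_hi = struct.unpack("<HHBBBB", raw)
    base = base_lo | (base_mid << 16) | (base_hi << 24)
    limit = limit_lo | ((flags_limit & 0x0F) << 16)
    if flags_limit & 0x80:               # G flag set: limit is in 4 KiB pages
        limit = (limit << 12) | 0xFFF
    present = bool(access & 0x80)
    dpl = (access >> 5) & 0x3            # privilege level stored in the descriptor
    system = not (access & 0x10)         # S=0: TSS, LDT or gate, never conforming
    seg_type = access & 0x0F
    is_code = (not system) and bool(seg_type & 0x8)
    # Bit 2 of a code segment's type field is the C (conforming) flag; in a data
    # segment the same bit means expand-down, which is why data is never conforming.
    conforming = is_code and bool(seg_type & 0x4)
    return {"base": base, "limit": limit, "present": present, "dpl": dpl,
            "system": system, "code": is_code, "conforming": conforming}

def descriptor_from_int(value: int) -> bytes:
    """Pack a descriptor written as a 64-bit hex constant into GDT byte order."""
    return struct.pack("<Q", value)

def find_conforming(gdt: bytes) -> list:
    """Return (index, dpl) for every present conforming code segment in a GDT image."""
    hits = []
    for idx in range(len(gdt) // 8):
        d = decode_descriptor(gdt[idx * 8:(idx + 1) * 8])
        if d["present"] and d["conforming"]:
            hits.append((idx, d["dpl"]))
    return hits

# Constructed GDT image: a flat-model layout plus two conforming entries (access
# bytes 0x9E and 0xDE) so the scan has something to report.
SAMPLE_GDT = b"".join(descriptor_from_int(v) for v in (
    0x0000000000000000,  # 0: null descriptor
    0x00CF9A000000FFFF,  # 1: ring-0 code, non-conforming
    0x00CF92000000FFFF,  # 2: ring-0 data
    0x00CFFA000000FFFF,  # 3: ring-3 code, non-conforming
    0x00CFF2000000FFFF,  # 4: ring-3 data
    0x00CF9E000000FFFF,  # 5: conforming code, DPL 0: callable from any ring
    0x00CFDE000000FFFF,  # 6: conforming code, DPL 2: only CPL 2 and 3 may call it
))
```

Running `find_conforming` over a GDT dumped from a real system (via a debugger or a kernel module) answers the post’s open question for that OS; on the constructed image it returns the two entries added on purpose.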
02.05.07
Posted in General Posts at 4:45 pm by black-eye
A pseudo-vulnerability which can be achieved using multi-transfer between two identities on Yahoo Messenger and social engineering. No practical attack, but interesting nonetheless.
Attached is a paper describing the attack and an implementation.
All the best,
bLaCk
07.24.06
Posted in General Posts at 11:32 am by andreageddon
There is a nice paper about research on the Windows Vista new networking stack:
http://www.securityfocus.com/brief/260
By the way, I was working on VMware, and I casually found that it always uses the same “physical memory” address ranges to map BIOS and PCI stuff (F0000000 - F0FFF000 and FE000000 - FE1FFFFF) on an emulated Windows XP SP2. The physical machine was XP SP2 too. I have found this on three different machines, so maybe this could be a VMware detection trick. Not useful at all! There are plenty of easier tricks, but it’s just a curiosity I was having. I tried Google but I didn’t find anything, maybe I googled badly.
Anyone who can confirm or deny this is welcome!
Bye
AndreaGeddon
PS: those ranges should not be Windows-specific; I tried to look at the memory in non-emulated Windows and the BIOS/PCI etc. are mapped at different addresses, but I did not make accurate tests, so I may be wrong.
01.08.06
Posted in General Posts at 11:30 am by andreageddon
A friend posted me this stuff, which is a snippet of code used to retrieve the EIP of the first instruction line. This is a common shellcode snippet used in Metasploit:
D9 EE          FLDZ
D9 74 24 F4    FNSTENV BYTE PTR [ESP - 0C]
5B             POP EBX
FLDZ loads a zero into the first FPU stack register (st(0)). Then FNSTENV is executed, which loads the FPU environment status, in which there is also the pointer to the last FPU instruction that was executed. The memory layout of the environment structure is:
00: control word
04: status word
08: tag word
12: fpu instruction pointer offset
16: fpu instruction pointer selector
20: fpu operand pointer offset
24: fpu operand pointer selector
(some reserved bits are missing, see the Intel manuals for more details)
At struct+12 there is the pointer to the last FPU instruction that was executed. So after the fnstenv [esp-c] we will have in [esp] the pointer to the fldz instruction.
Nothing strange for now, it’s just like a standard
call @@2
@@2: pop ebx
However, the interesting part is that if you trace the FPU code with Olly you will not get the address of the fldz in ebx, but you will get 0 or some garbage address. This probably happens because if you execute a single step the int01 is invoked and the kernel executes some code, so for you the single step is transparent but for the FPU it’s not.
So in a word, this could be a nice anti-tracing trick.
Byez!
AndreaGeddon
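As an added example (not code from the post), a scanner that finds the fldz / fnstenv / pop GetPC stub described above in a byte buffer and works out, from the disp8 and the offset-12 layout given in the post, whether the pop actually receives the FPU instruction pointer. It generalises beyond the page to the other two-byte x87 constant loads (fld1, fldpi, ...) and to any esp displacement, which are assumptions; a second helper reads the FIP field out of a raw fnstenv environment dump, which is useful when checking what a traced stub really left on the stack.

```python
import struct

# Second byte of the two-byte x87 constant loads that GetPC stubs use; D9 EE (fldz)
# is the one on the page, the others are assumed variants of the same idea.
FPU_CONST_LOADS = {
    0xE8: "fld1", 0xE9: "fldl2t", 0xEA: "fldl2e", 0xEB: "fldpi",
    0xEC: "fldlg2", 0xED: "fldln2", 0xEE: "fldz",
}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
FNSTENV_ESP = b"\xD9\x74\x24"  # fnstenv [esp+disp8]: opcode, ModRM 74, SIB 24, then disp8
FIP_OFFSET = 12                # FPU instruction pointer offset inside the 28-byte environment

def find_fnstenv_getpc(buf: bytes) -> list:
    """Locate fld*/fnstenv [esp+disp8]/pop r32 stubs and say where the FIP lands."""
    hits = []
    i = 0
    while i + 7 <= len(buf):
        if (buf[i] == 0xD9 and buf[i + 1] in FPU_CONST_LOADS
                and buf[i + 2:i + 5] == FNSTENV_ESP
                and 0x58 <= buf[i + 6] <= 0x5F):
            disp = struct.unpack("<b", buf[i + 5:i + 6])[0]
            hits.append({
                "offset": i,
                "fpu_insn": FPU_CONST_LOADS[buf[i + 1]],
                "disp": disp,
                "pop_reg": REG32[buf[i + 6] - 0x58],
                # the pop only receives the address of the fld* instruction when the
                # FIP field lands exactly at [esp], i.e. disp + 12 == 0 (disp8 = F4)
                "pop_gets_pc": disp + FIP_OFFSET == 0,
            })
            i += 7
        else:
            i += 1
    return hits

def fip_from_env(env: bytes) -> int:
    """Read the last-FPU-instruction pointer out of a raw 28-byte fnstenv dump."""
    return struct.unpack_from("<I", env, FIP_OFFSET)[0]

# Constructed sample: two stubs inside filler bytes. The first is the exact byte
# sequence from the post (D9 EE D9 74 24 F4 5B); the second uses fld1 and a
# displacement of -8, which leaves the tag word, not the FIP, under the pop.
SAMPLE = (b"\x90\x90\x90\x90"
          + b"\xD9\xEE\xD9\x74\x24\xF4\x5B"
          + b"\x31\xC0"
          + b"\xD9\xE8\xD9\x74\x24\xF8\x58"
          + b"\xC3")
```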
08.21.05
Posted in General Posts at 11:29 am by andreageddon
Reversing applies to everything, not only to software or hardware. What if we reverse our “reality” to understand how it works? Well, usually this is the work of a physicist.
Let’s see some tricks! What we can feel with our senses is just information; what about this information? Could it be a “simulation”? Is a matrix scenario really so far from us? We can see some nice things about the information of our reality.
We can study our universe in two directions: the macroscopic world, or the microscopic world. Let’s start from the macroscopic one. How big is the universe? Does it have a size? Scientists already gave us an answer. Ok, we are here on Earth; what if we want to move inside the universe? We can’t. Relativity tells us that there is a maximum speed (the speed of light) we can use, and even using that maximum speed, it would require too much time to travel even to the nearest star (Alpha Centauri is about 4 light years away from us; it would require 4 years to go there at the speed of light!). This practically means we are stuck in our solar system. The important thing is that INFORMATION follows these rules too! There can’t be information propagation faster than the speed of light. Our universe is about 13 or 14 billion light years big: actually THERE IS something that is 1 billion light years away from us, but what’s happening NOW there? We don’t know, we can’t know it NOW. We will know it after 1 billion years (the time it takes light to come to us). Even when you look at the sun, you are looking at something that happened 8 minutes earlier. Inside our solar system we can see things and know information really fast. Outside we can’t. Information is limited.
Now we go to the microscopic world. Quantum mechanics has been introduced to study this world, since the laws of classical physics can’t be applied to a small scale such as the atom’s. Ok, we can dig into the matter, we always study smaller matter, smaller matter, and we arrive at the subatomic world. Let’s suppose we want to know the spin of an electron. We can know it. Ok. Why does the electron have such a spin? We must study more things to know what brought the electron to have its spin. It’s like seeing a ball that falls on the ground: we can study why it fell, what made it fall, what created the event that made it fall, what created the event that created the event that made it fall, and so on. It seems it could be an infinite recursion? Let’s come back to the electron. Why does the electron have its spin? We can’t answer. That is, we can, but we can’t ask any more questions. Quantum mechanics tells us that the electron was in a linear superposition of states: its spin was both 1/2 and -1/2 at the same time. Once the information on its state was determined, it was determined with a probability of 1/2 of being spin 1/2, and a probability of 1/2 of being spin -1/2. Again, the INFORMATION is limited here, it is just given by a probability! You can’t study any deeper, there are no formulas that make things, only probabilities make things!
Ok, what’s the sense of all this? If some “computer” is simulating our reality, there MUST exist limits. Computation capability can’t be infinite. The limits are what we have already seen. The matter is created in a subatomic world, and its state is determined in a random way. This is faster and easier than making tons (maybe infinite!) of recursive formulas that make the matter. But the universe is sooooo big… how can something calculate it all? Easy… what is being seen is calculated NOW. The rest has been pre-calculated! Have you ever seen a 3D videogame? A widely used technique is to avoid drawing too-distant polygons. The mouse I am using is being calculated NOW. The star I can observe, that is 1 billion light years away, has been pre-calculated, and I see the work done maybe a long time ago. What is happening now at a point 1 billion light years away from me is being calculated maybe at a later time, it doesn’t matter, since I will only see the results in a billion years!! This permits the system to focus the simulation on my nearest space. Why should a limit speed exist? When I talk of speed I talk of v = ds/dt, assuming s and t to be in a continuous space. But if it is so there should be no problem in traveling at whatever speed I want, since EVERY ds/dt value IS mathematically possible. There is now a problem… continuous space? If we are talking of a simulation it can’t be used. It is impossible for a computer to compute a continuous space. Are we instead in a discrete world? In quantum mechanics we often think in discrete terms! If we are in a discrete world the problem of the speed could make sense. Let’s make an experiment: in a time quantum t1 an object is in the space quantum s1. In the following time quantum t2 the object is in the space quantum s10, that is, it moved by 10 space quanta in ONE time quantum. This is teleport!
Since in a discrete world there can’t exist an intermediate time between t1 and t2, the object “jumped” from s1 to s10 without existing in the intermediate space quanta s2 … s9. This could mean I can’t travel faster than 1 space quantum in 1 time quantum. That would explain WHY the speed of light exists as a limit. It would be more probable that a computer would simulate a discrete timespace and not a continuous one!

Of course this is only an interpretation; I don’t really think we are in the matrix! And the discrete limited speed doesn’t really make sense, since if we think in a quantum world we can’t think of speed in a classical way! This stuff is just an interpretation that I enjoyed; don’t take it too seriously!
Bye!
AndreaGeddon
07.05.05
Posted in General Posts at 11:27 am by andreageddon
I was working on a small app to hook the keyboard; I used the SetWindowsHookEx function to set a WH_KEYBOARD hook. My intent was to hook the “on screen keyboard” usage. So I wrote my DLL with my nice hook procedure, but something went wrong. The hook seemed not to work properly! My DLL was made as follows:
in DllMain, case DLL_PROCESS_ATTACH:
Pointer = Open_An_Existing_File_Mapping
in hook proc:
Pointer[i] = current char;
When “typing” a key on the OSK, this DLL is injected into the OSK process, but guess what? Is the DLL mapped and DllMain executed? No.
The DLL is mapped, but the hook function is executed BEFORE DllMain. As a result my pointer is null, and the hook procedure crashes. Well, not really: you don’t see the standard application crash dialog! The DLL crashes silently and is unmapped, so the hook won’t work. To avoid this problem I had to put the DLL initialization in the hook procedure.
Maybe this is due to the reasons mgrier explains (http://blogs.msdn.com/mgrier).
Bye!
AndreaGeddon
06.28.05
Posted in General Posts at 11:25 am by andreageddon
Here is a nice tutorial on how to completely defeat TheMida:
Click here to view the link.
Thanks to rce for this link!
Enjoy 
AndreaGeddon
06.08.05
Posted in General Posts at 11:23 am by andreageddon
I was working on ExeCryptor and the related license manager, based on Hardkey4, an asymmetric algorithm. The packer itself is nice, the polymorphic engine is wonderful, and there are several anti-debugging tricks:
PEB.BeingDebugged
PEB.NtGlobalFlag
Static tls callbacks
Crc on exe file (not image)
CheckRemoteDebuggerPresent (only > XP SP1)
FindWindow (searches for OllyDbg’s registered class name)
Olly exe exports (searches every running process’s ET to find Olly API exports)
Format string BOF (OutputDebugString with a %s%s%s%s… string, crashes Olly)
Redundant LOCK prefixes which interfere with Olly (LOCK INT1, LOCK INT3)
Also anti-FileMon, RegMon, IDA etc. tricks are present.
Finding the OEP is really difficult, since the packer makes a lot of jumps in the code section before reaching the OEP. When the app is running, some portions of the exe are still encrypted, and are decrypted only at runtime if a valid serial is present.
In my program a unique ID is generated for the PC on which it’s executed, and you need a valid serial corresponding to such an ID to register the program. However, if you already have valid ID / serial information (for example you have a valid serial on your PC, and you want to run the program on your laptop) you can easily fool ExeCryptor. I simply took these steps:
save my valid ID / Serial information
run the program with Olly on another PC, that has another ID (let’s call it ID2)
during this execution, I search in memory where the string ID2 is located
it seems ONLY ONE location is important to keep the ID2 string, so I restart the process and bpm on it
once the program writes ID2 to that location, I replace it with ID (well, I replace EVERY occurrence of ID2 in memory with ID)
once this is done, the program runs, and if you insert the valid serial you have for ID, the program accepts it
Now I must test if the program FULLY works, or if somewhere it can find my trick.
This is a really easy way to bypass an otherwise hard protection scheme!
Every comment to add information on this protection system is welcome
Bye
AndreaGeddon
PS: thanks to stingduk for his suggestion that made me go faster in reversing ExeCryptor, and for his wonderful plugin NtGlobalFlag, which makes you handle TLS and a lot of other things easily!
(http://www.reversing.be/article.php?story=20050603193932184)
PPS: I fooled the FindWindow trick with Crudd’s RePair, nice work Crudd!!! You can find the tool in the tools section.
05.29.05
Posted in General Posts at 11:22 am by Devine9
Zeelock recently brought to my attention that a hack convention in the Netherlands is currently in discussions with the mayor of the location they wish to use over the cancellation of the event. This website is not about hacking, but I figure quite a number of visitors will be interested to see this and perhaps go to the event if it eventually comes to pass.
The event has been scheduled to run from July 28, 2005 to July 31, outside the small village of Liempde, near Boxtel, in the Netherlands.
Here is an excerpt from the website:
———–begin————–
We still find it hard to believe, but we have to accept the fact that it is true. The mayor of Boxtel, the municipality under which the location for ‘What The Hack’ resides, seems to be refusing a permit for our gathering, citing “grave fear that the organisation of this event will endanger law and order as well as public safety”.
A fairly literal (and by no means legally approved) translation would say:
Dear Sir, Madam,
I have received word that you intend to organize an event “What The Hack” from July 28th 2005 through July 31st 2005 on Landgoed Velder in Liempde.
In order to organize such an event, you will need to obtain a permit ex art. 2.2.2. of Boxtel local ordinance 2004.
In light of the fact that there is grave fear that this event will endanger law and order as well as public safety, I, in my capacity as an authorized official, am herewith informing you that I will not issue such a permit.
A copy of this letter will be sent to the owners of the Landgoed Velder estate.
I assume that I have sufficiently informed you.
Yours truly,
MAYOR OF BOXTEL,
J.A.M. van Homelen
————-end—————
For more information, visit the website at: http://www.whatthehack.org/news/index_html
cheers,
-DR