Saturday, June 11, 2011

Anonymous warns of Spain arrest revenge

According to the HTIB News report about the Anonymous members who were arrested in Spain:





Anonymous has warned about repercussions following arrests of three individuals suspected of being key members of the hacking group.

Arrests of the unnamed men were made in three Spanish cities - Barcelona, Valencia and Almeria - earlier this week. On both a blog and a Twitter post from AnonOps, the hacking group, referencing events in Spain, simply wrote: “Expect us.”

Spain's Technological Investigation Brigade (BIT) alleged the men had operated a cell of Anonymous, helping run attacks against notable firms like Sony as well as on websites run by Governments of various nations, including Egypt and Iran. BIT also posted images on Twitter of IRC conversations appearing to show plans to attack Spanish police websites and the electoral board with DDoS attacks.

What do you think about the Anonymous movement ;-) ?




Thursday, September 2, 2010

pHide_Ex [ reversing point of view ]



Hi, in this post I will introduce some aspects of the phide_ex demo rootkit.


introduction
phide_ex first appeared in October 2006. It was just an example of ultimate process hiding and was not meant to be deployed in the wild, as other security professionals may already know. When it appeared, it could bypass all security products, including the famous Rootkit Unhooker, GMER, IceSword, BitDefender and similar products, because of the robust technique it implemented as its main method of process hiding. Well, after almost 4 years (or nearly 5 years) it has become an old technique that malicious rootkits could use to hide their presence. It was a special and advanced rootkit, but as time goes on techniques also advance, and today it is no longer an effective solution for real professional rootkits. I don't want to write something that gives you the experience of writing a rootkit just like phide_ex; this post, and maybe the next one, is a small case study of this specimen from a reverse engineering point of view.
Well, if you're interested in having a sample of this treasure, feel free to leave a comment and I will put up the sample for further investigation. We will begin the first part of the reverse engineering with an investigation of the phide_ex.exe file, which is the main usermode code for this demo rootkit.


First of all, let's see what this specimen wants to do on your machine:

The first thing this demo rootkit does is get the full path of your Windows directory through a standard Windows API function. The second parameter is 104h, which equals 260 in decimal; it is pushed onto the stack after the first parameter, named Buffer, which identifies the buffer that holds the full path of the Windows directory. Because it is an _in parameter in the standard Windows library, it can be used to display the value.




After that, as you can see, the author used the old 16-bit function format for creating, writing and closing a standard text file (in this case it's better to say a log file). _lcreat is a function equivalent to CreateFile in the standard Win32 library; according to the MS documentation it takes two parameters, as follows:
LONG _lcreat(
LPCSTR lpszFileName,
int fnAttribute
);

So the path of the file, which corresponds to lpszFileName, is pushed onto the stack as the first parameter, and the second parameter, which identifies the attributes of the file, is set to 0.

_lwrite is also a 16-bit-style function; it writes data to the specified file.

Finally, the file is closed.
After these steps the rootkit uses the standard CreateFileA function to create the log file at this path: "C:\phide_ex.log".



This is the log file generated by phide_ex to produce output as evidence of the presence of this rootkit on the test system.

In the next post I will go into more detail about this rootkit (I won't promise, but I might do a deep analysis of this rootkit and write about its kernel driver in the future).

Stay tuned...


Wednesday, August 11, 2010

Mirror's Edge | Another sensational game from EA Games


Hi, unlike the other entries on this blog, this entry is about a game. Playing new games is one of my pastimes during the day. Electronic Arts is a famous game studio, and once again it has made a perfect game. Mirror's Edge is the name of this game; it's based on a sport named "Parkour". The game is quite interesting and full of cute missions. Actually it has little direct involvement with enemies; you have to jump across different and very long gaps between skyscrapers.
Sometimes you might be afraid of the jumps and movements you make the character you're playing perform.



Also, there are some special actions the girl will take in different situations, like grabbing the gun from an enemy and emptying it.
Some missions need more thinking; they're like puzzles, and not simple ones, difficult puzzles that might make you nervous, but because of the attractive actions and the different and really amazing missions, it's worth playing and enjoying.




But along with the different attractive things that make a player happy, it has a few shortcomings in my opinion.
  1. The game needs more direct involvement with enemies; always escaping and never engaging the enemy made me nervous.
  2. The game is not a third-person game; it's first-person, which is not a good idea. Given the different movements the player makes, and given that it's about parkour, EA should have made it a third-person game. The results would be quite different in that case.
There's nothing else that can be considered a shortcoming in this game. If you're playing new and attractive games, I highly recommend this game to you.





Manual inspection of the system service dispatch table (SSDT) for hook detection

You don't always have all the tools needed to detect rootkits or similar malicious activity for your customer.
A forensic investigator must be ready for all situations; reverse engineers already know this (especially given their work in the malware industry).
Well, you may already know that rootkits generally deal with low-level, in fact kernel, components. The SSDT (system service dispatch table) is a well-known table in Windows that points to the proper addresses for specified kernel services.
You also know that, for stealth purposes, most rootkits modify this table to set a kernel-level hook (aka ring0 hook) in the Windows kernel substructure and then install themselves as a device driver for better stealth, whether it concerns processes, files, registry entries or even network connections.
This type of modification is a fairly well-known and old technique described by Greg Hoglund in the book "Rootkits: Subverting the Windows Kernel", but as Greg stated at OpenRCE, despite the age of SSDT modification by rootkits, most general computer users aren't aware of it, and in today's malware it can still be effective.

Nowadays, different variants of malware implement this technique for stealth purposes.

There are various tools for analyzing and deeply inspecting your system; basically these tools are called "anti-rootkits". However, there may be other tools in this area that are not called anti-rootkits but will scan low-level system components to detect hooks or table modifications related to highly critical system components (e.g. SSDT, Shadow SSDT, IAT, IDT, IVT, ...).

I'm writing this entry for situations where you don't have a ready-to-use tool for scanning and reporting system modifications, but just have a kernel debugger (Microsoft WinDbg).
WinDbg is a kernel-level debugger which can debug and step through both user-mode and kernel-mode code.

You know that on a 32-bit system virtual memory is divided into 2 segments, 2 GB for user space and 2 GB for kernel space (although this split can be modified ...). According to this layout, user-space addresses range from 0x00000000 up to 0x7FFFFFFF and kernel-space addresses range from 0x80000000 to 0xFFFFFFFF.

With this short description out of the way, I'm going to pull out my debugger and inspect some cool stuff with it.

First of all, before we dive into the internals related to the SSDT, I advise you to set up your symbol path as follows:

srv*D:\Kernel Symbols*http://msdl.microsoft.com/download/symbols

where "D:\Kernel Symbols" above is the path on my hard drive for saving the required symbols; you can change it to your desired path.

Ok, let's dive in.

The command required to see what's going on within the SSDT is as follows:

dps nt!KiServiceTable l11c

Let me show it to you. In this listing, as you can see, there are a bunch of well-known Ntxx functions with their addresses in ntoskrnl.exe.

The output is as follows:

8082c96c 808cc106 nt!NtAcceptConnectPort
8082c970 80918390 nt!NtAccessCheck
8082c974 8091bbc6 nt!NtAccessCheckAndAuditAlarm
8082c978 809183c2 nt!NtAccessCheckByType
8082c97c 8091bc00 nt!NtAccessCheckByTypeAndAuditAlarm
8082c980 809183f8 nt!NtAccessCheckByTypeResultList
8082c984 8091bc44 nt!NtAccessCheckByTypeResultListAndAuditAlarm
8082c988 8091bc88 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
8082c98c 8093cbcc nt!NtAddAtom
8082c990 8093d900 nt!NtSetBootOptions
8082c994 80913740 nt!NtAdjustGroupsToken
8082c998 80913398 nt!NtAdjustPrivilegesToken
8082c99c 808fc3d4 nt!NtAlertResumeThread
8082c9a0 808fc384 nt!NtAlertThread
8082c9a4 8093d1f2 nt!NtAllocateLocallyUniqueId
8082c9a8 808dd9fa nt!NtAllocateUserPhysicalPages
8082c9ac 8093c80e nt!NtAllocateUuids
8082c9b0 808d0590 nt!NtAllocateVirtualMemory
8082c9b4 808d800e nt!NtAreMappedFilesTheSame
8082c9b8 89be5580
8082c9bc 80829dd4 nt!NtCallbackReturn
8082c9c0 8093de3e nt!NtDeleteBootEntry
8082c9c4 8089e96c nt!NtCancelIoFile
8082c9c8 80860e4e nt!NtCancelTimer
8082c9cc 80935e16 nt!NtClearEvent
8082c9d0 b9f8e818 d347bus+0xd818
8082c9d4 8091c100 nt!NtCloseObjectAuditAlarm
8082c9d8 8094ad12 nt!NtCompactKeys
8082c9dc 80920614 nt!NtCompareTokens
8082c9e0 808cc7f4 nt!NtCompleteConnectPort
8082c9e4 8094af66 nt!NtCompressKey
8082c9e8 808cc0a6 nt!NtConnectPort
8082c9ec 8086d104 nt!NtContinue
8082c9f0 809691c6 nt!NtCreateDebugObject
8082c9f4 808e5e28 nt!NtCreateDirectoryObject
8082c9f8 80935e66 nt!NtCreateEvent
8082c9fc 8093e184 nt!NtCreateEventPair
8082ca00 808a0eca nt!NtCreateFile
8082ca04 8089f75c nt!NtCreateIoCompletion
8082ca08 808fce5c nt!NtCreateJobObject
8082ca0c 808fcb94 nt!NtCreateJobSet
8082ca10 b9f8e7d0 d347bus+0xd7d0
8082ca14 808a0fd8 nt!NtCreateMailslotFile
8082ca18 8093e57c nt!NtCreateMutant
8082ca1c 808a0f04 nt!NtCreateNamedPipeFile
8082ca20 b9f82a20 d347bus+0x1a20
8082ca24 808ccbc2 nt!NtCreatePort
8082ca28 808f8ae4 nt!NtCreateProcess
8082ca2c 808f8a2e nt!NtCreateProcessEx
8082ca30 8093e99c nt!NtCreateProfile
8082ca34 808d2e9e nt!NtCreateSection
8082ca38 8093bf2c nt!NtCreateSemaphore
8082ca3c 808ec6a8 nt!NtCreateSymbolicLinkObject
8082ca40 808f88cc nt!NtCreateThread
8082ca44 8093de4c nt!NtCreateTimer
8082ca48 809209bc nt!NtCreateToken
8082ca4c 808ccbe6 nt!NtCreateWaitablePort
8082ca50 89be6100
8082ca54 8096a3f2 nt!NtDebugContinue
8082ca58 8093d850 nt!NtDelayExecution
8082ca5c 8093d082 nt!NtDeleteAtom
8082ca60 8093de3e nt!NtDeleteBootEntry
8082ca64 8089eab2 nt!NtDeleteFile
8082ca68 8094b5de nt!NtDeleteKey
8082ca6c 8091c20c nt!NtDeleteObjectAuditAlarm
8082ca70 8094b7ae nt!NtDeleteValueKey
8082ca74 808a1090 nt!NtDeviceIoControlFile
8082ca78 80939eaa nt!NtDisplayString
8082ca7c 89be5b30
8082ca80 809145de nt!NtDuplicateToken
8082ca84 8093d900 nt!NtSetBootOptions
8082ca88 b9f832a8 d347bus+0x22a8
8082ca8c 8093d8f2 nt!NtEnumerateSystemEnvironmentValuesEx
8082ca90 b9f8e910 d347bus+0xd910
8082ca94 808db71a nt!NtExtendSection
8082ca98 8091478a nt!NtFilterToken
8082ca9c 8093ce36 nt!NtFindAtom
8082caa0 8089eb7e nt!NtFlushBuffersFile
8082caa4 808de28e nt!NtFlushInstructionCache
8082caa8 8094be62 nt!NtFlushKey
8082caac 808d41d8 nt!NtFlushVirtualMemory
8082cab0 808de230 nt!NtFlushWriteBuffer
8082cab4 808ddd9c nt!NtFreeUserPhysicalPages
8082cab8 808da9f6 nt!NtFreeVirtualMemory
8082cabc 808a10c4 nt!NtFsControlFile
8082cac0 808f8dde nt!NtGetContextThread
8082cac4 808effc8 nt!NtGetDevicePowerState
8082cac8 808c0e76 nt!NtGetPlugPlayEvent
8082cacc 80849498 nt!NtGetWriteWatch
8082cad0 80920308 nt!NtImpersonateAnonymousToken
8082cad4 808ccc50 nt!NtImpersonateClientOfPort
8082cad8 808ff058 nt!NtImpersonateThread
8082cadc 80949106 nt!NtInitializeRegistry
8082cae0 808efdae nt!NtInitiatePowerAction
8082cae4 808fca58 nt!NtIsProcessInJob
8082cae8 808effb4 nt!NtIsSystemResumeAutomatic
8082caec 808cce5c nt!NtListenPort
8082caf0 808abea6 nt!NtLoadDriver
8082caf4 8094ce9a nt!NtLoadKey
8082caf8 8094cae4 nt!NtLoadKey2
8082cafc 808a10f8 nt!NtLockFile
8082cb00 8093a49c nt!NtLockProductActivationKeys
8082cb04 8094b012 nt!NtLockRegistryKey
8082cb08 808de396 nt!NtLockVirtualMemory
8082cb0c 808e5c1e nt!NtMakePermanentObject
8082cb10 808e4018 nt!NtMakeTemporaryObject
8082cb14 808dce5a nt!NtMapUserPhysicalPages
8082cb18 808dd3aa nt!NtMapUserPhysicalPagesScatter
8082cb1c 808d9a7e nt!NtMapViewOfSection
8082cb20 8093de3e nt!NtDeleteBootEntry
8082cb24 808a1d10 nt!NtNotifyChangeDirectoryFile
8082cb28 8094ce64 nt!NtNotifyChangeKey
8082cb2c 8094bf64 nt!NtNotifyChangeMultipleKeys
8082cb30 808e5efa nt!NtOpenDirectoryObject
8082cb34 80935f66 nt!NtOpenEvent
8082cb38 8093e25c nt!NtOpenEventPair
8082cb3c 808a1fc8 nt!NtOpenFile
8082cb40 8089f834 nt!NtOpenIoCompletion
8082cb44 808fcfe2 nt!NtOpenJobObject
8082cb48 b9f8e794 d347bus+0xd794
8082cb4c 8093e654 nt!NtOpenMutant
8082cb50 8091bcce nt!NtOpenObjectAuditAlarm
8082cb54 89be4cc0
8082cb58 80914fd6 nt!NtOpenProcessToken
8082cb5c 80914bdc nt!NtOpenProcessTokenEx
8082cb60 808d1ec2 nt!NtOpenSection
8082cb64 8093c026 nt!NtOpenSemaphore
8082cb68 808ec88e nt!NtOpenSymbolicLinkObject
8082cb6c 89be4fc0
8082cb70 80914ff4 nt!NtOpenThreadToken
8082cb74 80914d4c nt!NtOpenThreadTokenEx
8082cb78 8093df6e nt!NtOpenTimer
8082cb7c 8096c494 nt!NtPlugPlayControl
8082cb80 808f0dfc nt!NtPowerInformation
8082cb84 8091f3ba nt!NtPrivilegeCheck
8082cb88 8091afe0 nt!NtPrivilegeObjectAuditAlarm
8082cb8c 8091b1cc nt!NtPrivilegedServiceAuditAlarm
8082cb90 89be59c0
8082cb94 8093601e nt!NtPulseEvent
8082cb98 8089ed5c nt!NtQueryAttributesFile
8082cb9c 8093d900 nt!NtSetBootOptions
8082cba0 8093d900 nt!NtSetBootOptions
8082cba4 80867e36 nt!NtQueryDebugFilterState
8082cba8 80937bf0 nt!NtQueryDefaultLocale
8082cbac 80938850 nt!NtQueryDefaultUILanguage
8082cbb0 808a1caa nt!NtQueryDirectoryFile
8082cbb4 808e5f9a nt!NtQueryDirectoryObject
8082cbb8 808a1ff8 nt!NtQueryEaFile
8082cbbc 809360e6 nt!NtQueryEvent
8082cbc0 8089ee94 nt!NtQueryFullAttributesFile
8082cbc4 8093d0aa nt!NtQueryInformationAtom
8082cbc8 808a2864 nt!NtQueryInformationFile
8082cbcc 808fd4b4 nt!NtQueryInformationJobObject
8082cbd0 808cceba nt!NtQueryInformationPort
8082cbd4 808f4862 nt!NtQueryInformationProcess
8082cbd8 808f3490 nt!NtQueryInformationThread
8082cbdc 809150d4 nt!NtQueryInformationToken
8082cbe0 80937fee nt!NtQueryInstallUILanguage
8082cbe4 8093ee1e nt!NtQueryIntervalProfile
8082cbe8 8089f8dc nt!NtQueryIoCompletion
8082cbec b9f832c8 d347bus+0x22c8
8082cbf0 8094a310 nt!NtQueryMultipleValueKey
8082cbf4 8093e6fc nt!NtQueryMutant
8082cbf8 808ebdc8 nt!NtQueryObject
8082cbfc 8094a976 nt!NtQueryOpenSubKeys
8082cc00 8093eeac nt!NtQueryPerformanceCounter
8082cc04 808a35fc nt!NtQueryQuotaInformationFile
8082cc08 808e0024 nt!NtQuerySection
8082cc0c 808e7a86 nt!NtQuerySecurityObject
8082cc10 8093c0de nt!NtQuerySemaphore
8082cc14 808ec92e nt!NtQuerySymbolicLinkObject
8082cc18 8093d91c nt!NtQuerySystemEnvironmentValue
8082cc1c 8093d8e4 nt!NtQuerySystemEnvironmentValueEx
8082cc20 809388d0 nt!NtQuerySystemInformation
8082cc24 8093a076 nt!NtQuerySystemTime
8082cc28 8093e026 nt!NtQueryTimer
8082cc2c 8093a108 nt!NtQueryTimerResolution
8082cc30 b9f8e866 d347bus+0xd866
8082cc34 808e06b2 nt!NtQueryVirtualMemory
8082cc38 808a3ae6 nt!NtQueryVolumeInformationFile
8082cc3c 808f8b2a nt!NtQueueApcThread
8082cc40 8086d14c nt!NtRaiseException
8082cc44 8093bd50 nt!NtRaiseHardError
8082cc48 808a4286 nt!NtReadFile
8082cc4c 808a47f0 nt!NtReadFileScatter
8082cc50 808cd942 nt!NtReadRequestData
8082cc54 808dbd06 nt!NtReadVirtualMemory
8082cc58 808f9fee nt!NtRegisterThreadTerminatePort
8082cc5c 8093e834 nt!NtReleaseMutant
8082cc60 8093c20e nt!NtReleaseSemaphore
8082cc64 8089fbd4 nt!NtRemoveIoCompletion
8082cc68 8096a372 nt!NtRemoveProcessDebug
8082cc6c 8094ab68 nt!NtRenameKey
8082cc70 8094cd4a nt!NtReplaceKey
8082cc74 808ccfc2 nt!NtReplyPort
8082cc78 808cdf8a nt!NtReplyWaitReceivePort
8082cc7c 808cd992 nt!NtReplyWaitReceivePortEx
8082cc80 808cd2ac nt!NtReplyWaitReplyPort
8082cc84 808eff46 nt!NtRequestDeviceWakeup
8082cc88 808ca520 nt!NtRequestPort
8082cc8c 808ca84c nt!NtRequestWaitReplyPort
8082cc90 808efd54 nt!NtRequestWakeupLatency
8082cc94 809361f8 nt!NtResetEvent
8082cc98 80849980 nt!NtResetWriteWatch
8082cc9c 80949536 nt!NtRestoreKey
8082cca0 808fc32e nt!NtResumeProcess
8082cca4 808fc210 nt!NtResumeThread
8082cca8 809495d8 nt!NtSaveKey
8082ccac 80949668 nt!NtSaveKeyEx
8082ccb0 80949734 nt!NtSaveMergedKeys
8082ccb4 808cb83a nt!NtSecureConnectPort
8082ccb8 8093d900 nt!NtSetBootOptions
8082ccbc 8093d900 nt!NtSetBootOptions
8082ccc0 89be5860
8082ccc4 8096d02a nt!NtSetDebugFilterState
8082ccc8 8093bbfa nt!NtSetDefaultHardErrorPort
8082cccc 80937d40 nt!NtSetDefaultLocale
8082ccd0 809385b2 nt!NtSetDefaultUILanguage
8082ccd4 808a250c nt!NtSetEaFile
8082ccd8 809362b8 nt!NtSetEvent
8082ccdc 80936382 nt!NtSetEventBoostPriority
8082cce0 8093e518 nt!NtSetHighEventPair
8082cce4 8093e448 nt!NtSetHighWaitLowEventPair
8082cce8 80969d3c nt!NtSetInformationDebugObject
8082ccec 808a2e30 nt!NtSetInformationFile
8082ccf0 808fe1c2 nt!NtSetInformationJobObject
8082ccf4 80949edc nt!NtSetInformationKey
8082ccf8 808eb33e nt!NtSetInformationObject
8082ccfc 808f5758 nt!NtSetInformationProcess
8082cd00 89be56e0
8082cd04 80921736 nt!NtSetInformationToken
8082cd08 8093e980 nt!NtSetIntervalProfile
8082cd0c 8089fb72 nt!NtSetIoCompletion
8082cd10 808fb15a nt!NtSetLdtEntries
8082cd14 8093e4b4 nt!NtSetLowEventPair
8082cd18 8093e3dc nt!NtSetLowWaitHighEventPair
8082cd1c 808a35da nt!NtSetQuotaInformationFile
8082cd20 89be2700
8082cd24 8093dba0 nt!NtSetSystemEnvironmentValue
8082cd28 8093d8e4 nt!NtQuerySystemEnvironmentValueEx
8082cd2c 80936c1e nt!NtSetSystemInformation
8082cd30 b9f8e0b0 d347bus+0xd0b0
8082cd34 8093b37e nt!NtSetSystemTime
8082cd38 808efc68 nt!NtSetThreadExecutionState
8082cd3c 80860fde nt!NtSetTimer
8082cd40 8093a850 nt!NtSetTimerResolution
8082cd44 8093c6c4 nt!NtSetUuidSeed
8082cd48 809497ee nt!NtSetValueKey
8082cd4c 808a3ef0 nt!NtSetVolumeInformationFile
8082cd50 80939e6e nt!NtShutdownSystem
8082cd54 8084ea60 nt!NtSignalAndWaitForSingleObject
8082cd58 8093ebca nt!NtStartProfile
8082cd5c 8093ed74 nt!NtStopProfile
8082cd60 89be5420
8082cd64 89be52c0
8082cd68 8093ef98 nt!NtSystemDebugControl
8082cd6c 808fed56 nt!NtTerminateJobObject
8082cd70 89be4e50
8082cd74 89be5150
8082cd78 808fc498 nt!NtTestAlert
8082cd7c 8085d374 nt!NtTraceEvent
8082cd80 8093d90e nt!NtTranslateFilePath
8082cd84 808ac03a nt!NtUnloadDriver
8082cd88 80949ab6 nt!NtUnloadKey
8082cd8c 80949cac nt!NtUnloadKeyEx
8082cd90 808a149c nt!NtUnlockFile
8082cd94 808de924 nt!NtUnlockVirtualMemory
8082cd98 808da88c nt!NtUnmapViewOfSection
8082cd9c 80922aee nt!NtVdmControl
8082cda0 80969aa4 nt!NtWaitForDebugEvent
8082cda4 808e80dc nt!NtWaitForMultipleObjects
8082cda8 808e7ff2 nt!NtWaitForSingleObject
8082cdac 8093e378 nt!NtWaitHighEventPair
8082cdb0 8093e314 nt!NtWaitLowEventPair
8082cdb4 808a4cee nt!NtWriteFile
8082cdb8 808a52d2 nt!NtWriteFileGather
8082cdbc 808cd96a nt!NtWriteRequestData
8082cdc0 89be5f50
8082cdc4 8082cff4 nt!NtYieldExecution
8082cdc8 8093f3f0 nt!NtCreateKeyedEvent
8082cdcc 8093f4da nt!NtOpenKeyedEvent
8082cdd0 8093f58c nt!NtReleaseKeyedEvent
8082cdd4 8093f7e8 nt!NtWaitForKeyedEvent
8082cdd8 808f3210 nt!NtQueryPortInformationProcess

It seems there are some hooks installed in my system's kernel; let me describe them.
Look at the entries I marked in bold red.
As you can see, there are no proper function names exported from ntoskrnl for them.
In this case, sometimes you might see an unknown name like this:


8082cd30 b9f8e0b0 d347bus+0xd0b0


or sometimes you might see something that looks like this:

8082cd74 89be5150

Addresses without a proper function name.
This is because the malware, or even a security product installed on your system, or anything else, has modified the function addresses to point at its own function, which does whatever the malware / security product wants.

In most cases involving malware, they attempt to allocate new address ranges outside the ntoskrnl kernel base address. In this case you should pay special attention to the addresses, and if there are entries outside the kernel base address range (0x80000000 to 0xFFFFFFFF), you must know that something suspicious is attempting to hide itself, and in most cases it's a rootkit.
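As an added example (not part of the original post), here is a small Python script that does the same triage over the dps output above: it parses the slot / target / symbol columns, derives the service index from the table base, and flags every slot that does not resolve to an nt! symbol. The sample lines are copied from the dump above; splitting the module name on ! or + is an assumption about WinDbg's symbol format.

```python
"""Flag suspicious entries in a WinDbg `dps nt!KiServiceTable` dump.

Added example, not code from the original post: parses the three-column
output (table slot address, target address, optional symbol) and reports
every slot whose target does not resolve to an nt! symbol, i.e. the same
entries the post points at by hand.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches e.g. "8082cd30 b9f8e0b0 d347bus+0xd0b0" or "8082cd74 89be5150".
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?\s*$")


@dataclass
class SsdtEntry:
    index: int             # service number = (slot - table base) / 4 on x86
    slot: int              # address of the table slot itself
    target: int            # address the slot points to
    symbol: Optional[str]  # WinDbg symbol text, None when nothing resolved


def parse_dps(text: str) -> List[SsdtEntry]:
    """Parse dps output into entries; the first line gives the table base."""
    entries: List[SsdtEntry] = []
    base: Optional[int] = None
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # prompts, headers, blank lines
        slot, target = int(m.group(1), 16), int(m.group(2), 16)
        if base is None:
            base = slot
        entries.append(SsdtEntry((slot - base) // 4, slot, target, m.group(3)))
    return entries


def module_of(symbol: Optional[str]) -> Optional[str]:
    """'nt!NtCreateFile' -> 'nt', 'd347bus+0xd0b0' -> 'd347bus', None -> None.

    Assumes WinDbg's module!symbol / module+offset format.
    """
    if symbol is None:
        return None
    return re.split(r"[!+]", symbol, maxsplit=1)[0]


def find_hooks(entries: List[SsdtEntry], kernel_module: str = "nt") -> List[SsdtEntry]:
    """Return entries whose target is not a symbol inside the kernel image.

    Two cases from the post: a symbol from a foreign module (driver+offset)
    and a bare address that resolves to nothing at all.
    """
    return [e for e in entries if module_of(e.symbol) != kernel_module]


def summarize(entries: List[SsdtEntry]) -> Dict[str, int]:
    """Map foreign module name (or '<no symbol>') to number of hooked slots."""
    counts: Dict[str, int] = {}
    for e in find_hooks(entries):
        key = module_of(e.symbol) or "<no symbol>"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: a handful of lines copied from the dump in the post.
SAMPLE_DUMP = """\
8082c96c 808cc106 nt!NtAcceptConnectPort
8082c970 80918390 nt!NtAccessCheck
8082c9b8 89be5580
8082c9d0 b9f8e818 d347bus+0xd818
8082ca00 808a0eca nt!NtCreateFile
8082cd30 b9f8e0b0 d347bus+0xd0b0
8082cd74 89be5150
"""

if __name__ == "__main__":
    table = parse_dps(SAMPLE_DUMP)
    for e in find_hooks(table):
        print(f"service 0x{e.index:03x} slot {e.slot:08x} -> {e.target:08x} "
              f"{e.symbol or '<no symbol>'}")
    print(summarize(table))
```

Feed it the full dump and every bare address or driver+offset entry is listed with its service index, so you can compare the flagged slots against a clean table from the same build.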





Tuesday, August 10, 2010

NT Insider journal | Issue for July / Aug

Hello there.
Articles, journals, papers and anything related to learning from OSR Online have always impressed me.
It's fair to say that the greatest resource for learning and discussion about Windows driver development, and for helpful tips about general system programming on the Windows platform, is OSR Online.

They have released the new issue of their journal about Windows driver development tips.
The topics discussed in this new issue are the following:
  • Undocumented DFS & RDR Interactions
  • Peter Pontificates: Pros & Cons of Agile SW Development Methodology
  • Virtual Storport Tweaks
  • Debugger Extensions: Short Term Effort, Long Term Gain
  • The Isolation Driver (Part I)
  • A Primer on Signature Checks in Windows
  • Implementing Reader/Writer Locks in User-Mode
  • Analyst’s Perspective: Debug Smarter
  • WDK Community Bug Bash Contest 2010
So if you like it, you can grab a copy from here.
I hope it's useful and full of new tips you haven't seen before.

Monday, August 2, 2010

Windows NT Architecture Vs. Prior Windows Versions

You know, having knowledge about the architecture or internals of an operating system is an essential part of the job for a system programmer, a system administrator and, dare I say, a security expert.
Well, Windows is a big and complex operating system, and across its different versions it has shown the community that Windows always has the potential to progress alongside other operating systems like Apple's Mac OS X or the various POSIX-based systems such as the different variants of Linux or the BSDs.
Nowadays everyone likes to work, develop and gain experience with the new Windows versions, I mean Windows 7. It's a good idea for everyone to have experience with new product releases, but in fact having at least some knowledge about prior versions is a prerequisite for professionals who want to venture into the internals.
As you may already know, developing effective applications requires in-depth knowledge about how the underlying system works. It's a mandatory topic for programmers and security experts who are trying to build native (subsystem-independent) applications or kernel-land software.
Of course, there is no user-friendly application programmed purely in ring0, because by default, or better to say by nature, a ring0 application is installed through services and nobody can see its output directly.
I've decided to dedicate this entry to anyone who would like to know Windows NT better (including Windows 2000, Windows XP 32 & 64-bit, Windows 2003 32 & 64-bit), so if you're a beginner in this area keep following this blog, and if you're an experienced Windows system programmer feel free to skip this entry.

From the initial announcement of Windows NT, Microsoft made it clear that it was to be the long-term replacement for Windows 95 (and its subsequent releases, Windows 98 and Windows Millennium Edition).
The following list highlights some architectural differences and advantages that Windows NT (and its subsequent releases) has over Windows 95 (and its subsequent releases):

  • Windows NT supports multiprocessor environments, whereas Windows 95 doesn't.
  • The Windows NT file system supports security (such as discretionary access control), whereas the Windows 95 file system doesn't.
  • Windows NT is a fully 32-bit (and now 64-bit) operating system; it contains no 16-bit code other than support code for running 16-bit Windows applications. Windows 95 contains a large amount of old 16-bit code from its predecessors, Windows 3.1 and MS-DOS.
  • Windows NT is fully reentrant, or better to say a multi-threading system. Significant parts of Windows 95 are nonreentrant (mainly the 16-bit code taken from Windows 3.1). This nonreentrant code includes the majority of the graphics and window management functions (GDI and User). When a 32-bit application on Windows 95 attempts to call a system service implemented in nonreentrant 16-bit code, the application must first obtain a system-wide lock (or mutex) to block other threads from entering the nonreentrant code base. Even worse, a 16-bit application holds this lock while running. As a result, although the core of Windows 95 contains a preemptive 32-bit multi-threaded scheduler, applications often run single-threaded because so much of the system is still implemented in nonreentrant code.
  • Windows NT provides an option to run 16-bit Windows applications in their own address space; Windows 95 always runs 16-bit Windows applications in a shared address space, in which they can corrupt (and hang) each other.
  • Process shared memory on Windows NT is visible only to the processes that are mapping the same shared memory section. On Windows 95, all shared memory is visible and writable from all processes. Thus, any process can write to and corrupt shared memory being used by other cooperating processes.
  • Windows 95 has some critical operating system pages that are writable from user mode, thus allowing a user application to corrupt or crash the system.
The one thing Windows 95 can do that Windows NT-based systems will never do is run all older MS-DOS and Windows 3.1 applications (notably applications that require direct hardware access) as well as 16-bit MS-DOS device drivers.
Whereas 1000 percent compatibility with MS-DOS and Windows 3.1 was a mandatory goal for Windows 95, the original goal for Windows NT was to run most existing 16-bit applications while preserving the integrity and reliability of the system.

Windows Internals, Fourth Edition. Mark E. Russinovich, David A. Solomon. 2005

Saturday, July 24, 2010

24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

New books in the field of security always impress me.
I was away from popular security materials due to a huge amount of work on ring0 development.
Everyone knows that kernel-mode development and similar stuff are somewhat arid, but in my opinion such materials are powerful and essential for anyone in the reversing community.

While searching for new books, a friend suggested a book titled "24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them".

At first I thought I already had this book; I asked, and the answer was no.
The book I had was "19 Deadly Sins ...". Following my friend's suggestion I found the book and reviewed it.
The book is valuable to read.
The topics are up to date and clear.

Take a look at the following description:
Fully updated to cover the latest security issues, 24 Deadly Sins of Software Security reveals the most common design and coding errors and explains how to fix each one, or better yet, avoid them from the start. Michael Howard and David LeBlanc, who teach Microsoft employees and the world how to secure code, have partnered again with John Viega, who uncovered the original 19 deadly programming sins. They have completely revised the book to address the most recent vulnerabilities and have added five brand-new sins. This practical guide covers all platforms, languages, and types of applications. Eliminate these security flaws from your code:
# SQL injection
# Web server- and client-related vulnerabilities
# Use of magic URLs, predictable cookies, and hidden form fields
# Buffer overruns
# Format string problems
# Integer overflows
# C++ catastrophes
# Insecure exception handling
# Command injection
# Failure to handle errors
# Information leakage
# Race conditions
# Poor usability
# Not updating easily
# Executing code with too much privilege
# Failure to protect stored data
# Insecure mobile code
# Use of weak password-based systems
# Weak random numbers
# Using cryptography incorrectly
# Failing to protect network traffic
# Improper use of PKI
# Trusting network name resolution

So if you are interested in this book, get it from this link.