Saturday, April 05, 2008
It's been a few crazy weeks for me. A few weeks ago I finally moved back to the wonderful Barcelona and I'm trying to get settled in between trips to SOURCE Boston, BlackHat Amsterdam and now RSA in San Francisco... and next week is going to be HitB in Dubai, where I'll be showing a new tool I've put together.
SOURCE Boston was a really interesting event, impeccably organized and with really great speakers and atmosphere. The technical level of the talks I could see was great, but I missed the first day of the conference because of tight scheduling. The materials will be coming out here. It was the first installment and I sure hope it will be the first of many, as it was really fun and enjoyable.
In BlackHat Amsterdam I was teaching the training with Pedram Amini. We got some good feedback and the course should be seeing some good updates in Las Vegas later in the summer.
Sunday, March 02, 2008
Old interviews with members of 29A
The guys at Hispasec managed to dig up some old interviews with GriYo and MrSandman, members of the legendary group 29A, which recently announced it was closing shop. Definitely worth a read if you can handle Spanish.
Labels: reverse engineering, security
Tuesday, February 19, 2008
badass debugger + badass toy = geek pr0n
Today I finally got working a hacked-together minimal version of the iPhone debugger client for BinNavi. It's heavily based on Patrick Walton's weasel debugger (with HD's updates). Once tied to BinNavi's debug client framework the whole client-server interaction is trivial.
It feels just right, the best looking debugger together with the slickest device.. recipe for fun.. ;-)

The test application is telnet on the iPhone. On the iPhone's screen is the debug output from BinNavi's debug client. telnet is launched from an ssh session in OSX, where BinNavi is running.

For anybody trying to link Mach's debugging interface with a C++ iPhone application, remember the extern "C" when declaring boolean_t exc_server(mach_msg_header_t *in, mach_msg_header_t *out); (which is not declared in the header files, as pointed out in weasel's source code). Otherwise you'll get a nasty "Undefined symbols" message when linking.
extern "C" is also needed for catch_exception_raise(...) so exc_server can call it to handle exceptions. Documented here.
(I've used the standard iPhone toolchain on Debian; this is running on firmware 1.1.3)
Labels: BinNavi, reverse engineering, security, tools, visualization
Friday, November 30, 2007
Take Two: Packers, Time and Google Groups
I just had to do it... This morning I read about chronoscope in a post on the Google Code Blog and I could not help wanting to tinker with it.
I wrote a Mathematica function to export a time-series of the format (timestamp, value) into the dataset format used by chronoscope:
    Epoch[date_] := ToString[AbsoluteTime[DateList[ToString[date]]] - AbsoluteTime[DateList["1970"]]];
    ChronoscopeJsExport = Function[{datasetName, id, label, axis, data},
      jsData = datasetName <> " = {\nId: \"" <> ToString[id] <> "\", \n" <>
        "domain: [" <> StringJoin[Riffle[Map[Epoch, data[[All, 1]]], ", "]] <> "], \n" <>
        "range: [" <> StringJoin[Riffle[Map[ToString, data[[All, 2]]], ", "]] <> "], \n" <>
        "label: \"" <> ToString[label] <> "\", \n" <>
        "axis: \"" <> ToString[axis] <> "\"\n};";
      jsData
    ];
And ran it through the packer time-series I harvested from Google Groups. Then I picked some widget demo code and put it all together in a mash-up. The results of the quick hack are here... much nicer to visualize than in the previous post. (and it's interactive!)
- Use the mouse-wheel to zoom
- Drag the plot left/right to browse around different date ranges
- You can pick any packer and the data will be plotted against the previously selected one
Labels: programming, security, tools, visualization
Sunday, November 25, 2007
pefile 1.2.8
And yet another one. pefile 1.2.8 comes with the usual few bugfixes and a slew of enhancements. Some of them are:
- One can now "relocate" the image by invoking relocate_image(ImageBase) with a new ImageBase; the PE file's relocations will be applied to produce the relocated image.
- Section entropy is computed faster (thanks to Gergely)
- MD5, SHA-1, SHA-256, SHA-512 hashes are calculated on a per-section basis (thanks Jim Clausing for the suggestion)
- Improved (rather, fixed) handling of Unicode strings when parsing the resources information
For more details and downloads head to pefile's project page.
Labels: pefile, programming, reverse engineering, security, tools
Wednesday, November 21, 2007
Packers, Time and Google Groups
The other day I was talking with a friend and the discussion turned to when certain anti-disassembly, anti-debug, etc. techniques might have appeared. That's bound to be difficult because tricks are usually discovered simultaneously by different people.
So I thought, a trick will usually be regarded as "common" once it gets implemented in some packer, as those try to make analysis difficult and will attempt to embed whichever tricks are good/popular within the underground at the time in order to make the reverse engineering process as cumbersome as possible. Therefore if I could somehow place packers in time I'd have a starting point...
That led me to remember Google Groups. It's possible to make queries restricted to date ranges and the archives go back to 1981. I quickly put together a script to scan with a one-month window from 1981 to 2007 for a set of popular packers.
The most painful part of the whole process was to fool Google... they sure do not like robots... whenever they get a bunch of very simple automated queries they'll serve back a "403 Forbidden" saying the queries look like they come from a virus or spyware app...
But my script is good, it's no evil spyware... so I got into the mood of working my way around the checks. I needed to do quite a few queries (> 10K) so I'd better make it believe I'm not a robot. Besides finding the right timing for the queries (too often will make Google sad) I had to distribute the search over a few hosts, randomize headers and User-Agents and the query itself (just throw in some randomized, "orthogonal" (nothing to do with your query) search terms). After that the script was good to go...
So, after mining the newsgroups for popular packer names (the search string was, most of the time, " exe" plus the "randomized" terms) I got a cute small data set to throw into Mathematica...

The results will have some inaccuracies, as it's possible some of the terms appeared in some news post not related to the packers. Yet I think they look plausible. When the volume of hits is high enough or constant over time it feels like it would indicate the approximate release date of the packer in question, or at least the first public discussion about it which, I would tend to think, will not necessarily be too far apart.
If someone can either corroborate or refute the data I'll be glad to hear it.
I also did some tests overlaying virus release times in order to try to spot correlations between big outbreaks and news posts about packers, but I couldn't see anything particularly significant.
Labels: reverse engineering, security, visualization
Wednesday, September 26, 2007
Metasploit on the iPhone
A nice write-up on the iPhone has been posted in Metasploit's blog.
My favorite point...
Every process runs as root. MobileSafari, MobileMail, even the Calculator, all run with full root privileges. Any security flaw in any iPhone application can lead to a complete system compromise. A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with "always-on" internet access over EDGE and you have a perfect spying device.
Labels: security
Tuesday, September 18, 2007
Hex-Rays unleashed
Hex-Rays, Ilfak Guilfanov's decompiler, has been unleashed. I have had the chance to play a bit with the beta and it is really impressive, to say the least. This will save so many hours for reverse engineers...
Labels: reverse engineering, security, tools
Friday, August 10, 2007
Black Hat Slides
Although originally Halvar Flake and I were supposed to present together in a quick turbo-talk at Black Hat in Las Vegas, he unfortunately couldn't make it to the conference for reasons that have been already discussed.
I ended up sticking mostly to the original plan for the talk and presented some Python tools to automate reverse engineering and analysis processes.
I've just put the slides up here.
Labels: ida2sql, pefile, programming, python, reverse engineering, security, tools
Saturday, July 14, 2007
BlackHat Vegas is nearly here...
I'll be there, teaching with Pedram a couple of rounds (weekend and week) of our training, Reverse Engineering on Windows: Application in Malicious Code Analysis. And then ranting together with Halvar in a turbo talk, 4 x 5
For the people more into cutting edge vulnerability research, Halvar will also be doing his Analyzing Software for Security Vulnerabilities. Feel free to grab any of us during the conference if you have any questions regarding BinDiff, BinNavi or VxClass.
And now that I am in the mood of advertising things, be sure to check OpenRCE's event calendar, you can even subscribe to the iCal feed. I try to keep it up to date with whatever events fall into my ears. If anyone knows of more, please let me know.
Labels: reverse engineering, security, training, travel
Thursday, June 14, 2007
Safari 3.0.1 for Windows
Apple released today an update for the recently unleashed Safari for Windows, attempting to fix some of the problems promptly uncovered after the initial release.
I wanted to take a look at all the changes in the release. After comparing the hashes of all executable modules, the following were identical to the ones included in Safari 3.0.0:
- coregraphics.dll, icudt36.dll, icuin36.dll, icuuc36.dll, libtidy.dll, libxml2.dll, libxslt.dll, javaplugin.jar, pthreadvc2.dll, sqlite3.dll, zlib1.dll
Of all the remaining ones, whose hashes were different, the following proved to be structurally identical after running them through BinDiff:
- safariresources.dll, cfnetwork.dll, safaritheme.dll, pubsubdll.dll, npjavaplugin.dll, corefoundation.dll
So that leaves us with the stuff to focus on:
- safari.exe and webkit.exe
The dependencies between these modules are shown in the following graph (green=identical hash, black=hash changed but structurally identical, red=the meat)

Within those two modules, BinDiff finds a handful of functions changed. What could possibly have been fixed... ? ;)
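The two checks leaned on above, the per-section hashes and entropy announced for pefile 1.2.8 and the hash-first triage of the Safari 3.0.1 modules, fit together in a few lines of Python. What follows is an added example written for this page, not pefile's or BinDiff's own code: it walks the PE section table with struct, computes each section's entropy and MD5/SHA-1/SHA-256/SHA-512, and classifies every section of a new build against the old one. The two "builds" are constructed in memory (build_pe, Section and the sample data are this example's own test scaffolding, not loadable executables); the structural comparison BinDiff performs on changed code is out of scope, this only narrows down which sections actually changed when a whole-file hash differs.

```python
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass

FILE_ALIGN = 0x200  # file alignment used by the constructed images


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    data: bytes  # raw bytes as stored on disk, alignment padding included


def _round_up(n):
    return -(-n // FILE_ALIGN) * FILE_ALIGN


def build_pe(sections):
    """Construct a minimal PE32 image for testing (constructed data, not a
    loadable executable): DOS stub, PE signature, COFF header, a blank
    optional header, then one section header and raw blob per entry."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    opt_size = 224                                        # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    headers_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = _round_up(headers_len)                      # first section on disk
    table, blobs, va = b"", b"", 0x1000
    for name, data in sections:
        raw_size = _round_up(len(data))
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, raw_size, raw_ptr, 0, 0, 0, 0,
                             0x60000020)                  # code | exec | read
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(_round_up(headers_len), b"\0") + blobs


def parse_sections(image):
    """Walk the section table. Raw data that runs past the end of the file
    (a common malformation) is clamped instead of raising."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = fields[1:5]
        data = image[rptr:min(rptr + rsize, len(image))]
        sections.append(Section(name, vsize, va, data))
    return sections


def section_entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0); packed or encrypted
    sections sit near the top, plain code usually well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def diff_builds(old_image, new_image):
    """Classify each section as identical/changed/added/removed by SHA-256."""
    old = {s.name: section_hashes(s.data)["sha256"] for s in parse_sections(old_image)}
    new = {s.name: section_hashes(s.data)["sha256"] for s in parse_sections(new_image)}
    report = {}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report[name] = "added"
        elif name not in new:
            report[name] = "removed"
        else:
            report[name] = "identical" if old[name] == new[name] else "changed"
    return report


# Constructed sample builds: same code, only the resource section differs,
# i.e. the whole-file hash changes although nothing executable did.
CODE = bytes(range(256)) * 4  # every byte value equally often: entropy 8.0
OLD_BUILD = build_pe([(".text", CODE), (".rsrc", b"FileVersion 3.0.0\0")])
NEW_BUILD = build_pe([(".text", CODE), (".rsrc", b"FileVersion 3.0.1\0")])

if __name__ == "__main__":
    for s in parse_sections(NEW_BUILD):
        print(f"{s.name:8} entropy={section_entropy(s.data):.2f} "
              f"sha256={section_hashes(s.data)['sha256'][:16]}...")
    print(diff_builds(OLD_BUILD, NEW_BUILD))
```

Entropy is computed over the raw on-disk bytes, padding included, so a tiny section padded to file alignment scores low even if its payload is random; compare against virtual_size when that matters. Modules that come out as "identical" in every code section but "changed" in .rsrc are the ones a BinDiff run is likely to confirm as structurally identical.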
Labels: bindiff, reverse engineering, security
Monday, June 11, 2007
VxClass. Automated executable classification
Here at Sabre Security, we have been putting together a variety of technologies nurtured and developed over years of reverse engineering and malware analysis. All of it has taken form in VxClass, which is finally shaping up. We are quite proud and happy to see such a complex project (and one I've personally long dreamed about) actually working.

The first incarnation of VxClass is already able to automatically handle (unpack, analyze and classify) a wide range of Windows malware. The results are nearly addictive to look at. Accompanying this post are some screenshots of the Web interface showing a listing of files and the automatically generated clusters of families.
VxClass will allow analysts or other tools to communicate with it and submit executable files. Those will be unpacked, analyzed and classified automatically according to their structural properties. The classification results as well as the analysis databases can be retrieved through either an XMLRPC or a Web interface.

If you or your company would be interested in evaluating it or discussing whether it might be an applicable technology for you, don't hesitate to drop us a mail.
Also, I'm in the Bay Area for most of June and August (and also at Black Hat in Las Vegas). So if you want me to demo it or chat about it, drop me a line.

Labels: reverse engineering, security, tools
Saturday, June 09, 2007
pefile and packer detection
I've always wanted some tool that I could run over large collections of executable files and that would tell me what's packed and what's not and, ideally, also the packer. PEiD has wonderful signature libraries but my ideal tool would be easier to integrate with other components and not restricted to Windows.
The guys at OffensiveComputing had put together some code to recognize packers by making use of PEiD signatures and pefile.
I've decided that it's time for pefile to have such functionality by default and I've reimplemented the signature parsing and matching. The next version of pefile should include this new code.
I've also found some pretty extensive signature libraries and here are some results of test runs on some files I have lying around.
Of the 48.025 files (all malware) that I scanned, in ~42% no packer could be found using the current signature database. In the remaining ~58% the tests found 227 different packers and compiler signatures.

A more extensive listing of the most frequently found packers looks like:

Given that I've run pefile on several tens of thousands of pieces of malware with all kinds of exotic PE format contortions, I've managed to find and fix a couple of obscure bugs. The forthcoming release will be even more robust when facing files that push the limits of PE format well-formedness.
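To make the "signature parsing and matching" concrete, here is an added example written for this page (not the code that went into pefile, and not PEiD's): a parser for the PEiD UserDB text layout, where each entry is a bracketed name, a signature = line of hex bytes with ?? wildcards and an ep_only = flag, and a matcher that tests ep_only entries at the entry point only and the others at every offset. The database text, the file bytes and the entry-point offset are constructed for the demo; the byte patterns are invented and are not real packer signatures.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample database in the PEiD UserDB.TXT layout. The byte
# patterns are invented for this demo and are NOT real packer signatures.
SAMPLE_USERDB = """
; comment lines start with a semicolon
[Sample Packer A v1.0]
signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8B 9D
ep_only = true

[Sample Packer B]
signature = 55 8B EC 83 C4 ?? 53 56 57
ep_only = true

[Sample Compiler Stub (anywhere)]
signature = E8 ?? ?? ?? ?? E9 ?? ?? ?? ??
ep_only = false
"""


@dataclass
class Signature:
    name: str
    pattern: List[Optional[int]]  # None = wildcard byte ("??")
    ep_only: bool = True


def parse_userdb(text):
    """Parse [Name] / signature = / ep_only = entries. Any token containing
    '?' becomes a wildcard; entries without a signature line are dropped."""
    sigs, name, pattern, ep_only = [], None, None, True

    def flush():
        if name is not None and pattern:
            sigs.append(Signature(name, pattern, ep_only))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            name, pattern, ep_only = line[1:-1], None, True
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":
            pattern = [None if "?" in tok else int(tok, 16) for tok in value.split()]
        elif key == "ep_only":
            ep_only = value.lower() == "true"
    flush()
    return sigs


def match_at(data, offset, pattern):
    """True if the wildcard pattern matches data at the given offset."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(b is None or data[offset + i] == b for i, b in enumerate(pattern))


def scan(data, ep_offset, sigs):
    """Names of matching signatures, longest pattern first: ep_only entries
    are tested only at the entry point, the rest at every offset (a linear
    scan; a database of thousands of entries wants a prefix tree instead)."""
    hits = []
    for sig in sorted(sigs, key=lambda s: -len(s.pattern)):
        if sig.ep_only:
            offsets = [ep_offset]
        else:
            offsets = range(len(data) - len(sig.pattern) + 1)
        if any(match_at(data, off, sig.pattern) for off in offsets):
            hits.append(sig.name)
    return hits


# Constructed sample "file": 0x40 bytes of header, an entry point whose bytes
# match Sample Packer A, four NOPs, then a stub matching the anywhere entry.
SAMPLE_EP = 0x40
SAMPLE_FILE = (bytes(SAMPLE_EP)
               + bytes.fromhex("60E8000000005D81ED001040008B9D")
               + bytes.fromhex("90909090")
               + bytes.fromhex("E811223344E955667788"))

if __name__ == "__main__":
    db = parse_userdb(SAMPLE_USERDB)
    print(f"{len(db)} signatures loaded")
    print("hits:", scan(SAMPLE_FILE, SAMPLE_EP, db))
```

Reporting the longest match first matters with real databases, where a generic compiler-stub entry is often a prefix of a more specific packer-version entry; the short one still matches, so a scanner that stops at the first hit in file order mislabels the sample.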
Labels: pefile, reverse engineering, security
Thursday, May 24, 2007
Google talk about reverse engineering to find security vulnerabilities
Great video of a Google talk by Alexander Sotirov on reverse engineering to find security vulnerabilities.
Labels: reverse engineering, security
Sunday, January 21, 2007
Uninformed 6
The latest Uninformed issue makes for a good read.
Exploiting 802.11 Wireless Driver Vulnerabilities on Windows is truly interesting. Considering how highly sensitive something like wireless drivers are, it's just sad how breakable they appear to be.
Subverting PatchGuard Version 2 is Skywing's latest effort on how to overcome Microsoft's integrity checking technology. It's nice to see how far Microsoft have come and yet quite amusing to see the holes they leave open...
It also includes a nice article from skape on relocation tricks one can play with PE files. Although some of those tricks have been around in malware for a while, this is the first time I've seen a good write-up about how they work.
Playing with relocations is a trick that Pedram and I always comment on in our training when teaching the PE file format. Speaking of which, Pedram and I will be teaching our training, Reverse Engineering on Windows: Application in Malicious Code Analysis, at BlackHat DC on February 26-27.
Labels: reverse engineering, security