Bochs plugin goes alpha
Bochs debugger plugin is in alpha stage now, all of the 3 loaders mentioned in the previous blog entry, are now complete.
November 07, 2008
October 10, 2008
From simple to complex
The last week Elias ran a sample malware in the Bochs emulator and I was curious to see what it exactly does.
So I took the unpacked version of the malware and fed it into the decompiler. It turned out to be a pretty short downloadler (different AV vendors give it different names: Lighty
after the compression method, or FraudLoad, or FakeAlert, etc). Such simple code is very easy to decompile. I renamed some functions and added some
comments to it. The final text looks like this:
October 03, 2008
Bochs Emulator and IDA?
The next version of IDA will be released with a bochs debugger plugin, and what is nice about is that you will be able to use it easily by just downloading bochs executables and telling IDA where to find it.
September 25, 2008
BITS used as a covert channel
The idea to use BITS to download files from the internet is not new. If you check the corresponding page from Wikipedia, you will find that
The web page ends with a list of third-party applications that use BITS. However, as any technical method, it can be used for evil purposes as well. Eric Landuyt analyzed a malware that exploits it for bad:
http://www.datarescue.com/laboratory/trojan2008/index.html
I liked the "proof of concept" WinDbg script that runs the malware in a controlled manner. Breakpoints with actions are very powerful, indeed.
Nice work, Eric! 
August 26, 2008
The IDA Pro book
This is not the first book about IDA Pro. However, this is the first book I recommend to anyone using IDA Pro because of the following points:
- Comprehensive: it describes all major IDA features by starting at the beginning and going all the way to the end. Experienced users may be tempted to skip the first few chapters; resist this temptation and you will discover something new (I did :)
- Accurate: it is very difficult to be detailed and precise when describing such a complex product. Chris does it excellently well.
- Real: handles real world malware, packers, and obfuscated code
- No fillers: it is direct and concise
- Profound: this is not just a collection of recipes or tricks, but will give you a better understanding of the IDA architecture, thus saving you from unnecessary frustration. Knowing the limitations of your tool is just as important as knowing its capabilities.
If you want to use IDA efficiently, get your copy from No Starch Press!
UPD for numerologists: the book has exactly 640 pages, no less, no more!
August 21, 2008
Mr. Bachaalany joins Hex-Rays
I'm happy to tell you that Mr. Elias Bachaalany has joined our development team!
He is one of keenest and most knowledgeable IDA users. Elias bought his first copy of IDA long ago while he was a student. Immediately after that he contacted us with tons of questions, suggestions, ideas how to improve things, etc. While we addressed most his questions, we could not handle everything. Then he designed and implemented many free and open source scripts and plugins for IDA.
We are lucky to have him in our team. I'm sure that very soon we will see new nice features in IDA Pro created by Elias. Stay tuned!
August 09, 2008
Blackhat USA 2008
Sometimes names just do not reflect the nature of things. Sometimes it is our fault to attribute a wrong meaning to names. I do not know which of the above holds for Windows ASLR. After Alex Sotirov and Mark Dowd's talk at Blackhat I know that ASLR is not that random despite of its name.
The ASLR abbreviation contains "randomization", which is enough (at least for me) to deduce that EXEs and DLLs get loaded at randomly chosen addresses. I was wrong to think that this makes it hard for the attacker to guess the loaded addresses. As it turns out, binaries get loaded to somehow predictable addresses.
While I understand that there were some technical difficulties and compatibility issues, the implementation choices made for ASLR effectively weakened it a lot to the point that it failed to deliver the promised.
Another revelation of this talk was that IE happily loads any .NET DLL provided by the web server using the plain old LoadLibrary function. The ramifications of this are enormous because the system is essentially accepting raw binary data (a file of the PE file format) and runs it on the user's computer. No need to talk about GS, SafeSEH and any other protections mechanisms after this.
The outcome of these two choices is also predictable, as Alex and Mark demonstrated to us: anyone visiting a malicious web site with IE can be easily owned.
There were other interesting talks at Blackhat, no way I can mention all of them here. Just one more pointer: I was amused and amazed by Hovav Scacham's Return-Oriented Programming. As it turns out, pieces of "good" code in standard libraries can be used to build a turing-complete machine. This machine is programmable by the attacker using a byte code which does not require the X (execute) bit in the page permissions. This defeats W^X or DEP protections.
My talk on decompilers was received well. If you missed it, find the white paper here.
Heading to DEFCON now, for more interesting talks!
The IDA Pro book Search
Categories
Archives
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- April 2008
- March 2008
- February 2008
- January 2008
- November 2007
- October 2007
- September 2007
- August 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- October 2006
- September 2006
- August 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
