Monthly Archives: July 2008

Check your system virginity in less than 60 seconds.

Today, I wrote a tool called sym32guid which aims at retrieving all stored Program DataBase (*.PDB File) GUID (Globally Unique Identifier) from a physical memory dump. To do why? The first goal was to use use symbols as additional information regarding unexported functions like the ├╝ber-famous msv1_0!MsvpPasswordValidate, but it looks it can also be used to detect Virus and Trojan…

The target machine is a Windows Vista SP1 32bits, I’ve installed last week inside a Virtual Machine and I’ve extracted the physical memory dump from the windows hibernation file through SandMan Framework.

 Sym32GUID - Symbols 32bits GUID dumper.
 Matthieu Suiche (c) 2008 - http://www.msuiche.net

Searching for PDB signature....

  Guid: {5b360e5e-6cb4-4fed-aace-dc446ac26a6b} PDB: bootmgr.pdb
  Guid: {01b4cd8a-8437-4a8c-b6bf-20da89086b5c} PDB: dxapi.pdb
  Guid: {c1772914-3219-4cc8-a5d6-b9e083420760} PDB: luafv.pdb
  Guid: {ff6c84fc-d2e5-4d92-8d1b-cd38165357ea} PDB: diskdump.pdb
  Guid: {abe17e2b-a5fc-4268-9a35-2fa52d3ba68e} PDB: msacm32.pdb
  Guid: {f4e61857-4910-4231-8000-c5ce88b4d6e6} PDB: ksuser.pdb
  Guid: {3376eb68-740d-46ed-9f9c-095791216b12} PDB: qagent.pdb
  Guid: {ef783696-2ace-4995-9135-86e950a0dcde} PDB: mgmtapi.pdb
  Guid: {3ceab1e1-dc75-4adf-ad90-ddf2983ada17} PDB: main.pdb
  Guid: {c87b26a9-4f69-4f2c-b840-274f2f92085d} PDB: MFPS.pdb
  Guid: {52bcd81d-e4c1-4b42-91c9-ddebc15b213b} PDB: intl.pdb
  Guid: {d44d8060-ea0b-4211-8894-40831430abe7} PDB: oobefldr.pdb
  Guid: {8d6249e0-dba8-466a-b545-ca680b3541ee} PDB: glu32.pdb
  Guid: {09463a53-f731-4e8f-a4dd-528945738ac7} PDB: wuapi.pdb
  Guid: {13c87af1-e9a5-4c12-8acc-fae8a92a77ce} PDB: dxva2.pdb
  Guid: {baa51a0e-f312-473b-ac4c-ba694e867cb5} PDB: icm32.pdb
  Guid: {9f6ca43b-973a-4823-ba82-0c51a37513d3} PDB: msdmo.pdb
  Guid: {9d95f9c7-ae33-4799-aeab-f5ad264c40a8} PDB: aclui.pdb
  Guid: {ec36dd80-0c84-40ee-b65f-f673059562dc} PDB: FXSMON.pdb
  Guid: {abfc57f5-72d7-4675-a81a-488c2a30d970} PDB: cscapi.pdb
  Guid: {af02eb9b-cd67-4ab0-a33d-c299abce16cd} PDB: cscui.pdb
  Guid: {fc2b56b8-2613-4912-95a3-f60ae1061ecc} PDB: ddraw.pdb
  Guid: {c0e31437-4eb3-4d6d-8f52-6ae5f3476dc6} PDB: TCPMON.pdb
  Guid: {6a735a67-dd84-4d78-b665-73d98f265806} PDB: w:\Starteam\1999_ThinPrint\SE\Dev
\Quellcodes\MSdev\TPVMMon\Release English\TPVMMon.pdb
  Guid: {0825361b-f2ef-4b18-9fd5-e2ada3dc7264} PDB: eappprxy.pdb
  Guid: {03d7dbf2-52f4-48a4-84a9-e17fb7734ee6} PDB: ntkrpamp.pdb
(...)
  Guid: {f6dc669d-d565-4fff-8767-fc756dc8141c} PDB: kbdus.pdb
  Guid: {90140190-0102-7375-6572-33322e706462} PDB: !#HSTR:Trojan:Win32/Busky.EI
  Guid: {9942c1ad-f742-4a3c-8682-8a7925e3f0d0} PDB: appwiz.pdb
  Guid: {ee6f2dea-68d5-45a9-9bf5-30f52acf7e31} PDB: HNetCfg.pdb
(...)
  Guid: {a6364233-9105-49f3-a054-e0bd5869f65f} PDB: win32k.pdb
  Guid: {65bc1194-c0d0-420d-be9d-26b894a4dddd} PDB: dxg.pdb
  Guid: {c75665db-de52-4724-8b6c-0d9389c4d326} PDB: TSddd.pdb
  Guid: {4baaedc2-8c46-4577-adf9-5aca59f7f6c9} PDB: clfs.pdb
  Guid: {271175d5-763c-48a7-9600-8af3b4096251} PDB: ci.pdb
  Guid: {032c7493-d12b-4132-b060-690307a1cf02} PDB: kdcom.pdb
  Guid: {bc65b112-97d7-4f25-bb01-7884612e1efb} PDB: pshed.pdb
  Guid: {02125e70-512a-456f-bb0e-955ad9d31525} PDB: bootvid.pdb
  Guid: {17d8e566-7c50-42ad-b862-830e99e1d3a5} PDB: mcupdate_GenuineIntel.pdb
[TOTAL:] Sym32GUID retrieved 697 GUID signatures.

Awesome nop? :) This might means that old school ASM virus programmers are dead now. Moreover, it also proves that Visual Studio can do Anti-virus job with its debug directory.

Tool and source can be downloaded there

 Sym32GUID - Symbols 32bits GUID dumper.
 Matthieu Suiche (c) 2008 - http://www.msuiche.net

   Usage: Sym32Guid.exe [option] dumpfile
Commands:
   -u      Print the remote url to download the symbol from Microsoft server.

Sample:
   Sym32Guid.exe memory.dump     Search guid.
   Sym32Guid.exe -u memory.dump  Search guid and print msdl url.

Ooh! Headshot! Linus Torvalds about OpenBSD Team.

Source: http://thread.gmane.org/gmane.linux.kernel/706600/

On Tue, 15 Jul 2008, Linus Torvalds wrote:

> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's 
> the "look at the source" approach.
Btw, and you may not like this, since you are so focused on security, one 
reason I refuse to bother with the whole security circus is that I think 
it glorifies - and thus encourages - the wrong behavior.

It makes "heroes" out of security people, as if the people who don't just 
fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just because 
there's a lot more of them. I don't think some spectacular security hole 
should be glorified or cared about as being any more "special" than a 
random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I can't 
stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in 
that they make such a big deal about concentrating on security to the 
point where they pretty much admit that nothing else matters to them.

To me, security is important. But it's no less important than everything 
*else* that is also important!

			Linus