Check your system virginity in less than 60 seconds.
Today, I wrote a tool called sym32guid which aims at retrieving all stored Program DataBase (*.PDB File) GUID (Globally Unique Identifier) from a physical memory dump. To do why? The first goal was to use use symbols as additional information regarding unexported functions like the über-famous msv1_0!MsvpPasswordValidate, but it looks it can also be used to detect Virus and Trojan…
The target machine is a Windows Vista SP1 32bits, I’ve installed last week inside a Virtual Machine and I’ve extracted the physical memory dump from the windows hibernation file through SandMan Framework.
Sym32GUID - Symbols 32bits GUID dumper.
Matthieu Suiche (c) 2008 - http://www.msuiche.net
Searching for PDB signature....
Guid: {5b360e5e-6cb4-4fed-aace-dc446ac26a6b} PDB: bootmgr.pdb
Guid: {01b4cd8a-8437-4a8c-b6bf-20da89086b5c} PDB: dxapi.pdb
Guid: {c1772914-3219-4cc8-a5d6-b9e083420760} PDB: luafv.pdb
Guid: {ff6c84fc-d2e5-4d92-8d1b-cd38165357ea} PDB: diskdump.pdb
Guid: {abe17e2b-a5fc-4268-9a35-2fa52d3ba68e} PDB: msacm32.pdb
Guid: {f4e61857-4910-4231-8000-c5ce88b4d6e6} PDB: ksuser.pdb
Guid: {3376eb68-740d-46ed-9f9c-095791216b12} PDB: qagent.pdb
Guid: {ef783696-2ace-4995-9135-86e950a0dcde} PDB: mgmtapi.pdb
Guid: {3ceab1e1-dc75-4adf-ad90-ddf2983ada17} PDB: main.pdb
Guid: {c87b26a9-4f69-4f2c-b840-274f2f92085d} PDB: MFPS.pdb
Guid: {52bcd81d-e4c1-4b42-91c9-ddebc15b213b} PDB: intl.pdb
Guid: {d44d8060-ea0b-4211-8894-40831430abe7} PDB: oobefldr.pdb
Guid: {8d6249e0-dba8-466a-b545-ca680b3541ee} PDB: glu32.pdb
Guid: {09463a53-f731-4e8f-a4dd-528945738ac7} PDB: wuapi.pdb
Guid: {13c87af1-e9a5-4c12-8acc-fae8a92a77ce} PDB: dxva2.pdb
Guid: {baa51a0e-f312-473b-ac4c-ba694e867cb5} PDB: icm32.pdb
Guid: {9f6ca43b-973a-4823-ba82-0c51a37513d3} PDB: msdmo.pdb
Guid: {9d95f9c7-ae33-4799-aeab-f5ad264c40a8} PDB: aclui.pdb
Guid: {ec36dd80-0c84-40ee-b65f-f673059562dc} PDB: FXSMON.pdb
Guid: {abfc57f5-72d7-4675-a81a-488c2a30d970} PDB: cscapi.pdb
Guid: {af02eb9b-cd67-4ab0-a33d-c299abce16cd} PDB: cscui.pdb
Guid: {fc2b56b8-2613-4912-95a3-f60ae1061ecc} PDB: ddraw.pdb
Guid: {c0e31437-4eb3-4d6d-8f52-6ae5f3476dc6} PDB: TCPMON.pdb
Guid: {6a735a67-dd84-4d78-b665-73d98f265806} PDB: w:\Starteam\1999_ThinPrint\SE\Dev
\Quellcodes\MSdev\TPVMMon\Release English\TPVMMon.pdb
Guid: {0825361b-f2ef-4b18-9fd5-e2ada3dc7264} PDB: eappprxy.pdb
Guid: {03d7dbf2-52f4-48a4-84a9-e17fb7734ee6} PDB: ntkrpamp.pdb
(...)
Guid: {f6dc669d-d565-4fff-8767-fc756dc8141c} PDB: kbdus.pdb
Guid: {90140190-0102-7375-6572-33322e706462} PDB: !#HSTR:Trojan:Win32/Busky.EI
Guid: {9942c1ad-f742-4a3c-8682-8a7925e3f0d0} PDB: appwiz.pdb
Guid: {ee6f2dea-68d5-45a9-9bf5-30f52acf7e31} PDB: HNetCfg.pdb
(...)
Guid: {a6364233-9105-49f3-a054-e0bd5869f65f} PDB: win32k.pdb
Guid: {65bc1194-c0d0-420d-be9d-26b894a4dddd} PDB: dxg.pdb
Guid: {c75665db-de52-4724-8b6c-0d9389c4d326} PDB: TSddd.pdb
Guid: {4baaedc2-8c46-4577-adf9-5aca59f7f6c9} PDB: clfs.pdb
Guid: {271175d5-763c-48a7-9600-8af3b4096251} PDB: ci.pdb
Guid: {032c7493-d12b-4132-b060-690307a1cf02} PDB: kdcom.pdb
Guid: {bc65b112-97d7-4f25-bb01-7884612e1efb} PDB: pshed.pdb
Guid: {02125e70-512a-456f-bb0e-955ad9d31525} PDB: bootvid.pdb
Guid: {17d8e566-7c50-42ad-b862-830e99e1d3a5} PDB: mcupdate_GenuineIntel.pdb
[TOTAL:] Sym32GUID retrieved 697 GUID signatures.
Awesome nop? :) This might means that old school ASM virus programmers are dead now. Moreover, it also proves that Visual Studio can do Anti-virus job with its debug directory.
Tool and source can be downloaded there
Sym32GUID - Symbols 32bits GUID dumper. Matthieu Suiche (c) 2008 - http://www.msuiche.net Usage: Sym32Guid.exe [option] dumpfile Commands: -u Print the remote url to download the symbol from Microsoft server. Sample: Sym32Guid.exe memory.dump Search guid. Sym32Guid.exe -u memory.dump Search guid and print msdl url.
Ooh! Headshot! Linus Torvalds about OpenBSD Team.
Source: http://thread.gmane.org/gmane.linux.kernel/706600/
On Tue, 15 Jul 2008, Linus Torvalds wrote: > So as far as I'm concerned, "disclosing" is the fixing of the bug. It's > the "look at the source" approach. Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior. It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important. In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking. Security people are often the black-and-white kind of people that I can't stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything *else* that is also important! Linus
