Monthly Archives: January 2014

Developing WinDbg ExtEngCpp Extension in C++ – Memory & Debugger Markup Language (DML) – Part 3



In the previous articles we covered the basic functionality and architecture of a WinDbg ExtEngCpp extension. We now move on to additional functionality: reading debugger data, fixed-size values and larger memory buffers, and producing Debugger Markup Language (DML) output.

Debugger Data Values

A useful function is IDebugDataSpaces::ReadDebuggerData which retrieves data from the KDDEBUGGER_DATA64 structure (nt!KdDebuggerDataBlock).

```cpp
"ReadDebuggerData(DEBUG_DATA_KernBase) = 0x%I64X\n", Data);
}
```

Another option is ExtNtOsInformation::GetNtDebuggerData() (defined in engextcpp.cpp), which first tries g_Ext->m_Data->ReadDebuggerData() and, if that call fails, falls back to resolving the symbol with g_Ext->m_Symbols->GetOffsetByName(). Here is a good blogpost explaining how to use GetOffsetByName.

Fixed-size values

ExtRemoteData provides a set of accessors for values of at most sizeof(ULONG64) bytes: GetChar(), GetUchar(), GetBoolean(), GetUshort(), GetUlong(), GetUlong64() or, as we have seen previously, GetPtr(). Each one reads the value from the target at the object's offset, and a failed read throws an ExtRemoteException rather than returning a sentinel value, so be ready to catch it when the data may be paged out.

The sample below shows GetUlong() called on a field obtained from an ExtRemoteTyped object (ExtRemoteTyped derives from ExtRemoteData, so the same accessors are available on the result of Field()).

```cpp
"e_lfanew"
```

Memory buffer

Another thing you will most likely need is to read a large buffer, or several pages at once, for instance when reading a whole executable out of memory. As you know, the way an executable is mapped in memory is not necessarily contiguous, not least because of its different sections, and some of its pages may simply not be present (paged out, or absent from a kernel-only memory dump). IDebugDataSpaces::ReadVirtual reads one contiguous virtual range and is not guaranteed to give you the whole range when a page inside it cannot be read, so the example below reads the image page by page with the same method and checks each call: a page that cannot be read is reported and skipped instead of aborting the whole read.

```cpp
//
// Check if base address is valid or not.
//
// g_Ext->Dml("Error: [%d] Can't read 0x%I64x bytes at %I64x.\n",
//     Index, BytesToRead, BaseAddress + (Index * PAGE_SIZE));
// goto CleanUp;
```
Debugger Markup Language (DML)

WinDbg has its own markup language, DML. The two most useful tags are "link", which turns text into a clickable debugger command, and "col", which colors text. You cannot define custom colors; only the debugger's predefined color names are available. Two practical cautions: the text passed to g_Ext->Dml() is parsed as markup after formatting, so anything that comes from the target (image names, paths, strings read out of memory) must have &, <, > and " escaped (as &amp;, &lt;, &gt; and &quot;) before it lands inside a <col> body or a cmd attribute, otherwise it can break the output or end up inside the command the link runs; and a link executes its command in the user's debugger session when clicked, so build the cmd attribute from values you computed yourself (such as an _EPROCESS address), never from raw target strings.

A color is applied as <col fg="name" bg="name">text</col>, and either attribute may be omitted. DML can also be used from the command line and in scripts with .printf /D, which is a quick way to try the different colors.
Here is the list of the current color names (defaults only apply to windbg):

  • wbg and wfg – Default window background and foreground colors. Default to system colors for window and window text.
  • clbg and clfg – Current line background and foreground colors. Default to system colors for highlight and highlight text.
  • changed – Used for data that has changed since a previous stop point, such as changed registers in windbg. Defaults to red.
  • srcnum, srcchar, srcstr, srcid, srckw, srcpair, srccmnt, srcdrct, srcspid, srcannot – Source element colors. Defaults can be seen in windbg.
  • emphbg and emphfg – Emphasized text. Defaults to light blue.
  • subbg and subfg – Subdued text. Default to system color for inactive caption text and inactive captions.
  • normbg, normfg, warnbg, warnfg, errbg, errfg, verbbg, verbfg – Output level colors. Defaults can be seen in windbg.

In the example below we use the colors "changed" and "emphfg" to emphasize keywords before printing the details of each process.

```cpp
Dml("\n<col fg=\"changed\"/>Process: <link cmd=\"!process %p 1\"/>%s (PID=0x%x)\n"
    "<col fg=\"emphfg\"/>Path: %S\n"
    "<col fg=\"emphfg\"/>Vendor: %S\n"
    "<col fg=\"emphfg\"/>Version: %S\n"
    "<col fg=\"emphfg\"/>Description: %S\n"
```

The code above gives the following output (screenshot: sample-windbg). As you can see, it is much clearer and easier on the eyes.
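Building the same kind of process line with the escaping discussed above, as an added example that is not code from the original post. It only produces the DML string; in an extension you would hand the result to g_Ext->Dml("%s", line.c_str()). The link command is built from the numeric _EPROCESS address alone, and every string that could originate from the target goes through DmlEscape(). This uses the documented paired form <col ...>text</col>; the helper names and the sample process values are assumptions made for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Escape the four characters DML treats specially (same rules as XML/HTML).
std::string DmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Wrap text in one of the predefined foreground colors (e.g. "changed", "emphfg").
std::string DmlCol(const std::string& colorName, const std::string& text) {
    return "<col fg=\"" + colorName + "\">" + DmlEscape(text) + "</col>";
}

// A "!process <eprocess> 1" link. The command is derived from the address
// only, so nothing read from the target can alter what the click executes.
std::string ProcessLink(uint64_t eprocess, const std::string& imageName) {
    char cmd[64];
    std::snprintf(cmd, sizeof(cmd), "!process 0x%llx 1", static_cast<unsigned long long>(eprocess));
    return "<link cmd=\"" + std::string(cmd) + "\">" + DmlEscape(imageName) + "</link>";
}

// One process entry in the style of the listing above.
std::string ProcessLine(uint64_t eprocess, uint32_t pid,
                        const std::string& imageName, const std::string& path) {
    char pidBuf[32];
    std::snprintf(pidBuf, sizeof(pidBuf), " (PID=0x%x)\n", pid);
    return DmlCol("changed", "Process: ") + ProcessLink(eprocess, imageName) + pidBuf
         + DmlCol("emphfg", "Path: ") + DmlEscape(path) + "\n";
}

int main() {
    // Constructed sample: an image name that deliberately contains markup characters.
    std::string line = ProcessLine(0xfffffa8003b2a040ULL, 0x4d8, "evil<\"b\">.exe", "C:\\Temp\\a&b.exe");
    std::fputs(line.c_str(), stdout);
    return 0;
}
```

Plain Out() output needs no escaping; the rule only applies to text emitted through the DML-enabled calls (Dml, DmlVerb, DmlWarn, DmlErr), because the engine parses that text as markup.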

Related articles:

Developing WinDbg ExtEngCpp Extension in C++ – Introduction – Part 1
Developing WinDbg ExtEngCpp Extension in C++ – COM Interface – Part 2
Developing WinDbg ExtEngCpp Extension in C++ – Memory & Debugger Markup Language (DML) – Part 3
Developing WinDbg ExtEngCpp Extension in C++ – Symbols – Part 4

Developing WinDbg ExtEngCpp Extension in C++ – COM Interface – Part 2



In my previous post we started to get familiar with the ExtEngCpp types and functions. Now we will see how to use the more "low-level" functions that are part of the COM interface.

As we can see below, the base class ExtExtension exposes a total of 27 interfaces, all reachable through g_Ext:

```cpp
// These derived interfaces may be NULL on
// older engines which do not support them.
// The checked pointers will automatically
// protect access.
```

In the previous article we wrote our own function to read a UNICODE_STRING because none of the ExtEngCpp data types could do it. Looking closely at the COM interface, there are functions that read a wide string, such as IDebugDataSpaces4::ReadUnicodeStringVirtual and IDebugDataSpaces4::ReadUnicodeStringVirtualWide. They read a NUL-terminated string starting at a virtual address, not the UNICODE_STRING structure itself (Length, MaximumLength, Buffer) as in the previous post, so you still fetch the Buffer pointer from the structure first, and since a UNICODE_STRING need not be NUL-terminated you should bound the read with its Length rather than rely on a terminator.

```cpp
"SeAuditProcessCreationInfo.ImageFileName").Field("Name").Field("Buffer"
```

Another really important capability when dealing with different address spaces is switching process context, since each process has its own address space. The IDebugSystemObjects and IDebugSystemObjects2 interfaces offer different methods to do so.

The first way is to use IDebugSystemObjects::GetCurrentProcessId and IDebugSystemObjects::SetCurrentProcessId:

```cpp
//
// Save the process id before changing the current context.
//
//
// [...]
//

//
// Restore the previous process context
//
```

The second approach, and the one I prefer, is to use the _EPROCESS pointer with IDebugSystemObjects2::GetImplicitProcessDataOffset and IDebugSystemObjects2::SetImplicitProcessDataOffset, which is the programmatic equivalent of .process /p. Whichever method you use, save the previous value and restore it when you are done, otherwise the user's session is left pointing at a different process than the one they selected. Note that switching context does not make pages appear: user-mode reads still fail if the pages are paged out or were not captured in the dump.

```cpp
//
// Save, and change the current process.
//
"(nt!_IMAGE_DOS_HEADER *)@$extin", OutProcessObject->ImageBase);

BaseImage.OutFullValue(); // Dump the full node. Just like "dt"
"e_magic"
//
// Restore process context
//
```
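One detail the save/restore pattern above glosses over: ExtRemoteTyped and ExtRemoteData throw (ExtRemoteException) when a read fails, and an exception raised between the Set and the Restore skips the restore, leaving the session in the wrong process. Putting the switch in a scope guard fixes that. This is an added example, not code from the original post; the HRESULT stand-ins exist only so it builds outside Windows (on Windows they come from the SDK headers), and the template is meant to be instantiated with IDebugSystemObjects2, whose Get/SetImplicitProcessDataOffset methods have exactly these shapes (pass the raw interface pointer held by g_Ext->m_System2). The fake engine object and the addresses are constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Stand-ins for the Windows definitions (assumption: on Windows these come
// from the SDK headers and must be removed).
typedef long HRESULT;
constexpr HRESULT S_OK = 0;
inline bool Succeeded(HRESULT hr) { return hr >= 0; }

// Switches the implicit process (the _EPROCESS the engine uses to translate
// user-mode addresses) and restores the previous one on scope exit, including
// when a read throws partway through.
template <class SystemObjects>
class ImplicitProcessScope {
public:
    ImplicitProcessScope(SystemObjects* sys, uint64_t eprocess) : sys_(sys) {
        if (!Succeeded(sys_->GetImplicitProcessDataOffset(&saved_)))
            throw std::runtime_error("GetImplicitProcessDataOffset failed");
        if (!Succeeded(sys_->SetImplicitProcessDataOffset(eprocess)))
            throw std::runtime_error("SetImplicitProcessDataOffset failed");
        active_ = true;
    }
    ~ImplicitProcessScope() { Restore(); }

    // Restore early if you need the result code; safe to call more than once.
    HRESULT Restore() {
        if (!active_) return S_OK;
        active_ = false;
        return sys_->SetImplicitProcessDataOffset(saved_);
    }

    ImplicitProcessScope(const ImplicitProcessScope&) = delete;
    ImplicitProcessScope& operator=(const ImplicitProcessScope&) = delete;

private:
    SystemObjects* sys_;
    uint64_t saved_ = 0;
    bool active_ = false;
};

// Constructed fake engine for the demo: just records the implicit process.
struct FakeSystemObjects {
    uint64_t current = 0xffff800000000000ULL;   // plays the role of the System process
    HRESULT GetImplicitProcessDataOffset(uint64_t* out) { *out = current; return S_OK; }
    HRESULT SetImplicitProcessDataOffset(uint64_t value) { current = value; return S_OK; }
};

// While the guard is alive the engine resolves addresses in the target process.
uint64_t DemoValueInsideScope() {
    FakeSystemObjects sys;
    ImplicitProcessScope<FakeSystemObjects> scope(&sys, 0x1234);
    return sys.current;
}

// A throw inside the scope still leaves the original process selected.
uint64_t DemoRestoreOnThrow() {
    FakeSystemObjects sys;
    try {
        ImplicitProcessScope<FakeSystemObjects> scope(&sys, 0xfffffa8003b2a040ULL);
        // Simulates ExtRemoteTyped throwing on a paged-out user-mode read.
        throw std::runtime_error("simulated ExtRemoteException");
    } catch (const std::runtime_error&) {
        // The guard's destructor already ran and restored the previous process.
    }
    return sys.current;
}

int main() {
    std::printf("inside scope: 0x%llx\n", static_cast<unsigned long long>(DemoValueInsideScope()));
    std::printf("after throw:  0x%llx\n", static_cast<unsigned long long>(DemoRestoreOnThrow()));
    return 0;
}
```

In an extension command the body that walks the process (ExtRemoteTyped reads of its image, PEB, modules) simply lives inside the block where the guard is declared; no explicit restore call is needed on any path.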

In the next part, we will cover more about memory functions and how to use the Debugger Markup Language (DML) efficiently.


Developing WinDbg ExtEngCpp Extension in C++ – Introduction – Part 1



The WinDbg Software Development Kit is a very powerful resource to have, especially if you know how to use it. But there are fairly few publicly available resources about it, and in my opinion the official documentation does not provide enough examples. Furthermore, if you search online for a common class from the SDK you will find few hits, and most of them will be the official documentation itself.

In addition to its scripting capabilities, WinDbg ships an SDK that lets you develop your own extensions (DLLs). There are three categories of extensions:

  • DbgEng extension DLLs. These are based on the prototypes in the dbgeng.h header file.
  • WdbgExts extension DLLs. These are based on the prototypes in the wdbgexts.h header file.
  • ExtEngCpp extension DLLs (EngExtCpp in the SDK documentation). These are based on the prototypes in the engextcpp.h and dbgeng.h header files, and each DLL of this type may export DbgEng extension commands. This is the category we focus on here.

In this series of short articles we cover some of the poorly documented ExtEngCpp types and show how to use them through explicit examples. ExtEngCpp is by far the most powerful of the three in practice: it wraps the raw dbgeng COM interfaces in C++ helper classes (ExtRemoteData, ExtRemoteTyped, ExtRemoteList and friends) while keeping the raw interfaces reachable through g_Ext whenever you need them.

Beginners looking for a sample ExtEngCpp extension can refer to the SDK, where the basics are covered by the sample at the following path: \Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sdk\samples\extcpp

ExtRemoteData provides GetString() to read a NUL-terminated string of characters, but it has no function to retrieve the content of a UNICODE_STRING (a Length, MaximumLength and Buffer triplet whose buffer is not necessarily NUL-terminated). This is why I started to implement my own ExtRemoteTypedEx class; the sample below shows how to use ExtRemoteData and ExtRemoteTyped together to retrieve the content of a UNICODE_STRING.

```cpp
"Length"
"MaximumLength"
"Buffer"
"String at %p overflows buffer, need 0x%x chars"
```

which can be used like the following:

```cpp
"SeAuditProcessCreationInfo.ImageFileName").Field("Name"
```
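The UNICODE_STRING read described above, with the bounds checks a forensic tool needs, as an added example that is not code from the original post. The structure's fields come out of target memory, so Length, MaximumLength and Buffer are validated rather than trusted: a corrupted or deliberately hostile structure must not make the extension read past its buffer or allocate a huge amount of memory. The read callback stands in for IDebugDataSpaces::ReadVirtual (in an extension it would wrap g_Ext->m_Data->ReadVirtual() and return false unless BytesRead equals the requested length; that wiring is assumed); the x64 structure layout is hard-coded here, whereas the ExtRemoteTyped Field() approach above gets the layout from symbols and therefore also works for x86 targets. char16_t is used because WCHAR is 16 bits wide on the target while wchar_t is 32 bits on some hosts. The fake target and its contents are constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <optional>
#include <string>
#include <vector>

// Fields as laid out in a 64-bit target's UNICODE_STRING (assumption: x64 target).
struct UnicodeStringHdr {
    uint16_t Length;          // bytes, not characters
    uint16_t MaximumLength;   // bytes
    uint64_t Buffer;          // PWSTR in the target's address space
};

// Stand-in for IDebugDataSpaces::ReadVirtual: true only if all `len` bytes were read.
using ReadVirtualFn = std::function<bool(uint64_t addr, void* out, size_t len)>;

// Read the characters a UNICODE_STRING points at, validating the header first.
std::optional<std::u16string> ReadUnicodeString(const UnicodeStringHdr& us,
                                                const ReadVirtualFn& read,
                                                uint16_t maxBytes = 0xfffe) {
    if (us.Length == 0) return std::u16string();                     // empty string is valid
    if (us.Buffer == 0) return std::nullopt;                         // nothing to read
    if (us.Length % sizeof(char16_t) != 0) return std::nullopt;      // odd byte count: corrupt
    if (us.Length > us.MaximumLength) return std::nullopt;           // claims more than allocated
    if (us.Length > maxBytes) return std::nullopt;                   // caller's sanity cap
    std::vector<uint8_t> raw(us.Length);
    if (!read(us.Buffer, raw.data(), raw.size())) return std::nullopt;   // buffer unreadable / paged out
    std::u16string s(us.Length / sizeof(char16_t), u'\0');
    std::memcpy(&s[0], raw.data(), raw.size());
    return s;
}

// Read the 16-byte structure from target memory, then its characters.
std::optional<std::u16string> ReadUnicodeStringAt(uint64_t addr, const ReadVirtualFn& read) {
    uint8_t hdr[16];
    if (!read(addr, hdr, sizeof(hdr))) return std::nullopt;
    UnicodeStringHdr us;
    std::memcpy(&us.Length, hdr + 0, 2);
    std::memcpy(&us.MaximumLength, hdr + 2, 2);
    std::memcpy(&us.Buffer, hdr + 8, 8);   // Buffer follows 4 bytes of padding on x64
    return ReadUnicodeString(us, read);
}

// Constructed fake target: a UNICODE_STRING at 0x1000 pointing at L"cmd.exe" at 0x2000.
struct FakeTarget {
    std::vector<uint8_t> mem = std::vector<uint8_t>(0x3000, 0);
    FakeTarget() {
        const char16_t text[] = u"cmd.exe";
        const uint16_t len = 7 * 2, max = 8 * 2;
        const uint64_t buf = 0x2000;
        std::memcpy(&mem[0x1000], &len, 2);
        std::memcpy(&mem[0x1002], &max, 2);
        std::memcpy(&mem[0x1008], &buf, 8);
        std::memcpy(&mem[0x2000], text, sizeof(text));
    }
    bool Read(uint64_t addr, void* out, size_t len) const {
        if (addr + len > mem.size()) return false;   // outside the mapped region
        std::memcpy(out, &mem[static_cast<size_t>(addr)], len);
        return true;
    }
};

std::u16string DemoReadImageName() {
    FakeTarget t;
    auto r = ReadUnicodeStringAt(0x1000, [&](uint64_t a, void* o, size_t l) { return t.Read(a, o, l); });
    return r ? *r : std::u16string(u"<unreadable>");
}

// A Length larger than MaximumLength is rejected instead of being read.
bool DemoRejectsOversizedLength() {
    FakeTarget t;
    UnicodeStringHdr bad{0x4000, 0x10, 0x2000};
    auto r = ReadUnicodeString(bad, [&](uint64_t a, void* o, size_t l) { return t.Read(a, o, l); });
    return !r.has_value();
}

int main() {
    std::u16string name = DemoReadImageName();
    std::printf("image name: %zu chars, oversized length rejected: %s\n",
                name.size(), DemoRejectsOversizedLength() ? "yes" : "no");
    return 0;
}
```

The same validation applies whatever API performs the read: whether the Buffer pointer is handed to ReadVirtual as here, or to ReadUnicodeStringVirtualWide, the Length taken from the structure is the bound, not a terminator that may never come.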

In the next blogpost we will see how to use the COM interfaces, among them IDebugDataSpaces4::ReadUnicodeStringVirtual.

I’m working on a WinDbg extension to unite all my existing code in order to have an ultimate Digital Forensics & Incident Response WinDbg extension.

Thanks to Frank Boldewin and aionescu for their help.


Internet of Things = More devices = Attack surface growth.

First, I was probably like most of you when I first read about the Internet of Things (IoT) and Make It Wearable: what is this?

This is basically about "things" (devices, clothes, etc.) connected wirelessly to the Internet. In other words, laptops, computers and smartphones are no longer the only things with Internet access. The phenomenon started in 2010, and spectacular growth is expected: Gartner recently stated in a press release entitled Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020, and ABI Research expects more than 30 billion devices connected to the Internet by 2020.

As I explain to most non-technical people: as soon as you own a device that can connect to the Internet, that device (and you) becomes a potential target.

Business Insider also released an interesting article about IoT a few weeks ago, containing the following flowchart (figure: 2010 IoT).

As you can see, the current number of Internet-connected devices worldwide is 6 billion (around 3 times the number in 2010), and around 70% of them are not personal computers. Most importantly, this number is expected to grow around 5 times by 2020, which translates directly into the attack surface of tomorrow's devices.

Why am I talking to you about those numbers? Intel announced Intel Edison yesterday during its CES keynote.

Intel Edison is a 400 MHz computer board that fits in an SD card, the first of a new product line. It runs Linux and includes a dual-core CPU, Wi-Fi and Bluetooth. No need to say how great it is, how much it will change the market, and the impact it will have on future products. At the same time Intel is launching a very interesting contest called "Make It Wearable" to encourage companies and developers to use Edison in their products. In other words, their attack surface is about to expand.

2014. A Story of Leaks, Cyber-Security, Growth, APT and Sovereignty.

Two major events happened in the past few weeks.

  • The first one is the release of additional documents by Jacob Appelbaum during his #30C3 talk and Der Spiegel about the NSA Catalog (dated 2007-2008).
  • And the second one is the acquisition of Mandiant by FireEye for $1 billion dollars.

A few documents from the catalog strike me as particularly interesting: the ones about IRATEMONK, SWAP, IRONCHEF and DEITYBOUNCE. Why? Let us look at the rootkits of the past few years that are public knowledge.

Year, codename; where it was spotted; note:

  • 2010, Stuxnet. Spotted: mainly in Iran, but also in some Russian nuclear plants[8]. Note: speculation long swirled around government-backed hackers from nations like China and Russia, until it was suspected to be a U.S./Israeli collaboration in 2012.
  • 2011, Duqu. Spotted: Iran. Note: similarities with Stuxnet highlighted by F-Secure.
  • 2010, Flame. Spotted: mainly Iran, but also Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. Note: found in 2012, but Kaspersky said it managed to stay undetected for two years.
  • 2012, Shamoon/Disttrack. Spotted: Saudi Arabia (Aramco), Qatar (RasGas). Note: believed to be a strike back from Iran because of the Stuxnet/Flame attacks. “Shamoon contains a so-called wiper module designed to overwrite files from certain directories and the hard disk drive’s Master Boot Record (MBR) — a special region of the disk that contains information about its partitions.”
  • 2008, IRATEMONK. Spotted: ? Note: “provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) Substitution” (dependency: Western Digital, Seagate, Maxtor and Samsung hard drives; supported FS: FAT, NTFS, EXT3 and UFS). Leaked in 2013.
  • 2008, SWAP. Spotted: ? Note: “provides software application persistence by exploiting the motherboard BIOS and the hard drive’s Host Protected Area to gain periodic execution before the Operating System loads” (dependency: systems running Windows, Linux, FreeBSD or Solaris with the following FS: FAT32, NTFS, EXT2, EXT3 or UFS 1.0). Leaked in 2013.
  • 2008, IRONCHEF. Spotted: ? Note: “provides software application persistence to target systems by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to communicate with a hardware implant that provides two-way RF communication” (dependency on the HP ProLiant 380DL G5 server, probably because of SMM). Leaked in 2013.
  • 2008, DEITYBOUNCE. Spotted: ? Note: “provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads”. Dependency: “supports multi-processor system with RAID hardware and Microsoft Windows 2000, 2003, and XP. It currently targets Dell PowerEdge 1850/2850/1950/2950 RAID servers, using BIOS versions A02, A05, A06, 1.1.0, 1.2.0 or 1.3.7” (the specific dependency is probably due to SMM infection as well). Leaked in 2013.
  • 2008 – 2014, more? Spotted: ? Note: ?

As you can see, several of the rootkits attributed to the NSA rely on SMM and hard-drive firmware implants. I first heard of both from the French security researcher Loic Duflot: his initial SMM research, Security Issues Related to Pentium System Management Mode, was presented at CanSecWest in 2006, and he later presented work on the firmware integrity not of hard drives but of network cards in Run-time firmware integrity verification: what if you can’t trust your network card?. Given how quickly the NSA picks up on public-domain research, I would not be surprised if the latter had already made it into its latest catalog.

Looking at the table above, it resonates quite well with the talk Mikko Hypponen cancelled at RSA Conference 2014, entitled “Governments as Malware Authors”, and with the December blog post by Microsoft’s Brad Smith, General Counsel & EVP, Legal & Corporate Affairs, who was equally clear: “Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.”

Governments are officially “advanced persistent threat” (APT).

Which brings us back to the second topic. Mandiant made the headlines in early 2013 for exposing APT1, which is now frequently used as the textbook example of an Advanced Persistent Threat.

DeWalt has a successful track record: most notably he was CEO of McAfee and sold the anti-virus company to Intel (INTC) for $7.7 billion in 2011, before being appointed FireEye CEO in November 2012.
FireEye IPOed in September 2013 at a valuation of about $2 billion; the company now has a market cap of almost $7 billion, and its share price jumped by a third after the Mandiant M&A announcement. DeWalt had also been chairman of Mandiant since 2012.

Kevin Mandia, Mandiant founder and former C.E.O., began his career in the United States Air Force. He served as a computer security officer in the 7th Communications Group at the Pentagon, and later as a Special Agent in the Air Force Office of Special Investigations (AFOSI), where he worked as a Cybercrime Investigator.

Other shareholders of FireEye include notable VCs such as Sequoia, but also In-Q-Tel. FireEye has raised $100 million in private capital from backers including Sequoia Capital, Norwest Venture Partners and In-Q-Tel, the CIA’s venture arm; Sequoia and Norwest each own 20 percent of the company, according to its SEC filings. Three other valley finance heavyweights — DAG Ventures, JAFCO Ventures and Silicon Valley Bank — collectively own nearly 25 percent.

It’s quite interesting to compare these paradigms and dynamics in the U.S. with those of countries like France, which struggles to keep tech people and companies (in IT security or otherwise). And there is almost no hope of change over the next few years given the current politics of Fleur Pellerin, French Minister for SMEs, Innovation and the Digital Economy, or of the SGDSN/ANSSI.

The security industry has a lot of growth ahead of it, helping enterprises and governments protect their intellectual property and secrets against cyberespionage and Advanced Persistent Threats. But how long until sovereignty becomes an issue?