Call for Beta-Testers :: windd utility RC2 (32-bits & 64-bits)

Finally, I recently managed to find some time to update win32dd, now called windd and part of a project codenamed “Pangowings *” (inspired by the pangolin mammal). windd supports both 32-bit and 64-bit (x64-based, not Itanium) versions of Windows, from Windows XP to Windows 7.
All executables (including the drivers) are digitally signed, and I suggest people always check this before running them.

It would be nice to have people with more than 4 GB of RAM test it.

Here is a summary of the changelog:
- 2008-09-09, 1.3: major update
  • Network support (both client and server in one executable).
  • 64-bit support.
  • Very fast.
  • MD5, SHA-1 and SHA-256 hash support.
  • Three mapping methods for both full crash dump and raw memory dump generation.
  • Can generate a BSOD.
  • Can hibernate the system.
  • Microsoft crash dump fully compatible with WinDbg.

So, if you want to test it:
Links
windd main page
Direct link to windd RC2

Randoms:
Here is also an interesting read that my friend Laurent Miltgen-Delinchamp pointed out:
Error when entering Hibernation on a Windows 7-based computer

Windows 7 Memory Manager and Committed Memory – SystemCommittedMemoryInformation

In Windows 7 build 7100, SYSTEM_INFORMATION_CLASS was extended: some existing classes, such as SystemLowPriorityInformation, were updated, and new classes such as SystemCommittedMemoryInformation were introduced.

This small post covers the SystemCommittedMemoryInformation class, which is part of the Windows 7 Memory Manager and retrieves information about committed memory.

Function: NtQuerySystemInformation
Class: SystemCommittedMemoryInformation
Privilege: None
Output size: 0x10 bytes

typedef struct _COMMITTED_MEMORY_INFORMATION
{
    ULONG MmAvailablePages;        // pages on the free, zeroed and standby lists
    ULONG MmTotalCommittedPages;   // current commit charge, in pages
    ULONG MmTotalCommitLimit;      // commit limit (RAM + page files), in pages
    ULONG MmPeakCommitment;        // highest commit charge since boot, in pages
} COMMITTED_MEMORY_INFORMATION, *PCOMMITTED_MEMORY_INFORMATION;
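As an added example (not the post's own committedmem tool), here is how a user-mode caller can mirror the structure above with ctypes, decode the 0x10-byte output buffer, and wrap NtQuerySystemInformation with the NTSTATUS checks a caller needs. The post does not give the numeric SYSTEM_INFORMATION_CLASS index, so the caller must supply it (take it from the post's source); the 4 KB page size and the sample buffer are assumptions constructed for offline use.

```python
"""Decode and query the Windows 7 SystemCommittedMemoryInformation class.

Added example for this post, not the post's committedmem tool. The class
index is NOT given in the post and is passed in by the caller (assumption).
"""
import ctypes
import struct
import sys

PAGE_SIZE = 4096                      # assumption: x86/x64 small page; counters are in pages
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004


class COMMITTED_MEMORY_INFORMATION(ctypes.Structure):
    # Windows ULONG is always 32 bits, so use c_uint32 (c_ulong is 64-bit on Linux).
    _fields_ = [
        ("MmAvailablePages", ctypes.c_uint32),
        ("MmTotalCommittedPages", ctypes.c_uint32),
        ("MmTotalCommitLimit", ctypes.c_uint32),
        ("MmPeakCommitment", ctypes.c_uint32),
    ]


def parse_committed_memory(raw: bytes) -> dict:
    """Decode the raw 0x10-byte output buffer into page counts plus derived values."""
    size = ctypes.sizeof(COMMITTED_MEMORY_INFORMATION)
    if len(raw) != size:
        raise ValueError(f"expected {size:#x} bytes, got {len(raw):#x}")
    info = COMMITTED_MEMORY_INFORMATION.from_buffer_copy(raw)
    committed, limit = info.MmTotalCommittedPages, info.MmTotalCommitLimit
    if limit == 0:
        raise ValueError("MmTotalCommitLimit is 0: buffer does not look like this class")
    return {
        "available_pages": info.MmAvailablePages,
        "committed_pages": committed,
        "commit_limit_pages": limit,
        "peak_commit_pages": info.MmPeakCommitment,
        "available_bytes": info.MmAvailablePages * PAGE_SIZE,
        "committed_bytes": committed * PAGE_SIZE,
        "commit_limit_bytes": limit * PAGE_SIZE,
        "commit_usage_pct": round(100.0 * committed / limit, 1),
        # A commit charge above the limit means the kernel globals were read
        # mid-update (no lock is taken) or the page file is being grown.
        "consistent": committed <= limit,
    }


def query_committed_memory(info_class: int) -> dict:
    """Live query on Windows 7+. No privilege is required, per the post."""
    if sys.platform != "win32":
        raise OSError("NtQuerySystemInformation only exists on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    fn = ntdll.NtQuerySystemInformation
    fn.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32,
                   ctypes.POINTER(ctypes.c_uint32)]
    fn.restype = ctypes.c_uint32      # NTSTATUS, kept unsigned for printing

    buf = COMMITTED_MEMORY_INFORMATION()
    retlen = ctypes.c_uint32(0)
    status = fn(info_class, ctypes.byref(buf), ctypes.sizeof(buf), ctypes.byref(retlen))
    if status == STATUS_INFO_LENGTH_MISMATCH:
        raise OSError(f"class {info_class} expects {retlen.value:#x} bytes, not 0x10: "
                      "wrong class index or a different Windows build")
    if status != 0:
        raise OSError(f"NtQuerySystemInformation failed, NTSTATUS {status:#010x}")
    return parse_committed_memory(bytes(buf))


def sample_buffer() -> bytes:
    """Constructed buffer (not captured from a real system) for offline runs."""
    return struct.pack("<4I", 200_000, 300_000, 500_000, 350_000)


if __name__ == "__main__":
    # Usage: python committed.py <class index>   (live query on Windows)
    #        python committed.py                 (decode the constructed sample)
    data = (query_committed_memory(int(sys.argv[1])) if len(sys.argv) > 1
            else parse_committed_memory(sample_buffer()))
    for key, value in data.items():
        print(f"{key:>20}: {value}")
```

The length check on STATUS_INFO_LENGTH_MISMATCH is the useful part in practice: because the class index is undocumented and changed between builds, a wrong index usually shows up as a size mismatch rather than a crash, and the returned length tells you which structure you actually hit.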

[Screenshot: committedmem output]

Resources:
Source + Executable available here.

Security 2.0 – Fairy tales and the art of deception

Yesterday, I wrote a post about TwitPic and Twitter.

On TwitPic's blog, we can read this:

Yesterday we were made aware of a vulnerability with our email posting system that would allow someone to brute force someone’s Twitpic email PIN by trying every combination until one worked. A fix has been put in place to prevent this from happening.[...]
I want to make it clear that this was NOT a Twitter issue, but a Twitpic issue, and I take full responsibility for it. Once I contacted Twitter about the issue on our end, they worked with us to help remedy any unauthorized postings and they were extremely helpful. Kudos to the Twitter team.[...]
I want to apologize to anyone this has affected and I want you to know that we take security seriously.

The thing is: they still use a 4-digit PIN code. So both Twitter and TwitPic worked on fixing this vulnerability, and neither of them is shocked by the 10^4 possibilities of a 4-digit PIN code. It's getting funnier and funnier.

IMHO, if I should make a comparison: it is like when a very big vendor fixes an integer overflow but forgets that the type of the integer is signed.

.. Shame.

Security 2.0 is not even a failure.. It is a nightmare.

Web vulnerabilities are lame and web developers too. We all know this.

And here is what you can read on the @britneyspears Twitter feed.
[Screenshot: @britneyspears Twitter feed]

Basically, TwitPic allows Twitter users to upload pictures and post them to their Twitter status. How? You log in on the TwitPic website with your Twitter login + password, then upload your picture, and that's it. According to their Twitter feed they have more than 2 million users, and as you can see this includes users who own a verified account, like @britneyspears with more than 2 million followers. For your information, a verified account can be recognized by the verified badge icon, and such accounts have from 10k to 2 million followers.

There is even a feature which allows you to tweet a picture from your phone by mailing it to the following address: username.XXXX@twitpic.com

XXXX stands for the PIN code. It is obvious that 4 characters is A HUGE MISTAKE from a security point of view. But the funniest thing is… this PIN code is a 4 DIGIT code. Yes, 10^4 only… I am crying blood. I'm crying tears from my eyes that I can't deny, and I am falling like a comet from the broken sky.

#1 This is a shame from a security point of view. This is not even 62^4, this is 10^4.
#2 They store both login + password (either in plaintext or using a reversible algorithm)

By the way, TwitPic is NOT even a department of Twitter Inc.
If you look at the terms page, it looks like the HQ address of TwitPic is this:

Twitpic Inc,7736 Farr St Suite 907, Charleston, SC 29492

which is different from the Twitter HQ:

Twitter Inc., 539 Bryant Street, Suite 402, San Francisco CA 94107.

Twitter has an advanced search feature, so it is not really hard to find potential victims:
http://search.twitter.com/search?max_id=2387073237&page=3&q=http%3A%2F%2Ftwitpic.com%2F
Or you can simply look at which client a Twitter user posted from. You should read something like: “from TwitPic”.

According to TwitPic, they are working on it. But the question is: how is this kind of vulnerability still possible in 2009? Is that what people call Cloud Computing bullshit?
http://twitter.com/TwitPic/status/2383953236

We've implemented a fix for the email posting vulnerability, a full blog post explaining the issue will be released soon


We can walk on the moon, we made high-speed trains, people are working on quantum mechanics, AND WE CAN STILL FIND THIS KIND OF VULNERABILITY?

To conclude:

  • Web 2.0 is even more than a failure. It shows you how much people can like Britney Spears, or how many of your Facebook friends are stupid enough to send you invitations to join 5 million people in the “Join this group if you want to change the color of your name on Facebook.” Facebook group.
  • People do not care about security and do not even know what this word means.
  • A PHP developer can buy a Ferrari by writing a 2k-line website.
  • The 2009 music industry is a failure.

And we are supposed to improve the way people use a computer? To change their lifestyle and the world?

Challenge of Windows physical memory acquisition and exploitation

(Honolulu, HI) – Here is a quick post to provide the resources presented this afternoon at Shakacon 2009.
This talk aims to show win32dd users (forensic engineers, investigators, incident response engineers, ...) why physical memory analysis is important, and mainly covers how to rethink memory acquisition and exploitation in a more efficient way.

Slides are available here. Not rocket science, but very interesting to see how efficient results can be obtained when different exciting and performant technologies are put together.

PowerShell script used to retrieve erased EPROCESS entries from PspCidTable is available here.

[Screenshot: hidden process]
Figure 1 – Screenshot of the PowerShell script in action
Magic command: .\FUto.ps1 | Out-GridView

And here is win32dd v1.2.1.20090608 – If you want more information about the update go here.

PS. Do not copy win32dd into the System32 directory, and run it as Administrator (it loads a kernel driver). I think I'll write a HOWTO document soon.
