U.S. / France cyber-security budget

Pentagon Five-Year (until 2018) Cybersecurity Plan Seeks $23 Billion (cf. 2015 Fiscal Year Budget request).
That is around 1.6 times ($4.6 Bn/year) the annual budget of DARPA ($2.8 Bn/year).

France's Five-Year (until 2019) Cybersecurity plan is EUR 1 Billion.
This is around 1.33 times (EUR 200M/year) the budget allocated to last year's call for projects in cyber-security. That budget was supposed to be EUR 150M, but no update has been communicated by officials since the initial press release, and any attempt to obtain more information has been dismissed or ignored.

The U.S. cyber-security budget is 17+ times the French budget.
On top of that, the U.S. is developing partnerships at different levels within its own ecosystem, something yet to be seen in France even though the government has claimed it wants to strengthen its sovereign technology.

That’s so Swish!

SwishDbgExt is a Microsoft WinDbg debugging extension that expands the set of commands available in Microsoft WinDbg, and also fixes and improves existing commands.

Description

This extension has been developed by Matt Suiche (@msuiche) – feel free to reach out on Twitter (even better, on the mailing list) to ask for more features, offer to contribute and/or report bugs.

Mailing-List: https://groups.google.com/a/moonsols.com/forum/#!forum/dfir-list or dfir-list+subscribe@moonsols.com

SwishDbgExt aims at making life easier for kernel developers, troubleshooters and security experts with a series of debugging, incident response and memory forensics commands.

Because SwishDbgExt is a WinDbg debugging extension, it can be used on local or remote kernel debugging sessions, on live sessions generated by Microsoft LiveKd, and also on Microsoft crash dumps generated by a Blue Screen of Death or by hybrid utilities such as MoonSols DumpIt.

[Screenshots: help01, help02]

Acknowledgements

I personally don’t have enough time to do full in-depth testing of all the commands on every version of Windows, which is why I would like to thank the few people who assisted me with the testing of the private beta and for their contributions. Now that the extension is public, I’m sure more bugs will be found – and as said above, feedback is highly appreciated and the mailing list is the most efficient way to share it :-)

Thanks to Frank Boldewin for his feedback and sharing his shellcode scanning techniques (!ms_malscore).

Thanks to Benjamin Delpy for his feedback and writing mimikatz (!ms_credentials).

Download

Current version is: v0.5.20140716 (16 July 2014)

La French Tech: Cyber-Security – Where is the money?

Most of you probably already know the Cyber Fast Track (CFT) program from DARPA, formerly led by Peiter Zatko (congrats again!), which provides fast access to grants for U.S. cyber-security researchers.

In July 2013, France tried to launch a similar project (though obviously the applications are more complex and bureaucratic) called “Investissements d’avenir pour la securite numerique”; the official press release can be found here.

The initiative was launched by the ministers Arnaud Montebourg and Fleur Pellerin, and by Louis Gallois, former CEO of Airbus (ex-EADS), as Commissaire général à l’investissement for the “Grand Emprunt“. The Grand Emprunt is a 35 billion loan issued by France in 2010 as part of its innovation strategy to stimulate R&D in different fields. Unfortunately, the coordinator of the projects was not communicated.

The July 2013 press release announced a EUR 150 million (USD 200M+) fund for cyber-security projects. I have always been curious to know who the commission and jury in charge of reviewing the submissions were, and when the list of accepted contestants and projects would be published. The cyber-security call for projects closed on 29 November 2013, so I assume something must have happened since then.

I know a lot of potential candidates didn’t submit anything because they were afraid the funds would go to multi-billion-dollar French defense companies, so I offered to check on their behalf. I therefore tried to contact individuals, and the generic contact addresses available at @finances.gouv.fr, for the above information, but I unfortunately never got an answer back.

Nonetheless, I thought it was a great initiative that was poorly communicated; I was myself very impressed and glad to see the French government supporting sovereign projects related to cyber-security.

Have any contestants, journalists or members of the “French Tech” heard anything?

Hives & Trust issues

Some of you may have used RtlQueryRegistryValues, and probably wondered what Microsoft meant by saying:

Starting with Windows 8, if an RtlQueryRegistryValues call accesses an untrusted hive, and the caller sets the RTL_QUERY_REGISTRY_DIRECT flag for this call, the caller must additionally set the RTL_QUERY_REGISTRY_TYPECHECK flag.

A hive is marked as untrusted using the 0x1 flag in CMHIVE.Flags. This applies to any hive loaded using ZwLoadKey(), such as third-party hives, and, as you can see below, to all USER hives and the Boot Configuration Data (BCD).

[Screenshot: hivelist_trust]

This is an easy and quick way to recognize non-system hives. Another thing people tend to forget is the presence of a hive-specific function table within the HHIVE data structure. This function table changed slightly between Windows 7 and Windows 8.

The functions marked in the following data-structure snippet, ReleaseCellRoutine(), FileSetSize() and FileFlush(), have been removed from the Windows 8 data structure.

    // _HHIVE function table members present in Windows 7:
    ReleaseCellRoutine;   // Removed in Windows 8
    FileSetSize;          // Removed in Windows 8
    FileFlush;            // Removed in Windows 8

Checking the integrity of this function table is an important step against threats that intercept registry access without calling CmRegisterCallbackEx() to register their registry callback functions.

[Screenshot: hivescan]
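As an added illustration of the two checks described above (the untrusted bit in CMHIVE.Flags together with the DIRECT/TYPECHECK rule, and the integrity of the HHIVE function table), here is a small stand-alone C++ model. It is example code written for this page, not SwishDbgExt's own source, and it runs without the WinDbg SDK: the hive flags, the routine addresses and the ntoskrnl image range are constructed values; the RTL_QUERY_REGISTRY_* constants are the ones ntddk.h declares, and the routine names are the _HHIVE members that survive in Windows 8.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Bit 0x1 of CMHIVE.Flags marks a hive as untrusted: hives loaded through ZwLoadKey(),
// user hives and the BCD, as shown in the post.
constexpr uint32_t CMHIVE_FLAG_UNTRUSTED = 0x1;

// RTL_QUERY_REGISTRY_TABLE.Flags values from ntddk.h; with TYPECHECK set, the REG_* type the
// caller expects travels in the high byte of DefaultType.
constexpr uint32_t RTL_QUERY_REGISTRY_DIRECT          = 0x00000020;
constexpr uint32_t RTL_QUERY_REGISTRY_TYPECHECK       = 0x00000100;
constexpr uint32_t RTL_QUERY_REGISTRY_TYPECHECK_SHIFT = 24;
constexpr uint32_t REG_SZ    = 1;
constexpr uint32_t REG_DWORD = 4;

// Only the two members of RTL_QUERY_REGISTRY_TABLE the rule depends on.
struct QueryEntry { uint32_t Flags; uint32_t DefaultType; };

QueryEntry MakeDirectEntry(bool typeCheck, uint32_t expectedType)
{
    QueryEntry e{ RTL_QUERY_REGISTRY_DIRECT, 0 };
    if (typeCheck) {
        e.Flags |= RTL_QUERY_REGISTRY_TYPECHECK;
        e.DefaultType = expectedType << RTL_QUERY_REGISTRY_TYPECHECK_SHIFT;
    }
    return e;
}

bool HiveIsUntrusted(uint32_t cmhiveFlags) { return (cmhiveFlags & CMHIVE_FLAG_UNTRUSTED) != 0; }

// Model of the Windows 8 rule quoted in the post (my reading of it, not the kernel's code):
// a DIRECT read from an untrusted hive must carry TYPECHECK, and the value found in the hive
// must have the declared type; otherwise the caller would copy data of an unexpected type and
// size, chosen by whoever wrote the hive, straight into its own buffer.
bool DirectQueryAllowed(uint32_t cmhiveFlags, const QueryEntry& e, uint32_t storedType)
{
    if (!(e.Flags & RTL_QUERY_REGISTRY_DIRECT))    return true;   // rule only concerns DIRECT
    if (!HiveIsUntrusted(cmhiveFlags))             return true;   // trusted (system) hive
    if (!(e.Flags & RTL_QUERY_REGISTRY_TYPECHECK)) return false;  // untrusted + DIRECT, no TYPECHECK
    return (e.DefaultType >> RTL_QUERY_REGISTRY_TYPECHECK_SHIFT) == storedType;
}

// Hive-specific function table of _HHIVE (Windows 8 layout, after ReleaseCellRoutine,
// FileSetSize and FileFlush were dropped). Names are the structure's; addresses are constructed.
struct HiveRoutine { const char* Name; uint64_t Address; };

constexpr uint64_t kNtBase = 0xFFFFF80000400000ULL;   // constructed ntoskrnl image range
constexpr uint64_t kNtSize = 0x00600000ULL;

std::vector<HiveRoutine> SampleHiveTable()
{
    return {
        { "GetCellRoutine", kNtBase + 0x1A2000 },
        { "Allocate",       kNtBase + 0x1A2100 },
        { "Free",           kNtBase + 0x1A2200 },
        { "FileWrite",      0xFFFFF80012345000ULL },   // constructed: points outside nt
        { "FileRead",       kNtBase + 0x1A2400 },
    };
}

// Each routine pointer must land inside the ntoskrnl image. A pointer elsewhere means the table
// was patched to intercept hive access without going through CmRegisterCallbackEx().
std::vector<const char*> FindTamperedRoutines(const std::vector<HiveRoutine>& table,
                                              uint64_t ntBase, uint64_t ntSize)
{
    std::vector<const char*> tampered;
    for (const auto& r : table)
        if (r.Address < ntBase || r.Address >= ntBase + ntSize) tampered.push_back(r.Name);
    return tampered;
}

int main()
{
    // Stand-alone demo over the constructed data.
    printf("Hive with Flags=0x1 untrusted: %s\n", HiveIsUntrusted(0x1) ? "yes" : "no");
    printf("DIRECT read without TYPECHECK from untrusted hive allowed: %s\n",
           DirectQueryAllowed(0x1, MakeDirectEntry(false, 0), REG_SZ) ? "yes" : "no");
    for (const char* name : FindTamperedRoutines(SampleHiveTable(), kNtBase, kNtSize))
        printf("hive routine %s points outside nt!\n", name);
    return 0;
}
```

On a real target the same two checks are driven by what the debugger reads from nt!_CMHIVE and nt!_HHIVE, with the module range taken from the loaded-module list instead of constants.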

Developing WinDbg ExtEngCpp Extension in C++ – Symbols – Part 4

Continuing my series of articles on developing WinDbg ExtEngCpp extensions, I will cover, through two examples, how to use symbols efficiently while writing your extension.

In the past, I tried several times to report issues (e.g. “!reg subkeylist”), but I never had a response from the WinDbg team. The same happened when I attempted to reach them with some questions related to the WinDbg SDK, which is why I assume there is no team (retired?) at Microsoft to maintain WinDbg anymore, and I decided to convert my frustration into my own extension replacing most of the broken or improvable functions from WinDbg, as you can see at the end of the article. If anyone is interested in beta-testing my extension, contact me over email.

ExtRemoteTyped

You can find below an example of using ExtRemoteTyped. The command resolves a cell index to its address, taking advantage of the ExtRemoteTyped accessors (Field() and ArrayElement()) to walk the hive's storage map.

    EXT_COMMAND(ms_cellindex,
        "Compute cell index",
        "{;ed;hive;Key hive}{;ed;index;Cell index}")
    {
        ULONG64 HiveAddr = GetArgU64("hive");
        ULONG CellIndex = (ULONG)GetArgU64("index");
        ExtRemoteTyped KeyHive("(nt!_HHIVE *)@$extin", HiveAddr);
        ULONG Type = CellIndex >> 31;                   // HCELL_INDEX bit layout: stable (0) / volatile (1)
        ULONG Table = (CellIndex & 0x7FE00000) >> 21;   // directory slot
        ULONG Block = (CellIndex & 0x001FF000) >> 12;   // block slot inside that table
        ULONG Offset = CellIndex & 0xFFF;               // byte offset inside the block
        // g_Ext->Dml("Hive: %I64X, CellIndex = %x, Type = %x, Table = %x, Block = %x, Offset = %x\n",
        //    KeyHive.GetPtr(), CellIndex, Type, Table, Block, Offset);
        ExtRemoteTyped DirMap = KeyHive.Field("Storage").ArrayElement(Type).Field("Map");
        ExtRemoteTyped MapTable = DirMap.Field("Directory").ArrayElement(Table);
        ULONG64 CellAddr = MapTable.Field("Table").ArrayElement(Block).Field("BlockAddress").GetUlong64() + Offset;
        Dml("Hive version %u: cell %x is at %I64X\n", KeyHive.Field("Version").GetUlong(), CellIndex, CellAddr);
    }
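The cell-index decomposition that !ms_cellindex performs, as an added stand-alone example (written for this page, not the extension's own code): instead of reading nt!_HHIVE through ExtRemoteTyped it resolves the index against a constructed, in-memory copy of the Storage[Type].Map->Directory[Table]->Table[Block].BlockAddress chain, so it runs outside a debugger. The masks and shifts are the HCELL_INDEX layout; the block addresses are made up, and an unmapped block is reported as 0 rather than dereferenced.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>

// HCELL_INDEX layout (masks and shifts as in the kernel's hive headers):
//   bit 31     Type   : 0 = Stable, 1 = Volatile        -> _HHIVE.Storage[Type]
//   bits 21-30 Table  : directory slot                   -> Storage[Type].Map->Directory[Table]
//   bits 12-20 Block  : block slot inside that table     -> Directory[Table]->Table[Block]
//   bits 0-11  Offset : byte offset inside the 4 KiB block, added to BlockAddress
constexpr uint32_t HCELL_TYPE_SHIFT  = 31;
constexpr uint32_t HCELL_TABLE_MASK  = 0x7FE00000, HCELL_TABLE_SHIFT = 21;
constexpr uint32_t HCELL_BLOCK_MASK  = 0x001FF000, HCELL_BLOCK_SHIFT = 12;
constexpr uint32_t HCELL_OFFSET_MASK = 0x00000FFF;
constexpr uint32_t HCELL_NIL         = 0xFFFFFFFF;   // "no cell"

struct CellParts { uint32_t Type, Table, Block, Offset; };

CellParts SplitCellIndex(uint32_t cellIndex)
{
    CellParts p;
    p.Type   = cellIndex >> HCELL_TYPE_SHIFT;
    p.Table  = (cellIndex & HCELL_TABLE_MASK) >> HCELL_TABLE_SHIFT;
    p.Block  = (cellIndex & HCELL_BLOCK_MASK) >> HCELL_BLOCK_SHIFT;
    p.Offset = cellIndex & HCELL_OFFSET_MASK;
    return p;
}

// Constructed stand-in for the map the extension walks through ExtRemoteTyped
// (Storage[Type].Map->Directory[Table]->Table[Block].BlockAddress): (Type, Table, Block)
// packed into one key, value = kernel VA where that 4 KiB block is mapped.
using BlockMap = std::map<uint64_t, uint64_t>;

uint64_t BlockKey(uint32_t type, uint32_t table, uint32_t block)
{
    return ((uint64_t)type << 40) | ((uint64_t)table << 20) | block;
}

BlockMap SampleHiveMap()
{
    BlockMap m;                                            // all addresses constructed
    m[BlockKey(0, 0, 0)] = 0xFFFFC00012340000ULL;          // stable, table 0, block 0
    m[BlockKey(0, 0, 1)] = 0xFFFFC00012341000ULL;          // stable, table 0, block 1
    m[BlockKey(1, 0, 0)] = 0xFFFFC00098765000ULL;          // volatile, table 0, block 0
    return m;
}

// Turns a cell index into the virtual address of the cell (BlockAddress + Offset), which is
// what !ms_cellindex prints. Returns 0 for HCELL_NIL or for a block that is not mapped; on a
// real target that means a corrupt hive or a cell index that does not belong to this hive.
uint64_t ResolveCell(const BlockMap& map, uint32_t cellIndex)
{
    if (cellIndex == HCELL_NIL) return 0;
    CellParts p = SplitCellIndex(cellIndex);
    auto it = map.find(BlockKey(p.Type, p.Table, p.Block));
    if (it == map.end()) return 0;
    return it->second + p.Offset;
}

int main()
{
    BlockMap map = SampleHiveMap();
    const uint32_t samples[] = { 0x20, 0x1020, 0x80000100, 0x00200000, HCELL_NIL };
    for (uint32_t ci : samples) {
        CellParts p = SplitCellIndex(ci);
        printf("CellIndex = %08x, Type = %u, Table = %u, Block = %u, Offset = %03x -> %016llx\n",
               ci, p.Type, p.Table, p.Block, p.Offset, (unsigned long long)ResolveCell(map, ci));
    }
    return 0;
}
```

The 0x00200000 sample lands in directory slot 1, which the constructed map does not contain, so it resolves to 0; the real command gets the same signal when the ExtRemoteTyped read of a Directory entry fails.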

m_Symbols

There are two functions that can be used for symbol name resolution, GetOffsetByName() and GetNameByOffset().

    ULONG64 SsdtAddr = 0, LimitAddr = 0;
    m_Symbols->GetOffsetByName("nt!KeServiceDescriptorTable", &SsdtAddr);
    m_Symbols->GetOffsetByName("nt!KiServiceLimit", &LimitAddr);
    ... // read KiServiceLimit and walk the service table
        CHAR Name[MAX_PATH]; ULONG64 Displacement;
        m_Symbols->GetNameByOffset(Address, Name, sizeof(Name), NULL, &Displacement);
        Dml("[%3d] 0x%I64X %-64s (Hooked: %3s) (Inline: %3s)\n",
            i, Address, Name, Hooked ? "Yes" : "No", Inline ? "Yes" : "No");

[Screenshots: knode, kvalue]
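To show what the two symbol calls are for in the service-table walk above, here is an added stand-alone C++ example (written for this page, not the extension's code, and not using the debugger engine): GetOffsetByName/GetNameByOffset are replaced by lookups over a constructed symbol table, the x64 KiServiceTable encoding (KiServiceTable + (entry >> 4), argument count in the low four bits) is decoded, and each target is reported as Hooked when it resolves outside nt and as Inline when its first bytes are a JMP. All addresses, symbol names and instruction bytes are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct Symbol { std::string Name; uint64_t Address; };

// Constructed nt image range and a handful of symbols; on a live session the extension gets
// these from m_Symbols (GetOffsetByName / GetNameByOffset) and the loaded-module list.
constexpr uint64_t kNtBase = 0xFFFFF80000400000ULL;
constexpr uint64_t kNtSize = 0x00600000ULL;

std::vector<Symbol> SampleSymbols()
{
    return {
        { "nt!NtClose",        kNtBase + 0x0A1000 },
        { "nt!NtOpenKey",      kNtBase + 0x0B2200 },
        { "nt!NtCreateFile",   kNtBase + 0x0C3400 },
        { "nt!KiServiceTable", kNtBase + 0x100000 },
        { "nt!KiServiceLimit", kNtBase + 0x100800 },
    };
}

// GetOffsetByName() counterpart: exact lookup, 0 when the name is unknown.
uint64_t GetOffsetByName(const std::vector<Symbol>& syms, const std::string& name)
{
    for (const auto& s : syms) if (s.Name == name) return s.Address;
    return 0;
}

// GetNameByOffset() counterpart: closest preceding nt symbol plus displacement, printed the way
// WinDbg does ("nt!NtClose+0x10"). Addresses outside nt get an empty name here.
std::string GetNameByOffset(const std::vector<Symbol>& syms, uint64_t addr)
{
    if (addr < kNtBase || addr >= kNtBase + kNtSize) return "";
    const Symbol* best = nullptr;
    for (const auto& s : syms)
        if (s.Address <= addr && (!best || s.Address > best->Address)) best = &s;
    if (!best) return "";
    if (addr == best->Address) return best->Name;
    char buf[160];
    snprintf(buf, sizeof buf, "%s+0x%llx", best->Name.c_str(), (unsigned long long)(addr - best->Address));
    return buf;
}

// x64 KiServiceTable entries are 32-bit: target = KiServiceTable + (entry >> 4) (arithmetic
// shift), and the low four bits hold the argument count.
uint64_t ServiceTarget(uint64_t tableBase, int32_t entry) { return tableBase + (int64_t)(entry >> 4); }
int32_t  EncodeEntry(uint64_t tableBase, uint64_t target, int argc)
{
    return (int32_t)((int64_t)(target - tableBase) * 16) | argc;
}

struct ServiceReport { int Index; uint64_t Target; std::string Name; bool Hooked; bool Inline; };

// Walks the table the way the snippet above does: every target must resolve inside nt
// ("Hooked" otherwise) and must not begin with a JMP rel32 / JMP [rip+disp32] ("Inline").
std::vector<ServiceReport> CheckServiceTable(const std::vector<Symbol>& syms,
                                             const std::vector<int32_t>& table,
                                             const std::map<uint64_t, std::vector<uint8_t>>& mem)
{
    uint64_t base = GetOffsetByName(syms, "nt!KiServiceTable");
    std::vector<ServiceReport> out;
    for (size_t i = 0; i < table.size(); ++i) {
        uint64_t target = ServiceTarget(base, table[i]);
        bool hooked = target < kNtBase || target >= kNtBase + kNtSize;
        bool inl = false;
        auto it = mem.find(target);   // first bytes of the routine, as ReadVirtual would return them
        if (it != mem.end() && it->second.size() >= 2)
            inl = it->second[0] == 0xE9 || (it->second[0] == 0xFF && it->second[1] == 0x25);
        out.push_back({ (int)i, target, GetNameByOffset(syms, target), hooked, inl });
    }
    return out;
}

// Constructed table with three services: clean, inline-patched, and redirected outside nt.
std::vector<int32_t> SampleServiceTable()
{
    uint64_t base = kNtBase + 0x100000;
    return { EncodeEntry(base, kNtBase + 0x0A1000, 1),      // NtClose, untouched
             EncodeEntry(base, kNtBase + 0x0B2200, 3),      // NtOpenKey, first bytes replaced by JMP
             EncodeEntry(base, kNtBase + 0x2000000, 11) };  // NtCreateFile slot pointing into a driver
}

std::map<uint64_t, std::vector<uint8_t>> SampleMemory()
{
    return { { kNtBase + 0x0A1000, { 0x48, 0x89, 0x5C, 0x24, 0x08 } },   // mov [rsp+8], rbx
             { kNtBase + 0x0B2200, { 0xE9, 0x10, 0x20, 0x30, 0x40 } } }; // jmp rel32
}

int main()
{
    for (const auto& r : CheckServiceTable(SampleSymbols(), SampleServiceTable(), SampleMemory()))
        printf("[%3d] 0x%016llX %-32s (Hooked: %3s) (Inline: %3s)\n", r.Index, (unsigned long long)r.Target,
               r.Name.c_str(), r.Hooked ? "Yes" : "No", r.Inline ? "Yes" : "No");
    return 0;
}
```

In the extension the same loop reads KiServiceLimit with ExtRemoteData, decodes each entry as above, and hands the target to m_Symbols->GetNameByOffset(); a target that yields no nt symbol, or one whose first bytes are a jump, is what the Hooked/Inline columns flag.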

Related articles:

Developing WinDbg ExtEngCpp Extension in C++ – Introduction – Part 1
Developing WinDbg ExtEngCpp Extension in C++ – COM Interface – Part 2
Developing WinDbg ExtEngCpp Extension in C++ – Memory & Debugger Markup Language (DML) – Part 3
Developing WinDbg ExtEngCpp Extension in C++ – Symbols – Part 4