Check your system virginity in less than 60 seconds.
Programming, WindowsToday, I wrote a tool called sym32guid which aims at retrieving all stored Program DataBase (*.PDB File) GUID (Globally Unique Identifier) from a physical memory dump. To do why? The first goal was to use use symbols as additional information regarding unexported functions like the über-famous msv1_0!MsvpPasswordValidate, but it looks it can also be used to detect Virus and Trojan…
The target machine is a Windows Vista SP1 32bits, I’ve installed last week inside a Virtual Machine and I’ve extracted the physical memory dump from the windows hibernation file through SandMan Framework.
Sym32GUID - Symbols 32bits GUID dumper.
Matthieu Suiche (c) 2008 - http://www.msuiche.net
Searching for PDB signature....
Guid: {5b360e5e-6cb4-4fed-aace-dc446ac26a6b} PDB: bootmgr.pdb
Guid: {01b4cd8a-8437-4a8c-b6bf-20da89086b5c} PDB: dxapi.pdb
Guid: {c1772914-3219-4cc8-a5d6-b9e083420760} PDB: luafv.pdb
Guid: {ff6c84fc-d2e5-4d92-8d1b-cd38165357ea} PDB: diskdump.pdb
Guid: {abe17e2b-a5fc-4268-9a35-2fa52d3ba68e} PDB: msacm32.pdb
Guid: {f4e61857-4910-4231-8000-c5ce88b4d6e6} PDB: ksuser.pdb
Guid: {3376eb68-740d-46ed-9f9c-095791216b12} PDB: qagent.pdb
Guid: {ef783696-2ace-4995-9135-86e950a0dcde} PDB: mgmtapi.pdb
Guid: {3ceab1e1-dc75-4adf-ad90-ddf2983ada17} PDB: main.pdb
Guid: {c87b26a9-4f69-4f2c-b840-274f2f92085d} PDB: MFPS.pdb
Guid: {52bcd81d-e4c1-4b42-91c9-ddebc15b213b} PDB: intl.pdb
Guid: {d44d8060-ea0b-4211-8894-40831430abe7} PDB: oobefldr.pdb
Guid: {8d6249e0-dba8-466a-b545-ca680b3541ee} PDB: glu32.pdb
Guid: {09463a53-f731-4e8f-a4dd-528945738ac7} PDB: wuapi.pdb
Guid: {13c87af1-e9a5-4c12-8acc-fae8a92a77ce} PDB: dxva2.pdb
Guid: {baa51a0e-f312-473b-ac4c-ba694e867cb5} PDB: icm32.pdb
Guid: {9f6ca43b-973a-4823-ba82-0c51a37513d3} PDB: msdmo.pdb
Guid: {9d95f9c7-ae33-4799-aeab-f5ad264c40a8} PDB: aclui.pdb
Guid: {ec36dd80-0c84-40ee-b65f-f673059562dc} PDB: FXSMON.pdb
Guid: {abfc57f5-72d7-4675-a81a-488c2a30d970} PDB: cscapi.pdb
Guid: {af02eb9b-cd67-4ab0-a33d-c299abce16cd} PDB: cscui.pdb
Guid: {fc2b56b8-2613-4912-95a3-f60ae1061ecc} PDB: ddraw.pdb
Guid: {c0e31437-4eb3-4d6d-8f52-6ae5f3476dc6} PDB: TCPMON.pdb
Guid: {6a735a67-dd84-4d78-b665-73d98f265806} PDB: w:\Starteam\1999_ThinPrint\SE\Dev
\Quellcodes\MSdev\TPVMMon\Release English\TPVMMon.pdb
Guid: {0825361b-f2ef-4b18-9fd5-e2ada3dc7264} PDB: eappprxy.pdb
Guid: {03d7dbf2-52f4-48a4-84a9-e17fb7734ee6} PDB: ntkrpamp.pdb
(...)
Guid: {f6dc669d-d565-4fff-8767-fc756dc8141c} PDB: kbdus.pdb
Guid: {90140190-0102-7375-6572-33322e706462} PDB: !#HSTR:Trojan:Win32/Busky.EI
Guid: {9942c1ad-f742-4a3c-8682-8a7925e3f0d0} PDB: appwiz.pdb
Guid: {ee6f2dea-68d5-45a9-9bf5-30f52acf7e31} PDB: HNetCfg.pdb
(…)
Guid: {a6364233-9105-49f3-a054-e0bd5869f65f} PDB: win32k.pdb
Guid: {65bc1194-c0d0-420d-be9d-26b894a4dddd} PDB: dxg.pdb
Guid: {c75665db-de52-4724-8b6c-0d9389c4d326} PDB: TSddd.pdb
Guid: {4baaedc2-8c46-4577-adf9-5aca59f7f6c9} PDB: clfs.pdb
Guid: {271175d5-763c-48a7-9600-8af3b4096251} PDB: ci.pdb
Guid: {032c7493-d12b-4132-b060-690307a1cf02} PDB: kdcom.pdb
Guid: {bc65b112-97d7-4f25-bb01-7884612e1efb} PDB: pshed.pdb
Guid: {02125e70-512a-456f-bb0e-955ad9d31525} PDB: bootvid.pdb
Guid: {17d8e566-7c50-42ad-b862-830e99e1d3a5} PDB: mcupdate_GenuineIntel.pdb
[TOTAL:] Sym32GUID retrieved 697 GUID signatures.
Awesome nop? :) This might means that old school ASM virus programmers are dead now. Moreover, it also proves that Visual Studio can do Anti-virus job with its debug directory.
Tool and source can be downloaded there
Sym32GUID - Symbols 32bits GUID dumper. Matthieu Suiche (c) 2008 - http://www.msuiche.net Usage: Sym32Guid.exe [option] dumpfile Commands: -u Print the remote url to download the symbol from Microsoft server. Sample: Sym32Guid.exe memory.dump Search guid. Sym32Guid.exe -u memory.dump Search guid and print msdl url.
Ooh! Headshot! Linus Torvalds about OpenBSD Team.
WindowsSource: http://thread.gmane.org/gmane.linux.kernel/706600/
On Tue, 15 Jul 2008, Linus Torvalds wrote: > So as far as I'm concerned, "disclosing" is the fixing of the bug. It's > the "look at the source" approach. Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior. It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important. In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking. Security people are often the black-and-white kind of people that I can’t stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it’s no less important than everything *else* that is also important! Linus
Capture memory under Win2k3 or Vista with win32dd!
WindowsActually, win32dd is the only 100% open-source tool to capture memory under Win2k3 or Vista. Even, if ManTech released a similar tool yesterday, but some part of the source code (e.g. driver source code) are missing. Then, I decide to release mine as a full open-source project under GPL3 license.
The main difference between ManTech tool and win32dd, is that win32dd is mainly a kernel mode application — then it avoids to use user-land API to write to an output file, everything is done with native functions. Thus, it means a faster dumping… This point isn’t negligible when you have one million page to dump in one single.
In ManTech tool, the driver is only used to get \Device\PhysicalMemory handle.
Download win32dd v1.0.20080615 now!
EDIT: (16th June), New version, fixed bug.
PS: You can read further information about PhysicalMemory restriction access on the Microsoft MSDN here.
BlackHat Las Vegas Briefing 2008
Windows
In November 2007, Nicolas and I presented “Enter SandMan” in Tokyo at PacSec during its development phase. You can get the materials we used for this lecture here in English and here in Japanese.
Some months later, an alpha version formally called 1.0.080226, of Sandman Framework has been released as an open source project. — you can find the current version here. Please consider, as Volatility Team has kindly reminded SandMan is a GPL3 project then don’t imitate Vendor “X” which don’t even waited a final version of SandMan to violate the GPL and then implemented a bugged version into his commercial products :).
Furthermore, in March Cedric presented and commented the SandMan proof of concept video during lightning talks at CanSecWest 2008 in Vancouver.
Anyway, at the upcoming Black Hat Vegas 2008, I’m going to give a talk entitled “Windows hibernation file for fun and profit“. This talk aims to discuss about both forensics and offensics uses through the hibernation file (hiberfil.sys) with SandMan.
For your information, Alex is also giving a talk at BH called “Of Pointers and Handles A Story of Unchecked Assumptions in the Windows Kernel”.
You can take a look at the full schedule here.
X-Files. Episode 2. *Squeeze*
Articles, Law, SandManAs said previously, it’s really easy to find proof of plagiarism when an open-source tool is released and whan this source is reimplemented into a commercial software without compliance. Andreas published a new article called The implementation by Vendor “S”. In this article, he has explained what are the differences between the implementation of XpressDecode in SandMan and the Microsoft OS Loader’s one.