Archive for the 'Reversing' Category

Yummy

I’ve upgraded to IDA Pro Advanced 5.2 recently and I really really like it. Good job as always, Ilfak!

// Oliver

IDA 4.9 Freeware

… and no more excuses from those pirating IDA. Datarescue made a freeware version 4.9 of IDA available for download. In the scope of IDA Palace, I have mirrored the files on two more servers. One of the servers is likely going to disappear in the long run, but I’ll make sure the links will work regardless.

Feel free to link.

// Oliver

MD5 is dead

Scientists have shown that the attack method devised against MD5 in 2004 is usable and can even trick code-signing tools into “believing” that the binary is the same.

We announce two different Win32 executable files with different functionality but identical MD5 hash values. This shows that trust in MD5 as a tool for verifying software integrity, and as a hash function used in code signing, has become questionable.
(Quote from the linked page)

What are the implications? Well, the worst and foremost is that an attacker can put malicious code under the disguise of a valid and trusted signature. As an example: an elaborate attack could use a driver signed by Microsoft together with the attacker’s own rootkit to create content that is indistinguishable by MD5 hash, thus allowing the attacker to trick the victim into believing that the code was signed by Microsoft - which is ultimately trusted on most Windows systems by default.

// Oliver

Hello from Vienna

Some of you will already know it from private conversations, the rest know it now … I am in Vienna at the Virus Bulletin Conference 2007 as one of seven representatives of FRISK Software. You meet nice people here and - at least when no manager is standing next to you - can talk openly with colleagues from other companies. Example: yesterday I got to know a number of people, but the two most pleasant acquaintances for me were Nicolas Brulez and Boris Sharov. The former is certainly familiar to many reversers and has also made a name for himself as the author of Armadillo (a commercial EXE packer). The latter is the CEO (in short: the boss) of Dr.Web Antivirus, one of the two antivirus vendors from Russia. Apart from that, you meet many people here who are known “in the scene”, some who otherwise only work behind the scenes, and so on. All in all, I am positively surprised on my first visit. Besides that, there are of course plenty of Austrians here with their likeable accent (and dialect).

… would you care for some more orange juice, sir? :mrgreen:

// Oliver

PS: Last night we also had a proper “Austrian” dinner. There was döner and dürüm ;)

Joanna Rutkowska gets serious ;)

She and a partner, Alexander Tereshkin, have published the source to BluePill, or rather a rewrite called New BluePill (NBP), since Rutkowska’s previous employer owns the rights to the original one:

http://www.bluepillproject.org

The source is a little flawed, at least the version I got. It requires three minor corrections, but I am not sure whether this is an intentional hurdle for script-kiddies or a difference between the in-lab source and the one being published. Anyway, it’s not hard at all to figure it out. The source won’t compile with the WNET DDK, though - and presumably won’t compile with even older DDKs either. This means you have to get the Vista WDK or the beta of the 2008 Server WDK. The problem for the WNET DDK seems to be the assembly parts in the source, so it may be possible to fix this; however, I didn’t try. The executable is around 50 KiB in size. Obviously it compiles only for AMD64 ;)
Continue reading ‘Joanna Rutkowska gets serious ;)’

No it wasn’t an April Fool’s joke

Michał ‘GiM’ Spadliński, a Polish blogger wrote in his article “Czy Redpill Joanny Rutkowskiej jest poprawny?“:

Oliver Schneider (a reverse engineer working for F-Prot) published […] an article, dated April 1st, which does not look at all like an April Fool’s joke.

This made me really laugh. No, I have to admit my Polish is not the best (and getting worse due to lack of exercise), but I could clearly understand the quoted parts and quite some more.
Continue reading ‘No it wasn’t an April Fool’s joke’

Battle of the titans?

Ptacek, Lawson and Ferrie - well-known security specialists - joined up to challenge Rutkowska and prove that her virtualization rootkit BluePill (up to now AMD-specific) is detectable regardless of her claims. The above link leads to her official reply to them.

Rutkowska likes to speak in absolutes, as it seems. In one instance I could even falsify one of her claims concerning VMM detection from within a VM using the interrupt descriptor table address as an indicator. This shows she is human like everyone else, but having her own company now and being busy all the time (who is not?) she never found the time to respond to my articles :roll:

Anyway, this gets me really excited about who will win the challenge, but Peter Ferrie, being a former FRISK employee, has all my sympathies :mrgreen:

// Oliver

What the heck, Kaspersky???

Here Kaspersky claims:

An advisory has recently been published on rootkit.com regarding a vulnerability in KAV 7.0. Unfortunately, the authors of this material chose not to adhere to industry standard practice, and contact the vendor prior to disclosing vulnerability details. Although the authors claim that all attempts to inform Kaspersky Lab about this vulnerability were ignored, this is not the case: if we had been informed, this issue would have been addressed long ago.

I am really upset by this! I reported this vulnerability back in October 2005 in the Kaspersky subforum at malware-research.co.uk, a closed forum for security professionals, and one person from Kaspersky Labs Netherlands replied and said it would be taken care of. Back then (before the reply) I wrote that if they did not respond in due time I’d publish it (without details) through public channels, which was taken as a threat by the person who responded. Interestingly, I never checked again, and it was almost one year later (September 2006) that I joined FRISK Software International and thus the AV industry.

Also fascinating, I am not the one who published it on rootkit.com, instead I chose to contact them in a closed security-aware community and the result was apparently the same, Kaspersky chose to ignore it in the end in both cases. I can well imagine that “the authors claim that all attempts to inform Kaspersky Lab about this vulnerability were ignored”.

Excuse me, but the claims in the above quote are ridiculous to say the least.

// Oliver

BTW: I met said person at the AV Workshop this year. A few weeks after the workshop a bug that I reported more than 18 months ago surfaces again (in one of their latest products!). Amazing!

Wicked stuff!

Ilfak posted a nice demo clip on his blog: “Decompilation gets real”. This is really a dream of many reversers and could really speed up the analysis of many samples.

// Oliver

Redpill getting colorless? (continued)

In my previous article from November last year I challenged the claims of Joanna Rutkowska concerning Redpill. A recent article in the German computer magazine iX (April 2007) mentioned Rutkowska’s findings again, so I decided to review the tool, the driver, the accompanying research paper and the results. You can download the new results below. The most interesting findings were made by observing the values on Virtual PC 2007. For every operating system and every VMM tested, the following combinations were considered: VMM tools installed or not installed, each with acceleration enabled or disabled. For Virtual PC 2007 the acceleration was hardware virtualization.
Continue reading ‘Redpill getting colorless? (continued)’

Updates in the IDA SDK 5.1 …

Since it is always exciting to find new features, I thought it would be good to put up a list of the changes introduced into the IDA SDK since version 5.0! This should allow all plugin writers to get a quick overview of new functionality.

Relevant changes in the IDA SDK between version 5.0 and 5.1 beta 2 follow, sorted by filename …
Continue reading ‘Updates in the IDA SDK 5.1 …’

IDA 5.1 and Virtual PC 2007 released

Finally IDA 5.1 and Virtual PC 2007 have been released. I wrote about IDA during the beta-phase and I promise to write some more stuff (probably) the next weekend.

Virtual PC 2007, just like its predecessor Virtual PC 2004, is freely downloadable and comes free of charge. Although it is inferior to VMware in several aspects, it seems there is one point where Virtual PC 2007 is better than VMware … the support of VMX on 32-bit hosts. However, I’ll have to verify that and will get back to you with more information once I have it.

// Oliver

IDA 5.1 Beta 2

Yesterday Ilfak released the second beta of IDA 5.1. Not only have several issues been fixed, but the IDC symbol and kernel function described in the updated blog entry from a few days ago have also been introduced.

// Oliver

Some IDC scripts uploaded (update)

On my website you can find some IDC scripts which have been uploaded just lately. Some are related to kernel mode reversing and some (MFCxx.rar) to user mode reversing. Please find them here.

Update: If you downloaded the scripts before, please download the new version and apply it. This should possibly catch some of those functions which have been imported several times and not optimized to one import by the linker.

// Oliver

IDA 5.1 Beta 1 (updated).

Last week Ilfak released the first beta version of the upcoming IDA 5.1. I am one of the lucky ones who get to test IDA in beta stage already. And since everyone should know how I love IDA - a.k.a. the best disassembler in the world - I want to present some of my personal highlights of this beta.
Continue reading ‘IDA 5.1 Beta 1 (updated).’

Violating GPL to make the big money …

What would you think of a company that is presenting its new product which is somewhat innovative, but the product is based on OpenSource software and the company does not care about the OpenSource licenses of the used components?

As an OpenSource author I don’t like such companies. Lately I discovered this for one Asian-European company which has released a product this year. They were using OpenSource from a project in which I am involved and which is licensed under LGPL or MPL (to be chosen by the licensee). After notifying them that they were in violation of the license, they added the mandatory attribution in their help file and later seemingly removed(?) the respective units completely (the GUI part of the product is a Delphi program).
Continue reading ‘Violating GPL to make the big money …’

Redpill getting colorless?

Although I had posted this already at the malware research forum and received little feedback, I decided to prepare a brief research paper about this topic and post it here.

The topic is that the Redpill approach by Joanna Rutkowska does not seem to work reliably: the values retrieved in kernel mode inside a virtual machine (VMware) differ substantially from the ones retrieved in user mode. Calling SIDT in user mode was the rationale of the whole approach, and one would not normally expect the results to differ between user mode and kernel mode. The difference also means that the approach is not generally applicable. Last but not least, the Redpill approach failed for me on Virtual PC (see the paper).
Continue reading ‘Redpill getting colorless?’
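To make the measurement behind these two Redpill articles concrete, here is an added example of my own; it is not the tool or driver from the posts. It reads the IDTR from user mode with SIDT, the way the original approach does, and applies the threshold from the original Redpill code, which compares the most significant byte of a 32-bit IDT base against 0xd0. It assumes a GCC-compatible compiler on x86 (on other architectures the read returns 0), and the sample values at the end are constructed, not measurements from the posts. The structure also carries the posts’ caveat: the same read from kernel mode can return a different base, and the verdict rests on a single register value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In-memory image written by SIDT: a 16-bit limit followed by the linear
   base address (4 bytes in 32-bit mode, 8 bytes in 64-bit mode). */
#pragma pack(push, 1)
struct idtr_image {
    uint16_t  limit;
    uintptr_t base;
};
#pragma pack(pop)

/* Execute SIDT from user mode and return the IDT base.  On non-x86 builds the
   instruction does not exist and 0 is returned.  Assumption: GCC-style
   inline assembly is available. */
static uintptr_t read_idt_base(uint16_t *limit_out)
{
    struct idtr_image r;
    memset(&r, 0, sizeof r);
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile ("sidt %0" : "=m" (r));
#endif
    if (limit_out)
        *limit_out = r.limit;
    return r.base;
}

/* The heuristic from the original Redpill code, applied to a 32-bit IDT base:
   the sixth byte of the SIDT image (the most significant byte of the base) is
   compared against 0xd0; anything above it is taken as "inside a VMM".
   Returns 1 for a VMM verdict, 0 for native. */
int redpill_verdict(uint32_t idt_base32)
{
    uint8_t top = (uint8_t)(idt_base32 >> 24);
    return top > 0xd0 ? 1 : 0;
}

/* Print one observation in the form the measurements were tabulated:
   environment label, base seen from user mode, verdict.  A driver running
   the same SIDT in kernel mode may report a different base, which is why a
   real comparison collects both. */
void report(const char *env, uint32_t base32)
{
    printf("%-14s IDT base 0x%08x -> %s\n", env, base32,
           redpill_verdict(base32) ? "VMM (Redpill)" : "native (Redpill)");
}

int main(void)
{
    uint16_t limit = 0;
    uintptr_t base = read_idt_base(&limit);
    printf("this process: IDT limit 0x%04x base 0x%lx\n",
           (unsigned)limit, (unsigned long)base);
    if (sizeof(uintptr_t) == 4)
        report("this process", (uint32_t)base);
    else
        puts("64-bit build: the 0xd0 threshold was stated for 32-bit guests");

    /* Constructed sample bases (not measurements from the posts) showing how
       the threshold splits the kernel address range. */
    report("sample A", 0x8003f400u);  /* below 0xd0: native verdict */
    report("sample B", 0xff000000u);  /* above 0xd0: VMM verdict */
    report("sample C", 0xd0000000u);  /* exactly 0xd0: not above, native */
    return 0;
}
```

Compile with `gcc -O2 redpill_check.c` and run once natively and once inside the VMM under test; to reproduce the user-mode versus kernel-mode comparison from the paper, the `sidt` read has to be issued a second time from a driver, since that is where the posts observed the diverging values.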

Agnitum still panicked?! …

Recently I wrote an article about Agnitum, a security software vendor known for its firewall, because of their accusations towards Microsoft. Today I noticed there was a comment from someone at Agnitum on the Sunbelt Blog, so I decided to comment on it. Here is the original comment from Agnitum:

Agnitum’s technical brief about Microsoft’s approach to Kernel Patch Protection has sparked intense discussion at Alex Eckelberry’s blog.

May we participate in the debate?

The new approach to kernel patch protection is designed to block rootkits. That’s progress. However, ironically, it also prevents the installation of third-party security software from Agnitum, and Zone Labs, and McAfee, and Symantec, and other companies. This is not progress. History proves we should not rely on Microsoft and only Microsoft for operating-system security.
Continue reading ‘Agnitum still panicked?! …’

Agnitum panicked because of Microsoft’s security measures

In the Sunbelt Blog I read today that Agnitum, a vendor known mainly for its firewall, is panicked because of Microsoft’s Kernel Patch Protection. Sorry, but that made me laugh. No idea how new the news is, but to those following the driver developer mailing lists and fora it is certainly no news. Let’s look at some of the claims of Agnitum.
Continue reading ‘Agnitum panicked because of Microsoft’s security measures’