
Virtualization Conference at IIT Bombay

Recently I attended the virtualization conference “Convergence 08”, held at IIT Bombay. This is the first technical event dedicated to virtualization held so far in India, with talks from industry experts in the field. Over 200 delegates from various organizations attended this two-day event, which focused on current research activities in virtualization.

The conference started with a keynote from Prof. D. M. Dhamdhere, one of the most respected professors at IIT Bombay. Then Chinmay from VMware talked about server virtualization, delving deeper into the key features of the various virtual appliances produced by VMware over the years.

Next, Naresh Sehgal from Intel gave a very insightful and informative presentation on hardware virtualization. He explained how the virtualization wave forced hardware vendors like Intel and AMD to support virtualization at the processor level, greatly reducing the work performed by hypervisors. This was the best presentation of the conference, and he was kind enough to send me a soft copy of the presentation on request.

On the next day, we had a presentation from the IIT Bombay team on performance issues in virtualization using Xen. They explained various aspects, including the schedulers and the I/O processing mechanism built into the Xen hypervisor. The presentations by Amit Shah and Symantec’s Anurag were also useful. Apart from these, there were talks on storage virtualization, data virtualization, I/O virtualization etc., which helped us gain a better understanding of the variety of virtualization technologies evolving today.

Overall, it was worth attending such a highly technical event with insightful presentations from knowledgeable speakers.


Pattern-based password recovery is not a new concept. However, it is rarely used in present-day programs, despite its importance and the performance improvement it brings.

It relies on the fact that each of us remembers some part of a password even after we have forgotten the password itself. This can be any parameter, such as the length, the first few letters, the last letters or the middle part of the password. Also, many of us have the habit of choosing all of our passwords in a particular pattern. When a person possesses such information about the password, it greatly reduces the time required to recover it.

Now the new FireMaster 2.5 introduces this technique, which aims to recover the most complex or impossible-looking passwords in a realistic time frame and brings down the recovery time significantly.

To demonstrate this practically, let’s take the example of a 12-letter password containing only lowercase alphabets and numbers. Recovering such a password with the brute-force approach would take months, even on high-end machines.

Now assume that certain information about this lost password is available, say, for example, that the password is of length 12, begins with ‘fire’ and ends with ‘12’.

FireMaster with Pattern Based Recovery Technique

In this case, running FireMaster using the brute-force method coupled with the new pattern-based recovery technique, this impossible-looking password can be recovered in just 6 hours!
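To quantify why the pattern helps, here is an added Python example (not FireMaster’s code or anything from the original post): the search space is the product of the possibilities at each unknown position, so every known position shrinks it by a factor of the alphabet size. The mask syntax (‘?a’ = lowercase letter or digit, ‘?l’, ‘?d’) and the 100,000 guesses/second rate are assumptions constructed for this illustration.

```python
# Added example: measures how much a known pattern (length, prefix, suffix)
# shrinks a brute-force search. Mask syntax is constructed for this example:
# literal characters are fixed; '?l' = lowercase letter, '?d' = digit,
# '?a' = lowercase letter or digit (the 36-symbol alphabet of the post).
from __future__ import annotations

CLASS_SIZES = {"l": 26, "d": 10, "a": 36}


def parse_mask(mask: str) -> list[int]:
    """Return the number of possibilities at each position of the mask.

    A literal character contributes 1 (it is already known); a wildcard
    contributes the size of its character class."""
    sizes: list[int] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            cls = mask[i + 1:i + 2]
            if cls not in CLASS_SIZES:
                raise ValueError(f"bad wildcard at offset {i}: {mask[i:i + 2]!r}")
            sizes.append(CLASS_SIZES[cls])
            i += 2
        else:
            sizes.append(1)
            i += 1
    return sizes


def mask_keyspace(mask: str) -> int:
    """Candidates that must be tried when the pattern is known."""
    total = 1
    for n in parse_mask(mask):
        total *= n
    return total


def blind_keyspace(length: int, alphabet_size: int = CLASS_SIZES["a"]) -> int:
    """Candidates for a blind brute force over the same length and alphabet."""
    return alphabet_size ** length


def reduction_factor(mask: str, alphabet_size: int = CLASS_SIZES["a"]) -> int:
    """How many times smaller the pattern-based search is than the blind one."""
    return blind_keyspace(len(parse_mask(mask)), alphabet_size) // mask_keyspace(mask)


def hours_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return keyspace / guesses_per_second / 3600.0


if __name__ == "__main__":
    # The post's scenario: 12 characters, lowercase+digits, starts 'fire', ends '12'.
    mask = "fire?a?a?a?a?a?a12"
    rate = 100_000.0  # assumed guesses per second, constructed for illustration
    blind = blind_keyspace(12)
    print(f"blind search  : {blind:,} candidates, "
          f"{hours_to_exhaust(blind, rate) / 24 / 365:,.0f} years")
    print(f"pattern search: {mask_keyspace(mask):,} candidates, "
          f"{hours_to_exhaust(mask_keyspace(mask), rate):.1f} hours")
    print(f"reduction factor: {reduction_factor(mask):,}x")
```

At the assumed rate, the six unknown positions (36^6 candidates) take about six hours, matching the figure above, while the blind 12-character search would take over a million years.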

Isn’t that cool?

The best results come when both the tool and the person’s brain are running at their top potential!

- Nagareshwar


New book on Reversing and IDA Pro

There is yet another book in the reversing arena that promises a great deal. The book, titled “Reverse Engineering Code with IDA Pro”, is set to be released during the second week of February 2008. So far very few books have been released in the reverse engineering field. There is also a need for a book which completely uncovers the strengths of the BEST reversing tool on earth, and this book does exactly that.

Here is the table of contents of this book:

………………………………………………………………………………….

Chapter 1: Introduction to IDA Pro

Chapter 2: Installing IDA Pro on Windows, OS X, and Linux

Chapter 3: Learning the IDA Pro Interface

Chapter 4: Analyzing Worms, Viruses, and Trojans

Chapter 5: IDA Pro as a Disassembler

Chapter 6: IDA Pro as a Debugger

Chapter 7: Breaking Hostile Code Armor

Chapter 8: Reversing Obfuscation in Hostile Code

Chapter 9: Automating IDA Pro with Macros

Chapter 10: Writing your Own Exploits

………………………………………………………………………………….

Looking at the contents, the book looks promising. But let’s wait for D-day to see if it really delivers on what it says!


LDAPSearch with new Look

LDAPSearch is one of the simplest tools for remotely searching directory servers such as eDirectory, Active Directory etc. A directory server provides the most scalable, high-performance LDAP data store for critical information within the industry and serves as the foundation for the new generation of e-business applications and Web services.

In this context, this LDAP search tool makes it easy to retrieve the information remotely and greatly helps in troubleshooting problems associated with the Directory servers.

This new version presents a renovated look & feel with simpler and more user-friendly settings. In addition to Vista UAC compatibility, there have been a couple of performance-related improvements.

For more details and to download this tool, follow this link.

Thanks to those who have sent their suggestions & feedback.


Solution of Hacker Reversing Challenge 2007

This is an international reverse engineering challenge conducted by a U.S.-based security company. The purpose of the challenge is to evaluate the effectiveness of software protections. The contest is carried out in 3 phases, where the first and third phases involve breaking the protection of custom programs using reverse engineering. One of the interesting parts of this reversing challenge is the usage of floating point instructions.

I have published a detailed analysis of the problem & solution for phase I and phase III of the challenge. If you have already tried and could not complete it, it will be interesting to look back and see where you failed. On the other hand, if you are a casual reverser looking for some food for thought, it is worth the time. In case you get stuck during the reversing game, you can follow the article for reference.

Happy r3v3rsing…!

- Nag


New AntiDebugging Timer Techniques

Almost everyone involved in reverse engineering knows about the timer checks used for anti-debugging. Generally, functions such as GetTickCount or KeTickCount are used to detect and prevent debugging attempts. Recently, in the Hackers Reversing Challenge 2007, one of the less known timer checks was used, which makes use of the functions QueryPerformanceFrequency & QueryPerformanceCounter.

The general idea behind timer checks is to record the time count at the beginning of an important operation and again at the end of the operation. If the program is being debugged (for example, single-stepped or stopped at a breakpoint in between), this time difference will be much larger than the normal execution time. Based on this calculation, it is easy to detect such debugging activity and terminate or change the behavior of the program.

Here is a sample program which shows how it can be done using QueryPerformanceFrequency & QueryPerformanceCounter:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

// Expected upper bound on the counter delta for the protected operation.
// The value is an assumption for this sample; it must be tuned per machine.
#define NORMAL_COUNTER_VALUE 50000

int main(void)
{
    LARGE_INTEGER lpFrequency;
    LARGE_INTEGER lpPerfCountOld, lpPerfCountNew;
    BOOL isPerfCounterAvailable = FALSE;

    // Record the initial performance counter value.
    // A BOOL is any non-zero value on success, so test it directly instead of == TRUE.
    if( QueryPerformanceFrequency(&lpFrequency) )
    {
        if( QueryPerformanceCounter(&lpPerfCountOld) )
            isPerfCounterAvailable = TRUE;
    }

    // Do some important operation
    for(int i=0; i<1000; i++)
        printf("Hello");

    // Now get the latest performance counter value and compare the delta
    if( isPerfCounterAvailable && QueryPerformanceCounter(&lpPerfCountNew) )
    {
        if( (lpPerfCountNew.QuadPart-lpPerfCountOld.QuadPart) > NORMAL_COUNTER_VALUE )
        {
            printf("\n Program is being DEBUGGED");
            exit(0);
        }
        else
        {
            printf("\n No debugging activity is detected");
        }
    }
    return 0;
}

As per MSDN, if the installed hardware does not support a high-resolution performance counter, QueryPerformanceFrequency returns FALSE. In that case one has to fall back to the traditional GetTickCount function, as done in the Hacker challenge program.

Defeating such a trick is not difficult. Patching QueryPerformanceFrequency to return FALSE solves the problem. However, there is a possibility that the program directly uses QueryPerformanceCounter, which can be circumvented by patching it to return zero, as shown in the following OllyScript:

// patch QueryPerformanceFrequency to return FALSE
// 33C0 = xor eax, eax ; C20400 = ret 4 (pops the single stdcall argument)
gpa "QueryPerformanceFrequency", "kernel32.dll"
mov [$RESULT], #33C0C20400#

// patch QueryPerformanceCounter to return zero (same stub)
gpa "QueryPerformanceCounter", "kernel32.dll"
mov [$RESULT], #33C0C20400#

Happy r3v3rsing
- Nagareshwar


Hypervisor @ FOSS.IN

One of the big events in the IT arena, FOSS.IN, is taking place in Bangalore, the IT capital of India. It is fully packed with presentations from big-wigs of the open source community, presenting some of their new work and giving insight into the latest FOSS activities taking place across the world.


I went there with the intention of catching up with some of the kernel presentations, mainly to attend the hypervisor talk by Rusty Russell. Hypervisor is the buzzword nowadays, with everyone across the globe talking about virtualization.

The morning session started with the presentation on kernel hacking by James Morris. We went there with great expectations and a lot of excitement. Well, throughout the presentation, James just talked about the process of getting a newbie ready for kernel coding. There was no talk about kernel code, no hacking, not even a single technical thing. For a moment, I felt that I could have put up a better presentation than him about some of my recent discoveries which are yet to be published. James knows his stuff, but it looks like the presentation was targeted at a different audience.

The next event was lunch, which was in fact the main part. Sitting on the grass and eating with colleagues from Novell, reliving old memories, was a good experience.

In the afternoon, we went to the hypervisor presentation with lower hopes, as we did not want to disappoint ourselves again :) . Contrary to our expectations, Rusty Russell just rocked the show with highly technical insight into his hypervisor, lguest, with a nice mix of humour that kept everyone awake till the end of the presentation.

Since not many people have heard of this little kid in the virtualization arena, let me give a brief introduction here. lguest is a simple x86 hypervisor that allows you to run multiple copies of the same 32-bit Linux kernel. It is very good for people who are new to the virtualization world and may want to extend lguest or develop their own hypervisor!

In the presentation, Rusty talked about some of the internal workings of lguest, such as how switching occurs from the host system to the ghost (sorry... guest :) ) and from the guest back to the host. He also talked about some of the challenges and how he solved them. Overall the talk was full of memory management, interrupt tables, page fault handling etc. I am sure some of the half-geeks present at the talk must have been petrified!

You can download the hypervisor presentation from here.

Then we moved to the next talk, “Turning Linux into a real time kernel, Part 1”, which was more of a general talk on getting started with kernel development, almost similar to James Morris’s morning presentation. We wanted to protect our bright brains, so we just escaped from the scene without making much noise!

With the sun still shining brightly, we decided to take a stroll around the campus of IISc (India’s premier education institution), where FOSS.IN is taking place. It is a very big campus spread across acres of land, full of big trees and covered in a green bed, giving an entirely different feeling!

After that we headed back home, immensely satisfied with the hypervisor presentation and thinking that next year we will put up a better show than some of those kernel presentations.


- Nagareshwar


F-Secure RE Challenge Conquered

F-Secure has announced a new Reverse Engineering Challenge for the summer Assembly event. The challenge is very interesting, and neither easy nor difficult. It has 3 levels; at each level you have to find out an email address which will take you to the next level.

The challenge was announced a day back and already 18 people, including me, have completed it. Though I could not make it to the top 3 spots, I am happy that I completed the challenge in between a busy office schedule...

Once the challenge is over, I will post the answers here.

---- Update: 14th August 2007 ----

Since the khallenge.com website is offline and the automated email system is not working anymore, it’s difficult to know if an answer is correct or not. Here are the final email addresses for the different levels of the challenge:

Level 1: ThisIsAsm07REC@khallenge.com
Level 2: LuckyNumberIs_30503343_FSC@khallenge.com
Level 3: gr8skillz@khallenge.com

You can find the complete solution with detailed analysis at zairon’s blog: http://zairon.wordpress.com/2007/08/06/f-secure-reverse-engineering-challenge-2007-solution/

----------

You can find the current stats and details of the challenge here: http://www.khallenge.com/

So give it a try and see where you stand!

- Nagareshwar


Detecting & Defeating the Debuggers

Debuggers are the main tool used in reverse engineering. They are used by serial crackers to break software protections or to uncover the algorithms used in proprietary applications. On the other hand, they are also used by researchers to analyze malware.

Detecting the presence of debuggers is an important step in this direction. Here I will discuss both user-land and kernel-level debugger detection techniques. I will also throw some light on how one can defeat these techniques. It’s always good to know both sides of the coin, even though you always sit on one side.

In user land

Detecting debuggers in user land (ring 3) is simple. Windows provides the API IsDebuggerPresent(), which indicates if the application is being debugged. In such a case the application may decide to terminate, or may take a different path just to evade the crackers.

There is a better method than the one mentioned above. This involves directly reading the ‘BeingDebugged’ flag of the PEB (Process Environment Block) of the process. It is stealthier than directly using the function, since the function entry is clearly visible in the import table. In fact, the IsDebuggerPresent() function internally does the same thing: it reads the flag from the PEB.

Here is the disassembly of the IsDebuggerPresent function:

mov   eax, dword ptr fs:[18]       ; eax = TEB (TEB->Self)
mov   eax, dword ptr ds:[eax+30]   ; eax now points to PEB
movzx eax, byte ptr ds:[eax+2]     ; retrieves PEB->BeingDebugged value

Bypassing the above detection is simple as well. You can just attach a debugger and modify the return value of IsDebuggerPresent(). You can also directly modify the ‘BeingDebugged’ value in the PEB. OllyDbg has several plugins which do this automatically.

This technique of detecting debuggers is pretty old, but it still helps in evading casual crackers. Now there are more customized methods specific to debuggers such as OllyDbg, IDA Pro, SoftICE etc.

You can find some very good techniques at OpenRCE.

Inside the Kernel

There are far fewer resources available online when it comes to the kernel, as very few people have dared to enter ring 0. However, Windows provides support for detecting and defeating debuggers inside the kernel. You can use the exported variable KdDebuggerEnabled of ntoskrnl to detect if the machine is being debugged by a kernel debugger. A good place to perform this check is the DriverEntry routine of your driver.

Once a debugger is detected, you can either terminate execution of your driver or disable the debugger itself. To stop the debugger, you can use another exported function, KdDisableDebugger, on NT-based machines.

This same trick is used by IceSword (an anti-rootkit tool) to prevent reversers from learning its internals. Here is the code snippet from the IceSword driver Isdrv120.sys which does this check and then disables the debugger:

loc_disable_debugger:  
mov eax, ds:KdDebuggerEnabled ; check if debugger running
cmp byte ptr [eax], 0  
jz short loc_next ; no debugger found
call KdDisableDebugger ; disable debugger
jmp short loc_disable_debugger ; check again, until it is disabled
loc_next:  

Debugger-specific checks are not rare inside ring 0 either. For example, you can test for the presence of SoftICE by checking whether its driver is loaded.

- Nagareshwar


Reminder to remind your tasks

I have just finished enhancing my old tool, Reminder. This tool keeps track of your day-to-day tasks and reminds you at regular intervals. Though this has nothing to do with security, it helps you align your activities. I wrote this tool a couple of years back for my own needs. Then some people started using it and slowly I got a new set of enhancement requests :)

This latest version has some good features along with a cool user interface. Here are some of the main features:

  • Auto-starts when the user logs in, so there is no need to start it manually. This can be turned off by changing the relevant setting.
  • System tray functionality. On closing the application, it remains active in the system tray. You can activate it at any time by double-clicking on it.
  • Prioritize tasks by moving them up or down in the task list.
  • Modifying tasks is easy: just double-click to edit one.
  • Automatically reminds you about remaining tasks at regular intervals. This interval can be customized, and the reminder can be enabled or disabled as needed.

You can download the latest version of Reminder 2.0 here.

- Nagareshwar Talekar


ProcHeapViewer is a fast heap enumeration tool which uses a better technique than the normal Windows heap API functions. It’s a very useful tool for anyone involved in analyzing process heaps. Vulnerability researchers can find it useful while working on heap-related vulnerabilities.

Traditional Windows heap enumeration functions are slow and take a lot of time while traversing a large number of heap blocks. Here is the article which uncovers the reason behind the slowness of the heap functions. It also explains a new, efficient way of enumerating process heaps based on reverse engineering of the Windows heap API functions.

You can read more interesting details about ProcHeapViewer here.

- Nagareshwar Talekar

Charles Miller, a security researcher at Independent Security Evaluators, claims that he got an offer of $80,000 for a remotely exploitable flaw in Linux, and sighs that he could have asked for more. He could not get that price due to several conditions, but finally managed to sell it for $50,000.

He has written an interesting paper based on an analysis of the vulnerability market. In this paper he throws light on various aspects of selling vulnerabilities to legitimate companies and government agencies. He has also shared his experience in selling vulnerabilities, indicating the good and bad sides of it. The paper will be presented next weekend at the “Workshop on the Economics of Information Security”.

Most vulnerability researchers have neither enough information about target contacts nor an idea of the right price. This is being used (or exploited) by iDefense and other vendors through their vulnerability reward programs.

Explaining the current situation of vulnerability researchers, Charles says, “I don’t think it is fair that researchers don’t have the information and contacts they need to sell their research.”

And here is a mind-blowing paper written by him on the vulnerability market:
http://weis2007.econinfosec.org/papers/29.pdf

- Nagareshwar Talekar

ReactOS : Source for Windows OS

ReactOS® is an advanced free open source operating system providing a ground-up implementation of a Microsoft Windows® XP compatible operating system. ReactOS is currently in its alpha stage and there is a long way to go. Though it’s not an exact replica of Windows XP, it’s a near match. Moreover, all function names are the same as those of Windows.

It’s an ideal platform for anyone curious to peek into the Windows architecture and implementation. One of the best things is that you need not go through the whole source code; everything is available at a click of the mouse. Their website has a nice search feature through which you can look at the source of any Windows function. Note that the search query is case sensitive, so just typing createprocessa will not work. You need to type the correct function name, “CreateProcessA”. I guess this has been done to make the search results accurate; however, the other way would have been much better.

Here is a screenshot showing the file create.c, containing the implementation of the CreateProcessA function (you need to scroll down to see the function).

This is a great help for researchers, especially anyone into vulnerability research, as it saves a lot of reverse engineering time. Not only for researchers; it’s useful for any curious person who wants to know what lies beneath! If you are good enough, then you may think of contributing to this great project as well.

In near future, ReactOS may force Bill to open the Windows Gates…!

iDefense, which created waves in the security world by introducing its vulnerability research program, has started a new game for researchers: find a remotely exploitable flaw in critical internet applications. The game is open for the second & third quarters of this year, giving researchers ample time to find a vulnerability.

Following is the list of applications set for the challenge:

* Apache httpd
* Berkeley Internet Name Domain (BIND) daemon
* Sendmail SMTP daemon
* OpenSSH sshd
* Microsoft Internet Information (IIS) Server
* Microsoft Exchange Server

A vulnerability in any of the above applications will be rewarded with $16000, and there is an additional amount of $2000 to $8000 for POC exploit code submitted for the same, based on various factors such as reliability, quality etc.

With most of the buffer overflows, which were fairly easy to exploit compared to other methods, disappearing, it’s difficult to find a new vulnerability, and writing a successful exploit is an even bigger challenge. There is a need for inventing new exploitation techniques, and this challenge may give rise to one or more such methods.

Though one can earn more money by selling vulnerabilities on the black market, iDefense provides a much better platform for responsible disclosure. Moreover, it’s not just about the money but also the fame!

- Nagareshwar Talekar


NetShareMonitor is a security tool that watches your shared files for intruders and protects your shares from unauthorized access. As soon as a remote user connects to your machine, NetShareMonitor detects it and displays information about that session. The session information includes the remote host address, remote user name, list of accessed files and time of connection. The complete details of each session are logged to a file for future analysis.

Now you no longer have to worry about your shared files being accessed by unknown persons on the network. It is also very helpful when you are managing large networks in corporate or university environments.

For more details on NetShareMonitor visit the website here.

- Nagareshwar Talekar

About Nag

Nagareshwar is a security enthusiast involved in reverse engineering, vulnerability research, coding security tools etc. He spends most of his time uncovering the secrets of the computer world.

He holds a ‘Bachelor of Engineering’ degree from the National Institute of Technology Karnataka, India. He has 2.5 years of professional experience at Novell, where he worked on various security products including ‘Novell Secure Login’ and CASA.

For more information on his work, visit his website at http://securityxploded.com


First bytes

Welcome to my security blog…!

This is the rejuvenation of my old blog here. Here you will find all sorts of information pertaining to computer security, from beginner to advanced level.

For more information, visit my security website at http://securityxploded.com

- Nagareshwar Talekar