Friday, June 15, 2012

PE Skeleton Spread Sheet

PE structure quick reference Sheet for virus analysts.
-f00l!sh

Wednesday, August 10, 2011

Combating Packers and cryptors through Memory Scanning

These days almost all malware is protected by packers or cryptors to hide it from security scanners. Malware analysts waste a lot of time analyzing the same malware variants protected by different packers. Memory scanning can be employed to fight such samples: once the packer stub has run, the unpacked code sits in process memory, where a scanner can see it regardless of the packer used on disk.

Vejovis is a project that was started to develop a user-mode memory scanning tool, "MeMMoN - A Process Memory Scanning Tool". It scans the memory of all the processes on the system. It can be downloaded from the link below.

Download Link
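To make the point concrete, the following is an added example (not MeMMoN's code and not from the original post) of the scanning logic a memory scanner applies: signatures with one-byte wildcards are matched against every region a process maps. The "cryptor", the payload strings and the region list are constructed stand-ins; on a real system the regions would come from VirtualQueryEx/ReadProcessMemory.

```python
"""Signature scanning over (simulated) process memory regions. Added example to
illustrate why a memory scanner defeats packers and cryptors: the on-disk image
is encoded, the decoded payload only exists in memory. The XOR 'cryptor', the
signatures and the region layout are constructed for this demo."""
import re

# Constructed detection signatures: hex bytes, '??' is a one-byte wildcard.
SIGNATURES = {
    "Fake-IRCBot.Gen": "4E 49 43 4B 20 62 6F 74 ?? ?? ?? ?? 0D 0A",  # "NICK bot????\r\n"
    "Fake-SMSSender.Gen": "73 6D 73 3A 2F 2F",                         # "sms://"
}


def compile_signature(hexsig):
    """Turn 'DE AD ?? EF' into a compiled regex over bytes."""
    pattern = b"".join(
        b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
        for tok in hexsig.split()
    )
    return re.compile(pattern, re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def xor_pack(payload, key):
    """Toy 'cryptor': constructed 11-byte stub followed by the XOR-encoded payload."""
    stub = b"\x60\xBE\x00\x00\x00\x00\xB9" + len(payload).to_bytes(4, "little")
    return stub + bytes(b ^ key for b in payload)


def xor_unpack(packed, key, stub_len=11):
    """What the stub does at run time: decode the payload into fresh memory."""
    return bytes(b ^ key for b in packed[stub_len:])


def scan_buffer(data, base=0):
    """Match every signature against one buffer; return (name, address) hits."""
    return [(name, base + m.start())
            for name, rx in COMPILED.items() for m in rx.finditer(data)]


def scan_process(regions):
    """Scan each committed region of a (simulated) process.

    Regions are (base, protection, bytes), the shape VirtualQueryEx reports.
    Private memory that is both writable and executable is where unpacker
    output usually lands, so it is reported as a heuristic on its own."""
    findings = []
    for base, protect, data in regions:
        if protect == "RWX":
            findings.append(("heuristic: RWX region", base))
        findings.extend(scan_buffer(data, base))
    return findings


# Constructed sample: the file on disk is packed, so a file scanner sees nothing...
PAYLOAD = b"NICK bot1234\r\nUSER x 0 0 :x\r\nJOIN #cmd\r\n"
KEY = 0x5A
PACKED_ON_DISK = xor_pack(PAYLOAD, KEY)

# ...but once the stub has run, the decoded payload sits in a private RWX region.
RUNTIME_REGIONS = [
    (0x00400000, "RX", PACKED_ON_DISK),                     # mapped image, still encoded
    (0x00230000, "RWX", xor_unpack(PACKED_ON_DISK, KEY)),   # unpacker output
]

if __name__ == "__main__":
    print("disk scan   :", scan_buffer(PACKED_ON_DISK) or "no hits")
    for name, addr in scan_process(RUNTIME_REGIONS):
        print("memory scan : %-24s at 0x%08X" % (name, addr))
```

Scanning the packed bytes yields nothing, scanning the runtime regions yields the signature hit plus the RWX heuristic; that gap is exactly the analyst time the post is talking about.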


Friday, March 18, 2011

Reversing Android Applications

In recent weeks we have witnessed a massive increase in the amount of malware for Android mobiles. Most of this malware sends SMS messages to premium-rate numbers. Before getting into reversing Android applications, let us see how they are developed. Android OS is based on a modified version of the Linux kernel. Android uses the Dalvik Virtual Machine (DVM) to execute all Android applications.

Android applications can be developed in Java with the Android SDK. The dx tool included in the Android SDK transforms Java .class files into Android .dex (Dalvik Executable) files. The .dex files are then archived with zip to form .apk (Android application) files. To get the .dex file and the rest of the resource files of an Android application, unarchive the .apk file.

Unlike Windows PE files, in Android you can recover the source code of applications from the available .apk files. Here we are going to employ a trick through which we can get the source code of Android apps.
The first step is converting the .apk file to a .jar (Java Archive). Then a Java decompiler is used to get the source of the class files that were transformed to form the .dex file and later the .apk file.

To convert .apk to .jar we can use Dex2Jar (a Google Code project):

    > Dex2Jar <file name>

Finally we can use the Java Decompiler (JD) to get the Java source code.
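The first step above (unarchive the .apk, take out classes.dex) is worth checking before feeding anything to Dex2Jar, because a dex header that does not verify has been edited after dx wrote it. The following is an added example, not from the original post or from the Dex2Jar project: it pulls classes.dex out of an .apk with the standard library and validates the dex header (magic "dex\n035\0", Adler-32 checksum over the bytes after offset 12, SHA-1 signature over the bytes after offset 32, endian tag, file and header sizes). The .apk and the header-only .dex it tests against are constructed in memory.

```python
"""Extract classes.dex from an .apk and validate the dex header. Added example
for the steps in the post; the APK and the header-only dex (no classes) are
constructed in memory and are not a real application."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
DEX_HEADER_FMT = "<8sI20s20I"    # magic, adler32 checksum, sha1 signature, 20 u4 fields
ENDIAN_CONSTANT = 0x12345678
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
          "data_size", "data_off")


def extract_dex(apk_bytes):
    """Step 1 of the post: an .apk is a zip archive; Dalvik code lives in classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return apk.read("classes.dex")


def parse_dex_header(dex):
    """Decode the header and recompute its integrity fields."""
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a dex header")
    magic, checksum, signature, *rest = struct.unpack_from(DEX_HEADER_FMT, dex, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("bad dex magic %r" % magic)
    hdr = dict(zip(FIELDS, rest))
    hdr["version"] = magic[4:7].decode("ascii")
    hdr["checksum_ok"] = checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    hdr["signature_ok"] = signature == hashlib.sha1(dex[32:]).digest()
    hdr["size_ok"] = hdr["file_size"] == len(dex) and hdr["header_size"] == DEX_HEADER_SIZE
    hdr["endian_ok"] = hdr["endian_tag"] == ENDIAN_CONSTANT
    hdr["valid"] = all(hdr[k] for k in ("checksum_ok", "signature_ok", "size_ok", "endian_ok"))
    return hdr


def build_minimal_dex(version=b"035"):
    """Constructed header-only dex with consistent checksum and signature."""
    body = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT, *([0] * 17))
    signature = hashlib.sha1(body).digest()                  # covers bytes from offset 32
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF   # covers bytes from offset 12
    return struct.pack("<8sI20s", b"dex\n" + version + b"\0", checksum, signature) + body


def build_apk(dex):
    """Constructed .apk: a zip holding a placeholder manifest and classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<!-- constructed placeholder -->")
        apk.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    hdr = parse_dex_header(extract_dex(build_apk(build_minimal_dex())))
    print("dex %s, %d class_defs, valid=%s" % (hdr["version"], hdr["class_defs_size"], hdr["valid"]))
```

On a real .apk, replace build_apk(...) with the file's bytes; a header whose checksum_ok or signature_ok is False is a sign the sample was hand-edited, which is useful context when Dex2Jar or the decompiler later refuses it.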


References:
http://www.android.com/
http://developer.android.com/guide/basics/what-is-android.html
http://en.wikipedia.org/wiki/Android_%28operating_system%29
http://www.dalvikvm.com/
http://java.decompiler.free.fr/
http://code.google.com/p/dex2jar/

Wednesday, November 10, 2010

Windows "DbgHelp.dll" Export name stack overflow vulnerability

A vulnerability in Microsoft Windows XP's Dbghelp.dll (version 5.x) has been exploited by malware to thwart debugging by researchers. Dbghelp.dll is the Windows Image Helper dynamic link library and is used by almost all debuggers and disassemblers. The code that reads an export function name fails to check the name's length before copying the data onto the stack.

Malware authors have exploited this remote code execution vulnerability with a specially crafted executable file carrying a malicious export table. The exploit code exits OllyDbg while it is trying to load the executable. Certain IRC bots ship with this anti-debugging (anti-loading) protection. The latest version of OllyDbg still comes with this vulnerable DLL.

To trigger this vulnerability the export function name must be longer than 2104 bytes. The interesting thing is that malware is now appearing with export function names longer than this. The malware I examined also had a TLS callback function. The author tried to hide the exploitation trick by setting a TLS callback, so that we would think the anti-debugging trick lies in the TLS function. The IDA Pro debugger version 5.1.x itself uses Dbghelp.dll version 6.x. I don't know what version of this DLL other debuggers are using.

I kindly request malware reversers, particularly those who use OllyDbg to reverse malware, to use the new version of Dbghelp.dll (6.x and above).
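Besides updating Dbghelp.dll, the oversized export name is something a triage script can flag before a sample is ever loaded into a debugger. The following is an added example (not the post author's code): it walks the PE headers to the export directory, measures every exported name, and reports those longer than the 2104-byte figure from the post. build_minimal_dll() constructs a header-only PE32 DLL fixture so the check can be exercised offline; it contains no code and is not a real sample.

```python
"""Triage check for the DbgHelp weakness described above: enumerate the named
exports of a PE and flag any name longer than the 2104-byte limit from the post.
Added example; build_minimal_dll() constructs a header-only PE32 fixture so the
check can be exercised offline. It is not a real sample."""
import struct

MAX_SAFE_EXPORT_NAME = 2104   # figure given in the post
NAME_READ_CAP = 0x10000       # upper bound on one string read (malformed-file safety)


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def read_cstring(data, off, cap=NAME_READ_CAP):
    """NUL-terminated string, bounded by file end and `cap` (never over-reads)."""
    limit = min(len(data), off + cap)
    end = data.find(b"\0", off, limit)
    return data[off:limit if end == -1 else end]


def export_names(pe):
    """Return [(name, length, oversized)] for every named export in the image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = 96 if magic == 0x10B else 112          # data directories: PE32 vs PE32+
    export_rva = struct.unpack_from("<I", pe, opt + dd_off)[0]
    if export_rva == 0:
        return []                                   # image exports nothing
    sections = []
    for i in range(nsect):
        _, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII16x", pe, opt + opt_size + 40 * i)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    ed = rva_to_offset(export_rva, sections)
    n_names, _, npt_rva, _ = struct.unpack_from("<IIII", pe, ed + 24)  # NumberOfNames .. AddressOfNames
    if n_names > 0xFFFF:
        raise ValueError("implausible NumberOfNames %d" % n_names)
    npt = rva_to_offset(npt_rva, sections)
    result = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", pe, npt + 4 * i)[0]
        name = read_cstring(pe, rva_to_offset(name_rva, sections))
        result.append((name, len(name), len(name) > MAX_SAFE_EXPORT_NAME))
    return result


def oversized_exports(pe):
    """Only the names that would overrun the vulnerable DbgHelp stack buffer."""
    return [name for name, _, bad in export_names(pe) if bad]


def build_minimal_dll(names, dll_name=b"fixture.dll"):
    """Constructed PE32 DLL with a single .edata section (test fixture only)."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(names)
    eat_rva = sec_rva + 40                  # export address table follows the directory
    npt_rva = eat_rva + 4 * n               # name pointer table
    ot_rva = npt_rva + 4 * n                # ordinal table
    str_rva = ot_rva + 2 * n                # string area: DLL name, then export names
    strings, name_rvas = dll_name + b"\0", []
    for nm in names:
        name_rvas.append(str_rva + len(strings))
        strings += nm + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n, eat_rva, npt_rva, ot_rva)
    edata += struct.pack("<%dI" % n, *(0x2000 + 16 * i for i in range(n)))  # dummy code RVAs
    edata += struct.pack("<%dI" % n, *name_rvas)
    edata += struct.pack("<%dH" % n, *range(n))
    edata += strings
    raw_size = (len(edata) + 0x1FF) & ~0x1FF
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_rva, len(edata))         # export data directory
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    hdr += bytes(opt)
    hdr += struct.pack("<8sIIIIIIHHI", b".edata", len(edata), sec_rva, raw_size,
                       sec_raw, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(sec_raw, b"\0") + edata.ljust(raw_size, b"\0")


if __name__ == "__main__":
    for label, fixture in (("benign", [b"PluginInit", b"PluginExit"]),
                           ("suspicious", [b"Init", b"A" * 3000])):
        bad = oversized_exports(build_minimal_dll(fixture))
        print("%-10s %s" % (label, "oversized export name(s): %d" % len(bad) if bad else "ok"))
```

For a real file, pass open(path, "rb").read() to oversized_exports(); the reader caps each string and the name count so a deliberately malformed export table cannot make the checker itself misbehave.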

Friday, September 3, 2010

Applications vulnerable to Dll Hijacking

This is a list of applications (along with the DLL name) that are vulnerable to the DLL hijacking attack on Windows. For more information about DLL hijacking, take a look at my previous post on DLL preloading.

    * ArchiCad 13.00  (srcsrv.dll)
    * Nokia Suite contentcopier  (wintab32.dll)
    * Nokia Suite communicationcentre  (wintab32.dll)
    * Sony Sound Forge Pro 10.0 (MtxParhVegasPreview.dll)
    * Camtasia Studio 7  (mfc90enu.dll, mfc90loc.dll) 
    * Media Player Classic v1.3.2189.0  (ehtrace.dll)
    * Microsoft Help and Support Center  (wshfra.dll)
    * Microsoft Clip Book Viewer (mfaphook.dll)
    * Real Player 1.1.5 Build 12.0.0.879  (wnaspi32.dll)
    * SiSoftware Sandra  (dwmapi.dll)
    * SMPlayer v0.6.9 (wintab32.dll)
    * Winmerge v2.12.4 (MFC71ESN.DLL)
    * Steam Games (steamgamesupport.dll)
    * UltraISO Premium 9.36 .isz (daemon.dll)
    * wscript.exe (XP)  (wshfra.dll)
    * Autodesk AutoCAD 2007  (color.dll)
    * Daemon tools lite .mds (mfc80loc.dll)
    * Google Earth v5.1.3535.3218 .kmz  (quserex.dll)
    * Nullsoft Winamp 5.581 .cda  (wnaspi32.dll)
    * Media Player Classic 6.4.9.1  .mka (iacenc.dll)
    * Corel PHOTO-PAINT X3 v13.0.0.576 .cpt  (crlrib.dll)
    * CorelDRAW X3 v13.0.0.576 .cmx .csl  (crlrib.dll)
    * Adobe ExtendedScript Toolkit CS5 v3.5.0.52  (dwmapi.dll)
    * Adobe Extension Manager CS5 v5.0.298  (dwmapi.dll)
    * Mozilla Thunderbird  ( dwmapi.dll )
    * Microsoft Office PowerPoint 2007  (rpawinet.dll)
    * Roxio MyDVD 9  (HomeUtils9.dll)
    * Windows Internet Communication Settings  (schannel.dll)
    * Microsoft Windows Contacts  (wab32res.dll)
    * Adobe InDesign CS4  (ibfs32.dll)
    * Cisco Packet Tracer 5.2  (wintab32.dll)
    * Nvidia Driver  (nview.dll)
    * Adobe Illustrator CS4  (aires.dll)
    * Adobe On Location CS4  (ibfs32.dll)
    * Adobe Premier Pro CS4  (ibfs32.dll)
    * Roxio Creator DE  (HomeUtils9.dll)
    * Skype <= 4.2.0.169  (wab32.dll)
    * Mediaplayer Classic 1.3.2189.0  (iacenc.dll)
    * TechSmith Snagit 10 (Build 788)  (dwmapi.dll)
    * Ettercap NG-0.7.3  (wpcap.dll)
    * Microsoft Group Convertor .grp (imm.dll)
    * Safari v5.0.1  (dwmapi.dll)
    * Adobe Device Central CS5  (qtcf.dll)
    * Microsoft Internet Connection Signup Wizard  (smmscrpt.dll)
    * InterVideo WinDVD 5  (cpqdvd.dll)
    * Roxio Photosuite 9  (homeutils9.dll)
    * Microsoft Vista BitLocker Drive Encryption (fveapi.dll)
    * VLC Media Player  (wintab32.dll)
    * uTorrent DLL Hijacking Vulnerabilities
    * TeamMate Audit Management Software Suite  (mfc71enu.dll)
    * Microsoft Office Groove 2007  (mso.dll)
    * Microsoft Address Book 6.00.2900.5512  (wab32res.dll)
    * Microsoft Visio 2003  (mfc71enu.dll)
    * avast! <= 5.0.594 license files  (mfc90loc.dll)
    * Adobe Photoshop CS2  (Wintab32.dll)
    * Adobe Dreamweaver CS5 <= 11.0 build 4909  (mfc90loc.dll)
    * BS.Player <= 2.56 build 1043  (mfc71loc.dll)
    * Adobe Dreamweaver CS4  (ibfs32.dll)
    * TeamViewer <= 5.0.8703  (dwmapi.dll)
    * Microsoft Windows 7 wab.exe  (wab32res.dll)
    * Opera v10.61  (dwmapi.dll)
    * Microsoft Windows Movie Maker <= 2.6.4038.0  (hhctrl.ocx)
    * Firefox <= 3.6.8  (dwmapi.dll)
    * Windows Live Email  (dwmapi.dll)
    * Foxit Reader <= 4.0 pdf Jailbreak Exploit
    * uTorrent <= 2.0.3  (plugin_dll.dll)
    * Microsoft Power Point 2010  (pptimpconv.dll)
    * Wireshark <= 1.2.10  (airpcap.dll)
    * Notepad++ (SciLexer.dll)
    * Microsoft Power Point 2007 (pp4x322.dll)
    * Microsoft Visio 2010 v14.0.4514.1004 (dwmapi.dll)
    * Microsoft Word 2007 (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll)
    * Microsoft Powerpoint 2007 (pp7x32.dll, pp4x322.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll)
    * Tftpd32 version 3.35 (IPHLPAPI.DLL)
    * Microsoft ATL Trace Tool Build 10.0.30319.1 atltracetool8.exe .trc (dwmapi.dll)
    * Windows Live! Messenger (Build >= 14.0.8117.416) (msgsres.dll)
    * Active Perl v5.12.1 (wshenu.dll)
    * CATIA V5 R17 (hzs_lm.dll)
    * Cool Edit Pro 2.0 (coolburn.dll)
    * GOM Player 2.1.25.5015 (schannel.dll)
    * MAGIX Music Studio 12 deluxe (playripla6.dll)
    * Opera 10.61 (dwmapi.dll)
    * TeamViewer 5 (dwmapi.dll)
    * Windows Address Book (wab32res.dll)
    * Java Version 6 Update 21 (schannel.dll)
    * Windows Progman Group Converter (imm.dll)
    * NetStumbler 0.4.0 (mfc71enu.dll)
    * Windows Mail 6.0.6000.16386 (wab32res.dll)
    * TeamViewer (TV.dll)
    * Wireshark <= 1.2.10 (libintl-8.dll)
    * Microsoft Windows Media Encoder 9 .prx (msxml.dll)
    * Notepad++ V5.4.5 Dll Hijack (SpellChecker.dll)
    * Windows 7 and Vista Backup Utility .wbcat (fveapi.dll)
    * Virtual DJ 6.1.2 .mp3 (hdjapi.dll)
    * Atheros Client Utility dll Hijacking exploit (oemres.dll)
    * Internet download manager dll Hijacking exploit (idmmkb.dll)
    * Forensic Toolkit .ftk (MFC90DEU.DLL)
    * EnCase .endump (rsaenh.dll)
    * IBM Rational License Key Administrator .upd (IBFS32.DLL)
    * PGP Desktop 9.8 .pgp (credssp.dll)
    * Forensic CaseNotes .notes (credssp.dll)
    * Microsoft RDP .rdp (ieframe.dll)
    * pdf x viewer .pdf (wintab32.dll)
    * Ultr@ VNC Viewer .vnc (vnclang.dll)
    * Babylon v8.0.0.18 .txt (besextension.dll)
    * QtWeb v3.3 .htm, .xml (wintab32.dll)
    * IZArc 4.1.2.2012 .rar .zip .jar (ztv7z.dll)
    * Jetaudio v7.1.8.4006 plus VX .mp3 mogg .mov and others (wnaspi32.dll)
    * TechSmith Snagit v7.2.5 .snagprof (mfc71enu.dll)
    * QXDM v03.09.19 (Qualcomm eXtensible Diagnostic Monitor) .isf (mfc71enu.dll)

This listing was published to make security analysts aware of exploitable applications so that they can protect their resources from possible attacks.

Tuesday, August 31, 2010

Windows DLL load hijacking

This post demonstrates the DLL preloading/hijacking bug in Windows.
The basis of this exploit is the way Windows loads the DLL files used by many applications: if an application loads a DLL without specifying an absolute path, Windows searches a fixed list of locations for the DLL file, in a set order. Computer criminals are abusing this behaviour.

The Microsoft Security Response Center has written about the issue:

    "Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.

    Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately."
   
Microsoft has also published registry tweaks that change the default DLL search behaviour:
http://support.microsoft.com/kb/2264107

Testing the Exploit:

OK, let us try to employ this exploit on "Media Player Classic".
Write a DLL of your own. If you don't know how to write a DLL, you can get one from the link below.
MD5: 886173D0BB985E7E8DF51E4CBAE242B6

I assume that you have Media Player Classic installed on your machine.
Rename the DLL to "iacenc.dll" and place it in a directory together with any media file that Media Player Classic can play.
Now open the media file and see the magic.

This exploit can be used by malware writers to spread their malware, so security professionals are expected to keep their knowledge of these exploits up to date. To check in which order an application searches for a DLL you can use Sysinternals' FileMon tool.
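The FileMon trace shows the probe sequence after the fact; the same reasoning can be done up front from the documented search order. The following is an added example (not the post author's code) that models where the loader looks for a DLL given by bare name, including the SafeDllSearchMode placement of the current working directory and the CWDIllegalInDllSearch values from the KB article linked above (0xFFFFFFFF removes the CWD from the search, 1 blocks it only for WebDAV folders, 2 for any remote WebDAV or UNC folder). The file system, the application path and the D:\Downloads folder are constructed; KnownDLLs redirection and side-by-side manifests are deliberately not modelled.

```python
"""Model of the Windows DLL search order, added so an analyst can predict which
file a LoadLibrary("name.dll") call without an absolute path will pick up, and
list the names that would be satisfied from the current working directory.
Added example: the file system and paths are constructed; KnownDLLs and
manifests are not modelled; policy values follow KB2264107 (linked in the post)."""
import ntpath

# Constructed file system, compared case-insensitively like NTFS.
FILES = {
    r"C:\Program Files\MPC-HC\mpc-hc.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\dwmapi.dll",
    r"D:\Downloads\movie.avi",
    r"D:\Downloads\iacenc.dll",     # a DLL sitting next to the media file, as in the post's test
}
_FILES_LOWER = {p.lower() for p in FILES}
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def file_exists(path):
    return path.lower() in _FILES_LOWER


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True,
                 cwd_illegal_in_dll_search=0, cwd_kind="local"):
    """Directories the loader probes, in order, for a DLL given by bare name.

    SafeDllSearchMode (on by default since XP SP2) moves the CWD behind the
    system directories. CWDIllegalInDllSearch (KB2264107): 0xFFFFFFFF drops the
    CWD entirely, 1 drops it when it is a WebDAV share, 2 when it is any remote
    (WebDAV or UNC) location. cwd_kind is one of 'local', 'unc', 'webdav'."""
    skip_cwd = (cwd_illegal_in_dll_search == 0xFFFFFFFF
                or (cwd_illegal_in_dll_search == 1 and cwd_kind == "webdav")
                or (cwd_illegal_in_dll_search == 2 and cwd_kind in ("unc", "webdav")))
    cwd_part = [] if skip_cwd else [cwd]
    if safe_dll_search_mode:
        return [app_dir] + SYSTEM_DIRS + cwd_part + list(path_dirs)
    return [app_dir, *cwd_part] + SYSTEM_DIRS + list(path_dirs)


def resolve_dll(dll_name, app_dir, cwd, path_dirs, **policy):
    """Return (path, from_cwd); (None, False) when no directory holds the file."""
    for directory in search_order(app_dir, cwd, path_dirs, **policy):
        candidate = ntpath.join(directory, dll_name)
        if file_exists(candidate):
            return candidate, directory == cwd
    return None, False


def hijack_candidates(dll_names, app_dir, cwd, path_dirs, **policy):
    """Names that resolve from the CWD: the loads FileMon would show ending in
    the user's document folder instead of the application or system directory."""
    return [n for n in dll_names
            if resolve_dll(n, app_dir, cwd, path_dirs, **policy)[1]]


if __name__ == "__main__":
    ctx = dict(app_dir=r"C:\Program Files\MPC-HC", cwd=r"D:\Downloads",
               path_dirs=[r"C:\Windows\System32"])
    wanted = ["kernel32.dll", "dwmapi.dll", "iacenc.dll"]
    for name in wanted:
        print("%-13s -> %s" % (name, resolve_dll(name, **ctx)))
    print("default policy :", hijack_candidates(wanted, **ctx))
    print("CWD removed    :", hijack_candidates(wanted, cwd_illegal_in_dll_search=0xFFFFFFFF, **ctx))
```

Feed hijack_candidates() the DLL names an application is seen probing for (from a FileMon trace) and the directory the user opened the document from; anything it returns is a load the application satisfies from untrusted ground, and re-running it with cwd_illegal_in_dll_search=0xFFFFFFFF shows what the registry tweak from the KB article buys.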