Created: Monday, May 4 2009 20:32.00 CDT Modified: Monday, May 4 2009 21:13.35 CDT
Thanks Fravia! Rest In Peace
Author: ero # Views: 4759

Yesterday, May 3rd, the great Fravia passed away.
He ran his legendary fravia pages and searchlores. A lot of people in the reverse engineering world are (and will be) definitely indebted to him for his teachings. He will definitely be missed.

Some friends' notes on the sad news: here, here and here.

Created: Friday, January 23 2009 18:44.00 CST Modified: Friday, January 23 2009 18:50.52 CST
More syscall ordinals
Author: ero # Views: 5198

Daniel Reynaud has improved on the script I described a while ago and has posted on his blog the system call ordinals for Windows XP SP2 x64.

Created: Friday, January 23 2009 01:58.00 CST Modified: Friday, January 23 2009 02:06.37 CST
pefile and LOAD_CONFIG
Author: ero # Views: 4960

Following a conversation on Twitter I've noticed that pefile was lacking support for parsing one rather interesting data directory of the PE format, the IMAGE_LOAD_CONFIG_DIRECTORY.

I've added support for it, fixed a few small bugs and released the result as pefile-1.2.10-60.

Now one can access this structure's fields, for instance pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SecurityCookie or pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SEHandlerTable, modify their values and write the result to a new PE file: all the usual handling and mangling that pefile allows.
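As an added illustration of what the two fields named above tell a defender, here is a small stand-alone parser for the 32-bit IMAGE_LOAD_CONFIG_DIRECTORY layout (written for this page, not pefile's own code) that also handles the legacy 0x40-byte form which predates the SEHandler* fields. The sample directory bytes are constructed, not taken from a real binary.

```python
import struct
from collections import namedtuple

# Fixed prefix of IMAGE_LOAD_CONFIG_DIRECTORY32 as far as SEHandlerCount (0x48 bytes).
# Newer Windows versions append more fields; the Size field says how much the image declares.
LC32_FMT = "<IIHHIIIIIIIIIIHHIIII"
LC32_FIELDS = (
    "Size TimeDateStamp MajorVersion MinorVersion GlobalFlagsClear GlobalFlagsSet "
    "CriticalSectionDefaultTimeout DeCommitFreeBlockThreshold DeCommitTotalFreeThreshold "
    "LockPrefixTable MaximumAllocationSize VirtualMemoryThreshold ProcessHeapFlags "
    "ProcessAffinityMask CSDVersion Reserved1 EditList SecurityCookie SEHandlerTable SEHandlerCount"
).split()
LoadConfig32 = namedtuple("LoadConfig32", LC32_FIELDS)
LC32_LEN = struct.calcsize(LC32_FMT)  # 0x48

# End offset of every field, so fields lying past the declared Size can be masked out.
_FIELD_ENDS, _off = [], 0
for _ch in LC32_FMT[1:]:
    _off += struct.calcsize("<" + _ch)
    _FIELD_ENDS.append(_off)

def parse_load_config32(raw):
    """Parse the directory; fields not covered by the image's Size come back as None
    (linkers from before SafeSEH emitted a 0x40-byte structure without SEHandler*)."""
    if len(raw) < 4:
        raise ValueError("too short for a Size field")
    declared = struct.unpack_from("<I", raw)[0]
    avail = min(declared, len(raw), LC32_LEN)
    padded = raw[:avail] + b"\x00" * (LC32_LEN - avail)  # pad so the full format unpacks
    values = struct.unpack(LC32_FMT, padded)
    return LoadConfig32(*(v if end <= avail else None for v, end in zip(values, _FIELD_ENDS)))

def mitigation_summary(cfg):
    """A non-zero SecurityCookie means the image was linked with /GS; a populated
    SEHandlerTable/SEHandlerCount means a SafeSEH handler list is present."""
    return {
        "gs_cookie": bool(cfg.SecurityCookie),
        "safeseh": bool(cfg.SEHandlerTable) and bool(cfg.SEHandlerCount),
    }

def _build(size, cookie, table, count):
    """Constructed sample directory bytes (hypothetical values, not from a real binary)."""
    vals = [size, 0, 0, 0] + [0] * 10 + [0, 0, 0, cookie, table, count]
    return struct.pack(LC32_FMT, *vals)[:size]

SAMPLE_MODERN = _build(0x48, 0x00419004, 0x00412000, 3)
SAMPLE_LEGACY = _build(0x40, 0x00419004, 0x00412000, 3)  # SEHandler* fields absent
```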

Created: Thursday, January 8 2009 17:39.00 CST Modified: Thursday, January 8 2009 18:02.34 CST
Tips and tricks
Author: ero # Views: 4440

A couple of interesting things I've found out lately:

When packaging the latest pefile I noticed the dot-underscore files in the tar.gz. If one extracts the contents there are no such files to be found (if you're working on OS X), while they do show up on other operating systems. Those dot-underscore files are OS X's way of storing the resource fork (meta-information). While it might be handy to keep it around when moving files between Macs, it's not nice to have such dot-underscore files show up on other systems. How to get rid of them is not too well documented.

There are two oddly named environment variables (they changed between OS X versions) that control the creation of such files. Setting the following environment variables to true will make tar not create those dot-underscore files when archiving a file with a resource fork.

COPYFILE_DISABLE
COPY_EXTENDED_ATTRIBUTES_DISABLE


One can just set them in the Python setup.py script, so that when the source distribution is created no resource forks are dumped into those files.

import os
# Both names are set because the variable changed between OS X versions
os.environ["COPY_EXTENDED_ATTRIBUTES_DISABLE"] = "true"
os.environ["COPYFILE_DISABLE"] = "true"


In my case it was TextMate that was using a resource fork to store some metainformation about the Python files I was working with.


Now a useful tip for Subversion. I always knew CVS and Subversion had to have such a feature but was never able to find out how to use it; I finally tracked it down.

This might not be new to anyone who has spent some time with svn... but it was to me. The thing is, I was sure there had to be a comfortable way of having SVN automatically add the revision number to the source code. That would allow version numbers to have a revision appended to them automatically, which would make lots of things much nicer, like tracking errors to specific versions.

To achieve that one can use Subversion keywords. SVN will replace those keywords with the appropriate information. In this case the useful one is "$LastChangedRevision$": wherever we write it, it will get replaced by "$LastChangedRevision: XXX $" where XXX is the revision number.

You need to tell Subversion you want it to replace that keyword in a given file (or files). To do that just issue: svn propset svn:keywords "Rev" path/to/the/file to set the property on that file.

A practical example for Python code would be:

__revision__ = "$LastChangedRevision$"
# After expansion the string reads "$LastChangedRevision: XXX $"; [21:-2] keeps " XXX"
__version__ = "%d" % int(__revision__[21:-2])


The keyword is replaced as described above, and we can then fetch the revision number and add it to the version number transparently. Subversion handles it cleanly.

Created: Tuesday, October 21 2008 15:29.00 CDT Modified: Tuesday, October 21 2008 15:31.19 CDT
Thoughts on "Using dual-mappings to evade automated unpackers"
Author: ero # Views: 5514

Uninformed 10 was released recently. In it Skape presents a simple yet beautiful and powerful idea. The paper itself is short and concise, but a quick summary would be along the lines of: some generic unpackers use, either as their main technique or as a heuristic, the tracking of memory writes, and whenever the execution flow hits those written areas the assumption is made that unpacked (or self-modifying) code has been reached. This is an over-simplification because of multi-staged unpackers and other details, but it will suffice for the sake of the discussion. Skape basically introduces a technique by which he is able to write into one range of virtual addresses and execute from another range, both pointing to the same underlying data.

This is a well-supported mechanism and nothing strange in itself. It is its use that is creative and rather amusing, as it breaks the assumption mentioned earlier: no writes are ever seen in the area of memory that will be executed. The technique relies on the possibility of having several virtual addresses refer to the same physical memory. The Memory Management Unit (MMU) allows pages of virtual memory to map to common physical locations in order to avoid, for instance, the need for multiple copies of components shared between different processes.

Some of the tools having trouble with this trick can't really do much about it, but other tools he mentions in the paper should have no issue handling it one way or another.

I've been working with Bochs for a few years. The technique should be (and is) easily defeatable by tools providing a bird's-eye perspective like Bochs or by tools running in kernel mode.

Analyzing the generally one-to-one mapping of virtual to physical memory to find a one-to-many relationship is not all that difficult, and the case where one set of virtually mapped pages receives writes and not much more while another set pointing to the same physical ranges is only (or mostly just) executed should be easy to determine. That'd be a simple heuristic, and attempting to defeat it by writing to the execute-only mapping would break down the whole idea...

It's definitely a beautiful idea, but it's easy to detect if you're looking from the right spot.

One can take a quick look at it with WinDbg. Just connect to your test machine running a test process that implements the code Skape outlines.

Do a quick process listing to find it by issuing:

!process 0 0

Then, take a look at the Cid of the process of interest and get its details with:

!process <Cid>

In that listing the page directory base (DirBase) is given. With that we can tell WinDbg to translate a virtual address using that process's virtual-to-physical mapping by passing the directory base to the !vtop command. In my case the DirBase of my process was f5a, and I'll instruct WinDbg to give me the physical address to which the virtual addresses 0x419000 and 0x519000 are mapped (those addresses are specific to the example code I wrote implementing Skape's idea):


lkd> !vtop f5a 0x419000
Pdi 1 Pti 19
00419000 14a79000 pfn(14a79)
lkd> !vtop f5a 0x519000
Pdi 1 Pti 119
00519000 14a79000 pfn(14a79)


As you can see both lead to the same physical location, 14a79000. So it's easy to see this from kernel mode by walking the page directory of a process under surveillance.

If you want to see all physical-to-virtual mappings, the following command provides that:
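The detection heuristic sketched above, as an added example (not the author's Bochs scripts): the classic written-then-executed check keyed on virtual pages misses the trick, while the same check keyed on the physical frame from the !vtop-style mapping catches it. The mapping and event trace are constructed to reproduce the two addresses from the listing.

```python
from collections import defaultdict

PAGE_SHIFT = 12

def page(addr):
    """Virtual page number of an address (4 KiB pages)."""
    return addr >> PAGE_SHIFT

def naive_written_then_executed(events):
    """Classic unpacker heuristic: flag execution of a virtual page written earlier."""
    written, hits = set(), []
    for kind, va in events:
        if kind == "w":
            written.add(page(va))
        elif kind == "x" and page(va) in written:
            hits.append(page(va))
    return hits

def aliased_written_then_executed(events, vtop):
    """Same heuristic keyed on the physical frame; vtop maps virtual page -> pfn,
    the information a kernel-mode or emulator-level tool gets by walking the page directory."""
    written, hits = set(), []
    for kind, va in events:
        pfn = vtop[page(va)]
        if kind == "w":
            written.add(pfn)
        elif kind == "x" and pfn in written:
            hits.append((page(va), pfn))
    return hits

def find_aliases(vtop):
    """Invert the mapping: pfns reachable through more than one virtual page."""
    by_pfn = defaultdict(list)
    for vp, pfn in vtop.items():
        by_pfn[pfn].append(vp)
    return {pfn: sorted(vps) for pfn, vps in by_pfn.items() if len(vps) > 1}

# Constructed sample: 0x419000 and 0x519000 alias pfn 0x14a79 as in the !vtop output;
# the code writes through the first mapping and executes through the second.
VTOP = {page(0x419000): 0x14a79, page(0x519000): 0x14a79, page(0x401000): 0x14a10}
EVENTS = [("w", 0x419010), ("w", 0x419020), ("x", 0x519010), ("x", 0x401000)]
```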

!ptov f5a

I've also implemented detection of this trick in some Python scripts I've developed for my Python-weaponized Bochs environment. On that front, I have an up-to-date patch for Bochs (improved from what I introduced at HitB in Dubai). While I hope to eventually work with the Bochs developers to merge it, anyone who wants to give it a shot is welcome to shoot me an email...

I'll be talking on packers and their techniques at the forthcoming Hack in the Box in Kuala Lumpur. I'll be there next week, and later in November at Power Of Community in Korea.

