📚
OpenRCE
is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
randori82
's Blog
Created: Friday, April 14 2006 01:57.24 CDT
Modified: Friday, April 14 2006 01:58.41 CDT
Direct Link, View / Make / Edit Comments
New Shell Extension CLSID Black List
Author:
randori82
# Views:
3138
There's a new reg key to black list CLSIDs for Shell Extensions from the latest MS patch set(MS06-015).
Here's a bit of detail on the keys for Shell Extensions (
http://support.microsoft.com/kb/216384/EN-US/
):
HKLM:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved is the CLSID list of Shell Extensions that are approved to run.
This is compared against when 'EnforceShellExtensionSecurity' is set to 1 in HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Nothing new there, that's existing functionality.
However, with MS06-015, there's a new key: HKLM:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked that also gets referenced from ShouldLoadShellExt.
The *blocked list* is checked before the *allowed list*, so anything that is blocked will not run, whether or not it's in the *allowed list*.
So, following MS06-015, you can make sure hosts will not run Shell Extensions by adding their CLSID to the *blocked list*.
Obviously this couldn't be put in the workaround for this patch, but for future Shell Extension vulnerabilities, this is definatley a workaround.
This new key was found while reversing MS06-015 for XP.
~Andre Protas
Created: Monday, March 27 2006 02:45.53 CST
Direct Link, View / Make / Edit Comments
script contribution
Author:
randori82
# Views:
903
just a simple timesaver, but pysym.py will auto-load (once re-supported by idapython) symbols/debug from ms's symbol servers.
https://www.openrce.org/repositories/browse/randori82
Created: Wednesday, March 22 2006 17:40.17 CST
Modified: Thursday, March 23 2006 04:00.10 CST
Direct Link, View / Make / Edit Comments
blackhat europe slides
Author:
randori82
# Views:
1223
Thanks for coming (those of you that did) to the presentation. The little feedback that we have heard was quite positive.
For those of you interested, here are the slides:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf
The free diffing tool should be available soon, as it's undergoing some batch mode analysis for qa testing.
Archived Entries for randori82
Subject
# Views
Created On
No archived blog entries found.
There are
31,328
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}