Blog

Powered by Scanit Research and Development Labs.

Wednesday, September 3. 2008

Binary Patching...in Mac OS X

Time and time again, we came across binary-only executables doing things against our likings. Like asking for registration number to use it, or open it. With no viable replacement solution or no source code, it turns out that we are left with only one option and that to patch the binary to override some of it's functionality to make it work as per our likings.

In other words, most of the bad programs these days comes in binary-only version. With no source code available it gets very frustrating when we are forced to use programs, which are so obviously wrong, but which can not be fixed and rebuilt. But there is a very simple way available where you need to flip few bits of the program to solve the issue on hand.

Remember the last time you had to patch a binary program to make it work as per your liking? Don't worry, I'll show you how to patch a binary on Mac OS X.

Continue reading "Binary Patching...in Mac OS X" »

Posted by
Pallav Khandhar
at 16:07

Detect Hidden Processes (Part-2)

I will continue with couple of user-level (ring-3) process enumeration approaches.

As we discussed earlier, from handles' list we can derive running processes. There is another method based on handle enumeration.

Essentially, the method is to enumerate the list of processes by analyzing the handles open in another process related to itself. All processes running in the system have to be started by some means of parent process. Therefore, parent process will have handles of each process it has started, unless parent has closed such handles which is uncommon. Win32 subsystem known as, csrss.exe, will have handles of all available processes. While iterating handle list -

1. For each handle of a process, PID of the process can be found using ZwQueryInformationProcess API.

2. For each handle of a thread, PID of the process can be found using ZwQueryInformationThread API.

3. For each handle of a job, PID of the process can be found using ZwQueryInformationJobObject.

Continue reading "Detect Hidden Processes ... »

Posted by
Pallav Khandhar
at 09:57

Sunday, June 15. 2008

Detect Hidden Processes (Part-1)

Process hiding has a significant effect. Many of the trojan, virus, spyware writers use similar techniques to hide themselves and stay undetected as long as possible on target machines.

We should expect the number of trojans & viruses using this technique is going to grow.

It is necessary to have protection against the hidden processes, if you want to stay secured. Many of the antivirus and antispyware manufacturing companies falling back as they are not able to come up with any solutions for hidden processes. There are only few tools which can detect hidden processes, but are you willing to pay them considerable amount of money?

There are several different methodologies we can use to detect hidden processes. Essentially, we should implant all these different methods in one tool and come up with a robust solution.

Continue reading "Detect Hidden Processes ... »

Posted by
Pallav Khandhar
at 09:50 | Comments (0) | Trackbacks (0)

Sunday, June 8. 2008

Magical offsets: track and analyze in-memory kernel objects which represents process and threads

Microsoft Windows kernel maintains few lists which can help to track processes, threads and other objects.

Most of the current tools are built on the concept of enumerating lists maintained by the kernel to keep track of processes, threads, handles and other objects to analyze systems running Microsoft Windows.

Trace and analyze the in-memory structures which represents process and threads using following magic numbers:

Continue reading "Magical offsets: track and ... »
Posted by
Pallav Khandhar
at 09:38 | Comments (0) | Trackbacks (0)

Thursday, June 5. 2008

Introduction to Bro IDS's built-in data structures

Bro IDS has built-in network-centric data structures for scripting. For example, connection is a type of data structure. Question is, where are these structures defined? They are in the file $BROHOME/policy/bro.init! Here are some examples of pre-defined structures: 
type tcp_hdr: record {
    sport: port;        # source port
    dport: port;        # destination port
    seq: count;     # sequence number
    ack: count;     # acknowledgement number
    hl: count;      # header length (in bytes)
    dl: count;      # data length (xxx: not in original tcphdr!)
    flags: count;       # flags
    win: count;     # window
};
TCP Header 
type ip_hdr: record {
    hl: count;      # header length (in bytes)
    tos: count;     # type of service
    len: count;     # total length
    id: count;      # identification
    ttl: count;     # time to live
    p: count;       # protocol
    src: addr;      # source address
    dst: addr;      # dest address
};
IP Header 
type udp_hdr: record {
    sport: port;        # source port
    dport: port;        # destination port
    ulen: count;        # udp length
};
UDP Header 
type icmp_hdr: record {
    icmp_type: count;   # type of message
};

ICMP Header

You will notice that Bro have its own data type. In the snippets above, the data types are record, port, count and addr. This built-in data types, combined with the data types makes writing Bro scripts easier since you only have to focus on your scripting logic and flow without worrying too much about the data types and structures. In the next few posts, I will show you how you can write simple Bro IDS scripts.

Posted by
Mel Mudin
at 09:35 | Comments (0) | Trackbacks (0)
(Page 1 of 1, totaling 5 entries)

Calendar

Back November 2008
Su Mo Tu We Th Fr Sa
Fri November 21 2008
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30            

Quicksearch

Archives

November 2008
October 2008
September 2008
Recent...
Older...

Categories



    All categories

    News feed

    XML RSS 0.91 feed
    XML RSS 1.0 feed
    XML RSS 2.0 feed
    ATOM/XML ATOM 1.0 feed
    XML RSS 2.0 Comments