•March 16, 2007 •
Leave a Comment
A few days back, guys from MSRC (Microsoft Security Response Center) wrote a post on sla.ckers.org asking security researchers to report any vulnerabilities found on the domains *.microsoft.com, *.live.com etc. directly to them.
The M$ guys have found a clever way to pass their job on to security researchers, and guess what the researchers are going to gain… nothing more than SHIT…! How can the M$ guys expect to get the vulnerabilities for FREE when a lot of vendors are queued up for them, not to mention the hot black market?
Anybody wanna donate the GOLD that he has found digging all night…??
Read the post below and also have a look at the hot replies from security guys…
http://sla.ckers.org/forum/read.php?3,7458,7486
What do you say guys?
Posted in computer security, vulnerability research
•March 15, 2007 •
2 Comments
IceSword is a great rootkit detection tool that not many people know about. It was coded by a Chinese programmer with the nickname “pjf”. Though it is more powerful than any other rootkit detection tool, it hasn’t got the attention that other tools have received.
IceSword can find rootkits which even the top anti-rootkits (such as RootkitRevealer, BlackLight, Rootkit Detective etc.) fail to detect. However, IceSword does not have the automatic file scanning and registry scanning features that other anti-rootkits offer.
But when it comes to detecting a variety of hidden stuff, none of the anti-rootkits come anywhere near IceSword. Here are some of the things that IceSword can show you:
* Running Process list
* Open Port list along with process owning it
* Loaded Kernel modules
* System startup programs
* Windows services
* Layered Service Provider chain list
* Browser Helper objects
* System service descriptor table entries (SSDT)
* Message Hooks
If it detects a HIDDEN entry (one that the normal Windows APIs do not report), it is shown in RED. This makes it easy to differentiate between normal and hidden entries.
Other important features of IceSword are its registry editor and file browser. The registry editor is similar to the Windows registry editor, but it also shows the hidden keys and the system keys which the Windows registry editor does not display. The file browser is another integrated tool which lets you look for hidden files. In addition, you can use it to copy locked and system files which cannot be accessed or copied while Windows is running. For example, you can copy the SAM file and the registry hive files for password cracking while still on Windows (take the SYSTEM hive too: the hashes in the SAM are encrypted with the boot key stored there).
These powerful features make IceSword an all-in-one tool and set it apart from the other rootkit detection tools. But for the author it’s just the beginning.
Well, try it out today and do post your comments..!
Signing out
- Nagareshwar
Posted in computer security, hidden myths, security tools
•March 15, 2007 •
2 Comments
When you start your PC, a lot of processes are running on your computer. Some run by default and some are started by you. As you keep installing more and more software, the task list grows bigger and bigger. One day it reaches the stage where it gets difficult to manage those processes, and if some spyware comes and sits on your machine in between, you can’t easily make it out until something really bad happens.
I have put a complete tutorial on my website which explains the various techniques to find hidden stuff on your system and kick it out. The tutorial starts with basic tools such as msconfig and then moves towards advanced rootkit detection tools. You can read the entire article here.
Do write back with your experience. And I’m off to find some fresh fish now…
- Nagareshwar Talekar
Posted in computer security, hidden myths
•March 15, 2007 •
Leave a Comment
ImpREC is a very good import table fixing tool for packed PE files. It has been around for a very long time and it is one of the main tools in the reversing toolkit.
Unpacking a PE file involves 2 main steps:
- Finding the OEP (original entry point) of the program and dumping the process memory once execution reaches it
- Fixing the import table, so that the dump’s IAT again points at real API addresses which the loader can resolve by name
These days, PE protectors use a variety of techniques such as import redirection and code emulation to defeat the unpacking process. With import redirection the IAT slots no longer hold the addresses of the APIs but of small stubs inside the packer’s own code, so a plain address-to-name lookup fails. While unpacking such binaries, it gets really difficult to fix the import table using just the built-in functionality of ImpREC. However, ImpREC’s functionality can be extended and customized for a particular packer by writing a simple plugin.
Once you know how the import functions are handled by a given packer, you can write your own plugin for ImpREC, which makes your and others’ job easier.
I have written one such ImpREC plugin for the PESpin protector. Though it is meant for the PESpin packer, the same approach can be used to write plugins for other protectors.
http://nagmatrix.50webs.com/article_pespinplugin.html
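The following is an added example, not the author’s PESpin plugin and not ImpREC code. It shows the job such a plugin does: given a dumped IAT whose slots point at redirection stubs rather than at the APIs, follow each stub (a few common x86 shapes: `jmp [ptr]`, `jmp rel32`, `mov eax,imm / jmp eax`, `push imm / ret`) until a known export address is reached, then group the resolved slots by DLL the way ImpREC’s import tree does. All addresses, the export map and the stub layouts are constructed for the demo (on a live target the plugin would read through the process handle instead of the in-memory chunks used here).

```python
import struct


class Memory:
    """Constructed flat 32-bit address space: a list of (base, bytes) chunks.
    An ImpREC plugin reads the target through ReadProcessMemory instead."""

    def __init__(self, chunks):
        self.chunks = chunks

    def read(self, addr, size):
        for base, data in self.chunks:
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError("unmapped read at 0x%08X" % addr)

    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def resolve_redirect(mem, addr, exports, max_hops=8):
    """Follow x86 redirection stubs from addr until a known export is reached.
    Returns (dll, function, hops) or None when the chain cannot be decoded."""
    seen = set()
    for hops in range(max_hops + 1):
        if addr in exports:
            return exports[addr] + (hops,)
        if addr in seen:                      # stub that loops back on itself
            return None
        seen.add(addr)
        try:
            code = mem.read(addr, 7)          # longest shape decoded below is 7 bytes
            if code[:2] == b"\xFF\x25":                        # jmp dword ptr [disp32]
                addr = mem.u32(struct.unpack_from("<I", code, 2)[0])
            elif code[0] == 0xE9:                              # jmp rel32
                addr = (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
            elif code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax, imm32 / jmp eax
                addr = struct.unpack_from("<I", code, 1)[0]
            elif code[0] == 0x68 and code[5] == 0xC3:          # push imm32 / ret
                addr = struct.unpack_from("<I", code, 1)[0]
            else:                                              # unknown stub shape: needs a new decoder
                return None
        except ValueError:                                     # slot or pointer cell is unmapped
            return None
    return None                                                # too many hops: give up


def rebuild_imports(mem, iat_base, count, exports):
    """Walk count IAT slots and map each back to dll!function; returns
    ({dll: [(slot_address, name), ...]}, [(slot_address, raw_value), ...])."""
    imports, unresolved = {}, []
    for i in range(count):
        slot = iat_base + 4 * i
        value = mem.u32(slot)
        hit = resolve_redirect(mem, value, exports)
        if hit is None:
            unresolved.append((slot, value))
        else:
            dll, name, _hops = hit
            imports.setdefault(dll, []).append((slot, name))
    return imports, unresolved


def build_sample():
    """Constructed image of a PESpin-style redirected import setup (made-up
    addresses): four stubs, one pointer cell, one direct entry, one junk entry."""
    exports = {
        0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
        0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
        0x7C81CAA2: ("kernel32.dll", "ExitProcess"),
        0x77D507EA: ("user32.dll", "MessageBoxA"),
    }
    stubs = bytearray(0x200)                                   # packer stub area at 0x00410000
    stubs[0x000:0x006] = b"\xFF\x25" + struct.pack("<I", 0x00410100)                  # jmp [0x410100]
    stubs[0x010:0x015] = b"\xE9" + struct.pack("<i", 0x00410020 - (0x00410010 + 5))   # jmp 0x410020
    stubs[0x020:0x027] = b"\xB8" + struct.pack("<I", 0x7C80AE40) + b"\xFF\xE0"        # mov eax,imm / jmp eax
    stubs[0x030:0x036] = b"\x68" + struct.pack("<I", 0x7C81CAA2) + b"\xC3"            # push imm / ret
    stubs[0x040:0x042] = b"\x0F\x0B"                           # ud2: a shape the resolver does not know
    stubs[0x100:0x104] = struct.pack("<I", 0x7C801D7B)         # pointer cell used by the first stub
    iat_values = [0x00410000, 0x00410010, 0x00410030, 0x77D507EA, 0x00410040]
    iat = b"".join(struct.pack("<I", v) for v in iat_values)
    mem = Memory([(0x00410000, bytes(stubs)), (0x00402000, iat)])
    return mem, exports, 0x00402000, len(iat_values)


if __name__ == "__main__":
    mem, exports, iat_base, count = build_sample()
    imports, unresolved = rebuild_imports(mem, iat_base, count, exports)
    for dll, funcs in imports.items():
        print(dll)
        for slot, name in funcs:
            print("  IAT 0x%08X -> %s" % (slot, name))
    for slot, value in unresolved:
        print("unresolved: IAT 0x%08X = 0x%08X" % (slot, value))
```

The unresolved list is the part you actually spend time on when writing a real plugin: each entry there is a stub shape the decoder does not understand yet, and the plugin grows one `elif` per shape the packer emits. The hop limit and the `seen` set matter too, because protectors deliberately build stubs that bounce around or jump to themselves to stall a naive tracer.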
Do write back your experience with it. Njoy reversing…!
Posted in computer security, reverse engineering
•March 7, 2007 •
1 Comment
In today’s reverse engineering world, most applications are packed with one packer or another. Packers compress the application, and protectors (which are usually built on top of a packer) go further and, more importantly, make it difficult to reverse engineer the application; in both cases the original code only appears in memory at run time, not in the file on disk.
Before you proceed with unpacking the application, the first task is to determine the name and version of the PE packer. There are two popular PE packer detectors:
1. PEiD: This is one of the first such tools; it detects the most common packers and cryptors for PE files, and currently it can detect more than 400 different signatures. It has a simple GUI and is rich with plugins.
2. RDG Packer Detector: A handy alternative to PEiD. It detects packers more precisely and its signatures are more up to date, so it can detect more recent packers than PEiD.
Both tools support drag and drop, so you can just drop your PE file onto them and quickly find out its packer along with the version. Keep in mind that both are signature based: they compare the bytes at the entry point (and, for some signatures, elsewhere in the file) against a database, so a modified or deliberately faked entry stub gives a wrong or missing match. Treat the result as a hint and confirm it with the section names, the entropy of the packed sections and the import table, which after packing typically shrinks to a handful of functions such as LoadLibraryA and GetProcAddress.
Once you have identified the packer, you can use an automatic unpacker (if one is available) or start unpacking it manually.
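An added example of what PEiD and RDG do under the hood, written for this page rather than taken from either tool: parse the PE headers to find the entry point, map its RVA to a file offset through the section table, and compare the bytes there against signatures in the userdb.txt style PEiD uses (`[name]`, `signature = ...` with `??` wildcards, `ep_only = true`). The UPX signature is the well-known prologue of the UPX x86 stub; the “Demo.Cryptor” entry and the minimal two-section PE that the code builds for itself are constructed for the demo. The result also reports which section the entry point lies in, since an entry point outside the first code section is a useful second hint when the signature match is inconclusive.

```python
import struct

# Constructed signature database in PEiD userdb.txt format. The UPX entry is
# the well-known stub prologue (pushad / mov esi,src / lea edi,[esi+off] /
# push edi / or ebp,-1); the second entry is made up for the demo.
USERDB = """
[UPX 1.x (stub prologue)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Demo.Cryptor 0.1 (constructed)]
signature = E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 60
ep_only = true
"""


def parse_userdb(text):
    """Parse userdb entries into (name, pattern, ep_only); pattern is a list of
    byte values with None standing for a '??' wildcard."""
    sigs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if cur:
                sigs.append(tuple(cur))
            cur = [line[1:-1], [], True]
        elif cur and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.lower() == "signature":
                cur[1] = [None if t == "??" else int(t, 16) for t in val.split()]
            elif key.lower() == "ep_only":
                cur[2] = val.lower() == "true"
    if cur:
        sigs.append(tuple(cur))
    return sigs


def pe_entry_point(data):
    """Return (ep_rva, ep_file_offset, section_name) for a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]             # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]         # COFF SizeOfOptionalHeader
    ep_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]      # OptionalHeader.AddressOfEntryPoint
    sect = pe + 24 + opt_size                                     # first IMAGE_SECTION_HEADER
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sect + 40 * i)
        if va <= ep_rva < va + max(vsize, rawsize):
            return ep_rva, rawptr + (ep_rva - va), name.rstrip(b"\0").decode("ascii", "replace")
    raise ValueError("entry point 0x%X lies outside every section" % ep_rva)


def sig_matches(pattern, data, off):
    if off + len(pattern) > len(data):
        return False
    return all(p is None or p == data[off + i] for i, p in enumerate(pattern))


def detect_packer(data, sigs):
    """Match ep_only signatures at the entry point and the rest anywhere in the file."""
    ep_rva, ep_off, ep_section = pe_entry_point(data)
    hits = []
    for name, pattern, ep_only in sigs:
        offsets = [ep_off] if ep_only else range(len(data) - len(pattern) + 1)
        if any(sig_matches(pattern, data, o) for o in offsets):
            hits.append(name)
    return {"ep_rva": ep_rva, "ep_section": ep_section, "matches": hits}


def build_sample_pe(ep_code, names=(b"UPX0", b"UPX1")):
    """Constructed minimal two-section PE32 file (0x600 bytes) with ep_code at
    the entry point, which is placed inside the second section."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF header, i386
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2010)                            # AddressOfEntryPoint
    sect = opt + 0xE0
    struct.pack_into("<8sIIII", img, sect, names[0], 0x1000, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", img, sect + 40, names[1], 0x1000, 0x2000, 0x200, 0x400)
    img[0x410:0x410 + len(ep_code)] = ep_code                                # RVA 0x2010 -> file 0x410
    return bytes(img)


UPX_STUB = bytes.fromhex("60BE00904000" "8DBE0080FFFF" "5783CDFF" "EB10")

if __name__ == "__main__":
    print(detect_packer(build_sample_pe(UPX_STUB), parse_userdb(USERDB)))
```

A real userdb has hundreds of entries and many are not `ep_only`, which is why scanning a large file with every signature is slow; PEiD’s “hardcore scan” is exactly that whole-file pass.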
In the next post, I will throw some light on unpacking simple packers/protectors.
Till then, goodbye…!
Posted in computer security, reverse engineering
•March 6, 2007 •
Leave a Comment
Many of us are under the impression that the IP address of a machine can be changed but the MAC address cannot. But when it comes to the hacking world, anything can be tweaked and anything can be made possible. The address burned into the card’s ROM does not change, but the address the driver actually puts on the wire is a software setting the OS reads at start-up, and that is what gets overridden.
Read the complete article on changing the MAC address on different operating systems. The article explains in detail how one can tweak the MAC address to your needs.
Watch this space for more stuff…!
- Nagareshwar Talekar
Posted in computer security, general, hidden myths
•February 28, 2007 •
1 Comment
I have written a tool named RemoteDLL which can inject a DLL into a process or free a DLL from any other process. It is based on the popular DLL injection technique which has already been used in many top programs such as pwdump.
This is a very powerful tool when you are dealing with spyware or viruses on your machine, especially when you are cleaning it yourself or if the spyware is not being detected by your antivirus/anti-spyware software.
Most of today’s spyware does not come alone; it comes with family, one member protecting another. Usually there will be one or two main programs (exe files) which do the important tasks, and there will be DLLs which are injected into legitimate Windows processes such as explorer.exe, winlogon.exe etc. The main job of these DLLs is to make sure that the user can’t terminate the main spyware programs. Even if you terminate them, these DLLs will restart those programs, and you can’t kill or stop the DLLs themselves with the normal tools. This way the spyware keeps running on your machine as long as the machine is on. Even if you know that it is dangerous spyware, you are very much helpless.
RemoteDLL allows you to kick these DLLs out of the Windows processes in just one click. Once you identify the Windows process and the culprit DLL, use RemoteDLL’s “Free DLL” feature to remove that DLL from the process. Then you can terminate the main spyware programs and finally delete all these files from your system. Be careful which process you do this in: unloading a DLL while one of its threads is still running, or while its hooks are still installed, can crash the host process, and a crash of winlogon.exe takes the whole machine down with it.
For a detailed description of the usage of RemoteDLL, read the complete article here.
Happy spyware hunting….!
Posted in computer security, hidden myths, security tools, spyware
•February 28, 2007 •
Leave a Comment
No matter where you are, inside or outside the computer world, you can’t escape from viruses. However, it is interesting to know who is being attacked, which company is most affected, and what part of the world is most abused by viruses…
To answer these questions, F-Secure came up with a unique idea: projecting the virus activity in various parts of the world onto a map. This map is called the world map of virus attacks. It works as follows…
F-Secure has its own antivirus products running on machines across the world. When their product detects a virus, it reports back to a central server with data that includes an IP address. The IP address is converted to a physical location and that is then displayed on the WorldMap, so a dot is only as accurate as the IP geolocation lookup behind it. The WorldMap software runs in real time as well as in 1 hour and 24 hour playback modes.
Here is a sample map showing the virus attack distribution across the world

You can access F-Secure’s world map at this location: http://worldmap.f-secure.com/
Here is an awesome video of F-Secure’s “worldmap live” showing the outbreak of the malware named Small.DAM.
For virus writers it will be very interesting to watch their virus performing in the field. Needless to say, this will add more fuel to the ongoing fire between them, and we will witness more and more viruses trying to fill up the entire map.
As long as there are soldiers, the war will be on, with a break now and then…!
Posted in computer security
•February 25, 2007 •
Leave a Comment
The reference count (or load count) of a DLL is the number of times the DLL has been loaded into the process. Each time the DLL is loaded (through LoadLibrary) into the process its reference count is incremented by 1, and each time it is freed (through FreeLibrary) the count is decremented by 1. When the reference count reaches 0, the DLL is unmapped from the process.
When you want to unload a DLL completely from a process, you have to invoke FreeLibrary as many times as the DLL was loaded. So we need to know the reference count of the DLL to remove it completely from the process. But there is no documented Windows API which provides the reference count of a DLL.
I was writing a program to free spyware DLLs from Windows processes such as explorer.exe using DLL injection, so I needed to know the load count of a DLL to kick it off the process completely. When I did not find any information on the internet, I decided to get into the internals of Windows and find it out myself.
After a couple of hours of research I found that the load count is indeed stored in the PEB (Process Environment Block) of the process. One of the members of the PEB, Ldr, points to a PEB_LDR_DATA structure which holds the linked lists of modules loaded into that process. Each node of these lists is an LDR_MODULE structure (LDR_DATA_TABLE_ENTRY in the Windows headers) which contains complete information about that DLL. One of the fields of this structure is LoadCount, which is nothing but the reference count of that DLL in that process. Two caveats: a LoadCount of 0xFFFF marks a module that was statically imported (or otherwise pinned) and will not be unmapped by FreeLibrary at all, and the layout is version specific; the 64-bit offsets differ, and from Windows 8 onwards this field is named ObsoleteLoadCount while the live count moved to the LDR_DDAG_NODE structure.
So finally I found the solution to this problem. For complete information on this, read the ‘Finding DLL Reference count’ article.
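The walk described above, as an added example that is not the author’s RemoteDLL code (it also illustrates the “free it as many times as it was loaded” rule from the RemoteDLL post). It uses the 32-bit XP-era offsets: PEB.Ldr at 0x0C, PEB_LDR_DATA.InLoadOrderModuleList at 0x0C, and in LDR_DATA_TABLE_ENTRY DllBase at 0x18, BaseDllName at 0x2C and LoadCount at 0x38. Memory is read through a `read(addr, size)` callback; here it is backed by a constructed image of a process with a made-up spyware DLL (“nasty.dll”) loaded three times, whereas against a live process you would back it with ReadProcessMemory and obtain the PEB address from NtQueryInformationProcess (ProcessBasicInformation). One more caveat the example cannot help with: a rootkit that unlinks its entry from the loader lists is invisible to this walk, which is exactly the hidden-module trick IceSword is built to catch.

```python
import struct

# x86 (32-bit), XP-era layouts. Assumed for this example; verify per OS version.
PEB_LDR = 0x0C                    # PEB.Ldr -> PEB_LDR_DATA
LDR_IN_LOAD_ORDER_LIST = 0x0C     # PEB_LDR_DATA.InLoadOrderModuleList (LIST_ENTRY head)
ENTRY_DLL_BASE = 0x18             # LDR_DATA_TABLE_ENTRY.DllBase
ENTRY_BASE_DLL_NAME = 0x2C        # LDR_DATA_TABLE_ENTRY.BaseDllName (UNICODE_STRING)
ENTRY_LOAD_COUNT = 0x38           # LDR_DATA_TABLE_ENTRY.LoadCount (USHORT)
PINNED = 0xFFFF                   # LoadCount of a module that never unloads


def make_reader(chunks):
    """Constructed stand-in for ReadProcessMemory over (base, bytes) chunks."""
    def read(addr, size):
        for base, data in chunks:
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError("unmapped read at 0x%08X" % addr)
    return read


def u32(read, addr):
    return struct.unpack("<I", read(addr, 4))[0]


def read_unicode_string(read, addr):
    length, _maxlen, buf = struct.unpack("<HHI", read(addr, 8))   # UNICODE_STRING
    return read(buf, length).decode("utf-16-le")


def iter_modules(read, peb, limit=4096):
    """Yield (base_name, dll_base, load_count) in load order by walking
    PEB -> Ldr -> InLoadOrderModuleList until the list wraps to its head."""
    ldr = u32(read, peb + PEB_LDR)
    head = ldr + LDR_IN_LOAD_ORDER_LIST
    cur = u32(read, head)                          # head.Flink
    steps = 0
    while cur != head:
        # InLoadOrderLinks is the first field, so the LIST_ENTRY address is the entry address.
        name = read_unicode_string(read, cur + ENTRY_BASE_DLL_NAME)
        base = u32(read, cur + ENTRY_DLL_BASE)
        count = struct.unpack("<H", read(cur + ENTRY_LOAD_COUNT, 2))[0]
        yield name, base, count
        cur = u32(read, cur)                       # entry.InLoadOrderLinks.Flink
        steps += 1
        if steps > limit:
            raise RuntimeError("loader list does not terminate (corrupted or tampered)")


def load_count(read, peb, dll_name):
    for name, _base, count in iter_modules(read, peb):
        if name.lower() == dll_name.lower():
            return count
    return None


def free_library_calls_needed(read, peb, dll_name):
    """How many FreeLibrary calls an injected thread must make to unmap dll_name;
    None if the module is not loaded or is pinned (FreeLibrary will not unmap it)."""
    count = load_count(read, peb, dll_name)
    if count is None or count == PINNED:
        return None
    return count


def build_sample_process():
    """Constructed 32-bit image: a PEB, a PEB_LDR_DATA and four list entries
    (made-up addresses and module set; 'nasty.dll' stands in for the spyware)."""
    PEB, LDR, NAMES = 0x7FFD4000, 0x00190000, 0x00190800
    modules = [("explorer.exe", 0x01000000, PINNED), ("ntdll.dll", 0x7C900000, PINNED),
               ("kernel32.dll", 0x7C800000, PINNED), ("nasty.dll", 0x10000000, 3)]
    peb, region = bytearray(0x100), bytearray(0x1000)
    struct.pack_into("<I", peb, PEB_LDR, LDR)
    head = LDR + LDR_IN_LOAD_ORDER_LIST
    entries = [LDR + 0x100 * (i + 1) for i in range(len(modules))]
    links = [head] + entries + [head]              # circular: head -> e0 -> ... -> e3 -> head
    struct.pack_into("<II", region, LDR_IN_LOAD_ORDER_LIST, entries[0], entries[-1])
    cursor = NAMES
    for i, (name, base, count) in enumerate(modules):
        off = entries[i] - LDR
        struct.pack_into("<II", region, off, links[i + 2], links[i])     # Flink, Blink
        struct.pack_into("<I", region, off + ENTRY_DLL_BASE, base)
        raw = name.encode("utf-16-le")
        region[cursor - LDR:cursor - LDR + len(raw)] = raw
        struct.pack_into("<HHI", region, off + ENTRY_BASE_DLL_NAME, len(raw), len(raw) + 2, cursor)
        struct.pack_into("<H", region, off + ENTRY_LOAD_COUNT, count)
        cursor += len(raw) + 2
    return make_reader([(PEB, bytes(peb)), (LDR, bytes(region))]), PEB


if __name__ == "__main__":
    read, peb = build_sample_process()
    for name, base, count in iter_modules(read, peb):
        print("%-14s base=0x%08X LoadCount=%s" % (name, base, "pinned" if count == PINNED else count))
    print("FreeLibrary calls needed for nasty.dll:", free_library_calls_needed(read, peb, "nasty.dll"))
```

The pinned case is why the count has to be read at all: calling FreeLibrary in a loop “until it fails” never terminates on a statically imported module, and a DLL that loaded itself with a fake extra reference still needs exactly LoadCount calls, not one.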
Using this technique I have improved my RemoteDLL program to free a DLL from any remote process in just one click. Well, that makes it a day; watch this space for more stuff….!
Posted in computer security, hidden myths
•February 23, 2007 •
Leave a Comment
Rootkits are stealthier than any other kind of program… one must admire the techniques used by rootkit writers, and equally the techniques used by rootkit detectors…
There has been a lot of research going on in this field for quite some time, and as a result many rootkits, and hence rootkit detectors, have surfaced…
Here are a few rootkits: FU, Hacker Defender. And rootkit detectors: BlackLight from F-Secure, Rootkit Detective from McAfee, RootkitRevealer from Sysinternals, IceSword, RAIDE.
BlackLight and IceSword mainly rely on userland techniques to detect rootkits, as per the excellent research paper published by uninformed.org. Nowadays rootkits use advanced techniques and one cannot detect these just by playing in userland. Detectors have to get deep into the kernel. In this context, RAIDE does a pretty good job by employing very advanced kernel-level detection methods… This was demonstrated by Peter Silberman and Jamie Butler at the last Black Hat conference.
Well, it’s a game between attackers and defenders, and in the middle the users/spectators are the victims, as in any game.
Posted in computer security, hidden myths