lists.openwall.net - Open Source and information security mailing list archives
Date: Thu, 12 Jul 2012 19:02:39 +0200
From: phocean <0x90@...cean.net>
To: Григорий Братислава <musntlive@...il.com>
Cc: "Mikhail A. Utin" <mutin@...monwealthcare.org>, full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)

Not sure if you are kidding.

1) WinDBG is a debugger, not really a memory dump.
2) Not sure I understand.
3) It is your opinion.
4) Don't understand. Sounds like a joke, but even from that angle I don't get it.

If only you stopped with this weird English.

---
phocean

On 12 Jul 2012, at 18:54, Григорий Братислава wrote:

> On Thu, Jul 12, 2012 at 12:47 PM, phocean <0x90@...cean.net> wrote:
>> Yes, maybe WinDbg... Not that I am comfortable with WinDBG, but certainly a
>> good chance to learn and get more familiar.
>>
>> However:
>>
>> - Volatility: anything has to sit somehow in the memory, so there is no way
>> for it to escape from the analysis. It has all the advantages of offline
>> analysis. I don't think Volatility is script kiddy stuff. I think it is a
>> great tool and should be enough for my concern.
>>
>> - WinDBG: here we are doing live analysis, with all the difficulties it
>> implies. It is long and painful. You have to read a damn lot of assembly,
>> thousands of calls, decide to step into or step over, when and based on what
>> assumptions, etc.
>> Of course, perfect knowledge of the system internals is required. The difficulty
>> will be raised if ever there are some anti-debugging protections. Respect to
>> the people who can do it, they are artists, but is it really the most
>> reasonable way to go?
>
> 0x00: MusntLive is give you now priceless advice for you must to listen:
>
> 1) WinDBG is to dump your memory
> 2) Is HB Gary FD Pro is used not volatility. This is because since
> Greg is backdoored all his tools, is we don't find problems, then when
> is HB Gary snooping in our session maybe they can find is problem for
> us.
> 3) Volatility is script kid tool (don't is tell anyone who is use this)
> 4) Step over is step into. MusntLive give you good analogy right now.
> Is you have choice, step into POOP or is step over POOP is what is
> your choice? Step over is what is hoped. Forget this is step over,
> into, above, sideways. Foolproof is method is to diff memory. Before
> and is after yes. This is key to anomalies: Before and is after

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
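The two analysis ideas that run through the thread above, offline comparison of memory images (the "before and after" diff) and cross-view comparison of a linked-list process walk against a pool scan (the way an unlinked, DKOM-hidden process is usually caught), can be combined in a few lines. The following is an added example written for this page, not code from either poster and not Volatility's own code; the four tables are constructed samples in the column layout Volatility's pslist/psscan output uses, with invented offsets, PIDs and the process name "srvhost.exe" standing in for a hidden process.

```python
"""Added example: surface anomalies by diffing memory-analysis views.

Two diffs are combined:
  * before/after: what changed between two memory images of the same host;
  * cross-view:   what a pool scan (psscan-style) finds that the linked-list
                  walk (pslist-style) does not, the classic sign of a process
                  unlinked from ActiveProcessLinks.
All tables below are constructed samples, not real tool output, and
Volatility itself is not imported; the parser reads its column layout only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: clean image, list walk and pool scan agree.
BEFORE_PSLIST = """\
Offset(P)   Name          PID  PPID
0x01a2b000  System          4     0
0x01b3c000  smss.exe      368     4
0x01c4d000  csrss.exe     520   368
0x01d5e000  services.exe  600   520
0x01e6f000  svchost.exe   812   600
0x01f70000  explorer.exe 1320   600
"""
BEFORE_PSSCAN = BEFORE_PSLIST

# Constructed sample: later image. The list walk sees one new process,
# the pool scan sees two; 'srvhost.exe' (hypothetical name) is unlinked.
AFTER_PSLIST = BEFORE_PSLIST + "0x02081000  notepad.exe  2044  1320\n"
AFTER_PSSCAN = AFTER_PSLIST + "0x02192000  srvhost.exe  1788   600\n"


@dataclass(frozen=True)
class Proc:
    offset: int   # physical offset of the _EPROCESS block
    name: str
    pid: int
    ppid: int


def parse_table(text: str) -> Dict[int, Proc]:
    """Parse a whitespace-separated 'Offset Name PID PPID' table, keyed by PID."""
    procs: Dict[int, Proc] = {}
    for line in text.strip().splitlines()[1:]:          # skip the header row
        off, name, pid, ppid = line.split()
        proc = Proc(int(off, 16), name, int(pid), int(ppid))
        if proc.pid in procs:
            raise ValueError(f"duplicate PID {proc.pid} in table")
        procs[proc.pid] = proc
    return procs


def cross_view_hidden(linked: Dict[int, Proc], scanned: Dict[int, Proc]) -> List[Proc]:
    """Processes the pool scan found but the list walk missed.

    A hit is a lead, not a verdict: a scan also returns terminated processes
    whose pool block has not been reused yet, so check exit time and threads.
    """
    return [scanned[pid] for pid in sorted(set(scanned) - set(linked))]


def diff_snapshots(before: Dict[int, Proc], after: Dict[int, Proc]) -> Tuple[List[Proc], List[Proc]]:
    """Return (appeared, disappeared) between two views of the same host, by PID."""
    appeared = [after[pid] for pid in sorted(set(after) - set(before))]
    disappeared = [before[pid] for pid in sorted(set(before) - set(after))]
    return appeared, disappeared


def anomaly_report(before_list: str, before_scan: str,
                   after_list: str, after_scan: str) -> Dict[str, List[str]]:
    """Combine both diffs into one report of process names."""
    b_list, b_scan = parse_table(before_list), parse_table(before_scan)
    a_list, a_scan = parse_table(after_list), parse_table(after_scan)
    # Compare the fuller (scanned) views so an unlinked process still counts as new.
    appeared, disappeared = diff_snapshots(b_scan, a_scan)
    return {
        "new_since_before": [p.name for p in appeared],
        "gone_since_before": [p.name for p in disappeared],
        "hidden_before": [p.name for p in cross_view_hidden(b_list, b_scan)],
        "hidden_after": [p.name for p in cross_view_hidden(a_list, a_scan)],
    }


if __name__ == "__main__":
    for key, names in anomaly_report(BEFORE_PSLIST, BEFORE_PSSCAN,
                                     AFTER_PSLIST, AFTER_PSSCAN).items():
        print(f"{key:18s} {names}")
```

Run as-is, the report lists notepad.exe and srvhost.exe as new since the first image and srvhost.exe alone as hidden in the second image, which is the case the cross-view check exists for: the before/after diff alone would show two new processes and give no reason to prefer one over the other.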