Message-ID: <20020915174352.D7787@hamsec.aurora.sfo.interquest.net>
From: silvio at big.net.au (silvio@....net.au)
Subject: sandboxing
On Sun, Sep 15, 2002 at 08:31:21PM -0400, Michal Zalewski wrote:
>
> So far, the general approach many people have chosen for *nix
> anti-debugging is to simply "go nowhere" when a debugger is detected -
> crash, exit, trash the debugger - making it apparent there's an
> anti-debugging routine. If such a code was well-hidden and would decide
> about calling some obscure, self-modifying subroutine, perhaps not even
> contained within the binary itself, I wonder how many people would miss
> it. It is the author's courtesy to let you know there's an anti-debugging
> code that detected your debugger / tracer, period. Don't take it for
> granted ;>
>
> --
> m
>
heh.. great email btw :)
I remember I was analysing a Linux binary once.. I was sort of in a rush,
and I didn't want to spend any time on it, unless I thought it was worth
it.
So I simply disassembled part of the binary, looked at all the syscalls to
see if it was network aware in some way.. well.. no syscalls involving
socketcall etc (erk), so I let it lie for a few days..
Well.. someone said to me at that time, "yes, I'm seeing network connections
here!".. so I figure.. ok, maybe I should just look at it a bit closer,
and not assume it's your typical "evil" binary..
Silly me.. there was extra code appended near the end of the binary, which
_was_ network aware :( I had simply ignored looking over the entire binary
for possible code, because I was busy with other things (analysing
binaries is not my profession!), and looked at the standard place being
used today for inserting code/data.
Yes.. a 2 minute tool can automate this process to find unaccounted-for
bits in binaries, and help analysis a lot more in terms of parasite
code etc.. one day I need to get organized ;-)
It sorta pissed me off though.. I thought I was getting ok at the reverse
engineering thing before that happened ;-)
--
Silvio
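The "2 minute tool" Silvio mentions, written out as an added example (this is not Silvio's tool or anything from the list; it assumes a little-endian ELF32/ELF64 file, which is what a Linux binary of that era would be). The idea is to trust nothing but the headers: collect every file-offset range the ELF header, program header table, section header table, segments and non-NOBITS sections account for, merge them, and report whatever is left: gaps between those ranges and, the case from the post, bytes appended past the last header-described range. `covered_ranges`, `unaccounted` and `build_sample_elf` are names chosen here; the sample ELF is constructed in the block purely so the check runs offline and is not meant to be executed.

```python
import struct
import sys
from typing import List, Tuple

Range = Tuple[int, int]  # [start, end) file offsets

# Header layouts, little-endian, keyed by EI_CLASS (1 = ELF32, 2 = ELF64).
# Note that the 32-bit program header orders its fields differently from the 64-bit one.
EHDR = {1: struct.Struct("<16sHHIIIIIHHHHHH"), 2: struct.Struct("<16sHHIQQQIHHHHHH")}
PHDR = {1: struct.Struct("<IIIIIIII"), 2: struct.Struct("<IIQQQQQQ")}
SHDR = {1: struct.Struct("<IIIIIIIIII"), 2: struct.Struct("<IIQQQQIIQQ")}
SHT_NOBITS = 8  # .bss-style sections occupy no bytes in the file


def covered_ranges(data: bytes) -> List[Range]:
    """File-offset ranges the ELF headers account for: the header itself, both
    header tables, each segment's file image and each section's file contents."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] != 1:
        raise ValueError("not a little-endian ELF32/ELF64 file")
    cls = data[4]
    (_, _, _, _, _, phoff, shoff, _, ehsize, phentsize, phnum,
     shentsize, shnum, _) = EHDR[cls].unpack_from(data, 0)
    size = len(data)
    ranges: List[Range] = [(0, ehsize)]
    if phnum:
        ranges.append((phoff, phoff + phentsize * phnum))
        for i in range(phnum):
            f = PHDR[cls].unpack_from(data, phoff + i * phentsize)
            # ELF64: type, flags, offset, vaddr, paddr, filesz, ...; ELF32: type, offset, vaddr, paddr, filesz, ...
            p_offset, p_filesz = (f[2], f[5]) if cls == 2 else (f[1], f[4])
            if p_filesz:
                ranges.append((p_offset, p_offset + p_filesz))
    if shnum:
        ranges.append((shoff, shoff + shentsize * shnum))
        for i in range(shnum):
            _, sh_type, _, _, sh_offset, sh_size, *_ = SHDR[cls].unpack_from(data, shoff + i * shentsize)
            if sh_type != SHT_NOBITS and sh_size:
                ranges.append((sh_offset, sh_offset + sh_size))
    # Clip ranges that claim to run past the end of the file (truncated or lying headers).
    return [(min(s, size), min(e, size)) for s, e in ranges]


def unaccounted(data: bytes) -> List[Range]:
    """Merge the covered ranges and return every hole between them plus any
    trailing bytes that no header describes. An empty list means the headers
    account for every byte in the file."""
    merged: List[Range] = []
    for start, end in sorted(covered_ranges(data)):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    holes: List[Range] = []
    pos = 0
    for start, end in merged:
        if start > pos:
            holes.append((pos, start))
        pos = end
    if pos < len(data):
        holes.append((pos, len(data)))
    return holes


def build_sample_elf(overlay: bytes = b"") -> bytes:
    """Constructed minimal ELF64 x86-64 image (header, one PT_LOAD, a 16-byte .text,
    a null section and .text section header), with optional appended bytes.
    It exists only to exercise the check above and is not meant to be run."""
    text = b"\x31\xc0\xc3" + b"\x90" * 13  # xor eax,eax; ret; nop padding
    phoff = EHDR[2].size                     # 64
    text_off = phoff + PHDR[2].size          # 120
    shoff = text_off + len(text)             # 136
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = EHDR[2].pack(ident, 2, 62, 1, 0x400000 + text_off, phoff, shoff, 0,
                        EHDR[2].size, PHDR[2].size, 1, SHDR[2].size, 2, 0)
    phdr = PHDR[2].pack(1, 5, 0, 0x400000, 0x400000, shoff, shoff, 0x1000)  # PT_LOAD, R+X
    sh_null = SHDR[2].pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    sh_text = SHDR[2].pack(0, 1, 6, 0x400000 + text_off, text_off, len(text), 0, 0, 16, 0)
    return ehdr + phdr + text + sh_null + sh_text + overlay


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(b"PARASITE" * 8)
    for start, end in unaccounted(blob):
        print(f"unaccounted bytes at 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

Run it with a path to report holes and trailing data, or with no argument to see the constructed sample flag its 64 appended bytes. Treat a hit as a triage signal rather than a verdict: alignment padding, stripped debug data and signature blobs also land outside header-described ranges, so the flagged bytes still need a look. The converse limit matters too: code hidden inside the padding of a legitimate section is fully "accounted for" by the headers and will not show up here, which is exactly why a disassembly pass over the whole file, not just the usual insertion spot, remains necessary.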