Open Source and information security mailing list archives
Message-ID: <20020915174352.D7787@hamsec.aurora.sfo.interquest.net>
From: silvio at big.net.au (silvio@....net.au)
Subject: sandboxing

On Sun, Sep 15, 2002 at 08:31:21PM -0400, Michal Zalewski wrote:
>
> So far, the general approach many people have chosen for *nix
> anti-debugging is to simply "go nowhere" when a debugger is detected -
> crash, exit, trash the debugger - making it apparent there's an
> anti-debugging routine. If such a code was well-hidden and would decide
> about calling some obscure, self-modifying subroutine, perhaps not even
> contained within the binary itself, I wonder how many people would miss
> it. It is the author's courtesy to let you know there's an anti-debugging
> code that detected your debugger / tracer, period. Don't take it for
> granted ;>
> 
> -- 
> m
> 

heh.. great email btw :)

I remember i was analysing a linux binary once.. I was sort of in a rush,
and I didn't want to spend any time on it, unless I thought it was worth
it.

so i simply disassembled part of the binary, looked at all the syscalls to
see if it was network aware in some way.. well.. no syscalls involving
socketcall etc (erk), so i left it lie for a few days..

well.. someone said to me at that time, "yes. i'm seeing network connections
here!".. so i figure.. ok. maybe i should just look at it a bit closer,
and not assume it's ur typical "evil" binary..

silly me.. there was extra code appended near the end of the binary, which
_was_ network aware :(  i had simply ignored looking over the entire binary
for possible code, because i was busy with other things (analysing
binaries is not my profession!), and looked at the standard place being
used today for inserting of code/data.

yes.. a 2 minute tool can automate this process to find unaccounted for
bits in binaries, and help analysis a lot more in terms of parasite
code etc.. one day i need to get organized ;-)

it sorta pissed me off though.. i thought i was getting ok at the reverse
engineering thing before that happened ;-)

--
Silvio
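The "2 minute tool" Silvio mentions, written out as an added example (this is not code from the post or from any project it refers to): it parses the ELF header, the program and section header tables, and every file-backed section, then reports byte ranges that none of them account for. Appended parasite code, like the network-aware code Silvio missed, shows up as a trailing gap; a second check lists bytes that no program-header entry maps at all, which a dynamic trace would never execute and a disassembler that follows segments would never show. The sample ELF64 image built by `build_sample` is constructed test data, not a real binary, and the parser assumes a well-formed header (it raises on non-ELF input and does not validate overlapping or out-of-file offsets beyond what `struct` rejects).

```python
import struct
import sys

SHT_NOBITS = 8  # .bss-style sections occupy no file space


def _parse(data):
    """Return (tables, sections, segments): byte ranges claimed by the ELF
    header plus program/section header tables, by file-backed sections,
    and by program-header entries with a non-zero file size."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: e_phoff/e_shoff at 32, e_ehsize..e_shnum at 52
        phoff, shoff = struct.unpack_from(end + "QQ", data, 32)
        ehsize, phentsize, phnum, shentsize, shnum = struct.unpack_from(end + "HHHHH", data, 52)
        sh_fmt, sh_off_i, sh_size_i, sh_type_i = end + "IIQQQQIIQQ", 4, 5, 1
        ph_fmt, ph_off_i, ph_fsz_i = end + "IIQQQQQQ", 2, 5
    elif ei_class == 1:  # ELF32: e_phoff/e_shoff at 28, e_ehsize..e_shnum at 40
        phoff, shoff = struct.unpack_from(end + "II", data, 28)
        ehsize, phentsize, phnum, shentsize, shnum = struct.unpack_from(end + "HHHHH", data, 40)
        sh_fmt, sh_off_i, sh_size_i, sh_type_i = end + "IIIIIIIIII", 4, 5, 1
        ph_fmt, ph_off_i, ph_fsz_i = end + "IIIIIIII", 1, 4
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    tables = [(0, ehsize)]
    if phnum:
        tables.append((phoff, phoff + phnum * phentsize))
    if shnum:
        tables.append((shoff, shoff + shnum * shentsize))
    sections = []
    for i in range(shnum):
        f = struct.unpack_from(sh_fmt, data, shoff + i * shentsize)
        if f[sh_type_i] != SHT_NOBITS and f[sh_size_i]:
            sections.append((f[sh_off_i], f[sh_off_i] + f[sh_size_i]))
    segments = []
    for i in range(phnum):
        f = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        if f[ph_fsz_i]:
            segments.append((f[ph_off_i], f[ph_off_i] + f[ph_fsz_i]))
    return tables, sections, segments


def _gaps(ranges, total):
    """Byte ranges of [0, total) that lie inside none of `ranges`."""
    gaps, pos = [], 0
    for start, stop in sorted(ranges):
        if start > pos:
            gaps.append((pos, start))
        pos = max(pos, stop)
    if pos < total:
        gaps.append((pos, total))
    return gaps


def unaccounted(data, min_len=1):
    """Ranges no header table or file-backed section claims (appended code,
    data hidden in padding). A stripped section table makes most of the file
    a gap, which is itself worth noticing."""
    tables, sections, _ = _parse(data)
    return [g for g in _gaps(tables + sections, len(data)) if g[1] - g[0] >= min_len]


def outside_segments(data, min_len=1):
    """Ranges no program-header entry maps: the loader never sees these bytes."""
    tables, _, segments = _parse(data)
    return [g for g in _gaps(tables + segments, len(data)) if g[1] - g[0] >= min_len]


def build_sample(parasite=b""):
    """Constructed ELF64 image: header, one PT_LOAD covering the whole file,
    .text, .shstrtab, a 3-entry section table, then optional appended bytes."""
    text = b"\xc3" * 8                                   # eight 'ret' bytes
    shstrtab = b"\x00.text\x00.shstrtab\x00".ljust(24, b"\x00")
    text_off, str_off = 0x78, 0x80
    shoff = str_off + len(shstrtab)                      # 0x98
    shnum = 3
    file_end = shoff + shnum * 64                        # 0x158
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + text_off,
                        0x40, shoff, 0, 64, 56, 1, 64, shnum, 2)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, file_end, file_end, 0x1000)
    sh0 = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    sh1 = struct.pack("<IIQQQQIIQQ", 1, 1, 6, 0x400000 + text_off, text_off, len(text), 0, 0, 16, 0)
    sh2 = struct.pack("<IIQQQQIIQQ", 7, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    img = ehdr + phdr + text + shstrtab + sh0 + sh1 + sh2
    assert len(img) == file_end
    return img + parasite


if __name__ == "__main__":
    # Real file if given, otherwise the constructed sample with 32 appended bytes.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(b"X" * 32)
    for start, stop in unaccounted(blob, min_len=16):
        print("unaccounted by any section: 0x%x-0x%x (%d bytes)" % (start, stop, stop - start))
    for start, stop in outside_segments(blob, min_len=16):
        print("not mapped by any segment:  0x%x-0x%x (%d bytes)" % (start, stop, stop - start))
```

Run it against a real binary with `python3 elfgaps.py /path/to/file`; the `min_len` threshold hides the few bytes of alignment padding that normal linkers leave between sections. The two views deliberately differ: code appended past the last section but pulled into an enlarged PT_LOAD is invisible to the segment check and only the section check catches it, while bytes beyond every segment are ones the kernel never maps and so never execute directly, which is the case Silvio describes.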
