Message-ID: <Pine.LNX.4.58.0405031000320.3081@catbert.rellim.com>
From: gem at rellim.com (Gary E. Miller)
Subject: Unpacking Sasser
Yo Lee!

On Mon, 3 May 2004, Lee wrote:

> I am intrigued by your points of malware understanding the environment
> I have never seen this before, have you any pointers for me?

Go try to disassemble some commercial dongle code. Those guys have been
counter attacking against debuggers and reverse assemblers for a long
time. Here are a few tricks they use:

Dynamically modifying code. The code that really gets executed only
exists for a brief moment. So the only way to see the real execution is
to single step it or dynamically trace capture it. Self-modifying code
also confuses any debugger that modifies the running code with single step
or break instructions instead of using debug registers.

Timing checks in the code. Set a timer, do a bit of work, check that
the timer has barely moved, branch to dummy code if the timer has lasted
more than an instant. That handily defeats single stepping or slower
means of dynamic trace.

Many debuggers subtly change the execution environment. Maybe a
normally unused soft irq now points to a new handler. Maybe one of
the segment registers or link library bases is not the usual. A few
subtle pieces of info like that and the secret code knows to go into
confuse mode.

Are these perfect? No, but it was better to piss off a few customers
than to let your code get hacked.

The list goes on and on. The virus/worm guys have a lot to learn from
the dongle guys.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem@...lim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
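
An added example, not part of the original message: an analyst-side triage script that flags likely timing checks of the kind described above, so they can be found before single stepping through them. It assumes the timer is read with the x86 RDTSC instruction (the message does not say which timer is used); the function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the original post): heuristic triage for timing checks.
# Assumption: the "timer" is the x86 time-stamp counter, read with RDTSC (0F 31).

RDTSC = b"\x0f\x31"

def find_rdtsc(code):
    """Offsets of every RDTSC opcode in a raw code buffer."""
    offsets, i = [], code.find(RDTSC)
    while i != -1:
        offsets.append(i)
        i = code.find(RDTSC, i + len(RDTSC))
    return offsets

def has_cond_jump(code, start, end):
    """True if a Jcc opcode (70..7F short, 0F 80..8F near) starts in code[start:end]."""
    for i in range(start, min(end, len(code))):
        if 0x70 <= code[i] <= 0x7F:
            return True
        if code[i] == 0x0F and i + 1 < len(code) and 0x80 <= code[i + 1] <= 0x8F:
            return True
    return False

def timing_check_candidates(code, max_gap=64, jump_window=16):
    """(first, second) offsets of RDTSC pairs that bracket a short run of code
    and are closely followed by a conditional jump. Byte matching without a
    disassembler can misfire on data or operands, so treat hits as leads."""
    offsets = find_rdtsc(code)
    return [(a, b) for a, b in zip(offsets, offsets[1:])
            if b - a <= max_gap and has_cond_jump(code, b + 2, b + 2 + jump_window)]

# Constructed sample: read timer, do a bit of work, read again, compare, branch.
SAMPLE = bytes.fromhex(
    "0f31"        # rdtsc
    "89c3"        # mov ebx, eax
    "909090"      # nop x3 (stand-in for "a bit of work")
    "0f31"        # rdtsc
    "29d8"        # sub eax, ebx
    "3d00100000"  # cmp eax, 0x1000
    "7705"        # ja +5 (the branch taken when too much time has passed)
    "c3"          # ret
)
# Constructed negative case: a single counter read with no comparison after it.
LONE_READ = bytes.fromhex("0f3189c3c3")

if __name__ == "__main__":
    for first, second in timing_check_candidates(SAMPLE):
        print(f"possible timing check: RDTSC at {first:#x} and {second:#x}")
```

Each hit marks a region where single stepping inflates the measured interval, so those offsets are where to review the comparison and the branch target before tracing further.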