Message-Id: <D365BDA1-8567-4C74-8D9C-805AC034CBFC@phocean.net>
Date: Thu, 12 Jul 2012 19:02:39 +0200
From: phocean <0x90@...cean.net>
To: Григорий Братислава <musntlive@...il.com>
Cc: "Mikhail A. Utin" <mutin@...monwealthcare.org>, full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
Not sure if you are kidding.
1) WinDBG is a debugger, not really a memory dump.
2) Not sure I understand.*
3) It is your opinion.
4) Don't understand. Sounds like a joke, but even with that angle I don't get it.*
* If only you stopped with this weird English.
--- phocean
On 12 Jul 2012 at 18:54, Григорий Братислава wrote:
> On Thu, Jul 12, 2012 at 12:47 PM, phocean <0x90@...cean.net> wrote:
>> Yes, maybe WinDbg… Not that I am comfortable with WinDBG, but certainly a
>> good chance to learn and get more familiar.
>>
>> However:
>>
>> - Volatility: anything has to sit somehow in the memory, so there is no way
>> for it to escape from the analysis. It has all the advantages of offline
>> analysis. I don't think Volatility is script kiddy stuff. I think it is a
>> great tool and should be enough for my concern.
>>
>> - WinDBG: here we are doing live analysis, with all the difficulties it
>> implies. It is long and painful. You have to read a damn lot of assembly,
>> thousands of calls, decide to step into or step over, when and based on what
>> assumptions, etc.
>> Of course, perfect knowledge of the system internals is required. Difficulty
>> will be higher if there are any anti-debugging protections. Respect to
>> the people who can do it, they are artists, but is it really the most
>> reasonable way to go?
>
> 0x00: MusntLive is give you now priceless advice for you must to listen:
>
> 1) WinDBG is to dump your memory
> 2) Is HB Gary FD Pro is used not volatility. This is because since
> Greg is backdoored all his tools, is we don't find problems, then when
> is HB Gary snooping in our session maybe they can find is problem for
> us.
> 3) Volatility is script kid tool (don't is tell anyone who is use this)
> 4) Step over is step into. MusntLive give you good analogy right now.
> Is you have choice, step into POOP or is step over POOP is what is
> your choice? Step over is what is hoped. Forget this is step over,
> into, above, sideways. Foolproof is method is to diff memory. Before
> and is after yes. This is key to anomalies: Before and is after
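The before-and-after diff mentioned at the end of the quoted message, as an added example that is not part of the original thread: it parses two constructed, Volatility-pslist-style listings (the column layout is an assumption) and reports processes that appeared, disappeared, or were re-parented between snapshots, while ignoring thread and handle counts that change legitimately.

```python
from typing import Dict, List, NamedTuple

class Proc(NamedTuple):
    """Identity fields only: thread and handle counts vary legitimately."""
    pid: int
    ppid: int
    name: str


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Parse 'Offset Name PID PPID ...' rows into a PID -> Proc map."""
    procs: Dict[int, Proc] = {}
    for line in text.strip().splitlines()[2:]:  # skip header and separator
        parts = line.split()
        if len(parts) >= 4:
            procs[int(parts[2])] = Proc(int(parts[2]), int(parts[3]), parts[1])
    return procs


def diff_snapshots(before: str, after: str) -> Dict[str, List[str]]:
    """Report processes that appeared, vanished, or were re-parented."""
    b, a = parse_pslist(before), parse_pslist(after)
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for pid in sorted(set(a) - set(b)):
        report["added"].append(f"{a[pid].name} (pid {pid}, ppid {a[pid].ppid})")
    for pid in sorted(set(b) - set(a)):
        report["removed"].append(f"{b[pid].name} (pid {pid})")
    for pid in sorted(set(a) & set(b)):
        if a[pid] != b[pid]:
            report["changed"].append(f"pid {pid}: {b[pid]} -> {a[pid]}")
    return report


# Constructed, pslist-like sample listings (assumed column layout, not real data).
BEFORE = """\
Offset(V)  Name         PID  PPID Thds Hnds
---------- ------------ ---- ---- ---- ----
0x8a1b0020 System          4    0   56  245
0x8a0c1da0 smss.exe      368    4    3   19
0x89f9d020 csrss.exe     584  368   10  339
0x89eb2da0 winlogon.exe  608  368   18  496
"""
AFTER = """\
Offset(V)  Name         PID  PPID Thds Hnds
---------- ------------ ---- ---- ---- ----
0x8a1b0020 System          4    0   57  251
0x8a0c1da0 smss.exe      368    4    3   19
0x89eb2da0 winlogon.exe  608  368   18  502
0x89d00da0 svchost.exe  1204  608    5   88
"""
```

A process that vanishes from the later listing is a candidate for cross-checking against other views (e.g. thread or handle scans) rather than proof of hiding on its own.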
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/