
Tick-Tock, The Croc

Comments: Tick-Tock, The Croc, is a naive proof-of-concept rootkit detector. Its idea is that any LKM containing the SIDT instruction in its code is malicious and therefore should not be loaded into the kernel. Tick-Tock is an LKM itself that hooks 'init_module' and, each time a module is about to be inserted, performs a simple code analysis to check for the presence of SIDT. Tick-Tock uses a minimalist, customized version of bastard's libdisasm to do the disassembly, and it performs quite well against real-world examples. Despite being very easy to fool (e.g. by using self-modifying/encrypted code, or by executing SIDT in ring3 prior to inserting the LKM), I believe the concept behind Tick-Tock could still be applied, at least to legitimate modules, as a general means of enforcing the correctness of LKMs. A simple example of such a use would be blocking a module that does floating-point arithmetic (since the internal state of the x87 FPU shouldn't be messed with in kernel-land). Tick-Tock, The Croc, is an offspring of my presentation at H2HC 3rd edition.
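The check Tick-Tock performs on a module's code, reduced to its core as an added illustration (this is not Tick-Tock's code and does not use libdisasm): SIDT is encoded as 0F 01 /1 with a memory operand, so a scanner looks for that byte pattern and refuses the module when it is present. The two "module text" byte arrays are constructed for the example; the linear byte sweep is a simplification of the instruction-level disassembly the real tool does.

```c
#include <stddef.h>
#include <stdint.h>

/* Nonzero if the bytes at p encode SIDT: opcode 0F 01 with ModRM reg
 * field 001 and a memory operand (mod != 11b). With mod == 11b the same
 * reg field selects MONITOR/MWAIT instead, which must not be flagged. */
static int is_sidt(const uint8_t *p, size_t remaining)
{
    if (remaining < 3) return 0;
    if (p[0] != 0x0F || p[1] != 0x01) return 0;
    uint8_t mod = p[2] >> 6, reg = (p[2] >> 3) & 7;
    return mod != 3 && reg == 1;
}

/* Offset of the first SIDT in a code blob, or -1. A plain byte sweep:
 * the pattern could in principle also sit inside another instruction's
 * immediate or displacement, which is why Tick-Tock decodes instruction
 * lengths with a disassembler rather than matching bytes. */
static long find_sidt(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (is_sidt(code + i, len - i)) return (long)i;
    return -1;
}

/* Constructed sample code sections. */
static const uint8_t benign[] = {
    0x55,                       /* push ebp                          */
    0x89, 0xE5,                 /* mov  ebp, esp                     */
    0x0F, 0x01, 0xC8,           /* monitor: 0F 01 /1 but mod=11b     */
    0x5D,                       /* pop  ebp                          */
    0xC3                        /* ret                               */
};
static const uint8_t suspicious[] = {
    0x55,                       /* push ebp                          */
    0x89, 0xE5,                 /* mov  ebp, esp                     */
    0x0F, 0x01, 0x4D, 0xF8,     /* sidt [ebp-8]: stores IDTR locally */
    0x5D,                       /* pop  ebp                          */
    0xC3                        /* ret                               */
};

/* The policy the detector enforces: code containing SIDT is refused. */
static int module_allowed(const uint8_t *code, size_t len)
{
    return find_sidt(code, len) < 0;
}
```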

Year: 2006

Relevant Cross-References:

Download - code (.tar.gz)


Captain Hook

Comments: Captain Hook is a proof-of-concept LKM rootkit for Linux 2.6, also developed to illustrate my points during my presentation at H2HC 3rd edition. It has a very light and yet flexible design: it's simply a UDP server that can receive and then execute binaries. It also hides itself (i.e. the file 'capnhook.ko') to illustrate the syscall hooking technique.

Year: 2006

Relevant Cross-References:

Download - code (.tar.gz)


Wordlist Generator

Comments: Wordlist Generator was a rather fun project. What it does is automatically build giant wordlists out of a couple of words, by exhausting their concatenation combinations together with upper-case and l33t 5p34k variations. With just these two things, any two or three words fed to Wordlist Generator will explode into an amazing number of unique "passwords". I did this while working for Scanit ME, and the code is rather interesting. If you think about it, it's a problem that demands a creative solution. The code only uses the standard C library, so it can compile pretty much anywhere with a compliant toolchain. Here's what the release notes said...

This small utility should be used to aid dictionary-based attacks against pass{word,phrase} security. That is, it can be used to feed any password cracking software with specially targeted guesses of what the password might be. The concept behind this tool is that, instead of using general-purpose wordlists (such as a language dictionary or dictionary of computer terminology), one should be able to build a specially crafted wordlist that increases the chances of guessing a given password of a given individual. So, you basically input a few strings that you think have _HIGH_ probability of forming the password in question, and this program will output a list with every possible combination of these strings. Also featured is the exploration of (upper/lower)-case variations and use of 'l33t 5p34k'. The link for this file has both the executable files for Win32 systems as well as the source code. Next versions will entail new features like phonetic and radical permutations, as well as switches for controlling permutation types (like "--no-leet-speak"), so stay tuned!

Year: 2008

Relevant Cross-References: None

Download - code and Win32 binary (.zip)


DbgPlus Extension for WinDbg

Comments: DbgPlus is another interesting piece of code I did while working for Scanit ME. I'll simply skip any introductions and jump directly into the release notes, which are large and informative enough. Here we go...

This is the alpha release of the first public version of the DbgPlus extension. We call it alpha because it still contains a few minor glitches and bugs, as well as 'non-functional' points of improvement (such as performance). It is a 1.0 version, though, in the sense that it displays the feature set desired for this first release and it is, in fact, a hundred percent usable.

Although DbgPlus was born from hackish code created to aid vulnerability analysis, one can say its features are generic enough to make it useful for general-purpose debugging as well. Below, we describe its functionalities in brief:

[1] Remote call - This feature makes it possible to execute a call to a function in the debuggee address space and see the return value. Unlike windbg's '.call' meta-command, we are able to call a function even without symbol information. In fact, the user can call a function just by specifying its address. Furthermore, unlike Skywing's excellent extension, SDbgExt (which contains a similar functionality), we execute the call without needing the user to resume the execution of the process itself, making it perfect for post-mortem analysis (e.g. when the process has already crashed and you want to call some functions that will retrieve useful information on the process data).

[2] Trace and print history - This command will make the program execute until it reaches a breakpoint or exception and then print the last N (where N is a user-supplied number) instructions executed.

[3] Watch a range of memory - In order to overcome the processor's (and debugger's) limitation on the number of watchpoints, this command enables the user to watch for reads and writes to a range of memory unlimited in size. Unlike the way the breakpoint/watchpoint-setting commands normally work, when you issue !watchrange the program will execute and print the instructions accessing the range of memory. It will do so without ever breaking, until it reaches a breaking condition (breakpoints, exceptions...). These are not persistent watchpoints, meaning you should issue the command again if you're still interested in watching that range of memory further.

[4] Watch a register - This feature is perhaps the most exotic of the ones in DbgPlus, but can be a life saver if the user has to investigate the data-flow of a specific register for any reason. The !watchreg command takes a register name as parameter and watches for changes to that register in a similar fashion as the !watchrange command, printing the relevant instructions until a breaking condition.

As previously said, DbgPlus suffers from a few limitations. Most notably, the user should be aware that DbgPlus is not able to work with 64-bit targets and makes no effort to be otherwise. Adding support for 64-bit is doable, but it requires modifications in many parts of the code and was not considered critical for this release. Furthermore, the last 3 commands described above change the execution to stepping mode, making the performance thousands of times slower and therefore unsuited for long excerpts of code (depending on the power of the computer and how long you want to wait for the analysis) or code that interacts with the user. Therefore, the sensible user will want to delimit the pieces of code he wants to analyze with care, instead of issuing those commands to work throughout the whole execution of a big program or on GUI code.

Last but not least, any new user is strongly encouraged to issue the !help command, which will hopefully enlighten him/her on the usage of the rest of the DbgPlus commands.

Year: 2008

Relevant Cross-References: None

Download - code and binaries (.zip)


Visual Data Tracer

Comments: VDT is a dynamic dataflow analyzer designed to aid software vulnerability analysts. It traces across a reproducible crashing execution while dumping a lot of this trace information into a file. It then runs a backwards DF analysis on that file, trying to correlate the faulting data with the user input as it was present in the process address space. What this means is that, with very little effort, VDT can tell you something like "the input that crashed this program is those 2 bytes at offset 0x1234 of your malicious file". I presented VDT in detail at SOURCE Barcelona 2009, so I highly suggest that the interested visitor checks the presentation out.
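The backwards dataflow step described above, as an added toy illustration rather than VDT's own (private) code: the trace format, the register names, the input buffer location and the five trace records are all constructed for the example. Starting from the register the crash dereferenced, the analysis walks the trace from the fault towards the beginning, following each definition of whatever is currently "live" until one of them turns out to be a load from the input buffer, whose offset is the answer.

```c
#include <stdint.h>
#include <string.h>

#define INPUT_BASE 0x400000u  /* constructed: where the input file was mapped */
#define INPUT_SIZE 0x2000u
#define MAX_LIVE   8

/* One trace record: the instruction wrote dst_reg from either src_reg
 * (register move) or, when src_reg is NULL, from memory at src_addr. */
typedef struct { const char *dst_reg; const char *src_reg; uint32_t src_addr; } step_t;

/* Constructed trace leading up to a crash that dereferences eax. */
static const step_t trace[] = {
    { "ecx", NULL,  INPUT_BASE + 0x1234 }, /* ecx <- bytes of the input file */
    { "ebx", NULL,  INPUT_BASE + 0x0008 }, /* unrelated input load           */
    { "eax", "ecx", 0 },                   /* eax <- ecx                     */
    { "ecx", "ebx", 0 },                   /* ecx clobbered after its use    */
    { "esi", "eax", 0 },                   /* a copy, not the faulting use   */
};
#define TRACE_LEN (sizeof trace / sizeof trace[0])

/* Backward dataflow: begin with the faulting register live, walk the trace
 * from the crash towards the start, and whenever a step defines a live
 * register replace it by that step's source. Return the input offset of the
 * first definition that reads the input buffer, or -1 if none is reached. */
static long trace_back(const step_t *t, size_t n, const char *faulting_reg)
{
    const char *live[MAX_LIVE];
    size_t nlive = 1;
    live[0] = faulting_reg;
    for (size_t i = n; i-- > 0; ) {
        for (size_t k = 0; k < nlive; k++) {
            if (strcmp(live[k], t[i].dst_reg) != 0)
                continue;
            if (t[i].src_reg != NULL) {
                live[k] = t[i].src_reg;              /* keep following the copy  */
            } else if (t[i].src_addr - INPUT_BASE < INPUT_SIZE) {
                return (long)(t[i].src_addr - INPUT_BASE);
            } else {
                live[k] = live[--nlive];             /* non-input memory: dead end */
            }
            break;
        }
    }
    return -1;
}
```

Note that the later overwrite of ecx does not mislead the walk, because by the time it is reached going backwards ecx is no longer live.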

Year: 2008/2009

Relevant Cross-References:

Download unavailable - Private project!