Dailydave mailing list archives
Re: Some Propaganda.
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Wed, 15 Nov 2006 08:53:49 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Piotr Bania wrote:

> CODENAME 4514N - PRE-ANNOUNCE PROPAGANDA
> ----------------------------------------
> Just some info for those who are interested. I'm currently working on my masterpiece project (school project), a first GUI oriented and the most advanced integrating-metamorphic engine so far. Integration engine allows user to integrate any code to any PE binary file (x86 processors), including device drivers etc. etc. 4514N engine can rebuild all the PE structure, internal offsets (jumps, references), any type of PE sections (relocs, imports, exports, resources...), moreover it even can keep the alignment of variables. Integration means that firstly target file is disassembled to pieces (it creates a chain which connects the body of target file), then we move that chain, we do everything we want (I call this step InverseKinematics, just because I'm a 3D graphics hobbyist) and then we compile the chain again. Such horribly modified application runs perfectly, moreover it is almost impossible to disinfect the modified target. So tell me, do you want to compile a rootkit inside of your ndis.sys? :)

That would actually be trivially detectable if you decided to infect any of the Windows system files (like e.g. the NDIS.SYS quoted above), as all those files (starting from Windows 2000) are digitally signed... Still, the project looks cool - I could imagine using such an engine to e.g. infect any of the non-signed PE files on disk, just to allow our rootkit to be loaded into memory at system startup - but once loaded the rootkit should not change *any* code sections (Type I rootkits are really passé IMHO)... Existence of such tools as the one Piotr is working on should really convince and encourage *all* developers to digitally sign their executables.

cheers,
joanna.

-----BEGIN PGP SIGNATURE-----

iD8DBQFFWseMORdkotfEW84RAvg7AJ4mARCFjcDNfhYVy2B5SMi/lgZ+fwCcC2m+
0GtRUkGLSCZ2/km4Vhx8VqU=
=F3mR
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
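The detection Joanna relies on (a modified signed binary no longer verifies, and an unsigned PE file has no signature to verify at all) is something a defender can check directly. The following is an added example written for this archive page, not code from the thread or from either poster; it assumes Windows PowerShell with the built-in `Get-AuthenticodeSignature` cmdlet, and the default directory `$env:SystemRoot\System32\drivers` is only an assumed starting point (any folder of PE files works).

```powershell
# Added example: list PE files whose Authenticode signature does not verify.
# Status values of interest:
#   Valid        - signed, hash matches the signed content (untouched file)
#   HashMismatch - signed, but the file was modified after signing
#   NotSigned    - no embedded or catalog signature at all (the case Joanna
#                  says developers should eliminate by signing their binaries)
param(
    # Assumed default; point this at any directory containing PE files.
    [string]$Path = "$env:SystemRoot\System32\drivers"
)

$report = Get-ChildItem -Path $Path -Include *.sys, *.dll, *.exe -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status
            # Subject of the signing certificate, if any, so a reviewer can see
            # which publisher the (possibly broken) signature claims.
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }

# Anything other than Valid deserves a look; HashMismatch is the tampering case.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Status, File

$suspect | Format-Table -AutoSize

# Summary counts per status for a quick overview of the directory.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

Two practical notes: many Microsoft system files carry no embedded signature and are instead covered by a signed catalog in `CatRoot`, which `Get-AuthenticodeSignature` resolves on current Windows versions, so a `NotSigned` result for a file shipped by Windows itself is worth a second look rather than an immediate alarm; and a `HashMismatch` only tells you the bytes changed after signing, so the file should be compared against a known-good copy or the package it came from before drawing conclusions.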
Current thread:
- Some Propaganda. Piotr Bania (Nov 14)
- Re: Some Propaganda. Arun Koshy (Nov 14)
- Re: Some Propaganda. Joanna Rutkowska (Nov 15)
- Re: Some Propaganda. Halvar Flake (Nov 15)
- Re: Some Propaganda. dan (Nov 15)
- I love PKI :) (was Some Propaganda.) Joanna Rutkowska (Nov 16)
- Re: I love PKI :) (was Some Propaganda.) ergosum (Nov 17)
- Re: I love PKI :) (was Some Propaganda.) Danny Quist (Nov 19)
- <Possible follow-ups>
- Re: Some Propaganda. Piotr Bania (Nov 15)
- Re: Some Propaganda. Piotr Bania (Nov 15)
- Some Propaganda. Piotr Bania (Nov 15)
- Re: Some Propaganda. Marek Bialoglowy (Nov 16)