Dailydave mailing list archives
Re: Graphing: Don't believe everything you see.
From: "Dave Aitel" <dave.aitel () gmail com>
Date: Fri, 9 Feb 2007 16:17:23 -0500
In the famous Buffy episode "Hush", Joss Whedon demonstrates through a creative plot device (removing the voices from the entire town) that often talking is the opposite of communication. But I don't have time to draw pretty pictures, so here goes.

Imagine a simple host intrusion protection device that makes a graph of the system call chains of a process as it runs normally, and then in the future restricts the process to those system call chains. These chains start with a CreateThread() and can end at any point, but typically with an ExitThread().

Given this simple system, we can defeat it with a "hooker shellcode" which hooks the functions our shellcode wants to call. For example, "accept()", "recv()", "CreateFile", "Write()" and so on. Because system call arguments are not looked at, we replace the original arguments with the arguments we would prefer, and then let the process continue. Each system call may happen in a completely different thread, but it will happen exactly as the HIPS thinks it should, just with different arguments.

Essentially the problem is that the HIPS models on a per-thread basis, and there is no per-thread memory isolation. Of course to do the hooks themselves you'll want to call VirtualProtect, but we can do something more invasive to take over every thread's exception handler and play our little reindeer games. We can, after all, write into every thread's stack.

And of course, it may be that statistically, CreateThread() branches quite predictably. So if we can call CreateThread, we might be able to do anything we want after that point:

CreateThread(DoAcceptData());
CreateThread(DoWriteDataToFile());
CreateThread(DoExecFile());

and so on.

Today I played a lot more with Vista. It turns out it DOES have the 10-half-open TCP connection limit. And there's no way to shut that off. I take back what I said about it being better than XP SP2.

-dave

On 2/8/07, Alexander Sotirov <asotirov () determina com> wrote:
> Dave Aitel wrote:
> > For the record, or at least, as a reminder to the record, anything
> > based solely on system call ordering is going to have a bugger of a
> > time dealing with CreateThread().
>
> What is the problem with CreateThread? You just need to look at the syscall ordering per thread, not per process, and everything will be fine.
>
> Alex
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
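As an added illustration (this is not code from the post, from Immunity, or from any real HIPS product), the following Python toy simulates the model described above: a per-thread detector that learns system call chains during training and later allows only those chains, or any prefix of them, since a chain may end at any point. It then shows the two evasions from the post: the "hooker shellcode" that keeps the learned call order but swaps in attacker-chosen arguments, and the CreateThread angle, where the attacker splits the work across several threads that each run an already-learned chain. The API names, paths and traces are all constructed for the example; the `check_args=True` variant is simply there to show what the order-only model is missing.

```python
"""Toy per-thread system-call-chain HIPS and the evasions the post describes.
Constructed simulation for illustration only: not a real HIPS, and every
trace, path and socket name below is made up."""
from typing import Dict, List, Set, Tuple

Call = Tuple[str, Tuple[str, ...]]   # (API name, argument tuple)
Trace = List[Call]


class ChainHIPS:
    """Learns every per-thread call chain seen while training, then allows
    only those chains.  A chain may end at any point, so any prefix of a
    learned chain is also allowed.  With check_args=False the model looks
    at call order only, which is the design the post attacks."""

    def __init__(self, check_args: bool = False) -> None:
        self.check_args = check_args
        self.chains: Set[tuple] = set()

    def _key(self, trace: Trace) -> tuple:
        if self.check_args:
            return tuple(trace)                       # (name, args) pairs
        return tuple(name for name, _ in trace)       # names only

    def train(self, traces: List[Trace]) -> None:
        for trace in traces:
            self.chains.add(self._key(trace))

    def allows(self, trace: Trace) -> bool:
        key = self._key(trace)
        return any(chain[: len(key)] == key for chain in self.chains)


# Constructed "normal" behaviour of a worker thread in a hypothetical service:
# accept a connection, read a request, spool it to a temp file, exit.
WORKER: Trace = [
    ("CreateThread", ("worker",)),
    ("accept", ("listen_sock",)),
    ("recv", ("client_sock", "4096")),
    ("CreateFile", ("C:\\svc\\spool\\req.tmp", "GENERIC_WRITE")),
    ("WriteFile", ("C:\\svc\\spool\\req.tmp",)),
    ("ExitThread", ()),
]

# A second learned chain: a housekeeping thread that only appends to a log.
LOGGER: Trace = [
    ("CreateThread", ("logger",)),
    ("CreateFile", ("C:\\svc\\logs\\svc.log", "FILE_APPEND_DATA")),
    ("WriteFile", ("C:\\svc\\logs\\svc.log",)),
    ("ExitThread", ()),
]

TRAINING: List[Trace] = [WORKER, LOGGER]

# What hooked imports would substitute: the same calls happen in the same
# order, only the arguments change.  Hypothetical attacker-chosen values.
OVERRIDES: Dict[str, Tuple[str, ...]] = {
    "recv": ("attacker_sock", "65536"),
    "CreateFile": ("C:\\svc\\payload.exe", "GENERIC_WRITE"),
    "WriteFile": ("C:\\svc\\payload.exe",),
}

# Naive shellcode that calls the same APIs in a new order is what the model
# is built to catch: recv before accept was never seen in training.
REORDERED: Trace = [WORKER[0], WORKER[2], WORKER[1]] + WORKER[3:]


def hook_arguments(trace: Trace, overrides: Dict[str, Tuple[str, ...]]) -> Trace:
    """Model the hooker shellcode: keep the chain, swap the arguments."""
    return [(name, overrides.get(name, args)) for name, args in trace]


def split_across_threads(model: ChainHIPS) -> bool:
    """The CreateThread angle: do the work in several threads, each running a
    chain (or prefix) the model already learned.  No single thread looks
    abnormal, even though the combination was never trained."""
    pieces = [WORKER[:3], LOGGER]          # accept+recv in one thread, file I/O in another
    return all(model.allows(piece) for piece in pieces)


def build_models() -> Tuple[ChainHIPS, ChainHIPS]:
    order_only = ChainHIPS(check_args=False)
    arg_aware = ChainHIPS(check_args=True)
    for model in (order_only, arg_aware):
        model.train(TRAINING)
    return order_only, arg_aware


def run_demo() -> Dict[str, bool]:
    """Every entry is True when the model behaves as the post predicts."""
    order_only, arg_aware = build_models()
    hooked = hook_arguments(WORKER, OVERRIDES)
    return {
        "legit_worker_allowed": order_only.allows(WORKER),
        "prefix_allowed": order_only.allows(WORKER[:3]),
        "reordered_blocked": not order_only.allows(REORDERED),
        "hooked_args_evade_order_only": order_only.allows(hooked),
        "split_threads_evade_order_only": split_across_threads(order_only),
        "hooked_args_caught_when_args_modelled": not arg_aware.allows(hooked),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The order-only model rejects the reordered chain, which is the case it was designed for, but accepts both the argument-swapped chain and the work split across threads, because neither changes any single thread's call sequence. Adding arguments to the model catches the first evasion here, but in practice that only moves the problem: the attacker still has the stack and memory of every thread, so the same hooking can rewrite whatever the model inspects.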
Current thread:
- Re: Graphing: Don't believe everything you see., (continued)
- Re: Graphing: Don't believe everything you see. Felix von Leitner (Feb 06)
- Re: Graphing: Don't believe everything you see. dan (Feb 07)
- Re: Graphing: Don't believe everything you see. Adam Shostack (Feb 07)
- Re: Graphing: Don't believe everything you see. Adam Shostack (Feb 08)
- Re: Graphing: Don't believe everything you see. Douglas F. Calvert (Feb 09)
- Re: Graphing: Don't believe everything you see. dan (Feb 07)
- Re: Graphing: Don't believe everything you see. Felix von Leitner (Feb 06)
- Re: Graphing: Don't believe everything you see. Robert E. Lee (Feb 07)
- Re: Graphing: Don't believe everything you see. jf (Feb 07)
- Re: Graphing: Don't believe everything you see. LMH (Feb 07)
- Re: Graphing: Don't believe everything you see. Dave Aitel (Feb 09)
- Re: Graphing: Don't believe everything you see. Ed Ray (Feb 12)