Full Disclosure mailing list archives

sandboxing


From: silvio () big net au (silvio () big net au)
Date: Sun, 15 Sep 2002 17:43:52 -0700

On Sun, Sep 15, 2002 at 08:31:21PM -0400, Michal Zalewski wrote:

So far, the general approach many people have chosen for *nix
anti-debugging is to simply "go nowhere" when a debugger is detected -
crash, exit, trash the debugger - making it apparent there's an
anti-debugging routine. If such code was well-hidden and would decide
about calling some obscure, self-modifying subroutine, perhaps not even
contained within the binary itself, I wonder how many people would miss
it. It is the author's courtesy to let you know there's an anti-debugging
code that detected your debugger / tracer, period. Don't take it for
granted ;>

-- 
m


heh.. great email btw :)

I remember I was analysing a linux binary once.. I was sort of in a rush,
and I didn't want to spend any time on it unless I thought it was worth
it.

so I simply disassembled part of the binary, looked at all the syscalls to
see if it was network aware in some way.. well.. no syscalls involving
socketcall etc (erk), so I let it lie for a few days..

well.. someone said to me at that time, "yes. i'm seeing network connections
here!".. so I figure.. ok. maybe I should just look at it a bit closer,
and not assume it's your typical "evil" binary..

silly me.. there was extra code appended near the end of the binary, which
_was_ network aware :(  I had simply ignored looking over the entire binary
for possible code, because I was busy with other things (analysing
binaries is not my profession!), and looked at the standard place being
used today for inserting code/data.

yes.. a 2-minute tool can automate this process to find unaccounted-for
bits in binaries, and help analysis a lot more in terms of parasite
code etc.. one day I need to get organized ;-)

it sorta pissed me off though.. I thought I was getting ok at the reverse
engineering thing before that happened ;-)

--
Silvio
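The "2-minute tool" Silvio describes above, as an added example that is not part of the original post and not Silvio's own code: it walks an ELF64 file's headers, marks every byte range the file format accounts for (the ELF header, the program/section header tables, each segment's file-backed bytes, each non-NOBITS section), and reports whatever is left over, which is where appended parasite code ends up. It assumes ELF64 only, uses a constructed sample binary embedded inline (a single PT_LOAD segment and no section table) rather than a real file, and the syscall count is only a coarse byte-pattern heuristic for x86-64 `syscall` (0f 05), which can hit data or the middle of other instructions.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # section occupies no file bytes (e.g. .bss)


def covered_ranges(data):
    """Return (offset, size) file ranges that the ELF64 headers account for."""
    if data[:4] != ELF_MAGIC or data[4] != 2:  # EI_CLASS == ELFCLASS64
        raise ValueError("not an ELF64 file")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    e_phoff, e_shoff = struct.unpack_from(endian + "QQ", data, 32)
    e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from(
        endian + "HHHHH", data, 52)
    covered = [(0, e_ehsize)]
    if e_phnum:
        covered.append((e_phoff, e_phentsize * e_phnum))
    if e_shnum:
        covered.append((e_shoff, e_shentsize * e_shnum))
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        _, _, p_offset, _, _, p_filesz = struct.unpack_from(
            endian + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_filesz:
            covered.append((p_offset, p_filesz))
    for i in range(e_shnum):
        # Elf64_Shdr: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
        _, sh_type, _, _, sh_offset, sh_size = struct.unpack_from(
            endian + "IIQQQQ", data, e_shoff + i * e_shentsize)
        if sh_type != SHT_NOBITS and sh_size:
            covered.append((sh_offset, sh_size))
    return covered


def unaccounted_ranges(data):
    """Return [(start, end)) byte ranges of the file no header claims."""
    gaps, pos = [], 0
    for start, size in sorted(covered_ranges(data)):
        if start > pos:
            gaps.append((pos, start))
        pos = max(pos, start + size)
    if pos < len(data):
        gaps.append((pos, len(data)))  # trailing bytes: the classic append spot
    return gaps


def count_syscall_insns(data, lo, hi):
    """Heuristic: occurrences of the x86-64 'syscall' opcode (0f 05) in [lo, hi)."""
    return data[lo:hi].count(b"\x0f\x05")


# Constructed sample: mov eax,41 (socket) ; syscall, padded with nops.
PARASITE = b"\x90\x90\xb8\x29\x00\x00\x00\x0f\x05"


def build_sample_elf(parasite=b""):
    """Constructed ELF64/x86-64: header + one PT_LOAD phdr + exit(0) stub + optional appended bytes."""
    code = b"\x48\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05"  # xor rdi,rdi; mov eax,60; syscall
    phoff, code_off = 64, 64 + 56
    filesz = code_off + len(code)
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000 + code_off,
                        phoff, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, filesz, filesz, 0x1000)
    return ehdr + phdr + code + parasite


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(PARASITE)
    for lo, hi in unaccounted_ranges(blob):
        print("unaccounted bytes [0x%x, 0x%x): %d bytes, %d syscall-looking sequences"
              % (lo, hi, hi - lo, count_syscall_insns(blob, lo, hi)))
```

Run it against a real file with `python3 elfgaps.py /path/to/binary`; a clean toolchain-built ELF typically shows only small alignment padding between sections, so a large trailing gap containing syscall-looking bytes is exactly the kind of region worth disassembling before declaring the binary harmless.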
