Dailydave mailing list archives

RE: We have met the enemy, and the enemy is ... you.


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Mon, 10 Apr 2006 14:13:57 -0400

Speaking of HIDS systems... Has anybody looked
at SolidCore? It's not for end users. It's more
for appliances that have everything installed
during manufacturing. ISS recently decided
to use it for their security appliances...

The main idea behind SolidCore is API
scrambling, which is done during the
"solidification" process, at which point
the system has all of its components
installed. It modifies library APIs
(changing system call numbers and/or
changing function names, etc.) and
then modifies the programs that use
those library APIs, so they are calling
the scrambled library APIs instead
of the standard ones. The scrambling
seems to be different on each system
on which the "solidification" process is performed.

This whole API scrambling is supposed
to prevent shellcode from running,
because it uses the original standard
API calls, which would make it fail.

I found a couple of cases where this
protection mechanism could be bypassed
and one way in which shellcode would still
execute even with those scrambled function
names/numbers.

Has anybody else looked into this HIDS
and found ways to bypass its protection?

K
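A constructed toy model of the per-system syscall-number scrambling the post describes, added here as an illustration; it is not SolidCore's code, and the syscall names, numbers and the 1000-1999 scrambled range are made up for the demo. It shows the two halves of the scheme, rewriting installed programs at solidification time and a dispatcher that fails closed on standard numbers, so that a program rewritten on this system runs while unsolidified code using the standard numbering is rejected at its first call.

```python
import random
import secrets

# Constructed stand-in for a standard syscall ABI; names and numbers are made up.
STANDARD_TABLE = {"write": 1, "open": 2, "execve": 11, "exit": 60}


def solidify(table, rng=None):
    """Build this system's scrambled numbering: a bijection from each
    standard number onto a fresh number drawn from a range disjoint from
    the standard ABI, so a standard number is never valid by accident.
    rng defaults to the system CSPRNG; pass random.Random(seed) to reproduce."""
    rng = rng or secrets.SystemRandom()
    names = list(table)
    fresh = rng.sample(range(1000, 2000), k=len(names))
    return {table[name]: num for name, num in zip(names, fresh)}


def rewrite_program(program, remap):
    """Rewrite an installed program's syscall numbers at solidification
    time. Programs are modelled as (syscall_number, args) tuples."""
    return [(remap[num], args) for num, args in program]


class ScrambledDispatcher:
    """Kernel-side model: dispatch only numbers from the scrambled set and
    fail closed on anything else, which is the property that stops code
    compiled against the standard numbering."""

    def __init__(self, remap):
        self.valid = set(remap.values())
        self.rejected = []  # (number, args) of calls refused, for auditing

    def run(self, program):
        """Return (calls executed, completed?) for one program."""
        done = 0
        for num, args in program:
            if num not in self.valid:
                self.rejected.append((num, args))
                return done, False
            done += 1
        return done, True


def demo(seed=None):
    """Solidify a constructed installed program, then run it alongside the
    same program left unsolidified (still using standard numbers)."""
    rng = random.Random(seed) if seed is not None else None
    remap = solidify(STANDARD_TABLE, rng)
    installed = [(1, ("hello",)), (60, (0,))]  # write, exit
    kernel = ScrambledDispatcher(remap)
    return kernel.run(rewrite_program(installed, remap)), kernel.run(installed)
```

The second result in `demo()` is `(0, False)`: the unsolidified copy is refused at its first standard-numbered call, which is the behaviour the post attributes to the scheme.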
