Dailydave mailing list archives
Re: Nitin Kumar & Vipin Kumar: "please remember to give, necessary credit to the authors" PKB.
From: "listuser () nvlabs in" <listuser () nvlabs in>
Date: Sat, 28 Apr 2007 15:42:21 +0530
Hi, here are the answers and other stuff. Also, I have added some other info. As far as your question about vbootkit using the code goes, the code might have come from the following virus: http://vx.netlux.org/vl.php (use the link, click on the "Virus" directory, then click on "Boot-DOS", then click on Virus.Boot-DOS.QPHS.2931). You would find similar pieces of code. If that doesn't satisfy you, click on almost any one of the viruses. If that virus hooks int 13, you would see almost 70% resemblance, otherwise you will see around 30% resemblance. The resemblance will only be seen in the initial 30-40, maybe 60 bytes of code. This is because initially everyone, viruses, boot-loaders, all have to set up stacks, copy themselves and so on (maybe hook interrupts). These are some basic procedures and will be found in even future boot loaders etc. For example, other names are Virus.boot.Xboot (this will be found in the "Boot" directory instead of "Boot-DOS") and the list will go on. This is because almost all boot viruses function the same way, and that's by hooking MBR, loading the original MBR and so on, taking control right from boot and so on. Also, one more thing: as someone pointed out a few months ago, bootkit code has resemblance with Linux MBR code (and Linux was written years ago).

Dave Korn wrote:
> On 27 April 2007 07:56, Vipin Kumar wrote:
>> First of all, let me introduce myself. I am one of the vbootkit authors.
>
> That is the question up for debate!
>
>> VBOOTKIT source code was NEVER released !!!!! Then how can someone compare it ????
>
> Please see my second post; I mistook your earlier bootkit for the one being referred to. However, I can tell that your new code is very very similar to your old code. This is evident from the fact that we have seen several versions of your code with gradual evolution from one to the next, and that the new (Vista) version of your code does exactly the same things as the old one. The new kit is nothing more than a port to Vista.
Really !!! What about the altogether different structure of the boot process? It ain't similar by any means.
>> This comment was done by him, after proofs were delivered to him.
>
> Yep, and you left out the rest of the quote, didn't you? To anyone who hasn't followed the link: the thread clearly began with someone doubting that Vipin and Nitin had any rootkit at all. The post in question shows Derek admitting that it does at least exist (since they had produced the code) and going on to show (as my first post did) how it was plagiarized, line-by-line.
>> As far as (Dave Korn's) comment goes, "I wondered what was so special about this that wasn't already demonstrated by Derek and Ryan from eEye two years ago." Here are the points:
>>
>> 1) Vista was not released 2 years back.
>
> Big deal. Us software engineers call that "Porting an existing program". That's not demonstrating anything new. That's not "special".
>
>> 2) Haven't you heard about the whole new Vista boot process and the different protections implemented (there was no security in previous versions)? In previous versions, the ntldr did everything, but in the case of Vista there is boot manager, windows loader etc.
>
> You haven't bypassed the *real* security in Vista, which is the TPM/Bitlocker. Instead, what you have done is the same kind of thing as Greg Hoglund did eight years ago (http://www.phrack.org/archives/55/P55-05) (and what computer game hackers have been doing since the days of the Spectrum and C64): you bypassed a security check by changing the sense of a branch. Trivial.
TPM is not only Vista-based stuff, it's for other OSes too. Breaking TPM would imply an attack not only on Windows Bitlocker but also on Linux Enforcer and so on.
> So, the clever bit - starting at a boot sector and leveraging your way up through the various loaders and the transition into 32-bit mode - you took from Derek and Ryan's code, and then you just plugged your own payloads into a couple of places. This is what even patent examiners call "obvious": plugging together a bunch of pre-existing components.
>> Also, 1 more question (for Dave Korn): can you suggest any more methods except hooking INT 13 to capture disk requests at such a level ??
>
> First off, that's not the issue. There are many many ways to write code to perform any given task. The odds of choosing the exact same instructions in every case? Vanishingly small. You've got four registers that are pretty much equal (except for using cx as a loop counter) - the odds of choosing the same registers in every single instruction? One in (four to the power of the number of single-register insns) times (eight to the power of the number of two-register insns). We're in the astronomical realm here.

It's just the programming style; even if you check the loops later on, you will find similar sets.
> Oh, and yes, I can suggest other ways. You could hook int 10h, for example, and seize control at some point when the loader prints to the textmode screen during startup. You could hook int 16h, and seize control in the boot menu, when it tests if the user has pressed F8. A good coder would never claim anything so ridiculous as that there's only one possible way to do it, but you /have/ to make this untenable claim, in order to try and back your other untenable claim.
In the above lines, I was talking only about hooking disk requests by other techniques, not about int 10 or 9 or 15. Still, my question is: do you know any more methods to hook disk requests ?????? Or is INT 13 the only method to do it (at least at this level) !!!! I am anxiously waiting for other methods !!!!
>> I think this will clear the stand.
>
> Not by a million miles it doesn't:-
>
> 1. ***** Explain why there are IDA pro labels in your source. *****
The IDA label is there because of laziness. Instead of writing a new label, I just copied the label already written (of course from IDA), since it was not useful later on. This was only used for debugging purposes: since VMware doesn't provide register values when we suspend the machine, if we place register values in memory they can be accessed via the file. As you can see, the variables are never used to do anything else. Also, I forgot to remove it later on.
> 2. Explain the purpose of this instruction sequence:
>
>     sti
>     mov ax,0x201
>     mov cl,0x2
>     cdq
>     cli
Here's the technical stuff:

    sti           enable interrupts
    mov ax,0x201  mov 0x201 in ax
    mov cl,0x2    set 2 in cl
    cdq           clear edx
    cli           enable interrupts

Let me explain why it's used (otherwise you will be saying that I wanted why it was used): to read disk, ah should contain 02, al contains the number of sectors, cl contains the sector number to start from. It's done to set registers just before calling int 13. Actually this stuff is being done to read the MBR. It can be optimized a bit but who cares !!! I think the facts are clear now.

Rgds,
vipin

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
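Both posters agree that boot viruses and bootkits alike take control by hooking INT 13h and carving out memory for themselves. The defender-side counterpart is the classic anti-virus check on a real-mode memory image, added here as an example and not code from either poster or project: read the INT 13h vector from the IVT, compare it with the ROM BIOS range, and compare the BIOS data area memory-size word with the expected 640 KiB. The memory-map constants are assumptions about a classic PC, and the two sample images are constructed.

```python
import struct

# Assumed classic PC real-mode map: option ROMs and system BIOS live in 0xC0000-0xFFFFF.
ROM_LO, ROM_HI = 0xC0000, 0xFFFFF
CONV_TOP = 0xA0000        # end of conventional memory
BDA_MEMSIZE = 0x413       # BIOS data area word 0040:0013, conventional memory in KiB
EXPECTED_KIB = 640


def ivt_vector(mem: bytes, n: int) -> tuple[int, int]:
    """Return (segment, offset) of interrupt vector n from the IVT at 0000:0000."""
    off, seg = struct.unpack_from("<HH", mem, n * 4)   # stored offset first, then segment
    return seg, off


def linear(seg: int, off: int) -> int:
    """Real-mode segment:offset to a 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def check_int13_hook(mem: bytes) -> list[str]:
    """Return findings about the INT 13h vector; an empty list means nothing suspicious."""
    findings = []
    seg, off = ivt_vector(mem, 0x13)
    addr = linear(seg, off)
    if not ROM_LO <= addr <= ROM_HI:
        findings.append(f"INT 13h vector {seg:04X}:{off:04X} (linear {addr:05X}) is outside ROM BIOS space")
    (kib,) = struct.unpack_from("<H", mem, BDA_MEMSIZE)
    if kib < EXPECTED_KIB:
        findings.append(f"BDA reports {kib} KiB, {EXPECTED_KIB - kib} KiB reserved above it")
        # A resident boot-sector hook typically sits in exactly that reserved block.
        if kib * 1024 <= addr < CONV_TOP:
            findings.append("INT 13h handler lives in the reserved block above the BDA memory size")
    return findings


def make_image(int13: tuple[int, int], mem_kib: int) -> bytearray:
    """Constructed 1 MiB real-mode image containing only the fields this check reads."""
    mem = bytearray(0x100000)
    struct.pack_into("<HH", mem, 0x13 * 4, int13[1], int13[0])
    struct.pack_into("<H", mem, BDA_MEMSIZE, mem_kib)
    return mem


# Constructed samples: BIOS handler in ROM with a full 640 KiB, versus a handler
# in 1 KiB carved off the top of conventional memory (the pattern the thread describes).
CLEAN = make_image((0xF000, 0xEC59), 640)
HOOKED = make_image((0x9FC0, 0x0000), 639)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("hooked", HOOKED)):
        print(name, check_int13_hook(img) or ["no findings"])
```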
Current thread:
- Re: Nitin Kumar & Vipin Kumar: "please remember to give, necessary credit to the authors" PKB. Vipin Kumar (Apr 27)
- Re: Nitin Kumar & Vipin Kumar: "please remember to give, necessary credit to the authors" PKB. listuser () nvlabs in (Apr 28)