Dailydave mailing list archives

Re: Nitin Kumar & Vipin Kumar: "please remember to give, necessary credit to the authors" PKB.


From: "listuser () nvlabs in" <listuser () nvlabs in>
Date: Sat, 28 Apr 2007 15:42:21 +0530

hi,
    here are the answers and other stuff.

also, I have added some other info.
As far as your question about vbootkit using the code, the code might
have come from the following virus:

http://vx.netlux.org/vl.php (use the link)
Click on the "Virus" directory, then click on "Boot-DOS", and then
click on Virus.Boot-DOS.QPHS.2931.
You would find similar pieces of code.



If that doesn't satisfy you, click on almost any one of the viruses.
If that virus hooks int 13, you would see almost 70% resemblance;
otherwise you will see around 30% resemblance.

The resemblance will only be seen in the initial 30-40, maybe 60 bytes of
code. This is because initially everyone (viruses, boot-loaders) has
to set up stacks, copy themselves and so on (maybe hook
interrupts). These are some basic procedures and will be found in even
future boot loaders etc.

For example, other names are Virus.boot.Xboot (this will be found in the
"Boot" directory instead of "Boot-DOS").

And the list will go on. This is because almost all boot viruses
function the same way, and that's by hooking the MBR, loading the original MBR
and so on, taking control right from boot and so on.

Also, one more thing: as someone pointed out a few months ago, the
bootkit code has a resemblance to the Linux MBR code (and Linux was
written years ago).




Dave Korn wrote:
On 27 April 2007 07:56, Vipin Kumar wrote:

First of all,
           let me introduce myself.
           I am one of the vbootkit authors.

  That is the question up for debate!

VBOOTKIT source code was NEVER released!!!!! Then how can someone
compare it????

  Please see my second post; I mistook your earlier bootkit for the one
being referred to.
  However, I can tell that your new code is very very similar to your old
code.  This is evident from the fact that we have seen several versions of
your code with gradual evolution from one to the next, and that the new
(Vista) version of your code does exactly the same things as the old
one.  The new kit is nothing more than a port to Vista.
Really!!! What about the altogether different structure of the boot
process? It ain't similar by any means.



 This comment was made by him, after proofs were delivered to him.

  Yep, and you left out the rest of the quote, didn't you?  To anyone who
hasn't followed the link:  the thread clearly began with someone doubting
that Vipin and Nitin had any rootkit at all.  The post in question shows
Derek admitting that it does at least exist (since they had produced the
code) and going on to show (as my first post did) how it was plagiarized,
line-by-line.

As far as (Dave Korn's) comment goes: "I wondered what was so special
about this that wasn't already demonstrated by Derek and Ryan from eEye
two years ago."

here are the points
  1) Vista was not released 2 years back.

  Big deal.  Us software engineers call that "Porting an existing
program".  That's not demonstrating anything new.  That's not "special".

  2) Haven't you heard about the whole new Vista boot process and the
different protections implemented (there was no security in previous
versions)? In previous versions, the ntldr did everything, but in the case of
Vista there is the boot manager, the Windows loader, etc.

  You haven't bypassed the *real* security in Vista, which is the
TPM/Bitlocker.  Instead, what you have done is the same kind of thing as
Greg Hoglund did eight years ago (http://www.phrack.org/archives/55/P55-05)
(and what computer game hackers have been doing since the days of the
Spectrum and C64): you bypassed a security check by changing the sense of
a branch.  Trivial.

TPM is not only a Vista-based thing; it's for other OSes too.
Breaking TPM would imply an attack not only on Windows Bitlocker but
also on Linux Enforcer and so on.



  So, the clever bit - starting at a boot sector and leveraging your
way up through the various loaders and the transition into 32-bit mode -
you took from Derek and Ryan's code, and then you just plugged your own
payloads into a couple of places.  This is what even patent examiners
call "obvious": plugging together a bunch of pre-existing components.

 Also, one more question (for Dave Korn):
 can you suggest any more methods, except hooking INT 13, to capture
disk requests at such a level??

  First off, that's not the issue.  There are many many ways to write
code to perform any given task.  The odds of choosing the exact same
instructions in every case?  Vanishingly small.  You've got four
registers that are pretty much equal (except for using cx as a loop
counter) - the odds of choosing the same registers in every single
instruction?  One in (four to the power of the number of single
register-insns) times (eight to the power of the number of two-register
insns).  We're in the astronomical realm here.

It's just the programming style; even if you check the loops later on,
you will find similar sets.

  Oh, and yes, I can suggest other ways.  You could hook int 10h, for
example, and seize control at some point when the loader prints to the
textmode screen during startup.  You could hook int 16h, and seize
control in the boot menu, when it tests if the user has pressed F8.  A
good coder would never claim anything so ridiculous as that there's only
one possible way to do it, but you /have/ to make this untenable claim,
in order to try and back your other untenable claim.

In the above lines, I was talking only about hooking disk requests by
other techniques, not about int 10 or 9 or 15s.
Still, my question stands: do you know any more methods to hook disk
requests?????? Or is INT 13 the only method to do it (at least at this
level)!!!!   I am anxiously waiting for other methods!!!!

 I think this will clear the stand.

  Not by a million miles it doesn't:-

1.  ***** Explain why there are IDA pro labels in your source. *****

The IDA label is there because of laziness. Instead of writing a new
label, I just copied the label already written (of course from IDA). Since
it was of no use later on, this was only used for debugging purposes:
since VMware doesn't provide register values when we suspend the
machine, if we place a register value in memory it can be accessed via the
file. As you can see, the variables are never used to do anything else.
Also, I forgot to remove it later on.


2.  Explain the purpose of this instruction sequence:
        sti
        mov ax,0x201
        mov cl,0x2
        cdq
        cli

Here's the technical stuff:
enable interrupts
mov 0x201 in ax
set 2 in cl
clear edx
cli enable interrupts

Let me explain why it's used (otherwise you will be saying that I
wanted to know why it was used).

To read the disk, AH should contain 02, AL contains the number of sectors,
and CL contains the sector number to start from.

It's done to set the registers just before calling int 13. Actually, this
stuff is being done to read the MBR. It can be optimized a bit, but who cares!!!


I think the facts are clear now.

rgds,
vipin
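The exchange above turns on what the five-instruction sequence leaves in the registers before an INT 13h call. The following decoder is an added example for this thread; it is not code from vbootkit, from the quoted viruses, or from any participant. It steps the quoted instructions on a tiny register model and then splits AX/CX/DX into the INT 13h AH=02h/03h CHS fields, so an analyst reading a boot-sector disassembly can check exactly which drive and sector a given register state addresses. The initial register contents (the upper half of EAX, CH, the interrupt flag) and the disk geometry used for the CHS-to-LBA conversion are assumptions, since the snippet sets none of them. The function and field names are ours.

```python
"""Decode the register set of a BIOS INT 13h CHS read/write call.

Added example; not code from the bootkit or any mailing-list participant.
It models only the register conventions discussed in the thread (AH =
function, AL = sector count, CL = sector number, plus the CH/DH/DL fields
of the same call).
"""

# Only the two CHS transfer functions are decoded here (assumption: that is
# all an analyst of this snippet needs; AH=42h extended reads use a DAP).
INT13_FUNCS = {0x02: "read sectors", 0x03: "write sectors"}


def decode_int13_chs(ax: int, cx: int, dx: int) -> dict:
    """Split AX/CX/DX into the INT 13h AH=02h/03h CHS fields.

    CHS packing (the part that is easy to misread in a disassembly):
      CL bits 0-5  = 1-based sector number
      CL bits 6-7  = cylinder bits 8-9
      CH           = cylinder bits 0-7
      DH           = head, DL = drive (bit 7 set means hard disk)
    """
    ah, al = (ax >> 8) & 0xFF, ax & 0xFF
    ch, cl = (cx >> 8) & 0xFF, cx & 0xFF
    dh, dl = (dx >> 8) & 0xFF, dx & 0xFF
    if ah not in INT13_FUNCS:
        raise ValueError(f"AH=0x{ah:02x} is not a CHS read/write function")
    sector = cl & 0x3F
    if sector == 0:
        raise ValueError("CHS sector numbers start at 1; CL & 0x3F == 0 is invalid")
    return {
        "function": INT13_FUNCS[ah],
        "count": al,
        "cylinder": ch | ((cl & 0xC0) << 2),
        "head": dh,
        "sector": sector,
        "drive": dl,
        "drive_kind": "hard disk" if dl & 0x80 else "floppy",
    }


def chs_to_lba(cylinder: int, head: int, sector: int,
               heads: int = 16, sectors_per_track: int = 63) -> int:
    """Standard CHS -> LBA formula; the geometry is an assumed default."""
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def run_quoted_sequence(eax: int = 0, ecx: int = 0, edx: int = 0) -> dict:
    """Step the quoted sequence on a minimal register model.

    The starting values are parameters because the snippet does not set
    the upper half of EAX, CH, or the interrupt flag (assumption: zero).
    """
    IF = 1                                        # sti: set interrupt flag
    eax = (eax & 0xFFFF0000) | 0x0201             # mov ax,0x201 (upper 16 bits untouched)
    ecx = (ecx & 0xFFFFFF00) | 0x02               # mov cl,0x2 (CH untouched)
    edx = 0xFFFFFFFF if eax & 0x80000000 else 0   # cdq: sign-extend EAX into EDX
    IF = 0                                        # cli: clear interrupt flag
    return {"eax": eax, "ecx": ecx, "edx": edx, "IF": IF}


def describe_quoted_sequence(**initial) -> dict:
    """Run the sequence, then decode what the resulting INT 13h call would address."""
    regs = run_quoted_sequence(**initial)
    fields = decode_int13_chs(regs["eax"] & 0xFFFF,
                              regs["ecx"] & 0xFFFF,
                              regs["edx"] & 0xFFFF)
    fields["lba"] = chs_to_lba(fields["cylinder"], fields["head"], fields["sector"])
    fields["interrupts_enabled"] = bool(regs["IF"])
    return fields


if __name__ == "__main__":
    for k, v in describe_quoted_sequence().items():
        print(f"{k:20} {v}")
```

Two details the model makes visible: `cdq` only zeroes EDX when bit 31 of EAX is clear, so the drive and head bytes depend on what the upper half of EAX held before `mov ax,0x201`; and CHS sector numbers are 1-based, so with CH and DX at zero the decoded call reads one sector at cylinder 0, head 0, sector 2 (LBA 1) of drive 0, the sector after the first one on that drive. The model also treats `cli` as clearing the interrupt flag, which is what the instruction does.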



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

