Dailydave mailing list archives

Annoyances


From: Dave Aitel <dave () immunityinc com>
Date: Mon, 15 Sep 2008 08:30:38 -0400


You know what would be annoying? If every fifteen seconds a random VM 
was suspended just long enough to get a memory snapshot and then that 
snapshot was analyzed for CANVAS-style shellcode in every process. It's 
not hard to do now that the APIs are all opening up. Even a simple 
"This thread is running from the heap and is not Java" would work. At 
that point the shellcode will have to jump into unused space in a DLL 
and then we all get to play statistical matching games to say "This 
function does not look like Visual Studio compiled it, unlike the rest 
of the DLL".

Anyways, there's a lot of cool stuff you can do from the hypervisor. 
Probably the stuff VMWare and Microsoft and Xen don't want to talk about 
involved breaking DRM, writing invisible email-sniffing programs that 
hook Exchange's new email function, or other fun stuff. Just being able 
to get a clean copy of memory is cool, since you don't get one with a 
little daemon installed on the server (since memory changes as you copy it).

-dave

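One way to implement the "this thread is running from the heap and is not Java" check over a suspended-VM memory snapshot, as an added example that is not part of Dave's post or of any Immunity tool; the region and thread records are constructed stand-ins for what a hypervisor introspection API would hand back, and the JIT allow-list is an assumption:

```python
from dataclasses import dataclass


@dataclass
class Region:
    """One mapping from a paused VM's memory snapshot (constructed data)."""
    base: int
    size: int
    image_path: "str | None"  # backing file for a loaded image, None for heap/anonymous


@dataclass
class Thread:
    pid: int
    tid: int
    process: str
    rip: int  # instruction pointer captured while the VM was suspended


# Processes expected to run code from non-image memory (JIT). Assumed list.
JIT_ALLOWLIST = {"java.exe", "javaw.exe"}


def region_for(addr, regions):
    return next((r for r in regions if r.base <= addr < r.base + r.size), None)


def suspicious_threads(regions_by_pid, threads):
    """Flag threads whose RIP is not inside an image-backed mapping."""
    findings = []
    for t in threads:
        r = region_for(t.rip, regions_by_pid.get(t.pid, []))
        if r is None:
            findings.append((t.pid, t.tid, "rip in unmapped memory"))
        elif r.image_path is None and t.process.lower() not in JIT_ALLOWLIST:
            findings.append((t.pid, t.tid, "executing from heap/anonymous memory"))
    return findings


# Constructed snapshot: svchost has a thread running on a heap page, java
# legitimately JITs, and notepad's thread points into unmapped space.
REGIONS = {
    100: [Region(0x7FF800000000, 0x100000, "ntdll.dll"),
          Region(0x1A0000, 0x10000, None)],
    200: [Region(0x2B0000, 0x20000, None)],
    300: [Region(0x7FF800000000, 0x100000, "ntdll.dll")],
}
THREADS = [Thread(100, 1, "svchost.exe", 0x7FF800001234),
           Thread(100, 2, "svchost.exe", 0x1A0500),
           Thread(200, 3, "java.exe", 0x2B1000),
           Thread(300, 4, "notepad.exe", 0xDEADBEEF)]


def demo():
    return suspicious_threads(REGIONS, THREADS)
```

The second stage Dave describes, shellcode relocated into slack space of a legitimately mapped DLL, slips past this check by design; catching it needs the on-disk image compared against the in-memory copy, which is the "statistical matching" he mentions.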

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave