March 2015 – Life In Hex

The malware arms race

2015-03-312015-03-31 kao

Today's Slashdot features a very nice question:

We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them.
...
My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win?
...

In the comments you'll see a lot of libertarian psychobabble about how NSA/CIA/{whatever-3-letter-organization} caused this, how you are going to surrender your fundamental rights to a few corporations who pretend to protect you, how everything sucks and will suck even more in the future.

Well, that IS Slashdot, afterall.

But this comment made my day so much better:

Have fun and keep your schlongs safe!

.NET, ScyllaHide and HEAP_CREATE_ENABLE_EXECUTE

2015-03-23 kao

While doing some research on ILProtector, I loaded my test executable in Olly. To much of my surprise, it refused to run and all I could see in Olly log, was this:

Log data
Address    Message
           OllyDbg v1.10
           Command line: test.exe

           Console file 'C:\test.exe'
           ODbgScript v1.82.6 i686 VC2008 WDK7.1 CRT/STL60
             http://odbgscript.sf.net
           ScyllaHide Plugin v1.3
             Copyright (C) 2014 Aguila / cypher
           Hooked Olly Breakpoints handler for TLS at 0x2F918
           New process with ID 00002E2C created
00FC404E   Main thread with ID 00002754 created
           [ScyllaHide] Reading NT API Information C:\Tools\Olly\Plugins\NtApiCollection.ini
           [ScyllaHide] Hook Injection successful, Imagebase 00030000
00FC0000   Module C:\test.exe
             CRC changed, discarding .udd data
748C0000   Module C:\Windows\SYSTEM32\MSCOREE.DLL
             CRC changed, discarding .udd data
76070000   Module C:\Windows\syswow64\KERNEL32.dll
76180000   Module C:\Windows\syswow64\KERNELBASE.dll
             CRC changed, discarding .udd data
77100000   Module C:\Windows\SysWOW64\ntdll.dll
             CRC changed, discarding .udd data
771A103B   System startup breakpoint
76650000   Module C:\Windows\syswow64\ADVAPI32.dll
             CRC changed, discarding .udd data

...

5B820000   Module C:\Protect32.dll
             CRC changed, discarding .udd data
76840000   Module C:\Windows\syswow64\OLEAUT32.dll
             CRC changed, discarding .udd data
008B5BFF   Access violation when executing [008B5BFF]
7618C42D   Exception E0434F4D
7618C42D   Exception E06D7363
7618C42D   Exception E0434F4D
           Debugged program was unable to process exception

Something smells fishy! 😉

I disabled all non-standard plugins, and I was still getting the exception. It was only after I removed the remaining 2 plugins (ScyllaHide and ODBGScript) that my test application launched. Few more restarts and I was sure that ScyllaHide is the one causing the trouble.

OK, I've found a bug in ScyllaHide. But where is it? Which option is causing it? And how can I fix it?

Unfortunately, there is no easy way. Just go through one option after another, until you trigger the bug. 10 minutes and 100 rude words later I was sure that "HeapFlags" is the culprit.

A side note from Captain Obvious

If you're seeing access violation in Olly and want to know where it's happening, make sure you uncheck Ignore Memory access violation in Debugging Options:

and then run your target:

Here we can see that there is a real code at this address - small stub calling mscorwks.dll and that the call comes from ILProtector's protect32.dll.

It immediately gives you plenty of useful information about what's happening. Unfortunately I debugged one instance of Olly from another instance of Olly - got the same results but it took me much longer.

Meet HEAP_CREATE_ENABLE_EXECUTE

It turns out that .NET Runtime Execution Engine (mscoreei.dll) loves to put executable code on heap:

.text:1000A424 ; int __stdcall DllMainProcessAttach()
.text:1000A424 ?DllMainProcessAttach@@YGHXZ proc near  ; CODE XREF: DllMain(x,x,x):loc_1000A6B4p

...

.text:1000A591   push    ebx             ; dwMaximumSize
.text:1000A592   push    ebx             ; dwInitialSize
.text:1000A593   push    HEAP_CREATE_ENABLE_EXECUTE ; flOptions
.text:1000A598   call    ds:__imp__HeapCreate@12 ; HeapCreate(x,x,x)
.text:1000A59E   mov     ?g_ExecutableHeapHandle@@3PAXA, eax ; void * g_ExecutableHeapHandle
...

but ScyllaHide prefers to mark all heaps as non-executable:

if (ReadProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0))
{
  heapFlags &= HEAP_GROWABLE;
  WriteProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0);
}

and these 2 options kinda conflict with each other. 🙂

Workaround & fix

This small bug can be used to detect ScyllaHide, as it's enabled by default in all configurations, and tooltip explicitly suggests to leave it as-is:

Very important option, a lot of protectors check for this value.

Here is a suggested patch:

if (ReadProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0))
{
  heapFlags &= (HEAP_GROWABLE | HEAP_CREATE_ENABLE_EXECUTE) ;
  WriteProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0);
}

If you don't want to recompile the entire Scylla, here's the binary patch for the official ScyllaHideOlly1.dll from ScyllaHide_v1.3fix_Olly1.rar package:

00005A0B: 85 81
00005A0C: C0 65
00005A0D: 74 FC
00005A0E: 14 02
00005A0F: 83 00
00005A10: 65 04
00005A11: FC 00
00005A12: 02 90

As a simple workaround, you could uncheck "HeapFlags" in ScyllaHide when debugging .NET applications. However, I would really suggest to fix ScyllaHide instead.

Have fun and keep it safe!

Fighting comment spam

2015-03-162015-03-16 kao

When I started this blog, I was aware that comment spam exists. What I didn't know, is how common it really is. 🙂

Current statistics are:

Comment type	Count	%
Spam	39	56
Normal	29	41
Trashed	2	3
Total	70	100

What can be done?

WordPress has several anti-spam plugins. Some of the add captchas, some rely on JavaScript and others rely on continually updated blacklists for spammer IPs and/or keywords. I hate captchas, I respect users that use NoScript, and my webhost is running with allow_url_fopen = false which prevents automatic blacklist updates. Crap!

So, I'm left with a very few options, like blocking spammer IP address ranges using .htaccess file and mod_rewrite.

mod_rewrite magic

When you know what you're doing, mod_rewrite does wonders. When you don't, you might lock yourself out of web-admin interface. Trust me, it's not fun! 😉

In the very simplest form, we can block one IP address:
RewriteCond %{REMOTE_ADDR} ^(123\.456\.789\.666)$ RewriteRule (.*) - [F,L]

First line is a condition - if visitor comes from IP address 123.456.789.666, then apply the rule. Keep in mind that mod_rewrite is matching IP address against regexp, so do not forget backslashes! Otherwise you might accidentally block more than you wanted..

Second line is the rule - whatever URL it tries to access, send response "403 Forbidden". (.*) is a regexp matching anything¹. [F] forbids access and [L] stops any other rules from applying, making it the last rule.

It will work, but my webhost does not allow custom 403 pages. So, we can adjust the example a bit:
RewriteCond %{REMOTE_ADDR} ^(123\.456\.789\.666)$ RewriteCond %{REQUEST_URI} !/error.html$ RewriteRule (.*) /error.html [R=302,L]

Now there are 2 conditions, first is matching IP address, 2nd is checking if requested page is not error.html. Note that by default all conditions must match (logical "and").

Also, [R=302] is used to redirect users with Error 302 Found to error.html instead of sending Error 403 Forbidden.

It's better, but we need to block several IP blocks. That's easy too!
RewriteCond %{REMOTE_ADDR} ^123\.456\.789 [OR] RewriteCond %{REMOTE_ADDR} ^555\.666 RewriteCond %{REQUEST_URI} !/error.html$ RewriteRule (.*) /error.html [R=302,L]

Flags [OR] say we're checking if IP address begins with 123.456.789 or 555.666. Also, the regexp was changed to check only beginning of IP address, and ignore the rest.

That's it. Easy, right? 🙂

Identifying spammer-friendly IP blocks

I just went through my inbox and looked at the "Please moderate" emails:

Author : Adrienne (IP: 104.168.70.107 , 104-168-70-107-host.colocrossing.com)
E-mail : hekhwrjjrab@mail.com
URL : http://Adrienne
Whois : http://whois.domaintools.com/104.168.70.107
Comment:
Hi, my name is Adrienne and I am the sales manager at {Spammer Company}. I was just looking at your When software is good enough | Life In Hex website and see...

So, the offending IP address is 104.168.70.107.

DomainTools tells us it's owned by ColoCrossing, and how large the IP block is:
IP Location: United States United States Williamsville Proxy R Us.com ASN: United States AS36352 AS-COLOCROSSING - ColoCrossing (registered Dec 12, 2005) Resolve Host: 104-168-70-107-host.colocrossing.com Whois Server: whois.arin.net IP Address: 104.168.70.107 NetRange: 104.168.0.0 - 104.168.127.255
Going through other notification emails, I identified 2 more spammer-friendly proxy/vps services: AS15003 and Krypt. It covers almost all comment spam, the rest are residental IP addresses in China and Vietnam - most likely part of some botnet and not really worth blacklisting.

Putting it all together

Armed with basic knowledge about mod_rewrite and offending IP addresses, I put it all together:
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_URI} !/403.html$ RewriteCond %{REQUEST_URI} !/403.png$ RewriteCond %{REQUEST_URI} !/403.css$ RewriteCond %{REQUEST_URI} !/sad.png$ RewriteCond %{REMOTE_ADDR} ^23\.108\.170 [OR] RewriteCond %{REMOTE_ADDR} ^23\.94 [OR] RewriteCond %{REMOTE_ADDR} ^104\.168 [OR] RewriteCond %{REMOTE_ADDR} ^98\.126 RewriteRule (.*) /403.html [R=302,L] </IfModule>
So, anyone coming from those IP address blocks will get redirected to http://lifeinhex.com/403.html. Problem (hopefully) solved! 🙂

Footnotes

1. Actually, the pattern in the RewriteRule does not need to match the _whole_ URL, so you might encounter "$", "(.*)", "." and many more variations in these kinds of rules.

Miserable state of open source code

2015-03-11 kao

Yesterday I wanted to make a small API hook detector in C#. It has to parse PE file, find exported functions, read bytes from the beginning of function and then compare them with the bytes in process memory. Sounds simple, right?

Well, good luck finding a PE parser that actually works!

Looking for PE parser

Most of PE parsers stop at parsing DOS header, NT headers and section headers. But I needed something that would also parse export table for me. After a couple of Google searches I ended up with PEReader by DKorablin. From the first look it's decent and even has a demo application. What else could you want?

Hmmm, how about working correctly on really simple files? 😉

Sorry, nope.

It sure finds exported functions but it mismatches function names & RVAs. So, if you wanted to examine, say, CreateFileW, you will end up examining DeleteFileA. Or some other random API. Great job!

But it's opensource. Just fix it and submit a patch!

Umm, no. I was looking for a PE parser that I can take, load it in VS and use it. I don't want to spend days hunting down bugs and fixing them - this stops me from doing what I really want to do.

So, dear opensourcer, if you are publishing your code, make sure it actually works. If it doesn't work, please don't publish it at all - it's not helping anyone. Don't waste other people's time..

P.S. I ended up with using DNLib and writing my own PE export parsing. At least, I know it works properly..

Gigaom suspends operations

2015-03-10 kao

This day started with some sad news:

Gigaom recently became unable to pay its creditors in full at this time. As a result, the company is working with its creditors that have rights to all of the company’s assets as their collateral. All operations have ceased.

Gigaom is (was?) a very nice technology site. I liked it. And I'll certainly be sad to see it go. However, this failure proves something I've said for years, yet everyone else seemed to disagree:

If your web-based business depends on ad revenue, you're going to fail.

Sure, some stay at home moms can get few hundreds of bucks per month by blogging about the color of their baby poop. And some other stay at home moms will read this shit blog, looks at the ads, and possibly even click on Pimpers(tm) picture to buy some. Yes, that can work.

But you can't build a real business based on ad revenue.

Nobody loves ads

Face it - people hate ads. That's why people install adblockers. It's not because they hate you, the poor publisher. It's not because adblocker speeds up web page loading time. And it's certainly not because people need to save some traffic.

You can remind them nicely:

You can nag and deny access to your precious content, like ArsTechnica did in 2010, or lots of sites try to do today:

But no matter how hard you try, you can't make a long-term business based on ads.

R.I.P. GigaOm, I hope others will learn from your failure.

Improved static Enigma Virtual Box unpacker

2015-03-052017-12-18 kao

Last few weeks have been really hectic. I moved to a new apartment, so lots of time was spent on packing, unpacking, cleaning, and other non-computer related chores. Finally it's done, I got a great new place to live and I'm happy. 🙂

To relax and get back into shape, I spent an evening with one of my old projects - Enigma Virtual Box unpacker. I fixed few little bugs and added support for x64 executables.

Get it here: Please get latest version from this post

Month: March 2015