11 Mar 2015

Miserable state of open source code

Yesterday I wanted to make a small API hook detector in C#. It has to parse a PE file, find the exported functions, read the bytes at the beginning of each function and then compare them with the bytes in process memory. Sounds simple, right?

Well, good luck finding a PE parser that actually works!

Looking for PE parser

Most PE parsers stop at parsing the DOS header, NT headers and section headers. But I needed something that would also parse the export table for me. After a couple of Google searches I ended up with PEReader by DKorablin. At first glance it's decent and even has a demo application. What else could you want?

Hmmm, how about working correctly on really simple files?

Sorry, nope.

(Screenshot: results from PEReader and CFF)
It sure finds exported functions, but it mismatches function names and RVAs. So if you wanted to examine, say, CreateFileW, you would end up examining DeleteFileA, or some other random API. Great job!
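As an added example that is not the author's code (nor PEReader's or DNLib's), here is the export-table walk and the disk-versus-memory prologue comparison the post describes, written in Python rather than C# so it runs anywhere without a real DLL. It constructs a tiny PE32+ image in memory (the stubs, names and RVAs are made up), parses the export directory the correct way, name index to ordinal to address, shows the shortcut that skips the ordinal table and returns another function's RVA under the name you asked for, and then diffs each export's first bytes against a simulated process memory in which one function has been overwritten with a JMP. On a real system the read_memory callback would wrap ReadProcessMemory and the on-disk image would be the DLL the process actually loaded.

```python
import struct

# Constructed sample image (not a real DLL): one section with three stubs plus the export table
SEC_RVA, SEC_RAW, SEC_SIZE = 0x1000, 0x200, 0x200
STUBS = [b"\x48\x8b\xc1\xc3", b"\x33\xc0\xc3", b"\x40\x53\x48\x83\xec\x20\xc3"]  # ordinal order, constructed
NAMES = ["CreateFileW", "DeleteFileA", "ReadFile"]  # AddressOfNames is sorted by spec
ORDINALS = [2, 1, 0]                                # AddressOfNameOrdinals: name i -> ordinal

def build_sample_pe():
    """Minimal PE32+ whose name table is sorted but whose function table is not."""
    sec = bytearray(SEC_SIZE)
    for i, stub in enumerate(STUBS):               # stubs at section offsets 0x00/0x10/0x20
        sec[0x10 * i:0x10 * i + len(stub)] = stub
    strings, name_rvas, pos = bytearray(), [], 0x160
    for s in ["sample.dll"] + NAMES:               # DLL name first, then export names
        name_rvas.append(SEC_RVA + pos + len(strings))
        strings += s.encode() + b"\0"
    sec[pos:pos + len(strings)] = strings
    struct.pack_into("<3I", sec, 0x130, *(SEC_RVA + 0x10 * i for i in range(3)))  # AddressOfFunctions
    struct.pack_into("<3I", sec, 0x140, *name_rvas[1:])                          # AddressOfNames
    struct.pack_into("<3H", sec, 0x150, *ORDINALS)                               # AddressOfNameOrdinals
    # IMAGE_EXPORT_DIRECTORY at section offset 0x100: Base=1, 3 functions, 3 names
    struct.pack_into("<IIHHIIIIIII", sec, 0x100, 0, 0, 0, 0, name_rvas[0], 1, 3, 3,
                     SEC_RVA + 0x130, SEC_RVA + 0x140, SEC_RVA + 0x150)
    hdr = bytearray(SEC_RAW)
    hdr[:2], hdr[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # IMAGE_FILE_HEADER
    opt = 0x58                                                                # PE32+ optional header
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 108, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112, SEC_RVA + 0x100, 0x90)            # DataDirectory[0]: exports
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 240, b".text", SEC_SIZE, SEC_RVA,
                     SEC_SIZE, SEC_RAW, 0, 0, 0, 0, 0x60000020)               # section header
    return bytes(hdr + sec)

def parse_headers(data):
    """Return (sections, export_rva, export_size); each section is (vaddr, size, raw_offset)."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt = nt + 24
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    dd = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # PE32+ vs PE32
    export_rva, export_size = struct.unpack_from("<II", data, dd)                  # DataDirectory[0]
    sections = []
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))
    return sections, export_rva, export_size

def rva_to_offset(sections, rva):
    for vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def parse_exports(data, honour_ordinals=True):
    """names[i] -> ordinals[i] -> functions[ordinal] is the correct walk; honour_ordinals=False
    reproduces the names[i] -> functions[i] shortcut that hands you another export's address."""
    sections, export_rva, _ = parse_headers(data)
    ed = rva_to_offset(sections, export_rva)
    nfuncs, nnames, f_rva, n_rva, o_rva = struct.unpack_from("<5I", data, ed + 20)
    f_off, n_off, o_off = (rva_to_offset(sections, r) for r in (f_rva, n_rva, o_rva))
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, n_off + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, o_off + 2 * i)[0] if honour_ordinals else i
        if ordinal >= nfuncs:
            raise ValueError("ordinal out of range")
        func_rva = struct.unpack_from("<I", data, f_off + 4 * ordinal)[0]
        name_off = rva_to_offset(sections, name_rva)
        exports[data[name_off:data.index(b"\0", name_off)].decode("ascii")] = func_rva
    return exports

def find_inline_hooks(disk_image, read_memory, n=8):
    """Compare each export's first n bytes on disk with read_memory(rva, n) from the process.
    Forwarded exports (RVA inside the export directory) are strings, not code, so skip them."""
    sections, export_rva, export_size = parse_headers(disk_image)
    hooks = {}
    for name, rva in parse_exports(disk_image).items():
        if export_rva <= rva < export_rva + export_size:
            continue
        off = rva_to_offset(sections, rva)
        expected, actual = bytes(disk_image[off:off + n]), read_memory(rva, n)
        if expected != actual:
            hooks[name] = (expected, actual)
    return hooks

def simulate_hooked_process():
    """Constructed scenario: the image is mapped at its RVAs and CreateFileW's prologue patched."""
    disk = build_sample_pe()
    memory = bytearray(SEC_RVA + SEC_SIZE)
    memory[SEC_RVA:SEC_RVA + SEC_SIZE] = disk[SEC_RAW:SEC_RAW + SEC_SIZE]   # loader view of the section
    target = parse_exports(disk)["CreateFileW"]
    memory[target:target + 5] = b"\xE9\x00\x10\x00\x00"                   # near JMP rel32, constructed
    return find_inline_hooks(disk, lambda rva, n: bytes(memory[rva:rva + n]))
```

With the ordinal table honoured, parse_exports returns CreateFileW at 0x1020; with the shortcut it returns 0x1000, which is ReadFile's stub, exactly the kind of swap the screenshot above shows. Two caveats for the real thing: compare against the bytes the loader mapped, not the raw file, or any prologue that contains a relocated address will look hooked; and an 8-byte window only catches patches at the very entry of a function, so treat a clean result as "no entry hook" rather than "not hooked".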

But it's opensource. Just fix it and submit a patch!

Umm, no. I was looking for a PE parser that I can take, load in VS and use. I don't want to spend days hunting down bugs and fixing them - that stops me from doing what I really want to do.

So, dear opensourcer, if you are publishing your code, make sure it actually works. If it doesn't work, please don't publish it at all - it's not helping anyone. Don't waste other people's time.

P.S. I ended up using DNLib and writing my own PE export parsing. At least I know it works properly.

16 Feb 2015

Why you should not worry about HARES

Last week Wired published an article about HARES - Hardened Anti-Reverse Engineering System. The article is a really great example of what happens when some idiot starts writing about things he has no clue about.

I wanted to write a full-length post about it, but Errata Security beat me to it. So, please enjoy this great writeup instead. Thank you, guys!

So, can HARES be used in malware?

Wired article states that:

[HARES] could also mean the start of a new era of well-armored criminal or espionage malware that resists any attempt to determine its purpose, figure out who wrote it, or develop protections against it.

First, HARES requires a hypervisor. If an attacker had the ability to install a hypervisor on your system, you were screwed anyway. This also means that 99.999% of today's malware won't be able to take advantage of HARES.

Second, modern antimalware solutions do not need to analyze code. They can analyze the behavior of the process, monitor network connections, registry changes and file system changes - and that's enough for successful detection. HARES doesn't interfere with that.

You can go to sleep peacefully tonight, the world is still spinning and no magical malware is going to appear overnight.

Further reading

HARES FAQ
PDF: MoRE Shadow Walker: TLB-splitting on Modern x86
Youtube video: Virtualization: MoRE Shadow Walker The Progression of TLB Splitting on x86
PAGEEXEC and TLB Splitting

12 Feb 2015

Freeware scam artists. And some real morons.

If you spend any time playing with malware, or just downloading software, you've probably seen those kinds of scams.

Take some free software, wrap it in the Nullsoft Installer, add a few toolbars and "system optimizer" programs to the bundle, make the installation dialog as confusing as possible and collect a commission for each install.

It usually looks something like this (screenshot: uniblue):

The reason it works: people are stupid. They just click "Next", "Next", "Next", "Finish" and think it's gonna be alright. Sorry, grandma - you just made somebody a few bucks richer!

These types of installers are usually detected as Adware or PUAs (Potentially Unwanted Programs) by most antivirus companies. The criteria for detection are really simple - if your installation dialog is designed to confuse Average Farmer Joe, you should be detected. You may not hide the "Decline" button, you may not try to blend it into the background; it must be clearly visible and accessible.

And now look at Elementary OS

Having said that, just look at the new and improved download page for ElementaryOS - a freeware, open-source operating system (screenshot: elementaryos_download_dialog):
Can you see the free download button? Neither can I. Because it's not there!

You have to explicitly click on "$ Custom", enter "0" there, and then click "Download".

Huh? Come again, please?

Apparently, someone at Elementary OS thinks it's a great feature:

We’ve opted to present users with some easy one-button choices. Right now we have ambitious $10, $25, and $50 buttons along with a “Custom” button that lets you type anything—including $0.
...
We didn’t exclude a $0 button to deceive you; we believe our software really is worth something.

You, sir, are a fucking moron.