Wednesday, November 21, 2012

PUSHAD, an Interesting 286/386/486 Instruction


The old PUSH assembly instruction is part of the old culture of malware programmers. It is easy to see the PUSHAD instruction right at the beginning of the .TEXT or .CODE section, as in the Sality malware.

PUSHAD (opcode 60h, Push All Registers) puts all the register values (EAX, EBX, ECX, and so on) on the stack.

Getting the values back is easy and very intuitive: the POPAD instruction can be used.

So the code below can run:


PUSHAD          ; save EAX, ECX, EDX, EBX, ESP, EBP, ESI and EDI on the stack

MOV EAX, 5
MOV ECX, EAX
MOV EBX, 2
MOV EDX, EBX

POPAD           ; restore all of them, undoing the four MOVs above


Why use PUSHAD? Because the malware needs to be as small as possible, and every trick is used to achieve that.


The Sality malware code:


00401010  60               PUSHAD
00401011  E8 00000000      CALL min2.00401016
00401016  5B               POP EBX
00401017  0FAFC8           IMUL ECX,EAX
0040101A  46               INC ESI
0040101B  69CF E7FF0351    IMUL ECX,EDI,5103FFE7
00401021  FFC6             INC ESI
00401023  0FAFFE           IMUL EDI,ESI
00401026  68 7C060000      PUSH 67C
0040102B  0FBEF8           MOVSX EDI,AL
.
.
.
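As an added example (my code, not the blog's and not Sality's), the Python below models what PUSHAD and POPAD do to the stack, runs the four-MOV snippet from the post through that model, and flags the PUSHAD; CALL $+5; POP EBX get-EIP prologue that opens the listing. The register values are constructed and all function names are mine.

```python
# Added example (not the blog's code): models the stack effect of PUSHAD/POPAD and
# flags the "PUSHAD; CALL $+5; POP r32" get-EIP prologue seen in the Sality listing.
PUSH_ORDER = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # order PUSHAD pushes

def pushad(regs, stack):
    """Push the eight 32-bit registers; the ESP value pushed is the one before PUSHAD."""
    esp_before = regs["ESP"]
    for name in PUSH_ORDER:
        stack.append(esp_before if name == "ESP" else regs[name])
        regs["ESP"] -= 4

def popad(regs, stack):
    """Pop in reverse order; the saved ESP slot is skipped, as the CPU does."""
    for name in reversed(PUSH_ORDER):
        value = stack.pop()
        regs["ESP"] += 4
        if name != "ESP":
            regs[name] = value

def run_post_snippet():
    """The PUSHAD / MOV ... / POPAD sequence from the post; returns (final, original) registers."""
    regs = dict(EAX=1, ECX=2, EDX=3, EBX=4, ESP=0x1000, EBP=5, ESI=6, EDI=7)  # constructed values
    original, stack = dict(regs), []
    pushad(regs, stack)
    regs["EAX"] = 5                 # MOV EAX, 5
    regs["ECX"] = regs["EAX"]       # MOV ECX, EAX
    regs["EBX"] = 2                 # MOV EBX, 2
    regs["EDX"] = regs["EBX"]       # MOV EDX, EBX
    popad(regs, stack)              # every register is back to its original value
    return regs, original

POP_R32 = {0x58 + i: name for i, name in enumerate(PUSH_ORDER)}  # one-byte POP r32 opcodes

def getpc_prologue(code):
    """Return the register that receives the current address when code starts with
    PUSHAD (60h); CALL $+5 (E8 00000000); POP r32, or None when it does not."""
    if len(code) >= 7 and code[0] == 0x60 and code[1:6] == b"\xE8\x00\x00\x00\x00":
        return POP_R32.get(code[6])
    return None

# First five instructions transcribed from the listing in the post.
SALITY_ENTRY = bytes.fromhex("60 E800000000 5B 0FAFC8 46")
```

Because CALL $+5 pushes the return address and POP EBX immediately takes it, EBX holds the code's own load address afterwards, which is how position-independent infector code finds itself; that is the pattern the check looks for.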



Tuesday, October 23, 2012

Windows drivers and Windows 7/Vista

DbgPrint question!

When migrating drivers written on Windows XP to Windows 7 (or Vista), one more headache is DbgPrint: on Windows 7 the compiler changes DbgPrint to DbgPrintEx (which takes more parameters). The result is that no message shows up in DbgMon or in the debugger, because the extra parameters inserted into DbgPrintEx by that automatic change do not work.

How to fix this?


I have used the program SetDbgPrintFiltering.exe, and then you only need to enter:


Component level:
DEFAULT


Vista debug level:

255

This is enough to use DbgPrint (and see the printed string!) on Windows Vista or Windows 7.


After entering these parameters, shut down and restart Windows; then all the printed messages will be displayed.
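As an added example (my code, not the post's and not OSR's tool), the Python below reproduces the filter arithmetic Windows Vista/7 applies to DbgPrintEx, as documented by Microsoft, and shows why a value of 255 for the DEFAULT component makes plain DbgPrint messages appear. The "errors only" mask is a constructed before value, not the OS default; the function names are mine.

```python
# Added example (not from the post or from OSR's tool): the filter arithmetic Windows
# Vista/7 applies to DbgPrint, showing why a level of 255 makes the messages appear.
DPFLTR_ERROR_LEVEL, DPFLTR_WARNING_LEVEL, DPFLTR_TRACE_LEVEL, DPFLTR_INFO_LEVEL = 0, 1, 2, 3

def level_to_mask(level):
    """Levels 0..31 select a single bit; 32 and above are taken as a bit mask as-is."""
    return 1 << level if level < 32 else level

def message_shown(level, component_mask):
    """A DbgPrintEx message is shown when its level bit overlaps the component's mask."""
    return (level_to_mask(level) & component_mask) != 0

def dbgprint_shown(component_mask):
    """Plain DbgPrint behaves as DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_INFO_LEVEL, ...)."""
    return message_shown(DPFLTR_INFO_LEVEL, component_mask)

# Constructed 'before' mask that lets only error-level messages through (bit 0).
ERRORS_ONLY_MASK = level_to_mask(DPFLTR_ERROR_LEVEL)

# The value the post enters for the DEFAULT component: 255 >= 32, so it is the mask 0xFF,
# whether the tool stores it as a level or as the raw mask.
POST_DEFAULT_MASK = level_to_mask(255)
```

The component masks live as DWORD values (one per component, e.g. DEFAULT) under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter, which is what a tool like the one above edits for you.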




Download the solution (executable):
http://www.osronline.com/article.cfm?name=setdbgprintfiltering_v1.zip&id=506

OSROnline documentation:
http://www.osronline.com/article.cfm?article=295


Tuesday, September 25, 2012

WinDbg symbol maps loader...

One of the most fundamental things in WinDbg is the loader of symbol map objects into WinDbg. When starting WinDbg, I always faced "no maps loaded", and it turned into new trouble in my work (and it had a lot of trouble).

But after running WinDbg it is possible to load the symbol maps from Microsoft at this address:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

It is very easy to do!

In the WinDbg menu:

1) ---> File

2) ---> Symbol File Path

   Put SRV*c:\symbols*http://msdl.microsoft.com/download/symbols in the box

3) DON'T FORGET TO CHECK THE [X] Reload box

4) Press OK and be happy ;) All the symbols will be loaded; it takes a few seconds...

Now we can use all the resources of the symbols.
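As an added example (my code, not the post's and not part of WinDbg), the Python below parses the symbol path syntax entered above (the same format WinDbg reads from _NT_SYMBOL_PATH) and runs the two checks I would want before trusting a path: a plain-http server, and an srv element without an explicit local cache. The function names are mine; Microsoft's symbol server is also reachable over https.

```python
# Added example (not from the post or from WinDbg): a parser for the symbol path syntax
# the post enters, plus the checks a practitioner would run on one before using it.
def parse_symbol_path(path):
    """Split a WinDbg/_NT_SYMBOL_PATH string into its ';'-separated elements."""
    elements = []
    for raw in filter(None, path.split(";")):
        parts = raw.split("*")
        kind = parts[0].lower()
        if kind == "srv":
            # srv*[cache1*cache2*...]server; a bare 'srv*' means the default server and store
            server = parts[-1] if len(parts) > 1 and parts[-1] else None
            elements.append({"kind": "srv", "caches": parts[1:-1], "server": server})
        elif kind == "cache":
            # cache*dir sets a downstream store for the elements that follow it
            elements.append({"kind": "cache", "dir": parts[1] if len(parts) > 1 else None})
        else:
            elements.append({"kind": "dir", "dir": raw})
    return elements

def check_symbol_path(path):
    """Return notes on srv elements: plain-http servers (PDBs are not integrity-protected
    in transit) and servers with no explicit cache (the debugger's default store is used)."""
    notes = []
    for el in parse_symbol_path(path):
        if el["kind"] != "srv" or not el["server"]:
            continue
        if el["server"].lower().startswith("http://"):
            notes.append(f"plain http symbol server: {el['server']}")
        if not el["caches"]:
            notes.append(f"no explicit local cache for {el['server']}")
    return notes

# The exact value entered in the post.
POST_SYMPATH = r"SRV*c:\symbols*http://msdl.microsoft.com/download/symbols"
```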







Wednesday, July 11, 2012

Two new commands...

Yesterday I discovered two new commands on Windows 7 (... and Windows XP). The amazing command 'whoami', widely used on Linux, is used to know who the current session owner is; I was surprised when I typed 'whoami' on Windows 7 and the session owner was shown to me.

The other interesting command is LogonSessions; it returns all the sessions opened on the current OS. If another session (user) is open and frozen, it will appear when the LogonSessions command is used, so I can see all the open sessions. If I have two CMD windows open, one as Administrator and the other as another user, after I use LogonSessions these two windows are treated separately and shown by the LogonSessions command.

However, the whoami command is built in, while the LogonSessions command needs to be downloaded from Sysinternals at Microsoft.





c:\> logonsession /p

Logonsesions v1.21
Copyright (C) 2004-2010 Bryce Cogswell and Mark Russinovich
Sysinternals - wwww.sysinternals.com


[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\AV-PC$
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
    Logon time:   11/07/2012 09:38:53
    Logon server:
    DNS Domain:  
    UPN:        
      280: smss.exe
      356: csrss.exe
      392: wininit.exe
      404: csrss.exe
      432: winlogon.exe
      492: services.exe
      500: lsass.exe
      508: lsm.exe
      616: svchost.exe
      672: VBoxService.exe
      864: svchost.exe
      912: svchost.exe
     1308: spoolsv.exe
     1172: SearchIndexer.exe
     2920: svchost.exe

[1] Logon session 00000000:000060a1:
    User name:  
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          (none)
    Logon time:   11/07/2012 09:38:53
    Logon server:
    DNS Domain:  
    UPN:        

[2] Logon session 00000000:000003e4:
    User name:    WORKGROUP\AV-PC$
    Auth package: Negotiate
    Logon type:   Service
    Session:      0
    Sid:          S-1-5-20
    Logon time:   11/07/2012 09:38:55
    Logon server:
    DNS Domain:  
    UPN:        
      724: svchost.exe
     1184: svchost.exe
     1832: svchost.exe
     1788: sppsvc.exe
     2976: wmpnetwk.exe
     2512: WmiPrvSE.exe

[3] Logon session 00000000:000003e5:
    User name:    NT AUTHORITY\LOCAL SERVICE
    Auth package: Negotiate
    Logon type:   Service
    Session:      0
    Sid:          S-1-5-19
    Logon time:   11/07/2012 09:38:55
    Logon server:
    DNS Domain:  
    UPN:        
      820: svchost.exe
     1096: svchost.exe
     1344: svchost.exe
     1444: svchost.exe

[4] Logon session 00000000:0001431e:
    User name:    NT AUTHORITY\ANONYMOUS LOGON
    Auth package: NTLM
    Logon type:   Network
    Session:      0
    Sid:          S-1-5-7
    Logon time:   11/07/2012 09:38:59
    Logon server:
    DNS Domain:  
    UPN:        

[5] Logon session 00000000:0001c457:
    User name:    AV-PC\AV
    Auth package: NTLM
    Logon type:   Interactive
    Session:      1
    Sid:          S-1-5-21-1374473137-781671793-3807514444-1000
    Logon time:   11/07/2012 09:39:10
    Logon server: AV-PC
    DNS Domain:  
    UPN:        
     2528: dllhost.exe
     2756: cmd.exe
     2764: conhost.exe
     2616: logonsessions.exe

[6] Logon session 00000000:0001c487:
    User name:    AV-PC\AV
    Auth package: NTLM
    Logon type:   Interactive
    Session:      1
    Sid:          S-1-5-21-1374473137-781671793-3807514444-1000
    Logon time:   11/07/2012 09:39:10
    Logon server: AV-PC
    DNS Domain:  
    UPN:        
      600: taskhost.exe
      188: dwm.exe
     1128: explorer.exe
     1960: VBoxTray.exe
     1944: cfp.exe
     3352: cmd.exe
     3360: conhost.exe


c:\> whoami
my-homepc\mozart
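As an added example (my code, not the post's and not Sysinternals'), the Python below parses logonsessions -p output like the listing above into session records with their process lists, so the sessions can be filtered by logon type, for instance to pull out Network logons such as the ANONYMOUS LOGON entry. The sample text is a constructed, trimmed copy of the output above; the function names are mine.

```python
import re

# Constructed sample trimmed from the logonsessions -p output shown in the post.
SAMPLE = r"""[4] Logon session 00000000:0001431e:
    User name:    NT AUTHORITY\ANONYMOUS LOGON
    Auth package: NTLM
    Logon type:   Network
    Sid:          S-1-5-7
    Logon time:   11/07/2012 09:38:59

[5] Logon session 00000000:0001c457:
    User name:    AV-PC\AV
    Auth package: NTLM
    Logon type:   Interactive
    Session:      1
    Sid:          S-1-5-21-1374473137-781671793-3807514444-1000
    Logon time:   11/07/2012 09:39:10
    Logon server: AV-PC
     2756: cmd.exe
     2616: logonsessions.exe
"""

HEADER = re.compile(r"^\[(\d+)\] Logon session ([0-9a-f]{8}:[0-9a-f]{8}):$")
PROCESS = re.compile(r"^\s+(\d+): (\S+)$")           # "  2756: cmd.exe"
FIELD = re.compile(r"^\s{4}([A-Za-z ]+):\s*(.*)$")   # "    Logon type:   Network"

def parse_logonsessions(text):
    """Turn logonsessions -p output into session dicts, each with a 'processes' list."""
    sessions, current = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = {"index": int(m.group(1)), "luid": m.group(2), "processes": []}
            sessions.append(current)
        elif current is None or not line.strip():
            continue
        elif m := PROCESS.match(line):      # before FIELD: "2756: cmd.exe" has a colon too
            current["processes"].append((int(m.group(1)), m.group(2)))
        elif m := FIELD.match(line):
            current[m.group(1)] = m.group(2).strip()
    return sessions

def sessions_of_type(sessions, logon_type):
    """Select sessions by logon type, e.g. 'Network' to list remote/anonymous logons."""
    return [s for s in sessions if s.get("Logon type") == logon_type]
```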