IRC Archive / Undernet / #asm / 2006 / May / 23 / 1
Ingersol
night
terby
(Action) is away, sleep, (log\on pager\on)
EwIck-
delicious
Delerious
delerious
eww
EwIck-
doesn't your gf call you delicious?
Delerious
uh..
she's not on IRC
EwIck-
still?
Delerious
still what?
EwIck-
nevermind then
Delerious
it's like 3 gf's since we talked last time
and she's stuck on dial-up service
EwIck-
that rules cybersex out huh
well, non-text-only cybersex anyway
Delerious
yeah..but she lives like 1.5 km away from me.. so we get to have the real thing plenty often
EwIck-
good good
is mark still alive?
Delerious
no idea
the last time i heard or saw anything about him he k/b'ed me from #asm and #ubixos.. that was the same time when he removed everybody's access from #asm
over a year ago
EwIck-
yeah..
he came back
then stormed out again couple months ago
Delerious
ah
do you know where he was?
EwIck-
NM I think
Delerious
if he was there, at least he'll be taken care of
EwIck-
whatever
Delerious
yeah
i still miss him.. but i've gotten used to the idea that i won't ever hear or see him again
EwIck-
really?
he didn't seem that much fun
vml
:_S
EwIck
what did I miss
vml
Actually, nothing.
MrAshe
Your own ping timeout
Delerious
he was a lot of fun as a roommate
maybe not as the tyrannical dictator of the channel, but hey.. can't win 'em all
MrAshe
Tyranny is fun
Delerious
depends on which side of the tyranny you fall on
vml
Good night.
_sin
he was in nm
he freaked out last time i talked to him
and threatened to shoot me if i showed up in nm to visit him
or maybe he didnt say shoot
i cant remember
tiocsti
he'll throw you on a fence
_sin
have you done much work reversing windows drivers?
tiocsti
not really, but i have recently
or what i mean is
i havent reversed a lot of drivers, but all my recent reversing has been of drivers
_sin
whats a good starting point
i recently had about 4 thrown across my desk
s/i/ive/
tiocsti
are they malware?
_sin
yea
tiocsti
yeah, im not sure, thats gonna be harder
i had an edge cuz mine werent, just ms drivers
_sin
i dont think they're going to be overly complicated
they hide files
tiocsti
on the other hand, im doing a full reverse, not just looking for something specific
if the protection isnt too much of a bi**h, it should be straightforward
grab the ddk and look sh*t up
_sin
is windbg any good?
i havent really used it aside from basics, and that was through the whatever its called the front end you can get from sysinternals
wait
does ida deal with .sys files effectively?
tiocsti
not really, but whatcha gonna do?
the disassembler does, yeah
_sin
well id prefer to see 'call <function name>'
instead of 'call 0x<address>'
tiocsti
the debugger is ring 3 tho, so no help there
_sin
yea no worries about the debugger
from the way it acts, id say its the windows version of crap you did for linux years ago
tiocsti
my targets all have debug info :)
_sin
you can see the files if you do a dir with the file name
you can remove them that way as well
the driver is registered as a service
tiocsti
if its not protected, then it should be cake
_sin
and you can manually turn it off, even though you cant see it in the list
hides ports as well
yea i dont think it will be incredibly hard
just never dealt with ring0 windows stuff
i suppose there is no time like the present
here's another one
suppose you had a malware binary
that is basically split into two sections
by the initialization you can tell it was most likely compiled with a MS compiler
but its lacking all of the .reloc/.rsrc/etc
the first section deals with everything through standard c stuff
i.e. fopen()/fread()/fseek()/etc
but then in the second section everything is done via the windows-centric stuff, i.e. CreateFile()/ReadFile()/WriteFile()/etc
there is a useless argument -update that just causes the program to sleep for about 20 seconds
and throughout the code you probably will execute 300 or 400 nops
tiocsti
that doesnt sound like a driver
_sin
no this is a different program
tiocsti
oh
_sin
the program decrypts and decompresses itself with fopen & co
then to write all the files it calls a couple of functions that use CreateFile()/SetFilePointer()/etc
it almost looks like someone went through and edited a binary
the difference in coding style/api's called
the useless option to the program
and all the nops
with no relocations/etc
do you guys have a signature for the word 0day yet tiocsti ?
tiocsti
i dunno
no word support, so i doubt it
_sin
oh thats right you guys dont really support client side exploits
tiocsti
we do, but within some limits
_sin
i never really thought they had much value
until i worked here
and realized how much of a mess it is to try and filter .doc's/.xls/.ppt enterprise wide
improbable
and if you chat up a phd long enough appealing to their 'genius'
tiocsti
for the big things we have good support
_sin
they'll click on anything
tiocsti
emf, wmf, jpeg, png, zip, rar, etc
office stuff, i dont think so
i might be wrong, though
_sin
id imagine examining every .doc would kill your appliances
tiocsti
depends on the attack
and how quickly we can determine it's uninteresting
_sin
malformed .doc/.xls/.ppt
true
i swear to god in the last 6 months
ive learned more about .doc/.xls/.ppt/.jpg/.png/.gif/.emf/.wmf/.wav formats than i ever wanted to know
tiocsti
i know too much about emf/wmf
i want that space in my brain back
_sin
hehe
thats become my life
a week or two ago
tiocsti
i wrote out emf/wmf parsers
_sin
i examined a rogue ppt
tiocsti
our
_sin
and i extracted/examined all of the images and wav's and wmf's and emf's, etc
and after looking through all of that
i realized it was that routing slip bug
at any rate, im sure you guys have your contacts
but if you are doing the office stuff
and need any information on it, lemme know
there are things i can give out, and things i cant obviously
but for instance ive known about this ms word bug for about a month
tiocsti
well id be mostly interested in format details
not so much attacks
i get the impression it's massively complex though
and a highspeed parser is prob not gonna happen
_sin
you have all you need to know in /query
it most likely affects more components than office as well