Month: August 2009

Having some free time, I managed to apply some minor fixed to the TraceHook – I also decided to publish it, by the way. If there will be any bug reports / improvement suggestions, I will be more motivated to return to its development ;)

TraceHook is a tiny application keeping track over processes and dumping them when necessary. It’s main objective is to handle various types of malware samples, launched inside a virtual environment (pure malware analysis purposes). Once you choose the executable to run, TraceHook creates the process and adds its PID to the “Controlled Processes’ List”. Every single child-process created by one of these already present in our list, is also being controlled. After all the manual steps are performed (triggering the malware’s core functionality) on the virtual machine, the application dumps the memory context of all the processes inside our controlled list, to separate files inside the hardcoded C:\dump path.

The engine itself is a kernel module (device driver), having a callback routine registered using the documented PspCreateProcessNotifyRoutine API. It works in the context of all processes, thus doesn’t need to inject any additional user-mode code anywhere.

A complete package (EXE + sources): TraceHook_v0.0.1.zip (40kB)

Read more

I have been recently encountering quite a non-typical problem – playing Starcraft was hard due to the amount of active processes running on my operating system – including a few IDA instances, virtual machines and the most disturbing… Firefox web browser. As we all know, it’s not only about the memory being used by Firefox – the main problem is that the application tends to consume large amounts of CPU time (especially when having 150-200 opened tabs at once). When we add a very easily-heating processor, the aforementioned game might really have some problems with effectiveness.

The most intuitive solution to that problem seemed to be simply killing the firefox.exe process (no matter if it means closing it the right way or just terminating it) – the rest was no longer a problem, since it is possible to pause the Virtual Machine execution etc. The real problem appeared after the game, when I wanted to start working with the web browser – loading 150 sites back is always time-consuming, no matter how fast your connection is. When such a situation began taking place a number of times a day, I became pretty frustrated.

Read more

I have a pleasure to inform the blog readers about the incoming event I am taking part in – the polish SecDay conference (regarding security in a general meaning)! ;)

My presentation’s subject is the practical approach to, so called, bootkit creation. To make things clear, bootkit consists of a number of code blocks present on some kind of bootable media, being able to take complete control over the attacked machine, by simply performing some run-time memory modifications at the time of OS startup process.  To be exact, I will try to show how easy pwning a machine is, provided the potential attacker has physical access to the target. The steps taken by our bootable code to achieve specific goals (hacking the user authorization mechanism etc) will be described in detail.

The event will is going to be held in polish, but I expect my presentation stuff to be released in both PL and EN versions ;)

Welcome to the blog on my own hosting!

I have recently decided to add multi-language support to the blog, which obviously required the WordPress system to be moved to my own hosting (the one provided by wordpress.com lacks many important features, like the possibility to install plugins (which turned out to be very useful, by the way)). What is more, some other handy plugins have been installed as well, including code highlighting, modified theme and a few other, not visible to the user himself.

Right from now, every new post is supposed to be available in the polish language version first. However, I will do my best to translate them as soon as possible. Hope you will like the new features!