Quotes DB
<0> night
<1> delicious
<2> delerious
<2> eww
<1> doesn't your gf call you delicious?
<2> uh..
<2> she's not on IRC
<1> still?
<2> still what?
<1> nevermind then
<2> it's like 3 gf's since we talked last time
<2> and she's stuck on dial-up service
<1> that rules cyber*** out huh
<1> well, non-text-only cyber*** anyway
<2> yeah..but she lives like 1.5 km away from me.. so we get to have the real thing plenty ofte
<2> *n
<1> good good
<1> is mark still alive?
<2> no idea
<2> the last time i heard or saw anything about him he k/b'ed me from #asm and #ubixos.. that was the same time when he removed everybody's access from #asm
<2> over a year ago
<1> yeah..
<1> he came back
<1> then stormed out again couple months ago
<2> ah
<2> do you know where he was?
<1> NM I think
<2> if he was there, at least he'll be taken care of
<1> whateve
<1> r
<2> yeah
<2> i still miss him.. but i've gotten used to the idea that i won't ever hear or see him again
<1> really?
<1> he didn't seem that much fun
<3> :_S
<4> what did I miss
<3> Actually, nothing.
<5> Your own ping timeout
<2> he was a lot of fun as a roommate
<2> maybe not as the tyrannical dictator of the channel, but hey.. can't win 'em all
<5> Tyranny is fun
<2> depends on which side of the tyranny you fall on
<3> Good night.
<6> he was in nm
<6> he freaked out last time i talked to him
<6> and threatened to shoot me if i showed up in nm to visit him
<6> or maybe he didnt say shoot
<6> i cant remember
<7> he'll throw you on a fence
<6> have you done much work reversing windows drivers?
<7> not really, but i have recently
<7> or what i mean is
<7> i havent reversed a lot of drivers, but all my recent reversing has been of drivers
<6> whats a good starting point
<6> i recently had about 4 thrown across my desk
<6> s/i/ive/
<7> are they malware?
<6> yea
<7> yeah, im not sure, thats gonna be harder
<7> i had an edge cuz mine werent, just ms drivers
<6> i dont think they're going to be overly complicated
<6> they hide files
<7> on the other hand, im doing a full reverse, not just looking for something specific
<7> if the protection isnt too much of a bitch, it should be straightforward
<7> grab the ddk and look **** up
<6> is windbg any good?
<6> i havent really used it aside from basics, and that was through the whatever its called the front end you can get from sysinternals
<6> wait
<6> does ida deal with .sys files effectively?
<7> not really, but whatcha gonna do?
<7> the disassembler does, yeah
<6> well id prefer to see 'call <function name>'
<6> instead of 'call 0x<address>'
<7> the debugger is ring 3 tho, so no help there
<6> yea no worries about the debugger
<6> from the way it acts, id say its the windows version of crap you did for linux years ago
<7> my targets all have debug info :)
<6> you can see the files if you do a dir with the file name
<6> you can remove them that way as well
<6> the driver is registered as a service
<7> if its not protected, then it should be cake
<6> and you can manually turn it off, even though you cant see it in the list
<6> hides ports as well
<6> yea i dont think it will be incredibly hard
<6> just never dealt with ring0 windows stuff
<6> i suppose there is no time like the present
<6> here's another one
<6> suppose you had a malware binary
<6> that is basically split into two sections
<6> by the initialization you can tell it was most likely compiled with a MS compiler
<6> but its lacking all of the .reloc/.rsrc/etc
<6> the first section deals with everything through standard c stuff
<6> i.e. fopen()/fread()/fseek()/etc
<6> but then in the second section everything is done via the windows-centric stuff, i.e. CreateFile()/ReadFile()/WriteFile()/etc
<6> there is a useless argument -update that just causes the program to sleep for about 20 seconds
<6> and throughout the code you probably will execute 300 or 400 nops
<7> that doesnt sound like a driver
<6> no this is a different program
<7> oh
<6> the program decrypts and decompresses itself with fopen & co
<6> then to write all the files it calls a couple of functions that use CreateFile()/SetFilePointer()/etc
<6> it almost looks like someone went through and edited a binary
<6> the difference in coding style/api's called
<6> the useless option to the program
<6> and all the nops
<6> with no relocations/etc
<6> do you guys have a signature for the word 0day yet tiocsti ?
<7> i dunno
<7> no word support, so i doubt it
<6> oh thats right you guys dont really support client side exploits
<7> we do, but within some limits
<6> i never really thought they had much value
<6> until i worked here
<6> and realized how much of a mess it is to try and filter .doc's/.xls/.ppt enterprise wide
<6> improbable
<6> and if you chat up a phd long enough appealing to their 'genius'
<7> for the big things we have good support
<6> they'll click on anything
<7> emf, wmf, jpeg, png, zip, rar, etc
<7> office stuff, i dont think so
<7> i might be wrong, though
<6> id imagine examining every .doc would kill your appliances
<7> depends on the attack
<7> and how quickly we can determine it's uninteresting
<6> malformed .doc/.xls/.ppt
<6> true
<6> i swear to god in the last 6 months
<6> ive learned more about .doc/.xls/.ppt/.jpg/.png/.gif/.emf/.wmf/.wav formats than i ever wanted to know
<7> i know too much about emf/wmf
<7> i want that space in my brain back
<6> hehe
<6> thats become my life
<6> a week or two ago
<7> i wrote out emf/wmf parsers
<6> i examined a rogue ppt
<7> our
<6> and i extracted/examined all of the images and wav's and wmf's and emf's, etc
<6> and after looking through all of that
<6> i realized it was that routing slip bug
<6> at any rate, im sure you guys have your contacts
<6> but if you are doing the office stuff
<6> and need any information on it, lemme know
<6> there are things i can give out, and things i cant obviously
<6> but for instance ive known about this ms word bug for about a month
<7> well id be mostly interested in format details
<7> not so much attacks
<7> i get the impression it's massively complex though
<7> and a highspeed parser is prob not gonna happen
<6> you have all you need to know in /query
<6> it most likely affects more components than office as well
Return to #asm