Map and projects (the most frequently updated page of this blog)

2011/09/05

you must wear a size 48, or else put on Scholls

last post here?
As I now prefer to write and update technical documents in my wiki, and to notify people via my announcement-only Twitter account, rather than writing on this blog, it is unlikely to be updated in the future.

So, to keep yourself updated, I suggest checking @corkami.
If you want to use an RSS reader, you can point it to this address, which doesn't require a Twitter account of your own. For some reason, Google Reader doesn't like it: to work around the problem, you can use a service such as Freemyfeed (no login/password needed). It gives you a URL like this one, which works fine with Google Reader.

2011/07/14

too scared to go to prison, we're unable to make decisions

I still don't have the time to write a decent blog article, but at least I managed to do a few things since the last post (in case you don't follow me on Twitter or reddit):
  • While trying to improve my screencasting methodology, I created a screencast tutorial on reJava (compare it with my previous one and let me know which one is better).
  • a PDF tricks summary page, with various categories (encodings, structures, JavaScript...) and, for each example, a handmade, clean and minimal PoC.
  • In order to study a way to document a binary in detail, I created a commented IDB of a PE file packed with UPX. It is released as is, on request, but I find it a sub-optimal way to document assembly, especially as it's not really possible to easily move this information to another IDB.
  • a small update to my PE infographics: some fixes, and improvements to the resource section.
  • a merge of the aPLib part of Kabopan into a single, independent aplib.py
  • a commented disassembly of Peter Ferrie's new EICAR file
  • a commented disassembly of Yosuke Hasegawa's AA86, the symbol assembler.
    Example: "Hello World" code:
@^^^^^-%+)@@^^^!;@@_!,((,.((-$+)@*+@!!@-,!"(+@@,$-,!"($%&,&,&_&,"@"'%_&"',&$&-@*@$"
  • a handy Python script to rename Unicode filenames (and back), very useful for those tools that don't support Unicode filenames.
    ex: 日本.txt <=> &'#26085;&'#26412;.txt
  • a yEd graph of Intel AVX2 opcode descriptions (PNG): totally useless in itself, yet all these opcodes are scary.

2011/04/01

Mireille is a star in the depths of Tibet

Here are a few things that I released recently but that didn't get a regular blog post, just a Twitter entry:
  • Usermode test (v0.1): a user-mode opcode tester covering most opcodes, including rare, obsolete, recent, undocumented and 64-bit ones, exception triggers, anti-debugs... (gathering and extending the results of my previous blog entries and programs)
  • Following Peter Ferrie's article, I wrote a commented source of JJencode, the funny JavaScript obfuscator, along with a dumb decryption script.
  • I extended y0da's binary corpus with various compiled files and my own experimental PEs, to build my own binary corpus. It covers a lot of different compilers, section layouts, image directories...
  • I created a simple screencast to introduce tracing with OllyDbg, based on Oleh's tutorial.

2011/02/01

I wear my crown of thorns, on my liar's chair

a bit of nostalgia (virii)
My first contact with a computer virus was Ping-Pong, which infected our 10 MHz 8086. Fortunately, a magazine gave the solution (for free!): they printed the hex sequence to search for and replace!
While it was a working solution, it was not exactly 'user-friendly': "Hey Grandma, launch PCTools 4.30, open the hex editor, then..." err, never mind!

My second encounter with a virus was Tequila: it kept re-infecting our computer. However, because our 20 MB hard disk was very noisy, I could eventually recognize the sound of the virus infecting the MBR! Instant detection, but once again, not exactly the most user-friendly!

Fortunately, anti-virus software is now a bit better than 'listen to your hard disk' or 'search and replace it yourself'!

But I let go of my own hand, I drift away from myself...

unpacking drivers in user-mode (2)

Following my previous post on the topic, I came up with a few more tricks:
  • since packed drivers typically use ExAllocatePool*, you need a user-mode equivalent to extract the packed driver, so I just made my fake ntoskrnl forward those calls to VirtualAlloc*.
  • they often use RtlImageNtHeader, so I added a redirection for it in the fake ntoskrnl.
  • some drivers import HAL.DLL and CLASSPNP.SYS; I made fake ones for them too.
  • some drivers load ntoskrnl.exe manually. In this case, I'd use (under OllyDbg) MUltimate Assembler, with a standard snippet.
  • it's important to recognize when the driver is trying to locate ntoskrnl, in order to correct execution. Here are the various ways that I can recall:
  1. executing SIDT gives you the IDT base address, and the IDT lives inside ntoskrnl.
  2. executing RDMSR with ECX=176h (IA32_SYSENTER_EIP) gives you the SYSENTER entry point, which also lies inside ntoskrnl; from there you can walk back to the ntoskrnl header.
  3. standard range checking: start from a kernel pointer known to point inside ntoskrnl, align it down to its page, and walk backwards page by page until the 'MZ' signature is found:
mov eax, 0ffdff12ch       ; a field of the KPCR (at 0ffdff000h on 32-bit x86) holding a pointer into ntoskrnl
mov eax, [eax]            ; eax now points somewhere inside the ntoskrnl image
find_base:
dec eax                   ; step back: once eax is page-aligned, this moves into the previous page
and ax, 0f000h            ; align down to the start of the page
cmp word ptr [eax], 5a4dh ; 'MZ' signature: is this the image base?
jnz find_base
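As an added example (my own code, not the page's or corkami's), here is a C equivalent of the backwards page walk in (3). It goes beyond the snippet above in two ways: it validates each candidate the way a RtlImageNtHeader redirection in the fake ntoskrnl would (e_lfanew plus the 'PE\0\0' signature, so a stray 'MZ' inside the image does not fool it), and it bounds the walk so it never reads outside memory we own. It runs against a constructed four-page buffer, not a real driver image; PAGE_SIZE, looks_like_pe, find_image_base and build_fake_image are names of my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 0x1000u
#define DOS_MAGIC 0x5A4Du     /* 'MZ' */
#define NT_MAGIC  0x00004550u /* 'PE\0\0' */

/* Little-endian reads that do not assume alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Minimal RtlImageNtHeader-style check of a candidate base: 'MZ' at 0, e_lfanew at
 * 0x3c, 'PE\0\0' at base + e_lfanew. limit is the first byte we may not read. */
static int looks_like_pe(const uint8_t *base, const uint8_t *limit) {
    if (limit - base < 0x40 || rd16(base) != DOS_MAGIC) return 0;
    uint32_t e_lfanew = rd32(base + 0x3c);
    if (e_lfanew > (uint32_t)(limit - base) - 4) return 0; /* NT header out of bounds */
    return rd32(base + e_lfanew) == NT_MAGIC;
}

/* C counterpart of the driver's scan: align the pointer down to its page and walk
 * backwards a page at a time until a valid PE header is found, never below lowest. */
const uint8_t *find_image_base(const uint8_t *inside, const uint8_t *lowest, const uint8_t *limit) {
    uintptr_t p = (uintptr_t)inside & ~(uintptr_t)(PAGE_SIZE - 1); /* and ax, 0f000h */
    while (p >= (uintptr_t)lowest) {
        if (looks_like_pe((const uint8_t *)p, limit)) return (const uint8_t *)p;
        if (p < PAGE_SIZE) break;
        p -= PAGE_SIZE; /* previous page */
    }
    return NULL;
}

/* Constructed stand-in for a mapped image (not a real ntoskrnl): 4 pages, a PE
 * header on page 0 and a decoy 'MZ' without 'PE\0\0' on page 2. */
static uint8_t raw_buf[5 * PAGE_SIZE];
uint8_t *build_fake_image(void) {
    uint8_t *img = (uint8_t *)(((uintptr_t)raw_buf + PAGE_SIZE - 1) & ~(uintptr_t)(PAGE_SIZE - 1));
    memset(img, 0, 4 * PAGE_SIZE);
    memcpy(img, "MZ", 2);
    img[0x3c] = 0x80;                     /* e_lfanew = 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    memcpy(img + 2 * PAGE_SIZE, "MZ", 2); /* the raw 'MZ' scan above would stop here */
    return img;
}

int main(void) { /* exit status 0 when the real base is found despite the decoy */
    uint8_t *img = build_fake_image();
    return find_image_base(img + 3 * PAGE_SIZE + 0x123, img, img + 4 * PAGE_SIZE) == img ? 0 : 1;
}
```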

As usual, I included the (minimal) sources - happy unpacking!
Sources and binaries