[Dailydave] VPC
Dave Aitel
dave at immunityinc.com
Thu Feb 21 07:54:05 EST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat
Federal, I learned the hard way that VPC moves memory all around and
your previously great universal addresses don't work. So you'll end up
trying really hard to find an address that defeats SafeSEH on 2003 SP0
in 15 minutes or less.
Also I notice there are a lot of companies doing automated Incident
Response or malware analysis now.
Zynamic's VxClass is obviously one of my favorites.
HBGary has retooled Inspector into a tool ("Responder") that can read
and analyze physical memory dumps.
Mandiant has their new tool out.
Norman had a softice-looking sandbox-like thing on display.
There's another one called CWSandbox that has a free web form you can
send exe's to. (They hook a bunch of things but I think you can escape
the hooking by calling system calls directly?)
And let me also put it this way: If you have a source code analyzer
product booth, and you don't let people write little C programs and have
them analyzed, it's really annoying.
- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHvXRstehAhL0gheoRApfGAJ9Bqr7bW57kHPSxkoExDbLs+kQ3eQCdE5Of
o+Wc9Ml2BVcy2h0aoFJC630=
=lAdf
-----END PGP SIGNATURE-----
More information about the Dailydave
mailing list