[Dailydave] VPC
Anthony Lineberry
anthony.lineberry at gmail.com
Mon Feb 25 22:34:24 EST 2008
On Thu, Feb 21, 2008 at 4:54 AM, Dave Aitel <dave at immunityinc.com> wrote:
> So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat
> Federal, I learned the hard way that VPC moves memory all around and
> your previously great universal addresses don't work. So you'll end up
> trying really hard to find an address that defeats SafeSEH on 2003 SP0
> in 15 minutes or less.
>
> Also I notice there are a lot of companies doing automated Incident
> Response or malware analysis now.
>
> Zynamic's VxClass is obviously one of my favorites.
> HBGary has retooled Inspector into a tool ("Responder") that can read
> and analyze physical memory dumps.
> Mandiant has their new tool out.
> Norman had a softice-looking sandbox-like thing on display.
> There's another one called CWSandbox that has a free web form you can
> send exe's to. (They hook a bunch of things but I think you can escape
> the hooking by calling system calls directly?)
>
> And let me also put it this way: If you have a source code analyzer
> product booth, and you don't let people write little C programs and have
> them analyzed, it's really annoying.
>
> -dave
>
Is this sandboxing running outside of the hypervisor or inside?
One thing I've been messing with lately is sandboxing from outside the guest
OS by modifying a hypervisor to manipulate the kernel through external
hooks. I'm really curious if this has been done before and if I'm just
reinventing the wheel?
--
Anthony Lineberry
http://www.dtors.org