In the famous Buffy episode "Hush", Joss Whedon demonstrates through a creative plot device - removing the voices from the entire town - that often talking is the opposite of communication. But I don't have time to draw pretty pictures, so here goes.
<br><br>Imagine a simple host intrusion protection device that makes a graph of system call chains of a process as it runs normally, and then in the future restricts the process to those system call chains. These chains start with a CreateThread() and can end at any point, but typically with an ExitThread().
<br><br>Given this simple system, we can defeat it with a "hooker shellcode" which hooks the functions our shellcode wants to call. For example, "accept()", "recv()", "CreateFile", "Write()" and so on. Because system call arguments are not looked at, we replace the original arguments with the arguments we would prefer, and then let the process continue. Each system call may happen in a completely different thread, but it will happen exactly as the HIPS thinks it should, just with different arguments.
<br><br>Essentially the problem is that the HIPS models on a per-thread basis, and there is no per-thread memory isolation. Of course to do the hooks themselves you'll want to call VirtualProtect, but we can do something more invasive to take over every thread's exception handler and play our little reindeer games. We can, after all, write into every thread's stack.
<br><br>And of course, it may be that statistically, CreateThread() branches quite predictably. So if we can call CreateThread, we might be able to do anything we want after that point.<br>CreateThread(DoAcceptData()); CreateThread(DoWriteDataToFile()); CreateThread(DoExecFile()); and so on.
<br><br>Today I played a lot more with Vista. It turns out it DOES have the 10-half-open TCP connection limit. And there's no way to shut that off. I take back what I said about it being better than XP SP2.<br><br>-dave
<br><br><br><br><div><span class="gmail_quote">On 2/8/07, <b class="gmail_sendername">Alexander Sotirov</b> <<a href="mailto:asotirov@determina.com">asotirov@determina.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Dave Aitel wrote:<br>> For the record, or at least, as a reminder to the record, anything<br>> based solely on system call ordering is going to have a bugger of a<br>> time dealing with CreateThread().<br><br>What is the problem with CreateThread? You just need to look at the syscall
<br>ordering per thread, not per process, and everything will be fine.<br><br>Alex<br>_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com
</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave">http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br></blockquote></div><br>
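The following is an added toy model of the per-thread call-chain HIPS debated in this thread; it is not code from the mailing list or from any product. It learns the allowed chains per thread from a constructed "normal" trace, then checks later traces two ways: ordering only (the design Alex describes) and ordering plus argument constraints. The point it makes is the one Dave raises: a thread whose calls follow a learned chain exactly but with different arguments passes the ordering-only check, so a deployable model has to constrain arguments as well. The trace format, thread ids, call names and paths are all constructed for the example, and argument whitelisting is offered here as one partial mitigation; it does not address the root cause Dave names, the lack of per-thread memory isolation.

```python
from collections import defaultdict

# Constructed trace lines in a made-up "<thread-id> <call> <argument>" format.
# This is the run the HIPS learns from (one worker that logs to a file, one that does not).
TRAINING_TRACE = [
    "T1 CreateThread -",
    "T1 accept 0.0.0.0:8080",
    "T1 recv sock",
    "T1 CreateFile C:\\svc\\log.txt",
    "T1 WriteFile C:\\svc\\log.txt",
    "T1 ExitThread -",
    "T2 CreateThread -",
    "T2 accept 0.0.0.0:8080",
    "T2 recv sock",
    "T2 ExitThread -",
]

# Later runs to check (also constructed).
NORMAL_RUN = ["T7 CreateThread -", "T7 accept 0.0.0.0:8080", "T7 recv sock", "T7 ExitThread -"]
SAME_CHAIN_NEW_ARGS = [          # same calls as T1's chain, only the file argument differs
    "T8 CreateThread -", "T8 accept 0.0.0.0:8080", "T8 recv sock",
    "T8 CreateFile C:\\other\\dropped.bin",
    "T8 WriteFile C:\\other\\dropped.bin",
    "T8 ExitThread -",
]
OUT_OF_ORDER = ["T9 CreateThread -", "T9 CreateFile C:\\svc\\log.txt", "T9 ExitThread -"]


def parse_trace(lines):
    """Group trace lines into per-thread, in-order lists of (call, argument)."""
    threads = defaultdict(list)
    for line in lines:
        tid, call, arg = line.split(maxsplit=2)
        threads[tid].append((call, arg))
    return dict(threads)


class ChainModel:
    """Learned per-thread call chains; a chain may end at any point, so every prefix is allowed."""

    def __init__(self):
        self.prefixes = set()           # every prefix of every learned chain (ordering model)
        self.args = defaultdict(set)    # chain prefix -> arguments seen for its last call

    def train(self, trace):
        for seq in parse_trace(trace).values():
            calls = tuple(call for call, _ in seq)
            for i in range(1, len(calls) + 1):
                self.prefixes.add(calls[:i])
                self.args[calls[:i]].add(seq[i - 1][1])

    def check_ordering(self, trace):
        """Ordering-only check: flag the first call that leaves the learned chain graph."""
        violations = []
        for tid, seq in parse_trace(trace).items():
            calls = tuple(call for call, _ in seq)
            for i in range(1, len(calls) + 1):
                if calls[:i] not in self.prefixes:
                    violations.append(f"{tid}: unexpected call {calls[i - 1]} after {list(calls[:i - 1])}")
                    break
        return violations

    def check_with_args(self, trace):
        """Ordering check plus argument whitelisting at each position of the chain."""
        violations = self.check_ordering(trace)
        already_flagged = {v.split(":")[0] for v in violations}
        for tid, seq in parse_trace(trace).items():
            if tid in already_flagged:
                continue
            calls = tuple(call for call, _ in seq)
            for i, (call, arg) in enumerate(seq, 1):
                allowed = self.args[calls[:i]]
                if arg not in allowed:
                    violations.append(f"{tid}: {call} argument {arg!r} never seen in training (allowed: {sorted(allowed)})")
        return violations


def build_model():
    """Train the toy model on the constructed normal run."""
    model = ChainModel()
    model.train(TRAINING_TRACE)
    return model


if __name__ == "__main__":
    m = build_model()
    for name, run in [("normal", NORMAL_RUN), ("same chain, new args", SAME_CHAIN_NEW_ARGS), ("out of order", OUT_OF_ORDER)]:
        print(f"{name}: ordering-only={m.check_ordering(run)}  with-args={m.check_with_args(run)}")
```

Run as-is: the normal run passes both checks, the out-of-order run is caught by ordering alone, and the run that reuses T1's exact chain with a different CreateFile/WriteFile argument passes the ordering-only check and is only flagged once arguments are part of the model. Keying arguments by chain prefix rather than by call name keeps the whitelist tight (a path that is normal at one point in a chain is not automatically normal elsewhere); in practice the argument model would have to cover handles and buffers, not only string paths, which is the part this toy omits.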