Category Archives: System

Assurance level of 3rd party software – Part 1


As we know google did the 3rd party application assurance last few months. Their objective is intend to fight against unknown malicious code embedded in software.

Hidden malicious code history

Metamorphic code (Win32/Simile)  was born on 2002 written in assembly language which target Microsoft software operating system products. As time goes by, the 2nd generation of metamorphic code capable changing what registers to use, changing flow control with jumps, changing machine instructions to equivalent ones or reordering independent instructions.

*Metamorphic code can also mean that a virus is capable of infecting executables from two or more different operating systems (such as Windows and GNU/Linux) or even different computer architectures.

Malware/RootKit infection from software device driver to Smartphone

A revolution of technology world on 2007 driven by Apple iPhone and Android. Thus such a way driven malware and rootkit re-engineering their architecture. As a result, their implant destination not limit on device drive itself. It also includes smartphone 3rd party application.

Part 1 – Microsoft OS products, rooting your software driver technique overview 

An important step lets the hacker do the hook or infiltrate job is to identify the usable memory space.  A parameter so called KeServiceDescriptorTableShadow. Using KeServiceDescriptorTable variable exported by ntoskrnl.exe, we can get the address of KeServiceDescriptorTableShadow variable. KeServiceDescriptorTableShadow is an extension of
KeServiceDescriptorTable variable.

Below syntax get the address of KeServiceDescriptorTableShadow by comparing memories around KeServiceDescriptorTable.

typedef struct _SERVICE_DESCRIPTOR_TABLE { PULONG ServiceTable; // array of entry-points PULONG puCounterTable; // array of counters ULONG uTableSize; // number of table entries PUCHAR pbArgumentTable; // array of byte counts } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

Below syntax is retrieves its address in different version of Windows.

 ULONG Index;
 UONG MajorVersion, MinorVersion, BuildNumber;
 PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, &CSDVersion);
 if(MajorVersion == 5 && MinorVersion == 1) // Windows XP
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable - 0x40);
 else // Windows 2000, or Windows Vista
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable + 0x40);
 for(Index = 0; Index < 0x1000; Index ++, SDTShadow ++)
 KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
 if(KeServiceDescriptorTableShadow == &KeServiceDescriptorTable)
 if(memcmp(KeServiceDescriptorTableShadow, &KeServiceDescriptorTable, 0x10) == 0 
 && ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable & 3) == 0)
 return NULL;
 return NULL;

Below details on the picture left hand side show you the step how to relies on driver hook into the kernel process. In end-user point of view, there is a simple way to identify the current driver load into your PC or server. You just execute a command fltmc in your MS-DOS prompt. There is not require any assembly language knowledge. It is a simple and direct path to let you know how many 3rd party driver load into the windows kernel. For more details, please refer to right hand side in below picture.


Hacker is difficult to find available address space due to ASLR technique. (see below URL for reference)

The enemy of ASLR (Address space layout randomization) – memory leak

Even though ASLR has design limitation might have possibility let hacker implant malware. However a better idea is that take easy way instead of difficult way. A way confirm that it is possible. From technical point of view, ASLR avoid hacker know the actual memory address.  How about run the malicious code driver and ASLR mechanism at the same time (simultaneously).That is pre-install a 3rd party driver with malicious code embedded then load the software driver during operating system startup. The way similar antivirus product using API hooking allows the antivirus to see exactly what function is called.

- Loading drivers
- Starting new processes
- Process executable image
System DLL: ntdll.dll (2 different binaries for WoW64 processes)
- Runtime loaded PE images – import table, LoadLibrary, LoadLibraryEx[1], NtMapViewOfSection

Antivirus software may use SSDT hooking (System Service Dispatch Table hooking) on 32-bit operation.  On a 64-bit system, a KM (kernel module) driver can only be loaded if it has a digital signature. And therefore hacker could be focus on 32 bit OS instead of 64 bit.

How to run 32-bit applications on x64?

In order to maintain complete code separation, running 32-bit code on a 64-bit operating system design with a destinate folder named \Windows\SysWOW64 that is used to store the 32-bit DLLs to meet the design objective. Meanwhile the x64 version of Windows uses the \windows\system32 folder for 64-bit DLLs. Below diagram shown that the WOW64 emulator responsible for file system redirection for several key components of the Windows operating system.

To identify 32 bit and 64 bit environment changes depending on the registry key. For instance, the ‘rundll32’ is point to the specify registry (HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\CurrentVersion\Run).

Therefore it will execute the following command.


This is the 32-bit version program thus everything will be remapped accordingly (see below diagram for reference)

Above details shown the registry and file redirection mechanism to execute 32 bit application on 64 bit of operating system. It looks fine that application not possible to work with incorrect bits environment since it governance by registry. However a fundamental design architecture looks provide benefits to the hacker (see below diagram for reference):

Above diagram indicated that software device driver module allow 32-bit software driver go thought module (WOW64) communicate with 64-bit Kernel function. So it has possibility go through the software driver then compromise the system. From security point of view, the server or workstation Antivirus processes will keep track all DLL activities on directory (c:\windows\SysWoW64). So what is the malware next action?

Malware next action

A lot of security experts feedback comments on Microsoft OS products. They highlight that a flaw appears on kernel side. Microsoft official announcement was told that it is not a security issue.  The fact is that  malware can use API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software smuggling then by evade antivirus monitoring. A hacking technique so called Register load image callback (see below)


How to prevent PsSetLoadImageNotifyRoutine

Microsoft have solution available against register load image callback flaw. Developer can define a minifilter (FltGetFileNameInformationUnsafe) to confirm the routine returns name information for an open file or directory. And therefore it is the way to avoid the fundamental design limitation of API system Call mechanism (PsSetLoadImageNotifyRoutine).

But what is the causes for system developers not intend to use this preventive mechanism.

FltGetFileNameInformationUnsafe allocates it’s own memory for the structure. As a result it will encountered blue screen and system crash once 3rd party software driver not follow the SDLC (software development life cycle).

Alternative type of attack  (This time does not intend to discuss in detail)

A rootkit will create a hidden partition, at the end of the drive, 1 – 10 MB in size and set itself as the boot partition. Hence, the rootkit is already running before Windows loads. This hidden partition will not show up on Windows Disk Management in most cases.

Rootkit categories:

Operation feature

Persistent rootkit is one that is activated every time the system starts up.

Non-persistent rootkit is not capable of automatically running again after the system has been restarted.

Operation mode

User mode: this kind of rootkit hooks system calls and filters the information returned by the APIs (Application Programming Interface)

Kernel mode : these rootkits modify the kernel data structures, as well as they hook the kernel’s own APIs. It compromise the antivirus program at the same time. This is the most reliable and robust way of intercepting the system.


Even though your IT infrastructure install full scope of detective and preventive control facilities. The 3rd software driver will broken your security facilities. Perhaps you have SIEM and central log event management product however such malicious activities is hard to detect since it is running in Kernel (Ring 0).  So a standard policy on software usage is critical goal on today cyber technology world. Believe it or not, a 3rd party software driver embedded malicious code can break your great wall.








Perhaps military battleship can destroy everything, but it could not win in the digital war!

We heard battleships accident occurs this year. The most recent accident was that it collides with oil tanker near Singapore! (see below BBC news)

I am interested of cyber security technology and believed that Navy already has advanced cyber defense mechanism. The errors which occurred was taken by careless mistake! Headline news was told that a possibility might causes by cyber attack. It is hard to believed in earlier stage that this is a possible factor. But now change my mind, since (VSAT) Satellite Communication Systems rife with security flaws. It was vulnerable to Remote Hacks path! This technical limitation not the news today. It was found on 2014. The subject matter expert found that just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems.

Remark: Rumors told that a weakness happen on VSAT Firmware.

A design weakness was found on the system based on Information security design best practice (see below information for reference)

Identification – identify trusted source (malicious SMS or crafted message)

Authentication – permit or denied request (an authentication mechanism system authorize the electronic computing process)

Silence (behalf of penalty) of the lambs

We all known the discipline of Military is serious. Any change management requires inform the duty officer (captain). For instance, management team define the fairway. It requires authorize person acknowledgment before modifications. If the specify accident not a low level mistake (absence duty or incorrect operation procedure). It looks that the hardware manufacturer might bare the responsibilities. However do the firmware upgrade not a difficult way in IT world because Microsoft do the software patching weekly!

My comments

Since the overall political atmosphere looks unstable in APAC countries. The United States Seventh Fleet responsible to equality of power and peaceful of this area (after finished the battle of World War II). However a technical limitation (hiccup) shown to the world in military force. Even though you have anti-defense to offence missile send by South Korea. But any military plan it is a dangerous game indeed.


Do you think Mainframe forever secure in cyber world?


IBM z/OS assumed to be secure because it have ACF2 & RACF.

Mainframe access control types:

RACF – Resource Access Control Facility or RACF® provides the tools to help the installation manage access to critical resources.

ACF2 – (Access Control Facility) is a commercial, discretionary access control software security system developed for the MVS (z/OS today), VSE (z/VSE today) and VM (z/VM today)

Start discussion

Why we have this discussion topic today? We all known IBM z/OS is a proprietary OS. The Enterprise firms especially Banking and Finance group They are relies on mainframe comupter to do the handle the high volume of electronic transaction procoess.

A term so called operation day end process, it is well known job process in banking finance, broker firm and insurance industries.

Since Mainframe responsible for the back end job and therefore the modern Java apps with front end web application not direct communicate with this giant (see below diagram for reference). The inquiry and data download will be responsible by middle tier. Such architecture implementation not require high risk components especially Java components did not install on top of mainframe partition (LPAR).

As times goes by, Unified Computing System techniques like from virtual storage integrate to cloud computing and run in wide range of coverage. Actually mainframe is the pioneer of Unified Computing System technology. Since 2000 IBM z/OS (MVS) capable to support more than one OS running on top on the machine. It can be partitioned into multiple logical partitions, each hosting a separate operating system. A logical partition, commonly called an LPAR, is a subset of a computer’s hardware resources, virtualized as a separate computer.

Vulnerability not the proprietary of Microsoft OS and Linux OS

The penetration test performed by Mark Wilson on 2013. There are over 100 vulnerabilities found on z/OS even 1.13. The weakness of z/OS happened in the following area:

  • Poor APF Library protection
  • Poor SURROGAT profiles
  • Poorly coded SVC’s

Reference: z/OS V1R1 was first introduced in October 2000, z/OS Initial release on March 30, 2001 , Version 2.2 (V2R2) introduced on June 28, 2015. On February 21, 2017 IBM z/OS Version 2 Release 3 go to the market and available to use.

Hold different opinion on vulnerability

My assumption base on the security findings of a security auditor (Ayoub Elaassal) from Black Hat conference in Las Vegas.  His finding is that the ASM program updates the ACEE block in memory to give temporary SPECIAL privilege and causes privileges escalation. Hints that if you want to manually specify the user getting the SPECIAL privilege, replace userid() with any user in line 104 (see below command syntax for reference)

QUEUE "/*"
 QUEUE "/*"
 QUEUE "//*"

Ayoub Elaassal create a utility to test the privileges escalation on z/OS.  The file name of the utility is ELV.APF.

***The authorized program facility (APF) helps your installation protect the system. APF-authorized programs can access system functions that can affect the security and integrity of the system. APF-authorized programs must reside in APF-authorized libraries, which are defined in an APF list, or in the link pack area.

However any misconfiguration will make a castle become a unsecured house…..But our study bring me consider of the malware infection on non IBM CISC environment especially Windows server environment and Linux environment!

If above speculation is true. The z/OS system will be encountered of the following security problem.

It looks that IBM need to cope with IT world trend. CISC system environment capable of Java framework. CICS uses the IBM 64-bit SDK for z/OS, Java Technology Edition.  Regarding to our earlier discussion, 64 bit OS environment not absolute avoid malware infection. Even though you apply ASLR technology, sometimes a open source or 3rd party application will bring up operation problem causes system developer to modify the core system source code and not aware to create the vulnerability.  We all known business driven the IT world instead of technology or Information security.

Visitor who will be interested of the report of mainframe penetration tool, please visit GitHub to find out the details.

….let me find out more information security items and share with you soon! Bye!




Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

Announcement – Since the original post encountered slow response issue. In order to keep the comments input by visitors. We are going to keep the original post. This post is cater for visitor who can’t access the original web page. Please accept our apologizes that has been made.



The trend in IT world running into virtual world nowadays. Even though your mobile phone operation system is run on top of virtual machine. The memory resources utilization from tradition static to dynamic since virtual machine architecture founded. Security experts worries about infiltration of malware on virtual machine. A mitigation step introduce on VMware since 2014. The system designer conducted a technology alleged address space layout randomization. As a result it avoid malware implant to kernel since no living place for the malware alive (see below – a statement on technical article point out that how ASLR bring in the value)

The VMware ESXi kernel uses an address space layout randomization (ASLR) methodology to provide random and unpredictable addresses for user-mode applications, drivers, libraries and other executable components. This is a significant security benefit because of the way ASLR thwarts malware looking to take advantage of memory-based exploits. The malware would not have a known address to use as a vector for the exploit because of the randomization.

As times goes by, ASLR not even is the assistance of virtual machine designer. On the other hand, he will become a killer to kill his master. But this fact is not a news today. Regarding to the technology expertise experimental studies, it is possible to execute a attack on kernel side through malicious Java application. The method is a kind of side-channel attack (side-channel attacks) and based on the definition of indirect addresses to which had previously been handling when traversing page tables memory processor unit MMU (Memory Management Unit) in the translation of virtual memory addresses to physical memory addresses. Since cache CPU general and it is recognized as an active application or activity the MMU, then by evaluating differences in data access time before and after resetting the cache (the attack variety “EVICT + TIME”) can with high probability to choose the address and able to detect the locations since it is under the operation of memory management unit.

By breaking ASLR, an attacker will know where code executes, and prepare an attack that targets the same area of the memory, stealing sensitive information stored in the computer’s memory.

The vulnerability channel found on web browser announced by Professor of Computer Science at Cornell Tech on Jan 2016.

When attacking browsers, may be able to insert arbitrary objects into the victim’s heap. Let’s focus on web browser design fundamental.

Web applications communicate with each other through system calls to the browser kernel. As we know, web applications exist in separate processes owned by the browser kernel, they are prohibited from communicating with each other, except through the browser kernel.


However Plugins are less reliable than browsers.

However Plugins are less reliable than browsers


As a matter of fact, Java script is the helper of ASLR vulnerability. Sounds like java-script is an accomplice. The murderer is plug in application.

But in which situation virtual machine will be compromise of this vulnerability?

From technical point of view hacker engage a cyber attack targets workplace on memory area we understood that it is a malware form style attack.  As we know, AMD architecture define a feature named SVM instruction set.  AMD virtualization technology, codenamed “Pacifica,” introduces several new instructions and modifies several existing instructions to facilitate the implementation of VMM systems.
The SVM instruction set includes instructions to:

Start execution of a guest (VMRUN)
Save and restore subsets of processor state (VMSAVE,VMLOAD)
Allow guests to explicitly communicate with the VMM (VMMCALL)
Set and clear the global interrupt flag (STGI, CLGI)
Invalidate TLB entries in a specified ASID (INVLPGA)
Read and write CR8 in all processor modes
Secure init and control transfer with attestation (SKINIT)

Remark: Fundamentally, VMMs (Hypervisor) work by intercepting and emulating in a safe manner sensitive operations in the guest (such as changing the page tables, which could give a guest access to memory it is not allowed to access).


As such,  you are more free to run on memory address space once AMD-V is enabled in the BIOS (or by the host OS).


Below confirmed CVEs looks headaches to virtual machine core designers (VMWARE, VBOX, Hyper-V), right?

  • CVE-2017-5925 for Intel processors
  • CVE-2017-5926 for AMD processors
  • CVE-2017-5927 for ARM processors
  • CVE-2017-5928 for a timing issue affecting multiple browsers

Since founded AnC attack (EVICT+TIME), it  can detect which locations in the page table pages are accessed during a page table walk performed by the MMU.  In the sense that it such a way broken the ASLR feature on virtual machine. The objective of ASLR mainly avoid malware infection on virtual machine. What scenario we can foreseen tomorrow!

Sample: Java code with execute arbitrary memory write

// prepare buffer with address we want to write to
ptrBuf = ""
// fill buffer: length = relative ptr address - buffer start + ptr offset
while (ptrBuf.length < (0x????? - 0x9????? + 0xC)){ptrBuf += "A"}
ptrBuf += addr

// overflow buffer and overwrite the pointer value after buffer

// use overwritten pointer to conduct memory write of 4 bytes
obj.SetFontName("\xbe\xba\xfe\xca") // WHAT TO WRITE
alert("Check after write:0x???????? + 0x?






The other side of the story on cyber attack (Electronic war between countries)



We heard  that the new age transformation is coming.  As a result it transform the traditional military weapons to electronic codes. The computer  technologies such as DDOS (Distributed denial of services), malware and virus similar a killer. It can disrupt the financial activities,  daily network communication and health care services. An idea bring to our attention on world war II history was that classic military power result destroyed everything (mankind and properties).  But re-built the society and operation after war. It is a harsh and difficult mission! From technical point of view, the victorious might stand on ethics view point to assists defeated side to rebuild the business and economic system. As a matter of fact, the distruction level of war created by military weapon especially missile it is hard to evaluation. And this is the reason let’s cyber warfare appears in coming future! But it started already!

Analytic result on technical articles about cyber warfare

In regards to my study on technical article issued by CSS Eth Zurich (The Center for Security Studies (CSS) at ETH Zurich).The analytic result highlights serveral key factors of Cyber warfare . Cyber warfare was cheaper than traditional military force. It provides a  “cleaner” (with less or no bloodshed) suitation. No doubt that  less risky for an attacker than other forms of armed conflict. The analytic result  defines 5 different types of cyber conflict during their study. They are Cyber War, Cyber Terrorism, Cyber Espionage, internet crime and cyber vandalism.

The specific feature of cyber weapon (in between country to country)

I was sometimes confused with the headline news on prediction on cyber technology war.  The questions on my mind is that how electronic weapon or cyber weapon replacing traditional military facilities? Think it over, the appropriate technique might adopted target into the following criteria (see below):

The capabilities of cyber attack techniques ( A transformation of traditional military force)

Type Attack technology Functional feature – objective Target – Environment Remark:
Cyber Vandalism, Cyber War IOT & BOTNET (DDOS technique)


Services suspension – electronic communication services (IP-Telephony) Bank, Fund House , Stock Exchange
Cyber Espionage Malware Information gathering Bank, Fund House, Stock Exchange & government sector
Cyber War, Cyber Vandalism Ransomware Services suspension important facility fucntion nuclear facility , Airlines,TV broadcast station, Radio broadcast station & military facility Ransomware feature contained facility to supspend the computer services. Besides it capable listen to the instruction of C&C server. On the other hand, the attacker can resume the services once they win the battle.
Traditional military force Bomb Services Suspension on important facility function and destroy permanently nuclear facility, military facility, power station, airport & communiation facility (Digital phone system)
Internet Crime, Cyber war Email phishing and Scam email message Carry out  psychological warfare, implant malware activities in order to fulfill their objective nuclear facility, military facility, power station,

Let us dig out one of the attack technique to see how the cyber technology feature fulfill the goal of the cyber warfare features .

Do you think Ransomware is founded by military department?

The first ransomware appear in the world on 1989. A biologist Joseph L. Popp sent 20,000 infected diskettes labeled
“AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.
But after 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer’s computer.
To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

In 2006, former President George W. Bush was increasingly worried about Iranian efforts at enriching uranium, and ultimately, its hopes to build an atomic bomb. The goal of Stuxnet is going to destroy Iraq nuclear facilities driven by US government. The rumors were told Stuxnet malware destroyed roughly one-fifth of Iran’s centrifuges in 2009.

An unconfirmed  information stated that there is a separate operation called Nitro Zeus, which gave the US access into Iran’s air defense systems so it could not shoot down planes, its command-and-control systems so communications would go dead, and infrastructure like the power grid, transportation, and financial systems.


WannaCry infection using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol.  The U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. As we know nuclear power facilities control system OS platform relies on Microsoft OS system (see below articles). It may causes people think is there any secret action hide by NSA (National Security Agency). He aroused my interest in questioning who is the key figure to spread WannCry ransome? It looks that there is similarity with Stuxnet worm infection in 2009. Since we all fool by NSA at that time let your computer workstation transform to a cyber army then attack USA enemy.  Do you think wanncry is the rehearsal of test or pilot run?

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

Below diagram is my imagination of the modern nuclear facility environment. The SCADA system pay a key role in nuclear power facility. Ransomeware have capabilities to suspend the services of this facilities. It doesn’t need to destroy anything but the services will be totally shut it down the services. We have seen the real example in UK health care services as a reference. I will stop written here. Should you have any queries, I will try my best to written more in future.

Supplement – The other side of the story on cyber attack (Electronic war between countries) – 13th June 2017


As said on above discussion topic, since it looks not interest to visitors on reflection of comments on feedback.  However there is something on my mind need to share.

North Korea President Kim’s intention show to the world of his governance power. He is in frequent to demonstrate his military power cause US government concerns his equalize of military power in the world. To be honest, it is hard to equal the military and economics power as of today. For instance China nearly become the 1st business economic leader. We all know United state is the leader in this moment. However their economic operation chain should have difficulties to do the 2nd round of transformation. Because some of their capital business and business economy contained made in China element.  Since North Korea on finance and business economy are weak. President Kim did such things seems not make sense. I did not visit North Korea however a lot of news on TV might speculate their current situation. I strongly believed that their nuclear facility might operation in 60’s fashion. The SCADA system not possibly supply by Siemens. But learn and develop a windows based SCADA system not difficult.  From information point of view, North Korea nuclear facilities might relies on window for Control Systems instead of Linux for control system.  And therefore Ransomware type attack can specifics shot the target. Meanwhile the business industry from North Korea all work with Microsoft OS  in daily life.

The infection status of wannacry was not issued by North Korea government.  But for sure that wannacry type infection can suspend North Korea business finance and industries operations.

Below are the hints how to eliminate the risks issued by  SCADA system vendor. Any interest?

Process control vendors require:
1. A system with a minimal attack surface, so that biweekly or monthly patches are not required
2. A consistent programming interface that will not change every four to five years, requiring a complete rewrite of their software
3. An environment that can be quickly and safely “locked down” to reduce the risk from hacking
4. A system with limited network access, only through specific ports to reduce the risk of network based attacks
5. Support for priority-based multi-tasking, preferably a real-time operating system (RTOS) that supports hard real-time requirements
6. A robust ecosystem of utilities and tools to make development, installation, debugging, and maintenance as easy as it is on consumer systems.

End of this topic




Modern Malware intelligence


More people pay attention on cyber security world this year, the tremendously cyber security incidents  known as ATM thieves,  NSA scandal, IoT DDOS & recently WannaCry ransomware cyber security incident. Since more and I forgot. But those incidents have common criteria. The culprits of the infection techniques are given by malware technology.


Before the term malware was introduced by Yisrael Radai in 1990, malicious software was referred to as computer viruses. A conceptual idea categories Malware to the following elements such as trojan horses, worms, spyware, RootKit and Botnet. For more details, please refer to below diagram for references.


How modern technique fight against malware:

Preventive control mechanism

Address Space Layout Randomization (ASLR):

This feature randomizes how and where important data is stored in memory, making it more likely that attacks that try to write directly to system memory will fail because the malware can’t find the specific location it need.

Data Execution Prevention (DEP):

This feature substantially reduces the range of memory that code can run in.

How malware break the ice

Evasion technique against Sandbox

Evasion technique 1:

To avoid Sandbox detection –  Refresh the malware body (executable file) frequently (Checksum – hash) such a way benefits avoid signature-based antivirus software detection.

Evasion technique 2:

Malware can search through physical memory for the strings, new generation of malware commonly used to detect memory artifacts. For instance by default, Metasploitable’s network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network (This is the vulnerability of metasploit , they fixed already). Malware contains intelligence detect sandbox status.  No activities will be taken once sandbox has been detected.

Evasion technique 3:

Sandbox might uses a pipe \\\\.\\pipe\\cuckoo for the communication between the host system and the guest system. A malware can request the file to detect the virtual environment.

Evasion technique 4:

Since open source applications are popular in IT world. And therefore a lot of security analysis will built their own sandbox. The cuckoo sandbox deployment covered certain amount of percentage. Meanwhile malware enhance their intelligence. They can detect the cuckoo agent. Cuckoo uses a python agent to interact with the host guest. By listing the process and finding python.exe or pythonw.exe or by looking for an in the system, a malware can detect Cuckoo.

Evasion technique 5:

Most of the modern workstation  has installed at least 4GB or more memory. Malware developer setup the intelligence that machines with less memory size may become a sandbox setup.

Evasion technique against Virtual machine environment
Red Pill

Red Pill is a technique to detect the presence of a virtual machine. The code display below can be used to detect whether the code is executed under a VMM or under a real environment.

Red Pill developed by Joanna Rutkowska

Swallowing the Red Pill is more or less equivalent to the following code (returns non zero when in Matrix):

     int swallow_redpill () {
unsigned char m[2+4], rpill[] = “\x0f\x01\x0d\x00\x00\x00\x00\xc3”;
*((unsigned*)&rpill[3]) = (unsigned)m;
return (m[5]>0xd0) ? 1 : 0;

Remark: SIDT instruction (encoded as 0F010D[addr]) can be executed in non privileged mode (ring3) but it returns the contents of the sensitive register, used internally by operating system.

Theory: The virtual machine monitor must relocate the guest’s IDTR to avoid conflict with the host’s IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned. Thereby the process gets the relocated address of IDT table. It was observed that on VMWare, the relocated address of IDT is at address 0xffXXXXXX, while on Virtual PC it is 0xe8XXXXXX.

No Pill (Store Global Descriptor Table-SGDT & Store Local Descriptor Table-SLDT)

The sgdt and sldt instruction technique for VMware detection is commonly known as No Pill. The No Pill technique relies on the fact that the LDT structure is assigned to a processor not an Operating System. The LDT location on a host machine result zero. While a virtual machine result non-zero.

Evasion technique: Especially POS system

Malware use a smart way to evade of sandbox. The method is use hash to replace API program name, uses a table of hash values to ignore certain processes from being parsed by sandbox.

Intangible of attack benefits evasion of sandbox detection

We alert ourself that malware most likely using below methods to avoid sanbox antivirus or sandbox detection.

  • Hide the code which may be recognized as malicious. This is generally done using encryption.
  • Code the decryption stub in such a way it is not detected as a virus nor bypassed by emulation/sandboxing.

However we known that there are intangible of attacks on internet. Such work style of attack benefits for malware avoid the sandbox detection.

PE inject:

PE injection looks more powerful than classic code injection technique. Whereas it does not require any shell coding knowledge. The malicious code can be written in regular C++ and relies on well documented Windows System and Runtime API. Compared to DLL injection the main asset of PE injection is that you don’t need several files, the custom malicious code self inject inside another normal process and therefore it might possibilities to bypass detection.

Example for reference:

Hacker compromise a web site and lure the visitor visit the web page. During the visit an message alert the visitor that in order to display correct content, they need to download the font. From technical point of view, antivirus might detect the malicious once download if it is a known virus. Otherwise the malware can execute the following actions:

Socket creation and network access
Access to filesystem
Create threads
Access to system libraries
Access to common runtime libraries

How does malware complete the job?

Calculate the amount of memory (need to allocate)
  1. /* Get image of current process module memory*/
  2. module = GetModuleHandle(NULL);
  3. /* Get module PE headers */
  4. PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)((LPBYTE)module + ((PIMAGE_DOS_HEADER)module)->e_lfanew);
  5. /* Get the size of the code we want to inject */
  6. DWORD moduleSize = headers->OptionalHeader.SizeOfImage;
Calculate the new addresses to set in the distant process
  1. /* delta is offset of allocated memory in target process */
  2. delta = (DWORD_PTR)((LPBYTE)distantModuleMemorySpace – headers->OptionalHeader.ImageBase);
  3. /* olddelta is offset of image in current process */
  4. olddelta = (DWORD_PTR)((LPBYTE)module – headers->OptionalHeader.ImageBase);
The relocation data directory is an array of relocation blocks which are declared as IMAGE_BASE_RELOCATION structures.
  1. typedef struct _IMAGE_BASE_RELOCATION {
  2. ULONG VirtualAddress;
  3. ULONG SizeOfBlock;
Relocation data directory

Relocation Block 1                                        | Relocation Block 2
VAddr|SizeofBlock|desc1|desc2|desc3| VAddr|SizeofBlock|desc1|…
32b      32b                16b       16b      16b     |

Relocation descriptors in all relocation blocks, and for each descriptor, modify the pointed address to adapt it to the new base address in the distant process
  1. /* Copy module image in temporary buffer */
  2. RtlCopyMemory(tmpBuffer, module, moduleSize);
  3. /* Get data of .reloc section */
  4. PIMAGE_DATA_DIRECTORY datadir = &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
  5. /* Point to first relocation block copied in temporary buffer */
  6. PIMAGE_BASE_RELOCATION reloc = (PIMAGE_BASE_RELOCATION)(tmpBuffer + datadir->VirtualAddress);
  7. /* Browse all relocation blocks */
  8. while(reloc->VirtualAddress !=0)
  9. {
  10. /* We check if the current block contains relocation descriptors, if not we skip to the next block */
  11. if(reloc->SizeOfBlock >=sizeof(IMAGE_BASE_RELOCATION))
  12. {
  13. /* We count the number of relocation descriptors */
  14. DWORD relocDescNb = (reloc->SizeOfBlock – sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
  15. /* relocDescList is a pointer to first relocation descriptor */
  16. LPWORD relocDescList = (LPWORD)((LPBYTE)reloc + sizeof(IMAGE_BASE_RELOCATION));
  17. /* For each descriptor */
  18. for(i =0; i < relocDescNb; i++)
  19. {
  20. if(relocDescList[i]>0)
  21. {
  22. /* Locate data that must be reallocated in buffer (data being an address we use pointer of pointer) */
  23. /* reloc->VirtualAddress + (0x0FFF & (list[i])) -> add botom 12 bit to block virtual address */
  24. DWORD_PTR *p = (DWORD_PTR *)(tmpBuffer + (reloc->VirtualAddress + (0x0FFF & (relocDescList[i]))));
  25. /* Change the offset to adapt to injected module base address */
  26. *p -= olddelta;
  27. *p += delta;
  28. }
  29. }
  30. }
  31. /* Set reloc pointer to the next relocation block */
  32. reloc = (PIMAGE_BASE_RELOCATION)((LPBYTE)reloc + reloc->SizeOfBlock);
  33. }

Once the code is injected, hacker can attempt to call its functions.

Overall comment on above matter:

Above details only provide an idea to reader know your current situation in Cyber World.  There are more advanced hacking technique involved.  The motivation driven myself to do this quick research. My goals is going to let’s IT users know more in this regard.


Coming soon!
How does the advanced technology fight with Dark Power

Advanced technology against Dark Power










How to rescue yourself on this month. SMB flaw, apply to all windows platform


By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys

Blocking outbound SMB connections – TCP ports 139 and 445 along with UDP ports 137 and 138 – from the local network to the wide area network…..said US CERT

Reminder: Mrxsmb20.sys driver handles SMB 2.0 and SMB 3.0 traffic.

Windows OS design objective: In Windows 8, the SMB 3.0 protocol is supported. The Mrxsmb10.sys driver handles legacy SMB traffic, and the Mrxsmb20.sys driver handles SMB 2.0 and SMB 3.0 traffic.

Phenomenon: We have confirmed that without apply the patch on May those Windows 10 , Windows 8.1 client systems as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2 are all encountered SMB vulnerability. In the sense that it is vulnerable.

Current Situation 1: If you are windows OS home user (all windows OS platform), be aware and confirm apply below hot-fix to your home workstation.

Current Situation 2:If you are IT guy maintained whole bunch of MS windows server. You are the technical expert and believed that the hotfix you apply already. But I would like to bring your attention of on server SMB registry.

What’s the reason to point out the SMB registry. It is a quick way to isolate the problem once you suspect that you file server may encounter malicious attack. As a matter of fact, registry check is one of the fast path know what is happen in malware movement.

Regarding to the subject matter, our objective is going to discuss how to rescue yourself this month due to SMB flaw, right? I written an techincal article yesterday mainly highlight the SMB flaw. For more details, please find below url for reference.

Does SMB mess up the world? But he is sick always! …Wanacrypt0r, SMB worm,…etc

Any information update will keep posted. Thank you for your kind attention.

Does SMB mess up the world? But he is sick always! …Wanacrypt0r, SMB worm,…etc


Ransomware (#wanacrypt0r #wannacry #ransomware #wcry) outbreak since last Friday 12th May 2017 till this week. Believed that no room discuss here since you are easy to get the information update on internet. However SMB is our discussion topic today. As we know SMB ver 1 is the culprits of Wanacrypt. The side effect looks only affected outdated windows OS (2003,XP,Me and Vista) or recently end of support product (Windows 2008 instead of 2008 R2)! In the meantime, do you have issue to worry like myself on SMB version 2 and version 3?

SMB critical flaw historical background:

Vulnerability in Microsoft Windows SMB2 -_Smb2ValidateProviderCallback()  flaw found 2009.

An attacker could exploit this flaw to disable the remote host or to execute arbitrary code on it.
Solution: As a workaround, you can disable SMB2 by editing the registry.Under the hive HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters

Create the key ‘Smb2’ (of type REG_DWORD) and set it to ‘0’

On August 11, 2015 Microsoft released  SMB Server fix on SMB (MS15-083 – Microsoft Windows SMB Memory Corruption Vulnerability). An authenticated remote code execution vulnerability exists in Windows that is caused when Server Message Block (SMB) improperly handles certain logging activities, resulting in memory corruption. A successful exploit could corrupt memory in such a way as to allow the attacker to execute arbitrary code. A successful exploit could result in a complete system compromise.

SMB architecture

The structure of the header is as follows:

   UCHAR  Protocol[4];
   UCHAR  Command;
   SMB_ERROR Status;
   UCHAR  Flags;
   USHORT Flags2;
   UCHAR  SecurityFeatures[8];
   USHORT Reserved;


Why SMB always encounter vulnerabilities? Why old version of SMB need to stay on windows OS?

NSA surveillance  tool kit named EternalBlue exploits a vulnerability on SMB. From my personal point of view, not surprise! Since no operation systems are prefect, right! But the earliest time SMB encountered flaw was back time to 2009. A flaw was found on Microsoft SRV.SYS Driver. The symptom exploit that a Remote Code Execution vulnerability in Microsoft SMB Servers (WriteAndX Invalid DataOffset).

Remark: Srv.sys is a Windows driver. A driver is a small software program that allows your computer to communicate with hardware or connected devices. This means that a driver has direct access to the internals of the operating system, hardware etc (see below picture for reference). Microsoft suggest that Srv.sys should be set to start on demand since it is only communicate with old fashion client such as windows XP.

Command: sc config srv start=demand

Regarding to security vendor Rapid 7 findings on 2009, Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table exploits an out of bounds function table dereference in the SMB.

Looks irritating, we are not going to post all the flaws. But I am interested that is there something get wrong from fundamental design causes such non stop vulnerability. As far as I know, all SMB family are easy to causes vulnerable. Even though SMB3! An official announcement by Microsoft highlight that transferring files by using SMB2 or SMB3 causes memory leak on a windows computer (see below url for reference). And then Microsoft issued a hotfix held on 2017.

Our Observation:

Take the latest reference as an example. See how the weakness of SMB. Yes, it is not a SMB2 or 3.  Since SMB2 and SMB3 obtain their own design weakness on memory validation (see above description). OK, Let’s go. We start the journey.

Equation Group’s (NSA) wake up all the IT guys, attacker can easy initiate a Ring 0 attack relies on SMB. They  took below action:

  1. Determine x86 or x64
  2. Confirm and locate the IDT(Interrupt Descriptor Table) from the KPCR( (Kernel) Processor Control Region).
  3. Viewing Physical Memory Addresses in OllyDbg, Traverse backward from memory address. That means from end return to 1st interrupt handler to find ntoskrnl.exe base address.
  • If the beginning of the file does not begin with “MZ” or “ZM”, it is not an DOS or Windows executable image. Otherwise you may have one of the following types of executable formats: plain DOS, NE (Windows 16-bit), LE (16-bit VXD), PE32, or PE32+ (PE64).
  • Determine if you have a plain DOS executable by looking at the e_lfanew value. A plain DOS executable will have an out-of-range e_lfanew pointing outside of the limits of the file, a zero, or if the offset happens to be in range, the signature at its offset won’t match any signatures below.
  • Try to match the signature of the “in-range” offset pointed to by e_lfanew with the following WORD or DWORD values:
    "PE" followed by two zero bytes if the image is a PE32 or PE32+ (PE64) and is further determined by the "magic" in the NT Optional Header
    "NE" indicates the image is a 16-bit Windows executable
    "LE" indicates the image is a 16-bit Virtual Device Driver (VXD)

5. Reads ntoskrnl.exe’s exports directory, and uses hashes to find ExAllocPool/ExFreePool/ZwQuerySystemInformation functions.

Remark: If you would like to call ZwQuerySystemInformation, a parameter need attach with the command. You must input buffer as size of SYSTEM_PROCESS_INFORMATION. And then checking the return value and return requied size. If the return is not success, you must make the second call with input buffer of requied size (i.e.size return from the first call).

6. Calls ZwQuerySystemInformation with the SystemQueryModuleInformation argument, which loads a list of all drivers. It uses this to locate Srv.sys, an SMB driver.

7. Switches the SrvTransactionNotImplemented() function pointer located at SrvTransaction2DispatchTable[14] to its own hook function.

Remark: Npp buffer + 0x100 directly written before the leak out of the function table

Above scenario happen SMB or SMB v1 only.  But when we know SMB2 and SMB3 also found vulnerability on memory side.  My research is on the way, my friend I will keep you posted if there is anything updating.

Are 64-bit OS malware proof?



As we known, computer process direct work with Kernel (Ring 0) is quite dangerous. More realistic to say is that Real mode, also called real address mode, is an operating mode of all x86-compatible CPUs. Real mode provides no support for memory protection, multitasking, or code privilege levels. Windows 95 executes drivers and process switching in ring 0, while applications, including API DLL such as kernel32.dll and krnl386.exe are executed in ring 3.

We found trick on Windows 10. For instance,  you are allow to run 16 bit application on 32 bit (Window 10) operating system. But not allow to run 16 bit application on 64 bit (Windows 10) OS.

Why? A processor limitation of 64 bit OS to execute (non-protected mode) 16-bit code. The 64-bit versions of Windows include 32-bit protected mode runtime libraries, but do not include any 16-bit protected mode runtime libraries. But how’s the mystery allow execute a Dos command prompt on 64-bit (Windows 10)OS? The Dos emulator make the magic.

The kernel of windows 10 is located at top of memory. The 64 bit OS of memory support 3.5GB RAM above, hacker have difficulties to find out the kernel process finger print in memory. Apart from that, the 64 bit operating system Kernel executable not direct reachable! Since it can’t communicate with kernel directly. Therefore a common criteria consensus 64 bits OS is malware proof.

Have you heard the weakness of superman? Kryptonite are able to reduce his power?

The origin story of Superman relates that he was born on the planet Krypton. Kryptonite is a radioactive mineral from Krypton. It was produced during explosion of Krypton. Kryptonite are able to reduce superman power. A similar scenario of 64 bit OS system. Since Kernel executable not reachable. However PAGE TABLE is loaded below 4GB. So it is possible to do the follow concept to unlock windows 10.

Viewing and Editing Registers in WinDbg

Solution: Self-ref entry technique

Reference: In 32 bits, this entry is usually located in the PAGE DIRECTORY, even with PAE enabled.
In 64 bits, this entry is located in the PML4

  • CPU CR3 register point to physical address (PA) of PML4
  • PML4(entry) point to PA of PDPT
  • PDPT(entry) point to PA of PD
  • PD(entry) point to PA of PT
  • PT contains Page Table Entries

As a result a re-used entry in the four paging levels, which means that this is used by the CPU as PML4 entry, PDPT entry, Page Directory entry and Page Table entry at the same time.

Busy this week, allow for me to complete the remaining part next week, Sorry!

Conduct self assessment enhance your cyber security setup


Although your in house IT setup has SIEM, IDS, IPS, ..etc. But you may have questions? What is the defense criteria. Yes, we fully understand that install full scope of defense mechanism might mitigate the risk, right? Implement the IT strategic outsourcing.  Enforce the follow the Sun policy. Deploy the management security service.  But think it over, those defense mechanisms are involve human operation.  Perhaps the SLA agreement of your services provider promises 99.99 % response time. But cyber security incident handling method far away with normal IT operation framework. For instance, engage the forensic investigation sometimes consume time to isolate the problem. As a matter of fact, SLA looks like a value. The quicker you receive email reply or return phone call did not imply it boots up the value of cyber incident management.


Now we look back the cyber incident history. The security experts and security analysis Guru are summarized the key factors of the weakness of IT infrastructure today. No matter how was the size of your firm. Below key elements can guide you to the appropriate approach.

Weaknesses of IT domain – Key elements

  1. Unauthenticated protocols
  2. Outdated hardware
  3. Weak user authentication
  4. Weak file integrity checks
  5. Vulnerable Windows operating systems
  6. Undocumented third-party relationships

If your firm is able to compliance above 6 items of key elements. I was say congratulation to you. But for the realistic point of view, I believed that it is not easy to archive. For instance, you application development team is going to enhance the application. However the application integrate with a legacy product. Furthermore the legacy product is retired of their product life cycle. You know what is the weakness and the vulnerabilities. As a matter of fact, it is not possible to inform your management team suspend the project process since this is a business objective. Similar fashion of  scenario you might encountered or familiar.  Any idea or resolution to resolve such business habit forming manner. Since all the final decision will be decide by CSO, CIO or coporate management team. But at least following hints can give more space to you for thinking of this subject matter.


Use a security controls matrix to justify controls and identify the weakness of the specifics area. The design goal is that take the benefit of matrix table for simplification terms. Thus provide a straight forward path which can apply to the key objective area. Since we all tech guy and no need to mention in depth. For more details, please see below:

Base on the 6 key elements of weakness in overall IT Infrastructure. Below assessment tool can provides an overall idea to you which area of weakness encountered in your shop.


authenticated protocols Availability SSL or VPN (Ipsec) Change control policy
Router (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Switch (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Firewall (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Managed security service (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Cloud Farm (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)
Outdated Hardware Still operate In-House hardware lifecycle policy
Router (OS obsoleted) Yes(0)/No(1) Yes(1)/No(0)
Switch (OS obsoleted) Yes(0)/No(1) Yes(1)/No(0)
Firewall (OS obsoleted) Yes(0)/No(1) Yes(1)/No(0)
Sever (Vendor support – End of Life) Yes(0)/No(1) Yes(1)/No(0)
PABX (CTI server) Yes(0)/No(1) Yes(1)/No(0)
Total score Full score (5) Full score (5)
user authentication ID asset management Single sign-on feature
Router Logon access Yes(1)/No(0) Yes(0)/No(1)
Switch Logon access Yes(1)/No(0) Yes(0)/No(1)
Firewall Logon access Yes(1)/No(0) Yes(0)/No(1)
Privileges ID Yes(1)/No(0) Yes(0)/No(1)
Application program service ID Yes(1)/No(0) Yes(0)/No(1)
Total score Full score (5) Full Score (5)
File integrity check Top Secret / Confidential Data Data classification Policy
Server Yes(1)/No(0) Yes(1)/No(0)
Web Application (External) Yes(1)/No(0) Yes(1)/No(0)
Web Application (Internal) Yes(1)/No(0) Yes(1)/No(0)
Database (DB) Yes(1)/No(0) Yes(1)/No(0)
Cloud farm Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)
Vulnerability management Zero day & critical patch Incident management procedure
Router Yes(1)/No(0) Yes(1)/No(0)
Switch Yes(1)/No(0) Yes(1)/No(0)
Firewall Yes(1)/No(0) Yes(1)/No(0)
Server Yes(1)/No(0) Yes(1)/No(0)
Application Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)
3rd Party relationship Responsibilities (scope of works and support level of cyber security incident) Dedicated subject matter expert implement in this role
Management security services Yes(1)/No(0) Yes(1)/No(0)
Web Hosting Yes(1)/No(0) Yes(1)/No(0)
Application (Vendor service support token) Yes(1)/No(0) Yes(1)/No(0)
Hardware maintenance (services provider) Yes(1)/No(0) Yes(1)/No(0)
Network (MPLS, Frame-link, Internet line, Boardband..etc) Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)


What is your over performance score on above matrix table?  If it is not suitable to your environment. No problem, please go ahead to modify the criteria and try to fit to your project scope. Even though external auditor engage the risk assessment they are using the same idea.  Good luck to all of you!