Need some SSNs???

November 13th, 2010

No, I haven’t gone rogue selling PII, I needed a file with some fake SSNs for a class I’m teaching.  Sort of a “flag” if you will.  Fire up the Python shell and this one is no problem.

import random

random.seed()  # seed from OS entropy (also what Python does on import)

def getone():
    # one random decimal digit; randint takes two arguments, 0 and 9 inclusive
    return random.randint(0, 9)

for i in range(1000):  # 1000 iterations; range(1, 1000) would only give 999
    print("%d%d%d-%d%d-%d%d%d%d" % (getone(), getone(), getone(), getone(),
                                   getone(), getone(), getone(), getone(), getone()))

Yep, that’s all it takes to get 1000 fake SSNs.  Need more?  Change the value in the range statement.
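One caveat with drawing nine independent digits: the result can be 000-xx-xxxx, 666-xx-xxxx, 9xx-xx-xxxx, xxx-00-xxxx or xxx-xx-0000, none of which the SSA ever issues, so a validator (or a DLP rule) that knows those ranges will reject a share of the file. The following is an added example, not the original post’s code, that generates only structurally plausible fake SSNs and includes the matching check; is_plausible_ssn, fake_ssn and fake_ssns are names chosen here, and the sample values in the test are constructed.

```python
import random
import re

# Never-issued ranges per SSA structure rules: area 000, 666 and 900-999,
# group 00 and serial 0000.
INVALID_AREAS = {0, 666} | set(range(900, 1000))
SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def is_plausible_ssn(s):
    """True if s has the NNN-NN-NNNN shape and avoids the never-issued ranges."""
    m = SSN_RE.match(s)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in INVALID_AREAS and group != 0 and serial != 0


def fake_ssn(rng):
    """Draw one fake SSN that passes is_plausible_ssn (rejection-sample the 666 area)."""
    while True:
        area = rng.randint(1, 899)        # skips 000 and 900-999 outright
        group = rng.randint(1, 99)        # skips 00
        serial = rng.randint(1, 9999)     # skips 0000
        if area != 666:
            return "%03d-%02d-%04d" % (area, group, serial)


def fake_ssns(n, seed=None):
    """Return n fake SSNs; pass a seed to get a reproducible file for a class."""
    rng = random.Random(seed)             # seed=None -> OS entropy, like random.seed()
    return [fake_ssn(rng) for _ in range(n)]


if __name__ == "__main__":
    for s in fake_ssns(1000):
        print(s)
```

A fixed seed is handy when the fake file is a flag for a class: you can regenerate the exact same list later to check submissions against it.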

Programatically parsing PCAP files

September 12th, 2010

So I was working on a college assignment where I was asked to characterize large amounts of data contained in PCAP files to isolate particular traits, particularly TCP retransmission. I’ll note for those who don’t know that I’m REALLY lazy by default and didn’t want to spend all evening hand cramming data from tcpdump into some file for analysis.

First I thought about just running tcpdump from the command line and parsing the text output for analysis. Retransmissions are pretty easy to find since they will have duplicate sequence numbers. Then I thought I shouldn’t depend on tcpdump since it will be a multi-step process (run tcpdump to output to a file, then ingest that file).

So I downloaded pcap and dpkt for Python from Google Code. The documentation on dpkt is a little sparse, but I was able to get something going. I’ll post some code once I clean it up, but there are a couple of things worth noting.

1. My code assumed all frames are Ethernet. That’s easy since I’m capturing from an Ethernet device (and so were the sample files I was given). Once you have the packet from pcap (called “pkt” in this example), have dpkt parse it for you using:

eth = dpkt.ethernet.Ethernet(pkt)

2. Getting the IP and TCP structures is as easy as getting the “data” from each upper encapsulating layer using:

ip = eth.data
tcp = ip.data

3. It isn’t that easy. If we are looking for tcp data, we need to make sure we only deal with TCP, which is IP protocol number 6 and not UDP or something else. Before getting the data from the ip packet (or treating that data as if it’s TCP), make sure it really is:

if ip.p != 6:  # this isn't TCP, so we don't care in this case
    continue

4. Even treating the eth.data field as IP is a bad idea. ARP will bite you there since it doesn’t have a protocol field. Defensive programming is your friend.

if not isinstance(ip, dpkt.ip.IP):  # ARP, IPv6 and friends never reach the TCP check
    continue

So there were my quick pitfalls. Like I said, I’ll try to post some code later when it gets cleaned up. For now, don’t assume Ethernet packets have an IP payload and don’t assume that IP packets are TCP and you should be good to find any duplicate sequence numbers.
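Here is the whole procedure in one piece, as an added example and not the post’s own (still unpublished) code. It deliberately uses only the standard library rather than dpkt, so the pitfalls above show up as explicit checks: a frame whose EtherType is not IPv4 (ARP) is skipped, an IP packet whose protocol number is not 6 (UDP) is skipped, and only TCP segments that carry a payload are compared by sequence number. The capture is constructed inline in memory (a fake Ethernet/IPv4/TCP trace with one segment sent twice); pcap_frames, tcp_segment and find_retransmissions are names chosen here. Python 3.

```python
import struct
from collections import defaultdict

ETH_P_IP = 0x0800     # EtherType for IPv4; ARP is 0x0806 and carries no IP header at all
IPPROTO_TCP = 6       # IP protocol number for TCP (UDP is 17)
DLT_EN10MB = 1        # pcap link type for Ethernet


def pcap_frames(data):
    """Yield the raw link-layer frames from a classic pcap file held in memory."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(order + "I", data[20:24])
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 34:                 # shorter than Ethernet + minimal IPv4 header
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_IP:           # pitfall 4: ARP etc. have no IP header
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != IPPROTO_TCP:            # pitfall 3: UDP, ICMP, ... are not TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4
    return src, sport, dst, dport, seq, len(tcp) - data_offset


def find_retransmissions(data):
    """Return (src, sport, dst, dport, seq) keys seen more than once with a non-empty payload."""
    seen = defaultdict(int)
    dups = []
    for frame in pcap_frames(data):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, sport, dst, dport, seq, payload_len = seg
        if payload_len == 0:            # pure ACKs legitimately repeat seq; ignore them
            continue
        key = (src, sport, dst, dport, seq)
        seen[key] += 1
        if seen[key] == 2:              # report each retransmitted segment once
            dups.append(key)
    return dups


# --- constructed sample capture (not a real trace): ARP, UDP, then one TCP segment sent twice ---
def _eth(ethertype, payload):
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload

def _ipv4(proto, src, dst, payload):
    # header checksum left at zero: we only parse this, we never send it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def _tcp(sport, dport, seq, payload):
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
HTTP_GET = _tcp(40000, 80, 1000, b"GET / HTTP/1.0\r\n")
SAMPLE_PCAP = _pcap([
    _eth(0x0806, bytes(28)),                                    # ARP: no IP header
    _eth(ETH_P_IP, _ipv4(17, A, B, bytes(12))),                 # UDP, not TCP
    _eth(ETH_P_IP, _ipv4(IPPROTO_TCP, A, B, HTTP_GET)),
    _eth(ETH_P_IP, _ipv4(IPPROTO_TCP, A, B, HTTP_GET)),         # same seq again: retransmission
    _eth(ETH_P_IP, _ipv4(IPPROTO_TCP, A, B, _tcp(40000, 80, 1016, b"Host: example\r\n"))),
])

if __name__ == "__main__":
    for key in find_retransmissions(SAMPLE_PCAP):
        print("retransmitted: %s:%d -> %s:%d seq=%d" % key)
```

To run it over a real file, replace SAMPLE_PCAP with open(path, "rb").read(); the keying on (src, sport, dst, dport, seq) keeps separate connections from colliding on the same sequence number, and skipping zero-length segments avoids counting every ACK as a retransmission.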

Data loss prevention fails in classified environments…

June 26th, 2010

If you are ignoring DLP concerns, this should wake you up.  Remember that no matter how much money and time you put into perimeter network defenses, the insider threat is still present.  I’d hazard the guess that the Army spent much more time and money vetting this guy than you do your employees.  His attitude, evident in the chats, is revealing: he really believes he’ll never be caught.  Honestly, with no DLP solution in place, he probably would not have been, had he not confided in someone before planning to leak the information.

http://blogs.techrepublic.com.com/itdojo/?p=1860&tag=nl.e103

Cool site with lots of virus samples

June 1st, 2010

I was looking for information on an AV hit today when I came across this site.  Surely it doesn’t have weaponized samples available for download…  But it does.  Very cool.  Neat place to get samples for self-study (that is if you don’t already have enough samples as it stands now…).

http://vx.netlux.org/

Coolest Google Search Picture Ever!

May 22nd, 2010

The playable Flash-based Pac-Man game on the Google search picture today is the coolest one ever. Google never ceases to amaze me in the things they come up with.

NTCore CFF explorer

May 17th, 2010

I found a neat tool out on the net today from NTCore.com.  The tool is called CFF Explorer (I got the whole tool suite).  There is a PE scanning utility which is nothing really new, but the explorer utility does include a PE rebuilder and a resource editor.  I haven’t tried the rebuilder yet to verify it works.  Don’t have anything cool to play with right now.

The really cool tool in the suite is the Signature Explorer.  This allows you to load a number of executables and scan for a common pattern among them.  Really this is best used to find common compiler strings in a family of malware and is something you could do manually, but I like the automatic functionality it provides.  I’ll be using this some to get a first guess of whether several pieces of malware are related.

Beware, the website is VERY slow.

Logging keys using the windows API

April 26th, 2010

You probably know about SetWindowsHookEx().  I knew about WH_KEYBOARD but I’ve never used WH_KEYBOARD_LL.  This allows you to hook at a lower level than WH_KEYBOARD.  There is some interesting example code I found that demos how to use the hook (although not for anything nefarious).

http://www.codeproject.com/KB/cpp/ForTheKids.aspx

I want to caveat that I haven’t had a chance to compile the code yet.  I’ll make sure to do that this week and post additional comments.  I’d be interested in writing some thread injection code to get this into a remote process and log a specific application’s keystrokes using this method.

Long time, not here

April 25th, 2010

It’s been a long time since I’ve been here.  Busy with quite a lot of fun stuff.  I was reading into some information on malware analysis and found this (somewhat dated) information on the PE/COFF file format.  I’m a sucker for anything that includes C source code though.  Again, I’ll point out that this is dated, so much so that it includes contact information via CompuServe…

http://msdn.microsoft.com/en-us/library/ms809762.aspx

The portion of the article that discusses sections was probably the most useful to me.  I have to confess that despite the fact that I feel like I understand the PE format, I still find myself scratching my head once in a while.  Any fresh read I can get on the specification (other than what MS calls “documentation”) can be a breath of fresh air.

Now, not all the source code for the pedump program is in the article.  Well, that isn’t cool.  With a little help from Google, I was able to track the author back to his website at http://www.wheaty.net/.  The complete source code for this and some other projects is on his website.

This led me to another gem that I can honestly say I haven’t read yet (it is getting late), reducing the size of an executable through a number of means.  My favorite is removing the relocations.  The source code is available on the web site above and the article is available at http://www.microsoft.com/msj/archive/S572.aspx.
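Since the section table was the part of the article I got the most out of, here is the walk that pedump does for it, as an added example in Python rather than the article’s C (this is not pedump’s code). It follows e_lfanew from the DOS header to the “PE\0\0” signature, reads the COFF file header, skips the optional header by its stated size, and decodes each 40-byte IMAGE_SECTION_HEADER, then flags two things an analyst looks at first: a section that is both writable and executable, and a section whose raw data runs past the end of the file. The input is a constructed minimal PE built in memory (not a real binary; the “UPX1” name just mimics a packer section); pe_sections and suspicious_sections are names chosen here.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER, little-endian
COFF_HDR = "<HHIIIHH"          # 20-byte IMAGE_FILE_HEADER that follows "PE\0\0"


def pe_sections(data):
    """Walk the section table of a PE image held in memory; one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(COFF_HDR, data, coff)
    table = coff + 20 + opt_size           # section headers sit right after the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "raw_offset": rawptr,
            "characteristics": chars,
        })
    return sections


def suspicious_sections(data):
    """Return (section name, reason) pairs for W+X sections and raw data past end of file."""
    findings = []
    for s in pe_sections(data):
        wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
        if s["characteristics"] & wx == wx:
            findings.append((s["name"], "writable and executable"))
        if s["raw_offset"] + s["raw_size"] > len(data):
            findings.append((s["name"], "raw data extends past end of file"))
    return findings


# --- constructed minimal PE: DOS header, PE signature, COFF header, no optional header, 2 sections ---
def _section(name, vsize, va, rawsize, rawptr, chars):
    return struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

def _build_sample():
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)              # e_lfanew at 0x3C -> offset 64
    coff = struct.pack(COFF_HDR, 0x14C, 2, 0, 0, 0, 0, 0x0102)   # i386, 2 sections, SizeOfOptionalHeader 0
    hdr_end = 64 + 4 + 20 + 2 * 40
    text = _section(b".text", 0x100, 0x1000, 0x100, hdr_end, 0x60000020)           # code, r-x
    upx = _section(b"UPX1", 0x5000, 0x2000, 0x100, hdr_end + 0x100, 0xE0000040)    # data, rwx
    return dos + b"PE\0\0" + coff + text + upx + bytes(0x100)                       # only .text raw bytes present

SAMPLE_PE = _build_sample()

if __name__ == "__main__":
    for s in pe_sections(SAMPLE_PE):
        print("%-8s VA=0x%08x VSize=0x%x Raw=0x%x@0x%x Chars=0x%08x" % (
            s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"], s["raw_offset"], s["characteristics"]))
    for name, reason in suspicious_sections(SAMPLE_PE):
        print("suspicious: %s: %s" % (name, reason))
```

A real loader would also need the optional header, but nothing in the section walk depends on its contents beyond its size, which is why SizeOfOptionalHeader can be zero in the constructed sample. A VirtualSize far larger than SizeOfRawData, as on the constructed “UPX1” section, is the other classic sign of a packed image.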

Windows file locking

November 22nd, 2008

I am pretty new to Windows system programming and the topic of file locking has sort of eluded me (how one process can absolutely lock a file and how to circumvent this).  I got to looking at the CreateFile() call and given that a flag is passed to the function to dictate file locking behavior, it seems that the flag could simply be changed in memory if you can find the file handle in the process’s memory space.  I’ll have to investigate further and will post proof of concept code if it works…

EnyeLKM

October 6th, 2008

I had to do some malware research this fall for my master’s degree and was able to do it on Linux rootkits, specifically EnyeLKM. I posted most of my research on my wiki.