Dailydave mailing list archives

Re: VPC


From: "Anthony Lineberry" <anthony.lineberry () gmail com>
Date: Mon, 25 Feb 2008 19:34:24 -0800

On Thu, Feb 21, 2008 at 4:54 AM, Dave Aitel <dave () immunityinc com> wrote:

 So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat
 Federal, I learned the hard way that VPC moves memory all around and
 your previously great universal addresses don't work. So you'll end up
 trying really hard to find an address that defeats SafeSEH on 2003 SP0
 in 15 minutes or less.

 Also I notice there are a lot of companies doing automated Incident
 Response or malware analysis now.

 Zynamics' VxClass is obviously one of my favorites.
 HBGary has retooled Inspector into a tool ("Responder") that can read
 and analyze physical memory dumps.
 Mandiant has their new tool out.
 Norman had a softice-looking sandbox-like thing on display.
 There's another one called CWSandbox that has a free web form you can
 send exes to. (They hook a bunch of things but I think you can escape
 the hooking by calling system calls directly?)

 And let me also put it this way: If you have a source code analyzer
 product booth, and you don't let people write little C programs and have
 them analyzed, it's really annoying.

 - -dave


 _______________________________________________
 Dailydave mailing list
 Dailydave () lists immunitysec com
 http://lists.immunitysec.com/mailman/listinfo/dailydave


Is this sandboxing running outside of the hypervisor or inside?
One thing I've been messing with lately is sandboxing from outside the guest
OS by modifying a hypervisor to manipulate the kernel through external
hooks. I'm really curious if this has been done before and if I'm just
reinventing the wheel.

-- 
Anthony Lineberry
http://www.dtors.org

