Dailydave mailing list archives
VPC
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 21 Feb 2008 07:54:05 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat Federal, I learned the hard way that VPC moves memory all around and your previously great universal addresses don't work. So you'll end up trying really hard to find an address that defeats SafeSEH on 2003 SP0 in 15 minutes or less. Also I notice there are a lot of companies doing automated Incident Response or malware analysis now. Zynamic's VxClass is obviously one of my favorites. HBGary has retooled Inspector into a tool ("Responder") that can read and analyze physical memory dumps. Mandiant has their new tool out. Norman had a softice-looking sandbox-like thing on display. There's another one called CWSandbox that has a free web form you can send exe's to. (They hook a bunch of things but I think you can escape the hooking by calling system calls directly?) And let me also put it this way: If you have a source code analyzer product booth, and you don't let people write little C programs and have them analyzed, it's really annoying. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHvXRstehAhL0gheoRApfGAJ9Bqr7bW57kHPSxkoExDbLs+kQ3eQCdE5Of o+Wc9Ml2BVcy2h0aoFJC630= =lAdf -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- VPC Dave Aitel (Feb 21)
- Re: VPC Jared DeMott (Feb 21)