Dailydave mailing list archives

VPC


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 21 Feb 2008 07:54:05 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat 
Federal, I learned the hard way that VPC moves memory all around and 
your previously great universal addresses don't work. So you'll end up 
trying really hard to find an address that defeats SafeSEH on 2003 SP0 
in 15 minutes or less.

Also, I notice there are a lot of companies doing automated Incident 
Response or malware analysis now.

Zynamics' VxClass is obviously one of my favorites.
HBGary has retooled Inspector into a tool ("Responder") that can read 
and analyze physical memory dumps.
Mandiant has their new tool out.
Norman had a SoftICE-looking sandbox-like thing on display.
There's another one called CWSandbox that has a free web form you can 
send exes to. (They hook a bunch of things, but I think you can escape 
the hooking by calling system calls directly?)

And let me also put it this way: If you have a source code analyzer 
product booth, and you don't let people write little C programs and have 
them analyzed, it's really annoying.

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHvXRstehAhL0gheoRApfGAJ9Bqr7bW57kHPSxkoExDbLs+kQ3eQCdE5Of
o+Wc9Ml2BVcy2h0aoFJC630=
=lAdf
-----END PGP SIGNATURE-----
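The hook-escape question in the CWSandbox remark above, as an added example that is not part of Dave's message or of any product he names: a user-mode API hook only observes calls that pass through the hooked function, so a direct system call slips past it. This is a constructed Linux/glibc illustration of that general mechanism, where an interposed write() stands in for a sandbox's API hook and the payload string is made up; it does not reproduce CWSandbox's actual hooks, nor the Windows-specific syscall numbers and stubs an evasion on that platform would need.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>

/* glibc declares syscall() under _GNU_SOURCE/_DEFAULT_SOURCE; this
 * compatible redeclaration keeps the file building if a stricter feature
 * set is in effect. */
extern long syscall(long number, ...);

static int hook_hits = 0;

/* Constructed "sandbox hook": because this executable defines write(),
 * every call to write() from this program binds here instead of libc.
 * A real sandbox would log fd/buf/n; here we only count the call and
 * pass it through to the kernel. */
ssize_t write(int fd, const void *buf, size_t n) {
    hook_hits++;
    return syscall(SYS_write, fd, buf, n);
}

int hook_hit_count(void) { return hook_hits; }

/* Well-behaved path: goes through the API, so the hook sees it. */
ssize_t via_api(int fd, const char *s) {
    return write(fd, s, strlen(s));
}

/* Evasive path: issues the system call directly and never touches
 * write(), so a hook at the API layer sees nothing. */
ssize_t via_syscall(int fd, const char *s) {
    return syscall(SYS_write, fd, s, strlen(s));
}

/* Runs one path against /dev/null and returns how many times the hook
 * fired during that call (constructed payload string). */
static int count_hits(ssize_t (*path)(int, const char *)) {
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0) return -1;
    int before = hook_hits;
    path(fd, "constructed sample payload\n");
    int delta = hook_hits - before;
    close(fd);
    return delta;
}

int hits_via_api(void)     { return count_hits(via_api); }
int hits_via_syscall(void) { return count_hits(via_syscall); }

int main(void) {
    printf("hook fired for API call:     %d time(s)\n", hits_via_api());
    printf("hook fired for direct syscall: %d time(s)\n", hits_via_syscall());
    return 0;
}
```

Build with `gcc -Wall hook_bypass.c -o hook_bypass` and run it; the first path registers one hit and the second registers none. The caveat a practitioner would want: this only defeats monitoring placed in user mode at the API layer. A monitor that sits at the syscall boundary (a kernel driver, a syscall-table or ptrace-based tracer, or the hypervisor in a VM-based sandbox) still sees the raw call.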

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

