Dailydave mailing list archives
Systems Programming
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 06 Jan 2014 16:11:14 -0500
So the thing about writing trojans is that they end up being large scale systems programs. What I mean by that is, one second you're thinking about all the cool stuff you can do with covert channels and P2P networks and internal cryptographics, and the very next second, once any of that stuff is even halfway working, you are neck deep in figuring out COM programming and what the hell an Apartment Threading Model is. Windows NAMES all the painful parts of large scale distributed programming models, but that doesn't mean it's easy to conceptualize them unless you are essentially a Monk who spent years laboring in the coal mines of ole32.dll.

But as a trojan writer ("Penetration testing tool writer"), you need to somehow make the horrible parts bearable so that people can use the system to do fancy things (C&C through Adobe Reader or Word!) without having to wonder what API it is you call to check to see if your token is in fact a domain impersonation token, or a delegation token, or whatever.

MOSDEF was an attempt at this in a smaller way - even calling Windows APIs from shellcode can be a huge pain in the ass because of the giant structures they take in and output on a regular basis. MOSDEF solves this problem by compiling structs and accesses to them into shellcode that runs on your target in a half-way sane way. But INNUENDO is different - much bigger and of course with a "richer" language of primitives. Nevertheless, you'll find yourself in ctypes more often than I'd like, and a lot of our work is minimizing this so that there is a "right way" to do everything Windows related.

To summarize: People think that trojans survive based on their covert channel wizardry or clever obfuscation. But the best trojans survive by offering a better API for systems programming than anyone else.

As an example, many times you will break into a Windows network and steal some user credentials. That user may be able to have interactive logon to a hundred machines or so. One feature you can add to your trojan is the ability to install itself on any one of those machines chosen at random, and then uninstall the original. To migrate, in other words. Fun, huh?

-dave