Dailydave mailing list archives
INNUENDO OPSEC THOUGHTS - Windows is Pythonic
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 30 Jan 2014 12:13:11 -0500
So the Python way is that there is really only one correct way to do it (and that way is easy to read and understand but medium slow and quite verbose). This is in stark opposition to the Orcish lineage of horrible evil that derives from Perl, where there are a million ways to do it, each worthy of an obfuscated code challenge and requiring a PhD in complexity theory to understand. This is an emergent property that comes from some of the base design decisions, but which has no real "name" or math behind it.

Windows implants are Pythonic in this way. When writing implants for Windows, there is really only one "correct" way to do things, which in some ways is quite nice but of course scares me a bit as well from an OPSEC perspective. The interplay of tokens, threading models, APIs, and kernel objects restricts the way you program for Windows into just a few channels.

You can illustrate this with a simple question: How does your implant capture screens? Capturing a screen in Windows can be done in many ways, but when you write trojans for the corporate world you will have to deal with Citrix (which is used extensively). So if you have chosen, say, DirectX to capture screens, you may be going the wrong direction. In fact, there are many screens running on their own "Desktops", and running as local system you cannot access them easily (as far as *I* know). So you want to at some point be running in the user context of all the different users to capture all their screens - and you can start up processes as them from LSASS to do so if you choose, but you can't do it directly from a SYSTEM-owned process with thread impersonation (which is what you'd really want). At some point all the APIs become gobbledygook and you realize that to do this simple job right you'll have to inject into other processes running as those users, one way or the other. But what exactly do you inject into them, and how does this thingy communicate back to you?

These questions continue, and there really is only one correct answer to each one, forcing almost all trojans in this space to act very similarly (or just bail out into kernel-space, which has its own issues). This bizarre Pythonic emergent property is an interesting thing, since in Unix, which is in some ways a simpler design, you will feel like there are a lot more ways to write a trojan "correctly".

-dave
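The constraint Dave describes (a SYSTEM process sees only its own window station and desktop, not the desktops of logged-on users) is easy to verify rather than take on faith. The PowerShell below is an added diagnostic, not code from the post or from Immunity: it reports the session, window station and desktop the current process is attached to, lists the interactive sessions on the host, and captures whatever screen is visible from that window station. Run it once from an interactive logon and once as SYSTEM (for example from a service or a scheduled task) and compare. The use of one explorer.exe per interactive session as a session enumerator is an assumption and a heuristic; the function and variable names are mine.

```powershell
# Added diagnostic (not from the original post): where does this process "live",
# and what can it see? Demonstrates the window-station/desktop boundary that
# forces the "run as the user in their session" design the post describes.
Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Win32 -Name UserObj -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetProcessWindowStation();
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetThreadDesktop(uint dwThreadId);
[DllImport("kernel32.dll")]
public static extern uint GetCurrentThreadId();
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool GetUserObjectInformation(IntPtr hObj, int nIndex,
    System.Text.StringBuilder pvInfo, uint nLength, out uint lpnLengthNeeded);
'@

function Get-UserObjectName([IntPtr]$Handle) {
    # UOI_NAME (2) returns the object name, e.g. "WinSta0" or "Default".
    $sb = New-Object System.Text.StringBuilder 256
    $needed = [uint32]0
    if (-not [Win32.UserObj]::GetUserObjectInformation($Handle, 2, $sb, 256, [ref]$needed)) {
        throw "GetUserObjectInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $sb.ToString()
}

function Get-ProcessPlacement {
    # Session ID comes straight from .NET; window station and desktop need user32.
    $proc = [System.Diagnostics.Process]::GetCurrentProcess()
    [pscustomobject]@{
        User          = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        SessionId     = $proc.SessionId
        WindowStation = Get-UserObjectName ([Win32.UserObj]::GetProcessWindowStation())
        Desktop       = Get-UserObjectName ([Win32.UserObj]::GetThreadDesktop([Win32.UserObj]::GetCurrentThreadId()))
    }
}

function Get-InteractiveSessions {
    # Assumption/heuristic: every interactive logon runs its own explorer.exe.
    # -IncludeUserName needs elevation; degrade to session IDs only if it fails.
    try {
        Get-Process -Name explorer -IncludeUserName -ErrorAction Stop |
            Select-Object -Unique SessionId, UserName
    } catch {
        Get-Process -Name explorer -ErrorAction SilentlyContinue |
            Select-Object -Unique SessionId
    }
}

function Save-VisibleScreen([string]$Path) {
    # Captures only the desktop of the window station this process is attached to.
    # From Session 0 / a non-interactive window station this throws or yields an
    # empty frame; it never shows another user's desktop or Citrix session.
    $bounds = [System.Windows.Forms.SystemInformation]::VirtualScreen
    if ($bounds.Width -le 0 -or $bounds.Height -le 0) {
        throw "No displayable desktop visible from window station '$((Get-ProcessPlacement).WindowStation)'"
    }
    $bmp = New-Object System.Drawing.Bitmap -ArgumentList $bounds.Width, $bounds.Height
    $g = [System.Drawing.Graphics]::FromImage($bmp)
    try {
        $g.CopyFromScreen($bounds.Left, $bounds.Top, 0, 0, $bmp.Size)
        $bmp.Save($Path, [System.Drawing.Imaging.ImageFormat]::Png)
    } finally {
        $g.Dispose(); $bmp.Dispose()
    }
    $Path
}

# Usage: compare the output of these three calls from an interactive shell and from SYSTEM.
Get-ProcessPlacement | Format-List
Get-InteractiveSessions | Format-Table -AutoSize
try { Save-VisibleScreen (Join-Path $env:TEMP 'visible-desktop.png') }
catch { Write-Warning "Capture failed: $($_.Exception.Message)" }
```

Interactively you should see WinSta0 / Default in your own session and a real PNG. As SYSTEM in Session 0 the placement changes to a service window station and the capture fails or is blank even though Get-InteractiveSessions still lists the users' sessions. That gap is exactly why the post ends up at "start a process as that user in that session, or inject into one that already runs there": the desktop handle is bound to the process and its window station, and thread impersonation alone does not move it.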