Archive for September 9th, 2008

Learning IDA

Tuesday, September 9th, 2008

I discovered today that great IDA book was published last month:

The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler

Buy from Amazon

Curious about this published book I did some digging and finally ordered it because in the past I was always interested in knowing more about IDA after reading about it in some reverse engineering and disassembly books (more about them later) but was somewhat dissatisfied with IDA freeware version 4.3. The last argument in buying the book was my discovery that the new freeware version is available 4.9 which looks much better:

http://www.hex-rays.com/idapro/idadownfreeware.htm

I’ll keep investigating it for the purposes of memory dump analysis.

- Dmitry Vostokov @ DumpAnalysis.org -

Hardening Dump Security: beware of PEB data

Tuesday, September 9th, 2008

Previously I wrote about security options in WinDbg but recently discovered that PEB is included with sensitive data for full user dumps despite stack and page cleaning and removing module paths. Module paths are removed indeed from lmv command output but _PEB.Ldr lists contain full module path information:

0:000> dt _PEB Ldr
ntdll!_PEB
   +0x018 Ldr : Ptr64 _PEB_LDR_DATA

0:000> dt _PEB_LDR_DATA
ntdll!_PEB_LDR_DATA
   +0x000 Length           : Uint4B
   +0x004 Initialized      : UChar
   +0x008 SsHandle         : Ptr64 Void
   +0×010 InLoadOrderModuleList : _LIST_ENTRY
   +0×020 InMemoryOrderModuleList : _LIST_ENTRY
   +0×030 InInitializationOrderModuleList : _LIST_ENTRY

   +0×040 EntryInProgress  : Ptr64 Void

0:000> !peb
PEB at 000007fffffdb000
[...]

You can see this in the dump sample saved with /r and /R options:

ftp://dumpanalysis.org/pub/LargeHeapAllocations.zip 

The only options I see currently are:

  • - Custom minidumps: do not save process dumps containing full user space with /ma or /mf option for .dump command 

  • - Include PEB but erase specific sections and regions pointed to like environment blocks. See the previous Data Hiding in Crash Dumps post.

  • - Erase specific ASCII or UNICODE fragments manually using any binary editor. This was done for the dump file above.

  • Do not send dumps but logs. See All at once: postmortem logs and dump files.

Anyway manual inspection of a dump saved with security options is recommended before sending it. 

- Dmitry Vostokov @ DumpAnalysis.org -

BugSlasher: Fuzzy Logic Bug Hunting Robot

Tuesday, September 9th, 2008

New cartoon from Narasimha Vedala provides insight into Dr. Debugalov’s embedded programming hobby:

Dr. Debugalov tests his new invention “BugSlasher” the fuzzy logic bug hunting robot.

DBG_BugBotMounts from Narasimha Vedala (click to enlarge)

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.17

Tuesday, September 9th, 2008

“A new” bugfix “is often a” new “error.”

Malesherbes, Pensées et maximes

- Dmitry Vostokov @ DumpAnalysis.org -