KasperBlog

I've been playing a little with git and grown to like it. I'm planning to use it to adapt Pandora's Bochs to the latest development version of Bochs and continue development on it. Therefore, I started mirroring the Bochs CVS repository from SourceForge.net in my own git repository, using git-cvsimport.

I've set the repository up so that you can view it through gitweb, or clone it from git://0x0badc0.de/home/repo/git/bochs. The CVS HEAD is imported into the branch CVSHEAD and merged into the master branch. All other CVS branches retain their names. This is an experiment for now, let me know if you find it useful.

It seems the HAL or PolicyKit package are broken at the moment and fail to install a certain policy file.

Quick fix: cd /usr/share/PolicyKit/policy && sudo wget http://cgit.freedesktop.org/hal/plain/policy/org.freedesktop.hal.power-management.policy

See also: http://bbs.archlinux.org/viewtopic.php?id=58047&p=1

ln -s /etc/ssl/certs/ca-certificates.crt ~/.gajim/cacerts.pem

It took me about 14 years to figure out why half-bytes are called a nibble. Last week it hit me: A nibble is less than whole b(y|i)te. Duh.

Annoying. I wonder why it didn't do that for all the other non-http ports I used today, though.

Part of the motivation for working on my thesis titled "Pandora's Bochs: Automatic Unpacking of Malware" was to write a publicly available and open source unpacker for runtime-packed executables, so I had originally planned to polish my code, write up better documentation and release it to the public. However, since handing in my thesis, 6 months passed and I have still not found the time to do so. I do not know when that time will come, so I decided to at least release the latest snapshot to the public. It will probably be non-trivial to set up outside of its original development environment, but it might be useful to somebody. Feel free to pester me with flames or questions.

A slightly modified version of Bochs with a Python instrumentation interface and instrumentation code that attempts to supervise processes of a Windows XP SP2 guest system can be found here. The instrumentation code logs instrumentation events to an SQLite3 database. Additionally, the address space of a supervised process is dumped to the database, when execution of a modified memory region (indicating execution of newly unpacked code) is detected.

A tool that attempts to reconstruct valid PE images from these databases can be found here. It can also do other stuff I have long forgotten.

Like Bochs, my additions to it are released under the LGPL.

Interesting article about how carelessly some institutions deal with personal information over at lipflip.org

To the person HTTP-GETting the same URL with more than 20 User Agents right now, hoping for some remote file inclusion vulnerability: It doesn't work kthxbye.

At the end of January I handed in my thesis “Pandora's Bochs: Automatic Unpacking of Malware”, the last missing piece towards my graduation. It deals with building an automatic unpacker for runtime-packed PE binaries on top of the Bochs PC Emulator. The results were encouraging, but I hit some limits with Bochs's emulation speed, and there were also other issues with advanced packers that I could not fully investigate. Other than that, Pandora's Bochs can fairly reliably create memory dumps of an unpacked process, yet automatic import recovery and OEP reconstruction fail for packers that redirect imports or use “stolen bytes” or similar techniques.

I'm planning to release Pandora's Bochs's source code once I find some time to clean it up a little.

Yesterday, I registered a new domain - 0x0badc0.de ... i've been toying with the idea for a while, and just couldn't resist any longer.

Content to follow. Or not.

The folks at DataRescue released an updated freeware version of IDA Pro, that is based on IDA Pro 4.9.

Windows only, non-commercial use only: IDA Pro 4.9 Freeware Version

I recently installed Fedora 7 and VMware Server on top of that, to run a Windows XP guest system. I used bridged networking for the guest and wanted to use rdesktop to connect from the host to the guest OS, but I was unable to successfully establish a connection from the host to the guest. As it turned out, the host system could communicate with all other machines on the network successfully, and so could the guest system, but the host and guest could not talk to each other properly.

After harnessing the power of my favorite search engine, it appeared that checksum offloading might be to blame, so here's what i did:

I first checked whether checksum offloading was enabled:

[lutz@kasperletheater /]$ ethtool -k eth0
Offload parameters for eth0:
Cannot get device udp large send offload settings: Operation not supported
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp segmentation offload: on
udp fragmentation offload: off
generic segmentation offload: off

As you can see, it was. The next step was to disable this feature:

[lutz@kasperletheater /]$ sudo ethtool -K eth0 rx off tx off sg off tso off
Password:
[lutz@kasperletheater /]$ ethtool -k eth0
Offload parameters for eth0:
Cannot get device udp large send offload settings: Operation not supported
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off

This seems to have solved the issue, as host and guest system can now successfully communicate.

I finally figured out how to debug Windows XP running in one QEMU instance with WinDbg running in another:

• Compile QEMU with this patch: qemu-20070110-windbg.patch


• Edit boot.ini in the debuggee to add an entry to start Windows XP with "/debugport=com1 /baudrate=115200" arguments.


• Start the debuggee VM with "qemu -net nic -net tap -serial tcp:127.0.0.1:4444,server". QEMU will now wait for a connection on 127.0.0.1:4444.


• Start the debugger VM with "qemu -net nic -net tap -serial tcp:127.0.0.1:4444". This will connect to the debuggee VM and both VMs will now start booting. Make sure to interrupt the debuggee VM's boot menu countdown at this point.


• When the debugger VM has fully booted, start WinDbg in that VM and click "File->Kernel Debug", select "COM", set "Baud Rate" to "115200", "Port" to "com1" and click "Ok".


• In the debuggee VM, select the boot menu entry that will start Windows with remote debugging enabled now.

WinDbg should recognize the debuggee VM now. Have fun.

Checking referrers to my website through awstats, i found that some people actually found it by searching for the terms "UCSB CTF". That reminded me to check the UCSB CTF website for updates, and in fact, the website says "The 2006 iCTF is scheduled Friday, December 8, 2006, from 8am to 5pm, PST". Good news, I'm really looking forward to it

UPDATE: I just noticed: While the VMware images of the past CTFs contained only a single virtual host, the UCSB CTF website now says "The iCTF is scheduled on Friday, December 8, 2006. The contest starts at 8am, PST, by distributing a VMware-based virtual network (one or more hosts running a composition of Linux? *BSD? Windows? services) that supports a number of services.". Sounds interesting, maybe we'll be getting multiple hosts per team to defend and attack.

Ross Anderson's book "Security Engineering" is now available for free download.