PDF Insider Demo

A small, on the fly video presentation of my new utility.



The emphasis of this application stands on parsing correctly the PDF format, if it can’t because the PDF is malformed (very common among malicious PDFs), then it provides the tools to read the objects nonetheless. I tested it on many PDF (also malicious ones) and it handles all of them very well.

As I have written this application in five days, there are still some small features I’d like to add, but most of the code is already there. I started the development of it quite some time ago on a weekend while I was sick at home and have found only now the time to finish it.

I have no plans about how and when to release it yet, but some friends of mine will start using it in real world scenarios.

P.S. Thanks to Alessandro Gario for the throughout testing.

Posted in News, Reversing | Tagged , | 9 Comments

CFF & Rebel.NET Update

Fixed some bugs in both applications.
In particular, made some part of the CFF Explorer more robust. The current CFF Explorer still contains the core I wrote when I was 19yo. The newer kernel, which I don’t know if I’ll ever get the time to finish, doesn’t have the same problems. Anyway, this should improve rebuilding, resources importing and displaying of .NET table elements with extremely long names (more than 4096 characters).

Posted in Update | Tagged , | Leave a comment

My first month at Hex-Rays

At the beginning of September I started looking for a job. I actually wanted a job to work from remote. Despite the fact that I got several offers, all of them required relocation. So in the end I saw the Hex-Rays hiring announcement on Woodmann and sent out my résumé. From all the relocations, Belgium was the nearest and best connected one and of course it’s a very good job.

The first month at Hex-Rays has been tough on all fronts. Mainly because of the relocation and getting used to work in an office. Now work is proceeding well, but the rest is still difficult. Having one day of sun here in Belgium would help, by the way.

Musil wrote in his life’s work that modern man is spending his life always increasing his level of expertise, remaining with a millimeter of specialistic knowledge which only few people in the world could really understand. The others, talking about his millimeter would only say stupid things and he himself can’t move from his own millimeter without running into the same problem.
I think I found my millimeter in the IT world. However, I can’t stand still on it. I always keep moving with exasperated restlessness.

I have written in the last 2 years at least 5 programs of bigger size which are almost complete, but as I’m now working at Hex-Rays they will have to wait. When I was writing mostly software on my own I did it almost entirely to be active in something. Now that I’m working on IDA every day I feel that my need of being active is fulfilled and I don’t feel the need to write more code when I’m at home. Instead, I feel the need of art.

Why haven’t I tried producing art instead of programming already? Because I have always been capable of judging my own work objectively and I know when the time is not right.

What’s the difference between programming and art? Both need experience. The difference is that one can build one’s technical experience alone in one’s room, without the help of events, social interaction, etc. In a technical field it is possible to make the time needed for experience advance faster. Viceversa, in one’s reflections about life one has to actually follow the time of his own life.

I feel that something is changing about that.

Posted in Uncategorized | 9 Comments

Busy & Qt 4.6

I apologize if in the last time I couldn’t answer to emails without many days of delay, but I’m incredibly busy in my real life.
There is some important news I can’t yet talk about but will soon.

Also, yesterday the new Qt 4.6 has come out. For Windows developers good news: the sdk come with gcc 4.4 with patches for phonon, in case you don’t want to use Visual Studio (like myself). Among the new features: animation and state machine frameworks, multi-touch support, symbian support. Also many improvements in Qt Creator.

P.S. I wanted to publish this post several days ago, but pressed Save Draft instead of Publish.

Posted in Uncategorized | 2 Comments

CFF Explorer update: scripting arguments

Arguments can now be passed through command line just by making them follow the name of the script. E.g.:

“CFF Explorer.exe” “C:\mydir\script.cff” arg1 arg2 “arg 3”

To access the arguments from the scripting part you can use the global variables argv and argc, which are the same thing as in C. Actually, argv would’ve been sufficient as it is a table and its size can be retrieved with “#”, argc is only present for coherence with the C-style.

Example:

[cc lang=”lua”]x = 0
while x < argc do MsgBox(argv[x]) x = x + 1 end[/cc] I also fixed a bug in the add section code and improved the PE rebuilding.

Posted in Update | Tagged | Leave a comment

Filter Monitor 1.1.0: filter restore

Uploaded the new version of this little utility. Fixed some bugs (nothing serious). Now it has the capability to restore some types of filters that the user unregister. Basically, it can restore Create Process, Thread and Load Image callbacks.

Posted in Update | Tagged | 2 Comments

Explorer Suite update

CFF Explorer:
Improved support for tiny PEs.
Fixed a bug in the Exception Directory which was due to the grid set up.

Task Explorer:
Fixed a minor bug on x64.
Added the Driver List tool.

Posted in Update | Tagged , | 7 Comments

Filter Monitor 1.0.1

This week, after months of development of bigger projects, I found some time to windbg “ntoskrnl.exe” and write a utility. It is called Filter Monitor and shows some key filters installed by kernel mode components.

“As you probably all know the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology.

Thus, programs have now to rely on the filtering/notification technologies provided by Microsoft. And that’s why I wrote this little utility which monitors some key filters.

Since I haven’t signed the driver of my utility, you have to press F8 at boot time and then select the “Disable Driver Signature Enforcement” option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frenetically to not miss right moment.

A disclaimer: the boot process can be a bit annoying, but the utility should be used on virtualized systems anyway, as I haven’t fully tested it yet. I doubt that it will crash your system, I guess the worst scenario is that it won’t list some filters. It should work on any Windows system starting from Vista RTM and I have provided an x86 version and an x64 version. But the truth is that I have tested only the x64 version on Windows 7 RTM. Last but not least, I can’t guarantee that this utility will work on future versions of Windows, it relies heavily on system internals.

Now, let’s run it. The supported filters/notifications at the time are these: Registry, Create Process, Create Thread and Load Image. “Registry” stands for CmRegisterCallback filters. “Create Process” for PsSetCreateProcessNotifyRoutine callbacks. “Create Thread” for PsSetCreateThreadNotifyRoutine callbacks. And “Load Image” for PsSetLoadImageNotifyRoutine callbacks.

The “Additional Info” in the list view provides internal information like the address of the callback function.

There are some default filters registered by system components, but, as you can notice, there are also Kaspersky components. That’s because some filters (like the registry filter) are not used by system components and I needed a tool which would make use of these filters for my little demonstration.

The version of Kaspersky I have installed is the latest one available on the internet which is: 9.0.0.463.

I created for this demonstration a little executable called “k-test” (what you see on the desktop are three copies of the same executable) which copies itself in a directory called “borda” in the “Roaming” directory of the operating system. It then creates a value in the Run key of the registry to execute itself at each start-up. Finally, it launches itself from the “Roaming” directory and ends.

This is a typical malware behavior. Beware that the signature of the application itself is not contained in the databases of Kaspersky as I have written it on the fly, but it detects the suspicious behavior, stops execution and deletes the file. And it does this every time I launch the test application.

Now let’s get to the part where I show an additional functionality of the Filter Monitor which is the ability to remove registered filters and see what happens if I remove the filters installed by klif.sys, which is the “Kaspersky Lab Interceptor and Filter” driver. As the name suggests, this driver intercepts and filters: it installs all four of typologies of filters listed by the Filter Monitor. On x86 instead of calling CmRegisterCallback it additionally hooks about 60 functions of the Service Descriptor Table (which is a lot), but that’s no longer possible on x64.

So, let’s remove the filters and re-launch k-test. It works now.

Final disclaimer: It is not my intent to comment on security features of anti-viruses, I just wanted to present my new tool and show its functionalities. I was already familiar with the internals of Kaspersky before writing this utility.

I hope you enjoyed the presentation.”

P.S. A huge thanks goes to Alessandro Gario for providing me with all the different versions of ntoskrnl.exe.

Posted in Internals, News, Reversing | Tagged | 2 Comments

CFF Explorer bug-fix

Fixed a bug reported by icy. It was causing crashes in executables without sections when calculating their PE size.

Posted in Update | Tagged | 6 Comments

Qt’s GUI Thread

If you’re a Qt developer, you surely are aware of the fact that you can only display GUI elements and access them from the main thread. This limitation as far as I know is mostly bound to the limitations of X and it isn’t to exclude that multithreading support for GUIs will be added soon.

This limitation never caused me any trouble, since the signal & slots mechanism is thread-safe and communicating between threads and GUI elements can be achieved through it. However, yesterday I needed to show a messagebox in a method and, in case the code is not executing in the main thread, show a native win32 MessageBox instead of a QMessageBox (of course, only on Windows can I do that, on other platforms when I’m not in the main thread, I won’t show anything).

Anyway, here’s a simple method to establish if we’re running the GUI thread:

bool isGuiThread()
{
    if (QCoreApplication::instance()->thread() == QThread::currentThread())
        return true;
    return false;
}

As you can see this is a pointer comparision, but can we rely on the value returned by currentThread? Yes, we can since the pointer is associated with the thread itself as we can see from the code of the method:

QThread *QThread::currentThread()
{
    QThreadData *data = QThreadData::current();
    Q_ASSERT(data != 0);
    return data->thread;
}
 
// thread_win.cpp
 
QThreadData *QThreadData::current()
{
    qt_create_tls();
    QThreadData *threadData = reinterpret_cast<QThreadData *>(TlsGetValue(qt_current_thread_data_tls_index));
    if (!threadData) {
        QThread *adopted = 0;
        if (QInternal::activateCallbacks(QInternal::AdoptCurrentThread, (void **) &adopted)) {
            Q_ASSERT(adopted);
            threadData = QThreadData::get2(adopted);
            TlsSetValue(qt_current_thread_data_tls_index, threadData);
            adopted->d_func()->running = true;
            adopted->d_func()->finished = false;
            static_cast<QAdoptedThread *>(adopted)->init();
        } else {
            threadData = new QThreadData;
            // This needs to be called prior to new AdoptedThread() to
            // avoid recursion.
            TlsSetValue(qt_current_thread_data_tls_index, threadData);
            threadData->thread = new QAdoptedThread(threadData);
            threadData->deref();
        }
 
        if (!QCoreApplicationPrivate::theMainThread) {
            QCoreApplicationPrivate::theMainThread = threadData->thread;
        } else {
            HANDLE realHandle = INVALID_HANDLE_VALUE;
#if !defined(Q_OS_WINCE) || (defined(_WIN32_WCE) && (_WIN32_WCE>=0x600))
            DuplicateHandle(GetCurrentProcess(),
                    GetCurrentThread(),
                    GetCurrentProcess(),
                    &realHandle,
                    0,
                    FALSE,
                    DUPLICATE_SAME_ACCESS);
#else
                        realHandle = (HANDLE)GetCurrentThreadId();
#endif
            qt_watch_adopted_thread(realHandle, threadData->thread);
        }
    }
    return threadData;
}

qt_create_tls just calls once for every thread TlsAlloc and if the data for the current thread hasn’t been set yet, it is set with TlsSetValue. So, we can rely on a pointer comparision.

Posted in Programming | Tagged , , , | 1 Comment