Uncategorized

User Mode Hook Scanner (Alpha)

I finally decided to write my first security tool based on an idea I had for advanced hook detection, I couldn’t find any evidence of the method being used so I based a tool around it. It’s still a working progress but I’m posting so I can get some feedback …

Uncategorized

Darkode Returns Following International Raids

When I was contacted asking for a comment about the darkode raid, I’d said that the main administrator was not arrested and that’d I’d be surprised if it wasn’t back within a week; well It’s been a little more than a week (I’ll put on my surprised face), but as …

Uncategorized
4

Windows 10 System Call Stub Changes

Recently I installed Windows 10 RTM and while I was digging around I happened to notice some changes to the user mode portion of the system call stub: these changes appear to break the current methods of user mode system call hooking on x86 and WOW64 (Recap: here). Windows 10 x86 …

Uncategorized
2

MalwareTech SBK – A Bootkit Capable of Surviving Reformat

Since i got into firmware hacking, I’ve been working on a little project behind the scenes: A hard disk firmware based rootkit which allows malware to survive an operating system re-install or full disk format. Unfortunately I can’t post a proof of concept for many reasons (people have even contacted …

Uncategorized
14

Hard Disk Firmware Hacking (Final)

Core 2, I choose you. Less than 5 minutes after posting the last article, i discovered the final piece of my puzzle: a second CPU core. I was looking through my OpenOCD configuration when I realized it had a single tap definition hardcoded, so i decided to comment it out …

Uncategorized

Hard Disk Firmware Hacking (Part 5)

“Discovery requires experimentation” This weekend I made a pretty big breakthrough which lead to me making a few smaller breakthroughs and ultimately negating most of my previous research. I’ve also learned that “not reinventing the wheel” isn’t always the best option, especially when it comes to trusting other people’s research. …

Uncategorized
7

Hard Disk Firmware Hacking (Part 4)

It seems that the bootstrap code is just scattered around various memory addresses and there’s no simple way to dump all of it, so i decided to just dump a chunk of memory from 0x00000000 and look for any reference to addresses outside of that chunk (allowing me to build …

Uncategorized
1

Hard Disk Firmware Hacking (Part 3)

Before we get started with part 3, I have a few updates regarding part 1 & 2. I’ve found that the reset pad on the JTAG header is not actually a system reset (SRST) but a TAP reset (TRST), which isn’t very useful for debugging. Here is the updated layout …

Uncategorized

Hard Disk Firmware Hacking (Part 2)

Now that everything is ready to be connected, power up the hard drive an run openocd with the following command: openocd -f interface/<your interface here>.cfg -f target/test.cfg test.cfg should be the configuration for the CPU used by your hard disk controller, for most marvell CPUs this config should work. I’m …

Uncategorized
1

Hard Disk Firmware Hacking (Part 1)

I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple …