[Dailydave] Systems Programming

Dave Aitel dave at immunityinc.com
Mon Jan 6 16:11:14 EST 2014


So the thing about writing trojans is that they end up being large scale
systems programs. What I mean by that, is one second you're thinking about
all the cool stuff you can do with covert channels and P2P networks and
internal cryptographics, and the very next second, once any of that
stuff is even halfway working, you are neck deep in figuring out COM
programming and what the hell an Apartment Threading Model is.

Windows NAMES all the painful parts of large scale distributed
programming models, but that doesn't mean it's easy to conceptualize them
unless you are essentially a Monk who spent years laboring in the coal
mines of ole32.dll. But as a trojan writer ("Penetration testing tool
writer"), you need to somehow make the horrible parts bearable so that
people can use the system to do fancy things (C&C through Adobe Reader
or Word!) without having to wonder what API it is you call to check to
see if your token is in fact a domain impersonation token, or a
delegation token, or whatever.

MOSDEF was an attempt at this in a smaller way - even calling Windows
APIs from shellcode can be a huge pain in the ass because of the giant
structures they take in and output on a regular basis. MOSDEF solves
this problem by compiling structs and accesses to them into shellcode
that runs on your target in a half-way sane way. But INNUENDO is
different - much bigger and of course with a "richer" language of
primitives. Nevertheless, you'll find yourself in ctypes more often than
I'd like and a lot of our work is minimizing this so that there is a
"right way" to do everything Windows related.

To summarize: People think that trojans survive based on their covert
channel wizardry or clever obfuscation. But the best trojans survive by
offering a better API for systems programming than anyone else.

As an example, many times you will break into a Windows network, and
steal some user credentials. That user may be able to have interactive
logon to a hundred machines or so. One feature you can add to your
trojan is the ability to install itself on any one of those machines
chosen at random, and then uninstall the original. To migrate, in other
words. Fun, huh?

-dave