Here’s a video of an exercise in my White Hat Shellcode Workshop I gave at Brucon in September.
Tuesday 8 November 2011
What did you use for video capture and text annotation? Nice video btw
Comment by Jkp — Wednesday 9 November 2011 @ 4:46
That’s fascinating – thank you. I’ve been looking forward to seeing a demo because, regrettably, I couldn’t attend Brucon.
I know that you’ve published simple-shellcode-generator.py and intended publishing create-remote-thread.py after Brucon. I’m keen to replicate your experiments – do you know when you’ll publish this code? I also saw some slides of the workshop and there was a package “shellcode-workshop.zip”. Do you plan publishing that too?
I realise that you created this material for the workshop and quite understand it if you decide to delay publication.
Comment by Iain — Wednesday 9 November 2011 @ 19:32
@Jkp I use VMware Workstation’s Capture Movie feature. And video + subs is produced with avisynth.
Comment by Didier Stevens — Wednesday 9 November 2011 @ 20:02
@Iain If you search a bit on the Brucon site, you’ll find all you need…
Comment by Didier Stevens — Wednesday 9 November 2011 @ 20:03
Got the package Didier – thank you. I’ll have a play around with it this weekend!
Comment by Iain — Thursday 10 November 2011 @ 11:53
I’ve had an interesting time playing around with the code and seeing some of the possibilities. I’m sure some real-life situations will pop into my head where I can use white hat shellcode!
I realise that CreateRemoteThread is flagged by AVs and, as far as I know, it is still available in Windows 7. I have a couple of questions:
I assume that, if an application needs to use this API, the AV will flag it as a problem, so are there any alternatives that software developers can use? What about alternative methods of DLL injection?
If CreateRemoteThread is still available in Windows 7, why? Have Microsoft left it there for legacy purposes? Given the fact that AV pick it up if it’s used, what’s the point of it being there?
Comment by Iain — Friday 30 December 2011 @ 14:04
@Iain I’ve not seen a lot of AV products identifying executables that call CreateRemoteThread as malware. But there are security products that monitor calls to CreateRemoteThread.
Comment by Didier Stevens — Saturday 31 December 2011 @ 13:15