The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.
Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.
Miss Identify is a program to find Win32 applications. In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). The program can also be run to display all executables encountered, regardless of the extension. This is handy when looking for all of the executables on a drive. Other options allow the user to record the strings found in an executable and to work recursively. See the manual page for more information.
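The default mode described above (flag executables that hide behind a non-executable extension, with an option to list every executable found and to work recursively) can be reproduced with a short scan that keys on the file contents rather than the name. This is an added example, not Miss Identify’s own code: it treats a file as an executable when it starts with an MZ header whose e_lfanew points at a PE signature, so plain .com programs, which have no header, are not caught; the directory tree it scans is constructed in a temporary folder for the demonstration.

```python
import os
import struct
import tempfile

# The extensions the text lists as "executable extensions"
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".sys", ".cpl",
                         ".hxs", ".hxi", ".olb", ".rll", ".tlb"}


def looks_like_pe(path):
    """True if the file starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature.
    Assumption: only PE images are recognised; headerless .com programs are ignored."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_misnamed_executables(root, show_all=False, recursive=True):
    """Default mode: PE files whose extension is not an executable one.
    show_all=True lists every PE file found regardless of its extension."""
    walker = os.walk(root) if recursive else [(root, [], os.listdir(root))]
    hits = []
    for dirpath, _subdirs, names in walker:
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or not looks_like_pe(path):
                continue
            ext = os.path.splitext(name)[1].lower()
            if show_all or ext not in EXECUTABLE_EXTENSIONS:
                hits.append(path)
    return sorted(hits)


def minimal_pe_bytes():
    """Constructed stand-in for an executable: MZ header, e_lfanew=0x40, PE signature, empty COFF header."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20


def demo():
    """Build a throwaway tree of constructed files, scan it, and return (default mode, show_all) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "sub"))
        samples = {
            "tool.exe": minimal_pe_bytes(),                          # honest executable
            "readme.txt": b"just text",                              # not executable
            "fake.exe": b"MZ but truncated",                         # MZ bytes without a PE signature
            os.path.join("sub", "update.dat"): minimal_pe_bytes(),   # executable behind a data extension
        }
        for rel, content in samples.items():
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(content)

        def relative(paths):
            return [os.path.relpath(p, tmp).replace(os.sep, "/") for p in paths]

        return (relative(find_misnamed_executables(tmp)),
                relative(find_misnamed_executables(tmp, show_all=True)))


if __name__ == "__main__":
    print(demo())
```

The default scan reports only sub/update.dat, the PE image hiding behind a data extension; the show_all scan also lists tool.exe, while fake.exe is ignored because its MZ bytes are not followed by a PE signature.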
The Ubuntu Malware Removal Toolkit 1.2 distribution comes as a LiveCD (a bootable USB stick, a LiveUSB, can easily be created from it) and promises to clean viruses and malware off a Windows computer.
But it goes further, since it offers RDP support, web browsing with Firefox, repair of bad timestamps on NTFS volumes, etc. Here is a short list of what Ubuntu MRT 1.2 has to offer.
Once a system is infected with malware, it becomes difficult to remove that malware, as it is already embedded in the system and has control over many components that are key to the system’s operation. Malware such as rootkits uses system components to hide itself and prevent other software from detecting or removing it. This is often a question of who gets there first: if the malware is able to take control of the system early on, it also has control over any software that may run later. Besides hiding, malware can also block the execution of other security applications. If you cannot install or run a security application in the first place, you cannot scan for and detect the malware. The best time to remove malware is when it is not running, but malware often starts with the operating system, so we would have to stop the operating system to stop the malware. On a shut-down OS nothing is running, and malware like rootkits cannot hide itself, so it is easy to find and remove.
REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.
Since I just received the new “Practical Malware Analysis” book from No Starch Press, the detailed lab exercises seemed like a perfect way to test out the tools included in REMnux. While most of the tools in the book are Windows-based, there are Linux-based equivalents found on REMnux.
The first task was downloading the lab files linked from http://practicalmalwareanalysis.com/labs and extracting them.
WARNING: The lab binaries contain malicious code and you should not install or run these programs without first setting up a safe environment.
Compatibility: The labs are targeted for the Microsoft Windows XP operating system. Many of the labs work on newer versions of Windows, but some of them will not. The labs are designed to mimic realistic malware. Some of them are well-written code that runs reliable and some of them (just like real malware) are poorly written code that may crash, contain memory leaks, or otherwise behave unexpectedly.
My plan to solely use REMnux was immediately thwarted by the self-extracting Windows executable that contained the lab files. There was a EULA (end user license agreement) wrapper as part of the executable that had to be accepted before the files could be extracted — a problem solved with a quick boot of a Windows XP virtual machine. Ideally, the authors will replace or supplement the self-extracting executable with a standard zip file.
After a quick and easy read through the first few chapters, I started to dig into the lab examples using REMnux’s tools. Chapter 1’s labs want you to upload the example binaries to VirusTotal to see whether any antivirus products detect them as possible malware. While I could have used Firefox to upload the files, I chose to use pyew’s “vt” plugin that searches VirusTotal using the MD5 hash of the file instead of uploading the actual file.
Searching by MD5 alone could have backfired if no one had uploaded the file to VirusTotal yet, but given the popularity of the book, the lab files had already been uploaded many times. REMnux does not currently appear to come with a command-line tool to upload files to VirusTotal, so here are a couple of options (#1 and #2) that simply require you to get a free API key from VT first.
A few other tasks in the first “Practical Malware Analysis” labs include looking at executables’ import/export functions, compile date, and packer identification. Pescanner works pretty well for figuring out those answers, but not all of them. For example, pescanner identifies suspicious import functions but does not list them all, and it incorrectly identified some of the executables as packed when they weren’t. Pyew fared better, being able to list all imports and exports and correctly identifying the packer, but it did not have an obvious way to show the compile date. Used together, though, they give you the exact answers you need.
The last lab in Chapter 1 asks you to use Resource Hacker to look for resources stored in the file. To accomplish the same task on Linux, a command-line tool called hachoir-subfile can be used. Running hachoir-subfile against the Lab 1-4 executable will extract the embedded PE file.
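The two gaps noted above, a missing compile date and a packer verdict based on a heuristic that can misfire, both come straight out of the PE headers. The following added example (my code, not pescanner’s or pyew’s) reads the COFF header timestamp as a UTC date and reports the section names, flagging a few section names that well-known packers leave behind; that flag is deliberately labelled a hint, because section-name matching is exactly the kind of heuristic that produces the false positives described above. The sample images are constructed in memory (a bare PE32 with a section table and no real code), so the script runs offline.

```python
import datetime
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}
# Section names left behind by common packers. A hint only: a name match is not
# proof of packing, which is how section-based tools misidentify some binaries.
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack",
                   b".petite": "Petite", b".MPRESS1": "MPRESS"}


def parse_pe_header(data):
    """Read the COFF header, optional-header magic and section table from PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, stamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]      # 0x10B = PE32, 0x20B = PE32+
    names = []
    for i in range(nsections):                           # 40-byte section headers follow the optional header
        raw = struct.unpack_from("8s", data, opt + opt_size + 40 * i)[0]
        names.append(raw.rstrip(b"\x00"))
    hints = sorted({PACKER_SECTIONS[n] for n in names if n in PACKER_SECTIONS})
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "is_dll": bool(chars & 0x2000),                  # IMAGE_FILE_DLL
        "compile_time": datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc).isoformat(),
        "sections": [n.decode("ascii", "replace") for n in names],
        "packer_hint": hints[0] if hints else None,
    }


def build_sample_pe(stamp, section_names, machine=0x14C):
    """Constructed minimal PE32: DOS header, PE signature, COFF header, optional header, section table."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 224                                                  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", machine, len(section_names), stamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    table = b"".join(
        name.ljust(8, b"\x00") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1),
                                             0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\x00\x00" + coff + opt + table


if __name__ == "__main__":
    # 1199145600 is 2008-01-01T00:00:00Z, a constructed timestamp
    print(parse_pe_header(build_sample_pe(1199145600, [b"UPX0", b"UPX1", b".rsrc"])))
    print(parse_pe_header(build_sample_pe(1199145600, [b".text", b".data"], machine=0x8664)))
```

On a real sample, compare the compile date against the file’s other metadata (a timestamp in the future or at the Unix epoch is itself worth noting) and treat the packer hint as a prompt to look at section entropy and the entry point, not as a conclusion.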
I’m looking forward to digging into the book more and using REMnux further to see just what I can do without having a Windows virtual machine. It’s not that I have anything against Windows — I just like to find alternative Linux-based tools that do the same thing as Windows-based tools. There’s definitely an advantage to having both platforms available for analysis with the plethora of tools to use.
I highly recommend taking a look at “Practical Malware Analysis” if you’re interested in the topic, as it is one of the best books I’ve seen on the subject and the labs are great. I suspect I’ll have more blogs in the future about the book and tools as I spend more time with it and find alternative tools to use for the analysis.
John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com and found on Twitter @johnhsawyer.
There are many ways to create a live USB drive carrying an operating system like Ubuntu, but the method I will describe here is based mainly on SUN’s VirtualBox. While the method described in the Ubuntu documentation involves installing a Live CD image on a USB flash drive, which then has to extract and load the operating system into RAM, the method I describe on this page installs a fresh operating system on a bootable flash drive that works the same way as it would from a real HDD (except for the speed, of course). Thus, you should have a good USB 2.0 flash drive with decent I/O speeds and at least 4GB of space (considering that the operating system itself, Karmic Koala, takes about 2GB).
Divide your USB flash drive into two partitions
In order to separate the operating system from the documents you would like to save on the flash drive, it is advisable to divide your USB flash drive into two partitions. Only do this if your USB flash drive has more than 2GB of space and you do not need to save changes you make inside the operating system. To achieve this, you need to have GParted installed (or at least this is what I prefer). If you are not following this tutorial on a Linux machine, you’ll have to use whatever software you know best that works with your operating system (on Windows I recommend Acronis Disk Director and Partition Magic). To get GParted, type the following command in a terminal:
sudo apt-get install gparted
Now backup all data you have on your USB flash drive, because we will need to format it and create two partitions. Haven’t backed up your data? You’re playing with fire!
UNetbootin (Universal Netboot Installer) is a cross-platform utility that can create live USB systems and can load a variety of system utilities or install various Linux distributions and other operating systems without a CD.
Can load a variety of system utilities, such as Ophcrack, BackTrack.
Other operating systems can be loaded via pre-downloaded ISO image or floppy/hard drive disk image files.
Automatically detects all removable devices.
Supports LiveUSB persistence (preserving files across reboots; this feature is for Ubuntu only).
Multiple installs on the same device are not supported.
It is worth noting that UNetbootin’s meta-data is very out of date. For example, the latest version of Linux Mint offered in the drop-down menu is version 10, whilst the latest official release is version 14 (at time of writing, February 2013). However, UNetbootin can still be used to write a bootable Mint 14 ISO file onto a USB device, if the user first downloads the ISO file manually.
These can contain just about any tool you want: anti-virus, OS boot CDs, OS repair/recovery discs, programs, etc. This is a slightly more difficult section, depending on exactly what you want on your flash drive. It can also be time consuming.
Different programs and bootable Windows and Linux ISOs require different boot parameters, which is why some things work with one program and not another.
SARDU, XBOOT, and YUMI can each create a multiboot utility flash drive, but each officially supports different programs/ISOs. EasyBCD can create multiboot flash drives but requires you to PAY ATTENTION when configuring.
You’ll have to find which actually work best for you.
I haven’t found one that does everything I would like it to (run all the programs below and work), so I’ve got 2 utility/rescue flash drives.
Places to find help for the above programs.
1 – See the links on those programs home pages.
2 – Reboot.Pro
3 – 911CD
Additions tested:
– Windows 7 Recovery Discs (32 & 64-bit)
– Windows Vista Repair Discs (32 & 64-bit)
– UBCD4Win (SP3 slipstreamed pre-build, nlited to add drivers and update packs)
– Hiren’s Boot CD 14
– openSUSE 11.4 LiveCD (KDE)
– Linux Mint LiveCD (Gnome & KDE) (if Linux Mint works then Ubuntu should too)
– AVG
– Avira
– Kaspersky
– Microsoft Standalone System Sweeper
– Acronis True Image Home 2011
– Acronis Disc Director 11
Below are some notes on each program as of this writing.
They are not intended to bash anyone, they are just the results I came up with.
SARDU (2.0.3 beta 6)
– Do not rename ISO’s.
– openSUSE does not work.
– Hiren’s Boot CD support removed, AFAIK due to its questionable legality. (download v2.0.2c if you need this)
– UBCD4Win does not work in this version. (download v2.0.2c if you need this)
– Microsoft Standalone System Sweeper supported.
– To add Acronis to this see here.
Make sure all your ISO’s are in one folder.
Do not rename the ISO’s.
If you haven’t already downloaded them, clicking the button next to the check box will take you to the download page.
Plug in your preformatted flash drive.
Click the CD/ISO picture (upper left) to load the ISO folder.
ISO’s already in the folder will be preselected.
Click the Search USB button on the right to find your flash drive.
Click the picture of the flash drive below it to start the process of making your bootable flash drive.
SARDU creates a multiboot USB drive, a multiboot DVD or multiboot CD (all-in-one) for free (personal and non commercial use, read the license). Hard disks (internal and external), SSD, USB flash drive and all removable memory disk and media are supported.
The multi bootable device can include comprehensive collections of antivirus rescue CD, utilities and popular Linux live distributions. Windows PE can also be included, as well as recovery disks and install media for Windows XP (Professional, Home and 64 Bit), Windows Vista, Windows Seven and Windows Eight.
A search led to a recommendation that I try XBOOT. Another source suggested that SARDU and XBOOT both might be more robust than YUMI.
Were there other possibilities? An AlternativeTo webpage listed Universal USB Installer (of which UNetbootin was apparently a clone) and WinToFlash as much more popular than SARDU, XBOOT, or YUMI, but these did not appear to be multiboot solutions. That is, they would load only one program onto the USB drive. At this point, Wikipedia’s list of tools to create live USB systems did not distinguish multiboot from single-boot tools — but it did make clear that there were many single- or multiboot tools out there. One source offered a way to use UNetbootin to create a multiboot flash drive, but it, too, sounded complicated. A search suggested that EasyBCD was another possibility, but it appeared that it was a boot manager that would let you decide whether to boot from, say, a hard drive partition containing Windows 7 rather than another partition containing Linux.
So I took it as a choice among YUMI, SARDU, or XBOOT. A search led to a thread with several user reports that tended to favor YUMI. As I had also found, one comment recommended formatting within YUMI rather than formatting the USB drive via Windows Explorer. One blogpage, written in spring 2011, seemed to find little difference in capabilities, between SARDU and YUMI, except that SARDU had the advantage of allowing the user to burn a CD or DVD containing one (or possibly more) installer. Two other webpages praised SARDU, but without offering specific comparisons against alternatives like YUMI. The XBOOT webpage seemed to indicate, as others had done, that XBOOT was preprogrammed to accept far fewer programs and distributions than YUMI; the same had also seemed to be true of SARDU.
YUMI (Your Universal Multiboot Installer) is the successor to MultibootISOs. It can be used to create a Multiboot USB Flash Drive containing multiple operating systems, antivirus utilities, disc cloning, diagnostic tools, and more. Unlike MultibootISOs, which used grub to boot ISO files directly from USB, YUMI uses syslinux to boot extracted distributions stored on the USB device, and reverts to using grub to boot multiple ISO files from USB if necessary.
Aside from a few distributions, all files are stored within the Multiboot folder, making for a nicely organized Multiboot Drive that can still be used for other storage purposes.
Creating a YUMI Multiboot MultiSystem Bootable USB Flash Drive
YUMI works much like Universal USB Installer, except it can be used to install more than one distribution to run from your USB. Distributions can also be uninstalled using the same tool!
XBOOT is yet another neat little Multiboot ISO USB Creator. It is a Windows based application that can be used to create a Live Multiboot USB or even a Multiboot ISO file that can then be burnt to a CD/DVD. XBOOT supports many Linux Distributions and Utilities, and allows you to use your choice of a Grub or Syslinux bootloader. Also included is a built in QEMU emulator (enabling you to boot an ISO from within Windows).
This software boots your PC and analyses your filesystems. It displays a graphical menu for you to select which system to boot. Intended to replace LILO and Loadlin, it is written in C with GCC and runs fully in real mode.
It can read FAT12, FAT16, FAT32, ext2, ext3, ext4 (with constant inode size) and ISO 9660 filesystems.
It has a graphical user interface with mouse support, and can be installed on any media: floppy, hard/USB disk partitions, hard/USB disk MBR, CD/DVDROM, DVD-RAM (i.e. FAT with 2048 bytes/sector). It can also use a serial port as input/output instead of the screen and keyboard.
Gujin can chain-load other bootloaders and load Linux kernels, and has an unfinished loader for the multiboot specification, but more importantly for our current interest it can load standard ELF files (more exactly, GZIP-compressed ELF files).
There are two major ELF variants on the PC: ELF32 (with 32-bit load addresses, sizes and entry point) and ELF64 (with 64-bit fields). Gujin loads either of them and switches the processor into protected mode to jump to the ELF entry point.
Gujin will not try to set up memory paging at all; that is the job of the kernel, which selects which kind of paging it wants. So even 64-bit ELF files have to handle the transition from 32-bit to 64-bit mode themselves (because you need paging to enter 64-bit mode).
The same goes for interrupts: Gujin switches to protected mode but does not re-enable interrupts. It is the job of the kernel being booted to set up the Interrupt Descriptor Table and handle each interrupt, because the BIOS will not help the kernel any more.
Gujin can also relocate the ELF file if it contains relocation information; see the --emit-relocs option of the “ld” linker in the “binutils” toolchain.
Because most applications will want to collect BIOS information before the switch to protected mode, Gujin can call a function of the ELF file in real mode: if this function returns zero, the loading process continues; otherwise an error message is displayed (for instance: “trying to execute a 64-bit application on a processor without this feature!”).
Moreover, in most cases the kernel can decide to return to the Gujin bootloader (if it has not erased it from memory) without forcing a reboot.
The Gujin bootloader is built using standard Linux tools; it does not need Linux to run (only a not-too-buggy BIOS), but we have to assume you are running Linux in order to use the GNU toolchain (GCC, binutils, GZIP…) to produce the ELF file for the kernel. Also, the Gujin installer needs either 32-bit or 64-bit Linux to run and to install the Gujin bootloader on a device.
Because Windows uses another executable format, you cannot install cygwin/MinGW on Windows and use the compilation toolchain directly; in that case you would have to generate a cross-compiler toolchain to produce ELF files, which is out of scope for this description (but not that difficult).
So enough text description, let’s try it!
Floppies being out-dated, let’s say we want to use a USB stick as our test media. In some cases we may want to use an SD card instead; the process is basically the same.
We first need to check that the target PC will be able to boot that USB stick or SD card, when Gujin is installed on it.
To increase the chances of success, we will ask the Gujin installer to completely reformat this USB disk or SD card, so first back up any interesting files you have on it to some other place.
If you do not trust anybody, download the source file gujin-*.tar.gz, extract it into a directory and type “make”; that will produce an executable named “gujin” (even on 64-bit Linux).
Remember to visit http://gujin.org to check if there is a newer version of Gujin, and to increase Gujin author counters and keep him happy.
Then we reformat that dedicated USB stick as a bootable FAT filesystem, erasing all its content: first become “root” by typing “su” or “sudo” (distribution dependent), then get the device name of your USB stick (let’s say it is /dev/sdg; sometimes /dev/mmcblk0 for SD cards), and type:
./gujin /dev/sdg --disk=BIOS:0x00,auto
Depending on the size of the USB stick, that will have created either a FAT16 or a FAT32 (or even a FAT12) filesystem, but that point is not really important.
You then unplug this device and plug it back in: most distributions will automatically mount the filesystem and display a window with its content: only a single file, which is the bootloader itself.
To check that this filesystem is correctly created, you can type:
/sbin/fsck.vfat /dev/sdg
With the Gujin installer parameters we used, that would have created a “superfloppy” format on our USB stick, that is currently the format most PC will be able to understand and boot from.
That does not mean your own PC will boot it 100%, due to BIOS bugs, so you now need to test whether this USB stick is bootable by your PC: unmount the USB stick, plug it into the test PC and power it on, and see if Gujin starts (you will notice easily).
If it is not started try to check:
- that the boot order in the BIOS is set to boot USB devices first
- try the different USB devices if your BIOS has switchable items.
- try to tell the Gujin installer to use the Extended BIOS instead by typing (--disk=EBIOS:0x00,auto is the default):
./gujin /dev/sdg
- try to tell the Gujin installer to generate a real disk and not a superfloppy by:
./gujin --mbr /dev/sdg --disk=BIOS:0x00,auto
- try the two previous options together:
./gujin --mbr /dev/sdg --disk=EBIOS:0x00,auto
- try another (smaller) USB stick; some BIOSes will only accept to boot from a FAT16 superfloppy.
By now you should know a lot more about your BIOS, and have a bootable USB stick.
Then we want to generate this ELF kernel; let’s try to generate a “hello world”. Create a file with this content:
const char msg1[] = "Hello protected-mode text world! please reboot ...";
#define STACKSIZE (64 * 1024)
/* Our own stack: Gujin leaves us with no usable stack of its own */
static unsigned stack[STACKSIZE / 4] __attribute__ ((aligned(32)));

void _start (void)
{
    /* We are in flat non-paged memory with interrupts disabled */
    asm (" mov %0,%%esp " : : "i" (&stack[STACKSIZE / 4]));
    /* Text-mode video memory: one 16-bit cell (attribute, character) per screen position */
    volatile unsigned short *video_array = (volatile unsigned short *)0xB8000;
    unsigned cpt1;
    video_array += 10 * 80; /* few empty lines */
    /* We want blue background color and lightgray foreground, so 0x1700: */
    for (cpt1 = 0; cpt1 < sizeof(msg1) - 1; cpt1++)
        video_array[cpt1] = 0x1700 + msg1[cpt1];
    /* Nothing to return to: interrupts are off, so just spin until the user reboots */
    while (1)
        continue;
}
Then compile it like this (you may need to add “-fno-stack-protector” too, distribution dependent):
You just need to copy that hello.kgz file onto the USB stick and reboot with this USB stick; you will get a menu with “hello.kgz” displayed.
If you click on this filename, you will see “Hello protected-mode text world! please reboot …” displayed (because this hello world does not manage graphic modes, you have to “force start kernel in text mode” in the Gujin configuration).
If you want slightly more complex “hello world” applications, you should download the Gujin install*.tar.gz pack.
You will find a few KGZ files there, like the previous example but with some addresses displayed to show the exact position of the application in memory.
You can copy hello_bios.kgz to the USB stick and run it; I hope the different functions of the source file are obvious.
The Gujin bootloader is willing to let the real-mode and protected-mode kernel access the bootloader’s internal data (such as the current video mode, how to display strings…) as long as the kernel is licensed under the GPL, i.e. when the GZIP kernel contains a GZIP comment describing its license. That is illustrated by cleandisk.kgz, compiled from this cleandisk.c source code and linked with this linker file.
The main point about the GPL license is that it is not possible to draw a line between a possible Gujin bug and a closed-source application: it is not allowed to modify Gujin data while in real mode, but there isn’t any enforcement by hardware.
Obviously, Gujin will enable you to run an ELF file with a real-mode part AND a protected-mode part; just have a look at the example hello_gpl.kgz and its source code hello_gpl.c.
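Two things the Gujin description above leaves to the reader are what the loader actually has to read from a KGZ file before it can jump to the kernel (ELF32 versus ELF64 fields, the entry point, and the point that a 64-bit image has to set up paging and enter long mode itself) and where the license comment lives (in the GZIP header). The following added example, which is not Gujin’s code, builds constructed ELF32 and ELF64 headers, wraps them in a gzip member carrying an FCOMMENT field, and then reads both back the way a loader would. The page does not say what text Gujin expects in the comment, so the comment content here is an arbitrary sample and is only extracted, not interpreted.

```python
import gzip
import struct
import zlib

EM_NAMES = {3: "i386", 62: "x86-64"}   # e_machine values for the two PC ELF variants
ET_EXEC = 2


def build_elf_header(bits, entry, machine):
    """Constructed sample: a bare ELF header of the requested class, no program or section headers."""
    # e_ident: magic, EI_CLASS (1 = ELF32, 2 = ELF64), EI_DATA (1 = little endian),
    # EI_VERSION, EI_OSABI, EI_ABIVERSION, then padding to 16 bytes
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1, 0, 0]) + b"\x00" * 7
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    if bits == 32:
        body = struct.pack("<HHIIIIIHHHHHH", ET_EXEC, machine, 1, entry, 0, 0, 0, 52, 32, 0, 40, 0, 0)
    else:
        body = struct.pack("<HHIQQQIHHHHHH", ET_EXEC, machine, 1, entry, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + body


def parse_elf_header(data):
    """Return class, type, machine and entry point; ELF64 fields are read as 64-bit quantities."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, endian = data[4], data[5]
    if endian != 1:
        raise ValueError("only little-endian ELF handled here")
    if elf_class == 1:
        e_type, machine, _ver, entry = struct.unpack_from("<HHII", data, 16)
        bits = 32
    elif elf_class == 2:
        e_type, machine, _ver, entry = struct.unpack_from("<HHIQ", data, 16)
        bits = 64
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    return {"bits": bits, "executable": e_type == ET_EXEC,
            "machine": EM_NAMES.get(machine, hex(machine)), "entry": entry}


def gzip_with_comment(payload, comment):
    """Wrap payload in one gzip member; comment (if any) goes into the FCOMMENT header field."""
    flg = 0x10 if comment is not None else 0                    # 0x10 = FCOMMENT
    header = b"\x1f\x8b\x08" + bytes([flg]) + b"\x00\x00\x00\x00" + b"\x00\x03"  # CM=8, MTIME=0, XFL=0, OS=3
    if comment is not None:
        header += comment.encode("latin-1") + b"\x00"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)             # raw DEFLATE, no zlib framing
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    return header + body + trailer


def read_gzip_comment(blob):
    """Walk the optional gzip header fields in spec order and return the FCOMMENT text, or None."""
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("not gzip")
    flg = blob[3]
    pos = 10
    if flg & 0x04:                                             # FEXTRA: 2-byte length plus data
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flg & 0x08:                                             # FNAME: NUL-terminated
        pos = blob.index(b"\x00", pos) + 1
    if flg & 0x10:                                             # FCOMMENT: NUL-terminated
        return blob[pos:blob.index(b"\x00", pos)].decode("latin-1")
    return None


def inspect_kgz(blob):
    """What a loader learns before jumping: ELF class, entry point, and whether a license comment is present."""
    info = parse_elf_header(gzip.decompress(blob))
    info["license_comment"] = read_gzip_comment(blob)
    # Per the text: the loader enters 32-bit protected mode without paging, so a 64-bit
    # image must build its own page tables and switch to long mode itself.
    info["must_enter_long_mode_itself"] = info["bits"] == 64
    return info


if __name__ == "__main__":
    print(inspect_kgz(gzip_with_comment(build_elf_header(32, 0x100000, 3), "GPL")))
    print(inspect_kgz(gzip_with_comment(build_elf_header(64, 0xFFFFFFFF80000000, 62), None)))
```

The entry points and the comment string are constructed values. A real KGZ would of course carry program headers and code after the ELF header; gzip.decompress verifies the CRC32 and length trailer, so a corrupted image is rejected before any header field is trusted.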
How Programming Languages Evolved
How the computer stores data
Numbering systems the computer likes
Different data types
Different programming styles
Procedural
Functional
Object Oriented
What does it mean when a language is “strongly” or “weakly” typed
What is compiling and do I need to do it?
When I would do it, and when I would not
Why, what advantage does it provide
Modern Computer Languages Overview
Bash
Perl
Python
Ruby
C
C++
Java
Vala
C#/Mono
Programming methodologies
Waterfall
RAD
Summary of Graphical Programming Libraries
GTK
QT
FLTK
SDL
And finally, Programmers tools:
Eclipse
NetBeans
Anjuta
This is a lot of topics, and this week will be an overview. It should get you enough information to recognize the labels on the map, even if you are not 100% sure where the map will lead you. That will be the task for the following weeks.