From: Dave Aitel (dave immunityinc.com)
Date: Mon Sep 15 2008 - 07:30:38 CDT
You know what would be annoying? If every fifteen seconds a random VM
was suspended just long enough to get a memory snapshot and then that
snapshot was analyzed for CANVAS-style shellcode in every process. It's
not hard to do now that the APIs are all opening up. Even a simple
"This thread is running from the heap and is not Java" would work. At
that point the shellcode will have to jump into unused space in a DLL
and then we all get to play statistical matching games to say "This
function does not look like Visual Studio compiled it, unlike the rest
of the DLL".
Anyways, there's a lot of cool stuff you can do from the hypervisor.
Probably the stuff VMware and Microsoft and Xen don't want to talk about
involved breaking DRM, writing invisible email-sniffing programs that
hook Exchange's new email function, or other fun stuff. Just being able
to get a clean copy of memory is cool, since you don't get one with a
little daemon installed on the server (since memory changes as you copy it).
-dave
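The simple check suggested in the message above ("This thread is running from the heap and is not Java"), sketched as an added example that is not part of the original post. The snapshot layout, process names and addresses are constructed, and pulling the snapshot through a hypervisor API is assumed to have happened already.

```python
from bisect import bisect_right
from typing import NamedTuple, Optional

class Region(NamedTuple):
    start: int
    end: int                 # exclusive
    image: Optional[str]     # backing module, None for heap/private memory

# Assumption: runtimes whose threads legitimately execute generated code.
JIT_PROCESSES = {"java.exe", "javaw.exe"}

def find_region(regions, addr):
    """Return the region containing addr, or None (regions sorted by start)."""
    i = bisect_right([r.start for r in regions], addr) - 1
    if i >= 0 and addr < regions[i].end:
        return regions[i]
    return None

def flag_threads(snapshot):
    """List threads whose instruction pointer is outside every mapped image."""
    findings = []
    for proc in snapshot:
        regions = sorted(proc["regions"], key=lambda r: r.start)
        for tid, ip in proc["threads"]:
            region = find_region(regions, ip)
            if region is not None and region.image is not None:
                continue  # inside a loaded module; needs the statistical check
            if proc["name"].lower() in JIT_PROCESSES:
                continue  # "... and is not Java"
            where = "unmapped address" if region is None else "non-image memory"
            findings.append((proc["pid"], tid, hex(ip), where))
    return findings

# Constructed sample snapshot: three processes, one thread list each.
SNAPSHOT = [
    {"pid": 412, "name": "svchost.exe",
     "regions": [Region(0x7C800000, 0x7C8F0000, "kernel32.dll"),
                 Region(0x00150000, 0x00250000, None),
                 Region(0x00400000, 0x00420000, "svchost.exe")],
     "threads": [(1, 0x7C801234), (2, 0x00151000)]},
    {"pid": 900, "name": "java.exe",
     "regions": [Region(0x02000000, 0x03000000, None)],
     "threads": [(5, 0x02000040)]},
    {"pid": 1200, "name": "notepad.exe",
     "regions": [Region(0x01000000, 0x01010000, "notepad.exe")],
     "threads": [(7, 0x41414141)]},
]

if __name__ == "__main__":
    for finding in flag_threads(SNAPSHOT):
        print(finding)
```

The process-name exemption is a blind spot in its own right, and a thread running from inside a mapped DLL passes this check, which is the case the message says needs statistical matching.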