Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Dave Aitel (daveimmunityinc.com)
Date: Mon Sep 15 2008 - 07:30:38 CDT
-----BEGIN PGP SIGNED MESSAGE-----
You know what would be annoying? If every fifteen seconds a random VM
was suspended just long enough to get a memory snapshot and then that
snapshot was analyzed for CANVAS-style shellcode in every process. It's
not hard to do now that the API's are all opening up. Even a simple
"This thread is running from the heap and is not Java" would work. At
that point the shellcode will have to jump into unused space in a DLL
and then we all get to play statistical matching games to say "This
function does not look like Visual Studio compiled it, unlike the rest
of the DLL".
Anyways, there's a lot of cool stuff you can do from the hypervisor.
Probably the stuff VMWare and Microsoft and Xen don't want to talk about
involved breaking DRM, writing invisible email-sniffing programs that
hook Exchange's new email function, or other fun stuff. Just being able
to get a clean copy of memory is cool, since you don't get one with a
little daemon installed on the server (since memory changes as you copy it).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Dailydave mailing list