Login: Password: Remember Me Register Blogs >> Piotr 's Blog

Created: Friday, July 17 2009 09:58.44 CDT Modified: Friday, July 17 2009 10:36.19 CDT Printer Friendly ... Some news on Aslan and BLOG issues Author: Piotr # Views: 7844

For those who are interested:



The OPENRCE FEED reader seems to be not working correctly and posts from my original blog (outside one) are imported to OPENRCE usually with long delay. I have noticed Pedram about it but this issue stays unresolved.



I have recently updated my website with few articles and a little update for Aslan 4514N.



If anyone is interested here is my current blog:

http://blog.piotrbania.com



And here you can subscribe:

http://blog.piotrbania.com/feeds/posts/default



Some short post about Aslan and its new feature is available here:

http://blog.piotrbania.com/2009/07/aslan-4514n-binary-code-integrator.html



peace



Blog Comments PeterFerrie Posted: Friday, July 17 2009 10:59.39 CDT Integration of C code into executables was done by herm1t in his Crimea virus for Linux. ELF is far more complicated than PE. Don't bother. ;-)

Piotr Posted: Friday, July 17 2009 11:59.11 CDT AFAIK ELF integration/injection is also already supported by the ERESI project as well. So i don't see any reason to add this to Aslan. Besides regarding the Crimea virus, i would like to see how it handles FPU/SSE instructions - as far as i know it was based on XDE and this engine was unable to disassemble such instructions. Not to mention some of its bugs like SIB decoding (AFAIR) etc. Finally will i bother with adding ELF support or not is entirely my decision not yours, so don't bother giving me yours life advices. ;-)

Orr Posted: Saturday, July 18 2009 08:11.52 CDT very good work piotr! ;)



for peter: question is how a scanner will be able to deal with a virus using victim's own APIs?

PeterFerrie Posted: Saturday, July 18 2009 15:14.02 CDT Piotr: you misunderstood me. I meant "don't bother with Aslan" because it has all been done before, by Zombie for PE, and herm1t for ELF. No matter how good your engine is, we'll still only think of you as the second man on the moon. btw what possible purpose could Aslan serve?



Orr: it was done already by Drill. It was no problem for us to detect it.



BanMe Posted: Saturday, July 18 2009 18:10.26 CDT Thats considerably disturbing..



thats "nice" that z0mbie and herm1t did it..

you lack foresight and a unquenchable thirst for knowledge that is what I find disturbing..But I find it Disgusting, that you would say "don't bother with 'your project name here'" that is the apitemy of why "other" communities have died.. the idea that "it's already been done" so why "redo it" is not something I think should be said to anyone let alone someone who contributes "publicly" there research and knowledge..



regards BanMe

Piotr Posted: Saturday, July 18 2009 20:33.04 CDT PeterFerrie: Oh please, perhaps we should all stick to grab people's antidebugging methods, write another "Anti-Unpacker Tricks" issue and sign it with ours name? Where is the innovation in that? Once more as long as i consider Aslan as knowledge i will continue it and if you have nothing useful to add/comment please limit your ego to bash others on your private site or mmpc blog.





EDITO:

EDITO: P.S I don't see any reason to continue this useless discussion, i believe OPENRCE.ORG is not a place for flame wars besides flame wars do not interest me at all (and in fact they never did). I was with OPENRCE from the start and i think i have contributed enough to this site. Whenever readers like my stuff or not is up to them to decide, i am always open to criticism as long as it is constructive. Right now i am going to enjoy my holidays, i respect my freetime so goodbye all and be safe.

PeterFerrie Posted: Sunday, July 19 2009 22:33.28 CDT BanMe:



> you lack foresight and a unquenchable thirst for knowledge that is what I find disturbing..



And you base this on what?



> But I find it Disgusting, that you would say "don't bother with 'your project name here'"



That is not what I said.



What I find disgusting is this on Piotr's site: "do you want to compile a rootkit inside of yours ndis.sys?"

Is Aslan intended for malicious purposes? What else would anyone do with it? Is OpenRCE any place for such a thing?



> perhaps we should all stick to grab people's antidebugging methods, write another "Anti-Unpacker Tricks" issue and sign it with ours name?



I gave credit to all techniques that were not mine, however we are talking about you not me.



> Once more as long as i consider Aslan as knowledge i will continue it and if you have nothing useful to add/comment



But this is my useful comment. If Aslan is intended to be malicious, then it is my duty to try to discourage you in that effort.



Piotr Posted: Monday, July 20 2009 02:57.12 CDT Dear PeterFerrie,



>What I find disgusting is this on Piotr's site: "do you want to compile a

> rootkit inside of yours ndis.sys?"

> Is Aslan intended for malicious purposes? What else would anyone do with it?



I need to clarify something here. As updated Aslan website says and one of the comment on my blog in reply to dELTA message Aslan can be used in variety of legal purposes:



- partially it is used in PE protection software which i am currently doing for one of companies

- sometimes we use it in pentest to bypass AV protection

- it can be used in extending original applications which are not updated anymore of course as long as it does not violate the copyrights



Of course it can be still used for malicious purposes, thats why i am not releasing it. Moreover i have made a bet with couple of persons that you will be the first person to throw stones even if no code is released, not really surprisingly i won.





> Is OpenRCE any place for such a thing?



Oh, really? Let me quote:



"OpenRCE aims to serve as a centralized resource for reverse engineers (currently heavily win32/security/malcode biased) by hosting files, blogs, forums articles and more. "



Besides I am afraid you haven't contributed much to this site so your demands look at least ridiculous.





Now regarding the 'rootkit' word:



Almost every year in BlackHat agenda (also multiple other conferences) there are few talks when people present rootkits. This year as far as i remember Dino is presenting a MacOS rootkit, Travis Goodspeed is presenting a rootkit too, Erez Metula too, Alexander Tereshkin, Rafal Wojtczuk, Peter Kleissner too - and few others also [1]. Moreover not so long ago Immunity presented a linux rootkit which comes with complete source code [2] not to mention Greg has a nice rootkit collection on his site [3]. I don't find it disgusting but what about you? Why your sense of duty have suddenly disappeared? Does it work only on selected persons? Why you haven't complained to them, how big hypocrite does it make you? Besides original Aslan website with the 'rootkit' word is online since 2006, i bet you have seen it multiple times already and suddenly today you found it disgusting, *sweet Jesus*.



>I gave credit to all techniques that were not mine, however we are talking

>about you not me.



Oh really? But how come you are using tricks from the persons who you found "disgusting" and moreover you are also making money from it? Ohh and wait, those unpacking tricks can be also used in evil purposes, right? Don't bother to answer it was kinda rethorical question. So i am afraid we are talking about you here too. Of course not to mention you once said you are not going to credit virus writers [5].



>But this is my useful comment. If Aslan is intended to be malicious, then it >is my duty to try to discourage you in that effort.



Look upper lines about you being a hypocrite.





I made a big effort to read some of yours articles today and also some posts written by you on the mmpc blog together will old symantec ones. In almost everyone of them you are trying to bash people, claiming how big your brain is and how small is theirs (of course mostly except the posts about roygbiv - somehow :)). You are trying to pose like a justice servant with your shiny little badge of lieutenant Columbo, dangling a plastic water gun in front of your monitor. If you are thinking i am breaking the law spreading malicious software just sue me otherwise please cut the crap.



P.S And if a person who writes such things publicly [4] on the corporate blog, bragging about his undercover investigation names me as "disgusting" then i really feel relieved. Despite of your technical skills i feel sad for you, i may be young and stupid and that may be my explanation but for your lack of good-taste and bragging about things like that there is none. One thing is certain, all the underground/hacker people should now beware, you never know from which toilet mr. Ferrie undercover investigation will jump out from.



Since you have been spreading your envy and bane for few long years already i don't think anything i say will change you behaviour. Some people feed on looking for scandals and that's the way it is. Therefore i see no point with arguing/talking with you - i have already said enough. Cum tacent, clamant.





with no regards,

Piotr Bania





[1] - http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html



[2] - http://www.immunitysec.com/downloads/linux_rootkit_source.tbz2



[3] - http://www.rootkit.com



[4] - http://blogs.technet.com/mmpc/archive/2009/02/17/we-read-their-forums-too.aspx



[5] - http://seclists.org/fulldisclosure/2006/Oct/0370.html



wtbw Posted: Monday, July 20 2009 03:41.34 CDT C'mon guys.



There are many reasons to do projects other than being the first, both for one's self and for the community; and we all have to make decisions about how and what we publish based on what we think is right.



There are too few of us doing this sort of research... let's stick together and try to respect each other even if our often unusual social styles rub a bit ;-)



"Anybody can press a button and blow a ship up, anybody can use an atom bomb, anybody can pick up a big whip and whip you, anybody can stick a knife into you, anybody can pull a trigger... but where's the man with the character as can take a punch on the nose and keep his temper and keep control of himself?"

Piotr Posted: Monday, July 20 2009 04:37.02 CDT wtbw:

I honestly don't care which number do i have, as long as i find things that i do interesting. This is true that the idea of PE/ELF integration was developed earlier, but i have only claimed i am the first to introduce two PE file welding together with additional import repairing and support for FPU/SSE instructions.



It's hard to get on with mr. Ferrie since in my humble opinion he commented this blog entry only to create another plastic scandal (Aslan itself is not even a rootkit btw.) - and if you will read his work you will find he did it multiple times. And it is just as i said when people are publishing rootkits on conferences or they are published by security companies he suddenly disappears. This thing and also many others i have already mentioned make him the one of the biggest hypocrite ever. It's like they say: "no matter how much do you earn or where you work as long as you see the same pig in your mirror".

MohammadHosein Posted: Monday, July 20 2009 15:09.59 CDT What I find disgusting is this on Piotr's site: "do you want to compile a rootkit inside of yours ndis.sys?"

Is Aslan intended for malicious purposes? What else would anyone do with it? Is OpenRCE any place for such a thing?

But this is my useful comment. If Aslan is intended to be malicious, then it is my duty to try to discourage you in that effort.



so basically what you find disgusting is just another way to mount a Rootkit ? and you probably think this is nessecarily a malicious activity ? what's even more funnier is that you are telling us you have a "duty" to let openrce community know this is not a place for such stuff ?



Rootkits are not necessarily malwares and ideas or tools to develop stuff what that nature are not necessarily malicious . you are in no position to make judgment on people's intentions . here , i'm not talking about the technical aspects of this story , since Piotr did that himself . what i'm talking about is the other thing . "duty" . sounded very much relegious to me . please be aware that , according to Pedram , OpenRCE is modeled on the architecture of Rootkit.com the very same site hosting all sorts of codes and tricks related to Rootkits and Greg is a respected member of this Community .



your history in anti av probably had effects on your position against technical research and development . i strongly suggest you to think on that .



at the end of the day ,nothing is wrong with putting a rootkit on ndis.sys . using that to steal someone's money is wrong , according to law . gangsters use guns and you have constitutional right to own one to defend yourself and nobody has a "duty" to sue the weapon manufacture company . take a look at the hiring ad section of openrce . half the people , maybe more , active in RCE environment working for some law enforcement or defense contractors . we all know the deal . maybe you dont ?

BanMe Posted: Monday, July 20 2009 18:43.28 CDT bah I contributed to a senseless war, this is not how we should act..nor should I be the one to say 'how anyone "should" act', but we lose sight of what we all do and forge barriers between people that "could've" been freinds with this and other "flame" wars..and each has to have their own say. we are always granted that, but it is the "saying of it" that should be tempered and given thought to before just typing it out.



I quote Cli3nt again...

"Peace & Code"



PeterFerrie: 'you base this on what'

Simple and constructive as possible. Someone who has these things wouldn't discourage someone else in pursuit of there own interests, just to say its been done before.. of course its been done before...Microsoft(all rights denied) prolly did it before all of us..so..why bother programming or asking why? Because that is part of the fundementals of being human..think of us as 'old' kids. Asking why over and over..and you might not get entangled in such heated response :D



kind regards,

BanMe



PeterFerrie Posted: Tuesday, July 21 2009 15:26.13 CDT > Of course it can be still used for malicious purposes, thats why i am not releasing it.



So we are discussing a product that we will never see?



> i have made a bet with couple of persons that you will be the first person to throw stones even if no code is released



I am not the first one to suggest that you stop work on it.

Surely you remember this? http://omeg.pl/dump/OpenRCE.htm

"Cancel Aslan, apologize for releasing Garaa, and go back to work on vulnerabilities".

I didn't write any of that (apart from the stuff that they quoted from the Tigraa article).



> how come you are using tricks from the persons who you found "disgusting" and moreover you are also making money from it?



You started by saying that I stole the tricks, which I refuted, so now you're attacking me for something else? Please decide.

I didn't say anything about the people whose tricks I described. You're trying to put words into my mouth.



> those unpacking tricks can be also used in evil purposes, right?



Yes, but in that case, the disclosure takes away the element of surprise. We now know the tricks, so we can defend against the tricks, even before we see them.



> I made a big effort to read some of yours articles today ...

> In almost everyone of them you are trying to bash people, claiming how big your brain is and how small is theirs



They are virus writers, so by definition their brain is already smaller than mine. ;-)



> (of course mostly except the posts about roygbiv - somehow :)).



:-) He has fewer bugs than most, but I still make fun of him. herm1t has even fewer bugs and I haven't even made fun of him at all yet. Do you suggest that I am him? That would be equally silly.



> i have already said enough



And yet you keep talking...



It sounds like you need that holiday. Perhaps it will help you to calm down.



MohammadHosein:



> you are telling us you have a "duty" to let openrce community know this is not a place for such stuff ?



I didn't say that. I said that it's my duty to try to discourage [Piotr] in that effort. I didn't say anything about OpenRCE. I merely asked if this is the place for such a thing.



> "duty" . sounded very much relegious to me



Yes, it is that. Read my articles, read my blog entries, you'll see that it's a theme with me.



Piotr can say what he likes ("I'm going to write this"), I can say what I like ("please don't do that"), but no-one should be trying to tell me that I can't say it.



AbelianGrape Posted: Wednesday, July 22 2009 01:53.05 CDT Why does Peter Ferrie continually dodge the question as to why he doesn't apply the same standard to those who publish rootkits at major security conferences?

gnukish Posted: Thursday, July 23 2009 03:44.47 CDT wow, i think we've gotta throw some cold water on to you guys... relax ! :)

AbelianGrape Posted: Friday, July 24 2009 04:21.35 CDT No gnukish, the issue goes deeper than this. When evaluating another human being, one of the central questions that I ask is "is this person consistent". Given that Peter Ferrie gave a presentation at BlackHat publicly regarding someone else's rootkit research, and did not take the opportunity to bash that person for producing a rootkit at all, it would seem that his current position is contradictory, in fact hypocritical. I am waiting for a clarification from Peter Ferrie. If I don't get one, I must forever decide that Peter Ferrie is in fact a hypocrite, and I would encourage all readers of sound mind to reach the same conclusion.

PeterFerrie Posted: Friday, July 24 2009 13:59.50 CDT I haven't been dodging the question, I have been ignoring it.

You took something that I did not say, and made it the core of your complaint against me.

Or, more specifically, Piotr took something that I did not say, and you embarass yourself by blindly copying him.

Remedial reading classes for both of you.

Perhaps you'll learn to be more polite while you're there. ;-)

BanMe Posted: Friday, July 24 2009 14:31.33 CDT ewww..

using a attack vector to passivly attack another..absolutly disgusting..shows on which level you range from..this also shows you are not any different then any other 'person'. so caught up in the world of your want's and needs, that you neglect your own advice.. marvelous self-deprecation.. ;p



AbelianGrape not only presented a valid 'varaint' point. Then you chose to 'dodge' the meat of the question and mount a counter attack..I find it sickening that this is what we are still. Just 3~4 yr olds on a playground spitting anger driven remarks back and forth at each other..



also maybe you should take the 'remedial reading' class and learn more word associations.. cause in my book dodging and ignoring are the same thing...



'BanMe from this world of pettiecoats and turncoats.'



and the quote by ferrie 'they are virus writers of course there brain is smaller then mine..' arrogance is a slippery slope my friend ;)







BanMe









sovietskicpu Posted: Friday, July 24 2009 19:35.40 CDT Hey mister Ferrie you seem in big troubles here, don't you ? You are getting shot by everyone in every word they are saying don't you feel the heat yet ? I feel you are somehow hated and things are conducted against your person : Peter Ferrie. I mean : they used to hate you before anyway, and now,after your comments about Bania's work they are just hating you a bit more hehe...



Now, frankly speaking, personnally I don't give a damn about the potential malicious usage of Bania's work. I even encourage the malicious usage of his findings... you know why ? Simply there is no damn RELIGION in our AV BUSINESS !! I have more to tell : may GOD Bless all those Rootkits,worms,virii and craps makers all around the world !! you know why ? if there were no viruses and no virii writers then how would you bought your car(s) and house(s) ? if there were no virii writers how would Symantec existed then ? would Peter Ferrie existed also ? Or may be you would have been working in walt disney with the rest of us : doing toy researches hehe :)



Mister Ferrie, I am in your side, I mean I am also paying my bills by doing AV "homeworks" :) However, I do respect my enemies, I even do like them because they are maintaining my life up. I understand you can't officially respect virii writers, however as a minimum, you owe them some diplomacy for every dollar(s) you had won, can you please ?

bubbles Posted: Friday, July 24 2009 20:59.51 CDT From my perspective it looks rather like Ferrie is jealous for Piotr recent research (and i don't mean only Aslan here but also excellent articles he released recently). It looks like another Ferrie's frenzied attempt to discredit Piotr. I think Peter Ferrie got stuck in the elevator with 'his' unpacking tricks and lost creativity. Oh noez :(^H^H^H^H. Peter Ferrie I hope you stopped spending nights in the company, perhaps you are just tired? Nevertheless you shot your own feet with your comments.



Can a mod just delete this thread already? It's going nowhere!

msuiche Posted: Tuesday, August 4 2009 08:27.36 CDT I would like to thanks every contributor of this thread. I really enjoyed the reading.



Cheers,

sohlow Posted: Saturday, August 15 2009 15:37.41 CDT peterferrie -> i <3 you

cli4fun Posted: Tuesday, September 1 2009 01:19.42 CDT I would say, if its public, every "noob" can use it, this forces the AV do a better job.



I believe that if he did it, and its a problem for new "malware" heuristics then ...



What about the "bad teams" out there?



The black market? The true "malwares" that we know that can't be detected by AV's because it have "specific" targets, its not spread to the world ...



I'm with Mr. Ferrier that, every "good" boy here, could make your efforts in something that he thinks is "good", that is, "good" for him and others, more "good" than "bad" at least :P, that's enough.



But I'm with Piotr because hes making it "public".



If it was a real threat, and he a "bad" boy, he would never make it so public like hes doing right know ...



I don't know either Fer. or Pi.



That's a simple post, would be very stupid make conclusions about just, it.



But, as I'm new to this stuff of "low level stuff", i say thanks anyway for such thing, not because the almost flamewar( flamewar > 100 replies most the times hehe) i have discovered more people involved in this scene ...



Some mentioned the ERESI, I'm curious ...



Why they decreased the commits to the tree? I saw a very low access rate on the project page, and it is considered a "complex" soft, what i would think that require updates really often ...



Seems to have few open source projects on that stuff, i hope it don't end up being no more maintained ;/







mayhem Posted: Thursday, November 19 2009 01:39.12 CST Piotr is right to mention that ERESI already supports the feature of injecting C code to an executable. I originally wrote this code in 2003 and documented it in an article published in phrack #61 called "THe Cerberus ELF interface". A cool feature also was the ability to work on PaX machines. Since that time, we ported the feature for a couple of architectures, but at this point, it was all just for fun. I dont think those techniques implemented in ELFsh need any specific maintaining. They just work.



As for ERESI in general, we are sorry not to provide much update for a couple of months. We are all very busy and there are time when you just cant feed a family by writing free software. It doesnt mean that the project is dead, but in the absence of contributors, I dont see how the project could grow more for now. Many motivated students worked on interfacing eresi with virtual machines and make it capable of using the GDB/JTAG protocol to debug embedded systems. We havent advertized much that work but its there and working if you know where to look at in the SVN.



Beside this, if you are interested in coding in eresi, just let us know and we will surely tell you how you can help.



-m













