<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Security 2.0 - Fairy tales and the art of deception</title><description>2009-06-30 13:44:04 - Matthieu Suiche's blog ! : Yesterday, I wrote a post about TwitPic and Twitter. According to the blog of TwitPic, we can read this: Yesterday we were made aware of a vulnerability with our email posting system that would allow someone to brute force someone’s Twitpic email PIN by trying every combination until one worked. A fix has been put in </description><link>http://www.secuobs.com/revue/news/115233.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/115233.shtml</guid></item>
<item><title>Security 2.0 is not even a failure. It is a nightmare</title><description>Secuobs.com : 2009-06-29 20:41:19 - Matthieu Suiche's blog ! - Web vulnerabilities are lame and web developers too. We all know this. And here is what you can read on @britneyspears twitter. Basically, TwitPic allows Twitter users to upload + post pictures on their Twitter status. How? You have to login on the TwitPic website with your login+password, then upload your picture and that’s it. According to </description><link>http://www.secuobs.com/revue/news/114958.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/114958.shtml</guid></item>
<item><title>Challenge of Windows physical memory acquisition and exploitation</title><description>Secuobs.com : 2009-06-12 07:43:21 - Matthieu Suiche's blog ! - Honolulu, HW - Here is a quick post to provide resources presented this afternoon at Shakacon 2009. This talk aims to show to win32dd users (forensics engineers, investigators, incident response engineers) why physical memory analysis is important, and mainly covers how to rethink memory acquisition and exploitation in a more efficient way. Slides are available here </description><link>http://www.secuobs.com/revue/news/108932.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/108932.shtml</guid></item>
<item><title>Update: Win32dd 1.2.20090608 fixes + improvements</title><description>Secuobs.com : 2009-06-09 00:40:55 - Matthieu Suiche's blog ! - This week I’m going to give a talk at Shakacon entitled Challenge of Windows physical memory acquisition and exploitation — then I think it’s time to release a new version of win32dd. Two major bugs fixed in this release are: System cache size was growing because the output file was mapped, then it filled the memory with </description><link>http://www.secuobs.com/revue/news/107179.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/107179.shtml</guid></item>
<item><title>Undocumented Windows Vista and later registry secrets</title><description>Secuobs.com : 2009-06-07 22:17:31 - Matthieu Suiche's blog ! - In fact, this new key category appeared for the first time in Windows XP, formerly called Whistler, in early 2001. Yes, almost 9 years ago. But its structure CM_BIG_DATA had been removed from Microsoft Windows XP public symbols but not from Windows Vista and later symbols. Basically, this “secret” registry key had been briefly introduced in</description><link>http://www.secuobs.com/revue/news/106733.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/106733.shtml</guid></item>
<item><title>Microsoft MVP 2009</title><description>Secuobs.com : 2009-04-11 23:06:58 - Matthieu Suiche's blog ! - It’s official - I’m a Microsoft Enterprise Security MVP. For people who don’t know what MVP means here is the definition from wikipedia: Microsoft MVPs are exceptional technical community leaders from around the world who have been awarded for voluntarily providing technical expertise towards technical communities supporting Microsoft products or technologies (Wikipedia). Past well-known MVPs include Mark Russinovich, </description><link>http://www.secuobs.com/revue/news/82303.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/82303.shtml</guid></item>
<item><title>Low Priority I/O Count Information - SystemLowPriorityInformation</title><description>Secuobs.com : 2009-04-01 23:46:17 - Matthieu Suiche's blog ! - Based on Windows Vista I/O priorities manager, Windows 7 provides a new class to retrieve information/statistics about Low I/O priority counts. Function: NtQuerySystemInformation Class: SystemLowPriorityInformation Privilege: None Output size: 0x24 bytes. The output structure is the following: typedef struct _LOW_PRIORITY_INFORMATION { ULONG IoLowPriorityReadOperationCount; ULONG IoLowPriorityWriteOperationCount; ULONG IoKernelIssuedIoBoostedCount; ULONG IoPagingReadLowPriorityCount;</description><link>http://www.secuobs.com/revue/news/78169.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/78169.shtml</guid></item>
<item><title>Demystifying new Windows 7 System Information Classes</title><description>Secuobs.com : 2009-04-01 02:31:01 - Matthieu Suiche's blog ! - This post is the first of a series of articles/blogposts about new System Information Classes under Windows 7 32bits ATM used by both NtQuerySystemInformation and the extended version of this API called NtQuerySystemInformationEx introduced in Windows 7 and Windows 2008 R2. First of all, here is the prototype of these functions: NTSTATUS (WINAPI *NtQuerySystemInformationEx)(SYSTEM_INFORMATION_CLASS SystemInformationClass, </description><link>http://www.secuobs.com/revue/news/77680.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/77680.shtml</guid></item>
<item><title>Debugged MZ/PE: MagaZine for/from Practicing Engineers #1 is out</title><description>Secuobs.com : 2009-03-09 14:13:09 - Matthieu Suiche's blog ! - # Authors: Dmitry Vostokov, Matthieu Suiche, Roberto Alexis Farah # ISBN-10: 1906717389 # ISBN-13: 978-1906717384</description><link>http://www.secuobs.com/revue/news/68598.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/68598.shtml</guid></item>
<item><title>A New direction</title><description>Secuobs.com : 2009-02-20 10:23:13 - Matthieu Suiche's blog ! - Well, I’m moving to Den Haag in the Netherlands to work at the Netherlands Forensic Institute of the Dutch Ministry of Justice. If you live around feel free to send me an e-mail to drink some beers.</description><link>http://www.secuobs.com/revue/news/63537.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/63537.shtml</guid></item>
<item><title>Understanding needs to fight procrastination of the industry</title><description>Secuobs.com : 2009-02-07 15:04:00 - Matthieu Suiche's blog ! - Investigators, Incident Response Engineers, Forensics Engineers, Security Consultants, CISSP, … from all around the world, here are some questions for you. I tried to find answers by myself but I feel unable to do so. So, let’s improve communication/interaction between us. #1 Could you define the role of a security researcher? #2 How do you or</description><link>http://www.secuobs.com/revue/news/59575.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/59575.shtml</guid></item>
<item><title>Windows 7 and Windows Server 2008 R2 djoin Offline Domain Join utility</title><description>Secuobs.com : 2009-01-29 02:12:43 - Matthieu Suiche's blog ! - Offline domain join is a new process that joins computers running Windows® 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS) — without any network connectivity. This process includes a new command-line tool, Djoin.exe, which you can use to complete an offline domain join. Run Djoin.exe to provision the computer account </description><link>http://www.secuobs.com/revue/news/56185.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/56185.shtml</guid></item>
<item><title>KPRCB structure modified in Win7: Another thing to fix into win32dd</title><description>Secuobs.com : 2009-01-12 18:17:37 - Matthieu Suiche's blog ! - If you’re generating a Microsoft Crash Dump file under Windows Seven you might have noticed that the DirectoryTableBase field in the crash dump header is set to zero. The reason is the current version of win32dd chose to retrieve the cr3 register through the PROCESSOR_STATE structure stored into KPRCB. But since KPRCB had been updated in Windows 7 </description><link>http://www.secuobs.com/revue/news/50640.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50640.shtml</guid></item>
<item><title>Update: win32dd 1.2.1</title><description>Secuobs.com : 2009-01-06 12:23:16 - Matthieu Suiche's blog ! - First of all, the problem reported and explained in my previous blogpost regarding multi-processor computers and Microsoft crash dump generation is fixed. The limitation had been raised from 1 to 32 processors. The KeQueryActiveProcessorCount API only exists in Vista and later versions of Windows, that’s why I wrote xxxKeQueryActiveProcessorCount in driver/private/ke.c because compatibility matters. By the way, about </description><link>http://www.secuobs.com/revue/news/48914.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/48914.shtml</guid></item>
<item><title>Multi-Processors and KdVersionBlock</title><description>Secuobs.com : 2009-01-05 00:19:04 - Matthieu Suiche's blog ! - Tomorrow, I’ll publish a bugfix for win32dd about the following problem: on multi-processor computers a BSOD occurs when the user tries to generate a Microsoft Crash dump file through the -d option. The problem is located inside the KdGetDebuggerDataBlock function: when the function tries to read the KdVersionBlock field an invalid pointer is returned because this field is only </description><link>http://www.secuobs.com/revue/news/48487.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/48487.shtml</guid></item>
<item><title>Hey people! Happy new year from a lazy man 2.0 :-)</title><description>Secuobs.com : 2009-01-02 18:47:40 - Matthieu Suiche's blog ! - I was looking for the shortest way to wish to people I know happy new year for 2009. Here is a flowchart to explain what’s going on just after I press the “Publish” wordpress button. As you can see I use Wordpress, Twitter, and Facebook technology — that’s pretty useless but that’s funny :-) Update will be show </description><link>http://www.secuobs.com/revue/news/48180.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/48180.shtml</guid></item>
<item><title>Your hibernation file in a nutshell - Part II</title><description>Secuobs.com : 2008-12-13 21:18:47 - Matthieu Suiche's blog ! - Part I</description><link>http://www.secuobs.com/revue/news/43621.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/43621.shtml</guid></item>
<item><title>Europol High Tech Crime Expert Meeting</title><description>Secuobs.com : 2008-12-04 19:36:15 - Matthieu Suiche's blog ! - For people who attended my talk this week and asked for slides, here is where you can download them. If you have any questions I’m reachable at matt#msuiche#net</description><link>http://www.secuobs.com/revue/news/40692.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/40692.shtml</guid></item>
<item><title>Today’s a new day: win32dd 1.2 out</title><description>Secuobs.com : 2008-11-05 12:08:57 - Matthieu Suiche's blog ! - Download win32dd v1.2.20081105 now. New features coming into this version — but the most notable feature is the capacity to generate a Microsoft crash dump file without rebooting or generating a BSOD. This means you can load your memory snapshot into WinDbg. Here is a sample of output using WinDbg: Symbol search path is: SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols Executable search path is: Windows </description><link>http://www.secuobs.com/revue/news/33622.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33622.shtml</guid></item>
<item><title>Microsoft Crash Dump Analysis weaknesses</title><description>Secuobs.com : 2008-10-16 23:14:11 - Matthieu Suiche's blog ! - I’m going to discuss Microsoft Crash Dump Analysis weaknesses, but in fact this blogpost is somehow an introduction to the next version of Win32DD, 1.2. Indeed, the next version of win32dd will have crash dump generation implemented and some other things you’ll enjoy too. Any reader who is interested in this topic is encouraged to </description><link>http://www.secuobs.com/revue/news/30092.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/30092.shtml</guid></item>
<item><title>X-Files Episode 2 *Squeeze*</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - As said previously, it’s really easy to find proof of plagiarism when an open-source tool is released and when this source is reimplemented into a commercial software without compliance. Andreas published a new article called The implementation by Vendor “S”. In this article, he has explained what are the differences between the implementation of</description><link>http://www.secuobs.com/revue/news/29358.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29358.shtml</guid></item>
<item><title>BlackHat Las Vegas Briefing 2008</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - In November 2007, Nicolas and I presented “Enter SandMan” in Tokyo at PacSec during its development phase. You can get the materials we used for this lecture here in English and here in Japanese. Some months later, an alpha version formally called 1.0.080226, of SandMan Framework has been released as an open source project — </description><link>http://www.secuobs.com/revue/news/29357.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29357.shtml</guid></item>
<item><title>Capture memory under Win2k3 or Vista with win32dd</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - Actually, win32dd is the only 100% open-source tool to capture memory under Win2k3 or Vista. Even if ManTech released a similar tool yesterday, some parts of the source code (e.g. driver source code) are missing. Then, I decided to release mine as a full open-source project under the GPL3 license. The main difference between the ManTech tool</description><link>http://www.secuobs.com/revue/news/29356.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29356.shtml</guid></item>
<item><title>Ooh Headshot! Linus Torvalds about OpenBSD Team</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - Source: http://thread.gmane.org/gmane.linux.kernel/706600/ On Tue, 15 Jul 2008, Linus Torvalds wrote: So as far as I'm concerned, "disclosing" is the fixing of the bug. It's the "look at the source" approach. Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I</description><link>http://www.secuobs.com/revue/news/29355.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29355.shtml</guid></item>
<item><title>Check your system virginity in less than 60 seconds</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - Today, I wrote a tool called sym32guid which aims at retrieving all stored Program DataBase (*.PDB) File GUIDs (Globally Unique Identifier) from a physical memory dump. To do why? The first goal was to use symbols as additional information regarding unexported functions like the über-famous msv1_0!MsvpPasswordValidate, but it looks it can also be used </description><link>http://www.secuobs.com/revue/news/29354.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29354.shtml</guid></item>
<item><title>SMM Rootkit limitations and how to defeat it :-)</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - Today (I mean meanwhile :-) at Blackhat US 2008, Shawn Embleton and Sherri Sparks presented their research concerning the Clear Hat Consulting SMM Rootkit. * The first and main limitation concerns the D_LCK bit. BIOS vendors have enabled this bit for some years, maybe like 2/3 years, a few times after Loic Duflot's first lecture. It means that “new computers” </description><link>http://www.secuobs.com/revue/news/29353.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29353.shtml</guid></item>
<item><title>Black Hat USA 2008 - Slides and Demos</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - As I said in my previous post, this year I gave a talk at BH USA. For people who attended my talk or not, you can find here my presentation (PDF, PPTX), demos (ZIP), new version of SandMan version 1.1.20080804 (ZIP, black hat release) - DEMOS * Offensive - Bypassing Windows Login Prompt + msvpc - Local privilege escalation +</description><link>http://www.secuobs.com/revue/news/29352.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29352.shtml</guid></item>
<item><title>Update: win32dd and sandman</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - Two new releases: The first one is, as I said in my previous post, SandMan Framework which is now in version 1.1. And the second is win32dd which also turned to version 1.1.</description><link>http://www.secuobs.com/revue/news/29351.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29351.shtml</guid></item>
<item><title>Sandman shell: Your hibernation file in a nutshell - Part I</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - I’d like to introduce a new tool I plan to release later. This tool aims at providing a local shell to explore the windows hibernation file, like windbg or livekd can do with a crash dump, using the SandMan framework. The most interesting point regarding the usage is the loading of Microsoft Debugging Symbols to retrieve critical </description><link>http://www.secuobs.com/revue/news/29350.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29350.shtml</guid></item>
<item><title>Retrieving MmPhysicalMemoryBlock regardless of the NT version</title><description>Secuobs.com : 2008-10-15 15:50:48 - Matthieu Suiche's blog ! - Here is a method I’m using in the next version of Win32DD, 1.2, to retrieve MmPhysicalMemoryBlock regardless of the NT Version. The main problem with the KDDEBUGGER_DATA64 structure is the version dependency. Then, we have to rebuild this field by ourselves. To retrieve physical memory runs, I’m using the MmGetPhysicalMemoryRanges (*undocumented*) function. This function usage had been documented </description><link>http://www.secuobs.com/revue/news/29349.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29349.shtml</guid></item>
<item><title>Samba eXPerience conference - Germany</title><description>Secuobs.com : 2008-04-20 21:03:59 - Matthieu Suiche's blog ! - Day 1 :: Workshop 8:00 PM yeah it’s late. I had almost 7 hours of travel time in train from Paris to Goettingen. It was really exhausting but it was a good opportunity to talk with pretty girls visiting Europa :) This year, the SambaXP conference is held in the Freizeit Hotel (Free time in English) in Goettingen, Germany from </description><link>http://www.secuobs.com/revue/news/19560.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/19560.shtml</guid></item>
<item><title>Few words about Microsoft interoperability initiative</title><description>Secuobs.com : 2008-04-07 00:03:22 - Matthieu Suiche's blog ! - As you probably know, Microsoft released last month several thousand pages of documentation about office file formats and Windows protocols. It means numerous hundreds/thousands of functions/algorithms documentation and pseudo-code. But, are these pseudo-functions right? It looks not. While I was reading MS-DRSR: Directory Replication Service (DRS) Remote Protocol Specification, I was a bit </description><link>http://www.secuobs.com/revue/news/16712.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/16712.shtml</guid></item>
<item><title>X-Ways Forensics Beta 2 and hibernation file coincidence</title><description>Secuobs.com : 2008-04-03 14:11:11 - Matthieu Suiche's blog ! - X-Ways WinHex editor Forensics Beta 2 now includes hibernation file (hiberfil.sys) support for Windows XP 32-bit only. Please notice, the Sandman library/framework is an open-source project under the GNU General Public License v3. Posted on Friday, Mar 28, 2008 - 1:05: * Ability to decompress Windows XP 32-bit hiberfil.sys files, whether active or inactive, to get a dump </description><link>http://www.secuobs.com/revue/news/16174.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/16174.shtml</guid></item>
<item><title>Waldo</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - As I explained in a previous post (Here), there are some funny programmers in Redmond who like to put some hidden strings. The following sample is from the Windows 2000 Kernel: .text:004054A0 94 7F 00 C0 4F B9 60 EE 66 19 14 06 45 72 69 63 Eric .text:004054B0 46 2E 4E 65 6C </description><link>http://www.secuobs.com/revue/news/14603.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14603.shtml</guid></item>
<item><title>Patchguard 3.0</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - http://www.microsoft.com/technet/security/advisory/932596.mspx Microsoft Security Advisory (932596) Update to Improve Kernel Patch Protection. Published: August 14, 2007. An update is available for Kernel Patch Protection included with x64-based Windows operating systems. Kernel Patch Protection protects code and critical structures in the Windows kernel from modification by unknown code or data. This update adds additional checks to this protection for increased reliability, </description><link>http://www.secuobs.com/revue/news/14602.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14602.shtml</guid></item>
<item><title>Finding Easter Eggs for fun but not for profit :P</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - Only the most skilled ninjas are able to find out easter eggs… Even Alice needed to follow the rabbit to find them… “We are all mad here” hihi. OS Version: Windows 2003 SP1 Checked only. Module: diskdump.sys ; Exported entry 10 ScsiPortGetPhysicalAddress ; SCSI_PHYSICAL_ADDRESS __stdcall ScsiPortGetPhysicalAddress( ; PVOID HwDeviceExtension, ; PSCSI_REQUEST_BLOCK Srb, ; PVOID VirtualAddress, ; ULONG *Length) _ScsiPortGetPhysicalAddress@16: ; CODE XREF: StorPortGetPhysicalAddress(x,x,x,x) </description><link>http://www.secuobs.com/revue/news/14601.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14601.shtml</guid></item>
<item><title>Internship at EADS</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - Most young people spend their whole summer vacation on the beach, but this wasn’t my case this year. But it doesn’t mean that I don’t have fun while working all my summer at EADS with a highly skilled researcher team. I probably met the funniest serpillière of the world. Unfortunately, I don’t have the </description><link>http://www.secuobs.com/revue/news/14600.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14600.shtml</guid></item>
<item><title>Enter sandman…</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - Everyone knows that Dumbledore is homosexual but there is a most important thing you have to know. The PacSec Agenda had been released: http://www.securityfocus.com/archive/1/482602/30/0/threaded Speaker list: http://www.pacsec.jp/speakers.html Talk selections for PacSec 2007 - November 29 and 30 - Aoyama Diamond Hall ——- - Programmed I/O accesses: a threat to virtual machine monitors - Loic Duflot, - Developing Fuzzers with Peach - Michael </description><link>http://www.secuobs.com/revue/news/14599.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14599.shtml</guid></item>
<item><title>Enter Sandman - Japan Pacsec 2007</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - For people who weren’t (or were :) at PacSec last week: Slides of the Sandman lecture can be found in Japanese (PPT) or in English (updated - last version PDF). JP: http://www.msuiche.net/pres/psj07ruffsuiche-jp.pdf EN: http://www.msuiche.net/pres/PacSec07-slides-04.pdf An overview of the hibernation file format is explained and the forensics library we called Sandman is introduced. Sandman status is reachable here: http://sandman.msuiche.net/</description><link>http://www.secuobs.com/revue/news/14598.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14598.shtml</guid></item>
<item><title>Sandman project status</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - Ladies and Gentlemen, Phase 1 (C Library) and Phase 2 (Python) are almost finished. I’ve recently started Phase 3 (Documentation). The first public version of sandman should be released in the following days. You can see here the actual progress of Sandman. Furthermore, SandMan will be released as an open-source (GPLv3) project. But actually, only a 32bits compatibility </description><link>http://www.secuobs.com/revue/news/14597.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14597.shtml</guid></item>
<item><title>SandMan 1.0.080226 is out</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - Since Windows 2000, Microsoft provides a feature called Hibernation (also known as suspend to disk) that aims to save the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the Operating System and aims to be restored by the user the next time the computer is powered </description><link>http://www.secuobs.com/revue/news/14596.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14596.shtml</guid></item>
<item><title>Physical memory access is fashion…</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - These last weeks several proofs of concept were published about physical memory access. The first one (21 February 2008) was from Princeton university who published a very buzzed proof of concept in video. This one allows to read the physical memory in a limited time. The second one was SandMan which is hosted by myself. This one </description><link>http://www.secuobs.com/revue/news/14595.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14595.shtml</guid></item>
<item><title>New attack released - Windows has been vulnerable for 8 years</title><description>Secuobs.com : 2008-03-29 07:27:14 - Matthieu Suiche's blog ! - In November 2007 at PacSec'07, Tokyo, Japan, Nicolas Ruff and I (Matthieu Suiche) presented how to create a readable physical memory dump from the undocumented Microsoft hibernation file. Last month, I published an open-source public version of this project called SandMan Framework. This framework allows manipulating the hibernation file for offensive (malicious) or forensics uses. Today, I </description><link>http://www.secuobs.com/revue/news/14594.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/14594.shtml</guid></item>
</channel>
</rss>
