2011's Blog Archive - A collection of all blog
posts from the year 2011.

Archive 2011

Last modified 2012/12/20 by Flo

Here you will find my posts from 2011, tl;dr.

Demo minifilter driver intercepting IRP_MJ_CREATE

2011/12/26 by Flo

While having some time off duty this winter I started analyzing Microsoft's "heavy duty" passThrough DDK-example driver and tried to build a simple minifilter driver that just checks for IRP_MJ_CREATE in its preoperation callback. The driver determinates the originating/correspondig filename for that IRP-call by using FltGetFileNameInformation. The resulting string will be printed via DbgPrint. You can use DebugView (download at to trace what this demonstration driver is doing.

Download my demo driver here:

PNG-image compression bomb

2011/12/11 by Flo

Just poking around my backups I found a PNG-compression bomb from back in the days. A compression bomb is a "malicious" packed file (e.g. ZIP, PNG, JPG or other media files) designed to crash or DoS a program or system while reading it. Such a bomb was crafted such that while unpacking it requires an enormous amount of time, disk space or memory making your system "busy" while opening/reading it. Compression bombs are usually very small in file size but will extend to max (e.g. up to GB or TBs) while being handled. In short: Such a file needs more resources than the system can handle.

Just have a look on it and watch your memory getting lost by this greedy image :-) USE ON YOUR OWN RISK!!!


Investigating an exploit's API-calls using WinDbg or a Hooking-Engine

2011/11/25 by Flo

In Investigating the new PowerPoint issue Bruce Dang and Jonathan Ness describe how to track down an exploit using windbg.exe and setting breakpoints to well known win32 API-functions.

Bruce and Jonathan just name CreateFile, LoadLibrary, and WinExec, but there are more calls to well known functions often used by exploits and malware I will list up below.

Instead of using WinDbg it is also possible to use some kind of hot-patching sandbox approach that uses inline hot-patching on well known win32 API-functions. Some exploits just quit if they detect a running debugger. In such cases patching the API seems to be a better solution to track the exploit's action. Just hotpatch well known API-functions by using a hooking engine (e.g. Detours or Mini Hook Engine) and replace the original function with a logging dummy that logs the most important parameters of its hooked API-function before calling the original one. For example log the filename and path if LoadLibrary was called, log the filename if CreateFile was used, log the download link passed to URLDownloadToFile etc.

Such hooks can be attached into the target process by using DLL-injection into the vulnerable application (e.g. word processor, document viewer, media player). After injecting such a sandbox open the content you expect containing an exploit and wait until some magic action takes place. Your logging sandbox should monitor the hooked API calls - this information could be used for a follow up analysis.

In general the following win32 APIs might be a good starting point to track malware and/or exploits:

  • CreateProcessW
  • CreateProcessA
  • LoadModule
  • LoadLibraryA
  • LoadLibraryW
  • LoadLibraryEx
  • ShellExecuteA
  • ShellExecuteW
  • InternetConnectA
  • InternetConnectW
  • InternetOpenUrlA
  • InternetOpenUrlW
  • CreateFileA
  • CreateFileW
  • RegCreateKeyExA
  • RegSetValueExA
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread
  • OpenProcessToken
  • CreateProcessAsUser
  • CreateProcessWithLogonW
  • RegOpenCurrentUser
  • RegOpenKey
  • RegOpenKeyEx
  • RegCreateKeyEx
  • RegSetKeyValue
  • RegSetValueEx
  • WinExec
  • URLDownloadToFile
  • HttpOpenRequestA

Kernel-based monitoring on Windows (32/64 bit)

2011/11/23 by Flo

Since malware works fast and quiet there is demand to analyze such programs at some central point. There is nothing as central as the kernel of an operating system. This whitepaper describes how to monitor your Windows-based system by using a minifilter driver intercepting IRP_MJ-Functions in its PreOperation-Callback. By following Microsofts’ recommendation and guidelines for multi platform (e.a. Microsoft Windows versions) compatible driver development, the resulting drivers are so called kernel minifilter drivers that are reliable and compatible with all modern versions of Microsoft's Windows (2000, XP, Server, 7, 8) – including their 64 bit versions.


Web-based ARC4-En/Decryption v0.4

2011/11/22 by Flo

This is just an example of how to integrate base64-coding and ARC4-encryption into a web-site. ARC4 is known to be simple and speedy but has weaknesses that argue against its use in security 'products' nowadays.

Well, I tried to work around the well known issues (for an overview see Wikipedia) by using random one time keys for every encryption and by discarding the first 1024 bytes of ARC4's generated key stream. It is far from perfect, but it is good enough to keep out ordinary rubbernecks.

Have a look on it and try it yourself (feedback is welcome):


Retype password:



Credits and thanks to:

Obfuscating malware in NTFS Additional Data Streams

2011/11/12 by Flo

This is nothing new, but while analyzing some malware I found something stickyicky. The malware I found used NTFS Additional Data Streams (ADS) to obfuscate its autostart in the registry. NTFS allows to save additional data streams (ADS) since Windows NT 3.51. It seemed to me, that the authors used the following technique to hide and obfuscate their malware:

type evil.dll > c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor



I found:

rundll32.exe c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor,WindowsSecureStartup

Well, this is cool; although it will not trick the advanced user ;-)

User Agent ASCII Art

2011/11/11 by Flo

Well, this post is absolute geeky-nerdish nonsense, but it was and is great fun anyway. The following python script lets you leave some ASCII art via the user agent string. Site admins will love it ;-)

import urllib
import urllib2
import re
import time
doit = "true"

def open_url(user_agent):
		request = urllib2.Request("", headers={'cache-control':'no-cache'})
		request.add_header("User-Agent", user_agent)
		opener = urllib2.build_opener()
		f =
		doc =
		f.closewhile (doit=="true"):
		open_url("			Have an awesome day!")

Using Microsoft's Verify and Trust API

2011/10/08 by Flo

This little tool ( is able to verify the embedded signature of a PE file by using the WinVerifyTrust function as described by Microsoft in You can also use the signtool (distributed by the SDK), but in most cases it is not pre-installed on machines running Microsoft Windows.

Will Windows 7 internal firewall in combination with a malware scanner really protect you?!

2011/08/18 by Flo

We all know these shiny promotional brochures of security companies telling us that their products (desktop firewalls and/or malware scanners) will protect us against malware threats. These companies also tell us, that their solutions will use heuristics to detect and prevent us from new and currently unknown threats as well.

Nice to know, but will these products really protect us?

Well, I just want to quickly battle these eligible words and just tried to scan an very old keylogger I have written back in the days during my master thesis. This keylogger was designed really simple; it just uses the Win32-Function GetAsyncKeyState (see within a timer to log user pressed keys. This programm logs these keys for some time and tries to send them to a so called dropper using HTTP-POST over port 80. The basic design of this logger was kept simple, thus the programm was not packed with a EXE/PE-packer, the logger does not use encryption, autostart-options etc. to hide itself. It is just an ordinary Win32-Executable that can even be detected using Windows' TaskManager.

I assumed that such a stupid keylogger should be detected by many malware scanners at the first run. Although if it is a new and unknown "threat" I assumed that the malware scanners' heuristics will fire an alert or even Windows 7's firewall will trigger some alert that an untrusted stranger will connect to the internet.

Guess what happend?!

Nothing! I tried a scan with Microsoft Security Essentials; Result: Nothing found; No malware, no suspicious application. But hey, using GetAsyncKeyState is suspicious and a well known technique to log user entered keys. Sending data over internet (HTTP, port 80) to a server by an untrusted (not digital signed) application is suspicious too. So why isn't there any warning?

I did not capitulate and tried to scan this malware-example-application using the online-scanners jotti and VirusTotal. Well, the result (see jotti.png and virustotal.png) was almost the same :-( Only the scanner of SOPHOS detected this example as suspicious. All the others said, the executable seems to be clean.


Well, if Windows 7's firewall and currently well known malware scanners (as used at jotti and VirusTotal) are not able to detect such an ordinary example of typical malware, how should these tools detect heavily optimized malware that uses DLL-injection, encryption, PE-packers and (userland)-rootkit-technology to protect their malicious code and behavior. I am a little bit concerned about this. Why should I pay around 30 bucks to only protect myself against already (well) known malware and new malware will not be detected?! It is a fact, that most drive-by-downloads are packed with customized malware packages that are most likely new and unknown.

I only install trustable (original) software on my machines. I don't download crapware straight from suspicious web-sites. My provider scans all incoming e-mail for actual known viruses. Well, I think this is enough to be sure not getting infected by already known malware - why using a scanner?! Well, I am an advanced user and sometimes kid myself to handle the risk not using an installed malware-scanner all the time (maybe because I always have cloned images of my machines). If you are an ordinary user I still heavily recommend that you use a malware-scanner - but still keep in mind, that heuristics will not protect you all the time. New malware will most likely not be detected, so what's the real benefit of such tools? I cannot be sure to have a really clean computer at the end of the day. The average user is not able to check his/her system, analyze all running tasks in TaskManager or to check automatically started services or auto-runs in deep. And if malware uses typical techniques to hide itself from detection by manipulating the filesystem, list of running services and processes even an avanced and educated user will not be able to be sure that his/her computer is not infected.
At the end we cannot assume that users deeply check their systems for suspicious processes or behaviors. In some point I expected that my firewall and malware scanner will do the basic job. It seems that this is not the case and even worse, these protection tools can be fooled not only by heavily optimized malware but also by simple designed malware, too.

This is curios folks!

Taking screen-shots with your Android Galaxy mini (GT-S5570)

2011/07/05 by Flo

Fortunately most Android based Samsung smart-phones come with an internal screen-shot capturing feature similar to iPhone. You can take screen-shots of the actual screen without having to root your phone or to install an additional app. Captured screen-shots can be found from Gallery in their own folder named "Screen Capture".

To capture the screen on Android Galaxy mini (GT-S5570):

1. Be sure you are running Froyo on your Samsung Galaxy mini
2. When you are in the specific screen which you desire to take a screenshot just press the button in right bottom and hold it down. While holding the button press the button in the middle. A message will appear telling you that a screenshot was taken.
3. Go in the Gallery app and look out for a folder called "Screen Capture".

A quick hack to "seamless" integrate GPG 2 into your Windows Explorer shell

2011/06/30 by Flo

As you might know, I like tiny installations without the bloat of help files, shiny user interfaces, tray icons, all day running background tasks etc. That's why I started the "quick and dirty"-Project: Integrate GPG into the Windows explorer shell without an overburden GUI etc.

Summarized: This is a quick and dirty shell-extension to integrate GPG 2 into Windows 7 (Vista/XP as well). Just execute the installation script as administrator and you will be able to en- and decrypt files and folders with GPG on the fly using the context-menue with any file or folder.

If you have questions feel free to send me an e-mail, any feedback is appreciated.

You can download the package here:

DOM storage will not be cleared on Android/iOS, if cache was deleted

2011/04/08 by Flo

During some general tests with my stickyget ( on several mobile- and smart-phones I discovered some strange behavior on smart-phones running Android and iOS (both using webkit as their browser engine; Adroid <= 2.2.1, iOS < 4.0), where DOM storage will not be cleared on Android/iOS, if the browser's cache was cleared/deleted.

What is it all about, what happened and how to reproduce the problem?

I used DOM storage to create a so called DOM cookie that detects user visits in a simple manner. In general DOM storage or web storage are web application software methods used for persistent storing user specific data in a web browser's database. Viewed simplistically this is some kind of improved cookie providing much greater storage capacity. However, it differs from the HTTP cookies a bit, because unlike HTTP cookies, which can be accessed by both the server and client side, such DOM cookies can only be accessed by the client (JavaScript). Anayway, JavaScript can transmit such data if the web page was loaded or some other action takes place, so using AJAX technology can of course issue read and write requests.

Well, I used the following script on a simple web page to create a DOM storage cookie, that detects user visits in a simple manner (just see it as a PoC):

now = new Date();
if (window.localStorage['last_visit'] != null) document.getElementById("DOMStorage").innerHTML = "last visit saved with html5 DOM as " + window.localStorage['last_visit'];
window.localStorage['last_visit'] = now.toString();

If you visit a web page using this script, you can track a user with such a cookie even if a user does not accept cookies or deleted all his HTTP cookies. Well, in general this is nothing special because this is DOM storage ;-)

To remove such DOM cookies I assumed that clearing Android's or iOS's browser-cache will also delete the localStorage-Object 'last_visit' of my PoC, i.e. deleting the whole DOM storage and especially this DOM cookie. I cleared the cache and visited the web page again. Unfortunately, the DOM cookie was still alive and could be read (even if I restarted the browser app or rebooted Android/iOS).

I also tried to clear the browser's history, cookies and cache to get rid of the DOM cookie, but no luck. This kind of cookie was still alive, even if I rebooted Android/iOS directly after clearing the complete browsing history. The only way to remove such a cookie was to reset the whole browser settings or by deleting the browser's application cache, but this seems not to be a reliable solution to me.


Well, if a user wishes to clear Android's/iOS's browser cache DOM storage should also be cleared. Currently a web page can track an user, even if she/he clears the browsing cache, cookies and history. In my opinion this should not be possible. Well, this is not a serious (security) issue, but I do not feel comfortable knowing that a web page might track my browsing behavior even if I do not accept HTML cookies and/or clear the browser's cache after surfing around.

If you have questions feel free to send me an e-mail, any feedback is appreciated.

Backup/Cloning a NTFS volume using a Linux Live-System

2011/03/03 by Flo

Well, we all know that we as web- and computer-natives are some kind of nursery children, playing around with our operating systems (Windows XP, Vista or 7) until they are strewn and stuck with all that digital litter we have "collected" over time. In most cases joy is tempered until you have to reinstall Windows straight from scratch after playing around a little while, finding Windows in some state you cannot use it properly anymore (e.g. misconfiguration of the whole box, infected by malware, installed too many apps and software etc.). In such cases a comprehensive backup of a well installed and preconfigurated Windows-box (including all drivers, patches, software you needed at time of creation) seems to be worth one's weight in gold.

In general the solution is really simple: Create a beautiful plain installation of Windows and basic applications you always need and then build a so called image dump of that 'little something'. Having the image you're now in some kind of "god mode" and armed to have fun: You can play around, install and test software of any kind, install, test and analyze malware ... do stuff you should not do ... and! If you are done, just take that lovely image dump, restore it and it's like nothing happend :-)

Well, there are a lot of commercial tools out there to supply your need of an imaging tool. But wait a minute! Why should one spend about 50-100 bucks for something you could get for free? Yepp, for F-R-E-E!

Using one of the current well known Linux-distros you can achieve the same thing by just typing some magic lines into the console. And for my Windows fan boys Linux additionally proves that it is good for something ;-)


Having said this we can now move on. First boot up some Linux Live-System (e.g. try or and fire up a console. Lets assume your target NTFS volume is located at /dev/sda1. It could also be /dev/sda2, /dev/hda1 or /dev/hda2, so make sure that you adjust the lines below fitting your envrionment. Notice: Mount the volume in first instance and check its content to catch the right NTFS volume. Perform the following steps to create a NTFS-image dump out of it and/or to restore one:

Before we build any image make sure you are a super-user by executing
sudo su
Using sfdisk with the -d option we can get a dump of the current partition table in a regular file, and if needed we can restore it from that file:
sfdisk -d /dev/sda1 > sda1.partition (if necessary use --force)
and to restore the partition table:
sfdisk /dev/sda1 < sda1.partition (if necessary use --force)
To backup the boot sector use the dd-utility:
dd if=/dev/sda1 of=sda1.boot bs=512 count=1
To restore the boot sector:
dd if=sda1.boot of=/dev/sda1 bs=1
You might unmount /dev/sda1 before using ntfsclone to perform the following steps. Build a backup image straight from a NTFS-volume into a compressed image file by executing the following line:
ntfsclone --save-image -o - /dev/sda1 | gzip -c > sda1.img.gz
Restore a NTFS volume from a compressed image file:
gunzip -c sda1.img.gz | ntfsclone --restore-image --overwrite /dev/sda1 -
Well that's it. I always wonder why computer magazines spent plenty of time and paper to show up previews of imaging tools and do not even mention that basic image dumps can be created by simply starting up Linux and typing some lines in your console. Well, one might argue that this solution is a bit hacky, but hey: the demonstrated way suits perfectly for SOHO envrionments and it's for free.
Any feedback is appreciated.

Surfing the web "anonymously" with Tor

2011/02/10 by Flo

In some situations you would like to protect your privacy while surfing the web and defend yourself against network surveillance or traffic analysis. One possible solution might be the usage of a web-proxy by changing the proxy-preferences in your browser to one of the well known anonymous web proxy servers or by using a web based approach like Anonymouse (see

Another solution might be the usage of the well known Tor software (see that helps you defend network surveillance that threatens e.g. personal freedom (of speech), your privacy, confidential web activities or traffic analysis. Tor uses a distributed network of so called relays that bounces your communication around (also known as onion routing), so a trace to your original (physical) network-location is hard to gain. The usage of Tor makes it more difficult to trace internet traffic back to you. Well, it is not impossible but it is hard to do so. If you are a "hard believer" in the conspiracy theory I recommend not to use Tor because there are some drawbacks and concerns about Tor anyhow ;-) If you just want to leave some "anonymous" posts in a forum or message board etc., want to stalk around without leaving too many traces, Tor suits just fine for you.

The easiest way to use Tor is by downloading the official Vidalia Bundle/Tor Browser Bundle at If you are aware of using installers and like it a bit cracky hacky (or just simple) you might be interested in checking out my simple 2-go bundle ( that needs no installer and should run out of the box. Just decompress and fire up the polipo and tor startup scripts, change your web browser's proxy settings to and enjoy using Tor :-)

I will try to keep the bundle up to date and serve you with the latest official binaries. Questions, feedback, comments or suggestions are welcome (feel free to contact me).

Update [2011/08/29]

I updated the TOR-executable and added a shortcut to Google-Chrome you can use to simply start an anonymous session of Google Chrome (if installed on your system). It just executes Chrome in proxy and incognito-mode like:

%APPDATA%\..\Local\Google\Chrome\Application\chrome.exe --proxy-server= --incognito.

Additional notes, references: