Green Dam Analysis Valkyrie-X by Alnthony Lai

•

3 likes•539 views

Charles Mok

Reversing and Exploiting Green Dam by Anthony Lai 賴灼東 2009.07.21

Technology Business

Reversing and
Exploiting
Green Dam
[0xdf]
Valkyrie-X Security Research Lab

VXRL 2009 1

Special Thank You
•  Mr. Byoungyoung Lee from PLUS and
who is the mentor/advisor of Valkyrie-X

VXRL 2009 2

Background
•  Focus on research and studies on
software/system exploitation, vulnerability
and reverse engineering, penetration test
and crypto problems.

•  Activity:We joined CTF and ranked at 68 in
DefCon 17 Prequalifying Round out 230
teams.
VXRL 2009 3

Agenda
•  Reversing a few critical modules in Green
Dam.
•  Exploitation Possibility

VXRL 2009 5

Reversing
•  XNet2.exe
–  It is the major Green Dam service
–  It is for installation and register software key
to the system
–  It is responsible for password check and reset
–  Commander of XDaemon.exe and gn.exe
–  Kick start a number of processes with the
following executables:
•  Xdaemon, gn HTAnalyzer, MPSVCC, HNCENG,
HH, Looklog and LookPic
VXRL 2009 7

Installation
•  Installation – Software Key Registration To
Registry.

9

More Interesting stuff is…

VXRL 2009 10

Installation Password
•  After Green Dam converts the password
using the MD5 algorithm, it saves it in text
format within the kwpwf.dll file located in
the C:WINDOWSsystem32 directory.
When opened using Notepad, if the
content is then replaced with
"D0970714757783E6CF17????????????
????????" and saved, the password can
then be restored to the original
"1122??????". VXRL 2009 13

Green Dam – Data File
•  Decrypted file content
–  Contain keywords for filtering
•  The data file naming convention and
filtering classification are exactly the same
as Cybersitter from Solid Oak.

VXRL 2009 15

Green Dam – Connected IPs
•  Connected IPs
–  Connected to ISP in USA?
–  Connected to NIST’s time server?

VXRL 2009 18

Green Dam – Monitored Software
•  Monitored software
–  We could find it from injlib32.dll
–  Injlib32.dll is injected to every critical process.
–  Handle.dll is to create process/thread to
monitor any messages received from injected
DLL. (as it supports transmitstring).
Handler.dll Injlib32.dll

Notepad.exe
VXRL 2009 22

Green Dam – Exploitation
•  Possible vulnerabilities in Green Dam
version 3.1.7
–  As Green Dam is injected to the browser
process and it cannot handle long URL
–  Stack Buffer Overflow is found.
•  The exploit is published in Milw0rm.com. It
should be the same

VXRL 2009 26

What is Stack Buffer Overflow?

VXRL 2009 27

What is Stack Buffer Overflow?
(from Wikipedia.org)

VXRL 2009 28

How can we exploit?
•  We try out input 2048 ‘A’s and submit it as
an URL.
•  We attach OllyDbg to the process of
Internet Explorer named as iexplore.exe
for debugging purpose in runtime.

VXRL 2009 29

Exploitation Summary
•  Successfully overwritten with our input.
•  Deploying shellcode will be our next
mission.
•  No patch is provided 

VXRL 2009 31

Conclusion
•  We strongly suggest not installing this
software.
•  It gives vulnerability, it is not just filtering
but monitor the use of software and the
content you typing into.

VXRL 2009 33

Thank you for your listening
•  Anthony Lai (0xdf)
•  0xdarkfloyd@gmail.com

VXRL 2009 34

Reference
•  Technical Analysis of Green Dam
–  http://wikileaks.org/wiki/
A_technical_analysis_of_the_Chinese_'Green_Dam_Youth-
Escort'_censorship_software
•  Analysis of Green Dam Censorware System
–  http://www.cse.umich.edu/~jhalderm/pub/gd/

VXRL 2009 35

Tools
•  MD5 Decryption
–  http://www.md5decrypter.com/
•  IDA Pro (Get a free version)
–  http://www.hex-rays.com/idapro/
–  http://www.amazon.com/exec/obidos/ASIN/1593271786/
datarescuesanv

VXRL 2009 36

What's hot

Mirko Damiani - An Embedded soft real time distributed system in Go

linuxlab_conf

In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network. Therefore, we conducted investigation on attackers' C2 servers and malware to gain insight into their actives. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infection spread laterally. Also, even in different campaigns with different malware deployed, many common tools were used by attackers. Taking advantage of the similarity, we figured that tracking these tools is effective in understanding lateral movements. In Windows PCs, which are the main target of APT attacks, certain

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...

CODE BLUE

Avast CTO Ondrej Vlček breaks down the sophisticated CCleaner supply-chain malware attack, providing new unpublished findings about the unique stealth, steganography and exfiltration techniques used by the attackers. Avast will dissect the malicious payload, inner workings of the CnC server environment, and analyze how the attack went unnoticed by the global security industry—for almost a month. Learning Objectives: 1: Experience a “technical” lens to a real industry attack. 2: Learn the inner workings of the attack and new, previously unpublished findings. 3: Learn about in-depth CnC server environment and various exfiltration techniques. (Source: RSA Conference USA 2018)

CCleaner APT Attack: A Technical Look Inside

Priyanka Aash

Intel trusted execution environment, SGX, offers an attractive solution for protecting one's private data in the public cloud environment, even in the presence of a malicious OS or VMM. In this talk, we will: * explore how SGX mitigates various attack surfaces and the caveats of naively using the technology to protect applications, * discuss the performance implications of SGX on common applications and understand the new bottlenecks created by SGX, which may lead to a 5X performance degradation. * describe an optimized SGX interface, HotCalls, that provides a 13-27x speedup compared to the built-in mechanism supplied by the SGX SDK. * discuss how it is possible for the OS to manage secure memory without having access to it. * explore various attack surfaces and published attacks which require collusion with the OS. Specifically, page-fault and page-fault-less “controlled channel attacks”, branch-shadowing attacks and potential mitigations. Ofir Weisse is a Researcher PhD Student at University of Michigan. Video available at: https://www.youtube.com/watch?v=I3TCctdnOEc

SGX Trusted Execution Environment

Kernel TLV

Do you ever wonder what the kernel is doing while your code is running? This talk will explore some methodologies and techniques (eBPF, ftrace, etc.) to look under the hood of the Linux kernel and understand what it’s actually doing behind the scenes. This talk explores methodologies that allow to take a look “live” at kernel internal operations, from a network perspective, to I/O paths, CPU usage, memory allocations, etc., using in-kernel technologies, like eBPF and ftrace. Understanding such kernel internals can be really helpful to track down performance bottlenecks, debug system failures and it can be also a very effective way to approach to kernel development.

Andrea Righi - Spying on the Linux kernel for fun and profit

linuxlab_conf

Karen Easterbrook, Microsoft Brian LaMacchia, Microsoft Quantum computers may be 10 years away, but well-funded adversaries are already preparing for their arrival. Even if they can’t read high-value encrypted traffic today, they are recording and storing for when they can decrypt it in the future. If your secrets need to be protected for more than 10 years, you need to take action now. In this talk, we will explore how sufficiently large quantum computers will catastrophically break all public-key cryptography commonly used today, the overall scope of this threat, and the steps underway to develop and deploy quantum-resistant replacement algorithms and security protocols. We will introduce the code and tools that you can use today to fend off these future advanced threats.

BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...

BlueHat Security Conference

Csw2017 bazhaniuk exploring_yoursystemdeeper_updated

CanSecWest

MNSEC 2018 - Windows forensics

MNCERT

Malware analysis using volatility

Yashashree Gund

С переходом на новую версию интернет-протокола (IPv6) изменились и правила игры «Сетевая разведка»: использовать метод перебора адресов, как в случае с IPv4, не представляется возможным, так как на каждую подсеть приходится 264 адреса. На мастер-классе вы узнаете о новейших технологиях в области исследования сетей IPv6, описанных в RFC 7707. Вашему вниманию будет представлен интенсивный мастер-класс, посвященный отработке методов исследования и взлома сетей IPv6.

Разведка в сетях IPv6

Positive Hack Days

Automated Malware Analysis and Cyber Security Intelligence

Jason Choi

Hardware virtualization technologies play a significant role in cyber security. On the one hand these technologies enhance security levels, by designing a trusted operating system. On the other hand these technologies can be taken up into modern malware which is rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self uninstalling, memory hiding etc. New hypervisor detection methods which will be described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on the new statistical analysis of time discrepancies by examination of a set of instructions, which are unconditionally intercepted by a hypervisor. Reliability was achieved through the comprehensive analysis of the collected data despite its fluctuation. These offered methods were comprehensively assessed in both Intel and AMD CPUs.

Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...

Igor Korkin

CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security

CanSecWest

amrapali builders @@ hacking challenges.pdf

amrapalibuildersreviews

The Linux kernel has a rich and modular cryptographic API that is used extensively by familiar user facing software such as Android. It's also cryptic, badly documented, subject to change and can easily bite you in unexpected and painful ways. This talk will describe the crypto API, provide some usage example and discuss some of the more interesting in-kernel users, such as DM-Crypt, DM-Verity and the new fie system encryption code. Gilad Ben-Yossef is a principal software engineer at ARM. He works on the kernel security sub-system and the ARM CryptCell engine. Open source work done by Gilad includes an experiment in integration of network processors in the networking stack, a patch set for reducing the interference caused to user space processes in large multi-core systems by Linux kernel “maintenance” work and on SMP support for the Synopsys Arc processor among others. Gilad has co-authored O’Reilly’s “Building Embedded Linux Systems” 2nd edition and presented at such venues as Embedded Linux Conference Europe and the Ottawa Linux Symposium, as well as co-founded Hamakor, an Israeli NGO for the advancement for Open Source and Free Software in Israel. When not hacking on kernel code you can find Gilad meditating and making dad jokes on Twitter.

Linux Kernel Cryptographic API and Use Cases

Kernel TLV

Next Generation Memory Forensics

Andrew Case

What's hot (16)

Mirko Damiani - An Embedded soft real time distributed system in Go

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...

CCleaner APT Attack: A Technical Look Inside

SGX Trusted Execution Environment

Andrea Righi - Spying on the Linux kernel for fun and profit

BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...

Csw2017 bazhaniuk exploring_yoursystemdeeper_updated

MNSEC 2018 - Windows forensics

Malware analysis using volatility

Разведка в сетях IPv6

Automated Malware Analysis and Cyber Security Intelligence

Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...

CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security

amrapali builders @@ hacking challenges.pdf

Linux Kernel Cryptographic API and Use Cases

Next Generation Memory Forensics

Viewers also liked

PDPO legislation

Charles Mok

流動保安

Charles Mok

Great CIO Debate 2011

Hkim innovation 2011

網絡暴力和性別平等

Cybercrime in hk

Pan-Democrat CE Primary E-voting System

Charles Mok

Future Challenges for Media Literacy

Charles Mok

Viewers also liked (8)

PDPO legislation

流動保安

Great CIO Debate 2011

Hkim innovation 2011

網絡暴力和性別平等

Cybercrime in hk

Pan-Democrat CE Primary E-voting System

Future Challenges for Media Literacy

Similar to Green Dam Analysis Valkyrie-X by Alnthony Lai

OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar

Santhosh Kumar

Malware Detection With Multiple Features

Muhammad Najmi Ahmad Zabidi

how-to-bypass-AM-PPL

nitinscribd

Pursuing evasive custom command & control - GuideM

Mark Secretario

From ATT&CKcon 3.0 By Jared Stroud, Lacework Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.

ATT&CKING Containers in The Cloud

MITRE ATT&CK

In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

enSilo

"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others. In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures." (Source: Black Hat USA 2016, Las Vegas)

Piratng Avs to bypass exploit mitigation

Priyanka Aash

I got 99 trends and a # is all of them

Roberto Suggi Liverani

SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)

Security Bootcamp

Rapid Android Application Security Testing

Nutan Kumar Panda

2017 03-10 - vu amsterdam - testing safety critical systems

Jaap van Ekris

2015 05-07 - vu amsterdam - testing safety critical systems

Jaap van Ekris

L'infrastruttura come codice e le applicazioni cloud-native consentono di raggiungere livelli senza precedenti di efficienza e governance dei nostri servizi cloud, rendendoci capaci di creare infrastrutture immutabili e ripetibili, di poterci operare come se fossero applicazioni quindi versionando il codice, qa e test automatici e procedure di rilascio automatiche verso gli ambienti di destinazione. Più inseriamo codice nelle nostre infrastrutture, più estendiamo la superficie di attacco. In questo talk, esaminerò gli attacchi alla catena di approvvigionamento a diversi livelli, come rilevarli e le tecniche per mitigarli e come scrivere codice IaC più sicuro.

Deep dive nella supply chain della nostra infrastruttura cloud

sparkfabrik

Civil engineers build structures to last. Aerospace engineers build airplanes for the long haul. Automotive engineers build cars to last. How about software engineers? Not all of software needs to be engineered for long-life, but in some systems the predicted market span dictates we plan for the future. How can we do this, given the uncertainties in the technology industry? What can we learn from the past? How can we take informed bets on technologies and plan for change? This session will cover some of the important technical considerations to make when thinking about the long term.

Long Life Software

Mike Long

Dll injection

KarlFrank99

Droidcon it-2014-marco-grassi-viaforensics

viaForensics

Data centers move exabytes of data through their networks. This explosive growth in network traffic has put demands on data centers to adapt and add new technologies and standards to keep pace and make information easily accessible. Our personal information, company IP assets and sensitive data run across these networks that are constantly under persistent and malicious cyber attacks to look for vulnerabilities in their networks. IT security teams have to protect complex networks that are growing in size and complexity. They call for a new approach to gaining full – rather than partial – visibility into network behavior to stop downtime losses and data leaks. By providing 1 to 1 NetFlow generation then collecting the data and analyzing the flow records is essential in time-to-resolution (TTR). To help you take full advantage of valuable NetFlow data for use in network security management, Emulex and Lancope have created a best-in-class network and security solution that allows you to quickly and continuously monitor the makeup of the traffic traversing your network. In this webinar, we’ll explore why network security management is crucial in managing functionality and visibility of an organization’s network infrastructure and how Emulex helps address these deployment requirements. We'll also explore what matters most when network security is breached, and share some best practice insights gleaned from working with customers that run some of the largest and most critical data networks on the planet.

Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Emulex Corporation

NTTドコモ様導入事例 OpenStack Summit 2015 Tokyo 講演「After One year of OpenStack Cloud...

VirtualTech Japan Inc.

Functional and Behavioral Analysis of Different Type of Ransomware.pptx

tarkovtarkovski

Top 5 benefits of docker

John Zaccone

Similar to Green Dam Analysis Valkyrie-X by Alnthony Lai (20)

OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar

Malware Detection With Multiple Features

how-to-bypass-AM-PPL

Pursuing evasive custom command & control - GuideM

ATT&CKING Containers in The Cloud

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

Piratng Avs to bypass exploit mitigation

I got 99 trends and a # is all of them

SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)

Rapid Android Application Security Testing

2017 03-10 - vu amsterdam - testing safety critical systems

2015 05-07 - vu amsterdam - testing safety critical systems

Deep dive nella supply chain della nostra infrastruttura cloud

Long Life Software

Dll injection

Droidcon it-2014-marco-grassi-viaforensics

Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

NTTドコモ様導入事例 OpenStack Summit 2015 Tokyo 講演「After One year of OpenStack Cloud...

Functional and Behavioral Analysis of Different Type of Ransomware.pptx

Top 5 benefits of docker

Recently uploaded

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Delhi Call girls

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

In an era where artificial intelligence (AI) stands at the forefront of business innovation, Information Architecture (IA) is at the core of functionality. See “There’s No AI Without IA” – (from 2016 but even more relevant today) Understanding and leveraging how Information Architecture (IA) supports AI synergies between knowledge engineering and prompt engineering is critical for senior leaders looking to successfully deploy AI for internal and externally facing knowledge processes. This webinar be a high-level overview of the methodologies that can elevate AI-driven knowledge processes supporting both employees and customers. Core Insights Include: Strategic Knowledge Engineering: Delve into how structuring AI's knowledge base is required to prevent hallucinations, enable contextual retrieval of accurate information. This will include discussion of gold standard libraries of use cases support testing various LLMs and structures and configurations of knowledge base. Precision in Prompt Engineering: Learn the art of crafting prompts that direct AI to deliver targeted, relevant responses, thereby optimizing customer experiences and business outcomes. Unified Approach for Enhanced AI Performance: Explore the intersection of knowledge and prompt engineering to develop AI systems that are not only more responsive but also aligned with overarching business strategies. Guiding Principles for Implementation: Equip yourself with best practices, ethical guidelines, and strategic considerations for embedding these technologies into your business ecosystem effectively. This webinar is designed to empower business and technology leaders with the knowledge to harness the full potential of AI, ensuring their organizations not only keep pace with digital transformation but lead the charge. Join us to map a roadmap to fully leverage Information Architecture (IA) and AI chart a course towards a future where AI is a key pillar of strategic innovation and business success.

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Earley Information Science

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

CNv6 Instructor Chapter 6 Quality of Service

giselly40

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Histor y of HAM Radio presentation slide

vu2urc

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Partners Life - Insurer Innovation Award 2024

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Boost PC performance: How more available memory can improve productivity

A Domino Admins Adventures (Engage 2024)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

CNv6 Instructor Chapter 6 Quality of Service

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Boost Fertility New Invention Ups Success Rates.pdf

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Axa Assurance Maroc - Insurer Innovation Award 2024

presentation ICT roal in 21st century education

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Tech Trends Report 2024 Future Today Institute.pdf

Exploring the Future Potential of AI-Enabled Smartphone Processors

GenCyber Cyber Security Day Presentation

How to Troubleshoot Apps for the Modern Connected Worker

Histor y of HAM Radio presentation slide

Green Dam Analysis Valkyrie-X by Alnthony Lai

1. Reversing and Exploiting Green Dam [0xdf] Valkyrie-X Security Research Lab VXRL 2009 1

2. Special Thank You •  Mr. Byoungyoung Lee from PLUS and who is the mentor/advisor of Valkyrie-X VXRL 2009 2

3. Background •  Focus on research and studies on software/system exploitation, vulnerability and reverse engineering, penetration test and crypto problems. •  Activity:We joined CTF and ranked at 68 in DefCon 17 Prequalifying Round out 230 teams. VXRL 2009 3

4. 4

5. Agenda •  Reversing a few critical modules in Green Dam. •  Exploitation Possibility VXRL 2009 5

6. Let us start  VXRL 2009 6

7. Reversing •  XNet2.exe –  It is the major Green Dam service –  It is for installation and register software key to the system –  It is responsible for password check and reset –  Commander of XDaemon.exe and gn.exe –  Kick start a number of processes with the following executables: •  Xdaemon, gn HTAnalyzer, MPSVCC, HNCENG, HH, Looklog and LookPic VXRL 2009 7

8. Prepare and set up processes 8

9. Installation •  Installation – Software Key Registration To Registry. 9

10. More Interesting stuff is… VXRL 2009 10

11. 11

12. Prepare a list of processes 12

13. Installation Password •  After Green Dam converts the password using the MD5 algorithm, it saves it in text format within the kwpwf.dll file located in the C:WINDOWSsystem32 directory. When opened using Notepad, if the content is then replaced with "D0970714757783E6CF17???????????? ????????" and saved, the password can then be restored to the original "1122??????". VXRL 2009 13

14. Easy Password VXRL 2009 14

15. Green Dam – Data File •  Decrypted file content –  Contain keywords for filtering •  The data file naming convention and filtering classification are exactly the same as Cybersitter from Solid Oak. VXRL 2009 15

16. Green Dam – Data File 16

17. VXRL 2009 17

18. Green Dam – Connected IPs •  Connected IPs –  Connected to ISP in USA? –  Connected to NIST’s time server? VXRL 2009 18

19. VXRL 2009 19

20. 20

21. VXRL 2009 21

22. Green Dam – Monitored Software •  Monitored software –  We could find it from injlib32.dll –  Injlib32.dll is injected to every critical process. –  Handle.dll is to create process/thread to monitor any messages received from injected DLL. (as it supports transmitstring). Handler.dll Injlib32.dll Notepad.exe VXRL 2009 22

23. 23

24. 24

25. 25

26. Green Dam – Exploitation •  Possible vulnerabilities in Green Dam version 3.1.7 –  As Green Dam is injected to the browser process and it cannot handle long URL –  Stack Buffer Overflow is found. •  The exploit is published in Milw0rm.com. It should be the same VXRL 2009 26

27. What is Stack Buffer Overflow? VXRL 2009 27

28. What is Stack Buffer Overflow? (from Wikipedia.org) VXRL 2009 28

29. How can we exploit? •  We try out input 2048 ‘A’s and submit it as an URL. •  We attach OllyDbg to the process of Internet Explorer named as iexplore.exe for debugging purpose in runtime. VXRL 2009 29

30. Demo VXRL 2009 30

31. Exploitation Summary •  Successfully overwritten with our input. •  Deploying shellcode will be our next mission. •  No patch is provided  VXRL 2009 31

32. Our Conclusion VXRL 2009 32

33. Conclusion •  We strongly suggest not installing this software. •  It gives vulnerability, it is not just filtering but monitor the use of software and the content you typing into. VXRL 2009 33

34. Thank you for your listening •  Anthony Lai (0xdf) •  0xdarkfloyd@gmail.com VXRL 2009 34

35. Reference •  Technical Analysis of Green Dam –  http://wikileaks.org/wiki/ A_technical_analysis_of_the_Chinese_'Green_Dam_Youth- Escort'_censorship_software •  Analysis of Green Dam Censorware System –  http://www.cse.umich.edu/~jhalderm/pub/gd/ VXRL 2009 35

36. Tools •  MD5 Decryption –  http://www.md5decrypter.com/ •  IDA Pro (Get a free version) –  http://www.hex-rays.com/idapro/ –  http://www.amazon.com/exec/obidos/ASIN/1593271786/ datarescuesanv VXRL 2009 36

Green Dam Analysis Valkyrie-X by Alnthony Lai

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Viewers also liked

Viewers also liked (8)

Similar to Green Dam Analysis Valkyrie-X by Alnthony Lai

Similar to Green Dam Analysis Valkyrie-X by Alnthony Lai (20)

More from Charles Mok

More from Charles Mok (20)

Recently uploaded

Recently uploaded (20)

Green Dam Analysis Valkyrie-X by Alnthony Lai