Valkyrie-X Security Research Lab
VXRL 2009 1
Special Thank You
• Mr. Byoungyoung Lee from PLUS and
who is the mentor/advisor of Valkyrie-X
VXRL 2009 2
• Focus on research and studies on
software/system exploitation, vulnerability
and reverse engineering, penetration test
and crypto problems.
• Activity:We joined CTF and ranked at 68 in
DefCon 17 Prequalifying Round out 230
VXRL 2009 3
– It is the major Green Dam service
– It is for installation and register software key
to the system
– It is responsible for password check and reset
– Commander of XDaemon.exe and gn.exe
– Kick start a number of processes with the
• Xdaemon, gn HTAnalyzer, MPSVCC, HNCENG,
HH, Looklog and LookPic
VXRL 2009 7
• After Green Dam converts the password
using the MD5 algorithm, it saves it in text
format within the kwpwf.dll file located in
the C:WINDOWSsystem32 directory.
When opened using Notepad, if the
content is then replaced with
????????" and saved, the password can
then be restored to the original
"1122??????". VXRL 2009 13
Green Dam – Data File
• Decrypted file content
– Contain keywords for filtering
• The data file naming convention and
filtering classification are exactly the same
as Cybersitter from Solid Oak.
VXRL 2009 15
Green Dam – Monitored Software
• Monitored software
– We could find it from injlib32.dll
– Injlib32.dll is injected to every critical process.
– Handle.dll is to create process/thread to
monitor any messages received from injected
DLL. (as it supports transmitstring).
VXRL 2009 22
Green Dam – Exploitation
• Possible vulnerabilities in Green Dam
– As Green Dam is injected to the browser
process and it cannot handle long URL
– Stack Buffer Overflow is found.
• The exploit is published in Milw0rm.com. It
should be the same
VXRL 2009 26
What is Stack Buffer Overflow?
VXRL 2009 28
How can we exploit?
• We try out input 2048 ‘A’s and submit it as
• We attach OllyDbg to the process of
Internet Explorer named as iexplore.exe
for debugging purpose in runtime.
VXRL 2009 29
• We strongly suggest not installing this
• It gives vulnerability, it is not just filtering
but monitor the use of software and the
content you typing into.
VXRL 2009 33
Thank you for your listening
• Anthony Lai (0xdf)
VXRL 2009 34
• Technical Analysis of Green Dam
• Analysis of Green Dam Censorware System
VXRL 2009 35
• MD5 Decryption
• IDA Pro (Get a free version)
VXRL 2009 36