August 29, 2007

Hello there,

Today I’ve founded a truly intersing tool for Malware Hunting called Malzilla

You can explore the content of suspicious Website, parse links etc. πŸ™‚


See you to the next post


How to Eliminate Orer.exe

August 28, 2007


Orer.exe became active, after the first reboot from infection.

ToΒ  Eliminate orer is necessary to have a copy of explorer.exe

  1. Enter into Task Manager and select New Operation
  2. Type Cmd, to call cmd.exe
  3. Switch to theΒ  external support that contains the original explorer
  4. Copy the original explorer into windows (copy *.* c:\Windows)
  5. Execute original explorer and suddenly power off the Pc
  6. Restart and Eliminate from Temp’s Directory orer.exe

That’s all folks

Hope thi can be useful πŸ™‚

See you to the next post

Something about Firewall hooking and Packet Filtering #2

August 27, 2007


Here the second and last part of my little paper..
First of all, let’s introduce some more specification, to make previous blog entry more clear
The last struct showed, is the _FIREWALL_CONTEXT_T, and as can be seen there is DIRECTION_E that could be a little obscure, so here is reported:

typedef enum _IP_DIRECTION_E {

Represents easly a packet is Receiver or Transmitted.

The return values by the filter-routine can be:

DROP = 1

that are proper of FORWARD_ACTION

As previously said, to implement IP_SET_FIREWALL_HOOK_INFO, it’s necessary to write a filter function for \device\IP, so the pointer (to IP) self can be obtained easly by calling IoGetDeviceObjectPointer( )

Now can be installed the filter function, by passing througout IP’s pointer the address of the filtering function self, with IoBuildDeviceIoControlRequest(IOCTL_IP_SET_FIREWALL_HOOK, IpDeviceObject,…..)
It’s important to say also (according to DDK documentation) that IOCTL_PF_SET_EXTENSION_POINTERregisters filter-hook callback to the IP filter driver, to “make known” \device\IP to reroute every packet received or transmitted, and finally this same IOCTL clears the filter function from IP device. All these specifications could be made, by filling up the proper structure of this IOCTL, that will go to constitute the InputBuffer of IoBuildDeviceIoControlRequest:

PF_SET_EXTENSION_HOOK_INFO, that inside have another struct PacketFilterExtensionPtr which specifies the pointer to the filter hook callback, and when ins FALSE clears the filter.

typedef PF_FORWARD_ACTION (*PacketFilterExtensionPtr)(
IN unsigned char *PacketHeader, //Pointer to Ip header of packet
IN unsigned char *Packet, //Points a buffer with informations in the packet
//that filter-hook receives
IN unsigned int PacketLength , //Length of the packet
IN unsigned int RecvInterfaceIndex,//Index number for the interface adapter (InGoing)
IN unsigned int SendInterfaceIndex,//Index number for the interface adapter (OutGoing)
IN IPAddr RecvLinkNextHop, //IP address for the interface adapter that received the packet
IN IPAddr SendLinkNextHop //IP address for the interface adapter that will transmit the packet

It’s also important to notice that only on filter function per time can be installed, if others resides functions are stil working this one will not work.

See you to the next post! πŸ™‚


August 27, 2007

Today I’ve cleared many problems of my Pentium1-166 with IOBit’s Windows Care Suite,

you can download it for free at IOBit

Spyware Immunizing, Registry Cleaner, System Cleaner and other cool features..

Download also SmartDefrag, little and fast πŸ™‚

See you to the next post!!

Something about Firewall hooking and Packet Filtering

August 26, 2007


Firewall hooking is a task in major part not well documented, MS doesn’t provides a clear and exaustive documentation about structures and development, so the only mode to have more knowledge is the RCE method.

These filter-hooks obviously works only at kernel mode, installing a callback function, and the driver installs a callback into \device\IP (which can be seen with WinObj) but let’s also parse \system32\Drivers

Fortunately, no extreme binary analysis is needed, we can study directly some header file from DDK, and precisely ipfirewall.h, so let’s take a deeper look to this file. Immediately we can see two intersing structs, the first is IPPacketFirewallPtr that works as a callout routine, and the most interesting _IP_SET_FIREWALL_HOOK_INFO
First Struct:

First Struct: typedef FORWARD_ACTION (*IPPacketFirewallPtr)(
VOID **pData, //can be pMdl or pRcvBuf
UINT RecvInterfaceIndex, //Received Data
UINT *pSendInterfaceIndex, //Index where data is sent
UCHAR *pDestinationType, //Can be Local Network, Remote, Broadcast, Multicast.
VOID *pContext, //Points to _FIREWALL_CONTEXT_T
UINT ContextLength, //sizeof(FIREWALL_CONTEXT_T)
struct IPRcvBuf **pRcvBuf

Second Struct:

IPPacketFirewallPtr FirewallPtr; // Packet filter callout.
UINT Priority; // Priority of the hook
BOOLEAN Add; // if TRUE then ADD else DELETE

This is the heart structure necessary to set-up the filter-hook, which can be done by sending a IOCTL to \device\Ip


IP_SET_FIREWALL_HOOK_INFO will be the Input Structure to be filled for the IOCTL.

By observing IPPacketFirewallPtr, we can see _FIREWALL_CONTEXT_T which is:

typedef struct _FIREWALL_CONTEXT_T {
DIRECTION_E Direction;
void *NTE;
void *LinkCtxt;
UINT LContext2;

After installing the filter-hook, can be powered up a set of rules to FORWARD or DROP a packet.

Thanks to Jesus O.

Opening Category

August 25, 2007


just to open this category:

Advanced Driver Debugging (ppt)




Security Reverse Engineering at Low Level

The VMWare Case

August 25, 2007


This morning I’ve started as usual my Virtual XP Sp2 Box, but at win’s StartUp Time,
something went Wrong, a Redundancy Check failed..

 Aug 25 07:45:18: vmx| VMXAIOMGR: Retry on read "D:My Virtual MachinesWindows XP

 ProfessionalWindows XP Professional.vmdk" : Errore nei dati (controllo di ridondanza

 Aug 25 07:45:18: vmx| VMXAIOMGR: system : err=5890 errCode=23 freeSpace=7789461504

 Aug 25 07:45:18: vmx| VMXAIOMGR: "D:My Virtual MachinesWindows XP ProfessionalWindows XP Professional.vmdk" : read s=1382023168 n=65536 ne=16

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[0]=03FBB000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[1]=03FA5000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[2]=03FA7000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[3]=03FA9000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[4]=03FC7000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[5]=04056000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[6]=03EED000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[7]=040F5000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[8]=040F3000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[9]=02D7D000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[10]=040EF000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[11]=03EE5000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[12]=04170000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[13]=02D75000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[14]=02D3A000:4096

 Aug 25 07:45:18: vmx| VMXAIOMGR:             v[15]=03FE7000:4096

It’s clear VMXAIOMGR give us an Error (5890) and error code (23), maybe there is a Minidump..
Indeed you can obtain at every VM crash, in the log we can see the following line:

Aug 25 07:50:03: vmx| CoreDump: Writing minidump to C:\Documents and Settings\Proprietario\Dati applicazioni\VMware\vmware-vmx-944.dmp

.:: The Solution ::.

aiomgr.buffered = “TRUE” (this is always suggested, because many times the I/O manager is overcharged of work πŸ˜‰ )

Sometimes Antivirus Scanners can lock portion portion of file, but no damage is caused to the virtual HD.

But a CRC Error means that the physical hardisk have some damaged cluster so the best solution is to move, in another partition the VM File.

Hope this may help.

See you to the next post

PS: This Post is dedicated to a special person πŸ™‚