On USB Driver #2

October 31, 2007


In the previous post, we talked about the General USB Architecture, that as you have seen is not easy and Highly Hierarchical, you can read that as highly Layerized.

Before talking about the foundamentals of USB Coding, is important to spent some words about Usb Protocols (not deeply handled in the previous post).

USB protocols are different from the other common interfaces, are highly layerized, but we will work only with High Level Layers, Low Level are controlled by USB Controller.

Each USB Transaction consists of a:

  • Token Packet (Header defining what it expects to follow)
  • Optional Data Packet, (Containing the payload)
  • Status Packet (Used to acknowledge transactions and to provide a means of error correction)

The first packet ( Token Packet ) is generated by the Host Controller and will cointain vital informations about the data transaction such as Device Address, Endpoints. Second packet strictly linked to the first, cointains the Payload and is called Data Packet, and finally a Status Packet is sent, works as an Handshaking Packet.

.:: Anatomy of an USB Packet ::.

USB’s data is formatted in LSB, and foundamentally USB packet is consist of various fields:

  • SYNC (All packets must start with a sync field. The sync field is 8 bits long at low and full speed or 32 bits long for igh speed and is used to synchronise the clock of the receiver with that of the transmitter. The last two bits indicatehere the PID fields starts.)
  • PID (his field is used to identify the type of packet that is being sent), Values of PID can identify 4 kind of packets: Token, Data, Handshake, Special.
  • ADDR (The address field specifies which device the packet is designated for. Being 7 bits in length allows for 127 devices to be supported. Address 0 is not valid, as any device which is not yet assigned an address must respond to packets sent to address zero.)
  • ENDP ( The Endpoint, already defined in the previous post)
  • CRC ( A classical Anti Corruption Check)
  • EOP (End Of Packet)

This is the basical composition of an USB Packet, and as said 4 types of packets, each packet have more kind of Sub-Packets:

  • Token Packets
    • In
    • Out
    • Setup
  • Data Packets
    • Data0
    • Data1
  • Handshake Packets
    • ACK
    • NAK
    • STALL
  • Start of Frame Packets (often called SOF Packet)

As you have seen, USB protocol is complicated to code directly, but fortunately we have a series of Functions that manages from low level to transation level, and only things we need to know are the error codes. Each function will have a series of buffers, typically 8 bytes long, each buffer will belong to an endpoint – EPx In, EPx

Out (we have the following numeration EP0 In/Out, EP1 In/Out, etc) , these Endpoints can be described as sources or

sinks of data, so if we send a packet to our EP1 device we will deal with EP1 In and EP1 Out. In all cases we have to ensure the support for EP0, because it receives all foundamental data about Device Control/Status.

Effective data transfer is done by Pipes, that are Logical Connections between Host and Endpoints and have some Control Parameters as Bandwidth Allocation, Transfer Type.

We can have two kind of pipes:

  • Stream Pipes: Can be sent any type of data down a stream pipe and can retrieve the data out the other end, and can support Bulk, Isochronous and Interrupt Transfer Types.
  • Message Pipes: Data is transferred in the desired direction, and is a Bidirectional Channel.

Here finishes the Architectural part, in the next part we will talk about USB Coding, and finally about Usb Forensics..

Many thanks goes to BeyondLogic Corp. for the great USB’s Arch Summary.

See you to the next post.. πŸ™‚

On USB Driver #1

October 21, 2007


USB Driver Coding is considered out of here something of really mystic, and too many speculations to help developers has been done, someone implemented also his own USB Development Kit, causing a lot of confusion, I’ll try to explain how to move in the USB field πŸ˜‰
Here a rapid explaination of USB Architecture:

Starting out new with USB can be quite daunting, USB 2.0 documentation is 650 pages long, full of ssociated

standards as USB Class Standards such as HID Class Specifications (Human Interface Devices), and unlike RS-232 USB protocol is made up of several layers of protocols.

USB specification defines four transfer/endpoint types:

  • Control Transfers (typically used for command and status operations)
  • Interrupt Transfers (as each microcontroller, Interrupt transfers are typically non-periodic, small device initiated” communication requiring bounded latency)
  • Isochronous Transfers (sochronous transfers occur continuously and periodically. They typically contain time sensitive information, such as an audio or video stream. If there were a delay or retry of data in an audio stream)
  • Bulk Transfers (Bulk transfers can be used for large bursty data, as for printers, scanners)

All USB devices have a hierarchy of descriptors which describe to the host information such as what the device is, who makes it, what version of USB it supports, most common USB Descriptors, are:

  • Device Descriptors (The device descriptor, specifies some basic, important informations such as the supported USB version, maximum packet size, vendor and product IDs)
  • Configuration Descriptors (USB Supports different configurations although the majority of devices are simple and only have one, this descriptor specifies how the device is powered, what the maximum power consumption is, thenumber of interfaces it has)
  • Interface Descriptors (The interface descriptor could be seen as a header or grouping of the endpoints into a functional group performing a single feature of the device)
  • Endpoint Descriptors (Endpoint descriptors are used to describe endpoints other than endpoint zero)
  • String Descriptors (String descriptors provide human readable information and are optional)

Every USB device must respond to Setup Packets on the default pipe. The setup packets are used for detection and configuration of the device and carry out common functions such as setting the USB device’s address, requesting a device descriptor or checking the status of a endpoint.

Enumeration is the process of determining what device has just been connected to the bus and what parameters it requires such as power consumption, number and type of endpoint(s), class of product etc. The host will then assign the device an address and enable a configuration allowing the device to transfer data on the bus.

As you can see, USB driver coding is not so easy, is necessary to know:

  • General USB driver issues
  • USB Interrupt handling
  • Read, write, and IO control operations
  • General power management issues
  • Device suspend and wakeup

Obviously the only best way to write a good usb driver is to use WDF and KMDF, here some good link:






See you to the next post.. πŸ™‚

BouncyCastle C# DiffieHelman

October 20, 2007


I’ve done some experiments with DiffieHelman Basic Agreement, code is written in C# using as Crypto Framework

Org.BouncyCastle.Crypto.Agreement.DHBasicAgreement DHB = new Org.BouncyCastle.Crypto.Agreement.DHBasicAgreement();

BigInteger g = new BigInteger(“153d5d6172adb43045b68ae8e1de1070b6137005686d29d3d73a7749199681ee5b212c9b96bfdcfa5b20cd5e3fd2044895d609cf9b410b7a0f12ca1cb9a428cc”, 16);
BigInteger p = new BigInteger(“9494fec095f3b85ee286542b3836fc81a5dd0a0349b4c239dd38744d488cf8e31db8bcb7d33b41abb9e5a33cca9144b1cef332c94bf0573bf047a3aca98cdf3b”, 16);

DHParameters dhParams = new DHParameters(p,g);
DHKeyGenerationParameters dhkParam = new DHKeyGenerationParameters(new SecureRandom(),dhParams);
DHKeyPairGenerator kpGen = new DHKeyPairGenerator();


AsymmetricCipherKeyPair pair = kpGen.GenerateKeyPair();

//First Pair

DHPublicKeyParameters pub1 = (DHPublicKeyParameters) pair.Public;
DHPrivateKeyParameters pvt1 = (DHPrivateKeyParameters)pair.Private;

textBox1.Text = pvt1.X.ToString();
textBox2.Text = pub1.Y.ToString();

// Second KeyPair Generation

DHPublicKeyParameters pub2 = (DHPublicKeyParameters)pair.Public;
DHPrivateKeyParameters pvt2 = (DHPrivateKeyParameters)pair.Private;

DHBasicAgreement e1 = new DHBasicAgreement();
DHBasicAgreement e2 = new DHBasicAgreement();


BigInteger k1 = e1.CalculateAgreement(pub2);
BigInteger k2 = e2.CalculateAgreement(pub1);

if (!k1.Equals(k2))
MessageBox.Show(“Bit 2-way test FAILED”, “Error”, MessageBoxButtons.OK, MessageBoxIcon.Error);
MessageBox.Show(“Test PASSED”, “Error”, MessageBoxButtons.OK, MessageBoxIcon.Error);

See you to the next post! πŸ™‚

The Day Is Finished

October 15, 2007

Finally the day is finished, and the Dark came with is Deadly Silence…

Good Night Darkness

[Malware] Reversing Trojan-PSW.Win32.OnLineGames.eos #1

October 15, 2007


Win32.OnLineGames is a very spreaded virus, that can be founded in many spam/Online Games WebSites, is not a dangerous virus but for OnlineGames can be a problem.

Win32.OnLineGames is a PSW Trojan, which works as Password Stealer, specifically written to rip online gaming passwords.

00401314                 add     eax, esi
00401316                 lea     eax, ds:401442h
0040131C                 jmp     eax ;00401442

At the entry point, code flow jumps to 00401442

00401442                 push    ebp
00401443                 mov     ebp, esp
00401445                 sub     esp, 52Ch
0040144B                 call    ds:GetCurrentThreadId
00401451                 push    eax
00401452                 call    ds:GetThreadDesktop
00401458                 test    eax, eax
0040145A                 jnz     short loc_40145D
0040145D                 push    ebx
0040145E                 push    esi
0040145F                 push    edi
00401460                 mov     edi, offset aCzxsderdaksiic ; "CZXSDERDAKSIICS_MX"
00401465                 xor     esi, esi
00401467                 push    edi ; String
00401468                 push    esi ; NULL
00401469                 push    EVENT_ALL_ACCESS
0040146E                 call    ds:OpenEventA

Obtains the handle to the desktop associated to the executable itself and opens the handle of an existing event called CZXSDERDAKSIICS_MX, if event exists its own handle is closed, else a new event (called CZXSDERDAKSIICS_MX9 is created with standard SecurityAttributes.

00401486                 mov     [ebp-10h], eax
00401489                 mov     edi, offset off_401154 ;Edi points to an array of strings,
 that are a list of executables
0040148E                 mov     ecx, [edi]
00401490                 call    sub_401798 ;Check if the searched process is running
00401495                 cmp     eax, esi
00401497                 jz      short loc_4014B2 ; If no, go to the next process
00401499                 push    eax
0040149A                 push    esi
0040149B                 push    1F0FFFh
004014A0                 call    ds:OpenProcess
004014A6                 cmp     eax, esi
004014A8                 jz      short loc_4014B2
004014AA                 push    esi
004014AB                 push    eax
004014AC                 call    ds:TerminateProcess
004014B2                 add     edi, 4
004014B5                 cmp     edi, offset dword_40115C ;Next process to search
004014BB                 jl      short loc_40148E
004014BD                 call    sub_40131E ;AdjustTokenPrivilege

The searched executables: Twister.exe, FilMsg.exe

0040151B                 call    ds:GetSystemDirectoryA
 00401521                 mov     edx, offset asc_401204 ; "\\"
 00401526                 lea     ecx, [ebp-11Ch] ;points to the System Directory
 0040152C                 call    sub_40174A
 00401531                 lea     edx, [ebp-11Ch]
 00401537                 lea     ecx, [ebp-428h]
 0040153D                 call    sub_40176F
 00401542                 push    esi
 00401543                 call    ds:GetModuleHandleA
 00401549                 push    offset aMndll   ; "MNDLL"
 0040154E                 push    65h
 00401550                 push    eax
 00401551                 mov     [ebp+8], eax
 00401554                 call    ds:FindResourceA
 0040155A                 push    eax                       ;00402048
 0040155B                 mov     [ebp-4], eax
 0040155E                 push    dword ptr [ebp+8]
 00401561                 call    ds:SizeofResource
 00401567                 push    dword ptr [ebp-4]
 0040156A                 mov     [ebp-18h], eax
 0040156D                 push    dword ptr [ebp+8]
 00401570                 call    ds:LoadResource
 00401576                 push    eax                   ;00402070
 00401577                 call    ds:LockResource
 0040157D                 cmp     eax, esi
 0040157F                 mov     [ebp-4], eax
 00401582                 jnz     short loc_40158E
 00401584                 push    dword ptr [ebp-10h]
 00401587                 call    edi ; CloseHandle
 00401589                 jmp     loc_4016C6

The code here is clear, after enstablishing the System Directory, searches for a Resource type “MNDLL” and next loads it, the LoadResource give us an intersing location 00402070, that’s an executable image, exploring this executable we can see some intersing strings hxxp://www.poptang.com/ekey.Bind ConfigAreaName game.ini

004015A6                 add     esp, 0Ch
 004015A9                 lea     edx, [ebp-428h]
 004015AF                 lea     ecx, [ebp-11Ch]
 004015B5                 call    ScansFor ;call    sub_40176F (searches for csavpw0.dll)
 004015BA                 lea     edx, [ebp-324h] ; SystemDirectory
 004015C0                 lea     ecx, [ebp-11Ch] ; csavpw0.dll
 004015C6                 call    sub_40174A
 004015CB                 lea     eax, [ebp-11Ch]
 004015D1                 push    eax
 004015D2                 call    ds:DeleteFileA
 004015D8                 push    esi
 004015D9                 push    80h
 004015DE                 push    2
 004015E0                 push    esi
 004015E1                 push    esi
 004015E2                 lea     eax, [ebp-11Ch]
 004015E8                 push    40000000h
 004015ED                 push    eax
 004015EE                 call    ds:CreateFileA
 004015F4                 cmp     eax, 0FFFFFFFFh
 004015F7                 mov     [ebp-14h], eax
 004015FA                 jnz     short loc_401605
 004015FC                 inc     dword ptr [ebp+8]
 004015FF                 cmp     dword ptr [ebp+8], 0Ah
 00401603                 jb      short loc_401591 ;Go to the next cycle

If there is another csavpw0.dll, is firstly deleted and next recreated, if creation fails is performed the same routine for csavpw1.dll, csavpw2.dll.

In my case csavpw2.dll is founded

00401608                 push    esi
 00401609                 push    ecx
 0040160A                 push    dword ptr [ebp-18h] ; Size: 4C00
 0040160D                 push    dword ptr [ebp-4] ; Buffer: 00402070
 00401610                 push    eax
 00401611                 call    ds:WriteFile
 0040161A                 call    CloseHandle
 0040161C                 push    ebx
 0040161D                 call    ds:Sleep
 00401623                 lea     ecx, [ebp-11Ch] ;C:\WINDOWS\system32\csavpw2.dll

csavpw2.dll is filled up with the Founded Resource.

00401630                 push    ebx
 00401631                 lea     eax, [ebp-220h]
 00401637                 push    offset aCzxsderdaksi_0 ; "CZXSDERDAKSIICS_%d"
 0040163C                 push    eax
 0040163D                 call    ds:wsprintfA
 00401643                 add     esp, 0Ch
 00401646                 lea     eax, [ebp-220h]
 0040164C                 push    eax ;CZXSDERDAKSIICS_0
 0040164D                 push    esi
 0040164E                 push    1F0003h
 00401653                 call    ds:OpenEventA
 00401659                 cmp     eax, esi
 0040165B                 jz      short loc_401666
 0040165D                 push    eax
 0040165E                 call     CloseHandle
 00401660                 inc     ebx
 00401661                 cmp     ebx, 0Ah
 00401664                 jb      short loc_401630

As usual it searches for CZXSDERDAKSIICS_0, CZXSDERDAKSIICS_1, CZXSDERDAKSIICS_2 when the OpenEvent FAILS we have this

0040166C                 push    104h
 00401671                 push    eax
 00401672                 push    esi
 00401673                 call    ds:GetModuleFileNameA
 00401679                 lea     eax, [ebp-220h]  ;CZXSDERDAKSIICS_2
 0040167F                 lea     edx, [ebp-52Ch] ;Path of our virus executable
 00401685                 push    eax                 ;CZXSDERDAKSIICS_2
 00401686                 lea     eax, [ebp-11Ch]
 0040168C                 push    eax                ;C:\WINDOWS\system32\csavpw2.dll
 0040168D                 mov     ecx, offset a8dfa290443ae89 ; "{8DFA2904-43AE-8929-9664-
 00401692                 call    sub_40124E

-> call sub_40124E Creates a RegKey in HKEY_CLASSES_ROOT with SubKey CLSID\{8DFA2904-97C43AE-8929-9664-4347554D24B6} and setted some values as “ExeModuleName“, “DllModuleName“, “SobjEventName

 004016B5                 push    eax           ; csavpw2.dll
 004016B6                 call    edi ; LoadLibraryA
 004016B8                 push    esi
 004016B9                 call    ds:ExitProcess
 004016BF                 push    eax
 004016C0                 call    ds:CloseHandle

.:: Trojan Removal ::.



1) Delete the Trojan file: csavpw0/1/2/etc.dll

1) Delete the following CLSID CLSID\{8DFA2904-97C43AE-8929-9664-4347554D24B6}


In the next we will see how csavpw0.dll works.


See you to the next post.. πŸ™‚

Potting the HoneyPot #1

October 15, 2007

This post is strictly correlated with the previous Malware Hunting.

As mentioned earlier, there is a big necessity of automated collection tecnology, such as generic Malware Collector and HoneyPots.

In computer terminology, a honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated, (un)protected and monitored, and which seems to contain information or a resource that would be of value to attackers. A honeypot that masquerades as an open proxy is known as a sugarcane.

It’s necessary to distinguish between various kinds of HoneyPots, but we’re intersted to the Malware Collectors

MultiPot The most easy and little HoneyPot



Argos Argos is a full and secure system emulator designed for use in honeypots. It is based on Qemu, an open source emulator that uses dynamic translation to achieve a fairly good emulation speed.

Honeyd Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

HoneyBOT HoneyBOT is a Windows based medium interaction honeypot solution, this HoneyPot supports in a great manner malicious uploading, so can be used for Malware Collection.

Around here, there are also many HoneyPot Projects developed by various organizations that are referred to a common big project, the HoneyNet Alliance

In my experience I’ve seen that the most flexible and powerful HoneyPot Framework, is Honeyd, it can be used in different areas of system security, Network Decoys and the most intersting (for me) Detecting Collecting Worms.


October 15, 2007

Today my year++ counter is updated, as every BirthDay this is not an happy day, this should be caused by my growing misantropy, so i’ll spent the whole day at Pc in writing and publishing, this make me feel alive..

See you to the next post πŸ™‚

[Malware Hunting] Some Considerarion

October 8, 2007


This can sound strange to the people not involved in Malware Analysis, any times one of the big problems for a reverser is to find good live Malware samples.

Out there we have a good Malware DataBase is provided by OffensiveComputing, great source of Live Samples, but as every Community Submitting based reality not updated every time.

As should be clear, is truly important to have Live Material in Time, because malware spreading is truly fast, the only great defence (apart Security Countermeasures) is the Speed Analysis, for fast updated AntiViral Basis/Payloads, this because the basical TimeLife of a malware is directly proportional to the Speed of the Incident Reporting Companies. Home made DataBases are a great example of real life malware, especially for WebBased viruses, because implicitly these boards are a reflection of the most spreaded Social Stream Preferences, and consequently the most common choised WebSites.

About live malware samples, unfortunately this mechanism is not so efficient, for many reasons:

  • Slow Time Reporting
  • Geographycal Malware Density

Slow Time Reporting, is caused by different Fuse Time and obviously by not continue (linear) malware posting.

Geographycal Spreading, means that in some well defined locations we have the expansion of a particular Virus.

As you should understanded for mass malware analysis is necessary to use other technologies, as Malware Collectors and HoneyPots.

Soon I’ll publish something about mwcollection, so stay tuned πŸ˜‰

See you to the next post πŸ™‚

.NET Source Code

October 6, 2007

A great news from Microsoft, in some time will be released .NET Base Class Libraries‘s Source Code πŸ™‚

A great new for Coders and Reversers..

See you to the next post

Various News

October 2, 2007

These are days full of news, good and bad ones πŸ™‚

Bye Bye VirtualBox! Due to several crashes with USB I’ can’t continue tu use VirtualBox, coming back to my dear VMWare ultra Fault Tollerant, old dear VMWare!

Code Development is blocked cause, Notebook Death, but I’ve updated my Todo Code List:

  • Commercial version of FolderProtector, realized in C# using Strong Cryptography and AntiCorruption Checks.
  • MultiSteganer (I think this will be Commercial), realized in C#, will works various file formats. Data Storing will be Protected by a Password frase that Encrypts the content.
  • Free Version of SteganoDetector, based over the previous Tool, but with Forensics Purposes.

Today begins my new work for Investigative Data Recovery Enterprise πŸ™‚ πŸ˜€

See you to the next post πŸ™‚