Archive for June, 2013

This may help in some way with the process of debugging and developing a GCC plugin:

#Needed Information
PROJECT_WSPACE=Work space Path
GCC_SRC_NAME=Plugin Src File Name

#Needed Paths


# Test Information
GCC_INJECT_CASE=Test Case File Name

# Create the plugin #
gcc -I $(GCC_LIB_PATH) -shared -fPIC -O2 $(GCC_SRC_NAME).c -o $(GCC_PLUGIN_SO_PATH)/$(GCC_SRC_NAME).so
# Execute with input test
# Move tree information
mv case_* $(GCC_TEST_TREES_PATH)

# Clean all paths #

if test -d $(GCC_PLUGIN_SO_PATH) ; then rm -f -r $(GCC_PLUGIN_SO_PATH) ;fi
if test -d $(GCC_TEST_RESULT_PATH); then rm -f -r $(GCC_TEST_RESULT_PATH) ;fi

# Make paths #

if ! test -d $(GCC_PLUGIN_SO_PATH); then mkdir $(GCC_PLUGIN_SO_PATH) ;fi
if ! test -d $(GCC_TEST_RESULT_PATH); then mkdir $(GCC_TEST_RESULT_PATH) ;fi
if ! test -d $(GCC_TEST_TREES_PATH); then mkdir $(GCC_TEST_TREES_PATH) ;fi
if ! test -d $(GCC_INJECT_PATH); then mkdir $(GCC_INJECT_PATH) ;fi


I started working on my thesis, “A compiler-based infrastructure for software protection”. When I was researching the state of the art, one of the things I was looking for was on-line compiler services, as I guessed there were lots of them: Google shows 14,000,000 results for the keyword “Online Compiler”.


Let's say 2% are really what we are looking for; this makes 280,000 web sites offering this service, ignoring the on-line IDE services even if those probably work in the same architectural way. The thing that really caught my attention was how these sites secure themselves against command injection attack vectors.

Let's say this is the general architecture of an on-line compiler, and that it should work like this:

1- The user uploads the code or writes it in the interface

2- The service logic receives the compilation request

2.1 sanitize the parameters and the file name

2.2 request the compilation from the model

3- The model creates a new (remote or local) process or thread that triggers the compiler with the code and the requested parameters

3.1 The model reads the warnings and errors

IF there are no errors:

3.1.1 move the compiled object to a boxed (sandboxed) environment

3.1.2 execute the compiled object in the boxed environment

3.1.3 read the execution output stream

3.1.4 move the compiled code to a public place, allowing a download option

3.1.5 remove the compiled code and clean the session space in the boxed environment

4- The errors, warnings and result are propagated back to the user interface

4.1 the result is sanitized

I think that by using these pseudo-steps we can mitigate a lot of risk and offer a good quality service, but it turns out that more than 90% of the analyzed web sites (I analyzed 20) lack or badly implement steps 2.1, 3.1.1, 3.1.2, 3.1.5 and 4.1, or don't follow any security consideration at all.
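As an added example (not code from this post or from any of the analyzed sites), here is how the service-logic steps 2.1, 2.2/3, 3.1.2 and 4.1 above could look in Python; the allowlists, the work directory, the `gcc` invocation and the resource limits are assumptions made for the example.

```python
import html
import os
import re
import subprocess

# Allowlists constructed for this example (assumptions, not the page's own
# values): a bare C file name and a handful of harmless compiler flags.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_-]{1,32}\.c$")
ALLOWED_FLAGS = {"-O0", "-O1", "-O2", "-Wall", "-Wextra", "-std=c99", "-std=c11"}


def is_valid_request(filename, flags):
    """Step 2.1: accept only a bare file name and allowlisted flags, so input
    such as 'a.c; id' or an extra '-o' never reaches the compiler."""
    return bool(SAFE_FILENAME.match(filename)) and all(f in ALLOWED_FLAGS for f in flags)


def compiler_argv(workdir, filename, flags):
    """Steps 2.2/3: build the compiler command as an argv list. No shell is
    involved, so nothing from the request is parsed as shell syntax."""
    if not is_valid_request(filename, flags):
        raise ValueError("rejected compilation request")
    src = os.path.join(workdir, filename)
    return ["gcc", *flags, src, "-o", os.path.join(workdir, "a.out")]


def _limits():
    """Step 3.1.2, minimal boxing: cap CPU time, memory, file size and process
    count for the child. A real deployment adds a separate user, namespaces or
    a container on top of this."""
    import resource  # Unix only, hence imported here
    resource.setrlimit(resource.RLIMIT_CPU, (2, 2))
    resource.setrlimit(resource.RLIMIT_AS, (256 * 1024 * 1024,) * 2)
    resource.setrlimit(resource.RLIMIT_FSIZE, (1024 * 1024,) * 2)
    resource.setrlimit(resource.RLIMIT_NPROC, (16, 16))


def run_boxed(argv, workdir, timeout=5):
    """Run argv under the limits with a wall-clock timeout and a minimal
    environment; returns (exit code, stdout, stderr) for step 3.1.3."""
    proc = subprocess.run(argv, cwd=workdir, capture_output=True, text=True,
                          timeout=timeout, preexec_fn=_limits,
                          env={"PATH": "/usr/bin:/bin"})
    return proc.returncode, proc.stdout, proc.stderr


def sanitize_output(text):
    """Step 4.1: escape compiler and program output before embedding it in the
    HTML page, so output like <script>...</script> is displayed, not executed."""
    return html.escape(text, quote=True)
```

The same argv would be handed to `run_boxed` twice: once for the compiler, then again for the produced binary, so neither ever sees a shell.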

As an example, this is the first result of the search on Google using the keywords “online compiler”:


Languages: supports a lot of languages, from C to CSS
Owner: Mohammad Mohtashim


Attacks : From command injection to XSS

Sample attack vector

The web site offers a shell interpreter in an uncontrolled environment, so it wasn't difficult to do the following:

– Browsing the OS path

– Gathering information about the system

– Executing an XSS attack

– Gathering /etc/passwd



Languages: supports a lot of languages, from C to CSS

Attacks : Command injection

Sample attack vector

The web site offers a shell interpreter in a CONTROLLED environment, but command injection can still be done:

– Browsing the OS path

– From the shell, the permission policy disallows this kind of injection

– BUT if we compile a file, we can see the policy applied to the execution account is different

– Gathering information about the system

– Gathering /etc/passwd

In all of the examples we are able to inject a reverse shell and have more flexible control over the systems; we could even exploit some kernel vulnerabilities to get root. I highly recommend the owners review the architecture and security policy of their implementation.


1- Building such a service should be well architected

2- Serious security considerations have to be made and tested before deployment

3- A sanitization process should be inserted into the incoming and outgoing flow

4- Sandboxing is a must in this kind of project

I was browsing my FB account and I saw myself reading this comment posted by Mohammad Hammada about the last post of

خاص بلفضائية السورية, which means “Private to the general organization of radio and TV in Syria”.

The post claimed to disclose a list of killers' names related to a massacre in Syria and a bunch of pictures (I don't usually follow such posts, nor enter into political debates), but the interesting part was the replies of the people: “Be careful, there is a malware inside”. I downloaded the file; it was 239.29 KB!! (First thought: how many pictures are there?)


In the RAR there were 5 JPGs (real pictures; I will not post them here due to strong content) and one file called _1194cds62rcs.txt. It was easy to notice that the .txt wasn't a real text file: if you take a look at the TYPE column in the RAR you will see “unknown”. I extracted all of them after making sure there was no autorun after extraction.


So, as we knew from the beginning, it is not a text file; it is an executable developed in .NET targeting the MS Windows OS. Let's go further and try to see what else we can get about this file.

1- Using /

The file is detected as a virus by 7 major AV solutions, so let's do a static and dynamic analysis.


+ Result of static analysis

1- We got the real entry point and the version of the .NET Framework used to develop the malware:

// Entry point: mc.Main
// Architecture: x86
// Runtime: .NET 2.0

2- The dependencies

// dmcl40 // kernel32.dll // rpcrt4 // urlmon // netapi32 // difxapi // opengl32 // odbc32 // ole32

// crypt32 // hhctrl // winfax // odbccp32 // iprop // faultrep // mpr // winusb // irprops // dbghelp

// credui // mscorsn // comctl32 // hid // dnsapi

3- The malware is obfuscated and encrypted; it detects the presence of debuggers and task managers.


I reversed the code and wrote a small script to decrypt it and pull out more information.


As a result of the script:

– It detects the presence of

  • OllyDbg
  • SbieCtrl
  • mbam
  • taskmgr
  • HijackThis
  • Virtual PC
  • TEMemoryScanner

– Stores itself as cvtres.exe

– Uses kernel32 and ntdll to create a new process

– Queries and manipulates dozens of registry keys

– Queries a name server and communicates (I will soon disclose the information I can gather from the command center)

– Puts itself at start-up

The creator put a lot of effort into the process of obfuscation and encryption.

This group is the official Facebook group of .



Netblock owner: 190 Internet Service Provider
IPv6 address: Not Present
Top Level Domain: Syria (.sy)
Web server: Windows Server 2008, Microsoft-IIS/7.5
Last changed: 2-May-2013

A governmental page with a high page rank on Google.


There are two hypotheses:

1- this was really done by the government

2- someone hacked into the account and did it

But if the Syrian government is spreading malware using Facebook pages, I can't imagine how many exploits they are launching through the web site itself. This looks like a science fiction movie, but the reality is that we are facing a time where cyberspace is the battlefield. I hope this can serve as an alert message to everyone: be careful when you are wired, and don't rely on AV solutions only.

===== Update 14,2013 at 4:51

The Syrian official web site acknowledged losing the Facebook page.


Intro To x86

Posted: June 13, 2013 in Programming

Intro to Intel X86

The first thing we should know is that x86 is a (microprocessor) family, where the x represents a number in the 86 family. The main components you should be aware of are:

1- How RAM works with the OS.

2- The processor itself 😀; this tells you what architecture you are working with.

– Data Types

Length (bits)      Intel ASM      Data Type (C)
8 (1 byte)
16 (2 bytes)
32 (4 bytes)       Double word    int / long
128 (16 bytes)     Quad word      double / long long

– Representation

Decimal ( base 10 )

Binary ( base 2 )

Hex ( base 16 )

So how do we represent negative numbers (two's complement)?

1- Flip the ones → zeros and the zeros → ones

2- Add 1 to the flipped representation

Number              Ones' comp.         Two's comp. (negative)
0000-0001b : 0x01   1111-1110b : 0xFE   1111-1111b : 0xFF : -1
0000-0100b : 0x04   1111-1011b : 0xFB   1111-1100b : 0xFC : -4

What kinds of architecture are there?

1- CISC, Complex Instruction Set Computer { Intel }

– Its main characteristic is the huge number of special-purpose instructions

– Variable instruction length, between 1 and 16 bytes

2- RISC, Reduced Instruction Set Computer { PowerPC, ARM, SPARC, MIPS }

– Built upon a small set of instructions

– Typically has more registers than CISC

In both of the previous architectures they need a way to map the bytes of a value onto RAM, and there are two ways to do that (little endian, big endian).

Little endian: you store the least significant byte first, 0x12345678 → 0x78563412

Big endian: you store the most significant byte first, 0x12345678 → 0x12345678

Intel is little endian, but network traffic for example is big endian; other architectures like ARM, SPARC and MIPS use big endian too, or can be configured as little endian.

Very important: endianness operations are at byte level.
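The two's complement steps and the byte-level endianness rule above, worked through in C as an added example (not code from the post); the values 0x01, 0x04 and 0x12345678 are the ones used in the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two's complement exactly as described above: flip every bit (ones'
 * complement), then add one. Returns the 8-bit pattern that encodes -n. */
uint8_t twos_complement8(uint8_t n) {
    uint8_t ones = (uint8_t)~n;    /* step 1: 0x01 -> 0xFE, 0x04 -> 0xFB */
    return (uint8_t)(ones + 1);    /* step 2: 0xFE -> 0xFF, 0xFB -> 0xFC */
}

/* Reverse the byte order of a 32-bit value: 0x12345678 -> 0x78563412.
 * Endianness works on whole bytes; the bits inside each byte never move. */
uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0x0000FF00u) |
           ((v << 8) & 0x00FF0000u) | (v << 24);
}

/* Copy the bytes of v in the order the CPU really stores them in RAM. */
void memory_bytes32(uint32_t v, uint8_t out[4]) {
    memcpy(out, &v, 4);
}

/* 1 on a little-endian host (x86): the least significant byte comes first. */
int is_little_endian(void) {
    uint8_t b[4];
    memory_bytes32(0x12345678u, b);
    return b[0] == 0x78;
}

/* Rebuild a value from big-endian ("network order") bytes one byte at a
 * time, which gives the right answer on either kind of host. */
uint32_t from_big_endian32(const uint8_t in[4]) {
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8) | (uint32_t)in[3];
}

int main(void) {
    uint8_t b[4];
    memory_bytes32(0x12345678u, b);
    printf("-1 -> 0x%02X, -4 -> 0x%02X\n", twos_complement8(1), twos_complement8(4));
    printf("0x12345678 in RAM: %02X %02X %02X %02X (%s-endian host)\n",
           b[0], b[1], b[2], b[3], is_little_endian() ? "little" : "big");
    return 0;
}
```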

– Registers

Registers are small boxes of memory in the CPU; some are for general-purpose use and others have very important specific uses.

In the Intel architecture we have 8 general registers and the instruction pointer register.

On x86-32 the registers are 32 bits in size.

On x86-64 the registers are 64 bits in size.

1- EBX (base pointer to the data section), shorter form BX

2- ECX (used as a counter), shorter form CX

3- EAX (stores function return values), shorter form AX

4- EDX (I/O pointer), shorter form DX

5- ESI (source index for data), shorter form SI

6- EDI (destination index), shorter form DI

7- EBP (stack frame base pointer), shorter form BP

8- ESP (stack pointer), shorter form SP

– EFLAGS (this register contains several 1-bit sub-registers, each representing something)

ZF: the zero flag, set when the instruction result is 0

SF: the sign flag, set to 1 if the most significant bit of the result is 1; we can use this flag to see if the value is positive or negative.

– EIP (instruction pointer)

– Conventions

Caller-saved registers: eax, edx, ecx

If the caller has anything in these registers, it is responsible for saving the register data before the call and restoring it after the call, because the callee is highly likely to use these registers.

Callee-saved registers: esi, edi, ebx, ebp

If the callee needs to change any of these registers, it is responsible for storing their values and restoring them before returning.

– Calling convention

– C declaration (cdecl):

1. Parameters are pushed onto the stack from right to left

push x

2. Save the caller's frame pointer

push ebp

3. Create a new stack frame

mov ebp, esp

4. The return value is stored in eax, or in edx:eax for 64-bit values

5. The callee restores the frame before returning

mov esp, ebp

pop ebp

and the caller is responsible for cleaning up the arguments it pushed after the call returns.


How the call instruction works

The only instruction that jumps to some location in the code and also sets up the mechanism to come back is call.

The call instruction sets EIP to the address it is going to execute, but before that it pushes the address of the next instruction (the one after the call) onto the stack, enabling the return mechanism through the “RET” instruction in the callee function.
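To make the push/RET mechanism and the cdecl frame concrete, here is an added example (not code from the post) that models the x86-32 stack in C; the addresses 0x1000, 0x2000 and 0x1005 and the 64-word stack are made-up values for the simulation.

```c
#include <stdint.h>
#include <stdio.h>
/* A small model of the x86-32 stack, constructed for this example: enough to
 * watch what CALL, RET and the cdecl prologue/epilogue do to ESP, EBP and EIP.
 * Addresses are made up; the stack grows downward, word i of mem[] = address 4*i. */
#define STACK_WORDS 64
typedef struct {
    uint32_t eip, esp, ebp;
    uint32_t mem[STACK_WORDS];
} cpu_t;

void cpu_init(cpu_t *c) { c->eip = 0x1000; c->esp = 4 * STACK_WORDS; c->ebp = c->esp; }
void op_push(cpu_t *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
uint32_t op_pop(cpu_t *c) { uint32_t v = c->mem[c->esp / 4]; c->esp += 4; return v; }

/* CALL: push the address of the instruction after the call, then jump.
 * That pushed word is exactly what RET later pops back into EIP. */
void op_call(cpu_t *c, uint32_t target, uint32_t next_insn) {
    op_push(c, next_insn);
    c->eip = target;
}
void op_ret(cpu_t *c) { c->eip = op_pop(c); }

/* Callee side of cdecl: "push ebp; mov ebp, esp" on entry ... */
void prologue(cpu_t *c) { op_push(c, c->ebp); c->ebp = c->esp; }
/* ... and "mov esp, ebp; pop ebp; ret" on exit. */
void epilogue(cpu_t *c) { c->esp = c->ebp; c->ebp = op_pop(c); op_ret(c); }

/* Inside the frame the first argument sits above the saved EBP (4 bytes)
 * and the return address (4 bytes), i.e. at [ebp+8]. */
uint32_t first_arg(const cpu_t *c) { return c->mem[(c->ebp + 8) / 4]; }

/* Caller side: "push x; call f; add esp, 4". The callee at 0x2000 just reads
 * its argument and returns. Returns 1 if x came through unchanged, execution
 * resumed at 0x1005 and ESP/EBP are back where they started. */
int cdecl_call_ok(uint32_t x) {
    cpu_t c; cpu_init(&c);
    uint32_t esp0 = c.esp, ebp0 = c.ebp;
    op_push(&c, x);                /* 1. arguments pushed right to left */
    op_call(&c, 0x2000, 0x1005);   /* return address = next instruction */
    prologue(&c);                  /* 2-3. save EBP, start a new frame */
    uint32_t seen = first_arg(&c);
    epilogue(&c);                  /* restore the frame, RET to 0x1005 */
    c.esp += 4;                    /* 5. caller removes the argument */
    return seen == x && c.eip == 0x1005 && c.esp == esp0 && c.ebp == ebp0;
}

int main(void) {
    printf("cdecl call round trip %s\n", cdecl_call_ok(42) ? "ok" : "broken");
    return 0;
}
```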