Cryptography - Verifying the Signature of a Windows PE File

Cryptography is the use of codes to convert data so that only a specific recipient will be able to read it, using a key.

Microsoft cryptographic technologies include CryptoAPI, Cryptographic Service Providers (CSP), CryptoAPI Tools, CAPICOM, WinTrust, issuing and managing certificates, and developing customizable public key infrastructures.

ref:

Cryptography - http://msdn.microsoft.com/en-us/library/aa380255(v=VS.85).aspx

Example C Program: Verifying the Signature of a PE File - http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx

CryptoAPI Tools Reference - http://msdn.microsoft.com/en-us/library/aa380240(v=VS.85).aspx

Windows Script Host: New Code-Signing Features Protect Against Malicious Scripts - http://msdn.microsoft.com/en-us/magazine/cc302149.aspx

Understanding Authentication and Security - http://uk.dwarner.org/library/SHELF5/Internet%20Explorer%20Plug-In%20and%20ActiveX%20Companion/ch5.htm

Tools to Sign Files and Check Signatures - http://msdn.microsoft.com/en-us/library/aa388151(v=VS.85).aspx

Tools to Create, View, and Manage Certificates - http://msdn.microsoft.com/en-us/library/aa388150(v=VS.85).aspx

Example C Code for Opening Certificate Stores - http://msdn.microsoft.com/en-us/library/aa382035(VS.85).aspx

How To Get Information from Authenticode Signed Executables - http://support.microsoft.com/kb/323809

How to retrieve the authenticode information - http://www.ucosoft.com/how-to-program-to-retrieve-the-authenticode-information.html

http://stackoverflow.com/questions/2008519/how-to-verify-that-my-orgainization-signed-a-trusted-windows-binary

An application that calls Cryptography API (CryptoAPI) functions may stop responding on a Windows XP-based computer - http://support.microsoft.com/kb/899420

Validating embedded digital signatures - http://rsanidad.wordpress.com/2008/10/31/validating-embeded-digital-signatures/

Other C Code Examples

The following topics present other procedures and extended C code examples that use the CryptoAPI functions:

• Verifying a CTL
• Verifying Signed Messages by Using CTLs
• Example C Program: Certificate Verification Operations
• Example C Program: Working with Key Identifiers
• Example C Program: Creating a Certificate Chain
• Example C Program: Making a Certificate Request
• Example C Program: ASN.1 Encoding and Decoding
• Example C Program: Using CertOIDToAlgId and CertCompareIntegerBlob
• Example C Program: Verifying the Signature of a PE File
• Modifying Key Container Access

Windows Services

Windows Services

Almost every operating system has a mechanism to start processes at system startup time that provide services not tied to an interactive user. In Windows, such processes are called services or Windows services, because they rely on the Windows API to interact with the system. Services are similar to UNIX daemon processes and often implement the server side of client/ server applications. An example of a Windows service might be a Web server because it must be running regardless of whether anyone is logged on to the computer and it must start running when the system starts so that an administrator doesn't have to remember, or even be present, to start it.

Windows services consist of three components: a service application, a service control program (SCP), and the service control manager (SCM). First, we'll describe service applications, service accounts, and the operations of the SCM. Then we'll explain how auto-start services are started during the system boot. We'll also cover the steps the SCM takes when a service fails during its startup and the way the SCM shuts down services.

Service Applications

Service applications, such as Web servers, consist of at least one executable that runs as a Windows service. A user wanting to start, stop, or configure a service uses an SCP. Although Windows supplies built-in SCPs that provide general start, stop, pause, and continue functionality, some service applications include their own SCP that allows administrators to specify configuration settings particular to the service they manage.

Service applications are simply Windows executables (GUI or console) with additional code to receive commands from the SCM as well as to communicate the application's status back to the SCM. Because most services don't have a user interface, they are built as console programs.

When you install an application that includes a service, the application's setup program must register the service with the system. To register the service, the setup program calls the Windows CreateService function, a services-related function implemented in Advapi32.dll (\Windows\System32\Advapi32.dll). Advapi32, the "Advanced API" DLL, implements all the client-side SCM APIs.

When a setup program registers a service by calling CreateService, a message is sent to the SCM on the machine where the service will reside. The SCM then creates a registry key for the service under HKLM\SYSTEM\CurrentControlSet\Services. The Services key is the nonvolatile representation of the SCM's database. The individual keys for each service define the path of the executable image that contains the service as well as parameters and configuration options.

After creating a service, an installation or management application can start the service via the StartService function. Because some service-based applications also must initialize during the boot process to function, it's not unusual for a setup program to register a service as an autostart service, ask the user to reboot the system to complete an installation, and let the SCM start the service as the system boots.

When a program calls CreateService, it must specify a number of parameters describing the service's characteristics. The characteristics include the service's type (whether it's a service that runs in its own process rather than a service that shares a process with other services), the location of the service's executable image file, an optional display name, an optional account name and password used to start the service in a particular account's security context, a start type that indicates whether the service starts automatically when the system boots or manually under the direction of an SCP, an error code that indicates how the system should react if the service detects an error when starting, and, if the service starts automatically, optional information that specifies when the service starts relative to other services.The SCM stores each characteristic as a value in the service's registry key.

ref:

A description of Svchost.exe in Windows XP Professional Edition -

http://support.microsoft.com/kb/314056

How to debug Windows services - http://support.microsoft.com/kb/824344

Preparing to debug a Service Application - http://msdn.microsoft.com/en-us/library/ff553427(VS.85).aspx

How to troubleshoot a service that crashes in Windows XP - http://support.microsoft.com/kb/934650

Windows Shared Services -

http://blogs.msdn.com/larryosterman/archive/2005/09/09/463018.aspx

Debugging Shared Services : BREAKING UP (SHARED SERVICES) IS(N'T) HARD TO DO -

http://blogs.msdn.com/larryosterman/archive/2005/09/12/464077.aspx

Trouble Shooting SVCHost.exe => http://blogs.technet.com/askperf/archive/2008/01/11/getting-started-with-svchost-exe-troubleshooting.aspx

USEFUL SERVICE TRICKS : DEBUGGING SERVICE STARTUP -

http://blogs.msdn.com/larryosterman/archive/2006/03/01/541403.aspx

WHEN SECURITY FIRMS OFFER BAD ADVICE -

http://blogs.msdn.com/LarryOsterman/archive/2004/03/17/91464.aspx

Windows Crash Dump Analysis - 1

Crash Dump - is a file that windows will create it when it gives you the Blue Screen of death (BSOD) error.

Configure the dump type:

To configure startup and recovery options to use the small memory dump file, follow these steps.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System.
3. Click the Advanced tab, and then click Settings under Startup and Recovery.
4. In the Write debugging information list, click Small memory dump (64k).
   
   To change the folder location for the small memory dump files, type a new path in the Dump File box (or in the Small dump directory box, depending on your version of Windows).

Examine the dump file:

There are several commands that you can use to gather information in the dump file, including the following commands:

• The !analyze -show command displays the Stop error code and its parameters. The Stop error code is also known as the bug check code.
• The !analyze -v command displays verbose output.
• The lm N T command lists the specified loaded modules. The output includes the status and the path of the module.

ref:

Crash dump Analysis - http://msdn.microsoft.com/en-us/library/ee416349(VS.85).aspx

Analyzing Windows Crash Dump or Minidump with WhoCrashed (by Raymond Chen) -http://www.raymond.cc/blog/archives/2009/01/17/analyzing-windows-crash-dump-or-minidump-with-whocrashed/

How to debug Crash Dumps - http://thehiddenguide.com/how-to-analysis-crash-dump/

How to read the small memory dump files that Windows creates for debugging – http://support.microsoft.com/kb/315263/en-us

Windows Crash Dump Analysis Video - http://technet.microsoft.com/en-us/ff606436.aspx

Crash Dump Analysis using WinDbg - http://www.networkworld.com/news/2005/041105-windows-crash.html

WhoCrashed reveals the drivers responsible for crashing your computer - http://www.resplendence.com/whocrashed

Online community for windows support - http://www.windowsbbs.com/general-discussions/33471-dump-data-collection-tool-instructions.html

WinDbg Tutorial - http://www.codeproject.com/KB/debug/windbg_part1.aspx

Writing WinDbg extensions - http://www.codeproject.com/KB/debug/cdbntsd4.aspx

Remote Kernel debugging with WinDbg - http://www.wd-3.com/archive/RemoteDbg.htm

windbg the easy way –

http://www.debuginfo.com/articles/easywindbg2.html (Part1)

http://www.debuginfo.com/articles/easywindbg.html (Part2)

Find leak in Managed Program - http://blogs.msdn.com/delay/archive/2009/03/11/where-s-your-leak-at-using-windbg-sos-and-gcroot-to-diagnose-a-net-memory-leak.aspx

SOS WinDbg extension to debug managed programs - http://msdn.microsoft.com/en-us/library/bb190764.aspx

(The SOS Debugging Extension (SOS.dll) helps you debug managed programs in the WinDbg.exe debugger and in Visual Studio by providing information about the internal common language runtime (CLR) environment)

Windows Crash Dump Analysis - 2

How to Configure Windows to Generate Crash Dumps

The native debug tool on Windows systems, Dr. Watson, allows you to generate crash dumps. Dr. Watson, the system failure or "crash" analysis tool, has been replaced on Windows Vista with Problem Reports and Solutions.

However, Dr. Watson does not allow generation of crash dumps on a running process. To generate crash dumps from a running process, install the Debugging Tools. The Debugging Tools are freely available from the Windows web site at http://www.microsoft.com/whdc/devtools/debugging/default.mspx.

1. You can use Dr. Watson for crash dumps generated when a process dies.
1. Use the drwtsn32 -i command to make Dr. Watson the default debugger.
2. Open Dr. Watson with the drwtsn32 -i command.
3. Check all options.
4. Choose the path where crash dumps are generated.

When providing crash dumps, collect both the dmp and drwtsn32.log files.

2. Use the Window Debugging Tools to generate crash dumps of a running process.
1. Make sure you install the latest version of the Debugging Tools and OS Symbols for your version of Windows.
2. Set the _NT_SYMBOL_PATH for your environment.
3. Enable generation of a crash dump for your application.

Get the process ID of the application using the tlist.exe command, then enable the crash dump.

win-dbg-root\tlist.exe

win-dbg-root\adplus.vbs -crash -FullOnFirst -p pid -o C:\dump-dir

The adplus.vbs command tracks the application with process ID pid. The adplus.vbs command generates a dmp file in the event of a crash.

4. When collecting crash dump information, take the complete folder generated under C:\dump-dir.

Windows Debuggers:

kd = kernel mode debugger

ntsd/cdb = user mode debuggers

WinDbg = kernel or user mode debugger

Crash Dump Tools

Dr Watson

Dumpchk => Check whether dump is valid/invalid

API

MiniDumpWriteDump()

ref:

Crash Dump Analysis - http://msdn.microsoft.com/en-us/library/bb204861(VS.85).aspx

Windows Online Crash Analysis - http://oca.microsoft.com/en/windiag.asp

How to Generate a Memory Dump File When a Server Stops Responding (Hangs) -

http://support.microsoft.com/kb/303021/

Windows feature lets you generate a memory dump file by using the keyboard -

http://support.microsoft.com/kb/244139

To Configure Windows to Generate Crash Dumps -

http://docs.sun.com/app/docs/doc/820-0436/6nc65np8p?a=view

Windows feature lets you generate a memory dump file by using the keyboard -

http://support.microsoft.com/kb/244139

How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system - http://support.microsoft.com/kb/927069

Windows: Understanding Crash Dump Files -

http://www.ditii.com/2008/01/08/windows-understanding-crash-dump-files/

Testing Your PDB Files -

http://blogs.msdn.com/joshpoley/archive/2008/01/10/testing-your-pdb-files.aspx

Crash Dumps Blog -

http://blogs.msdn.com/joshpoley/search.aspx?q=crash+dump&p=1

Opening a Crash Dump File (Automating Crash Dump Analysis Part 1) -

http://blogs.msdn.com/joshpoley/archive/2008/05/27/opening-a-crash-dump-file-automating-crash-dump-analysis-part-1.aspx

Getting the Stack from a .DMP File (Automating Crash Dump Analysis Part 2) -

http://blogs.msdn.com/joshpoley/archive/2008/06/02/getting-the-stack-from-a-dmp-file-automating-crash-dump-analysis-part-2.aspx

Getting the Crash Details from a .DMP File (Automating Crash Dump Analysis Part 3) -

http://blogs.msdn.com/joshpoley/archive/2008/06/06/getting-the-crash-details-from-a-dmp-file-automating-crash-dump-analysis-part-3.aspx

MiniDumps and "Bad" Stack - http://blogs.msdn.com/joshpoley/archive/2008/11/10/minidumps-and-bad-stacks.aspx

Effective minidumps (part1) by Oleg Starodumov -

http://www.debuginfo.com/articles/effminidumps.html

Effective minidumps (part2) y Oleg Starodumov - http://www.debuginfo.com/articles/effminidumps2.html

DbgHelp Functions , Mini Crash Dump API

- MiniDumpCallback , MiniDumpReadDumpStream , MiniDumpWriteDump :

http://msdn.microsoft.com/en-us/library/ms679291(VS.85).aspx

How to check whether your Firewall software is protecting you !

No matter which firewall you chose from either the Free or commercial categories you should always and on a regular basis test it for holes. (Open "ports" are like open doors on your house). You need to test specific ports because many hostile programs used by hackers open these ports and transmit and receive data through them. so by blocking them you can neutralize some function of the hackers tools.

Here is a few web based firewall test sites you can go to and check you security:

HackerWatch
http://www.hackerwatch.org/probe/

Audit My PC
http://www.auditmypc.com/

TestMyFirewall
http://www.testmyfirewall.com/

Firewall Leak Tester
http://www.firewallleaktester.com/

PC Flank
http://www.pcflank.com/

Brief explanation about HackerWatch

HackerWatch is an online community where Internet users can report and share information to block and identify security threats and unwanted traffic.

With 2,000 malicious threats emerging each month, Internet users must continue to employ proven methods to safeguard vital information. Although firewall software is essential, HackerWatch is unique in its mix of community participation and proven technology: by analyzing corporate and individually-submitted data, HackerWatch reveals meaningful patterns of attacks, hacking attempts, and disruptions. Once a pattern is mapped, the appropriate authorities and ISP carriers can be notified.

HackerWatch delivers a truly proactive and direct approach to Internet security protection.

Use http://www.hackerwatch.org/probe/ to test whether your Firewall is protecting !

Rootkit

A rootkit is a type of software that is designed to gain administrative-level control over a computer system without being detected. In virtually all cases, the purpose and motive is to perform malicious operations on a target host computing system at a later date without the knowledge of the administrators or users of that system. Rootkits can be installed in hardware or software targeting the BIOS, hypervisor, boot loader, kernel or less commonly, libraries or applications

A rootkit is not an exploit. It is what an attacker uses after an initial exploit to allow future undetected access to a compromised computer.

Virus vs Worm vs Rootkit

It is also important not to confuse a rootkit with a virus, or a worm. The main difference is in propagation and stealth. Like a rootkit, a virus also alters software components of a system. A virus, however, is designed to do damage and possibly provide additional service(s) to the attacker. This usually alerts the user right away that something is wrong, and gives away its existence. A worm is usually designed to scan for vulnerabilities and take advantage of them, as well as spread to other computers connected to a network, thereby doing the same damage to them. Again, this alters computer behavior significantly enough to alert the user to its existence and that there is something wrong. A rootkit, on the other hand, is designed to maintain its own integrity, and remain hidden from the user in order to allow the attacker to use the compromised computer for a long period of time for his or her own nefarious means.

Payload

a virus payload referred to action a virus might take beyond simply infecting files. This payload could range from the virus displaying a dialog box with the words "Have a Good Day" to a virus that overwrites or deletes files on the system. For example, the circa 1998 CIH virus had a payload to overwrite the Flash BIOS of systems, rendering those systems unbootable. LoveLetter also deployed a malicious payload as part of its routine, overwriting certain media file types.

Today's malware is less likely to include a payload that damages files on the system, but instead typically include a payload that allows backdoor access to the system and steals passwords and other sensitive data.

Rootkit Types

There are three basic types of rootkits - library, application and kernel. There are also two subtypes - memory based, and persistent.

Rootkit Categories

There are two basic categories that modern rootkits in the wild can be divided into: those that are designed to hook, and those that are designed to use DKOM.

Hooks (or hooking) –

A hook, or hooking, is a method used by a rootkit to alter the normal execution path of the operating system.

Some of the more common areas a rootkit will hook are –

1. Execution paths

2. Import Address Tables(IAT)

3. System Service Descriptor Tables(SSDT)

4. Layered Filter Drivers

DKOM –

DKOM stands for Direct Kernel Object Manipulation. Rootkits designed to use DKOM rely on creation of kernel objects by the operating system, which are normally used by the system for auditing normal operation.

Rootkit SubTypes

Persistent versus memory-based rootkits:

Generally speaking, there are two types of rootkits: persistent rootkits and memory-based rootkits. The primary difference between these two types of rootkits lies in their "persistence" on an infected machine after a reboot. Persistent rootkits are capable of surviving a system reboot whereas memory-based rootkits are not. In order to survive a reboot, two conditions must be met. First, they must have some means of permanently storing their code on the victim system (such as on the hard disk). Second, they must place a hook in the system boot sequence so that they can be loaded from disk into memory and begin execution.

Unlike persistent rootkits, in-memory rootkits make no effort to permanently store their code on disk or hook into the boot sequence. Their code exists only in volatile memory and they may be installed covertly via a software exploit. This makes them stealthier than their "persistent" brethren and confers anti-forensic advantages. While it may seem that an inability to survive a reboot would undermine the usefulness of these rootkits, server systems frequently remain online for days, weeks, or months at a time. In practice, the potential for losing the rootkit infection may be counter-balanced by an attacker's need for untraceability.

ref:

Windows rootkits, Part1 - http://www.symantec.com/connect/articles/windows-rootkits-2005-part-one

Windows rootkits, Part2 - http://www.symantec.com/connect/articles/windows-rootkits-2005-part-two

Windows rootkits, Part3 - http://www.symantec.com/connect/articles/windows-rootkits-2005-part-three

http://www.5starsupport.com/tutorial/rootkits.htm

http://en.wikipedia.org/wiki/Rootkit

http://en.wikipedia.org/wiki/Malware

http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp

http://www.rootkit.com/newsread.php?newsid=928

http://www.viralpatel.net/taj/tutorial/idt.php

Home User Security: Personal Firewalls - http://www.symantec.com/connect/articles/home-user-security-personal-firewalls

Software Firewalls , Part 1 – http://www.symantec.com/connect/articles/software-firewalls-made-straw-part-1-2

Software Firewalls , Part 2 - http://www.symantec.com/connect/articles/software-firewalls-made-straw-part-2-2