Last reviewed

Sunday 13 January 2013
+
It's an honour for me to have the "Ode to Dreg" chapter by Bill Blunden in the second edition of the book Rootkit Arsenal: "While I was recovering from writing the first edition of this book, I received an email from David Reguera Garcia (a.k.a. Dreg) that included code to deal with the case of multiple processors. To show my appreciation for his effort, I offered to include his proof-of-concept code in the second edition. Thanks David!

Dreg's work inspired me to write a multiprocessor version of HookGDT. In a nutshell, I recycled the tools I used in the HookSYSTENTER example to modify the GDT assigned to each processor." Thx Bill! You can buy the book here:

http://www.amazon.com/The-Rootkit-Arsenal-Evasion-ebook/dp/B007RFXCEW

Sunday 17 January 2010
+
It's an honour for me to collaborate on Rootkit Unhooker: version 3.8 LE build 386/588 Service Release 1, build date 12.01.2010. My contribution is a Call Gate detector that walks the GDT of every core. You can download the release from DiabloNova's blog on rootkit.com: http://www.rootkit.com/blog.php?newsid=993

+ It's an honour for me to collaborate with blog.48bits.com. My first post is: "Rootkit Arsenal, Installing a Call Gate":

Hi, I was reading the book "The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System" and I'd like to clarify a few things about the chapter "Hooking the GDT - Installing a Call Gate". A PoC driver that supports WalkGDT on multiple cores is included at the end of the article.

A Call Gate is a mechanism of the Intel x86 architecture that changes the CPU privilege level on entry to a predefined function, which is invoked with a FAR CALL/JMP instruction.

...
Now it is time for a more detailed view. The PoC code of the book doesn't handle multiple cores: it only installs the Call Gate in the GDT of the core the driver is loaded on, and the GDT of the other core remains intact. The problem is that if the userspace application makes a FAR CALL while running on another core, where there is no Call Gate, it doesn't work.
...
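As an added illustration (not the post's, the book's or the driver's code), this is the per-entry decoding that a detector like the one described above has to perform on each core's GDT; it runs here over a constructed GDT image rather than a live table, so it works on any host:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of one 8-byte x86 GDT descriptor (Intel SDM Vol. 3 layout). */
typedef struct {
    size_t   index;     /* slot in the table; selector = index * 8 */
    int      present, system, dpl, type;
    uint16_t selector;  /* call gate only: target code segment */
    uint32_t offset;    /* call gate only: target entry point */
} gdt_entry_t;

static gdt_entry_t decode_entry(const uint8_t d[8], size_t index) {
    gdt_entry_t e = {0};
    e.index    = index;
    e.type     = d[5] & 0x0F;
    e.system   = !(d[5] & 0x10);   /* S=0 means system descriptor (gates, TSS, LDT) */
    e.dpl      = (d[5] >> 5) & 3;
    e.present  = (d[5] >> 7) & 1;
    e.selector = (uint16_t)(d[2] | (d[3] << 8));
    e.offset   = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
                 ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);
    return e;
}

/* Type 0xC = 32-bit call gate, 0x4 = 16-bit call gate. */
static int is_call_gate(const gdt_entry_t *e) {
    return e->present && e->system && (e->type == 0xC || e->type == 0x4);
}

/* Walk a GDT image (what a per-core detector reads after SGDT) and collect
   every call gate into out[]. Returns the number found. */
size_t walk_gdt(const uint8_t *gdt, size_t len, gdt_entry_t *out, size_t max) {
    size_t found = 0;
    for (size_t i = 0; (i + 1) * 8 <= len && found < max; i++) {
        gdt_entry_t e = decode_entry(gdt + i * 8, i);
        if (is_call_gate(&e)) out[found++] = e;
    }
    return found;
}

/* Constructed 4-entry GDT: null, ring-0 code, ring-3 data, and a DPL-3
   32-bit call gate in slot 3 (selector 0x18) into ring-0 code (0x08). */
const uint8_t sample_gdt[32] = {
    0,0,0,0,0,0,0,0,
    0xFF,0xFF,0,0,0,0x9B,0xCF,0,
    0xFF,0xFF,0,0,0,0xF3,0xCF,0,
    0x34,0x12,0x08,0x00,0x00,0xEC,0x40,0x80
};

int main(void) {
    gdt_entry_t gates[8];
    size_t n = walk_gdt(sample_gdt, sizeof sample_gdt, gates, 8);
    for (size_t i = 0; i < n; i++)
        printf("call gate at selector 0x%02x: DPL %d -> %04x:%08x\n",
               (unsigned)(gates[i].index * 8), gates[i].dpl, gates[i].selector, gates[i].offset);
    return 0;
}
```

A real detector repeats this walk once per core, because each core has its own GDT, which is exactly the case the book's single-core PoC misses.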

You can view the original and official Spanish post at:
http://blog.48bits.com/2010/01/08/rootkit-arsenal-installing-a-call-gate/

And the English post on my rootkit.com blog:
http://www.rootkit.com/blog.php?newsid=992

You can download the PoC driver at http://www.48bits.com/files/cgaty.rar, or from my mirror here: cgaty.rar

You can download a mirror of my Spanish post here: Rootkit Arsenal Installing a Call Gate Spanish

You can download a mirror of my English post here: Rootkit Arsenal Installing a Call Gate English

Friday 8 January 2010
+
EvilFingers: It is an honor to be part of Evil Fingers Members. I am now collaborating with RootkitAnalytics. If you want to collaborate with EF or RootkitAnalytics, https://www.evilfingers.com/about/contact.php is a place with good people ;-).

Friday 18 December 2009
+
In the past, to do PEB Hooking (or to replace a DLL on disk) it was necessary to create a template .c and .h from the real DLL and then compile it. That method has to be repeated for each SP and for each Windows version; in a few words, in the past you needed a repository of fake DLLs (for SP1, SP2, ...) for each DLL. I solved this problem with a tool called dwtf, published yesterday at Rootkitanalytics.com. The tool exports all the symbols of the real DLL and imports all the exports of the real DLL; then it creates a code area with a JMP DWORD [ADDRESS] for each export. You can then add or remove payloads, or a stack of payloads, with a simple IAT hooking in the fake DLL at runtime; switching a payload is only a 32-bit xchg (a micro lock). dwtf is an open source tool under the MIT License.

dwtf demo: http://www.youtube.com/watch?v=t7UXEJieliM
dwtf site: http://rootkitanalytics.com/tools/dwtf.php

More info about dwtf internals in this post:
Generating any DLL for PEB Hooking or replacing in disk, binary form, By Dreg:
http://www.rootkit.com/blog.php?newsid=988

Mirrors:
Generating any DLL for PEB Hooking or replacing in disk, binary form
dwtf v1

Friday 5 November 2009
+
Thanks to http://0vercl0k.blogspot.com/2009/05/understand-phooks-internals.html for the work on phook, the PEB hooker project; I have uploaded a mirror of it: UnderstandPhooksInternals.zip

+ Understanding WinXPSP2.Cermalus: http://biht.blogspot.com/2009/10/understanding-winxpsp2cermalus.html , mirror: Understanding WinXPSP2.Cermalus.txt , source of the malware (with modified headers): WinXPSP2.Cermalus.zip

Wednesday 5 August 2009
+
New paper! The document is about how to use and implement the "E8 Method" with only one
hook handler for every hook, which is safe and implemented in C/C++: "One safe Hook Handler".
Two public libraries, to which a hack has been applied, are used:
1.- Microsoft Detours Library
2.- Easy-Hook

Download the paper in Spanish: One safe hook handler - E8 Method Spanish
Download the paper in English: One safe hook handler - E8 Method English
Download the tools: E8 Method.zip

Thanks to http://www.rootkit.com/ for publishing it on the home index.

Tuesday 4 August 2009
+
I created a tool useful for reversing and keygen stuff; download it here: cypher.rar
The design is simple: you only need to program a DLL which implements the algorithm, using
the data from a buffer, and the application loads the DLL, opens the files, processes the outputs, etc.

Example of use:
C:\>cypher.exe -d cypher.dll -a b_xor_b_b2E -r "poc"
Data: ^AM

If you don't specify -d, the default DLL is cypher.dll, included in the .rar:
C:\>cypher.exe -a b_xor_b_b2E -r "^AM"
Data: poc

C:\>cypher.exe -a help
CyphDll Template HELP:
Supported Algorithms
b_xor_b_bindexPb4 - b_dato[oi] = b_dati[ii] XOR (b_ii + b4) (DEFAULT)
b_xor_b_b2E - b_dato[oi] = b_dati[ii] XOR b_0x2E
dw_mul_w_wkey - dw_dato[oi] = w_dati[ii] MUL w_key

C:\>cypher.exe -r "poc" -o file
Using the default algorithm: b_xor_b_bindexPb4
Dumped data to file: file

C:\>more file
tje <- TEXT poc ENCRYPT.
C:\>cypher.exe -i file
Using the default algorithm: b_xor_b_bindexPb4
Data: poc
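As an added example (not the cypher.dll shipped in the .rar), the three algorithms listed by "-a help" written as callbacks behind a name lookup, the plugin shape the tool expects from a DLL; it reproduces the poc/^AM and poc/tje transcripts above. The 16-bit key for dw_mul_w_wkey is not given on the page, so it is passed as a parameter here:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Algorithm callback, mirroring the "program a DLL which implements the
   algorithm" design: transform in[0..n) into out[], return bytes written.
   key is only used by algorithms that need one. */
typedef size_t (*cyph_fn)(const uint8_t *in, size_t n, uint8_t *out, uint16_t key);

/* b_xor_b_bindexPb4: b_dato[oi] = b_dati[ii] XOR (b_ii + 4) */
static size_t b_xor_b_bindexPb4(const uint8_t *in, size_t n, uint8_t *out, uint16_t key) {
    (void)key;
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ (uint8_t)(i + 4);
    return n;
}

/* b_xor_b_b2E: b_dato[oi] = b_dati[ii] XOR 0x2E */
static size_t b_xor_b_b2E(const uint8_t *in, size_t n, uint8_t *out, uint16_t key) {
    (void)key;
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ 0x2E;
    return n;
}

/* dw_mul_w_wkey: dw_dato[oi] = w_dati[ii] MUL w_key; each little-endian
   16-bit input word becomes a little-endian 32-bit product (key is assumed). */
static size_t dw_mul_w_wkey(const uint8_t *in, size_t n, uint8_t *out, uint16_t key) {
    size_t o = 0;
    for (size_t i = 0; i + 1 < n; i += 2) {
        uint32_t w = (uint32_t)(in[i] | (in[i + 1] << 8)) * key;
        for (int b = 0; b < 4; b++) out[o++] = (uint8_t)(w >> (8 * b));
    }
    return o;
}

/* The table the -a option selects from; the first entry is the default. */
static const struct { const char *name; cyph_fn fn; } algos[] = {
    { "b_xor_b_bindexPb4", b_xor_b_bindexPb4 },
    { "b_xor_b_b2E",       b_xor_b_b2E },
    { "dw_mul_w_wkey",     dw_mul_w_wkey },
};

/* Run the named algorithm (NULL selects the default) over in[]; out[] must
   hold at least 2*n bytes. Returns bytes written, or 0 for an unknown name. */
size_t cypher_run(const char *name, const uint8_t *in, size_t n, uint8_t *out, uint16_t key) {
    if (name == NULL) name = algos[0].name;
    for (size_t i = 0; i < sizeof algos / sizeof algos[0]; i++)
        if (strcmp(name, algos[i].name) == 0) return algos[i].fn(in, n, out, key);
    return 0;
}
```

Both XOR algorithms are their own inverse, which is why the same -a name both encrypts "poc" and decrypts "^AM" in the transcripts.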

TODO:

1- Add support for any type of data and iteration: implement a callback mechanism to iterate the input buffer
in the DLL. It is useful, for example, if you only need to process the data in one iteration. It is also useful when the
iteration depends on the data and you need to control the index into the input data.

2- Improve the code and comments, fix bugs, add a GUI... Improve the ANSI C FileMapper using blocks with fread.

3- ...

Monday 15 December 2008
+
Bypassing Windows hook engines which do not execute the hook handler if the LoaderLock is held: bypass_easyhook.rar
More information:
- http://www.openrce.org/blog/view/1328/Bypassing_windows_hook_engines_which_if_the_LoaderLock_is_held_not_executes_the
- https://www.rootkit.com/blog.php?user=Dreg

+ Bypassing the DLL injection method based on thread injection, or on code injection in any thread different from the main one (in this case): bypass_dllinj_wbti.rar
More information:
- http://www.openrce.org/blog/view/1329/Bypassing_DLL_injection_method_based_in_thread_injection_or_based_in_code_injection_in_any_thread_diferent_to_main_(in_this_case)
- https://www.rootkit.com/blog.php?user=Dreg

Friday 12 December 2008
+
Here is my reverse engineering of the Auxiliary Windows API Library (x86 and x86_64), Release 1.0 (MIT License). This library is useful to avoid deadlocks and other stuff: AuxLib.zip

More information:
- http://www.openrce.org/blog/view/1326/AuxLib_-_Reverse_engineering_of_Auxiliary_Windows_API_Library_(x86_and_x86_64)
- https://www.rootkit.com/blog.php?user=Dreg

Friday 14 November 2008
+
Recommended reading: Applying User-Mode Memory Scanning on Windows NT,
Eric Uday Kumar (Anti-Malware Research). http://ericuday.googlepages.com/EricUdayKumar-VB2008.pdf (Virus Bulletin Conference, October 2008).

PS: Eric Uday Kumar referenced the phook project in the paper :-)

Friday 18 July 2008
+
NetSearch 9 Call For Papers published; the ezine has been reborn with a new staff and a new web site: http://www.netsearch-ezine.org/

Monday 9 June 2008
+
phook 1.0.1 released, with SP3 support for ph_ker32.dll and other things.

Monday 19 May 2008
+
French (UTF-8) translation of the phook article, The PEB Hooker. Translated by _cb^ at arsouyes (http://arsouyes.org/); available in the papers section.

Wednesday 7 May 2008
+
Published the presentation on phook & BuggyBoss (the engine from http://www.phrack.org/ Issue 65) and the automatic malware analyser. The presentation was given at ENISE I (I Spanish Security Industry National Encounter); the demos and video have also been published.

Tuesday 29 April 2008
+
Russian (UTF-8) translation of the phook article, The PEB Hooker. Published at the forum CULT OF RUSSIAN UNDERGROUND by Izg0y (http://coru.in/); available in the papers section.

Monday 14 April 2008
+
Phrack 65 is out; inside you will find a paper written by Juan Carlos Montes Senra (aka [Shearer]) and me (David Reguera Garcia aka Dreg). I've dropped a copy of the article in the papers section, and I've also uploaded the Spanish translation of the article. The paper talks about a method for 'hooking' Windows DLLs using the PEB, and other tools.

Wednesday 27 February 2008
+
English version published of the reversing document on the spyware (web-mediaplayer).

Thursday 21 February 2008
+
New advisory and PoC "exploit" in advisories / exploits.
Advisory: GNU objdump 2.15 [FreeBSD] 2004-05-23 shows:
BFD: BFD 2.15 [FreeBSD] 2004-05-23 internal error, aborting at
/usr/src/gnu/usr.bin/binutils/libbfd/../../../../contrib/binutils/bfd/
elfcode.h line 188 in bfd_elf32_swap_symbol_in
BFD: Please report this bug.
while analyzing a crafted ELF.
Note: this bug (in my opinion) is irrelevant, as the exception is caught by the library's
exception handler. I am reporting it because of the message:
BFD: Please report this bug.
Affected Version:
- GNU objdump 2.15 [FreeBSD] 2004-05-23 [TESTED & FOUND]
- Maybe others.
Affected OS:
- FreeBSD 6.3 [TESTED & FOUND]
- FreeBSD 6.2 [TESTED & FOUND]
- Maybe others.
Discovered By : INTECO-CERT, David Reguera Garcia, david.reguera@inteco.es
POC exploit by : INTECO-CERT, David Reguera Garcia, david.reguera@inteco.es
Remote : NO
Execution of code : NO
Privilege escalation : NO
Report: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/120946

Tuesday 13 February 2008
+
A new section called advisories / exploits has been created, where reverse-engineering
advisories and/or exploits have been added, e.g. the advisory and exploit for ELFdump:

Software : elfdump
Version : 1.12.8.2 2006/01/28 18:40:55
Author : Jake Burkholder <jake@FreeBSD.org>
Remote : NO
Execution of code : NO
Privilege escalation : NO
Discovered by : INTECO-CERT - David Reguera Garcia <david.reguera@inteco.es>
Exploit by : INTECO-CERT - David Reguera Garcia <david.reguera@inteco.es>
Description : When elfdump analyzes an "evil" ELF, the application crashes
with a Segmentation fault: 11
Affected OS:
- FreeBSD:
- 5.5 - TESTED AND FOUND
- 6.2 - TESTED AND FOUND
- 6.3 - TESTED AND FOUND
- Maybe others, the elfdump utility first appeared in FreeBSD 5.0
Report: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/120562

Friday 8 February 2008
+
A dynamic analysis, plus a small reverse engineering of very specific areas, has been done on a
spyware that installed itself as the web-mediaplayer. The spyware we are talking about
was hiding the files it created, hiding its process, etc. The report can be found in
the reversing section, together with the tools. The malware study, the report and the tools have
been made at INTECO-CERT http://cert.inteco.es. The English version of the report is in
progress.

Wednesday 23 January 2008
+
All the enyelkm blog has been translated by delcoyote.
+ Links fixed in the projects section of the English version of the web.

Sunday 20 January 2008
+
The whole website has been translated to English by delcoyote, many thanks. And many
thanks again for translating the analysis of the trojan
BZub.CX into English.

Wednesday 5 December 2007
+ The site has been restructured, merging the ppt and demo sections into one: .ppt

Tuesday 4 December 2007
+
A new section called reversing has been created, where reverse engineering reports
have been added, e.g. the analysis of the BZub.CX trojan. Some add-ons have been attached to
the file: tools to decipher, from the registry, the web pages where phishing is being executed,
etc. The trojan has been analyzed, along with the BHO (Internet Explorer browser extension) it
installs, which captures everything sent with GET or POST methods. It also sends information
about the infected computer. It also injects fields into the HTML, asking for the
information needed to steal bank account details, and also does phishing plus other
things (screenshots ...).

Tuesday 23 October 2007
+ This year the I National Encounter of the Security Industry in Spain (ENISE) will be held
at Leon. It has been designed to be an annual event; the website of the event
is https://1enise.inteco.es/. Just to mention that I will attend the event as a
presenter, presenting an engine that I created with Juan Carlos Montes (aka [Shearer])
and its application to the automated analysis of malware. There will be
comparisons with some of the freeware alternatives. "Technological tendencies in
malware detection":
https://1enise.inteco.es/david-reguera-garcia

+ I will also send an article for Netsearch 9 (NS9). We are preparing NS9: kenshin, oyzzo, sha0, Raise ... and myself. All the best of luck to all the people that participate (obviously not all the contributions will be published). http://www.netsearch-ezine.org/

+ Added to the Curriculum Vitae the papers already written and the upcoming ones.

Monday 24 September 2007
+
The Curriculum Vitae in the about section has been modified and the PDF version has been added.

Sunday 12 August 2007
+
Jointrooter added in the projects section. This tool is for pen-testing routers through
the TELNET protocol (and SSH soon), e.g. Linksys; to do this it uses dictionaries and
a file with the prompts of different models, so to audit more routers we only need to
add new prompts. Currently the database has prompts for ZyXeL, 3Com & Vigor
(but it can detect many more, since many prompts are similar, e.g. ">").
We recommend using it together with the Fast HTTP Auth Scanner, created by
Andres Tarasco and published at http://www.514.es , to be able to audit both the web
portal and the TELNET service.

+
For every downloadable file a link with the text DOWNLOAD has been added.

Tuesday 24 July 2007
+
Bugs fixed in LO/LS/OT_SC+STDEINSU_GV:
- A memory zone was not released (free) when a file is not infected.
- Bug when deleting temporary files in the cleaner, when there are no permissions to
open the file to be cleaned.
- Bug in the scripts: they were in DOS format (wtf!).

+ Captions added in the article on massive infection with LO/LS/OT_SC+STDEINSU_GV.

Saturday 21 July 2007
+
LO/LS/OT_SC+STDEINSU_GV added in the projects section. The tool has been made
to exchange and escalate privileges in GNU/Linux when there are write permissions on
ELF files.

Tuesday 5 June 2007
+ Added email address for contact and work experience in the about section.

+ Added the rest of enyelkm versions.

Saturday 2 June 2007
+ There have been modifications in the sections: projects, notes, ppt. Now it is much
easier to access the contents, thanks to the use of tables and the restructuring of the projects.

+ New version of enyelkm v1.2 has been added.

+ Curriculum Vitae added in the about section.