SuperFish AdWare Found Inside X-Notifier Browser Extension Code.

You probably already heard about SuperFish around the web, an adware that Lenovo pre-installed on its computers since mid-2014. The danger does not reside inside the adware itself, that basically just injects some advertisment inside user web searches, but in the fact that, in order to handle HTTPS search engines ( Google ), it installs a root CA on the computer and replaces every HTTPS certificate sent by the web server with this one, leaving the victim vulnerable to SLL man in the middle attacks.

As soon as I heard the name “SuperFish”, it suddenly was somehow familiar to me … “Where the hell did I hear this name before?”

Read More

Process Introspection for Fun and Profit

While studying Windows internals for my job, I had to deepen my knowledge of executable loading process, including their memory layout, address relocations and so on.
I came accross the PEB ( process environment block ), a data structure ( mostly undocumented ) that NT systems use internally to handle many aspects of a process, including a list of loaded libraries, environment variables, command line arguments, heap informations, TLS slots and so on.
The interesting fact about the PEB is that can be inspected to obtain those informations without the use of any standard API, thus resulting in an interesting technique to detect bad written virtual machines, emulators and any sort of sandboxing that could be used by a malware analyst or an anti virus product.
Moreover you could check the PEB to detect if a DLL has been injected into your process to perform api hooking.
API hooking softwares usually hooks API such as EnumProcessModules and patch them to hide the presence of the injected module. Inspecting the PEB you will be able to perform the same task only analyzing your address space, thus avoiding API patching.

Read More