flat assembler
Message board for the users of flat assembler.

FASMCON 2010
vid
FASMCON 2010 preliminary date is set to Friday to Sunday, 10-12 September. Since Madis is unfortunately unable to organize the event in Tallinn, the place is the same as last year: Slovakia, pension Havlová in Polianka, near Myjava town.

So far, these people are likely to come:
Tomasz Grysztar (with Ender?)
possibly Tom Tobias
Feryno
MazeGen
vid

Anyone else who wishes to come, please contact me (post in this thread, PM on the board, email, IM, ...). For first-timers, travelling to the destination might be a little bit tricky, but we will surely organize some feasible way (as we did last year).

Also, anyone coming, please try to think about giving a talk. So far only Feryno has announced his talk.


Post 12 Jul 2010, 11:03
Feryno
I'll prepare 3 short interactive presentations about various practical uses of a hypervisor (small projects which may be done by small companies or even by a single programmer)

[0] watching running ring3 processes and ring3 threads under win64 by hypervisor and identifying them, stopping all running threads of a given ring3 process using the hypervisor (without the win64 API), dumping the virtual memory of a ring3 process by hypervisor (without win64 APIs) after stopping its threads - ring3 virtual memory as well as the ring0 virtual memory of the process, forcing win64 to map in virtual memory pages which are not yet present in the virtual memory space, stopping all ring3 processes and then dumping the whole physical memory (stopping threads of processes and reading the physical memory is done purely using the hypervisor, without calling any win64 API)
[1] ring3 virtual memory protection / antidebug by hypervisor - based on watching win64 while it switches threads (thread is leaving context - hypervisor encrypts memory; thread is entering context - hypervisor decrypts memory. The result: any alien process like a debugger, memory dumping tool... sees the memory only in encrypted state.)
[2] ring3 debugger based on hypervisor - the debugger is free of calls to the win64 debug subsystem or the win64 memory subsystem (the ring3 debugger uses purely calls to the hypervisor instead of calling win64 debug APIs or win64 memory APIs)

don't expect details on know-how (you may obtain contacts where to ask for them), but expect something like this:
we may prepare interactively some executable targets and explore them by the tools in [0] to see the virtual memory of a process (ring3 as well as the ring0 part of the virtual memory of a ring3 process) and save the dump into files + we force win64 to map in not yet present pages in the virtual memory space (e.g. to fill holes in the virtual memory of a process left by non-present pages of the executable. win64 maps pages only when the executable accesses them - that win64 feature is used to improve executable startup; later the pages are mapped in on the executable's demand)
we will single step instructions in the protected memory [1] by a debugger + we will prepare an executable with encrypted code which will be decrypted by the hypervisor while the executable is running
we intercept some page faults (#PF), debug exceptions (#DB) and breakpoint exceptions (#BP) and do a few single steps / debug register breakpoints / int3 memory breakpoints using the hypervisor based debugger - the process being debugged will be created by CreateProcess without debug flags (thus IsDebuggerPresent will return 0); we may also attach to a running thread, do a few steps and then detach and let the thread run

[0] and [2] are useful for reverse engineers (e.g. antivirus labs)
[1] is attractive for malware writers as well as for fighters against them (don't doom malware writers - a lot of people may thank them for having good jobs in antivirus companies) - so I hope the presentations will be balanced (to help and inspire and satisfy both opposite parties)
Post 13 Jul 2010, 09:12
revolution
Feryno wrote:
[1] ring3 virtual memory protection / antidebug by hypervisor - based on watching win64 while it switches threads (thread is leaving context - hypervisor encrypts memory; thread is entering context - hypervisor decrypts memory. The result: any alien process like a debugger, memory dumping tool... sees the memory only in encrypted state.)
Can this be done more efficiently? Instead of encrypting the memory at each process switch (a time consuming action) just encrypt specifically accessed pages on demand.

I wonder how this interacts with background I/O. Will the OS map in an encrypted page within the context of another process to copy a disc transfer block into there? How could/do you distinguish between the OS background copy action and the foreign process requesting data action?
Post 13 Jul 2010, 09:34
asmfan
Hope it all will be published as a PDF
Post 13 Jul 2010, 12:11
Feryno
The protection is only a concept.
The idea is completely my property, so I can share more details with anybody interested in it.
The efficiency is quite good:
encryption/decryption consumes about 10000 CPU cycles, more powerful encryption will consume more; when a thread runs with decrypted pages it consumes about 10 million CPU cycles per 0.01 second, which I approximate as the common quantum time for a common thread.
I approximate that MS Windows x64 switches not more than about 100 threads per second even in case threads are consuming a lot of CPU time; Windows may switch more threads per second if threads are not too busy.

Here is some info, links, and a poor quality video of how it looks:
http://board.x86asm.net/viewtopic.php?t=625
It is memory protection, but when you single step code in a protected page, the debugger shows you a crazy mess, because when the debugger reads the protected page, the page is encrypted. Single stepping normally changes the instruction pointer; the debugger is only unable to read the page in decrypted state.

I didn't solve the SMP attack yet (still have hangs).
It is still only a concept, I don't know how viable it will be when developing it further.

Surely it may be done more efficiently by e.g. erasing the present bit of the protected page and intercepting the corresponding page faults by the hypervisor.

I just want to demonstrate some new concept of antidebug/memory protection - perhaps there is somebody doing things like this, but I don't know anybody yet. It may be done in Linux without hypervisor intervention, but in a closed-source OS the hypervisor may perform that task very well also.
Post 13 Jul 2010, 12:22
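As an added illustration (not code from this thread and not Feryno's project), here is a small C model of the context-switch hook described in the posts above: the hypervisor is told about every thread switch, decrypts the protected page when the owning thread is scheduled in and encrypts it again when the owner leaves, so any other reader sees ciphertext. It uses a two-CPU scheduler so the SMP case Feryno says is still open can be observed, and it counts encrypt/decrypt passes to show the cost point: only switches that move the protected thread on or off a CPU pay for a pass. The cipher is a placeholder XOR keystream (the thread does not say which cipher is used), the names hv_state, hv_protect, hv_context_switch, page_reads_as and run_scenario are invented for this example, and the page contents are constructed. The present-bit / #PF variant mentioned as a possible optimisation is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the context-switch hook: one protected guest page, a
 * "hypervisor" told about every thread switch on every CPU, and a placeholder
 * XOR keystream in place of the real cipher. All names are invented here. */
#define PAGE_SIZE 4096
#define NCPU      2

struct hv_state {
    uint8_t  page[PAGE_SIZE]; /* protected page as it sits in RAM */
    uint64_t key;             /* held only by the hypervisor */
    int      owner_tid;       /* the one thread allowed to see plaintext */
    int      running[NCPU];   /* thread on each CPU, 0 = idle */
    bool     plaintext;       /* true while the page is decrypted in RAM */
    unsigned crypto_ops;      /* encrypt/decrypt passes paid so far */
};

/* splitmix64-style keystream per 8-byte offset; XOR is its own inverse. */
static void xor_page(uint8_t *page, uint64_t key)
{
    for (size_t off = 0; off < PAGE_SIZE; off += 8) {
        uint64_t z = key + (uint64_t)off * 0x9E3779B97F4A7C15ULL;
        z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
        z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
        z ^= z >> 31;
        for (int j = 0; j < 8; j++)
            page[off + j] ^= (uint8_t)(z >> (8 * j));
    }
}

/* Load plaintext into the page and seal it; nothing is running yet. */
void hv_protect(struct hv_state *hv, int owner_tid, uint64_t key,
                const uint8_t *plain, size_t len)
{
    memset(hv, 0, sizeof *hv);
    memcpy(hv->page, plain, len < PAGE_SIZE ? len : PAGE_SIZE);
    hv->key = key;
    hv->owner_tid = owner_tid;
    xor_page(hv->page, key);
    hv->crypto_ops = 1;
}

/* Hook for "CPU `cpu` now runs thread `new_tid`". The page is plaintext exactly
 * while the owner is on some CPU, so a foreign-to-foreign switch costs nothing. */
void hv_context_switch(struct hv_state *hv, int cpu, int new_tid)
{
    hv->running[cpu] = new_tid;
    bool want_plain = false;
    for (int c = 0; c < NCPU; c++)
        if (hv->running[c] == hv->owner_tid) want_plain = true;
    if (want_plain != hv->plaintext) {
        xor_page(hv->page, hv->key);
        hv->plaintext = want_plain;
        hv->crypto_ops++;
    }
}

/* What any reader of the page (owner, debugger, memory dumper) sees. */
bool page_reads_as(const struct hv_state *hv, const uint8_t *expect, size_t len)
{
    return memcmp(hv->page, expect, len) == 0;
}

/* Constructed sample standing in for the protected code page. */
static const uint8_t sample[] = "mov rax, 1 ; constructed sample, not real code";
enum { OWNER = 1, DEBUGGER = 2, OTHER = 3 };

struct scenario {
    bool sealed_at_rest, plain_for_owner, cipher_for_debugger, smp_observer_sees_plain;
    unsigned ops_after_seal_in_out, ops_after_foreign_switch;
};

struct scenario run_scenario(void)
{
    struct hv_state hv;
    struct scenario s;
    hv_protect(&hv, OWNER, 0xC0FFEE1234567890ULL, sample, sizeof sample);
    s.sealed_at_rest = !page_reads_as(&hv, sample, sizeof sample);
    hv_context_switch(&hv, 0, OWNER);              /* owner in: decrypt */
    s.plain_for_owner = page_reads_as(&hv, sample, sizeof sample);
    hv_context_switch(&hv, 0, DEBUGGER);           /* owner out: encrypt */
    s.cipher_for_debugger = !page_reads_as(&hv, sample, sizeof sample);
    s.ops_after_seal_in_out = hv.crypto_ops;
    hv_context_switch(&hv, 0, OTHER);              /* foreign -> foreign: free */
    s.ops_after_foreign_switch = hv.crypto_ops;
    /* The SMP case the post leaves open: the owner on CPU 0 keeps the page
     * decrypted, and a debugger scheduled on CPU 1 reads it as is. */
    hv_context_switch(&hv, 0, OWNER);
    hv_context_switch(&hv, 1, DEBUGGER);
    s.smp_observer_sees_plain = page_reads_as(&hv, sample, sizeof sample);
    return s;
}
```

run_scenario() returns the six observations; call it from a main of your own to print them. The sequence seal, owner in, owner out costs three passes, the later switch between two foreign threads costs none, and the last two switches show why "SMP" is the hard part: as long as the owner is on any CPU the page must be plaintext, so a reader on another CPU gets it for free unless the hypervisor also traps that access (for instance with the present-bit trick Feryno mentions).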
Tomasz Grysztar
Yes, Ender and I both plan to come again. I don't plan any presentation this year, though.
Post 13 Jul 2010, 12:29
edemko
Are you meeting to get drunk?
There is a forum where you can talk about the topics mentioned.
Post 13 Jul 2010, 14:11
revolution
Feryno wrote:
the efficiency is quite good:
encryption/decryption consumes about 10000 CPU cycles, more powerful encryption will consume more, ...
Okay, for a small application it might not be perceivable. But for an app using 1GB+ I expect you will have performance "difficulties".
Post 13 Jul 2010, 14:15
Feryno
Quote:
Okay, for a small application it might not be perceivable. But for an app using 1GB+ I expect you will have performance "difficulties".

There is no need to encrypt the whole virtual memory of the process; typically it is enough to protect only a few pages (e.g. 1-2 pages of code and 1-2 pages of stack when executing the code in the protected page).
Every asm programmer is able to put critical code into 1-2 memory pages (4-8 kB).
The performance penalty should be visible when protecting MB or even GB of data - like video streams etc... - but such protection may be done in another way (a strong encryption algorithm).
Post 14 Jul 2010, 07:14
edemko
Hi, I'm a big lalala but take as more photos as you can please :)
I'd like viewing.
Post 08 Aug 2010, 11:50
vid
Quote:
Hi, I'm a big lalala but take as more photos as you can please

Is that "more photos than you please" or "as many photos as you please"? Because the ideal amount for me is zero :)

Do you plan to attend?
Post 08 Aug 2010, 22:16
edemko
Unsure ambiguity, sorry.
I was asking you/someone else to take moment photos.
No attending plans: too young, too far (being there would not: too young). Still I'd chase you behind.
The way Europeans/etc spend money kills me. Joke.
I'm a minimalist though my mother(itch) scolds me putting money for the tramps. I hate money-slavery - people hate me.
Minds aloud.
Your library @vid: it's raw but helps.
New topic is to be created.
Your(all) presentations on There: you could use video charts or upload those as links to see those here.
This time I cannot understand the nearness you are all feeling to do that.
Post 08 Aug 2010, 23:07
Tyler
Wait... you're too young to travel to Slovakia, but you're old enough to hire prostitutes!?
Post 08 Aug 2010, 23:16
edemko
Quote:
but you're old enough to hire prostitutes!

Quote:
This time I cannot understand the nearness you are all feeling to do that.
Post 09 Aug 2010, 00:13
vid
edemko wrote:
The way Europeans/etc spend money kills me. Joke.

Interesting... Ukrainians don't count as "Europeans/etc"? Don't worry though, things do change when you start making your own money, and given you are the kind of guy who studies coding in his spare time, there is a good chance you will earn well. ;)

By the way, FASMCON in Polianka is a relatively cheap event in itself (e.g. lodging will cost 20 EUR for the entire weekend in a very nice guest house), but the travelling expenses are indeed astronomical :(

Quote:
Your library @vid: it's raw but helps.

To be honest, "raw" is one of the few descriptions I wouldn't have expected :D. Many asm-minded (read that quickly & aloud 3 times over!) would consider it "not raw enough". But if you meant "raw" as in "unfinished", then I agree completely.

Quote:
Your(all) presentations on There: you could use video charts or upload those as links to see those here.

If you mean a realtime video stream, we tried that, and we found it quite hard interacting with both real-world and online people at the same time. So we just stick to the good old ice-age way of putting video online after the event. And it also gives you better censorship options :D


Post 09 Aug 2010, 06:52
vid
Tyler wrote:
Wait... you're too young to travel to Slovakia, but you're old enough to hire prostitutes!?

Is there some minimum age requirement for hiring a prostitute? You know, this might be a matter of cash, not age.
Post 09 Aug 2010, 06:57
Tyler
vid wrote:
Is there some minimum age requirement for hiring a prostitute? You know, this might be a matter of cash, not age.
I've never been told I'm too young...
Post 09 Aug 2010, 09:00
revolution
What happened?
Post 25 Sep 2010, 13:41
guignol
Meaning?
Post 25 Sep 2010, 15:49
Tyler
Meaning the FASMCON was 2 weeks ago, and there's no update as to how it went.
Post 25 Sep 2010, 17:29
Copyright © 1999-2020, Tomasz Grysztar.