Thursday, September 29, 2011

Building Binary from multiple C files: Using custom header, accessing variables across multiple .c files

One of my friend requested me to add basic stuff related to C programming. Initially when I started coding I was skeptical using custom header files, using same variable in different .c files and building binary from multiple C files. This post probably clears all those doubts.

Below shapshot shows content in header file (praveen.h) and code in different C files (sharedvar1.c, sharedvar2.c).

Below snapshot shows how to compile multiple C files to create a single binary and also output of the program.


Also we have learned how to access single variable across multiple files.
Hope this might have helped from someone somewhere :) !!!

Thursday, September 8, 2011

Malicious PDF: Portable Document Files Compresion/Encoding/Obfuscation

Malicious PDF's has increased manifold which are used to infect computers with Malware of execute code when PDF files are opened. We will see various ways how javascript embedded within PDF's can be compressed or encoded to evade detection by IDS/IPS and Anti Virus. Normally many PDF Parsers crash while analyzing the malicious/malformed file but Adobe reader successfully opens the file which leads to infection.

Below is the malicious PDF file viewed in text editor.



PDF Parsers might have issues in analyzing following abnormal files:
1. Portable Document File Format does not strictly abide to its specification.
2. PDF Version might be malformed (NULL value, incomplete value etc) (can see in above pic)
3. May not contain endobj or endstream (atleast one string should be present within an object)
4. May not contain xref table
5. Names may be Encoded (/JavaScript as /J#61vaScript).
6. No %%EOF header
7. There might be multiple %%EOF headers or trailer’s  indicating incremental updates.
8. PDF embedded within other PDF (same object numbers in a single file).
9. Different types of Evasions/ Encoding can be found at

Different Encoding/Compressions Filter types are
/FlateDecode
/ASCIIHexDecode
/ASCII85Decode
/JBIG2Decode
/LZWDecode
/RunLengthDecode
/SCIIHexDecode, 
/CCITTFaxDecode
/DCTDecode
/JPXDecode
This might not be the full list of Filters (not sure) .

Below snapshot shows highly obfuscated  PDF file



Good articles related to PDF's can be found at

For quick analysis of a PDF file you can upload to
http://wepawet.cs.ucsb.edu/

Live malicious PDF files can be found at
http://filex.jeek.org/archive_PDF.zip
Please do not open files in the archive with any of the PDF readers.

Following articles might be of your interest
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html
http://darshanams.blogspot.in/2010/09/forensics-1-extracting-image.html
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html

Comments are most welcome :) !!!

Saturday, July 23, 2011

Message Queues- An Introduction

Processes can exchange messages using Message Queues. Sending process message is saved in a queue, Receiving process reads the message from queue.

Below program sends message to queue.


Below snapshot is the code for receiving process which reads message from queue.


Compiling msg_snd.c:
#gcc msg_snd.c -o msg_snd

Compiling msg_recv.c:
#gcc msg_recv.c -o msg_recv

Output:
Snapshot below

To check the state of Message Queues run ipcs -q command.

Pointers:
1. Include headers
         sys/types.h
         sys/ipc.h
         sys/msg.h
2.  msgq_id (message id) is an arbitrary number of type int generated by msgget() which should be passed as parameter/argument to msgsnd(), msgrcv()
msgq_id can also be generated using ftok()
3. key (key_t is of type int) is another arbitrary number. Same key value must be passed as parameter/argument to msgsnd() and msgrcv().
4. Message Type (mtype) is another arbitrary number. Same mtype should be passed as parameter/argument to msgsnd(), msgrcv()
5. mtype is passed as struct mbuf argument to msgsnd(), and long type to msgrcv()
6. for man page of any API run man command e.g.
        man 2 msgsnd
        man ipcs

This is pretty high-level overview of Message Queues.
Feel free to drop a comment.

Other articles on C language
http://darshanams.blogspot.in/2011/09/building-single-binary-from-multiple-c.html
http://darshanams.blogspot.in/2012/01/endianness-different-processors.html

Saturday, May 7, 2011

Snort: Logging Alerts to Syslog Server

Life is so busy. It's been pretty long since my last post. Well coming to the post :) ...

We will get into configuration details of Syslog and Snort to log our alerts into Kiwi Syslog Server.

Add the following line to Snort configuration file
 output alert_syslog: host=172.16.232.161:514, LOG_AUTH LOG_ALERT
Snort configuration file can be found at
                 /etc/snort/snort.conf
In my case Snort is running on 3.3.3.9 on eth1 and eth0 is assigned with 172.16.232.171 IP which talks with Syslog Server.

Following command is used to run Snort
 snort -c /etc/snort/snort.conf -i eth1
-c    provide snort configuration file path
-i     interface on which Snort is sniffing the traffic

Output shown in above figure is seen when the Snort command is successful.

Modify syslog configuration file
                 /etc/rsyslog.conf
by adding line
*.*                                                     @172.16.232.161:514
where 172.16.232.161 is the Syslog Server IP Address and UDP/514 is the port on which it is listening.
*.* says log all types of alerts.

To make sure that Syslog Server is running on UDP/514 port uncomment below lines in the configuration file
$ModLoad imudp.so
$UDPServerRun 514
Above lines are commented by default.

Once the modified configuration is saved restart the Syslog daemon
 /etc/rc.d/init.d/rsyslog restart

Make sure to stop firewall or add rule to allow traffic on UDP/514 port.

When we send malicious payload or replay PCAP with malicious traffic on the interface where snort is running, we can see alerts in our Kiwi Syslog Server which is installed on Windows XP machine (172.16.232.161).

Below is the Packet Capture format when Snort sends alerts to Syslog Server.

Refer Snort Manual and/or Snort FAQ for further details.

For Snort Preprocessors you can refer below link
http://darshanams.blogspot.in/2010/06/snort-preprocessors-and-alerts.html

Hope this will help someone somewhere.

Following articles might be of your interest
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html
http://darshanams.blogspot.in/2011/09/portable-document-files.html
http://darshanams.blogspot.in/2010/09/forensics-1-extracting-image.html

Enjoy :) !!!