You are browsing the archive for Puzzles.

Bits about People Management, and Team Building for IT Sec teams

November 15, 2018 in People Management, Preaching, Puzzles

Over years I had a privilege of managing a number of teams at different companies. While the feedback I get from my old reports is typically positive, I only hear it from people who are happy to maintain a friendship with me after our professional paths split. So, while this pleasant availability error could put me on a  pedestal of people management… the reality could be as well that I totally suck at it. Who knows?

People Management is hard.

People often ask: how to get better at people management, especially in a technical world?

I think the question like this is a premature one.

First of all, people management s not for everyone. And IMHO most of technical people should not be doing it, unless they have a real call for it. Seriously. No hurt feelings, but just no. Individual contributor can climb the corporate ladder too and very high, with no burden of ‘having to deal with reports’.

Also, not every manager position is good for every people manager, yes, even a good one, one that ‘delivers’. Some people managers find themselves performing better with younger teams, because they can ‘energize’ them, mentor them and empathize with their struggles during these first years of a professional career. Others will find such tasks daunting as they just want to get stuff done. Quickly. Such people managers will work very well with a well-developed, and often older, more experienced team. Let’s be honest, they are actually more Project Managers than People Managers. It is a HUGE difference. Directing multiple and multi-level teams is a completely different game as well.

So, how to get better at it?

It is still a premature question.

Do you know why you are there? What are your powers and responsibilities?

I didn’t know when I became one. It escalated quickly, because as a technical person I had to suddenly have a lot of 1:1 with individuals. And I am not too social. But I know my reports are not either. So that helps. We are sitting there barely looking at each other and we are both getting better at it.

Still… such a new experience, cuz… we no longer talk binary. We talk about life. Mainly their life and aspirations. And this is one of the reasons why people management can be very tough, mentally; you really need to deal with your employees’ personal life, and understand their circumstances. Very technically ‘non-sexy’. And when it gets ugly for some reason it is something that a regular employee typically deals with on a ‘office gossip’ level. And usually ‘after the fact’ , while a people manager hears first hand and has to think on his/her feet pretty quickly. Other than the usual admin work (and there is plenty!), s/he encounters cases of personal tragedies, unexpected life circumstances, new&better, or ruined futures, sudden departures, hassles with req approvals, HR and legal involvement in some cases, and not only exciting hiring process, but also laying off. Not fun. And there are metrics to maintain too 😉

So, how to get better at it?

Practice. Do not treat people like reports. Treat them as your SMEs. Empower to speak, shut up and listen and then discuss, in the end be _decisive_. Keep your promises, or tell your side of a story to give the context if you can’t. Be HONEST. It goes a long way. And IMHO nothing kills technical people more than a corporate jargon. So, there you have it.

But… that’s not all…

Managers are often tasked with organizing team events. If they are lucky to have some ‘people person’ on the team it’s easy to delegate. If not, you just need to deliver on your own…

And now, after such a long intro tirade it:

  1. … actually gives me an excuse to write some more about people management in the future
  2. … is time to bring up the topic that I actually want to talk about today!

I love puzzles and riddles. Not all of them, but… since I was a kid I was always a big fan of crosswords, any sort of word plays (anagrams, palindromes, homonyms, etc.), pun games of any sort, “Weird Al” Yankovic and –wannabe songs, as well as mechanical puzzles (if you never heard of Hanayama, please drop everything and look it up, like… right now).

Recently, I had a chance to play the escape room game.

While it was something I heard of before, I had a very incorrect perception of what it is. I don’t watch too much TV in last 15 years, never really played MUDs, and not that many board or card games, plus never bothered to actually look it up to correct this wrong perception so… mea culpa. For some, more or less biased reason, anytime I thought of it I had the mix of a Survivor, ‘panic room’, Houdini escapes, and Fort Boyard games in my mind (again, I don’t watch TV, but have a vague idea of what these TV shows are or were). Since I assumed it includes some cheezy role-playing, lots of muscle work in closed tight spaces,  plus I am cynical and bit claustrophobic I simply stayed away from it.

What a strategic mistake…

Playing the game for the first time I realized that I was totally wrong about what it is + I actually really liked it. In case you don’t have a clue what it is about, perhaps this post will make it easier for you to try…

The escape room is basically a room full of puzzles.

Whatever the escape room game setup is… doesn’t really matter. You get some intro story that sets you up in the escapist mood (oh man, it is actually a bit of a cheezy role-playing after all!), and the narrative of what happens next. You will get some vague instruction and… off you go. And of course, you are in the room or rooms and you can walk out anytime you like.

You and your buddies may get a few props. It can be a treasure chest, a cryptex, a map, a puzzle pieces that need to be put together, a key or a clue hidden inside a mechanical puzzle, a word riddle, a bunch of mathematical equations that need a solution, sometimes may have a few, pieces of wood, metal with some magic symbols on it, and plenty of red herrings, as well. You may need to write things down, search the room for clues, and use your detective and investigative skills.

The props may be ‘HarryPotterized’ or otherwise ‘alchemized’ and ‘mystified’; while their role is to fit the narrative and help setup the mood+actually give you the riddles to solve, it’s actually pretty cool to see them having the ‘look and feel’ that makes them more ‘real’, and aligned with a particular story play. Some may include ‘burnt’, crumpled, stained  sheets of papers with various types of riddles, 3d-puzzles, mazes, cryptogames, substitution ciphers, riddles hidden in poems, etc.. Some may use a different medium. I am intentionally writing about in a generic way, because the less you know about it, the better it is when you have to solve things on the spot!

The common denominator is that the whole experience relies on solving puzzles. No muscle work, no confined spaces, no holding your breath under water for extended periods of times, no crocs, no magic tricks. There is also an element of time pressure, some ad hoc challenges for your team, and really surprising collaboration that you will encounter during this puzzle solving experience.

The last bit is especially interesting to me as a people manager, because my skepticism towards team building activities is usually pretty high. Participating in the escape room game actually changed my opinion about it. Probably for the first time I felt it was a team building experience that is almost by design aiming at your regular IT SEC person, and not a sales guy, an HR person or C-level guys. No off roads, no shooting ranges, no golf, no Disney world, no go-go clubs, no gambling, no alcohol, no karaoke singing, no dry presentation quizzes, no motivational training and shpiels, no human knots, etc. Maybe I am in minority, but these don’t speak to me at all. I find these pretty irritating, to be honest. (and okay, I lied a bit, some alcohol is ok 😉

But… puzzle solving ?

YES!

And then comes the collaboration element:

  1. you will see natural leaders, or alphas at work; there may be actually a few of them, and also quite naturally all of them moving places, positions of influence as the game progresses; it’s definitely not democratic at all, there is a bit of an internal competition, but it shows the strengths of each temporary leader emerging for a moment as a Subject Matter Expert; it’s pretty cool to observe; it is a moment of empowerment for everyone
  2. you will realize that while you are good at some puzzles, other guys are good at puzzles you don’t have a clue about! this is a very nice, humble lesson; probably the best part of it really; you may be caught off-guard when you notice some of the coworkers you know not that much about actually killing it; yes, THEY TOO, same as you, if no more, DO have IT in them; mutual respect grows this way quickly
  3. the collaboration, even with complete strangers, is actually possible; you will form small teams organically; they will rise and they will die down quickly, but it does build that ‘solving problem together’ atmosphere which is very rewarding, especially if your mini-team solves the puzzle and gets the whole team that one more step closer to the final riddle; it is to be expected that next time you meet the ‘stranger’, s/he is no stranger at all, you will have a great memory to share (no ice breakers needed!)
  4. solving problems together gets both very creative and dumb – depends on the puzzle, and overall progress of the game; you will get stuck, go back, regroup, rebuild mini-teams, and the solutions will appear; pretty cool demo of testing solving problems in pairs, triplets, fours: some of them don’t work & some deliver beyond expectations; and lots of laughs and head scratching
  5. cheating is an art form – you need to quickly develop the per-game skill and hide it from opposing teams and escape room ‘guides’ 😉 yes, you need to cheat by all means (but not by googling the answers; more by changing the odds of the game to your favor – again, I won’t cover in detail not to spoil anything to anyone)

Overall, building teams is a really hard work; there are conferences (quite a passive interaction), the gamut of HR-driven activities I partially described above (usually not attractive to naturally introspective individuals, let alone imposter syndrome badge holders), there are very active technical CTF exercises, but these are not for everyone either (the bar is typically set at least ‘high’+it’s almost like work since you get stuck at the computer for many hours), and then there is an opportunity to go out, meet in a strange new place, and together solve the puzzles… of an escape room. And that’s probably the best way to build the team – escape the room/office/cubicle and… together solve problems. That human interaction is not imposed on anyone. It just happens and it’s great to watch and participate in.

p.s. one may argue there always individuals who love some of the ‘other’ activities I listed; I can see that of course and not arguing to completely abandon it; I am also aware that I have a very subjective view that is based on years of participating in various activities that were supposed to build a team, but imho failed miserably due to managers not understanding what makes the audience ‘kick’. Perhaps an anonymous poll is a good way to choose what clusters of reports like? perhaps there is a need to have all these different activities at some time to keep everyone happy? I really don’t know. This is a moving target and people managers have to keep up. I know I just like puzzles, and I hope you and your team do too.

Curious case of the conhost.exe and condrv.sys

April 1, 2018 in Puzzles, Reversing

Update

After I posted the question to Twitter, Alex Ionescu (god of NT kernel internals, for those who don’t know) suggested that it could be an export by ordinal from the ntoskrnl.exe. It was not the case in this scenario, but it’s a very good direction for investigation and I didn’t think of it when I encountered the issue.

Following on that lead I dug deeper. Further inspection of the condrv.sys driver confirmed that at least 2 functions from ntoskrnl.exe are imported by the ordinal (0x0001, and 0x0002):

->Import Table
 1. ImageImportDescriptor:
 OriginalFirstThunk: 0x0000A1AC
 TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
 ForwarderChain: 0x00000000
 Name: 0x0000AA04 ("ntoskrnl.exe")
 FirstThunk: 0x00002088

Ordinal/Hint API name
 ------------ ---------------------------------------
 0x00FF "ExReleasePushLockExclusiveEx"


 0x0002  <------- import by ordinal
 0x05C1 "ObCloseHandle"
 0x067F "PsGetProcessImageFileName"
 0x0001  <------- import by ordinal

so Alex’s explanation points us in a right direction, except the issue is the import table of condrv.sys, not the export table of ntoskrnl.exe; IDA somehow assumes the names of the ‘guessed’ service functions based on the ordinals and does it wrongly – this is what causes confusion and ends up with us staring at an incorrect disassembly.

Old Post

A few months back I came up with an idea to find out how the conhost.exe process is spawn by the OS to co-exist with pretty much every single console applications on the system.

I theorized that if I find out how it is spawn, I may be able to possibly influence this process and make it behave differently from the expected (wishful thinking that perhaps I could find a way to run this process anytime I want and hijack it for e.g. process hollowing or sth along these lines).

After looking at the code of the AllocConsole function (which is a prime suspect here as it allocates consoles after all), I eventually landed in the code that calls NtDeviceIoControlFile with the IOCTL 0x500037.

Quick google search followed and I re-visited an excellent posts from FireEye:

where the very same conhost.exe spawning mechanism is also described, although briefly.

So, there is a way to launch a conhost.exe process bypassing all the WinExec/ShellExecute/ShellExecuteEx/CreateProcess/CreateProcessInternal/etc. API layer. Still, there is no easy way to obtain the handle to that process so the malware that would try to use it would still need to find that process and hijack it. It looks like OS designers took the malicious bit into account and made it a bit harder for the coders to abuse it.

The reason for this post is not the mechanism itself, but the curious issue I encountered while analysing the condrv.sys driver. It is the driver that actually receives the IOCTL 0x500037 and processes it, calling the ZwCreateUserProcess routine in the end, at least, this is my working hypothesis at the moment.

Why hypothesis?

When you analyze the the driver w/o symbols, the system routine the driver calls to launch conhost.exe is not ZwCreateUserProcess, but ExAcquireRundownProtection. A very strange choice. It is only applying the .pdb file to IDA will allow to map that call to ZwCreateUserProcess. Could it be an intentional way to obfuscate the calls? Or, am I missing something? I will admit my kernel mode analysis skills are really rusty.

Ideas, anyone?

This is what I see inside the condrv.sys without symbols (see that 2nd functions):

and with symbols: