Where all the Cyber Tooth Fairies go?

Posted on by

One of my favorite TV Series is Dexter. Early seasons were so-so, focused on a cheap thrill, lame TV that you can see all over the place. As the series progress though we observe a shift in the narrative and we witness a true character of the main protagonist developing in front of our eyes. Dexter’s inner thoughts are full of curiosity, inquisitive reflections on life and it’s hard not to relate. We all try to fit in and be a part of it, whatever that ‘IT’ is.

So far I watched the series twice and I know I will come back to it.

One of my fav parts of the series is the history of the Tooth Fairy Killer. Walter Kenny is in his 70s when he is introduced to the audience, and due to his serial killing activities he becomes one of Dexter’s targets. Tooth Fairy Killer’s character is very interesting, because… he is way past his prime, he never got caught and … he is a somehow lonely, old, yet still arrogant individual.

When we swap ‘killer’ with ‘cyber’ we bring this post back to our infosec world.

What happens or will happen to us, aging ‘serial cybers’?

I don’t know. We don’t hear much from cyber people who already retired and are either enjoying their Autumn years, or became wealthy quickly enough that working is no longer necessary and they can focus on hobbies, angel investment, whatever. Then there are these not so happily-ever after retired – these who we end up hearing about on the news or through a grapevine. And it is not surprising to find out that many of these we hear of commit suicide, end up imprisoned, or live bigger life than themselves.

How many of us will end up there?

Putting difficult, and somehow inevitable mental health and medical issues associated with aging aside, what is that we want to do at the age of 70? Will we still work thinking we are saving the world from the cyber crime? What if futuristic laws and protocols make the cybercrime almost obsolete? And if not, will we still care? Will we still hold true and honest the ideals from our 20s? Or, worse, will we become victims of some sophisticated future social engineering tricks that will target us – the elderly? Again, I don’t know the answer. I am not that old yet, yet the questions like this start popping up in my head as I am getting older.

Our industry expanded so quickly that it’s impossible to keep up. It’s now mandatory to specialize. The good ol’ corporate entered the game and we are being institutionalized like any other company department. Is the anniversary watch we get as we retire the only prize for all these efforts, all-nighters and opinions we so eagerly shared with others over these early cyber years?

Maybe it is a price of being in the industry that very quickly goes through stages of maturity. From random, opportunistic to systematic, managed. Very rapidly. There is a final stage of cyber process already emerging today. I expect that in the next few years most of the ‘really’ technical jobs in cyber will move and gravitate around specialized vendors – these providing classification, automation, orchestration or whatever you call it, and providing value derives from frameworks like Mitre Att&ck.

Forget manually crafted super-timelines, inspections of systems, bit-to-bit imaging, and file format analysis. Forget manual malware analysis. Not only OS/Cloud telemetry and forensic/sandboxing capabilities will be provided out of the box, but they will be easy to use, already built-in and the DFIR/RCE hacking as we know will be over. Plus, more and more zerotrust-ish, docker-ish stuff, logs that can be actually used, and finally more and more reliable MFA.

So, where do we land? Working for vendors is an easy answer. Client-side IT Security efforts coordinators aka security vendor managers is another. Security advisors? Security consultants? Table Top exercise coordinators? Teachers at uni?

Or.. perhaps cyber is here to stay for another 100 years ? And maybe, hopefully… Cyber Tooth Fairies is only the problem of the bad guys? Because… there is always something ‘for the benefit of good’ to do?

Memory buffers for… initiated, part 2 – Frida(y) edition

Posted on by

In my last post I boasted about my tool that could dump memory blocks that included plain vanilla perl, or .bat code obfuscated using a number of ‘2exe’ converters. Boasting is fun, but what about trying to share the actual tool instead?

While I can’t share the tool, I can do better — in this short post I will prototype 2 Frida handlers to do the job for me and since their code is available you can not only adjust it to your needs, but also copy the ideas presented and use it to hook & dump buffers of other APIs.

I am not very well versed in modern JavaScript, I used to code in it for a living at some stage in my past, but things changed so much since that I am basically a JavaScript noob. Secondly, I am also a Frida noob. Hence, the code I am going to present you is not top notch. Still, better some than none 🙂

In my original tool I was injecting a code into a monitored process; that code would then hook RtlFreeHeap function and the hook would make a call to RtlSizeHeap at the time of memory freeing. I needed the latter to obtain the size of the memory dump I wanted to save to a file.

With Frida, I took a simpler approach. I hook RtlAllocateHeap and anytime it is called I store the returned memory address and its requested size in an internal buffer. When RtlFreeHeap is called, I simply do a lookup in a table and obtain the size from there. If the size is larger than 1MB I just truncate the buffer to 1MB. Simple, and seems to work. Note that resizing of memory blocks is not supported and will break things.

That’s it really. All you have to do is to drop these 2 handlers in __handlers__\NtDll.dll\ and run: 

frida-trace -i RtlFreeHeap -i RtlAllocateHeap -f <exe>

The heap buffers will be stored in a heap_buffers.bin file.

Since I referred to rfc.exe in my previous article, let’s have a look how the tool works with this .exe — reviewing the content of heap_buffers.bin we can see:

Not bad.

The code of both handlers is here.

See part 3 here.