Monday, May 31, 2010

Forcing Block Devices to Re-Read Partitions Using IOCTL

Got a block device driver in a module that stubbornly refuses to produce the partition devices under it in Linux? (Looking at you, NBD..) The block layer reads a disk's partition table when the disk is first opened; an nbd device exists before anything is attached to it, so that first scan finds nothing and nothing asks again. BLKRRPART asks again.


#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mount.h>   /* glibc exposes BLKRRPART here on Linux */
#include <unistd.h>

int main( int argc, char** argv ){
    if( argc != 2 ){ fprintf( stderr, "usage: %s /dev/nbd0\n", argv[0] ); return 1; }
    int f = open( argv[1], O_RDONLY );   /* open() returns -1 on failure, not 0 */
    if( f < 0 ){ perror( "open" ); return 2; }
    /* ask the block layer to drop and re-scan the partition table */
    int rc = ioctl( f, BLKRRPART );
    if( rc < 0 ) perror( "ioctl(BLKRRPART)" );
    close( f );
    return rc < 0 ? 3 : 0;
}


That, or you could just sleep for a while, polling for the existence of /dev/nbdXpX -- but I am an impatient bastard.. Three things to know before reaching for this: blockdev --rereadpt sends the same ioctl if you would rather not compile anything; the kernel refuses it with EBUSY while any partition on the device is mounted or held open; and for nbd it only helps if the module was loaded with max_part set, because the default of zero allocates no partition minors at all.
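A fuller version of the same idea, added here as an example rather than code from the original post: it issues BLKRRPART, retries on EBUSY, and then polls for the partition node with a bound, which is the sleep-and-check alternative above done properly. The names reread_partitions and wait_for_node, the retry counts and timeouts, and the /dev/nbd0 and /dev/nbd0p1 arguments in the usage text are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>   /* BLKRRPART; glibc exposes it here on Linux */
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Sleep for ms milliseconds. */
static void sleep_ms(int ms)
{
    struct timespec ts;
    ts.tv_sec  = ms / 1000;
    ts.tv_nsec = (long)(ms % 1000) * 1000000L;
    nanosleep(&ts, NULL);
}

/* Ask the block layer to re-read the partition table of dev.
 * The kernel refuses with EBUSY while a partition on the device is mounted
 * or otherwise held open, which is common right after an umount, so retry
 * up to `attempts` times with a short pause. Returns 0 on success and -1
 * on failure with errno set (ENOENT: no such node, ENOTTY: not a block
 * device, EBUSY: still in use after all attempts). */
int reread_partitions(const char *dev, int attempts)
{
    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;

    int rc = -1;
    for (int i = 0; i < attempts; i++) {
        rc = ioctl(fd, BLKRRPART);
        if (rc == 0 || errno != EBUSY)
            break;
        sleep_ms(200);
    }
    int saved = errno;       /* close() must not clobber the ioctl's errno */
    close(fd);
    errno = saved;
    return rc == 0 ? 0 : -1;
}

/* Poll until path exists or timeout_ms elapses. The device node is created
 * asynchronously (udev or devtmpfs) after the rescan, so a successful
 * BLKRRPART does not mean /dev/nbd0p1 is there yet. Returns 0 once the
 * node exists, -1 with errno = ETIMEDOUT otherwise. */
int wait_for_node(const char *path, int timeout_ms)
{
    struct stat st;
    int waited = 0;
    for (;;) {
        if (stat(path, &st) == 0)
            return 0;
        if (waited >= timeout_ms) {
            errno = ETIMEDOUT;
            return -1;
        }
        sleep_ms(50);
        waited += 50;
    }
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <block device> <partition node>\n"
                        "  e.g. %s /dev/nbd0 /dev/nbd0p1\n", argv[0], argv[0]);
        return 1;
    }
    if (reread_partitions(argv[1], 5) < 0) {
        fprintf(stderr, "BLKRRPART on %s: %s\n", argv[1], strerror(errno));
        return 2;
    }
    if (wait_for_node(argv[2], 5000) < 0) {
        fprintf(stderr, "%s did not show up within 5 seconds\n", argv[2]);
        return 3;
    }
    printf("%s is ready\n", argv[2]);
    return 0;
}
```

Run it as root (or with CAP_SYS_ADMIN) against the whole-disk node, never the partition node; BLKRRPART on a partition device is refused.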

Wednesday, May 5, 2010

Tactical Use of Symbolic Links in Code Review

Need an index of every file that contains a given regex, nice and neat, for review purposes? (Like, cough, strcpy?)
find . -type f -exec grep -l strcpy {} + | sed "s:^\./:$PWD/:" > STRCPY_INDEX
mkdir -p STRCPY
ln -sf $(cat STRCPY_INDEX) STRCPY
Two things to watch. The substitution has to put the slash back: s:^./:$PWD: turns ./foo.c into /home/scottfoo.c. And ln -sf keys on basename alone, so net/parse.c and util/parse.c collapse into one link and the second silently wins; paths with whitespace break the $(cat ...) expansion as well.
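The same trick with the two problems above handled, added here as an example and not part of the original post: one symlink per match, named by the path relative to the tree root with slashes rewritten, so same-basename files from different directories both survive and the listing sorts by directory. The function names index_matches and make_sample_tree, the OUTDIR.index naming and the three-file tree it is demonstrated on are this example's own constructions.

```sh
#!/bin/sh
# index_matches DIR PATTERN OUTDIR
#   Greps every regular file under DIR for extended regex PATTERN, writes the
#   absolute path of each match to OUTDIR.index, and fills OUTDIR/ with one
#   symlink per match. The link name is the path relative to DIR with '/'
#   rewritten to '__', so net/parse.c and util/parse.c get distinct links
#   instead of the second silently replacing the first under ln -sf, and
#   whitespace in paths is handled. Prints the number of matches.
index_matches() {
    dir=$(cd "$1" && pwd) || return 1
    pattern=$2
    out=$3
    mkdir -p "$out" || return 1
    : > "$out.index"
    find "$dir" -type f -exec grep -lE -- "$pattern" {} + | sort |
    while IFS= read -r path; do
        printf '%s\n' "$path" >> "$out.index"
        rel=${path#"$dir"/}
        ln -sf "$path" "$out/$(printf '%s\n' "$rel" | sed 's:/:__:g')"
    done
    wc -l < "$out.index" | tr -d ' '
}

# make_sample_tree: constructed three-file tree (not a real code base) in a
# fresh temp dir; prints its path. Two files call strcpy and share a basename,
# the third uses strncpy and must stay out of the index.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src/net" "$t/src/util"
    printf 'void f(char *d, const char *s) { strcpy(d, s); }\n'     > "$t/src/net/parse.c"
    printf 'void g(char *d, const char *s) { strcpy(d, s); }\n'     > "$t/src/util/parse.c"
    printf 'void h(char *d, const char *s) { strncpy(d, s, 7); }\n' > "$t/src/util/io.c"
    printf '%s\n' "$t"
}

# Stand-alone demo. The regex wants a call, not a comment that merely says strcpy.
tree=$(make_sample_tree)
echo "matches: $(index_matches "$tree/src" 'strcpy[[:space:]]*\(' "$tree/STRCPY")"
ls -l "$tree/STRCPY"
```

On a real tree you would point it at the checkout root and at a pattern covering the whole family (str\(cpy\|cat\), sprintf, gets) and then open the STRCPY directory in the One True Editor; the index file is what you diff against after the next drop to see which hits are new.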

Monday, May 3, 2010

More Fun With the Malware Analysis Environment (MalNet)

Last fall I put together a LiveCD to support Wes Brown's Malware Analysis Workshop at Hack in the Box Malaysia 2009 using Debian, a lot of baling wire, and some duct tape. The disc has attracted some attention, especially at B-Sides, but is not distributable for several reasons:
  • It is a sealed box; any updates you make disappear when someone pushes the pretty red button.

  • It requires a Windows Virtual Machine; no, we cannot give you ours.

  • If Debian Stable did not like your video card, neither did our LiveCD.

  • Ditto for your network card. Well, triple for your network card. Who in the audience did not bring a 3c905-TX NIC, please raise your hands?


The latest Ubuntu release, Lucid Lynx, fixes the last two problems. That is a big deal, as the lack of good NVidia and ATI support bit me as well as some participants, and Ubuntu's LiveCD seems to do the right thing. The second problem is a big one, and comes down to documenting the work required to build a virtual machine that can be instrumented by our tools. And, like any large and boring problem, I am going to ignore it.

But, I think the first one will be fun to solve. It starts with stealing a page from WaspVM and MOSREF and building a metacircular environment. The Malware Analysis Environment should be able to serialize itself to either an ISO9660 filesystem or a USB flash drive as needed, and boot from either of those two sources. It should also be able to "checkpoint" changes to the filesystem and load them up as overlays -- a trick borrowed from my customizations of Finnix which never saw the light of day.

Combine those two tools, and it should be possible for analysts using MalNet to customize their environment, install the One True Editor, or even download updates. Maybe, if I'm really lucky, I can even factor myself out of the day to day maintenance. More time to start new pet projects is always good.

So far, I have conversion from a CDROM or ISO filesystem to USB figured out and working nicely. Converting backwards should follow soon -- this is just flipping between syslinux and isolinux using either block devices or loop-mounted files. Next up is figuring out how to trick Casper into checkpointing to the boot drive, or committing the time to actually write a serialize-to-squashfs script of my own.

Saturday, April 17, 2010

Where Scott Inserts Foot in Mouth at Notacon

So.. Preview night.. I am a little twitchy after previewing NoSpex without a slide stack.. There is a really off-the-wall preview for a presentation on "Building the Digital City" by er.. Some guy. I didn't catch the name; the premise is very 40,000-foot, and as a pragmatic hacker, I had no clue what he was getting at. There was, however, a question about why the flat encyclopedia model took over the digital media world.

So, I had two immediate ideas. The first was that "article content" is really low barrier to entry. Anyone who paid attention in English class knows how to compose paragraphs and express an idea in bare text. I sat on that one, defending ASCII text seemed like a losing proposition. So the other, which I thought would be sympathetic, was decrying the death of HyperCard, which was the first moderately successful rich authoring environment in my mind. (Doesn't hurt that there was an "Apple is Evil" comment earlier stuck in my head.)

It wasn't until the next day, in a conversation with Mark Schumann that I understood why the presenter gave me an odd look. Turns out he was Marc Canter, one of the bright minds from the original Macromedia. So.. Ahem.. Making friends at Notacon 7!

Where Scott Whines About SecDev Burnout..

So, I spent the last 45 days putting all of my out-of-band coding time into NoSpex -- a realtime graphing library for process display and analysis. That is my karmic punishment for jokingly suggesting "Hey, I could graph threads talking to each other in my recent reverse engineering project" as a proposal for Notacon 7.

The presentation was way too early for me, a west coaster in Ohio, and seemed too early for the con in general. I appreciate N7's staff for having me; I was not too friendly in the whole proposal process, so I deserved that "first slot on the first day" spot. That said, having spent 45 days on something almost as complicated as the first rounds of Mosquito or IPAF, presenting it to an audience of 20 was pretty disappointing.

I am going to dedicate my out-of-band time for the next month or two to game development; maybe a Seven Day Roguelike. It is not very well timed, with Blackhat and DefCon's Call for Papers windows opening up, but a little fun is in order.

Where Scott Creates a New Blog..

.. again. With my current work load at IOActive, it is obvious that I'm not going to have time to touch WaspVM for a while. This means that my usual outlet, WaspVM Developments, has gone stale. I want to keep WaspDev focused on improvements to WaspVM and MOSREF, so I have decided to create a new journal for my other projects and personal commentary.