Reversing symbols in file name - character-encoding

This is not really about programming, but I don't know where else to ask it. So I've just downloaded a torrent with one file in it - the formal name of the file should be "123.avi.exe" (which is typical for viruses and trojans). Now, the interesting thing is that the name is encoded in UTF16-LE as the following bytes:
FFFE3100320033002E002D202E202D202E206900760061002E00650078006500
which gives us a strange text, partially reversed around ".exe" (try to move the cursor left-to-right and you will be surprised):
123.‭‮‭‮iva.exe
But the worst part of all is that uTorrent shows a non-suspicious ".avi" extension, while when you double-click it in the GUI it is treated as ".exe" and the program runs.
You can test it yourself by creating a dummy file with the name I wrote above. How can I protect myself from running files like that at the system level?
P.S. I've started a similar thread on the uTorrent tracker (not yet approved by a moderator)

You have possibly found an active attack using a Remote Code Execution Vulnerability in uTorrent and other torrent clients. There have been similar vulnerabilities before: http://www.zerodayinitiative.com/advisories/ZDI-16-674/
It's probably a good idea to contact uTorrent and make them aware of the exploit.
What version of uTorrent do you use?
In general the best protection is to use the newest stable versions of programs.
Even if newer uTorrent versions are infested with annoying advertisements, those can be deactivated.
This question may fit better at https://security.stackexchange.com/
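The check a torrent client (or any file manager) could apply before showing or opening such a name, as an added example that is not part of the original question or answer: decode the UTF-16LE bytes, flag the Unicode bidi control characters, recover the logical name the OS will actually dispatch on, and simulate what a naive GUI renders. The sample bytes are the hex dump from the question; the MAX_CP limit, the function names and the decision to treat any bidi control in a file name as suspicious are my own choices, and the renderer implements only the explicit-embedding and reversal rules of UAX #9, which is enough for override attacks but not a full bidi implementation.

```c
/* Added example (not from the original post): decode a UTF-16LE file name as
 * stored in the .torrent, flag bidi controls, recover the logical extension
 * and simulate how the name renders. Sample bytes come from the question. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CP 256   /* assumption: file names longer than this are rejected */

/* Explicit bidi formatting characters (UAX #9): LRE/RLE/PDF/LRO/RLO,
 * LRI/RLI/FSI/PDI and the LRM/RLM marks. U+202E (RLO) is the one abused here. */
static int is_bidi_control(uint32_t cp) {
    return (cp >= 0x202A && cp <= 0x202E) || (cp >= 0x2066 && cp <= 0x2069) ||
           cp == 0x200E || cp == 0x200F;
}

/* Decode UTF-16LE (optional BOM, surrogate pairs) into code points.
 * Returns the count, or -1 for odd length, lone surrogates or overflow. */
static int decode_utf16le(const uint8_t *buf, size_t len, uint32_t *out, int max) {
    size_t i = 0;
    int n = 0;
    if (len % 2) return -1;
    if (len >= 2 && buf[0] == 0xFF && buf[1] == 0xFE) i = 2;   /* skip BOM */
    while (i + 1 < len) {
        uint32_t u = buf[i] | (uint32_t)buf[i + 1] << 8;
        i += 2;
        if (u >= 0xD800 && u <= 0xDBFF) {                       /* high surrogate */
            if (i + 1 >= len) return -1;
            uint32_t lo = buf[i] | (uint32_t)buf[i + 1] << 8;
            i += 2;
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            u = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
        } else if (u >= 0xDC00 && u <= 0xDFFF) {
            return -1;                                          /* lone low surrogate */
        }
        if (n >= max) return -1;
        out[n++] = u;
    }
    return n;
}

/* Copy the name without bidi controls (non-ASCII shown as '?') into out and
 * return how many controls were removed. This is the logical name the OS sees. */
static int strip_controls(const uint32_t *cp, int n, char *out, size_t outsz) {
    int ctrl = 0;
    size_t k = 0;
    for (int i = 0; i < n; i++) {
        if (is_bidi_control(cp[i])) { ctrl++; continue; }
        if (k + 1 < outsz) out[k++] = cp[i] < 0x80 ? (char)cp[i] : '?';
    }
    out[k] = '\0';
    return ctrl;
}

/* The extension the OS actually dispatches on: after the last '.' of the logical name. */
static const char *logical_ext(const char *logical) {
    const char *dot = strrchr(logical, '.');
    return dot ? dot : "";
}

/* Simulate what a GUI renders: explicit embedding levels plus reversal rule L2
 * of UAX #9. Characters' own bidi classes are ignored, isolates/marks dropped. */
static void simulate_display(const uint32_t *cp, int n, char *out, size_t outsz) {
    char ch[MAX_CP];
    int lv[MAX_CP], stack[MAX_CP], m = 0, sp = 0, maxlv = 0;
    stack[0] = 0;
    for (int i = 0; i < n && m < MAX_CP; i++) {
        uint32_t c = cp[i];
        int cur = stack[sp];
        if (c == 0x202D || c == 0x202A) {                       /* LRO/LRE: next even level */
            if (sp + 1 < MAX_CP) stack[++sp] = (cur % 2 == 0) ? cur + 2 : cur + 1;
        } else if (c == 0x202E || c == 0x202B) {                /* RLO/RLE: next odd level */
            if (sp + 1 < MAX_CP) stack[++sp] = (cur % 2 == 0) ? cur + 1 : cur + 2;
        } else if (c == 0x202C) {                               /* PDF closes the last embedding */
            if (sp > 0) sp--;
        } else if (!is_bidi_control(c)) {
            ch[m] = c < 0x80 ? (char)c : '?';
            lv[m] = cur;
            if (cur > maxlv) maxlv = cur;
            m++;
        }
    }
    /* L2: from the highest level down to 1, reverse every run at or above it. */
    for (int k = maxlv; k >= 1; k--) {
        for (int i = 0; i < m;) {
            if (lv[i] < k) { i++; continue; }
            int j = i;
            while (j < m && lv[j] >= k) j++;
            for (int a = i, b = j - 1; a < b; a++, b--) {
                char t = ch[a]; ch[a] = ch[b]; ch[b] = t;
                int tl = lv[a]; lv[a] = lv[b]; lv[b] = tl;
            }
            i = j;
        }
    }
    if ((size_t)m >= outsz) m = (int)outsz - 1;
    memcpy(out, ch, (size_t)m);
    out[m] = '\0';
}

/* Constructed from the hex dump in the question. */
static const uint8_t SAMPLE_NAME[] = {
    0xFF, 0xFE, '1', 0, '2', 0, '3', 0, '.', 0, 0x2D, 0x20, 0x2E, 0x20, 0x2D, 0x20,
    0x2E, 0x20, 'i', 0, 'v', 0, 'a', 0, '.', 0, 'e', 0, 'x', 0, 'e', 0 };

int main(void) {
    uint32_t cp[MAX_CP];
    char logical[MAX_CP], shown[MAX_CP];
    int n = decode_utf16le(SAMPLE_NAME, sizeof SAMPLE_NAME, cp, MAX_CP);
    int ctrl = strip_controls(cp, n, logical, sizeof logical);
    simulate_display(cp, n, shown, sizeof shown);
    printf("displayed: %s\nlogical:   %s (ext %s)\nbidi controls: %d -> %s\n", shown,
           logical, logical_ext(logical), ctrl, ctrl ? "SUSPICIOUS" : "ok");
    return 0;
}
```

For the sample the displayed name is "123.exe.avi" while the logical name is "123.iva.exe" with extension ".exe", which is exactly the mismatch the question observed. A client that refuses, or at least highlights, any name containing these control characters closes the trick regardless of how its own text widget renders bidi text.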


any downsides to writing the same file 1000's of times in iOS?

I'm considering overwriting the same small file 1,000's - 100,000's of times in an iOS app. Are there any downsides to this, given that flash memory is rated for 1000's of writes (but not, say, 100,000's)?
Will the system file cache save me if I stick to standard FileHandle operations? (without me having to implement my own such cache)
This has been addressed before: Reading/Writing to/from iPhone's Documents folder performance
Any new insights?
Update in response to some comments below: in general I agree with you that sometimes examining the choice of solution is more critical than helping with the proposed solution itself.
However, for this case, I feel the question is legit. Basically, it applies to any program where there is a small amount of very volatile data that needs to be persisted often: say, a position in a game, or a stock tick, or some counter, or the last key pressed, or something like that. It needs to be reliably read after process restart, so the app can pick up where it left off, hence the question:
Can I use the iOS file system for that? I know I can't write 10,000's of times to actual flash memory - that would burn it out. But will file system operations solve this for me, through some form of caching? Or do I need to do that myself, 'by hand'?
I sort of assume 'yes' (file system will solve) - otherwise other apps that do this (there must be some) would be burning out phones all the time! But: hard to know for sure...
Update again: asked this question on apple forums:
https://forums.developer.apple.com/thread/116740
Still no clear answer. Some answers are: just cache it yourself to avoid any such potential problems (and there can be: a file write can fail, and increasing the frequency increases the probability of failure in weird ways). Another is: iOS logs so much stuff, there's no way I can write more frequently than that, and that's fine, so no worries... I guess I'll leave this question open for now.

Detection of function hooking in iOS

So far as I know, in iOS there are three techniques for function hooking:
preload library using DYLD_INSERT_LIBRARIES
imported symbol table redirection using fishhook
patch the functions when they are already loaded - i.e. already in memory using substrate MSHookFunction
These expose security issues, so I want to be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect it. However, for 2 and 3, I haven't had any idea. I am very thankful for any ideas on how to address the issue.
I had the same issue - trying to avoid any potential function hooking within my app.
My app was recently pen tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you would be familiar with this tool.
OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.
As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - preventing a GDB/LLDB process from attaching to the application.
From OWASP:
In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate
Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated in the linked Raywenderlich article:
Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…
However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.
I hope this helps, in some way or form ...
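One way to cover all three techniques from the question at runtime, as an added example that is neither the answerer's Swift code nor OWASP's: a portable scanner for the trampoline stubs that inline hookers (Substrate's MSHookFunction, Frida's Interceptor) write over a function's first instructions, an environment check for DYLD_INSERT_LIBRARIES, and, on Apple platforms only, a dladdr() check that a resolved pointer still lives in the expected image (fishhook swaps lazy-binding pointers) plus the ptrace(PT_DENY_ATTACH) call via dlsym since ptrace is not in the iOS SDK headers. The byte patterns, the function names and the constructed prologues in main() are my own; the arm64e pointer-authentication strip is an assumption about how the binary is built.

```c
/* Added example (not from the original answer): runtime self-checks for the
 * three hooking techniques in the question. Only the Apple-specific parts
 * require iOS/macOS; the prologue scanner runs anywhere. */
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <dlfcn.h>
#include <sys/types.h>
#endif
#ifdef __has_feature
#if __has_feature(ptrauth_calls)
#include <ptrauth.h>          /* arm64e: function pointers carry a PAC */
#endif
#endif

/* (3) Inline hooks replace a function's first instructions with a jump
 * to a trampoline. These are the usual stub shapes. */
static int prologue_looks_hooked_x86_64(const uint8_t *p) {
    if (p[0] == 0xE9) return 1;                                          /* jmp rel32 */
    if (p[0] == 0xFF && p[1] == 0x25) return 1;                          /* jmp [rip+disp32] */
    if (p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0) return 1; /* movabs rax; jmp rax */
    if (p[0] == 0x68 && p[5] == 0xC3) return 1;                          /* push imm32; ret */
    return 0;
}

static int prologue_looks_hooked_arm64(const uint8_t *p) {
    uint32_t i0 = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;  /* little-endian words */
    uint32_t i1 = p[4] | p[5] << 8 | p[6] << 16 | (uint32_t)p[7] << 24;
    if ((i0 & 0xFC000000) == 0x14000000) return 1;                       /* B imm26 */
    if (i0 == 0x58000050 && i1 == 0xD61F0200) return 1;                  /* LDR X16,#8 ; BR X16 */
    if (i0 == 0x58000051 && i1 == 0xD61F0220) return 1;                  /* LDR X17,#8 ; BR X17 */
    return 0;
}

/* Inspect a live function of the running binary. */
static int prologue_looks_hooked(const void *fn) {
    const uint8_t *p = (const uint8_t *)fn;
#ifdef __has_feature
#if __has_feature(ptrauth_calls)
    p = (const uint8_t *)ptrauth_strip(fn, ptrauth_key_function_pointer);
#endif
#endif
#if defined(__aarch64__) || defined(__arm64__)
    return prologue_looks_hooked_arm64(p);
#elif defined(__x86_64__)
    return prologue_looks_hooked_x86_64(p);
#else
    (void)p;
    return 0;                                   /* no pattern table for this ISA */
#endif
}

/* (1) DYLD_INSERT_LIBRARIES: the injected dylib shows up in the environment.
 * A hooked getenv() can lie, so treat this as one signal among several. */
static int insert_libraries_set(void) {
    const char *v = getenv("DYLD_INSERT_LIBRARIES");
    return v != NULL && v[0] != '\0';
}

#ifdef __APPLE__
/* (2) fishhook rewrites lazy-binding pointers: resolve the pointer you are
 * about to call and confirm it lives in the image you expect. */
static int symbol_in_image(const void *fn, const char *expected_substr) {
    Dl_info info;
    if (dladdr(fn, &info) == 0 || info.dli_fname == NULL) return 0;
    return strstr(info.dli_fname, expected_substr) != NULL;
}

/* OWASP anti-debug check. PT_DENY_ATTACH == 31. Hookable itself, so it is a
 * deterrent, not a guarantee (the Cycript caveat in the answer applies). */
static void deny_debugger_attach(void) {
    typedef int (*ptrace_fn)(int, pid_t, caddr_t, int);
    ptrace_fn p = (ptrace_fn)dlsym(RTLD_DEFAULT, "ptrace");
    if (p) p(31, 0, 0, 0);
}
#endif

int main(void) {
    /* Constructed prologues: clean x86-64 frame setup vs. a jmp trampoline. */
    const uint8_t clean[16] = {0x55, 0x48, 0x89, 0xE5};
    const uint8_t hooked[16] = {0xE9, 0x00, 0x10, 0x00, 0x00};
    printf("clean=%d hooked=%d insert_libs=%d\n", prologue_looks_hooked_x86_64(clean),
           prologue_looks_hooked_x86_64(hooked), insert_libraries_set());
#ifdef __APPLE__
    deny_debugger_attach();
    printf("strlen resolves into libsystem: %d\n",
           symbol_in_image((const void *)strlen, "libsystem"));
#endif
    printf("own main() hooked: %d\n", prologue_looks_hooked((const void *)main));
    return 0;
}
```

Run the prologue check against the handful of functions the app cares about (its own licence or jailbreak checks, the libc calls they rely on) at random moments rather than once at launch, since hookers typically attach after startup; and remember that Frida can hook the checker itself, so the result is a signal to combine with others, not proof.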

What changes in a jailbroken kernel?

Having seen this question on protecting your app from being cracked, I saw that the top answerer mentioned something about being able to see if a device was jailbroken by some internal imbalance in the kernel. Having looked into it a bit more, I discovered the Kernel Architecture Overview guide, and have knowledge of ways to interact with the Mach-BSD kernel. All I need to know is: What am I looking for? Is there some kind of key or internal state that changes when the device is jailbroken in the context of the kernel?
To be clear, I'm not looking for code (I know how to do these things myself), I'm looking for what to look for... As weird as that sounds. I've seen the answers in the linked questions, I know that they work, but I'm wondering about an all-kernel route, which seems like a more generic and efficient way to check instead of searching for directories that might change or plist keys that might have different names.
I also don't intend to disable any functionality on the part of the app because of piracy (just show a message or something based on a condition).
All the "modern" kernel patches are based on comex's patches.
The main things which are being patched are:
security.mac.proc_enforce
cs_enforcement_disable (kernel and AMFI)
PE_i_can_has_debugger
vm_map_enter
vm_map_protect
…
Oh, and there are sandbox patches too. If you want to read more about all these patches I suggest you take a look at iOS Hacker's Handbook.
Edit:
I just came up with a simple idea to check if the device is jailbroken, but I'm not sure if Apple allows the use of these functions:
allocate some memory using mach_vm_allocate()
change the protection of that page via mach_vm_protect() to VM_PROT_READ | VM_PROT_EXECUTE | VM_PROT_COPY
Since stock iOS doesn't allow VM_PROT_EXECUTE from inside your app, this will fail when not jailbroken (check the return value of mach_vm_protect()), but succeed if the device is jailbroken.
About a year ago, saurik wrote a comment on Hacker News with a list of the "'best practice' patches that jailbreaks install by default". I'd suggest reading that comment for all the details, but here is a preview of what he says (with lots of explanation that I snipped out):
AFC2: allows you to access, over USB, all of / as root instead of just /var/mobile/Media as mobile.
fstab / rw: makes / be mounted read-write.
fstab /var suid dev: allows setuid executables and device nodes on the user data partition.
codesign: allow code that has not been signed by anyone to execute.
codehash: allow processes with "corrupt" pages of code to execute.
rw->rx: supports changing a page of memory from writable to executable.
rwx: allows memory to be marked for write and execute at the same time.
sandbox: allow processes to access files that are outside of their sandbox based on Unix permissions rather than the normal sandbox rules.
crazeles: a ludicrously complicated hack by planetbeing that neuters the FairPlay DRM checks that cause iBooks to refuse to operate correctly on jailbroken devices.

Delphi logging with multiple sinks and delayed classification?

Imagine I want to parse a binary blob of data. If all goes okay, then all the logs are INFO, and the user by default does not even see them. If there is an error, then the user is presented with the error and can view the log to see the exact reason (I don't like programs that just say "file is invalid. for some reason. you do not want to know it")
Probably most log libraries are aimed at quickly loading, classifying and keeping many, many log lines per second, which by itself is questionable, as there is no comfortable lazy evaluation or closures in Delphi. I envy Scala :-)
However, that requires every line to be pre-classified.
Imagine this hypothetical flow:
1. Got object FOO [ok]
1.1. found property BAR [ok]
1.1.1. parsed data for BAR [ok]
1.2 found property BAZ [ok]
1.2.1 successfully parsed data for BAR [ok]
1.2.2 matching data: checked dependancy between BAR and BAZ [fail]
...
So, what can be desired features?
1) Nested logging (indenting, subordination) is desired then.
Something like highlighted in TraceTool - see TraceNode.Send Method at http://www.codeproject.com/KB/trace/tracetool.aspx#premain0
2) The 1, 1.1, 1.1.1, 1.2, 1.2.1 lines are sent as they happen in a info sink (TMemo, OutputDebugString, EventLog and so one), so user can see and report at least which steps are complete before error.
3) 1, 1.2, 1.2.2 are retroactively marked as error (or warning, or whatever), inheriting from the most specific line. Obviously, warning supersedes info, error supersedes warning and info, etc.
4) 1 + 1.2 + 1.2.2 can be easily combined like with LogMessage('1.2.2').FullText to be shown to user or converted to Exception, to carry the full story to human.
4.1) Optionally, with relevant setup, it would not only be converted to Exception, but the latter even would be auto-raised. This probably would require some kind of context with supplied exception class or supplied exception constructing callback.
5) Multisink: info can be just appended into collapsible panel with TMemo on main form or currently active form. The error state could open such panel additionally or prompt user to do it. At the same time some file or network server could for example receive warning and error grade messages and not receive info grade ones.
6) Extra associated data might be nice too. Say, if it is rendered with a TreeView rather than a TMemo, then it could have a "1.1.1. parsed data for BAR [ok]" item, with a mouse tooltip like "Foo's dimensions are told to be 2x4x3.2 metres"
Being a free library is nice, especially free with sources. Sometimes tracking and fixing a bug relying solely on DCUs is much harder.
Not requiring an extra executable. It could offer an extra, more advanced viewer, but it should not be required for basic functionality.
Not being stalled/abandoned.
The ability to work and show at least something before the GUI is initialized would be nice too. Class constructors are cool, yet they are executed as part of unit initialization, when the VCL is not booted yet. If any assertion/exception is thrown from there, the user would only see Runtime error 217, with all the detail lost. At least OutputDebugString can be used, if nothing more...
Stack tracing is not required, if needed i can do it and add with Jedi CodeLib. But it is rarely needed.
External configuration is not required. It might be good for big application to reconfigure on the fly, but to me simplicity is much more important and configuration in code, by calling constructors or such, is what really matters. Extra XML file, like for Log4J, would only make things more fragile and complex.
I glanced at a few of the libraries mentioned here.
TraceTool has a great presentation, link is above. Yet it has no info grade, only 3 predefined grades (Debug/Error/Warning) and nothing more, but maybe Debug would suit as an Info replacement... It seems like a black box, only saving data into its own file and using an external tool to view it, not giving the stream of events back to me. But its message nesting and call chaining seem cool. Attaching objects/collections to messages is also cool.
Log4D and Log4Delphi seem to be in stasis, with last releases in 2007 and 2009 and Delphi 7 as the last targeted version. They lack documentation (probably okay for a log4j guy, but not for me :-) ). Log4Delphi even has a test folder - but those tests do not compile in Delphi XE2 Update 1. Pity: in another thread here Log4Delphi was hailed for how simple it is to create a custom log appender (sink)...
BTW, the very fact that the same Log4J was forked into two independent Delphi ports raises the question of which is better, and suggests that both lack something, if they had to remain split.
The mORMot part is hardly separated from the rest of the library. The demo application required UAC elevation to use its embedded SQLite3 engine and froze (no window opened, yet the process never exits normally) if Admin rights were refused. Another demo just started an infinite stream of AV exceptions, trying to unwind the stack. So it is probably not ready yet for the latest Delphi. Though its list of message grades is excessive, maybe even a bit too many.
Thank you.
mORMot is stable, even with latest XE2 version of Delphi.
What you tried starting were the regression tests. Among its 6,000,000 tests, it includes the HTTP/1.1 Client-Server part of the ORM. Without Admin rights, the http.sys server is not able to register the URI, so you got errors. Which makes perfect sense. It's a Vista/Seven restriction, not a mORMot restriction.
The logging part can be used completely separated from the ORM part. Logging is implemented in SynCommons.pas (and SynLZ.pas for the fast compression algorithm used for archival and .map embedding). I use the TSynLog class without any problem to log existing applications (even Delphi 5 and Delphi 6 applications), existing for years. The SQLite3 / ORM classes are implemented in other units.
It supports the nesting of events, with auto-leave feature, just as you expect. That is you can write:
procedure TMyClass.MyMethod(const Params: integer);
begin
TSynLog.Enter;
// .... my method code
end;
And adding this TSynLog.Enter call means the method will be logged with indentation corresponding to the recursion level. IMHO this may meet your requirements. It will declare an ISynLog interface on the stack, which will be freed by Delphi at the "end;" line, so it implements an auto-leave feature. And the exact unit name, method name and source code line number will be written into the log (as MyUnit.TMyClass.MyMethod (123)), if you generated a .map file at compilation (which may be compressed and appended to the .exe so that your customers' logs will contain the source line numbers). You have methods at the ISynLog interface level to add some custom logging, including parameters and custom state (you can log object properties as JSON if you need to, or write your custom logging data).
The exact timing of each method is tracked, so you are able to profile your application from the data supplied by your customer.
If you think the logs are too verbose, you have several levels of logging, to be customized on the client side. See the blog articles and the corresponding part of the framework documentation (in the SynCommons part). You have for instance "Fail" events and some custom kinds of events. And it is totally VCL-independent, so you can use it without a GUI or before any GUI is started.
You have at hand a log viewer, which allow client-side profiling and nested Enter/Leave view (if you click on the "Leave" line, you'll go back to the corresponding "Enter", e.g.):
If this log viewer is not enough, you have its source code to make it fulfill your requirements, and all the needed classes to parse and process the .log file on your own, if you wish. Logs are textual by default, but can be compressed into binary on request, to save disk space (the log viewer is able to read those compressed binary files). Stack tracing and exception interception are both implemented, and can be activated on request.
You could easily add a numeration like "1.2.1" to the logs, if you wish to. You've got the whole source code of the logging unit. Feel free to ask any question in our forum.
Log4D supports nested diagnostic contexts in the TLogNDC class; they can be used to group together all steps which are related to one compound action (instead of a 'session'-based grouping of log events). Multi-sinks are called Appenders in Log4D and Log4Delphi, so you could write a TLogMemoAppender with around twenty-five lines of code and use it at the same time as an ODSAppender, a RollingFileAppender or a SocketAppender, configurable at run time (no external config file required).

Delphi programs blocked by antivirus programs [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
I have a piece of code that is trying to write many files to disk in one second. However, it fails since I installed Kaspersky Antivirus 2011.
Stream:= TFileStream.Create(sName, fmCreate);
The code totally worked with Kaspersky 2010 and also works with Kaspersky 2011 if I disable its scanners (it cannot be totally unloaded from memory - unless it is uninstalled). The code also works if (Kaspersky 2011 is running and) I write to disk slooooowly. So it obviously is not fast enough to handle my disk requests.
The error I get is EFCreateError ('Cannot create xxx file blablabla'). Error is random. Most of the files are written to disk. About 10% fail.
I have tried to get support but it is impossible to find a real person at Kaspersky to speak with. Their so-called 'support' is actually a FAQ database. Of course it speaks about how to install the product and related stuff. There is nothing about programming-related issues. Any ideas?
PS: this has repercussions for the entire Delphi community! All our customers will fail to use Delphi software if they are using KIS 2011 as antivirus. For the moment I recommend to my users to disable their antivirus but I need a real solution.
It would be nice if a person with KIS 2011 could confirm the problem. Just create a tiny program that writes 200 small files to disk using TFileStream.
UPDATE:
The problem appears ONLY when the file does not exist and it is created (created as opposed to overwritten).
Similar report: https://forums.embarcadero.com/thread.jspa?threadID=32751&tstart=15
Similar report: http://forum.kaspersky.com/index.php?showtopic=120561
A possible solution that popped into my mind is to detect if KIS is running and, if it is, to put a delay after each write to disk. Or at least, let the user know there may be problems. Does anybody know how to detect if a service is running?
I added a delay of 650ms (after each file creation) and the bug is still there. So it is not about how fast you write to disk but about how many files you write.
Just uninstalled KIS 2011. The problem does not appear anymore.
Just reinstalled the good old KIS 2010. The bug is still there but it appears rarely (about every 300 files instead of about every 30 as with KIS 2011).
The problem was confirmed on a second computer.
NEWS: The crash appears in TFileStream.Create; however, it may be caused by a function called earlier: TestWriteAccess. If I disable this function, TFileStream.Create doesn't fail anymore. Well, this doesn't change things too much. No matter which line of code generates the error, the program still fails (randomly) to write files to disk while Kaspersky is running.
Still waiting for a response from a real person at Kaspersky...
More automated responses received from Kaspersky support (I sent emails to support in several countries). All pointing to a FAQ database.
I changed my status from Kaspersky fan (and customer) to Kaspersky hater because I finally received an answer from a real person at Kaspersky support and it was plain and simply obnoxious.
To test the code, try to use the code in a loop, to create 1000 files. The program creates a bunch of files (random number) then it fails at StreamFile:= TFileStream.Create.
Update: The issue can be fixed by entering a small delay after creating each file.
https://docs.google.com/forms/d/1H3_O1z1iEqfh9ZT9u3B0R1tGEj-Hc9o7rAE0LKPr33Y
2013 Update
Starting with this afternoon (after an update) KIS conflicts with Delphi.
Every time I compile a project KIS spikes to 100% CPU utilization. I will have to uninstall it.
2017 Update
All false positive alarms disappeared magically for all my Delphi programs starting in 2017. It seems that it was enough for a program like Kaspersky to remove Delphi-generated executables from its virus list; all the other, smaller antivirus programs followed.
Delphi 7, Win 7 (32), KIS 2011
You need to instruct your users, i.e. Kaspersky's customers, that Kaspersky is interfering with the operation of your software, and that THEY should report it. Express your frustration that you, as a developer, don't have access to a real human being. This is the only way that the anti-malware companies will ever react - bad PR with their paying customers.
Kaspersky = pirate company? Maybe yes, maybe no. Maybe just yet another company with a bad product and nonexistent support. Their "support" consists of a FAQ database and an automatic email answering program. Phones are hooked to answering machines too. Their automated answers keep explaining to me how to add my program to the KIS "exception" database. I keep replying to those stupid emails that I cannot personally go to all my customers' homes and put my program in the "exception" database, and that it would be better if they fixed the bug.
When I finally got a non-automatic answer (the only one), the support fella was as rude as possible.
Possible solutions for Delphi programmers:
* Don't check if the user has write permission to a file (in order not to trigger the Kaspersky bug)
* Check if the user has write permission. If the bug appears, inform the user that Kaspersky creates problems and should be temporarily disabled (while the program is running). Use a TRY EXCEPT block to do this.
Advice (based on my past experience):
Don't always blame your code if you receive strange bug reports from your users when your program was trying to write to disk. Check external factors too (like the presence of Kaspersky antivirus).
UPDATE:
I just applied for a refund. I will go for a chargeback if they won't refund the money (I strongly feel they won't).
Conclusion
When I posted this on StackOverflow I didn't realize the magnitude of the problem and I didn't realize it would deviate so much from its initial course. Still, I think it is well within the purpose of StackOverflow. We have all learned that sometimes the problems in our programs may not be caused by our faulty code, nor can we control the source of these problems (21 persons voted this question up - which means a lot of other people encountered issues with KIS).
We can just hope that poorly designed programs that interact with the user's system at a very low level (such as the KIS antivirus program) will soon be fixed so our sales won't suffer (much).
It is just frustrating when your program is labeled "buggy" and you can't do much about it!
Not an answer to solve your problem, but you should inform Kaspersky, probably they don't know there is a virus signature associated with a Delphi library.
And if your program isn't too complex, you might want to try Lazarus/FPC. It's not as good as Delphi, but I've been using it for several years now, and have got good results in Windows/MacOS/Linux.
I had similar problems with Kaspersky 2011 when I was trying to add my program to Windows startup using D2010's new TFile.Copy() as well as the raw API function:
CopyFile(PChar('C:\chellenger.exe'), PChar('C:\Documents and Settings\Omair\Start Menu\Programs\Startup\chellenger.exe'), False);
My solution was to put my Delphi app in a VB.NET app as a resource; the VB.NET app extracted it and put it in startup without false positives. Mixing two languages might solve your problem too (one possible solution, but a very ugly and unprofessional one, I admit).
When you create a file, any antivirus checks it. There is probably some kind of collision between your application and KAV. Have you tried combining fmCreate with share modes? You can see the help for TFileStream.Create for the available modes.
If the problem is just with Kaspersky, then just have your program detect if it is running. If so, scale back your file creation / writes to whatever passes their detection. Make sure you have some little status message somewhere that tells the user why things are slow. Incidentally, virus writers already know this, which is why those heuristics simply don't work.
After doing that, contact Kaspersky and work with them directly to get this resolved.
This gets past your immediate issue and will give you and Kaspersky time to figure out a long-term solution.
Alternatively, you could simply shut Kaspersky down... Just make sure you grab all of their watchdogs in the process... But that tends to be a little more combative.
Creating a huge amount of files sounds like something that isn't necessarily A Good Thing, but you probably have your reasons :)
When you get the error code in Delphi, does KAV pop up any heuristic warnings, or is it completely silent? It wouldn't be weird to get a heuristic "omg, that app is doing something bad!" from creating a ton of new files, but if KAV is silent I'd say it's a bug.
Can you post a delphi executable with the tiniest amount of code that reproduces the bug? And a version that does the same step but only creates one file, it might be interesting to trace with SysInternals' ProcMon.
First, do you really need to test for write permissions by creating a file? Can't you just check the permission directly? I feel that creating a file for that purpose only is a lame way of doing it in any case.
Second, like noted above, it's likely that after you create and then delete a file, there is some intervention by Kaspersky's security mechanisms. Probably a driver tries to check the contents of the file you deleted, and keeps it alive for a while. Like this:
You create the file and open it, incrementing the refcount.
Kaspersky driver notices that and opens the file too. Even if you set share mode deny, as a driver it probably has the power to open it anyway (if Kaspersky could not circumvent sharing denials, any virus could have used the same trick to hide its data!).
You close the file and delete it. When you delete the file, the system just marks it "FILE_FLAG_DELETE_ON_CLOSE", but the file is still there until all the handles to it are closed.
Kaspersky continues to scan the file, and still hasn't released the handle.
Therefore the file is still there.
You try to create a new file and the call fails because the old file is still not deleted.
The reason for all this mess is, of course, partly Kaspersky's checking mechanics, but they did nothing especially wrong here. Kaspersky needs to scan the file anyway, hardly anything can be done about that - it's antivirus, for crying out loud. On the other hand, checking permissions by creating and then deleting a file is (probably) very, very wrong. So I guess, you're the one at fault here.
I had the same problem. KIS made all kind of troubles. Until I reinstalled it. So, it was just a faulty installation.
