Cracking Windows by Atom Bombing - Computerphile

  • Published 1 Nov 2016
  • A security exploit using standard Windows commands which can lie undetected. Dr Steve Bagley explains the latest revealed exploit.
    Password Cracking: • Password Cracking - Co...
    Google Deep Dream: • Deep Dream (Google) - ...
    FPS & Digital Video: • FPS & Digital Video - ...
    Read more about this exploit here: bit.ly/ComputerphileAtom
    / computerphile
    / computer_phile
    This video was filmed and edited by Sean Riley.
    Computer Science at the University of Nottingham: bit.ly/nottscomputer
    Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com

Comments • 487

  • @cicci0salsicci0
    @cicci0salsicci0 7 years ago +349

    Every time these exploits become public, I get the idea that those who were using it, now don't need it anymore.

    • @NikoxD93
      @NikoxD93 7 years ago +41

      Yeah, imagine what they have now if they find this irrelevant ...

    • @adtc
      @adtc 7 years ago +18

      cicci0salsicci0 it's still exploitable because a lot of internet-connected computers still run older versions of Windows that won't get any security patch to fix this. People aren't going to upgrade because they can't install Windows 10 on such an old PC and it's too expensive to buy a new PC.

    • @adtc
      @adtc 7 years ago +1

      And be stuck with what's basically a glorified tablet that's non-functional without internet?

    • @josgeerink9434
      @josgeerink9434 7 years ago +1

      same

    • @Spartan322
      @Spartan322 7 years ago

      Linux basically solves this problem by not doing it in the first place.

  • @Purin1023
    @Purin1023 7 years ago +597

    A keylogger running in the background?
    Don't worry, Windows 10 already has that feature built in

    • @josugambee3701
      @josugambee3701 7 years ago +25

      Yep, it does. I keep telling my friends and family to use Linux but they don't want to.
      I dunno. I just get this warm and fuzzy feeling knowing I'm the only one who's safe.

    • @throwaway6380
      @throwaway6380 7 years ago +3

      Purin1023
      No, it doesn't.

    • @sharp14x
      @sharp14x 7 years ago +23

      Yes. Yes it does.

    • @throwaway6380
      @throwaway6380 7 years ago +7

      SharpOB
      That's way too exaggerated, and certainly not literally true, mr. Pleasure Island.

    • @sharp14x
      @sharp14x 7 years ago +27

      A. No, it is not. I suggest you look into the extent of the privacy violations Windows 10 has.
      B. Thanks for noticing the reference.

  • @pancakerizer
    @pancakerizer 7 years ago +515

    These days I wouldn't even be surprised if my printer driver tried to talk to the internet...

    • @valshaped
      @valshaped 7 years ago +27

      The Pancakerizer It probably does.

    • @zacharyriddell
      @zacharyriddell 7 years ago +20

      The Pancakerizer If it's an HP and wireless driver, it does.

    • @meneldal
      @meneldal 7 years ago +4

      Thankfully, one solution is to enforce signed drivers on your system. However, that wouldn't prevent the NSA from making the companies slip their backdoor in. For the keylogger thing, a decent antivirus software should detect an application changing the interrupt table (or an unsigned keyboard driver).

    • @orbik_fin
      @orbik_fin 7 years ago +11

      Of course it's a given that drivers these days report back your usage statistics - ink, paper, times of day, and whether you use 3rd party cartridges. After all you agreed to their terms.

    • @allanrichardson1468
      @allanrichardson1468 7 years ago +10

      orbik That's why, when I bought an HP printer, I declined the system called Instant Ink that automatically orders ink for you. I read the agreement which states that you cannot print ANY files, even files on your own computer(s), if you don't have an internet connection. In case of an emergency when the Internet goes down, the firmware will not let me print?! I'd rather buy ink for myself than be unable to print!

  • @larrygall5831
    @larrygall5831 6 years ago +41

    "Why is my printer driver trying to talk to the internet" LOL... Because it's an HP printer! You need to block it in your firewall settings so they don't phone home 5 times a minute.

  • @derstreber2
    @derstreber2 7 years ago +247

    "This isn't bios."
    More proof that sometimes the best puns are created by a slip of the tongue.

    • @ryanhenson5259
      @ryanhenson5259 7 years ago +1

      I don't get it :(

    • @ryanhenson5259
      @ryanhenson5259 7 years ago +2

      Not me! Ahhhhh hahah thanks!

    • @indigo1324
      @indigo1324 7 years ago

      Is Ki

    • @cpawel
      @cpawel 7 years ago +5

      Pretty sure that they weren't laughing at 'bios' but rather, 'bias' .. it would make more sense that way, since they were just talking about not being biased towards other systems

    • @npc_tom
      @npc_tom 7 years ago +7

      This isn't BIOS, this is UEFI.

  • @DeoMachina
    @DeoMachina 7 years ago +91

    I had no idea atoms existed at all! This is awesome

    • @rawr51919
      @rawr51919 7 years ago +12

      DeoMachina I thought you already knew about atoms in science class :P

    • @Kumaryoku
      @Kumaryoku 7 years ago +5

      Colton Rushton Look above! That's the joke that flew right over you.

    • @metallsnubben
      @metallsnubben 7 years ago +10

      A Ton
      I refer you to your own comment

    • @rawr51919
      @rawr51919 7 years ago +3

      metallsnubben Thank you.

    • @lowmax4431
      @lowmax4431 5 years ago +2

      @@tripplefives1402 I code in C# and never saw a reference to such a thing called atoms. Is this something done in the background of .NET?

  • @mebamme
    @mebamme 7 years ago +48

    TL;DR: If you're naming a technology, and you can imagine a cool-sounding exploit using that name, something's wrong.

    • @Moley1Moleo
      @Moley1Moleo 7 years ago +40

      I will give all my functions I write boring and bland names, so that even a huge exploit in my work will be unappealing as a meme, and thus minimise the potential for damage.
      I call it meta-social-IT-security.

    • @iamjimgroth
      @iamjimgroth 7 years ago +2

      WriteData(byte[] data)

  • @vladomaimun
    @vladomaimun 7 years ago +126

    The first thing a friend of mine said when he heard of Dirty Cow was that there's probably something worse for Windows.

    • @TheBluMeeny
      @TheBluMeeny 7 years ago +8

      It's probably just as bad as dirty cow, if you ran dirty cow to become root, you can take down the entire system within a couple minutes. Likewise, if this atom bombing was implemented right, albeit a bit harder to do, you could easily take down the system as well.

    • @GilesBathgate
      @GilesBathgate 7 years ago +26

      DirtyCow is more about PrivEsc, whereas this is more about detection evasion, so "Worse" is very subjective.

    • @visualdragon
      @visualdragon 7 years ago +15

      This is nowhere near as bad as dirty cow. Dirty cow allows a restricted account to gain root access. There is NO privilege escalation in Atom Bombing. You can still only do what that user can already do. You're just making it really complicated and calling it an exploit. This still requires that you get the exploit program onto the target machine. You are already on the other side of the air-tight hatchway, so to speak, so all bets are off.

    • @TheBluMeeny
      @TheBluMeeny 7 years ago +1

      visualdragon Yeah that is true, but what if this is executed on an admin user? It is conceivable that the malware could destroy entire directories very easily, no?

    • @GilesBathgate
      @GilesBathgate 7 years ago

      visualdragon It depends which process you are targeting. Assuming you can target a system owned process perhaps you could use it for privesc.

  • @TheMrYakobo
    @TheMrYakobo 7 years ago +141

    Getting more and more paranoid after these exploit videos

    • @tonipejic2645
      @tonipejic2645 7 years ago +41

      Don't worry there are probably a lot more out there :D

    • @DanieleGiorgino
      @DanieleGiorgino 7 years ago +41

      Don't worry, you're already part of the botnet.

    • @il2xbox
      @il2xbox 7 years ago +10

      Don't worry, the NSA already logs all your activity

    • @josugambee3701
      @josugambee3701 7 years ago +4

      I'm glad I use Linux...

    • @allanrichardson1468
      @allanrichardson1468 7 years ago +9

      Why bother with backup software? If you lose your files and emails, just call your Congressman and they will get the NSA to refresh them for you!

  • @aljowen
    @aljowen 7 years ago +33

    I can only assume the Acorn Atom was purposefully placed to the side because of its name?

    • @bswain9999
      @bswain9999 7 years ago +6

      I saw it as well, but your comment beat me

    • @rikwisselink-bijker
      @rikwisselink-bijker 7 years ago +1

      +

    • @misero1444
      @misero1444 7 years ago

      +

    • @DrSteveBagley
      @DrSteveBagley 7 years ago +7

      You may well think that - but I couldn't possibly comment ;)

  • @Validole
    @Validole 7 years ago +8

    Love how the meat of it: getting the executable region in memory set up (which is the hard part, I assume) is just slipped over. As he repeatedly said, the rest is standard OS functionality.

  • @PlasmaHH
    @PlasmaHH 7 years ago +70

    I always wondered why that "execute some function of another process" thing was necessary

    • @MattyFez
      @MattyFez 7 years ago +4

      Maybe multithreaded processes?

    • @Roshkin
      @Roshkin 7 years ago +4

      Dennis Lubert dll?

    • @stensoft
      @stensoft 7 years ago +58

      IPC is very useful. You may want to open a web page in the browser. Or start Word and generate a document in it. Or tell a web server to reload configuration. However, I find the problem here in that it's too powerful on Windows. You should be able to run only a defined set of methods that the process can sanitize, not just anything in the process.

    • @miawgogo
      @miawgogo 7 years ago +9

      Jan Sten Adámek Like on Linux, where dbus uses XML to do IPC. It sounded like on Windows it used actual code functions

    • @stensoft
      @stensoft 7 years ago +4

      Benjamin Philipp Opening a web page from the command line actually does IPC in the background, otherwise it would open a new browser instance each time (which would need IPC to synchronize history and cookies with other instances). And when it needs to do IPC anyway, you can just cut the middleman and call it directly.

  • @TheStevenWhiting
    @TheStevenWhiting 7 years ago +27

    I wonder if Process Explorer would show Chrome as the parent of calculator in that example, so showing Chrome ran it

  • @DuncanEllis
    @DuncanEllis 7 years ago +8

    I love the subtly placed Acorn Atom right in front of him.
    I miss my Atom. That was a good machine.

  • @visualdragon
    @visualdragon 7 years ago +28

    This is nowhere near as bad as dirty cow. Dirty cow allows a restricted account to gain root access. There is NO privilege escalation in Atom Bombing. You can still only do what that user can already do. You're just making it really complicated and calling it an exploit. This still requires that you get the exploit program onto the target machine. You are already on the other side of the air-tight hatchway, so to speak, so all bets are off. Frankly, all you need to do is trick the user into installing your exploit program and include an "auto-update" feature that lets you see "the newest bestest funniest cat pictures LOL DERP" and now the user will grant it access to the Internet.

    • @stensoft
      @stensoft 7 years ago +7

      Nobody said it's as bad as Dirty COW but it still allows you to circumvent local security. On many computers, there is a firewall installed that limits what processes can communicate over the internet and with which websites (e.g. Kerio or Nod32 do that). This allows the attacker to communicate even when his application should not be able to.

    • @JeSuisUnKikoolol
      @JeSuisUnKikoolol 7 years ago +1

      If the injected code is executed in another process then it has the same privileges as the targeted process (right?), doesn't it mean that this technique has privilege escalation capability?

    • @stensoft
      @stensoft 7 years ago +8

      JeSuisUnKikoolol You can call this IPCs only on processes of the same user. It has some potential of privilege escalation inside the user's namespace (like accessing internet from a process that should not be able to) but it can't be used for full privilege escalation (getting admin rights).

    • @JeSuisUnKikoolol
      @JeSuisUnKikoolol 7 years ago +2

      Jan Sten Adámek
      Ok, thank you

    • @visualdragon
      @visualdragon 7 years ago +4

      Jan Sten Adámek There are others commenting that this might be as bad or worse than dirty cow. My main point is that if you can already run code as the user, there are far easier ways to manipulate them into granting your program internet access. How many programs do you have installed right now that auto-update? Programs are always installed using elevated privileges and internet access is granted at that time. This is a non-exploit and it's disappointing to see ***** not explaining this in more detail. The click-bait title is disappointing as well.

  • @sandwich2473
    @sandwich2473 7 years ago +13

    99.99% of all NHS Systems are windows. 99.99% of all letters are typed in-house. That's a lot of patient data up for grabs...

    • @Thorpe
      @Thorpe 7 years ago +1

      Sandwich247 Don't worry. Google will keep them safe.

    • @UberMun
      @UberMun 7 years ago +2

      +L Ahahahahahahahaha

  • @Dominoes282
    @Dominoes282 7 years ago +2

    Came for the exploit, stayed for the best explanation of atomic types ever.

  • @hellterminator
    @hellterminator 7 years ago +31

    So, how is this better than doing VirtualAllocEx, WriteProcessMemory and CreateRemoteThread? I mean, you can inject code into another process with documented Windows APIs, so what's the advantage here?
    EDIT: Right, so I read the article and basically the advantage is that (unlike WriteProcessMemory for example) the APIs used here are not monitored by modern security solutions, so (for now) you're less likely to be detected.

    • @GrumpyCrawley
      @GrumpyCrawley 7 years ago +1

      I agree... Why bother storing code in an Atom if you're already able to CreateRemoteThread on a target process to run what code you want...? Plus I believe Atoms have a restricted size footprint limiting the amount of code you can store, which isn't an issue with remote threads.

    • @leet137
      @leet137 7 years ago +1

      I don't know either. From what I have seen on msdn, an atom can store 255 bytes. You cannot search through the atom tables though and I guess that's the point. You can search for a specific string or the integer representing the atom, but you can't iterate through all existing atoms by index. That means your crypted string/virus + runpe can be written into atom tables in plain and there is not a real detection for it. I mean it is basically stored in memory, but it can't be detected. If you would load or store detected code in "normal RAM" antivirus could access it and detect it. It's not a real security threat though because you still need to run an EXE that has the virus stored in it and has to store it in atom tables. Once they are stored there, you would still need to inject either a DLL or code in for example Chrome to load it from there and execute it. So tl;dr: Atom tables allow you to store detected code in memory without getting detected - that's it.

    • @hellterminator
      @hellterminator 7 years ago +6

      +nemo - est I've read the article and they use APCs to force the target process to load the atom and to then execute a ROP chain which will allocate a block of RWX memory, copy the atom (currently loaded in RW memory) into it and execute it. The advantage is that current security software doesn't monitor the API used to allocate APCs (well it does, but it only looks for stuff like LoadLibrary), so you're less likely to set off an alarm. Contrary to the claims Computerphile makes, this is easily fixable. The exploit calls NtQueueApcThread (an API which is already monitored by most security products) and passes GlobalGetAtomName to it. There is no legitimate scenario when you should be doing that (in fact NtQueueApcThread is an undocumented API, so you shouldn't be calling it at all), so you just need to detect that and stop it.
      Also you very much can iterate over the global atom table. GlobalGetAtomName returns the length of the atom on success or 0 if it fails (like when that atom doesn't exist). An atom is represented by a 16-bit integer, so all you have to do is iteratively call GlobalGetAtomName with values between 0 and 65535 and you can dump the whole table.

    • @leet137
      @leet137 7 years ago +1

      ***** interesting thanks...can you send me the article? :)

    • @hellterminator
      @hellterminator 7 years ago

      nemo - est It's linked in the description.
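As an added example (not from the video, the article, or any commenter) of the table walk hellterminator describes in the reply above, this PowerShell script enumerates the global atom table through the kernel32 export GlobalGetAtomNameW and flags entries that do not look like ordinary text. The `Win32.Atoms` wrapper type, both function names and the "suspicious" heuristic are my own assumptions; only the Win32 call and the atom value ranges come from the platform.

```powershell
# Added example: defender-side dump of the global atom table, following the
# observation that GlobalGetAtomName returns 0 for an empty slot and the
# name length otherwise, so every 16-bit value can simply be tried in turn.
# The wrapper type name Win32.Atoms is an assumption; GlobalGetAtomNameW is
# the real kernel32 export.
Add-Type -Namespace Win32 -Name Atoms -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
'@

function Get-GlobalAtomTable {
    # String atoms occupy 0xC000..0xFFFF; values below 0xC000 are integer atoms,
    # for which GlobalGetAtomName only returns "#<number>", so they are skipped.
    # Atom names are at most 255 characters, so a 256-character buffer suffices.
    $buffer = New-Object System.Text.StringBuilder 256
    for ($atom = 0xC000; $atom -le 0xFFFF; $atom++) {
        [void]$buffer.Clear()
        $len = [Win32.Atoms]::GlobalGetAtomNameW([uint16]$atom, $buffer, $buffer.Capacity)
        if ($len -gt 0) {
            [pscustomobject]@{
                Atom   = '0x{0:X4}' -f $atom
                Length = $len
                Name   = $buffer.ToString(0, $len)
            }
        }
    }
}

function Test-SuspiciousAtomName {
    param([Parameter(Mandatory)][string]$Name)
    # Heuristic (an assumption of this example, not a rule from the video):
    # legitimate atoms are window class names, DDE topics, clipboard format
    # names and similar short printable strings. Machine code or an encoded
    # blob stored as an atom tends to contain control characters or to run
    # close to the 255-character maximum. A hit is a lead, not a verdict; the
    # atom table does not record which process added an entry.
    if ($Name.Length -ge 200) { return $true }
    foreach ($ch in $Name.ToCharArray()) {
        $code = [int]$ch
        if ($code -lt 0x20 -or ($code -ge 0x7F -and $code -le 0x9F)) { return $true }
    }
    return $false
}

$table = @(Get-GlobalAtomTable)
Write-Host ("{0} string atoms present in the global atom table" -f $table.Count)

# Print only the entries the heuristic flags, with non-printable characters
# replaced by '.' so the console output stays readable.
$table |
    Where-Object { Test-SuspiciousAtomName -Name $_.Name } |
    Format-Table Atom, Length, @{ Label = 'Name'; Expression = { $_.Name -replace '[^\x20-\x7E]', '.' } }
```

Run it in an ordinary (non-elevated) PowerShell session; the global atom table is readable by any process, which is exactly why a periodic scan of this kind is cheap to add to an endpoint baseline.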

  • @oOOpIIIqOOo
    @oOOpIIIqOOo 7 years ago +3

    Steve Bagley's videos are amazing. Can you make one discussing the pros and cons of linux, iOS and MS with comparing the structural solidity of each, for example Linux doesn't use atoms but ...

  • @wisteela
    @wisteela 7 years ago +4

    I like the placement of the Acorn Atom. It actually took me a while to click why it was there.

  • @phiefer3
    @phiefer3 7 years ago +5

    It seems to me, that rather than having anti-malware programs check every system call to look for global add atom calls and then checking the atom to see if it's suspicious, that maybe windows should put a check directly in the global add atom process that either checks for suspicious atoms or at least throws an event or handle so that anti-malware programs know when that specific system function is used to investigate, without having to monitor every single one.

  • @user-uc4ll6kx1g
    @user-uc4ll6kx1g 7 years ago +2

    So the only thing they discovered was a slightly more convenient way of moving data into the attacked process? If so it doesn't appear to be noteworthy. The real issue is that a printer driver can attach itself as a debugger (I assume that is what you mean by saying "asynchronously execute functions on behalf of another process") to a chrome.exe.

  • @ctx4241
    @ctx4241 3 years ago +3

    you know you are talking to a person that works "close to metal" when he has pliers lying on his table next to 6 computers

  • @davidprock904
    @davidprock904 3 years ago +2

    Thanks for bringing this up, it lets me know the architecture I've been working on is not vulnerable to this!

  • @MeanHacker
    @MeanHacker 7 years ago +1

    3:50 he said 0 to 65536... in fact, it should actually be 0 to 65535 with 65536 possible unique values (including zeros). not sure if it was a mistake, but nice video. really informative

  • @MidnightSt
    @MidnightSt 7 years ago +5

    I'm sorry (and not entirely sure), but this sounds like what Raymond Chen would call "it rather involved being on the other side of an airtight hatchway".
    As soon as you're able to mess with the memory outside of your process, and flip NX bits, you own the machine. Anything else is extraneous and unnecessary, and not really a security exploit, it's just flavoring on top of it.

    • @ALivingDinosaur
      @ALivingDinosaur 7 years ago +2

      Both of these features have absolutely legitimate applications - ability to write to another process' memory is needed by debuggers and controlling the NX bit from user-space is the very foundation of JIT compilation.

  • @avrahams1
    @avrahams1 7 years ago +2

    Something I don't get - what's the purpose of using the Atom API in this exploit?
    The main hurdle you have to overcome here is the permissions - if the user hasn't turned off UAC, your process wouldn't have the permission to write into another process's memory, as it will be run with a normal user security token.
    On the other hand, if you do somehow run with administrative rights, you can take the malicious code you originally stored in the Atom table and write it directly into Chrome's memory, or just run whatever piece of code you want to yourself.
    So why is the Atom necessary here?

  • @DrDress
    @DrDress 7 years ago +62

    Man! How can anyone make this work?
    I get 10 errors when making a "Hello world" program.

    • @JayfeatherFan1000
      @JayfeatherFan1000 7 years ago +16

      I get ten errors when I type a single character and haven't even tried running any code.

    • @mohamedelmi5028
      @mohamedelmi5028 5 years ago +3

      Hang in there bro, try again again and again. Watch out for the brackets

    • @JohnDoe-sp3dc
      @JohnDoe-sp3dc 4 years ago +1

      Try running a linter. I'm a web developer and I run both a linter and a code formatter that makes life a breeze. You'll get there man just gotta keep on keeping on

    • @AlexTechie
      @AlexTechie 4 years ago

      @Hand Solo Learn to Journal

  • @U014B
    @U014B 7 years ago +17

    5:01 CHROMG

  • @vladkrstevski1482
    @vladkrstevski1482 5 years ago +1

    Nobody:
    Grandma's 1989 fridge: *Wants to connect to the internet*

  • @mgoksu33
    @mgoksu33 7 years ago +6

    I just can't stop myself from checking out the machines in the background :)

    • @hoikay1
      @hoikay1 7 years ago +1

      Miraç Göksu Öztürk Me too...

    • @cigmorfil4101
      @cigmorfil4101 3 years ago

      I got stuck looking at the one in the foreground.

  • @jsebbf
    @jsebbf 7 years ago +2

    I really appreciate the higher framerates, thanks!

  • @bkiffter
    @bkiffter 7 years ago +22

    For the love of OCD: if you do retakes from different perspectives please check the continuity before splicing them in. Especially if the pencil screech noise doesn't sync to the video....

    • @EscapeMCP
      @EscapeMCP 7 years ago

      Screech, screech, screech...
      ...
      ...
      Amen

    • @ritlew
      @ritlew 7 years ago +8

      I don't think they care, it's just to make sure people understand what the person talking is referencing, the pencil screech doesn't matter. I'm also pretty sure they aren't retakes, it's just a clip from a different point in their recording

    • @ryanhenson5259
      @ryanhenson5259 7 years ago +2

      also why not use the audio from one source and just cut the video back and forth?

    • @zadnoor2072
      @zadnoor2072 7 years ago +1

      I honestly don't care about the perspectives, pencil screeches, etc. Just swallow what they feed us. Not everybody does this without the drama.

  • @Angel_Bob_
    @Angel_Bob_ 7 years ago +1

    I love your videos. They're always well made, very enjoyable and delightfully insightful on topics I find most fascinating. Can I just ask one thing? Please please please stop having those kinds of markers be audible. It actually makes these otherwise brilliant videos almost painful. I hate to give any negative feedback, but I wish to want to binge your videos and markers always make me stop.

  • @benjulesprice
    @benjulesprice 4 years ago +3

    How is this any different to standard dll injection? You're allocating executable memory in the target process then mapping the malicious code into it (you could just as well use WriteProcessMemory to do this rather than the atom table and a rop-chain??) and then executing it by calling CreateRemoteThread. It was also mentioned that this leaves "no traces" and is "hard to detect" which is false considering the two steps previously mentioned. For one, random rwx memory is allocated and a random thread is also created both of which are trivial to detect! There's definitely no need for antiviruses to hook system calls especially considering that the system call table is monitored by PatchGuard which means the antivirus would have to be using a hypervisor.

  • @lord123abc
    @lord123abc 7 years ago +2

    Like how he has an Acorn Atom on his desk

  • @Golinth
    @Golinth 7 years ago +2

    I remember seeing this on the PCMR subreddit

  • @blipman17
    @blipman17 7 years ago +2

    Isn't this a problem of applications which aren't sanitizing their input? Similar to SQL injection, but this time facilitated by RPC?

  • @KuraIthys
    @KuraIthys 7 years ago +3

    My firewall has a security scanner that warns you literally every time one program calls anything at all in another, or launches another program...
    But it's so pedantic with its warnings that it's more hassle than it's worth unless security is really important to you.
    99.9% of everything it warns you about is harmless and even necessary for basic things to function.
    The problem with this method of security is it relies on the user knowing what's legitimate and what isn't, even though under regular circumstances most of the warnings are stuff no program ever made will explain to you that it does.
    So untangling what's safe to allow and what isn't is way too hard in most cases.

    • @willd0g
      @willd0g 4 years ago +1

      KuraIthys thanks for this bit of info!

  • @jerryorg1
    @jerryorg1 6 years ago +3

    Is it just me, or do all exploit demos use the calculator as an example? the VBA GameShark code file exploit did it, this video did it...

    • @willd0g
      @willd0g 4 years ago

      Robert Miles better the calculator than our internet banking haha. But at least they’re consistent!

    • @leogama3422
      @leogama3422 3 years ago

      As a demo that others should try on their own computers or VMs, it has to be a program that’s available on all possibly vulnerable Windows versions. So why not calc.exe?

  • @wavesofintelligence
    @wavesofintelligence 7 years ago +21

    WOW! Heartbleed -> Dirty COW -> Atom Bomb!!

    • @MrOboema
      @MrOboema 7 years ago

      Can't find the SQL Slammer video though. Does one exist?

    • @udemo5695
      @udemo5695 6 years ago

      sequel smasher

  • @Lostpanda123
    @Lostpanda123 7 years ago +1

    Could not resist laughing when I saw the skull and bones symbol! XD

  • @pm79080
    @pm79080 7 years ago +3

    2Spooky4Me, thank you for another great video!

  • @Lorkin32
    @Lorkin32 7 years ago +8

    I'm just going to download this... for science, of course..

  • @realtenfour
    @realtenfour 7 years ago +3

    I don't understand the point of using atoms. Why would someone use the atom table over WriteProcessMemory()? Or any other form of IPC like pipes or windows.

  • @DePhoegonIsle
    @DePhoegonIsle 7 years ago +4

    The problem is that, unless it manages to co-opt and become an 'elevated program', key features & elements are still completely locked off, and the most you're off to doing is spying.
    Though if this does get more prevalent, the solution does exist, HIPS will be baked into whatever 'defender' Windows gets and logging, prompts will start to happen, as to Windows asking if you want 'X program to access Y program data' before those calls even get processed.

    • @DePhoegonIsle
      @DePhoegonIsle 7 years ago +2

      ***** Erm, the problem is that it doesn't translate the privileges to the other program, right?
      A program that 'accesses' another's memory section still retains the lowest permissions of the two, assuming no elevation was given. It may look as if it's from say 'chrome' but it has the permissions of said program. Truth be told, the 'opening' program has to have the elevated permissions for real damage to be done.
      -The reason is that the program/user that opened it sets the permissions level. (& Yes NT based Windows w/ UAC enabled, even admin users have standard user rights without elevation with minor difference of it has slightly more freedom than normal Standard user rights.)
      -
      NTFS carries & uses DENY over ALLOW, and assumes DENY if ALLOW or DENY isn't set for some action. (which isn't normally seen as USER permissions are very thorough and a user is the starting point for permissions most of the time. Whereas a program that isn't triggered directly by the user, is given base permissions[Everyone], not [System] which is reserved for selected Processes.)

    • @BritishBeachcomber
      @BritishBeachcomber 7 years ago +1

      Kerns Noel spying is all you need to keylog passwords

  • @harrytsang1501
    @harrytsang1501 7 years ago +3

    You got the new apple wireless keyboard, and you've got two of 'em

  • @MatthewSuffidy
    @MatthewSuffidy 4 years ago

    The idea is that you have corrupted part of the kernel mode side of windows to do weird things. The malicious driver has to alter the executable parser part of windows, or I guess it could try to mod the executable from kernel mode. So if you snooped your system atom table and see your key input you have a problem.

  • @niktedig853
    @niktedig853 3 years ago

    If you can execute a function inside chrome to take the atom and store it in memory, can’t you just do whatever you want to at that step, instead of relying on the atom? Or does windows have some security in place for that sort of thing.

  • @ozdergekko
    @ozdergekko 7 years ago +38

    The text at 3:14 :-)

    • @bernardosulzbach3134
      @bernardosulzbach3134 7 years ago +3

      Cool fact: it literally says iterally instead of "literally".

    • @valerianmp
      @valerianmp 7 years ago +3

      Is it a coincidence that it happens at 3:14?

    • @zadnoor2072
      @zadnoor2072 7 years ago +1

      So is that the meaning of Lorem Ipsum?

    • @zadnoor2072
      @zadnoor2072 7 years ago

      Holy Moly. That's crazy

    • @valerianmp
      @valerianmp 7 years ago

      afaik lorem ipsum is meaningless

  • @Ahlinders
    @Ahlinders 7 years ago +2

    I love your writing paper 😂
    A3 materix, nice!

  • @Lolwutdesu9000
    @Lolwutdesu9000 7 years ago

    Surely one can simply rehash the kernel directory and inject indirect SQL mapping to reboot all services? Or would that require kilobyting the table generator?

  • @OrangeShellGaming
    @OrangeShellGaming 7 years ago

    Does ASLR (address space layout randomization) defeat return-oriented programming? Not like it matters all that much, since the main flaws are already there in the OS.

  • @ImSquiggs
    @ImSquiggs 6 years ago +3

    "Donkey's Years" is slang for "A very long time", and originates from the previous slang term of "Donkey's Ears", which is a reference to the length of the animal's ears.
    So originally you'd say "I haven't seen you in a donkey's ears" to say it's been a while, but somehow that got mutated to the current phrase of "Donkey's Years".
    == Fun Facts in TH-cam Comments with Squiggs | Episode 1 ==

  • @markusr3259
    @markusr3259 7 years ago +2

    It seems to me that the real issue here is ROP.
    As for the wider attack, I could eventually see AV hooking the GlobalAddAtom/Ex API and running it through a reliable hash function before passing it on to the original function, perhaps only in the event where the lpString contains non-whitelisted characters... slower for sure, but the whole point is speed (and not needing to allocate memory to xfer strings).
    (Yes, I realise that antimalware unilaterally changing the internals of an entire system call is a huge problem in itself).

  • @_aullik
    @_aullik 7 years ago

    That example text tho XD Made my day :D

  • @gotbread2
    @gotbread2 7 years ago +5

    Where is the advantage of this method compared to the classical VirtualAlloc+WriteProcessMemory method? You have to do this too to get the code in the victim process. It's only a nice way to transport the data, but nothing new.

    • @brujua7
      @brujua7 5 years ago +2

      The point is that this method is not monitored by security applications, so there is less chance of being detected.

  • @UltimatePerfection
    @UltimatePerfection 7 years ago

    Regarding this malware example in the beginning... Isn't it easier to just hide it in something that the user may think needs to be connected to the internet, such as a freeware multiplayer game? Then you don't have to make out with Chrome/FF, which may show many effects such as browser processes opening/closing in the process manager, which could tip off more advanced users that something's not right.

  • @DopplerRunner
    @DopplerRunner 7 years ago +3

    "I'm Brian & so's my wife" in the atom animation

  • @ReedCBowman
    @ReedCBowman 7 years ago

    So how do other OSs prevent this, or is Windows the only one with anything like this system?

  • @GilesBathgate
    @GilesBathgate 7 years ago

    +Computerphile So basically this is a different way of doing VirtualAllocEx as used in reflective dll injection? I presume VirtualAllocEx is monitored by AV, whereas GlobalAddAtomW isn't?

  • @MarekKnapek
    @MarekKnapek 7 years ago +3

    Why don't you just do CreateRemoteThread + ROP?

  • @otakuribo
    @otakuribo 7 years ago

    I'm so glad you guys made these videos; but now I'm paranoid. I run everything on Dirty Cow and Atom Bomb vulnerable systems and there's nothing I can do about it, please help.

  • @sabrinnnaaaaaaa
    @sabrinnnaaaaaaa 7 years ago

    Could this be solved by not storing information like passwords in a program that connects to the Internet, or could it just get the information from the program storing the passwords and then send it via another program that connects to the Internet?

  • @thatLukeKneller
    @thatLukeKneller 7 years ago +2

    What's up with the terrible camerawork this time? Hold it still!

  • @deejay2221
    @deejay2221 7 years ago +1

    I don't get why you say it isn't discoverable by the antivirus. The end result is very hard to detect indeed, but it takes a program to execute the exploit. And this program has its own signature, which will be detected by antivirus, right? So is there really a way to execute this kind of exploit without any kind of "standalone" executable?

    • @sircular17
      @sircular17 7 years ago

      deejay2221 This exploit is mostly useful for Trojan Horses (malware disguised as something else.) Since many Trojan Horses are keyloggers that "phone home" (send collected keystrokes back to a server), lots of antivirus programs detect suspicious uses of resources (Internet usage being among them.) By using another harmless program as a proxy, malware using this exploit can disguise its resource use.

  • @tobortine
    @tobortine 7 years ago +28

    Microsoft - A living example of why accountants shouldn't run IT companies.

    • @kensmith5694
      @kensmith5694 7 years ago +2

      The fact that any attack can be done is evidence that the OS is defective. It is supposed to maintain security etc on its own. AV is just a bandaid covering the problem until the next version of the OS can fix the problem. If the code for the OS was free of all mistakes then AV would not be needed.

    • @realtenfour
      @realtenfour 7 years ago +5

      This exploit depends on the user explicitly running the malicious app with admin privs. How could any OS prevent a user from being malicious to themselves?

    • @kensmith5694
      @kensmith5694 7 years ago

      1) A virus can't do anything if it can't get onto the machine at all. Or if once on the machine it has no right to be executed. Things that a user may wish to install are always sandboxed.
      2) If by "your files", you mean those in user space, skip this but if it is a file that the OS has then there should be no way for a user to delete the file hence the user can never grant the rights to delete it.
      3) The point in the video was about using the internet. For that, it should be that no program installed by the user should be able to cause any access to the internet. This is not a file issue admittedly.
      4) If you allow the user to install something like a printer driver, then the printer driver should be strictly sandboxed so it can only access files in the directory assigned to it. It will get the thing to be printed via its "stdin" and can access the device for the printer in this example. It should not be able to even see anything beyond this.
      5) No user installed program is allowed to even see a file outside its sandbox without using the OS's mechanism to put up a dialog box asking the user for the file. Needless to say, the user can't give permission for a file beyond their rights.

    • @gillianseed4419
      @gillianseed4419 7 years ago +1

      You most certainly do need an elevated token to make another process start executing on your process's behalf, unless you have UAC disabled.

    • @technicalfool
      @technicalfool 7 years ago +1

      "but it is so locked down no one would want to use it"
      Many Android and iOS users would disagree with you there.
      Though granted, for any kind of development work or poking around with anything deeper than "I want that one %points finger%", having root access to your own machine is damned near essential.

  • @marsovac
    @marsovac 7 years ago

    How is this different from DLL injection except being more convoluted?

  • @rikwisselink-bijker
    @rikwisselink-bijker 7 years ago +2

    So the atom table is a sort of hash table where every program has its own rainbow table and there is a global rainbow table? And boy, it's old if it's only 16 bit..

  • @bobsmith-ov3kn
    @bobsmith-ov3kn 7 years ago +1

    This seems like a ridiculously easy thing to properly design an operating system around. If a program like a printer driver tries to use another program like a standard internet browser to communicate over the internet, obviously the program that actually ORIGINATED the request should be what's displayed on an access request warning. There is no way the operating system couldn't "know" which program actually initiated the request, and so barring the OS programmers being completely lazy and stupid, there is absolutely no reason an exploit like this should even be thinkable.

  • @archimedesworld3202
    @archimedesworld3202 7 years ago

    Computers remind me of the financial world, the best defense is education because the government, corporations, and people have not stopped trying to steal from each other.

  • @artisticcheese
    @artisticcheese 7 years ago

    I don't understand if this allows elevation of privilege. If it does not, then the only drawback of this vulnerability is the malware detection engine; otherwise your system is in no better or worse shape than to begin with, since you already allowed an external program to be launched on your computer.

  • @papa515
    @papa515 7 years ago +3

    I wonder if copying something to the 'executable' memory space of an application from a 'data' memory space is something that could be used to sort this out. Such an action does not appear to be something that you should be able to do. Isn't this the whole idea about how segmented memory protection works?

    • @EwanMarshall
      @EwanMarshall 7 years ago +3

      Well, the JavaScript engine is expected to do just that for the JIT compilation and execution of code. The fact that the code is self-modifiable is what makes modern computers so powerful and able to do a lot of the stuff they can do.

    • @papa515
      @papa515 7 years ago +2

      Ewan Marshall Yep, and that could be a path to take inside Chrome.
      The video said that any process could be made to execute the exploit. So now I am wondering if this capacity is somehow or other 'built into' Local/Global Atoms. I know when reading an MSDN article about this they referenced DDE (Dynamic Data Exchange), a very, very old thing.
      When I was doing Windows programming before I retired I know we avoided DDE like it was the plague. All our interprocess communication was via data only and signals to execute functions that were already in the remote process, I never recall anything that used dynamic code. It still seems like a fundamental violation of the architecture of the CODE/DATA/STACK/HEAP idea that the x86 processors started implementing way back in i386 days.
      And the way MSFT repurposes paradigms over and over it may be the case that the ability to execute data that is passed between processes is something they had and never managed to drop. MSFT was famous if for nothing else 'backward-compatibility'. And it may be in this case it has firmly and completely bitten them in the posterior.
      I think an analysis by Microsoft of this exploit should be published so it is clear how ANY process can be tricked into executing DATA.

    • @googlepask7551
      @googlepask7551 7 years ago +1

      Yes, as you suspected, one normally never gives write access to executable memory (that would make the access distinction completely pointless - and that distinction is the whole reason it even exists). If you need jit compilation then you obviously disable execution rights when you need to enable writes. *IF* the program (jit or whatever) is written correctly then no external source can use it to run arbitrary code.

  • @hoikay1
    @hoikay1 7 years ago

    When am I going to get a patch for this?

  • @mujeebishaq2237
    @mujeebishaq2237 7 years ago

    What is the global atom table? A table where all the global variables are stored, or what? I didn't understand it well at all...

  • @acherongoon
    @acherongoon 4 years ago +1

    Ha Ha Acorn Atom next to the MacBook - I learnt (not) to solder on one of these, iron too cold, blobby solder, luckily big brother was at college and used a higher temp solder station to make it work!

  • @Table-Top
    @Table-Top 7 years ago +1

    This video is helpful and appreciated, but it could have been 5 minutes with an option to view a longer video if you'd like more depth.

    • @RealCadde
      @RealCadde 7 years ago +2

      Or, if you want the short version... You can just google it.
      I hate it when a video is split in parts just because some people are too impatient to watch the GOOD version.

  • @A3Kr0n
    @A3Kr0n 5 years ago

    By the sound of it we're all pretty much screwed.

  • @suckinDiesel44
    @suckinDiesel44 7 years ago

    Nice! this is just what I needed...

  • @sendthistoben
    @sendthistoben 7 years ago

    I'm not a programmer/coder, so excuse the question. It seems like an atom is similar to a hash? Is it considered a hash, or how are they different?

    • @vonkruel
      @vonkruel 7 years ago +1

      They are just chunks of data locally stored in a table/directory that all processes on the Windows system can access. The malware stashes code in an "atom" then gets another process to load it into memory, subsequently tricking it into loading it into _executable_ memory ("NX" bit = off) and executing it.
      A hashcode is something else: a number calculated from an object. Hashcodes are used for different purposes but you can generally think of a hashcode as a "fingerprint" of an object (except that different objects _could_ have the same hash).

  • @Omnifarious0
    @Omnifarious0 7 years ago

    X11 has an atom table too. I wonder if this is possible with it.

  • @whatthefunction9140
    @whatthefunction9140 7 years ago

    I run Fedora 24. Love it. Never have to use the CLI if I don't want to.

  • @ShubhamBhushanCC
    @ShubhamBhushanCC 7 years ago +6

    I WANT A VIDEO ON DYNAMIC PROGRAMMING! Why not even a 5 part series. PLEASE PLEASE PLEASE PLEASE

  • @nO_d3N1AL
    @nO_d3N1AL 7 years ago +1

    Would've been nice to show this happening in Process Explorer or Task Manager.

  • @johnnysim1985
    @johnnysim1985 7 years ago +7

    Donkey's Years

  • @rchandraonline
    @rchandraonline 7 years ago

    Seems like that would be a fundamental design flaw, that a program would allow execution of arbitrary code. I would hope some receiver of this message (that there's an atom which should be accessed) can refuse to do anything with that atom.

  • @hearhurgle
    @hearhurgle 4 years ago +1

    1:26 Maybe I'm a tad more computer-savvy than the average person, but if an internet browser just suddenly, out of nowhere, needed *permission* to access the internet? That would make so many alarm bells go off in my mind. It'd be a bit like getting a call from some random number & being asked for your social security number by someone claiming to represent a bank or government agency.

    • @justgame5508
      @justgame5508 3 years ago +1

      It wouldn't be out of nowhere; you'll have already given Chrome permission in the firewall to use the internet when you first installed it, so there would be no signal to the user that anything was happening.

  • @MrCreeper1O2
    @MrCreeper1O2 7 years ago +1

    Confusing title, thought it was using nuclear weapons to crack window panes.

  • @urensoft6662
    @urensoft6662 7 years ago

    Isn't this something that can be addressed using private instead of public functions in your code?

  • @dertechl6628
    @dertechl6628 7 years ago

    The calling process has to open another thread with some special tokens. I wonder why not just interfere with this step?

    • @hanelyp1
      @hanelyp1 7 years ago +1

      The ability to queue an arbitrary operation on a thread in another process space indeed appears to be a critical security fail in itself. Making arbitrary calls into another process's code, as used by ROP, would be another fail that should be blocked.

  • @brianmiller1077
    @brianmiller1077 7 years ago

    Around 8:30-9:00, why does it let you copy non-execute memory to an executable area?

  • @passerby4507
    @passerby4507 7 years ago

    What is the saving grace for Linux and iOS? Lack of global atom tables?
    And is this a total failure on Windows part?

  • @sugarcane_is_rad
    @sugarcane_is_rad 7 years ago

    For running an Android emulator I had to turn my NX bit off. Does that open up my system to easier hacks?

  • @threesixtydegreeorbits2047
    @threesixtydegreeorbits2047 7 years ago

    I like you, H.P.Baxxter.

  • @aubertguillemette4355
    @aubertguillemette4355 7 years ago +2

    4:09 "I'm Brian and so's my wife."

  • @anonismust
    @anonismust 7 years ago

    How long is a piece of string, though?

  • @hc3d
    @hc3d 2 years ago

    I love the channel, but for the love of the Queen and all that is holy, why on earth are they using paper and filming the screen instead of compositing the PC output directly into the video?

  • @DuckGWR
    @DuckGWR 7 years ago

    Any version? I'll go boot up Windows 2.03 on my IBM XT.

  • @woaln5213
    @woaln5213 4 years ago

    It should be half this length

  • @ELYESSS
    @ELYESSS 7 years ago +9

    9:08 of course you'll leave the important part out as always

    • @ELYESSS
      @ELYESSS 7 years ago

      MofoesTeamPresents I've read that