
Fri, 23 Sep 2011

Runtime analysis of Windows Phone 7 Applications

Runtime analysis is an integral part of most application security assessment processes. Many powerful tools have been developed to perform execution/data flow analysis and code debugging for desktop and server operating systems. Although a few dynamic analysis tools such as DroidBox are available for Android, I currently know of no similar public tools for the Windows Phone 7 platform. The main challenge for Windows Phone 7 is the lack of a programmable debugging interface in both the emulator and phone devices. The Visual Studio 2010 debugger for phone applications does not have an "Attach to process" feature and can only be used to debug applications for which the source code is available. Although the Kernel Independent Transport Layer (KITL) can be enabled on some Windows Phone devices at boot time, which could be very useful for kernel and unmanaged code debugging, it can't be used directly for code tracing of phone applications, which are executed by the .NET Compact Framework.

The following figure demonstrates an overview of the process which I have used to record the execution and data flow of Windows Phone 7 applications without using a debugger:

The instrumented phone application prints out method names and variable values to the emulator console (which can be enabled by adding a registry key) at runtime. The console window buffer is then captured by an API hook on the WriteFile API in the emulator process and saved to the runtrace file. I have developed a tool named "XAP Spy" in C# to automate the above process. You will need the Windows Phone 7 SDK and .NET Frameworks 4.0 and 2.0 to run this tool (the API hook code is based on the EasyHook library, which only works with .NET Framework 2.0).
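For readers who want to see what the capture step looks like, the following is an added illustration of a WriteFile hook written against the EasyHook API (LocalHook, RemoteHooking, IEntryPoint). It is not XAP Spy's code: the class names ConsoleTap and Injector, the runtrace.txt file name, and the decision to keep only writes aimed at the process's standard output handle are my own assumptions. Captured buffers are queued inside the hook handler and written to disk from the injected thread, so the log write never re-enters WriteFile under the hook.

```csharp
// Added example: capture a process's console writes by hooking kernel32!WriteFile
// with EasyHook (http://easyhook.codeplex.com). Not XAP Spy's own code.
// Build ConsoleTap as a class library and Injector as a console exe.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading;
using EasyHook;

// Loaded into the target (the emulator process) by RemoteHooking.Inject below.
public class ConsoleTap : IEntryPoint
{
    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    delegate bool DWriteFile(IntPtr hFile, IntPtr lpBuffer, uint nToWrite,
                             out uint nWritten, IntPtr lpOverlapped);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteFile(IntPtr hFile, IntPtr lpBuffer, uint nToWrite,
                                 out uint nWritten, IntPtr lpOverlapped);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetStdHandle(int nStdHandle);
    const int STD_OUTPUT_HANDLE = -11;

    static readonly Queue<byte[]> captured = new Queue<byte[]>();
    static IntPtr stdOut;          // assumption: console text goes to this handle
    LocalHook writeFileHook;
    string tracePath;

    // EasyHook calls the constructor and then Run() with the Inject pass-through args.
    public ConsoleTap(RemoteHooking.IContext ctx, string tracePath) { }

    public void Run(RemoteHooking.IContext ctx, string tracePath)
    {
        this.tracePath = tracePath;
        stdOut = GetStdHandle(STD_OUTPUT_HANDLE);

        writeFileHook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "WriteFile"),
            new DWriteFile(WriteFileHooked), this);
        // Intercept on all threads (the convention used by EasyHook's FileMon sample).
        writeFileHook.ThreadACL.SetExclusiveACL(new int[] { 0 });

        // Stay alive to keep the hook installed; flush the queue every 500 ms.
        while (true)
        {
            Thread.Sleep(500);
            Flush();
        }
    }

    // Replacement for WriteFile: let the real call go through, then copy the buffer.
    static bool WriteFileHooked(IntPtr hFile, IntPtr lpBuffer, uint nToWrite,
                                out uint nWritten, IntPtr lpOverlapped)
    {
        bool ok = WriteFile(hFile, lpBuffer, nToWrite, out nWritten, lpOverlapped);
        if (hFile == stdOut && nToWrite > 0 && lpBuffer != IntPtr.Zero)
        {
            byte[] copy = new byte[nToWrite];
            Marshal.Copy(lpBuffer, copy, 0, (int)nToWrite);
            lock (captured) captured.Enqueue(copy);
        }
        return ok;
    }

    // Runs on the injected thread, never inside the hook handler.
    void Flush()
    {
        byte[][] batch;
        lock (captured)
        {
            if (captured.Count == 0) return;
            batch = captured.ToArray();
            captured.Clear();
        }
        using (FileStream fs = new FileStream(tracePath, FileMode.Append,
                                              FileAccess.Write, FileShare.Read))
            foreach (byte[] b in batch) fs.Write(b, 0, b.Length);
    }
}

public static class Injector
{
    public static void Main(string[] args)
    {
        int pid = int.Parse(args[0]);                         // emulator process id
        string trace = args.Length > 1 ? args[1] : "runtrace.txt";
        // EasyHook 2.6 needs the hook assembly GAC-registered first:
        //   Config.Register("ConsoleTap", "Injector.exe", "ConsoleTap.dll");
        // EasyHook 2.7 and later do not.
        RemoteHooking.Inject(pid, "ConsoleTap.dll", "ConsoleTap.dll", trace);
        Console.WriteLine("Hooked pid " + pid + ", appending to " + trace);
    }
}
```

Two checks are worth making before trusting the trace: confirm that the emulator's console output really arrives through WriteFile rather than WriteConsoleW (if nothing is captured, hook WriteConsoleW with the same pattern), and drop the standard-output handle filter if the console window is served from another handle, at the cost of also recording every other file write the process makes.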

Runtime analysis demo of a WP7 software token

Download XAP Spy binaries

Download source code

Update (9/21/2011): XAP Spy binaries for Windows Phone SDK7.1 can be downloaded here.

Tue, 13 Sep 2011

Hacking Online Auctions - UnCon && ITWeb talk

I gave an updated version of my 'Hacking Online Auctions' talk at UnCon in London last week. The talk gave a brief intro to general auction theory and how the models can be applied online, but the main focus was on 'penny auction' websites. What are those all about then? Well, during my Masters last year I took a course on Internet Economics, and one of the modules involved auction theory. It was a really interesting module, and I did a bit of my own research on the side, whereby I stumbled across various penny auction sites. The sites (which pretend to be akin to eBay or the likes) go a little something like this:

1) Loads of high demand products up for auction (e.g. iPhones, cars, TVs, cameras, etc).
2) All auctions start from some predetermined countdown, usually around 5-9 hours, and tick down one second at a time.
3) All auctions start with an opening price of £0.01 (or R0.01 etc). Each bid placed increases the price by one penny/cent.
4) When the timer hits zero and no-one places a bid, the auction ends and the last bidder wins. He pays the price that the item climbed to.

If you check out some of these websites, you'll notice that items seem to sell for ridiculously low prices - e.g. an iPhone 4 for £30, an Audi A1 for £300. The sites also, of course, include various 'winner galleries', showcasing happy winners with their dirt-cheap fancy kit. It all seems too good to be true, and the sites lure in loads of sucke^Wplayers.

Alas, there are two big caveats which are not mentioned early on:

1) You have to purchase your bids in advance - for anything from £0.20 to £0.50 each.
2) If someone places a bid when the countdown timer is under 30 seconds, the timer gets reset to 30 seconds, indefinitely.
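To make the economics of those rules concrete, here is an added example (my own code, not part of the talk or its tooling) that simulates an auction under exactly the mechanics listed above: a one-penny increment per bid, pre-purchased bids, and a reset to 30 seconds whenever a bid lands under 30 seconds. The bidder names, their bid budgets and aggressiveness, the £0.50 bid price and the 60-second starting countdown are constructed inputs; the assumption that the first bid moves the price from £0.01 to £0.02 is mine as well.

```csharp
// Added example: penny auction simulator for the rules described in the post.
// All bidders, budgets and prices below are constructed sample input.
using System;
using System.Collections.Generic;
using System.Linq;

public class PennyAuctionSim
{
    public class Bidder
    {
        public string Name;
        public int BidsOwned;      // bids bought in advance
        public int BidsUsed;
        public double Aggression;  // chance per second of bidding while under 30 s
    }

    public class Result
    {
        public string Winner;
        public decimal FinalPrice;
        public decimal WinnerBidSpend;   // what the winner paid for the bids they used
        public decimal TotalBidSpend;    // what every bidder paid for bids, losers included
        public decimal OperatorRevenue;  // bids sold + final price
    }

    const decimal Increment = 0.01m;
    const int ResetSeconds = 30;

    // Closed form: operator revenue implied by a final price, assuming the first
    // bid takes the price from the opening 0.01 to 0.02.
    public static decimal RevenueFromPrice(decimal finalPrice, decimal bidCost)
    {
        long bids = (long)((finalPrice - Increment) / Increment);
        return bids * bidCost + finalPrice;
    }

    public static Result Run(List<Bidder> bidders, decimal bidCost, int startSeconds, int seed)
    {
        Random rng = new Random(seed);
        int timer = startSeconds;
        decimal price = 0.01m;
        Bidder last = null;

        while (timer > 0)
        {
            timer--;
            if (timer < ResetSeconds)
            {
                // At most one bid per simulated second, from a random eligible bidder.
                foreach (Bidder b in bidders.OrderBy(_ => rng.Next()))
                {
                    bool hasBids = b.BidsUsed < b.BidsOwned;
                    if (hasBids && b != last && rng.NextDouble() < b.Aggression)
                    {
                        b.BidsUsed++;
                        price += Increment;
                        last = b;
                        timer = ResetSeconds;   // the reset rule that keeps the auction alive
                        break;
                    }
                }
            }
        }

        Result r = new Result();
        r.Winner = last == null ? "(no bids)" : last.Name;
        r.FinalPrice = last == null ? 0m : price;
        r.WinnerBidSpend = last == null ? 0m : last.BidsUsed * bidCost;
        r.TotalBidSpend = bidders.Sum(b => b.BidsUsed) * bidCost;
        r.OperatorRevenue = r.TotalBidSpend + r.FinalPrice;
        return r;
    }

    public static void Main()
    {
        // The headline case from the post: an iPhone 4 "sold" for 30.00 with 0.50 bids.
        Console.WriteLine("Final price 30.00 at 0.50 per bid -> operator takes {0:F2}",
                          RevenueFromPrice(30.00m, 0.50m));

        List<Bidder> bidders = new List<Bidder>
        {
            new Bidder { Name = "alice", BidsOwned = 150, Aggression = 0.05 },
            new Bidder { Name = "bob",   BidsOwned = 300, Aggression = 0.05 },
            new Bidder { Name = "carol", BidsOwned = 80,  Aggression = 0.10 },
        };
        Result res = Run(bidders, 0.50m, 60, 1);

        Console.WriteLine("Winner: {0}, final price {1:F2}, winner's bid spend {2:F2}",
                          res.Winner, res.FinalPrice, res.WinnerBidSpend);
        foreach (Bidder b in bidders)
            Console.WriteLine("  {0}: used {1}/{2} bids, spent {3:F2}",
                              b.Name, b.BidsUsed, b.BidsOwned, b.BidsUsed * 0.50m);
        Console.WriteLine("Operator revenue: {0:F2} (bids {1:F2} + price {2:F2})",
                          res.OperatorRevenue, res.TotalBidSpend, res.FinalPrice);
    }
}
```

The closed form alone makes the point: a £30.00 final price is 2,999 bids, so at £0.50 a bid the operator collects £1,529.50 for the item, and every losing bidder's spend is pure revenue. The simulation shows the second mechanism: because a bid under 30 seconds always resets the clock, the auction does not end when the timer runs down but when everyone except one bidder has burned through the bids they bought in advance.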

So, after I realised the slightly dodgy premise of these businesses, I decided to do some deeper investigation. I identified a few of the biggest / most popular penny auctions websites, decoded their server <--> browser protocol, and made my own simple client to query auctions over time. Over a period of 90 days I observed some 30,000 auctions, involving over 2,000,000 individual bids from around 20,000 unique players. All of this was pumped into a nice MySQL db, allowing us to dig through the data and pull out some interesting stats, and devise some cunning methods to 'game the system'.

Tue, 6 Sep 2011

Systems Applications Proxy Pwnage

[2011/9/6 Edited to add Slideshare embed]

I am currently in London at the first ever 44con conference. It's been a fantastic experience so far - excellent talks & friendly people.

Yesterday, I presented a paper titled "Systems Applications Proxy Pwnage". The talk precis sums it up nicely:

It has been common knowledge for a number of years that SAP GUI communicates using an unencrypted and compressed protocol by default, and numerous papers have been published by security professionals and researchers dealing with decompressing this traffic.

Until now, most of these methods have been time consuming, convoluted and have focussed more on obtaining sensitive information (such as credentials) than a thorough understanding of the protocol used by SAP GUI.

During this presentation, the speaker will focus on the protocol used by SAP GUI. The speaker will demo and release a new tool-set to assist security professionals in parsing, decompressing and understanding this protocol, as well as demonstrate how this formerly sacrosanct protocol makes SAP applications potentially vulnerable to a wide-range of attacks which have plagued web applications for years.

The talk went very well. All demos worked perfectly. My newly authored toolset not only seems to have performed admirably during the presentation, but also seems to be in some demand...

As such, I'm pleased to announce the public release of two tools - SApCap and SAPProx.

SApCap is a Java-based packet sniffer, decompressor and protocol analysis tool for SAP GUI. It makes use of a third-party JNI interface for pCap (get it here) and a custom-built JNI decompression interface for SAP. You can download it here.

SAPProx is what I believe to be the world's first ever SAP GUI proxy. Think of it as WebScarab for SAP. You can download it here.

The programs are GPL, and the sources are also available from the relevant pages.

The custom JNI library used for decompressing SAP traffic is also available from the previously mentioned download pages in both binary and source formats. I have, however, only had the opportunity to build binary libraries for Mac OS X, Linux (32-bit) and Windows (32-bit). I will add more binary libraries as soon as I get back to ZA and have access to some different build environments again.

If you're interested, a copy of my 44con presentation is available from here or below.