shiva


mike
January 12th, 2005, 17:23
SHIVA, ELF encryption tool
http://www.securiteam.com/tools/5XP041FA0U.html

zipped ppt attached explaining the tool

0xf001
January 12th, 2005, 18:09
definitely a cool tool!

did anyone get it to run? I tried (just quick, no "analysis") with kernel 2.6.x and 2.4.x on mdk, knoppix, suse, and "out of the box" it segfaults

but they say currently they expect many problems with it as it is under development.

I can't wait to get a running copy and play around with it. I potentially see weaknesses when one patches (wraps) ptrace(), is using other kernel modules to load the executable, or implements a tracer / debugger which does not use ptrace(). Also, luckily, one can patch the /proc modules so ....
we will see...

Next came to my mind that code analysis using intermediate representation is missing a good tool, isn't it? (meaning I do not know one) At least the obfuscation could be cleaned up by that.

Those are all "approaches" of course, or - some initial thoughts haha

thanks for this link!!

0xf001

NOP
January 13th, 2005, 08:16
some packers / crypters
http://www.exetools.com/forum/showthread.php?t=5042

0xf001
January 16th, 2005, 08:31
cool NOP!

I am not allowed to download those tools in the forum, but googled them. Actually none of them worked on my system; maybe I have to use an older kernel / libc / ... need time!

for shiva 0.95 I have found some very interesting links; it was defeated in at least 3 different ways, as described here:

http://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-clowes.pdf

more details here
http://www.blackhat.com/presentations/bh-federal-03/bh-federal-03-eagle/bh-fed-03-eagle.pdf

There should be a 0.96 out; I did not find it yet.

Shiva was, besides others, attacked by using the IDA code emulation plugin

http://ida-x86emu.sourceforge.net/