Hack the Gibson – Episode #71

Read the reason for these posts. Read Steve Gibson’s response.

Hello all! Here is the latest of my rants / commentary series regarding the Security Now! podcast. This podcast is dedicated to discussing a vaporware security freeware: SecurAble. This isn’t more than a glorified CPU identification utility, similar but (based on the description) much more limited than many free ones, not to mention commercial ones. There is even at least one open source program out there with the same purpose.

What features does it supposedly have?

  • Detecting the manufacturer of the CPU
  • Detecting if it is a 64-bit (also callde x64) capable CPU
  • Detecting if it has the NX-bit (so that you can have hardware assisted DEP in Windows)
  • Detecting the presence of the NX bit, even if it was disabled in the BIOS
  • Probably a nice little story wrapped around all of these

The first three can be accomplished by the following short program written in FreePascal (if you want to use Turbo Delphi to compile it, make sure to remove the Crt unit, disable optimization and mark it as a console application, because otherwise it generates an erroneous code):

A little more than a hundred lines. Steve Gibson also likes to play the size game. Wherever possible he likes to mention that he writes his programs in assembly to make them as fast and as small as possible. However assembly is more a religion today than an useful tool. The proof is that I’ve written the above program in one afternoon while he works on his version for at least three weeks now. Also, he mentioned a file size of 24 KB on the show (without the digital signature). The above program, compiled with Turbo Delphi, is 21 405 bytes. No assembly, no magic. Steve also likes to pack his programs with UPX. But this is not enough for him, he also uses some modified version of UPX to hide this fact. Packing is not a protection tool and is mostly useless. But to even the field, since most probably he refers to the size of the packed executable, my executable packed is 11 KB. Of course I don’t include stories with my programs, because I write them on my blog.

The last point is the only interesting one. I’ll get a little technical here, so I apologize for the non-geeky readers: as Steve stated the only sanctioned way to accomplish this is to write a driver, because the information resides in a MSR register and the instructions required to read them are privileged ones. There are undocumented functions to read them from user mode (see here and here on OpenRCE.org), but they were eliminated starting from Windows 2003 SP1 (as was DevicePhysicalMemory). From what I gather, this information is available only for Intel processors (maybe AMD doesn’t offer the possibility to disable it from the BIOS). For more (technical) information check out the AMD and the Intel documentation (both are hard to find) and some third party info.

I await eagerly the release version of this tool to poke around with it and write about it.

, ,

2 responses to “Hack the Gibson – Episode #71”

Leave a Reply

Your email address will not be published. Required fields are marked *