
Fri, 23 Sep 2011

Runtime analysis of Windows Phone 7 Applications

Runtime analysis is an integral part of most application security assessment processes. Many powerful tools exist for execution and data-flow analysis and code debugging on desktop and server operating systems. Although a few dynamic analysis tools such as DroidBox are available for Android, I currently know of no similar public tools for the Windows Phone 7 platform. The main challenge on Windows Phone 7 is the lack of a programmable debugging interface in both the emulator and phone devices. The Visual Studio 2010 debugger for phone applications has no "Attach to process" feature and can only debug applications for which the source code is available. The Kernel Independent Transport Layer (KITL) can be enabled at boot time on some Windows Phone devices, which could be very useful for kernel and unmanaged code debugging, but it can't be used directly for code tracing of phone applications, which are executed by the .NET Compact Framework.

The following figure gives an overview of the process I have used to record the execution and data flow of Windows Phone 7 applications without using a debugger:

The instrumented phone application prints method names and variable values to the emulator console (which can be enabled by adding a registry key) at runtime. The console window buffer is then captured by an API hook on the WriteFile API in the emulator process and saved to the runtrace file. I have developed a tool named "XAP Spy" in C# to automate the above process. To run it you will need the Windows Phone 7 SDK and .NET Frameworks 4.0 and 2.0 (the API hook code is based on the EasyHook library, which only works with .NET Framework 2.0).
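A runtrace of the kind the instrumented application emits is only useful once it is post-processed: call nesting has to be rebuilt from the flat stream of method entries and exits, and a value of interest (a derived key, a PIN) followed from the method that produced it to every method that received it. The parser below is an added example, not part of XAP Spy; its ENTER/EXIT line layout and the software-token trace excerpt are constructed for illustration, since the post does not document the real runtrace format.

```python
import re
from dataclasses import dataclass, field

# Constructed runtrace excerpt from a hypothetical software-token app. The
# ENTER/EXIT layout is assumed for this example; the post does not specify it.
SAMPLE_TRACE = """\
ENTER TokenApp.MainPage.GenerateCode(pin=1234)
ENTER TokenApp.Crypto.DeriveKey(pin=1234, seed=a1b2c3)
EXIT TokenApp.Crypto.DeriveKey -> 9f8e7d
ENTER TokenApp.Crypto.Hotp(key=9f8e7d, counter=42)
EXIT TokenApp.Crypto.Hotp -> 318274
EXIT TokenApp.MainPage.GenerateCode -> 318274
ENTER TokenApp.Storage.Save(value=9f8e7d)
EXIT TokenApp.Storage.Save -> None
"""

ENTER_RE = re.compile(r"^ENTER ([^\s(]+)\((.*)\)$")
EXIT_RE = re.compile(r"^EXIT (\S+) -> (.*)$")

@dataclass
class Call:
    method: str
    args: dict
    ret: str = ""
    children: list = field(default_factory=list)

def parse_trace(text):
    """Rebuild the call tree: ENTER pushes a frame, the matching EXIT pops it."""
    roots, stack = [], []
    for line in text.splitlines():
        if m := ENTER_RE.match(line):
            args = dict(kv.split("=", 1) for kv in m.group(2).split(", ") if kv)
            call = Call(m.group(1), args)
            (stack[-1].children if stack else roots).append(call)
            stack.append(call)
        elif (m := EXIT_RE.match(line)) and stack and stack[-1].method == m.group(1):
            stack.pop().ret = m.group(2)
    return roots

def walk(calls):
    # depth-first flattening of the call tree
    for c in calls:
        yield c
        yield from walk(c.children)

def value_flow(calls, value):
    """Data flow for one value: methods that returned it and methods that received it."""
    produced = [c.method for c in walk(calls) if c.ret == value]
    consumed = [c.method for c in walk(calls) if value in c.args.values()]
    return produced, consumed
```

Running value_flow over the sample for the derived key shows it leaving the crypto routine and reaching the storage method, which is exactly the kind of sink an assessor wants to see flagged in a token application.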

Runtime analysis demo of a WP7 software token

Download XAP Spy binaries

Download source code

Update (9/21/2011): XAP Spy binaries for Windows Phone SDK7.1 can be downloaded here.

Tue, 13 Sep 2011

Hacking Online Auctions - UnCon && ITWeb talk

I gave an updated version of my 'Hacking Online Auctions' talk at UnCon in London last week. The talk gave a brief intro to general auction theory and how the models can be applied online, but the main focus was on 'penny auction' websites. What are those all about then? Well, during my Masters last year I took a course on Internet Economics, and one of the modules involved auction theory. It was a really interesting module, and I did a bit of my own research on the side, whereby I stumbled across various penny auction sites. The sites (which present themselves as akin to eBay and the like) go a little something like this:

1) Loads of high demand products up for auction (e.g. iPhones, cars, TVs, cameras, etc).
2) All auctions start from some predetermined countdown, usually around 5-9 hours, and tick down one second at a time.
3) All auctions start with an opening price of £0.01 (or R0.01 etc). Each bid placed increases the price by one penny/cent.
4) When the timer hits zero and no-one places a bid, the auction ends and the last bidder wins. He pays the price that the item climbed to.

If you check out some of these websites, you'll notice that items seem to sell for ridiculously low prices - e.g. an iPhone 4 for £30, an Audi A1 for £300. The sites also, of course, include various 'winner galleries', showcasing happy winners with their dirt-cheap fancy kit. It all seems too good to be true, and the sites lure in loads of sucke^Wplayers.

Alas, there are two big caveats which are not mentioned early on:

1) You have to purchase your bids in advance - for anything from £0.20 to £0.50 each.
2) If someone places a bid when the countdown timer is under 30 seconds, the timer gets reset to 30 seconds, indefinitely.

So, after I realised the slightly dodgy premise of these businesses, I decided to do some deeper investigation. I identified a few of the biggest / most popular penny auction websites, decoded their server <--> browser protocol, and made my own simple client to query auctions over time. Over a period of 90 days I observed some 30,000 auctions, involving over 2,000,000 individual bids from around 20,000 unique players. All of this was pumped into a nice MySQL db, allowing us to dig through the data and pull out some interesting stats, and devise some cunning methods to 'game the system'.

Tue, 4 May 2010

ITWeb Security Summit 2010 & Afterparty

The ITWeb security summit is coming up next week from the 11th to 13th of May. This is a conference we're quite excited about, and have been involved in for the last few years, but most recently, we've been able to further our involvement beyond just speaking.

For years I jealously watched as SensePost'ers would trundle all over the world shaking hands and drinking beer with the leet haxors of the world. Then a few years ago, the ITWeb Security Summit brought over Kevin Mitnick. I remember sitting in the audience awed not so much by what was said (sorry Kevin, I'm sure it was interesting) but at the fact a real celebrity hacker was meters from me. I still keep his lock-pick business card as a memento. Since then, the summit has gotten bigger and better. ITWeb previously brought out people like Bruce Schneier (who I think thought I was a stalker), David Litchfield, Johnny Long (he's African now), Johny Cache, Richard Stiennon, Roberto Preatoni and Phil Zimmermann (he video conf'ed in from his hospital bed after emergency heart surgery).

While meeting some of the international speakers was awesome, there was always a feeling that the conference was too vendor dominated. To help remedy this, last year SensePost was asked to put together a technical committee. SensePost's guidance on international speakers had an immediate effect, and last year we had a ton of hacker rock stars: Jeremiah Grossman, Window Snyder, Adam Shostack, Mike Dahn, Tyler Moore, Frank Artes, Phil Zimmermann (this time IRL) and even The Grugq washed himself and made it over. In addition to the international speakers, the technical committee (which I was lucky enough to be part of) evaluated and voted on all talks, with the ability to vote out sponsor talks if they weren't up to scratch. While we had some teething problems (for example we weren't able to review all final presentations in detail) and made a mistake in trying to fit more speakers into a "turbo track", I feel the quality of the conference improved significantly.

After the conference, one of the awesome memories was the "Hackers on Safari" trip we took the international speakers on (and some of the technical committee, if they agreed to do dishes). It proved to be a really great way to "sell" South Africa to the international speakers. As we watched a battery of cameras synchronously snap many pictures of the "the asses of Africa" (the animals kept turning their back on us), we were reminded what a great place South Africa is.

This year is looking even better than last. There's a solid line up of international speakers: Kingpin, Moxie, Charlie Miller, FX, Dino Dai Zovi, Saumil Shah, Nitesh Dhanjani & Jeremiah Grossman. In addition, a third track has been created for security products with the other two focusing on the technical and business aspects of security respectively. We should see a lot of quality South African talks. Unfortunately, some promising talks and speakers had to be dropped to make space, but hopefully this is an indicator of higher quality and popularity rather than poor judgement.

Additionally, this year on the 13th of May @7pm (the last day of the conference) there is a hackers' party organised by our local unconference ZaCon (for full details follow the link), which is within walking distance of the conference venue. The party's aim is to raise funds for Hackers for Charity, with voluntary donations of R50 being asked for, and HFC shirts for sale. Hopefully it will also give members of the local scene who are unable to afford ITWeb tickets a chance to meet some of the international and local speakers.