I might write a program to detect malicious (or non-malicious) software that is key logging (logging key strokes to gain information).
What tactics would be used?
Is there certain code to look for?
Are there certain locations I should search?
I prefer Java or Perl as I am fluent in those languages
Would these languages work?
Is there a better language to use for this case?
What would be used?
Code?
Algorithms?
Function?
I think it depends on what you are attempting to do. If you are looking for known keylogging programs, you could use any software that can search the file system to view file signatures. However, it sounds like you want to detect unknown programs. I do not believe this is strictly possible. Keylogging applications can passively listen to the keystrokes so there is not an active signature you could look for. It would probably be easier to understand the software that is supposed to run on your computer and then detect any new software that starts to run. It wouldn't necessarily be keystroke logging software, but it would be unauthorized software (or at least yet to be authorized software).
Keystrokes are broadcast to the system as events that you can subscribe to in your application. This is how games and other programs use the keyboard input. The entire system knows when a key is hit and which key it was. You can't know who is listening.
To put it another way, if this were possible, it would kill software keystroke loggers since every anti-virus and anti-spyware application would have an option to detect and remove all of these types of software. They have an option similar to this, but it is based upon known signatures of known keystroke loggers.
As a program trying just to figure if it's input is being key-logged, for badly written key-loggers, you can look for some time-patterns, like periodic delays when the logger recycle buffers, but normally key-loggers are very well-written and will inject themselves in the driver chain and so will be indiscernible from the normal chain.
In that case the only hope to detect key-loggers is to inspect the driver chain looking for non-standard drivers (but some key-loggers can infect standard drivers) which isn't particularly easy in Windows-land (such low level inspection).
One would need to plug into the anti-virus/anti-malware hooks to be able to really access not only the driver chain definitions, but the real code being executed, to detect if some key-logging is takeing place, and that is hard, full of bureaucracy, and almost undoable in anything but C/C++
Related
I am looking to create an AI environment where users can submit their own code for the AI and let them compete. The language could be anything, but something easy to learn like JavaScript or Python is preferred.
Basically I see three options with a couple of variants:
Make my own language, e.g. a JavaScript clone with only very basic features like variables, loops, conditionals, arrays, etc. This is a lot of work if I want to properly implement common language features.
1.1 Take an existing language and strip it to its core. Just remove lots of features from, say, Python until there is nothing left but the above (variables, conditionals, etc.). Still a lot of work, especially if I want to keep up to date with upstream (though I just could also just ignore upstream).
Use a language's built-in features to lock it down. I know from PHP that you can disable functions and searching around, similar solutions seem to exist for Python (with lots and lots of caveats). For this I'd need to have a good understanding of all the language's features and not miss anything.
2.1. Make a preprocessor that rejects code with dangerous stuff (preferably whitelist based). Similar to option 1, except that I only have to implement the parser and not implement all features: the preprocessor has to understand the language so that you can have variables named "eval" but not call the function named "eval". Still a lot of work, but more manageable than option 1.
2.2. Run the code in a very locked-down environment. Chroot, no unnecessary permissions... perhaps in a virtual machine or container. Something in that sense. I'd have to research how to achieve this and how to make it give me the results in a secure way, but that seems doable.
Manually read through all code. Doable on a small scale or with moderators, though still tedious and error-prone (I might miss stuff like if (user.id = 0)).
The way I imagine 2.2 to work is like this: run both AIs in a virtual machine (or something) and constrain it to communicate with the host machine only (no other Internet or LAN access). Both AIs run in a separate machine and communicate with each other (well, with the playing field, and thereby they see each other's positions) through an API running on the host.
Option 2.2 seems the most doable, but also relatively hacky... I let someone's code loose in a virtualized or locked down environment, hoping that that'll keep them in while giving them free game to DoS or break out of the environment. Then again, most other options are not much better.
TL;DR: in essence my question is: how do I let people give me 'logic' for an AI (which I think is most easily done using code) and then run that without compromising the functionality of the system? There must be at least 2 AIs working on the same playing field.
This is really just a plugin system, so researching how others implement plugins is a good starting point. In particular, I'd look at web browsers like Chrome and Safari and their plugin systems.
A common theme in modern plugins systems is process isolation. Ideally you should run the plugin in its own process space in a sandbox. In OS X look at XPC, which is designed explicitly for this problem. On Linux (or more portably), I would probably look at NaCl (Native Client). The JVM is also designed to provide sandboxing, and offers a rich selection of languages. (That said, I don't personally consider the JVM a very strong sandbox. It's had a history of security problems.)
In general, my preference on these kinds of projects is a language-agnostic API. I most often use REST APIs (or "REST-like"). This allows the plugin to be highly restricted, while not restricting the language choice. I like simple HTTP for communications whenever possible because it has rich support in numerous languages, so it puts little restriction on the plugin. In fact, given your description, you wouldn't even have to run the plugin on your hardware (and certainly not on the main server). Making the plugins remote clients removes many potential concerns.
But ultimately, I think something like your "2.2" is the right direction.
I have a X7 G800V keyboard with 15 custom keys. The problem is they are not detected in anything but the software that comes with the keyboard which is a real cave eat since I can't use them in photoshop, word or any other program. Is there any way to make them detectable? I am open for ideas even if they include writing my own driver, although I may need some tips on that but still I am open for learning. After all the guys from A4Tech do it with their software and I think they are not even installing any drivers.
PS: I am sorry for this not being an exactly programming question.
If the OS doesn't support these keys, I don't see a way to process them, unless you can configure your driver to communicate them to the OS as some other key. For instance if you press key Special1, the driver tells the operating system to process it as Play.
Or you might consider to write a driver yourself, if the driver is open-source, or an API is available.
Is there any way to protect a shared library (.so file) against reverse engineering ?
Is there any free tool to do that ?
The obvious first step is to strip the library of all symbols, except the ones required for the published API you provide.
The "standard" disassembly-prevention techniques (such as jumping into the middle of instruction, or encrypting some parts of code and decrypting them on-demand) apply to shared libraries.
Other techniques, e.g. detecting that you are running under debugger and failing, do not really apply (unless you want to drive your end-users completely insane).
Assuming you want your end-users to be able to debug the applications they are developing using your library, obfuscation is a mostly lost cause. Your efforts are really much better spent providing features and support.
Reverse engineering protection comes in many forms, here are just a few:
Detecting reversing environments, such as being run in a debugger or a virtual machine, and aborting. This prevents an analyst from figuring out what is going on. Usually used by malware. A common trick is to run undocumented instructions that behave differently in VMWare than on a real CPU.
Formatting the binary so that it is malformed, e.g. missing ELF sections. You're trying to prevent normal analysis tools from being able to open the file. On Linux, this means doing something that libbfd doesn't understand (but other libraries like capstone may still work).
Randomizing the binary's symbols and code blocks so that they don't look like what a compiler would produce. This makes decompiling (guessing at the original source code) more difficult. Some commercial programs (like games) are deployed with this kind of protection.
Polymorphic code that changes itself on the fly (e.g. decompresses into memory when loaded). The most sophisticated ones are designed for use by malware and are called packers (avoid these unless you want to get flagged by anti-malware tools). There are also academic ones like UPX http://upx.sourceforge.net/ (which provides a tool to undo the UPX'ing).
I need to develop a large set of tools to be run from the server command line (i.e. not client-server architecture). The systems does not have to be high-performance; I just want something that is easy to develop with.
Which technologies are out there I can use to build simple GUI to be run from the command line? I need only menus where I can select a line/check-box/enter free text in a dialog.
Edit: forgot to add, access to Mysql (i.e. drivers available) is essential.
Shell, with dialog, the old stand-by - http://www.linuxjournal.com/article/2807
EDIT- If it's MySQL-related, take a look at PERL-Tk and DBI.
python + ncurses would be a good combo here.
i like using perl's re.pl from the Devel::REPL library for quickie cli interfaces. read on a bit for my rationale before downvoting!
in this type of app it sounds like you will be doing query-type operations. these naturally lend themselves to a "repl" style interraction. re.pl gives you all of the goodies, namely command editing and history. all you need to write are the functions that users will call. the nice thing is that users who know perl will realize they can use any installed module to extend the functionality of your system on their own. i my case, i used re.pl to create a mysqlclient-like tool to access and display data that was being compressed in a way that the standard mysqlclient couldn't deal with.
i cite perl because it's DBI is the best database abstraction and it is what i have used....but the rationale can be extended to other tools. python's repl or any other would provide the same benefit.
You could use Mono for Linux and write your program in C# .NET, then make it work for Linux, since Mono allows so.
As far as graphic command line interfaces go, one of the best frameworks is ncurses. It abstracts away most of the ugliness associated with graphic command line applications.
I have to say, use Python, because I like it.
But text-based interfaces are pretty much not worth it, because they seem like a good idea until you look at the details:
There isn't really a standard keyboard navigation model for text-UIs; they all use their own scheme
How is unicode supported? (Hint: this is nontrivial)
What about different keyboard layouts? What key does someone press if their keyboard doesn't have, say, a "home", "end", or "Escape" ?
ncurses does not provide a widget set, only low-level operations. The answers to the above questions aren't easy.
It really shows that nobody has put much thought into keyboard-and-text-driven terminal-based UIs recently, or these would all have been solved.
Web interfaces have them solved, in fact, you can use a text-mode web browser if you like.
Modern devices like i(phone|pad)s and even cheap mobile phones have a web browser which is good enough.
It is easy to write a web application which uses a very simple style (few images, little Javascrfipt) and have it work without much effort on a variety of devices.
So I would say go with dmckee's comment "go with what you know".
By building your own terminal-based interface, you are going to box yourself into a corner in the long term.
I'm using the RxTx library over usbserial on a Linux distro. The RxTx lib seems to behave quite differently (in a bad way) than how it works over serial.
One of my biggest problems is that the RxTx SerialPortEvent.OUTPUT_BUFFER_EMPTY does not work on linux over usb serial.
How do I know when I should write to the stream? Any indicators I might have missed?
So far my experience with writing and reading concurrently have not been great. Does anyone know if I should lock the DATA_AVAILABLE handler from being invoked while I'm writing on the stream? Or RxTx accepts concurrent read/writes?
(perhaps slightly off-topic, but here goes)
I'm not familiar with that particular library, but I can assure you from dire experience (I work in the security systems (as in: hardware security devices) business, where RS-232 is heavily used) that not all USB-serial converters are born equal. Many such devices so not properly emulate all RS-232 lines, and many don't even handle any comms without flow control. Before blaming the library, try to confirm that the hardware actually does what it's supposed to do.
Without wanting to endorse a particular product or brand, the best (as in: least buggy) USB-serial converter I have come across in years is the USA-19HS.
Using RxTx over usb-to-serial you can't set notifyOnOutput to true otherwise it locks up completely.
I've learned this the hard way. This problem is documented on a few web sites over the internet.
I'm running it on Linux and I believe that this is a Linux only issue, although I can't confirm that.
As for the link you've given me... I've seen the SimpleReader and SimpleWriter examples, but these don't represent a real world application. It is not multi-threaded, assumes a read has the full data it needs instead of buffering reads, etc.
Thanks,
Jeach!