From XP to 10, DoubleAgent pwns all your Windows?

The Cybellum team published a new 0-day technique for injecting code into and maintaining persistence on a target computer, dubbed DoubleAgent. The technique abuses a feature present in every Windows version since XP that allows an Application Verifier provider DLL to be registered for any executable. The verifier-provider DLL is simply a DLL that is loaded into the process and is supposed to perform run-time verification of the application. Its actual behaviour, however, can be whatever the attacker wants, since the attacker supplies the DLL.

Microsoft describes it as:

Application Verifier is a runtime verification tool for unmanaged code. Application Verifier assists developers in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing. Using Application Verifier in Visual Studio makes it easier to create reliable applications by identifying errors caused by heap corruption, incorrect handle and critical section usage. (…)

The code injection occurs extremely early during the victim’s process initialization, giving the attacker full control over the process and no way for the process to actually detect what’s going on. Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots, updates, reinstalls, or patches.

So it’s all over for Windows, right? Well… no. The thing is, to register this DLL, the registering process has to have administrator rights so it can write the proper key to the Windows Registry. Without those permissions, there is no way for this attack to work. You know, the kind of permissions that let you install software for all users or format your own hard drive. So, although this technique has its merit and can present challenges to processes that absolutely must maintain their integrity (such as anti-virus software, the case the Cybellum team points out), some other security flaw has to be exploited first before this sort of ‘debugging DLL’ can be registered.

If you already have administrator permissions you can do pretty much whatever you want, including DLL injection to fool anti-virus software (though it might be easier just to disable or remove it). This new technique has the advantage of being stealthy, but is a 0-day that requires root really a 0-day?
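Since the whole technique hinges on a registry key, the natural defensive check is to audit that key. The PowerShell script below is an added example (not code from the original post or from Cybellum) that lists every executable with a verifier provider DLL registered; the Image File Execution Options paths and the GlobalFlag bit are standard Windows locations, not values taken from the article.

```powershell
# Added audit script (not from the original post or Cybellum's release): list every
# executable that has an Application Verifier provider DLL registered under
# Image File Execution Options (IFEO), the mechanism DoubleAgent relies on.
# Read access to HKLM is enough to enumerate the keys; writing one needs admin.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # Same key as seen by 32-bit processes on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that enables Application Verifier

function Get-VerifierProvider {
    param([string[]]$Roots = $IfeoRoots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or -not ($props.PSObject.Properties.Name -contains 'VerifierDlls')) {
                return   # no provider DLL registered for this executable
            }
            # GlobalFlag may be stored as REG_DWORD or as a hex string; [int] handles both
            $flag = 0
            if ($props.PSObject.Properties.Name -contains 'GlobalFlag') {
                $flag = [int]$props.GlobalFlag
            }
            # VerifierDlls is a space-separated list of DLL file names
            $dlls = ([string]$props.VerifierDlls) -split '\s+' | Where-Object { $_ }
            [pscustomobject]@{
                Executable      = $_.PSChildName
                Hive            = $root
                VerifierDlls    = ($dlls -join ' ')
                VerifierEnabled = (($flag -band $FLG_APPLICATION_VERIFIER) -ne 0)
                # Provider DLLs load via the normal DLL search path; a name that does
                # not resolve to System32 is the first thing to look at
                AllInSystem32   = -not ($dlls | Where-Object {
                    -not (Test-Path (Join-Path $env:SystemRoot "System32\$_")) })
            }
        }
    }
}

Get-VerifierProvider | Format-Table -AutoSize
```

Legitimate Application Verifier use by developers produces the same entries, so an empty result on a machine that should not be debugging anything is the expected baseline.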

[via The Hacker News]

An Android Phone Makes A Better Server Than You’d Think

There was a time a few years ago when the first Android phones made it to market, that they seemed full of promise as general purpose computers. Android is sort of Linux, right, or so the story went, so of course you must be able to run Linux on an Android phone and do all sorts of cool stuff with it.

As anyone who tried to root an Android phone from 2010 will tell you, it was a painful and unrewarding process. There was normally a convoluted rooting process followed by somehow squeezing your own Linux filesystem tree onto the device, then chroot-ing into it. You’d then have to set up a VNC server and VNC into it, and eventually you’d feel immensely proud of your very slow tiny-screen Linux desktop that you’d slaved over creating. It was one of those things that’s simple in theory, but extremely convoluted in practice.

But six years have passed since those days, phones have gotten much faster and so has the software for tasks such as rooting, so maybe it’s time to return to the topic of Linux on an Android device. [Pete Scargill] gave it a try when a friend gave him a Chinese quad-core Android phone with a broken screen. He proceeded to put a Debian installation on it, upon which he runs his collection of server processes.

Rooting the phone was a straightforward process using the KingRoot app, a sideloaded version, as it seems there’s a bogus copy on the Play Store. Bringing a Linux system to it could then be achieved with the LinuxDeploy app. The result is surprisingly useful, after some installation steps which he describes in detail.

You might ask what would be the point of this exercise, given that you can do the same thing much more easily with a single board computer such as a Raspberry Pi. But to buy a Pi, SD card, screen, and UPS, as he points out you’d have to spend a lot more than you would for a second-hand phone from eBay — or a free, slightly broken, one from friends or family.

If getting more from your Android phone is your thing, perhaps you’d like to know about installing Busybox on it. We’ve also advocated for using old Android phones for ARM dev.

How Does a Voltage Multiplier Work?

If you need a high voltage, a voltage multiplier is one of the easiest ways to obtain it. A voltage multiplier is a specialized type of rectifier circuit that converts an AC voltage to a higher DC voltage. Invented by Heinrich Greinacher in 1919, they were used in the design of a particle accelerator that performed the first artificial nuclear disintegration, so you know they mean business.

Theoretically the output of the multiplier is an integer times the AC peak input voltage, and while they can work with any input voltage, the principal use for voltage multipliers is when very high voltages, on the order of tens of thousands or even millions of volts, are needed. They have the advantage of being relatively easy to build, and are cheaper than an equivalent high voltage transformer of the same output rating. If you need sparks for your mad science, perhaps a voltage multiplier can provide them for you.


Dartboard Watches Your Throw; Catches Perfect Bullseyes

Some people really put a lot of effort into rigging the system. Why spend years practicing a skill and honing your technique to hit a perfect bullseye in darts when you can spend the time building an incredibly complicated auto-bullseye dartboard that’ll do it for you?

In fairness, what [Mark Rober] started three years ago seemed like a pretty simple task. He wanted to build a rig to move the dartboard’s bullseye to meet the predicted impact of any throw. Seems simple, but it turns out to be rather difficult, especially when you choose to roll your own motion capture system.

That system, built around the Nvidia Jetson TX1, never quite gelled, a fact which unfortunately burned through the first two years of the project. [Mark] eventually turned to the not inexpensive Vicon Vantage motion capture system with six IR cameras. A retroreflector on the non-regulation dart is tracked by the system and the resulting XY data is fed into MATLAB to calculate the parabolic path of the dart. An XY-gantry using six steppers quickly shifts the board so the bullseye is in the right place to catch the incoming dart.

It’s a huge amount of work and a lot of money to spend, but the group down at the local bar seemed to enjoy it. We wonder if it can be simplified, though. Perhaps tracking just the thrower’s motions with an IMU-based motion capture system and extrapolating the impact point would work.


Shut the Backdoor! More IoT Cybersecurity Problems

We all know that what we mean by hacker around here and what the world at large thinks of as a hacker are often two different things. But as our systems get more and more connected to each other and the public Internet, you can’t afford to ignore the other hackers — the black-hats and the criminals. Even if you think your data isn’t valuable, sometimes your computing resources are, as evidenced by the recent attack launched from unprotected cameras connected to the Internet.

As [Elliot Williams] reported earlier, Trustwave (a cybersecurity company) recently announced they had found a backdoor in some Chinese voice over IP gateways. Apparently, the manufacturer left itself an undocumented root password on the device and — to make things worse — used a proprietary challenge/response system for passwords that is insufficiently secure. Our point isn’t really about this particular device, but if you are interested in the details of the algorithm, there is a tool on GitHub, created by [JacobMisirian] using the Trustwave data. Our interest is in the practice of leaving intentional backdoors in products. A backdoor like this — once discovered — can be used by anyone else, not just the company that put it there.


Creepy Speaking Neural Networks

Tech artist [Alexander Reben] has shared some work in progress with us. It’s a neural network trained on various famous people’s speech (YouTube, embedded below). [Alexander]’s artistic goal is to capture the “soul” of a person’s voice, in much the same way as death masks of centuries past. Of course, listening to [Alexander]’s Rob Boss is no substitute for actually watching an old Bob Ross tape — indeed it never even manages to say “happy little trees” — but it is certainly recognizable as the man himself, and now we can generate an infinite amount of his patter.

Behind the scenes, he’s using WaveNet to train the networks. Basically, the algorithm splits up an audio stream into chunks and tries to predict the next chunk based on the previous state. Some pre-editing of the training audio data was necessary — removing the laughter and applause from the Colbert track for instance — but it was basically just plugged right in.

The network seems to over-emphasize sibilants; we’ve never heard Barack Obama hiss quite like that in real life. Feeding noise into machines that are set up as pattern-recognizers tends to push them to the limits. But in keeping with the name of this series of projects, the “unreasonable humanity of algorithms”, it does pretty well.

He’s also done the same thing with multiple speakers (also YouTube), in this case 110 people with different genders and accents. The variation across people leads to a smoother, more human sound, but it’s also not clearly anyone in particular. It’s meant to be continuously running out of a speaker inside a sculpture’s mouth. We’re a bit creeped out, in a good way.

We’ve covered some of [Alexander]’s work before, from the wince-inducing “Robot Bites Man” to the intellectual-conceptual “All Prior Art”. Keep it coming, [Alexander]!


Making More Of Me Money

For the last few years, Hackaday has really been stepping up our game with marketing materials. Our t-shirts and swag are second to none, and last year we introduced the ‘Benchoff Buck’ (featured above), a bill replete with Jolly Wrencher EURions that is not yet legal currency. At least until we get a sweet compound in the desert, that is.

[Andrew Sowa] created the Benchoff Nickel. It’s a visage of yours truly emblazoned on a PCB, rendered in FR4, silkscreen, gold, and OSHPark’s royal purple. In doing so, [Andrew] has earned himself a field commission to the rank of lieutenant and can now reserve the dune buggy for a whole weekend.

The Benchoff Nickel was created in KiCad using the Bitmap2Component functionality. Planning this required a little bit of work; there are only five colors you can get on an OSH Park PCB, from white to gold to beige to purple (soldermask on top of copper) to black (soldermask with no copper). Luckily, the best picture we have of me renders very well in five colors.

The Bitmap2Component part of KiCad will only get you so far, though. It’s used mainly to put silkscreen logos on a board, and messing around with copper and mask layers is beyond its functionality. To import different layers of my face into different layers of a KiCad PCB, [Andrew] had to open up Notepad and make a few manual edits. It’s annoying, but yes, it can be done.

OSH Park’s fabs apparently use two different tones of FR4

The Benchoff Nickel can be found on GitHub and as a shared project on OSH Park ($22.55 for three copies). One little curiosity of the OSH Park fabrication process presented itself with [Andrew]’s second order of Benchoff Nickels. OSH Park uses at least two board houses to produce their PCBs, and one of them apparently uses a lighter shade of FR4. This resulted in a lighter skin tone for the second order of Benchoff Nickels.

This is truly tremendous work. I’ve never seen anything like this, and it’s one of the best ‘artistic’ PCBs I’ve ever held in my hands. It was a really great surprise when [Andrew] handed me one of these at the Hackaday Unconference in Chicago. I’ll be talking to [Andrew] again this week at the Midwest RepRap festival, and we’re going to try and figure out some way to do a small run of Benchoff Nickels.

Edit: OSH Park revealed why there are different tones of FR4. In short, there aren’t. The lighter shade of skintone is actually FR408, which is used on 4-layer boards.