[Tutor] application whitelisting
Peter Otten
__peter__ at web.de
Fri Sep 21 14:19:12 CEST 2012
Albert-Jan Roskam wrote:
> Hi,
>
> My company just started application whitelisting. Now a new version of a
> (benign!!) dll does not work as it (or rather, its file hash, if I
> understood it correctly) is not whitelisted. Is there any way I can use
> the same dll of a newer version? I know this sounds like a hacking
> request, but my intentions are sincere. My only purpose is to use ctypes
> to use the functions that are present in the new, but not the old, dll
> version.
>
>
> The code below is probably simplistic/naive, but it's a product of my
> frustration + curiosity. The strategy was to generate a dll that has the
> same file hash as the original dll by right-padding it with zero until the
> desired checksum is found. Why a zero? No idea. ;-)
>
> PS: I guess a virtual environment also cannot be used for this, right?
>
>
> import hashlib
> import contextlib
>
> def generateFile(infile, desired_hash, hashtype="md5"):
>     outfile = infile[:-4] + "_adjusted.dll"
>     with contextlib.nested(open(infile, "rb"), open(outfile, "wb")) as (f_in, f_out):
>         # read the original once; a second read() would return an empty string
>         data = f_in.read()
>         observed_hash = hashlib.new(hashtype, data)
>         counter = 0
>         while True:
>             # the running digest equals md5(data + "0" * counter)
>             found = observed_hash.hexdigest() == desired_hash
>             if found:
>                 f_out.write(data + (counter * "0"))
>                 print "Got it: '%s'" % f_out.name
>                 break
>             counter += 1
>             observed_hash.update("0")
>
> infile = r"D:\temp\myown.dll"
> generateFile(infile, '4151e067c17a753fc5c4ec1c507d28c9')
Here's a back-of-the-envelope calculation:
'4151e067c17a753fc5c4ec1c507d28c9' is a hexadecimal number with 32 digits,
otherwise known as
340282366920938463463374607431768211456L
If you are trying to hit that number using random additions to your file you
can expect success after (that number)/2 attempts. Assuming you try 10
million additions per second that will take about
>>> (16**32//2)/(10**7 * 60 * 60 * 24 * 365)
539514153540300709448526L
years.
But you are lucky, md5 has been cracked. I don't know if there is a
practical way to create a document with the same hash for any given hash
though, so as a starting point I refer you to
http://en.wikipedia.org/wiki/Md5
Looking forward to seeing your final script...
Or you think a bit out of the box and ask for the required dll to be put on
the whitelist.
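As an added illustration of the two points made in this thread (it is not code from either poster), the script below shows what a hash-based allowlist check actually does, why appending padding bytes cannot reproduce an old hash (every extra byte yields a fresh digest), how the back-of-the-envelope estimate above generalises to any digest length, and the legitimate fix: registering the new version's hash. The "DLL" contents are constructed byte strings, not real binaries; `ALLOWLIST`, `is_allowed` and the other names are this example's own.

```python
import hashlib

# Constructed sample file contents standing in for two versions of a DLL.
ORIGINAL_DLL = b"MZ\x90\x00" + b"sample-dll-v1" + bytes(64)
UPDATED_DLL = b"MZ\x90\x00" + b"sample-dll-v2" + bytes(64)


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of a file's contents: the value an allowlist stores."""
    return hashlib.new(algorithm, data).hexdigest()


def is_allowed(data: bytes, allowlist: frozenset, algorithm: str = "sha256") -> bool:
    """The whole enforcement decision: is this exact content's digest registered?"""
    return file_digest(data, algorithm) in allowlist


def allow_new_version(allowlist: frozenset, data: bytes, algorithm: str = "sha256") -> frozenset:
    """Administrative change: register a new build's digest (the 'ask for it to be
    put on the whitelist' route). Returns a new allowlist, leaving the old one intact."""
    return allowlist | {file_digest(data, algorithm)}


def distinct_digests_under_padding(data: bytes, max_pad: int, algorithm: str = "md5") -> int:
    """Count distinct digests of data + b'0' * n for n in 0..max_pad.
    Each padding length produces a different digest, which is why padding
    cannot be steered toward a particular old hash."""
    seen = {file_digest(data + b"0" * n, algorithm) for n in range(max_pad + 1)}
    return len(seen)


def expected_brute_force_years(hash_bits: int = 128, attempts_per_second: int = 10**7) -> int:
    """Expected wall-clock years to hit one specific digest of the given bit length
    by blind trial: half the digest space divided by the trial rate.
    With the defaults this reproduces the 128-bit (MD5) figure quoted above."""
    seconds_per_year = 60 * 60 * 24 * 365
    return ((2 ** hash_bits) // 2) // (attempts_per_second * seconds_per_year)


# Allowlist built from the version that was originally approved.
ALLOWLIST = frozenset({file_digest(ORIGINAL_DLL)})

if __name__ == "__main__":
    print("original allowed:", is_allowed(ORIGINAL_DLL, ALLOWLIST))
    print("updated allowed :", is_allowed(UPDATED_DLL, ALLOWLIST))
    print("distinct md5 digests over 257 paddings:",
          distinct_digests_under_padding(ORIGINAL_DLL, 256))
    print("expected years for a 128-bit digest:", expected_brute_force_years())
    print("expected years for a 256-bit digest:", expected_brute_force_years(256))
    UPDATED_ALLOWLIST = allow_new_version(ALLOWLIST, UPDATED_DLL)
    print("updated allowed after registration:", is_allowed(UPDATED_DLL, UPDATED_ALLOWLIST))
```

The allowlist is a `frozenset` so that enforcement code cannot mutate it by accident; the only path to approving a new build is the explicit `allow_new_version` step, which is exactly the administrative request the reply recommends.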