[Tutor] application whitelisting

Peter Otten __peter__ at web.de
Fri Sep 21 14:19:12 CEST 2012


Albert-Jan Roskam wrote:

> Hi,
> 
> My company just started application whitelisting. Now a new version of a
> (benign!!) dll does not work as it (or rather, its file hash, if I
> understood it correctly) is not whitelisted. Is there any way I can use
> the same dll of a newer version? I know this sounds like a hacking
> request, but my intentions are sincere. My only purpose is to use ctypes
> to use the functions that are present in the new, but not the old, dll
> version.
> 
> 
> The code below is probably simplistic/naive, but it's a product of my
> frustration + curiosity. The strategy was to generate a dll that has the
> same file hash as the original dll by right-padding it with zero until the
> desired checksum is found. Why a zero? No idea. ;-)
> 
> PS: I guess virtual environment also cannot be used for this, right?
> 
> 
> import hashlib
> import contextlib
> 
> def generateFile(infile, desired_hash, hashtype="md5"):
>     outfile = infile[:-4] + "_adjusted.dll"
>     hashlib_ = hashlib.new(hashtype)
>     with contextlib.nested(open(infile, "rb"), open(outfile, "wb")) as (f_in, f_out):
>         data = f_in.read()  # read the original once; a second read() would return ""
>         observed_hash = hashlib_
>         observed_hash.update(data)  # hash objects are not callable, use update()
>         counter = 0
>         while True:
>             counter += 1
>             observed_hash.update("0")  # feed one more "0" (Python 2 str)
>             found = observed_hash.hexdigest() == desired_hash  # recheck each round
>             if found:
>                 f_out.write(data + (counter * "0"))
>                 print "Got it: '%s'" % f_out.name
>                 break
> 
> infile = r"D:\temp\myown.dll"
> generateFile(infile, '4151e067c17a753fc5c4ec1c507d28c9')

Here's a back-of-the-envelope calculation:

'4151e067c17a753fc5c4ec1c507d28c9' is a hexadecimal number with 32 digits, 
otherwise known as

340282366920938463463374607431768211456L

If you are trying to hit that number using random additions to your file you 
can expect success after (that number)/2 attempts. Assuming you try 10 
million additions per second that will take about

>>> (16**32//2)/(10**7 * 60 * 60 * 24 * 365)
539514153540300709448526L

years. 

But you are lucky, md5 has been cracked. I don't know if there is a 
practical way to create a document with the same hash for any given hash 
though, so as a starting point I refer you to 

http://en.wikipedia.org/wiki/Md5

Looking forward to seeing your final script...

Or you think a bit out of the box and ask for the required dll to be put on 
the whitelist.
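Added example, not part of the original thread: a minimal hash-based allowlist check in Python 3, written from the defender's side. It assumes SHA-256 (the post's agent may use MD5 or another digest) and uses a constructed byte string in place of a real DLL. It shows that any change to the file bytes, including the zero-padding the poster tried, yields a different digest and is therefore rejected, and it generalizes the reply's back-of-the-envelope estimate (half the digest space divided by the trial rate) to any digest length.

```python
import hashlib

# Constructed stand-in for a DLL's bytes; a real agent hashes the file on disk.
SAMPLE_DLL = b"MZ\x90\x00" + b"constructed sample module contents"


def file_digest(data, algorithm="sha256"):
    """Return the hex digest an allowlisting agent would record for this content."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


# Allowlist built from the known-good content (constructed for this example).
ALLOWLIST = {file_digest(SAMPLE_DLL)}


def is_allowed(data, allowlist, algorithm="sha256"):
    """True only if the content's digest is on the allowlist.

    Any change to the bytes, including appended padding, produces a
    different digest, so a modified or newer build is rejected until its
    own digest is added to the list.
    """
    return file_digest(data, algorithm) in allowlist


def expected_years(hash_bits, attempts_per_second):
    """Expected time to hit one specific digest by trial.

    Uses the reply's estimate: on average half the digest space must be
    searched; the result is whole years at the given attempt rate.
    """
    expected_attempts = 2 ** hash_bits // 2
    seconds_per_year = 60 * 60 * 24 * 365
    return expected_attempts // (attempts_per_second * seconds_per_year)


if __name__ == "__main__":
    print("original allowed:", is_allowed(SAMPLE_DLL, ALLOWLIST))
    print("zero-padded copy allowed:", is_allowed(SAMPLE_DLL + b"\x00", ALLOWLIST))
    print("years to hit a 128-bit digest at 10M tries/s:",
          expected_years(128, 10 ** 7))
```

With the reply's numbers (128-bit digest, ten million tries per second) `expected_years` returns the same 539514153540300709448526 the thread quotes; the practical route is the one the reply ends on, getting the new build's digest added to the allowlist.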


