There's been a fair amount of discussion in recent months, especially in IoT circles, about application dependencies, particularly with respect to encryption and vulnerabilities in libraries. For instance: in version x of a product, which libraries are used? The salesfolks will stop there, but more importantly, which libraries and DLLs do my libraries and DLLs use, and so on? If you go three levels deep, will you maybe find a statically linked OpenSSL library that's vulnerable to POODLE or something else?

In Windows, you can get that first pass using PowerShell:

    PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module

or, more verbosely (this is the listing that you really want, because it carries the version of each loaded module):

    PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module -fileversioninfo

    ProductVersion FileVersion FileName

Keep in mind that Get-Process -Module reports what is loaded in the running process at the moment you look, so a DLL that is loaded later on demand (a plugin, a delay-loaded import) won't be in the list. It also doesn't show the dependency tree, only the flat set (if someone knows how to do this in PowerShell, please use the comment form and let us all know!). Dependency Walker does a decent job of this for Windows apps (http://dependencywalker.com/). A simple run of

    depends.exe /c /oc:dependencies-np.csv /ot:dependencies-np.txt c:\windows\notepad.exe

gives us a much more complete dependency tree listing (over 3000 lines on my system). An excerpt from the text output:

    [ 6] c:\windows\NOTEPAD.EXE

This isn't something you need every day, but if you are auditing code to see what's inside of it, to see if you are using a vulnerable library two or three levels deep, it's invaluable. No matter how good your processes are, there will always be some reference to an old library left over that someone thought was deleted, a library used by a component you bought (or downloaded) that you didn't know was statically linked in there, or something a dev used "just for testing" that never got removed. One caveat applies to every tool in this diary: they read the dynamic import and dependency tables, so a library that was linked statically into a binary never appears in any of these listings. For those you are down to looking for the version strings the library compiles into itself (OpenSSL and zlib, for instance, both embed a version banner) or signature-based scanning.

In Linux? Much easier: ldd does the trick there (the -v argument adds the "Version information" section, which is the part that records which library requires which), and on OS X you would use "otool -L". Note that otool -L lists only the direct dependencies of the file you give it, so to get the tree you have to re-run it on each library it reports. Also, ldd works by having the dynamic loader resolve the dependencies, and with some loaders that can end up executing code from the binary, so don't point ldd at a file you don't trust; "objdump -p" or "readelf -d" will list the needed libraries without running anything. For instance, to get the full dependency tree for vi:

    ldd -v /usr/bin/vi > vi-tree.out

This gives me a 465-line tree of libraries (on Kali 2.0)! Without the tree listing, it's down to 65 unique libs, but that's still a solid bit of work to plow through to come to the answer of "Are all my libraries up to date? Am I vulnerable to something I wasn't aware of?" Tools like CVE Search can simplify this task, but there's still some plain old hard work involved!

Similarly, if you work in the mobile space, on Android you might use ldd-arm or maybe ndk-depends. What do you use to get a similar tree listing for iOS? If you've found a better way to tackle this problem (on whatever OS) that I've overlooked, please use our comment form and post some code!
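One way to turn that ldd -v output into the tree view and the unique-library list, plus the one check that no dependency tool can make (banners of statically linked libraries), as an added example that is not code from the diary or from any of the tools it mentions: the ldd output and the "binary" it scans are constructed samples, the line format is glibc's ldd, and the banner patterns are an assumption that covers only OpenSSL, zlib and libpng.

```python
import re
import subprocess
import sys

# Constructed, abbreviated stand-in for `ldd -v /usr/bin/vi` (not a capture
# from the author's Kali 2.0 box).  glibc's ldd prints the flat, already
# resolved list first; the "Version information:" block that -v adds is the
# only part that says which object required which library.
SAMPLE_LDD_V = """\
\tlibtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f1b9c2a0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b9bef5000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1b9c6d0000)

\tVersion information:
\t/usr/bin/vi:
\t\tlibtinfo.so.5 (NCURSES_TINFO_5.0.19991023) => /lib/x86_64-linux-gnu/libtinfo.so.5
\t\tlibc.so.6 (GLIBC_2.3) => /lib/x86_64-linux-gnu/libc.so.6
\t\tlibc.so.6 (GLIBC_2.2.5) => /lib/x86_64-linux-gnu/libc.so.6
\t/lib/x86_64-linux-gnu/libtinfo.so.5:
\t\tlibc.so.6 (GLIBC_2.2.5) => /lib/x86_64-linux-gnu/libc.so.6
\t/lib/x86_64-linux-gnu/libc.so.6:
\t\tld-linux-x86-64.so.2 (GLIBC_PRIVATE) => /lib64/ld-linux-x86-64.so.2
"""

# Constructed bytes standing in for a binary with OpenSSL and zlib linked
# statically: the banners those libraries keep in .rodata, plus padding.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
                 + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x90" * 8
                 + b" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly \x00")

VERSION_BANNERS = [                    # assumed patterns, extend as needed
    rb"OpenSSL \d+\.\d+\.\d+[a-z]?",   # OPENSSL_VERSION_TEXT
    rb"deflate \d+\.\d+\.\d+",         # zlib deflate_copyright string
    rb"libpng version \d+\.\d+\.\d+",  # libpng copyright text
]
ENTRY_RE = re.compile(r"^(\S+) \((\S+)\) => (\S+)$")


def parse_ldd_v(text):
    """Return (root, edges): edges[object] = {dependency path: [versions]},
    built from the Version information section only."""
    edges, root, current, in_versions = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Version information:":
            in_versions = True
        elif not in_versions or not line:
            continue
        elif line.endswith(":"):            # "<object path>:" opens a block
            current = line[:-1]
            edges.setdefault(current, {})
            root = root or current
        else:                               # "<soname> (<ver>) => <path>"
            m = ENTRY_RE.match(line)
            if m and current is not None:
                versions = edges[current].setdefault(m.group(3), [])
                if m.group(2) not in versions:
                    versions.append(m.group(2))
    return root, edges


def dependency_tree(root, edges):
    """Expand edges depth-first into (depth, path) rows: the long tree view.
    A shared library repeats under every parent, never under itself."""
    rows = []

    def walk(node, depth, ancestors):
        rows.append((depth, node))
        if node in ancestors:               # cycle guard
            return
        for dep in edges.get(node, {}):
            walk(dep, depth + 1, ancestors | {node})

    walk(root, 0, frozenset())
    return rows


def unique_libraries(root, edges):
    """Collapse the tree to the short list that has to be checked for CVEs."""
    libs = set(edges)
    for deps in edges.values():
        libs.update(deps)
    libs.discard(root)
    return sorted(libs)


def find_embedded_versions(blob):
    """Grep a file's bytes for library version banners: a statically linked
    library is invisible to ldd and depends.exe, but its banner survives."""
    found = []
    for pattern in VERSION_BANNERS:
        for m in re.finditer(pattern, blob):
            banner = m.group(0).decode("ascii")
            if banner not in found:
                found.append(banner)
    return found


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real binary: run ldd -v (trusted files only)
        text = subprocess.run(["ldd", "-v", sys.argv[1]], capture_output=True,
                              text=True, check=True).stdout
        blob = open(sys.argv[1], "rb").read()
    else:                   # no argument: use the constructed samples above
        text, blob = SAMPLE_LDD_V, SAMPLE_BINARY
    root, edges = parse_ldd_v(text)
    for depth, path in dependency_tree(root, edges):
        print("    " * depth + path)
    print("unique libraries:", unique_libraries(root, edges))
    print("embedded banners:", find_embedded_versions(blob))
```

Run it with no argument to see the sample expanded (six tree rows collapsing to three unique libraries, and two banners found in the fake binary), or with a path to audit a binary you trust; the version requirements kept on each edge (GLIBC_2.3 and so on) are what you compare against the library actually installed.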
Rob VandenBrink, ISC Handler, Dec 23rd 2015
PowerShell sees only a snapshot, and Dependency Walker can't list DLLs which are loaded during runtime.
Turn on SAFER without restrictions just to log all executables: see http://seclists.org/fulldisclosure/2015/Nov/101
Anonymous, Dec 24th 2015
Is there anywhere admins can validate if the MD5s on their systems are malicious? I assume that is how herdProtect works. It is so easy to find gigantic password files (rockyou.txt), but I don't see any huge files online offering known good (or bad) MD5 hashes for Windows or Linux files.
mabraFoo, Dec 24th 2015
Have a look at the NSRL project (National Software Reference Library).
You can also manage your own db of hashes from a clean computer. I wrote a diary on this topic: isc.sans.edu/forums/diary/Detecting+file+changes+on+Microsoft+systems+with+FCIV/… (for Microsoft systems)
Xme, ISC Handler, Dec 24th 2015
Windows system files are cryptographically signed by Microsoft.
They are also protected by the "Windows File/Resource Protection". Use WinVerifyTrust() to check the signatures. On Linux, both installation packages as well as their contents are cryptographically signed too; check their detached signatures.
Anonymous, Dec 25th 2015
Can't you do this with listdlls.exe (part of the SysInternals suite)? Maybe it doesn't dig deep enough (dlls that load dlls). Also, some of the SysInternals suite can submit the MD5 to Virus Total. I'm not sure if listdlls.exe can or not. If not, you may be able to see if Mark Russinovich will add it in since he has it implemented for some of the other tools like autorunsc.exe. If you submit to VT using SysInternals it is free.
Justin, Jan 4th 2016