Adam Zabrocki is a computer security researcher, pentester and bughunter, currently working as
a Security SDE at Microsoft. He previously worked at the European Organization for Nuclear Research (CERN), where he was responsible for the design and development of a rootkit detector for kernel 2.6 (32- and 64-bit). In parallel he was part of the GRID team, testing the DPM, LFC and RFIO software used in the Large Hadron Collider (LHC) project.
He has also worked at HISPASEC Sistemas (known for the virustotal.com project) and at the Wroclaw Centre for Networking and Supercomputing (part of the PL-GRID project, the Polish Infrastructure for Supporting Computational Science in the European Research Space), and was a Security Consultant at Cigital, working at a large financial institution as part of the Application Security Architecture team.
As a hobby he has been a developer on the ERESI Reverse Engineering Software Interface project and a bughunter (he has discovered vulnerabilities in OpenSSH, Apache, Adobe Acrobat Reader, Xpdf, the Torque GRID server, FreeBSD and more), and has studied exploitation and mitigation techniques, publishing the results of his research in Phrack Magazine.
Crashdumps: hunt 0days and rootkits
Crashdumps are an often underestimated source of very interesting information. It is a common belief that they are useful only for analysing application and system bugs and vulnerabilities. In this presentation I would like to show a slightly different approach to this source of information. Microsoft Windows allows the default WER/CER configuration to be changed so that all generated crashdumps are stored in a custom location. This is very useful in large corporate networks with tens, hundreds or even thousands of machines, where more than a hundred crashdumps may be generated per day. In most cases administrators are afraid of a critical information leak (XBI, PII) via crashdumps, but could they also gain useful knowledge about the state of the network from this source? I will try to show what kind of benefits can be gained if we start analysing crashdumps independently and from a slightly different perspective…