Friday, February 24, 2012

IDApro and Microsoft

I want to respond to the following tweet, but in more than 140 characters:


Microsoft is a heavy user of IDApro. This one time, while giving a presentation at BlueHat (Microsoft's internal cybersec conference), while an IDApro image of Microsoft code was on the screen, I asked "How many of you use IDApro?". Hundreds of people raised their hands -- many more than when I ask the same question at BlackHat. It was a bit scary. I'll bet that Microsoft is by far IDApro's largest customer, far larger than the CIA or NSA, or the entire US government.

They have to, out of self-defense. When they update their software, sometimes third-party code breaks. They have to reverse engineer that code in order to figure out what's going on, then create a workaround.

Back in the day, my code (BlackICE) broke when they tried to release WinXP SP2. That's because in order to provide a seamless installation without reboot, my code did evil rootkit-like tricks in order to patch the stack while under heavy network load, patching functions in the driver with an atomic jump instruction on multi-CPU systems. I think we might've even patented the technique.

They had to reverse engineer my code with IDApro to figure out what the heck I was doing, then changed their own code so that my code would stop breaking.

There are still people at Microsoft who hate me for this, who still complain about how evil my code was for delaying the release of SP2. The legacy of this is that in Windows 7, they checksum kernel code to prevent changes. This isn't simply to protect against evil hackers trying to install rootkits, it's also to protect against evil hackers like me creating legitimate software that gives Microsoft headaches trying to support.

Some at Microsoft wanted to sue me, because in order to patch their kernel, I had to do "reverse engineering" on Microsoft's code. But here's the thing: it's impossible to write code for Windows without some "reverse engineering". Whenever your code breaks because of some undocumented behavior in an API, and you have to figure out why it breaks, you are essentially "reverse engineering" the code. The EULA refers to reverse-engineering-to-replicate, which is far different than reverse-engineering-to-interoperate.

But of course, in order to ship SP2, Microsoft had to break our EULA and reverse-engineer my code in return. Maybe I should've sued them.

So far, I've given 4 presentations at Microsoft (Bluehat or otherwise) where I've popped up live IDApro of their own code, protected against their EULA by, among other things, DMCA provisions supporting reverse-engineering.

Because of their legal hassles with anti-trust/monopolistic practices, Microsoft divisions are independent. They don't get access to each other's source code. In order to get things to work, each division has to reverse engineer the code of other divisions.

I doubt that Microsoft is using IDApro to do evil things, like reverse-engineer competitors to replicate stuff. Such secrets would be impossible to keep, and if they wanted to do such things, they'd work at arms-length with shell-companies and contractors in Asia. But for good things, like getting stuff to work, they use IDApro heavily. They have to reverse third-party drivers, and third-party applications, to see what changes in Windows break things. They have to reverse engineer other divisions, because they don't get access to source. Finally, the blog post the above tweet mentions is about malware research. Of course, Microsoft uses IDApro on viruses as well.


Update: All this predates IDApro. I remember back in the 1990s having casual conversations with Microsoft people about how we all reverse-engineered Diablo 2 (in our free time, not work related). For a lot of Microsoft people, reading binary is as natural as breathing.

2 comments:

Anonymous said...

While this is all sort of interesting, it's also at times silly and inaccurate. "They don't get access to each other's source code." Come on, man. Really? And you know this from visiting campus four times? Please. But worse still, you never actually make a point. People at MS use IDA. Ok...and...?
"I doubt that Microsoft is using IDApro to do evil things."
Wow, good guess.

Robert Graham said...

The bit about source code was told to me by a programmer on their Office team.

It's not just that people at Microsoft use IDA, it's that so many do.

The cybersec community has such a huge amount of bigotry against Microsoft that I feel compelled to keep pointing out that they are not, actually, evil.