The Mystery of the Duqu Framework

¿Estoy Mas Que Seguro Que es protollua?

si es igual fue creado por un grupo de estudiantes para facilitar
la orientacion a objetos escribeme......

¿Estoy mas que seguro que es protollua?

este es un nuevo lenguaje de programacio creado por la univesidad nacional de colombia pero aun no ha sido sacado a luz.
la sintasis es igual y se puede compilar en lua.por favor escribeme al gmail y te envio unas imagenes.y mira haber si es sierto

ZeroMQ? http://www.zeromq.org/

Some languages to check

http://en.wikipedia.org/wiki/List_of_programming_languages_ by_type#Object-oriented_class-based_languages

You should take a look at the fancy programming language http://en.wikipedia.org/wiki/Fancy_%28programming_language%29

iscoD

knows well basics of micro controller and processor.It Designed in all language and used effective parts assembler code.

sorry v poor eng

Since The language is C compiled with Microsoft C++, perhaps the library is the Microsoft SDK, a C library.

I know what the language is!

I've programmed in that language. It's assembly language.
100% sure.

Andreas

The Mystery of the Duqu Framework

I think that is Squirrel or very similar.

What about nesC

I've been looking into TinyOS and Sensor Network VM's and came across this nesC thing that seems would be right up the alley for someone doing this type of work...

I looks like it's got much what you've been talking about, not sure about it's direct access to WinAPI's but what about adaptability?

Check-out older possibilities

http://www.sics.se/~adam/lwip/ : IP stack
http://openthreads.sourceforge.net/ : threading framework
http://directory.fsf.org/wiki/Lightweight_C++ : intermediate language (get the code using webarchive)
http://bellard.org/tcc/ : low-level compiler

Perhaps that's the toolchain used...

An interesting aside

Of some kind of passing interest is the comment from Ken of Caffeine Security suggesting some level of similarity between Duqu and the recent Linux malware Linux/Bckdr-RKC. he claims to have sent material to Kasperski, but it may have fallen through the cracks.

http://caffeinesecurity.blogspot.com.au/2012/03/linuxbckdr-rkc-and-duqu-links-food-for.html

Hand written asm

Like eyenot, I think that it is hand written asm.

That would explain the different locations of the function table and the different ways the "this" pointer is passed. Human "mistakes".

(About mistake, should not be DeleteCriticalSection called instead of InitializeCriticalSection in the destructor ?)

That would also explain the non-usage of C runtime while it is painful in some cases (For example, whereas CopyMemory is "part" of Win32, it is not an actual function exported by a win32 dll. You have to code it again or use msvcrt.dll memcpy or another implementation).

Using asm + Win32 would not be to strange for people searching for vulnerabilities in a TrueType font parsing engine.

Putting function tables in instance is a naive and easy way of doing object oriented programming. Even a basic OO framework would have put function tables in a separate place with other class stuff (Static fields...) and would have put a pointer on this in the instance.

The framework looks like HLA standard library or ObjAsm32. But it is none of these two.

Anyway, my main point is that disassembly appears very clean and simple to me. Something pretty hard to obtain with traditional compilers which are often adding some weird stuff (Less clear instructions doing the same thing, particular stack frames, alignment stuff, strange instructions order, "mov edi, edi"...)

haXe

Have you eliminated haXe from your list of options?

sniffing from wrong direction, what does history tell you?

both As400tech and SCooke handed you the best hints.

A few years back I worked at East Fishkill long enough to meet eggs rubbing elbows with the 'black' GSA guys working down in Endicott and Watson (mostly the latter). The big topic at the time was exhorbitantly hi-priced memory being frantically consumed (we knew it was NSA, we realized later for upgrading Echelon to make it's data more transparent for future TIA transactions) post-911.

A cyberop like this would inevitably end up at big blooze' shop for the reasons scooke mentions: NOTHING gets thrown away by Endicott's hacks (a somewhat frustrating problem for workers needing access to boxes), their library of tools is as incomprehensibly massive as it is old. Indeed, Watson has not infrequently sent researchers there first to get their feet wet.

This probably initiated at Watson under NSA aegis, followed by research of tools at Endicott's library, then a handover to Haifa after payload completion. It's unrecognizable because NSA would demand that; any self-respecting beemer hack would know to hit up Endicott's libraries to make it so.

That said, it might be a little naive thinking any ibm'er you ask is gonna be successful convincing one of the mustier Endicott hacks to pony up from their libraries. scooke is right none of it is officially secret - but it frequently is VERY proprietary for some of them. A handful of old Endicott hacks still spend more time there than at home. That should tell you something about their priorities. It's all who you know. 'n no, I don't.

>they can receive “this” parameter in any register or in stack.
aggressive Whole Program Optimization?

I suggest to check those languages.
* XPCOM API -> pseudocode looks like this. but ABI is not standard xptcall.
* .Net (compiled to native code w/ Mono, LLVM CIL or GCC CIL back-end)
* Scheme-variant
* Haskell (GHC) -> it's not OO, so maybe not.
* OpenCOBOL -> IIRC COBOL 2002 has OO feature.
* Go Programming Language
* D Programming Language
* Vala

OOOAC ?

Is the C framework could be an extention of the "OOOAC" homemade framework ? It implement class system inheritance and event management in ansi c language.

I typed in "; lpMem" into google

and was then in a hunt for a win32 compiler ==>PowerBasic.

http://www.powerbasic.com/support/help/pbcc/index.htm#protected_mode_programming.htm

looks to be very nearly it. they have a set of objects including LinkedList with seemingly the same api names as above.
looking around their site it seems to be a serious programming platform for heavy win32 COM , complete with inline assembler.

they have some of the following idioms:

CLASS MyClass
INSTANCE MyVar AS LONG

CLASS METHOD CREATE()
' Do initialization
END METHOD

CLASS METHOD Destroy()
' Do cleanup
END METHOD

INTERFACE MyInterface
INHERIT IUNKNOWN
METHOD MyMethod()
' Do things
END METHOD
END INTERFACE
END CLASS

------------------------------------------------
EnterCriticalSection ByVal VarPtr(dStatus())
For i = 0 To UBound(gSoundStatus)
.... do stuff to data members of array
Next
LeaveCriticalSection ByVal VarPtr(dStatus())
------------------------------------------------

#COMPILE DLL "EvServer.dll"

$EvIFaceGuid = GUID$("{00000098-0000-0000-0000-000000000002}")
$MyClassGuid = GUID$("{00000098-0000-0000-0000-000000000003}")
$MyIFaceGuid = GUID$("{00000098-0000-0000-0000-000000000004}")

INTERFACE Status $EvIFaceGuid AS EVENT
INHERIT IUNKNOWN
METHOD Done
END INTERFACE

CLASS MyClass $MyClassGuid AS COM
INTERFACE MyMath $MyIFaceGuid
INHERIT IUNKNOWN
METHOD DoMath
MSGBOX "Calculating..." ' Do some math calculations here
RAISEEVENT Status.Done()
END METHOD
END INTERFACE

EVENT SOURCE Status

END CLASS
------------------------------------------------

This or something similar -- many scientists use this kind of interface for programming experimental machines and automating proceses. Thinking like a sneakypants, it would be a good way to take advantage of COM/win32 api 0-day exploits. TTF engine? .doc files -- tres faux paus!

Brainstorming

For some reason - call it a hunch - I delved into the AI related programming languages after seeing the output.

First up was Lisp, specifically Common Lisp, but it seems it has been mentioned plentiful already (Under the assumption that dialects like Scheme and Clojure also has been tested), maybe I am not to far off?

I lack deeper programming knowledge, but other AI programming languages like Strips, Planner and Prolog seems fundamentally to different to logically produce the same result. But then we have IPL, not that distant and there is the IBM connection with the IPL-V. But it feels way to legacy to be used today?

Then it felt like I had seen this code already, sometime, somewhere. And the only thing I could think was FORTRAN - From my mothers studies way back. And considering the prior mentioned dates, Fortran 2003 could be of interest. Also considering the fact that mixing C++ and Fortran is not to unheard of.

Edit:
Thought while trying to sleep - TCL?

Edited by M-Boy, 2012 Mar 14, 06:32

Could be one of these.

Could it be made in L (http://www.bitmover.com/lm/L/L.html)
Or in Ceylon
Or in Rust (by Mozilla).

PL/1,PL/S II,PL/AS,PL/X

Many IBM operating systems are written in these languages. As previous users mentioned the similarities to code they had seen on IBM systems i figured it might be worth while to take a look at these. IBM has a compiler for PL/1 that runs on windows. The other languages are derived from PL/1 and are mostly used interally on IBM so i wouldn't be a long shot to assume that they might have compilers for windows for those to. I should also add that this is all speculation on my part. i don't have the knowledge required to properly read and analyze the code posted.

The facts

1.Its calling Windows APIs so it has to be a Windows compiler (and not one for PLCs or SCADA or mainframes or anything else)
2.It was linked with Visual C++ code therefore it has to be something that emits native x86 Visual C++ compatible object files (rules out Delphi, any of the .NET languages, Java, Javascript, PHP, Python, Perl, Ruby, Visual Basic, VBA, VBScript and others)

Depending on what the disassembly of the memory allocate/free functions, I am going to concur with others here and say "yes this is a fake-OO framework for C (it might have even been compiled with a C++ compiler and not a C compiler)

Obfuscated ASM ?

It's been a very long time (like 15-20 years) since I wrote any C or C++, but I remember from those times contests of obfuscated C where the game was to write the most obscure piece of code possible (that would actually do something). I'm not in that kind of activity anymore, so I apologize if I'm stating something really obvious to this community.

It seems it's possible on ASM ( http://en.wikibooks.org/wiki/X86_Disassembly/Code_Obfuscation ): is it something that could have been done on that piece of code ? Or maybe did you already strip those layers of obfuscation ?

Regards,
Paul-Henri

It still looks like a dialect of Scheme

Igor,

Back in the day I had both a Dos and a windows version of Scheme. I used to look at the code after it was compiled and experiment with it. It treated all objects as first class which seems to be what it is doing after looking at the snippets. When I first looked at the code, Scheme is the first language that came to mind as it had that feel and look of old. David Heath also had a good idea about some of the SCADA/PLC development tools. One of them to look at would be Siemens Step 5/7 dvelopment environments which allows the use of statement logic and compiles the result into segments. I haven't explored it yet but I just might. I do like Wes's idea that it may be a Scheme derivitive as the feel is there.

tom

feasability of automated check

I've read through all the material given and the comments and while there are some interesting avenues of investigation, the general concensus is one you've already come to - that this is a custom OO framework. This concensus is one given by many skilled individuals who are familiar with decompiled code.

While I don't now how feasable this is, may I suggest a different and wider scoped approach? If a simple tool could be provided that automatically checked chosen folders for PE files on a user's machine for the code signature you're trying to identify, then you could post requests on hobbyist and professional programming boards, news forums etc. There are far more people out there willing to try and help than have the skills to delve into and identify decompiled code. Providing them with a tool to check their existing code bases will give you a much wider reach and would at the very least rule out some possibilities that you haven't considered yet.

Hobbyists and hobbyist programmers in particular (especially older ones) will have come into contact with a very large and varied code base. Asking them to check it for a matching signature would well raise a few flags and give directions for identifying the mystery code.

Just a thought. I've no idea how viable however.

Google's Dart

Coding looks very familiar. Just giving another option here. If anyone has time to take a look at google's Dart language which is similar to Javascript.

http://dartr.com/

its not Eiffel

Hi IGOR

Very interesting reading, our team here did look at this too, first some people suggested its Eiffel... It's not 99% we can tell!
We rather agree that this is custom oo C framework... we would put our bets on this! Good Luck!

This is very intriguing!

Have you considered comparing and analyzing it to RPGII it somewhat resembles that?

How about Visual Prolog

It is event driven, uses native windows API, has unique objects,

Another suggestion for Forth

As two others put forward - might be Forth.
Haven't done serious code in years but back when I was doing Forth (nearly 30 years ago now):
- we started by making our own version of Fig with the Nautilus cross-compiler
- if you remove the headers for target compilation then things down at the metal can look very strange to a non-forth coder
- we built our own Assembler in the Forth itself
- using that we could drop down into assembler and back to high level forth within the same word def
What can one person do?
Noodling about on my own I was able to get event driven, tight code that could patch itself to be a COM file for DOS or CMD file for CP/M. Same actual code doing this at run time.
And I was only a mediocre coder with time on my hands - what a good coder could do with the right software and motivation might look pretty dam alien to someone else.
We used to have a saying: Using C you can make a kludgy Forth but using Forth you can make a fine C.

Pike ?

Maybe it's written in Pike? Some of the features reminded me of what i have read about Pike, and according to Wikipedia it is used for Server/Gateway code for Opera Mini.
The syntax is also C like, i'm not sure about how it uses the windows API though