Stylishchamp is a tool that can create an HPA (Host Protected Area) on a hard drive and then provide raw reads and writes to this area. It should incorporate the latest TWISTEDKILT code so that Stylishchamp can support SATA drives. This will allow newer systems to use SWAP; currently, they only use IDE drives.
S3285/Intern Projects
The accredited security level of this system is: TOP SECRET//SI-GAMMA/TALENT KEYHOLE//ORCON/PROPIN/RELIDO/REL TO USA, FVEY
TOP SECRET//SI//REL TO USA, FV
(TS//SI//REL) This page contains ideas about possible future projects for the Persistence Division.
(TS//SI//REL) USB Hard Drive Persistence
(TS//SI//REL) This project develops a capability to install a hard drive implant on a USB hard drive. Because external hard drives are not normally booted from, the new implant will need to be an improved version of MADBISHOP, so that the hard drive implant has the ability to manipulate the file system of the drive from inside the firmware itself. Development would therefore consist of 3 main areas:
• (TS//SI//REL) Reliable, robust, and portable NTFS C code. Other file systems could also be looked into, such as FAT, EXT2, etc.
• (TS//SI//REL) Hard drive implant
• (TS//SI//REL) Remote installation over USB
(TS//SI//REL) Self-Encrypting-Drive (SED) Persistence
(TS//SI//REL) SED drives provide additional security measures which often thwart IRATEMONK developer efforts to modify the firmware on these drives. A highly skilled intern with reverse engineering skills and an understanding of security in computing systems would be invaluable in tackling one of the Persistence Division's more difficult problems.
(U//FOUO) CASTLECRASHER
(TS//SI//REL) CASTLECRASHER is the primary technique that executes DNT Windows payloads from all payload persistence techniques (i.e. IRATEMONK and SIERRAMISTFREE). It is all Windows native mode code built using Visual Studio. CASTLECRASHER has many advanced techniques in it, including thread injection and anti-stack backtracing, and in many cases CASTLECRASHER is closer to DNT-style kernel work than it is to traditional Persistence work. While the current version is quite robust, we will add several features:
• (TS//SI//REL) Currently CASTLECRASHER doesn't work against systems with 360 Safe installed. We need to find a way around this, even if it involves using the older Windows service method of execution, which will more than likely require a refactoring of how the configuration data of CASTLECRASHER is stored.
• (TS//SI//REL) We will develop an automated test suite using the Persistence Division’s ROGUESAMURAI test framework to provide more robust testing for this important project.