Wednesday 20 May 2015

My C++ experience, the power of blogs and 'the online brand of an developer'

If you are a developer one of the most powerful things you can do for your carer is to have a solid online 'brand'.

Don't think of it as a place where you tell the world how amazing you are, but as a place where you keep a log of your past ideas and achievements.

In fact, your GitHub account is the place where your skills will be displayed in its purest format, so make sure you have a nice active and healthy presence.

Below you will find the contents of an email I just sent after I was asked 'So ... what is your C++ experience?', and note the difference between the period before and after I starter blogging (i.e links vs no-links)

And the worse part, is that not only I did not share those ideas with you (blog reader), I am also left of out it! (since those ideas and docs and now lost in old memories and laptops/vms long gone)

See Blogging is like speaking to my 'Future Self' for more on the idea that blogging is more about allow you in the future to have access to your ideas today



Here are some links about my dev and C++ experience:
I was also involved in a number of C++ research which where done before I started my blog:
  • Rooting the CLR where I was modifying the .NET CLR in real time to remove security features 
  • Use tools like Ollydb and IDAPro to reverse engineer C++ applications (and find vulns)
  • Exploit all sorts of buffer overflows (stack, heap, off-by-one), including bypassing ASLR using Heap Spaying techniques
  • Use Microsoft Detours API to hook to hook specific functions and write tools to introduce payloads via the hijacked functions
  • Broke multiple copy protection solutions (for a customer of those solutions who wanted to know how good they where). The last one was done by using a kernel driver which was a variation of  Rr0d, The Rasta Ring0 Debugger (codeslides). Yes I wrote a kernel driver to attack another kernel driver and bypass its copy protection actions
  • Developed Security Training courses based on the Writing Secure Code book, which included tons of C++ material and examples
  • Delivered training at BlackHat and OWASP conferences on advanced hacking techniques
One of my focus is on making developers understand the security implications of the code they are writing, and nothing shows that better than this PoC Real-Time Vulnerability Feedback in VisualStudio