NTUST [2019]: Windows Reversing

229b1596ce57cd0935a2bacd410d87a0?s=47 馬聖豪
September 26, 2019
0
410

NTUST [2019]: Windows Reversing

資安食物不好吃

229b1596ce57cd0935a2bacd410d87a0?s=128

馬聖豪

September 26, 2019
Tweet

Want more?

229b1596ce57cd0935a2bacd410d87a0?s=48 aaaddress1
0
900
229b1596ce57cd0935a2bacd410d87a0?s=48 aaaddress1
0
300
229b1596ce57cd0935a2bacd410d87a0?s=48 aaaddress1
0
130
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
1
100
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
54
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
60
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
4
120
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
3
140
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
2
210
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
2
390
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
110
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
200

Transcript

  1. 1.

    aaaddress1@chroot.org 414141414141414141 AAAAAAAAAA Windows Reversing Basic 台灣科技⼤學 資安實務

  2. 2.

    $_whoami #Windows #Reversing #Pwn #Exploit #EoP • blog.30cm.tw • aaaddress1@chroot.org

    • Master degree at CSIE, NTUST • Security Researcher - chrO.ot • Speaker - BlackHat, DEFCON, VXCON, HITCON • aaaddress1@chroot.org
  3. 3.

    cd Compiler

  4. 4.

    # compiler Source.cpp Object Files Main.exe Compiler Assembly Codes Assembler

    Linker
  5. 5.

    # compiler #include <Windows.h> int main() { MessageBoxA( 0, "hi

    there.", "info", 0 ); return 0; }
  6. 6.

    # #include <Windows.h> int main() { MessageBoxA( 0, "hi there.",

    "info", 0 ); return 0; } push 0 push "info" push "hi there." push 0 call MessageBoxA xor eax, eax ret en.wikipedia.org/wiki/X86_calling_conventions compiler
  7. 7.

    # xor eax, eax ret push 0 push "info" push

    "hi there." push 0 call MessageBoxA 0xdead: "info" 0xbeef: "hi there." .rdata section 0xcafe: 0x7630EA99 .idata section (Import Address Table) compiler
  8. 8.

    # xor eax, eax ret push 0 push offset "info"

    push offset "hi there." push 0 call MessageBoxA 0xdead: "info" 0xbeef: "hi there." .rdata section 0xcafe: 0x7630EA99 .idata section (Import Address Table) compiler
  9. 9.

    # xor eax, eax ret push 0 push 0xdead push

    0xbeef push 0 call ds:0xcafe 0xdead: "info" 0xbeef: "hi there." .rdata section 0xcafe: 0x7630EA99 .idata section (Import Address Table) compiler
  10. 10.

    # push 0 ; 6A 00 push 0xdead ; 68

    AD DE 00 00 push 0xbeef ; 68 EF BE 00 00 push 0 ; 6A 00 call ds:0xcafe ; FF 15 FE CA 00 00 xor eax, eax ; 33 C0 ret ; C3 compiler
  11. 11.

    # Main.exe .text Section 6A 00 68 AD DE 00

    00 68 EF BE 00 00 6A 00 FF 15 FE CA 00 00 33 C0 C3 0xdead: "info" 0xbeef: "hi there." 0xcafe: 0x7630EA99 .rdata Section .idata Section compiler
  12. 12.

    cd Hell_World.c

  13. 13.

    # $ gcc -S hellWorld.cpp Compiler

  14. 14.

    # $ gcc -O0 -c hellWorld.s Assembler

  15. 15.

    # COFF File?

  16. 16.

    # COFF File

  17. 17.

    # Linker

  18. 18.

    # Linker

  19. 19.

    aaaddress1@chroot.org cat./a.o # COFF Overview

  20. 20.

    aaaddress1@chroot.org .NumberOfSymbols cat./a.o # COFF Overview Image File Header Section

    Header 1 .NumberOfSections .RVA .size .name Section Header Array → Section Data .Machine .TimeDateStamp .PointerToSymbolTable .Characteristics Section Header 2 Section Header 3 ... Section Data .VA
  21. 21.

    aaaddress1@chroot.org cat./PE # PE Overview 'MZ' DOS 'PE' File Headr

    Opt Header Section Header 1 .NumberOfSections .SizeOfImage .DataDirectory .AddressOfEntryPoint .SizeOfHeaders .ImageBase .VA .size .RVA .text Section Header Array → .text (Data)
  22. 22.

    aaaddress1@chroot.org cat./PE # COFF or PE 'MZ' DOS 'PE' File

    Headr Opt Header Section Header 1 .NumberOfSections .SizeOfImage .DataDirectory .AddressOfEntryPoint .SizeOfHeaders .ImageBase .VA .size .RVA .text Section Header Array → .text (Data)
  23. 23.

    cd Win32 Process

  24. 24.

    syscall Ring0 Ring3 Parent Process (A.) CreateProcess Child Process (B.)

    Child Proess Created, EXE File Mapped, Gained the Same Privilege and New Thread pointed to RtlUserThreadStart (C.) Kernel Create a new Thread: RtlUserThreadStart →LdrInitializeThunk →LdrpInitializeProcess (D.) Jump into AddressOfEntry
  25. 25.

    # Source.cpp Object Files Main.exe Assembly Codes Process NT Header

    File Header Optional Header Section Header Array Section[0]: .text Section[1]: .data Section[2]: .rdata ... [DATA] .text [DATA] .data [DATA] .idata PE Module File Mapping Stack Memory lifecycle
  26. 26.

    aaaddress1@chroot.org cat./RunPE # Process Hollowing

  27. 27.

    # Process NT Header File Header Optional Header Section Header

    Array Section[0]: .text Section[1]: .data Section[2]: .rdata ... [DATA] .text [DATA] .data [DATA] .idata Heap Stack Memory Local Global lifecycle
  28. 28.

    # Process NT Header File Header Optional Header Section Header

    Array Section[0]: .text Section[1]: .data Section[2]: .rdata ... [DATA] .text [DATA] .data [DATA] .idata Heap Stack Memory Local Global lifecycle
  29. 29.

    # Source.cpp Object Files Main.exe Assembly Codes Process hellWorld.exe [DATA]

    .text [DATA] .idata File Mapping msvcrt.dll [DATA] .text kernel32.dll [DATA] .text iat:imp_printf iat:imp_WinExec new Thread module_a.dll module_b.dll lifecycle
  30. 30.

    # Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text

    kernel32.dll [DATA] .text Thread[0] module_a.dll module_b.dll Thread[1] Thread[2] 分時多⼯ 我怎麼知道這⼀次是哪個模組的執⾏緒啦,森77。 lifecycle
  31. 31.

    # Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text

    kernel32.dll [DATA] .text Thread[0] Thread[1] Thread[2] TEB[0] TEB[1] TEB[2] lifecycle fs:[0x18]
  32. 32.

    aaaddress1@chroot.org In computing, the Win32 Thread Information Block (TIB) is

    a data structure in Win32 on x86 that stores information about the currently running thread. This structure is also known as the Thread Environment Block (TEB). The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register when operating on 32 bits, and from GS in 64 bits. en.wikipedia.org/wiki/Win32_Thread_Information_Block /? TIB
  33. 33.

    aaaddress1@chroot.org /? TIB

  34. 34.

    aaaddress1@chroot.org # Undocumented info struct TEB { //NT_TIB structure portion

    EXCEPTION_REGISTRATION* ExceptionList; //0x0000 / Current Structured Exception Handling frame void* StackBase; //0x0004 / Bottom of stack (high address) void* StackLimit; //0x0008 / Ceiling of stack (low address) void* SubSystemTib; //0x000C union { void* FiberData; //0x0010 DWORD Version; //0x0010 } dword10; void* ArbitraryUserPointer; //0x0014 TEB* Self; //0x0018 //NT_TIB ends (NT subsystem independent part) void* EnvironmentPointer; //0x001C CLIENT_ID ClientId; //0x0020 // ClientId.ProcessId //0x0020 / value retrieved by GetCurrentProcessId() // ClientId.ThreadId //0x0024 / value retrieved by GetCurrentThreadId() void* ActiveRpcHandle; //0x0028 void* ThreadLocalStoragePointer; //0x002C PEB* ProcessEnvironmentBlock; //0x0030 ... bytepointer.com/resources/tebpeb32.htm /? TIB
  35. 35.

    aaaddress1@chroot.org /? x64dbg

  36. 36.

    aaaddress1@chroot.org • GetCurrentThread • GetModuleHandleW • GetCurrentThreadId • GetCurrentThread •

    IsDebuggerPresent /? C$Windows\Sys32\Kernel32
  37. 37.

    # Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text

    kernel32.dll [DATA] .text Thread[0] Thread[1] Thread[2] TEB[0] TEB[1] TEB[2] lifecycle fs:[0x18]
  38. 38.

    # Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text

    kernel32.dll [DATA] .text Thread[0] Thread[1] Thread[2] TEB[0] TEB[1] TEB[2] lifecycle fs:[0x18] PEB
  39. 39.

    aaaddress1@chroot.org In computing the Process Environment Block (abbreviated PEB) is

    a data structure in the Windows NT operating system family. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system. Microsoft notes, in its MSDN Library documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows". The PEB contains data structures that apply across a whole process, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures. en.wikipedia.org/wiki/Process_Environment_Block /? PEB
  40. 40.

    aaaddress1@chroot.org /? x64dbg

  41. 41.

    # Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text

    kernel32.dll [DATA] .text Thread[0] Thread[1] Thread[2] TEB[0] TEB[1] TEB[2] lifecycle fs:[0x18] PEB fs:[0x30] typedef struct _PEB32 { UCHAR InheritedAddressSpace; UCHAR ReadImageFileExecOptions; UCHAR BeingDebugged; UCHAR BitField; ULONG Mutant; ULONG ImageBaseAddress; PPEB_LDR_DATA Ldr; ULONG ProcessParameters; ULONG SubSystemData; ULONG ProcessHeap; ULONG FastPebLock; ULONG AtlThunkSListPtr; ULONG IFEOKey; ULONG CrossProcessFlags; ULONG UserSharedInfoPtr; ULONG SystemReserved; ULONG AtlThunkSListPtr32; ULONG ApiSetMap; } PEB32, *PPEB32;
  42. 42.

    /?main

  43. 43.

    aaaddress1@chroot.org cat./PE # PE Overview 'MZ' DOS 'PE' File Headr

    Opt Header Section Header 1 .NumberOfSections .SizeOfImage .DataDirectory .AddressOfEntryPoint .SizeOfHeaders .ImageBase .VA .size .RVA .text Section Header Array → .text (Data)
  44. 44.

    $_./Lab1

  45. 45.

    # Lab1

  46. 46.

    $_./Lab2

  47. 47.

    # Lab2

  48. 48.

    # Lab 1 & 2

  49. 49.

    # Lab1

  50. 50.

    cd ./r3versing

  51. 51.

    aaaddress1@chroot.org /? homework # Back To The Future

  52. 52.

    aaaddress1@chroot.org /? homework 我知道在場⼀堆IDA狗,再不學動態分析試試看,看怎麼你逆 ㄏㄏ

  53. 53.

    cd ./stack

  54. 54.

    >_Thread addr @ 401000: 6A 00 68 AD DE 40

    00 68 EF BE 40 00 6A 00 FF 15 FE CA 40 00 33 C0 C3 push 0 push 0x40dead push 0x40beef push 0 call ds:0x40cafe xor eax, eax ret via x86 Instruction Set Registers eax 41414141 ebx 42424242 ecx 43434343 edx 44444444 ... ... esp 7ffffffc ebp 7ffffffc eip 401000
  55. 55.

    >_Thread addr @ 401000: 6A 00 68 AD DE 40

    00 68 EF BE 40 00 6A 00 FF 15 FE CA 40 00 33 C0 C3 push 0 push 0x40dead push 0x40beef push 0 call ds:0x40cafe xor eax, eax ret via x86 Instruction Set Registers eax 41414141 ebx 42424242 ecx 43434343 edx 44444444 ... ... esp 7ffffffc ebp 7ffffffc eip 401000 Process aaaaaaaaa.exe ntdll.dll kernel32.dll ... Low Address custom.dll xxxxxx.dll module.dll High Address Thread Stack
  56. 56.

    >_Heap uint32_t buf[3] = { 1, 2, 3 }; buf[1]

    = 0xAAAAAAAA; buf[2] = 0x12345678; Low Address = 0x100 (buf) High Address &(buf[0]) = 0x100 buf[0] = 1 00 00 00 01 &(buf[1]) = 0x104 buf[1] = 0xAAAAAAAA AA AA AA AA &(buf[2]) = 0x108 buf[2] = 0x12345678 78 56 34 12
  57. 57.

    >_Stack uint32_t stack[100]; uint32_t index = 99; void x86_push(uint32_t in)

    { stack[--index] = in; } void x86_pop(&out) { x = stack[index++]; } Low Address = 0x100 (stack) High Address esp = 0x100 + sizeof(uint32_t) * 99 Allocate Local Memory Release Local Memory
  58. 58.

    >_Stack push eax push ebx pop edx Low Address =

    0x100 (stack) High Address eax 1 ebx 2 edx 3 esp = 0x28c index = 99
  59. 59.

    >_Stack push eax push ebx pop edx Low Address =

    0x100 (stack) High Address eax 1 ebx 2 edx 3 00 00 00 01 esp = 0x288 index = 98 esp = 0x28c index = 99
  60. 60.

    >_Stack push eax push ebx pop edx Low Address =

    0x100 (stack) High Address eax 1 ebx 2 edx 3 00 00 00 01 esp = 0x288 index = 98 esp = 0x28c index = 99 00 00 00 02 esp = 0x284 index = 97
  61. 61.

    >_Stack push eax push ebx pop edx Low Address =

    0x100 (stack) High Address eax 1 ebx 2 edx 2 00 00 00 01 esp = 0x288 index = 98 esp = 0x28c index = 99 00 00 00 02 esp = 0x284 index = 97
  62. 62.

    aaaddress1@chroot.org x86 Calling Convention

  63. 63.

    >_Calling Convention en.wikipedia.org/wiki/X86_calling_conventions add: push ebp mov ebp, esp sub

    esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret
  64. 64.

    >_Calling Convention en.wikipedia.org/wiki/X86_calling_conventions add: push ebp mov ebp, esp sub

    esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret The Begin of function The end of function
  65. 65.

    >_Function Low Address = 0x100 (stack) High Address esp =

    0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3)
  66. 66.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) 00 00 00 03 esp = 0x288 index = 98
  67. 67.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) 00 00 00 03 esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97
  68. 68.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) 00 00 00 03 esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96
  69. 69.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 00 00 00 03
  70. 70.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 00 00 00 03
  71. 71.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) 00 00 00 03
  72. 72.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) local buf esp = 0x274 index = 93 00 00 00 03
  73. 73.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) local buf esp = 0x274 index = 93 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03
  74. 74.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) local buf esp = 0x274 index = 93 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03
  75. 75.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) 6 esp = 0x274 index = 93 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03
  76. 76.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) 6 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03
  77. 77.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp 6 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03
  78. 78.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr old ebp 6 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03
  79. 79.

    Low Address = 0x100 (stack) High Address esp = 0x28c

    index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) 00 00 00 03 00 00 00 02 00 00 00 01 ret addr old ebp 6 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10
  80. 80.

    aaaddress1@chroot.org Structured Exception Handling (SEH)

  81. 81.

    Structured exception handling enables you to have complete control over

    the handling of exceptions, provides support for debuggers, and is usable across all programming languages and machines. Vectored exception handling is an extension to structured exception handling. >_SEH docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling
  82. 82.

    >_Visual C++ Actually SEH is a feature to support try

    {} catch (...) {} and...
  83. 83.

    aaaddress1@chroot.org

  84. 84.

    >_Visual C++

  85. 85.

    aaaddress1@chroot.org Thread Information Block —— Break into how Win32 API

    works
  86. 86.

    aaaddress1@chroot.org In computing, the Win32 Thread Information Block (TIB) is

    a data structure in Win32 on x86 that stores information about the currently running thread. This structure is also known as the Thread Environment Block (TEB). The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register when operating on 32 bits, and from GS in 64 bits. en.wikipedia.org/wiki/Win32_Thread_Information_Block /? TIB
  87. 87.

    aaaddress1@chroot.org /? TIB

  88. 88.

    aaaddress1@chroot.org # Undocumented info struct TEB { //NT_TIB structure portion

    EXCEPTION_REGISTRATION* ExceptionList; //0x0000 / Current Structured Exception Handling frame void* StackBase; //0x0004 / Bottom of stack (high address) void* StackLimit; //0x0008 / Ceiling of stack (low address) void* SubSystemTib; //0x000C union { void* FiberData; //0x0010 DWORD Version; //0x0010 } dword10; void* ArbitraryUserPointer; //0x0014 TEB* Self; //0x0018 //NT_TIB ends (NT subsystem independent part) void* EnvironmentPointer; //0x001C CLIENT_ID ClientId; //0x0020 // ClientId.ProcessId //0x0020 / value retrieved by GetCurrentProcessId() // ClientId.ThreadId //0x0024 / value retrieved by GetCurrentThreadId() void* ActiveRpcHandle; //0x0028 void* ThreadLocalStoragePointer; //0x002C PEB* ProcessEnvironmentBlock; //0x0030 ... bytepointer.com/resources/tebpeb32.htm /? TIB
  89. 89.

    aaaddress1@chroot.org /? x64dbg

  90. 90.

    aaaddress1@chroot.org • GetCurrentThread • GetModuleHandleW • GetCurrentThreadId • GetCurrentThread •

    IsDebuggerPresent /? C$Windows\Sys32\Kernel32
  91. 91.

    >_x64dbg We can use the command "teb()" to fetch the

    current TEB table address. Point to handler-chain
  92. 92.

    >_x64dbg teb() = 0x5b0000

  93. 93.

    >_SEH Record Thread Exception TEB fs:[0] SEH Chain fs:[4] StackBase

    fs:[8] StackLimt fs:[c] SubSystem Handler 3 Callback Handler Ptr Prev Handler Handler 2 Callback Handler Ptr Prev Handler Handler 1 Callback Handler Ptr -1 (end)
  94. 94.

    >_SEH

  95. 95.

    >_SEH push ebp mov ebp, esp push offset __ehhandler$_main push

    fs:[0] mov fs:[0], esp mov [0], 1 xor eax, eax mov ecx, [esp] mov large fs:0, ecx mov esp, ebp pop ebp retn Return value Function codes Register a handler Unregister a handler The begin of function The end of function
  96. 96.

    >_Stack Frame Low Address (stack) High Address ret addr old

    ebp ebp (current stack frame) SEH record esp ebp ebp+4 arg3 arg2 arg1 ebp+8 ebp+0x0c ebp+0x10 canery SEH record Previous SEH Record addr Current Handler buffer
  97. 97.

    >_Buffer Overflow Low Address (stack) High Address ret addr old

    ebp ebp (current stack frame) SEH record esp ebp ebp+4 arg3 arg2 arg1 ebp+8 ebp+0x0c ebp+0x10 canery SEH record Previous SEH Record addr Current Handler buffer
  98. 98.

    >_Buffer Overflow Low Address (stack) High Address ret addr old

    ebp ebp (current stack frame) SEH record esp ebp ebp+4 arg3 arg2 arg1 ebp+8 ebp+0x0c ebp+0x10 canery SEH record Previous SEH Record addr Current Handler buffer Buffer Overflow from low addr to high addr
  99. 99.

    >_Buffer Overflow Low Address (stack) High Address ret addr old

    ebp ebp (current stack frame) SEH record esp ebp ebp+4 arg3 arg2 arg1 ebp+8 ebp+0x0c ebp+0x10 canery SEH record Previous SEH Record addr Current Handler buffer Buffer Overflow from low addr to high addr buffer memory out of bounds
  100. 100.

    aaaddress1@chroot.org Lab 2: Knock down the handler

  101. 101.

    aaaddress1@chroot.org 414141414141414141 AAAAAAAAAA Windows Reversing Basic 台灣科技⼤學 資安實務 Slide Github

    @aaaddress1 Facebook