Attack N Defence

Transcript

1. Attack N Defence - 0101 - JD

2. Notice • Solution is not perfect. • Also, sample is

   not perfect. • So, we should have imagine.

3. Process Product Attack Defence

4. Setup • docker pull jongsu253/dev-seminar:0.1 • docker run --privileged --cap-add=SYS_PTRACE

   --security-opt seccomp=unconfined -it ed79ba87900b /bin/bash

5. Let’s do it now!

6. Section I - Hooking Dynamic Linking libc.so program call printf@PLT

   PLT[0]: call resolver PLT[X]: jmp *GOT[X] push XX jmp PLT[0] GOT[X]: &printf printf:
 … ld.so resolver: … program call printf@PLT PLT[0]: call resolver PLT[X]: jmp *GOT[X] push XX jmp PLT[0] GOT[X]: &hooker libc.so printf:
 … ld.so resolver: … hook.so hooker:
 …

7. Section I - Hooking Dynamic Loading ld.so libc.so libm.so libhook.so

   printf read write pow sqrt ceil printf read write libraries:
 libc.so libm.so libhook.so ld.so libraries:
 libhook.so libc.so libm.so libc.so libm.so libhook.so printf read write printf read write pow sqrt ceil

8. Section II - Debugger Process A Process B name phone

   address … Process A Process B name phone address … access / control kernel access / control

9. Section II - Debugger Process A Process B name phone

   address … kernel access / control Process C 1 2

10. Section II - Debugger Process A Process B name phone

    address … kernel Process B` fork Attached Not Attached

11. Section II - Debugger Process A Process B kernel Attached

    Thread 1 Thread 2 Thread 3 Thread N

12. Section II - Debugger Process A Process B kernel Thread

    1 Thread 2 Thread 3 Thread N Attached Process C

13. What do you think …?

14. Q & A

15. Thank you!