Tweet
Tweet

Slide 1

Slide 1 text

aaaddress1@chroot.org 414141414141414141 AAAAAAAAAA Windows Reversing Basic 台灣科技⼤學 資安實務

Slide 2

Slide 2 text

$_whoami #Windows #Reversing #Pwn #Exploit #EoP • blog.30cm.tw • aaaddress1@chroot.org • Master degree at CSIE, NTUST • Security Researcher - chrO.ot • Speaker - BlackHat, DEFCON, VXCON, HITCON • aaaddress1@chroot.org

Slide 3

Slide 3 text

cd Compiler

Slide 4

Slide 4 text

# compiler Source.cpp Object Files Main.exe Compiler Assembly Codes Assembler Linker

Slide 5

Slide 5 text

# compiler #include int main() { MessageBoxA( 0, "hi there.", "info", 0 ); return 0; }

Slide 6

Slide 6 text

# #include int main() { MessageBoxA( 0, "hi there.", "info", 0 ); return 0; } push 0 push "info" push "hi there." push 0 call MessageBoxA xor eax, eax ret en.wikipedia.org/wiki/X86_calling_conventions compiler

Slide 7

Slide 7 text

# xor eax, eax ret push 0 push "info" push "hi there." push 0 call MessageBoxA 0xdead: "info" 0xbeef: "hi there." .rdata section 0xcafe: 0x7630EA99 .idata section (Import Address Table) compiler

Slide 8

Slide 8 text

# xor eax, eax ret push 0 push offset "info" push offset "hi there." push 0 call MessageBoxA 0xdead: "info" 0xbeef: "hi there." .rdata section 0xcafe: 0x7630EA99 .idata section (Import Address Table) compiler

Slide 9

Slide 9 text

# xor eax, eax ret push 0 push 0xdead push 0xbeef push 0 call ds:0xcafe 0xdead: "info" 0xbeef: "hi there." .rdata section 0xcafe: 0x7630EA99 .idata section (Import Address Table) compiler

Slide 10

Slide 10 text

# push 0 ; 6A 00 push 0xdead ; 68 AD DE 00 00 push 0xbeef ; 68 EF BE 00 00 push 0 ; 6A 00 call ds:0xcafe ; FF 15 FE CA 00 00 xor eax, eax ; 33 C0 ret ; C3 compiler

Slide 11

Slide 11 text

# Main.exe .text Section 6A 00 68 AD DE 00 00 68 EF BE 00 00 6A 00 FF 15 FE CA 00 00 33 C0 C3 0xdead: "info" 0xbeef: "hi there." 0xcafe: 0x7630EA99 .rdata Section .idata Section compiler

Slide 12

Slide 12 text

cd Hell_World.c

Slide 13

Slide 13 text

# $ gcc -S hellWorld.cpp Compiler

Slide 14

Slide 14 text

# $ gcc -O0 -c hellWorld.s Assembler

Slide 15

Slide 15 text

# COFF File?

Slide 16

Slide 16 text

# COFF File

Slide 17

Slide 17 text

# Linker

Slide 18

Slide 18 text

# Linker

Slide 19

Slide 19 text

aaaddress1@chroot.org cat./a.o # COFF Overview

Slide 20

Slide 20 text

aaaddress1@chroot.org .NumberOfSymbols cat./a.o # COFF Overview Image File Header Section Header 1 .NumberOfSections .RVA .size .name Section Header Array → Section Data .Machine .TimeDateStamp .PointerToSymbolTable .Characteristics Section Header 2 Section Header 3 ... Section Data .VA

Slide 21

Slide 21 text

aaaddress1@chroot.org cat./PE # PE Overview 'MZ' DOS 'PE' File Headr Opt Header Section Header 1 .NumberOfSections .SizeOfImage .DataDirectory .AddressOfEntryPoint .SizeOfHeaders .ImageBase .VA .size .RVA .text Section Header Array → .text (Data)

Slide 22

Slide 22 text

aaaddress1@chroot.org cat./PE # COFF or PE 'MZ' DOS 'PE' File Headr Opt Header Section Header 1 .NumberOfSections .SizeOfImage .DataDirectory .AddressOfEntryPoint .SizeOfHeaders .ImageBase .VA .size .RVA .text Section Header Array → .text (Data)

Slide 23

Slide 23 text

cd Win32 Process

Slide 24

Slide 24 text

syscall Ring0 Ring3 Parent Process (A.) CreateProcess Child Process (B.) Child Proess Created, EXE File Mapped, Gained the Same Privilege and New Thread pointed to RtlUserThreadStart (C.) Kernel Create a new Thread: RtlUserThreadStart →LdrInitializeThunk →LdrpInitializeProcess (D.) Jump into AddressOfEntry

Slide 25

Slide 25 text

# Source.cpp Object Files Main.exe Assembly Codes Process NT Header File Header Optional Header Section Header Array Section[0]: .text Section[1]: .data Section[2]: .rdata ... [DATA] .text [DATA] .data [DATA] .idata PE Module File Mapping Stack Memory lifecycle

Slide 26

Slide 26 text

aaaddress1@chroot.org cat./RunPE # Process Hollowing

Slide 27

Slide 27 text

# Process NT Header File Header Optional Header Section Header Array Section[0]: .text Section[1]: .data Section[2]: .rdata ... [DATA] .text [DATA] .data [DATA] .idata Heap Stack Memory Local Global lifecycle

Slide 28

Slide 28 text

# Process NT Header File Header Optional Header Section Header Array Section[0]: .text Section[1]: .data Section[2]: .rdata ... [DATA] .text [DATA] .data [DATA] .idata Heap Stack Memory Local Global lifecycle

Slide 29

Slide 29 text

# Source.cpp Object Files Main.exe Assembly Codes Process hellWorld.exe [DATA] .text [DATA] .idata File Mapping msvcrt.dll [DATA] .text kernel32.dll [DATA] .text iat:imp_printf iat:imp_WinExec new Thread module_a.dll module_b.dll lifecycle

Slide 30

Slide 30 text

# Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text kernel32.dll [DATA] .text Thread[0] module_a.dll module_b.dll Thread[1] Thread[2] 分時多⼯ 我怎麼知道這⼀次是哪個模組的執⾏緒啦,森77。 lifecycle

Slide 31

Slide 31 text

# Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text kernel32.dll [DATA] .text Thread[0] Thread[1] Thread[2] TEB[0] TEB[1] TEB[2] lifecycle fs:[0x18]

Slide 32

Slide 32 text

aaaddress1@chroot.org In computing, the Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores information about the currently running thread. This structure is also known as the Thread Environment Block (TEB). The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register when operating on 32 bits, and from GS in 64 bits. en.wikipedia.org/wiki/Win32_Thread_Information_Block /? TIB

Slide 33

Slide 33 text

aaaddress1@chroot.org /? TIB

Slide 34

Slide 34 text

aaaddress1@chroot.org # Undocumented info struct TEB { //NT_TIB structure portion EXCEPTION_REGISTRATION* ExceptionList; //0x0000 / Current Structured Exception Handling frame void* StackBase; //0x0004 / Bottom of stack (high address) void* StackLimit; //0x0008 / Ceiling of stack (low address) void* SubSystemTib; //0x000C union { void* FiberData; //0x0010 DWORD Version; //0x0010 } dword10; void* ArbitraryUserPointer; //0x0014 TEB* Self; //0x0018 //NT_TIB ends (NT subsystem independent part) void* EnvironmentPointer; //0x001C CLIENT_ID ClientId; //0x0020 // ClientId.ProcessId //0x0020 / value retrieved by GetCurrentProcessId() // ClientId.ThreadId //0x0024 / value retrieved by GetCurrentThreadId() void* ActiveRpcHandle; //0x0028 void* ThreadLocalStoragePointer; //0x002C PEB* ProcessEnvironmentBlock; //0x0030 ... bytepointer.com/resources/tebpeb32.htm /? TIB

Slide 35

Slide 35 text

aaaddress1@chroot.org /? x64dbg

Slide 36

Slide 36 text

aaaddress1@chroot.org • GetCurrentThread • GetModuleHandleW • GetCurrentThreadId • GetCurrentThread • IsDebuggerPresent /? C$Windows\Sys32\Kernel32

Slide 37

Slide 37 text

# Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text kernel32.dll [DATA] .text Thread[0] Thread[1] Thread[2] TEB[0] TEB[1] TEB[2] lifecycle fs:[0x18]

Slide 38

Slide 38 text

# Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text kernel32.dll [DATA] .text Thread[0] Thread[1] Thread[2] TEB[0] TEB[1] TEB[2] lifecycle fs:[0x18] PEB

Slide 39

Slide 39 text

aaaddress1@chroot.org In computing the Process Environment Block (abbreviated PEB) is a data structure in the Windows NT operating system family. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system. Microsoft notes, in its MSDN Library documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows". The PEB contains data structures that apply across a whole process, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures. en.wikipedia.org/wiki/Process_Environment_Block /? PEB

Slide 40

Slide 40 text

aaaddress1@chroot.org /? x64dbg

Slide 41

Slide 41 text

# Process hellWorld.exe [DATA] .text [DATA] .idata msvcrt.dll [DATA] .text kernel32.dll [DATA] .text Thread[0] Thread[1] Thread[2] TEB[0] TEB[1] TEB[2] lifecycle fs:[0x18] PEB fs:[0x30] typedef struct _PEB32 { UCHAR InheritedAddressSpace; UCHAR ReadImageFileExecOptions; UCHAR BeingDebugged; UCHAR BitField; ULONG Mutant; ULONG ImageBaseAddress; PPEB_LDR_DATA Ldr; ULONG ProcessParameters; ULONG SubSystemData; ULONG ProcessHeap; ULONG FastPebLock; ULONG AtlThunkSListPtr; ULONG IFEOKey; ULONG CrossProcessFlags; ULONG UserSharedInfoPtr; ULONG SystemReserved; ULONG AtlThunkSListPtr32; ULONG ApiSetMap; } PEB32, *PPEB32;

Slide 42

Slide 42 text

/?main

Slide 43

Slide 43 text

aaaddress1@chroot.org cat./PE # PE Overview 'MZ' DOS 'PE' File Headr Opt Header Section Header 1 .NumberOfSections .SizeOfImage .DataDirectory .AddressOfEntryPoint .SizeOfHeaders .ImageBase .VA .size .RVA .text Section Header Array → .text (Data)

Slide 44

Slide 44 text

$_./Lab1

Slide 45

Slide 45 text

# Lab1

Slide 46

Slide 46 text

$_./Lab2

Slide 47

Slide 47 text

# Lab2

Slide 48

Slide 48 text

# Lab 1 & 2

Slide 49

Slide 49 text

# Lab1

Slide 50

Slide 50 text

cd ./r3versing

Slide 51

Slide 51 text

aaaddress1@chroot.org /? homework # Back To The Future

Slide 52

Slide 52 text

aaaddress1@chroot.org /? homework 我知道在場⼀堆IDA狗,再不學動態分析試試看,看怎麼你逆 ㄏㄏ

Slide 53

Slide 53 text

cd ./stack

Slide 54

Slide 54 text

>_Thread addr @ 401000: 6A 00 68 AD DE 40 00 68 EF BE 40 00 6A 00 FF 15 FE CA 40 00 33 C0 C3 push 0 push 0x40dead push 0x40beef push 0 call ds:0x40cafe xor eax, eax ret via x86 Instruction Set Registers eax 41414141 ebx 42424242 ecx 43434343 edx 44444444 ... ... esp 7ffffffc ebp 7ffffffc eip 401000

Slide 55

Slide 55 text

>_Thread addr @ 401000: 6A 00 68 AD DE 40 00 68 EF BE 40 00 6A 00 FF 15 FE CA 40 00 33 C0 C3 push 0 push 0x40dead push 0x40beef push 0 call ds:0x40cafe xor eax, eax ret via x86 Instruction Set Registers eax 41414141 ebx 42424242 ecx 43434343 edx 44444444 ... ... esp 7ffffffc ebp 7ffffffc eip 401000 Process aaaaaaaaa.exe ntdll.dll kernel32.dll ... Low Address custom.dll xxxxxx.dll module.dll High Address Thread Stack

Slide 56

Slide 56 text

>_Heap uint32_t buf[3] = { 1, 2, 3 }; buf[1] = 0xAAAAAAAA; buf[2] = 0x12345678; Low Address = 0x100 (buf) High Address &(buf[0]) = 0x100 buf[0] = 1 00 00 00 01 &(buf[1]) = 0x104 buf[1] = 0xAAAAAAAA AA AA AA AA &(buf[2]) = 0x108 buf[2] = 0x12345678 78 56 34 12

Slide 57

Slide 57 text

>_Stack uint32_t stack[100]; uint32_t index = 99; void x86_push(uint32_t in) { stack[--index] = in; } void x86_pop(&out) { x = stack[index++]; } Low Address = 0x100 (stack) High Address esp = 0x100 + sizeof(uint32_t) * 99 Allocate Local Memory Release Local Memory

Slide 58

Slide 58 text

>_Stack push eax push ebx pop edx Low Address = 0x100 (stack) High Address eax 1 ebx 2 edx 3 esp = 0x28c index = 99

Slide 59

Slide 59 text

>_Stack push eax push ebx pop edx Low Address = 0x100 (stack) High Address eax 1 ebx 2 edx 3 00 00 00 01 esp = 0x288 index = 98 esp = 0x28c index = 99

Slide 60

Slide 60 text

>_Stack push eax push ebx pop edx Low Address = 0x100 (stack) High Address eax 1 ebx 2 edx 3 00 00 00 01 esp = 0x288 index = 98 esp = 0x28c index = 99 00 00 00 02 esp = 0x284 index = 97

Slide 61

Slide 61 text

>_Stack push eax push ebx pop edx Low Address = 0x100 (stack) High Address eax 1 ebx 2 edx 2 00 00 00 01 esp = 0x288 index = 98 esp = 0x28c index = 99 00 00 00 02 esp = 0x284 index = 97

Slide 62

Slide 62 text

aaaddress1@chroot.org x86 Calling Convention

Slide 63

Slide 63 text

>_Calling Convention en.wikipedia.org/wiki/X86_calling_conventions add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret

Slide 64

Slide 64 text

>_Calling Convention en.wikipedia.org/wiki/X86_calling_conventions add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret The Begin of function The end of function

Slide 65

Slide 65 text

>_Function Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3)

Slide 66

Slide 66 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) 00 00 00 03 esp = 0x288 index = 98

Slide 67

Slide 67 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) 00 00 00 03 esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97

Slide 68

Slide 68 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) 00 00 00 03 esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96

Slide 69

Slide 69 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 00 00 00 03

Slide 70

Slide 70 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 00 00 00 03

Slide 71

Slide 71 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) 00 00 00 03

Slide 72

Slide 72 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) local buf esp = 0x274 index = 93 00 00 00 03

Slide 73

Slide 73 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) local buf esp = 0x274 index = 93 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03

Slide 74

Slide 74 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) local buf esp = 0x274 index = 93 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03

Slide 75

Slide 75 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) 6 esp = 0x274 index = 93 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03

Slide 76

Slide 76 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp esp = 0x278 index = 94 ebp = 0x278 (the base pointer for the current stack frame) 6 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03

Slide 77

Slide 77 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr esp = 0x27c index = 95 old ebp 6 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03

Slide 78

Slide 78 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) esp = 0x288 index = 98 00 00 00 02 esp = 0x284 index = 97 00 00 00 01 esp = 0x280 index = 96 ret addr old ebp 6 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10 00 00 00 03

Slide 79

Slide 79 text

Low Address = 0x100 (stack) High Address esp = 0x28c index = 99 add: push ebp mov ebp, esp sub esp, 0x04 mov eax, [ebp+0x08] add eax, [ebp+0x0C] add eax, [ebp+0x10] mov [ebp-0x04], eax mov eax, [ebp-0x04] mov esp, ebp pop ebp ret push 3 push 2 push 1 call add add esp,0x0c // add(1, 2, 3) 00 00 00 03 00 00 00 02 00 00 00 01 ret addr old ebp 6 ebp ebp+4 arg1: ebp+8 arg2: ebp+0x0c arg3: ebp+0x10

Slide 80

Slide 80 text

aaaddress1@chroot.org Structured Exception Handling (SEH)

Slide 81

Slide 81 text

Structured exception handling enables you to have complete control over the handling of exceptions, provides support for debuggers, and is usable across all programming languages and machines. Vectored exception handling is an extension to structured exception handling. >_SEH docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling

Slide 82

Slide 82 text

>_Visual C++ Actually SEH is a feature to support try {} catch (...) {} and...

Slide 83

Slide 83 text

aaaddress1@chroot.org

Slide 84

Slide 84 text

>_Visual C++

Slide 85

Slide 85 text

aaaddress1@chroot.org Thread Information Block —— Break into how Win32 API works

Slide 86

Slide 86 text

aaaddress1@chroot.org In computing, the Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores information about the currently running thread. This structure is also known as the Thread Environment Block (TEB). The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register when operating on 32 bits, and from GS in 64 bits. en.wikipedia.org/wiki/Win32_Thread_Information_Block /? TIB

Slide 87

Slide 87 text

aaaddress1@chroot.org /? TIB

Slide 88

Slide 88 text

aaaddress1@chroot.org # Undocumented info struct TEB { //NT_TIB structure portion EXCEPTION_REGISTRATION* ExceptionList; //0x0000 / Current Structured Exception Handling frame void* StackBase; //0x0004 / Bottom of stack (high address) void* StackLimit; //0x0008 / Ceiling of stack (low address) void* SubSystemTib; //0x000C union { void* FiberData; //0x0010 DWORD Version; //0x0010 } dword10; void* ArbitraryUserPointer; //0x0014 TEB* Self; //0x0018 //NT_TIB ends (NT subsystem independent part) void* EnvironmentPointer; //0x001C CLIENT_ID ClientId; //0x0020 // ClientId.ProcessId //0x0020 / value retrieved by GetCurrentProcessId() // ClientId.ThreadId //0x0024 / value retrieved by GetCurrentThreadId() void* ActiveRpcHandle; //0x0028 void* ThreadLocalStoragePointer; //0x002C PEB* ProcessEnvironmentBlock; //0x0030 ... bytepointer.com/resources/tebpeb32.htm /? TIB

Slide 89

Slide 89 text

aaaddress1@chroot.org /? x64dbg

Slide 90

Slide 90 text

aaaddress1@chroot.org • GetCurrentThread • GetModuleHandleW • GetCurrentThreadId • GetCurrentThread • IsDebuggerPresent /? C$Windows\Sys32\Kernel32

Slide 91

Slide 91 text

>_x64dbg We can use the command "teb()" to fetch the current TEB table address. Point to handler-chain

Slide 92

Slide 92 text

>_x64dbg teb() = 0x5b0000

Slide 93

Slide 93 text

>_SEH Record Thread Exception TEB fs:[0] SEH Chain fs:[4] StackBase fs:[8] StackLimt fs:[c] SubSystem Handler 3 Callback Handler Ptr Prev Handler Handler 2 Callback Handler Ptr Prev Handler Handler 1 Callback Handler Ptr -1 (end)

Slide 94

Slide 94 text

>_SEH

Slide 95

Slide 95 text

>_SEH push ebp mov ebp, esp push offset __ehhandler$_main push fs:[0] mov fs:[0], esp mov [0], 1 xor eax, eax mov ecx, [esp] mov large fs:0, ecx mov esp, ebp pop ebp retn Return value Function codes Register a handler Unregister a handler The begin of function The end of function

Slide 96

Slide 96 text

>_Stack Frame Low Address (stack) High Address ret addr old ebp ebp (current stack frame) SEH record esp ebp ebp+4 arg3 arg2 arg1 ebp+8 ebp+0x0c ebp+0x10 canery SEH record Previous SEH Record addr Current Handler buffer

Slide 97

Slide 97 text

>_Buffer Overflow Low Address (stack) High Address ret addr old ebp ebp (current stack frame) SEH record esp ebp ebp+4 arg3 arg2 arg1 ebp+8 ebp+0x0c ebp+0x10 canery SEH record Previous SEH Record addr Current Handler buffer

Slide 98

Slide 98 text

>_Buffer Overflow Low Address (stack) High Address ret addr old ebp ebp (current stack frame) SEH record esp ebp ebp+4 arg3 arg2 arg1 ebp+8 ebp+0x0c ebp+0x10 canery SEH record Previous SEH Record addr Current Handler buffer Buffer Overflow from low addr to high addr

Slide 99

Slide 99 text

>_Buffer Overflow Low Address (stack) High Address ret addr old ebp ebp (current stack frame) SEH record esp ebp ebp+4 arg3 arg2 arg1 ebp+8 ebp+0x0c ebp+0x10 canery SEH record Previous SEH Record addr Current Handler buffer Buffer Overflow from low addr to high addr buffer memory out of bounds

Slide 100

Slide 100 text

aaaddress1@chroot.org Lab 2: Knock down the handler

Slide 101

Slide 101 text

aaaddress1@chroot.org 414141414141414141 AAAAAAAAAA Windows Reversing Basic 台灣科技⼤學 資安實務 Slide Github @aaaddress1 Facebook