Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2020 交大程式安全:逆向工程上課講義-第二週(第一段)

terrynini
November 27, 2020
Technology
1
440

2020 交大程式安全:逆向工程上課講義-第二週(第一段)

(檔案大小有限制所以分兩段上傳...)
這是三校合開的資訊安全課程,今年有幸可以負責逆向工程的部分,逆向工程總共有三週,由於第三週為作業講解所以並沒有簡報。

這門課在三校的選課系統上的名字如下:
台大-計算機安全
台科大-資訊安全實務
交大-程式安全

terrynini

November 27, 2020
Tweet

More Decks by terrynini

See All by terrynini
2020 交大程式安全:逆向工程上課講義-第二週(第二段)
terrynini
0
170
2020 交大程式安全:逆向工程上課講義-第一週(第一段)
terrynini
1
520
2020 交大程式安全:逆向工程上課講義-第一週(第二段)
terrynini
1
460
2020 交大程式安全:逆向工程上課講義-第一週(第三段)
terrynini
3
2k
NTUST.pdf
terrynini
0
310
AIS3-Firmware Security Analysis
terrynini
2
1k
別pwn那裡.pdf
terrynini
0
420
逆逆_忍術_F5_消失之術_.pdf
terrynini
1
710
成功高中講義.pdf
terrynini
0
600

Other Decks in Technology

See All in Technology
ログラスにおけるコード品質でビジネスに貢献する仕組み・カルチャー / A system and culture that contributes to business through code quality in Loglass
yoshikiiida
11
1.6k
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM and Prompt Engineering and Building Tutors
ks91
PRO
0
180
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs (QCon London)
inesmontani
PRO
0
130
XSS using dirty Content Type in cloud era
flatt_security
2
990
コンテナセキュリティの基本と脅威への対策
kyohmizu
2
330
コンパウンドスタートアップのためのスケーラブルでセキュアなInfrastructure as Codeパイプラインを考える / Scalable and Secure Infrastructure as Code Pipeline for a Compound Startup
yuyatakeyama
0
160
RustでGISなOSS
nokonoko1203
1
170
なぜ NOT A HOTEL が Web3 に取り組むのか - NOT A HOTEL TECH TALK
ynunokawa
0
150
Discord とビルダー&チャットボットの使い方 / How to use Discord and Builder & Chatbots
ks91
PRO
0
130
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
1
620
デザインシステム基盤構築実践
leveragestech
0
330
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
13
35k

Featured

See All Featured
Code Reviewing Like a Champion
maltzj
513
39k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
124
32k
Facilitating Awesome Meetings
lara
40
5.6k
Pencils Down: Stop Designing & Start Developing
hursman
115
11k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
114
18k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2.3k
Fontdeck: Realign not Redesign
paulrobertlloyd
75
4.9k
Fireside Chat
paigeccino
19
2.6k
How to name files
jennybc
64
92k
A designer walks into a library…
pauljervisheath
199
23k
Build your cross-platform service in a week with App Engine
jlugia
223
17k
Stop Working from a Prison Cell
hatefulcrawdad
265
19k

Transcript

  1. ৽஛Ѩംఱఱٯ޲ ޻ఔ terrynini38514 terrynini

  2. LAST WEEK ៺ঝ  2 vtable member1 member2 member3 human

    human_vtable FunA FunB FunC FunA code FunB code FunC code

  3. LAST WEEK ៺ঝ  3 vtable member1 member2 member3 TW_member1

    TW_member2 TW_member3 TW_member4 human Taiwanese_vtable Taiwanese FunA' FunB FunC' FunD FunE ୞༗WJSUVBMతGVODUJPO။ࡏWUBCMFத ׌ᙛ࢖༻ࢦඪ҃Ҿ༻  ࠽။ਅతڈ࢖༻WUBCMF FunA' code FunB code FunC' code FunD code FunE code

  4. LAST WEEK )PXUPSFDPWFSUIFNFNCFSPGBTUSVDUVSF  4 #FIBWJPS

  5. BASIC ANALYZE SKILL

  6. BASIC ANALYZE SKILL YECH$IFBU4IFFU  6 暫存器 堆疊 記憶體 反組譯視窗

    記憶體 位置 機器語言 組合語言 註解、標籤

  7. BASIC ANALYZE SKILL YECH$IFBU4IFFU  7 按鍵 功能 按鍵 功能

    F4 執⾏到指定的⾏為⽌ Ctrl+G 跳到某個address F7 單步執⾏(Step into) Enter 查看Function F8 單步執⾏(Step over) * 回到EIP的位置 F9 執⾏ -/+ 回到上/下⼀個位置 Ctrl+F2 重新開始 ;/: 新增註解/標籤 Ctrl+F9 執⾏到return後停⽌ f2 下斷點 alt+C disassemble alt+G Control flow graph

  8. LAB

  9. BABY STEP ෼ੳࡦུ ▸ ౟༻ቮ஌໛ܕ ▸ .BHJDOVNCFS ▸ ༬ଌఔࣜᛰ ▸

    ந৅Խʂ  9

  10. PE FILE FORMAT

  11. PE FILE FORMAT 'JMFGPSNBU ▸ 8JOEPXT࢖༻1& 1PSUBCMF&YFDVUBCMF ࡞ҝ FYFDVUBCMFɺ%--ɺ%SJWFSత֨ࣜ Ґݩత൛ຊ᜝࡞1&҃1&

    Ґݩత൛ຊ᜝࡞1& ҃ੋ1&  ▸ .BD049࢖༻.BDI0 ▸ -JOVYٴ6OJY࢖༻&-' &YFDVUBCMF-JOLBCMF'PSNBU 
 USZUIJTGJMFCPPUFGJ&'*VCVOUVHSVCYFGJ  11

  12. FILE FORMAT 4PNF1&WJFXFS ▸ FEJUPS ▸ 1&#FBS  12

  13. PE FILE FORMAT 1&GJMFGPSNBU  13 File Process Offset Address

    00000000 00400000 00401000 00402000 00403000 00404000 00000400 00000600 00000800 00000A00 NumberOfSections : 3 FileAlignment : 0x200 SectionAlignment: 0x1000 Header Null .text Null .data Null .rsrc Null Headers Null .text Null .data Null .rsrc Null

  14. PE FILE FORMAT 1&GJMFGPSNBU  14 Dos Header Dos Stub

    NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_DOS_HEADER

  15. PE FILE FORMAT 1&GJMFGPSNBU  15 Dos Header Dos Stub

    NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null

  16. PE FILE FORMAT 1&GJMFGPSNBU  16 Dos Header Dos Stub

    NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_NT_HEADERS

  17. File Header Machine NumberOfSections SizeOfOptionalHeader Characteristics ... more PE FILE

    FORMAT 1&GJMFGPSNBU  17 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Optional Header Magic AddressOfEntryPoint ImageBase SectionAlignment FileAlignment SizeOfImage SizeOfHeaders NumberOfRvaAndSizes ... more IMAGE_FILE_HEADER

  18. File Header Machine NumberOfSections SizeOfOptionalHeader Characteristics ... more PE FILE

    FORMAT 1&GJMFGPSNBU  18 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Optional Header Magic AddressOfEntryPoint ImageBase SectionAlignment FileAlignment SizeOfImage SizeOfHeaders NumberOfRvaAndSizes ... more IMAGE_OPTIONAL_HEADER

  19. PE FILE FORMAT *."(&@015*0/"-@)&"%&3  19 DataDirectory[0] = Export Directory

    DataDirectory[1] = Import Directory DataDirectory[2] = Resource Directory DataDirectory[3] = Exception Directory DataDirectory[4] = Security Directory DataDirectory[5] = Base Relocation Table DataDirectory[6] = Debug Directory DataDirectory[7] = Architecture Specific Data DataDirectory[8] = RVA of GlobalPtr DataDirectory[9] = TLS Directory DataDirectory[10] = Load Configuration Directory DataDirectory[11] = Bound Import Directory DataDirectory[12] = Import Address Table DataDirectory[13] = Delay Load Import Descriptors DataDirectory[14] = .NET header DataDirectory[15] = Reversed Directory IMAGE_DATA_DIRECTORY

  20. PE FILE FORMAT 1&GJMFGPSNBU  20 Dos Header Dos Stub

    NT Header Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_SECTION_HEADER[]

  21. File(offset) Process (Virtual Address) Header Null .text Null .data Null

    .rsrc Null Headers Null .text Null .data Null .rsrc Null PointerToRawData PointerToRawData PointerToRawData SizeOfRawData SizeOfRawData SizeOfRawData SizeOfHeaders ImageBase VirtualAddress VirtualAddress VirtualAddress VirtualSize VirtualSize VirtualSize VirtualSize SizeOfImage PE FILE FORMAT 1&GJMFGPSNBU  21

  22. PE FILE FORMAT ޸໌ͷ᠘  22 PE ഝཫత Virtual Address

    ଖመੋ Relative Virtual Address VA = RVA + ImageBase Process (Virtual Address) Header Null .text Null .data Null .rsrc Null ImageBase VirtualAddress VirtualAddress VirtualAddress VirtualSize VirtualSize VirtualSize VirtualSize SizeOfImage

  23. PE FILE FORMAT 4FDUJPOT ▸ UFYUఔࣜᛰ ▸ EBUB์EBUBత஍ํ ▸ SEBUB།ᩇతEBUB

    ▸ CTTᔒॳ࢝ԽతશҬ҃ᯩଶᏓᏐ  23 ▸ JEBUB᪑JNQPSU༗᮫త ▸ FEBUB᪑FYQPSU༗᮫ ▸ STSD᪑SFTPVSDF༗᮫ ▸ SFMPD᪑ॏఆҐ༗᮫ ▸ QEBUB᪑ྫ֎႔ཧ༗᮫

  24. IMAGE_IMPORT_DESCRIPTOR OriginalFirstThunk TimeDataStamp ForwarderChain Name FirstThunk PE FILE FORMAT *"5

    *NQPSU"EESFTT5BCMF  24 Kernel32.dll INT IAT 55e SetUnhandledExceptionFilter 271 GetModuleHandleW 376 IsDebuggerPresent

  25. PE FILE FORMAT &"5 &YQPSU"EESFTT5BCMF  25 ... Name ...

    AddressOfFuncitons AddressOfNames AddressOfOrdinals 0 1 2 Kernel32.dll 92C57 92C90 92CC3 92c6f 92ca5 1e690 "FuncA" "FuncB" "FuncC"

  26. PE FILE FORMAT (FU1SPD"EESFTT ೗Կ࢖༻&"5ਘፙGVODUJPOT ▸ 先從 AddressOfNames 找到名字 ▸

    使⽤第⼀步的 index 在 Ordinals 中找到對應的 ordinal 值 ▸ 使⽤第⼆步的 ordinal 在 Funcitons 中尋找 function offset  26

  27. PE FILE FORMAT #BTF3FMPDBUJPO5BCMF  27 Hello.exe ImageBase: 0x7000 A.DLL

    ImageBase: 0x7000 B.DLL 0x7000 0xC000 ImageBase: 0x7000 B.DLL Relocate

  28. PE FILE FORMAT #BTF3FMPDBUJPO5BCMF ▸ *."(&@#"4&@3&-0$"5*0/ ▸ ༝7JSUVBM"EESFTT 4J[F0G#MPDL 5ZQF0GGTFUߏ੒

    ▸ 5ZQF0GGTFU CJU IJHICJUGPSUZQF MPXCJUGPSPGGTFU ▸ 7JSUVBM"EESFTT PGGTFUबੋधཁॏఆҐత஍ํ  28

  29. PE FILE FORMAT STDT ▸ 3FTPVSDFIBDLFS  29

  30. PE FILE FORMAT 3VO5JNF1BDLFS ▸ 5PDPNQSFTTUIFFYFDVUBCMF 
 FH619 "41BDL ▸

    5PQSPUFDUUIFFYFDVUBCMF 
 FH7.1SPUFDU "41SPUFDU 5IFNJEB  30

  31. PE FILE FORMAT 3VO5JNF1BDLFS  31 Dos Header Dos Stub

    NT Header .text header .data header .rsrc header Null .text Null .data Null .rsrc Null Dos Header Dos Stub NT Header .UPX0 header .UPX1 header .rsrc header Null .UPX0 .UPX1 Null .rsrc Null Unpacking Packing File File