Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2020 交大程式安全:逆向工程上課講義-第二週(第一段)

terrynini
November 27, 2020
Technology
1
480

2020 交大程式安全:逆向工程上課講義-第二週(第一段)

(檔案大小有限制所以分兩段上傳...)
這是三校合開的資訊安全課程,今年有幸可以負責逆向工程的部分,逆向工程總共有三週,由於第三週為作業講解所以並沒有簡報。

這門課在三校的選課系統上的名字如下:
台大-計算機安全
台科大-資訊安全實務
交大-程式安全

terrynini

November 27, 2020
Tweet

More Decks by terrynini

See All by terrynini
2020 交大程式安全:逆向工程上課講義-第二週(第二段)
terrynini
0
200
2020 交大程式安全:逆向工程上課講義-第一週(第一段)
terrynini
1
720
2020 交大程式安全:逆向工程上課講義-第一週(第二段)
terrynini
1
510
2020 交大程式安全:逆向工程上課講義-第一週(第三段)
terrynini
3
2.1k
NTUST.pdf
terrynini
0
330
AIS3-Firmware Security Analysis
terrynini
2
1.1k
別pwn那裡.pdf
terrynini
0
430
逆逆_忍術_F5_消失之術_.pdf
terrynini
1
770
成功高中講義.pdf
terrynini
0
630

Other Decks in Technology

See All in Technology
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
650
現地でMeet Upをやる場合の注意点 〜反省点を添えて〜
shotashiratori
0
530
独自ツール開発でスタジオ撮影をDX!「VLS(Virtual LED Studio)」 / dx-studio-vls
cyberagentdevelopers
PRO
1
180
20241031_AWS_生成AIハッカソン_GenMuck
tsumita
0
110
顧客が本当に必要だったもの - パフォーマンス改善編 / Make what is needed
soudai
24
6.8k
【若手エンジニア応援LT会】AWS Security Hubの活用に苦労した話
kazushi_ohata
0
170
Autify Company Deck
autifyhq
1
39k
事業者間調整の行間を読む 調整の具体事例
sugiim
0
1.5k
生成AIと知識グラフの相互利用に基づく文書解析
koujikozaki
1
140
フルカイテン株式会社 採用資料
fullkaiten
0
36k
初心者に Vue.js を 教えるには
tsukuha
5
390
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
290k

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
355
29k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Producing Creativity
orderedlist
PRO
341
39k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Fireside Chat
paigeccino
32
3k
Done Done
chrislema
181
16k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
664
120k
Teambox: Starting and Learning
jrom
132
8.7k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
328
21k
Faster Mobile Websites
deanohume
304
30k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k

Transcript

  1. ৽஛Ѩംఱఱٯ޲ ޻ఔ terrynini38514 terrynini

  2. LAST WEEK ៺ঝ  2 vtable member1 member2 member3 human

    human_vtable FunA FunB FunC FunA code FunB code FunC code

  3. LAST WEEK ៺ঝ  3 vtable member1 member2 member3 TW_member1

    TW_member2 TW_member3 TW_member4 human Taiwanese_vtable Taiwanese FunA' FunB FunC' FunD FunE ୞༗WJSUVBMతGVODUJPO။ࡏWUBCMFத ׌ᙛ࢖༻ࢦඪ҃Ҿ༻  ࠽။ਅతڈ࢖༻WUBCMF FunA' code FunB code FunC' code FunD code FunE code

  4. LAST WEEK )PXUPSFDPWFSUIFNFNCFSPGBTUSVDUVSF  4 #FIBWJPS

  5. BASIC ANALYZE SKILL

  6. BASIC ANALYZE SKILL YECH$IFBU4IFFU  6 暫存器 堆疊 記憶體 反組譯視窗

    記憶體 位置 機器語言 組合語言 註解、標籤

  7. BASIC ANALYZE SKILL YECH$IFBU4IFFU  7 按鍵 功能 按鍵 功能

    F4 執⾏到指定的⾏為⽌ Ctrl+G 跳到某個address F7 單步執⾏(Step into) Enter 查看Function F8 單步執⾏(Step over) * 回到EIP的位置 F9 執⾏ -/+ 回到上/下⼀個位置 Ctrl+F2 重新開始 ;/: 新增註解/標籤 Ctrl+F9 執⾏到return後停⽌ f2 下斷點 alt+C disassemble alt+G Control flow graph

  8. LAB

  9. BABY STEP ෼ੳࡦུ ▸ ౟༻ቮ஌໛ܕ ▸ .BHJDOVNCFS ▸ ༬ଌఔࣜᛰ ▸

    ந৅Խʂ  9

  10. PE FILE FORMAT

  11. PE FILE FORMAT 'JMFGPSNBU ▸ 8JOEPXT࢖༻1& 1PSUBCMF&YFDVUBCMF ࡞ҝ FYFDVUBCMFɺ%--ɺ%SJWFSత֨ࣜ Ґݩత൛ຊ᜝࡞1&҃1&

    Ґݩత൛ຊ᜝࡞1& ҃ੋ1&  ▸ .BD049࢖༻.BDI0 ▸ -JOVYٴ6OJY࢖༻&-' &YFDVUBCMF-JOLBCMF'PSNBU 
 USZUIJTGJMFCPPUFGJ&'*VCVOUVHSVCYFGJ  11

  12. FILE FORMAT 4PNF1&WJFXFS ▸ FEJUPS ▸ 1&#FBS  12

  13. PE FILE FORMAT 1&GJMFGPSNBU  13 File Process Offset Address

    00000000 00400000 00401000 00402000 00403000 00404000 00000400 00000600 00000800 00000A00 NumberOfSections : 3 FileAlignment : 0x200 SectionAlignment: 0x1000 Header Null .text Null .data Null .rsrc Null Headers Null .text Null .data Null .rsrc Null

  14. PE FILE FORMAT 1&GJMFGPSNBU  14 Dos Header Dos Stub

    NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_DOS_HEADER

  15. PE FILE FORMAT 1&GJMFGPSNBU  15 Dos Header Dos Stub

    NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null

  16. PE FILE FORMAT 1&GJMFGPSNBU  16 Dos Header Dos Stub

    NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_NT_HEADERS

  17. File Header Machine NumberOfSections SizeOfOptionalHeader Characteristics ... more PE FILE

    FORMAT 1&GJMFGPSNBU  17 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Optional Header Magic AddressOfEntryPoint ImageBase SectionAlignment FileAlignment SizeOfImage SizeOfHeaders NumberOfRvaAndSizes ... more IMAGE_FILE_HEADER

  18. File Header Machine NumberOfSections SizeOfOptionalHeader Characteristics ... more PE FILE

    FORMAT 1&GJMFGPSNBU  18 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Optional Header Magic AddressOfEntryPoint ImageBase SectionAlignment FileAlignment SizeOfImage SizeOfHeaders NumberOfRvaAndSizes ... more IMAGE_OPTIONAL_HEADER

  19. PE FILE FORMAT *."(&@015*0/"-@)&"%&3  19 DataDirectory[0] = Export Directory

    DataDirectory[1] = Import Directory DataDirectory[2] = Resource Directory DataDirectory[3] = Exception Directory DataDirectory[4] = Security Directory DataDirectory[5] = Base Relocation Table DataDirectory[6] = Debug Directory DataDirectory[7] = Architecture Specific Data DataDirectory[8] = RVA of GlobalPtr DataDirectory[9] = TLS Directory DataDirectory[10] = Load Configuration Directory DataDirectory[11] = Bound Import Directory DataDirectory[12] = Import Address Table DataDirectory[13] = Delay Load Import Descriptors DataDirectory[14] = .NET header DataDirectory[15] = Reversed Directory IMAGE_DATA_DIRECTORY

  20. PE FILE FORMAT 1&GJMFGPSNBU  20 Dos Header Dos Stub

    NT Header Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_SECTION_HEADER[]

  21. File(offset) Process (Virtual Address) Header Null .text Null .data Null

    .rsrc Null Headers Null .text Null .data Null .rsrc Null PointerToRawData PointerToRawData PointerToRawData SizeOfRawData SizeOfRawData SizeOfRawData SizeOfHeaders ImageBase VirtualAddress VirtualAddress VirtualAddress VirtualSize VirtualSize VirtualSize VirtualSize SizeOfImage PE FILE FORMAT 1&GJMFGPSNBU  21

  22. PE FILE FORMAT ޸໌ͷ᠘  22 PE ഝཫత Virtual Address

    ଖመੋ Relative Virtual Address VA = RVA + ImageBase Process (Virtual Address) Header Null .text Null .data Null .rsrc Null ImageBase VirtualAddress VirtualAddress VirtualAddress VirtualSize VirtualSize VirtualSize VirtualSize SizeOfImage

  23. PE FILE FORMAT 4FDUJPOT ▸ UFYUఔࣜᛰ ▸ EBUB์EBUBత஍ํ ▸ SEBUB།ᩇతEBUB

    ▸ CTTᔒॳ࢝ԽతશҬ҃ᯩଶᏓᏐ  23 ▸ JEBUB᪑JNQPSU༗᮫త ▸ FEBUB᪑FYQPSU༗᮫ ▸ STSD᪑SFTPVSDF༗᮫ ▸ SFMPD᪑ॏఆҐ༗᮫ ▸ QEBUB᪑ྫ֎႔ཧ༗᮫

  24. IMAGE_IMPORT_DESCRIPTOR OriginalFirstThunk TimeDataStamp ForwarderChain Name FirstThunk PE FILE FORMAT *"5

    *NQPSU"EESFTT5BCMF  24 Kernel32.dll INT IAT 55e SetUnhandledExceptionFilter 271 GetModuleHandleW 376 IsDebuggerPresent

  25. PE FILE FORMAT &"5 &YQPSU"EESFTT5BCMF  25 ... Name ...

    AddressOfFuncitons AddressOfNames AddressOfOrdinals 0 1 2 Kernel32.dll 92C57 92C90 92CC3 92c6f 92ca5 1e690 "FuncA" "FuncB" "FuncC"

  26. PE FILE FORMAT (FU1SPD"EESFTT ೗Կ࢖༻&"5ਘፙGVODUJPOT ▸ 先從 AddressOfNames 找到名字 ▸

    使⽤第⼀步的 index 在 Ordinals 中找到對應的 ordinal 值 ▸ 使⽤第⼆步的 ordinal 在 Funcitons 中尋找 function offset  26

  27. PE FILE FORMAT #BTF3FMPDBUJPO5BCMF  27 Hello.exe ImageBase: 0x7000 A.DLL

    ImageBase: 0x7000 B.DLL 0x7000 0xC000 ImageBase: 0x7000 B.DLL Relocate

  28. PE FILE FORMAT #BTF3FMPDBUJPO5BCMF ▸ *."(&@#"4&@3&-0$"5*0/ ▸ ༝7JSUVBM"EESFTT 4J[F0G#MPDL 5ZQF0GGTFUߏ੒

    ▸ 5ZQF0GGTFU CJU IJHICJUGPSUZQF MPXCJUGPSPGGTFU ▸ 7JSUVBM"EESFTT PGGTFUबੋधཁॏఆҐత஍ํ  28

  29. PE FILE FORMAT STDT ▸ 3FTPVSDFIBDLFS  29

  30. PE FILE FORMAT 3VO5JNF1BDLFS ▸ 5PDPNQSFTTUIFFYFDVUBCMF 
 FH619 "41BDL ▸

    5PQSPUFDUUIFFYFDVUBCMF 
 FH7.1SPUFDU "41SPUFDU 5IFNJEB  30

  31. PE FILE FORMAT 3VO5JNF1BDLFS  31 Dos Header Dos Stub

    NT Header .text header .data header .rsrc header Null .text Null .data Null .rsrc Null Dos Header Dos Stub NT Header .UPX0 header .UPX1 header .rsrc header Null .UPX0 .UPX1 Null .rsrc Null Unpacking Packing File File