Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2020 交大程式安全:逆向工程上課講義-第二週(第一段)

terrynini
November 27, 2020
Technology
1
490

2020 交大程式安全:逆向工程上課講義-第二週(第一段)

(檔案大小有限制所以分兩段上傳...)
這是三校合開的資訊安全課程,今年有幸可以負責逆向工程的部分,逆向工程總共有三週,由於第三週為作業講解所以並沒有簡報。

這門課在三校的選課系統上的名字如下:
台大-計算機安全
台科大-資訊安全實務
交大-程式安全

terrynini

November 27, 2020
Tweet

More Decks by terrynini

See All by terrynini
2020 交大程式安全:逆向工程上課講義-第二週(第二段)
terrynini
0
210
2020 交大程式安全:逆向工程上課講義-第一週(第一段)
terrynini
1
760
2020 交大程式安全:逆向工程上課講義-第一週(第二段)
terrynini
1
520
2020 交大程式安全:逆向工程上課講義-第一週(第三段)
terrynini
3
2.1k
NTUST.pdf
terrynini
0
330
AIS3-Firmware Security Analysis
terrynini
2
1.1k
別pwn那裡.pdf
terrynini
0
430
逆逆_忍術_F5_消失之術_.pdf
terrynini
1
790
成功高中講義.pdf
terrynini
0
640

Other Decks in Technology

See All in Technology
The Role of Developer Relations in AI Product Success.
giftojabu1
0
120
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
120
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
510
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
530
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
380
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
350

Featured

See All Featured
Unsuck your backbone
ammeep
668
57k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
A Modern Web Designer's Workflow
chriscoyier
693
190k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Gamification - CAS2011
davidbonilla
80
5k
Navigating Team Friction
lara
183
14k
Fireside Chat
paigeccino
34
3k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Being A Developer After 40
akosma
86
590k
Designing for Performance
lara
604
68k

Transcript

  1. ৽஛Ѩംఱఱٯ޲ ޻ఔ terrynini38514 terrynini

  2. LAST WEEK ៺ঝ  2 vtable member1 member2 member3 human

    human_vtable FunA FunB FunC FunA code FunB code FunC code

  3. LAST WEEK ៺ঝ  3 vtable member1 member2 member3 TW_member1

    TW_member2 TW_member3 TW_member4 human Taiwanese_vtable Taiwanese FunA' FunB FunC' FunD FunE ୞༗WJSUVBMతGVODUJPO။ࡏWUBCMFத ׌ᙛ࢖༻ࢦඪ҃Ҿ༻  ࠽။ਅతڈ࢖༻WUBCMF FunA' code FunB code FunC' code FunD code FunE code

  4. LAST WEEK )PXUPSFDPWFSUIFNFNCFSPGBTUSVDUVSF  4 #FIBWJPS

  5. BASIC ANALYZE SKILL

  6. BASIC ANALYZE SKILL YECH$IFBU4IFFU  6 暫存器 堆疊 記憶體 反組譯視窗

    記憶體 位置 機器語言 組合語言 註解、標籤

  7. BASIC ANALYZE SKILL YECH$IFBU4IFFU  7 按鍵 功能 按鍵 功能

    F4 執⾏到指定的⾏為⽌ Ctrl+G 跳到某個address F7 單步執⾏(Step into) Enter 查看Function F8 單步執⾏(Step over) * 回到EIP的位置 F9 執⾏ -/+ 回到上/下⼀個位置 Ctrl+F2 重新開始 ;/: 新增註解/標籤 Ctrl+F9 執⾏到return後停⽌ f2 下斷點 alt+C disassemble alt+G Control flow graph

  8. LAB

  9. BABY STEP ෼ੳࡦུ ▸ ౟༻ቮ஌໛ܕ ▸ .BHJDOVNCFS ▸ ༬ଌఔࣜᛰ ▸

    ந৅Խʂ  9

  10. PE FILE FORMAT

  11. PE FILE FORMAT 'JMFGPSNBU ▸ 8JOEPXT࢖༻1& 1PSUBCMF&YFDVUBCMF ࡞ҝ FYFDVUBCMFɺ%--ɺ%SJWFSత֨ࣜ Ґݩత൛ຊ᜝࡞1&҃1&

    Ґݩత൛ຊ᜝࡞1& ҃ੋ1&  ▸ .BD049࢖༻.BDI0 ▸ -JOVYٴ6OJY࢖༻&-' &YFDVUBCMF-JOLBCMF'PSNBU 
 USZUIJTGJMFCPPUFGJ&'*VCVOUVHSVCYFGJ  11

  12. FILE FORMAT 4PNF1&WJFXFS ▸ FEJUPS ▸ 1&#FBS  12

  13. PE FILE FORMAT 1&GJMFGPSNBU  13 File Process Offset Address

    00000000 00400000 00401000 00402000 00403000 00404000 00000400 00000600 00000800 00000A00 NumberOfSections : 3 FileAlignment : 0x200 SectionAlignment: 0x1000 Header Null .text Null .data Null .rsrc Null Headers Null .text Null .data Null .rsrc Null

  14. PE FILE FORMAT 1&GJMFGPSNBU  14 Dos Header Dos Stub

    NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_DOS_HEADER

  15. PE FILE FORMAT 1&GJMFGPSNBU  15 Dos Header Dos Stub

    NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null

  16. PE FILE FORMAT 1&GJMFGPSNBU  16 Dos Header Dos Stub

    NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_NT_HEADERS

  17. File Header Machine NumberOfSections SizeOfOptionalHeader Characteristics ... more PE FILE

    FORMAT 1&GJMFGPSNBU  17 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Optional Header Magic AddressOfEntryPoint ImageBase SectionAlignment FileAlignment SizeOfImage SizeOfHeaders NumberOfRvaAndSizes ... more IMAGE_FILE_HEADER

  18. File Header Machine NumberOfSections SizeOfOptionalHeader Characteristics ... more PE FILE

    FORMAT 1&GJMFGPSNBU  18 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Optional Header Magic AddressOfEntryPoint ImageBase SectionAlignment FileAlignment SizeOfImage SizeOfHeaders NumberOfRvaAndSizes ... more IMAGE_OPTIONAL_HEADER

  19. PE FILE FORMAT *."(&@015*0/"-@)&"%&3  19 DataDirectory[0] = Export Directory

    DataDirectory[1] = Import Directory DataDirectory[2] = Resource Directory DataDirectory[3] = Exception Directory DataDirectory[4] = Security Directory DataDirectory[5] = Base Relocation Table DataDirectory[6] = Debug Directory DataDirectory[7] = Architecture Specific Data DataDirectory[8] = RVA of GlobalPtr DataDirectory[9] = TLS Directory DataDirectory[10] = Load Configuration Directory DataDirectory[11] = Bound Import Directory DataDirectory[12] = Import Address Table DataDirectory[13] = Delay Load Import Descriptors DataDirectory[14] = .NET header DataDirectory[15] = Reversed Directory IMAGE_DATA_DIRECTORY

  20. PE FILE FORMAT 1&GJMFGPSNBU  20 Dos Header Dos Stub

    NT Header Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_SECTION_HEADER[]

  21. File(offset) Process (Virtual Address) Header Null .text Null .data Null

    .rsrc Null Headers Null .text Null .data Null .rsrc Null PointerToRawData PointerToRawData PointerToRawData SizeOfRawData SizeOfRawData SizeOfRawData SizeOfHeaders ImageBase VirtualAddress VirtualAddress VirtualAddress VirtualSize VirtualSize VirtualSize VirtualSize SizeOfImage PE FILE FORMAT 1&GJMFGPSNBU  21

  22. PE FILE FORMAT ޸໌ͷ᠘  22 PE ഝཫత Virtual Address

    ଖመੋ Relative Virtual Address VA = RVA + ImageBase Process (Virtual Address) Header Null .text Null .data Null .rsrc Null ImageBase VirtualAddress VirtualAddress VirtualAddress VirtualSize VirtualSize VirtualSize VirtualSize SizeOfImage

  23. PE FILE FORMAT 4FDUJPOT ▸ UFYUఔࣜᛰ ▸ EBUB์EBUBత஍ํ ▸ SEBUB།ᩇతEBUB

    ▸ CTTᔒॳ࢝ԽతશҬ҃ᯩଶᏓᏐ  23 ▸ JEBUB᪑JNQPSU༗᮫త ▸ FEBUB᪑FYQPSU༗᮫ ▸ STSD᪑SFTPVSDF༗᮫ ▸ SFMPD᪑ॏఆҐ༗᮫ ▸ QEBUB᪑ྫ֎႔ཧ༗᮫

  24. IMAGE_IMPORT_DESCRIPTOR OriginalFirstThunk TimeDataStamp ForwarderChain Name FirstThunk PE FILE FORMAT *"5

    *NQPSU"EESFTT5BCMF  24 Kernel32.dll INT IAT 55e SetUnhandledExceptionFilter 271 GetModuleHandleW 376 IsDebuggerPresent

  25. PE FILE FORMAT &"5 &YQPSU"EESFTT5BCMF  25 ... Name ...

    AddressOfFuncitons AddressOfNames AddressOfOrdinals 0 1 2 Kernel32.dll 92C57 92C90 92CC3 92c6f 92ca5 1e690 "FuncA" "FuncB" "FuncC"

  26. PE FILE FORMAT (FU1SPD"EESFTT ೗Կ࢖༻&"5ਘፙGVODUJPOT ▸ 先從 AddressOfNames 找到名字 ▸

    使⽤第⼀步的 index 在 Ordinals 中找到對應的 ordinal 值 ▸ 使⽤第⼆步的 ordinal 在 Funcitons 中尋找 function offset  26

  27. PE FILE FORMAT #BTF3FMPDBUJPO5BCMF  27 Hello.exe ImageBase: 0x7000 A.DLL

    ImageBase: 0x7000 B.DLL 0x7000 0xC000 ImageBase: 0x7000 B.DLL Relocate

  28. PE FILE FORMAT #BTF3FMPDBUJPO5BCMF ▸ *."(&@#"4&@3&-0$"5*0/ ▸ ༝7JSUVBM"EESFTT 4J[F0G#MPDL 5ZQF0GGTFUߏ੒

    ▸ 5ZQF0GGTFU CJU IJHICJUGPSUZQF MPXCJUGPSPGGTFU ▸ 7JSUVBM"EESFTT PGGTFUबੋधཁॏఆҐత஍ํ  28

  29. PE FILE FORMAT STDT ▸ 3FTPVSDFIBDLFS  29

  30. PE FILE FORMAT 3VO5JNF1BDLFS ▸ 5PDPNQSFTTUIFFYFDVUBCMF 
 FH619 "41BDL ▸

    5PQSPUFDUUIFFYFDVUBCMF 
 FH7.1SPUFDU "41SPUFDU 5IFNJEB  30

  31. PE FILE FORMAT 3VO5JNF1BDLFS  31 Dos Header Dos Stub

    NT Header .text header .data header .rsrc header Null .text Null .data Null .rsrc Null Dos Header Dos Stub NT Header .UPX0 header .UPX1 header .rsrc header Null .UPX0 .UPX1 Null .rsrc Null Unpacking Packing File File