combating the advanced memory exploitation techniques ... · combating the advanced memory...

Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory

Information Leak

By nEINEI /CanSecWest2014

Agenda

• Background

• Our approach

• Case Study

• Optimization

• Acknowledgement & Reference

Background What’s ROP ?

ROP(Return-Oriented Programming) : search those instruction sequences (gadgets) that end up

with a ret instruction (0xc3) to construct the basic functionalities like memory read/write, logic

operation, and flow control.

The powerful weapon for bypassing DEP: an attacker needs to set executable flag in the memory

where the shellcode resides.

In order to make sure the ROP runs successfully, the 1st ROP gadget needs to switch the current

ESP to pointing to some controllable data on the heap (stack pivot)

Background ROP Exploitation Approaches

Statically loaded module base information + ROP

Load non-ASLR modules, such as Adobe Shockwave (dirapi.dll), MSVCR71.dll,Office(HXDS.DLL) … ,

these modules are being loaded at some fixed addresses in the process space; therefore it’s very

easy to be leveraged to constructed the ROP chain.

Memory information leak + ROP: calculate the ROP module loading base address at runtime

Exploiting a vulnerability, modify the array object’s length field to increase the array length to

achieve an out of bound arbitrary address read/write, leak ntdll.dll address from SharedUserData

(CVE-2013-1690)

Exploiting a vulnerability, modify the null terminator of a BSTR string to be able to leak the memory

information after that (CVE-2013-0640)

Exploiting a vulnerability, modify the length of Flash Vector object (by Flash AS) to cross-boundary

read out the vtable pointer of some other subsequent object, obtain module base address ->

obtain module’s import table address-> obtain kernel32 base -> obtain ntdll.dll base (cve-2014-

0322).

Microsoft EMET (Enhanced Mitigation Experience Toolkit)

Check points: stack pivot, caller check, simulate execution flow

Weakness: API hook based detection, subject to API hook hopping bypass.

Leverage Intel Pin tool to achieve dynamic instruction instrumentation, dynamically monitoring the

instruction sequence execution

Check points: The existence of some unique gadgets of ROP. Validity check on ret /call /jump.

Weakness: Performance hit in the real application.

Static compilation of prevent ROP: these jobs are separated into sequential steps through basic

block code. Every time the code is recompiled, it will changes in the basic block code of address.

The attacker will not find fix address for ROP gadget.

Weakness: there is no compiler support the feature.

• Background

• Our Approach

• Case Study

• Optimization

• Summary


Observation

Usually the valid entry points of a module (the target of control flow transfer, the function address

in vftable, jump table, export table, etc) are pre-defined at compilation time, whereas the invalid

entry points of code execution (e.g., ROP) are not; and such invalid entries typically hit the middle

of a legitimate instruction.

Our approach

Separate valid entries from those invalid entries of execution, and then try to trap the invalid

execution.

What ROP exploitation types can our approach cover?

An exploit that leverages non-ASLR modules to launch ROP

Memory info leak, dynamically calculate the randomized base address of the ROP module

How our approach works?

Copy the .text section (code section) of the ROP module to a new memory region “new_text_code”.

Set the memory attribute of the original .text section of ROP module to NO_EXECUTE (Read Only).

Hook the INT 0xe and capture the page fault in kernel mode, and judge whether the fault is

generated on the original .text section of ROP module; if so, redirect this faulting code execution

access to the same point on the new .text section new_text_code for continue executing, in this

way the page fault is handled by us transparently without the intervention of OS.

Since we can see and analyze each attempt to execute code on the original .text section in our page

fault handler, whenever there is a ROP instruction like execution happening, we can catch/block it

immediately.

Our advantages?

Not subject to hook hopping bypass

Able to locate the 1st ROP gadget instruction, and trace back to the place where the vulnerability

is triggered.

Among 5,6 is important key point:

• Step 5: determine the source of the page fault: from which process, the range of the

faulting instruction address, and the error code value.

• Step 6: based on the faulting instruction address, calculate a new address (on the new .text

section) for redirection. When the current fault handling is done, the control flow will be

returned to the new calculated address, and the normal execution will resume from the

new address.

Our Approach How is kernel page fault handled?

1 Hook kernel exception handler (Page Fault).

__asm cli

idt_entries[IDT_INT_PAGE_FAULT].LowOffset = (USHORT) IDT_PageFault_Hook;

idt_entries[IDT_INT_PAGE_FAULT].HighOffset = (USHORT)((ULONG) IDT_PageFault_Hook>>16);

__asm sti

2 Determine the source of the fault (from which process), the range of the faulting instruction

address, Error Code value.

3 Based on the faulting instruction address, calculate a new address (on the new .text section)

for redirection. When the current fault handling is done, the control flow will be returned to the

new calculated place, and the normal execution will go on.

In order to know about all the context information when the vulnerability is triggered, including

the call stack information on the ROP module, we need to analyze the offending instruction and

output the analysis results.

1) [ring0->eip] = pfnStub_PrintRelocInfoAndAnalysis (kernel will first return to our instruction

analyzing and logging function)

2) [ring3-> esp-4] = new_text_code_by_redirect_offset(assign the new redirection address to esp-

4)

3) [ring0->esp -16 ] = addr(Ring3->esp-4) (modify the ring3 stack pointer to esp-4)

Initialization

Inject our own DLL (i.e., myring3.dll) into the target process

Parse the PE structure of the ROP module, and copy the entire .text section to a new allocated

memory region ”new_text_code”; Set the memory attribute of the original .text section of ROP

module to PAGE_READONLY to make it NO_EXECUTE

Suspend all threads, except for the current thread itself

Notify the Ring0 driver to start the address redirection

ROP detection

DLL module does instruction analysis and logs the exception information and analysis results

Why the relocated code can still run?

Executing the instructions within the original .text section

The execution of the normal instructions or relative address control transfer within the new

memory region ”new_text_code” continues in this region, until it hits some control transfer

instructions (i.e., jmp/ret/call) that use an absolute address, which leads to an access to the

original .text section, thus causes a page fault.

External calls

An external module’s call into the original .text section will cause a page fault and then be

redirected to the new memory region to continue execution.

Already running threads

If some threads are already running into the ROP module before the .text section relocation is done,

these threads will then be redirected to run on the new region; however some function return

addresses that have been pushed in the thread stacks by previous function calls may still point to

the original .text section. These old return address may cause some page faults for a few times, but

eventually they will be gradually resolved to the new region along with the nested function call

return.

The code access (instruction fetch) faults, i.e., copy-unfriendly instruction/address types

Some control transfer instructions “new_text_code” using absolute address may go back to the

original code region

A module passes information (interface pointer, function or data address etc) out to the external

modules through some interface call.

Call/jmp instructions via function address table (containing a list of absolute addresses) within a

module, such as virtual function table or jump table.

Export function address to the external modules via PE’s export address table (EAT).

“Copy-friendly” instructions

normal instructions (mov , xor ,inc ,add…) always run unaffected no matter where you move them

to

relative control transfer call/jump also run “self-contained” within the new region where they are

moved to

“Copy-unfriendly” instructions

Control transfer using absolute address

“Copy-unfriendly” instructions (cont’d)

Module passes interface pointer out to the external modules

Old code exported interface pointer to giving reference modules


call/jmp instructions via function address table (containing a list of absolute addresses) within a

module, such as virtual function table or jump table.


Export function address to the external modules via PE’s EAT.

By redirecting the faulting code access, any code execution attempt from the original .text section

will be transparently forwarded to the execution of the same corresponding code from the new

code region (new_text_code)

Page faults will be generated during this process, either by the relocated module (the new code

region) or from other external modules

Our page fault handler is able to catch any code execution attempt on the original .text section

checks for validity against the faulting instruction to determine whether this is a valid or ROP like

entry

ROP exploit via a ROP module loaded to a fixed address constructs the fake stack using hard-coded

sequence of addresses; such addresses point to the gadgets on the original .text section of the ROP

module. In the following example, address attribute at 0x51BE5B98 is set to non-executable;

therefore when the ROP exploit executes the needed instructions, we can catch this faulting

instruction and identify the ROP attack.

In the case of Information leak, the base address where the ROP module is loaded to is calculated

at runtime, then why is the leaked address still pointing to the original module after we do the

redirection?

For example, CVE-2013-0640

We can see that a string is allocated first ,58 58 58 58 00 =“XXXX”,by triggering the vulnerability,

the null terminator after 0x58 is modified to ’0xfe’.

The attacker deliberately places a Node object after the string array, and using a vulnerability try

to out-of-bound read the Node object’s vtable address, i.e., 0x4da7af4

The offset of vtable of Node object relative to the ROP module base (AcroForm.api) is fixed, i.e.,

0x7A7AF4 .Therefore, the randomized (ASLRed) base address of the ROP module = vtable address

– offset = 04da7af4 - 7A7AF4 = 0x4600000.In this example, Node object’s vtable is in the .rdata

section. We relocate the only the .text section, whereas ROP exploit calculates the randomized

base address of the ROP module via the leaked vtable address in .rdata section. Since the calculated

base address of the ROP module is still in the original .text section, we can catch the ROP attack.

• Background

• Our Approach

• Case Study

• Optimization

• Summary


Case Study CVE-2013-3893 ROP via a module with a fixed address

CVE-2013-3893 is an IE vulnerability, the attacker leverages a non-ASLR module hxds.dll in MS

Office product to do ROP.

load a non-ASLR hxds.dll into IE; fixed address @ 0x51be5b98; controllable fake stack @

0x12121212

Demo.

CVE-2013-0640,Adobe Acrobat And Reader CVE-2013-0640 Remote Code Execution Vulnerability.

The module AcroForm.api is the target of info leak and the subsequent ROP chain construction.

We can catch stack pivot from the original .text section.

• Background

• Our Approach

• Case Study

• Optimization

• Summary

Acknowledgement & Reference

Challenge

Without optimization, both some legitimate entries and ROP execution attempts may cause page

faults; excessive number of page faults not only elongates the exploit execution, thus may cause

the exploits to fail, but also slows down the system and make the application unusable.

Goal: From the ROP detection’s perspective, we are only interested in those page faults that are

generated by ROP.

Observation: The majority of the page faults are caused by control transfer to the old code section

using absolute addresses and many of those originate from the function address table based

call/jmp within the ROP module

• .code relocation value: dwRelocCodeAddr ,value = *(DWORD) dwRelocCodeAddr

• value >= nCodeStart && value <= nCodeStart +nCodeSize

• .data relocation value: dwRelocDataAddr, value = *(DWORD) dwRelocCodeAddr


• .rdata relocation value: dwRelocRDataAddr, value = *(DWORD) dwRelocRDataAddr


Results

Taking CVE-2013-0640 as an example. The ROP module is AcroForm.api. Our internal testing

showed that without any optimization we might need to experience ~15 million of page faults

before the ROP instruction is identified. After fixing up the PE’s relocation section, only thousands

of page faults were seen, where almost all of those page faults were introduced by ROP exploits.

Summary

1) Make a shadow copy of the .text code section of the ROP module and mark the original .text

code section NON_EXECUTE

2) Change all the necessary addresses so that the shadow copy transparently runs in lieu of the

original .text code section

3) Any ROP attempt into the original .text code section will cause page faults, thus will be caught

by our exception handler with (ROP instruction, stack info, register info, current thread info,

etc) detail

Acknowledgement

Thanks Bing Sun for providing the research direction and help on the implementation; we would

also like to thank the colleagues of McAfee Labs IPS Team for sharing many great technical

information and ideas.

References

[1] YAN Tao, WANG Yi-jun, XUE Zhi,Research and Application of ROP Automatica Generation

Technology on Windows

[2] Elias Bachaalany , Inside EMET4.0

[3] Haifei Li, Smashing the Heap with Vector: Advanced Exploitation Technique in Recent Flash Zero-

day Attack.

[4] Lucas Daviy, Ahmad-Reza Sadeghiy, Marcel Winandyz, ROPdefender: A Detection Tool to Defend

Against Return-Oriented Programming Attacks

Appendix

About Detection the CVE-2014-0640 information by Anti-ROP project

00000001 0.00000000 [2376] Dll Entry

00000002 0.00005881 [2376] ###---> [Exploit Detection:1] Dll was Injection to

Process:AcroRd32.exe !

00000003 0.00018571 [2376] ###---> [Exploit Detection:2] Find Target

Process:AcroRd32.exe

00000004 0.00025681 [2376] ###---> [Exploit Detection: ] Found AcroRd32.exe !

00000005 0.00095662 [2376] ###---> [Exploit Detection:3] GetParentProcessName falil!

00000006 0.06557223 [3396] Dll Entry

00000007 0.06564619 [3396] ###---> [Exploit Detection:1] Dll was Injection to

Process:AcroRd32.exe !

00000008 0.06577128 [3396] ###---> [Exploit Detection:2] Find Target

Process:AcroRd32.exe

00000009 0.06580690 [3396] ###---> [Exploit Detection: ] Found AcroRd32.exe !

00000010 0.06686674 [3396] [Exploit Detection:3] Find target Process Pid:3396!

00000011 0.06701019 [3396] ###---> [Exploit Detection:4] freopen fail!

00000012 0.06703967 [3396] ###---> [Exploit Detection:5] CreateDirectory Success!

00000013 0.06712634 [3396] ###---> [Exploit Detection:6] Injection of MyThreadRoutine is

Running!

00000014 0.09817512 [3396] ###---> [Exploit Detection:7] MyThreadRoutine

00000015 1.11598337 [3396] ###---> [Exploit Detection] C:\Program Files\Adobe\Reader

11.0\Reader\plug_ins\AcroForm.api

00000016 1.11598337 [3396] --> base module address is :0x69160000

00000017 1.11611617 [3396] section name .text,Characteristics 60000020 --- and

SectionNumber :5

00000018 1.11611617 [3396]

00000019 1.12164426 [3396] New VirtualAddress: 5af0000

00000020 1.12164426 [3396]

00000021 1.12173831 [3396] ***---> Load modules:C:\Program Files\Adobe\Reader

11.0\Reader\AcroRd32.exe

00000022 1.12173831 [3396] Address:0x00940000 ~ 0x00a91000

00000023 1.12179983 [3396] ***---> Load modules:C:\Windows\SYSTEM32\ntdll.dll

00000024 1.12179983 [3396] Address:0x77030000 ~ 0x7716c000

00000025 1.12183964 [3396] ***---> Load modules:C:\Windows\system32\kernel32.dll

00000026 1.12183964 [3396] Address:0x757c0000 ~ 0x75894000

00000027 1.12187850 [3396] ***---> Load

modules:C:\Windows\system32\KERNELBASE.dll

00000028 1.12187850 [3396] Address:0x75310000 ~ 0x7535a000

00000029 1.12191617 [3396] ***---> Load modules:C:\Windows\system32\USER32.dll

00000030 1.12191617 [3396] Address:0x75f20000 ~ 0x75fe9000

00000031 1.12195373 [3396] ***---> Load modules:C:\Windows\system32\GDI32.dll

00000032 1.12195373 [3396] Address:0x762e0000 ~ 0x7632e000

00000033 1.12201893 [3396] ***---> Load modules:C:\Windows\system32\LPK.dll

00000034 1.12201893 [3396] Address:0x76230000 ~ 0x7623a000

00000035 1.12205577 [3396] ***---> Load modules:C:\Windows\system32\USP10.dll

00000036 1.12205577 [3396] Address:0x75ce0000 ~ 0x75d7d000

00000037 1.12209225 [3396] ***---> Load modules:C:\Windows\system32\msvcrt.dll

00000038 1.12209225 [3396] Address:0x75510000 ~ 0x755bc000

00000039 1.12212908 [3396] ***---> Load modules:C:\Windows\system32\ADVAPI32.dll

00000040 1.12212908 [3396] Address:0x76240000 ~ 0x762e0000

00000041 1.12216592 [3396] ***---> Load modules:C:\Windows\SYSTEM32\sechost.dll

00000042 1.12216592 [3396] Address:0x763c0000 ~ 0x763d9000

00000043 1.12220335 [3396] ***---> Load modules:C:\Windows\system32\RPCRT4.dll

00000044 1.12220335 [3396] Address:0x758a0000 ~ 0x75941000

00000045 1.12224078 [3396] ***---> Load modules:C:\Windows\system32\SHLWAPI.dll

00000046 1.12224078 [3396] Address:0x75c20000 ~ 0x75c77000

00000047 1.12229431 [3396] ***---> Load modules:C:\Windows\system32\IMM32.DLL

00000048 1.12229431 [3396] Address:0x75cc0000 ~ 0x75cdf000

00000049 1.12233353 [3396] ***---> Load modules:C:\Windows\system32\MSCTF.dll

00000050 1.12233353 [3396] Address:0x75b50000 ~ 0x75c1c000

00000051 1.12237895 [3396] ***---> Load modules:c:\rc.dll

00000052 1.12237895 [3396] Address:0x71f20000 ~ 0x71fad000

00000053 1.12241733 [3396] ***---> Load modules:C:\Windows\system32\SHELL32.dll

00000054 1.12241733 [3396] Address:0x763e0000 ~ 0x7702a000

00000055 1.12245822 [3396] ***---> Load

modules:C:\Windows\WinSxS\x86_microsoft.windows.common-

controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32.dll

00000056 1.12245822 [3396] Address:0x74110000 ~ 0x742ae000

00000057 1.12249780 [3396] ***---> Load modules:C:\Windows\system32\uxtheme.dll

00000058 1.12249780 [3396] Address:0x73f90000 ~ 0x73fd0000

00000059 1.12253642 [3396] ***---> Load modules:C:\Windows\system32\dwmapi.dll

00000060 1.12253642 [3396] Address:0x73c60000 ~ 0x73c73000

00000061 1.12257671 [3396] ***---> Load modules:C:\Windows\system32\ole32.dll

00000062 1.12257671 [3396] Address:0x759c0000 ~ 0x75b1c000

00000063 1.12261653 [3396] ***---> Load modules:C:\Windows\system32\CRYPTBASE.dll

00000064 1.12261653 [3396] Address:0x75080000 ~ 0x7508c000

00000065 1.12266016 [3396] ***---> Load modules:C:\Windows\system32\ntmarta.dll

00000066 1.12266016 [3396] Address:0x73af0000 ~ 0x73b11000

00000067 1.12270081 [3396] ***---> Load modules:C:\Windows\system32\WLDAP32.dll

00000068 1.12270081 [3396] Address:0x77210000 ~ 0x77255000


11.0\Reader\AcroRd32.dll

00000070 1.12274706 [3396] Address:0x65a20000 ~ 0x675ef000


11.0\Reader\AGM.dll

00000072 1.12280190 [3396] Address:0x69e10000 ~ 0x6a2e9000

00000073 1.12284458 [3396] ***---> Load modules:C:\Windows\system32\MSVCR100.dll

00000074 1.12284458 [3396] Address:0x6df90000 ~ 0x6e04f000

00000075 1.12288618 [3396] ***---> Load modules:C:\Windows\system32\MSVCP100.dll

00000076 1.12288618 [3396] Address:0x6e230000 ~ 0x6e299000

00000077 1.12292778 [3396] ***---> Load modules:C:\Windows\system32\VERSION.dll

00000078 1.12292778 [3396] Address:0x74680000 ~ 0x74689000


11.0\Reader\CoolType.dll

00000080 1.12297153 [3396] Address:0x6aa90000 ~ 0x6ad4b000


11.0\Reader\BIB.dll

00000082 1.12301648 [3396] Address:0x70b20000 ~ 0x70b3e000


11.0\Reader\ACE.dll

00000084 1.12306142 [3396] Address:0x6cb20000 ~ 0x6cc0a000

00000085 1.12310565 [3396] ***---> Load modules:C:\Windows\system32\profapi.dll

00000086 1.12310565 [3396] Address:0x75180000 ~ 0x7518b000


11.0\Reader\plug_ins\AcroForm.api

00000088 1.12315667 [3396] Address:0x69160000 ~ 0x69e0d000

00000089 1.12320161 [3396] ***---> Load modules:C:\Windows\system32\OLEAUT32.dll

00000090 1.12320161 [3396] Address:0x76330000 ~ 0x763bf000

00000091 1.12324631 [3396] ***---> Load modules:C:\Windows\system32\SensApi.dll

00000092 1.12324631 [3396] Address:0x70690000 ~ 0x70696000

00000093 1.12330341 [3396] ***---> Load modules:C:\Windows\system32\CRYPT32.dll

00000094 1.12330341 [3396] Address:0x75360000 ~ 0x7547d000

00000095 1.12335229 [3396] ***---> Load modules:C:\Windows\system32\MSASN1.dll

00000096 1.12335229 [3396] Address:0x751f0000 ~ 0x751fc000


11.0\Reader\AXSLE.dll

00000098 1.12339973 [3396] Address:0x6b3e0000 ~ 0x6b476000


11.0\Reader\plug_ins\Annots.api

00000100 1.12344849 [3396] Address:0x68a80000 ~ 0x69160000


11.0\Reader\plug_ins\DigSig.api

00000102 1.12349892 [3396] Address:0x6b270000 ~ 0x6b3dc000


11.0\Reader\AXE8SharedExpat.dll

00000104 1.12354851 [3396] Address:0x729d0000 ~ 0x729fc000


11.0\Reader\cryptocme.dll

00000106 1.12360275 [3396] Address:0x6c9e0000 ~ 0x6ca2d000


11.0\Reader\ccme_base.dll

00000108 1.12365162 [3396] Address:0x6afd0000 ~ 0x6b032000


11.0\Reader\ccme_base_non_fips.dll

00000110 1.12370121 [3396] Address:0x6b870000 ~ 0x6b8a8000


11.0\Reader\ccme_asym.dll

00000112 1.12375069 [3396] Address:0x6af90000 ~ 0x6afce000


11.0\Reader\ccme_ecc.dll

00000114 1.12381458 [3396] Address:0x6af00000 ~ 0x6af90000


11.0\Reader\ccme_ecdrbg.dll

00000116 1.12386620 [3396] Address:0x6aa10000 ~ 0x6aa88000

00000117 1.12391782 [3396] ***---> Load modules:C:\Windows\system32\CRYPTSP.dll

00000118 1.12391782 [3396] Address:0x74c00000 ~ 0x74c16000

00000119 1.12396801 [3396] ***---> Load modules:C:\Windows\system32\rsaenh.dll

00000120 1.12396801 [3396] Address:0x749a0000 ~ 0x749db000


11.0\Reader\plug_ins\PPKLite.api

00000122 1.12401986 [3396] Address:0x67c60000 ~ 0x68362000

00000123 1.12407935 [3396] ***---> Load modules:C:\Windows\system32\WSOCK32.dll

00000124 1.12407935 [3396] Address:0x6f3b0000 ~ 0x6f3b7000

00000125 1.12413371 [3396] ***---> Load modules:C:\Windows\system32\WS2_32.dll

00000126 1.12413371 [3396] Address:0x75c80000 ~ 0x75cb5000

00000127 1.12418461 [3396] ***---> Load modules:C:\Windows\system32\NSI.dll

00000128 1.12418461 [3396] Address:0x77200000 ~ 0x77206000


11.0\Reader\plug_ins\EScript.api

00000130 1.12423694 [3396] Address:0x6a6b0000 ~ 0x6a85f000


11.0\Reader\icucnv40.dll

00000132 1.12432003 [3396] Address:0x6a930000 ~ 0x6aa04000


11.0\Reader\icudt40.dll

00000134 1.12437689 [3396] Address:0x706a0000 ~ 0x706b8000

00000135 1.12443125 [3396] ***---> Load modules:C:\Windows\system32\CLBCatQ.DLL

00000136 1.12443125 [3396] Address:0x75480000 ~ 0x75503000

00000137 1.12448585 [3396] ***---> Load

modules:C:\Users\Jifeng\AppData\Local\cache\LangBar32.dll

00000138 1.12448585 [3396] Address:0x02880000 ~ 0x028c4000

00000139 1.12454045 [3396] ***---> Load modules:C:\Windows\system32\WININET.DLL

00000140 1.12454045 [3396] Address:0x75ff0000 ~ 0x760e5000

00000141 1.12460029 [3396] ***---> Load modules:C:\Windows\system32\urlmon.dll

00000142 1.12460029 [3396] Address:0x760f0000 ~ 0x76226000

00000143 1.12465465 [3396] ***---> Load modules:C:\Windows\system32\iertutil.dll

00000144 1.12465465 [3396] Address:0x755c0000 ~ 0x757bb000

00000145 1.12470937 [3396] ***---> Load modules:C:\Windows\system32\propsys.DLL

00000146 1.12470937 [3396] Address:0x73fd0000 ~ 0x740c5000


11.0\Reader\plug_ins\Accessibility.api

00000148 1.12477791 [3396] Address:0x6a8b0000 ~ 0x6a929000

00000149 1.12483585 [3396] ***---> Load modules:C:\Windows\system32\SETUPAPI.dll

00000150 1.12483585 [3396] Address:0x75d80000 ~ 0x75f1d000

00000151 1.12489271 [3396] ***---> Load modules:C:\Windows\system32\CFGMGR32.dll

00000152 1.12489271 [3396] Address:0x75200000 ~ 0x75227000

00000153 1.12494946 [3396] ***---> Load modules:C:\Windows\system32\DEVOBJ.dll

00000154 1.12494946 [3396] Address:0x75230000 ~ 0x75242000

00000155 1.12497735 [3396] ###---> [Exploit Detection:8] EnumProcessModules

success!

00000156 1.12500679 [3396] ###---> [Exploit Detection:9]

00020841 52.24734116 [3396] ***************************[Record

Log]***********************************************

00020842 52.24736786 [3396] 69636B8C: 6A08 PUSH

08 ;

00020843 52.24739075 [3396] 69636B8E: B8 E5457369 MOV EAX,

697345E5 ;

00020844 52.24741364 [3396] [count:11245007]address :69205459 | opcode :6a 18

00020845 52.24743652 [3396] 69205459: 6A18 PUSH

18 ;

00020846 52.24745941 [3396] 6920545B: B8 ED217369 MOV EAX,

697321ED ;

00020847 52.24748230 [3396] [count:11245008]address :69516096 | opcode :56 8b

00020848 52.24750137 [3396] 69516096: 56 PUSH

ESI ;

00020849 52.24752045 [3396] 69516097: 8BF1 MOV ESI,

ECX ;

00020850 52.24754333 [3396] [count:11245009]address :69205459 | opcode :6a 18

00020851 52.24756622 [3396] 69205459: 6A18 PUSH

18 ;

00020852 52.24758911 [3396] 6920545B: B8 ED217369 MOV EAX,

697321ED ;


00020854 52.24768066 [3396] 69516096: 56 PUSH

ESI ;

00020855 52.24770355 [3396] 69516097: 8BF1 MOV ESI,

ECX ;


00020857 52.24774933 [3396] 69648486: 56 PUSH

ESI ;

00020858 52.24777222 [3396] 69648487: 8BF1 MOV ESI,

ECX ;

00020859 52.24779510 [3396] [count:11245012]address :6920618b | opcode :56 8b

00020860 52.24781418 [3396] 6920618B: 56 PUSH

ESI ;

00020861 52.24783707 [3396] 6920618C: 8BF1 MOV ESI,

ECX ;

00020862 52.24785995 [3396]

00020863 52.24785995 [3396]**[[[[[[[[[[[[[[[ Found exploit form AcroForm.api ]]]]]]]]]]]]]]]**

00020864 52.24788284 [3396] [PID:3396][count:11245013]

00020865 52.24788284 [3396] PageFault address:0x69319f50!AcroForm.api New

eip:0x5ca8f50

00020866 52.24788284 [3396]

eax:1184732c:ebx:00000001:ecx:11853c50:edx:00000000:esi:1776ebb4:edi:050b0294:esp:002d

dbd0

00020867 52.24788284 [3396]

00020868 52.24790955 [3396] 69319F50: 50 PUSH

EAX ;

00020869 52.24792862 [3396] 69319F51: 5C POP

ESP ;

00020870 52.24795151 [3396] current esp->0x5B944D5

00020871 52.24797058 [3396]

*******************************************************************************

************************************************

00020872 52.24797058 [3396] caller information:

00020873 52.24799728 [3396] 05B944C1: FF4704 INC DWORD

PTR DS:[EDI+04H] ;

00020874 52.24802017 [3396] 05B944C4: 8B4E44 MOV

ECX,DWORD PTR DS:[ESI+44H] ;

00020875 52.24804306 [3396] 05B944C7: 85C9 TEST ECX,

ECX ;

00020876 52.24806595 [3396] 05B944C9: 740A JZ

05B944D5 ;

00020877 52.24808502 [3396] 05B944CB: FF4904 DEC DWORD

PTR DS:[ECX+04H] ;

00020878 52.24810791 [3396] 05B944CE: 7505 JNZ

05B944D5 ;

00020879 52.24812698 [3396] 05B944D0: 8B01 MOV

EAX,DWORD PTR DS:[ECX] ;

00020880 52.24814987 [3396] 05B944D2: 53 PUSH

EBX ;

00020881 52.24817276 [3396] 05B944D3: FF10 CALL DWORD

PTR DS:[EAX] ;

00020882 52.24819565 [3396] 05B944D5: 56 PUSH

ESI ;

00020883 52.24821854 [3396] 05B944D6: 8BCF MOV ECX,

EDI ;

00020884 52.24824142 [3396] 05B944D8: 897E44 MOV DWORD

PTR DS:[ESI+44H],EDI ;

00020885 52.24826431 [3396] 05B944DB: E8 8C35FEFF CALL

05B77A6C ;

00020886 52.24828339 [3396] 05B944E0: 8B45F0 MOV

EAX,DWORD PTR SS:[EBP-10H] ;

00020887 52.24830627 [3396] 05B944E3: 8B404C MOV

EAX,DWORD PTR DS:[EAX+4CH] ;

00020888 52.24832916 [3396] 05B944E6: 33464C XOR

EAX,DWORD PTR DS:[ESI+4CH] ;

00020889 52.24835205 [3396] 05B944E9: 8B4D08 MOV

ECX,DWORD PTR SS:[EBP+08H] ;

00020890 52.24837494 [3396] 05B944EC: 23C3 AND EAX,

EBX ;

00020891 52.24839783 [3396] 05B944EE: 31464C XOR DWORD

PTR DS:[ESI+4CH],EAX ;

00020892 52.24842072 [3396] 05B944F1: 8D45E4 LEA

EAX,DWORD PTR SS:[EBP-1CH] ;

00020893 52.24843979 [3396]

*******************************************************************************

************************************************

00020894 52.24843979 [3396]

00020895 52.24846268 [3396] [count:11245014]address :69161049 | opcode :c3 74

00020896 52.24848557 [3396] 69161049: C3

RET ; Pop IP

00020897 52.24850845 [3396] 6916104A: 7409 JZ

69161055 ;


00020899 52.24855423 [3396] 69161049: C3

RET ; Pop IP

00020900 52.24857712 [3396] 6916104A: 7409 JZ

69161055 ;


00020902 52.24868393 [3396] 69161049: C3

RET ; Pop IP

00020903 52.24870682 [3396] 6916104A: 7409 JZ

69161055 ;


00020905 52.24874878 [3396] 69161049: C3

RET ; Pop IP

00020906 52.24877167 [3396] 6916104A: 7409 JZ

69161055 ;


00020908 52.24881744 [3396] 69161049: C3

RET ; Pop IP

00020909 52.24884033 [3396] 6916104A: 7409 JZ

69161055 ;


00020911 52.24888229 [3396] 69161049: C3

RET ; Pop IP

00020912 52.24890518 [3396] 6916104A: 7409 JZ

69161055 ;


00020914 52.24895096 [3396] 69161049: C3

RET ; Pop IP

00020915 52.24897385 [3396] 6916104A: 7409 JZ

69161055 ;


00020917 52.24901962 [3396] 69161049: C3

RET ; Pop IP

00020918 52.24903870 [3396] 6916104A: 7409 JZ

69161055 ;


00020920 52.24908447 [3396] 69161049: C3

RET ; Pop IP

00020921 52.24910736 [3396] 6916104A: 7409 JZ

69161055 ;


00020923 52.24915314 [3396] 69161049: C3

RET ; Pop IP

00020924 52.24917603 [3396] 6916104A: 7409 JZ

69161055 ;


00020926 52.24921799 [3396] 69161049: C3

RET ; Pop IP

00020927 52.24924088 [3396] 6916104A: 7409 JZ

69161055 ;


00020929 52.24928665 [3396] 69161049: C3

RET ; Pop IP

00020930 52.24930954 [3396] 6916104A: 7409 JZ

69161055 ;


00020932 52.24934769 [3396] 69161049: C3

RET ; Pop IP

00020933 52.24937057 [3396] 6916104A: 7409 JZ

69161055 ;


00020935 52.24941635 [3396] 69161049: C3

RET ; Pop IP

00020936 52.24943924 [3396] 6916104A: 7409 JZ

69161055 ;


00020938 52.24948120 [3396] 69161049: C3

RET ; Pop IP

00020939 52.24950409 [3396] 6916104A: 7409 JZ

69161055 ;


00020941 52.24954987 [3396] 69161049: C3

RET ; Pop IP

00020942 52.24957275 [3396] 6916104A: 7409 JZ

69161055 ;


00020944 52.24964523 [3396] 69161049: C3

RET ; Pop IP

00020945 52.24966812 [3396] 6916104A: 7409 JZ

69161055 ;


00020947 52.24972153 [3396] 69161049: C3

RET ; Pop IP

….

---------------------------------------------------------------------------------------------------------------------------------

combating the advanced memory exploitation techniques ... · combating the advanced memory...

Documents