reverse engineering grant curell. what is reverse engineering? reverse engineering is the process of...

of 55/55
Reverse Engineering Grant Curell

Post on 18-Dec-2015

215 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • Slide 1
  • Reverse Engineering Grant Curell
  • Slide 2
  • What is reverse engineering? Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation
  • Slide 3
  • Why does the military care and more specifically, why should you?
  • Slide 4
  • General reversing What is the x86 architecture? What is a computer? What is the general structure of a computer? What differentiates malicious instructions from legitimate instructions?
  • Slide 5
  • Registers EAX - Accumulator Register EBX - Base Register ECX - Counter Register EDX - Data Register ESI - Source Index EDI - Destination Index EBP - Base Pointer ESP - Stack Pointer
  • Slide 6
  • EAX - All major calculations take place in EAX, making it similar to a dedicated accumulator register. EDX - The data register is the an extension to the accumulator. It is most useful for storing data related to the accumulator's current calculation. ECX - Like the variable i in high-level languages, the count register is the universal loop counter. EDI - Every loop must store its result somewhere, and the destination index points to that place. With a single-byte STOS instruction to write data out of the accumulator, this register makes data operations much more size-efficient. ESI - In loops that process data, the source index holds the location of the input data stream. Like the destination index, EDI had a convenient one-byte instruction for loading data out of memory into the accumulator. ESP - ESP is the sacred stack pointer. With the important PUSH, POP, CALL, and RET instructions requiring it's value, there is never a good reason to use the stack pointer for anything else. EBP - In functions that store parameters or variables on the stack, the base pointer holds the location of the current stack frame. In other situations, however, EBP is a free data-storage register. EBX - In 16-bit mode, the base register was useful as a pointer. Now it is completely free for extra storage space.
  • Slide 7
  • Commands command operand1, operand2 command reg1, op1/reg2 command op1/reg1 Where an operator can be fixed number or a register
  • Slide 8
  • Commands The basics sub dest, src - The source is subtracted from the destination and the result is stored in the destination. (dest-src=dest) add dest, src - Adds "src" to "dest" and replacing the original contents of "dest". Both operands are binary. mov dest, src - Copies byte or word from the source operand to the destination operand.
  • Slide 9
  • Commands push and pop push src - Decrements SP by the size of the operand (two or four, byte values are sign extended) and transfers one word from source to the stack top (SS:SP). Transfers word at the current stack top (SS:SP) to the destination then increments SP by two to point to the new stack top. CS is not a valid destination.
  • Slide 10
  • Slide 11
  • Slide 12
  • commands comparison operators xor dest, src - Performs a bitwise exclusive OR of the operands and returns the result in the destination. test dest, src - Performs a logical AND of the two operands updating the flags register without saving the result. cmp - Subtracts source from destination and updates the flags but does not save result. Flags can subsequently be checked for conditions.
  • Slide 13
  • Commands call call - Pushes Instruction Pointer (and Code Segment for far calls) onto stack and loads Instruction Pointer with the address of proc- name. Code continues with execution at CS:IP.
  • Slide 14
  • Commands leave and ret Leave
  • Slide 15
  • commands - jumps Details on Jumps
  • Slide 16
  • commands pointers and lea lea dest, src - Transfers offset address of "src" to the destination register. Question? Is the value of ESI the same or different after each of these instructions? What is its value(s)? MOV ESI, [EBX + 8*EAX + 4] and LEA ESI, [EBX + 8*EAX + 4]
  • Slide 17
  • Example 1 Well talk about these later.
  • Slide 18
  • The original code...
  • Slide 19
  • Calling Conventions The C Convention: pushes arguments onto the stack from right to left (i.e., the first argument of the function is placed on the stack last, and thus appears on top). Deleting arguments from the stack is entrusted not to the function, but to the code calling the function. The Pascal convention pushes arguments on the stack from left to right (i.e., the first argument of the function is placed on the stack first, and thus appears on the bottom). The deletion of function arguments is entrusted to the function itself,
  • Slide 20
  • Example 1 Whats happening here?
  • Slide 21
  • Example 2 Meow
  • Slide 22
  • Example 2 Where was our string stored?
  • Slide 23
  • Example 3: Now you know enough to be dangerous Hint: Youll need this ASCII TABLEASCII TABLE
  • Slide 24
  • Some review Buffer Overflows
  • Slide 25
  • Where is data stored? Generally: All local variables are stored on the stack. Dynamically allocated variables are generally placed in the heap.
  • Slide 26
  • Example 4 -There are two flaws in this program. Can you spot them?
  • Slide 27
  • What is an access violation and why did it occur? (Pay close attention because the answer will help you with your assignment.)
  • Slide 28
  • Slide 29
  • As compiled with Dev C++
  • Slide 30
  • Slide 31
  • A quick comparison with what it looked like when compiled with Visual Studio Whats happening here?
  • Slide 32
  • What do we expect the stack to look like when we reach this point? What is this for? What is this?
  • Slide 33
  • Stack after the sub esp, 68
  • Slide 34
  • Can you identify what is on the stack right now?
  • Slide 35
  • Assuming NO access violation occurred, what do you think happened?
  • Slide 36
  • So now what? We want control. How do you think we should do it?
  • Slide 37
  • Time for some math. Start of our buffer Return address 0022FF60-22FF10 = 0x50 or 80 bytes first 76 bytes are buffer last 4 overwrite return address.
  • Slide 38
  • What it looks like after input notice the return address overwritten by B instead of A. Return address
  • Slide 39
  • So thats great, but where are we gonna put our shell code? Registers just before the return Stack just before the return
  • Slide 40
  • Finding a suitable jmp ecx
  • Slide 41
  • Now we write some shell code
  • Slide 42
  • Lets take a look right before gets
  • Slide 43
  • Right after gets looks good
  • Slide 44
  • It didnt work why?
  • Slide 45
  • This still wont work. Why?
  • Slide 46
  • So we need a new exploitation technique. Example 5
  • Slide 47
  • SEH What is that?
  • Slide 48
  • Lets get a better look
  • Slide 49
  • What it looks like in Ollydbg your target This is the unfiltered exception handler. It is called if no other EH can handle the problem.
  • Slide 50
  • So heres generally what to do See later slides for why step 4 is different.
  • Slide 51
  • What your malicious payload should look like NOPs Exploit Code Short JMP Address of Pop Pop Ret 16 NOPsLong Jump To NOP SledLarge amount of garbage
  • Slide 52
  • One difference conceptually Because we do not have space after the SEH, we must put our shellcode before. This means we will have to jump to the nopsled above and let it slide down. The encoding you will want to use is: \xE9\x14\xFD\xFF\xFF
  • Slide 53
  • Generating a Payload Using Backtrack 1)Open a console 2)Type msfconsole 3)Type use payload/windows/messagebox 4)Type show options to see exploit options. Mess with these as you wish. 5)Type generate to generate the payload Note: My payload code is in the notes if you wish to use that.
  • Slide 54
  • Lets take a pictorial look
  • Slide 55
  • That questions slide Insert a generic picture of question marks here