- Exploiting Software: How to Break Code
- Table of Contents
- Copyright
- Praise for Exploiting Software
- Attack Patterns
- Foreword
- Preface
- What This Book Is About
- How to Use This Book
- But Isn't This Too Dangerous?
- Acknowledgments
- Greg's Acknowledgments
- Gary's Acknowledgments
- Bad Software Is Ubiquitous
- The Trinity of Trouble
- The Future of Software
- What Is Software Security?
- Conclusion
- Chapter 2. Attack Patterns
- A Taxonomy
- An Open-Systems View
- Tour of an Exploit
- Attack Patterns: Blueprints for Disaster
- An Example Exploit: Microsoft's Broken C++ Compiler
- Applying Attack Patterns
- Attack Pattern Boxes
- Conclusion
- Into the House of Logic
- Should Reverse Engineering Be Illegal?
- Reverse Engineering Tools and Concepts
- Approaches to Reverse Engineering
- Methods of the Reverser
- Writing Interactive Disassembler (IDA) Plugins
- Decompiling and Disassembling Software
- Decompilation in Practice: Reversing helpctr.exe
- Automatic, Bulk Auditing for Vulnerabilities
- Writing Your Own Cracking Tools
- Building a Basic Code Coverage Tool
- Conclusion
- Chapter 4. Exploiting Server Software
- The Trusted Input Problem
- The Privilege Escalation Problem
- Finding Injection Points
- Input Path Tracing
- Exploiting Trust through Configuration
- Specific Techniques and Attacks for Server Software
- Conclusion
- Chapter 5. Exploiting Client Software
- Client-side Programs as Attack Targets
- In-band Signals
- Cross-site Scripting (XSS)
- Client Scripts and Malicious Code
- Content-Based Attacks
- Conclusion
- Chapter 6. Crafting (Malicious) Input
- The Defender's Dilemma
- Intrusion Detection (Not)
- Partition Analysis
- Tracing Code
- Reversing Parser Code
- Misclassification
- Audit Poisoning
- Conclusion
- Chapter 7. Buffer Overflow
- Buffer Overflow 101
- Injection Vectors: Input Rides Again
- Buffer Overflows and Embedded Systems
- Database Buffer Overflows
- Buffer Overflows and Java?!
- Content-Based Buffer Overflow
- Audit Truncation and Filters with Buffer Overflow
- Causing Overflow with Environment Variables
- The Multiple Operation Problem
- Finding Potential Buffer Overflows
- Stack Overflow
- Arithmetic Errors in Memory Management
- Format String Vulnerabilities
- Heap Overflows
- Buffer Overflows and C++
- Payloads
- Payloads on RISC Architectures
- Multiplatform Payloads
- Prolog/Epilog Code to Protect Functions
- Conclusion
- Chapter 8. Rootkits
- Subversive Programs
- A Simple Windows XP Kernel Rootkit
- Call Hooking
- Trojan Executable Redirection
- Hiding Files and Directories
- Patching Binary Code
- The Hardware Virus
- Low-Level Disk Access
- Adding Network Support to a Driver
- Interrupts
- Key Logging
- Advanced Rootkit Topics
- Conclusion
- References
- Index
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

- Why software exploit will continue to be a serious problem
- When network security mechanisms do not work
- Attack patterns
- Reverse engineering
- Classic attacks against server software
- Surprising attacks against client software
- Techniques for crafting malicious input
- The technical details of buffer overflows
- Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Writing Interactive Disassembler (IDA) Plugins

IDA is short for Interactive Disassembler (available from www.datarescue.com) and is one of the most popular reverse engineering tools for software. IDA supports plugin modules so customers can extend the functionality and automate tasks. For this book we created a simple IDA plugin that can scan through two binary files and compare them. The plugin will highlight any code regions that have changed. This can be used to compare a prepatch executable with a postpatch executable to determine which lines of code were fixed.

In many cases, software vendors will "secretly" fix security bugs. The tool we provide here can help an attacker find these secret patches. Be forewarned that this plugin can flag many locations that have not changed at all. If compiler options are changed or the padding between functions is altered, the plugin will return a nice set of false positives. Nonetheless, this is a great example to illustrate how to go about writing IDA plugins.

Our example also emphasizes the biggest problem with penetrate-and-patch security. Patches are attack maps, and clever attackers know how to read them. To use this code you will need the IDA software development kit (SDK), which is available along with the IDA product. Code is commented inline.

These are standard header files. Depending on which API calls you intend to use, you may need to include other header files. Note that we have disabled a certain warning message and included the Windows header file as well. By doing this we are able to use Windows graphical user interface code for pop-up dialogs and so on. The warning 4273 is thrown when you use the standard template library and it's customary to disable it.

```cpp
#include <windows.h>
#pragma warning( disable:4273 )
#include <ida.hpp>
#include <idp.hpp>
#include <bytes.hpp>
#include <loader.hpp>
#include <kernwin.hpp>
#include <name.hpp>
```
Because our plugin is based on a sample plugin supplied with the SDK, the following code is largely that of the sample. These are required functions and the comments were already part of the sample:

```cpp
//--------------------------------------------------------------------------
// This callback is called for UI notification events.
static int sample_callback(void * /*user_data*/, int event_id, va_list /*va*/)
{
  if ( event_id != ui_msg )     // Avoid recursion.
    if ( event_id != ui_setstate
      && event_id != ui_showauto
      && event_id != ui_refreshmarked ) // Ignore uninteresting events
      msg("ui_callback %d\n", event_id);
  return 0;                     // 0 means "process the event";
                                // otherwise, the event would be ignored.
}

//--------------------------------------------------------------------------
// A sample of how to generate user-defined line prefixes
static const int prefix_width = 8;

static void get_user_defined_prefix(ea_t ea,
                                    int lnnum,
                                    int indent,
                                    const char *line,
                                    char *buf,
                                    size_t bufsize)
{
  buf[0] = '\0';        // Empty prefix by default

  // We want to display the prefix only on the lines which
  // contain the instruction itself.

  if ( indent != -1 ) return;           // A directive
  if ( line[0] == '\0' ) return;        // Empty line
  if ( *line == COLOR_ON ) line += 2;
  if ( *line == ash.cmnt[0] ) return;   // Comment line...

  // We don't want the prefix to be printed again for other lines of the
  // same instruction/data. For that we remember the line number
  // and compare it before generating the prefix.

  static ea_t old_ea = BADADDR;
  static int old_lnnum;
  if ( old_ea == ea && old_lnnum == lnnum ) return;

  // Let's display the size of the current item as the user-defined prefix.
  ulong our_size = get_item_size(ea);

  // Seems to be an instruction line. We don't bother with the width
  // because it will be padded with spaces by the kernel.

  snprintf(buf, bufsize, " %d", our_size);

  // Remember the address and line number we produced the line prefix for.
  old_ea = ea;
  old_lnnum = lnnum;
}
```
```cpp
//--------------------------------------------------------------------------
//
// Initialize.
// IDA will call this function only once.
// If this function returns PLUGIN_SKIP, IDA will never load it again.
// If this function returns PLUGIN_OK, IDA will unload the plugin but
// remember that the plugin agreed to work with the database.
// The plugin will be loaded again if the user invokes it by
// pressing the hot key or by selecting it from the menu.
// After the second load, the plugin will stay in memory.
// If this function returns PLUGIN_KEEP, IDA will keep the plugin
// in memory. In this case the initialization function can hook
// into the processor module and user interface notification points.
// See the hook_to_notification_point() function.
//
// In this example we check the input file format and make the decision.
// You may or may not check any other conditions to decide what you do,
// whether you agree to work with the database.
//
int init(void)
{
  if ( inf.filetype == f_ELF ) return PLUGIN_SKIP;

  // Please uncomment the following line to see how the notification works:
  // hook_to_notification_point(HT_UI, sample_callback, NULL);

  // Please uncomment the following line to see how the user-defined prefix works
  // set_user_defined_prefix(prefix_width, get_user_defined_prefix);

  return PLUGIN_KEEP;
}

//--------------------------------------------------------------------------
// Terminate.
// Usually this callback is empty.
// The plugin should unhook from the notification lists if
// hook_to_notification_point() was used.
// IDA will call this function when the user asks to exit.
// This function won't be called in the case of emergency exits.
void term(void)
{
  unhook_from_notification_point(HT_UI, sample_callback);
  set_user_defined_prefix(0, NULL);
}
```
A few more header files and some global variables are included here:

```cpp
#include <process.h>
#include "resource.h"

DWORD g_tempest_state = 0;    // 0 = idle, 1 = scan requested by the user
LPVOID g_mapped_file = NULL;  // read-only view of the target file
DWORD g_file_size = 0;        // size of the target file in bytes
```

This function loads a file into memory. This file is going to be used as the target to compare our binary against. Typically you would load the unpatched file into IDA and compare it with the patched file:
```cpp
bool load_file( char *theFilename )
{
  HANDLE aFileH = CreateFile( theFilename,
                              GENERIC_READ,
                              0,
                              NULL,
                              OPEN_EXISTING,
                              FILE_ATTRIBUTE_NORMAL,
                              NULL);
  if(INVALID_HANDLE_VALUE == aFileH)
  {
    msg("Failed to open file.\n");
    return FALSE;
  }

  HANDLE aMapH = CreateFileMapping( aFileH,
                                    NULL,
                                    PAGE_READONLY,
                                    0,
                                    0,
                                    NULL );
  if(!aMapH)
  {
    msg("failed to open map of file\n");
    CloseHandle(aFileH);
    return FALSE;
  }

  LPVOID aFilePointer = MapViewOfFileEx( aMapH,
                                         FILE_MAP_READ,
                                         0,
                                         0,
                                         0,
                                         NULL);
  // MapViewOfFileEx returns NULL on failure; without this check the scan
  // would later dereference a NULL base pointer.
  if(!aFilePointer)
  {
    msg("failed to map view of file\n");
    CloseHandle(aMapH);
    CloseHandle(aFileH);
    return FALSE;
  }

  DWORD aFileSize = GetFileSize(aFileH, NULL);

  g_file_size = aFileSize;
  g_mapped_file = aFilePointer;

  // The view stays valid after the file and mapping handles are closed.
  CloseHandle(aMapH);
  CloseHandle(aFileH);

  return TRUE;
}
```
This function takes a string of opcodes and scans the target file for these bytes. If the opcodes cannot be found in the target, the location will be marked as changed. This is obviously a simple technique, but it works in many cases. Because of the problems listed at the beginning of this section, this approach can cause problems with false positives.
```cpp
bool check_target_for_string(ea_t theAddress, DWORD theLen)
{
  bool ret = FALSE;

  if(theLen > 4096)
  {
    msg("skipping large buffer\n");
    return TRUE;
  }

  try
  {
    // Scan the target binary for the string.
    static char g_c[4096];

    // I don't know any other way to copy the data string
    // out of the IDA database?!
    for(DWORD i=0;i<theLen;i++)
    {
      g_c[i] = get_byte(theAddress + i);
    }

    // Here we have the opcode string; perform a search.
    LPVOID curr = g_mapped_file;
    DWORD sz = g_file_size;   // bytes remaining from curr to the end of the mapping

    while(curr && sz)
    {
      LPVOID tp = memchr(curr, g_c[0], sz);
      if(tp)
      {
        sz -= ((char *)tp - (char *)curr);
      }

      if(tp && sz >= theLen)
      {
        if(0 == memcmp(tp, g_c, theLen))
        {
          // We found a match!
          ret = TRUE;
          break;
        }

        if(sz > 1)
        {
          // Resume one byte past the candidate; sz must shrink with curr,
          // otherwise the next memchr reads one byte past the mapping.
          curr = ((char *)tp)+1;
          sz--;
        }
        else
        {
          break;
        }
      }
      else
      {
        break;
      }
    }
  }
  catch(...)
  {
    msg("[!] critical failure.");
    return TRUE;
  }

  return ret;
}
```
This thread finds all the functions and compares them with a target binary:

```cpp
void __cdecl _test(void *p)
{
  // Wait for start signal.
  while(g_tempest_state == 0)
  {
    Sleep(10);
  }
```
We call get_func_qty() to determine the number of functions in the loaded binary:

```cpp
  /////////////////////////////////////
  // Enumerate through all functions.
  /////////////////////////////////////
  int total_functions = get_func_qty();
  int total_diff_matches = 0;
```
We now loop through each function. We call getn_func() to get the function structure for each function. The function structure is of type func_t. The ea_t type is known as "effective address" and is actually just an unsigned long. We get the start address of the function and the end address of the function from the function structure. We then compare the sequence of bytes with the target binary:

```cpp
  for(int n=0;n<total_functions;n++)
  {
    //msg("getting next function \n");
    func_t *f = getn_func(n);

    ///////////////////////////////////////////////
    // The start and end addresses of the function
    // are in the structure.
    ///////////////////////////////////////////////
    ea_t myea = f->startEA;
    ea_t last_location = myea;

    while((myea <= f->endEA) && (myea != BADADDR))
    {
      // If the user has requested a stop we should return here.
      if(0 == g_tempest_state) return;

      ea_t nextea = get_first_cref_from(myea);
      ea_t amloc = get_first_cref_to(nextea);
      ea_t amloc2 = get_next_cref_to(nextea, amloc);

      // The cref will be the previous instruction, but we
      // also check for multiple references.
      if((amloc == myea) && (amloc2 == BADADDR))
      {
        // I was getting stuck in loops, so I added this hack
        // to force an exit to the next function.
        if(nextea > myea)
        {
          myea = nextea;
          //----------------------------------------------
          // Uncomment the next two lines to get "cool"
          // scanning effect in the GUI. Looks sweet but slows
          // down the scan.
          //----------------------------------------------
          // jumpto(myea);
          // refresh_idaview();
        }
        else myea = BADADDR;
      }
      else
      {
        // I am a location. Reference is not last instruction _OR_
        // I have multiple references.

        // Diff from the previous location to here and make a comment
        // if we don't match

        // msg("diffing location... \n");
```
We place a comment in our dead listing (using add_long_cmt) if the target doesn't contain our string:

```cpp
        bool pause_for_effect = FALSE;
        int size = myea - last_location;

        if(FALSE == check_target_for_string(last_location, size))
        {
          add_long_cmt(last_location, TRUE,
            "===================================================\n" \
            "= ** This code location differs from the target ** =\n" \
            "===================================================\n");
          msg("Found location 0x%08X that didn't match target!\n", last_location);
          total_diff_matches++;
        }

        // The next chunk starts where this one ended; without this the
        // compared range would keep growing back to the function start.
        last_location = myea;

        if(nextea > myea)
        {
          myea = nextea;
        }
        else myea = BADADDR;

        // goto next address.
        jumpto(myea);
        refresh_idaview();
      }
    }
  }

  msg("Finished! Found %d locations that diff from the target.\n",
      total_diff_matches);
}
```
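The two routines above are the heart of the plugin: check_target_for_string() does an exact byte search in the mapped target, and the loop in _test() applies it to one cref-delimited chunk at a time. The following stand-alone C program is an added example, not code from the book or from the plugin. It implements the same search on plain buffers (tracking the remaining length so neither memchr nor memcmp can read past the end of the mapping), runs the chunk-by-chunk comparison over constructed x86 images, and then shows why the false-positive warning in the text is real: when a callee moves because the padding between functions changed, the rel32 operand of an unchanged call changes with it, and a byte-exact diff flags code that was never touched. Everything here is constructed: the byte images, the chunk boundaries (hand-picked to stand in for the regions the plugin derives from IDA's cross-references), and the normalize_calls() heuristic, which masks the operand after every 0xE8 byte and is only a toy stand-in for proper instruction decoding.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Exact byte-sequence search, the same job as the plugin's
 * check_target_for_string() but on plain buffers. The remaining length is
 * tracked precisely so neither memchr nor memcmp can read past the end.
 * Returns 1 if needle occurs anywhere in hay, 0 otherwise. */
int bytes_found(const uint8_t *hay, size_t hay_len,
                const uint8_t *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len) return 0;
    const uint8_t *curr = hay;
    size_t remaining = hay_len;          /* bytes from curr to the end of hay */
    while (remaining >= needle_len) {
        /* Only positions where a full match could still start are searched. */
        const uint8_t *tp = memchr(curr, needle[0], remaining - needle_len + 1);
        if (tp == NULL) return 0;
        if (memcmp(tp, needle, needle_len) == 0) return 1;
        remaining -= (size_t)(tp - curr) + 1;   /* consume up to and including tp */
        curr = tp + 1;
    }
    return 0;
}

/* Crude normalization (an assumption of this example): blank the rel32 operand
 * after every 0xE8 byte (x86 "call rel32") so that a function whose callee
 * merely moved still compares equal. Treating every 0xE8 as an opcode is a
 * deliberate simplification; a real tool would decode instructions. */
size_t normalize_calls(const uint8_t *in, size_t len, uint8_t *out, size_t out_cap)
{
    if (len > out_cap) return 0;
    memcpy(out, in, len);
    for (size_t i = 0; i + 4 < len; i++) {
        if (out[i] == 0xE8) {
            memset(&out[i + 1], 0, 4);
            i += 4;
        }
    }
    return len;
}

/* A region of the original image that the plugin would diff as one unit. */
typedef struct { size_t start; size_t len; } chunk_t;

/* Counts chunks of orig that have no exact copy in target, i.e. the locations
 * the plugin would mark with add_long_cmt. With normalize != 0 both sides are
 * passed through normalize_calls() first. */
int count_changed_chunks(const uint8_t *orig, const chunk_t *chunks, size_t n_chunks,
                         const uint8_t *target, size_t target_len, int normalize)
{
    uint8_t norm_target[256], norm_chunk[256];
    const uint8_t *hay = target;
    size_t hay_len = target_len;
    if (normalize) {
        hay_len = normalize_calls(target, target_len, norm_target, sizeof norm_target);
        hay = norm_target;
    }
    int changed = 0;
    for (size_t i = 0; i < n_chunks; i++) {
        const uint8_t *needle = orig + chunks[i].start;
        size_t nlen = chunks[i].len;
        if (normalize) {
            nlen = normalize_calls(needle, nlen, norm_chunk, sizeof norm_chunk);
            needle = norm_chunk;
        }
        if (!bytes_found(hay, hay_len, needle, nlen)) changed++;
    }
    return changed;
}

/* Constructed 32-bit x86 images (not taken from any real binary). */
static const uint8_t ORIG[] = {
    0x55, 0x8B, 0xEC, 0xE8, 0x08, 0x00, 0x00, 0x00, 0x5D, 0xC3, /* A @0x00: push ebp; mov ebp,esp; call B; pop ebp; ret */
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,                         /* padding */
    0x33, 0xC0, 0x40, 0xC3                                      /* B @0x10: xor eax,eax; inc eax; ret */
};
/* Vendor fixed B (inc eax -> add eax,2); layout unchanged, so A's call operand is the same. */
static const uint8_t FIXED_B[] = {
    0x55, 0x8B, 0xEC, 0xE8, 0x08, 0x00, 0x00, 0x00, 0x5D, 0xC3,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0x33, 0xC0, 0x83, 0xC0, 0x02, 0xC3
};
/* Nothing fixed, but eight more padding bytes moved B to 0x18, so A's rel32 became 0x10. */
static const uint8_t MOVED_B[] = {
    0x55, 0x8B, 0xEC, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x5D, 0xC3,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0x33, 0xC0, 0x40, 0xC3
};
/* Hand-picked chunk boundaries standing in for the cref-delimited regions the plugin gets from IDA. */
static const chunk_t CHUNKS[] = { { 0, 10 }, { 16, 4 } };
#define N_CHUNKS (sizeof CHUNKS / sizeof CHUNKS[0])

int main(void)
{
    printf("real fix, raw bytes:         %d changed chunk(s)\n",
           count_changed_chunks(ORIG, CHUNKS, N_CHUNKS, FIXED_B, sizeof FIXED_B, 0));
    printf("relocation only, raw bytes:  %d changed chunk(s)  <- false positive\n",
           count_changed_chunks(ORIG, CHUNKS, N_CHUNKS, MOVED_B, sizeof MOVED_B, 0));
    printf("relocation only, normalized: %d changed chunk(s)\n",
           count_changed_chunks(ORIG, CHUNKS, N_CHUNKS, MOVED_B, sizeof MOVED_B, 1));
    printf("real fix, normalized:        %d changed chunk(s)\n",
           count_changed_chunks(ORIG, CHUNKS, N_CHUNKS, FIXED_B, sizeof FIXED_B, 1));
    return 0;
}
```

Compiled and run as is, the raw byte comparison reports one changed chunk for the genuine fix and one for the pure relocation, which is exactly the kind of false positive the section warns about. With the call operand masked, the relocation case drops to zero while the real fix is still flagged. Masking relocatable operands (call and jump displacements, absolute addresses subject to relocation) before comparing is the usual first step analysts take before trusting a byte-level diff between builds.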
This function displays a dialog box prompting the user for a filename. This is a nice-looking dial file selection:
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
char * GetFilenameDialog(HWND theParentWnd)
Pub Date: February 17, 2004
{ISBN: 0-201-78695-8
Pages: 512
static TCHAR szFile[MAX_PATH] = "\0";
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

char *GetFilenameDialog(HWND theParentWnd)
{
    // The listing begins mid-function on this page; the signature and the
    // buffer declaration are restored from the call site
    // (char *p = GetFilenameDialog(hDlg)) and from the uses of szFile below.
    // The buffer is static because its address is returned to the caller.
    static char szFile[MAX_PATH];
    strcpy( szFile, "");
    OPENFILENAME OpenFileName;
    OpenFileName.lStructSize = sizeof (OPENFILENAME);
    OpenFileName.hwndOwner = theParentWnd;
    OpenFileName.hInstance = GetModuleHandle("diff_scanner.plw");
    // Filter is a list of (description, pattern) pairs ended by a double NUL.
    OpenFileName.lpstrFilter = "w00t!all files\0*.*\0\0";
    OpenFileName.lpstrCustomFilter = NULL;
    OpenFileName.nMaxCustFilter = 0;
    OpenFileName.nFilterIndex = 1;
    OpenFileName.lpstrFile = szFile;
    OpenFileName.nMaxFile = sizeof(szFile);
    OpenFileName.lpstrFileTitle = NULL;
    OpenFileName.nMaxFileTitle = 0;
    OpenFileName.lpstrInitialDir = NULL;
    OpenFileName.lpstrTitle = "Open";
    OpenFileName.nFileOffset = 0;
    OpenFileName.nFileExtension = 0;
    OpenFileName.lpstrDefExt = "*.*";
    OpenFileName.lCustData = 0;
    OpenFileName.lpfnHook = NULL;
    OpenFileName.lpTemplateName = NULL;
    OpenFileName.Flags = OFN_EXPLORER | OFN_NOCHANGEDIR;
    if(GetOpenFileName( &OpenFileName ))
    {
        return(szFile);
    }
    // NULL when the user cancels the dialog or it fails.
    return NULL;
}
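The lpstrFilter value set above is a double-NUL-terminated block of (description, pattern) pairs, and strlen() or strcpy() see only its first element. As an added example that is not part of the book's plugin, these helpers walk such a block correctly; kPageFilter is the page's filter string, constructed here as test input.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the book: helpers for an OPENFILENAME lpstrFilter
 * block, which holds (description, pattern) C strings back to back and ends
 * with an empty string (a double NUL). strlen() and strcpy() stop at the first
 * NUL and so see only the first description; the block has to be walked. */
/* Number of complete (description, pattern) pairs in the block. */
size_t filter_pair_count(const char *block)
{
    size_t n = 0;
    const char *p = block;
    while (*p != '\0') {
        p += strlen(p) + 1;          /* skip description */
        if (*p == '\0') break;       /* malformed: description without pattern */
        p += strlen(p) + 1;          /* skip pattern */
        n++;
    }
    return n;
}

/* Size in bytes of the whole block, including the final terminating NUL. */
size_t filter_block_size(const char *block)
{
    const char *p = block;
    while (*p != '\0')
        p += strlen(p) + 1;
    return (size_t)(p - block) + 1;
}

/* Copy the pattern of pair `index` into out (NUL-terminated).
 * Returns 1 on success, 0 if the pair does not exist or out is too small. */
int filter_pattern(const char *block, size_t index, char *out, size_t outsz)
{
    const char *p = block;
    for (size_t i = 0; *p != '\0'; i++) {
        p += strlen(p) + 1;          /* skip description */
        if (*p == '\0') return 0;    /* malformed block */
        if (i == index) {
            size_t len = strlen(p);
            if (len + 1 > outsz) return 0;
            memcpy(out, p, len + 1);
            return 1;
        }
        p += strlen(p) + 1;          /* skip pattern */
    }
    return 0;
}

/* The page's filter string, constructed here as test input. */
static const char kPageFilter[] = "w00t!all files\0*.*\0\0";
```

Note that sizeof(kPageFilter) is 21 (the literal's implicit NUL adds one byte) while strlen() reports 14, so only filter_block_size() gives the size a copy of the block actually needs.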
As with all "homegrown" dialogs, we need a DialogProc to handle Windows messages:

BOOL CALLBACK MyDialogProc(HWND hDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
    switch(msg)
    {
    case WM_COMMAND:
        if (LOWORD(wParam) == IDC_BROWSE)
        {
            // NULL if the user cancelled the file dialog.
            char *p = GetFilenameDialog(hDlg);
            SetDlgItemText(hDlg, IDC_EDIT_FILENAME, p);
        }
        if (LOWORD(wParam) == IDC_START)
        {
            char filename[255];
            GetDlgItemText(hDlg, IDC_EDIT_FILENAME, filename, 254);
            if(0 == strlen(filename))
            {
                MessageBox(hDlg, "You have not selected a target file", "Try again", MB_OK);
            }
            else if(load_file(filename))
            {
                // Tell the scanning thread to start; disable the button meanwhile.
                g_tempest_state = 1;
                EnableWindow( GetDlgItem(hDlg, IDC_START), FALSE);
            }
            else
            {
                MessageBox(hDlg, "The target file could not be opened", "Error", MB_OK);
            }
        }
        if (LOWORD(wParam) == IDC_STOP)
        {
            g_tempest_state = 0;
        }
        if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL)
        {
            if(LOWORD(wParam) == IDOK)
            {
            }
            EndDialog(hDlg, LOWORD(wParam));
            return TRUE;
        }
        break;
    default:
        break;
    }
    return FALSE;
}
void __cdecl _test2(void *p)
{
    // The parent-window argument is cut off on the page; NULL is assumed here.
    DialogBox( GetModuleHandle("diff_scanner.plw"), MAKEINTRESOURCE(IDD_DIALOG1), NULL, MyDialogProc);
}

The run function is called when the user activates the plugin. In this case we start a couple of threads and post a short message to the log window:

//--------------------------------------------------------------------------
//
//      The plugin method.
//
//      This is the main function of the plugin.
//
//      It will be called when the user selects the plugin.
//
//      Arg - the input argument. It can be specified in the
//      plugins.cfg file. The default is zero.
//
//--------------------------------------------------------------------------
void run(int arg)
{
    // Testing.
    msg("starting diff scanner plugin\n");
    _beginthread(_test, 0, NULL);
    _beginthread(_test2, 0, NULL);
}
These global data items are used by IDA to display information about the plugin.

//--------------------------------------------------------------------------
char comment[] = "Diff Scanner Plugin, written by Greg Hoglund (www.rootkit.com)";
char help[] =
    "A plugin to find diffs in binary code\n"
    "\n"
    "This module highlights code locations that have changed.\n"
    "\n";

//--------------------------------------------------------------------------
// This is the preferred name of the plugin module in the menu system.
// The preferred name may be overridden in the plugins.cfg file.
char wanted_name[] = "Diff Scanner";

// This is the preferred hot key for the plugin module.
// The preferred hot key may be overridden in the plugins.cfg file.
// Note: IDA won't tell you if the hot key is not correct.
// It will just disable the hot key.
char wanted_hotkey[] = "Alt-0";

//--------------------------------------------------------------------------
//
// PLUGIN DESCRIPTION BLOCK
//
//--------------------------------------------------------------------------
extern "C" plugin_t PLUGIN = {
    IDP_INTERFACE_VERSION,
    0,              // Plugin flags.
    init,           // Initialize.
    term,           // Terminate. This pointer may be NULL.
    run,            // Invoke plugin.
    comment,        // Long comment about the plugin. It could appear in the status line or as a hint.
    help,           // Multiline help about the plugin.
    wanted_name,    // The preferred short name of the plugin.
    wanted_hotkey   // The preferred hot key to run the plugin.
};