When network security mechanisms do not work
Rootkits
the results. So, in effect, it does nothing at all. The computer continues to function normally (with an unnoticeable slowdown for the redirection):
[View full size image]
How does software break? How do attackers make software break on purpose? Why are
Removingfir walls, trusiona ProcessdetectionRecordsystems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
If our goal is to hide a process, we must add some code to our call hook. Our new process Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
hiding call hook looks like this:
techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
[View full size image]
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Why are out the bad guys?
tools, and software from
beyond the
Figure 8-1 illustrates the way process records are stored in an array.
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Figure 8-1. How process records are stored in an array.
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.
•Table of
•Index
Exploiting Software How
ByGreg Hoglund,Gary
Publisher: Addison
Pub Date: February 17,
ISBN: 0-201-78695
Pages: 512
How does software |
purpose? Why are |
firewalls, intrusion |
out the bad guys? |
What tools can be |
. |
Exploiting Software |
patterns, tools, and |
techniques used by |
software from |
attack, you must first |
|
This must-have book |
Getting beyond the |
script kiddie treatment |
|
Why software exploit will continue to be a serious problem |
|
When network security mechanisms do not work |
|
The code that removes an entry from the process list follows: |
|
Attack patterns |
|
[View full size image] |
|
Reverse engineering |
|
Classic attacks against server software |
|
Surprising attacks against client software |
|
Techniques for crafting malicious input |
|
The technical details of buffer overflows |
|
Rootkits |
|
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Why are out the bad guys?
tools, and software from
beyond the
Why software exploit will continue to be a serious problem
Once we have "snipped" the entry, we return from the function call. The task manager gets
When network security mechanisms do not work
the modified structure and skips the process record. We are now hiding the process.
Attack patterns
We have illustrated that on Windows NT a device driver can easily hook any system call. The
standard format for a device driver includes a DriverEntry function (the equivalent of
Reverse engineering
main() ). From here, any call hooks can be installed.
Classic attacks against server software
The driver load routine takes pointers to the original functions. These are stored globally for
use. Interrupts are disabled on the Intel x86 chip using the __asm cli/sti instructions. Surprising attacks against client software
During the time that interrupts are disabled, the function addresses are replaced with the
Trojan versions in the service table. We use a handy #define to find the correct offsets in the Techniques for crafting malicious input
table. Once all replacements are complete, we can safely reenable interrupts. When unloading,Thetechnicalwe followdetailsthe sameof bufferprocedureove flowsas before, only we put back the original function pointers.
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
Process Injection Alternative
software.
Another method for hiding a subversive program is to attach the subversive code to a process that is already running. For example, we can create a remote thread in an existing process. The remote thread runs the subversive program code. Once again, the process list remains unaffected. This method is completely effective from user mode and does not require kernel access. The fact that this trick was used by the popular Back Orifice 2000 program demonstrates its utility.