- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
Call Hooking
Call hooking is popular because it is so simple. Programs make subroutine calls as a matter of course. In machine language, these calls translate to variations of call or jump instructions. They pass arguments to the target function using a stack or CPU registers. The
• |
Table of Contents |
instruction always takes an address in memory. The memory location is the starting address |
|
• |
Index |
of the subroutine code. When the subroutine is finished, the original code location is restored
Exploitingand executionSoftwarecontinuesHow to BreaknormallyCode .
ByGreg Hoglund,Gary McGraw
The trick behind call hooking is to alter the address that the call jumps to. In this way an
alternative function can replace the original. Sometimes this is called trampolining. Call
Publisher: Addison Wesley
hooking can be applied in several places: in internal function calls within a program, at calls
Pub Date: February 17, 2004
into DLLs, or even to OS-supplied system calls. A call hook can emulate the behavior of the
ISBN: 0-201-78695-8
original call (usually by eventually calling the real function) so it will not be detected. Note that thePages:call512hook can apply special logic to the original call. For example, if the call is supposed to return the list of currently running processes, the call hook can hide certain processes from view. This kind of technique is standard practice when inserting backdoors into systems. Utility packages that provide call hooks are standard issue with many rootkits.
How does software break? How do attackers make software break on purpose? Why are
Hidingfirewalls, intrusiona Processdetection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
We must control what user-mode programs get in response to system calls. If we can control Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
system calls, we can control what the task manager is able to find out about the system techniques used by bad guys to break software. If you want to protect your software from
through standard queries. This includes controlling access to the process list. attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the Hookingscript ddieatreatmentSystemfoundCallin many hacking books, you will learn about
Our call hooking routine is very simple:
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
[View full size image]
Rootkits
We save the old pointer to ZwQuerySystemInformation. We replace the pointer in the call tableExploitingwith aSoftwarepointer toisourfilledownwithfunction,the tools,NewZwQuerySystemInformationconcepts, and knowledge necessary. Whentowebreakactually overwritesoftware. the function pointer, we disable interrupts temporarily. We do this so we don't collide with another thread. Once we reenable the interrupts, the system call hook is in place and will immediately start to receive calls.
Structure of Our Basic Call Hook
This is the generic call hook. It does nothing other than call the original function and return
the results. So, in effect, it does nothing at all. The computer continues to function normally (with an unnoticeable slowdown for the redirection):
[View full size image]
How does software break? How do attackers make software break on purpose? Why are
Removingfir walls, trusiona ProcessdetectionRecordsystems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
If our goal is to hide a process, we must add some code to our call hook. Our new process Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
hiding call hook looks like this:
techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
[View full size image]
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Why are out the bad guys?
tools, and software from
beyond the
Figure 8-1 illustrates the way process records are stored in an array.
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Figure 8-1. How process records are stored in an array.
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.
•Table of
•Index
Exploiting Software How
ByGreg Hoglund,Gary
Publisher: Addison
Pub Date: February 17,
ISBN: 0-201-78695
Pages: 512
How does software |
purpose? Why are |
firewalls, intrusion |
out the bad guys? |
What tools can be |
. |
Exploiting Software |
patterns, tools, and |
techniques used by |
software from |
attack, you must first |
|
This must-have book |
Getting beyond the |
script kiddie treatment |
|
Why software exploit will continue to be a serious problem |
|
When network security mechanisms do not work |
|
The code that removes an entry from the process list follows: |
|
Attack patterns |
|
[View full size image] |
|
Reverse engineering |
|
Classic attacks against server software |
|
Surprising attacks against client software |
|
Techniques for crafting malicious input |
|
The technical details of buffer overflows |
|
Rootkits |
|
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Why are out the bad guys?
tools, and software from
beyond the
Why software exploit will continue to be a serious problem
Once we have "snipped" the entry, we return from the function call. The task manager gets
When network security mechanisms do not work
the modified structure and skips the process record. We are now hiding the process.
Attack patterns
We have illustrated that on Windows NT a device driver can easily hook any system call. The
standard format for a device driver includes a DriverEntry function (the equivalent of
Reverse engineering
main() ). From here, any call hooks can be installed.
Classic attacks against server software
The driver load routine takes pointers to the original functions. These are stored globally for
use. Interrupts are disabled on the Intel x86 chip using the __asm cli/sti instructions. Surprising attacks against client software
During the time that interrupts are disabled, the function addresses are replaced with the
Trojan versions in the service table. We use a handy #define to find the correct offsets in the Techniques for crafting malicious input
table. Once all replacements are complete, we can safely reenable interrupts. When unloading,Thetechnicalwe followdetailsthe sameof bufferprocedureove flowsas before, only we put back the original function pointers.
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
Process Injection Alternative
software.
Another method for hiding a subversive program is to attach the subversive code to a process that is already running. For example, we can create a remote thread in an existing process. The remote thread runs the subversive program code. Once again, the process list remains unaffected. This method is completely effective from user mode and does not require kernel access. The fact that this trick was used by the popular Back Orifice 2000 program demonstrates its utility.