- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
Interrupts
Interrupts are a crucial part of any computational system. All external hardware must communicate with the CPU to initiate input and output operations. A subversive program may want to sniff or alter these input/output operations. This may be useful for providing stealth, setting up covert channels, or simply eavesdropping on a conversation.
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you, and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about:

Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Intel Interrupt Request (IRQ) Architecture

On a typical Intel or look-alike motherboard, the IRQ for the keyboard controller chip is IRQ 1 (there are a total of 16 IRQs). IRQ means interrupt request. Older systems allow the user to set the IRQ number for peripherals manually. Systems that use Plug n Play configure this information manually as well. Here is a table of IRQs (available from http://webopedia.com):

IRQ 0: System timer. This interrupt is reserved for the internal system timer. It is never available to peripherals or other devices.

IRQ 1: Keyboard. This interrupt is reserved for the keyboard controller. Even on devices without a keyboard, this interrupt is exclusively for keyboard input.

IRQ 2: Cascade interrupt for IRQs 8–15. This interrupt cascades the second interrupt controller to the first.

IRQ 3: Second serial port (COM2). The interrupt for the second serial port and often the default interrupt for the fourth serial port (COM4).

IRQ 4: First serial port (COM1). This interrupt is normally used for the first serial port. On devices that do not use a PS/2 mouse, this interrupt is almost always used by the serial mouse. This is also the default interrupt for the third serial port (COM3).

IRQ 5: Sound card. This interrupt is the first choice that most sound cards make when looking for an IRQ setting.

IRQ 6: Floppy disk controller. This interrupt is reserved for the floppy disk controller.

IRQ 7: First parallel port. This interrupt is normally reserved for the use of the printer. If a printer is not being used, this interrupt can be used for other devices that use parallel ports.

IRQ 8: Real-time clock. This interrupt is reserved for the system's real-time clock timer and can not be used for any other purpose.

IRQ 9: Open interrupt. This interrupt is typically left open on devices for the use of peripherals.

IRQ 10: Open interrupt. This interrupt is typically left open on devices for the use of peripherals.

IRQ 11: Open interrupt. This interrupt is typically left open on devices for the use of peripherals.

IRQ 12: PS/2 mouse. This interrupt is reserved for the PS/2 mouse on machines that use one. If a PS/2 mouse is not used, the interrupt can be used for other peripherals, such as a network card.

IRQ 13: Floating point unit/coprocessor. This interrupt is reserved for the integrated floating point unit. It is never available to peripherals or other devices because it is used exclusively for internal signaling.

IRQ 14: Primary IDE channel. This interrupt is reserved for use by the primary IDE controller. On systems that do not use IDE devices, the IRQ can be used for another purpose.

IRQ 15: Secondary IDE channel. This interrupt is reserved for use by the secondary IDE controller.

The IDT supports 256 entries, only 16 of which are typically utilized as hardware interrupts on an x86 system. The IDT contains an array of 8-byte segment descriptors called gates. The IDT must always be in unswapped memory.
Hooking the Interrupt Descriptor Table (IDT)

Under Windows NT, interrupts handle many important system events. Interrupt 0x2E, for example, is called for every system call. Even though our rootkit examples show how to hook system calls on an individual basis, we could also hook interrupt 2E directly. We can also hook other interrupts, such as the keyboard interrupt, and thus intercept keystrokes.

An interrupt hook can be installed with the following code:
The Mystery of the Programmable Interrupt Controller (PIC)

If you have ever worked with interrupt hooks, you will realize that the IRQ numbers assigned to hardware do not directly map to the interrupt descriptor table. For example, the IRQ for the keyboard hardware is IRQ 1. But, interrupt 1 is not the keyboard! How can this be?

Clearly there is a translation occurring between the hardware IRQs and the interrupt vectors stored in the interrupt descriptor table. The secret lies in the PIC. On most motherboards this will be an Intel 8259 or compatible chip. The 8259 can be programmed to map the IRQ numbers to software interrupts. This means the hard-wired IRQ lines enter one side of the 8259, and a single interrupt line comes out the other side. The 8259 handles the conversion to a software interrupt and informs the CPU that a given software interrupt has occurred. There are typically 16 hardware interrupt lines handled by the 8259. By default, most BIOS software will program the 8259 on boot to map IRQs 0–7 to software interrupts 8–15. Thus, IRQ 1 for the keyboard is handled as interrupt 8. Thus the mystery of IRQ to interrupt is solved.

Under Windows NT/2000/XP you will find that the old int-9 hook doesn't work for the keyboard. The reason is that the 8259 has been reprogrammed by Windows to map IRQ 0–15 to software interrupts 0x30–0x3F. Thus, to hook the keyboard interrupt under Windows you need to hook interrupt 0x31. A second mystery solved.

You can, of course, reprogram the 8259 yourself. We now present some additional stealth tricks for a rootkit driver. The following code snippet illustrates reprogramming the 8259 so that IRQ 0–7 are mapped to software interrupts 20h–27h:
    mov     al, 11h
    out     20h, al         ; ICW1 to the master 8259: begin initialization, ICW4 follows
    out     A0h, al         ; ICW1 to the slave 8259
    mov     al, 20h         ; starting interrupt number 20h
    out     21h, al         ; ICW2 to 21h: vector base for IRQ 0-7
    mov     al, 28h         ; starting interrupt number 28h
    out     A1h, al         ; ICW2 to A1h: vector base for IRQ 8-15
    mov     al, 04h
    out     21h, al         ; ICW3 master: slave controller is attached to IRQ 2
    mov     al, 02h
    out     A1h, al         ; ICW3 slave: cascade identity 2
    mov     al, 01h
    out     21h, al         ; ICW4 master: 8086/88 mode
    out     A1h, al         ; ICW4 slave: 8086/88 mode
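A defender-side counterpart to the two sections above (hooking the IDT, and the PIC mapping of IRQ 0–15 to vectors 0x30–0x3F under Windows), added here and not code from the book: it decodes 8-byte IDT gates from a memory image and flags any hardware-interrupt vector whose handler points outside a trusted range, which is how a hooked keyboard vector (0x31) shows up. The IDT image, the trusted range, and the hooked handler address are all constructed for illustration; a real check would read the IDT via SIDT and take the trusted range from the loaded kernel/HAL module list.

```c
/* Added example, not from the book: decode 32-bit x86 IDT gates and flag the
 * hardware-interrupt vectors (0x30-0x3F under Windows) whose handler lies
 * outside a trusted range. All addresses below are constructed. */
#include <stdint.h>

#define IDT_ENTRIES 256
#define GATE_SIZE   8
#define WIN_HW_BASE 0x30   /* Windows ICW2 value: IRQ n -> vector 0x30 + n */

/* Handler offset is split: bits 15:0 in bytes 0-1, bits 31:16 in bytes 6-7. */
static uint32_t gate_handler(const uint8_t *gate) {
    return (uint32_t)gate[0] | ((uint32_t)gate[1] << 8) |
           ((uint32_t)gate[6] << 16) | ((uint32_t)gate[7] << 24);
}

/* Byte 5 holds P (bit 7), DPL (bits 6:5) and the gate type (bits 3:0). */
static int gate_present(const uint8_t *gate) { return (gate[5] >> 7) & 1; }

/* Write a present, DPL-0, 32-bit interrupt gate (type 0xE) for one vector. */
static void set_gate(uint8_t *idt, int vec, uint32_t handler, uint16_t sel) {
    uint8_t *g = idt + vec * GATE_SIZE;
    g[0] = handler & 0xFF;  g[1] = (handler >> 8) & 0xFF;
    g[2] = sel & 0xFF;      g[3] = sel >> 8;
    g[4] = 0;               g[5] = 0x8E;
    g[6] = (handler >> 16) & 0xFF;  g[7] = handler >> 24;
}

/* Returns a 16-bit mask; bit i is set when IRQ i's vector is present but its
 * handler falls outside [lo, hi), the signature of an IDT hook on that IRQ. */
static unsigned check_hw_vectors(const uint8_t *idt, uint32_t lo, uint32_t hi) {
    unsigned mask = 0;
    for (int irq = 0; irq < 16; irq++) {
        const uint8_t *g = idt + (WIN_HW_BASE + irq) * GATE_SIZE;
        if (gate_present(g) && (gate_handler(g) < lo || gate_handler(g) >= hi))
            mask |= 1u << irq;
    }
    return mask;
}

/* Constructed scenario: every handler sits in a trusted image at
 * 0x80010000-0x80040000 except IRQ 1 (keyboard, vector 0x31), which was
 * redirected to a driver elsewhere. Expected mask: 0x0002 (only IRQ 1). */
static unsigned demo(void) {
    static uint8_t idt[IDT_ENTRIES * GATE_SIZE];
    for (int irq = 0; irq < 16; irq++)
        set_gate(idt, WIN_HW_BASE + irq, 0x80012000u + irq * 0x40u, 0x08);
    set_gate(idt, WIN_HW_BASE + 1, 0xF7A01230u, 0x08);  /* hooked keyboard vector */
    return check_hw_vectors(idt, 0x80010000u, 0x80040000u);
}
```

Call demo() to run the constructed scenario; the same check_hw_vectors() logic applies to an IDT image captured from a live system once the trusted range is known.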