Key Logging

Port 0x64: 8042, keyboard status register

To read characters from the keyboard, you must hook the keyboard interrupt. This will change depending on your OS. For a Windows system, the hook will most likely be int 0x31. Once IRQ 1 has fired, the data must be read from 0x60 before any more keyboard interrupts will occur.

Here is a simple handler for the keyboard interrupt:

•Table of Contents

•Index

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

Pages: 512

KEY_INT:

push eax

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion// do somethingd ection systems,with characterand antivinrusalsoftware not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

pop eax

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniquesjmpused by badDWORDguysPTRto break[old_KEYsoftwareINT]. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

Attack patterns

Reverse engineering

Classic attacks against server software

Surprising attacks against client software

Techniques for crafting malicious input

The technical details of buffer overflows

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

Advanced Rootkit Topics

There isn't enough room in this book to cover all the advanced tricks that can be performed by rootkits. Fortunately, there are many resources and articles available on the Internet that cover this subject. One great resource is Phrack Magazine (http://www.phrack.com). Another

set of advanced techniques here, providing references to more information when applicable.

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

Using a Rootkit as a Debugger

Publisher: Addison Wesley

A kernelPub Date:rootkitFebruarydoesn't17, 2004have to be malicious. You can use one to keep watch on a system you own. OneISBN:great0-201-use78695of-8a rootkit is to replicate the functions of a debugger. A rootkit with a shell andPages:some512 debugging functions is really no different than a debugger like SoftIce. You can add a decompiler, the ability to read and write memory, and break point support.

Disabling Windows System File Protection

How does software break? How do attackers make software break on purpose? Why are

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? Thewinlogon.exe process loads a few DLLs that are responsible for implementing system

What tools can be used to break software? This book provides the answers.

file protection. The file sfc.dll is loaded, followed by sfcfiles.dll. The list of files to be

protected is loaded into a memory buffer. A simple patch can be made to the code within

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and sfc.dll that will disable all file protection. The patch can be made using standard Windows

techniques used by bad guys to break software. If you want to protect your software from debugging APIs.[10]

attack, you must first learn how real attacks are really carried out.

[10] For more on this issue, see 29/A Labs publications for work by Benny and Ratter.

This must-have book may shock you—and it will certainly educate you.Getting beyond the

script kiddie treatment found in many hacking books, you will learn about

Writing Directly to Physical Memory

Why software exploit will continue to be a serious problem

A rootkit does not need to use a loadable module or Windows device driver. A rootkit can be

When network security mechanisms do not work

installed by simply writing to data structures in the kernel. An excellent article on windows

objects and physical memory is available in Phrack Magazine, Issue 59, Article 16: "Playing

Attack patterns

with Windows /dev/(k)mem" by crazylord.

Reverse engineering

KernelClassicBufferattacksOverflowsagainst server software

Surprising attacks against client software

Code in the kernel is subject to the same bugs that affect all other software. Just because

code is running in the kernel doesn't mean it's immune to stack overflows and other

Techniques for crafting malicious input

standard-issue exploits. In fact, several kernel-level overflows have been made public.

The technical details of buffer overflows

Exploiting a buffer overflow in the kernel is a bit tricky because exceptions in the kernel tend

to crash the machine or cause a "blue screen of death." Exploits of the kernel are especially Rootkits

noteworthy because they can directly infect a machine with a rootkit and they bypass all

security mechanisms. An attacker does not need administrative privileges or the ability to Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

load a device driver if they can simply overflow the kernel stack. An article on kernel software.

overflows can be found in Phrack Magazine, issue 60, article 6: "Smashing The Kernel Stack

For Fun And Profit" by Sinan "noir" Eren.

Infecting the Kernel Image

Another way to get code into the kernel is to patch the kernel image itself. We illustrate in

this chapter a simple patch to remove security controls from the NT kernel. Any piece of code

can be modified in such a way. One needs to be sure to correct any integrity checks in the code, such as the file check sum. An article on patching the Linux kernel can be found in

Phrack Magazine, Issue 60, Article 8: "Static Kernel Patching" by jbtzhm.

Execute Redirection

perform execute redirection under Linux, see "Advances in Kernel Hacking II" in Phrack

Exploiting Software How to Break Code

Magazine, Issue 59, Article 5, by palmers.

ByGreg Hoglund,Gary McGraw

DetectingPublisher: AddisRootkitsn Wesley

Pub Date: February 17, 2004

There areISBN:several0-201-78695methods-8 to detect rootkits, all of which can be circumvented if the rootkit itself isPages:aware512of the trick. Patched memory can be detected by reading the call tables or functions and checking their values. Instructions can be counted during runtime and compared with a baseline. Any sort of behavior changes can, in theory, be detected. The key weakness is when the code that performs this sort of check lives on the same machine that has been compromised. At this point, the rootkit can subvert the code that performs the

check. An interesting trick to detect a rootkit is discussed in Phrack Magazine, Issue 59, How does software break? How do attackers make software break on purpose? Why are

Article 10, "Execution Path Analysis: Finding Kernel Based Rootkits" by Jan K. Rutkowski. A firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

tool to detect rootkits in the Solaris kernel can be downloaded from

What tools can be used to break software? This book provides the answers. http://www.immunitysec.com.

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

Attack patterns

Reverse engineering

Classic attacks against server software

Surprising attacks against client software

Techniques for crafting malicious input

The technical details of buffer overflows

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.