PDA

View Full Version : My Search for knowledge and my explorations There and back and most often in a circle


BanMe
January 28th, 2011, 00:18
So I got tired of overloading 1 section. As I didnt feel I helped anything, glad someone said something...I tend to just do things without thinking it all through first,and then I redo it, over and over, slightly modifying or rethinking my steps it to understand it to the best of my ability... I know it sounds like hell..But I love it..So as Long as you are you and I am me, we are all good..glad to hear any responses..or criticisms..and most hopefully corrections..

So from now on all my writings will be in this blog and separated more neatly into my areas that I seek to research and develop and over-analyze...be that defensive coding or offensive coding neither can do what both can combined..

So if you haven't read my posting on Optimizing a fastcall with POASM/masm which isnt about optimizing at all is about using the minimalistic approach to get the most done with what is already give to you..if you didn't catch that; sorry to have mislead you..

My other posting was About Tls not using API..I still have more questions..to why this works..and more of my own study to determine how it all works..But anyway I thought of another experiment..I leave that for later(tls 'debug awareness' with a dll loaded into olly...)

This is the continuation to the posting 'experiment with relocs:finding a API with relocations...If any others can site some research other then mine please I beg of you to do so..

This is a idea I have NOT finished yet, but it sounds logical to do.. I have identifying factor(s) and a brain and some knowledge in coding.So Im gonna try..

Locating a Api with the reloc section.I've somewhat explained this to a few people out there..

So what have I learned about the reloc section in general..

1.It might contain locations to data that is used by code.

I am in process of making a hello world with touching EAT, but it wont be pretty..and this method might be suitable for EAF(a paper written by skypher reference below) environments..completely unportable and 'target down to module specific'..so yea ..unusable everywhere.. ;P

Ok So ive had time to invest in this, so I wanted to have a 'target' for this example. So I chose the simplest thing I could think of MessageBoxA..But then I added some caveats to this, just to make it funner.. I want this to be a dll(cant be done unless you hack activate the ldr portion for TLS Initialization properly) that ONLY works in a debugger that debugs dll'sneeds to be staticly linked in XP but the 'new' implementation in vista and 7 might allow this?(someone please test TLS cross read on them with a DLL!!) similar to Olly.I dont want to import any API's (I have to to apply cross reading of sections..and I dont want any 'data' to be defined(this is probably the only one I could've implemented, but fuck it..lol)..within my code..

So OFF I went...looking at user32 relocation section and MessageBoxA..and then my brain started to confuse itself... luckily I struck gold by picking this api as there is a cmp of actual data just 7 bytes into this function..

Code:

7E45058A > 8BFF MOV EDI,EDI
7E45058C /. 55 PUSH EBP
7E45058D |. 8BEC MOV EBP,ESP
7E45058F |. 833D [here]BC04477E[is data 'attack surface'] 00 CMP DWORD PTR DS:[7E4704BC],0


so I know I was wrong in the now deleted code...I make mistake(s) so I decided to visualize it.

First Collect all the variable for HIOR(DWORD)+LOOR(WORD)+variant between 0 and 0fff = Data vector Point ...

so user32 has a base address of 7e410000(IN MY SYSTEM)(But note this should in theory work across all windows versions,as TLS and relocations haven't changed(Even though I was tricked by olly into seeing a windows 7 ntdll without relocations(didn't really look closely) and subsequently told otherwise upon discussion of it..)..and to get to my address which is ImageBase + 00000400 + the offset of 591..(a few tricks of the mind in there for my readers..)

So I then verified this..

Code:

7E49ED38 00 00 04 00 64 00 00 00 82 30 9B 30 EA 30 F7 30 ...d...‚0›000
7E49ED48 0A 31 42 31 9D 31 BC 31 D3 31 D9 31 F7 31 18 32 .1B1𸜓󞨅12
7E49ED58 2C 32 56 32 68 32 75 32 7D 32 8A 32 CB 32 DB 32 ,2V2h2u2}2Š2󆕆
7E49ED68 EA 32 0A 33 17 33 34 33 3E 33 5A 33 6A 33 74 33 2.3343>3Z3j3t3
7E49ED78 E7 33 FA 33 1C 34 2C 34 80 34 76 35 81 35 91 35 334,4€4v55‘5
7E49ED88 A4 35 AA 35 B4 35 99 38 CD 38 94 39 85 3B 4A 3D 񏊛5™88”9…;J=


Then I need to Modify my code in order to work under these circumstances. But this is small task seeing that I documented my code ...To be continued..

If you got the TLS idea..then Tls debug awareness without debug api is achieved by reading a module section you dont load and 'olly' does..

BanMe
January 28th, 2011, 20:01
So on with the code writing..reading again the paper on EAF and comments by piotr and skypher( I had not noticed before o0)..I decided to think more..and try to see the extents of the TLS cross section read bit..I tried to read everything from 00010000 to
7ffe0000..it failed most expectedly..but with error c0000017..NO memory on load into olly. So it trys as well, with proper error handling to free the Heap memory of not interesting areas..This in theory should trigger EAF and be ignored as the same 'ret to libc',except this is the ldr reading it.

So I tried to hack TLS..just for the fun of it..
Code:

.386
.model flat,STDCALL
option casemap:none
option DOTNAME
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\ntdll.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\ntdll.lib
PUBLIC _tls_used
.data
__tls_index DWORD 0
TlsEntry DWORD 07C97E208h
LdrpInitializeTls DWORD 07C92276Eh
LdrpTlsList DWORD 07C91B92Bh
.TLS SEGMENT DWORD FLAT PUBLIC 'TLS'
__tls_start:
_tls_data DWORD 0
__tls_end:
.TLS ENDS

.rdata SEGMENT READONLY DWORD FLAT PUBLIC 'DATA'
_tls_used IMAGE_TLS_DIRECTORY <__tls_start,__tls_end,__tls_index,0,0,0>
.rdata ENDS
PUBLIC _LdrRewriteTls_end
.code
start:
DllMain proc hWORD, rWORD,yWORD
mov edx,h
call fool_ldr_tls
Ret
DllMain endp
fool_ldr_tls PROC hModuleWORD
LOCAL tlssizeWORD
LOCAL oprotectWORD
assume fs:nothing
int 3
mov eax,DWORD ptr [TlsEntry]
mov ecx,eax
mov eax,[ecx]
test eax,eax
je Manuel_TlsAlloc
_LdrRewriteTls_start:
mov eax,fs:[18h]
mov eax,[eax+2ch]
cmp dword ptr [eax],0
jne parse_modules_loaded
mov eax,fs:[2ch]
sub eax,30h
mov ecx,_LdrRewriteTls_start
mov [eax],ecx
mov ecx,_LdrRewriteTls_end
mov [eax+4],ecx
parse_modules_loaded:
_LdrRewriteTls_end::
ret
Manuel_TlsAlloc:
inc DWORD ptr [ecx]
MOV EAX,DWORD PTR FS:[18h]
MOV EAX,DWORD PTR DS:[EAX+30h]
MOV ESI,DWORD PTR DS:[EAX+0Ch]
ADD ESI,0Ch
mov DWORD ptr [esi],00181EACh
;invoke RtlImageDirectoryEntryToData,hModule,1,9,addr tlssize
mov ebx, DWORD ptr [LdrpTlsList]
invoke VirtualProtect,ebx,4,PAGE_READWRITE,addr oprotect
mov DWORD ptr [ebx],10002000h
mov eax, LdrpInitializeTls
call eax
jmp _LdrRewriteTls_end
fool_ldr_tls EndP
end start


this code is XP sp 2 specific.. need to run that dam update..

http://www.youtube.com/watch?v=GnqAZ9HXmmg

I tricked very specific things for the ldr..but still need 1 more trick..

I still need to work on editing and adding in comments and stuff to videos but w/e..

BanMe
January 30th, 2011, 15:54
Code:

.386
.model flat,STDCALL
option casemap:none
option DOTNAME
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
PUBLIC _tls_used
.data
__tls_index DWORD 0
user32 db "user32.dll",0
.TLS SEGMENT DWORD FLAT PUBLIC 'TLS'
__tls_start:
_tls_data DWORD 0
__tls_end:
.TLS ENDS

.rdata SEGMENT READONLY DWORD FLAT PUBLIC 'DATA'
_tls_used IMAGE_TLS_DIRECTORY <07E49D000h,07E4A0000h,__tls_index,0,0,0>;try to map user32 relocation section on XP sp 2.
.rdata ENDS

.code
start:
Main proc
assume fs:nothing
int 3
invoke IsGUIThread,0
mov eax,fs:[2ch]
mov ecx,[eax]
sub ecx,50h
mov esi, ecx
find_my_section:
lodsd
cmp eax,040000h
loopne find_my_section
push eax
invoke GetModuleHandle,addr user32
push eax
lodsd
mov ecx,eax;number of entries
xor eax, eax
locate_messageboxA:
lodsw
and ax,0fffh
cmp ax,0591h
jne locate_messageboxA
pop ecx
add ecx,eax
pop eax
add ecx,eax
sub ecx,7
xor eax,eax
push eax
push offset user32
push offset user32
push eax
call ecx
safe_ret:
Ret
Main endp

end start


calls messageboxA by parsing the cross read reloc section of my user32.2420
this errors epicly if it reads the wrong area...o0 I give no gaurentees that drwatson wont pop up on you saying corrupt file..!!and causing you to chkdsk and such on reboot..I take no responsibility for damage caused if you run this ...

mods for sp 3 to get above to work..

Code:

_tls_used IMAGE_TLS_DIRECTORY <07E49E000h,07E4A1000h,__tls_index,0,0,0>;try map user32's reloc


and MessageBoxA reloc went further into the section

7f1..is the new cmp
Code:

cmp ax, 07f1h


The real non-portability of this got me thinking..how could one make it portable,even if its just increments of portability like across service packs...
And then I read Kayakers paper, and the idea about xrefs to data within code similar to IDA's gave me a thought..if locations changes and code is added and all this crap changes what remains constant..In most cases 'how' the data is used doesnt change... So I've circled back to what I was doing in analyzing opcodes around relocations..This time with renewed interest..

I am thinking about a a vision of a double list with code on 1 said and with data on the other, showing the intermingling of data between..have the code start from a zoomed out view..mmm data usages..are key I think someone already said this but "each point of data exchange is a point of vulnerability." taken out a bit,
every bit of information that can be gleaned about the data in a application is important. long will that be but maybe ill write a GUI application, I haven't in some years.. xD

regards BanMe

BanMe
February 2nd, 2011, 19:40
My first attempt at writing one of these..so THIS Code is for educational purposes only and I give it to all... you may modify it and use it..just give me a Gr33tz :}

Really sorry I haven't got back to this been working 12 ~ 16 hr days.. :[ But its worth it..

The concept around this code is really simple,the key is to develop something that does the following

1. Loads a library that uses a static string such as a dll name.

2.This should also get a procedure address from a loaded module that uses a static string for the procedure name...

3.It will do it with non service pack specific code relative to XP x86 and PE relocation parsing.

What I chose as the target for this was from a article referring to ntdll!LoadOle32Export which meets and exceeds the requirements.

Code:

;$+41E69 >/$ 8BFF MOV EDI,EDI
;$+41E6B >|. 55 PUSH EBP
;$+41E6C >|. 8BEC MOV EBP,ESP
;$+41E6E >|. 83EC 14 SUB ESP,14
;$+41E71 >|. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
;$+41E75 >|. 56 PUSH ESI
;$+41E76 >|. 68 D69B957C PUSH ntdll.7C959BD6 ; UNICODE "ole32.dll"
;$+41E7B >|. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
;$+41E7E >|. 50 PUSH EAX
;$+41E7F >|. E8 0977FAFF CALL ntdll.RtlInitUnicodeString
;$+41E84 >|. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
;$+41E87 >|. 56 PUSH ESI
;$+41E88 >|. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
;$+41E8B >|. 50 PUSH EAX
;$+41E8C >|. 6A 00 PUSH 0
;$+41E8E >|. 6A 00 PUSH 0
;$+41E90 >|. E8 26C8FBFF CALL ntdll.LdrLoadDll
;$+41E95 >|. 85C0 TEST EAX,EAX
;$+41E97 >|. 7D 06 JGE SHORT ntdll.7C959BA7
;$+41E99 >|. 50 PUSH EAX ; /Arg1
;$+41E9A >|. E8 F9CA0000 CALL ntdll.RtlRaiseStatus ; \RtlRaiseStatus
;$+41E9F >|> FF75 0C PUSH DWORD PTR SS:[EBP+C]
;$+41EA2 >|. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
;$+41EA5 >|. 50 PUSH EAX
;$+41EA6 >|. E8 7276FAFF CALL ntdll.RtlInitString
;$+41EAB >|. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
;$+41EAE >|. 50 PUSH EAX ; /Arg4
;$+41EAF >|. 6A 00 PUSH 0 ; |Arg3 = 00000000
;$+41EB1 >|. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14] ; |
;$+41EB4 >|. 50 PUSH EAX ; |Arg2
;$+41EB5 >|. FF36 PUSH DWORD PTR DS:[ESI] ; |Arg1
;$+41EB7 >|. E8 E4E2FBFF CALL ntdll.LdrGetProcedureAddress ; \LdrGetProcedureAddress
;$+41EBC >|. 85C0 TEST EAX,EAX
;$+41EBE >|. 5E POP ESI
;$+41EBF >|. 7D 06 JGE SHORT ntdll.7C959BCF
;$+41EC1 >|. 50 PUSH EAX ; /Arg1
;$+41EC2 >|. E8 D1CA0000 CALL ntdll.RtlRaiseStatus ; \RtlRaiseStatus
;$+41EC7 >|> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
;$+41ECA >|. C9 LEAVE
;$+41ECB >\. C2 0800 RETN 8
;$+41ECE > . 6F00 6C00 6500 3300 3200 2E00 6400 6C00 UNICODE "ole32.dl"
;$+41EDE > . 6C00 0000 UNICODE "l",0


This also has a supporting functions 1 and 2 relocations away..This will have to be explored....

BanMe
February 10th, 2011, 20:46
Code:

.486
.model flat,stdcall
option casemap:none
code SEGMENT DWORD flat PUBLIC 'text'
Scstart:
assume fs:nothing
push 006c006fh ;- 8
mov esi,dword ptr fs:[30h]
add esi,20h;RtlEnterCriticalSection
lodsd
and eax,0ffff0000h;get ntdll's base;clear off the extra
mov esi,[eax+170h];read reloc offset from PE
mov ebx,[eax+174h];read reloc size from PE
push eax ;- 4
add esi,eax
next_section:
lodsd
mov edx,eax
lodsd
sub ebx,eax
sub eax,8h
mov ecx,eax
find_data:
lodsw
and eax,0fffh
pop edi ;get base address
add eax,edi
add eax,edx
push edi
push esi
mov esi, dword ptr [eax]
cmp esi,060000000h
jl next_entry
mov edi,dword ptr [esp+8h]
cmp dword ptr [esi],edi
je data_found
next_entry:
pop esi
sub ecx,2
cmp ecx,2
jne find_data
add esi,2
jmp next_section
end_this:
ret
data_found:
;unicode ws2_32.dll
mov edi,eax
mov eax, 77007300h
call write_edi
mov eax, 32005F00h
call write_edi
mov eax, 33003200h
call write_edi
mov eax, 2E006400h
call write_edi
mov eax, 6C006C00h
call write_edi
mov dword ptr [ebp],0h
call find_data
write_edi::
stosd
ret
end Scstart
code ENDS

A little more to enjoy?..Still not done yet I needs me some NtProtectVirtualMemory so I can overwrite this string...

The above is much more thoroughly tested..

So locating a api without the export table is kinda restrictive,to say the least o0..But if I read the PE for offset of start and Size of ntdll's export table and add the 2 to module base I should end at the first call to a exported api of ntoskernel..

it works for me..7c900000 + 3400 + 9a5e = 7C90CE5E
Code:

7C90CE5E >/$ B8 00000000 MOV EAX,0
7C90CE63 |. BA 0003FE7F MOV EDX,7FFE0300
7C90CE68 |. FF12 CALL DWORD PTR DS:[EDX]
7C90CE6A \. C2 1800 RETN 18


Its to easy to whip out concept code for this brute force locate of NtProtectVirtualMemoy by its call index for XP..
Code:

and edx,0ffff0000h
mov edi,edx
mov ecx,[edx+14ch]
add edx,[edx+148h]
add edx,ecx
mov esi,edx
xor eax,eax
find_NtProtect:
lodsw
cmp eax,089b8h
jne find_NtProtect
sub esi,2
push ebp
push 4
mov dword ptr [ebp+4],0b20000h
push [ebp+4]
mov dword ptr [ebp+8],edi
push dword ptr [ebp+8]
push -1
call esi
mov edi,[esp+68h]
jmp now_safe


included is a winasm project and my 1k PE with default settings, source and obj file..

stack based dll main >.< ..

Code:

mov eax,08c200h
push eax
push 01b8h
push 0cc48390h
push esp
retn


a test dll is attached..