Thread: My Search for knowledge and my explorations There and back and most often in a circle

  1. #1 BanMe

    So I got tired of overloading one section. As I didn't feel I helped anything, I'm glad someone said something... I tend to just do things without thinking it all through first, and then I redo it, over and over, slightly modifying or rethinking my steps to understand it to the best of my ability... I know it sounds like hell, but I love it. So as long as you are you and I am me, we are all good. Glad to hear any responses, or criticisms, and most hopefully corrections.

    So from now on all my writings will be in this blog and separated more neatly into the areas that I seek to research, develop and over-analyze, be that defensive coding or offensive coding; neither can do what both can combined.

    So if you haven't read my posting on Optimizing a fastcall with POASM/masm: it isn't about optimizing at all, it is about using the minimalistic approach to get the most done with what is already given to you. If you didn't catch that, sorry to have misled you.

    My other posting was about TLS without using the API. I still have more questions as to why this works, and more of my own study to do to determine how it all works. But anyway, I thought of another experiment; I'll leave that for later (TLS 'debug awareness' with a DLL loaded into Olly...).

    This is the continuation of the posting 'experiment with relocs: finding an API with relocations'. If any others can cite some research other than mine, please, I beg of you to do so.

    This is an idea I have NOT finished yet, but it sounds logical to do. I have identifying factor(s), a brain and some knowledge in coding. So I'm gonna try.

    Locating an API with the reloc section. I've somewhat explained this to a few people out there.

    So what have I learned about the reloc section in general..

    1. It might contain locations to data that is used by code.

    I am in the process of making a hello world without touching the EAT, but it won't be pretty. This method might be suitable for EAF environments (a paper written by skypher, reference below); it is completely unportable and 'target down to module specific', so yeah, unusable everywhere.. ;P

    Ok, so I've had time to invest in this, so I wanted to have a 'target' for this example. So I chose the simplest thing I could think of, MessageBoxA. But then I added some caveats to this, just to make it more fun. I want this to be a DLL (can't be done unless you hack-activate the ldr portion for TLS initialization properly) that ONLY works in a debugger that debugs DLLs [edit] needs to be statically linked in XP, but the 'new' implementation in Vista and 7 might allow this? (someone please test TLS cross read on them with a DLL!!) [/edit], similar to Olly. I don't want to import any APIs (I have to, to apply cross reading of sections), and I don't want any 'data' to be defined within my code (this is probably the only one I could've implemented, but fuck it.. lol).

    So OFF I went, looking at user32's relocation section and MessageBoxA, and then my brain started to confuse itself... Luckily I struck gold by picking this API, as there is a cmp of actual data just 7 bytes into this function:

    Code:
    7E45058A >   8BFF                MOV EDI,EDI
    7E45058C  /. 55                  PUSH EBP
    7E45058D  |. 8BEC                MOV EBP,ESP
    7E45058F  |. 833D BC04477E 00    CMP DWORD PTR DS:[7E4704BC],0    ; the disp32 BC04477E here is the data 'attack surface'
    So I know I was wrong in the now deleted code... I make mistake(s), so I decided to visualize it.

    First collect all the variables for HIOR(DWORD)+LOOR(WORD)+variant between 0 and 0fff = Data vector point...

    So user32 has a base address of 7e410000 (ON MY SYSTEM) (but note this should in theory work across all Windows versions, as TLS and relocations haven't changed (even though I was tricked by Olly into seeing a Windows 7 ntdll without relocations (didn't really look closely) and was subsequently told otherwise upon discussion of it)), and to get to my address: ImageBase + 00000400 + the offset of 591 (a few tricks of the mind in there for my readers).

    So I then verified this:

    Code:
    7E49ED38  00 00 04 00 64 00 00 00 82 30 9B 30 EA 30 F7 30
    7E49ED48  0A 31 42 31 9D 31 BC 31 D3 31 D9 31 F7 31 18 32
    7E49ED58  2C 32 56 32 68 32 75 32 7D 32 8A 32 CB 32 DB 32
    7E49ED68  EA 32 0A 33 17 33 34 33 3E 33 5A 33 6A 33 74 33
    7E49ED78  E7 33 FA 33 1C 34 2C 34 80 34 76 35 81 35 91 35
    7E49ED88  A4 35 AA 35 B4 35 99 38 CD 38 94 39 85 3B 4A 3D
    Then I need to modify my code in order to work under these circumstances. But this is a small task, seeing that I documented my code... To be continued..

    If you got the TLS idea, then TLS debug awareness without the debug API is achieved by reading a module section you don't load and 'Olly' does.
    Last edited by BanMe; January 31st, 2011 at 13:32.

  2. #2 BanMe

    So writing the test I got more than a few ideas..

    So on with the code writing. Reading again the paper on EAF and the comments by piotr and skypher (I had not noticed them before o0), I decided to think more, and try to see the extent of the TLS cross section read bit. I tried to read everything from 00010000 to 7ffe0000. It failed, most expectedly, but with error c0000017, NO memory, on load into Olly. So it tries as well, with proper error handling, to free the heap memory of the not interesting areas. This in theory should trigger EAF and be ignored as the same 'ret to libc', except this is the ldr reading it.

    So I tried to hack TLS, just for the fun of it..
    Code:
    .386
    .model flat,STDCALL
    option casemap:none
    option DOTNAME
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\ntdll.inc
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\ntdll.lib
    PUBLIC _tls_used
    .data
    __tls_index DWORD 0
    ; hardcoded ntdll addresses: XP SP2 only (see note below the code)
    TlsEntry DWORD 07C97E208h
    LdrpInitializeTls DWORD 07C92276Eh
    LdrpTlsList DWORD 07C91B92Bh
    .TLS	SEGMENT DWORD FLAT PUBLIC 'TLS'
    __tls_start:
    	_tls_data DWORD  0
    __tls_end:
    .TLS	ENDS
    
    .rdata SEGMENT READONLY DWORD FLAT PUBLIC 'DATA'
    ; IMAGE_TLS_DIRECTORY <StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    ;                      AddressOfCallBacks, SizeOfZeroFill, Characteristics>
    _tls_used IMAGE_TLS_DIRECTORY <__tls_start,__tls_end,__tls_index,0,0,0>
    .rdata ENDS
    PUBLIC _LdrRewriteTls_end
    .code
    start:
    DllMain proc h:DWORD, r:DWORD,y:DWORD
    	mov edx,h
    	call fool_ldr_tls
    	Ret
    DllMain endp
    fool_ldr_tls PROC hModule:DWORD
    	LOCAL tlssize:DWORD
    	LOCAL oprotect:DWORD
    	assume fs:nothing
    	int 3                              ; stop here when loaded under a debugger
    	mov eax,DWORD ptr [TlsEntry]
    	mov ecx,eax
    	mov eax,[ecx]
    	test eax,eax
    	je Manuel_TlsAlloc                 ; no TLS entry yet: set one up by hand
    _LdrRewriteTls_start:
    	mov eax,fs:[18h]                   ; TEB
    	mov eax,[eax+2ch]                  ; TEB.ThreadLocalStoragePointer
    	cmp dword ptr [eax],0
    	jne parse_modules_loaded
    	mov eax,fs:[2ch]                   ; same pointer, read directly from fs:
    	sub eax,30h
    	mov ecx,_LdrRewriteTls_start
    	mov [eax],ecx
    	mov ecx,_LdrRewriteTls_end
    	mov [eax+4],ecx
    	parse_modules_loaded:
    _LdrRewriteTls_end::
    	ret
    Manuel_TlsAlloc:
    	inc DWORD ptr [ecx]
    	MOV EAX,DWORD PTR FS:[18h]         ; TEB
    	MOV EAX,DWORD PTR DS:[EAX+30h]     ; TEB.ProcessEnvironmentBlock
    	MOV ESI,DWORD PTR DS:[EAX+0Ch]     ; PEB.Ldr
    	ADD ESI,0Ch                        ; PEB_LDR_DATA.InLoadOrderModuleList
    	mov DWORD ptr [esi],00181EACh      ; hardcoded list head (this machine only)
    	;invoke RtlImageDirectoryEntryToData,hModule,1,9,addr tlssize
    	mov ebx, DWORD ptr [LdrpTlsList]
    	invoke VirtualProtect,ebx,4,PAGE_READWRITE,addr oprotect
    	mov DWORD ptr [ebx],10002000h
    	mov eax, LdrpInitializeTls
    	call eax                           ; let ntdll's loader re-run TLS initialization
     	jmp _LdrRewriteTls_end
    fool_ldr_tls EndP
    end start
    This code is XP SP2 specific.. need to run that damn update..

    http://www.youtube.com/watch?v=GnqAZ9HXmmg

    I tricked very specific things for the ldr, but still need 1 more trick..

    I still need to work on editing and adding comments and stuff to the videos, but w/e..
    Last edited by BanMe; January 29th, 2011 at 00:02.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  3. #3 BanMe

    Out of boredom..

    Code:
    .386
    .model flat,STDCALL
    option casemap:none
    option DOTNAME
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    PUBLIC _tls_used
    .data
    __tls_index DWORD 0
    user32 db "user32.dll",0
    .TLS	SEGMENT DWORD FLAT PUBLIC 'TLS'
    __tls_start:
    	_tls_data DWORD  0
    __tls_end:
    .TLS	ENDS
    
    .rdata SEGMENT READONLY DWORD FLAT PUBLIC 'DATA'
    ; raw-data range points at user32's .reloc section (XP SP2 addresses) instead of our
    ; own .TLS data, so the loader copies user32's relocs into this thread's TLS block
    _tls_used IMAGE_TLS_DIRECTORY <07E49D000h,07E4A0000h,__tls_index,0,0,0> ;try to map user32 relocation section on XP sp 2.
    .rdata ENDS
    
    .code
    start:
    Main proc
    	assume fs:nothing
    	int 3
    	invoke IsGUIThread,0               ; touch user32 before we use it
    	mov eax,fs:[2ch]                   ; TEB.ThreadLocalStoragePointer
    	mov ecx,[eax]                      ; our TLS block = the copied reloc data
    	sub ecx,50h
    	mov esi, ecx
    find_my_section:
    	lodsd
    	cmp eax,040000h                    ; IMAGE_BASE_RELOCATION.VirtualAddress of MessageBoxA's page
    	loopne find_my_section
    	push eax                           ; save block VA
    	invoke GetModuleHandle,addr user32
    	push eax                           ; save user32 base
    	lodsd                              ; IMAGE_BASE_RELOCATION.SizeOfBlock
    	mov ecx,eax;number of entries
    	xor eax, eax
    locate_messageboxA:
    	lodsw                              ; next entry: type in the high 4 bits, page offset in the low 12
    	and ax,0fffh
    	cmp ax,0591h                       ; page offset of the disp32 in MessageBoxA's cmp
    	jne locate_messageboxA
    	pop ecx                            ; user32 base
    	add ecx,eax
    	pop eax                            ; block VA
    	add ecx,eax                        ; ecx = address of the disp32
    	sub ecx,7                          ; back up 7 bytes to MessageBoxA's entry
    	xor eax,eax
    	push eax                           ; uType
    	push offset user32                 ; lpCaption
    	push offset user32                 ; lpText
    	push eax                           ; hWnd
    	call ecx                           ; MessageBoxA
    safe_ret:
    	Ret
    Main endp
    
    end start
    Calls MessageBoxA by parsing the cross-read reloc section of my user32. POC.zip
    This errors epically if it reads the wrong area... o0 I give no guarantees that Dr. Watson won't pop up on you saying corrupt file!! and cause you to chkdsk and such on reboot. I take no responsibility for damage caused if you run this...

    Mods for SP3 to get the above to work..

    Code:
    _tls_used IMAGE_TLS_DIRECTORY <07E49E000h,07E4A1000h,__tls_index,0,0,0>;try map user32's reloc
    and the MessageBoxA reloc went further into the section.

    7f1 is the new cmp:
    Code:
    cmp ax, 07f1h
    The real non-portability of this got me thinking: how could one make it portable, even if it's just increments of portability like across service packs...
    And then I read Kayaker's paper, and the idea about xrefs to data within code similar to IDA's gave me a thought: if locations change and code is added and all this crap changes, what remains constant? In most cases 'how' the data is used doesn't change... So I've circled back to what I was doing in analyzing opcodes around relocations, this time with renewed interest..

    I am thinking about a vision of a double list with code on one side and data on the other, showing the intermingling of data between; have the code start from a zoomed out view.. mmm, data usages are key. I think someone already said this, but "each point of data exchange is a point of vulnerability." Taken out a bit,
    every bit of information that can be gleaned about the data in an application is important. Long will that be, but maybe I'll write a GUI application; I haven't in some years.. xD

    regards BanMe
    Last edited by BanMe; January 31st, 2011 at 13:10.
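The reloc walk that posts #1 and #3 do by hand in MASM, written out in C as an added example (this is not BanMe's code and not from the POC.zip). It assumes only the documented PE layout: each IMAGE_BASE_RELOCATION block is a DWORD VirtualAddress and a DWORD SizeOfBlock followed by WORD entries with the type in the high 4 bits and a 12-bit page offset in the low bits, so a relocated dword lives at base + VirtualAddress + (entry & 0xFFF). The module base 0x7E410000 and the page offset 0x591 are the values quoted in post #1; the `.reloc` bytes, the function names `walk_relocs` and `locate_by_reloc`, and the second block are constructed for the example.

```c
/* Walk a PE .reloc section and locate a relocated disp32 by its 12-bit
 * page offset, as the posts above do to find MessageBoxA without the EAT.
 * Sample data is constructed for this example, not copied from user32. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, skip */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Called once per HIGHLOW entry with the relocated address; nonzero stops. */
typedef int (*reloc_cb)(uint32_t va, void *ctx);

/* Returns the number of HIGHLOW entries visited, or -1 if a block header
 * does not fit in the buffer (the "reads the wrong area" failure mode). */
static int walk_relocs(const uint8_t *reloc, size_t size, uint32_t base,
                       reloc_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;
    while (off + 8 <= size) {
        uint32_t page = rd32(reloc + off);       /* IMAGE_BASE_RELOCATION.VirtualAddress */
        uint32_t blk  = rd32(reloc + off + 4);   /* IMAGE_BASE_RELOCATION.SizeOfBlock */
        if (blk < 8 || (blk & 1) || off + blk > size)
            return -1;                           /* corrupt or truncated block */
        for (size_t e = off + 8; e + 2 <= off + blk; e += 2) {
            uint16_t w = rd16(reloc + e);
            unsigned type = w >> 12;
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW) continue;
            count++;
            if (cb && cb(base + page + (w & 0xFFF), ctx)) return count;
        }
        off += blk;
    }
    return count;
}

struct find_ctx { uint16_t low12; uint32_t hit; };

static int match_low12(uint32_t va, void *c)
{
    struct find_ctx *f = c;
    if ((va & 0xFFF) == f->low12) { f->hit = va; return 1; }
    return 0;
}

/* Post #3's trick: find the first relocated dword whose page offset is low12,
 * then back up disp_off bytes (7 for "mov edi,edi; push ebp; mov ebp,esp;
 * 83 3D <disp32> 00") to the function entry.  Returns 0 when nothing matches. */
static uint32_t locate_by_reloc(const uint8_t *reloc, size_t size, uint32_t base,
                                uint16_t low12, unsigned disp_off)
{
    struct find_ctx f = { low12, 0 };
    if (walk_relocs(reloc, size, base, match_low12, &f) < 0 || f.hit == 0) return 0;
    return f.hit - disp_off;
}

/* Constructed .reloc: block for page 0x40000 with five HIGHLOW entries and one
 * ABSOLUTE pad (SizeOfBlock 20), then a block for page 0x41000 with two entries. */
static const uint8_t sample_reloc[] = {
    0x00,0x00,0x04,0x00,  0x14,0x00,0x00,0x00,
    0x82,0x30, 0x9B,0x30, 0xEA,0x30, 0xF7,0x30, 0x91,0x35, 0x00,0x00,
    0x00,0x10,0x04,0x00,  0x0C,0x00,0x00,0x00,
    0x10,0x30, 0x20,0x30,
};
static const uint32_t SAMPLE_BASE = 0x7E410000u;   /* user32 base quoted in post #1 */

int main(void)
{
    int n = walk_relocs(sample_reloc, sizeof sample_reloc, SAMPLE_BASE, NULL, NULL);
    uint32_t fn = locate_by_reloc(sample_reloc, sizeof sample_reloc, SAMPLE_BASE, 0x591, 7);
    printf("HIGHLOW entries: %d\n", n);
    printf("disp32 at page offset 0x591 -> function entry 0x%08X\n", fn);
    return 0;
}
```

Two caveats the posts run into are visible here: the walk bails out with -1 instead of reading past the buffer when a SizeOfBlock does not fit, and a 12-bit page offset alone is not unique across pages, so the first hit wins; in practice you would also check that the 7 bytes before the hit really are the `8B FF 55 8B EC 83 3D` prologue before calling through it.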

  4. #4 BanMe

    Writing shellcode, XP SP3..

    My first attempt at writing one of these, so THIS code is for educational purposes only and I give it to all... you may modify it and use it, just give me a Gr33tz :}

    Really sorry I haven't got back to this; I've been working 12 ~ 16 hr days.. :[ But it's worth it..

    The concept around this code is really simple; the key is to develop something that does the following:

    1. Loads a library that uses a static string such as a DLL name.

    2. This should also get a procedure address from a loaded module that uses a static string for the procedure name...

    3. It will do it with non service pack specific code relative to XP x86 and PE relocation parsing.

    What I chose as the target for this was from an article referring to ntdll!LoadOle32Export, which meets and exceeds the requirements.

    Code:
     
    ;$+41E69  >/$ 8BFF           MOV EDI,EDI
    ;$+41E6B  >|. 55             PUSH EBP
    ;$+41E6C  >|. 8BEC           MOV EBP,ESP
    ;$+41E6E  >|. 83EC 14        SUB ESP,14
    ;$+41E71  >|. 8365 FC 00     AND DWORD PTR SS:[EBP-4],0
    ;$+41E75  >|. 56             PUSH ESI
    ;$+41E76  >|. 68 D69B957C    PUSH ntdll.7C959BD6                                         ;  UNICODE "ole32.dll"
    ;$+41E7B  >|. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
    ;$+41E7E  >|. 50             PUSH EAX
    ;$+41E7F  >|. E8 0977FAFF    CALL ntdll.RtlInitUnicodeString
    ;$+41E84  >|. 8B75 08        MOV ESI,DWORD PTR SS:[EBP+8]
    ;$+41E87  >|. 56             PUSH ESI
    ;$+41E88  >|. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
    ;$+41E8B  >|. 50             PUSH EAX
    ;$+41E8C  >|. 6A 00          PUSH 0
    ;$+41E8E  >|. 6A 00          PUSH 0
    ;$+41E90  >|. E8 26C8FBFF    CALL ntdll.LdrLoadDll
    ;$+41E95  >|. 85C0           TEST EAX,EAX
    ;$+41E97  >|. 7D 06          JGE SHORT ntdll.7C959BA7
    ;$+41E99  >|. 50             PUSH EAX                                                    ; /Arg1
    ;$+41E9A  >|. E8 F9CA0000    CALL ntdll.RtlRaiseStatus                                   ; \RtlRaiseStatus
    ;$+41E9F  >|> FF75 0C        PUSH DWORD PTR SS:[EBP+C]
    ;$+41EA2  >|. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
    ;$+41EA5  >|. 50             PUSH EAX
    ;$+41EA6  >|. E8 7276FAFF    CALL ntdll.RtlInitString
    ;$+41EAB  >|. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]
    ;$+41EAE  >|. 50             PUSH EAX                                                    ; /Arg4
    ;$+41EAF  >|. 6A 00          PUSH 0                                                      ; |Arg3 = 00000000
    ;$+41EB1  >|. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]                               ; |
    ;$+41EB4  >|. 50             PUSH EAX                                                    ; |Arg2
    ;$+41EB5  >|. FF36           PUSH DWORD PTR DS:[ESI]                                     ; |Arg1
    ;$+41EB7  >|. E8 E4E2FBFF    CALL ntdll.LdrGetProcedureAddress                           ; \LdrGetProcedureAddress
    ;$+41EBC  >|. 85C0           TEST EAX,EAX
    ;$+41EBE  >|. 5E             POP ESI
    ;$+41EBF  >|. 7D 06          JGE SHORT ntdll.7C959BCF
    ;$+41EC1  >|. 50             PUSH EAX                                                    ; /Arg1
    ;$+41EC2  >|. E8 D1CA0000    CALL ntdll.RtlRaiseStatus                                   ; \RtlRaiseStatus
    ;$+41EC7  >|> 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
    ;$+41ECA  >|. C9             LEAVE
    ;$+41ECB  >\. C2 0800        RETN 8
    ;$+41ECE  > . 6F00 6C00 6500 3300 3200 2E00 6400 6C00        UNICODE "ole32.dl"
    ;$+41EDE  > . 6C00 0000                                      UNICODE "l",0
    This also has supporting functions 1 and 2 relocations away. This will have to be explored....
    Last edited by BanMe; February 10th, 2011 at 19:16.

  5. #5 BanMe
    Code:
    .486
    .model flat,stdcall
    option casemap:none
    code SEGMENT DWORD flat PUBLIC  'text'
    Scstart:
    assume fs:nothing
    push 006c006fh                 ; UNICODE "ol", first dword of "ole32.dll"; read back as [esp+8] in the loop
    mov esi,dword ptr fs:[30h]     ; PEB
    add esi,20h                    ; PEB.FastPebLockRoutine -> RtlEnterCriticalSection (inside ntdll)
    lodsd
    and eax,0ffff0000h             ; get ntdll's base; clear off the extra
    mov esi,[eax+170h]             ; read reloc offset from PE (DataDirectory[BASERELOC].VirtualAddress, XP ntdll header layout)
    mov ebx,[eax+174h]             ; read reloc size from PE (DataDirectory[BASERELOC].Size)
    push eax                       ; ntdll base; [esp+4] in the loop
    add esi,eax                    ; esi -> first IMAGE_BASE_RELOCATION
    next_section:
    lodsd                          ; IMAGE_BASE_RELOCATION.VirtualAddress
    mov edx,eax
    lodsd                          ; IMAGE_BASE_RELOCATION.SizeOfBlock
    sub ebx,eax                    ; reloc bytes remaining
    sub eax,8h                     ; bytes of WORD entries in this block
    mov ecx,eax
    find_data:
    lodsw
    and eax,0fffh                  ; low 12 bits = offset within the page
    pop edi                        ; get base address
    add eax,edi
    add eax,edx                    ; eax = absolute address of the relocated dword
    push edi
    push esi
    mov esi, dword ptr [eax]       ; the pointer stored there
    cmp esi,060000000h             ; only pointers up in the system dll range are interesting
    jl next_entry
    mov edi,dword ptr [esp+8h]     ; 006c006fh
    cmp dword ptr [esi],edi        ; does it point at UNICODE "ol"?
    je data_found
    next_entry:
    pop esi
    sub ecx,2
    cmp ecx,2
    jne find_data
    add esi,2                      ; skip the block's alignment pad
    jmp next_section
    end_this:
    ret
    data_found:
    ;overwrite the string with unicode ws2_32.dll
    mov edi,eax
    mov eax, 77007300h             ; "ws"
    call write_edi
    mov eax, 32005F00h             ; "_2"
    call write_edi
    mov eax, 33003200h             ; "23"
    call write_edi
    mov eax, 2E006400h             ; ".d"
    call write_edi
    mov eax, 6C006C00h             ; "ll"
    call write_edi
    mov dword ptr [ebp],0h
    call find_data
    write_edi::
    stosd
    ret
    code ENDS
    end Scstart
    A little more to enjoy?.. Still not done yet; I need me some NtProtectVirtualMemory so I can overwrite this string...

    The above is much more thoroughly tested..

    So locating an API without the export table is kinda restrictive, to say the least o0.. But if I read the PE for the offset of the start and the size of ntdll's export table and add the two to the module base, I should end at the first call to an exported API of ntoskrnl..

    It works for me.. 7c900000 + 3400 + 9a5e = 7C90CE5E
    Code:
    7C90CE5E >/$ B8 00000000                                    MOV EAX,0
    7C90CE63  |. BA 0003FE7F                                    MOV EDX,7FFE0300
    7C90CE68  |. FF12                                           CALL DWORD PTR DS:[EDX]
    7C90CE6A  \. C2 1800                                        RETN 18
    It's too easy to whip out concept code for this brute force locate of NtProtectVirtualMemory by its call index for XP..
    Code:
    	and edx,0ffff0000h             ; ntdll base (edx held a pointer into ntdll)
    	mov edi,edx
    	mov ecx,[edx+14ch]             ; export directory Size
    	add edx,[edx+148h]             ; export directory VirtualAddress
    	add edx,ecx                    ; base + start + size = first syscall stub (see above)
    	mov esi,edx
    	xor eax,eax
    find_NtProtect:
    	lodsw
    	cmp eax,089b8h                 ; bytes B8 89 = mov eax,89h (NtProtectVirtualMemory index on XP)
    	jne find_NtProtect
    	sub esi,2                      ; esi -> start of the stub
    	push ebp                       ; 5th arg (OldProtect)
    	push 4                         ; 4th arg (NewProtect = PAGE_READWRITE)
    	mov dword ptr [ebp+4],0b20000h
    	push [ebp+4]                   ; 3rd arg (RegionSize)
    	mov dword ptr [ebp+8],edi
    	push dword ptr [ebp+8]         ; 2nd arg (BaseAddress)
    	push -1                        ; 1st arg (ProcessHandle = current process)
    	call esi
    	mov edi,[esp+68h]
    	jmp now_safe
    Included is a winasm project and my 1k PE with default settings, source and obj file..

    Stack based DllMain >.< ..

    Code:
    	mov eax,08c200h
    	push eax                       ; bytes 00 C2 08 00: tail of mov eax,1 then retn 8
    	push 01b8h                     ; bytes B8 01 00 00: mov eax,1 (last 00 is above)
    	push 0cc48390h                 ; bytes 90 83 C4 0C: nop; add esp,0Ch (drops these 3 dwords)
    	push esp                       ; address of the code just built on the stack
    	retn                           ; run it: returns TRUE to the loader
    A test DLL is attached..
    Last edited by BanMe; February 13th, 2011 at 13:53.
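The syscall-stub search from the end of post #5, as an added example in C (not BanMe's code or the attached project). The post matches only the two bytes `B8 89`; this version checks the whole XP stub shape quoted in the post, `B8 imm32 / BA 00 03 FE 7F / FF 12 / C2 imm16`, and advances one byte at a time so a stub at an odd offset is not skipped. The index 0x89 is the NtProtectVirtualMemory number the post uses for XP (syscall numbers change between Windows versions and service packs, which is the post's own caveat); the byte buffer, the decoy, and the names `find_stubs` and `find_stub_by_index` are constructed for the example.

```c
/* Scan a byte range for XP-style ntdll syscall stubs and pull out their
 * syscall index and stack-cleanup size.  Stub layout (15 bytes):
 *   B8 xx xx xx xx   mov eax, <index>
 *   BA 00 03 FE 7F   mov edx, 7FFE0300h   (SharedUserData SystemCallStub)
 *   FF 12            call dword ptr [edx]
 *   C2 nn 00         retn <argbytes>
 * The sample buffer is constructed for this example; it is not a real ntdll. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 15

struct stub { size_t offset; uint32_t index; uint16_t argbytes; };

/* Returns 1 and fills *out if a complete stub starts at p (avail bytes left). */
static int parse_stub(const uint8_t *p, size_t avail, size_t off, struct stub *out)
{
    static const uint8_t tail[] = { 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2 };
    if (avail < STUB_LEN || p[0] != 0xB8) return 0;
    if (memcmp(p + 5, tail, sizeof tail) != 0) return 0;
    if (p[14] != 0x00) return 0;             /* retn imm16 high byte is 0 for every real stub */
    out->offset = off;
    memcpy(&out->index, p + 1, 4);           /* little-endian imm32 */
    out->argbytes = (uint16_t)(p[13] | (p[14] << 8));
    return 1;
}

/* Byte-by-byte scan.  Returns the number of stubs found and stores up to
 * max of them in out (out may be NULL when only the count is wanted). */
static size_t find_stubs(const uint8_t *buf, size_t len, struct stub *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + STUB_LEN <= len; ) {
        struct stub s;
        if (parse_stub(buf + i, len - i, i, &s)) {
            if (out && n < max) out[n] = s;
            n++;
            i += STUB_LEN;                   /* stubs do not overlap */
        } else {
            i++;
        }
    }
    return n;
}

static size_t count_stubs(const uint8_t *buf, size_t len)
{
    return find_stubs(buf, len, NULL, 0);
}

/* Offset of the stub carrying a given syscall index, or -1 if none. */
static long find_stub_by_index(const uint8_t *buf, size_t len, uint32_t index)
{
    for (size_t i = 0; i + STUB_LEN <= len; i++) {
        struct stub s;
        if (parse_stub(buf + i, len - i, i, &s) && s.index == index) return (long)i;
    }
    return -1;
}

/* Constructed sample: stub index 0 / retn 18h (the first stub shown in the
 * post), a decoy "B8 89 00 00 00 5D C3" that is plain code and not a stub,
 * three nops so the next stub lands at an even offset after an odd one,
 * then stub index 89h / retn 14h. */
static const uint8_t sample_text[] = {
    0x90,
    0xB8,0x00,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x18,0x00,
    0xB8,0x89,0x00,0x00,0x00, 0x5D, 0xC3,
    0x90, 0x90, 0x90,
    0xB8,0x89,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x14,0x00,
    0xCC,
};

int main(void)
{
    struct stub found[4];
    size_t n = find_stubs(sample_text, sizeof sample_text, found, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("stub at +%zu: syscall 0x%02X, retn 0x%X\n",
               found[i].offset, found[i].index, found[i].argbytes);
    printf("index 0x89 at offset %ld\n",
           find_stub_by_index(sample_text, sizeof sample_text, 0x89));
    return 0;
}
```

Run against a real image, the buffer would be the range the post computes (ntdll base + export directory VirtualAddress + Size, up to the end of .text); the decoy in the sample shows why the two-byte `B8 89` match alone is not enough, since `mov eax,89h` occurs in ordinary code too.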
