The Hardware Virus
While we are in the kernel, we have full access to the system and we can communicate with any
the address space. This means, among other things, that we can read/write to the BIOS memor
motherboard or in peripheral hardware.
•Table of Contents
In• the "old days,"Index BIOS memory was stored in ROM or in EEPROM chips, which could not be upd
fromExploitingsoftwareSoftware. TheseHow toolderBreaksystemsCode require the chips to be replaced or manually erased and re
Of course this isn't very cost effective, so new systems use EEPROM chips, otherwise known as f
ByGreg Hoglund,Gary McGraw
ROM. Flash ROM can be rewritten from software.
Publisher: Addison Wesley
A given computer can have several megabytes of flash ROM floating around on various controlle
Pub Date: February 17, 2004
and the motherboard. These flash ROM chips are almost never fully utilized, and this leaves us
tremendousISBN: 0-amounts201-78695-of8 room to store backdoor information and viruses. The compelling thing
using Pages:these512memory spaces is that they are hard to audit and almost never visible to software r
on a system. To access the hardware memory requires driver-level access. Furthermore, this m
immune against reboots and system reinstallation.
One key advantage of a hardware virus is that it will survive a reboot and a system reinstallatio
someone suspects a viral infection, restoring the system from tape or backup will not help. The How does software break? How do attackers make software break on purpose? Why are hardware virus has always been and will remain one of the best kept secrets of the "black magi firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? hackers. There is a disadvantage to hardware viruses, however. They only work on a particular What tools can be used to break software? This book provides the answers.
That is, any given hardware virus must be written to infect the specific hardware of the target.
means the virus will not easily propagate to other systems (if it can be propagated at all). This Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
problem for many uses in warfare, however. Many times the hardware virus is being used as a techniques used by bad guys to break software. If you want to protect your software from
or as a method of sniffing traffic. In this case, a virus may not need to self-replicate. In fact, sel attack, you must first learn how real attacks are really carried out.
replication may not be desired.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
A simple hardware virus may be designed to impart false data to a system or to cause the syste script kiddie treatment found in many hacking books, you will learn about
ignore certain events. Imagine an anti-aircraft radar that uses the VX-Works OS. Within the sys several flash RAM chips. A virus installed in one of these chips has trusted access to the entire b
virus has only one purpose—to cause the |
to ignore certain types of radar signatures. |
Why software exploit will continue toradarbe |
serious problem |
Viruses have long since been detected in the wild that write themselves into the motherboard B When network security m chanisms do not work
memory. In the late 1990s, the so-called F00F bug was able to crash a laptop completely. Altho
CIH virusAttack(ofpattChernobyl)s was widely popularized in the media, virus code that used the BIOS w published long before the release of CIH.[3]
Reverse engineering
[3] . For more on CIH, go to http://www.f-secure.com/cih/.
Classic attacks against server software
EEPROM memory is fairly common on many systems. Ethernet cards, video cards, and multime
peripheralsSurprisingmayattacksall contagainstEEPROMclientmemorysoftware. The hardware memory may contain flash firmwar
firmware may just be used for data storage. In the case of a backdoor, overwriting firmware is
to otherTechniquesapproachesfor craftingbecausemalithe changeious inputwill persist even if the system is cleaned and reinstalle
course, the task of overwriting firmware requires a detailed understanding of the target hardwa
The technical details of buffer overflows
peripheral. But in the case of the motherboard BIOS, the procedure is fairly straightforward.
Rootkits
Reading and Writing Hardware Memory
Exploiti Software s filled with the tools, concepts, and knowledge necessary to break software.
Nonvolatile memory chips are found in a variety of hardware devices: TV tuners and remote co
CD players, cordless and cellular phones, fax machines, cameras, radios, automotive airbags, a
brakes, odometers, keyless entry systems, printers and copiers, modems, pagers, satellite recei
barcode readers, point-of-sale terminals, smart cards, lock boxes, garage door openers, and te
measurement equipment.
Flash ROM can be accessed by simple in and out instructions. Typically a flash ROM chip will co
control register and a data port. Command messages are placed in the control register and the
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
HANDLE gWorkerThread;
PKTIMER gTimer;
PKDPC gDPCP;
UCHAR g_key_bits = 0;
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
What follow are various "defines" for the hardware operation. These are found in the document
the 8042 keyboard controller chip. The input/output "port" is 0x60 or 0x64, depending on the o
Publisher: Addison Wesley
These ports are designed for single-byte operations. The command byte that indicates that we
Pub Date: February 17, 2004
set the LEDs is 0xED.
ISBN: 0-201-78695-8
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
// commands
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and #definetechn quesREADusedCONTROLLERby bad guys to break 0x20software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
#define WRITE_CONTROLLER |
0x60 |
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
// command bytes
Why software exploit will continue to be a serious problem
#define |
SET_LEDS |
0xED |
When network security mechanisms do not work |
||
#define |
KEY_RESET |
0xFF |
Attack patterns |
|
|
Reverse engineering
// responses from keyboard
Classic attacks against server software
#defineSurprisingKEY ACKattacks against client0xFAsoftware// ack
#defineTechniquesKEY AGAINfor crafting malicious0xFEinput // send again
The technical details of buffer overflows
Rootkits
// 8042 ports
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
// when you read from port 64, this is called STATUS_BYTE software.
// when you write to port 64, this is called COMMAND_BYTE
// read and write on port 64 is called DATA_BYTE
PUCHAR KEYBOARD_PORT_60 = (PUCHAR)0x60;
PUCHAR KEYBOARD_PORT_64 = (PUCHAR)0x64;
Why software exploit will continue to be a serious problem
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
The technical details of buffer overflows
DbgPrint("SendKeyboardCommand::sent\n");
}
else
{
•Table of Contents
DbgPrint("SendKeyboardCommand::timeout waiting for keyboard\n");
•Index
Exploiting Software How to Break Code
return FALSE;
ByGreg Hoglund,Gary McGraw
}
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
// TODO: wait for ACK or RESEND from keyboard
Pages: 512
return TRUE;
How does software break? How do attackers make software break on purpose? Why are
}
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from This is a handy routine that uses the specified bit mask to set the LED indicators on the keyboar
attack, you must first learn how real attacks are really carried out.
some keyboards setting the numlock indicator actually causes the numlock state to be activated
is a problem we leave it as an exercise for the reader to remove the numlock state from the pos This must-have book may shock you—and it will certainly educate you.Getting beyond the combinations.
script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
void SetLEDS( UCHAR theLEDS )
Classic attacks against server software
{
Surprising attacks against client software
// setup for setting LEDS
Techniques for crafting malicious input
if(FALSE == SendKeyboardCommand( 0xED ))
The technical details of buffer overflows
{Rootkits
DbgPrint("SetLEDS::error sending keyboard command\n");
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
}
// send the flags for the LEDs
if(FALSE == SendKeyboardCommand( theLEDS ))
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Why software exploit will continue to be a serious problem 
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Surprising attacks against client software
Techniques for crafting malicious input
Rootkits
The most famous virus to overwrite hardware EEPROM memory is the CIH virus. CIH attacked o 430TX-compatible motherboards. Here are some snippets of code from CIH that write data into BIOS. Notice that operations are made against the configuration register of the 430TX. Dependi the values written to this port, different regions of EEPROM memory are mapped into memory. walks through several regions, attempting to destroy them all.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
; ***************************
Pub Date: February 17, 2004
ISBN: 0-201-78695-8 |
* |
; * Kill BIOS EEPROM |
|
Pages: 512 |
|
; ***************************
How does software break? How do attackers make software break on purpose? Why are |
|
mov |
bp, 0cf8h |
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? |
|
What tools can be used to break software? This book provides the answers. |
|
lea |
esi, IOForEEPROM-@7[esi] |
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
; ***********************
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
; * Show BIOS Page in |
* |
Why software exploit will continue to be a serious problem
; * 000E0000 - 000EFFFF *
When network security mechanisms do not work
; * |
( |
64 KB |
) |
* |
Attack patterns
;***********************
Reverse engineering
Classic attacks against server software
mov edi, 8000384ch
Surprising attacks against client software
mov dx, 0cfeh
Techniques for crafting malicious input
cli
The technical details of buffer overflows
Rootkitscall esi
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
; ***********************
; |
* |
Show BIOS Page in |
* |
; |
* |
000F0000 - 000FFFFF * |
|
; |
* |
( |
64 KB |
) |
* |
; |
*********************** |
||||
mov |
di, 0058h |
•Table of Contents
dec |
edx |
; and al,0fh |
•Index
Exploiting Software How to Break Code
mov |
word ptr (BooleanCalculateCode-@10)[esi], 0f24h |
ByGreg Hoglund,Gary McGraw
call esi
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
; ***********************
Pages: 512
; * Show the BIOS Extra *
How does software break? How do attackers make software break on purpose? Why are
; * ROM Data in Memory *
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
; * 000E0000 - 000E01FF *
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
; * ( 512 Bytes ) *
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
; * , and the Section *
This must-have book may shock you—and it will certainly educate you.Getting beyond the
; * of Extra BIOS can *
script kiddie treatment found in many hacking books, you will learn about
; * be Written... *
Why software exploit will continue to be a serious problem
; ***********************
When network security mechanisms do not work
lea |
ebx, EnableEEPROMToWrite-@10[esi] |
Attack patterns |
eax, 0e5555h |
mov |
|
Reverse engineering |
|
mov |
ecx, 0e2aaah |
Classic attacks against server software |
|
call |
ebx |
Surprising attacks against client software |
|
mov |
byte ptr [eax], 60h |
Techniques for crafting malicious input |
|
The technicalpush detailsecx of buffer overflows |
|
Rootkitsloop |
$ |
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
;***********************
;* Kill the BIOS Extra *
;* ROM Data in Memory *
; * 000E0000 - 000E007F *
; * ( 80h Bytes ) *
; ***********************
•Table of Contents
xor |
ah, ah |
•Index
Exploiting Software How to Break Code
mov |
[eax], al |
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
xchg ecx, eax
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
loop $
Pages: 512
; ***********************
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
; * Show and Enable the *
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
; * BIOS Main ROM Data *
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
; * 000E0000 - 000FFFFF *
This must-have book may shock you—and it will certainly educate you.Getting beyond the
; * ( 128 KB ) *
script kiddie treatment found in many hacking books, you will learn about
; * can be Written... *
Why software exploit will continue to be a serious problem
; ***********************
When network security mechanisms do not work
Attack patterns |
eax, 0f5555h |
mov |
|
Reverse engineering |
|
pop |
ecx |
Classic attacks against server software
mov ch, 0aah
Surprising attacks against client software
call ebx
Techniques for crafting malicious input
mov byte ptr [eax], 20h
The technical details of buffer overflows
Rootkitsloop $
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
; ***********************
; |
* |
Kill the |
BIOS Main |
* |
; |
* |
ROM Data |
in Memory |
* |
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
; ***************************
; |
* IO for EEPROM |
* |
; |
*************************** |
|
•Table of Contents
•Index
Exploiting Software How to Break Code
IOForEEPROM:
ByGreg Hoglund,Gary McGraw
@10 |
= |
IOForEEPROM |
Publisher: Addison Wesley
xchg eax, edi
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
xchg edx, ebp
Pages: 512
out |
dx, eax |
xchg |
eax, edi |
How does software break? How do attackers make software break on purpose? Why are xchg edx, ebp
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? |
|
What tools can be used to break software? This book provides the answers. |
|
in |
al, dx |
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
BooleanCalculateCode = $
This must-have book may shock you—and it will certainly educate you.Getting beyond the or al, 44h
script kiddie treatment found in many hacking books, you will learn about
xchg eax, edi
Why software exploit will continue to be a serious problem xchg edx, ebp
When network security mechanisms do not work
out |
dx, eax |
Attack patterns |
eax, edi |
xchg |
|
Reverse engineering |
|
xchg |
edx, ebp |
Classic attacks against server software
out dx, al
Surprising attacks against client software
ret
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
EEPROM and Timing
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Timing is very important for EEPROM operations. Here's an amusing anecdote: An attacker once program to flash over the EEPROM in a Cisco router during the attack. The original attack code include a timer. The result was that his code was too fast and only overwrote every fifth byte! T solution involved slowing down the write operations by putting a few hundred milliseconds betw write. Every chip is different. You will need to examine or test the timing required for read and operations to each chip.
This code snippet performs a read operation on the 3-Com 3C5x9 ethernet card's EEPROM.[4] N
call to sleep 162 msec.
[4] This code comes courtesy of the Linux driver found in the file 3c509.c. Open source OSs are filled with i about various drivers.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
/* Read the EEPROM. */
Publisher: Addison Wesley
Pub Date: February 17, 2004
for (i = 0; i < 16; i++) {
ISBN: 0-201-78695-8
Pages: 512
outw(EEPROM_READ + i, ioaddr + 10);
/* Pause for at least 162 msec for the read to take place. */
usleep(162);
How does software break? How do attackers make software break on purpose? Why are firewalls,eepromintrusioncontents[i]detection=systems,inw(ioaddrand antivirus+ 12); software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniquesprintf("EEPROMused by badindexguys to%d:break%4.4xsoftware.\n",. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
I,
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about eeprom_contents[i]);
}
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
The Ethernet EEPROM
Reverse engineering
Subversive code can be placed into an ethernet card. This is an optimal platform because packe Classic attacks against server software
analyzed and crafted with direct access to the network. A typical ethernet controller will have a chip thatSurprisinghandlesattacksalmostagainstevery hingclientinsoneftwarepackage. Inside the ASIC is a custom processor that micromachine. This micromachine has an instruction set just like a normal processor. There are
Techniques for crafting malicious input
subroutines that are called whenever a packet arrives on the interface. These subroutines are w
using the native opcodes of the micromachine. Of course, the micromachine opcodes are typical
The technical details of buffer overflows
proprietary and confidential to each manufacturer. To obtain access to this information may req
nondisclosure agreement with the manufacturer, so we can't publish any specific opcodes here.
Rootkits
However, we can discuss how an attack would work in theory.
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
An ethernet controller may have an onboard flash and/or EEPROM that can be reprogrammed fr
software.
device driver. For example, the Intel InBusiness 10/100 ethernet card includes an EEPROM me can be written to from software. The card is based on the 82559 ethernet controller chip. This is that contains a micromachine and several buffers for storing packets. Attached to the 82559 is serial EEPROM chip. The serial EEPROM is an ATMEL 93C46. The 93C46 contains 64 16-bit word total of 128K of storage space.
Using this information, we can hide code in the EEPROM of the ethernet card or even overwrite EEPROM. Because the serial EEPROM is not directly connected to the address bus of the comput cannot directly reference it. However, the 82559 exposes the EEPROM to read and write operati
The technical details of buffer overflows
Command |
value |
|
SHIFT_CLK |
0x01 |
shift clock |
CS |
0x02 |
EEPROM chip select |
WRITE |
0x04 |
|
•Table of Contents
READ |
0x08 |
•Index
Exploiting Software How to Break Code |
0x4802 |
ENABLE |
ByGreg Hoglund,Gary McGraw
To sendPublisher:a commandAddison Wesleyto the serial EEPROM, the software should perform the following operation testPubsystemDate: Februaryin our lab17, 2004the 82559 is based at 0x3000. Thus, operations are performed using this
as a base. The EEPROM register is 14 bytes above the base, thus it lands at 0x300E. Notice that
ISBN: 0-201-78695-8
EEPROM commands are OR'd together.
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
OUT( ENABLE | SHIFT_CLK, 0x300E );
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
// construct a 2-byte command
This must-have book may shock you—and it will certainly educate you.Getting beyond the
OUT( command, 0x300E );
script kiddie treatment found in many hacking books, you will learn about
// delay for EEPROM
Why software exploit will continue to be a serious problem
OUT( SHIFT_CLK, 0x300E );
When network security mechanisms do not work
// delay for EEPROM
Attack patterns
response_code = IN(0x300E);
Reverse engineering
OUT( ENABLE, 0x300E );
Classic attacks against server software
OUT( ENABLE | SHIFT_CLK, 0x300E ); // terminate EEPROM access
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
You may reverse engineer drivers or use open-source driver code to determine how a given har
component works. The Linux OS has a lot of driver support and is an invaluable source for learn Rootkits
control codes and offsets for a given hardware device. For example, this is a short snippet of co
[5]
Exploitingthe Linux 3C509Softwaredriveris filledthatwithillustheratestools,writingconcepto thes,andEEPROMknowledgeof th necessary3C509ethernetto breakcard: software.
[5] Once again, this code comes courtesy of the Linux driver found in the file 3c509.c.
Why software exploit will continue to be a serious problem
beWhenstashedn twork.In somesecuritycases,mect
Classic attacks against server software
The technical details of buffer overflows
Rootkits
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Large
SDAXXX
Other
24CXXX
•Table of Contents
24XX
•Index
Exploiting Software How to Break Code
AT17XXX
ByGreg Hoglund,Gary McGraw
AT90XXX
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
Detecting Chips via Common Flash Interface (CFI)
Writing code that will scan through a systems memory map and identify flash RAM devices is an good technique to know. The query access command is 0x98. The JEDEC ID mode is 0x90. The
How does software break? How do attackers make software break on purpose? Why are
query access code is written to the device base address plus an offset of 0x55. The device must
firewalls, intrusionDependingdetection systems, and antivirus software not keeping out the bad guys? read mode. the bus width, the value that needs to be written will be 0x98,0x0098
What tools can be usedalsoto break software? This book provides the answers.
0x00000098. You can try 0x98,0x9898, or 0x98989898. Some flash devices ignore the addr
will enter query mode if they see the value 0x98 on the data bus. The base may also be 0x55,0
Exploiting. Softwareis loaded with examples of real attacks, attack patterns, tools, and
0x154h
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
Once query mode is set, the chip should show the ASCII characters QR or QRY at offset 0x10.
follows is a vendor ID, a 16-bit value usually at location 0x13. Vendorand device-specific infor
This must-have book may shock you—and it will certainly educate you.Getting beyond the
can follow this. Using the query mode allows the attacker to determine exactly which kind of chi
script kiddie treatment found in many hacking books, you will learn about
are dealing with. The CFI specification is published and available in the public domain.
The following is a list of 16-bit vendor IDs:
|
Why software exploit will continue to be a serious problem |
|
0 |
When network security mechanisms do not work |
|
|
NULL |
|
1 |
Attack patterns |
Intel/Sharp |
|
||
2 |
Reverse engineering |
AMD/Fujitsu |
3 |
|
Intel |
|
Classic attacks against server software |
|
4 |
|
AMD/Fujitsu |
|
Surprising attacks against client software |
|
256 |
|
Mitsubishi |
|
Techniques for crafting malicious input |
|
257 |
|
Mitsubishi |
258 |
The technical details of buffer overflows |
|
|
SST |
|
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
Example:software. Detect a Flash RAM Chip
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
static inline u32 jedec_read_mfr(struct map_info *map, __u32 base,
struct cfi_private *cfi)
{
• |
Table of Contents |
|
u32 result, mask; |
•Index
Exploiting Software How to Break Code
mask = (1 << (cfi->device_type * 8)) -1;
ByGreg Hoglund,Gary McGraw
result = cfi_read(map, base);
Publisher: Addison Wesley
result &= mask;
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
return result;
Pages: 512
}
static inline u32 jedec_read_id(struct map_info *map, __u32 base,
How structdoes softwarecfi privatebre k? How*cfi)do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What{ tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and int osf;
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out. u32 result, mask;
This must-have book may shock you—and it will certainly educate you.Getting beyond the osf = cfi->interleave *cfi->device_type;
script kiddie treatment found in many hacking books, you will learn about
mask = (1 << (cfi->device_type * 8)) -1;
Why software exploit will continue to be a serious problem result = cfi_read(map, base + osf);
When network security mechanisms do not work result &= mask;
Attack patterns return result;
Reverse engineering
}
Classic attacks against server software
Surprising attacks against client software
static inline void jedec_reset(u32 base, struct map_info *map,
Techniques for crafting malicious input
struct cfi_private *cfi)
The technical details of buffer overflows
{
Rootkits
/* Reset */
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
cfi_send_gen_cmd(0xF0, 0, base, map, cfi, cfi->device_type, NULL);
/* Some misdesigned Intel chips do not respond for 0xF0 for a reset,
*so ensure we're in read mode. Send both the Intel and the AMD command
*for this. Intel uses 0xff for this, AMD uses 0xff for nop, so
* this should be safe.
*/
cfi_send_gen_cmd(0xFF, 0, base, map, cfi, cfi->device_type, NULL);
/* Manufacturers */
• |
Table of Contents |
0x0001 |
#define MANUFACTURER_AMD |
||
•Index
Exploiting Software How to Break Code |
|
0x001f |
|
#define MANUFACTURER_ATMEL |
|
||
ByGreg Hoglund,Gary McGraw |
|
|
|
#define MANUFACTURER_FUJITSU |
|
0x0004 |
|
Publisher: Addison Wesley |
|
|
|
#definePub Date:MANUFACTURERFebruary 17, 2004_INTEL |
|
0x0089 |
|
ISBN: 0-201-78695-8 |
|
|
|
#definePages:MANUFACTURER512 |
_MACRONIX |
0x00C2 |
|
#define MANUFACTURER_ST |
|
0x0020 |
|
#define MANUFACTURER_SST |
0x00BF |
||
How does software break? How do attackers make software break on purpose? Why are |
|
#define MANUFACTURER_TOSHIBA |
0x0098 |
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
/* AMD */
techniques used by bad guys to break software. If you want to protect your software from |
|
attack, you must first learn how real attacks are really carried out. |
|
#define AM29F800BB |
0x2258 |
This must-have book may shock you—and it will certainly educate you.Getting beyond the
#define AM29F800BT |
0x22D6 |
script kiddie treatment found in many hacking books, you will learn about
#define AM29LV800BB |
0x225B |
Why software exploit will continue to be a serious problem |
|
When network security mechanisms do not work |
|
/* Fujitsu */ |
|
Attack patterns |
0x22D7 |
#define MBM29LV650UE |
|
Reverse engineering |
0x22F6 |
#define MBM29LV320TE |
|
Classic attacks against server software
}
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
To wrap up our discussion of hardware, EEPROM chips remain a prime area for storing subversi
As more embedded devices become available, the EEPROM-based virus will be more applicable Rootkits
dangerous. Legitimate code exists that will query for EEPROM devices and perform operations.
Practitioners who wish to experiment with EEPROM code will need some test machines that hav Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
embedded EEPROM. Device driver code found in Linux and Windows provides plenty of fodder f software.
experiments.