Presentation is loading. Please wait.

Presentation is loading. Please wait.

IDA Pr0wned Jason Geffner, NGS 8/25/10.

Published byKeshawn Milnor Modified over 9 years ago

Similar presentations

Presentation on theme: "IDA Pr0wned Jason Geffner, NGS 8/25/10."— Presentation transcript:

1 IDA Pr0wned Jason Geffner, NGS jason@ngssoftware.com 8/25/10

2 BACKGROUND “The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation.” -- http://hex-rays.com/idapro/overview.htmhttp://hex-rays.com/idapro/overview.htm

3 HOW IDA LOADS FILES IDA supports dozens of file formats One DLL per file format in IDA’s “loaders” subdirectory Each DLL exports the following two functions: accept_file(…) – Does loader recognize file format? load_file(…) – Load the file into the database

4 HOW IDA LOADS FILES IDA calls each loader DLL’s accept_file(…) function on the input file IDA then asks the user which loader to use to load the file

5 Loaders

6 QNX “QNX is a commercial Unix-like real-time operating system, aimed primarily at the embedded systems market.” -- http://en.wikipedia.org/wiki/QNXhttp://en.wikipedia.org/wiki/QNX IDA Pro includes a QNX program file loader A code snippet from its accept_file(…) function follows…

7 for (uint32 at = sizeof(ex.lmf_header) + ex.lmf_header.data_nbytes; lmf_data.segment_index != _LMF_EOF_REC; at += sizeof(lmf_data) + lmf_data.offset) { qlseek( li, at, 0 ); if ( sizeof(_lmf_data) != qlread( li, &lmf_data, sizeof(_lmf_data) ) ) return 0; switch(lmf_data.segment_index) {... case _LMF_COMMENT_REC: break;... } The data for all structures below are read in from the input file. Code below iterates through each “ ex.lmf_data ” structure in the input file, advancing the file pointer based on “ sizeof(lmf_data) + lmf_data.offset ”. However, if “ lmf_data.offset ” == “ -sizeof(lmf_data) ” then “ at ” is never increased and this code will run in an infinite loop.

8 The code below shows the checks made before the vulnerable loop. The structure to the right shows the fields with required values.

9 We can make a COM file containing raw 16-bit assembly code. The NTVDM (NT Virtual DOS Machine) initializes AX to 0x0000, but since we’re in virtualized real-mode, we can write to that address without throwing an exception.

10 DEMO Running the COM file Opening the COM file in IDA Pro

11 ICING ON THE CAKE We can rename the.com file to a.exe file and Windows will still run it (and IDA will still fail to load it)

12 Q & A

Download ppt "IDA Pr0wned Jason Geffner, NGS 8/25/10."

Similar presentations

PC Operating Systems in Review lesson 12. UNIX DOS The Macintosh Operating System Windows 3.x OS/2 Warp Windows NT Windows 95 and 98 Linux Windows 2000.

PC Operating Systems in Review lesson 12. UNIX DOS The Macintosh Operating System Windows 3.x OS/2 Warp Windows NT Windows 95 and 98 Linux Windows 2000.
OPERATING SYSTEM An operating system is a group of computer programs that coordinates all the activities among computer hardware devices. It is the first.

OPERATING SYSTEM An operating system is a group of computer programs that coordinates all the activities among computer hardware devices. It is the first.
Chapter 2 How Hardware and Software Work Together.

Chapter 2 How Hardware and Software Work Together.
Lesson 4 0x004 100 Operating Systems.

Lesson 4 0x Operating Systems.
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
DEV300: A Tiny CPU and OS in C# Scott Hanselman Technology Evangelist/Architect Corillian Corporation

DEV300: A Tiny CPU and OS in C# Scott Hanselman Technology Evangelist/Architect Corillian Corporation
COMPUTER PROGRAMMING I Essential Standard 5.02 Understand Breakpoint, Watch Window, and Try And Catch to Find Errors.

COMPUTER PROGRAMMING I Essential Standard 5.02 Understand Breakpoint, Watch Window, and Try And Catch to Find Errors.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Drives, Directories and Files. A computer file is a block of arbitrary information, or resource for storing information. Computer files can be considered.

Drives, Directories and Files. A computer file is a block of arbitrary information, or resource for storing information. Computer files can be considered.
Lab6 – Debug Assembly Language Lab

Lab6 – Debug Assembly Language Lab
Linux vs. Windows. Linux  Linux was originally built by Linus Torvalds at the University of Helsinki in 1991.  Linux is a Unix-like, Kernal-based, fully.

Linux vs. Windows. Linux  Linux was originally built by Linus Torvalds at the University of Helsinki in  Linux is a Unix-like, Kernal-based, fully.
Chapter 6 In introduction to System Software and Virtual Machine ***Assembly Language.

Chapter 6 In introduction to System Software and Virtual Machine ***Assembly Language.
Wednesday, June 07, 2006 “Unix is user friendly … it’s just picky about it’s friends”. - Anonymous.

Wednesday, June 07, 2006 “Unix is user friendly … it’s just picky about it’s friends”. - Anonymous.
INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.

INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.
Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.

Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.
Systems Software Operating Systems.

Systems Software Operating Systems.
Types of software. Sonam Dema..

Types of software. Sonam Dema..
To run the program: To run the program: You need the OS: You need the OS:

To run the program: To run the program: You need the OS: You need the OS:
Computer Software. Evolution of Programming Languages Machine Languages Assembly Languages High-Level Languages Fourth-Generation Languages.

Computer Software. Evolution of Programming Languages Machine Languages Assembly Languages High-Level Languages Fourth-Generation Languages.

Similar presentations

Ads by Google