nullcon Goa 2010 (http://nullcon.net)
Intelligent Debugging and In-Memory Fuzzers
By Vishwas Sharma, Amandeep Bharti, Rohan Thakur



typedef struct presentation {
    Basics of Debugging
    Scripted Debugging techniques
    In-Memory fuzzing technique
    Demo of
        o Scripted Debugging (function trace analysis)
        o In-Memory fuzzing (a Microsoft bug)
}

class Debugging {
    Loading / attaching a process in the debugging environment
    Types of debugging events
    Concept of breakpoints at the implementation level
        o Soft breakpoints
        o Hard breakpoints
        o Memory breakpoints
    Context (CPU registers)
    Hooking
        o Soft hooking
        o Hard hooking
    Concept of injection in debugging
}

func Attach/Load {
    HANDLE WINAPI OpenProcess (attaching)
        Returns a process handle
    BOOL WINAPI CreateProcess (loading)
        One of its output variables is the process handle of the loaded process
    BOOL WINAPI DebugActiveProcess
        Attaches the debugger to an active process
}

func DebugEvents {
    BOOL WINAPI WaitForDebugEvent
        Waits for any debugging event; if and when a particular debugging event is triggered, handle the event as you require
    BOOL WINAPI ContinueDebugEvent
        Continues looking for debugging events
    BOOL WINAPI DebugActiveProcessStop
        Detaches the process from the debugging environment
}

func DebugEvents {
    typedef struct _DEBUG_EVENT {
        DWORD dwDebugEventCode;
        DWORD dwProcessId;
        DWORD dwThreadId;
        union {
            EXCEPTION_DEBUG_INFO Exception;
                Event is thrown whenever an exception occurs in the application being debugged
            CREATE_THREAD_DEBUG_INFO CreateThread;
                Event is thrown when a thread is created in the process
            CREATE_PROCESS_DEBUG_INFO CreateProcessInfo;
                Event is thrown when a process is created
            EXIT_THREAD_DEBUG_INFO ExitThread;
                Event is triggered when a thread exits
            EXIT_PROCESS_DEBUG_INFO ExitProcess;
                Event is triggered when the process exits
            LOAD_DLL_DEBUG_INFO LoadDll;
                Event is thrown when a DLL is loaded
            UNLOAD_DLL_DEBUG_INFO UnloadDll;
                Event is thrown when a DLL is unloaded
            OUTPUT_DEBUG_STRING_INFO DebugString;
                Event occurs when the debuggee calls OutputDebugString to send debugging information to the debugger
            RIP_INFO RipInfo;
                Event is triggered if the process being debugged dies unexpectedly
        } u;
    } DEBUG_EVENT;
}

class Breakpoint {
    Loading / attaching a process in the debugging environment
    Types of debugging events
    Concept of breakpoints at the implementation level
        o Soft breakpoints
        o Hard breakpoints
        o Memory breakpoints
    Context (CPU registers)
    Hooking
        o Soft hooking
        o Hard hooking
    Concept of injection in debugging
}

Concept of breakpoints
Soft Breakpoint: A soft breakpoint is a single-byte instruction, INT3, that stops execution of the debugged process and passes control to the debugger's breakpoint exception handler.
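As an added example (not code from the talk), here is the byte-level bookkeeping a debugger such as PyDbg does for a soft breakpoint: save the original opcode, write INT3, and when the EXCEPTION_BREAKPOINT event arrives restore the byte, rewind EIP by one (the CPU has already executed the one-byte INT3) and set the trap flag so the breakpoint can be re-armed after a single step. The bytearray, its base address and the ctx dict are constructed stand-ins for the debuggee's code page and its thread CONTEXT.

```python
INT3 = 0xCC                         # opcode of the single-byte INT 3 instruction
EXCEPTION_BREAKPOINT = 0x80000003   # ExceptionCode delivered for INT 3
EXCEPTION_SINGLE_STEP = 0x80000004  # ExceptionCode delivered after a TF single-step
TRAP_FLAG = 0x100                   # EFLAGS.TF


class SoftBreakpoints:
    """Soft breakpoint bookkeeping for one debuggee (simulated memory)."""

    def __init__(self, memory, base):
        self.mem = memory      # bytearray standing in for the debuggee's code page
        self.base = base       # virtual address of memory[0]
        self.saved = {}        # address -> original opcode byte
        self.pending = None    # breakpoint waiting to be re-armed after a step

    def _off(self, addr):
        return addr - self.base

    def set(self, addr):
        """Save the original byte and overwrite it with INT3."""
        if addr not in self.saved:
            self.saved[addr] = self.mem[self._off(addr)]
            self.mem[self._off(addr)] = INT3

    def on_exception(self, code, ctx):
        """Handle an EXCEPTION_DEBUG_EVENT; ctx is the thread CONTEXT (eip, eflags).
        Returns True if the event belonged to one of our breakpoints."""
        if code == EXCEPTION_BREAKPOINT:
            addr = ctx["eip"] - 1        # the CPU already executed the 1-byte INT3
            if addr not in self.saved:
                return False             # not ours (e.g. the loader's initial break)
            self.mem[self._off(addr)] = self.saved[addr]   # put the real opcode back
            ctx["eip"] = addr            # rewind so the real instruction executes
            ctx["eflags"] |= TRAP_FLAG   # single-step past it, then re-arm
            self.pending = addr
            return True
        if code == EXCEPTION_SINGLE_STEP and self.pending is not None:
            self.mem[self._off(self.pending)] = INT3   # re-arm for the next hit
            ctx["eflags"] &= ~TRAP_FLAG
            self.pending = None
            return True
        return False
```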

Hard Breakpoint

Concept of breakpoints
Memory Breakpoint: This breakpoint can be triggered on execution, read or write operations performed during process execution.

Soft Hooking
Similar to setting a breakpoint, but we can control the thread context using our own scripting technique. With a hook you are really just extending a particular piece of code to run your hook and then return to the normal execution path.

Hardware Break Points
Hard hooking
Concept of injection in debugging

Python Offering
    ctypes - provides an interface between Python and the C language's data types, with the ability to call functions in DLLs
    PyDbg - provides a scripted debugging library
    Utils - provides a hooking library with crash-dump analysis functions
    IDAPython - time for Python to take control of IDA Pro

Python Offering
    Immlib - Immunity Debugger library for an OllyDbg-like experience with Python
    PyEmu - it's like running a process without actually running it; using this library we can test how the code would behave under certain circumstances
    PeachFuzz & Sulley - Python-based fuzzers with over 700 known exploit heuristics

In-Memory Fuzzing
Virtual space - As we know, the virtual address space is 4GB on a 32-bit system. This virtual address space is typically divided into two parts, user space (0x00000000-0x7fffffff) and kernel space (0x80000000-0xffffffff). Libraries are loaded into this virtual space in a flat memory model, i.e. contiguous rather than fragmented, purely for performance reasons.


In-Memory Fuzzing
Pages - The concept of pages is basic to the operating system. A page is the unit of address translation between virtual memory and physical memory, and is the minimum amount of space that can be allocated from physical to virtual space. There are specific page access options (protections) that Windows sets when a page is initialized.

In-Memory Fuzzing

In-Memory Fuzzing : Algo

function (data) { }                 // the target function being fuzzed

function in_mem_fuzz:
    if breakpoint hit == Function End:
        if snapshot_taken then restore_process
        virtual free the previously allocated address
    if breakpoint hit == Function Start:
        take process snapshot
        set breakpoint at function end
        addr = virtual allocate(datasize)
        mutated = mutate(data)
        write mutated data to addr
        change the [esp+4] variable to point at our mutated data location
        run function

function access_violation:
    print an access violation synopsis when an access violation is encountered
    restore process
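The algorithm above carried through as an added example (not the talk's code): one snapshot at function start, then per iteration allocate, mutate, write, redirect the first stack argument at [esp+4], run the function, report any access violation and roll the process back. SimProcess, its page map and parse_record are constructed stand-ins for the debuggee and the function under test, so the loop runs anywhere; in a real harness the read/write/alloc/free calls map onto ReadProcessMemory, WriteProcessMemory, VirtualAllocEx and VirtualFreeEx.

```python
import copy

class AccessViolation(Exception): pass          # raised by out-of-page reads

class SimProcess:   # constructed stand-in for a debuggee: pages, esp, alloc/free
    def __init__(self):
        self.mem = {}                            # page base address -> bytearray
        self.regs = {"esp": 0x0012FF00}
        self.next_alloc = 0x00400000
        self.mem[self.regs["esp"]] = bytearray(16)   # fake stack frame, zeroed
    def alloc(self, size):                       # stands in for VirtualAllocEx
        addr, self.next_alloc = self.next_alloc, self.next_alloc + 0x1000
        self.mem[addr] = bytearray(size)
        return addr
    def free(self, addr):                        # stands in for VirtualFreeEx
        self.mem.pop(addr, None)
    def read(self, addr, n):                     # ReadProcessMemory, bounds-checked
        for base, page in self.mem.items():
            if base <= addr and addr + n <= base + len(page):
                return bytes(page[addr - base:addr - base + n])
        raise AccessViolation("read of %d bytes at %#x" % (n, addr))
    def write(self, addr, data):                 # WriteProcessMemory (within one page)
        base = next(b for b, p in self.mem.items() if b <= addr < b + len(p))
        self.mem[base][addr - base:addr - base + len(data)] = data
    def read_u32(self, addr):
        return int.from_bytes(self.read(addr, 4), "little")

def parse_record(proc):   # constructed target: trusts a length field in its input
    ptr = proc.read_u32(proc.regs["esp"] + 4)    # first stack argument: data pointer
    count = proc.read_u32(ptr)                   # untrusted length prefix
    return proc.read(ptr + 4, count)             # overreads when count is too large

def in_mem_fuzz(proc, func, data, iterations):
    snapshot = copy.deepcopy((proc.mem, proc.regs))     # take snapshot at function start
    crashes = []
    for i in range(iterations):
        mutated = bytearray(data)
        mutated[i % len(mutated)] ^= 0xFF               # mutate(data): flip one byte
        addr = proc.alloc(len(mutated))                 # addr = virtual allocate(datasize)
        proc.write(addr, mutated)                       # write mutated data to addr
        proc.write(proc.regs["esp"] + 4, addr.to_bytes(4, "little"))  # [esp+4] -> addr
        try:
            func(proc)                                  # run function through to its end
        except AccessViolation as exc:
            crashes.append((i, bytes(mutated), str(exc)))   # access violation synopsis
        proc.mem, proc.regs = copy.deepcopy(snapshot)   # restore_process
        proc.free(addr)                                 # virtual free previous allocation
    return crashes
```

Flipping any byte of the four-byte length prefix in the sample record makes parse_record read past its page, which is exactly the kind of crash the access_violation handler reports before the process is restored.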

Demo


Demo

Binary Analysis of these functions
Integer overflow, then an undersized buffer will be allocated:

mov eax, [ebp+Points]    ; Integer overflow could happen here
lea eax, [edi+eax*2]     ; number of polygons + 2 * number of points
shl eax, 2               ; *4
push eax
mov ecx, esi
call                     ; MfEnumState::CreateRecordToModify(int)
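As an added illustration (not from the talk), the size computation above mirrored in 32-bit arithmetic next to the overflow check it lacks; the Points and polygon counts are constructed values chosen to make the wrap visible.

```python
MASK32 = 0xFFFFFFFF

def record_size_as_compiled(polygons, points):
    """Mirror the disassembly step by step, truncating to 32 bits as the CPU does."""
    eax = points & MASK32                   # mov eax, [ebp+Points]
    eax = (polygons + eax * 2) & MASK32     # lea eax, [edi+eax*2]
    eax = (eax << 2) & MASK32               # shl eax, 2
    return eax                              # value pushed to CreateRecordToModify

def record_size_checked(polygons, points):
    """Same formula with an overflow check; None means the request must be rejected."""
    if points < 0 or polygons < 0:
        return None
    size = (polygons + 2 * points) * 4      # Python ints do not wrap
    return size if size <= MASK32 else None
```

With 0x40000001 points the compiled arithmetic wraps to an 8-byte allocation, which is the undersized buffer the slide describes.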

Questions