nullcon 2010 - Intelligent debugging and in memory fuzzing

Description: nullcon 2010 - Intelligent debugging and in memory fuzzing, by Amandeep Bharti & Vishwas Sharma

Page 1: nullcon 2010 - Intelligent debugging and in memory fuzzing

nullcon Goa 2010 http://nullcon.net

Intelligent Debugging and in-memory Fuzzers

By Vishwas Sharma Amandeep Bharti

Rohan Thakur

Page 2: nullcon 2010 - Intelligent debugging and in memory fuzzing

typedef struct presentation {
    • Basics of Debugging
    • Scripted Debugging techniques
    • In-Memory fuzzing Technique
    • Demo of
        o Scripted Debugging (function trace analysis)
        o In-Memory fuzzing (A Microsoft bug.)
}

Page 3: nullcon 2010 - Intelligent debugging and in memory fuzzing

class Debugging {
    • Loading / attaching a process in the debugging environment
    • Types of Debugging Events
    • Concept of breakpoints at implementation level
        o Soft Breakpoints
        o Hard Breakpoints
        o Memory Breakpoints
    • Context (CPU registers)
    • Hooking
        o Soft Hooking
        o Hard Hooking
    • Concept of injection in debugging
}

Page 4: nullcon 2010 - Intelligent debugging and in memory fuzzing

func Attach/Load {
    HANDLE WINAPI OpenProcess        (Attaching)  Returns a process handle
    BOOL WINAPI CreateProcess        (Loading)    One of the output variables is the process handle of the loaded process
    BOOL WINAPI DebugActiveProcess   Attaches the debugger to an already running process
}

Page 5: nullcon 2010 - Intelligent debugging and in memory fuzzing

func DebugEvents {
    BOOL WINAPI WaitForDebugEvent        Wait for any debugging event; if and when a particular debugging event is triggered, handle the event as you require
    BOOL WINAPI ContinueDebugEvent       Continue looking for debugging events
    BOOL WINAPI DebugActiveProcessStop   Detach the process from the debugging environment
}

Page 6: nullcon 2010 - Intelligent debugging and in memory fuzzing

func DebugEvents {
typedef struct _DEBUG_EVENT {
    DWORD dwDebugEventCode;
    DWORD dwProcessId;
    DWORD dwThreadId;
    union {
        EXCEPTION_DEBUG_INFO Exception;               // thrown whenever an exception occurs in the application being debugged
        CREATE_THREAD_DEBUG_INFO CreateThread;        // thrown when a thread is created in the process
        CREATE_PROCESS_DEBUG_INFO CreateProcessInfo;  // thrown when a process is created
        EXIT_THREAD_DEBUG_INFO ExitThread;            // triggered when a thread exits
        EXIT_PROCESS_DEBUG_INFO ExitProcess;          // triggered when the process exits

Page 7: nullcon 2010 - Intelligent debugging and in memory fuzzing

func DebugEvents {
        LOAD_DLL_DEBUG_INFO LoadDll;                  // thrown when a DLL is loaded
        UNLOAD_DLL_DEBUG_INFO UnloadDll;              // thrown when a DLL is unloaded
        OUTPUT_DEBUG_STRING_INFO DebugString;         // occurs when the debuggee calls OutputDebugString to send debugging information to a debugger
        RIP_INFO RipInfo;                             // triggered if the process being debugged dies unexpectedly
    } u;
} DEBUG_EVENT;
}

Page 8: nullcon 2010 - Intelligent debugging and in memory fuzzing

class Breakpoint {
    • Loading / attaching a process in the debugging environment
    • Types of Debugging Events
    • Concept of breakpoints at implementation level
        o Soft Breakpoints
        o Hard Breakpoints
        o Memory Breakpoints
    • Context (CPU registers)
    • Hooking
        o Soft Hooking
        o Hard Hooking
    • Concept of injection in debugging
}

Page 9: nullcon 2010 - Intelligent debugging and in memory fuzzing

Concept of breakpoints

• Soft Breakpoint:-

A soft breakpoint is a single-byte instruction, INT3 that stops execution of the debugged process and passes control to the debugger’s breakpoint exception handler.

Page 10: nullcon 2010 - Intelligent debugging and in memory fuzzing

Hard Breakpoint

Page 11: nullcon 2010 - Intelligent debugging and in memory fuzzing

Concept of breakpoints

• Memory Breakpoint:-

This breakpoint can be triggered on Execution, Read or Write operations performed during the process execution.

Page 12: nullcon 2010 - Intelligent debugging and in memory fuzzing

Soft Hooking

Similar to setting a breakpoint, but we can control the thread context using our own scripting technique. With a hook you are really just extending a particular piece of code to run your hook and then return to the normal execution path.

Page 13: nullcon 2010 - Intelligent debugging and in memory fuzzing

Hardware Break Points

• Hard hooking

• Concept of injection in debugging

Page 14: nullcon 2010 - Intelligent debugging and in memory fuzzing

Python Offering

• Ctypes - provides an interface between Python and C data types, with the ability to call functions in DLLs

• Pydbg - provides a scriptable debugging library

• Utils - provides a hooking library with crash dump analysis functions

• IDAPython - time for Python to take control of IDA Pro

Page 15: nullcon 2010 - Intelligent debugging and in memory fuzzing

Python offering

• Immlib - Immunity Debugger library, for an OllyDbg-like experience with Python

• PyEmu - it's like running a process without actually running it; using this library we can test how the code would behave under certain circumstances

• PeachFuzz & Sulley - Python-based fuzzers with over 700 known exploit heuristics

Page 16: nullcon 2010 - Intelligent debugging and in memory fuzzing

In-Memory Fuzzing

• Virtual space - As we know, the virtual address space is 4GB on a 32-bit system. This virtual address space is typically divided into two parts: user space (0x00000000 - 0x7fffffff) and kernel space (0x80000000 - 0xffffffff). Libraries are loaded into this virtual space in a flat memory model, i.e. contiguous rather than fragmented, purely for performance reasons.

Page 17: nullcon 2010 - Intelligent debugging and in memory fuzzing

Page 18: nullcon 2010 - Intelligent debugging and in memory fuzzing

In-Memory Fuzzing

• Pages - The concept of pages is basic to the operating system. A page is the unit of address translation between virtual memory and physical memory, and is the minimum amount of space that can be allocated from physical to virtual space. There are specific page access options that Windows sets during the initialization of a page.

Page 19: nullcon 2010 - Intelligent debugging and in memory fuzzing

In-Memory Fuzzing

Page 20: nullcon 2010 - Intelligent debugging and in memory fuzzing

In-Memory Fuzzing : Algo

function (data) {
}

function in_mem_fuzz
    if breakpoint hit = Function End
        if snapshot_taken then
            restore_process
            virtual free previous allocated address
    if breakpoint hit = Function Start

Page 21: nullcon 2010 - Intelligent debugging and in memory fuzzing

        take snapshot
        set breakpoint at function end
        addr = virtual allocate(datasize)
        mutate = mutate(data)
        write mutated data to addr
        change esp+4 variable to our mutated data location
        process snapshot
        run function

Page 22: nullcon 2010 - Intelligent debugging and in memory fuzzing

function access_violation:
    when encounter access violation
        Print access violation synopsis
        restore process
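The algorithm on pages 20 to 22 mapped onto pydbg, as an added example that is not the presenters' code: the debugger object is assumed to expose pydbg's bp_set, set_callback, process_snapshot/process_restore, virtual_alloc/virtual_free, write_process_memory, context.Esp and dump_context as I know that API, the byte-flip mutator is my own, and the target, its function addresses and the seed input are left to the caller. The pure-Python helpers run anywhere; the loop itself needs Windows and pydbg.

```python
import random
import struct

# Win32 values fixed by the SDK; pydbg.defines exports the same names.
DBG_CONTINUE = 0x00010002
EXCEPTION_ACCESS_VIOLATION = 0xC0000005
MEM_COMMIT, MEM_RELEASE, PAGE_READWRITE = 0x1000, 0x8000, 0x04

def mutate(data, seed):
    """Deterministic mutator: XOR a few bytes with a non-zero value, keeping the length."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(max(1, len(buf) // 16)):
        buf[rng.randrange(len(buf))] ^= rng.randrange(1, 256)
    return bytes(buf)

def first_arg_patch(esp, new_ptr):
    """At function entry [esp] is the return address and [esp+4] the first argument."""
    return esp + 4, struct.pack("<I", new_ptr)

class InMemoryFuzzer(object):
    """Slide algorithm: snapshot, allocate, mutate, redirect [esp+4], run, restore."""
    def __init__(self, dbg, func_start, func_end, seed_data):
        self.dbg, self.end, self.seed_data = dbg, func_end, seed_data
        self.iteration, self.buf_addr = 0, None
        dbg.bp_set(func_start, handler=self.on_start)
        dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, self.on_access_violation)

    def on_start(self, dbg):
        if self.buf_addr is None:  # first hit: capture the state every iteration returns to
            dbg.process_snapshot()  # pydbg rewinds EIP to the entry before the handler runs
            dbg.bp_set(self.end, handler=self.on_end)
        else:
            dbg.virtual_free(self.buf_addr, 0, MEM_RELEASE)  # free the previous iteration's buffer
        data = mutate(self.seed_data, self.iteration)
        self.iteration += 1
        self.buf_addr = dbg.virtual_alloc(None, len(data), MEM_COMMIT, PAGE_READWRITE)
        dbg.write_process_memory(self.buf_addr, data)
        where, ptr = first_arg_patch(dbg.context.Esp, self.buf_addr)
        dbg.write_process_memory(where, ptr)  # the function now runs on our mutated buffer
        return DBG_CONTINUE

    def on_end(self, dbg):
        dbg.process_restore()  # back to the snapshot; the entry breakpoint fires again
        return DBG_CONTINUE

    def on_access_violation(self, dbg):
        print(dbg.dump_context())  # synopsis: registers, faulting address, stack
        dbg.process_restore()
        return DBG_CONTINUE
```

To drive it under pydbg on Windows, create the pydbg object, load or attach the target, construct InMemoryFuzzer with the function's entry and return addresses (taken from IDA) and a valid seed input, then call run() on the debugger. Each access violation is printed and the loop continues from the snapshot, which is what makes the approach fast compared with restarting the process.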

Page 23: nullcon 2010 - Intelligent debugging and in memory fuzzing

Demo

Page 24: nullcon 2010 - Intelligent debugging and in memory fuzzing

Page 25: nullcon 2010 - Intelligent debugging and in memory fuzzing

Page 26: nullcon 2010 - Intelligent debugging and in memory fuzzing

Page 27: nullcon 2010 - Intelligent debugging and in memory fuzzing

Demo

Page 28: nullcon 2010 - Intelligent debugging and in memory fuzzing

Binary Analysis of these functions

If the integer overflows, an undersized buffer will be allocated:

    mov  eax, [ebp+Points]
    ; Integer overflow could happen here
    lea  eax, [edi+eax*2]    ; number of polygons + 2 * number of points
    shl  eax, 2              ; *4
    push eax
    mov  ecx, esi
    call ?CreateRecordToModify@MfEnumState@@IAEHH@Z    ; MfEnumState::CreateRecordToModify(int)
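Added example, not from the slides: the size computation above replayed in Python with 32-bit wraparound, beside a checked version that rejects counts whose byte size does not fit the register. The polygon and point counts are constructed to show the wrap.

```python
MASK32 = 0xFFFFFFFF

def record_size_as_compiled(polygons, points):
    """Replays the listing with 32-bit wraparound:
    lea eax,[edi+eax*2]  ->  eax = polygons + 2*points
    shl eax,2            ->  eax = eax * 4   (both truncated to 32 bits)."""
    eax = (polygons + 2 * points) & MASK32
    eax = (eax << 2) & MASK32
    return eax

def record_size_checked(polygons, points):
    """Same arithmetic, but returns None whenever the true byte count would not fit in
    32 bits, instead of a wrapped (undersized) size."""
    if polygons < 0 or points < 0:
        return None
    entries = polygons + 2 * points
    if entries > MASK32 // 4:  # entries * 4 would exceed 32 bits
        return None
    return entries * 4

def demo():
    """Constructed counts: the compiled code asks for 16 bytes, the data needs about 8 GiB."""
    polygons, points = 4, 0x40000000
    wrapped = record_size_as_compiled(polygons, points)
    needed = (polygons + 2 * points) * 4
    return wrapped, needed, record_size_checked(polygons, points)
```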

Page 29: nullcon 2010 - Intelligent debugging and in memory fuzzing

Questions