View
2.599
Download
4
Embed Size (px)
DESCRIPTION
nullcon 2010 - Intelligent debugging and in memory fuzzing by Amandeep Bharti & Vishwas Sharma
Citation preview
nullcon Goa 2010 http://nullcon.net
Intelligent Debugging and in-memory Fuzzers
By Vishwas Sharma Amandeep Bharti
Rohan Thakur
nullcon Goa 2010 http://nullcon.net
typedef struct presentation {
• Basics of Debugging• Scripted Debugging techniques• In-Memory fuzzing Technique• Demo of
o Scripted Debugging (function trace analysis)o In-Memory fuzzing (A Microsoft bug.)
}
nullcon Goa 2010 http://nullcon.net
class Debugging {• Loading / attaching process in debugging enviornment• Types of Debugging Events• Concept of breakpoint at implementation level
o Soft Breakpointso Hard Breakpointso Memory Breakpoints
• Context (CPU registers)• Hooking
o Soft Hookingo Hard Hooking
• Concept of injection in debugging }
nullcon Goa 2010 http://nullcon.net
func Attach/Load {HANDLE WINAPI OpenProcess (Attaching)Return process handler
BOOL WINAPI CreateProcess (Loading)One of the output variable is process handler of loaded process
BOOL WINAPI DebugActiveProcess Attach to an active process
nullcon Goa 2010 http://nullcon.net
func DebugEvents {BOOL WINAPI WaitForDebugEventWait for any debugging event if and when a perticular debugging event is triggered handle the event as you require BOOL WINAPI ContinueDebugEvent Continue Looking for debugging events BOOL WINAPI DebugActiveProcessStop Detach to process from debugging enviornment
nullcon Goa 2010 http://nullcon.net
func DebugEvents {typedef struct _DEBUG_EVENT { DWORD dwDebugEventCode;DWORD dwProcessId;DWORD dwThreadId;union {EXCEPTION_DEBUG_INFO Exception;Event is thrown whenever an exception occurs in the application being debugged.
CREATE_THREAD_DEBUG_INFO CreateThread;Event is thrown when thread is created in the process
CREATE_PROCESS_DEBUG_INFO CreateProcessInfo;Event is thrown when a process is created
EXIT_THREAD_DEBUG_INFO ExitThread;Event is Triggered when Thread Exits
EXIT_PROCESS_DEBUG_INFO ExitProcess;Event is Triggered when Process Exits
nullcon Goa 2010 http://nullcon.net
func DebugEvents {LOAD_DLL_DEBUG_INFO LoadDll;Event is thrown when a dll is Loaded
UNLOAD_DLL_DEBUG_INFO UnloadDll;Event is thrown when a dll is unloaded
OUTPUT_DEBUG_STRING_INFO DebugString;Event occurs when the debugee calls the API call OutputDebugString to send debugging information to a debugger
RIP_INFO RipInfo;Event is triggered if your process being debugged dies unexpectedly
nullcon Goa 2010 http://nullcon.net
class Breakpoint {• Loading / attaching process in debugging enviornment• Types of Debugging Events• Concept of breakpoint at implementation level
o Soft Breakpointso Hard Breakpointso Memory Breakpoints
• Context (CPU registers)• Hooking
o Soft Hookingo Hard Hooking
• Concept of injection in debugging }
nullcon Goa 2010 http://nullcon.net
Concept of breakpoints
• Soft Breakpoint:-
A soft breakpoint is a single-byte instruction, INT3 that stops execution of the debugged process and passes control to the debugger’s breakpoint exception handler.
nullcon Goa 2010 http://nullcon.net
Hard Breakpoint
nullcon Goa 2010 http://nullcon.net
Concept of breakpoints
• Memory Breakpoint:-
This breakpoint can be triggered on Execution, Read or Write operations performed during the process execution.
nullcon Goa 2010 http://nullcon.net
Soft Hooking
Similar to setting a breakpoint but we can control
The thread context using our own scripting
techinque.
The hook you are really just extending a particular
piece of code to run your hook and then return to
the normal execution path.
nullcon Goa 2010 http://nullcon.net
Hardware Break Points
• Hard hooking
• Concept of injection in debugging
nullcon Goa 2010 http://nullcon.net
Python Offering
• Ctypes - which provides us interface between c type programming language and data types with ability to call function in Dll
• Pydbg - which provides us scripting debugging library
• Utils - Which provide us hooking library with crash dump analysis function
• IDAPython - Time for python to take control of IDA Pro
nullcon Goa 2010 http://nullcon.net
Python offering
• Immlib - Immunity debugger library for Ollydbg like experience with python
• PyEmu - It’s like running a process without actually running it. Using this library we can test how the code would behave under certain circumstances.
• PeachFuzz & Sulley - An python based fuzzer with over 700 known exploit heuristics
nullcon Goa 2010 http://nullcon.net
In-Memory Fuzzing
• Virtual space - As we know that it is the virtual address space 4GB for 32 bit system. This virtual address space is typically divided into two parts user space (0x00000000 - 0x7fffffff) and kernel space (0x80000000-0xffffffff). Libraries is loaded into this virtual space in a flat memory model i.e. contiguous rather than fragmented - Purely performance reasons.
nullcon Goa 2010 http://nullcon.net
nullcon Goa 2010 http://nullcon.net
In-Memory Fuzzing
• Pages - The concept of pages is basic to operating system. A page is the address translation between the virtual memory and physical memory and is the minimum amount of space that can be allocated from the physical to virtual space. There are specific paging access options that Windows set during the initialization of page.
nullcon Goa 2010 http://nullcon.net
In-Memory Fuzzing
nullcon Goa 2010 http://nullcon.net
In-Memory Fuzzing : Algofunction (data) {
}
function in_mem_fuzz
if breakpoint hit = Function End
if snapshot_taken then
restore_process
virtual free previous allocated address
if breakpoint hit = Function Start
nullcon Goa 2010 http://nullcon.net
take snapshot
set breakpoint at function end
addr = virtual allocate(datasize)
mutate = mutate(data)
write mutated data to addr
change esp+4 variable to our mutated data location
process snapshot
run funnction
nullcon Goa 2010 http://nullcon.net
function access_voilation:
Print access violation synopsis
when encounter access violation
restore process
nullcon Goa 2010 http://nullcon.net
Demo
nullcon Goa 2010 http://nullcon.net
nullcon Goa 2010 http://nullcon.net
nullcon Goa 2010 http://nullcon.net
nullcon Goa 2010 http://nullcon.net
Demo
nullcon Goa 2010 http://nullcon.net
Binary Analysis of these functions
Integer overflow then a undersized buffer will be allocated
mov eax, [ebp+Points]
;Integer Overflow could happen here
lea eax, [edi+eax*2] ; number of polygons + 2 * number of points
shl eax, 2 ; *4
push eax
mov ecx, esi
call ?CreateRecordToModify@MfEnumState@@IAEHH@Z ;MfEnumState::CreateRecordToModify(int)
nullcon Goa 2010 http://nullcon.net
Questions