-
See also the Binary analysis post. Windows uses the PE (Portable Executable) format for its executable files. This is a binary format which can be used as a… Imgur has a graphical overview (English, light 'xkcd' style).
-
Registers

General purpose registers

  x86   x64   Name             Description
  EAX   RAX   Accumulator      For results of calculations and return codes
  EBX   RBX   Base register    General purpose
  ECX   RCX   Count register   For number of iterations, often used for loops
  EDX   RDX   Data register    For data of calculations or a pointer to large data
  ESI   RSI   Source index     Pointer to a…
-
Keyboard functions
  CTRL+S     Find sequence of commands
  SHIFT+F9   Pass exception
-
ASLR

Address Space Layout Randomization is a technique which randomizes the addresses of the stack and the heap. If the addresses of functions are randomized (e.g. those of shared libraries like libc), then an attacker cannot use a predefined exploit with hard-coded addresses.

Linux
  Disable ASLR: echo 0 > /proc/sys/kernel/randomize_va_space
  Enable ASLR:  echo 2 > /proc/sys/kernel/randomize_va_space

In GDB, ASLR is…
-
In the return-to-libc post, we described the process of injecting a system call, with its parameters passed via environment variables, to start a new process. But this requires executing another program (which may not be available on the target). Instead of calling system we can call other instructions from somewhere in memory. But it would be…
-
Assume that we have detected a buffer overflow vulnerability, but we don't have enough space on the stack for our shellcode, or the binary's stack is marked as non-executable (DEP enabled). Then we can try to call a common library which is also loaded (like the PLT).

Walkthrough of a ret2lib attack

Before we start, disable ASLR as…
-
General purpose debugger. Hint: gdb disables ASLR by default.

Commands

General
  set disassembly-flavor intel/att

Process handling
  run                                runs a program without parameters
  run `python -c 'print("a")'`       runs a program with a parameter
  run < <(python -c 'print("a")')    runs a program and enters the given string into STDIN
  c                                  continue
  si                                 step one instruction

Breakpoints
  break $f…
-
See also the Buffer Overflow post.

Execute shellcode

Scenario: You have shellcode. You want to run it to analyze it in a debugger.

On Windows: Add the shellcode after the breakpoint, compile it with
  i686-w64-mingw32-cc s.c -o s.exe
  x86_64-w64-mingw32-cc s.c -o s.exe
and run it in a debugger.

On Linux: Add the shellcode after the breakpoint, compile it with gcc [-m32] s.c…
-
PE (Portable Executable) or DLL (Dynamic Link Library) files can be edited to remove or add capabilities or your own code.

Read and modify a PE file

The following Python 3 script reads a file, prints a header field, modifies it to remove ASLR and writes a new file without this flag.

  import pefile
  f = pefile.PE('filename.exe')
  print(hex(f.OPTIONAL_HEADER.DllCharacteristics))  # print as hex to…
-
Simple protection

A packer can be used to "optimize" / "compress" a binary, which on the other hand also makes it harder to debug. A packer removes unnecessary information, and the minification can also lead to obfuscation to some extent. A standard tool is UPX. Minimize a binary with upx -9 bin.elf.

Advanced protection

Obfuscation…
-
This post describes methods to transform/obfuscate/minimize Linux ELF files.

sstrip

The sections are used for debugging and are not necessary for a program's execution. The command sstrip removes all sections from the file:
  sstrip bin.elf
Afterwards it can be verified with readelf --sections bin.elf that there are no sections left in the file.
-
Concepts

A segment is a piece of information which is mapped into the memory (of a process). An ELF binary can have zero or multiple segments. It also defines where the OS should put it into memory. Each segment has a Program Header which describes the sections within. A section is a distinctive…
-
Overwrite functions with LD_PRELOAD

The LD_PRELOAD environment variable allows injecting a library which is loaded before the program's libraries. This means that it is possible to redirect the execution flow to an injected function via your own shared library object.
-
This page collects tools for the Linux Executable and Linking Format (ELF) with some basic commands.

checksec.sh
  Shows which exploit mitigations a program has. (Source)
  ./checksec.sh --file file.elf

GDB
  See the gdb post.

Objdump
  Objdump shows information about a binary (object) file.
  Show the assembly code of an ELF file: objdump -d bin.elf
  Show all symbols (e.g.…
-
Addresses within the memory are referenced with @.

General

Start with directly analysing all referenced code:
  r2 -A $file
  ...
  e emu.str = true

Start with the debugger enabled (only when I want to execute the program):
  r2 -AA -e dbg.follow.child=true -e dbg.forks=true -d $file
  ...
  e emu.str = true

Fork parameter: If the process forks, the debugger halts. Type…
-
General tools

Imaging tools

dd, of course. Note that it makes sense to set the proper block size (sometimes 4k, but most hard drives use 512), so that, when an error occurred, the exact sector is shown, which can afterwards be skipped.
  dd if=/dev/sda of=/external/file.md5 bs=512

ewfacquire
  sudo ewfacquire /dev/sda
Advantages:

aff4
  advanced forensic…
-
Check also IDEs like IntelliJ, Visual Studio, Eclipse, …