201403 microsoft mvp com camp 2014-한주성

Reverse Engineering - Handle

Published in Technology
Transcript

  • 1. Who am I?
  • 2. Who am I?
  • 3. What is Reverse Engineering: Goal → Preparation → Decomposition and analysis → Derivation
  • 4. What is Reverse Engineering
    • Software Reverse Engineering (SRE): the work of recovering the design or implementation of a program for which no source code or related documentation is available. Used in security and in software development (antivirus, drivers?).
    • Dynamic Analysis, Static Analysis: distinguished by whether the analysis is system-based or code-based.
    • Why do so many engineers take up kernel debugging? To solve problems faster and more easily.
  • 5. What is Reverse Engineering
  • 6. Handle??
  • 7. View is Different: administrator, reverser, developer, ordinary user. Keep it simple!!
  • 8. SE (Security Engineer)
  • 9. Developer
    • A pointer to a resource!!
    • HANDLE h = CreateFile(L"C:\\unicode.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
  • 10. Developer
  • 11. Reverser
    • Object → Desktop Heap
    • EPROCESS → ObjectTable = _HANDLE_TABLE
    • _HANDLE_TABLE → _HANDLE_TABLE_ENTRY
    • OBJECT → _OBJECT_HEADER
    • _FILE_OBJECT → _PRIVATE_CACHE_MAP, _SECTION_OBJECT_POINTERS
  • 12. Reverser - Object
  • 13. Reverser – Desktop heap: Desktop Heap Monitor Version 8.1 (dheapmon) http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17782
  • 14. Reverser – EPROCESS
    • lkd> dt nt!_EPROCESS 850a33d0
    • ... (omitted) ...
    • +0x0f0 ExceptionPortValue : 0x8624a278
    • +0x0f0 ExceptionPortState : 0y000
    • +0x0f4 ObjectTable : 0xadde2388 _HANDLE_TABLE
    • ... (omitted) ...
    • lkd> dt _HANDLE_TABLE 0xadde2388
    • nt!_HANDLE_TABLE
    • +0x000 TableCode : 0xb1e8f000
    • +0x004 QuotaProcess : 0x850a33d0 _EPROCESS
    • ... (omitted) ...
  • 15. Reverser – HANDLE (WIN7)
    • lkd> dt _HANDLE_TABLE_ENTRY 84e343d0
    • nt!_HANDLE_TABLE_ENTRY
    • +0x000 Object : 0x84884171 Void
    • +0x000 ObAttributes : 0x84884171
    • +0x000 InfoTable : 0x84884171 _HANDLE_TABLE_ENTRY_INFO
    • +0x000 Value : 0x84884171
    • -----------------------------------------------
    • +0x004 GrantedAccess : 0xf00ff
    • +0x004 GrantedAccessIndex : 0xff
    • +0x006 CreatorBackTraceIndex : 0xf
    • +0x004 NextFreeTableEntry : 0xf00ff
    • lkd> .formats 0x84884171
    • Binary: 10000100 10001000 01000001 01110001
  • 16. Reverser – HANDLE (WIN8)
    • lkd> dt _HANDLE_TABLE_ENTRY ffffc000`0d45d0f0
    • ntdll!_HANDLE_TABLE_ENTRY
    • +0x000 VolatileLowValue : 0n-2305842090310893567
    • +0x000 LowValue : 0n-2305842090310893567
    • +0x000 InfoTable : 0xe00000d5`f2e00001 _HANDLE_TABLE_ENTRY_INFO
    • +0x000 Unlocked : 0y1
    • +0x000 RefCnt : 0y0000000000000000 (0)
    • +0x000 Attributes : 0y000
    • +0x000 ObjectPointerBits : 0y11100000000000000000000011010101111100101110 (0xe00000d5f2e)
    • lkd> dt _OBJECT_HEADER 0xe00000d5f2e0+ffff000000000000
    • ...
    • +0x030 Body : _QUAD
    • lkd> dt _FILE_OBJECT 0xe00000d5f2e0+ffff000000000000+30
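Slides 15 and 16 show the two handle-table-entry encodings side by side; the following is an added example (not from the talk) that decodes the exact values on those slides: on Win7 x86 the low three bits of `Object` are attribute flags and masking them off gives the `_OBJECT_HEADER`, on Win8 x64 `LowValue` is split into `Unlocked`, `RefCnt`, `Attributes` and the 44-bit `ObjectPointerBits`, which shifted left by 4 and OR-ed with the canonical prefix `ffff000000000000` gives the header, with `Body` (the `_FILE_OBJECT`) at +0x30. The Win7 body offset 0x18 is an assumption about the 32-bit `_OBJECT_HEADER` layout and is not on the slide.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows 7 x86: _HANDLE_TABLE_ENTRY.Object / ObAttributes union.
 * The low three bits of the pointer are per-handle attribute flags;
 * masking them off yields the _OBJECT_HEADER address. */
#define WIN7_ATTR_MASK 0x7u

static uint32_t win7_object_header(uint32_t entry) { return entry & ~WIN7_ATTR_MASK; }
static uint32_t win7_attributes(uint32_t entry)    { return entry & WIN7_ATTR_MASK; }
/* ASSUMPTION: 32-bit _OBJECT_HEADER places Body at +0x18 (not shown on the slide). */
static uint32_t win7_object_body(uint32_t entry)   { return win7_object_header(entry) + 0x18; }

/* Windows 8 x64: _HANDLE_TABLE_ENTRY.LowValue bit layout (from slide 16):
 *   bit 0       Unlocked
 *   bits 1-16   RefCnt (16 bits)
 *   bits 17-19  Attributes (3 bits)
 *   bits 20-63  ObjectPointerBits (44 bits) */
typedef struct {
    unsigned unlocked, refcnt, attributes;
    uint64_t object_pointer_bits, object_header, file_object;
} win8_entry;

/* WinDbg prints LowValue as a signed decimal (0n...); reinterpret it as raw bits. */
static uint64_t win8_raw_from_signed(int64_t low_value) { return (uint64_t)low_value; }

static win8_entry win8_decode(uint64_t low) {
    win8_entry e;
    e.unlocked   = (unsigned)(low & 0x1u);
    e.refcnt     = (unsigned)((low >> 1) & 0xFFFFu);
    e.attributes = (unsigned)((low >> 17) & 0x7u);
    e.object_pointer_bits = low >> 20;
    /* header = (ObjectPointerBits << 4) | ffff000000000000, as the slide's dt expression does */
    e.object_header = (e.object_pointer_bits << 4) | 0xffff000000000000ull;
    e.file_object   = e.object_header + 0x30;   /* _OBJECT_HEADER.Body at +0x030 */
    return e;
}

int main(void) {
    uint32_t w7 = 0x84884171u;   /* Object value from slide 15 */
    printf("Win7: header %08x body %08x attrs %u\n",
           win7_object_header(w7), win7_object_body(w7), win7_attributes(w7));
    win8_entry e = win8_decode(win8_raw_from_signed(-2305842090310893567LL)); /* slide 16 LowValue */
    printf("Win8: unlocked %u refcnt %u attrs %u header %016llx FILE_OBJECT %016llx\n",
           e.unlocked, e.refcnt, e.attributes,
           (unsigned long long)e.object_header, (unsigned long long)e.file_object);
    return 0;
}
```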
  • 17. Reverser: structure of the handle table and the file object
  • 18. Reverser: cache memory of the file object
  • 19. Reverser
    • lkd> dt _SECTION_OBJECT_POINTERS 0xffffe000`03ee2768
    • ntdll!_SECTION_OBJECT_POINTERS
    • +0x000 DataSectionObject : 0xffffe000`010ffcd0 Void
    • +0x008 SharedCacheMap : 0xffffe000`02e44b10 Void
    • +0x010 ImageSectionObject : (null)
    • lkd> dt nt!_SHARED_CACHE_MAP 0xffffe000`02e44b10
    • +0x000 NodeTypeCode : 0n767
    • +0x002 NodeByteSize : 0n520
    • +0x004 OpenCount : 1
    • +0x008 FileSize : _LARGE_INTEGER 0x296043
    • +0x010 BcbList : _LIST_ENTRY [ 0xffffe000`02e44b20 - 0xffffe000`02e44b20 ]
    • +0x020 SectionSize : _LARGE_INTEGER 0x400000
    • +0x028 ValidDataLength : _LARGE_INTEGER 0x0
    • +0x030 ValidDataGoal : _LARGE_INTEGER 0x296043
    • +0x038 InitialVacbs : [4] (null)
    • +0x058 Vacbs : 0xffffe000`03cdd5f0 -> (null)
    • lkd> dt _VACB 0xffffe000`003010f0
  • 20. The easy way: !process, !handle, !filecache, !object, !fileobj, !ca
  • 21. Software Reverse Engineering Tech Flow: operating systems, malware, rootkits, anti-debugging, incident response, forensics
  • 22. http://itka.kr allmnet@naver.com