201403 microsoft mvp com camp 2014-한주성
Reverse Engineering - Handle
201403 microsoft mvp com camp 2014-한주성 Presentation Transcript

  • 1. Who am I?
  • 2. Who am I?
  • 3. What is Reverse Engineering: goal, preparation, disassembly and analysis, derivation
  • 4. What is Reverse Engineering • Software Reverse Engineering (SRE): the work of finding out the design or implementation of a program for which no source code or related documents are available; used in security and in software development (antivirus, drivers?) • Dynamic Analysis, Static Analysis: distinguished by whether the analysis is system-based or code-based • Why do so many engineers take up kernel debugging? To solve problems faster and more easily
  • 5. What is Reverse Engineering
  • 6. Handle??
  • 7. View is Different: administrator, reverser, developer, general user. Keep it easy!!
  • 8. SE(Security Engineer)
  • 9. Developer • A resource pointer!!
        HANDLE h = CreateFile(L"C:\\unicode.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
  • 10. Developer
  • 11. Reverser • Object -> Desktop Heap • EPROCESS -> ObjectTable = _HANDLE_TABLE • _HANDLE_TABLE -> _HANDLE_TABLE_ENTRY • OBJECT -> _OBJECT_HEADER • _FILE_OBJECT -> _PRIVATE_CACHE_MAP, _SECTION_OBJECT_POINTERS
  • 12. Reverser - Object
  • 13. Reverser – Desktop heap: Desktop Heap Monitor Version 8.1 (dheapmon) http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17782
  • 14. Reverser – EPROCESS
        lkd> dt nt!_EPROCESS 850a33d0
        ..........(omitted)
           +0x0f0 ExceptionPortValue : 0x8624a278
           +0x0f0 ExceptionPortState : 0y000
           +0x0f4 ObjectTable : 0xadde2388 _HANDLE_TABLE
        ..........(omitted)
        lkd> dt _HANDLE_TABLE 0xadde2388
        nt!_HANDLE_TABLE
           +0x000 TableCode : 0xb1e8f000
           +0x004 QuotaProcess : 0x850a33d0 _EPROCESS
        ..........(omitted)
  • 15. Reverser – HANDLE(WIN7)
        lkd> dt _HANDLE_TABLE_ENTRY 84e343d0
        nt!_HANDLE_TABLE_ENTRY
           +0x000 Object : 0x84884171 Void
           +0x000 ObAttributes : 0x84884171
           +0x000 InfoTable : 0x84884171 _HANDLE_TABLE_ENTRY_INFO
           +0x000 Value : 0x84884171
           -----------------------------------------------
           +0x004 GrantedAccess : 0xf00ff
           +0x004 GrantedAccessIndex : 0xff
           +0x006 CreatorBackTraceIndex : 0xf
           +0x004 NextFreeTableEntry : 0xf00ff
        lkd> .formats 0x84884171
          Binary: 10000100 10001000 01000001 01110001
  • 16. Reverser – HANDLE(WIN8)
        lkd> dt _HANDLE_TABLE_ENTRY ffffc000`0d45d0f0
        ntdll!_HANDLE_TABLE_ENTRY
           +0x000 VolatileLowValue : 0n-2305842090310893567
           +0x000 LowValue : 0n-2305842090310893567
           +0x000 InfoTable : 0xe00000d5`f2e00001 _HANDLE_TABLE_ENTRY_INFO
           +0x000 Unlocked : 0y1
           +0x000 RefCnt : 0y0000000000000000 (0)
           +0x000 Attributes : 0y000
           +0x000 ObjectPointerBits : 0y11100000000000000000000011010101111100101110 (0xe00000d5f2e)
        lkd> dt _OBJECT_HEADER 0xe00000d5f2e0+ffff000000000000
        ...
           +0x030 Body : _QUAD
        lkd> dt _FILE_OBJECT 0xe00000d5f2e0+ffff000000000000+30
  • 17. Reverser • Structure of the handle table and the file object
  • 18. Reverser • The file object's cache memory
  • 19. Reverser
        lkd> dt _SECTION_OBJECT_POINTERS 0xffffe000`03ee2768
        ntdll!_SECTION_OBJECT_POINTERS
           +0x000 DataSectionObject : 0xffffe000`010ffcd0 Void
           +0x008 SharedCacheMap : 0xffffe000`02e44b10 Void
           +0x010 ImageSectionObject : (null)
        lkd> dt nt!_SHARED_CACHE_MAP 0xffffe000`02e44b10
           +0x000 NodeTypeCode : 0n767
           +0x002 NodeByteSize : 0n520
           +0x004 OpenCount : 1
           +0x008 FileSize : _LARGE_INTEGER 0x296043
           +0x010 BcbList : _LIST_ENTRY [ 0xffffe000`02e44b20 - 0xffffe000`02e44b20 ]
           +0x020 SectionSize : _LARGE_INTEGER 0x400000
           +0x028 ValidDataLength : _LARGE_INTEGER 0x0
           +0x030 ValidDataGoal : _LARGE_INTEGER 0x296043
           +0x038 InitialVacbs : [4] (null)
           +0x058 Vacbs : 0xffffe000`03cdd5f0 -> (null)
        lkd> dt _VACB 0xffffe000`003010f0
  • 20. Easy way • !process • !handle • !filecache • !object • !fileobj • !ca
  • 21. Software Reverse Engineering Tech Flow: operating systems; malware, rootkits, anti-debugging; incident response, forensics
  • 22. http://itka.kr allmnet@naver.com
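Added example, not from the slides or their author: a small C program that decodes the raw handle table entry values shown on slides 15 and 16 into the object header and body addresses the debugger session reaches by hand. The Win8 x64 bit layout of LowValue (Unlocked 1 bit, RefCnt 16 bits, Attributes 3 bits, ObjectPointerBits 44 bits) and the +0x030 Body offset come from the slide's dt output. Two things are assumptions from public symbols and Windows Internals rather than from the page: that nt!_OBJECT_HEADER.Body sits at +0x018 on Win7 x86, and the meaning of the three low bits of the Win7 entry (lock bit, inherit, audit on close). Running it on the two values from the slides reproduces the addresses the slides pass to dt.

```c
/* Decode raw nt!_HANDLE_TABLE_ENTRY values (Win7 x86 and Win8 x64 layouts) into
   object header / body addresses. Added example; layouts follow the slides' dt output. */
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* ASSUMED (not on the slides): nt!_OBJECT_HEADER.Body is at +0x018 on Win7 x86. */
#define WIN7_X86_BODY_OFFSET 0x18u
/* From slide 16: +0x030 Body : _QUAD on Win8 x64. */
#define WIN8_X64_BODY_OFFSET 0x30u

/* ---- Win7 x86 (slide 15): Object, ObAttributes and Value overlay at +0x000 ---- */

/* The pointer is 8-byte aligned, so the low three bits are free for attributes.
   ASSUMED meaning (Windows Internals): bit0 lock bit (set while the entry is not locked),
   bit1 inheritable, bit2 audit on close. */
uint32_t win7_attributes(uint32_t value)    { return value & 7u; }
uint32_t win7_object_header(uint32_t value) { return value & ~7u; }
uint32_t win7_object_body(uint32_t value)   { return win7_object_header(value) + WIN7_X86_BODY_OFFSET; }

/* ---- Win8 x64 (slide 16): LowValue bit fields ---- */

unsigned win8_unlocked(uint64_t low)   { return (unsigned)(low & 1u); }             /* bit 0      */
unsigned win8_refcnt(uint64_t low)     { return (unsigned)((low >> 1) & 0xFFFFu); } /* bits 1..16 */
unsigned win8_attributes(uint64_t low) { return (unsigned)((low >> 17) & 0x7u); }   /* bits 17..19 */

/* ObjectPointerBits (bits 20..63) holds bits 4..47 of the object header address.
   Shifting right by 16 puts them back in place; clearing the low nibble drops the
   field bits that remain; sign-extending bit 47 restores the canonical high 16 bits,
   which is what the slide does by hand with "+ffff000000000000". */
uint64_t win8_object_header(uint64_t low)
{
    uint64_t p = (low >> 16) & ~(uint64_t)0xF;
    if (p & ((uint64_t)1 << 47))
        p |= 0xFFFF000000000000ull;
    return p;
}
uint64_t win8_object_body(uint64_t low) { return win8_object_header(low) + WIN8_X64_BODY_OFFSET; }

int main(void)
{
    /* Entry values copied from the slides' debugger output. */
    uint32_t win7 = 0x84884171u;
    uint64_t win8 = 0xe00000d5f2e00001ull;   /* shown as 0n-2305842090310893567 */

    printf("Win7 x86: attrs=%u header=%08" PRIx32 " body=%08" PRIx32 "\n",
           win7_attributes(win7), win7_object_header(win7), win7_object_body(win7));
    printf("Win8 x64: unlocked=%u refcnt=%u attrs=%u header=%016" PRIx64 " body=%016" PRIx64 "\n",
           win8_unlocked(win8), win8_refcnt(win8), win8_attributes(win8),
           win8_object_header(win8), win8_object_body(win8));
    return 0;
}
```

The Win8 header address it computes, ffffe00000d5f2e0, is the value the slide types into dt _OBJECT_HEADER, and the body address ffffe00000d5f310 is the _FILE_OBJECT the slide reaches with +30; the Win7 entry decodes to header 84884170 with only the lock bit set, matching the .formats binary dump ending in 001.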