nullcon 2010 - Intelligent debugging and in memory fuzzing

2,907 views
2,792 views

Published on

nullcon 2010 - Intelligent debugging and in memory fuzzing by Amandeep Bharti & Vishwas Sharma

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,907
On SlideShare
0
From Embeds
0
Number of Embeds
75
Actions
Shares
0
Downloads
86
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

nullcon 2010 - Intelligent debugging and in memory fuzzing

  1. 1. Intelligent Debugging and in-memory Fuzzers By Vishwas Sharma  Amandeep Bharti Rohan Thakur nullcon Goa 2010 http://nullcon.net
  2. 2. typedef struct presentation { <ul><ul><li>Basics of Debugging </li></ul></ul><ul><ul><li>Scripted Debugging techniques </li></ul></ul><ul><ul><li>In-Memory fuzzing Technique </li></ul></ul><ul><ul><li>Demo of </li></ul></ul><ul><ul><ul><li>Scripted Debugging (function trace analysis) </li></ul></ul></ul><ul><ul><ul><li>In-Memory fuzzing (A Microsoft bug.) </li></ul></ul></ul><ul><li>                                                                   } </li></ul>nullcon Goa 2010 http://nullcon.net
  3. 3. class Debugging { <ul><ul><li>Loading / attaching process in debugging enviornment </li></ul></ul><ul><ul><li>Types of Debugging Events </li></ul></ul><ul><ul><li>Concept of breakpoint at implementation level </li></ul></ul><ul><ul><ul><li>Soft Breakpoints </li></ul></ul></ul><ul><ul><ul><li>Hard Breakpoints </li></ul></ul></ul><ul><ul><ul><li>Memory Breakpoints </li></ul></ul></ul><ul><ul><li>Context (CPU registers) </li></ul></ul><ul><ul><li>Hooking  </li></ul></ul><ul><ul><ul><li>Soft Hooking </li></ul></ul></ul><ul><ul><ul><li>Hard Hooking </li></ul></ul></ul><ul><ul><li>Concept of injection in debugging                                          } </li></ul></ul>nullcon Goa 2010 http://nullcon.net
  4. 4. func Attach/Load   { HANDLE WINAPI OpenProcess (Attaching) Return process handler BOOL WINAPI CreateProcess (Loading) One of the output variable is process handler of loaded process BOOL WINAPI DebugActiveProcess  Attach to an active process   nullcon Goa 2010 http://nullcon.net
  5. 5. func DebugEvents   { BOOL WINAPI WaitForDebugEvent Wait for any debugging event if and when a perticular debugging event is triggered handle the event as you require   BOOL WINAPI ContinueDebugEvent Continue Looking for debugging events   BOOL WINAPI DebugActiveProcessStop  Detach to process from debugging enviornment nullcon Goa 2010 http://nullcon.net
  6. 6. func DebugEvents   { typedef struct _DEBUG_EVENT { DWORD dwDebugEventCode; DWORD dwProcessId; DWORD dwThreadId; union { EXCEPTION_DEBUG_INFO Exception; Event is thrown whenever an exception occurs in the application being debugged. CREATE_THREAD_DEBUG_INFO CreateThread; Event is thrown when thread is created in the process CREATE_PROCESS_DEBUG_INFO CreateProcessInfo; Event is thrown when a process is created EXIT_THREAD_DEBUG_INFO ExitThread; Event is Triggered when Thread Exits EXIT_PROCESS_DEBUG_INFO ExitProcess; Event is Triggered when Process Exits nullcon Goa 2010 http://nullcon.net
  7. 7. func DebugEvents   { LOAD_DLL_DEBUG_INFO LoadDll; Event is thrown when a dll is Loaded UNLOAD_DLL_DEBUG_INFO UnloadDll; Event is thrown when a dll is unloaded OUTPUT_DEBUG_STRING_INFO DebugString; Event occurs when the debugee calls the API call OutputDebugString to send debugging information to a debugger RIP_INFO RipInfo; Event is triggered if your process being debugged dies unexpectedly nullcon Goa 2010 http://nullcon.net
  8. 8. class Breakpoint { <ul><ul><li>Loading / attaching process in debugging enviornment </li></ul></ul><ul><ul><li>Types of Debugging Events </li></ul></ul><ul><ul><li>Concept of breakpoint at implementation level </li></ul></ul><ul><ul><ul><li>Soft Breakpoints </li></ul></ul></ul><ul><ul><ul><li>Hard Breakpoints </li></ul></ul></ul><ul><ul><ul><li>Memory Breakpoints </li></ul></ul></ul><ul><ul><li>Context (CPU registers) </li></ul></ul><ul><ul><li>Hooking  </li></ul></ul><ul><ul><ul><li>Soft Hooking </li></ul></ul></ul><ul><ul><ul><li>Hard Hooking </li></ul></ul></ul><ul><ul><li>Concept of injection in debugging                                          } </li></ul></ul>nullcon Goa 2010 http://nullcon.net
  9. 9. Concept of breakpoints <ul><li>Soft Breakpoint:- </li></ul><ul><li>A soft breakpoint is a single-byte instruction, INT3 that stops execution of the debugged process and passes control to the debugger’s breakpoint exception handler. </li></ul>nullcon Goa 2010 http://nullcon.net
  10. 10. <ul><li>Hard Breakpoint </li></ul>nullcon Goa 2010 http://nullcon.net
  11. 11. Concept of breakpoints <ul><li>Memory Breakpoint:- </li></ul><ul><li>This breakpoint can be triggered on  Execution, Read or Write  operations performed during the process execution. </li></ul>nullcon Goa 2010 http://nullcon.net
  12. 12. Soft Hooking <ul><li>Similar to setting a breakpoint but we can control </li></ul><ul><li>The thread context using our own scripting </li></ul><ul><li>techinque. </li></ul><ul><li>The hook you are really just extending a particular </li></ul><ul><li>piece of code to run your hook and then return to </li></ul><ul><li>the normal execution path. </li></ul>nullcon Goa 2010 http://nullcon.net
  13. 13. Hardware Break Points <ul><li>Hard hooking </li></ul><ul><li>Concept of injection in debugging </li></ul>nullcon Goa 2010 http://nullcon.net
  14. 14. Python Offering <ul><li>Ctypes  - which provides us interface between c type programming language and data types with ability to call function in Dll </li></ul><ul><li>Pydbg  - which provides us scripting debugging library </li></ul><ul><li>Utils - Which provide us hooking library with crash dump analysis function </li></ul><ul><li>IDAPython - Time for python to take control of IDA Pro </li></ul>nullcon Goa 2010 http://nullcon.net
  15. 15. Python offering <ul><li>Immlib  - Immunity debugger library for Ollydbg like experience with python </li></ul><ul><li>PyEmu - It’s like running a process without actually running it. Using this library we can test how the code would behave under certain circumstances. </li></ul><ul><li>PeachFuzz & Sulley - An python based fuzzer with over 700 known exploit heuristics </li></ul>nullcon Goa 2010 http://nullcon.net
  16. 16. In-Memory Fuzzing <ul><li>Virtual space - As we know that it is the virtual address space 4GB for 32 bit system. This virtual address space is typically divided into two parts user space (0x00000000 - 0x7fffffff) and kernel space (0x80000000-0xffffffff). Libraries is loaded into this virtual space in a flat memory model i.e. contiguous rather than fragmented - Purely performance reasons. </li></ul>nullcon Goa 2010 http://nullcon.net
  17. 17. nullcon Goa 2010 http://nullcon.net
  18. 18. In-Memory Fuzzing <ul><li>Pages - The concept of pages is basic to operating system. A page is the address translation between the virtual memory and physical memory and is the minimum amount of space that can be allocated from the physical to virtual space. There are specific paging access options that Windows set during the initialization of page. </li></ul>nullcon Goa 2010 http://nullcon.net
  19. 19. In-Memory Fuzzing nullcon Goa 2010 http://nullcon.net
  20. 20. In-Memory Fuzzing : Algo <ul><li>function (data) { </li></ul><ul><li>} </li></ul><ul><li>function in_mem_fuzz </li></ul><ul><li>if breakpoint hit = Function End </li></ul><ul><li>if snapshot_taken then </li></ul><ul><li>restore_process </li></ul><ul><li>virtual free previous allocated address </li></ul><ul><li>if breakpoint hit = Function Start </li></ul>nullcon Goa 2010 http://nullcon.net
  21. 21. <ul><li>take snapshot </li></ul><ul><li>set breakpoint at function end </li></ul><ul><li>addr = virtual allocate(datasize) </li></ul><ul><li>mutate = mutate(data) </li></ul><ul><li>write mutated data to addr </li></ul><ul><li>change esp+4 variable to our mutated data location </li></ul><ul><li>process snapshot </li></ul><ul><li>run funnction </li></ul>nullcon Goa 2010 http://nullcon.net
  22. 22. <ul><li>function access_voilation: </li></ul><ul><li>Print access violation synopsis </li></ul><ul><li>when encounter access violation </li></ul><ul><li>restore process </li></ul>nullcon Goa 2010 http://nullcon.net
  23. 23. Demo nullcon Goa 2010 http://nullcon.net
  24. 24. nullcon Goa 2010 http://nullcon.net
  25. 25. nullcon Goa 2010 http://nullcon.net
  26. 26. nullcon Goa 2010 http://nullcon.net
  27. 27. Demo nullcon Goa 2010 http://nullcon.net
  28. 28. Binary Analysis of these functions <ul><li>Integer overflow then a undersized buffer will be allocated </li></ul><ul><li>mov  eax ,  [ ebp +Points] </li></ul><ul><li>;Integer Overflow could happen here </li></ul><ul><li>lea eax, [edi+eax*2]  ; number of polygons + 2 * number of points </li></ul><ul><li>shl   eax ,  2  ; *4 </li></ul><ul><li>push   eax </li></ul><ul><li>mov   ecx ,  esi </li></ul><ul><li>call ? CreateRecordToModify@MfEnumState@@IAEHH@Z  ;MfEnumState::CreateRecordToModify(int) </li></ul>nullcon Goa 2010 http://nullcon.net
  29. 29. Questions nullcon Goa 2010 http://nullcon.net

×