nullcon 2010 - Intelligent debugging and in memory fuzzing
nullcon 2010 - Intelligent debugging and in memory fuzzing by Amandeep Bharti & Vishwas Sharma
Published in: Technology
Transcript

  • 1. Intelligent Debugging and in-memory Fuzzers, by Vishwas Sharma, Amandeep Bharti and Rohan Thakur. nullcon Goa 2010, http://nullcon.net
  • 2. typedef struct presentation {
        - Basics of Debugging
        - Scripted Debugging techniques
        - In-Memory fuzzing technique
        - Demo of
            - Scripted Debugging (function trace analysis)
            - In-Memory fuzzing (a Microsoft bug)
      }
  • 3. class Debugging {
        - Loading / attaching a process in the debugging environment
        - Types of debugging events
        - Concept of breakpoints at the implementation level
            - Soft breakpoints
            - Hard breakpoints
            - Memory breakpoints
        - Context (CPU registers)
        - Hooking
            - Soft hooking
            - Hard hooking
        - Concept of injection in debugging
      }
  • 4. func Attach/Load {
        - HANDLE WINAPI OpenProcess (attaching): returns a process handle
        - BOOL WINAPI CreateProcess (loading): one of its output variables is the process handle of the loaded process
        - BOOL WINAPI DebugActiveProcess: attach to an already running process
  • 5. func DebugEvents {
        - BOOL WINAPI WaitForDebugEvent: wait for a debugging event; if and when a particular debugging event is triggered, handle it as you require
        - BOOL WINAPI ContinueDebugEvent: continue looking for debugging events
        - BOOL WINAPI DebugActiveProcessStop: detach the process from the debugging environment
  • 6. func DebugEvents {
        typedef struct _DEBUG_EVENT {
            DWORD dwDebugEventCode;
            DWORD dwProcessId;
            DWORD dwThreadId;
            union {
                EXCEPTION_DEBUG_INFO      Exception;          // thrown whenever an exception occurs in the application being debugged
                CREATE_THREAD_DEBUG_INFO  CreateThread;       // thrown when a thread is created in the process
                CREATE_PROCESS_DEBUG_INFO CreateProcessInfo;  // thrown when a process is created
                EXIT_THREAD_DEBUG_INFO    ExitThread;         // triggered when a thread exits
                EXIT_PROCESS_DEBUG_INFO   ExitProcess;        // triggered when the process exits
  • 7. func DebugEvents {
                LOAD_DLL_DEBUG_INFO       LoadDll;            // thrown when a DLL is loaded
                UNLOAD_DLL_DEBUG_INFO     UnloadDll;          // thrown when a DLL is unloaded
                OUTPUT_DEBUG_STRING_INFO  DebugString;        // occurs when the debuggee calls OutputDebugString to send debugging information to a debugger
                RIP_INFO                  RipInfo;            // triggered if the process being debugged dies unexpectedly
            } u;
        } DEBUG_EVENT;
  • 8. class Breakpoint {
        - Concept of breakpoints at the implementation level
            - Soft breakpoints
            - Hard breakpoints
            - Memory breakpoints
      }
  • 9. Concept of breakpoints
        - Soft breakpoint: a soft breakpoint is a single-byte instruction, INT3, that stops execution of the debugged process and passes control to the debugger's breakpoint exception handler.
  • 10. Hard Breakpoint [slide image]
  • 11. Concept of breakpoints
        - Memory breakpoint: this breakpoint can be triggered on Execution, Read or Write operations performed on a memory region during the process execution.
  • 12. Soft Hooking
        - Similar to setting a breakpoint, but we control the thread context using our own scripting technique.
        - With a hook you are really just extending a particular piece of code to run your hook and then return to the normal execution path.
  • 13. Hardware Break Points
        - Hard hooking
        - Concept of injection in debugging
  • 14. Python Offering
        - ctypes: provides an interface to C data types and the ability to call functions in a DLL
        - PyDbg: a scriptable debugging library
        - Utils: a hooking library with crash dump analysis functions
        - IDAPython: time for Python to take control of IDA Pro
  • 15. Python offering
        - Immlib: the Immunity Debugger library, for an OllyDbg-like experience with Python
        - PyEmu: it's like running a process without actually running it; using this library we can test how the code would behave under certain circumstances
        - Peach & Sulley: Python-based fuzzers with over 700 known exploit heuristics
  • 16. In-Memory Fuzzing
        - Virtual space: on a 32-bit system the virtual address space is 4 GB. It is typically divided into two parts, user space (0x00000000 - 0x7fffffff) and kernel space (0x80000000 - 0xffffffff). Libraries are loaded into this virtual space in a flat memory model, i.e. contiguous rather than fragmented, purely for performance reasons.
  • 17. [slide image]
  • 18. In-Memory Fuzzing
        - Pages: the concept of pages is basic to the operating system. A page is the unit of address translation between virtual memory and physical memory, and is the minimum amount of space that can be mapped from physical to virtual memory. Windows sets specific page access options (protections) when it initializes a page.
  • 19. In-Memory Fuzzing [slide image]
  • 20. In-Memory Fuzzing: Algo
        function (data) {
        }

        function in_mem_fuzz:
            if breakpoint hit == Function End:
                if snapshot_taken:
                    restore_process
                    virtual free the previously allocated address
            if breakpoint hit == Function Start:
  • 21.
                take snapshot
                set breakpoint at function end
                addr = virtual allocate(datasize)
                mutated = mutate(data)
                write mutated data to addr
                change the esp+4 variable (first argument) to our mutated data location
                process snapshot
                run function
  • 22.
        function access_violation:
            when an access violation is encountered:
                print access violation synopsis
                restore process
  • 23. Demo
  • 24. [slide image]
  • 25. [slide image]
  • 26. [slide image]
  • 27. Demo
  • 28. Binary Analysis of these functions
        - An integer overflow here means an undersized buffer will be allocated:
            mov  eax, [ebp+Points]
            ; integer overflow could happen here
            lea  eax, [edi+eax*2]   ; number of polygons + 2 * number of points
            shl  eax, 2             ; *4
            push eax
            mov  ecx, esi
            call ?CreateRecordToModify@MfEnumState@@IAEHH@Z   ; MfEnumState::CreateRecordToModify(int)
  • 29. Questions nullcon Goa 2010 http://nullcon.net
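The snapshot/mutate/restore loop of slides 20-22 and the 32-bit size wraparound of slide 28, as an added Python example that is not part of the original slides or the presenters' tooling: the debugged process is replaced by a constructed in-process stand-in (`create_record`, a hypothetical model of the allocation on slide 28), the boundary values are a constructed list, and a raised `AccessViolation` plays the role of the exception debug event; the `checked_record_size` variant shows the check that stops the wrap.

```python
import copy

MASK32 = 0xFFFFFFFF
# Constructed boundary values the fuzzer substitutes for an integer argument.
BOUNDARY = [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]

class AccessViolation(Exception):
    """Stands in for the exception debug event a real debugger would receive."""

def record_size(polygons, points):
    """Mirror of slide 28: lea eax,[edi+eax*2] ; shl eax,2 (wraps at 32 bits)."""
    return (((polygons + points * 2) & MASK32) << 2) & MASK32

def checked_record_size(polygons, points):
    """Hardened form: refuse the allocation (None) instead of letting it wrap."""
    size = (polygons + points * 2) * 4
    return size if size <= MASK32 else None

def create_record(state, polygons, points):
    """Hypothetical stand-in for the target function: allocate the computed size,
    then copy 8 bytes per point; copying past the allocation is the crash."""
    size = record_size(polygons, points)
    if points * 8 > size:
        raise AccessViolation("write of %d bytes into %d-byte record" % (points * 8, size))
    state["allocated"].append(size)
    return size

def mutate(seed_args, round_no):
    """Replace one of the two arguments with a boundary value, alternating fields."""
    polygons, points = seed_args
    value = BOUNDARY[(round_no // 2) % len(BOUNDARY)]
    return (value, points) if round_no % 2 == 0 else (polygons, value)

def in_mem_fuzz(state, seed_args, rounds):
    """Slides 20-22: snapshot at function start, rewrite the esp+4 argument,
    run to function end, restore the process, repeat. Returns crash synopses."""
    snapshot = copy.deepcopy(state)                # take snapshot
    crashes = []
    for round_no in range(rounds):
        args = mutate(seed_args, round_no)         # mutate(data)
        try:
            create_record(state, *args)            # run function
        except AccessViolation as exc:
            crashes.append((args, str(exc)))       # print access violation synopsis
        state.clear()                              # restore_process and free the
        state.update(copy.deepcopy(snapshot))      # previously allocated memory
    return crashes
```

Ten rounds over the seed arguments (3, 2) report five crashes, every one of them an argument whose (polygons + 2*points)*4 wrapped below the bytes the function then copies, and the state dictionary is back to its snapshot afterwards.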