Kbouncer

  1. (slide text not captured in the export; only bullet markers remain)
  2. (diagram) Return to 0x00040100: the saved return address on the stack is overwritten with 0x00040100, the memory at that address holds 0xFF 0xE4 (JMP ESP), so RET transfers control to the JMP ESP and from there to the code at ESP. Labels: 0x00040100, Code, ESP, Memory, 0xFF 0xE4 (JMP ESP), RET, JMP ESP.
  3. (diagram) The same layout as slide 2, but the transfer to the code at ESP ends in EXCEPTION! Labels: 0x00040100, Code, ESP, Memory, 0xFF 0xE4 (JMP ESP), RET, JMP ESP, EXCEPTION!
  4. WinExec prototype (comments translated from Japanese):
       UINT WinExec(
         LPCSTR lpCmdLine, // pointer to the command line
         UINT uCmdShow     // window display state
       );
  5. (diagram) STACK laid out as a chain of library calls: VirtualAlloc, memcpy, CreateFile, each followed by its arguments ("Args for VirtualAlloc", "Args for memcpy", "Args for CreateFile"); the functions themselves live "(Somewhere)" in memory.
  6. (diagram) The slide 2 layout with the address of the JMP ESP unknown. Labels: ??????, Code, ESP, Memory, 0xFF 0xE4 (JMP ESP), RET, JMP ESP.
  7. (diagram) ROP gadgets: the wanted sequence "pop eax; pop ecx; mov" is assembled from three gadgets, "pop eax / ret", "pop ecx / ret" and "mov [ecx], eax / ret"; the STACK holds the values 0x12345678 and 0x07FF5090 together with three RET entries (the gadget addresses).
  8. (diagram, labels translated from Japanese) "Stack after the call: ret, args ..."; code "push 0 / push eax / call WinExec / mov [edx], eax ..."; "Stack after calling the first function: ret, args ... first function ... ret / the function to run next ... ret"; caption "Normal function call vs. ROP ????".
  9. (slide text not captured in the export; only bullet markers remain)
  10. (slide text not captured in the export; only bullet markers remain)
  11. (diagram) LBR Stack: the FROM/TO pairs FROM0/TO0, FROM1/TO1, FROM2/TO2, FROM3/TO3.
  12. Reading the LBR MSRs around two calls to add() (kernel-mode driver code; __readmsr/__writemsr are compiler intrinsics). The declarations and the MSR number defines are added here from the slide's own comments so the fragment compiles; MyDbgPrint is the author's print wrapper:

       #include <ntddk.h>
       #include <intrin.h>

       #define IA32_DEBUGCTL            0x1D9  // bit 0 enables Last Branch Recording
       #define MSR_LASTBRANCH_TOS       0x1C9
       #define MSR_LASTBRANCH_0_FROM_IP 0x680
       #define MSR_LASTBRANCH_0_TO_IP   0x6C0

       // Kept out of line so that the two calls appear as real branches
       __declspec(noinline) int add(int a, int b) { return a + b; }

       void LbrDemo(void)
       {
           ULONG64 TOS, FROM_IP[4], TO_IP[4];
           int tmp, i;

           MyDbgPrint("Address 'add' : %p\n", add);                   // Print address of "add"
           __writemsr(IA32_DEBUGCTL, 1);                               // 0x1D9: start branch recording
           tmp = add(10, 20);                                          // The address here is 0x9db8f258
           tmp += add(10, 30);                                         // The address here is 0x9db8f264
           __writemsr(IA32_DEBUGCTL, 0);                               // End branch recording
           (void)tmp;
           TOS = __readmsr(MSR_LASTBRANCH_TOS);                        // 0x1C9: get top of the LBR stack
           MyDbgPrint("TOS:%d", (int)TOS);
           for (i = 0; i < 4; i++) {
               FROM_IP[i] = __readmsr(MSR_LASTBRANCH_0_FROM_IP + i);  // 0x680 + i
               TO_IP[i]   = __readmsr(MSR_LASTBRANCH_0_TO_IP + i);    // 0x6C0 + i
           }
           for (i = 0; i < 4; i++) {
               MyDbgPrint("FROM_IP%d : 0x%016I64x\n", i, FROM_IP[i]);
               MyDbgPrint("TO_IP%d : 0x%016I64x\n", i, TO_IP[i]);
           }
       }
  13. Output of the code on slide 12 (comments are the slide's own):
       Address 'add' : 9DB8F180
       TOS:3
       FROM_IP0 : 0x000000009db8f258 // From first add() call
       TO_IP0   : 0x000000009db8f180 // To "add" function
       FROM_IP1 : 0x000000009db8f18c // From end of "add" function (return)
       TO_IP1   : 0x000000009db8f25d // To next of "FROM_IP0"
       FROM_IP2 : 0x000000009db8f264 // From second add() call
       TO_IP2   : 0x000000009db8f180 // To "add" function
       FROM_IP3 : 0x000000009db8f18c // From end of "add" function (return)
       TO_IP3   : 0x000000009db8f269 // To next of "FROM_IP2"
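  Added example, not part of the slides and not kBouncer's own code: a user-mode C model of the check kBouncer applies to LBR entries, run over the FROM/TO pairs from slide 13. kBouncer's published rule is that a legitimate return lands on an address immediately preceded by a call instruction, so a return whose target has no call in front of it (the way gadget chains like slide 7 are entered) is flagged. Assumptions: the code image is a constructed sparse table standing in for process memory, with bytes filled in to match the call/ret layout slide 13 implies (E8 rel32 at the two call sites, C3 at the end of add); the call decoder handles only three common encodings; the MSRs are not read, the four entries are hard-coded; and the last entry of kRop is a constructed violation with a made-up target address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define LBR_DEPTH 4   /* slide 12 reads four FROM/TO pairs */

typedef struct { uint64_t from, to; } lbr_entry;            /* one MSR pair */
typedef struct { uint64_t addr; uint8_t byte; } code_byte;  /* one byte of the constructed image */

/* Constructed sparse code image: only the bytes the checks below need. */
static const code_byte kImage[] = {
    /* call add at 0x9db8f258: E8 rel32, rel32 = 0x9db8f180 - 0x9db8f25d = 0xFFFFFF23 */
    {0x9db8f258, 0xE8}, {0x9db8f259, 0x23}, {0x9db8f25a, 0xFF}, {0x9db8f25b, 0xFF}, {0x9db8f25c, 0xFF},
    /* call add at 0x9db8f264: E8 rel32, rel32 = 0x9db8f180 - 0x9db8f269 = 0xFFFFFF17 */
    {0x9db8f264, 0xE8}, {0x9db8f265, 0x17}, {0x9db8f266, 0xFF}, {0x9db8f267, 0xFF}, {0x9db8f268, 0xFF},
    /* ret at the end of add */
    {0x9db8f18c, 0xC3},
    /* constructed bytes before 0x9db8f300: pops and nops, no call anywhere in front of it */
    {0x9db8f2fa, 0x5B}, {0x9db8f2fb, 0x58}, {0x9db8f2fc, 0x59},
    {0x9db8f2fd, 0x5A}, {0x9db8f2fe, 0x90}, {0x9db8f2ff, 0x90},
};
#define IMG_LEN (sizeof(kImage) / sizeof(kImage[0]))

/* Look up one byte; unmapped addresses read as "unknown", never as a match. */
static bool read_code(uint64_t addr, uint8_t *out) {
    for (size_t i = 0; i < IMG_LEN; i++)
        if (kImage[i].addr == addr) { *out = kImage[i].byte; return true; }
    return false;
}

/* Simplified decode: is the branch at `ip` a RET (C3) or RET imm16 (C2)? */
static bool is_ret(uint64_t ip) {
    uint8_t b;
    return read_code(ip, &b) && (b == 0xC3 || b == 0xC2);
}

/* kBouncer's call-preceded rule, trying three call encodings backwards from `to`:
 *   E8 rel32           (5 bytes)  direct call
 *   FF /2, mod = 11    (2 bytes)  call reg
 *   FF 15 disp32       (6 bytes)  call [disp32] / call [rip+disp32]          */
static bool call_preceded(uint64_t to) {
    uint8_t op, modrm;
    if (read_code(to - 5, &op) && op == 0xE8) return true;
    if (read_code(to - 2, &op) && op == 0xFF && read_code(to - 1, &modrm) &&
        (modrm & 0xC0) == 0xC0 && ((modrm >> 3) & 7) == 2) return true;
    if (read_code(to - 6, &op) && op == 0xFF && read_code(to - 5, &modrm) && modrm == 0x15) return true;
    return false;
}

/* The LBR MSRs form a ring and MSR_LASTBRANCH_TOS points at the newest entry,
 * so the oldest entry is the one after TOS. Maps "i-th oldest" to an array index. */
static unsigned lbr_chronological_index(unsigned tos, unsigned i) {
    return (tos + 1 + i) % LBR_DEPTH;
}

/* Walk the ring oldest to newest; count returns that landed on a non-call-preceded
 * address. kBouncer treats any nonzero count as a violation at the next system call. */
static int count_return_violations(const lbr_entry lbr[LBR_DEPTH], unsigned tos) {
    int violations = 0;
    for (unsigned i = 0; i < LBR_DEPTH; i++) {
        const lbr_entry *e = &lbr[lbr_chronological_index(tos, i)];
        if (!is_ret(e->from)) continue;          /* calls and jumps are outside this rule */
        if (!call_preceded(e->to)) violations++;
    }
    return violations;
}

/* The four entries from slide 13 (TOS = 3): two call/ret pairs for add(). */
static const lbr_entry kBenign[LBR_DEPTH] = {
    {0x9db8f258, 0x9db8f180}, {0x9db8f18c, 0x9db8f25d},
    {0x9db8f264, 0x9db8f180}, {0x9db8f18c, 0x9db8f269},
};

/* Constructed: the second ret lands on 0x9db8f300, which no call precedes. */
static const lbr_entry kRop[LBR_DEPTH] = {
    {0x9db8f258, 0x9db8f180}, {0x9db8f18c, 0x9db8f25d},
    {0x9db8f264, 0x9db8f180}, {0x9db8f18c, 0x9db8f300},
};

int main(void) {
    printf("benign trace: %d violation(s)\n", count_return_violations(kBenign, 3));
    printf("rop trace:    %d violation(s)\n", count_return_violations(kRop, 3));
    return 0;
}
```

The ring walk matters in practice: TOS is not always 3, so indexing FROM_IP[0..3] in array order (as the slide's print loop does) can put the newest branch first. The decoder is deliberately shallow; a real implementation has to handle every call encoding, including prefixes, or it will produce false positives on legitimate returns.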
  14. (slide text not captured in the export; only bullet markers remain)
  15. (slide text not captured in the export; only bullet markers remain)
  16. (slide text not captured in the export; only bullet markers remain)
  17. (slide text not captured in the export; only bullet markers remain)
  18. (slide text not captured in the export; only bullet markers remain)
