201403 microsoft mvp com camp 2014-한주성

  1. How am I?
  2. How am I?
  3. What is Reverse Engineering: goal, preparation, decomposition and analysis, conclusions
  4. What is Reverse Engineering
     • Software Reverse Engineering (SRE): working out the design or implementation of a program for which no source code or related documentation is available. Used in security and in software development (antivirus, drivers?).
     • Dynamic analysis vs. static analysis: distinguished by whether the analysis is system-based or code-based.
     • Why do so many engineers take up kernel debugging? To solve problems faster and more easily.
  5. What is Reverse Engineering
  6. Handle??
  7. The View Is Different: administrator, reverser, developer, ordinary user. Keep it easy!!
  8. SE (Security Engineer)
  9. Developer
     • A pointer to a resource!!
       HANDLE h = CreateFile(L"C:\\unicode.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
  10. Developer
  11. Reverser
     • Object → Desktop Heap
     • EPROCESS → ObjectTable = _HANDLE_TABLE
     • _HANDLE_TABLE → _HANDLE_TABLE_ENTRY
     • OBJECT → _OBJECT_HEADER
     • _FILE_OBJECT → _PRIVATE_CACHE_MAP, _SECTION_OBJECT_POINTERS
  12. Reverser – Object
  13. Reverser – Desktop heap
     Desktop Heap Monitor Version 8.1 (dheapmon): http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17782
  14. Reverser – EPROCESS
     lkd> dt nt!_EPROCESS 850a33d0
     ... (omitted)
     +0x0f0 ExceptionPortValue : 0x8624a278
     +0x0f0 ExceptionPortState : 0y000
     +0x0f4 ObjectTable : 0xadde2388 _HANDLE_TABLE
     ... (omitted)
     lkd> dt _HANDLE_TABLE 0xadde2388
     nt!_HANDLE_TABLE
     +0x000 TableCode : 0xb1e8f000
     +0x004 QuotaProcess : 0x850a33d0 _EPROCESS
     ... (omitted)
  15. Reverser – HANDLE (WIN7)
     lkd> dt _HANDLE_TABLE_ENTRY 84e343d0
     nt!_HANDLE_TABLE_ENTRY
     +0x000 Object : 0x84884171 Void
     +0x000 ObAttributes : 0x84884171
     +0x000 InfoTable : 0x84884171 _HANDLE_TABLE_ENTRY_INFO
     +0x000 Value : 0x84884171
     -----------------------------------------------
     +0x004 GrantedAccess : 0xf00ff
     +0x004 GrantedAccessIndex : 0xff
     +0x006 CreatorBackTraceIndex : 0xf
     +0x004 NextFreeTableEntry : 0xf00ff
     lkd> .formats 0x84884171
     Binary: 10000100 10001000 01000001 01110001
  16. Reverser – HANDLE (WIN8)
     lkd> dt _HANDLE_TABLE_ENTRY ffffc000`0d45d0f0
     ntdll!_HANDLE_TABLE_ENTRY
     +0x000 VolatileLowValue : 0n-2305842090310893567
     +0x000 LowValue : 0n-2305842090310893567
     +0x000 InfoTable : 0xe00000d5`f2e00001 _HANDLE_TABLE_ENTRY_INFO
     +0x000 Unlocked : 0y1
     +0x000 RefCnt : 0y0000000000000000 (0)
     +0x000 Attributes : 0y000
     +0x000 ObjectPointerBits : 0y11100000000000000000000011010101111100101110 (0xe00000d5f2e)
     lkd> dt _OBJECT_HEADER 0xe00000d5f2e0+ffff000000000000
     …
     +0x030 Body : _QUAD
     lkd> dt _FILE_OBJECT 0xe00000d5f2e0+ffff000000000000+30
  17. Reverser
     • Structure of the handle table and the file object
  18. Reverser
     • The file object's cache memory
  19. Reverser
     lkd> dt _SECTION_OBJECT_POINTERS 0xffffe000`03ee2768
     ntdll!_SECTION_OBJECT_POINTERS
     +0x000 DataSectionObject : 0xffffe000`010ffcd0 Void
     +0x008 SharedCacheMap : 0xffffe000`02e44b10 Void
     +0x010 ImageSectionObject : (null)
     lkd> dt nt!_SHARED_CACHE_MAP 0xffffe000`02e44b10
     +0x000 NodeTypeCode : 0n767
     +0x002 NodeByteSize : 0n520
     +0x004 OpenCount : 1
     +0x008 FileSize : _LARGE_INTEGER 0x296043
     +0x010 BcbList : _LIST_ENTRY [ 0xffffe000`02e44b20 - 0xffffe000`02e44b20 ]
     +0x020 SectionSize : _LARGE_INTEGER 0x400000
     +0x028 ValidDataLength : _LARGE_INTEGER 0x0
     +0x030 ValidDataGoal : _LARGE_INTEGER 0x296043
     +0x038 InitialVacbs : [4] (null)
     +0x058 Vacbs : 0xffffe000`03cdd5f0 -> (null)
     lkd> dt _VACB 0xffffe000`003010f0
  20. The easy way
     • !process
     • !handle
     • !filecache
     • !object
     • !fileobj
     • !ca
  21. Software Reverse Engineering Tech Flow: operating systems; malware, rootkits, anti-debugging; incident response, forensics
  22. http://itka.kr / allmnet@naver.com
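As an added worked example (not part of the deck), the decoding that slides 15 and 16 do by hand in WinDbg: turning a raw _HANDLE_TABLE_ENTRY word into the _OBJECT_HEADER and object-body addresses. The bit layouts, the 0xffff000000000000 upper bits and the +0x30 Body offset are taken from the dt output shown on those slides; nothing else is assumed.

```python
# Added example (not from the deck): decode the raw _HANDLE_TABLE_ENTRY values
# the slides print with "dt" into object-header and object-body addresses, the
# step an analyst repeats for every entry when walking a process's handle table.
# Constants below come from the deck's own dt output, not from a header file.

WIN7_ATTR_MASK = 0x7                    # low 3 bits of the 32-bit Object field (slide 15)
WIN8_KERNEL_HIGH = 0xFFFF000000000000   # upper bits the slide adds back (slide 16)
BODY_OFFSET = 0x30                      # _OBJECT_HEADER "+0x030 Body : _QUAD"


def decode_win7_entry(object_field: int) -> dict:
    """Windows 7 x86: Object/ObAttributes/Value overlay one 32-bit word.
    The header pointer is 8-byte aligned, so the low 3 bits carry flags."""
    header = object_field & ~WIN7_ATTR_MASK & 0xFFFFFFFF
    return {
        "attributes": object_field & WIN7_ATTR_MASK,
        "object_header": header,
        "object_body": header + BODY_OFFSET,
    }


def decode_win8_entry(low_value: int) -> dict:
    """Windows 8 x64: LowValue bitfields in the order dt lists them:
    bit 0 Unlocked, bits 1-16 RefCnt, bits 17-19 Attributes,
    bits 20-63 ObjectPointerBits (44 bits, header address >> 4)."""
    low_value &= 0xFFFFFFFFFFFFFFFF     # dt prints the word signed (0n-2305...); normalise
    pointer_bits = low_value >> 20
    header = (pointer_bits << 4) | WIN8_KERNEL_HIGH   # 0xe00000d5f2e0 + ffff000000000000
    return {
        "unlocked": low_value & 0x1,
        "refcnt": (low_value >> 1) & 0xFFFF,
        "attributes": (low_value >> 17) & 0x7,
        "object_pointer_bits": pointer_bits,
        "object_header": header,
        "object_body": header + BODY_OFFSET,
    }


def windbg_followups(object_header: int) -> list:
    """The two commands slide 16 types next, built from the decoded address."""
    return [f"dt _OBJECT_HEADER {object_header:#x}",
            f"dt _FILE_OBJECT {object_header + BODY_OFFSET:#x}"]


if __name__ == "__main__":
    win7 = decode_win7_entry(0x84884171)              # slide 15 Object value
    win8 = decode_win8_entry(-2305842090310893567)    # slide 16 VolatileLowValue
    for name, fields in (("WIN7", win7), ("WIN8", win8)):
        print(name, {k: hex(v) for k, v in fields.items()})
    print("\n".join(windbg_followups(win8["object_header"])))
```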
