go to http workshop didierstevens com
play

Go to http://workshop.DidierStevens.com Unzip - PowerPoint PPT Presentation

Oct 04, 2022 •233 likes •471 views

White Hat Shellcode Workshop Didier Stevens Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop . First example: loading/unloading a DLL Start calc.exe Start procexp.exe (Process Explorer) and

  1. White Hat Shellcode Workshop Didier Stevens Go to http://workshop.DidierStevens.com

  2. Unzip shellcode-workshop.zip to C:\ Password is workshop .

  3. First example: loading/unloading a DLL

  4. Start calc.exe Start procexp.exe (Process Explorer) and view the DLLs loaded in calc.exe Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll LoadLibraryA str:c:\workshop\msgbox-hello.dll Click on the dialog box: the dialog box indicates that the DLL was successfully loaded.

  5. Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll FreeLibrary 0xBC0000

  6. Reinject the DLL and take note of the base address Execute the following command from a command-line in c:\workshop: simple-shellcode-generator.py -o unload-dll.asm -l “kernel32.dll FreeLibrary 0xBC0000” (replace 0xBC0000 with the base address you wrote down) Start a NASM Shell from the Start \ All Programs \ Netwide Assembler menu From the NASM Shell: cd c:\workshop From the NASM Shell: nasm -o unload-dll.bin unload-dll.asm Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe unload-dll.bin

  7. Second example: enforcing DEP

  8. exit calc.exe from the previous example, and start it again Notice DEP is enabled (DEP column in Process Explorer) Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll SetProcessDEPPolicy 0 refresh Process Explorer's view (F5) and notice that DEP has been turned off

  9. Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll SetProcessDEPPolicy 1 refresh Process Explorer's view (F5) and notice that Permanent DEP is enabled Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll SetProcessDEPPolicy 0 refresh Process Explorer's view (F5) and notice that Permanent DEP is still enabled

  10. Execute the following command from a command-line in c:\workshop: simple-shellcode-generator.py -o dep.asm -l “kernel32.dll SetProcessDEPPolicy 1” From the NASM Shell: nasm -o dep.bin dep.asm

  11. Execute the following command from a command-line in c:\workshop: copy \windows\system32\calc.exe calc- dep.exe Start LordPE.exe (LPE-DLX_1.4 folder): open calc- dep.exe Note the EntryPoint and the Image Base: 0x00012475 + 0x01000000 = 0x01012475 Edit dep.asm, replace ret with these 2 lines mov eax, 0x01012475 jmp eax

  12. From the NASM Shell: nasm -o dep.bin dep.asm From LordPE: add a section from file: dep.bin Notice the VOffset for dep.bin: 0x0001F000 Change the EntryPoint to 0x0001F000 From LordPE: Save From LordPE: Rebuild PE

  13. Third example: testing your security setup

  14. From the NASM Shell: nasm -o sc-createfile.bin sc- createfile.asm Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe sc- createfile.bin Check if file c:\windows\system32\testfile.txt has been created: it has.

  15. First delete c:\windows\system32\testfile.txt Psexec -ld c:\windows\system32\calc.exe Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe sc- createfile.bin Check if file c:\windows\system32\testfile.txt has been created: it has not.

  16. Fourth example: patching an application

  17. Install AdbeRdr910_en_US_Std.exe Open javascript.pdf, and notice the popup from the embedded JavaScript Disable JavaScript: Edit /Preferences / JavaScript / Enable Acrobat JavaScript Close and open javascript.pdf: notice the nagscreen from Adobe Reader

  18. From the NASM Shell: nasm -o sc-sar.bin sc-sar.asm Close javascript.pdf Start dbgview.exe Execute the following command from a command-line in c:\workshop: create-remote-thread.py AcroRd32.exe sc- sar.bin, and notice the message in dbgview after some time Open javascript.pdf: the nagscreen is gone.

  19. Fifth example: preventing heapsprays with shellcode

  20. uninstall Adobe Reader 9.1 install AdbeRdr812_en_US.exe start Adobe Reader unzip util-printf.zip (password is workshop) open util-printf.pdf and notice Adobe Reader crashing

  21. Execute the following command from a command-line in c:\workshop: simple-shellcode-generator.py -o sc- mba.asm -l "user32.dll MessageBoxA 0 str str 0" Edit sc-mba.asm with notepad and add 50 NOPs From the NASM Shell: nasm -o sc-mba.bin sc-mba.asm Start Adobe Reader 8 Execute the following command from a command-line in c:\workshop: create-remote-thread.py -a 0x30303020 AcroRd32.exe sc-nopsled-mba.bin Notice the message box (and then click the message box away)

  22. Now open util-printf.pdf Notice the 2 message boxes (and then click the message boxes away)

  23. Double click on heaplocker.reg and merge the entries to the registry Start Adobe Reader 8 Execute the following command from a command-line in c:\workshop: create-remote-thread.py AcroRD32.exe kernel32.dll LoadLibraryA str:c:\workshop\heaplocker.dll Notice the messages in DbgView Now open util-printf.pdf Notice the warning Take a look at the threads with Process Explorer

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

x64 Workshop Didier Stevens Go to http://workshop-x64.DidierStevens.com Unzip x64-workshop.zip

x64 Workshop Didier Stevens Go to http://workshop-x64.DidierStevens.com Unzip x64-workshop.zip

x64 Workshop Didier Stevens Go to http://workshop-x64.DidierStevens.com Unzip x64-workshop.zip to c:\workshop Install: 010EditorWin32Installer402.exe nasm-2.10.05-installer.exe SysinternalsSuite.zip tdm64-gcc-4.7.1-2.exe

724 views • 40 slides
Penetration Document Format Didier@DidierStevens.com Didier@DidierStevens.com

Penetration Document Format Didier@DidierStevens.com Didier@DidierStevens.com

Penetration Document Format Didier@DidierStevens.com Didier@DidierStevens.com Didier@DidierStevens.com Identification and Analysis Didier@DidierStevens.com Didier@DidierStevens.com PDFiD PDFiD 0.0.9 hello-world.pdf PDF Header: %PDF-1.1 obj

868 views • 27 slides
Tutorial http://www.iterativemapreduce.org/ Workshop Workshop Jaliya Ekanayake Community Grids

Tutorial http://www.iterativemapreduce.org/ Workshop Workshop Jaliya Ekanayake Community Grids

Tutorial http://www.iterativemapreduce.org/ Workshop Workshop Jaliya Ekanayake Community Grids Laboratory, Digital Science Center Pervasive Technology Institute Indiana University SALSA Acknowledgements to: Team at IU SeungHee Bae,

930 views • 37 slides
A workshop of ICRA 2010 URL: http://dove.eng.sunysb.edu/~icraBQL/ Workshop Title: Robotics

A workshop of ICRA 2010 URL: http://dove.eng.sunysb.edu/~icraBQL/ Workshop Title: Robotics

A workshop of ICRA 2010 URL: http://dove.eng.sunysb.edu/~icraBQL/ Workshop Title: Robotics Research Towards Better Quality of Life Date and Time: Monday, Afternoon (2:00pm - 5:30pm) Location: ECSH Room 13 Organizers: Professor Imin Kao, SUNY at

391 views • 3 slides
Welcome to the 2017 Charm++ Workshop! Laxmikant (Sanjay) Kale http://charm.cs.illinois.edu

Welcome to the 2017 Charm++ Workshop! Laxmikant (Sanjay) Kale http://charm.cs.illinois.edu

Welcome to the 2017 Charm++ Workshop! Laxmikant (Sanjay) Kale http://charm.cs.illinois.edu Parallel Programming Laboratory Department of Computer Science University of Illinois at Urbana Champaign 2017 CHARM++ WORKSHOP 1 A bit of history

437 views • 26 slides
The Emergence of Stability in Diverse Supply Chains Self- Workshop 2004 * Owen Densmore Xerox,

The Emergence of Stability in Diverse Supply Chains Self- Workshop 2004 * Owen Densmore Xerox,

The Emergence of Stability in Diverse Supply Chains Self- Workshop 2004 * Owen Densmore Xerox, Apple, Sun Retired - Santa Fe http://complexityworkshop.com http://friam.org http://friam.org Talk Example Agent Based Models

224 views • 18 slides
Slides Available Now! Slides from Todays Workshop are available at:

Slides Available Now! Slides from Todays Workshop are available at:

R ETHINKING Y OUR B UDGET: Leading Your Organization Through a More Comprehensive Financial Planning Process Slides Available Now! Slides from Todays Workshop are available at: http://info.aafcpa.com/mnn-budgeting- workshop-2017 State

430 views • 32 slides
V Thorsten Ohl http://whizard.hepforge.org http://physik.uni-wuerzburg.de/ohl Institute

V Thorsten Ohl http://whizard.hepforge.org http://physik.uni-wuerzburg.de/ohl Institute

T P 2 WHIZARD Version 2.2.0 V Thorsten Ohl http://whizard.hepforge.org http://physik.uni-wuerzburg.de/ohl Institute for Theoretical Physics and Astrophysics Wrzburg University Americas Workshop on Linear Colliders 2014 Fermilab

1.25k views • 91 slides
Criteria for resource allocation ISPC Workshop 9 May 2017 Amsterdam http://ispc.cgiar.org

Criteria for resource allocation ISPC Workshop 9 May 2017 Amsterdam http://ispc.cgiar.org

Criteria for resource allocation ISPC Workshop 9 May 2017 Amsterdam http://ispc.cgiar.org Workshop on Resource Allocation Structure What we did to assess the quality of Phase II CRP proposals Update on work with the System to

449 views • 14 slides
EcoFINDERS http://www.ecofinders.eu/ Workshop, Brussels, 2nd Annual Meeting EcoFINDERS 10-11

EcoFINDERS http://www.ecofinders.eu/ Workshop, Brussels, 2nd Annual Meeting EcoFINDERS 10-11

Soil Biodiversity and functioning: Lessons/Examples from EcoFINDERS http://www.ecofinders.eu/ Workshop, Brussels, 2nd Annual Meeting EcoFINDERS 10-11 June 2013 21 23 November 2012, Wageningen EU Soil Thematic Strategy Main information

247 views • 24 slides
The 15 th Workshop on Domain-Specific Modeling http://www.dsmforum.org/events/DSM15 SPLASH 27

The 15 th Workshop on Domain-Specific Modeling http://www.dsmforum.org/events/DSM15 SPLASH 27

The 15 th Workshop on Domain-Specific Modeling http://www.dsmforum.org/events/DSM15 SPLASH 27 October 2015 Pittsburgh, Pennsylvania 1 Objectives Share new insights and observations Identify new areas of DSM research and practice needs

402 views • 14 slides
Moving data in DTNs with HTTP and MIME Making use of HTTP for delay- and disruption-tolerant

Moving data in DTNs with HTTP and MIME Making use of HTTP for delay- and disruption-tolerant

Moving data in DTNs with HTTP and MIME Making use of HTTP for delay- and disruption-tolerant networks with convergence layers Lloyd Wood, Daniel Floreani, Peter Holliday, Ioannis Psaras e-DTN workshop, ICUMT, St Petersburg, 14 October 2009. Why

406 views • 11 slides
LATIN Appreciation Workshop http://latinappreciation.wordpress.com/ Latin Level I Session 8 of

LATIN Appreciation Workshop http://latinappreciation.wordpress.com/ Latin Level I Session 8 of

AM + DG LATIN Appreciation Workshop http://latinappreciation.wordpress.com/ Latin Level I Session 8 of 9 Latin Made Fun & Easy AM + DG Prayer Before Class A Study Deus, qui corda illustratione: fidlium Sancti [Ab] the light

1.06k views • 47 slides
Ansible workshop workshop Ansible The easiest way to: The easiest way to: orchestrate, deploy

Ansible workshop workshop Ansible The easiest way to: The easiest way to: orchestrate, deploy

Ansible workshop workshop Ansible The easiest way to: The easiest way to: orchestrate, deploy and manage orchestrate, deploy and manage http://dag.wiee.rs/attic/ansible-workshop/ http://dag.wiee.rs/attic/ansible-workshop/ NLUUG Spring

417 views • 13 slides
and http://www.silx.org/ HDF5 European Workshop for science and industry, 18 th of September 2019,

and http://www.silx.org/ HDF5 European Workshop for science and industry, 18 th of September 2019,

and http://www.silx.org/ HDF5 European Workshop for science and industry, 18 th of September 2019, ESRF. silx contributors: T. Vincent; V. Valls; H. Payno; J. Kieffer; V. A. Sol; P. Paleo; D. Naudet; G. Communie; P. Knobel; M. Retegan; M.

604 views • 17 slides
ECFA HL-LHC Workshop for 21 st to 23 rd October October 2013 ECFA HL-LHC Experiments Workshop at

ECFA HL-LHC Workshop for 21 st to 23 rd October October 2013 ECFA HL-LHC Experiments Workshop at

ECFA HL-LHC Workshop for 21 st to 23 rd October October 2013 ECFA HL-LHC Experiments Workshop at Aix-les-Bains link at http://indico.cern.ch/conferenceDisplay.py?co nfId=252045 The report from this to ECFA can be found at

480 views • 11 slides
Leveraging Executable Language Engineering for Domain-Specific Transformation Languages (Position

Leveraging Executable Language Engineering for Domain-Specific Transformation Languages (Position

Observations From xDSMLs to DSTLs Conclusion and future work Leveraging Executable Language Engineering for Domain-Specific Transformation Languages (Position Paper) EXE 2016, Saint-Malo, France Erwan Bousse 1 Manuel Wimmer 1 Wieland Schwinger

594 views • 34 slides
A study of practical deduplication Dutch T. Meyer University of British Columbia Microsoft

A study of practical deduplication Dutch T. Meyer University of British Columbia Microsoft

A study of practical deduplication Dutch T. Meyer University of British Columbia Microsoft Research Intern William Bolosky Microsoft Research A study of practical deduplication Dutch T. Meyer University of British Columbia Microsoft

492 views • 32 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
Unix API 1 1 Changelog swtch() of animation 9 September 2019: exec and PCBs: remove init.

Unix API 1 1 Changelog swtch() of animation 9 September 2019: exec and PCBs: remove init.

Unix API 1 1 Changelog swtch() of animation 9 September 2019: exec and PCBs: remove init. val. from fjrst frame with arrows 4 September 2019: xv6: where the context is: mark where pointers point identifying what an address space is to

2.07k views • 128 slides
Semantic Networks and Topic Modeling A Comparison Using Small and Medium-Sized Corpora Loet

Semantic Networks and Topic Modeling A Comparison Using Small and Medium-Sized Corpora Loet

Semantic Networks and Topic Modeling A Comparison Using Small and Medium-Sized Corpora Loet Leydesdor ff & Adina Nerghes D I G I TA L H U M A N I T I E S L A B Networks of words Semantic Networks Networks of concepts Content networks

408 views • 27 slides
Outline Modern architectures Spring 2006 Delay slots Introduction to instruction

Outline Modern architectures Spring 2006 Delay slots Introduction to instruction

Outline Modern architectures Spring 2006 Delay slots Introduction to instruction scheduling List scheduling Code Scheduling Resource constraints Interaction with register allocation Scheduling across basic blocks

887 views • 22 slides
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing security research for the last

774 views • 48 slides
Desig ign of f a Symboli licall lly Executable le Embedded Hyperv rvis isor Jan Nordholz

Desig ign of f a Symboli licall lly Executable le Embedded Hyperv rvis isor Jan Nordholz

Technische Universitt Berlin Desig ign of f a Symboli licall lly Executable le Embedded Hyperv rvis isor Jan Nordholz <j.nordholz@tu-berlin.de> 15 th EUROSYS, 27-30 April, 2020 PHIDIAS Type PHI ype I I Em Embedded Hype

388 views • 10 slides

More recommend