Security Summer School

User Tools

Site Tools

session:extra:windows-security

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
session:15 [2016/06/30 17:42] – [Extra: = 0x0E. Windows Security Mechanics] Razvan Deaconescusession:extra:windows-security [2020/07/19 09:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
-= Extra: Windows Security Mechanics+====== Extra: Windows Security Mechanics ======
  
 ===== Slides ===== ===== Slides =====
Line 44: Line 44:
 There are a lot of tools to help you peer into the an PE file. Among the most used: There are a lot of tools to help you peer into the an PE file. Among the most used:
  
-* [[http://www.ntcore.com/exsuite.php|CFF Explorer]] powerful x64 suppport a tad on the windows explorer side +  * [[http://www.ntcore.com/exsuite.php|CFF Explorer]] powerful x64 suppport a tad on the windows explorer side 
-* [[http://wjradburn.com/software/|PEView]] lightweight, portable but only x32 support +  * [[http://wjradburn.com/software/|PEView]] lightweight, portable but only x32 support 
-* [[http://www.woodmann.com/collaborative/tools/index.php/LordPE|LORDPE]] portable, x64 compatible with support for runtime process analysis+  * [[http://www.woodmann.com/collaborative/tools/index.php/LordPE|LORDPE]] portable, x64 compatible with support for runtime process analysis
  
  
Line 86: Line 86:
 **NumberOfSections** - States the number of sections that follow **NumberOfSections** - States the number of sections that follow
 **Characteristics** - gives us an idea of the type of file we are dealing with a few of which are: **Characteristics** - gives us an idea of the type of file we are dealing with a few of which are:
-* System file - IMAGE_FILE_SYSTEM(0x1000) +  * System file - IMAGE_FILE_SYSTEM(0x1000) 
-* Executable File - IMAGE_FILE_EXECUTABLE_IMAGE(0x0002) +  * Executable File - IMAGE_FILE_EXECUTABLE_IMAGE(0x0002) 
-* 32 bit machine - IMAGE_FILE_32BIT_MACHINE(0x1000)+  * 32 bit machine - IMAGE_FILE_32BIT_MACHINE(0x1000)
  
 === Image Optional Header  === === Image Optional Header  ===
Line 110: Line 110:
 Each section entry in the _IMAGE_SECTION_HEADER holds the following useful information: Each section entry in the _IMAGE_SECTION_HEADER holds the following useful information:
  
-** Name ** the name of the section +    * Name ** the name of the section 
-** VirtualAddress ** - the RVA relative to the ImageBase defined in the Optional Header +    * VirtualAddress ** - the RVA relative to the ImageBase defined in the Optional Header 
-** PointerToRawData ** - relative offset from the beginning of the file where the section starts +    * PointerToRawData ** - relative offset from the beginning of the file where the section starts 
-** VirtualSize ** - size that the section occupies in memory +    * VirtualSize ** - size that the section occupies in memory 
-** SizeOfRawData ** - size that the section occupies on disk+    * SizeOfRawData ** - size that the section occupies on disk
  
  
Line 227: Line 227:
 Every process is represented in kernel space by an EPROCESS which in turn references several ETHREAD  structures for threads. Thes,e in turn point in  user space to PEB and TEB structure containing some of the following information. Every process is represented in kernel space by an EPROCESS which in turn references several ETHREAD  structures for threads. Thes,e in turn point in  user space to PEB and TEB structure containing some of the following information.
  
-** PEB( Process Environment Block) **+    * PEB( Process Environment Block) **
  * basic image information (base address, version numbers, module list)  * basic image information (base address, version numbers, module list)
  * process heap information  * process heap information
Line 234: Line 234:
  * DLL search path  * DLL search path
    
-** TEB( Process Environment block) **+    * TEB( Process Environment block) **
  * stack information (stack-base and stack-limit)  * stack information (stack-base and stack-limit)
  * TLS (Thread Local Storage) array  * TLS (Thread Local Storage) array
Line 252: Line 252:
  
 For exploitation the following setup is recommended For exploitation the following setup is recommended
-** Dismissasembly** - actively disassembling the code as EIP moves +    * Dismissasembly** - actively disassembling the code as EIP moves 
-** Memory ** it's usually recommended that you set ESP so you can actively monitor the stack +    * Memory ** it's usually recommended that you set ESP so you can actively monitor the stack 
-** Registers ** - customizable view of the register values as the code executes +    * Registers ** - customizable view of the register values as the code executes 
-** Command ** - command window +    * Command ** - command window 
  
 You can add/remove windows from the View menu as you wish. To save a layout open windbg without attaching to a process setup the windows and go to **File> Save Workspace**. When you attach to a process ore just start one in windbg you can go to File > Open Workspace and instantly load all the process data to the workspace you wish.  You can add/remove windows from the View menu as you wish. To save a layout open windbg without attaching to a process setup the windows and go to **File> Save Workspace**. When you attach to a process ore just start one in windbg you can go to File > Open Workspace and instantly load all the process data to the workspace you wish. 
Line 272: Line 272:
 For a more complete list of commands For a more complete list of commands
  
-* [[http://msdn.microsoft.com/en-us/library/windows/hardware/ff561306(v=vs.85).aspx|WinDBG]] command line flags+  * [[http://msdn.microsoft.com/en-us/library/windows/hardware/ff561306(v=vs.85).aspx|WinDBG]] command line flags
 </note> </note>
  
Line 419: Line 419:
 <note> <note>
 Some other cheat sheets: Some other cheat sheets:
-* [[https://labs.snort.org/awbo/windbg.txt|Quick]] cheat sheet +  * [[https://labs.snort.org/awbo/windbg.txt|Quick]] cheat sheet 
-* [[http://windbg.info/doc/1-common-cmds.html|Big]] cheat sheet+  * [[http://windbg.info/doc/1-common-cmds.html|Big]] cheat sheet
 </note> </note>
  
Line 474: Line 474:
 For more information on how to use mona refere to the following links For more information on how to use mona refere to the following links
  
-* [[https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/|Mona Manual]] +  * [[https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/|Mona Manual]] 
-* [[http://www.slideshare.net/ajin25/exploit-research-and-development-megaprimer-monapy-exploit-writers-swiss-army|Mona Presentation]]+  * [[http://www.slideshare.net/ajin25/exploit-research-and-development-megaprimer-monapy-exploit-writers-swiss-army|Mona Presentation]]
  
  
Line 741: Line 741:
 That's it use one of the above addresses ant the rest work the same as standard SEH exploitation That's it use one of the above addresses ant the rest work the same as standard SEH exploitation
  
-== Tasks+===== Tasks =====
  
 <note important> <note important>
session/extra/windows-security.1467308569.txt.gz · Last modified: by Razvan Deaconescu