Posts on Lamprey Labs

Hacksys Extreme Vulnerable Driver(HEVD) Windows Driver Exploitation - Stack Buffer Overflow

11 January 2023 at 00:00
Table of Contents: Brief; Vulnerability; Exploitation and Stabilization; Case I: Intel OS Guard/SMEP not present, KVA Shadow/KPTI disabled; Patch Analysis; Honourable Mention

Brief: The vulnerability class we are going to hunt for and exploit is a stack buffer overflow in the HEVD.sys Windows driver, compiled without a stack cookie/canary (the /GS Buffer Security Check) or StackGuard mitigation. We are also going to look at productization and stabilization of the exploit later on.

Practical Reverse Engineering - Exercise 2, Page 35

28 August 2022 at 00:00
Table of Contents: Question; Answer

Question: In the example walk-through, we did a nearly one-to-one translation of the assembly code to C. As an exercise, re-decompile this whole function so that it looks more natural. What can you say about the developer's skill level/experience? Explain your reasons. Can you do a better job?

Answer: We already saw a raw decompilation of the sample's DllMain routine in the last exercise using the Hex-Rays decompiler, but let's further clean it up and polish it.

Practical Reverse Engineering - Exercise 1, Page 35

24 August 2022 at 00:00
Table of Contents: Question; Answer

Question: Repeat the walk-through by yourself. Draw the stack layout, including parameters and local variables.

Answer: Here is the VirusTotal link to the malware sample in question: wship4.dll. And here is the raw disassembly of the DllMain routine as generated by IDA Pro, for reference:

.text:10001C60 ; =============== S U B R O U T I N E =======================================
.text:10001C60
.text:10001C60 ; Attributes: bp-based frame

Practical Reverse Engineering - Exercise 4, Page 17

21 July 2022 at 00:00
Table of Contents: Question; Answer

Question: In all of the calling conventions explained, the return value is stored in a 32-bit register (EAX). What happens when the return value does not fit in a 32-bit register? Write a program to experiment and evaluate your answer. Does the mechanism change from compiler to compiler?

Answer: Let us consider the following C code:

extern "C" __declspec(noinline) unsigned __int64 __stdcall fun( void ) { return 0x4141414142424242; }

Compiling it with x86 msvc v19.

Practical Reverse Engineering - Exercise 3, Page 17

20 July 2022 at 00:00
Table of Contents: Question; Answer

Question: In the example function, addme, what would happen if the stack pointer were not properly restored before executing RET?

Answer: Here is the addme function for reference:

push ebp
mov ebp, esp
movsx eax, word ptr [ebp + 8h]
movsx ecx, word ptr [ebp + 0Ch]
add eax, ecx
mov esp, ebp
pop ebp
ret

In this particular case, ESP remains unmodified (equal to EBP) between the prologue and the epilogue, so mov esp, ebp can be safely omitted from the function epilogue.
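To make the "what if ESP is not restored" question concrete, here is an added example (not code from the book or from this blog) that models a 32-bit stack as a byte array and steps through the caller's pushes, CALL, and the addme body. Two knobs reproduce the two situations: whether the function also reserved a local (sub esp, 4, as a compiler would), and whether the epilogue keeps mov esp, ebp. The constants RETADDR, CALLER_EBP and LOCAL_JUNK are constructed markers so the test can see which value RET actually pops into EIP; run_addme, ret_target and final_ebp are hypothetical helper names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed marker values: they only need to be recognisable afterwards. */
#define STACK_BYTES 256
#define RETADDR     0x08049ABCu  /* pushed by CALL, what RET should pop        */
#define CALLER_EBP  0x000000F0u  /* caller's frame pointer, saved by push ebp  */
#define LOCAL_JUNK  0xDEADBEEFu  /* written into a local slot when one exists  */

/* Byte-addressed stack plus the registers addme touches. */
typedef struct {
    uint8_t  stack[STACK_BYTES];
    uint32_t esp, ebp, eax, ecx, eip;
} cpu_t;

static uint32_t ld32(const cpu_t *c, uint32_t addr) { uint32_t v; memcpy(&v, &c->stack[addr], 4); return v; }
static void     st32(cpu_t *c, uint32_t addr, uint32_t v) { memcpy(&c->stack[addr], &v, 4); }
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; st32(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = ld32(c, c->esp); c->esp += 4; return v; }

/* movsx eax, word ptr [...]: sign-extend the low 16 bits of the loaded dword. */
static int32_t movsx16(uint32_t w) { return (int32_t)(int16_t)(uint16_t)(w & 0xFFFF); }

/* Emulate `call addme` and addme's body on a fresh stack.
 *   use_local   : also emit `sub esp, 4` and store LOCAL_JUNK at [ebp-4]
 *   restore_esp : keep (1) or drop (0) the `mov esp, ebp` in the epilogue
 * Returns EAX; the final register state is copied to *out when non-NULL. */
int32_t run_addme(int16_t a, int16_t b, int use_local, int restore_esp, cpu_t *out)
{
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.esp = STACK_BYTES;
    c.ebp = CALLER_EBP;

    push(&c, (uint16_t)b);            /* caller: push b   (right-to-left)      */
    push(&c, (uint16_t)a);            /* caller: push a                        */
    push(&c, RETADDR);                /* call addme: pushes the return address */

    push(&c, c.ebp);                  /* push ebp                              */
    c.ebp = c.esp;                    /* mov ebp, esp                          */
    if (use_local) {                  /* sub esp, 4 ; mov [ebp-4], LOCAL_JUNK  */
        c.esp -= 4;
        st32(&c, c.ebp - 4, LOCAL_JUNK);
    }
    c.eax = (uint32_t)movsx16(ld32(&c, c.ebp + 8));    /* movsx eax, word ptr [ebp+8]   */
    c.ecx = (uint32_t)movsx16(ld32(&c, c.ebp + 0xC));  /* movsx ecx, word ptr [ebp+0Ch] */
    c.eax += c.ecx;                   /* add eax, ecx                          */
    if (restore_esp)
        c.esp = c.ebp;                /* mov esp, ebp                          */
    c.ebp = pop(&c);                  /* pop ebp : takes whatever ESP points at */
    c.eip = pop(&c);                  /* ret     : likewise, into EIP           */

    if (out) *out = c;
    return (int32_t)c.eax;
}

/* Convenience wrappers: where does RET send control, and what is EBP afterwards? */
uint32_t ret_target(int use_local, int restore_esp)
{
    cpu_t s; run_addme(1, 2, use_local, restore_esp, &s); return s.eip;
}
uint32_t final_ebp(int use_local, int restore_esp)
{
    cpu_t s; run_addme(1, 2, use_local, restore_esp, &s); return s.ebp;
}
```

With no local slot, RET pops RETADDR whether or not mov esp, ebp is present, which is why the instruction is redundant in addme as printed. As soon as the body has moved ESP (the local slot here) and the epilogue does not restore it, pop ebp consumes the local and RET pops the saved EBP as its "return address": control goes to CALLER_EBP, and the caller's frame pointer is now LOCAL_JUNK.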

Practical Reverse Engineering - Exercise 2, Page 17

19 July 2022 at 00:00
Table of Contents: Question; Answer

Question: Come up with at least two code sequences to set EIP to 0xAABBCCDD.

Answer: There are several instructions in the x86 ISA that manipulate the EIP register (control flow instructions), but in this exercise we are going to look at two of the most popular ones (including one we already encountered in the previous exercise).

CALL

call 0xAABBCCDD

The call instruction is used to call a procedure: it pushes the return address on the stack before changing EIP to the call target, effectively transferring control to it.

Practical Reverse Engineering - Exercise 1, Page 17

16 July 2022 at 00:00
Table of Contents: Question; Answer

Question: Given what you learned about CALL and RET, explain how you would read the value of EIP. Why can't you just do MOV EAX, EIP?

Answer: mov eax, eip is rejected as an invalid instruction (it is not encodable) by any assembler, since EIP is not a General Purpose Register (GPR); it is a special-purpose register that holds the address of the next instruction to execute (hence the name, extended instruction pointer).

Practical Reverse Engineering - Exercise 1, Page 11

13 July 2022 at 00:00
Table of Contents: Question; Answer

Question: This function uses a combination of SCAS and STOS to do its work. First, explain what the types of [EBP+8] and [EBP+C] are in lines 1 and 8, respectively. Next, explain what this snippet does.

01: mov edi, [ebp + 8]
02: mov edx, edi
03: xor eax, eax
04: or ecx, 0FFFFFFFFh
05: repne scasb
06: add ecx, 2
07: neg ecx
08: mov al, [ebp + 0Ch]
09: mov edi, edx
10: rep stosb
11: mov eax, edx

Answer: [EBP + 8h] appears to be a pointer to a char buffer (PCHAR, size = 4 bytes), since it is loaded into the EDI register, which is then used implicitly by the scasb instruction with the repne prefix as the memory operand to compare against the byte value in the AL register.
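The following added example (not code from the book or from this blog) replays the eleven instructions on a real buffer, tracking EAX/ECX/EDI/EDX the way the walk-through does, and places the result next to the natural C rendering of the routine. It shows where the strlen comes from: repne scasb scans len+1 bytes (the terminator included) starting from ECX = -1, leaving ECX = -(len+2), which add ecx, 2 and neg ecx turn into len, the count rep stosb then uses. The helper names emulate_snippet, decompiled, agree and emulated_len are hypothetical, and the strings in the test are constructed inputs.

```c
#include <stdint.h>
#include <string.h>

/* Register state tracked by the walk-through. EDI/EDX carry the buffer
 * pointer; `len` records ECX after instruction 07 for inspection. */
typedef struct {
    uint32_t eax, ecx;
    char    *edi, *edx;
    uint32_t len;
} regs_t;

/* Emulate the snippet instruction by instruction on `str`. */
char *emulate_snippet(char *str, char ch, regs_t *r)
{
    r->edi = str;                        /* 01: mov edi, [ebp+8]   : char* argument          */
    r->edx = r->edi;                     /* 02: mov edx, edi       : remember the start      */
    r->eax = 0;                          /* 03: xor eax, eax       : AL = 0, the terminator  */
    r->ecx = 0xFFFFFFFFu;                /* 04: or ecx, -1         : "unlimited" count       */
    /* 05: repne scasb: while ECX != 0 { cmp AL, [EDI]; EDI++; ECX--; stop on match } */
    while (r->ecx != 0) {
        char cur = *r->edi++;
        r->ecx--;
        if ((uint8_t)cur == (r->eax & 0xFF))
            break;
    }
    r->ecx += 2;                         /* 06: add ecx, 2 : ECX was -(len+2), now -len      */
    r->ecx = 0u - r->ecx;                /* 07: neg ecx    : ECX = len                       */
    r->len = r->ecx;
    r->eax = (r->eax & ~0xFFu) | (uint8_t)ch; /* 08: mov al, [ebp+0Ch] : char argument       */
    r->edi = r->edx;                     /* 09: mov edi, edx : rewind to the start           */
    while (r->ecx != 0) {                /* 10: rep stosb  : store AL, EDI++, ECX--          */
        *r->edi++ = (char)(r->eax & 0xFF);
        r->ecx--;
    }
    return r->edx;                       /* 11: mov eax, edx : return the original pointer   */
}

/* The same routine as a C programmer would write it. */
char *decompiled(char *str, char ch)
{
    memset(str, (unsigned char)ch, strlen(str));
    return str;
}

/* Length the emulated scasb/add/neg sequence computes for `src`. */
uint32_t emulated_len(const char *src)
{
    char buf[64];
    regs_t r;
    strncpy(buf, src, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    emulate_snippet(buf, 'x', &r);
    return r.len;
}

/* Run both versions on copies of `src`; 1 if they agree byte for byte and
 * the emulated length equals strlen. */
int agree(const char *src, char ch)
{
    char a[64], b[64];
    regs_t r;
    strncpy(a, src, sizeof a - 1);
    a[sizeof a - 1] = '\0';
    memcpy(b, a, sizeof a);
    return strcmp(emulate_snippet(a, ch, &r), decompiled(b, ch)) == 0
        && r.len == (uint32_t)strlen(src);
}
```

The empty string is the edge to check: scasb matches on the very first byte, ECX ends at -2, the add/neg pair yields 0, and rep stosb with ECX = 0 writes nothing, which is exactly memset(str, ch, 0).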