Monday, January 23, 2012

Question: How does the loader know ASLR is enabled for a binary?

Most people know that ASLR randomizes the base address of a binary when it is loaded, but how does the loader know that a binary is ASLR capable? This is a fairly easy question to answer, but from what I can tell it is rarely documented as a detection method, and it is the subject of this post.

In the PE header's IMAGE_OPTIONAL_HEADER there is a field called DllCharacteristics whose flag bits control a number of loader behaviours for the executable, one of them being ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, value 0x0040). If you look at the IMAGE_OPTIONAL_HEADER structure documentation and scroll down about midway you will see the values it defines. You will also notice that the same field records whether DEP is enabled (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, value 0x0100).
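As an added example (this is not the Ruby script from this post), here is a small C reader that pulls DllCharacteristics straight out of a PE image and reports the ASLR and DEP bits. The header offsets and flag values are the documented PE ones; the sample image that build_min_pe() produces is constructed test data, not a real binary, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag values from the PE specification. */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 /* image may be relocated at load: ASLR */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100 /* image is DEP compatible */
#define IMAGE_FILE_RELOCS_STRIPPED            0x0001 /* COFF Characteristics: no relocations, cannot move */
#define PE32_MAGIC     0x010b
#define PE32PLUS_MAGIC 0x020b

/* Little-endian field accessors so the reader works on any host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)((v >> (8 * i)) & 0xff); }

/* Walk MZ -> e_lfanew -> "PE\0\0" -> COFF header -> optional header.
 * Returns a pointer to the optional header, or NULL for a malformed image. */
static const uint8_t *optional_header(const uint8_t *img, size_t len, uint16_t *coff_characteristics)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return NULL;
    uint32_t e_lfanew = rd32(img + 0x3c);
    /* need "PE\0\0" (4) + COFF header (20) + at least 72 bytes of optional header */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return NULL;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return NULL;
    if (rd16(nt + 4 + 16) < 72) return NULL;            /* SizeOfOptionalHeader too small */
    const uint8_t *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC) return NULL;
    if (coff_characteristics) *coff_characteristics = rd16(nt + 4 + 18);
    return opt;
}

/* DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
 * Returns the 16-bit value, or -1 for a malformed image. */
int pe_dll_characteristics(const uint8_t *img, size_t len)
{
    const uint8_t *opt = optional_header(img, len, NULL);
    return opt ? rd16(opt + 70) : -1;
}

/* ASLR needs DYNAMIC_BASE *and* an image the loader can actually relocate. */
int pe_aslr_capable(const uint8_t *img, size_t len)
{
    uint16_t coff = 0;
    const uint8_t *opt = optional_header(img, len, &coff);
    if (!opt) return -1;
    int dyn = (rd16(opt + 70) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    return dyn && !(coff & IMAGE_FILE_RELOCS_STRIPPED);
}

int pe_dep_compatible(const uint8_t *img, size_t len)
{
    int dc = pe_dll_characteristics(img, len);
    return dc < 0 ? -1 : (dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
}

/* Constructed test data: a minimal PE32 header with no sections. Returns bytes written. */
size_t build_min_pe(uint8_t *buf, size_t cap, uint16_t dllchar, uint16_t coff_chars)
{
    const uint32_t e_lfanew = 0x80;
    const uint16_t opt_size = 224;                 /* PE32: 96 bytes + 16 data directories */
    size_t need = e_lfanew + 4 + 20 + opt_size;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x014c);                          /* Machine = i386 */
    wr16(nt + 4 + 16, opt_size);                   /* SizeOfOptionalHeader */
    wr16(nt + 4 + 18, coff_chars);                 /* COFF Characteristics */
    uint8_t *opt = nt + 24;
    wr16(opt, PE32_MAGIC);
    wr16(opt + 70, dllchar);                       /* DllCharacteristics */
    return need;
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_min_pe(img, sizeof img,
                            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0);
    printf("DllCharacteristics=0x%04x ASLR=%d DEP=%d\n",
           pe_dll_characteristics(img, n), pe_aslr_capable(img, n), pe_dep_compatible(img, n));
    return 0;
}
```

One caveat the flag alone does not capture: the loader can only randomize an image it can relocate, so the example also checks IMAGE_FILE_RELOCS_STRIPPED in the COFF Characteristics. An image with DYNAMIC_BASE set but its relocations stripped still loads at its preferred base. On 64-bit Windows 8 and later the related IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA bit (0x0020) controls how much of the address space the randomization uses.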

I created a little Ruby script that gives you access to these values for a single file, a directory, or your whole file system. There are many tools, such as CFF Explorer, that show these values for one file at a time, but this one can crawl a file system to find multiple files with ASLR disabled, DEP disabled and more.

git dllcharacteristics

enjoy

Thursday, January 19, 2012

QnA -> What is FS

First off
1. I promise I will get the video out for the Derbycon heap talk. I just got bored of doing the editing, so it is sitting there raw right now.
2. I plan on updating and redoing the Journey into Exploitation post to have some updated information and more content eventually.

OK, now the reason for this post: because I am so bad at posting or finishing posts on this blog, and I have people asking for content, I am going to attempt a new strategy. To get information back out so people can learn, and to help people along the way, I am going to start posting the questions I get and the answers to them.
I am going to avoid posting questions on really easy topics and will usually link someone to a place to read on those, but for topics that are either poorly documented or hard I will try to cover them. One major advantage for me is that if I don't know the answer, it gives me something to research as well.

Topics I will cover:
Reverse Engineering:
Exploitation:
Security in general:

Preview question.

Q: What is FS?

I wrote a challenge some time back for the Securabit podcast I am a part of, as a fun exercise. The question came from someone trying to reverse this challenge.
The anti-debugging technique read the PEB at offset 0x68 (the NtGlobalFlag field) to detect whether a debugger is present; it holds 0x70 when the process was started under a debugger. To find the base address of the PEB I read FS:[0x30] and stored that in a register.
I skimmed over some items there, like why it is set to 0x70 and what the PEB is, but that is not the question. The question is: what is FS?

FS is a segment register. It and GS were added with the 80386, the processor that also introduced 32-bit protected mode, so they arrived together with the protected-mode 32-bit x86 operating systems. In Win32, FS holds a selector for a segment whose base address is the Thread Information Block (TIB, also called the TEB) of the thread currently running.

To break this down further: when you see an instruction such as

mov EBX, DWORD PTR DS:[EAX]

the DWORD PTR part says: take the base address of the segment selected by DS (another segment register), add the value in EAX to it, and load the 32-bit value stored at that address into EBX. In Win32's flat memory model the DS base is 0, so this is simply the dword at the address in EAX. So when I wrote

mov EAX, DWORD PTR FS:[0x30]

I was saying: take the base address of the segment selected by FS, add 0x30 (the offset is hexadecimal), and load the dword stored there into EAX. In the TIB that slot holds the address of the PEB.

A few other notes on FS:
FS:[0] holds the pointer to the head of the SEH chain, a linked list of EXCEPTION_REGISTRATION_RECORD structures (each holding a Next pointer and a handler address, with 0xFFFFFFFF marking the end of the list). The handlers in this list are what get called when an exception occurs in the code.

FS is per thread: each thread has its own TIB, and the kernel switches the FS base on every context switch. This means a single application with multiple threads has multiple TIBs, and FS in each thread points to a different one.
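To make the FS:[0x30] read and the FS:[0] SEH chain from the notes above concrete, here is an added example (not code from the post or the challenge) in C. It models the 32-bit Win32 TIB and PEB layouts inside a small simulated flat address space, so the two-level dereference used by the challenge's check can be traced on any host; the field offsets are the documented Win32 ones, while the addresses chosen for the simulated TIB, PEB and SEH records are arbitrary constructed values. On a real 32-bit Windows build the guarded real_peb_address() shows the same read as an MSVC intrinsic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Documented 32-bit TIB and PEB offsets. */
#define TIB_EXCEPTION_LIST 0x00  /* fs:[0]    head of the SEH chain */
#define TIB_SELF           0x18  /* fs:[0x18] linear address of the TIB itself */
#define TIB_PEB            0x30  /* fs:[0x30] pointer to the process PEB */
#define PEB_BEING_DEBUGGED 0x02  /* PEB+0x02  BeingDebugged byte */
#define PEB_NTGLOBALFLAG   0x68  /* PEB+0x68  NtGlobalFlag */

/* The three heap flags a debugger-created process gets in NtGlobalFlag; together 0x70. */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define DEBUG_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

#define SEH_END 0xFFFFFFFFu      /* terminator of the SEH linked list */

/* Constructed simulated address space; these addresses are arbitrary. */
#define MEM_SIZE 0x1000u
#define SIM_TIB  0x0100u         /* where the simulated TIB lives (this is the "FS base") */
#define SIM_PEB  0x0800u         /* where the simulated PEB lives */
#define SIM_SEH1 0x0400u         /* two EXCEPTION_REGISTRATION_RECORDs: {Next, Handler} */
#define SIM_SEH2 0x0420u

uint8_t g_mem[MEM_SIZE];

static uint32_t rd32(const uint8_t *mem, uint32_t addr) { uint32_t v; memcpy(&v, mem + addr, 4); return v; }
static void     wr32(uint8_t *mem, uint32_t addr, uint32_t v) { memcpy(mem + addr, &v, 4); }

/* Lay out a TIB, a two-entry SEH chain and a PEB. debugger_attached selects
 * whether the PEB looks like one created under a debugger. */
void build_address_space(uint8_t *mem, int debugger_attached)
{
    memset(mem, 0, MEM_SIZE);
    wr32(mem, SIM_SEH1 + 0, SIM_SEH2);     wr32(mem, SIM_SEH1 + 4, 0x00401000u);  /* Next, Handler */
    wr32(mem, SIM_SEH2 + 0, SEH_END);      wr32(mem, SIM_SEH2 + 4, 0x00402000u);
    wr32(mem, SIM_TIB + TIB_EXCEPTION_LIST, SIM_SEH1);
    wr32(mem, SIM_TIB + TIB_SELF, SIM_TIB);
    wr32(mem, SIM_TIB + TIB_PEB, SIM_PEB);
    mem[SIM_PEB + PEB_BEING_DEBUGGED] = debugger_attached ? 1 : 0;
    wr32(mem, SIM_PEB + PEB_NTGLOBALFLAG, debugger_attached ? DEBUG_HEAP_FLAGS : 0);
}

/* Equivalent of:  mov eax, fs:[0x30]   (fs_base is the base of the FS segment) */
uint32_t peb_from_fs(const uint8_t *mem, uint32_t fs_base) { return rd32(mem, fs_base + TIB_PEB); }

/* Equivalent of the challenge's check:
 *   mov eax, fs:[0x30]
 *   mov eax, [eax+0x68]
 *   and eax, 0x70
 *   cmp eax, 0x70
 * Returns 1 if NtGlobalFlag carries the debug heap flags. */
int ntglobalflag_says_debugged(const uint8_t *mem, uint32_t fs_base)
{
    uint32_t peb   = peb_from_fs(mem, fs_base);
    uint32_t flags = rd32(mem, peb + PEB_NTGLOBALFLAG);
    return (flags & DEBUG_HEAP_FLAGS) == DEBUG_HEAP_FLAGS;
}

/* Walk the SEH chain from fs:[0] and count the registered handlers. */
int seh_chain_length(const uint8_t *mem, uint32_t fs_base)
{
    int n = 0;
    uint32_t rec = rd32(mem, fs_base + TIB_EXCEPTION_LIST);
    while (rec != SEH_END && rec + 8 <= MEM_SIZE && n < 64) {  /* bounds guard the simulation */
        n++;
        rec = rd32(mem, rec);  /* follow the Next field */
    }
    return n;
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <intrin.h>
/* On a real 32-bit Windows build the same read is a single intrinsic. */
uint32_t real_peb_address(void) { return __readfsdword(TIB_PEB); }
#endif

int main(void)
{
    build_address_space(g_mem, 1);
    printf("fs:[0x30] -> PEB at 0x%08x\n", (unsigned)peb_from_fs(g_mem, SIM_TIB));
    printf("NtGlobalFlag debug heap flags set: %d\n", ntglobalflag_says_debugged(g_mem, SIM_TIB));
    printf("SEH handlers registered: %d\n", seh_chain_length(g_mem, SIM_TIB));
    return 0;
}
```

The simulation is only there to show the addressing: on real hardware the "add to the FS base" step is done by the segmentation unit, so the two-instruction sequence never sees the TIB address explicitly. Note also that the 0x70 heap flags are set when the process is created by a debugger; a debugger attached later does not change NtGlobalFlag, which is why the PEB BeingDebugged byte and this check catch different situations.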

Challenge
Source for Challenge