go to http workshop didierstevens com
play

Go to http://workshop.DidierStevens.com Unzip - PowerPoint PPT Presentation

Oct 04, 2022 •233 likes •471 views

White Hat Shellcode Workshop Didier Stevens Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop . First example: loading/unloading a DLL Start calc.exe Start procexp.exe (Process Explorer) and

  1. White Hat Shellcode Workshop Didier Stevens Go to http://workshop.DidierStevens.com

  2. Unzip shellcode-workshop.zip to C:\ Password is workshop .

  3. First example: loading/unloading a DLL

  4. Start calc.exe Start procexp.exe (Process Explorer) and view the DLLs loaded in calc.exe Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll LoadLibraryA str:c:\workshop\msgbox-hello.dll Click on the dialog box: the dialog box indicates that the DLL was successfully loaded.

  5. Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll FreeLibrary 0xBC0000

  6. Reinject the DLL and take note of the base address Execute the following command from a command-line in c:\workshop: simple-shellcode-generator.py -o unload-dll.asm -l “kernel32.dll FreeLibrary 0xBC0000” (replace 0xBC0000 with the base address you wrote down) Start a NASM Shell from the Start \ All Programs \ Netwide Assembler menu From the NASM Shell: cd c:\workshop From the NASM Shell: nasm -o unload-dll.bin unload-dll.asm Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe unload-dll.bin

  7. Second example: enforcing DEP

  8. exit calc.exe from the previous example, and start it again Notice DEP is enabled (DEP column in Process Explorer) Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll SetProcessDEPPolicy 0 refresh Process Explorer's view (F5) and notice that DEP has been turned off

  9. Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll SetProcessDEPPolicy 1 refresh Process Explorer's view (F5) and notice that Permanent DEP is enabled Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe kernel32.dll SetProcessDEPPolicy 0 refresh Process Explorer's view (F5) and notice that Permanent DEP is still enabled

  10. Execute the following command from a command-line in c:\workshop: simple-shellcode-generator.py -o dep.asm -l “kernel32.dll SetProcessDEPPolicy 1” From the NASM Shell: nasm -o dep.bin dep.asm

  11. Execute the following command from a command-line in c:\workshop: copy \windows\system32\calc.exe calc- dep.exe Start LordPE.exe (LPE-DLX_1.4 folder): open calc- dep.exe Note the EntryPoint and the Image Base: 0x00012475 + 0x01000000 = 0x01012475 Edit dep.asm, replace ret with these 2 lines mov eax, 0x01012475 jmp eax

  12. From the NASM Shell: nasm -o dep.bin dep.asm From LordPE: add a section from file: dep.bin Notice the VOffset for dep.bin: 0x0001F000 Change the EntryPoint to 0x0001F000 From LordPE: Save From LordPE: Rebuild PE

  13. Third example: testing your security setup

  14. From the NASM Shell: nasm -o sc-createfile.bin sc- createfile.asm Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe sc- createfile.bin Check if file c:\windows\system32\testfile.txt has been created: it has.

  15. First delete c:\windows\system32\testfile.txt Psexec -ld c:\windows\system32\calc.exe Execute the following command from a command-line in c:\workshop: create-remote-thread.py calc.exe sc- createfile.bin Check if file c:\windows\system32\testfile.txt has been created: it has not.

  16. Fourth example: patching an application

  17. Install AdbeRdr910_en_US_Std.exe Open javascript.pdf, and notice the popup from the embedded JavaScript Disable JavaScript: Edit /Preferences / JavaScript / Enable Acrobat JavaScript Close and open javascript.pdf: notice the nagscreen from Adobe Reader

  18. From the NASM Shell: nasm -o sc-sar.bin sc-sar.asm Close javascript.pdf Start dbgview.exe Execute the following command from a command-line in c:\workshop: create-remote-thread.py AcroRd32.exe sc- sar.bin, and notice the message in dbgview after some time Open javascript.pdf: the nagscreen is gone.

  19. Fifth example: preventing heapsprays with shellcode

  20. uninstall Adobe Reader 9.1 install AdbeRdr812_en_US.exe start Adobe Reader unzip util-printf.zip (password is workshop) open util-printf.pdf and notice Adobe Reader crashing

  21. Execute the following command from a command-line in c:\workshop: simple-shellcode-generator.py -o sc- mba.asm -l "user32.dll MessageBoxA 0 str str 0" Edit sc-mba.asm with notepad and add 50 NOPs From the NASM Shell: nasm -o sc-mba.bin sc-mba.asm Start Adobe Reader 8 Execute the following command from a command-line in c:\workshop: create-remote-thread.py -a 0x30303020 AcroRd32.exe sc-nopsled-mba.bin Notice the message box (and then click the message box away)

  22. Now open util-printf.pdf Notice the 2 message boxes (and then click the message boxes away)

  23. Double click on heaplocker.reg and merge the entries to the registry Start Adobe Reader 8 Execute the following command from a command-line in c:\workshop: create-remote-thread.py AcroRD32.exe kernel32.dll LoadLibraryA str:c:\workshop\heaplocker.dll Notice the messages in DbgView Now open util-printf.pdf Notice the warning Take a look at the threads with Process Explorer

Recommend

x64 Workshop Didier Stevens Go to http://workshop-x64.DidierStevens.com Unzip x64-workshop.zip

x64 Workshop Didier Stevens Go to http://workshop-x64.DidierStevens.com Unzip x64-workshop.zip

x64 Workshop Didier Stevens Go to http://workshop-x64.DidierStevens.com Unzip x64-workshop.zip to c:\workshop Install: 010EditorWin32Installer402.exe nasm-2.10.05-installer.exe SysinternalsSuite.zip tdm64-gcc-4.7.1-2.exe

724 views • 40 slides
Penetration Document Format Didier@DidierStevens.com Didier@DidierStevens.com

Penetration Document Format Didier@DidierStevens.com Didier@DidierStevens.com

Penetration Document Format Didier@DidierStevens.com Didier@DidierStevens.com Didier@DidierStevens.com Identification and Analysis Didier@DidierStevens.com Didier@DidierStevens.com PDFiD PDFiD 0.0.9 hello-world.pdf PDF Header: %PDF-1.1 obj

868 views • 27 slides
Tutorial http://www.iterativemapreduce.org/ Workshop Workshop Jaliya Ekanayake Community Grids

Tutorial http://www.iterativemapreduce.org/ Workshop Workshop Jaliya Ekanayake Community Grids

Tutorial http://www.iterativemapreduce.org/ Workshop Workshop Jaliya Ekanayake Community Grids Laboratory, Digital Science Center Pervasive Technology Institute Indiana University SALSA Acknowledgements to: Team at IU SeungHee Bae,

930 views • 37 slides
A workshop of ICRA 2010 URL: http://dove.eng.sunysb.edu/~icraBQL/ Workshop Title: Robotics

A workshop of ICRA 2010 URL: http://dove.eng.sunysb.edu/~icraBQL/ Workshop Title: Robotics

A workshop of ICRA 2010 URL: http://dove.eng.sunysb.edu/~icraBQL/ Workshop Title: Robotics Research Towards Better Quality of Life Date and Time: Monday, Afternoon (2:00pm - 5:30pm) Location: ECSH Room 13 Organizers: Professor Imin Kao, SUNY at

391 views • 3 slides
Welcome to the 2017 Charm++ Workshop! Laxmikant (Sanjay) Kale http://charm.cs.illinois.edu

Welcome to the 2017 Charm++ Workshop! Laxmikant (Sanjay) Kale http://charm.cs.illinois.edu

Welcome to the 2017 Charm++ Workshop! Laxmikant (Sanjay) Kale http://charm.cs.illinois.edu Parallel Programming Laboratory Department of Computer Science University of Illinois at Urbana Champaign 2017 CHARM++ WORKSHOP 1 A bit of history

437 views • 26 slides
The Emergence of Stability in Diverse Supply Chains Self- Workshop 2004 * Owen Densmore Xerox,

The Emergence of Stability in Diverse Supply Chains Self- Workshop 2004 * Owen Densmore Xerox,

The Emergence of Stability in Diverse Supply Chains Self- Workshop 2004 * Owen Densmore Xerox, Apple, Sun Retired - Santa Fe http://complexityworkshop.com http://friam.org http://friam.org Talk Example Agent Based Models

224 views • 18 slides
Slides Available Now! Slides from Todays Workshop are available at:

Slides Available Now! Slides from Todays Workshop are available at:

R ETHINKING Y OUR B UDGET: Leading Your Organization Through a More Comprehensive Financial Planning Process Slides Available Now! Slides from Todays Workshop are available at: http://info.aafcpa.com/mnn-budgeting- workshop-2017 State

430 views • 32 slides
V Thorsten Ohl http://whizard.hepforge.org http://physik.uni-wuerzburg.de/ohl Institute

V Thorsten Ohl http://whizard.hepforge.org http://physik.uni-wuerzburg.de/ohl Institute

T P 2 WHIZARD Version 2.2.0 V Thorsten Ohl http://whizard.hepforge.org http://physik.uni-wuerzburg.de/ohl Institute for Theoretical Physics and Astrophysics Wrzburg University Americas Workshop on Linear Colliders 2014 Fermilab

1.25k views • 91 slides
Criteria for resource allocation ISPC Workshop 9 May 2017 Amsterdam http://ispc.cgiar.org

Criteria for resource allocation ISPC Workshop 9 May 2017 Amsterdam http://ispc.cgiar.org

Criteria for resource allocation ISPC Workshop 9 May 2017 Amsterdam http://ispc.cgiar.org Workshop on Resource Allocation Structure What we did to assess the quality of Phase II CRP proposals Update on work with the System to

449 views • 14 slides
EcoFINDERS http://www.ecofinders.eu/ Workshop, Brussels, 2nd Annual Meeting EcoFINDERS 10-11

EcoFINDERS http://www.ecofinders.eu/ Workshop, Brussels, 2nd Annual Meeting EcoFINDERS 10-11

Soil Biodiversity and functioning: Lessons/Examples from EcoFINDERS http://www.ecofinders.eu/ Workshop, Brussels, 2nd Annual Meeting EcoFINDERS 10-11 June 2013 21 23 November 2012, Wageningen EU Soil Thematic Strategy Main information

247 views • 24 slides
The 15 th Workshop on Domain-Specific Modeling http://www.dsmforum.org/events/DSM15 SPLASH 27

The 15 th Workshop on Domain-Specific Modeling http://www.dsmforum.org/events/DSM15 SPLASH 27

The 15 th Workshop on Domain-Specific Modeling http://www.dsmforum.org/events/DSM15 SPLASH 27 October 2015 Pittsburgh, Pennsylvania 1 Objectives Share new insights and observations Identify new areas of DSM research and practice needs

402 views • 14 slides
Moving data in DTNs with HTTP and MIME Making use of HTTP for delay- and disruption-tolerant

Moving data in DTNs with HTTP and MIME Making use of HTTP for delay- and disruption-tolerant

Moving data in DTNs with HTTP and MIME Making use of HTTP for delay- and disruption-tolerant networks with convergence layers Lloyd Wood, Daniel Floreani, Peter Holliday, Ioannis Psaras e-DTN workshop, ICUMT, St Petersburg, 14 October 2009. Why

406 views • 11 slides
LATIN Appreciation Workshop http://latinappreciation.wordpress.com/ Latin Level I Session 8 of

LATIN Appreciation Workshop http://latinappreciation.wordpress.com/ Latin Level I Session 8 of

AM + DG LATIN Appreciation Workshop http://latinappreciation.wordpress.com/ Latin Level I Session 8 of 9 Latin Made Fun & Easy AM + DG Prayer Before Class A Study Deus, qui corda illustratione: fidlium Sancti [Ab] the light

1.06k views • 47 slides
Ansible workshop workshop Ansible The easiest way to: The easiest way to: orchestrate, deploy

Ansible workshop workshop Ansible The easiest way to: The easiest way to: orchestrate, deploy

Ansible workshop workshop Ansible The easiest way to: The easiest way to: orchestrate, deploy and manage orchestrate, deploy and manage http://dag.wiee.rs/attic/ansible-workshop/ http://dag.wiee.rs/attic/ansible-workshop/ NLUUG Spring

417 views • 13 slides
and http://www.silx.org/ HDF5 European Workshop for science and industry, 18 th of September 2019,

and http://www.silx.org/ HDF5 European Workshop for science and industry, 18 th of September 2019,

and http://www.silx.org/ HDF5 European Workshop for science and industry, 18 th of September 2019, ESRF. silx contributors: T. Vincent; V. Valls; H. Payno; J. Kieffer; V. A. Sol; P. Paleo; D. Naudet; G. Communie; P. Knobel; M. Retegan; M.

604 views • 17 slides
ECFA HL-LHC Workshop for 21 st to 23 rd October October 2013 ECFA HL-LHC Experiments Workshop at

ECFA HL-LHC Workshop for 21 st to 23 rd October October 2013 ECFA HL-LHC Experiments Workshop at

ECFA HL-LHC Workshop for 21 st to 23 rd October October 2013 ECFA HL-LHC Experiments Workshop at Aix-les-Bains link at http://indico.cern.ch/conferenceDisplay.py?co nfId=252045 The report from this to ECFA can be found at

480 views • 11 slides
DEVELOPMENT IN THE ARTS & CREATIVE INDUSTRY Image credit: http://http://ow.ly/gI53I 3ddock /

DEVELOPMENT IN THE ARTS & CREATIVE INDUSTRY Image credit: http://http://ow.ly/gI53I 3ddock /

YOUTH EMPOWERMENT THROUGH ICT FOR SUSTAINABLE DEVELOPMENT IN THE ARTS & CREATIVE INDUSTRY Image credit: http://http://ow.ly/gI53I 3ddock / 123RF Stock Photo West Africa Regional Workshop on Youth, 5/31/2014 ICTs & Global Challenges

567 views • 14 slides
Rails Girls Rails Girls workshop workshop Sebastian Witowski 1 test 2

Rails Girls Rails Girls workshop workshop Sebastian Witowski 1 test 2

I went to a I went to a Rails Girls Rails Girls workshop workshop Sebastian Witowski 1 test 2 http://railsgirls.com/geneva 3 Our aim is to give tools and a community for women to understand technology and to build their ideas. We do

738 views • 14 slides
A new era of large-scale replication and collaboration? http://www.slideshare.net/holcombea

A new era of large-scale replication and collaboration? http://www.slideshare.net/holcombea

A new era of large-scale replication and collaboration? http://www.slideshare.net/holcombea Alex.Holcombe@sydney.edu.au @ceptional Reproducibility workshop 26 Nov http://bizlab.unsw.edu.au/website/conference-2015.php Where science is not

567 views • 25 slides
Repairing HTTP authn. for Web security - HTTP Mutual authentication proposal - Yutaka OIWA (AIST

Repairing HTTP authn. for Web security - HTTP Mutual authentication proposal - Yutaka OIWA (AIST

Repairing HTTP authn. for Web security - HTTP Mutual authentication proposal - Yutaka OIWA (AIST Japan) May 25, 2011 W3C Workshop on Identity in the Browser Some Keywords yesterday and today You can't get there from here directly

322 views • 13 slides
LaTeX Workshop While youre waiting, please make an account at http://sharelatex.com 1

LaTeX Workshop While youre waiting, please make an account at http://sharelatex.com 1

LaTeX Workshop While youre waiting, please make an account at http://sharelatex.com 1 High-level overview 2 Intro: What is LaTeX, why bother learning it? Structure of a LaTeX document What does a document look like? Basic

1.17k views • 55 slides
Workshop on 1 st JILP Data Prefetching Championship http://www.jilp.org/dpc/ Alaa Alameldeen

Workshop on 1 st JILP Data Prefetching Championship http://www.jilp.org/dpc/ Alaa Alameldeen

Workshop on 1 st JILP Data Prefetching Championship http://www.jilp.org/dpc/ Alaa Alameldeen Eric Rotenberg Intel Corporation North Carolina State University Organizing Committee Chair Program Committee Chair Results Summary

673 views • 7 slides
Gibbs-Markov-Young structures Jos e F. Alves International Workshop on Differentiable

Gibbs-Markov-Young structures Jos e F. Alves International Workshop on Differentiable

Gibbs-Markov-Young structures Jos e F. Alves International Workshop on Differentiable Dynamical Systems 5-9 August, 2019 Jilin University, China http://www.fc.up.pt/pessoas/jfalves/slides.pdf http://www.fc.up.pt/pessoas/jfalves/notes.pdf

1.23k views • 112 slides
LATIN Appreciation Workshop http://latinappreciation.wordpress.com/ Latin Level I Session 7 of

LATIN Appreciation Workshop http://latinappreciation.wordpress.com/ Latin Level I Session 7 of

AM + DG LATIN Appreciation Workshop http://latinappreciation.wordpress.com/ Latin Level I Session 7 of 9 Latin Made Fun & Easy AM + DG Prayer Before Class A Study Veni, Sancte reple: fill again Spirtus, reple turum corda corda:

723 views • 46 slides

More recommend