Industrial Strength Software Hacking Simon McPartlin Berlin, December 3 rd, 2015.

Slides:



Advertisements
Similar presentations
What Was I Thinking??. Key Terms 1. Control 1. Control 2. Design Mode 2. Design Mode 3. Event 3. Event 4. Form 4. Form 5. Interface 5. Interface 6. Properties.
Advertisements

COMP 2003: Assembly Language and Digital Logic
SMT Solvers for Malware Unpacking 8 July Authors and thanks 2 Ian Blumenfeld Roberta Faux Paul Li Work overseen by Mark Raugas – Director CyberPoint.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.
Let’s Get GUI! Understanding the Windows ® Graphical User Interface © 2006 by Ted Altenberg
Procedures and Stacks. Outline Stack organization PUSH and POP instructions Defining and Calling procedures.
©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Introduction to Reverse Engineering Inbar Raz Malware Research Lab Manager.
Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.
Refresh, V.10, July 2, 2010 Name Title, Date Copyright © 2011 Infor. All rights reserved. INFOR – A LOOK INTO THE FUTURE NameJamie Bridgman TitleAccount.
Debugging code with limited system resource. Minheng Tan Oct
PC hardware and x86 3/3/08 Frans Kaashoek MIT
Accessing parameters from the stack and calling functions.
Position Independent Code self sufficiency of combining program.
OllyDbg Debuger.
CS2422 Assembly Language & System Programming November 7, 2006.
BTEc unit 12 software development
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
Application Security Tom Chothia Computer Security, Lecture 14.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
6.828: PC hardware and x86 Frans Kaashoek
Max Planck Institute for Psycholinguistics Tool development report H. Brugman MPI Nijmegen.
©2012 Check Point Software Technologies Ltd. Introduction to Reverse Engineering Inbar Raz Malware Research Lab Manager Information Security – Theory vs.
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Instrumentation - initial results Sung Kim, Jeff Perkins MIT.
Mr C Johnston ICT Teacher BTEC IT Unit 06 - Lesson 01 Introduction to Computer Programming.
Assembly Language for Intel-Based Computers, 6 th Edition Chapter 8: Advanced Procedures (c) Pearson Education, All rights reserved. You may.
1 cs205: engineering software university of virginia fall 2006 Forgiveness and Permissions.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Surprise Exception Handlers Peter Ferrie Senior Anti-virus Researcher 11 June,
For each customer interface record, a new instance of Workflow main process is kicked off, as below Click to proceed…………
Analyzing Memory Accesses in Obfuscated x86 Executables Michael Venable Mohamed R. Choucane Md. Enamul Karim Arun Lakhotia (Presenter) DIMVA 2005 Wien.
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional.
3.9 to  Also refer to as Program  Contains set of instructions that tells the computer how to perform specific task.  Each line of code is referred.
Copyright © 2010 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Starting Out with Programming Logic & Design Second Edition by Tony Gaddis.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Reading Technical Directions Text Features Following Technical Directions Feature Menu.
Stack Usage with MS Visual Studio Without Stack Protection.
1 The Stack and Procedures Chapter 5. 2 A Process in Virtual Memory  This is how a process is placed into its virtual addressable space  The code is.
Remember…  Please do not…  Change the background.  Change the icons.  Change the font. Use Times New Roman (size 12 font).  Use color. We cannot print.
COMP1070/2002/lec1/H.Melikian COMP1070 Lecture #2 Computers and Computer Languages Some terminology What is Software? Operating Systems.
13/July/1999Third USENIX Windows NT Symposium1 Detours: Binary Interception of Win32 Functions Galen Hunt and Doug Brubacher Systems and Networking Group.
Assembly Language for Intel-Based Computers, 4 th Edition Lecture 22: Conditional Loops (c) Pearson Education, All rights reserved. You may modify.
Standardized Fault Reporting in Electronic Commerce Software University of St. Thomas MBIF 705 – Foundations of Electronic Commerce Jeff D. Conrad December.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat.
ICS51 Introductory Computer Organization Accessing parameters from the stack and calling functions.
Chapter 8 String Operations. 8.1 Using String Instructions.
7-Nov Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Oct lecture23-24-hll-interrupts 1 High Level Language vs. Assembly.
Instruction Set Architecture
NAV 2013 Customer statistics and export to Excel
Static and dynamic analysis of binaries
Customizing the Quick Access Toolbar in Microsoft Office
Assembly IA-32.
Subroutine Call; Stack
Using Objects in Alice.
C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Stack Frames and Advanced Procedures
Memory Segments Code (.code) Data (.data) Stack Heap
Lecture 19: 0xCAFEBABE (Java Byte Codes) CS201j: Engineering Software
Information Security - 2
Select the day from dropdown menu: Friday Select the workshop: W-23
Machine-Level Programming: Introduction
Multi-modules programming
3.1 Basic Concept of Directory and Sub-directory
X86 Assembly Review.
Low-Level Thread Dispatching on the x86
Code Composer Essentials 3.0
Custom Forms with VBA in Excel In-Class Exercise #11
You are the manager of a team of ARM programmers
Computer Architecture and System Programming Laboratory
Presentation transcript:

Industrial Strength Software Hacking Simon McPartlin Berlin, December 3 rd, 2015

Case study: Interacting with PowerPoint Function Detouring Detouring exercises Workshop Outline 2

Case study: Interacting with PowerPoint XML to customize the user interface APIs to access the PowerPoint object model Event notification mechanism 3

PowerPoint calls our Bold button handler and we can set the other labels to Bold PowerPoint calls our Italic button handler and we can set the other labels to Italic User selects label and clicks on Bold button No notification from PowerPoint for drop-down menu events 4 Diagram ADiagram CDiagram B Diagram ADiagram CDiagram B Diagram ADiagram C User selects label and clicks on Italic button User selects new font size from drop-down menu

Case study: Interacting with PowerPoint 5 run original function’s code call FontSizeMenuHandler NewOnFontSizeMenuClick... FontSizeMenuHandler... BoldButtonHandler... process font size click... OnFontSizeMenuClick... process bold click call BoldButtonHandler... OnBoldButtonClick POWERPOINT jmp NewOnFontSizeMenuClick

Case study: Interacting with PowerPoint Function Detouring Frequently asked questions Finding the target function Function detouring framework Detouring exercises Workshop Outline 6

Case study: Interacting with PowerPoint Function Detouring Frequently asked questions Finding the target function Function detouring framework Detouring exercises Workshop Outline 7

Frequently asked questions Is function detouring legal? Digital Millennium Copyright Act Electronic Frontier Foundation ( Does it really work? It’s just really for cracking, isn’t it? Function monitoring Bug fixing Undocumented APIs 8

Case study: Interacting with PowerPoint Function Detouring Frequently asked questions Finding the target function Function detouring framework Detouring exercises Workshop Outline 9

Finding the target function Public API function Search for candidate function(s) Disassemblers and debuggers Function entry/exit tracing Window sub-classing 10

Finding the target function 11 Call Stack Name BoldButtonHandler InternFunctionE InternFunctionD InternFunctionC InternFunctionB InternFunctionA...

Finding the target function Exported function OS call, e.g. GetProcAddress Internal function Store target function address Only valid for particular build Search for the target function 12

Finding the target function Search for binary code 13 push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push mov ecx,esi call sub_451286E4 done: pop esi retn 55 8B EC 56 8B F1 83 3E A 1B E B CE E8 26 C3 B4 00 5E C3

Finding the target function Reduce size of binary code to match 14 push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push mov ecx,esi call sub_451286E4 done: pop esi retn push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push mov ecx,esi call sub_451286E4 done: pop esi retn 55 8B EC 56 8B F1 83 3E A 1B E B CE E8 26 C3 B4 00 5E C3 55 8B EC 56 8B F1 83 3E A 1B E B CE E8 26 C3 B4 00 5E C3

Finding the target function Partially defined instructions 15 push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push mov ecx,esi call sub_451286E4 done: pop esi retn push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push mov ecx,esi call sub_451286E4 done: pop esi retn 55 8B EC 56 8B F1 83 3E A 1B E B CE E8 26 C3 B4 00 5E C3 55 8B EC 56 8B F1 83 3E A 1B E B CE E8 26 C3 B4 00 5E C3

Case study: Interacting with PowerPoint Function Detouring Frequently asked questions Finding the target function Function detouring framework Detouring exercises Workshop Outline 16

Function detouring framework Patch the target function start Make the original target function code available As robust as possible 17

Function detouring framework 18 movzx ecx,[esp+8] movzx ecx,[esp+0Ch]... TargetFunction... call TargetFunction... DetourFunction

Function detouring framework 19 jmp DetourFunction movzx ecx,[esp+0Ch]... TargetFunction... call TargetFunction... DetourFunction movzx eax,[esp+8] jmp TargetFunction+5 OriginalFunction... call OriginalFunction...

jmp DetourStub movzx ecx,[esp+0Ch]... Function detouring framework 20 TargetFunction... call TargetFunction... DetourFunction movzx eax,[esp+8] jmp TargetFunction+5 OriginalFunction... call OriginalFunction... call DetourFunction... DetourStub

Function detouring framework 21 jmp DetourStub movzx ecx,[esp+0Ch]... TargetFunction... call TargetFunction... call OriginalStub... DetourFunction movzx eax,[esp+8] jmp TargetFunction+5 OriginalFunction... call DetourFunction... DetourStub... call OriginalFunction... OriginalStub

Case study: Interacting with PowerPoint Function Detouring Detouring exercises Workshop Outline 22

think-cell Chausseestraße 8/E Berlin Germany Tel Fax

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.