Presentation is loading. Please wait.

Presentation is loading. Please wait.

Industrial Strength Software Hacking Simon McPartlin Berlin, December 3 rd, 2015.

Published byAnastasia Blair Modified over 9 years ago

Similar presentations

Presentation on theme: "Industrial Strength Software Hacking Simon McPartlin Berlin, December 3 rd, 2015."— Presentation transcript:

1 Industrial Strength Software Hacking Simon McPartlin Berlin, December 3 rd, 2015

2 Case study: Interacting with PowerPoint Function Detouring Detouring exercises Workshop Outline 2

3 Case study: Interacting with PowerPoint XML to customize the user interface APIs to access the PowerPoint object model Event notification mechanism 3

4 PowerPoint calls our Bold button handler and we can set the other labels to Bold PowerPoint calls our Italic button handler and we can set the other labels to Italic User selects label and clicks on Bold button No notification from PowerPoint for drop-down menu events 4 Diagram ADiagram CDiagram B Diagram ADiagram CDiagram B Diagram ADiagram C User selects label and clicks on Italic button User selects new font size from drop-down menu

5 Case study: Interacting with PowerPoint 5 run original function’s code call FontSizeMenuHandler NewOnFontSizeMenuClick... FontSizeMenuHandler... BoldButtonHandler... process font size click... OnFontSizeMenuClick... process bold click call BoldButtonHandler... OnBoldButtonClick POWERPOINT jmp NewOnFontSizeMenuClick

6 Case study: Interacting with PowerPoint Function Detouring Frequently asked questions Finding the target function Function detouring framework Detouring exercises Workshop Outline 6

7 Case study: Interacting with PowerPoint Function Detouring Frequently asked questions Finding the target function Function detouring framework Detouring exercises Workshop Outline 7

8 Frequently asked questions Is function detouring legal? Digital Millennium Copyright Act Electronic Frontier Foundation (www.eff.org) Does it really work? It’s just really for cracking, isn’t it? Function monitoring Bug fixing Undocumented APIs 8

9 Case study: Interacting with PowerPoint Function Detouring Frequently asked questions Finding the target function Function detouring framework Detouring exercises Workshop Outline 9

10 Finding the target function Public API function Search for candidate function(s) Disassemblers and debuggers Function entry/exit tracing Window sub-classing 10

11 Finding the target function 11 Call Stack Name BoldButtonHandler InternFunctionE InternFunctionD InternFunctionC InternFunctionB InternFunctionA...

12 Finding the target function Exported function OS call, e.g. GetProcAddress Internal function Store target function address Only valid for particular build Search for the target function 12

13 Finding the target function Search for binary code 13 push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push 65345609 mov ecx,esi call sub_451286E4 done: pop esi retn 55 8B EC 56 8B F1 83 3E 00 74 13 6A 1B E8 09 10 00 00 68 09 56 34 65 8B CE E8 26 C3 B4 00 5E C3

14 Finding the target function Reduce size of binary code to match 14 push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push 65345609 mov ecx,esi call sub_451286E4 done: pop esi retn push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push 65345609 mov ecx,esi call sub_451286E4 done: pop esi retn 55 8B EC 56 8B F1 83 3E 00 74 13 6A 1B E8 09 10 00 00 68 09 56 34 65 8B CE E8 26 C3 B4 00 5E C3 55 8B EC 56 8B F1 83 3E 00 74 13 6A 1B E8 09 10 00 00 68 09 56 34 65 8B CE E8 26 C3 B4 00 5E C3

15 Finding the target function Partially defined instructions 15 push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push 65345609 mov ecx,esi call sub_451286E4 done: pop esi retn push ebp mov ebp,esp pushesi mov esi,ecx cmp dword ptr [esi],0 jz done push 1Bh call sub_445DD3BB push 65345609 mov ecx,esi call sub_451286E4 done: pop esi retn 55 8B EC 56 8B F1 83 3E 00 74 13 6A 1B E8 09 10 00 00 68 09 56 34 65 8B CE E8 26 C3 B4 00 5E C3 55 8B EC 56 8B F1 83 3E 00 74 13 6A 1B E8 09 10 00 00 68 09 56 34 65 8B CE E8 26 C3 B4 00 5E C3

16 Case study: Interacting with PowerPoint Function Detouring Frequently asked questions Finding the target function Function detouring framework Detouring exercises Workshop Outline 16

17 Function detouring framework Patch the target function start Make the original target function code available As robust as possible 17

18 Function detouring framework 18 movzx ecx,[esp+8] movzx ecx,[esp+0Ch]... TargetFunction... call TargetFunction... DetourFunction

19 Function detouring framework 19 jmp DetourFunction movzx ecx,[esp+0Ch]... TargetFunction... call TargetFunction... DetourFunction movzx eax,[esp+8] jmp TargetFunction+5 OriginalFunction... call OriginalFunction...

20 jmp DetourStub movzx ecx,[esp+0Ch]... Function detouring framework 20 TargetFunction... call TargetFunction... DetourFunction movzx eax,[esp+8] jmp TargetFunction+5 OriginalFunction... call OriginalFunction... call DetourFunction... DetourStub

21 Function detouring framework 21 jmp DetourStub movzx ecx,[esp+0Ch]... TargetFunction... call TargetFunction... call OriginalStub... DetourFunction movzx eax,[esp+8] jmp TargetFunction+5 OriginalFunction... call DetourFunction... DetourStub... call OriginalFunction... OriginalStub

22 Case study: Interacting with PowerPoint Function Detouring Detouring exercises Workshop Outline 22

23 think-cell Chausseestraße 8/E 10115 Berlin Germany Tel+49-30-666473-10 Fax+49-30-666473-19 www.think-cell.com hr@think-cell.com

Download ppt "Industrial Strength Software Hacking Simon McPartlin Berlin, December 3 rd, 2015."

Similar presentations

What Was I Thinking??. Key Terms 1. Control 1. Control 2. Design Mode 2. Design Mode 3. Event 3. Event 4. Form 4. Form 5. Interface 5. Interface 6. Properties.

What Was I Thinking??. Key Terms 1. Control 1. Control 2. Design Mode 2. Design Mode 3. Event 3. Event 4. Form 4. Form 5. Interface 5. Interface 6. Properties.
COMP 2003: Assembly Language and Digital Logic

COMP 2003: Assembly Language and Digital Logic
SMT Solvers for Malware Unpacking 8 July 2013. Authors and thanks 2 Ian Blumenfeld Roberta Faux Paul Li Work overseen by Mark Raugas – Director CyberPoint.

SMT Solvers for Malware Unpacking 8 July Authors and thanks 2 Ian Blumenfeld Roberta Faux Paul Li Work overseen by Mark Raugas – Director CyberPoint.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.
Let’s Get GUI! Understanding the Windows ® Graphical User Interface © 2006 by Ted Altenberg www.MrAltenberg.net.

Let’s Get GUI! Understanding the Windows ® Graphical User Interface © 2006 by Ted Altenberg
Procedures and Stacks. Outline Stack organization PUSH and POP instructions Defining and Calling procedures.

Procedures and Stacks. Outline Stack organization PUSH and POP instructions Defining and Calling procedures.
©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Introduction to Reverse Engineering Inbar Raz Malware Research Lab Manager.

©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Introduction to Reverse Engineering Inbar Raz Malware Research Lab Manager.
Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.

Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.
Refresh, V.10, July 2, 2010 Name Title, Date Copyright © 2011 Infor. All rights reserved. INFOR – A LOOK INTO THE FUTURE NameJamie Bridgman TitleAccount.

Refresh, V.10, July 2, 2010 Name Title, Date Copyright © 2011 Infor. All rights reserved. INFOR – A LOOK INTO THE FUTURE NameJamie Bridgman TitleAccount.
Debugging code with limited system resource. Minheng Tan Oct 28 2002.

Debugging code with limited system resource. Minheng Tan Oct
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Position Independent Code self sufficiency of combining program.

Position Independent Code self sufficiency of combining program.
OllyDbg Debuger.

OllyDbg Debuger.
CS2422 Assembly Language & System Programming November 7, 2006.

CS2422 Assembly Language & System Programming November 7, 2006.
BTEc unit 12 software development

BTEc unit 12 software development
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
Application Security Tom Chothia Computer Security, Lecture 14.

Application Security Tom Chothia Computer Security, Lecture 14.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google