Sunday, September 20, 2009

SANS webcast - Developing exploits

SEC709 Developing Exploits for Penetration Tester and Security

From Stephen Sims

Precompile framework
-core impact
-immunity canvas

code analysis
code scanning tool,gcar lcar
(not really catch the application name he mentioned such as gcar and lcar)

Debugger : immunity debugger

OS monitoring tools
-ProcMon, RegMon,FileMon,RegShot

What happen during the crash?
-Analysis the status of each register
eg , strange 0x41414141 if the input is A
-is the Return Pointer or SEH chain overwritten?
analysis the stack segment and monitor ESP/EBP
-are heap overwritten?
analysis dynamic memory allocation

Tool : findjump kernel32.dll edx
-get pop-pop-return address

Several protection

-protect SEH pointer again overwrite

-randomises the location of libraries and memory segment

-prevent code execution on stack and heap

Security cookies
-pushes unique values onto the stack and heap during allocations which are

checked upon exit or free

Useful screenshot

No comments:

Post a Comment