SEC709 Developing Exploits for Penetration Testers and Security
From Stephen Sims
code scanning tools: gcar, lcar
(did not really catch the application names he mentioned, such as gcar and lcar)
Debugger: Immunity Debugger
OS monitoring tools
What happens during the crash?
-Analyse the state of each register
e.g. a suspicious 0x41414141 when the input was a run of 'A' characters
-Is the return pointer or the SEH chain overwritten?
analyse the stack segment and monitor ESP/EBP
-Is the heap overwritten?
analyse the dynamic memory allocations
Tool: findjmp kernel32.dll edx
-finds pop/pop/ret addresses (used when the SEH chain is overwritten)
Mitigations
-protects the SEH pointer against overwrite
-randomises the locations of libraries and memory segments
-prevents code execution on the stack and heap
-pushes unique values onto the stack and heap during allocations, which are checked on function exit or on free
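The crash-analysis tip above (a register filled with 0x41414141) and the last mitigation in the list (unique values pushed onto the stack and checked on exit) as one added C example; it is not from the SEC709 notes or from Stephen Sims. The frame layout, the constant cookie value and the helper names (looks_controlled, guarded_copy, demo_all_a) are constructed for illustration and do not reproduce the real Windows /GS implementation; the simulated frame is one byte array so the over-long copy stays inside a single object and the program has no undefined behaviour.

```c
/* Added example (not from the SEC709 notes): a minimal model of the
 * "unique value pushed onto the stack and checked on exit" mitigation
 * (a stack cookie / canary), plus a helper that flags the 0x41414141
 * register pattern the notes mention. Frame layout and cookie value are
 * constructed for illustration, not Windows' real /GS layout. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Simulated frame: fixed buffer followed by the cookie, held in one byte
 * array so an over-long copy stays inside a single object. */
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t))

/* Constructed cookie value; a real implementation draws it at process start. */
static const uint32_t COOKIE = 0xBB40E64Eu;

/* Does a register value look like it was filled from attacker-controlled
 * input: all four bytes equal and printable, e.g. 0x41414141 for 'AAAA'? */
int looks_controlled(uint32_t reg) {
    uint32_t b = reg & 0xFFu;
    uint32_t pattern = b | (b << 8) | (b << 16) | (b << 24);
    return reg == pattern && b >= 0x20u && b < 0x7Fu;
}

/* Copy 'len' bytes into the frame's buffer without checking against
 * BUF_SIZE (the bug), then verify the cookie before "returning".
 * Returns 1 if the cookie survived, 0 if corruption was detected.
 * The clamp to FRAME_SIZE only keeps the demo inside the array. */
int guarded_copy(const unsigned char *input, size_t len) {
    unsigned char frame[FRAME_SIZE];
    uint32_t check;

    memcpy(frame + BUF_SIZE, &COOKIE, sizeof(COOKIE));  /* push cookie */
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame, input, len);                            /* unchecked copy */

    memcpy(&check, frame + BUF_SIZE, sizeof(check));     /* check on exit */
    return check == COOKIE;
}

/* Feed 'len' bytes of 'A' (constructed input) through guarded_copy. */
int demo_all_a(size_t len) {
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof(input));
    return guarded_copy(input, len);
}

int main(void) {
    printf("5 x 'A':  cookie intact = %d\n", demo_all_a(5));   /* 1 */
    printf("20 x 'A': cookie intact = %d\n", demo_all_a(20));  /* 0 */
    printf("0x41414141 looks controlled = %d\n", looks_controlled(0x41414141u)); /* 1 */
    printf("0x0040102A looks controlled = %d\n", looks_controlled(0x0040102Au)); /* 0 */
    return 0;
}
```

The cookie check detects corruption only if the overwrite passes through the cookie; a write that lands past it, or a heap overflow in a different object, is what the separate heap-side checks on free are meant to catch.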