List of Figures

Chapter 1: Required Tools

Figure 1.1: The NASM logo
Figure 1.2: SoftIce is a professional-oriented debugger
Figure 1.3: The compact and fast OllyDbg
Figure 1.4: The console version of IDA Pro is the natural habitat of professional code diggers
Figure 1.5: There are disassemblers even for the Palm PC
Figure 1.6: Debugging a virus using the integrated debugger of the Bochs emulator started under Windows 2000
Figure 1.7: Investigating the behavior of UNIX viruses using the Iceix disassembler

Chapter 3: Hacking Using GPRS Uncovered

Figure 3.1: The http://www.showmyip.com proxy-checking service displays as much information as is possible to collect
Figure 3.2: The Secret Surfer program automatically builds a chain of anonymous proxies
Figure 3.3: General principle of GPRS communications
Figure 3.4: GPRS modem connected to a notebook via a USB port
Figure 3.5: GPRS modem implemented in the form of a PCI adapter. The 8-pin chip above the center is EEPROM
Figure 3.6: Disassembling the firmware
Figure 3.7: Format of MIN representation
Figure 3.8: IMEI calculator

Chapter 4: Buffers Subject to Overflow (Lane of Monsters)

Figure 4.1: The number of security holes detected during the past year (according to data reported by CERT)
Figure 4.2: Using NOPs (a NOP sled) to relax the precision with which the return address must land inside the shellcode
Figure 4.3: Map of stack memory allocation
Figure 4.4: Dynamic memory blocks
Figure 4.5: Approximate map of dynamic memory allocation

Chapter 5: Exploiting SEH

Figure 5.1: Global exception-handling chain (according to MSDN documentation)

Chapter 6: Specifiers Under Control

Figure 6.1: Stack status at the moment of the call to the printf function
Figure 6.2: Reaction of the demo program to a sequence of six %s specifiers
Figure 6.3: Demonstration of memory cell overwriting

Chapter 7: Practical Overflow Example

Figure 7.1: Dynamic memory of Internet Explorer being investigated using LordPE Deluxe (dump region)
Figure 7.2: The rate of memory usage growth when the exploit is started for execution
Figure 7.3: A fragment of the original exploit: all strings are Unicode strings, and the 0D0D0D0Dh code is at the end
Figure 7.4: The same fragment after replication: all strings are ASCII strings, and the 0D0D0D0Dh code is replaced by 3F3Fh
Figure 7.5: Security settings in the browser

Chapter 8: Searching for Overflowing Buffers

Figure 8.1: The IDA Pro navigator. The domination of blue means that most library functions remain unrecognized, because the disassembler could not determine the type of compiler. In this case, appropriate signatures must be loaded manually
Figure 8.2: The list of signatures known to IDA
Figure 8.3: The domination of light blue (the color of recognized library functions) means that now everything is OK
Figure 8.4: Drawing a conclusion about the possibility (or impossibility) of overflow
Figure 8.5: Hierarchy of function calls in graphical representation
Figure 8.6: Reaction of the system to buffer overflow
Figure 8.7: Passing control to the root function

Chapter 9: Methods of Protecting Buffers Against Overflow

Figure 9.1: Overhead for the explicit check of the buffer boundaries before each function call

Chapter 10: Shellcoding Problems

Figure 10.1: An example illustrating how system calls can be used for malicious purposes

Chapter 12: Self-Modification Basics

Figure 12.1: Encrypting the protected procedure using HIEW
Figure 12.2: Fragment of the opcodes table from the Tech Help reference manual
Figure 12.3: Generalized structure of the machine command
Figure 12.4: Possible values of the Mod R/M field

Chapter 13: Playing Hide-and-Seek Under Linux

Figure 13.1: Consequences of starting Adore 0.42 under Knoppix 3.7 LiveCD
Figure 13.2: Consequences of disguising the module using the Solar Designer method: commands such as insmod/lsmod/rmmod cease to work
Figure 13.3: Process organization in Linux
Figure 13.4: Removing the process from a double-linked list of processes
Figure 13.5: The consequences of a failed attempt at trapping syscalls
Figure 13.6: Viewing /dev/mem in a HEX editor

Chapter 14: Capturing Ring 0 Under Linux

Figure 14.1: The virtual memory state when the page fault handler is called by two concurrent threads
Figure 14.2: The virtual memory state at the moment of the page fault handler exit

Chapter 15: Compiling and Decompiling Shellcode

Figure 15.1: IDA visualizer displaying flow control in the form of a diagram (large scale)

Chapter 16: Life Cycle of a Worm

Figure 16.1: Something is obstinately trying to force its way to port 135, where the vulnerability lies
Figure 16.2: The worm sends requests to different IP addresses
Figure 16.3: The worm receives the reply identifying the suitable target and sends to it the head containing the shellcode
Figure 16.4: The worm head overflows the buffer, captures control, and uploads the tail
Figure 16.5: The captured host becomes a new bulwark that continues worm propagation
Figure 16.6: Rapid propagation of worms causes network congestion
Figure 16.7: Dependence of the worm propagation rate on time
Figure 16.8: Hardware traffic analyzer

Chapter 17: Local Viruses in the UNIX World

Figure 17.1: Viruses spawn even on the UNIX platform

Chapter 19: ELF Files

Figure 19.1: Typical structure of the virus code
Figure 19.2: Typical method of infecting an executable file by merging
Figure 19.3: An example illustrating an executable file merged by the UNIX.a.out virus. A tiny code section (about 300 bytes) indicates a high probability of infection
Figure 19.4: The file infected with the PolyEngine.Linux.LIME.poly virus, which has inserted its body into the end of the .data section and set the entry point there
Figure 19.5: Typical method of infecting an executable file by extending its last section
Figure 19.6: The cat utility before (a) and after (b) infection
Figure 19.7: Fragment of the file infected with the Lin/Vit virus (fields modified by the virus are enclosed in frames)
Figure 19.8: Typical method of infecting an executable file by extending its code section
Figure 19.9: Fragment of the HEX dump of the file infected by the UNIX.inheader.6666 virus, which inserts its body into the ELF header
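The figures above each point at a symptom that can be checked without a disassembler: a suspiciously small code section (Figure 19.3), an entry point that lands in a writable data segment (Figure 19.4), or an entry point that sits inside the ELF header itself (Figure 19.9). The following C program is an added example, not code from the book: it builds a constructed ELF64 image in memory (headers only, no real code) and scans its program headers for those symptoms. The flag names, the 512-byte "tiny text" threshold, and the sample layout (text at 0x400000, data at 0x601000) are this example's own choices.

```c
/* Added example, not from the book: check an in-memory ELF64 image for a
 * few of the infection symptoms the figures of this chapter point at,
 * using program headers only (no section table needed). The sample image
 * is constructed here and carries no real code. */
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum {
    ELF_BAD             = 1,   /* not a parseable ELF64 */
    ELF_ENTRY_NOT_EXEC  = 2,   /* entry point in a non-executable segment */
    ELF_ENTRY_WRITABLE  = 4,   /* entry point in a writable segment (cf. Figure 19.4) */
    ELF_ENTRY_IN_HEADER = 8,   /* entry point inside the ELF/program headers (cf. Figure 19.9) */
    ELF_ENTRY_NOWHERE   = 16,  /* entry point not covered by any PT_LOAD */
    ELF_TINY_TEXT       = 32   /* executable segment under 512 bytes (cf. Figure 19.3) */
};

unsigned inspect_elf64(const uint8_t *img, size_t len)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    if (len < sizeof eh) return ELF_BAD;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64) return ELF_BAD;
    uint64_t ph_end = eh.e_phoff + (uint64_t)eh.e_phnum * sizeof ph;   /* end of header area */
    if (eh.e_phentsize != sizeof ph || ph_end > len) return ELF_BAD;
    unsigned found = 0, hit = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        if ((ph.p_flags & PF_X) && ph.p_filesz < 512) found |= ELF_TINY_TEXT;
        if (eh.e_entry < ph.p_vaddr || eh.e_entry >= ph.p_vaddr + ph.p_memsz) continue;
        hit = 1;                                    /* this segment contains the entry point */
        if (!(ph.p_flags & PF_X)) found |= ELF_ENTRY_NOT_EXEC;
        if (ph.p_flags & PF_W)    found |= ELF_ENTRY_WRITABLE;
        if (eh.e_entry - ph.p_vaddr + ph.p_offset < ph_end) found |= ELF_ENTRY_IN_HEADER;
    }
    if (!hit) found |= ELF_ENTRY_NOWHERE;
    return found;
}

/* Constructed sample: ELF header + two PT_LOADs, text R+X at 0x400000
 * (file offset 0) and data R+W at 0x601000 (file offset 0x1000). */
size_t build_sample_elf(uint8_t *img, size_t cap, uint64_t entry, uint64_t text_filesz)
{
    const size_t need = 0x1100;
    if (cap < need) return 0;
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(img, 0, need);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB; eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_entry = entry; eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD; ph[0].p_flags = PF_R | PF_X; ph[0].p_vaddr = 0x400000;
    ph[0].p_filesz = ph[0].p_memsz = text_filesz; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_LOAD; ph[1].p_flags = PF_R | PF_W; ph[1].p_offset = 0x1000;
    ph[1].p_vaddr = 0x601000; ph[1].p_filesz = 0x100; ph[1].p_memsz = 0x200; ph[1].p_align = 0x1000;
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, ph, sizeof ph);
    return need;
}

/* Build one sample with the given entry point and text size, then scan it. */
unsigned scan_case(uint64_t entry, uint64_t text_filesz)
{
    static uint8_t img[0x1100];
    size_t n = build_sample_elf(img, sizeof img, entry, text_filesz);
    return n ? inspect_elf64(img, n) : ELF_BAD;
}
```

A clean layout (entry 0x400400 in an 0x800-byte text segment) yields no findings; an entry of 0x601010 lands in the data segment and raises both the non-executable and writable flags, 0x400080 falls inside the 176-byte header area, and a 0x100-byte text segment trips the tiny-text heuristic. On real binaries the heuristics need tuning (dynamically linked programs have large text segments, and some packers legitimately put the entry in an odd place), but a hit is a good reason to open the file in a HEX editor as the figures do.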

Chapter 21: Main Symptoms of Virus Infection

Figure 21.1: Fragment of a file infected with the VirTool.Linux.Mmap.443 virus. When viewing the file in the HEX dump mode, the ELF string used by the virus for searching possible targets for infection is clearly visible
Figure 21.2: Fragment of a file infected with the VirTool.Linux.Mmap.443 virus, which discloses its presence by direct calls to the native API of the operating system
Figure 21.3: Fragment of a normal file (the cat utility from the FreeBSD distribution set). Note that native API calls are carefully enclosed in wrapper functions

Chapter 22: Simplest Windows NT Virus

Figure 22.1: NTFS supports several streams within a file
Figure 22.2: WinRAR is capable of archiving streams
Figure 22.3: The file has been infected successfully
Figure 22.4: Reaction of the infected file when started for execution

Chapter 23: Bypassing Firewalls

Figure 23.1: Network nodes protected by firewalls are as safe as if protected by a brick wall
Figure 23.2: Typical structure of a local area network
Figure 23.3: Contents of an IP header
Figure 23.4: Structure of a TCP header
Figure 23.5: The nmap utility
Figure 23.6: Fragmentation of TCP packets as method of bypassing firewalls
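Figures 23.3, 23.4 and 23.6 together describe the classic fragmentation bypass: a stateless filter classifies each IP datagram by the TCP ports and flags it can see, so if the TCP header is cut across two IP fragments, the first fragment carries no flags to judge and the second carries no ports. The C program below is an added example, not code from the book. It parses the IPv4 and TCP headers, fragments a hand-built SYN (checksums are left zero, and the "block SYN to port 23" policy is a stand-in rule assumed for the demo), and contrasts a naive per-datagram filter with one that applies the RFC 1858 rules (first fragment must carry the whole TCP header, and a fragment at offset 1 is dropped because it could overwrite the flags already seen).

```c
/* Added example, not from the book: decode the IPv4 and TCP headers of
 * Figures 23.3/23.4 and show the fragmentation trick of Figure 23.6.
 * Packets are constructed by hand (checksums left zero); the filter
 * policy "block SYN to TCP port 23" is an assumption for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct ipv4_hdr { uint8_t ihl, protocol; uint16_t total_length, id, frag_offset; int more_fragments; };
struct tcp_hdr  { uint16_t sport, dport; uint8_t flags; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Returns the IPv4 header length in bytes, or -1 if malformed. */
int parse_ipv4(const uint8_t *buf, size_t len, struct ipv4_hdr *h)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    h->ihl = buf[0] & 0x0f;
    if (h->ihl < 5 || (size_t)h->ihl * 4 > len) return -1;
    h->total_length   = rd16(buf + 2);
    h->id             = rd16(buf + 4);
    h->more_fragments = (rd16(buf + 6) >> 13) & 1;   /* MF flag */
    h->frag_offset    = rd16(buf + 6) & 0x1fff;      /* in 8-byte units */
    h->protocol       = buf[9];
    return h->ihl * 4;
}

/* Ports and flags live in the first 14 bytes of the TCP header. */
int parse_tcp(const uint8_t *buf, size_t len, struct tcp_hdr *t)
{
    if (len < 14) return -1;
    t->sport = rd16(buf); t->dport = rd16(buf + 2); t->flags = buf[13];
    return 0;
}

/* Stateless filter that judges each datagram on its own.
 * 0 = pass, 1 = block, 2 = first fragment too short to classify. */
int naive_filter(const uint8_t *pkt, size_t len)
{
    struct ipv4_hdr ip; struct tcp_hdr tcp;
    int hl = parse_ipv4(pkt, len, &ip);
    if (hl < 0 || ip.protocol != 6) return 0;
    if (ip.frag_offset != 0) return 0;              /* "no ports in here, let it through" */
    if (parse_tcp(pkt + hl, len - hl, &tcp) < 0) return 2;
    return (tcp.dport == 23 && (tcp.flags & 0x02)) ? 1 : 0;
}

/* RFC 1858 style: the first fragment must carry the whole TCP header, and
 * a fragment at offset 1 (bytes 8..15, where the flags sit) is dropped. */
int strict_filter(const uint8_t *pkt, size_t len)
{
    struct ipv4_hdr ip; struct tcp_hdr tcp;
    int hl = parse_ipv4(pkt, len, &ip);
    if (hl < 0) return 1;
    if (ip.protocol != 6) return 0;
    if (ip.frag_offset == 1) return 1;
    if (ip.frag_offset > 1) return 0;               /* later fragments: reassembly's problem */
    if (len - (size_t)hl < 20) return 1;            /* tiny first fragment */
    parse_tcp(pkt + hl, len - hl, &tcp);
    return (tcp.dport == 23 && (tcp.flags & 0x02)) ? 1 : 0;
}

/* Build a 40-byte IPv4 datagram carrying a TCP SYN from port 40000 to dport. */
size_t build_syn(uint8_t *out, uint16_t dport)
{
    memset(out, 0, 40);
    out[0] = 0x45; wr16(out + 2, 40); wr16(out + 4, 0x1234); out[8] = 64; out[9] = 6;
    memcpy(out + 12, "\xc0\xa8\x01\x0a\xc0\xa8\x01\x01", 8);   /* 192.168.1.10 -> 192.168.1.1 */
    wr16(out + 20, 40000); wr16(out + 22, dport); out[32] = 0x50; out[33] = 0x02; wr16(out + 34, 8192);
    return 40;
}

/* Split after `cut` bytes of transport data (a multiple of 8): fragment 1
 * gets MF=1/offset 0, fragment 2 gets offset cut/8. Returns fragment 2's
 * length and stores fragment 1's in *l1. */
size_t fragment(const uint8_t *pkt, size_t len, size_t cut, uint8_t *f1, size_t *l1, uint8_t *f2)
{
    size_t hl = (pkt[0] & 0x0f) * 4, rest = len - hl - cut;
    memcpy(f1, pkt, hl + cut);     wr16(f1 + 2, (uint16_t)(hl + cut));  wr16(f1 + 6, 0x2000);
    memcpy(f2, pkt, hl);           memcpy(f2 + hl, pkt + hl + cut, rest);
    wr16(f2 + 2, (uint16_t)(hl + rest));  wr16(f2 + 6, (uint16_t)(cut / 8));
    *l1 = hl + cut;
    return hl + rest;
}

/* Bit mask: 1 = naive blocks the whole SYN, 2 = naive lets both fragments
 * through, 4 = strict blocks the whole SYN, 8 = strict drops both fragments. */
unsigned run_scenario(uint16_t dport)
{
    uint8_t pkt[64], f1[64], f2[64]; size_t n = build_syn(pkt, dport), l1, l2;
    l2 = fragment(pkt, n, 8, f1, &l1, f2);          /* cut inside the TCP header */
    unsigned m = 0;
    if (naive_filter(pkt, n) == 1) m |= 1;
    if (naive_filter(f1, l1) != 1 && naive_filter(f2, l2) != 1) m |= 2;
    if (strict_filter(pkt, n) == 1) m |= 4;
    if (strict_filter(f1, l1) == 1 && strict_filter(f2, l2) == 1) m |= 8;
    return m;
}
```

For a SYN to port 23 the scenario returns 15: the whole datagram is blocked by both filters, but cut after 8 bytes of TCP data the naive filter passes both fragments, while the strict one drops both. For a SYN to port 80 it returns 10, which shows the cost of the strict rule: tiny first fragments are dropped regardless of port, so legitimate traffic must be sent unfragmented or with a complete transport header in the first fragment. Stateful reassembly before filtering is the usual way out.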

Chapter 24: Escaping through the Firewall

Figure 24.1: The attacker sends the shellcode to the vulnerable server, where the shellcode opens the new port N, to which the attacker will then connect, provided that no firewalls are encountered along the connection route
Figure 24.2: The attacker sends the shellcode to the vulnerable server, and the shellcode opens the new port N. But the incoming connection to port N is blocked by the firewall, after which the attack fails
Figure 24.3: The attacker opens the new port N and sends the shellcode to the vulnerable server, from which the shellcode establishes a connection to the attacker's host. As a rule, such connections are not blocked by firewalls
Figure 24.4: The attacker opens a new port N at the attacking host and sends the shellcode to the vulnerable server, from which the shellcode establishes a connection to the attacker's host. If the firewall is configured correctly, it ruthlessly blocks this connection
Figure 24.5: The attacker sends the shellcode to the vulnerable server, where it brute-forces the descriptor table looking for the socket of the already established connection and talks back to the attacking host over it, without arousing any suspicion at the firewall
Figure 24.6: The attacking host sends the shellcode to the vulnerable server. The shellcode then rebinds to the opened public port and captures all further connections (including the ones established by the attacker)
Figure 24.7: The intruder sends the shellcode to the vulnerable server, which makes the server process sleep, and reopens the public port
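Figure 24.5 describes the "find socket" technique: the injected code does not know which descriptor holds the attacker's connection, so it walks the descriptor table calling getpeername() on each one until the peer port matches the source port the attacker chose for his own connection. The C program below is an added example, not code from the book; the loopback setup that plays victim and attacker, and the scan bound of 1024 descriptors, are this example's own assumptions.

```c
/* Added example, not from the book: the "find the existing socket" idea of
 * Figure 24.5 in plain C. Real shellcode does the same with a loop of
 * getpeername() syscalls; the loopback victim/attacker pair is only here
 * to make the example self-contained. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns the descriptor of a connected IPv4 socket whose peer port is
 * `port`, or -1. Descriptors that are not sockets, not connected, or not
 * open simply make getpeername() fail and are skipped. */
int find_socket_by_peer_port(uint16_t port, int max_fd)
{
    for (int fd = 0; fd < max_fd; fd++) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        if (getpeername(fd, (struct sockaddr *)&peer, &len) != 0) continue;
        if (len >= sizeof peer && peer.sin_family == AF_INET && ntohs(peer.sin_port) == port) return fd;
    }
    return -1;
}

/* Victim listens on 127.0.0.1, attacker connects from an ephemeral port,
 * then the scan must return the victim's accepted descriptor.
 * 1 = match, 0 = wrong descriptor, -1 = loopback sockets unavailable here. */
int findsock_demo(void)
{
    int result = -1, srv = -1, cli = -1, acc = -1, found;
    struct sockaddr_in addr, me;
    socklen_t alen = sizeof addr, mlen = sizeof me;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: the kernel picks one */
    srv = socket(AF_INET, SOCK_STREAM, 0);
    cli = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0 || cli < 0) goto out;
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(srv, 1) != 0) goto out;
    if (getsockname(srv, (struct sockaddr *)&addr, &alen) != 0) goto out;   /* learn the chosen port */
    if (connect(cli, (struct sockaddr *)&addr, sizeof addr) != 0) goto out;
    acc = accept(srv, NULL, NULL);
    if (acc < 0 || getsockname(cli, (struct sockaddr *)&me, &mlen) != 0) goto out;

    /* what the shellcode does: it knows only the attacker's own source port */
    found = find_socket_by_peer_port(ntohs(me.sin_port), 1024);
    result = (found == acc) ? 1 : 0;
out:
    if (acc >= 0) close(acc);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    return result;
}
```

The scan succeeds because the accepted socket is the only descriptor whose peer carries the attacker's source port: the listening socket has no peer at all, and the attacker's own client socket (which would not exist inside a real victim process) has the server's port as its peer. In a forking server the accepted descriptor is usually a low number, so bounding the scan keeps the shellcode short.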

Chapter 26: Hackerz Love Honey

Figure 26.1: Flowchart of the simplest honeypot
Figure 26.2: Attacked server happened to be a honeypot

Chapter 27: Sniffing a LAN

Figure 27.1: Common bus network topology
Figure 27.2: Star network topology
Figure 27.3: Sniffer at work
Figure 27.4: A man-in-the-middle (MITM) attack, even in networks with an intelligent hub
Figure 27.5: Terminating a connection between hosts
Figure 27.6: Capturing a fictitious ARP request
Figure 27.7: Turning a normal network adapter into a stealth card
Figure 27.8: The main menu of the ettercap program

Chapter 28: Databases Under Attack

Figure 28.1: Password for accessing the database, captured by a sniffer
Figure 28.2: Fragment of PHP-Nuke responsible for formulating the query to the database
Figure 28.3: MySQL server listens on port 3306
Figure 28.4: The toolset for monitoring SQL servers. Without using such tools, an attacker has no chance of remaining unnoticed

Chapter 29: Attacking Bluetooth

Figure 29.1: Bluetooth is omnipresent nowadays
Figure 29.2: Operating method of the Bluetooth transmission protocol
Figure 29.3: Bluetooth adapter
Figure 29.4: Directional pattern of the HG2415Y antenna
Figure 29.5: Directional pattern of the HG2424G antenna
Figure 29.6: Generation of the secret keys on the basis of the PIN
Figure 29.7: The authentication process
Figure 29.8: The Bluetooth protocol stack
Figure 29.9: Scanning Bluetooth devices using the hcitool utility

Chapter 30: Economizing on GPRS

Figure 30.1: Working through an HTTP proxy server
Figure 30.2: Google Web Accelerator panel
Figure 30.3: Working through a Web accelerator
Figure 30.4: The Rabbit Web accelerator logo
Figure 30.5: Secure iXplorer at work
Figure 30.6: WinSCP freeware shell for UNIX

Chapter 31: Legends and Myths about Flashing BIOS

Figure 31.1: There are various types of BIOS
Figure 31.2: The Award WinFlash program allows you to update BIOS without exiting Windows
Figure 31.3: Depending on the design, BIOS is connected to the south bridge using either an ISA bus or a special-purpose internal bus
Figure 31.4: Interface of a typical BIOS flashing utility
Figure 31.5: Die Hard Lite supports emergency recovery of the firmware from the backup copy saved to a diskette by leaving the boot block intact
Figure 31.6: Die Hard BIOS is made up of two memory chips, one writable and one not
Figure 31.7: The Die Hard II chip is made up of two equivalent chips. Both chips can be flashed
Figure 31.8: Dual BIOS is a variant of Die Hard II
Figure 31.9: Manually implemented Dual BIOS
Figure 31.10: A home-made chip programmer

Chapter 32: Viruses Infecting BIOS

Figure 32.1: Different types of Flash memory chips
Figure 32.2: BIOS Saviour simplifies removal of the chip from the operating motherboard
Figure 32.3: The BP utility outputs the list of BIOS modules with their main characteristics
Figure 32.4: Hacked BIOS waits for the user to supply a password
Figure 32.5: Standard password-protection set in BIOS Setup can be removed by removing a single jumper on the motherboard; however, this method won't work with the hacked BIOS
Figure 32.6: Memory performance in the default mode
Figure 32.7: Performance of the memory subsystem after overclocking


Shellcoder's Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164