List of Listings
Chapter 2: Assembly Language Quick Start
Listing 2.1: Main methods of data exchange
Listing 2.2: Main types of conditional jumps
Listing 2.3: Calling API functions of the operating system
Listing 2.4: The simplest Assembly insert that adds two numbers
Chapter 3: Hacking Using GPRS Uncovered
Listing 3.1: IDA script that automatically computes the checksum
Chapter 4: Buffers Subject to Overflow (Lane of Monsters)
Listing 4.1: Sequential buffer overflow in the course of a write operation
Listing 4.2: Index overflow in the course of a read operation
Listing 4.3: Vulnerability to buffer overflow that overwrites the pointer to executable code
Listing 4.4: Vulnerability to sequential write overflow, with overwriting of the pointer to the virtual table
Listing 4.5: Disassembled listing of the vulnerable program with brief comments
Listing 4.6: Vulnerability to sequential write overflow and overwriting a scalar variable and pointer to data
Listing 4.7: Vulnerability to sequential write overflow with index overwriting
Listing 4.8: Vulnerability to overflow with overwriting a scalar variable
Listing 4.9: Vulnerability to sequential write overflow with overwriting another buffer
Listing 4.10: An example of a structure with an overflowing buffer (highlighted in bold)
Listing 4.11: An example of a dynamic memory block vulnerable to overflow
Chapter 5: Exploiting SEH
Listing 5.1: Description of the EXCEPTION_REGISTRATION structure
Listing 5.2: Simple tracer for SEH frames
Listing 5.3: Layout of SEH frames in the memory
Listing 5.4: Investigation of the SEH frame layout in a multithreaded environment
Listing 5.5: Layout of the SEH frame in memory
Listing 5.6: Determining the address of the pointer to the current SEH frame
Listing 5.7: Registration of the custom handlers of structured exceptions
Chapter 6: Specifiers Under Control
Listing 6.1: The cfingerd patch
Listing 6.2: Demo example of a program vulnerable to various types of overflow errors
Listing 6.3: Program's reaction to the %s specifier
Listing 6.4: Program's reaction to the %X specifier
Listing 6.5: Viewing the memory dump using specifiers
Listing 6.6: Manually viewing the memory dump at the artificially formed pointer
Listing 6.7: Disassembled fragment of the demo program
Listing 6.8: Forming the pointer at the end of the buffer and displaying it on the screen
Listing 6.9: Overwriting the cell with the %n specifier
Listing 6.10: An example that demonstrates overflow of the target buffer
Chapter 7: Practical Overflow Example
Listing 7.1: Disassembled Internet Explorer fragment, ensuring control is passed to shellcode
Listing 7.2: The code of the exploit (abbreviated)
Chapter 8: Searching for Overflowing Buffers
Listing 8.1: The rabbit hole
Listing 8.2: Program vulnerable to overflow despite protection measures
Listing 8.3: Direct value of the maximum buffer length passed to the function
Listing 8.4: Local variables automatically recovered by IDA
Listing 8.5: Passing the pointer to a local buffer
Listing 8.6: The example for investigating overflow errors
Listing 8.7: Disassembling under the field conditions
Listing 8.8: Preparing the shellcode
Listing 8.9: Entering the shellcode from the keyboard
Chapter 9: Methods of Protecting Buffers Against Overflow
Listing 9.1: A wrapper for malloc
Listing 9.2: An example of a poor implementation of the memory-allocation success-or-failure check
Listing 9.3: An improved variant of the implementation of the memory-allocation check
Chapter 10: Shellcoding Problems
Listing 10.1: Placing string arguments in the stack with dynamic generation of the terminating zero
Listing 10.2: The table of offsets of the "low-frequency" characters counted from the beginning of the encrypted code
Listing 10.3: The table of remainders from offset division by four
Listing 10.4: The table of suitable positions of the key characters in the range
Listing 10.5: Disassembled listing of the shellcode decryptor taken from the Love San worm
Listing 10.6: The _EXCEPTION_REGISTRATION structure
Listing 10.7: Determining the base load address of kernel32.dll using SEH
Listing 10.8: Determining the base load address by searching the main memory for MZ and PE signatures
Listing 10.9: Implementing the PEB structure in Windows 2000/XP
Listing 10.10: Implementing the PEB_LDR_DATA structure under Windows 2000/XP
Listing 10.11: Fragment of the Love San worm
Listing 10.12: Love San worm fragment that determines the table of exported names address
Listing 10.13: Love San worm fragment that determines the function index in the table
Listing 10.14: Love San worm fragment that determines the actual address of an API function in the main memory
Listing 10.15: Fragment of the mworm worm using remote shell under xBSD/x86
Listing 10.16: Numbers of system calls in Solaris/SPARC
Listing 10.17: An example illustrating shellcode under Solaris/SPARC
Listing 10.18: Numbers of system calls under Solaris/x86
Listing 10.19: An example of shellcode under Solaris/x86
Listing 10.20: Numbers of system calls under Linux/x86
Listing 10.21: An example of shellcode under Linux/x86
Listing 10.22: Numbers of system calls in BSD/x86
Listing 10.23: An example illustrating shellcode under BSD/x86
Chapter 11: The Technique of Writing Portable Shellcode
Listing 11.1: Determining the location of the shellcode in memory
Listing 11.2: Eliminating parasitic zeros from the shellcode
Listing 11.3: Determining the absolute address of the GetCurrentThreadId function
Listing 11.4: Direct call to the API function by its absolute address
Listing 11.5: Pseudocode demonstrating the procedure of calling arbitrary functions
Listing 11.6: Searching for the base addresses of all loaded modules by PE signature
Listing 11.7: Manually parsing the export table
Listing 11.8: Determining the base address of kernel32.dll by analyzing PEB
Listing 11.9: Determining base address of kernel32.dll using SEH
Listing 11.10: Main native API functions
Chapter 12: Self-Modification Basics
Listing 12.1: An example of inefficient use of self-modifying code
Listing 12.2: IDA Pro automatically recognizes the self-modification of the code
Listing 12.3: Improved version of self-modifying code that deceives IDA Pro
Listing 12.4: Disassembled listing of self-modifying code without cross-references produced by IDA Pro
Listing 12.5: Modifying a machine command that has already entered the pipeline
Listing 12.6: Self-modifying code in the stack (heap)
Listing 12.7: Self-modification used for encryption
Listing 12.8: What the encrypted procedure looks like
Listing 12.9: Using VirtualProtect to temporarily disable write protection on a local section
Listing 12.10: Using HIEW to obtain the opcodes of machine commands
Listing 12.11: Machine commands corresponding to the xor eax,66 command
Listing 12.12: Classical method of function calling makes code unrelocatable
Listing 12.13: Calling functions by pointers passed through arguments ensures the possibility of relocating the code
Chapter 13: Playing Hide-and-Seek Under Linux
Listing 13.1: The skeleton of the simplest module for version 2.4 kernels
Listing 13.2: The skeleton of the simplest module for version 2.6 kernels
Listing 13.3: Modules displayed by the lsmod command
Listing 13.4: Disguising the module using the Solar Designer method
Listing 13.5: The scheduler's "heart"
Listing 13.6: The procedure that needs to be inserted into the scheduler's body
Listing 13.7: Technique of trapping system calls
Listing 13.8: New filter for the proc_root file system
Listing 13.9: Reading from and writing to /dev/kmem from the application level
Listing 13.10: Fragment of the disassembled code of the int 80h interrupt handler
Listing 13.11: Searching for the int 80h interrupt handler inside /dev/kmem
Chapter 14: Capturing Ring 0 Under Linux
Listing 14.1: Key fragment of the Kernel Bluetooth Local Root exploit
Listing 14.2: Key fragment of the elf_core_dump() function vulnerable to overflow
Listing 14.3: Key fragment of the create_elf_tables function
Listing 14.4: Key fragment of load_elf_library containing the thread synchronization bug
Listing 14.5: Key fragment of sys_brk() with the auxiliary data structures coherence bug
Listing 14.6: Key fragment of the /mm/fault.c function containing a synchronization error
Chapter 15: Compiling and Decompiling Shellcode
Listing 15.1: A typical Assembly template for creating shellcode
Listing 15.2: An example illustrating insertion of the shellcode into the C program
Listing 15.3: Classical variant compiled in a normal way
Listing 15.4: An optimized variant of the program shown in Listing 15.3
Listing 15.5: Fragment of IIS-Worm with shellcode inside
Chapter 16: Life Cycle of a Worm
Listing 16.1: Head of the Code Red worm, arriving in the first TCP packet of the request
Listing 16.2: Fragment of the tail of the Morris worm
Listing 16.3: Five heads of the worm, striking the most vulnerable services
Listing 16.4: One of the worm's heads (see Listing 16.5 for its disassembled code)
Listing 16.5: Disassembled code of the MWorm worm
Listing 16.6: Head of the Code Red worm arriving in the first packet
Listing 16.7: Head of the Nimda worm
Listing 16.8: Fragment of the MWorm virus
Listing 16.9: Fragment of the Love San worm after unpacking
Chapter 18: Viruses in Scripts
Listing 18.1: Example of a virus that discloses its presence by an untypical formatting style
Listing 18.2: Fragment of the UNIX Tail.a virus that writes itself to the tail of the target file
Listing 18.3: Fragment of UNIX.Head.b inserting its body into the beginning of the target file
Listing 18.4: Fragment of the UNIX.Demo Perl virus
Chapter 19: ELF Files
Listing 19.1: Structure of the executable ELF file
Listing 19.2: Structure of the ELF file header
Listing 19.3: Structure of the program segment header
Listing 19.4: Structure of the section header
Listing 19.5: Typical memory map of a UNIX executable file
Listing 19.6: Fragment with UNIX.NuxBe.quilt, whose body "spreads" over the code section
Listing 19.7: Fragment with UNIX.NuxBe.jullet, whose body "spreads" over the data section
Listing 19.8: The .bss section of most files supplied as part of the FreeBSD distribution set
Listing 19.9: The disassembled .bss section viewed with IDA Pro and most disassemblers
Listing 19.10: Method of locating the code sections of a typical file
Listing 19.11: Fragment of ping using relative references between code segment sections
Listing 19.12: Map of the file infected by the virus that inserts its code into a special section
Chapter 20: Method of Capturing Control
Listing 20.1: Method used by the ls utility for calling the printf function
Chapter 21: Main Symptoms of Virus Infection
Listing 21.1: Fragment of the Lotek virus that carefully conceals its interest in ELF files
Listing 21.2: Fragment of the Linux.ZipWorm virus that confuses IDA Pro
Listing 21.3: An example of a normal start-up function with classical prologue and epilogue
Listing 21.4: Alternative example of the normal start-up function
Listing 21.5: Start-up code of the PolyEngine.Linux.LIME.poly virus
Chapter 22: Simplest Windows NT Virus
Listing 22.1: Source code of the key fragment of the lab virus
Listing 22.2: Batch file for recovery of infected files
Chapter 23: Bypassing Firewalls
Listing 23.1: Tracing the route stops at the firewall
Listing 23.2: Successful completion of tracing doesn't mean the firewall is missing
Chapter 24: Escaping through the Firewall
Listing 24.1: Key fragment of the shellcode that opens a new port at the server being attacked
Listing 24.2: Key fragment of the shellcode that establishes an outgoing connection
Listing 24.3: Key shellcode fragment that finds the socket corresponding to "its" connection
Listing 24.4: Key fragment of the shellcode that rebinds the opened port
Chapter 25: Organizing a Remote Shell Under UNIX and Windows NT
Listing 25.1: Key fragment of the simplest remote shell
Listing 25.2: Key fragment of the fully featured remote shell with the input/output scheduler
Chapter 27: Sniffing a LAN
Listing 27.1: Creating a raw socket under Linux/UNIX and switching it to promiscuous mode
Listing 27.2: Key fragment of the packet sniffer for Windows 2000/XP
Chapter 28: Databases Under Attack
Listing 28.1: Encryption of the password hash by a random string
Listing 28.2: Master password to the database stored as plaintext in the script body
Listing 28.3: A typical method of forming the database query
Chapter 31: Legends and Myths about Flashing BIOS
Listing 31.1: An example of the description of a BIOS firmware update
Listing 31.2: BSODs and critical application errors possibly caused by BIOS design errors
Listing 31.3: Environment of the entry point to ASUS AMI BIOS
Listing 31.4: Environment of the entry point to EPOX Award BIOS
Listing 31.5: Disassembled BIOS code
Chapter 32: Viruses Infecting BIOS
Listing 32.1: Hex dump of the last 30h bytes of the firmware
Listing 32.2: Disassembled listing of the environment of the firmware entry point
Listing 32.3: Start of the disassembled boot block
Listing 32.4: Unpacked code of BIOS firmware
Listing 32.5: The 9a69vpa1.bin module with the entry point at the 10h offset from the end
Listing 32.6: The pxe.lom module containing the 55 AA signature
Listing 32.7: The decomp_blk.bin module with the text header terminated by zero
Listing 32.8: The awardeyt.rom module starts with the entry point
Listing 32.9: An ISA module implementing additional password protection
Listing 32.10: Simple IDA script that automatically computes the checksum
Listing 32.11: Interrupt handler passes control to the virus code when loading the boot sector
Listing 32.12: Fragment of a typical boot block
Listing 32.13: The magic 55 AA 7x sequence
Listing 32.14: BIOS extension that enables interleaving of the DRAM banks
Shellcoders Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164
Authors:
Kris Kaspersky