{"id":867,"date":"2014-08-27T21:15:32","date_gmt":"2014-08-27T21:15:32","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=867"},"modified":"2014-08-27T21:15:53","modified_gmt":"2014-08-27T21:15:53","slug":"quicky-utility-plus-updates","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2014\/08\/quicky-utility-plus-updates\/","title":{"rendered":"Quicky utility plus updates"},"content":{"rendered":"

It’s been a while, so its time to update the blog. <\/p>\n

Here’s a quick utility I wrote for finding hard coded addresses of functions within loaded modules.
\nWhat possible reason could there be for hard coding addresses? Shell code mostly. Even then, most decent shellcode will not bother hard coding any addresses as it makes the exploit unreliable on other OS’s.<\/p>\n

Example:<\/p>\n

Say I wanted to know the hard coded address of CsrGetProcessId for use within shell code or calling by address within asm. This little program will do this:<\/p>\n

\"kon\"<\/a><\/p>\n

<\/p>\n

\n
#include "stdafx.h"<\/span>\r\n#include <Windows.h><\/span>\r\n\r\nint<\/span> main<\/span>(int<\/span> argc, char<\/span>*<\/span> argv[])\r\n{\r\n\tif<\/span>(argc <<\/span> 2<\/span>)\r\n\t{\r\n\t\tprintf("Prints the hard coded addresses of functions for use with shellcode or whatever.<\/span>\\r\\n<\/span>"<\/span>);\r\n\t\tprintf("Usage is %s dll function-name<\/span>\\r\\n<\/span>"<\/span>,argv[0<\/span>]);\r\n\t\treturn<\/span> -<\/span>1<\/span>;\r\n\t}\r\n\t\r\n\tFARPROC ptr =<\/span> GetProcAddress(GetModuleHandleA(argv[1<\/span>]),argv[2<\/span>]);\r\n    printf("The address 0x%8x is the hard coded address we use for function %s<\/span>\\r\\n<\/span>"<\/span>,ptr,argv[2<\/span>]); \r\n\treturn<\/span> 0<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
So using that,<\/p>\n
<\/p>\n
\n
\t__asm<\/span>\r\n\t{\r\n\t\tmov eax,0x7760cc92<\/span>\r\n\t\tcall eax\r\n\t\t; ^^<\/span> same as call CsrGetProcessId\r\n\t\tpush eax\r\n\t\tpush 0<\/span>\r\n\t\tpush 1f0ff<\/span>fh ;PROCESS_ALL_ACCESS \/<\/span> 0<\/span>C3Ah\r\n                mov edx,0x76a11952<\/span>\r\n\t\tcall edx;OpenProcess \r\n\t\ttest eax, eax\r\n\t\tjne admin_with_debug_priv\r\n\t\tret\r\nadmin_with_debug_priv:<\/span>\r\n\t\t_emit 0xEB<\/span>\r\n\t\t_emit 0xFE<\/span>\r\n\t}\r\n<\/pre>\n<\/div>\n
<\/p>\n
\n
\/\/ inliner.cpp : Defines the entry point for the console application.<\/span>\r\n\/\/<\/span>\r\n\r\n#include "stdafx.h"<\/span>\r\n#include <windows.h><\/span>\r\nvoid<\/span> BeingDbgd2<\/span>();\r\nvoid<\/span> BeingDbgd1<\/span>();\r\n\r\nint<\/span> _tmain<\/span>(int<\/span> argc, _TCHAR*<\/span> argv[])\r\n{\r\n\tchar<\/span> *<\/span>what =<\/span> "CsrGetProcessId"<\/span>;\r\n\tFARPROC ptr =<\/span> GetProcAddress(GetModuleHandle(L"ntdll.dll"<\/span>),what);\r\n\tprintf("%p<\/span>\\r\\n<\/span>"<\/span>, &<\/span>ptr);\r\n\tprintf("The address 0x%8x is the hard coded address we use for %s<\/span>\\r\\n<\/span>"<\/span>,ptr,what); \r\n\tprintf("0x%8x<\/span>\\r\\n<\/span>"<\/span>,&<\/span>ptr);\r\n\tsystem("pause"<\/span>);\r\n\tBeingDbgd1();\r\n\tBeingDbgd2();\r\n\treturn<\/span> 0<\/span>;\r\n}\r\n\r\nvoid<\/span> BeingDbgd2<\/span>()\r\n{\r\n\t__asm<\/span>\r\n\t{\r\n\t\tmov eax,0x7760cc92<\/span>\r\n\t\tcall eax\r\n\t\t; ^^<\/span> same as call CsrGetProcessId\r\n\t\tpush eax\r\n\t\tpush 0<\/span>\r\n\t\tpush 0<\/span>C3Ah;PROCESS_ALL_ACCESS \/<\/span> 1f0ff<\/span>fh \r\n\t\tcall OpenProcess\r\n\t\ttest eax, eax\r\n\t\tjne admin_with_debug_priv\r\n\t\tret\r\nadmin_with_debug_priv:<\/span>\r\n\t\t_emit 0xEB<\/span>\r\n\t\t_emit 0xFE<\/span>\r\n\t}\r\n}\r\n\r\nvoid<\/span> BeingDbgd1<\/span>()\r\n{\r\n\tchar<\/span> *<\/span>fuckit =<\/span> "fuckthisshitforreal"<\/span>;\r\n    int<\/span> lol =<\/span> 31<\/span>;\r\n    __asm<\/span>{\r\n\t\txor eax,eax\r\n\t\tint<\/span> 0x2d<\/span>\r\n\t\tinc eax\r\n\t\tje dbg\r\n\t\tret\r\n\tdbg:<\/span>\r\n\t\t_emit 0xEB<\/span>\r\n\t\t_emit 0xFE<\/span>\r\n\t}\r\n\r\n\t\/\/ awesome dont need to use _emit 0x2d<\/span>\r\n    printf("%d"<\/span>,lol);\r\n\tprintf("%s"<\/span>,fuckit);\r\n}\r\n<\/pre>\n<\/div>\n
Other than that, I was working through a variant of ‘torpig’ which made some good use of anti-debugging features I don’t normally encounter such as process memory manipulation, section header adding, and anti-dumping. It doesn’t have to be dumped for me to see what’s going on, so I wasn’t too annoyed:
\n\"zomg\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
It’s been a while, so its time to update the blog. Here’s a quick utility I wrote for finding hard coded addresses of functions within loaded modules. What possible reason could there be for hard coding addresses? Shell code mostly. Even then, most decent shellcode will not bother hard coding any addresses as it makes […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/867"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=867"}],"version-history":[{"count":5,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/867\/revisions"}],"predecessor-version":[{"id":878,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/867\/revisions\/878"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=867"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}