"Safe Hiking" (6): Windows Vulnerability Protection mechanism

Source: Internet
Author: User

2015/5/21 11:07:55

So far we have been analysing vulnerabilities on the Linux platform. Linux is easier for most hackers to obtain, mainstream server systems are basically Linux/Unix, and Linux is highly customisable: we can compile assembly code as needed and switch off the corresponding protection mechanisms, which makes research and study easier.

This installment of the malicious-code analysis series moves on to Windows and covers:

    • Understanding SEH

    • Windows System memory Protection

    • Introduction to bypassing the Windows memory protection mechanisms

I. Understanding SEH

SEH (Structured Exception Handling) is the Windows structured exception handling mechanism. In source code it is generally written with __try/__except, as in the following:

int main()
{
    __try {
        // code that could crash
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // exception handler
    }
    return 0;
}

Each handler is registered with the system through an EXCEPTION_REGISTRATION structure on the stack, which has two members:

  • prev: pointer to the next SEH record in the chain;

  • handler: pointer to the actual handler code;

The head of this chain is stored in the TIB (Thread Information Block), which on x86 is addressed through the FS segment register, so fs:[0] always points to the first record. The last record in the chain is the default handler; its prev pointer is always 0xFFFFFFFF, which marks the end of the list. The layout is as follows:

[Figure: SEH chain layout, http://i.imgur.com/lpoUNmZ.png]

II. Windows system memory protection

A full treatment of the protection mechanisms under Windows would take a great deal of space, so here we only introduce the important ones to give the general idea. Interested readers can look up more information.

1. Stack-based buffer overflow detection (GS)

GS (the Visual C++ /GS option) places a security cookie on the stack between the local buffers and the saved EBP and return address (RETN/EIP), and checks the cookie's value when the function returns to see whether it has been modified. Because the cookie sits below the saved EBP, an overflow that reaches the return address must first pass over the cookie, so a changed cookie means the return address has also been modified, that is, a buffer overflow attack occurred. The protected function now begins like this:

push ebp
mov  ebp, esp
sub  esp, 24h                                ; these three steps are the normal prologue
mov  eax, dword ptr [Vuln!__security_cookie]
xor  eax, ebp                                ; xor the cookie with EBP
mov  dword ptr [ebp-4], eax                  ; store it just below the saved EBP

; ... function body ...

mov  ecx, dword ptr [ebp-4]
xor  ecx, ebp                                ; recovers the cookie only if neither it nor EBP changed
call Vuln!__security_check_cookie (004012e8)
leave
ret

In other words, the security cookie XORed with EBP is stored on the stack; when the function returns, the stored value is read back, XORed with EBP again and compared with the module's cookie, so a mismatch means the cookie, the saved EBP, or both were overwritten. An improvement on this basis copies pointer and buffer parameters into local slots below the buffers, so that the original parameters are not used even if they are overwritten, and places arrays above the other local variables so that an overflow cannot reach them. The resulting layout:

[Figure: /GS stack frame layout with copied parameters, http://i.imgur.com/CyK4qwA.png]
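To make the prologue and epilogue concrete, here is an added example, written for this article rather than taken from the original post or from Microsoft's CRT, that models a /GS-protected frame in portable C: the cookie slot sits between the local buffer and the saved EBP/return address, the prologue stores cookie ^ EBP, and the epilogue repeats the XOR and compares. The cookie value, the EBP value and the return address are constructed; the real __security_cookie lives in the module's .data section and is set at load time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a /GS-protected x86 frame, lowest address first: the
 * local buffer, then the cookie slot at [ebp-4], then the saved EBP and the
 * return address. Overflowing buf therefore passes through cookie on its way
 * to ret_addr, which is exactly what the epilogue check relies on.
 */
typedef struct {
    char     buf[16];      /* local buffer: the overflow source            */
    uint32_t cookie;       /* __security_cookie ^ EBP, written by prologue  */
    uint32_t saved_ebp;    /* pushed by "push ebp"                          */
    uint32_t ret_addr;     /* what the attacker actually wants to overwrite */
} gs_frame_t;

/* Assumed module cookie; the real __security_cookie lives in .data and is set at load. */
static uint32_t security_cookie = 0x5A8F1C3Du;

enum { GS_OK = 0, GS_COOKIE_CORRUPTED = 1 };

/*
 * Emulates a function that copies n bytes into its 16-byte local buffer with
 * no bounds check, wrapped in the /GS prologue and epilogue from the listing
 * above. ebp is the frame-pointer value the real prologue would hold in EBP.
 * Returns GS_OK if __security_check_cookie would pass, else GS_COOKIE_CORRUPTED.
 */
int gs_protected_copy(gs_frame_t *frame, uint32_t ebp,
                      const unsigned char *src, size_t n)
{
    /* Prologue: mov eax,[__security_cookie]; xor eax,ebp; mov [ebp-4],eax */
    frame->cookie = security_cookie ^ ebp;

    /* Stay inside the modelled frame: we simulate the overflow, we do not smash our own stack. */
    if (n > sizeof *frame)
        n = sizeof *frame;
    memcpy((unsigned char *)frame + offsetof(gs_frame_t, buf), src, n);   /* the bug */

    /* Epilogue: mov ecx,[ebp-4]; xor ecx,ebp; call __security_check_cookie */
    if ((frame->cookie ^ ebp) != security_cookie)
        return GS_COOKIE_CORRUPTED;   /* real code reports the failure and terminates */
    return GS_OK;
}

/* Set up a frame with a known return address for the demo (constructed values). */
void gs_frame_init(gs_frame_t *frame, uint32_t ret_addr)
{
    memset(frame, 0, sizeof *frame);
    frame->saved_ebp = 0x0012FF90u;
    frame->ret_addr  = ret_addr;
}

int main(void)
{
    gs_frame_t frame;
    unsigned char payload[sizeof frame];
    const uint32_t ebp = 0x0012FF70u;            /* constructed EBP */
    const uint32_t ret = 0x00401234u;            /* constructed return address */

    memset(payload, 'A', sizeof payload);

    gs_frame_init(&frame, ret);                  /* 8 bytes fit: the check passes */
    printf("copy  8 bytes: %s, ret=0x%08x\n",
           gs_protected_copy(&frame, ebp, payload, 8) == GS_OK ? "ok" : "cookie corrupted",
           frame.ret_addr);

    gs_frame_init(&frame, ret);                  /* 28 bytes reach ret_addr, but also the cookie */
    printf("copy 28 bytes: %s, ret=0x%08x\n",
           gs_protected_copy(&frame, ebp, payload, 28) == GS_OK ? "ok" : "cookie corrupted",
           frame.ret_addr);
    return 0;
}
```

Note that the 28-byte case does overwrite the return address; the point of GS is only that the function never returns through it, because __security_check_cookie runs first.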

2. SafeSEH

SafeSEH is a protection mechanism for the SEH structures themselves: it prevents an attacker from overwriting an SEH record stored on the stack and having it used. When an exception is raised, SafeSEH performs the following checks before a handler is called:

    • Ensure that the exception registration record lies on the current thread's stack;

    • Ensure that the handler pointer does not point back into the stack;

    • Ensure that the handler is listed in the module's table of registered (authorized) handlers;

    • Ensure that the handler lies in an executable memory image;
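The chain structure from section I and the four checks above can be put together in one small model. The following is an added example, not code from the original article or from Windows: it lays out EXCEPTION_REGISTRATION records in a simulated thread stack, then walks the chain from fs:[0] applying each SafeSEH check before a handler would be called. The module range, the handler table and all addresses are constructed, and the dispatcher's reaction to a failed check is simplified to "the exception goes unhandled".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 EXCEPTION_REGISTRATION record as it sits on the stack: two 32-bit fields. */
typedef struct {
    uint32_t prev;      /* next record in the chain; 0xFFFFFFFF in the last one */
    uint32_t handler;   /* address of the handler code */
} exc_reg_t;

#define SEH_CHAIN_END 0xFFFFFFFFu

typedef struct { uint32_t lo, hi; } range_t;   /* half-open [lo, hi) */

/* What the dispatcher consults. All addresses here are constructed for the model. */
typedef struct {
    range_t         stack;         /* this thread's stack (TEB StackLimit..StackBase) */
    range_t         image;         /* a loaded module built with /SAFESEH */
    const uint32_t *safe_handlers; /* that module's registered handler table */
    size_t          safe_count;
    range_t         other_exec;    /* executable memory outside any image */
} seh_env_t;

enum { SEH_OK = 0, SEH_RECORD_NOT_ON_STACK, SEH_HANDLER_ON_STACK,
       SEH_HANDLER_NOT_REGISTERED, SEH_HANDLER_NOT_EXECUTABLE, SEH_CHAIN_EXHAUSTED };

static int in_range(range_t r, uint32_t a) { return a >= r.lo && a < r.hi; }

/* The four SafeSEH checks listed above, applied to the record at rec_addr. */
int safeseh_validate(const seh_env_t *env, uint32_t rec_addr, const exc_reg_t *rec)
{
    if (!in_range(env->stack, rec_addr) || !in_range(env->stack, rec_addr + sizeof *rec - 1))
        return SEH_RECORD_NOT_ON_STACK;                  /* 1: record on the current stack */
    if (in_range(env->stack, rec->handler))
        return SEH_HANDLER_ON_STACK;                     /* 2: handler must not be on the stack */
    if (in_range(env->image, rec->handler)) {            /* 3: inside a /SAFESEH image: must be listed */
        for (size_t i = 0; i < env->safe_count; i++)
            if (env->safe_handlers[i] == rec->handler) return SEH_OK;
        return SEH_HANDLER_NOT_REGISTERED;
    }
    return in_range(env->other_exec, rec->handler) ? SEH_OK : SEH_HANDLER_NOT_EXECUTABLE; /* 4 */
}

/* A 4 KiB simulated thread stack that hosts the records (constructed base address). */
#define SIM_STACK_BASE 0x0012F000u
#define SIM_STACK_SIZE 0x1000u
static uint8_t sim_stack[SIM_STACK_SIZE];

void stack_write_record(uint32_t addr, uint32_t prev, uint32_t handler)
{
    exc_reg_t r = { prev, handler };
    memcpy(sim_stack + (addr - SIM_STACK_BASE), &r, sizeof r);
}

static int stack_read_record(uint32_t addr, exc_reg_t *out)
{
    if (addr < SIM_STACK_BASE || addr > SIM_STACK_BASE + SIM_STACK_SIZE - sizeof *out) return 0;
    memcpy(out, sim_stack + (addr - SIM_STACK_BASE), sizeof *out);
    return 1;
}

/* Walk the chain from fs:[0] as the dispatcher does: validate each record, then hand the
 * exception to the first handler that passes and accepts it (accepts() stands in for the
 * handler not returning ExceptionContinueSearch). A record that fails validation ends the
 * walk and the exception is treated as unhandled. Returns the handler that runs, or 0. */
uint32_t seh_dispatch(const seh_env_t *env, uint32_t fs0, int (*accepts)(uint32_t), int *reason)
{
    for (uint32_t cur = fs0; cur != SEH_CHAIN_END; ) {
        exc_reg_t rec;
        if (!stack_read_record(cur, &rec)) { *reason = SEH_RECORD_NOT_ON_STACK; return 0; }
        int v = safeseh_validate(env, cur, &rec);
        if (v != SEH_OK) { *reason = v; return 0; }
        if (accepts(rec.handler)) { *reason = SEH_OK; return rec.handler; }
        cur = rec.prev;
    }
    *reason = SEH_CHAIN_EXHAUSTED;
    return 0;
}

/* Demo environment: one /SAFESEH module at 0x00400000 with two registered handlers, plus a
 * JIT-style RWX region outside any image. Chain: app record -> default record -> end. */
static const uint32_t registered_handlers[] = { 0x00401500u, 0x00402200u };
#define APP_REC 0x0012FF80u
#define DEF_REC 0x0012FFE0u

seh_env_t demo_env(void)
{
    seh_env_t e = { { SIM_STACK_BASE, SIM_STACK_BASE + SIM_STACK_SIZE },
                    { 0x00400000u, 0x00410000u }, registered_handlers, 2,
                    { 0x00A00000u, 0x00A10000u } };
    return e;
}
void demo_chain(void)
{
    stack_write_record(DEF_REC, SEH_CHAIN_END, 0x00402200u);
    stack_write_record(APP_REC, DEF_REC, 0x00401500u);
}
int accept_any(uint32_t h)  { (void)h; return 1; }
int accept_none(uint32_t h) { (void)h; return 0; }

int main(void)
{
    seh_env_t env = demo_env();
    int why;
    demo_chain();
    printf("intact chain        -> 0x%08x\n", seh_dispatch(&env, APP_REC, accept_any, &why));
    stack_write_record(APP_REC, 0x41414141u, 0x0012FFA0u);   /* overflow: handler -> stack */
    printf("handler on stack    -> 0x%08x, reason %d\n", seh_dispatch(&env, APP_REC, accept_any, &why), why);
    stack_write_record(APP_REC, 0x41414141u, 0x00401000u);   /* pop/pop/ret not in the table */
    printf("unregistered gadget -> 0x%08x, reason %d\n", seh_dispatch(&env, APP_REC, accept_any, &why), why);
    return 0;
}
```

The last two scenarios are the classic SEH-overwrite payloads (jump into stack shellcode, or a pop/pop/ret gadget); the fourth check is also why a handler placed in executable memory that belongs to no /SAFESEH module, such as a module linked without SafeSEH, is still accepted, which is the usual bypass.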

3. Heap Protection

A traditional heap attack overwrites a chunk header so that, when the free routine runs, a forged chunk with attacker-controlled forward and backward pointers is unlinked from the free list; that unlink yields a write of any 4 bytes to any memory address. The protections added against this are:

    • Safe unlinking: before a chunk is removed from the free list, the operating system verifies that the forward and backward pointers of its neighbours point back to that same chunk;

    • Heap metadata cookie: a 1-byte cookie is stored in the heap block header and checked before the block is removed from the free list. Vista additionally XOR-encodes several key header fields and verifies them before use to detect tampering.
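Safe unlinking is easiest to see side by side with the unlink it replaced. This added example, which is not from the original article or from the NT heap, models the free-list entry and shows the forged chunk producing a write-what-where under the old unlink and being rejected by the back-pointer check. The target slot and the shellcode stub are constructed objects standing in for a function pointer and for attacker-controlled memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Doubly linked free-list entry stored in the body of a free chunk (NT heap Flink/Blink). */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry_t;

/* Pre-XP SP2 unlink: trusts both pointers. With forged pointers this is a write-what-where:
 * the first statement stores e->flink ("what") at e->blink ("where"). */
void unsafe_unlink(list_entry_t *e)
{
    e->blink->flink = e->flink;   /* *(where + offsetof(flink)) = what               */
    e->flink->blink = e->blink;   /* *(what  + offsetof(blink)) = where (side effect) */
}

/* Safe unlinking: refuse unless both neighbours point back at the entry being removed. */
int safe_unlink(list_entry_t *e)
{
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;                 /* corrupted list: the heap reports an error instead */
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return 1;
}

/* Attack target: a pointer-sized slot the attacker wants to overwrite (think of a function
 * pointer). Modelled as a list_entry_t so the write through blink->flink is well-defined. */
static list_entry_t target_slot;
/* "What" to write: the start of attacker-controlled data. The second statement of the
 * unlink clobbers what+offsetof(blink), which real exploits skip over with a short jmp. */
static list_entry_t shellcode_stub;

/* Forged chunk body: flink = what, blink = where. Returns 1 if target_slot now points at the stub. */
int demo_forged_unsafe(void)
{
    list_entry_t forged = { &shellcode_stub, &target_slot };
    target_slot.flink = NULL;
    unsafe_unlink(&forged);
    return target_slot.flink == &shellcode_stub;
}

/* The same forged chunk against safe unlinking: returns the unlink result (0 = rejected). */
int demo_forged_safe(void)
{
    list_entry_t forged = { &shellcode_stub, &target_slot };
    target_slot.flink = NULL;
    shellcode_stub.blink = NULL;
    return safe_unlink(&forged);
}

/* Sanity check: a genuine circular list a<->b<->c; removing b must still work. */
int demo_legit_safe(void)
{
    list_entry_t a, b, c;
    a.flink = &b; b.blink = &a; b.flink = &c; c.blink = &b; c.flink = &a; a.blink = &c;
    return safe_unlink(&b) && a.flink == &c && c.blink == &a;
}

int main(void)
{
    printf("unsafe unlink, forged chunk: target overwritten = %d\n", demo_forged_unsafe());
    printf("safe unlink,   forged chunk: accepted = %d\n", demo_forged_safe());
    printf("safe unlink,   genuine list: ok = %d\n", demo_legit_safe());
    return 0;
}
```

The check costs two loads and two compares per unlink, which is why it could be enabled unconditionally; the metadata cookie closes the remaining gap where an attacker can forge both neighbours consistently.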

4. DEP

DEP (Data Execution Prevention), a goal of secure operating system design, prevents execution of code stored in heap, stack or data memory; it protects against data being run as code. In 2004 AMD introduced the NX bit in its CPUs, allowing the hardware for the first time to mark memory pages as non-executable and fault on attempts to execute them. Intel later introduced the XD feature with the same function.

5. ASLR

ASLR (Address Space Layout Randomization) introduces randomness into the memory addresses used by a process, which makes attacks harder. Some of what is randomized:

    • DLL images: ntdll.dll is loaded at one of 256 possible locations, and the other DLLs are likewise loaded at randomized locations;

    • PEB (Process Environment Block) / TEB (Thread Environment Block)

Note, however, that because Windows places images at 64KB granularity, the entropy of some memory regions is small, that is, the randomization space is small, so those regions can be brute-forced.

III. Introduction to bypassing the Windows memory protection mechanisms

Attack and defence are always a contest, developing in alternation. This part briefly introduces bypasses of the Windows protections, focusing on a few ideas for GS and ASLR; the aim is to inspire thinking, and much richer material is available online.

1. Bypassing GS protection

    1. Guessing the cookie value: GS derives its cookie from several weak entropy sources, so an attacker can calculate, predict or guess the cookie value; this is suited to local attacks on the system.

    2. Overwriting a called function pointer: when a virtual function is called, the caller has the object or structure on the stack, so if you can overwrite the object's vtable pointer and point it at a forged vtable, the virtual call is redirected and code execution is obtained before the function ever returns.

    3. Replacing the cookie: the cookie value is stored in the .data section, which is writable, so if you have any arbitrary memory write you can overwrite the stored cookie with a value of your choosing.

    4. Overwriting SEH records: GS does not protect SEH, so if you can write enough data to overwrite an SEH record and trigger an exception before the function ends and checks the cookie, the program will dispatch execution to the SEH handler you control.
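Item 4 is the most instructive, because it turns on ordering: the cookie is verified in the epilogue, but an access violation during the overflow hands control to fs:[0] immediately. The following added example, not the original author's code, models that in portable C: a /GS frame with a caller's SEH record above it on the stack; an overflow that stops at the return address is caught by the cookie check, while one that runs off the end of the mapped stack triggers dispatch to the overwritten handler before the epilogue runs. Addresses and the two handler functions are constructed, and no SafeSEH validation is modelled here, which is exactly why SafeSEH exists as a separate mitigation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*seh_handler_t)(void);
typedef struct seh_rec { struct seh_rec *prev; seh_handler_t handler; } seh_rec_t;

/*
 * Constructed picture of the stack from a vulnerable frame up to the end of the mapped
 * stack region, lowest address first. The SEH record belongs to a __try block higher up
 * the call chain, so it sits past the return address.
 */
typedef struct {
    char       buf[16];      /* vulnerable local buffer                   */
    uintptr_t  cookie;       /* /GS cookie slot                           */
    uintptr_t  saved_ebp;
    uintptr_t  ret_addr;
    seh_rec_t  seh;          /* EXCEPTION_REGISTRATION record of a caller */
} stack_top_t;               /* writing past this struct = unmapped page = access violation */

static uintptr_t security_cookie = 0x5A8F1C3Du;   /* assumed module cookie */

enum { RES_RETURNED = 0, RES_COOKIE_FAILED = 1, RES_EXCEPTION_DISPATCHED = 2 };

/*
 * Copies n bytes into buf with no bounds check (the bug) inside a /GS prologue/epilogue.
 * A write past the mapped region raises an access violation; the OS then dispatches to
 * the first SEH record at once, before this function's epilogue runs the cookie check.
 */
int vuln_copy(stack_top_t *st, uintptr_t ebp, const unsigned char *src, size_t n, int *handler_ret)
{
    st->cookie = security_cookie ^ ebp;                 /* prologue */
    for (size_t i = 0; i < n; i++) {
        if (i >= sizeof *st) {                           /* access violation */
            *handler_ret = st->seh.handler();            /* fs:[0] -> (overwritten) handler */
            return RES_EXCEPTION_DISPATCHED;
        }
        ((unsigned char *)st)[i] = src[i];
    }
    if ((st->cookie ^ ebp) != security_cookie)          /* epilogue: __security_check_cookie */
        return RES_COOKIE_FAILED;
    return RES_RETURNED;
}

#define HANDLER_LEGIT    1
#define HANDLER_ATTACKER 0xBAD
static int app_handler(void)      { return HANDLER_LEGIT; }      /* the program's own handler */
static int attacker_handler(void) { return HANDLER_ATTACKER; }   /* stands in for shellcode */

/* Payload: filler bytes, with the attacker's handler pointer planted where seh.handler lives. */
void build_payload(unsigned char *out, size_t len, seh_handler_t h)
{
    memset(out, 'A', len);
    size_t at = offsetof(stack_top_t, seh) + offsetof(seh_rec_t, handler);
    if (at + sizeof h <= len)
        memcpy(out + at, &h, sizeof h);
}

void stack_init(stack_top_t *st)
{
    memset(st, 0, sizeof *st);
    st->ret_addr    = 0x00401234u;                          /* constructed */
    st->seh.prev    = (seh_rec_t *)(uintptr_t)0xFFFFFFFFu;  /* end of chain */
    st->seh.handler = app_handler;
}

int main(void)
{
    stack_top_t st;
    unsigned char payload[sizeof st + 8];
    int hret = 0, r;
    const uintptr_t ebp = 0x0012FF70u;
    build_payload(payload, sizeof payload, attacker_handler);

    stack_init(&st);
    r = vuln_copy(&st, ebp, payload, offsetof(stack_top_t, seh), &hret);
    printf("overflow stops at the SEH record: result %d (1 = caught by GS)\n", r);
    stack_init(&st);
    r = vuln_copy(&st, ebp, payload, sizeof payload, &hret);
    printf("overflow runs off the stack:      result %d, handler returned 0x%x\n", r, hret);
    return 0;
}
```

The second run never reaches __security_check_cookie at all, which is the whole point: GS only defends the return path, so an exception raised mid-overflow is outside its reach.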

2. Bypassing the ASLR

The simplest way to circumvent ASLR is to return into a module that was not linked with ASLR support; the noaslr option of the pvefindaddr tool lists all loaded modules that were not linked with ASLR. For example, the MSVCR71.dll module is not protected by ASLR, so we can return into that module.
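Whether a module "links with ASLR" comes down to one flag in its PE header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) in OptionalHeader.DllCharacteristics, set by the /DYNAMICBASE linker option; DEP opt-in is the neighbouring NX_COMPAT bit (0x0100). This added example, which is not part of the original article or of pvefindaddr, reads that field from an in-memory PE image so a module can be classified as a return-to-module candidate offline. The sample image is a constructed minimal PE32 header, not a real DLL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040u   /* linked with /DYNAMICBASE: ASLR */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100u   /* linked with /NXCOMPAT: DEP      */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reads IMAGE_OPTIONAL_HEADER.DllCharacteristics from a PE image in memory.
 * Returns 0 and sets *out on success, -1 if the buffer is not a well-formed PE header. */
int pe_dll_characteristics(const uint8_t *img, size_t len, uint16_t *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t pe = rd32(img + 0x3C);                       /* e_lfanew */
    /* signature (4) + IMAGE_FILE_HEADER (20) + optional header through DllCharacteristics (72) */
    if (pe > len || len - pe < 4 + 20 + 72 || memcmp(img + pe, "PE\0\0", 4) != 0)
        return -1;
    if (rd16(img + pe + 4 + 16) < 72)                     /* SizeOfOptionalHeader */
        return -1;
    const uint8_t *opt = img + pe + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B)                 /* PE32 / PE32+ */
        return -1;
    *out = rd16(opt + 70);          /* DllCharacteristics: same offset in PE32 and PE32+ */
    return 0;
}

/* 1 if the module opted into ASLR, 0 if not (a return-to-module candidate), -1 on error. */
int pe_has_aslr(const uint8_t *img, size_t len)
{
    uint16_t c;
    if (pe_dll_characteristics(img, len, &c) != 0) return -1;
    return (c & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) ? 1 : 0;
}
int pe_has_nxcompat(const uint8_t *img, size_t len)
{
    uint16_t c;
    if (pe_dll_characteristics(img, len, &c) != 0) return -1;
    return (c & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) ? 1 : 0;
}

/* Constructed minimal PE32 DLL header (no sections) with the given DllCharacteristics.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t make_min_pe32(uint8_t *buf, size_t cap, uint16_t dllchars)
{
    const uint32_t pe = 0x80;
    size_t need = pe + 4 + 20 + 224;                      /* 224 = PE32 optional header size */
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)pe;                               /* e_lfanew (little-endian) */
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 4 + 0]  = 0x4C; buf[pe + 4 + 1] = 0x01;       /* Machine = IMAGE_FILE_MACHINE_I386 */
    buf[pe + 4 + 16] = 224;                                /* SizeOfOptionalHeader */
    buf[pe + 4 + 18] = 0x02; buf[pe + 4 + 19] = 0x21;      /* EXECUTABLE | 32BIT | DLL */
    buf[pe + 24 + 0] = 0x0B; buf[pe + 24 + 1] = 0x01;      /* Magic = PE32 (0x10B) */
    buf[pe + 24 + 70] = (uint8_t)(dllchars & 0xFF);
    buf[pe + 24 + 71] = (uint8_t)(dllchars >> 8);
    return need;
}

int main(void)
{
    uint8_t img[512];
    size_t n = make_min_pe32(img, sizeof img,
                             IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    printf("hardened module: aslr=%d nx=%d\n", pe_has_aslr(img, n), pe_has_nxcompat(img, n));
    n = make_min_pe32(img, sizeof img, 0);
    printf("legacy module:   aslr=%d nx=%d  (return-to-module candidate)\n",
           pe_has_aslr(img, n), pe_has_nxcompat(img, n));
    return 0;
}
```

To check a real DLL, read the file into a buffer and pass it to pe_has_aslr(); the header offsets above are the same whether the image comes from disk or from a module loaded in the debugger.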

** Reference: Gray Hat Hacking: The Ethical Hacker's Handbook, Third Edition **


This article is from the "Run Yang Hang" blog; please keep this source when reproducing it: http://windhawkfly.blog.51cto.com/10171660/1653458
