0-day security: second edition of software vulnerability analysis technology

To put it simply, there are two reasons for this re-release:

First of all, Chinese people are well aware of the principle of keeping pace with the times, especially in terms of technology. With the continuous improvement of Windows platform Protection Technology and the widespread use of win7, many of the methods described in the first version have taken a big picture.
Limits. For this reason, we have collected cutting-edge articles at various security summits in recent years, and re-painted them in the book after reading and digesting them. It can be said that in this reversion, we will describe and summarize the current Windows
Almost all of the most cutting-edge memory exploit technologies in the platform. Timeliness is an important reason for re-release.

Then, the compilation of the first version began with a simple impulse at the school stage: compile all the documents and manuscripts at hand into a book to share with you. Limited by my knowledge, the first version of 0 day is enthusiastic,
There are still great regrets about the depth and breadth. This time I invited four friends to join the compilation camp. The three are the public, not to mention the addition of four new attackers, which are far more powerful than the skypixer, should be "bright" and "quantitative" enough. Bo
Another important reason for the re-release is to take the lead of the masses.

Let's take a look at this compilation team.

Shineast: kernel debugging expert and vulnerability mining expert. Responsible for Windows Kernel security. He will teach you how to build a debugging environment, share his experiences in kernel mining, experience several Kernel Vulnerability Analysis experiments, and then teach you how to create your own kernel fuzz tool.

Zi Han: Windows security expert, professional penetration testing expert, and mobile phone commissioning expert. This is responsible for the content of advanced exploit technology. He will use a series of well-designed experiments
Windows protection mechanisms allow you to clearly describe and discuss how to bypass these protection mechanisms in a more intelligent way. In addition, zihan will discuss with you for the first time in a formal publication.
Exploit problems in Windows Mobile.

Wordless: vulnerability mining experts, debugging experts, and the supreme author of the black line of defense. This project is responsible for some content of vulnerability mining and case analysis. Without words, I will share his rich experience in vulnerability mining and debugging with you without reservation in the book. Many cases in the book come from the 0day he found.

Dflower: File Analysis Expert and vulnerability debugging expert. This time, I was responsible for writing the file type fuzz and some debugging chapters. He will discuss with you how to parse complex files and find valuable dirty data injection points in complex files to trigger unknown vulnerabilities.

In general, the second version has more than 70% new content. In addition to the basic exploit principle entry-level reserved and tool usage updated in the first article, almost all of the remaining content is newly added. Let's take a look at the differences between the 0day version 2 and the first version from the directory outline.

Views: 2175
File Size: 216.7 kb "src =" http://bbs.pediy.com/attachment.php? Attachmentid = 49074 & D = 1287148501 "border =" 0 "alt =" Name: 0day Second Edition 2.png
Views: 2175
File Size: 216.7 kb ">

(This article is inherited from the first version. The heap content has been revised and the mobile phone exploit content has been added)

Article 1 basics of exploits
Chapter 4 Basic Knowledge
Chapter 2 stack overflow Principles and Practices
Chapter 2 shellcode Development
Chapter 2 Use metasploit to develop Exploit
Chapter 3 Heap Overflow
Chapter 2 various memory attack Technologies
Chapter 4 mobile phone vulnerability Exploitation
7.1. Introduction to Windows Mobile
7.1.1. Windows Mobile Process Management
7.1.2. Windows Mobile Memory Management
7.2 arm assembly instructions
7.2.1 common registers for Arm Assembly
7.2.2. Arm Assembly function call
7.3 Windows Mobile exploit me Experiment
7.3.1. Mobile phone debugging method
7.3.2. Exploit me on the mobile phone
Chapter 4 other types of software vulnerabilities
8.1. Formatting String Vulnerability
8.1.1. Defects in printf
8.1.2. Use printf To Read Memory Data
8.1.3. Use printf to write data to memory
8.1.4. Detection and Prevention of formatting String Vulnerabilities
8.2. SQL injection attacks
8.2.1. SQL Injection principles
8.2.2. Attack the PHP + MySQL website
8.2.3. Attack ASP + SQL Server websites
8.2.4. Detection and Prevention of injection attacks
8.3. XSS attacks
8.3.1. reason why the script can be "Cross-Site"
8.3.2. XSS reflection attack scenario
8.3.3. Stored XSS attack scenario
8.3.4. Attack Case Review: XSS Worm
8.3.5. XSS Detection and Prevention
8.4. path tracing Vulnerability
8.4.1. Basic principles of path tracing
8.4.2. Normalization and path backtracking
8.5. ActiveX and "web Horse"

(This article has been greatly expanded and revised on the basis of the first version)

Article 2 challenges of exploits
Chapter 2 Windows Security Mechanism Overview
Chapter 3 guardian angel in stack: GS
10.1. Protection Principle of GS Security compilation options
10.2. use unprotected memory to break through GS
10.3. overwrite the virtual function breakthrough GS
10.4. Attack Exception Handling breakthrough GS
10.5. Replace the cookie in both the stack and. Data to break through the GS
Chapter 3: safeseh
11.1. Protection Principle of safeseh for Exception Handling
11.2. Attack return address bypassing safeseh
11.3. Use virtual functions to bypass safeseh
11.4. Bypass safeseh from the heap
11.5. Bypass safeseh using the disabled safeseh Module
11.6. Bypass safeseh using addresses outside the loading Module
11.7. Bypass safeseh using the Adobe Flash Player ActiveX Control
Chapter 2 watershed between data and Programs: Dep
12.1. Dep Protection Principle
12.2. Attack programs that do not enable Dep
12.3. Use ret2libc to challenge Dep
12.3.1. Use zwsetinformationprocess in ret2libc practice
12.3.2. Use virtualprotect in ret2libc practice
12.3.3. Use virtualalloc in ret2libc practice
12.4. Use executable memory to challenge Dep
12.5. Use. Net to challenge Dep
12.6. Use Java applet to challenge Dep
Chapter 4 hiding in memory: aslr
13.1. Principles of memory randomization Protection Mechanism
13.2. Attack Modules that do not enable aslr
13.3. Use partial coverage to locate the memory address
13.4. Use heap spray technology to locate memory addresses
13.5. Use Java Applet heap spray technology to locate memory addresses
13.6. Disable aslr for the. Net Control
Chapter 2 s.e. h ultimate protection: sehop
14.1. Principles of sehop
14.2. Attack return address
14.3. Attack virtual functions
14.4. Use modules with no sehop Enabled
14.5. Forged s.e. h linked list
Chapter 4 heap under heavy protection
15.1. Principles of heap Protection Mechanism
15.2. Variables stored in the attack heap
15.3. Use chunk to reset the size of the attack heap
15.4. Use lookaside tables for Heap Overflow

(Except for the tool introduction revision in Article 1, this document is newly added)

Article 3 vulnerability Mining
Chapter 2 vulnerability Mining Technology Overview
16.1. Vulnerability mining Overview
16.2. Establish a test environment
16.3. Automated Testing Using Python scripts
16.4. Introduction to common test tools
16.4.1. Spike
16.4.2. comraider
16.4.3. bestorm Introduction
16.5. Static code Audit
Chapter 2 smart fuzz and file type vulnerability Mining
17.1 smart fuzz Overview
17.1.1 basic methods for fuzz File Format
17.1.2 blind fuzz and smart fuzz
17.2 file mining vulnerability with peach
17.2.1 peach introduction and Installation
17.2.2 XML Introduction
17.2.3 simple Peach Pit
17.2.4 define the dependency between data
17.2.5 use peach fuzz PNG file
17.3 010 script, Swiss Army knife for parsing complex files
17.3.1 010 editor Introduction
17.3.2 getting started with script writing
17.3.3 010 script writing improvement-PNG File Parsing
17.3.4 in-depth analysis and mining-pptfile Parsing
Chapter 2 FTP vulnerability Mining
18.1. FTP protocol Introduction
18.2. Mining FTP Vulnerabilities
18.2.1. Manual FTP protocol test
18.2.2. Vulnerability Mining case: remote overflow of the easy FTP server v1.7.0.2 CWD command
18.2.3. Automated Testing Tool ftpfuzz
18.3. FTP non-memory vulnerability discovered
18.3.1. Special Characteristics of FTP service programs
18.3.2. completeftp Server Cross-Directory Access Vulnerability
18.4. develop automated FTP protocol testing tools
Chapter 1 e-mail vulnerability Mining
19.1. Explore SMTP Vulnerabilities
19.1.1. SMTP Protocol Introduction
19.1.2. SMTP protocol test method
19.1.3. Vulnerability Mining case: MailCarrier 2.51 smtp helo Overflow Vulnerability
19.2. Exploit POP3 Vulnerabilities
19.2.1. POP3 Protocol Introduction
19.2.2. POP3 protocol test method
19.2.3. Vulnerability Mining case: turbomail 4.3 POP3 Remote Denial of Service Vulnerability
19.3. Mining IMAP4 Vulnerabilities
19.3.1. Introduction to IMAP4 protocol
19.3.2. methods for testing the IMAP4 protocol
19.3.3. Vulnerability Mining case: turbomail 4.3 IMAP4 Remote Denial of Service Vulnerability
19.4. Non-memory Vulnerabilities
19.4.1. Remote Management Mode of the mail service program
19.4.2. Kerio MailServer management user permission out-of-bounds vulnerability
19.4.3. completeftp Server Cross-Directory Access Vulnerability
Chapter 2 ActiveX Control Vulnerability Mining
20.1. Introduction to ActiveX Controls
Article 1.1. Relationship between browsers and ActiveX Controls
V1.1.2. Permission Differentiation
1.3. location in the Registry
Objective 1.4. Significance of killbit
20.2. Test ActiveX Controls
2.1. Establishment of the test environment
Ipv2.2. parse the COM file
2.3. Interface for obtaining controls
2.4. Basic test ideas
20.3. ActiveX Vulnerability mining practices
3.1. ActiveX Vulnerability classification
Listen 3.2. memory overflow: The hyperstar Reader ActiveX executes arbitrary code
Authorization 3.3. Unauthorized search file: Microsoft comct233.ocx Control Remote File judgment Vulnerability
Protocol 3.4. Unauthorized File Reading: Cell ActiveX Control Remote File theft Vulnerability
Unauthorized File Deletion: Kaspersky 6.0 Remote Arbitrary File Deletion Vulnerability
20.4. Prevention of ActiveX Control Vulnerability attacks

(This article is entirely new)

Article 4 operating system kernel Security
Chapter 4 Kernel Vulnerability Introduction
21.1 Kernel Vulnerability Overview
21.2. Classification of kernel Vulnerabilities
21.3. Functions of kernel Vulnerabilities
21.4. Causes of kernel Vulnerabilities
21.5 Kernel Vulnerability research process
21.5.1. Vulnerability Learning Process
21.5.2. Vulnerability Mining Process
Chapter 4 Kernel Program Vulnerability Analysis
22.1 Kernel Vulnerability Analysis Method
22.1.1. kernel debugging tracking
22.1.2. Blue Screen analysis
22.2 Kernel Vulnerability Example Analysis
22.2.1. Remote Denial of Service Kernel Vulnerability
22.2.2. Local dos Kernel Vulnerability
22.2.3. Remote Buffer Overflow Kernel Vulnerability
22.2.4. Local Buffer Overflow Kernel Vulnerability
22.2.5. Arbitrary data kernel Write vulnerability at any address
22.2.6. fixed address write arbitrary data Kernel Vulnerability
22.2.7. Fixed data kernel Write vulnerability at any address
22.2.8. design defect Kernel Vulnerability
Chapter 4 exploitation of kernel program vulnerabilities
23.1 Kernel Vulnerability exploitation ideas
23.2 Kernel Vulnerability Exploitation
23.3 Kernel Vulnerability exploitation practices and Programming
Chapter 4 Kernel Program vulnerability Mining
24.1. Kernel Vulnerability mining mentality
24.2 Kernel Vulnerability mining ideas
24.3. Existing mining tools
24.4. self-developed mining tools
24.4.1. Fuzz object, fuzz policy, and fuzz item
24.4.2. iocontrol mitm fuzz
24.4.3. iocontrol driver fuzz
24.4.4. myiocontrol fuzzer
24.5. Kernel Vulnerability mining practices
24.5.1. Super patrol astdriver. sys Local Elevation of Privilege Vulnerability
24.5.2. Dongfang weidian mp110013.sys Local Elevation of Privilege Vulnerability
24.5.3. Rising hookcont. sys Driver Local Denial of Service Vulnerability
Chapter 4 Kernel Program vulnerability defense
25.1. Input and Output check
25.2. Security Verification and filtering
25.3. Security Code
25.4 challenges to the White List mechanism
Chapter 4 Kernel Program vulnerability prospects
26.1 Summary of kernel Vulnerabilities
26.2. Prospects for Kernel Vulnerabilities

(A few chapters in this article are revised to the first version. Others are newly added)

Article 5 vulnerability Case Analysis
Chapter 1 Vulnerability Analysis Technology Overview
27.1. thoughts and methods of vulnerability analysis
27.2. Seeking breakthroughs in sports: debugging technology
27.2.1. breakpoint skills
27.2.2. Backtracking
27.3. Instruction tracing technology: "White eyebrow"
27.3.1. Command tracking technology and paimei
27.3.2. Installation of Meimei
27.3.3. Use PE stalker
27.3.4. Quickly locate the code corresponding to a specific function
27.4. Zhuge Liang later: patch comparison Technology
Chapter 2 MS08-067 analysis: system intrusion and worms
28.1. MS08-067 Overview
28.2. Vulnerability Analysis
28.2.1. dynamic debugging
28.2.2. Static Analysis
28.3. Remote Exploit
28.3.1. RPC programming Overview
28.3.2. MS08-067 and worms
Chapter 2 MS06-055 analysis: Practice heap spray
29.1. MS06-055 Overview
29.1.1. Introduction to Vector Markup Language (VML)
29.1.2. 0-day security response documentary
29.2. Vulnerability Analysis
29.3. Vulnerability exploitation practices heap Spray Technology
Chapter 2 MS09-032 analysis: a blood case caused "&"
30.1. MS09-032 Overview
30.2. Vulnerability principle and utilization analysis
Chapter 3 ant cave of dam: lvba (aluminum overlord) ultra-long URL Overflow Vulnerability
31.1. lvba (aluminum overlord) Introduction
31.2. Vulnerability description
31.3. Vulnerability principle and utilization analysis
Chapter 2 CVE-2009-0927: javascript in PDF
32.1. Vulnerability Overview
32.2. pdf file format Overview
32.3. Vulnerability principle and utilization analysis
Chapter 2 0-day analysis of storm videos
33.1. Vulnerability Overview
33.2. Introduction to M3U files
33.3. Vulnerability principle and utilization analysis
Chapter 2: US-Middle School-Q-play remote overflow 0day
34.1. Vulnerability Overview
34.2. Vulnerability Analysis
34.3. Vulnerability Exploitation
Chapter 4 pppoint-to-point Malformed File Overflow
35.1. Vulnerability Overview
35.2. Vulnerability Analysis
35.3. Vulnerability Exploitation
Chapter 1 Non-memory Vulnerability Analysis
36.1. turbomail 4.3 email system XSS 0-Day Vulnerability
36.2 Path Traversal Vulnerability
36.3. lnk shortcut File Vulnerability

(This article was revised to the first version)

Article 6 software security
Chapter 2 software security from the developer's perspective
37.1. Threat modeling
37.1.1. Identify risk and attack vectors
37.1.2. Use the attacker's thinking to verify the System Design
37.2. Write Secure Code
37.3. Input and Output check
37.4. Use secure compilation options and memory Protection Technology
37.5. Product Security Testing
37.6. Vulnerability Management and Emergency Response
Chapter 2 product security practices
Appendix
List of published kernel program vulnerabilities
Other references

 

Original article reference

 

========================================================== ======================================

The technology in the security field is developing very fast, and the initiative is quickly shifting between the attacking and defending sides. The first version is almost finished, and some ideas and technologies in it are not very accurate, such as the compilation of general shellcode, heap Overflow. Coming soon!