1. The essence of modern attack techniques is to blur the boundary between data and code so that the system mistakenly executes data as code.
Differences between bugs and vulnerabilities:
Functional logic flaw (bug): affects the normal functioning of the software, for example a wrong execution result or an icon that is displayed incorrectly.
Security logic flaw (vulnerability): normally does not affect the normal functionality of the software, but once an attacker exploits it successfully, the software can be made to execute additional malicious code. Common vulnerabilities include buffer overflows, cross-site scripting (XSS) and SQL injection.
There are three approaches to discovering vulnerabilities: white-box code auditing, gray-box reverse engineering and black-box testing; among these, black-box fuzz testing is the most efficient.
Fuzz testing (also called fuzzy testing) is a testing method for discovering software security vulnerabilities and checking software robustness: it feeds illegal or malformed fields to the software under test and observes whether the software behaves abnormally.
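The mechanism described above (feed illegal fields, watch for anomalies) as a small worked example. This is an added example, not code from the notes or from the 0day book: the fuzz target `parse_records` is a constructed toy parser that trusts a count byte, the mutation strategy (boundary values, bit flips, truncation) is deterministic so every run finds the same inputs, and the harness records which exception types the target raised and the first input that triggered each.

```python
import struct
from collections import Counter


def parse_records(data: bytes) -> list:
    """Constructed fuzz target: parses a byte-count-prefixed list of
    little-endian 16-bit fields. It trusts the count byte, which is exactly
    the kind of field fuzzing is good at exercising."""
    count = data[0]
    return [struct.unpack_from("<H", data, 1 + 2 * i)[0] for i in range(count)]


def mutate(seed: bytes):
    """Yield deterministic mutations of the seed input: every byte replaced by
    each boundary value, every single bit flipped, and every truncation."""
    boundaries = (0x00, 0x01, 0x7F, 0x80, 0xFF)
    for pos in range(len(seed)):
        for value in boundaries:
            yield seed[:pos] + bytes([value]) + seed[pos + 1:]
        for bit in range(8):
            yield seed[:pos] + bytes([seed[pos] ^ (1 << bit)]) + seed[pos + 1:]
    for cut in range(len(seed)):          # truncated input is another classic illegal field
        yield seed[:cut]


def fuzz(target, seed: bytes) -> dict:
    """Feed each mutated input to the target and record how it misbehaves.
    Returns the number of inputs tried, a count per exception type, and the
    first input that triggered each exception type (useful for triage)."""
    seen = Counter()
    first_input = {}
    tried = 0
    for candidate in mutate(seed):
        tried += 1
        try:
            target(candidate)
        except Exception as exc:          # anomaly: the target did not handle this input
            name = type(exc).__name__
            seen[name] += 1
            first_input.setdefault(name, candidate)
    return {"tried": tried, "exceptions": dict(seen), "first_input": first_input}


if __name__ == "__main__":
    # constructed seed: count = 2, fields 0x0001 and 0x0002
    summary = fuzz(parse_records, b"\x02\x01\x00\x02\x00")
    print("inputs tried:", summary["tried"])
    for name, inp in summary["first_input"].items():
        print(f"{name}: first triggered by {inp.hex()}")
```

The seed itself parses cleanly; the mutations that raise the count byte above the available data (`struct.error`) and the empty truncation (`IndexError`) are the "anomalies" the definition refers to, and each recorded first input is the starting point for root-causing the flaw.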
PE file format
PE is the data format of executable files on the Win32 platform.
An executable file contains not only binary machine code but also much other information, such as strings, menus, icons, bitmaps and fonts; the PE file format specifies how all of this information is organized inside the executable file.
Virtual Memory:
Windows memory can be divided into two layers: virtual memory and physical memory.
Each process is given its own virtual memory when it runs, backed by the physical memory: with 512MB of physical memory, for example, 3 processes can each have a 4G virtual address space. The total virtual memory is larger than the physical memory, but the 4G of virtual memory is only a number describing the size of the address space, not storage that physically exists; compare the relationship between a bank's actual funds and the deposits recorded in its books.
The mapping between PE files and virtual memory
(1) The position of an instruction in the PE file, as seen by a static disassembly tool, is relative to the disk file: the so-called file offset. We may also want to know where that instruction is located in memory, i.e. its virtual memory address (VA).
(2) Conversely, the address of an instruction seen in a debugger is a virtual memory address, and we may need to go back to the PE file to find the machine code corresponding to that instruction.
Several important concepts
1. File offset address
The address of data within the PE file is called the file offset address (perhaps "file address" would be more accurate); it is the offset relative to the beginning of the file as stored on disk.
2. Load base address
The base address at which the PE is loaded into memory. By default an EXE file is loaded at base address 0x00400000 and a DLL at 0x10000000. These locations can be changed through compiler options.
3. Virtual memory address (VA)
The address of an instruction in memory after the PE file has been loaded.
4. Relative virtual address (RVA)
The relative virtual address is the offset of a memory address relative to the load base address.
By default, byte 0 of a typical PE file corresponds to virtual memory address 0x00400000, which is the load base address.
The stack is a data structure: a sequential structure in which data items can be inserted and deleted only at one end (called the top of the stack). In single-chip microcomputer (embedded) applications, the stack is a special storage area whose main function is to hold data and addresses temporarily; it is commonly used to save return points (breakpoints) and the execution context.
Because the operating system essentially preserves the PE's data structures when loading it, the file offset address and the RVA are largely consistent; but because the storage unit (alignment) of data in the file differs from that in memory, there are still differences.
We call this difference, caused by the differing storage units, the section offset (section base difference).
.text section offset = 0xC00
.rdata section offset = 0xE00
.data section offset = 0x1C00
.rsrc section offset = 0x25800
File offset address = virtual memory address - load base address - section offset
                    = RVA - section offset
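The two conversions the notes describe (file offset from a debugger's VA, and VA from a disassembler's file offset) as a worked example in Python. This is added code, not from the notes or the 0day book. It reads the load base address and the section table out of a PE header and applies the formula `file offset = VA - load base - section offset`. The PE header bytes are constructed inline (`build_sample_pe`) with four sections chosen so that their section offsets reproduce the values quoted above (0xC00, 0xE00, 0x1C00, 0x25800); the section sizes, entry point and linker version in it are assumptions, and the section bodies are zero-filled.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple


class Section(NamedTuple):
    name: str
    virtual_size: int          # bytes the section occupies in memory
    virtual_address: int       # RVA at which the section is mapped
    size_of_raw_data: int      # bytes actually stored in the file
    pointer_to_raw_data: int   # file offset at which the raw data starts

    @property
    def section_offset(self) -> int:
        """The notes' 'section offset': the section's RVA minus its file offset."""
        return self.virtual_address - self.pointer_to_raw_data


def parse_pe_headers(data: bytes) -> Tuple[int, List[Section]]:
    """Read the load base address and the section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)         # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                        # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                         # PE32: 32-bit ImageBase at +28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                       # PE32+: 64-bit ImageBase at +24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        off = table + 40 * i                                   # one 40-byte section header each
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, vsize, va, raw_size, raw_ptr))
    return image_base, sections


def rva_to_file_offset(rva: int, sections: List[Section]) -> Optional[int]:
    """file offset = RVA - section offset, using the section that contains the RVA.
    Returns None for an RVA that exists only in memory (uninitialised data past the
    raw data) or that no section maps at all."""
    if sections and rva < sections[0].virtual_address:
        return rva                     # the headers are mapped 1:1 at the start of the image
    for s in sections:
        span = max(s.virtual_size, s.size_of_raw_data)
        if s.virtual_address <= rva < s.virtual_address + span:
            if rva - s.virtual_address >= s.size_of_raw_data:
                return None
            return rva - s.section_offset
    return None


def va_to_file_offset(va: int, image_base: int, sections: List[Section]) -> Optional[int]:
    """file offset = VA - load base - section offset (the formula in the notes)."""
    return rva_to_file_offset(va - image_base, sections)


def file_offset_to_va(offset: int, image_base: int, sections: List[Section]) -> Optional[int]:
    """The reverse direction: from a disassembler's file offset to the VA a debugger shows."""
    for s in sections:
        if s.pointer_to_raw_data <= offset < s.pointer_to_raw_data + s.size_of_raw_data:
            return image_base + offset + s.section_offset
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (not a real binary) whose four sections
    reproduce the section offsets from the notes: 0xC00, 0xE00, 0x1C00, 0x25800."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0xE00, 0x600, 0x24000,
                      0x1000, 0x1000, 0x2000, 0x00400000)             # ImageBase at +28
    opt += b"\0" * (0xE0 - len(opt))
    #          name       VirtualSize  VirtualAddress  SizeOfRawData  PointerToRawData
    layout = [(b".text",  0x0D80,      0x1000,         0xE00,         0x400),
              (b".rdata", 0x01A0,      0x2000,         0x200,         0x1200),
              (b".data",  0x24000,     0x3000,         0x400,         0x1400),
              (b".rsrc",  0x03A0,      0x27000,        0x400,         0x1800)]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in layout)
    image = dos + coff + opt + table
    return image + b"\0" * (0x1C00 - len(image))                       # zero-filled section bodies


if __name__ == "__main__":
    base, secs = parse_pe_headers(build_sample_pe())
    for s in secs:
        print(f"{s.name:7} section offset = {s.section_offset:#x}")
    print(hex(va_to_file_offset(0x401010, base, secs)))                # 0x410
```

Two cases are worth noticing when using this on real files: an RVA inside `.data` beyond its raw data (here 0x5000) has no file offset at all, because that part of the section is created only in memory, and the headers before the first section convert 1:1 because they are mapped at the start of the image.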
0day Notes (i)