How to locate file fields in File Vulnerability Analysis

 

Today, I saw someone asking me how to compare the file format document and what structure is being parsed In the debugging analysis program? I have summarized several methods here. You are welcome to add them, but sometimes you still need to rely on experience. (A) Stain Tracking Analysis: Mark the file content as a stain, and then use the ida stain analysis plug-in to analyze the file content corresponding to the register, combined with the 010editor file format analysis script to locate the file structure. (B) execution command comparison: record the execution commands of normal and abnormal files (od and immdbg all have trace functions), and then code diff to compare the differences in code, then, we analyze the differences in the file content as a whole. (C) conditional message breakpoint: When conditional message breakpoints are set for variables that may cause vulnerabilities, their values are recorded in the log, and many variables are operated cyclically, find the rule to locate the file structure based on the result of the variable record. (D) hypothesis: Sometimes the vulnerability analysis relies on guesses. Assume that the vulnerability corresponds to a file structure, and then debug and analyze the vulnerability to verify the vulnerability. (E) Open-Source Software symbol table loading: for example, to analyze the libpng Vulnerability, first find a software that uses libpng and is open-source and provides signed software, such as Firefox, when you analyze libpng, you can use the firefox symbol table to debug firefox to easily locate the structure. The libpng function also recognizes the structure directly, or you can compile libpng to create a symbol table.