Tools and Basic Reverse Engineering – security.cs.rpi.edu/courses/binexp-spring2015/lectures/3/...
Tools and Basic Reverse Engineering – Part 2
Modern Binary Exploitation
CSCI 4968 – Spring 2015
Jeremy Blackthorne
MBE - 01/30/2015 Tools and Basic RE 1
Lecture Overview
1. Review of Last Lecture
2. Introduction to Dynamic Analysis
3. Tools!
4. Resources
Review
Reversing Concepts:
– Static vs dynamic
– Diffing
– Patching
Review
Tools:
– file
– md5sum
– ssdeep
– strings
– readelf
– objdump
– IDA Pro.exe
Review
IDA Pro:
– Rename variables
– Insert comments
– Recognize structures
– Cross reference
– Stack usage in assembly
Lecture Overview
1. Review of Last Lecture
2. Introduction to Dynamic Analysis
3. Tools!
4. Resources
RE Domain
(Diagram) Binary File --Load--> Process, t=0 --Step--> Process, t=i --Step--> Process, t=n
Static analysis works on the binary file; dynamic analysis works on the loaded process as it is stepped.
Slide Colors
• Linux Tool
– Command
• Windows Tool
– ToolName.exe
• Associated Challenges:
– ChallengeName
Debugger – IDA Pro
• crackme0x04_win.exe
• IDA Pro.exe
RE Domain
Dynamic analysis sees the running process: Code, Registers, Stack, Other Memory, Libraries.
Stack (diagram): eight slots, labelled 0x00 to 0x07, holding, from the caller's side down to the callee's locals:
  c, b, a   – function arguments
  Old EIP   – saved return address
  Old EBP   – saved frame pointer
  x, y, z   – local variables
EBP and ESP mark the frame base (the saved EBP slot) and the current top of the stack.
Lecture Overview
1. Review of Last Lecture
2. Introduction to Dynamic Analysis
3. Tools!
4. Resources
Debugger – Evan’s Debugger
• crackme0x00a.exe
• edb
– edb->options->Preferences->Appearance
ELF Memory Layout (diagram slide)
Virtual Memory Layout (diagram slide)
Physical Memory Layout (two diagram slides)
Debugger – GNU Debugger
• crackme0x00a
• gdb
GNU Debugger - Basics
• crackme0x00a
• gdb
– disassemble main (disas main)
– set disassembly-flavor intel
– break main (b main)
– run
– stepi (si), step into one instruction
– nexti (ni), step over one instruction (calls are executed without entering them)
GNU Debugger – Examine Memory
• gdb
– Examine memory: x/NFU address
– N = number
– F = format
– U = unit
• Examples
– x/10xb 0xdeadbeef, examine 10 bytes in hex
– x/xw 0xdeadbeef, examine 1 word in hex
– x/s 0xdeadbeef, examine null terminated string
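An added example (not from the lecture or the course materials) that emulates the x/NFU specifier over a constructed 16-byte buffer mapped at a made-up base address 0xdeadbeef, so the N, F and U fields can be seen decoding the same bytes as single bytes, as a little-endian word, or as a string; the buffer, base address and function names are assumptions.

```python
import re
import struct

# Constructed sample "process memory": 16 bytes mapped at a fake base address.
BASE = 0xdeadbeef
MEMORY = b"hello\x00\x01\x02\x03\x04\x7f\x80\xff\x00\x00\x00"

UNIT_SIZE = {"b": 1, "h": 2, "w": 4, "g": 8}
SPEC_RE = re.compile(r"^(\d*)([xds]?)([bhwg]?)$")  # N, F, U (a subset of gdb's letters)

def parse_spec(spec):
    """Split gdb's NFU suffix: N defaults to 1, F to hex, U to a 4-byte word."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError("unsupported x/ specifier: " + spec)
    n, f, u = m.groups()
    return (int(n) if n else 1), (f or "x"), (u or "w")

def examine(memory, base, addr, spec):
    """Emulate `x/NFU addr` over the buffer; returns the decoded values."""
    count, fmt, unit = parse_spec(spec)
    off = addr - base
    if off < 0 or off > len(memory):
        raise ValueError("Cannot access memory at address 0x%x" % addr)
    if fmt == "s":  # null-terminated string; the unit letter is ignored, as in gdb
        end = memory.find(b"\x00", off)
        end = len(memory) if end < 0 else end
        return [memory[off:end].decode("latin-1")]
    size = UNIT_SIZE[unit]
    code = {1: "B", 2: "H", 4: "I", 8: "Q"}[size]
    if fmt == "d":
        code = code.lower()  # signed decode for the decimal format
    values = []
    for i in range(count):
        lo = off + i * size
        chunk = memory[lo:lo + size]
        if len(chunk) < size:  # ran past the mapped region, like gdb's error
            raise ValueError("Cannot access memory at address 0x%x" % (base + lo))
        values.append(struct.unpack("<" + code, chunk)[0])  # little-endian, as on x86
    return values

def render(addr, spec, values):
    """Format one gdb-style output line: the address, then the decoded values."""
    _, fmt, unit = parse_spec(spec)
    if fmt == "s":
        return '0x%x:\t"%s"' % (addr, values[0])
    width = UNIT_SIZE[unit] * 2
    cells = ["0x%0*x" % (width, v) if fmt == "x" else str(v) for v in values]
    return "0x%x:\t%s" % (addr, "\t".join(cells))

if __name__ == "__main__":
    for spec in ("10xb", "xw", "s"):  # the three slide examples
        print(render(BASE, spec, examine(MEMORY, BASE, BASE, spec)))
```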
GNU Debugger - python
• gdb
– python print 'A'*10
GNU Debugger – Init File
• mv special ~/.gdbinit
• gdb
– help user
– hexdump
Tracing
• ltrace, library calls
• strace, system calls
Lecture Overview
1. Review of Last Lecture
2. Introduction to Dynamic Analysis
3. Tools!
4. Resources
Additional Resources
• Gdb customizations
– http://reverse.put.as/gdbinit/
– https://github.com/dholm/voidwalker
– http://stackoverflow.com/questions/209534/prettify-my-gdb
– https://github.com/longld/peda
• Ring security
– http://duartes.org/gustavo/blog/post/cpu-rings-privilege-and-protection/
– http://www.amazon.com/The-Rootkit-Arsenal-Evasion-Corners/dp/1598220616