RCE Messageboard's Regroupment > Blogs

IOCTL-Proxy

Posted 12-21-2008 at 01:10 PM by _g_

This is a proof-of-concept IOCTL fuzzer. It gave surprisingly good results.

IOCTL-Proxy works by hooking NtDeviceIoControlFile, manipulating its parameters and feeding them to the real function.

Load the driver and simply click around in the application you want to test.

You will get a lot of BSODs, be careful.

Calls with PreviousMode == KernelMode are ignored, since we are only interested in calls from user mode to kernel mode, not kernel to kernel.

Get it here:
http://www.orange-bat.com
Posted in Uncategorized. 1035 views, 7 comments.
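The parameter manipulation the post describes, modelled as an added example (this is not IOCTL-Proxy's code, which is a kernel driver sitting on NtDeviceIoControlFile). The hook itself cannot run outside Windows; what runs here is the mutation side: the CTL_CODE layout of a control code, and strategies that flip one buffer bit, plant a boundary value, lie about the input or output length, or switch the transfer method. `IoctlCall`, the strategy names, the INTERESTING table and the 0x2000 length cap are assumptions of the example, not anything the post specifies.

```python
import random
import struct

# CTL_CODE layout: DeviceType << 16 | Access << 14 | Function << 2 | Method.
METHOD = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
# Boundary values that tend to break length/offset arithmetic in dispatch routines (assumed set).
INTERESTING = (0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFE, 0xFFFFFFFF, 0x1000)

def decode_ioctl(code):
    return {"device_type": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3}

def encode_ioctl(device_type, access, function, method):
    return (device_type << 16) | (access << 14) | (function << 2) | method

def new_rng(seed):
    return random.Random(seed)  # seeded, so a crashing sequence can be replayed

def dwords(buf):
    return [struct.unpack_from("<I", buf, o)[0] for o in range(0, len(buf) - 3, 4)]

def flip_one_bit(buf, rng):
    """Copy of buf with exactly one bit flipped."""
    out, bit = bytearray(buf), rng.randrange(len(buf) * 8)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def plant_interesting_dword(buf, rng):
    """Overwrite one 4-byte-aligned dword with a boundary value; the length stays the same."""
    out = bytearray(buf)
    struct.pack_into("<I", out, rng.randrange(len(buf) // 4) * 4, rng.choice(INTERESTING))
    return bytes(out)

def mutate_length(length, rng, cap=0x2000):
    """Lie about a buffer length: boundary value or off-by-one, clamped to what we can back with memory."""
    return min(rng.choice(INTERESTING + (length - 1, length + 1)) & 0xFFFFFFFF, cap)

def mutate_method(code, rng):
    """Change only the transfer method, so the driver's buffer-handling assumptions no longer hold."""
    fields = decode_ioctl(code)
    fields["method"] = (fields["method"] + rng.randrange(1, 4)) & 3
    return encode_ioctl(**fields)

class IoctlCall:
    """Constructed model of what the hook sees: control code, input buffer and the two claimed lengths."""
    def __init__(self, code, in_buf, out_len):
        self.code, self.in_buf, self.in_len, self.out_len = code, bytes(in_buf), len(in_buf), out_len

def mutate(call, rng):
    """Apply one strategy per call so each BSOD points at one cause; returns (strategy, new call)."""
    strategies = ["in_len", "out_len", "method"] + (["bitflip", "dword"] if len(call.in_buf) >= 4 else [])
    s, new = rng.choice(strategies), IoctlCall(call.code, call.in_buf, call.out_len)
    new.in_len = call.in_len
    if s == "bitflip": new.in_buf = flip_one_bit(call.in_buf, rng)
    elif s == "dword": new.in_buf = plant_interesting_dword(call.in_buf, rng)
    elif s == "in_len": new.in_len = mutate_length(call.in_len, rng)
    elif s == "out_len": new.out_len = mutate_length(call.out_len, rng)
    else: new.code = mutate_method(call.code, rng)
    return s, new
```

One mutation per call keeps a crash attributable, and a seeded generator makes it reproducible, which matters when the post warns that you will see a lot of them. Switching the method bits is the cheapest probe: METHOD_NEITHER hands the driver raw user-mode pointers, so a handler written for METHOD_BUFFERED that suddenly receives them shows at once whether it probes what it dereferences.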

Command line version of OSR's DeviceTree

Posted 12-16-2008 at 11:06 AM by _g_

Get it here: http://orange-bat.com/code/device.tree.cmd.rar

Sample output:

Code:
Unloading ObjInfo driver
Loading driver: D:\tools\devicetree\i386\OBJINFO.SYS
No service, creating...
Service not running, starting...
Service started.
Driver object: 0x89c98a08
Service name: nvata
Device name: \Device\00000138, type: 0x00000007
Device name: \Device\NvAta2, type: 0x00000001
Device name: \Device\NvAta1, type: 0x00000001
Device name: \Device\NvAta0, type: 0x00000001

Driver object: 0x89c8a8d0
Service name: NDIS
Device name: \Device\Ndis, type: 0x00000012

Driver object: 0x89cdad28
Service name: KSecDD
Device name: \Device\KsecDD, type: 0x00000039

Driver object: 0x8897b218
Service name: Beep
Device name: \Device\Beep, type: 0x00000001

Driver object: 0x899e7418
Service name: Raspti
Device name: \Device\{AA56C973-4F1C-4D19-8BAC-4FA6F14D80CB}, type: 0x00000017

Driver object: 0x89aab928
Service name: Mouclass
Device name: \Device\PointerClass1, type: 0x0000000f
Device name: \Device\PointerClass0, type: 0x00000000
.
.
.
It is useful when coding an IOCTL fuzzer, for example: the device names are the targets the fuzzer has to open.
Posted in Uncategorized. 917 views, 0 comments.
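An added parser for the output above (example code, not part of device.tree.cmd or the ObjInfo driver): it groups each device under its driver object and service, names the few FILE_DEVICE_* type values it knows, and turns the NT device names into the `\\.\GLOBALROOT` paths a user-mode fuzzer can hand to CreateFile. The sample text is the listing from the post; the FILE_DEVICE table is a small subset of the DDK's constants, and `fuzz_targets` is this example's own idea of what a fuzzer would iterate over.

```python
import re

# A few FILE_DEVICE_* values from the DDK headers; a driver may pick any number it likes.
FILE_DEVICE = {0x01: "FILE_DEVICE_BEEP", 0x07: "FILE_DEVICE_DISK", 0x0f: "FILE_DEVICE_MOUSE",
               0x12: "FILE_DEVICE_NETWORK", 0x39: "FILE_DEVICE_KSEC"}
DRIVER_RE = re.compile(r"^Driver object:\s*0x([0-9a-fA-F]+)$")
SERVICE_RE = re.compile(r"^Service name:\s*(\S+)$")
DEVICE_RE = re.compile(r"^Device name:\s*(\S+?),\s*type:\s*0x([0-9a-fA-F]+)$")

def parse_device_tree(text):
    """Group device.tree.cmd output into [{driver, service, devices: [(nt_name, type)]}];
    the loader chatter before the first 'Driver object:' line is skipped."""
    drivers, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = DRIVER_RE.match(line)
        if m:
            cur = {"driver": int(m.group(1), 16), "service": None, "devices": []}
            drivers.append(cur)
        elif cur is not None and SERVICE_RE.match(line):
            cur["service"] = SERVICE_RE.match(line).group(1)
        elif cur is not None and DEVICE_RE.match(line):
            m = DEVICE_RE.match(line)
            cur["devices"].append((m.group(1), int(m.group(2), 16)))
    return drivers

def device_type_name(t):
    return FILE_DEVICE.get(t, "0x%08x" % t)

def win32_path(nt_name):
    r"""Win32 spelling of an NT device name that CreateFile accepts: \\.\GLOBALROOT\Device\X"""
    return r"\\.\GLOBALROOT" + nt_name

def fuzz_targets(drivers):
    """Flat (service, win32 path, type name) list: what a user-mode IOCTL fuzzer iterates over."""
    return [(d["service"], win32_path(name), device_type_name(t))
            for d in drivers for name, t in d["devices"]]

# Sample input: the listing from the post above (loader lines included, they are ignored).
SAMPLE = r"""Unloading ObjInfo driver
Loading driver: D:\tools\devicetree\i386\OBJINFO.SYS
Service started.
Driver object: 0x89c98a08
Service name: nvata
Device name: \Device\00000138, type: 0x00000007
Device name: \Device\NvAta2, type: 0x00000001
Device name: \Device\NvAta1, type: 0x00000001
Device name: \Device\NvAta0, type: 0x00000001

Driver object: 0x89c8a8d0
Service name: NDIS
Device name: \Device\Ndis, type: 0x00000012

Driver object: 0x89cdad28
Service name: KSecDD
Device name: \Device\KsecDD, type: 0x00000039

Driver object: 0x8897b218
Service name: Beep
Device name: \Device\Beep, type: 0x00000001

Driver object: 0x899e7418
Service name: Raspti
Device name: \Device\{AA56C973-4F1C-4D19-8BAC-4FA6F14D80CB}, type: 0x00000017

Driver object: 0x89aab928
Service name: Mouclass
Device name: \Device\PointerClass1, type: 0x0000000f
Device name: \Device\PointerClass0, type: 0x00000000
"""
```

Note that the type field is whatever the driver passed to IoCreateDevice, so it is a hint, not a classification: the NvAta devices above carry 0x1, which the DDK names FILE_DEVICE_BEEP.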

Fighting Oreans' VM (code virtualizer flavour)

Posted 08-19-2008 at 10:41 AM by _g_
Updated 08-19-2008 at 01:32 PM by _g_

If you don't know what Code Virtualizer is, or how it works, you should read this first:
http://rapidshare.com/files/16968098/Inside_Code_Virtualizer.rar
(Inside Code Virtualizer by scherzo)

Now, as you probably already know from scherzo's paper, one possible way to recover virtualized code is to identify each mutated handler (find the corresponding non-mutated version). Once that is done, we can trace the virtual opcodes and "decompile" them to VM instructions. Having "clean" decompiled output, we can translate it to x86 assembly. I consider the last step to be a simple "find and replace" job with flex/yacc.

The problem is, Oreans' VM obfuscation engine can be a bitch. Consider this piece of code:

Code:
	push ebx 
	mov ebx 0F06h
	inc ebx 
	shr ebx 15h
	push ecx 
	mov ecx 6156h
	xor ebx ecx
	pop ecx 
	add ebx 4114h
	shl ebx 7
	push ecx 
	mov ecx 51351Ch
	xor ebx ecx
	pop ecx 
	add ebx edi
	mov eax [ebx]
	pop ebx 
	push 67E0h 
	mov [esp] edx
	mov edx 1
	and eax edx
	mov edx [esp]
	push edx 
	mov edx esp
	add edx 4
	add edx 4
	xchg edx [esp]
	pop esp 
	or eax eax
	push eax 
	mov eax 3B02h
	not eax 
	push ecx 
	mov ecx 0FFFFC3FFh
	sub eax ecx
	pop ecx 
	and [edi+1Ch] eax
	mov eax [esp]
	add esp 4
	push 3328h 
	mov [esp] ebx
	mov ebx [esp]
	push ecx 
	mov ecx esp
	add ecx 4
	add ecx 4
	xchg ecx [esp]
	pop esp
It's one of the VM's handlers. Can you tell what it does? Me neither, so let's try to deobfuscate this crap.

It turns out that simple strategies like constant folding (http://en.wikipedia.org/wiki/Constant_folding), dead code elimination (http://en.wikipedia.org/wiki/Dead_code) and peephole optimisation (find and replace :P), plus some stack cleaning, suffice to recover the obfuscated code:

Code:
NEW = 47, OLD = 0, -47 lines removed
################################ NEXT ROUND ###########################
################################ original
push ebx 
mov ebx 00000f06 
inc ebx 
shr ebx 00000015 
push ecx 
mov ecx 00006156 
xor ebx ecx 
pop ecx 
add ebx 00004114 
shl ebx 00000007 
push ecx 
mov ecx 0051351c 
xor ebx ecx 
pop ecx 
add ebx edi 
mov eax [ebx ] 
pop ebx 
push 000067e0 
mov [esp ] edx 
mov edx 00000001 
and eax edx 
mov edx [esp ] 
push edx 
mov edx esp 
add edx 00000004 
add edx 00000004 
xchg edx [esp ] 
pop esp 
or eax eax 
push eax 
mov eax 00003b02 
not eax 
push ecx 
mov ecx ffffc3ff 
sub eax ecx 
pop ecx 
and [edi 0000001c ] eax 
mov eax [esp ] 
add esp 00000004 
push 00003328 
mov [esp ] ebx 
mov ebx [esp ] 
push ecx 
mov ecx esp 
add ecx 00000004 
add ecx 00000004 
xchg ecx [esp ] 
pop esp 
################################ after constant propagation and folding
push ebx 
mov ebx 00000000 
push ecx 
mov ecx 00006156 
xor ebx 00006156 
pop ecx 
add ebx 00004114 
shl ebx 00000007 
push ecx 
mov ecx 0051351c 
xor ebx 0051351c 
pop ecx 
add ebx edi 
mov eax [ebx ] 
pop ebx 
push 000067e0 
mov [esp ] edx 
mov edx 00000001 
and eax 00000001 
mov edx [esp ] 
push edx 
mov edx esp 
add edx 00000004 
add edx 00000004 
xchg edx [esp ] 
pop esp 
or eax eax 
push eax 
mov eax ffffc4fd 
push ecx 
mov ecx ffffc3ff 
sub eax ffffc3ff 
pop ecx 
and [edi 0000001c ] eax 
mov eax [esp ] 
add esp 00000004 
push 00003328 
mov [esp ] ebx 
mov ebx [esp ] 
push ecx 
mov ecx esp 
add ecx 00000004 
add ecx 00000004 
xchg ecx [esp ] 
pop esp 
################################ after dead code elimination
push ebx 
mov ebx 00000000 
push ecx 
xor ebx 00006156 
pop ecx 
add ebx 00004114 
shl ebx 00000007 
push ecx 
xor ebx 0051351c 
pop ecx 
add ebx edi 
mov eax [ebx ] 
pop ebx 
push 000067e0 
mov [esp ] edx 
and eax 00000001 
mov edx [esp ] 
push edx 
mov edx esp 
add edx 00000004 
add edx 00000004 
xchg edx [esp ] 
pop esp 
or eax eax 
push eax 
mov eax ffffc4fd 
push ecx 
sub eax ffffc3ff 
pop ecx 
and [edi 0000001c ] eax 
mov eax [esp ] 
add esp 00000004 
push 00003328 
mov [esp ] ebx 
mov ebx [esp ] 
push ecx 
mov ecx esp 
add ecx 00000004 
add ecx 00000004 
xchg ecx [esp ] 
pop esp 
################################ after peephole optimisation
push ebx 
mov ebx 00000000 
push ecx 
xor ebx 00006156 
pop ecx 
add ebx 00004114 
shl ebx 00000007 
push ecx 
xor ebx 0051351c 
pop ecx 
add ebx edi 
mov eax [ebx ] 
pop ebx 
push edx 
and eax 00000001 
pop edx 
or eax eax 
push eax 
mov eax ffffc4fd 
push ecx 
sub eax ffffc3ff 
pop ecx 
and [edi 0000001c ] eax 
pop eax 
push ebx 
pop ebx 
################################ after stack cleaning
mov ebx 00000000 
xor ebx 00006156 
add ebx 00004114 
shl ebx 00000007 
xor ebx 0051351c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
mov eax ffffc4fd 
sub eax ffffc3ff 
and [edi 0000001c ] eax 
NEW = 11, OLD = 47, 36 lines removed
################################ NEXT ROUND ###########################
################################ original
mov ebx 00000000 
xor ebx 00006156 
add ebx 00004114 
shl ebx 00000007 
xor ebx 0051351c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
mov eax ffffc4fd 
sub eax ffffc3ff 
and [edi 0000001c ] eax 
################################ after constant propagation and folding
mov ebx 0000001c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
mov eax 000000fe 
and [edi 0000001c ] 000000fe 
################################ after dead code elimination
mov ebx 0000001c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
and [edi 0000001c ] 000000fe 
################################ after peephole optimisation
mov ebx 0000001c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
and [edi 0000001c ] 000000fe 
################################ after stack cleaning
mov ebx 0000001c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
and [edi 0000001c ] 000000fe 
NEW = 5, OLD = 11, 6 lines removed
################################ NEXT ROUND ###########################
################################ original
mov ebx 0000001c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
and [edi 0000001c ] 000000fe 
################################ after constant propagation and folding
mov ebx 0000001c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
and [edi 0000001c ] 000000fe 
################################ after dead code elimination
mov ebx 0000001c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
and [edi 0000001c ] 000000fe 
################################ after peephole optimisation
mov ebx 0000001c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
and [edi 0000001c ] 000000fe 
################################ after stack cleaning
mov ebx 0000001c 
add ebx edi 
mov eax [ebx ] 
and eax 00000001 
or eax eax 
and [edi 0000001c ] 000000fe
Well, almost. The trash above is the verbose output of my little "cleaner" tool. The cleaner is usable; it gives nice results for most of the included code samples. In the handlers.clean folder (see link at bottom) there are non-mutated versions of the CV handlers. After deobfuscation, a few heuristics can be applied to match the deobfuscated and clean versions: edit distance, or rare-instruction matching (for example rol, ror and rcr are rare and show up in only one handler).

The problem is, I got bored with all of this, so if anyone would like to help, I will be more than happy.

Here is the code:
http://www.orange-bat.com/oreans.rar

Compile with make; it works without problems under Cygwin and should work under Linux. To use rip_handlers.py you will need IDAPython.

There are some bugs in my code, beware.
Posted in Uncategorized. 1999 views, 23 comments.
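The four passes of the post above, reimplemented as an added example (this is not the author's cleaner, and its rules are simpler, so the intermediate listings differ from the verbose trace even though the final six instructions agree): constant propagation and folding, liveness-based dead code elimination, three peephole rewrites for the stack idioms this handler uses, and removal of push/pop save-restore pairs. It assumes edi is the VM context pointer and esp the stack, and that every other register is dead when the handler finishes; that assumption is what licenses dropping the restores, and it is stated in the code. The input is the handler listing from the post, in the cleaner's own format.

```python
import re

# Assumed register model: edi is the VM context pointer and esp the stack; every other register is
# dead when the handler returns to the dispatcher (which is what lets push/pop save-restore pairs go).
REG = {"eax", "ebx", "ecx", "edx", "esi", "edi", "esp", "ebp"}
LIVE_OUT = {"esp", "edi"}
M = 0xFFFFFFFF
BINOPS = {"add": lambda a, b: (a + b) & M, "sub": lambda a, b: (a - b) & M, "xor": lambda a, b: a ^ b,
          "and": lambda a, b: a & b, "or": lambda a, b: a | b, "shr": lambda a, b: a >> (b & 31),
          "shl": lambda a, b: (a << (b & 31)) & M}
UNOPS = {"inc": lambda a: (a + 1) & M, "not": lambda a: a ^ M}
ALU = ("mov",) + tuple(BINOPS) + tuple(UNOPS)
is_mem = lambda o: isinstance(o, str) and o[0] == "["

def parse(line):  # page format: "mov [edi 0000001c ] eax" -> ("mov", ["[edi+1c]", "eax"])
    line = re.sub(r"\[\s*(\w+)\s*(\w*)\s*\]", lambda m: "[%s%s]" % (m[1], "+%x" % int(m[2], 16) if m[2] else ""), line)
    mnem, *ops = line.split()
    return mnem, [o if o in REG or o[0] == "[" else int(o, 16) for o in ops]

def fmt(inst): return " ".join([inst[0]] + ["%08x" % o if isinstance(o, int) else o for o in inst[1]])

def regs_written(m, ops):
    w = {"esp"} if m in ("push", "pop") else set()
    w |= {ops[0]} if m in ("pop",) + ALU and ops[0] in REG else set()
    return w | ({o for o in ops if o in REG} if m == "xchg" else set())

def regs_read(m, ops):  # the base register of a memory operand counts as read
    r = ({"esp"} if m in ("push", "pop") else set()) | {o[1:].split("+")[0].rstrip("]") for o in ops if is_mem(o)}
    srcs = ops if m in ("push", "xchg") + ALU[1:] else ops[1:]  # mov/pop only write their first operand
    return r | {o for o in srcs if o in REG}

def fold_constants(prog):
    """Propagate known register values; an ALU op on a known register becomes a mov (its flags are dropped)."""
    known, out = {}, []
    for m, ops in prog:
        ops = list(ops)
        if m in ALU and len(ops) == 2 and ops[1] in known:
            ops[1] = known[ops[1]]
        dst, imm = ops[0], len(ops) == 2 and isinstance(ops[1], int)
        if m == "mov" and dst in REG and imm:
            known[dst] = ops[1]
        elif dst in known and (m in UNOPS or (m in BINOPS and imm)):
            known[dst] = UNOPS[m](known[dst]) if m in UNOPS else BINOPS[m](known[dst], ops[1])
            m, ops = "mov", [dst, known[dst]]
        else:
            for r in regs_written(m, ops): known.pop(r, None)
        out.append((m, ops))
    return out

def live_after(prog):  # backward liveness: registers still needed after each instruction
    live, out = set(LIVE_OUT), []
    for m, ops in reversed(prog):
        out.append(set(live)); live = (live - regs_written(m, ops)) | regs_read(m, ops)
    return out[::-1]

def eliminate_dead(prog):  # drop register-only ALU ops nobody reads; 'or r r' is a flag test and stays
    return [(m, ops) for (m, ops), live in zip(prog, live_after(prog)) if (m == "or" and ops[0] == ops[1])
            or ops[0] in live or m not in ALU or ops[0] not in REG or any(map(is_mem, ops))]

def peephole(prog):
    """Stack idioms from the listing: push imm + store -> push r; mov r,[esp] + add esp,4 -> pop r; the
    six-instruction push r / mov r,esp / add r,4 / add r,4 / xchg r,[esp] / pop esp dance -> add esp,4."""
    out, i = [], 0
    while i < len(prog):
        w, r = [fmt(x) for x in prog[i:i + 6]], (prog[i][1][0] if prog[i][1] else None)
        if len(w) > 1 and isinstance(r, int) and w[0][:5] == "push " and w[1].split()[:2] == ["mov", "[esp]"] \
                and w[1].split()[2] in REG:
            out.append(("push", [w[1].split()[2]])); i += 2
        elif len(w) > 1 and w[0] == "mov %s [esp]" % r and w[1] == "add esp 00000004":
            out.append(("pop", [r])); i += 2
        elif w == ["push %s" % r, "mov %s esp" % r, "add %s 00000004" % r, "add %s 00000004" % r,
                   "xchg %s [esp]" % r, "pop esp"]:
            out.append(("add", ["esp", 4])); i += 6
        else:
            out.append(prog[i]); i += 1
    return out if out == prog else peephole(out)  # repeat until nothing matches

def clean_stack(prog):
    """Remove push R ... pop R pairs when nothing between touches esp and R is unchanged or dead afterwards."""
    live, stack, dead = live_after(prog), [], set()
    for i, (m, ops) in enumerate(prog):
        if m == "push":
            stack.append(i)
        elif m == "pop" and stack:
            j, r = stack.pop(), ops[0]
            mid = prog[j + 1:i]
            esp_used = any("esp" in regs_read(*x) | regs_written(*x) for x in mid
                           if x[0] not in ("push", "pop") or "esp" in x[1])
            clobbered = any(r in regs_written(*x) for x in mid)
            if prog[j][1][0] == r and not esp_used and (not clobbered or r not in live[i]):
                dead |= {i, j}
    return [x for k, x in enumerate(prog) if k not in dead]

def deobfuscate(listing, rounds=10):
    prog = [parse(l) for l in listing.replace(";", "\n").splitlines() if l.strip()]
    for _ in range(rounds):
        new = clean_stack(peephole(eliminate_dead(fold_constants(prog))))
        if new == prog: break
        prog = new
    return [fmt(x) for x in prog]

# Sample input: the mutated handler from the post, in the cleaner's own listing format.
HANDLER = """push ebx; mov ebx 00000f06; inc ebx; shr ebx 00000015; push ecx; mov ecx 00006156; xor ebx ecx;
pop ecx; add ebx 00004114; shl ebx 00000007; push ecx; mov ecx 0051351c; xor ebx ecx; pop ecx; add ebx edi;
mov eax [ebx ]; pop ebx; push 000067e0; mov [esp ] edx; mov edx 00000001; and eax edx; mov edx [esp ];
push edx; mov edx esp; add edx 00000004; add edx 00000004; xchg edx [esp ]; pop esp; or eax eax; push eax;
mov eax 00003b02; not eax; push ecx; mov ecx ffffc3ff; sub eax ecx; pop ecx; and [edi 0000001c ] eax;
mov eax [esp ]; add esp 00000004; push 00003328; mov [esp ] ebx; mov ebx [esp ]; push ecx; mov ecx esp;
add ecx 00000004; add ecx 00000004; xchg ecx [esp ]; pop esp"""
```

Two rounds are enough here: the first round folds the 0xF06 arithmetic down to 0x1c and turns the `[esp]` juggling into plain pushes and pops, and the second round removes the outer `push ebx ... pop ebx` once nothing after it still needs ebx. The folding step discards the flags of every instruction it rewrites, exactly as the post's tool does; `or eax eax` survives only because it is kept as an explicit flag test, so a handler whose dispatcher reads the flags of some other arithmetic would need that instruction added to the keep list.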

PEiD imports parsing DoS

Posted 08-19-2008 at 09:41 AM by _g_

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - Orange Bat advisory -

Name : PEiD v0.94 exe File Parsing DoS
Class : DoS
Published : 2008-08-18
Credit : g_ (g_ # orange-bat # com)

- - Details -

When parsing .exe files, PEiD will allocate memory to hold the
file content. Size of this memory chunk will be divisible by
0x1000 (4KB). If the file size is a multiple of 4KB and if
the import table is located at the end of the file, import parsing
procedure could try to read data off the heap -- to check if
there are more valid import descriptors, memory pointer is advanced
without bounds checking and this leads to access violation:

.text:0043958B loc_43958B:
.text:0043958B mov eax, [esi+10h] ;Oooops!
.text:0043958E add esi, 14h
.text:00439591 cmp eax, ebx
.text:00439593 mov [esp+60h+var_4C], esi
.text:00439597 jnz loc_4393FE

Exe file can still run normally after modifing the IAT btw, see POC.

- - Proof of concept -

http://www.orange-bat.com/adv/2008/poc.08.18.peid.rar

- - PGP -

All advisories from Orange Bat are signed. You can find our public
key here: http://www.orange-bat.com/g_.asc

- - Disclaimer -

This document and all the information it contains is provided "as is",
without any warranty. Orange Bat is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

(c) 2008 www.orange-bat.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70

iEYEARECAAYFAkiokJkACgkQIUHRVUfOLgUCcgCgxI1B4xeCqOV8prG6CisbRcTV
ZZ8An1HSq/W4+Gx6gI9UeNCPqgwmo6jU
=Ddln
-----END PGP SIGNATURE-----
Posted in Uncategorized. 782 views, 6 comments.
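The walk the advisory describes, reconstructed as an added Python model (not PEiD's code): a page-rounded allocation holding the file, and a loop that reads FirstThunk at offset 0x10 of each 0x14-byte IMAGE_IMPORT_DESCRIPTOR until it finds zero, which is the loop at loc_43958B. With a file whose size is a multiple of 4 KB and the descriptors flush against its end, there is no slack in which to hit a zero, so the read runs off the chunk; one extra byte of file gives a whole page of slack and the same loop stops quietly, which is why the advisory's size condition matters. Zero-filled slack, the descriptor contents and the sample layout are assumptions of the model.

```python
import struct

PAGE = 0x1000
DESC_SIZE = 0x14         # sizeof(IMAGE_IMPORT_DESCRIPTOR)
FIRST_THUNK_OFF = 0x10   # the field read at [esi+10h] in the advisory's disassembly

def descriptor(name_rva, first_thunk):
    # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    return struct.pack("<IIIII", 0, 0, 0, name_rva, first_thunk)

def build_file(n_desc, size=PAGE):
    """Constructed 'exe': n unterminated descriptors flush against the end of a page-multiple file.
    Returns (file bytes, offset of the import table)."""
    descs = b"".join(descriptor(0x3000 + 0x10 * i, 0x4000 + 8 * i) for i in range(n_desc))
    return bytes(size - len(descs)) + descs, size - len(descs)

def page_rounded_alloc(data):
    """Model of PEiD's buffer: the file in a chunk rounded up to 4 KB (zero-filled slack is assumed)."""
    size = -(-len(data) // PAGE) * PAGE
    return bytes(data) + bytes(size - len(data))

def walk_imports_unsafe(chunk, off):
    """The advisory's loop: step 0x14 bytes until FirstThunk == 0, never comparing against the chunk size.
    A read past the chunk is the access violation; here struct raises instead of faulting."""
    n = 0
    while True:
        first_thunk = struct.unpack_from("<I", chunk, off + FIRST_THUNK_OFF)[0]
        off += DESC_SIZE
        if first_thunk == 0:
            return n
        n += 1

def walk_imports_safe(data, off):
    """Bounds-checked against the file size; returns (descriptors seen, whether a terminator was found)."""
    n = 0
    while off + DESC_SIZE <= len(data):
        if struct.unpack_from("<I", data, off + FIRST_THUNK_OFF)[0] == 0:
            return n, True
        off, n = off + DESC_SIZE, n + 1
    return n, False

def reads_past_chunk(data, off):
    """True when the unchecked walk over PEiD's buffer for this file would fault."""
    try:
        walk_imports_unsafe(page_rounded_alloc(data), off)
        return False
    except struct.error:
        return True
```

The fix is the comparison in `walk_imports_safe`: the bound is the file size, not the allocation size, and an unterminated table is reported rather than chased. Checking against the allocation would merely move the problem to files that are an exact multiple of the rounding unit, which is the case the advisory exploits.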