BugTraq
Re: Preventing exploitation with rebasing Feb 05 2003 10:29AM David Litchfield (david ngssoftware com) (4 replies) Re: Preventing exploitation with rebasing Feb 05 2003 08:48PM D.C. van Moolenbroek (dc van moolenbroek chello nl)
> Going back to exe image files and rebasing. Surely they can be rebased even
> without a .reloc section? All I need to do is edit the image base in the PE
> header then parse the assembly looking for absolute addresses such as
> function addresses, static variables etc and modify these addresses, too.
This can't work in general. You need to have a list of what should be
relocated (the .reloc section), because otherwise you're just guessing
and may well guess wrong.
>
> For example assume an image base for an exe is 0x00400000 and the C code
> does
>
> printf("hello");
>
> This will generate something like
>
> push 0x0042001C // push pointer to hello
> call 0x00401060 // call printf
>
> If I then make the image base 0x00410000 and I also change
>
> push 0x0042001C
> call 0x00401060
>
> to become
>
> push 0x0043001C
> call 0x00411060
>
> then the exe should still run (as long as you get all the absolute
> addresses) and it has been rebased.
>
> ?
What would happen in this case?:
...
CheckSectionFlags (section,
IMAGE_SCN_ALIGN_8BYTES | IMAGE_SCN_MEM_PURGEABLE);
...
It may generate something like
push 0x00420000 // push flags
push 0x00420148 // push section
call 0x00401290 // call CheckSectionFlags
If you try to rebase that without a .reloc section, as you describe,
you'll change the meaning of the program because you have no way to
tell that the 0x00420000 is a constant and not a relocatable reference
to something else. (The IMAGE... flags are from winnt.h and probably
meaningless the way I've used them above, but you get the idea...)
--
Todd Sabin <tsabin (at) optonline (dot) net [email concealed]>
BindView RAZOR Team <tsabin (at) razor.bindview (dot) com [email concealed]>
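The ambiguity Todd describes, as an added Python example that is not part of the thread: the three immediates from the CheckSectionFlags call are encoded as constructed x86 bytes together with the one .reloc block a linker would emit for them, and the section is then rebased twice, once by walking the relocation entries and once by the scan-and-guess method from the quoted message. The byte layout, RVA, image size and bases are constructed assumptions; only the guessing pass rewrites the flags constant 0x00420000.

```python
import struct
IMAGE_REL_BASED_HIGHLOW = 3  # .reloc entry type: 32-bit absolute address, add the delta
OLD_BASE, NEW_BASE, IMAGE_SIZE = 0x00400000, 0x00410000, 0x30000  # constructed image
TEXT_RVA = 0x1000  # constructed: RVA at which the TEXT bytes below are mapped

# Constructed .text bytes for the CheckSectionFlags call in the post:
#   push 0x00420000      ; flags constant that merely looks like an address
#   push 0x00420148      ; pointer to 'section' (a real fixup)
#   mov eax, 0x00401290  ; address of CheckSectionFlags (a real fixup)
#   call eax
TEXT = bytes.fromhex("6800004200" "6848014200" "B890124000" "FFD0")
IMM_OFFSETS = (1, 6, 11)  # offsets of the three imm32 operands in TEXT
# One IMAGE_BASE_RELOCATION block as the linker would emit it: VirtualAddress,
# SizeOfBlock, then WORD entries of (type << 12 | page offset) for offsets 6 and 11.
RELOC = struct.pack("<IIHH", TEXT_RVA, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 6,
                    (IMAGE_REL_BASED_HIGHLOW << 12) | 11)

def iter_fixup_rvas(reloc):
    """Walk a .reloc stream and yield the RVA of every HIGHLOW fixup."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8:
            break  # malformed block: stop rather than loop forever
        for entry in struct.unpack_from("<%dH" % ((size - 8) // 2), reloc, pos + 8):
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                yield page_rva + (entry & 0xFFF)
        pos += size

def rebase_with_reloc(text, text_rva, reloc, delta):
    """Patch only the dwords the linker recorded as relocatable."""
    buf = bytearray(text)
    for off in (rva - text_rva for rva in iter_fixup_rvas(reloc)):
        if 0 <= off <= len(buf) - 4:
            val = struct.unpack_from("<I", buf, off)[0]
            struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
    return bytes(buf)

def rebase_by_guessing(text, delta):
    """Scan-and-guess rebasing: bump every dword that falls inside the old image range."""
    buf = bytearray(text)
    for off in range(len(buf) - 3):
        val = struct.unpack_from("<I", buf, off)[0]
        if OLD_BASE <= val < OLD_BASE + IMAGE_SIZE:
            struct.pack_into("<I", buf, off, val + delta)
    return bytes(buf)

def operands(text):
    """Decode (flags, section_ptr, call_target) from the three imm32 slots."""
    return tuple(struct.unpack_from("<I", text, off)[0] for off in IMM_OFFSETS)
```

Compare operands(rebase_with_reloc(TEXT, TEXT_RVA, RELOC, NEW_BASE - OLD_BASE)) with operands(rebase_by_guessing(TEXT, NEW_BASE - OLD_BASE)): the first leaves the flags at 0x00420000, the second silently turns them into 0x00430000.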