When trying to install VMware, if you get an error like an empty message box, check the VMware install log file in the %temp% directory. If you see the error message "unable to generate ssl keys", it means that you have another version of OpenSSL installed somewhere on your local system; you need to rename or remove it for the VMware install to work correctly.
So simply rename the existing OpenSSL file or remove it, and then run the VMware installation again.
vlc --extraintf=http:logger --verbose=2 --file-logging --logfile=vlc-log.txt
I downloaded sample programs from https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/ and decided to examine them using windbg. Following are my observations with the file cfg_guard_ignore.exe, which you get on compiling the cfg_guard_ignore.cpp file.
- On load, ntdll!LdrSystemDllInitBlock has the following structure:
- Following is the memory:
- More on memory:
Running x cfg_guard_ignore!safe_calls gives the address of the function, 0x013d2ac0, as shown in the picture above; dropping the last two hex digits (the low byte) gives 0x013d2a.
Multiplying 0x013d2a by 4 and adding it to the base address of the CFG bitmap gives the entry in the bitmap, which here is 00000004. On a call to this function (or to an address inside this function), a value is calculated from the target address; if it does not equal 4 the call is aborted, otherwise execution continues as normal.
Now if we run the exe, it accepts one of two arguments, 0 or 1. If we pass 1 the CFG check is not enforced, but if we pass 0 then CFG comes into the picture. Following are some live debugging screenshots with argument 0:
- cfg_guard_ignore!_load_config_used+48 gives details on the function pointer used to call the validate function, which calculates the above mentioned value and compares it against the bitmap.
- cfg_guard_ignore!__guard_fids_table holds all the valid address offsets, as shown in the picture above.
- Below is where guard_check_icall_ptr is called; it holds the address of the LdrpValidateUserCallTarget API:
- Following is when we step into the API:
Following is how the value is calculated:
If the bt result is 0 then control jumps and we get int 29h:
I will try to write a detailed blog on the algorithm used to calculate the value and how it searches the bitmap.
This is a quick post and so might have certain errors.
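As an added example (not code from the post or from the Trail of Bits samples), the following Python models the two steps described above: the bitmap entry computation for cfg_guard_ignore!safe_calls (target >> 8, times 4, plus the bitmap base) and the bt test whose failure ends in int 29h. The bitmap base is a constructed placeholder (the real one comes from LdrSystemDllInitBlock), and the bit position inside the 32-bit entry follows the published 32-bit LdrpValidateUserCallTarget layout, which is an assumption not shown on this page.

```python
# Added example, not code from the post: model the 32-bit CFG bitmap lookup
# that LdrpValidateUserCallTarget performs for an indirect-call target.
# The dword index ((target >> 8) * 4) is what the post computes by hand for
# cfg_guard_ignore!safe_calls; the bit position inside that dword follows the
# published 32-bit layout and is an assumption, not something shown on the page.

BITMAP_BASE = 0x7F000000   # constructed placeholder; the real base is read from LdrSystemDllInitBlock


def bitmap_slot(target):
    """Return (dword address, bit index) that the guard check consults for `target`."""
    dword_addr = BITMAP_BASE + (target >> 8) * 4   # 0x013d2ac0 -> BITMAP_BASE + 0x013d2a * 4
    bit = (target >> 3) & 0x1F                      # which of the 32 bits in that dword (assumed layout)
    if target & 0xF:                                # target not 16-byte aligned: the odd bit is tested
        bit |= 1
    return dword_addr, bit


def build_bitmap(valid_targets):
    """Constructed bitmap: set the bit for every valid target (the addresses listed in __guard_fids_table)."""
    bitmap = {}
    for t in valid_targets:
        dword_addr, bit = bitmap_slot(t)
        bitmap[dword_addr] = bitmap.get(dword_addr, 0) | (1 << bit)
    return bitmap


def guard_check(bitmap, target):
    """True if the indirect call is allowed; False models the bt failing and int 29h being raised."""
    dword_addr, bit = bitmap_slot(target)
    dword = bitmap.get(dword_addr, 0)   # entries never written read as zero, i.e. no valid target there
    return bool((dword >> bit) & 1)


if __name__ == "__main__":
    SAFE_CALLS = 0x013D2AC0                   # address the post obtained with x cfg_guard_ignore!safe_calls
    bm = build_bitmap([SAFE_CALLS])
    # Aligned function entry passes; a call 4 bytes into the function or into the next 256-byte chunk does not.
    for t in (SAFE_CALLS, SAFE_CALLS + 4, SAFE_CALLS + 0x100):
        print(f"{t:#010x}: {'allowed' if guard_check(bm, t) else 'int 29h'}")
```

The unaligned case is the one worth noting when reading the disassembly: a target that is not 16-byte aligned is checked against the neighbouring odd bit, so only functions that were explicitly marked as allowing mid-chunk entry pass there.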
Use the -g switch to compile a debug build. Also use --openssldir=/usr/local to install it into a local directory. In some cases you need to create a symbolic link to libssl.so and libcrypto.so in /usr/lib.
Run the OpenSSL server, then connect to it with the client:
openssl s_server -cert cert.pem -key key.pem -www -tls1_2 -accept 4433
openssl s_client -connect localhost:4433
If you want to know where a particular sequence of bytes will be loaded at run time in memory and you only have its offset from position 0 in the exe file, use the following:
- Open the exe and check the section table.
- Check which section this file offset belongs to.
- Load the exe and get its base address.
- Calculate the runtime address as below:
- runtime address = offset in exe - raw address (PointerToRawData) of the section + virtual address of the section + base address of the exe (the value before adding the base address is the RVA)
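The steps above, carried out by code rather than by hand, as an added example that is not part of the original post: the script reads the section table out of the PE headers, finds the section whose raw data covers the file offset, and applies the formula. Because no real executable ships with the page, build_sample_pe constructs a header-only PE32 with made-up section values purely so the parser has something to run on.

```python
import struct

# Added example, not code from the post: read the section table of a PE file and
# turn a raw file offset into the RVA / runtime address given by the formula above.


def parse_sections(data):
    """Return the section table of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER starts right after the signature
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                         # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_size": raw_size, "raw_pointer": raw_ptr})
    return sections


def file_offset_to_rva(sections, offset):
    """RVA = offset - PointerToRawData + VirtualAddress of the section containing the offset."""
    for s in sections:
        if s["raw_pointer"] <= offset < s["raw_pointer"] + s["raw_size"]:
            return offset - s["raw_pointer"] + s["virtual_address"]
    raise ValueError(f"file offset {offset:#x} is not inside any section's raw data")


def file_offset_to_va(sections, offset, image_base):
    """Runtime address = RVA + the base address the exe was actually loaded at (ASLR picks it)."""
    return image_base + file_offset_to_rva(sections, offset)


def build_sample_pe(sections):
    """Constructed, header-only PE32 (not a real program) so the parser can be exercised offline.
    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: PE signature right after the DOS header
    opt = bytes(0xE0)                                     # zeroed PE32 optional header (0xE0 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, va, raw_size, raw_ptr in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    # Constructed layout: .text raw data at 0x400 maps to RVA 0x1000, .rdata at 0xC00 maps to RVA 0x2000.
    image = build_sample_pe([(b".text", 0x1000, 0x1000, 0x800, 0x400),
                             (b".rdata", 0x500, 0x2000, 0x600, 0xC00)])
    secs = parse_sections(image)
    for off in (0x450, 0xD00):
        print(f"file offset {off:#x} -> RVA {file_offset_to_rva(secs, off):#x} "
              f"-> VA {file_offset_to_va(secs, off, 0x400000):#x}")
```

On a real binary, replace build_sample_pe with open(path, "rb").read() and take the image base from the debugger (for example the module base windbg prints with lm), since the preferred base in the optional header is not where the module lands under ASLR.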
Use the following ActionScript code to save the contents of a variable to a file:
var fileRef:FileReference = new FileReference();
fileRef.save(<var to dump here>, "NewFileName.txt");