I downloaded the sample programs from https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/ and decided to look at them using WinDbg. Following are my observations on cfg_guard_ignore.exe, which you get by compiling cfg_guard_ignore.cpp.
- On load, ntdll!LdrSystemDllInitBlock has the following structure:
- Following is the memory:
- More on the memory:
Running x cfg_guard_ignore!safe_calls gives the address of the function, 0x013d2ac0 in the picture above. Dropping the low byte (the last two hex digits, i.e. shifting the address right by 8) gives 0x013d2a.
Multiplying 0x013d2a by 4 and adding the result to the base address of the CFG bitmap selects the bitmap dword that covers this 256-byte range of addresses; in the screenshot it reads 00000004. When this function, or any address inside it, is called through the guard, the validator derives a bit position from the low bits of the target address (bits 3 to 7, with the lowest bit forced to 1 when the target is not 16-byte aligned) and tests that bit of the dword with bt. If the bit is clear the call is aborted, otherwise execution continues as normal.
Now, when we run the exe it takes one argument, 0 or 1. If we pass 1 the CFG check is not enforced, but if we pass 0 CFG comes into the picture. Following are some live debugging screenshots with argument 0:
- cfg_guard_ignore!_load_config_used+0x48 (GuardCFCheckFunctionPointer in the load config directory) gives the function pointer through which the validate function is called; that function calculates the value mentioned above and tests it against the bitmap.
- cfg_guard_ignore!__guard_fids_table holds the RVAs of all valid indirect-call targets, as shown in the picture above.
- Below is where __guard_check_icall_fptr is called; it holds the address of the ntdll!LdrpValidateUserCallTarget routine:
- Following is when we step into the routine:
- Following is how the value is calculated:
- If the bt result is 0 (carry flag clear), control jumps to the failure path and we get int 29h, the fast-fail interrupt:
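As an added example, not code from the post or from the Trail of Bits samples, the following C program models the lookup that the 32-bit LdrpValidateUserCallTarget performs in the stepped-through assembly above: address >> 8 selects a bitmap dword, bits 3 to 7 of the address select a bit in that dword (with the low bit forced to 1 for targets that are not 16-byte aligned, mirroring the test cl,0Fh / or eax,1 pair), and a clear bit under bt means the fast-fail path. The bitmap window, the cfg_mark_target helper (a simplification of what the loader does with the GFIDS table) and every address except the post's 0x013d2ac0 are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Window of the (normally process-wide) CFG bitmap that we model.
 * One dword covers 256 bytes of address space: 16 slots of 16 bytes, 2 bits each. */
struct cfg_bitmap {
    uint32_t lo;        /* lowest address covered, 256-byte aligned */
    uint32_t ndwords;   /* number of dwords in the window */
    uint32_t *words;
};

static int cfg_bitmap_init(struct cfg_bitmap *bm, uint32_t lo, uint32_t hi)
{
    bm->lo = lo & ~0xffu;
    bm->ndwords = ((hi - bm->lo) + 0xff) >> 8;
    bm->words = calloc(bm->ndwords, sizeof *bm->words);
    return bm->words != NULL;
}

/* Dword selection, mirroring "shr eax,8 ; mov edx,[edx+eax*4]".
 * Returns NULL when the address is outside the modelled window (the real bitmap
 * reserves the whole address space, so ntdll never has this case). */
static uint32_t *cfg_word(const struct cfg_bitmap *bm, uint32_t addr)
{
    uint32_t idx = (addr >> 8) - (bm->lo >> 8);
    if (addr < bm->lo || idx >= bm->ndwords)
        return NULL;
    return &bm->words[idx];
}

/* Bit selection, mirroring "shr eax,3 ; test cl,0Fh ; (or eax,1) ; bt edx,eax".
 * bt with a register operand uses the offset modulo 32, hence the & 0x1f.
 * The even bit of a slot means "a 16-byte-aligned target lives here", the odd bit
 * means "targets inside this slot may be unaligned". */
static unsigned cfg_bit_index(uint32_t addr)
{
    unsigned bit = (addr >> 3) & 0x1f;
    if (addr & 0xf)
        bit |= 1;
    return bit;
}

/* Loader-side marking. Assumption/simplification of what the loader derives from the
 * GFIDS table: an aligned target sets the even bit only, an unaligned one sets both. */
static int cfg_mark_target(struct cfg_bitmap *bm, uint32_t addr)
{
    uint32_t *w = cfg_word(bm, addr);
    unsigned even = (addr >> 3) & 0x1e;
    if (!w)
        return 0;
    *w |= 1u << even;
    if (addr & 0xf)
        *w |= 1u << (even | 1);
    return 1;
}

/* The check itself: 1 means the call proceeds, 0 means bt found the bit clear and the
 * fast-fail path (int 29h) would fire. */
static int cfg_validate(const struct cfg_bitmap *bm, uint32_t addr)
{
    const uint32_t *w = cfg_word(bm, addr);
    if (!w)
        return 0;
    return (int)((*w >> cfg_bit_index(addr)) & 1u);
}

int main(void)
{
    struct cfg_bitmap bm;
    const uint32_t safe_calls = 0x013d2ac0;   /* address the post found for safe_calls */
    if (!cfg_bitmap_init(&bm, 0x013d0000, 0x013e0000))
        return 1;
    cfg_mark_target(&bm, safe_calls);
    printf("dword index 0x%06x, bit %u, dword value 0x%08x\n",
           (unsigned)(safe_calls >> 8), cfg_bit_index(safe_calls),
           (unsigned)*cfg_word(&bm, safe_calls));
    printf("valid: 0x013d2ac0=%d  0x013d2ac4=%d  0x013d2ad0=%d\n",
           cfg_validate(&bm, 0x013d2ac0), cfg_validate(&bm, 0x013d2ac4),
           cfg_validate(&bm, 0x013d2ad0));
    free(bm.words);
    return 0;
}
```

Note that with this model the dword for 0x013d2ac0 holds bit 24 (0x01000000), not 4: the post's figure of 00000004 is the value read from the screenshot and the bit that bt actually tests depends on bits 3 to 7 of the target, so compare the dword against (1 << bit) rather than against a fixed value when checking by hand.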
I will try to write a detailed blog post on the algorithm used to calculate the value and how it looks it up in the bitmap.
This is a quick post, so it might have certain errors.
Use the -g switch to compile a debug build.
Run an OpenSSL test server (TLS 1.2 only; -www makes it answer a GET with a status page):
openssl s_server -cert cert.pem -key key.pem -www -tls1_2 -accept 4433
Connect to it with the client:
openssl s_client -connect localhost:4433
If you want to know where a particular sequence of bytes will be loaded at run time in memory and you only have its offset from position 0 in the exe file, use the following:
- Open the exe and check the section table.
- Check which section this offset belongs to (PointerToRawData <= offset < PointerToRawData + SizeOfRawData).
- Load the exe and get its base address (with ASLR it changes per run, so read it from the debugger).
- You can calculate the address as below:
- RVA = offset in exe - PointerToRawData of the section + VirtualAddress of the section
- VA = RVA + base address of exe
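As an added example, not from the original note, the following C program performs the section-table lookup described above on a constructed section table. The section numbers and the base address 0x013d0000 are made up for the example; the handling of offsets that fall inside the PE headers (which are mapped 1:1 at RVA 0) goes one step beyond the list above.

```c
#include <stdint.h>
#include <stdio.h>

/* Subset of IMAGE_SECTION_HEADER fields that the mapping needs. */
struct section {
    const char *name;
    uint32_t virtual_address;   /* RVA of the section once mapped */
    uint32_t virtual_size;      /* Misc.VirtualSize */
    uint32_t raw_pointer;       /* PointerToRawData: file offset of the section */
    uint32_t raw_size;          /* SizeOfRawData */
};

/* Constructed sample section table (a typical MSVC layout, not taken from the note). */
static const struct section sample_sections[] = {
    { ".text",  0x1000, 0x2f40, 0x400,  0x3000 },
    { ".rdata", 0x4000, 0x1a50, 0x3400, 0x1c00 },
    { ".data",  0x6000, 0x0c00, 0x5000, 0x0400 },
};
#define NSECTIONS (sizeof sample_sections / sizeof sample_sections[0])

/* Map a raw file offset to an RVA. Returns -1 when no section (and not the header
 * area) holds that offset, e.g. an offset inside the file's trailing overlay. */
static int64_t file_offset_to_rva(const struct section *s, size_t n, uint32_t off)
{
    uint32_t first_raw = UINT32_MAX;
    for (size_t i = 0; i < n; i++) {
        if (off >= s[i].raw_pointer && off < s[i].raw_pointer + s[i].raw_size)
            return (int64_t)(off - s[i].raw_pointer) + s[i].virtual_address;
        if (s[i].raw_pointer < first_raw)
            first_raw = s[i].raw_pointer;
    }
    /* The PE headers are mapped at RVA 0, so an offset before the first section's
     * raw data keeps its file offset as its RVA. */
    if (off < first_raw)
        return off;
    return -1;
}

/* VA = RVA + run-time base. Returns 1 on success and writes the address to *va. */
static int file_offset_to_va(const struct section *s, size_t n, uint32_t off,
                             uint64_t base, uint64_t *va)
{
    int64_t rva = file_offset_to_rva(s, n, off);
    if (rva < 0)
        return 0;
    *va = base + (uint64_t)rva;
    return 1;
}

int main(void)
{
    const uint32_t off = 0x1a3c;        /* constructed file offset inside .text */
    const uint64_t base = 0x013d0000;   /* constructed run-time base (read it from the debugger) */
    uint64_t va;
    if (!file_offset_to_va(sample_sections, NSECTIONS, off, base, &va)) {
        puts("offset is not inside any section");
        return 1;
    }
    printf("file offset 0x%x -> RVA 0x%llx -> VA 0x%llx\n", off,
           (unsigned long long)file_offset_to_rva(sample_sections, NSECTIONS, off),
           (unsigned long long)va);
    return 0;
}
```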
To dump data to a file from ActionScript 3, use the following code:
import flash.net.FileReference;
// save() only works from a user-triggered event handler (e.g. a click); otherwise Flash Player throws an error
var fileRef:FileReference = new FileReference();
fileRef.save(<var to dump here>, "NewFileName.txt");
To compile with mxmlc, keeping trace() statements and statically linking the runtime shared libraries, use the following command:
mxmlc -omit-trace-statements=false -static-link-runtime-shared-libraries=true -compiler.source-path=. C:\scripts\file.as
Following are the quick steps to rebuild a SWF from a decompiled one:
- Use the JPEXS decompiler to extract all the data.
- Copy all the scripts and binary data to the same folder.
- Create a new project in FlashDevelop and import all the files.
- Right-click the main file and select "Always Compile".
- Press F8 to build.
You may need to make a few changes to function calls and the folder hierarchy if you run into compile problems.