Archive for January, 2017

running vlc in debug mode

January 31, 2017

vlc --extraintf=http:logger --verbose=2 --file-logging --logfile=vlc-log.txt


Control Flow Guard – win10_64bit

January 16, 2017

I downloaded the sample programs from https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/ and decided to examine them with WinDbg. The following are my observations on cfg_guard_ignore.exe, which you get by compiling cfg_guard_ignore.cpp.

  1. On load, ntdll!LdrSystemDllInitBlock has the following structure:

[screenshot: ntdll_1]

LdrSystemDllInitBlock+60 holds the address of the CFG bitmap and LdrSystemDllInitBlock+68 holds its size.

  2. The following is the memory:

[screenshot: ntdll_2]

  3. More on the memory:

[screenshot: cfg_entry]

Running x cfg_guard_ignore!safe_calls gives the address of the function, which is 0x013d2ac0 as shown in the picture above; dropping the last byte (the last two hex digits) gives 0x013d2a.

Multiplying 0x013d2a by 4 and adding it to the base address of the CFG bitmap gives 00000004, which is the entry in the bitmap. When this function (or an address inside it) is called, a value is computed from the target and, if it does not equal 4, the call is aborted; otherwise execution continues as normal.


Now, if we run the exe, it takes one argument, 0 or 1. If we pass 1 the CFG check is not enforced, but if we pass 0 CFG comes into the picture. The following are some live debugging screenshots with argument 0:

  1. [screenshot: cfg_load_config] cfg_guard_ignore!_load_config_used+48 gives details on the function pointer used to call the validate function, which computes the value mentioned above and compares it against the bitmap.
  2. cfg_guard_ignore!__guard_fids_table holds all the valid address offsets, as shown in the picture above.
  3. Below is where guard_check_icall_ptr is called; it holds the address of the LdrpValidateUserCallTarget API:
  4. [screenshot: call_validateusercalltarget]
  5. The following is when we step into the API:

[screenshot: call_inside]


The following is how the value is calculated:

[screenshot: screenshot_4]

[screenshot: screenshot_5]

If the bt result is 0 (carry flag clear), control jumps and we get int 29h:

[screenshot: screenshot_7]
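As an added illustration (not part of the original post or of the Trail of Bits sample code), here is a small C model of the bitmap lookup walked through above: the dword index is the target address with its last byte dropped (the post's 0x013d2ac0 becomes 0x013d2a), the byte offset into the bitmap is that index times 4, and the bt test decides between a normal return and the int 29h fast-fail path. The bit chosen inside the dword (bits 3..7 of the target, with the low bit forced to 1 for targets that are not 16-byte aligned) is my reconstruction of the 32-bit LdrpValidateUserCallTarget check and is an assumption, as is the toy bitmap, which is constructed inside the example rather than read from a live process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the 32-bit CFG bitmap lookup described in the post.
 * Constructed for illustration: the bitmap lives in this process, not in
 * ntdll, and all of it starts out zero (no valid call targets). */
#define BITMAP_DWORDS 0x20000u   /* covers targets below 0x02000000 */

static uint32_t g_bitmap[BITMAP_DWORDS];

/* Dword index: drop the last byte of the target (0x013d2ac0 -> 0x013d2a). */
uint32_t cfg_dword_index(uint32_t target) { return target >> 8; }

/* Byte offset from the bitmap base: index * 4, as in the post. */
uint32_t cfg_byte_offset(uint32_t target) { return cfg_dword_index(target) * 4u; }

/* Bit position inside the dword. ASSUMPTION: two bits per 16-byte chunk,
 * taken from bits 3..7 of the target; the odd bit is used when the target
 * is not 16-byte aligned. */
uint32_t cfg_bit_index(uint32_t target) {
    uint32_t bit = (target >> 3) & 0x1fu;
    if (target & 0xfu) bit |= 1u;
    return bit;
}

/* Mark a target as a valid indirect-call destination (what the loader does
 * from the image's guard fids table). */
void cfg_mark_valid(uint32_t target) {
    uint32_t idx = cfg_dword_index(target);
    if (idx >= BITMAP_DWORDS) return;
    g_bitmap[idx] |= 1u << cfg_bit_index(target);
}

/* The check itself: 1 if the call proceeds, 0 where ntdll would take the
 * jump to int 29h (the bt result was 0). */
int cfg_validate(uint32_t target) {
    uint32_t idx = cfg_dword_index(target);
    if (idx >= BITMAP_DWORDS) return 0;
    return (int)((g_bitmap[idx] >> cfg_bit_index(target)) & 1u);
}

void cfg_reset(void) { memset(g_bitmap, 0, sizeof g_bitmap); }

int main(void) {
    uint32_t safe_calls = 0x013d2ac0u;   /* address from the post's x command */
    cfg_reset();
    printf("dword index 0x%x, byte offset +0x%x, bit %u\n",
           (unsigned)cfg_dword_index(safe_calls),
           (unsigned)cfg_byte_offset(safe_calls),
           (unsigned)cfg_bit_index(safe_calls));
    cfg_mark_valid(safe_calls);
    printf("call to 0x%08x: %s\n", (unsigned)safe_calls,
           cfg_validate(safe_calls) ? "allowed" : "int 29h");
    printf("call to 0x%08x: %s\n", (unsigned)(safe_calls + 0x20u),
           cfg_validate(safe_calls + 0x20u) ? "allowed" : "int 29h");
    return 0;
}
```

Running it marks only safe_calls as valid, so a call into the middle of the function (safe_calls + 0x20, a different 16-byte chunk) fails the check even though it lies inside code the image legitimately contains; that is the property the guard_check_icall_ptr call is enforcing.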

I will try to write a detailed blog post on the algorithm used to calculate the value and how it searches the bitmap.


This is a quick post and so might have certain errors.
