DISQUS

Matasano Chargen: Hand-Detouring Windows Function Calls With HT

  • Gustavo Duarte · 2 years ago
    A pretty easy way to handle this is to add a value named "Debugger" to key

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NameOfService.exe

    And point it to an exe of your choice (potentially a debugger). CreateProcess() will then execute whatever you have in 'Debugger' when the SCM tries to start the service. It's a useful trick for mucking with service startup.

    cheers
  • dre · 2 years ago
    HT is very nice, but it's not 80% of IDA Pro - it doesn't even support FLIRT, flow charts, et al -- let alone all the great plug-ins. I'd like to see you put a Unix preprocessor into HT as easily. Not to mention: PaiMei (including IDAPython and pGRAPH), Nintendo DS loader module (I just bought a DS Lite for Final Fantasy III and have a DS-Xtreme on the way), Determina PDB (and the general ease of downloading MS symbol tables and importing them), IDASync, IDACompare, idastruct, IDA RPC Enumerator, BinNavi, BinDiff, BinAudit, and HBGary Inspector.

    i know you are overstating HT's value, as it barely has any features over objdump. it's nice to compare results between the 4 major toolsets (IDA Pro, OllyDbg, HT and gdb/binutils) just to make sure you are on the right track or miss something. I tend to jump from one to the other especially when I'm confused which is probably a lot more often than you are.

    Btw - thanks for speaking about Detours. I was just playing around with binary patching as talked about at Recon 2006 in Luis Miras' talk on Fixing Bugs in Binaries. I downloaded CFF Explorer V. I normally roll VS2k5 to play with my wm5 device anyways, so a MS compiler is usually around.
  • Thomas Ptacek · 2 years ago
    I know I'm overstating HT's features, but I think you might be understating them. By "80% of IDA", I mean "cross-referenced PE disassembly with symbols", which objdump can't do.

    Although I also think objdump is highly underrated. =)
  • Max · 2 years ago
    If you are already trapping to ollydbg (sounds like you are) you might find Hernan's uhooker useful to hook the function you want via python. It is an ollydbg plugin

    http://oss.coresecurity.com/projects/uhooker.htm
  • Thomas Ptacek · 2 years ago
    Back when I was trying to solve my binary netcat problem, Ivan and Hernan shot me a copy of this so I could pick data up directly from sockets. I like it!

    Unfortunately for me, in this case my problem is that I have a tangled mess of virtual function calls, so I don't have a specific target function to hook.
  • ivan · 2 years ago
    That was then..the current version of Uhooker can hook on any address besides function calls

    There are 3 different types of hooks:
    1. Hook Before Entering the function (type 'B')
    2. Hook After the function returns (type 'A')
    3. Hook when executing reaches this address (type '*')

    http://oss.coresecurity.com/uhooker/doc/index.html

    Speaking about detours coolness... check out the third-party patch for MS06-057 from Determina
    http://www.determina.com/security.research/patc...
  • Thomas Ptacek · 2 years ago
    This is cool stuff, Ivan.

    I'm going to note what all the cool kids already know: it is impossible to do any kind of reversing/modifying work without realizing how easy binary third-party patching has become. The project I was writing about here was hairy: inter-module, inter-thread, through virtual functions; if I was just trying to block a pathological input to stop an attack, there'd be 20 more tricks we could pull out of our bag to do that.
  • anonymouse · 2 years ago
    ht is pretty nice
    but since you say you like ollydbg you can do all you enumerated from ollydbg itself no need for hte :)

    click in dump and hit ctrl+g and go to .rdata section
    find the place of debug output as you mention hit : (colon) and label it egg

    020D28E0 00 .

    select disassembler window
    and start typing jmp egg (assembler starts on typing or press spacebar to bring it up)

    if it is trashing some opcodes in excess of your required 5 bytes ollydbg will automatically fill with nops till the next valid sequnce of opcodes

    original
    020C1028 |. FF1485 41A10C02 CALL NEAR DWORD PTR DS:[EAX*4+20CA141>

    modified
    020C1028 - E9 B3180100 JMP
    020C102D 90 NOP
    020C102E 90 NOP
    020C102F |. 833D 51A10C02 01 CMP DWORD PTR DS:[20CA151], 1


    after this do ctrl+g in disassembler window
    and type egg

    020D28E0 0000 ADD BYTE PTR DS:[EAX], AL
    020D28E2 0000 ADD BYTE PTR DS:[EAX], AL

    start adding the detour including the trashed instruction copy to executable (selection in rdata section as well as all modifications in code section)

    and there you go all set

    btw doesnt rdata section needs to be set exec charecteristics ? if you are executing code ?

    nice plugin there this uhooker should be interesting to try and play with it thanks ivan for posting a link to it
  • Traveller_Adventure · 4 months ago
    Great post, really help me alot. Thanks.

    Cheers,
    Buat Duit Dengan Blog
  • mp3danyul · 4 months ago
    Thanks for this post, it was really helpful
  • real estate mountain lake · 4 months ago
    Pretty informative post i like your explanation very much with diagram.

    Thanks for the good post.