Matasano Chargen - Latest Comments in Hand-Detouring Windows Function Calls With HT

Re: Hand-Detouring Windows Function Calls With HT

mikebason — Fri, 10 Jul 2009 13:27:32 -0000

Pretty informative post i like your explanation very much with diagram.

Thanks for the good post.

Re: Hand-Detouring Windows Function Calls With HT

mp3danyul — Wed, 08 Jul 2009 14:00:57 -0000

Thanks for this post, it was really helpful

Re: Hand-Detouring Windows Function Calls With HT

Traveller_Adventure — Tue, 07 Jul 2009 05:11:14 -0000

Great post, really help me alot. Thanks.

Cheers,
Buat Duit Dengan Blog

Re: Hand-Detouring Windows Function Calls With HT

anonymouse — Sat, 02 Dec 2006 11:29:31 -0000

ht is pretty nice
but since you say you like ollydbg you can do all you enumerated from ollydbg itself no need for hte :)

click in dump and hit ctrl+g and go to .rdata section
find the place of debug output as you mention hit : (colon) and label it egg

020D28E0 00 .

select disassembler window
and start typing jmp egg (assembler starts on typing or press spacebar to bring it up)

if it is trashing some opcodes in excess of your required 5 bytes ollydbg will automatically fill with nops till the next valid sequnce of opcodes

original
020C1028 |. FF1485 41A10C02 CALL NEAR DWORD PTR DS:[EAX*4+20CA141>

modified
020C1028 - E9 B3180100 JMP
020C102D 90 NOP
020C102E 90 NOP
020C102F |. 833D 51A10C02 01 CMP DWORD PTR DS:[20CA151], 1

after this do ctrl+g in disassembler window
and type egg

020D28E0 0000 ADD BYTE PTR DS:[EAX], AL
020D28E2 0000 ADD BYTE PTR DS:[EAX], AL

start adding the detour including the trashed instruction copy to executable (selection in rdata section as well as all modifications in code section)

and there you go all set

btw doesnt rdata section needs to be set exec charecteristics ? if you are executing code ?

nice plugin there this uhooker should be interesting to try and play with it thanks ivan for posting a link to it

Re: Hand-Detouring Windows Function Calls With HT

Thomas Ptacek — Tue, 28 Nov 2006 23:42:39 -0000

This is cool stuff, Ivan.

I'm going to note what all the cool kids already know: it is impossible to do any kind of reversing/modifying work without realizing how easy binary third-party patching has become. The project I was writing about here was hairy: inter-module, inter-thread, through virtual functions; if I was just trying to block a pathological input to stop an attack, there'd be 20 more tricks we could pull out of our bag to do that.

Re: Hand-Detouring Windows Function Calls With HT

ivan — Tue, 28 Nov 2006 15:19:11 -0000

That was then..the current version of Uhooker can hook on any address besides function calls

There are 3 different types of hooks:
1. Hook Before Entering the function (type 'B')
2. Hook After the function returns (type 'A')
3. Hook when executing reaches this address (type '*')

http://oss.coresecurity.com/uhooker/doc/index.html

Speaking about detours coolness... check out the third-party patch for MS06-057 from Determina
http://www.determina.com/security.research/patc...

Re: Hand-Detouring Windows Function Calls With HT

Thomas Ptacek — Tue, 28 Nov 2006 10:48:33 -0000

Back when I was trying to solve my binary netcat problem, Ivan and Hernan shot me a copy of this so I could pick data up directly from sockets. I like it!

Unfortunately for me, in this case my problem is that I have a tangled mess of virtual function calls, so I don't have a specific target function to hook.

Re: Hand-Detouring Windows Function Calls With HT

Max — Tue, 28 Nov 2006 10:07:22 -0000

If you are already trapping to ollydbg (sounds like you are) you might find Hernan's uhooker useful to hook the function you want via python. It is an ollydbg plugin

http://oss.coresecurity.com/projects/uhooker.htm

Re: Hand-Detouring Windows Function Calls With HT

Thomas Ptacek — Tue, 28 Nov 2006 08:25:15 -0000

I know I'm overstating HT's features, but I think you might be understating them. By "80% of IDA", I mean "cross-referenced PE disassembly with symbols", which objdump can't do.

Although I also think objdump is highly underrated. =)

Re: Hand-Detouring Windows Function Calls With HT

dre — Tue, 28 Nov 2006 00:57:54 -0000

HT is very nice, but it's not 80% of IDA Pro - it doesn't even support FLIRT, flow charts, et al -- let alone all the great plug-ins. I'd like to see you put a Unix preprocessor into HT as easily. Not to mention: PaiMei (including IDAPython and pGRAPH), Nintendo DS loader module (I just bought a DS Lite for Final Fantasy III and have a DS-Xtreme on the way), Determina PDB (and the general ease of downloading MS symbol tables and importing them), IDASync, IDACompare, idastruct, IDA RPC Enumerator, BinNavi, BinDiff, BinAudit, and HBGary Inspector.

i know you are overstating HT's value, as it barely has any features over objdump. it's nice to compare results between the 4 major toolsets (IDA Pro, OllyDbg, HT and gdb/binutils) just to make sure you are on the right track or miss something. I tend to jump from one to the other especially when I'm confused which is probably a lot more often than you are.

Btw - thanks for speaking about Detours. I was just playing around with binary patching as talked about at Recon 2006 in Luis Miras' talk on Fixing Bugs in Binaries. I downloaded CFF Explorer V. I normally roll VS2k5 to play with my wm5 device anyways, so a MS compiler is usually around.

Re: Hand-Detouring Windows Function Calls With HT

Gustavo Duarte — Tue, 28 Nov 2006 00:33:08 -0000

A pretty easy way to handle this is to add a value named "Debugger" to key

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NameOfService.exe

And point it to an exe of your choice (potentially a debugger). CreateProcess() will then execute whatever you have in 'Debugger' when the SCM tries to start the service. It's a useful trick for mucking with service startup.

cheers