PE File Structure Security Enumeration · 2020. 3. 20.
Enumerating PE File Structure Security and Custom Base 64 Steganography
PE File Structure Security Enumeration
AtlSecCon - 2016
Special Thanks
To my mentors, without them I wouldn't be here today.
Travis Barlow
Kathryn Dumke
Introduction
Who is the new girl?
We will be doing pictures
They are faster than words, trust me
Who I think I am
What I really am
What my family thinks I do
Me, apparently
What I actually do
Disclaimer
Presentation Legal Notes
This presentation is for informational purposes only
Use this information at your own risk
I won't bail you out of jail
This presentation does not reflect the views or interests of GoSecure
PE File Structure
The Ground Rules
When we talk about PE file structures we will be referring directly to DLLs (Dynamic Link Libraries)
We are only interested in gaining information to leverage an exploit on a particular application; all other information we can leave behind
Slides and the PE File Structure Security Roadmap will be available on GitHub after the presentation
I'm in no way responsible for your actions based on the information presented today
PE File Structure
What can this be used for?
Analysis of Malware
Enumerate Security Protections
Securing Vendor Applications without Source
Exploit Development
PE File Structure
High Level Overview
Microsoft moved to the PE file format for their executables in Windows NT 3.1 and has retained legacy support (the DOS header)
This is where we find the data for the typical sections we deal with when reverse engineering: .text, .data, etc.
PE File Structure
Going into more detail...
Our main focus is the IMAGE_NT_HEADERS section
Take note of how we get pointers to each respective section in the binary (.text and .data) from the headers
PE File Structure
Going Deeper
We will be looking for the Export Names table
Then we will use a few functions of windows.h to help us extract their location in memory when loaded
I will then go over an algorithm that can extract how many bits of entropy we are dealing with
Before we begin we must know the difference between an RVA and a Raw Address
PE File Structure
RVA and Raw Pointers
RVA (Relative Virtual Address) – the address of an item after it's loaded into memory
Pointer to Raw Data – the offset of the same item in the file on disk
If there is a difference between the RVA and the Pointer to Raw Data then we must take that difference into consideration
Now let's zoom in closer to the file structure
PE Security Road Map
How you probably feel right now
Break it down!
PE Security Road Map
IMAGE_NT_HEADERS
Forgetting the DOS Header
IMAGE_NT_HEADERS
IMAGE_FILE_HEADER
Contains the generic information about the PE file
Machine contains information on the architecture
NumberOfSections: .text, .data, .edata, etc.
IMAGE_NT_HEADERS
IMAGE_FILE_HEADER → Machine
Example of the values that can be in the Machine entry
Checking these with bit masking is a good plan
We are only concerned with x86 for this presentation
IMAGE_NT_HEADERS
IMAGE_OPTIONAL_HEADER
Contains information that pertains to security enumeration
DllCharacteristics (ASLR, DEP, SEH)
Address of Entry Point
Reserve for the Heap and the Stack
IMAGE_NT_HEADERS
IMAGE_OPTIONAL_HEADER → DllCharacteristics
ASLR
DEP/NX
SEH
IMAGE_NT_HEADERS
DllCharacteristics → The Code
Bit masking
Structs
If/else logic
IMAGE_NT_HEADERS
IMAGE_DATA_DIRECTORY (within optional header)
Several of these stacked together create a list of offsets to different tables
Using this we can find the IMAGE_LOAD_CONFIG_DIRECTORY and the IMAGE_EXPORT_DIRECTORY
IMAGE_SECTION_HEADER
IMAGE_SECTION_HEADER
The number of these in the file is based on the number of sections that was talked about before
VirtualAddress, SizeOfRawData, PointerToRawData
IMAGE_LOAD_CONFIG_DIRECTORY
SecurityCookie
SEHandlerTable
SEHandlerCount
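The road map walked so far (DOS header → IMAGE_NT_HEADERS → Machine and DllCharacteristics → IMAGE_DATA_DIRECTORY → section headers for the RVA-to-raw translation → IMAGE_LOAD_CONFIG_DIRECTORY) as one runnable pass over a file. This is an example added here, not the talk's code: field offsets are those of winnt.h, the windows.h structs are replaced by plain byte parsing so it runs on any OS, and the DLL it parses is a constructed in-memory image rather than a real binary.

```python
"""Added example: walk a PE image's headers for the mitigations the talk
enumerates (ASLR, DEP/NX, SEH, /GS cookie, SafeSEH table). Offsets come from
winnt.h; the image parsed here is a constructed minimal x86 DLL."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h), tested by bit masking
DLLCHAR = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit images: high-entropy ASLR
    "DYNAMIC_BASE": 0x0040,     # image may be relocated -> ASLR
    "NX_COMPAT": 0x0100,        # DEP/NX compatible
    "NO_SEH": 0x0400,           # image uses no SEH handlers at all
    "GUARD_CF": 0x4000,         # Control Flow Guard
}

def u16(b, o):
    return struct.unpack_from("<H", b, o)[0]

def u32(b, o):
    return struct.unpack_from("<I", b, o)[0]

def rva_to_raw(sections, rva):
    """Translate an RVA to a file offset through the section headers; the two
    differ whenever in-memory alignment differs from file alignment."""
    for _name, va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} lies in no section")

def enumerate_pe(data):
    """Return the security-relevant header fields of a PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    nt = u32(data, 0x3C)                       # e_lfanew -> IMAGE_NT_HEADERS
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = nt + 4                                # IMAGE_FILE_HEADER
    machine, nsections = u16(data, fh), u16(data, fh + 2)
    opt = fh + 20                              # IMAGE_OPTIONAL_HEADER
    pe32plus = u16(data, opt) == PE32PLUS_MAGIC
    dllchar = u16(data, opt + 70)              # same offset in PE32 and PE32+
    flags = {name: bool(dllchar & bit) for name, bit in DLLCHAR.items()}
    # IMAGE_SECTION_HEADERs (40 bytes each) follow the optional header
    sec = opt + u16(data, fh + 16)             # SizeOfOptionalHeader
    sections = [(data[s:s + 8].rstrip(b"\0").decode(), u32(data, s + 12),   # VirtualAddress
                 u32(data, s + 8), u32(data, s + 16), u32(data, s + 20))   # VSize, RawSize, RawPtr
                for s in range(sec, sec + 40 * nsections, 40)]
    # IMAGE_DATA_DIRECTORY array: NumberOfRvaAndSizes entries of (VirtualAddress, Size)
    dirs = opt + (112 if pe32plus else 96)
    ndirs = u32(data, dirs - 4)
    lc_rva = (u32(data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
              if ndirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG else 0)
    info = {"machine": machine, "pe32plus": pe32plus, "flags": flags,
            "sections": [s[0] for s in sections],
            "security_cookie": None, "seh_handler_count": None}
    # Like the talk, only the x86 load config is walked; SafeSEH does not exist on x64
    if lc_rva and machine == IMAGE_FILE_MACHINE_I386:
        lc = rva_to_raw(sections, lc_rva)      # IMAGE_LOAD_CONFIG_DIRECTORY32 on disk
        info["security_cookie"] = u32(data, lc + 0x3C)
        info["seh_handler_count"] = u32(data, lc + 0x44)
    info["aslr"] = flags["DYNAMIC_BASE"]
    info["dep"] = flags["NX_COMPAT"]
    info["safeseh"] = not flags["NO_SEH"] and bool(info["seh_handler_count"])
    return info

def build_sample_pe32():
    """Constructed x86 DLL: ASLR and DEP set, /GS cookie, SafeSEH table of 3 handlers."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    fh = 0x84  # Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, fh, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = fh + 20
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x10000000)        # ImageBase
    struct.pack_into("<H", img, opt + 70, DLLCHAR["DYNAMIC_BASE"] | DLLCHAR["NX_COMPAT"])
    struct.pack_into("<I", img, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x2000, 0x48)
    sec = opt + 0xE0                                         # first IMAGE_SECTION_HEADER
    img[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x2000, 0x200, 0x400)  # VSize, VA, RawSize, RawPtr
    lc = 0x400                                               # raw offset of RVA 0x2000
    struct.pack_into("<I", img, lc, 0x48)                    # Size
    struct.pack_into("<III", img, lc + 0x3C, 0x10003004, 0x10002100, 3)  # cookie, SEH table, count
    return bytes(img)
```

Feeding `enumerate_pe(open(path, "rb").read())` a vendor DLL gives the same ASLR/DEP/SafeSEH readout for a binary you have no source for.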
IMAGE_LOAD_CONFIG_DIRECTORY → GetProcAddress()
Pay Dirt!
LoadLibrary(FileName)
IMAGE_LOAD_CONFIG_DIRECTORY → LoadLibrary()
Back to the PE Security Road Map
Enumerating DLL Function Calls
Enumerating DLL Function Calls
Enumerating DEP, SEH, and ASLR
Enumerating DEP, SEH, and ASLR
ASLR Entropy Algorithm
ASLR Entropy Algorithm
Loading and Unloading
Bit Masking
ASLR Entropy Algorithm
Print Flipped Nibbles
Calculate Entropy
ASLR Entropy Algorithm
Setting the Limitations
Currently only works on libraries that aren't already loaded into memory, as kernel32.dll and user32.dll only change addresses upon reboot since they are loaded into memory at boot.
Only x86 at this time
Use as many iterations as you like, however don't let your computer get hot enough to catch fire or fry eggs (this totally didn't happen to me)
Suggestions are welcome after the talk
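The Loading/Unloading, Bit Masking, Print Flipped Nibbles and Calculate Entropy steps of the entropy algorithm as one script, added here and not the talk's own code. The base addresses are constructed samples standing in for what LoadLibrary()/GetModuleHandle()/FreeLibrary() would report per iteration on Windows; it goes one step past the talk by putting a Shannon estimate next to the flipped-bit count, which shows why few iterations understate the entropy and why an already-mapped library reads as zero.

```python
"""Added example: estimate how many address bits ASLR randomises for a DLL from
the base addresses observed across repeated load/unload cycles."""
import math
from collections import Counter

# Constructed: eight loads of a 32-bit DLL whose base moved within 0x6B200000-0x6BFF0000
SAMPLE_BASES = [0x6B200000, 0x6B410000, 0x6BD70000, 0x6B8C0000,
                0x6BE50000, 0x6B3F0000, 0x6B920000, 0x6B200000]
# Constructed: a library already mapped at boot (kernel32.dll-style): same base every load
ALREADY_LOADED = [0x77A00000] * 5


def flipped_mask(bases):
    """Bit mask of address bits that changed: OR of every base XOR the first one."""
    first = bases[0]
    mask = 0
    for b in bases[1:]:
        mask |= b ^ first
    return mask


def flipped_nibbles(bases, width_bits=32):
    """Hex-digit positions (0 = least significant) that changed at least once."""
    mask = flipped_mask(bases)
    return [i for i in range(width_bits // 4) if (mask >> (4 * i)) & 0xF]


def randomised_bits(bases):
    """Width of the randomised field: number of bits ever seen to flip."""
    return bin(flipped_mask(bases)).count("1")


def observed_entropy(bases):
    """Shannon entropy (bits) of the sampled bases. Capped at log2(len(bases)),
    so a short run understates the true entropy; more iterations tighten it."""
    n = len(bases)
    return -sum(c / n * math.log2(c / n) for c in Counter(bases).values())


def report(bases, width_bits=32):
    return {
        "mask": flipped_mask(bases),
        "flipped_nibbles": flipped_nibbles(bases, width_bits),
        "randomised_bits": randomised_bits(bases),
        "observed_entropy": round(observed_entropy(bases), 3),
        "samples": len(bases),
    }


if __name__ == "__main__":
    for label, bases in (("relocated DLL", SAMPLE_BASES), ("already mapped", ALREADY_LOADED)):
        r = report(bases)
        print(f"{label}: mask={r['mask']:#010x} nibbles={r['flipped_nibbles']} "
              f"bits={r['randomised_bits']} H={r['observed_entropy']} over {r['samples']} loads")
```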
Badger Demo
GCC DEP/NX and SSP Protections Overview
Exploitation Knowledge Base
Canaries
Stack Smashing Protection (SSP)
-fno-stack-protector disables the feature
Default since GCC 4.1
DEP/NX
Data Execution Prevention
Non-Executable Stack
-z execstack disables the feature
Default since GCC 4.1
ASLR
Address Space Layout Randomization
Kernel Level
Exploitation Knowledge Base
Smashing the Stack
Used to overwrite eip/rip
Avoid null bytes for code execution
Happens when a buffer receives too much data and proper error checking isn't present
Allows an attacker to obtain code execution or remote code execution
Can be used for privilege escalation
Exploitation Knowledge Base
Smashing the Stack
Buffer starts at c[0]
Buffer ends at c[11]
Pointer to char *bar
Saved Frame Pointer (ebp)
Return Address (eip)
Step through the process
Exploitation Knowledge Base
Smashing the Stack
Normal buffer
'\x00' / null / terminator
Return Address (eip) OK
Normal execution
Exploitation Knowledge Base
Smashing the Stack
Control User Input
Enter too much data
Check for security controls
Find offset of eip/rip
Addresses stored in memory are in Little Endian format
Point to your code
Smashing The Stack → Example Code
Exploitation Knowledge Base
No error checking
argv[1] is moved into the buffer with no check whether its size is over 256 bytes
Vulnerable to overflow
Smashing The Stack → Bypassing DEP
Exploitation Knowledge Base
Since DEP (Data Execution Prevention) makes certain parts of memory NX, how can we bypass this?
Feel free to shout your answers to me!
Hmmm...
Smashing The Stack → Bypassing DEP
Exploitation Knowledge Base
DLLs → (why can we use this?)
Why can we use the Program Image?
What instructions are useful to us?
What technique is it called?
Hmmm...
Smashing The Stack → Bypassing DEP with ROP
Exploitation Knowledge Base
Before the overflow
Smashing The Stack → Bypassing DEP with ROP
Exploitation Knowledge Base
After the overflow
In this case we used a bogus return address
'\x41' is 'A'
How do we chain this together?
Smashing The Stack → Bypassing DEP with ROP
Exploitation Knowledge Base
We can chain these together using pop-ret or pop-pop-ret or any combination of pop-ret
We use these pop-ret sequences from parts of the memory space that are marked executable
These little pieces of code are called ROP Gadgets
Smashing The Stack → Bypassing DEP with ROP
Exploitation Knowledge Base
The jmp esp code works as well if DEP is only enabled for Windows Services or a library has protection disabled.
Code: jmp esp = '\xff\xe4'
Code: pop esp; ret = '\x5c\xc3'
Same idea, however without chaining multiple gadgets
What are TEB and PEB?
Exploitation Knowledge Base
TEB/PEB
TEB – Thread Environment Block
PEB – Process Environment Block
Let's go over what these blocks contain as well
What are TEB and PEB, how do I access them?
TEB and PEB Overview
This isn't required knowledge
Since it's part of the memory space we will briefly touch on the subject
What is TEB, how do I access it?
Accessing TEB
TEB is simply a data structure that holds information about the current thread.
Here is an example of how to get the pointer to the TIB
Let's have a look at what the TIB contains
Accessing TEB
Accessing TEB
What is PEB, how do I access it?
Accessing PEB
PEB – an opaque data structure, used internally by the Windows operating system itself
Handles Mutual Exclusion
Close to EPROCESS or Kernel Space
Pointer located inside TEB
Accessing PEB
Make Way for the Shellcode
Make Way!
Making Space for your Shellcode
VirtualAlloc(MEM_COMMIT + PAGE_EXECUTE_READWRITE) + copy memory
Allows creation of a new executable memory region; now copy your shellcode to it and execute
HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory
A very similar technique to VirtualAlloc()
Make Way!
Making Space for your Shellcode
SetProcessDEPPolicy()
Changes DEP policy for the current process (Vista SP1, XP SP3, Server 2008, and only when DEP policy is set to OptIn or OptOut)
NtSetInformationProcess()
Changes the DEP policy for the current process
Make Way!
Making Space for your Shellcode
VirtualProtect(PAGE_EXECUTE_READWRITE)
Changes the access protection level of a given memory page to executable.
WriteProcessMemory(): copies shellcode to another executable location, then jump to it and execute (must be a writable executable location)
Choose your Weapon
Choose your Weapon
VirtualProtect() Overview
Starting Address Pointer
Size of Shellcode
Protection Options
A Place to Save your Settings*
*A Writable Memory Location
ROP Demo
Chameleon Demo
Questions?