Memory Corruption Part I Stacks in Software

000380db 0000             add     byte ptr [eax],al
000380dd 00adba0df0ad     add     byte ptr [ebp-520FF246h],ch
000380e3 ba0df0adba       mov     edx,0BAADF00Dh
000380e8 0df0adba0d       or      eax,0DBAADF0h
A few observations can be made from this output. First, we are trying to move data into a location pointed to by the ecx register, which points to the following address: 0x7c80240f. If you unassemble this address, you will find that it actually points to code and not data, per se. As a matter of fact, the code resolves to kernel32!SleepEx:
0:000> u 7c80240f
kernel32!SleepEx+0x8a:
7c80240f c20800           ret     8
7c802412 8975d8           mov     dword ptr [ebp-28h],esi
7c802415 c745dc00000080   mov     dword ptr [ebp-24h],80000000h
7c80241c 8d45d8           lea     eax,[ebp-28h]
7c80241f 8945e4           mov     dword ptr [ebp-1Ch],eax
7c802422 ebbd             jmp     kernel32!SleepEx+0x55 (7c8023e1)
7c802424 3d01010000       cmp     eax,101h
7c802429 75ca             jne     kernel32!SleepEx+0x70 (7c8023f5)
Next, the address that eip points to does not fall into the address range of any currently loaded module. Each module (both code and data) loaded into a process is located at a starting address. The starting address is determined either by the module itself or by the operating system if a collision occurs. In either case, the instruction pointer almost always points to a location within a currently loaded module's address range. You can very easily determine the address range of the modules loaded into your process by using the lm command:
0:000> lm
start    end        module name
01000000 01003000   05async    (deferred)
77c10000 77c68000   msvcrt     (deferred)
77dd0000 77e6b000   ADVAPI32   (deferred)
77e70000 77f01000   RPCRT4     (deferred)
7c800000 7c8f4000   kernel32   (pdb symbols)
7c900000 7c9b0000   ntdll      (pdb symbols)
Our current eip location (000380d1) does not fall within any of the address ranges shown.
Stack Corruptions
Last, the code at the eip location seems to be incorrect. For example, the following instruction ORs the contents of the eax register with a very interesting value:
or eax,0DBAADF0h
Armed with these observations, our theory is that a stack location containing a return address has been corrupted, causing the processor to jump to a valid memory region containing invalid code. Furthermore, we know that the address of the invalid memory region is (or is close to) 000380d1. We say "close to" because the processor really doesn't care too much where it is executing code, as long as it is valid memory. As such, if the instructions that the processor is executing are benign (from a crashing perspective), it will continue executing and advancing eip until a real failure occurs. In our case, we are most certainly executing in a valid memory area, albeit not the right code.

In order to find the corruptor of our stack, we need to do some detective work on the stack itself. Let's begin by dumping out the contents of the stack, and then see if we can recognize what the execution flow was. We already know that the established range for our code module (05async.exe) is 01000000-01003000. By looking at the stack contents, we can see if any elements on the stack are within that range. If so, we might have found a return address that will help us construct the call chain. Listing 5.13 shows the contents of the stack.

Listing 5.13
0:000> dd esp esp+100
0007fd00  7c9118f1 0007fd10 0007ff44 0100156a
0007fd10  000007d0 00000001 00740073 00000000
0007fd20  00000000 00000000 a9b81a60 a9b81a74
0007fd30  00000000 c0000034 e44b1738 87cd0e00
0007fd40  00000000 00000068 00000005 a9b81adc
0007fd50  8056a267 a9b81b98 00000000 00000000
0007fd60  00000038 00000023 7c9118f1 7ffde000
0007fd70  01001a83 7c910570 00000200 0007fffc
0007fd80  8056aa94 01001a7a 0007fd2c 000007d0
0007fd90  00000000 00000000 89e3cc00 888b7370
0007fda0  888b73d0 c0000034 8056a251 00000000
0007fdb0  e4657bc8 00000023 00090000 7c810665
0007fdc0  00000023 00001770 00000004 00650054
0007fdd0  00000000 00000005 80543dfd 00f80084
0007fde0  00000000 00000000 888b7370 00000000
0007fdf0  00000000 00011970 0007fa18 0000001b
0007fe00  8056a267
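The scan just described, picking out stack slots whose value falls inside the range that lm reports for 05async, can be automated. This is an added Python example and not code from the book; it parses the lm output and a few rows of the dd output reproduced on this page, and it also generalizes the check to every loaded module rather than only 05async:

```python
import re

# WinDbg output copied from this page's session (lm, and a few rows of dd esp esp+100).
LM_OUTPUT = """\
01000000 01003000   05async    (deferred)
77c10000 77c68000   msvcrt     (deferred)
77dd0000 77e6b000   ADVAPI32   (deferred)
77e70000 77f01000   RPCRT4     (deferred)
7c800000 7c8f4000   kernel32   (pdb symbols)
7c900000 7c9b0000   ntdll      (pdb symbols)
"""
DD_OUTPUT = """\
0:000> dd esp esp+100
0007fd00  7c9118f1 0007fd10 0007ff44 0100156a
0007fd10  000007d0 00000001 00740073 00000000
0007fd60  00000038 00000023 7c9118f1 7ffde000
0007fd70  01001a83 7c910570 00000200 0007fffc
0007fd80  8056aa94 01001a7a 0007fd2c 000007d0
0007fe00  8056a267
"""
HEX = re.compile(r"^[0-9a-fA-F]{8}$")  # one 32-bit value as WinDbg prints it

def parse_lm(text):
    """Return [(start, end, module_name)] from the module lines of an lm listing."""
    mods = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3 and HEX.match(parts[0]) and HEX.match(parts[1]):
            mods.append((int(parts[0], 16), int(parts[1], 16), parts[2]))
    return mods

def parse_dd(text):
    """Return [(stack_address, dword_value)] for every slot shown by dd."""
    slots = []
    for parts in (line.split() for line in text.splitlines()):
        if not parts or not HEX.match(parts[0]):
            continue  # the 0:000> prompt line and blank lines
        base = int(parts[0], 16)
        slots += [(base + 4 * i, int(w, 16)) for i, w in enumerate(parts[1:]) if HEX.match(w)]
    return slots

def find_module_hits(slots, mods, module=None):
    """Stack slots whose value lies inside a loaded module's range: candidate return
    addresses. module=None also reports hits in the other modules (ntdll here)."""
    hits = []
    for addr, val in slots:
        for start, end, name in mods:
            if start <= val < end and (module is None or name == module):
                hits.append((addr, val, name))
    return hits
```

Running find_module_hits(parse_dd(DD_OUTPUT), parse_lm(LM_OUTPUT), "05async") reports the three 05async slots (0100156a, 01001a83, 01001a7a) that the text goes on to resolve with ln; a hit is only a candidate, since a stale return address or a data value can land in a module's range as well.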
Note that we dump the stack contents from the current location all the way up to the current location plus an offset of 100. Because the stack grows downward, we need to add an offset in order to get a good look at the stack from start to finish. Is 100 a magic offset? Not really; it all depends on how much data is put on the stack (local variables for each frame, and so on). Generally, an offset of 100 is a good starting number. If you don't find anything useful, you can increase it and try again. As you can see, three locations on the stack fall within the range of our module. To see where in our module these locations correspond to, we use the ln command:
0:000> ln 01001a7a
(01001a20)   05async!DisplayError+0x5a   |  (01001a83)   05async!wmainCRTStartup
0:000> ln 0100156a
(010014a0)   05async!wmain+0xca   |  (010015d0)   05async!RegEnum
0:000> ln 01001a83
(01001a83)   05async!wmainCRTStartup   |  (01001c0a)   05async!operator new
Exact matches:
    05async!wmainCRTStartup (void)
From the output, we can now hypothesize the following call chain: