Difference between revisions of "Dinis Cruz Research - Draft Notes"

From OWASP
Jump to: navigation, search
(.Net framework using reflection to invoke a private member)
(Found Jitted Code)
 
Line 3: Line 3:
 
This example shows a method to find the final address of JITTED (and preJiTed code)
 
This example shows a method to find the final address of JITTED (and preJiTed code)
  
 
+
<pre>
 
FindingJit.cs
 
FindingJit.cs
  
Line 162: Line 162:
  
  
 
+
</pre>
  
  
Line 252: Line 252:
  
  
 
+
<pre>
 
     static void patchPostJitMethod2WithPostJitMethod1()
 
     static void patchPostJitMethod2WithPostJitMethod1()
  
Line 286: Line 286:
  
 
     }
 
     }
 
+
</pre>
  
  
Line 354: Line 354:
  
  
 
+
<pre>
 
     static void patchPostJitMethod2WithPostJitMethod1()
 
     static void patchPostJitMethod2WithPostJitMethod1()
  
Line 462: Line 462:
  
  
 
+
</pre>
  
  
 
-- what is weird is why it only works in VS.NEt (all cmd.exe, ollybdg and PEBrowe barf at this jmp)
 
-- what is weird is why it only works in VS.NEt (all cmd.exe, ollybdg and PEBrowe barf at this jmp)
 
       
 
 
 
 
  
 
== .Net framework using reflection to invoke a private member  ==
 
== .Net framework using reflection to invoke a private member  ==

Latest revision as of 22:43, 16 January 2007

Found Jitted Code

This example shows a method to find the final address of JITTED (and preJiTed code)

FindingJit.cs

using System;
using System.Collections.Generic;
using System.Text;
using System.Reflection;



namespace FindingJit

{

    class FindingJit

    {

        static void Main(string[] args)

        {            

            Console.WriteLine(@"Finding JIT");   

	    outputMethodInfoPointers();                    

            FindingJit_ClassA.method1();

            outputMethodInfoPointers();

            FindingJit_ClassA.method1();

            outputMethodInfoPointers();

            FindingJit_ClassA.method2();

            outputMethodInfoPointers();

            FindingJit_ClassA.method3();

            outputMethodInfoPointers();

            Console.WriteLine(@"Done, press enter to terminate process");

            Console.ReadLine();

        }



        static void outputMethodInfoPointers()

        {

            FindingJit_ClassA fcaObject = new FindingJit_ClassA();

            getMethodProperties(fcaObject.GetType(), "method1");

            getMethodProperties(fcaObject.GetType(), "method2");

            getMethodProperties(fcaObject.GetType(), "method3");

        }

        static  void getMethodProperties(Type tObject, string strMethodName)

        {         



            MethodInfo miMethodInfo = tObject.GetMethod(strMethodName);

          

            IntPtr ipFunctionPointer = miMethodInfo.MethodHandle.GetFunctionPointer();

            Console.WriteLine("ipFunctionPointer: {0}", Convert.ToString(ipFunctionPointer.ToInt32(),16));

            //obfcaObjectject asd = FindingJit_ClassA;

          //  if (null != tType)

           // {

            //    MethodInfo miMethod = tType.GetMethod(strMethodName);



//            }

        }

    }

        



}





FindingJit_ClassA.cs



using System;

using System.Collections.Generic;

using System.Text;



namespace FindingJit

{

    public class FindingJit_ClassA

    {

        public static void method1()

        {

            Console.WriteLine(@"In FindingJit_ClassA.method1");

        }



        public static void method2()

        {

            Console.WriteLine(@"In FindingJit_ClassA.method2");

        }



        public static void method3()

        {

            Console.WriteLine(@"In FindingJit_ClassA.method3");

        }



    }

}





---


Finding JIT

ipFunctionPointer: 4909ed0

ipFunctionPointer: 4909ee0

ipFunctionPointer: 4909ef0

In FindingJit_ClassA.method1

ipFunctionPointer: 4b6a690

ipFunctionPointer: 4909ee0

ipFunctionPointer: 4909ef0

In FindingJit_ClassA.method1

ipFunctionPointer: 4b6a690

ipFunctionPointer: 4909ee0

ipFunctionPointer: 4909ef0

In FindingJit_ClassA.method2

ipFunctionPointer: 4b6a690

ipFunctionPointer: 4b6a6c0

ipFunctionPointer: 4909ef0

In FindingJit_ClassA.method3

ipFunctionPointer: 4b6a690

ipFunctionPointer: 4b6a6c0

ipFunctionPointer: 4b6a6f0

Done, press enter to terminate process






Note how the value of ipFunctionPointer changes with the JIT events.


from the above values we can make the following assumption


Value preJIT value postJIT

In FindingJit_ClassA.method1 4909ed0 4b6a690

In FindingJit_ClassA.method2 4909ee0 4b6a6c0

In FindingJit_ClassA.method3 4909ef0 4b6a6f0



doing the following patch




     static void patchPostJitMethod2WithPostJitMethod1()

        {

            Console.WriteLine(" in patchPostJitMethod2WithPostJitMethod1");

     

            string strPatch = "\xB8" + 

                              "AAAA" + 

                              "\xFF\xE0"; // jmp EAX



            //B8 41414141      MOV EAX,41414141

            //FFE0             JMP EAX





            //int iInt = Int32.Parse(strPatchRaw.Substring(0, 2), 16);            

            PatchMemory(ipMethod2.ToInt32(), strPatch); // \xE9 XXXXXXXX is JMP XXXXXXXX

            Console.WriteLine("done patchPostJitMethod2WithPostJitMethod1");

        }

    }


results in




Unhandled Exception: System.AccessViolationException: Attempted to read or write

protected memory. This is often an indication that other memory is corrupt.



which is the framework sort of handeling the exception


is cdb we see that we controled EIP


In FindingJit_ClassA.method2

ipFunctionPointer: 116bac8

ipFunctionPointer: 116bb38

ipFunctionPointer: 9136f8

in patchPostJitMethod2WithPostJitMethod1

ipFunctionPointer: 116bac8

ipFunctionPointer: 116bb38

done patchPostJitMethod2WithPostJitMethod1

(9bc.120): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=41414141 ebx=0012f4ac ecx=0126d180 edx=00000000 esi=00180de8 edi=00000000

eip=41414141 esp=0012f480 ebp=0012f490 iopl=0 nv up ei pl nz ac pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216

41414141 ??  ???


)



This patches below work if I run it from Visual Studio but don't work if I run it from cmd.exe


     static void patchPostJitMethod2WithPostJitMethod1()

        {

            Console.WriteLine(" in patchPostJitMethod2WithPostJitMethod1....***");

            FindingJit_ClassA fcaObject = new FindingJit_ClassA();

            IntPtr ipMethod1 = getMethodProperties(fcaObject.GetType(), "method1");

            IntPtr ipMethod2 = getMethodProperties(fcaObject.GetType(), "method2");



	    // 		This work, but only if the exe is executed from VS.net 2005

            byte bRelativeJmpAddress = (byte)(ipMethod1.ToInt32() - ipMethod2.ToInt32() -2);



            string strPatchRaw = string.Format("{0}", Convert.ToString(bRelativeJmpAddress, 16));

            string strPatch = "\xEB" + Encoding.UTF7.GetString(new byte[] { bRelativeJmpAddress });



		// EB xx is Jmp Short (current EIP + xx)     // the [target] - [destination] needs to be adusted by two

            /* 

		This work, but only if the exe is executed from VS.net 2005

                int iRelativeJmpAddress = ipMethod1.ToInt32() - ipMethod2.ToInt32();

                string strPatch = "\xE9" + Encoding.UTF7.GetString(new byte[] { 

                  Convert.ToByte(strPatchRaw.Substring(6, 2), 16) ,

                  Convert.ToByte(strPatchRaw.Substring(4, 2),16),

                  Convert.ToByte(strPatchRaw.Substring(2, 2),16),

                  Convert.ToByte(strPatchRaw.Substring(0, 2),16)});

             */

            char[] ctest = strPatch.ToCharArray();

            string dDummy = "";

            //7C81086A   EA 41414141 0000   JMP FAR 0000:41414141                    ; Far jump

            /*

            string strPatch = "\xEA" + "AAAA" + "\x00\x00";

            

           /*



		This doesn' work because we corrupt EAX



             string strPatchRaw = "0" + Convert.ToString(ipMethod1.ToInt32(), 16);

             

             string strPatch = "\xB8" +

                                Encoding.ASCII.GetString(new byte[] { 

                                Convert.ToByte(strPatchRaw.Substring(6, 2), 16) ,

                                Convert.ToByte(strPatchRaw.Substring(4, 2),16),

                                Convert.ToByte(strPatchRaw.Substring(2, 2),16),

                                Convert.ToByte(strPatchRaw.Substring(0, 2),16)}) + 

                              //"AAAA" + 

                              "\xFF\xE0"; // jmp EAX

            */

            //B8 41414141      MOV EAX,41414141

            //FFE0             JMP EAX





            //int iInt = Int32.Parse(strPatchRaw.Substring(0, 2), 16);            

            PatchMemory(ipMethod2.ToInt32(), strPatch); // \xE9 XXXXXXXX is JMP XXXXXXXX

            Console.WriteLine("done patchPostJitMethod2WithPostJitMethod1");

        }

    }



-- what is weird is why it only works in VS.NEt (all cmd.exe, ollybdg and PEBrowe barf at this jmp)

.Net framework using reflection to invoke a private member

  • Example from the .Net framework of using reflection to invoke a private member from another class

in : System.Data, Version=2.0.0.0


in System.Data.SqlClient.SqlCachedBuffer.ToXmlReader() : XmlReader


internal XmlReader ToXmlReader() {

     XmlReader reader1;
     SqlCachedStream stream1 = new SqlCachedStream(this);
     XmlReaderSettings settings1 = new XmlReaderSettings();
     settings1.ConformanceLevel = ConformanceLevel.Fragment;
     MethodInfo info1 = typeof(XmlReader).GetMethod("CreateSqlReader", BindingFlags.NonPublic | BindingFlags.Static);
     object[] objArray1 = new object[3];
     objArray1[0] = stream1;
     objArray1[1] = settings1;
     object[] objArray2 = objArray1;
     new ReflectionPermission(ReflectionPermissionFlag.MemberAccess).Assert();
     try
     {
           reader1 = (XmlReader) info1.Invoke(null, objArray2);
     }
     finally
     {
           CodeAccessPermission.RevertAssert();
     }
     return reader1;

}

to see other similar example of this use the Analyzer on System.Security.Permissions.ReflectionPermissionFlag

System.Security.Permissions.ReflectionPermissionFlag

Depends On Used By System.AppDomainInitializerInfo.Unwrap() : AppDomainInitializer System.Data.SqlClient.SqlCachedBuffer.ToXmlReader() : XmlReader System.Data.SqlClient.SqlStream.ToXmlReader() : XmlReader System.Data.SqlTypes.SqlXml.CreateReader() : XmlReader System.DelegateSerializationHolder.GetDelegate(DelegateEntry, Int32) : Delegate System.DelegateSerializationHolder.GetDelegateSerializationInfo(SerializationInfo, Type, Object, MethodInfo, Int32) : DelegateEntry System.Reflection.Emit.DynamicMethod.PerformSecurityCheck(Module, StackCrawlMark&, Boolean) : Void System.Reflection.Emit.DynamicMethod.PerformSecurityCheck(Type, StackCrawlMark&, Boolean) : Void System.Reflection.Emit.DynamicMethod+RTDynamicMethod.Invoke(Object, BindingFlags, Binder, Object[], CultureInfo) : Object System.RuntimeType+ActivatorCache.InitializeDelegateCreator() : Void System.Security.Permissions.ReflectionPermission..ctor(ReflectionPermissionFlag) System.Security.Permissions.ReflectionPermission.Copy() : IPermission System.Security.Permissions.ReflectionPermission.Flags : ReflectionPermissionFlag System.Security.Permissions.ReflectionPermission.FromXml(SecurityElement) : Void System.Security.Permissions.ReflectionPermission.get_Flags() : ReflectionPermissionFlag System.Security.Permissions.ReflectionPermission.Intersect(IPermission) : IPermission System.Security.Permissions.ReflectionPermission.IsSubsetOf(IPermission) : Boolean System.Security.Permissions.ReflectionPermission.IsUnrestricted() : Boolean System.Security.Permissions.ReflectionPermission.m_flags : ReflectionPermissionFlag System.Security.Permissions.ReflectionPermission.Reset() : Void System.Security.Permissions.ReflectionPermission.set_Flags(ReflectionPermissionFlag) : Void System.Security.Permissions.ReflectionPermission.SetUnrestricted(Boolean) : Void System.Security.Permissions.ReflectionPermission.ToXml() : SecurityElement System.Security.Permissions.ReflectionPermission.Union(IPermission) : IPermission System.Security.Permissions.ReflectionPermission.VerifyAccess(ReflectionPermissionFlag) : Void System.Security.Permissions.ReflectionPermissionAttribute.CreatePermission() : IPermission System.Security.Permissions.ReflectionPermissionAttribute.Flags : ReflectionPermissionFlag System.Security.Permissions.ReflectionPermissionAttribute.get_Flags() : ReflectionPermissionFlag System.Security.Permissions.ReflectionPermissionAttribute.get_MemberAccess() : Boolean System.Security.Permissions.ReflectionPermissionAttribute.get_ReflectionEmit() : Boolean System.Security.Permissions.ReflectionPermissionAttribute.get_TypeInformation() : Boolean System.Security.Permissions.ReflectionPermissionAttribute.m_flag : ReflectionPermissionFlag System.Security.Permissions.ReflectionPermissionAttribute.set_Flags(ReflectionPermissionFlag) : Void System.Security.Permissions.ReflectionPermissionAttribute.set_MemberAccess(Boolean) : Void System.Security.Permissions.ReflectionPermissionAttribute.set_ReflectionEmit(Boolean) : Void System.Security.Permissions.ReflectionPermissionAttribute.set_TypeInformation(Boolean) : Void System.Security.Permissions.ReflectionPermissionFlag.AllFlags System.Security.Permissions.ReflectionPermissionFlag.MemberAccess System.Security.Permissions.ReflectionPermissionFlag.NoFlags System.Security.Permissions.ReflectionPermissionFlag.ReflectionEmit System.Security.Permissions.ReflectionPermissionFlag.TypeInformation System.Security.Policy.ApplicationSecurityManager.DecodeAppTrustManagerFromElement(SecurityElement) : IApplicationTrustManager System.Security.SecurityManager.GetSpecialFlags(PermissionSet, PermissionSet) : Int32 System.Security.SecurityManager.MapToSpecialFlags(SecurityPermissionFlag, ReflectionPermissionFlag) : Int32 System.Security.Util.XMLUtil.CreateCodeGroup(SecurityElement) : CodeGroup System.Security.Util.XMLUtil.CreateMembershipCondition(SecurityElement) : IMembershipCondition System.Security.Util.XMLUtil.CreatePermission(SecurityElement, PermissionState, Boolean) : IPermission System.Web.InternalSecurityPermissions.get_Reflection() : IStackWalk