A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security (notes)
2011-11-24 09:17
I. Exploiting a NULL pointer dereference in the kernel
1. Trigger the NULL pointer dereference for a denial of service.
2. Use the zero page to get control over EIP/RIP.
The kernel vulnerability exploit in chapter 3 is a real classic.
II. Finding driver vulnerabilities in an open-source system
Step 1: List the IOCTLs of the kernel.
Step 2: Identify the input data.
Step 3: Trace the input data.
III. Hunting for kernel driver bugs
Step 1: Prepare a VMware guest for kernel debugging.
Step 2: Generate a list of the drivers and device objects created by avast!
Step 3: Check the device security settings.
Step 4: List the IOCTLs.
Step 5: Find the user-controlled input values.
Step 6: Reverse engineer the IOCTL handler.
IRP layout notes (x86): IRP+0x60 = CurrentStackLocation; in the current IO_STACK_LOCATION, +0x8 = InputBufferLength, +0x4 = OutputBufferLength, +0xC = IoControlCode.
```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* strtoul */

/* Decode the data transfer method (lowest two bits) of an IOCTL code. */
int
main (int argc, char *argv[])
{
    unsigned int method = 0;
    unsigned int code = 0;

    if (argc != 2) {
        fprintf (stderr, "Usage: %s <IOCTL code>\n", argv[0]);
        return 1;
    }

    /* IOCTL codes are given in hex, e.g. 0x222003 */
    code = strtoul (argv[1], (char **) NULL, 16);
    method = code & 3;

    switch (method) {
    case 0:
        printf ("METHOD_BUFFERED\n");
        break;
    case 1:
        printf ("METHOD_IN_DIRECT\n");
        break;
    case 2:
        printf ("METHOD_OUT_DIRECT\n");
        break;
    case 3:
        printf ("METHOD_NEITHER\n");
        break;
    default:
        fprintf (stderr, "ERROR: invalid IOCTL data transfer method\n");
        break;
    }

    return 0;
}
```
METHOD_BUFFERED => Irp->AssociatedIrp.SystemBuffer => `mov eax, [ebx+0Ch] ; ebx = address of IRP` followed by `mov eax, [eax]`
```
dt -v _DRIVER_OBJECT
dt -v -r 3 _IRP
dt -v -r 2 _IRP
```
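The book's listing only reports the transfer method. As an added example (not from the book or this post), the following decodes all four CTL_CODE fields and, for each method, names the buffer the IOCTL handler receives and what it must validate; the constants are the standard DDK values, and the sample code 0x222003 is constructed.

```c
/* Added example: full IOCTL code decoder (not from the book). Constants are
 * the standard DDK values; no Windows headers needed, so it builds anywhere. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define METHOD_BUFFERED    0
#define METHOD_IN_DIRECT   1
#define METHOD_OUT_DIRECT  2
#define METHOD_NEITHER     3

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
unsigned int ioctl_device_type(unsigned int code) { return (code >> 16) & 0xFFFF; }
unsigned int ioctl_access(unsigned int code)      { return (code >> 14) & 0x3; }
unsigned int ioctl_function(unsigned int code)    { return (code >> 2) & 0xFFF; }
unsigned int ioctl_method(unsigned int code)      { return code & 0x3; }

/* Where user-controlled input lives for each method and what the handler
 * must check before touching it (this is the step 5/6 question above). */
const char *ioctl_input_location(unsigned int method)
{
    switch (method) {
    case METHOD_BUFFERED:   return "Irp->AssociatedIrp.SystemBuffer (kernel copy; check InputBufferLength)";
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT: return "SystemBuffer for input, Irp->MdlAddress for the direct buffer (check MDL length)";
    case METHOD_NEITHER:    return "Type3InputBuffer / UserBuffer are raw user pointers (must probe and validate)";
    default:                return "unknown";
    }
}

/* Format a one-line summary of a code into out; returns 0 on success, -1 if truncated. */
int describe_ioctl(unsigned int code, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "0x%06X: device=0x%X access=%u function=0x%X method=%u -> %s",
                     code, ioctl_device_type(code), ioctl_access(code),
                     ioctl_function(code), ioctl_method(code),
                     ioctl_input_location(ioctl_method(code)));
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(int argc, char *argv[])
{
    char buf[256];
    /* Constructed sample: FILE_DEVICE_UNKNOWN (0x22), function 0x800, METHOD_NEITHER */
    unsigned int code = argc > 1 ? (unsigned int)strtoul(argv[1], NULL, 16) : 0x222003u;
    if (describe_ioctl(code, buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```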