Monday, January 29, 2007

Let's global!

Today, Zektonic and I were working on a program meant to be exploited by us only. We incorporated a few techniques to make the experience tough, even for us. The details will come out after the assignment is due.

However, while studying the variable allocation, we discovered something very eerie. Look at the two tables below, generated by two very similar programs, taking note of the location of the variables in the right table ( in1 , in3 , in4 ) :

Left: gcc version 4.1.2 20061020 (prerelease) (Debian 4.1.1-17), Kernel 2.6.8-2-386

Source :
#include <stdio.h>
int main(){
int a;
int b[10];
int c[10];
char d;
char e[10];
char f;
int g;
printf("%p\n",&a);
printf("%p\n",&b);
printf("%p\n",&c);
printf("%p\n",&d);
printf("%p\n",&e);
printf("%p\n",&f);
printf("%p\n",&g);
return 0;
}

Output :
0xbffff890
0xbffff868
0xbffff840
0xbffff83f
0xbffff835
0xbffff834
0xbffff830

Right: gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5), Kernel 2.4.20-8smp

Source :
#include <stdio.h>
int main(){
int in1;
int in2;
char b1[16];
int in3;
char b2[16];
int in4;
char b3[16];
printf("in1 %p\n",in1);
printf("in2 %p\n",in2);
printf("in3 %p\n",in3);
printf("in4 %p\n",in4);
printf("b1 %p\n",b1);
printf("b2 %p\n",b2);
printf("b3 %p\n",b3);
return 0;
}

Output :
in1 0x80483ce
in2 0xbfffed28
in3 0x80482a6
in4 0x40015a38
b1 0xbfffed00
b2 0xbfffece0
b3 0xbfffecc0


Follow ups ( 2007/1/30 00:51 ) :
After logging back into the system, I reviewed the source code. As seen above, the difference turns out to be the address-of (reference) operator ( & , the ampersand ).

If you do not understand, look at this modified program and its output.

Source :
#include <stdio.h>
int main(){
int in1;
int in2;
char b1[16];
int in3;
char b2[16];
int in4;
char b3[16];
in1 = 5;
/* no & on purpose: each variable is passed by value, to %d and to %p */
printf("in1 %d %p\n",in1,in1);
printf("in2 %d %p\n",in2,in2);
printf("in3 %d %p\n",in3,in3);
printf("in4 %d %p\n",in4,in4);
printf("b1 %d %p\n",b1,b1);
printf("b2 %d %p\n",b2,b2);
printf("b3 %d %p\n",b3,b3);
return 0;
}

Output :
in1 5 0x5
in2 -1073745912 0xbffff008
in3 134513318 0x80482a6
in4 1073830456 0x40015a38
b1 -1073745952 0xbfffefe0
b2 -1073745984 0xbfffefc0
b3 -1073746016 0xbfffefa0


Do the values in the output look obvious now? They are exactly the uninitialized variables you often see in C programs: without the &, printf receives each variable's (garbage) value instead of its address, which is why in1 prints as 0x5 after being set to 5.
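As an added example (our own code, not from the original post), here is the post's second program with the address-of operator applied correctly, plus a small report of the stack layout the compiler actually chose: the locals sorted from the highest address down, the distance between neighbours, and, for each 16-byte buffer, which variable sits immediately above it. All names here (record_layout, first_above, layout_span, and so on) are our own; the addresses and ordering you see depend on your compiler, just as they differed between the two gcc versions above.

```c
/* Added example, not from the original post: the post's second program with
 * the address-of operator applied correctly, plus a report of the stack
 * layout the compiler actually chose. All names here are our own. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NLOCALS 7

struct local_addr {
    const char *name;
    uintptr_t addr;   /* kept as an integer so it stays usable after the frame is gone */
};

/* Declares the same locals as the post's second program and records where each
 * one lives. Scalars need &; an array name already decays to its address. */
size_t record_layout(struct local_addr out[NLOCALS])
{
    int in1 = 0, in2 = 0, in3 = 0, in4 = 0;
    char b1[16] = {0}, b2[16] = {0}, b3[16] = {0};
    struct local_addr tmp[NLOCALS] = {
        { "in1", (uintptr_t)&in1 }, { "in2", (uintptr_t)&in2 },
        { "b1",  (uintptr_t)b1   }, { "in3", (uintptr_t)&in3 },
        { "b2",  (uintptr_t)b2   }, { "in4", (uintptr_t)&in4 },
        { "b3",  (uintptr_t)b3   },
    };
    memcpy(out, tmp, sizeof tmp);
    return NLOCALS;
}

/* Sorts entries from the highest address down, the order of the post's tables. */
void sort_by_addr_desc(struct local_addr *v, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        struct local_addr key = v[i];
        size_t j = i;
        while (j > 0 && v[j - 1].addr < key.addr) { v[j] = v[j - 1]; j--; }
        v[j] = key;
    }
}

int is_sorted_desc(const struct local_addr *v, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (v[i - 1].addr <= v[i].addr) return 0;
    return 1;
}

/* Bytes spanned by the locals: small if they all share one frame. */
size_t layout_span(const struct local_addr *v, size_t n)
{
    uintptr_t lo = v[0].addr, hi = v[0].addr;
    for (size_t i = 1; i < n; i++) {
        if (v[i].addr < lo) lo = v[i].addr;
        if (v[i].addr > hi) hi = v[i].addr;
    }
    return (size_t)(hi - lo);
}

int all_distinct(const struct local_addr *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (v[i].addr == v[j].addr) return 0;
    return 1;
}

/* Name of the local with the smallest address above `name`, i.e. the first
 * thing a write past the end of that buffer would reach; NULL if none. */
const char *first_above(const struct local_addr *v, size_t n, const char *name)
{
    uintptr_t base = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(v[i].name, name) == 0) base = v[i].addr;
    const struct local_addr *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (v[i].addr > base && (!best || v[i].addr < best->addr)) best = &v[i];
    return best ? best->name : NULL;
}

int main(void)
{
    struct local_addr v[NLOCALS];
    size_t n = record_layout(v);
    sort_by_addr_desc(v, n);
    printf("%-4s %-18s %s\n", "var", "address", "bytes to next");
    for (size_t i = 0; i < n; i++)
        printf("%-4s %#18lx %ld\n", v[i].name, (unsigned long)v[i].addr,
               i + 1 < n ? (long)(v[i].addr - v[i + 1].addr) : 0L);
    static const char *bufs[] = { "b1", "b2", "b3" };
    for (size_t i = 0; i < 3; i++) {
        const char *above = first_above(v, n, bufs[i]);
        printf("just above %s: %s\n", bufs[i], above ? above : "(nothing)");
    }
    return 0;
}
```

Compile with -O0 and again with -O2 (and with and without -fstack-protector) to see how much of the ordering is the compiler's choice rather than the declaration order; the report tells you which int each buffer would clobber first, which is exactly what the layout tables above were being read for.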

Sunday, January 28, 2007

APT loop

Today, I was trying to install Damn Small Linux for some experiments. It is truly a dedicated LiveCD tool: it even lacks "apt-get" and "make". Also, there is an APT-get loop in the packages. The first problem is easy; just make sure your computer has network support and

right-click anywhere -> Apps -> Tools -> Enable Apt

done.
Afterwards, it is suggested that you switch to another apt source, since the default may not be the fastest. For me, this one works :

http://ftp.jp.debian.org/debian/ unstable main non-free contrib

Then, get "make" as well.



The latter problem is a little more trouble.

E: This installation run will require temporarily removing the essential package e2fsprogs due to a Conflicts/Pre-Depends loop. This is often bad, but if you really want to do it, activate the APT::Force-LoopBreak option. E: Internal Error, Could not early remove e2fsprogs


The APT man page is missing from my DSL, and from my other server as well. Tough luck. I tried googling on the net and found a solution at ( http://gnuru.org/?node_id=953 )

apt-get -o APT::Force-LoopBreak=yes install make

Just input this command, and boo! Done!

Saturday, January 27, 2007

SYSTEM_PROCESS struct

I have been learning the Windows kernel lately. The two structs below seem very similar. However, it turned out they serve different purposes: the one used for keeping track of process nodes was the right one. Using the wrong one would not BSOD the computer, but would probably cause a crash.
(My mistake cost me a 1GB file in the memory buffer.)

The funny ( but of no practical value ) thing is that everything can be kept hidden this way :

SystemInformation->NextEntryDelta = 0;

struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; // win2k only
struct _SYSTEM_THREADS Threads[1];
};

/* Defined in ntdll.h */
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
BYTE Reserved1[48];
PVOID Reserved2[3];
HANDLE UniqueProcessId;
PVOID Reserved3;
ULONG HandleCount;
BYTE Reserved4[4];
PVOID Reserved5[11];
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION;
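The trick above works because every consumer of the buffer walks it by NextEntryDelta / NextEntryOffset and stops at the first entry whose delta is zero, so zeroing the delta on one entry makes everything after it disappear from the listing. As an added example (our own code, not from the post or the book it cites), here is that walk, bounds-checked, over a constructed buffer, together with the check a monitoring tool can make against it: compare how many bytes the walk reaches with the length the query reported. The proc_entry struct is a constructed stand-in that keeps only the fields the walk needs (the real entry also carries the image name and larger thread records, so the sizes differ, but the walk logic is the same); build_list, walk_list and list_truncated are our names.

```c
/* Added example, not from the original post: walking a NextEntryOffset-chained
 * process list and checking that the chain reaches the end of the buffer.
 * proc_entry is a constructed stand-in for the head of SYSTEM_PROCESS_INFORMATION. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct proc_entry {
    uint32_t NextEntryOffset;   /* bytes from this entry to the next; 0 marks the last */
    uint32_t NumberOfThreads;   /* thread records follow the header */
    uint32_t UniqueProcessId;
};
#define THREAD_STUB_SIZE 16     /* stand-in for sizeof(SYSTEM_THREAD_INFORMATION) */

/* Byte size of one entry including its trailing thread array. */
static size_t entry_size(const struct proc_entry *e)
{
    return sizeof *e + (size_t)e->NumberOfThreads * THREAD_STUB_SIZE;
}

/* Lays out n entries in buf the way the query would: each NextEntryOffset
 * points at the next entry and the last one carries 0. Returns the bytes
 * written (the role ReturnLength plays for the real query), or 0 if cap is too small. */
size_t build_list(uint8_t *buf, size_t cap, const uint32_t *pids,
                  const uint32_t *threads, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        struct proc_entry e = { 0, threads[i], pids[i] };
        size_t sz = entry_size(&e);
        if (off + sz > cap) return 0;
        e.NextEntryOffset = (i + 1 < n) ? (uint32_t)sz : 0;
        memcpy(buf + off, &e, sizeof e);
        memset(buf + off + sizeof e, 0, sz - sizeof e);   /* constructed thread stubs */
        off += sz;
    }
    return off;
}

/* Walks the chain as a consumer of the query would, refusing to step outside
 * [buf, buf+len). Returns the number of entries seen and stores in *consumed
 * the offset just past the last entry walked. */
size_t walk_list(const uint8_t *buf, size_t len, size_t *consumed)
{
    size_t off = 0, count = 0;
    for (;;) {
        struct proc_entry e;
        if (off + sizeof e > len) break;          /* header would overrun the buffer */
        memcpy(&e, buf + off, sizeof e);
        size_t sz = entry_size(&e);
        if (off + sz > len) break;                /* thread array would overrun */
        count++;
        if (e.NextEntryOffset == 0) { off += sz; break; }
        if (e.NextEntryOffset < sz) break;        /* offset points back into itself */
        off += e.NextEntryOffset;
    }
    *consumed = off;
    return count;
}

/* Detection check: an untouched buffer is consumed completely by the walk.
 * If the chain ends before the reported length, entries exist that the walk
 * never reaches, which is what a zeroed NextEntryDelta leaves behind. */
int list_truncated(const uint8_t *buf, size_t len)
{
    size_t consumed = 0;
    walk_list(buf, len, &consumed);
    return consumed < len;
}

int main(void)
{
    uint8_t buf[512];
    uint32_t pids[4] = { 4, 100, 200, 300 }, thr[4] = { 1, 3, 2, 5 };   /* constructed */
    size_t len = build_list(buf, sizeof buf, pids, thr, 4), consumed = 0;
    printf("entries walked: %zu, consumed %zu of %zu bytes, truncated: %d\n",
           walk_list(buf, len, &consumed), consumed, len, list_truncated(buf, len));

    /* Simulate the post's trick on the second entry (it starts at offset 28)
     * and run the same check again. */
    uint32_t zero = 0;
    memcpy(buf + 28, &zero, sizeof zero);
    printf("entries walked: %zu, consumed %zu of %zu bytes, truncated: %d\n",
           walk_list(buf, len, &consumed), consumed, len, list_truncated(buf, len));
    return 0;
}
```

The bounds checks in walk_list are the part worth copying: a hooked query can return any offsets it likes, so a tool that trusts NextEntryOffset blindly is one bad value away from reading past its buffer.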

Reference : Rootkits : Subverting the Windows Kernel