Bugtraq mailing list archives

Re: Preventing exploitation with rebasing


From: Todd Sabin <tsabin () optonline net>
Date: 05 Feb 2003 16:30:45 -0500

David Litchfield <david () ngssoftware com> writes:

> Going back to exe image files and rebasing. Surely they can be rebased even
> without a .reloc section? All I need to do is edit the image base in the PE
> header then parse the assembly looking for absolute addresses such as
> function addresses, static variables etc and modify these addresses, too.

This can't work in general.  You need to have a list of what should be
relocated (the .reloc section), because otherwise you're just guessing
and may well guess wrong.


> For example assume an image base for an exe is 0x00400000 and the c code
> does
>
> printf("hello");
>
> This will generate something like
>
> push 0x0042001C    // push pointer to hello
> call 0x00401060       // call printf
>
> If I then make the image base 0x00410000 and I also change
>
> push 0x0042001C
> call 0x00401060
>
> to become
>
> push 0x0043001C
> call 0x00411060
>
> then the exe should still run (as long as you get all the absolute
> addresses) and it has been rebased.

?

What would happen in this case?:

   ...
   CheckSectionFlags (section,
                      IMAGE_SCN_ALIGN_8BYTES | IMAGE_SCN_MEM_PURGEABLE);
   ...

It may generate something like

push 0x00420000   // push flags
push 0x00420148   // push section
call 0x00401290   // call CheckSectionFlags

If you try to rebase that without a .reloc section, as you describe,
you'll change the meaning of the program because you have no way to
tell that the 0x00420000 is a constant and not a relocatable reference
to something else.  (The IMAGE... flags are from winnt.h and probably
meaningless the way I've used them above, but you get the idea...)

-- 
Todd Sabin                                          <tsabin () optonline net>
BindView RAZOR Team                            <tsabin () razor bindview com>
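
Worked example (added here; not from the original mail or from either author): a small Python script that hand-assembles Todd's three-instruction snippet, rebases it once with a constructed .reloc section and once with the address-guessing scan David describes, and compares the push operands afterwards. The image layout (base 0x00400000, SizeOfImage 0x21000, code at RVA 0x1000), the flat image buffer and the single-fixup .reloc block are all assumptions made for this sample. IMAGE_SCN_ALIGN_8BYTES | IMAGE_SCN_MEM_PURGEABLE from winnt.h really is 0x00420000, which is exactly why that constant cannot be told apart from a pointer into the image by looking at its value.

```python
import struct

# IMAGE_BASE_RELOCATION entry types from winnt.h
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the full delta

# Assumed image layout for the constructed sample (not a real binary).
IMAGE_BASE = 0x00400000
SIZE_OF_IMAGE = 0x21000        # large enough that 0x00420148 lies inside the image
CODE_RVA = 0x1000

# winnt.h section flags used in the mail; their OR happens to be 0x00420000
IMAGE_SCN_MEM_PURGEABLE = 0x00020000
IMAGE_SCN_ALIGN_8BYTES = 0x00400000
FLAGS = IMAGE_SCN_ALIGN_8BYTES | IMAGE_SCN_MEM_PURGEABLE   # 0x00420000, a constant
SECTION_PTR = 0x00420148                                  # an address (RVA 0x20148)
CALL_TARGET = 0x00401290                                  # CheckSectionFlags (assumed)


def assemble_snippet():
    """Hand-assembled x86 for the three-line snippet in the mail (constructed)."""
    code = b"\x68" + struct.pack("<I", FLAGS)         # push imm32 (constant)
    code += b"\x68" + struct.pack("<I", SECTION_PTR)  # push imm32 (pointer)
    next_ip = IMAGE_BASE + CODE_RVA + len(code) + 5
    code += b"\xE8" + struct.pack("<i", CALL_TARGET - next_ip)  # call rel32 (relative)
    code += b"\xC3"                                   # ret
    return code


def build_image():
    """Flat in-memory image: zeros up to CODE_RVA, then the code."""
    code = assemble_snippet()
    img = bytearray(CODE_RVA + len(code))
    img[CODE_RVA:] = code
    return bytes(img)


def build_reloc_section(fixup_rvas):
    """Emit IMAGE_BASE_RELOCATION blocks (one per 4K page) for HIGHLOW fixups."""
    pages = {}
    for rva in fixup_rvas:
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    out = b""
    for page, offsets in sorted(pages.items()):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | o for o in sorted(offsets)]
        if len(entries) % 2:                          # keep SizeOfBlock 4-byte aligned
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return out


def parse_reloc_section(data):
    """Yield (rva, type) for every real fixup in a .reloc section."""
    off = 0
    while off + 8 <= len(data):
        page, size = struct.unpack_from("<II", data, off)
        if size < 8 or off + size > len(data):
            raise ValueError("malformed IMAGE_BASE_RELOCATION at %#x" % off)
        for entry in struct.unpack_from("<%dH" % ((size - 8) // 2), data, off + 8):
            typ, offset = entry >> 12, entry & 0xFFF
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                yield page + offset, typ
        off += size


def rebase_with_reloc(image, reloc, new_base):
    """Rebase using the linker's fixup list: only the listed dwords are touched."""
    img = bytearray(image)
    delta = (new_base - IMAGE_BASE) & 0xFFFFFFFF
    for rva, typ in parse_reloc_section(reloc):
        if typ != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError("unsupported relocation type %d" % typ)
        val, = struct.unpack_from("<I", img, rva)
        struct.pack_into("<I", img, rva, (val + delta) & 0xFFFFFFFF)
    return bytes(img)


def rebase_by_guessing(image, new_base):
    """Rebase without .reloc: walk the code and adjust every immediate that
    falls inside [IMAGE_BASE, IMAGE_BASE + SIZE_OF_IMAGE), i.e. 'looks like'
    an address. Handles only the three opcodes the sample uses."""
    img = bytearray(image)
    delta = (new_base - IMAGE_BASE) & 0xFFFFFFFF
    rva = CODE_RVA
    while rva < len(img):
        op = img[rva]
        if op == 0x68:                                # push imm32
            imm, = struct.unpack_from("<I", img, rva + 1)
            if IMAGE_BASE <= imm < IMAGE_BASE + SIZE_OF_IMAGE:
                struct.pack_into("<I", img, rva + 1, (imm + delta) & 0xFFFFFFFF)
            rva += 5
        elif op == 0xE8:                              # call rel32: relative, left alone
            rva += 5
        elif op == 0xC3:                              # ret
            rva += 1
        else:
            raise ValueError("unhandled opcode %#x at RVA %#x" % (op, rva))
    return bytes(img)


def push_operands(image):
    """Return the imm32 of each push in the code, for comparing the two results."""
    out, rva = [], CODE_RVA
    while rva < len(image):
        op = image[rva]
        if op == 0x68:
            out.append(struct.unpack_from("<I", image, rva + 1)[0])
        rva += 5 if op in (0x68, 0xE8) else 1
    return out


if __name__ == "__main__":
    image = build_image()
    reloc = build_reloc_section([CODE_RVA + 6])       # only the pointer operand is a fixup
    print([hex(v) for v in push_operands(rebase_with_reloc(image, reloc, 0x00410000))])
    print([hex(v) for v in push_operands(rebase_by_guessing(image, 0x00410000))])
```

With the .reloc list the constant is left alone and only 0x00420148 moves to 0x00430148; the guessing rebaser also "fixes" 0x00420000 to 0x00430000 and silently changes the flags handed to CheckSectionFlags. Two side notes on the sample: a near call on x86 is rel32, so it needs no fixup at all, which is why the linker records only the push operands; and this same fixup list is what the Windows loader later came to rely on for ASLR, so an EXE linked without relocations cannot be moved by a rebasing tool or by the loader.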

