Bugtraq mailing list archives
Re: Preventing exploitation with rebasing
From: Todd Sabin <tsabin () optonline net>
Date: 05 Feb 2003 16:30:45 -0500
David Litchfield <david () ngssoftware com> writes:
> Going back to exe image files and rebasing. Surely they can be rebased even without a .reloc section? All I need to do is edit the image base in the PE header then parse the assembly looking for absolute addresses such as function addresses, static variables etc and modify these addresses, too.

This can't work in general. You need to have a list of what should be relocated (the .reloc section), because otherwise you're just guessing and may well guess wrong.

> For example assume an image base for an exe is 0x00400000 and the C code does
>
>     printf("hello");
>
> This will generate something like
>
>     push 0x0042001C    // push pointer to hello
>     call 0x00401060    // call printf
>
> If I then make the image base 0x00410000 and I also change
>
>     push 0x0042001C
>     call 0x00401060
>
> to become
>
>     push 0x0043001C
>     call 0x00411060
>
> then the exe should still run (as long as you get all the absolute addresses) and it has been rebased. ?

What would happen in this case?:

    ...
    CheckSectionFlags (section, IMAGE_SCN_ALIGN_8BYTES | IMAGE_SCN_MEM_PURGEABLE);
    ...

It may generate something like

    push 0x00420000    // push flags
    push 0x00420148    // push section
    call 0x00401290    // call CheckSectionFlags

If you try to rebase that without a .reloc section, as you describe, you'll change the meaning of the program because you have no way to tell that the 0x00420000 is a constant and not a relocatable reference to something else.

(The IMAGE... flags are from winnt.h and probably meaningless the way I've used them above, but you get the idea...)

-- 
Todd Sabin <tsabin () optonline net>
BindView RAZOR Team <tsabin () razor bindview com>
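The ambiguity Todd Sabin describes, worked through as an added example that is not part of the original post and not code from BindView or NGSSoftware. The program below applies a constructed .reloc block (an IMAGE_BASE_RELOCATION header followed by 16-bit type/offset entries, the layout the PE format actually uses) to a constructed .text fragment holding the three pushes from the mail, and beside it runs the "guess from the bytes" rebaser: anything that looks like an address inside the old image gets the delta added. In winnt.h, IMAGE_SCN_ALIGN_8BYTES is 0x00400000 and IMAGE_SCN_MEM_PURGEABLE is 0x00020000, so the OR really is 0x00420000, exactly the value that collides with the image range. The preferred base, image size, section RVA, call displacement and the byte layout of the fragment are assumptions made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for this example (not from the mail): preferred image base,
 * image size and the RVA of the .text fragment below. */
#define OLD_BASE   0x00400000u
#define IMAGE_SIZE 0x00030000u
#define TEXT_RVA   0x00001000u

/* Constructed bytes for the code sketched in the mail: x86 "push imm32" (0x68)
 * and "call rel32" (0xE8), immediates little-endian.
 *   +0  push 0x0042001C   pointer into .data                       -> relocatable
 *   +5  push 0x00420000   IMAGE_SCN_ALIGN_8BYTES|IMAGE_SCN_MEM_PURGEABLE, a constant
 *   +10 push 0x00420148   pointer to a section descriptor          -> relocatable
 *   +15 call rel32        IP-relative, nothing to fix (assumed displacement) */
static const uint8_t text_template[20] = {
    0x68, 0x1C, 0x00, 0x42, 0x00,
    0x68, 0x00, 0x00, 0x42, 0x00,
    0x68, 0x48, 0x01, 0x42, 0x00,
    0xE8, 0xF0, 0x02, 0x00, 0x00,
};

/* One constructed IMAGE_BASE_RELOCATION block for the page at RVA 0x1000: two
 * HIGHLOW (type 3) entries naming the two pointer operands, then ABSOLUTE
 * (type 0) padding.  This list is what "rebasing without .reloc" throws away. */
static const uint8_t reloc_block[16] = {
    0x00, 0x10, 0x00, 0x00,   /* VirtualAddress = 0x1000 */
    0x10, 0x00, 0x00, 0x00,   /* SizeOfBlock    = 16     */
    0x01, 0x30,               /* HIGHLOW @ 0x001 -> operand of push #1 */
    0x0B, 0x30,               /* HIGHLOW @ 0x00B -> operand of push #3 */
    0x00, 0x00, 0x00, 0x00,   /* two ABSOLUTE entries (alignment padding) */
};

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

typedef struct { uint32_t ptr_hello, flags, ptr_section; } operands_t;

static operands_t read_operands(const uint8_t *sec)
{
    operands_t o = { rd32(sec + 1), rd32(sec + 6), rd32(sec + 11) };
    return o;
}

/* Apply the fixups of one .reloc block to a section buffer.  Returns the
 * number of fields patched, or -1 on a malformed block or out-of-range entry. */
int apply_reloc_block(uint8_t *sec, size_t sec_len, uint32_t sec_rva,
                      const uint8_t *blk, size_t blk_len, uint32_t delta)
{
    if (blk_len < 8) return -1;
    uint32_t page = rd32(blk), size = rd32(blk + 4);
    if (size < 8 || size > blk_len || (size & 1)) return -1;
    int applied = 0;
    for (size_t off = 8; off < size; off += 2) {
        uint16_t e    = (uint16_t)(blk[off] | (blk[off + 1] << 8));
        unsigned type = e >> 12;
        uint32_t rva  = page + (e & 0xFFFu);
        if (type == 0) continue;                        /* IMAGE_REL_BASED_ABSOLUTE */
        if (type != 3) return -1;                       /* only IMAGE_REL_BASED_HIGHLOW here */
        if (rva < sec_rva || rva - sec_rva + 4 > sec_len) return -1;
        uint8_t *p = sec + (rva - sec_rva);
        wr32(p, rd32(p) + delta);
        applied++;
    }
    return applied;
}

/* The guessing approach from the quoted proposal: every 32-bit value that
 * lands inside the old image range is treated as a pointer. */
int naive_rebase(uint8_t *sec, size_t sec_len, uint32_t old_base,
                 uint32_t image_size, uint32_t delta)
{
    int changed = 0;
    for (size_t i = 0; i + 4 <= sec_len; i++) {
        uint32_t v = rd32(sec + i);
        if (v - old_base < image_size) {                /* unsigned wrap covers v < old_base */
            wr32(sec + i, v + delta);
            changed++;
            i += 3;
        }
    }
    return changed;
}

/* Rebase a fresh copy of the fragment using the .reloc block; returns fixup count. */
int rebase_with_reloc(uint32_t new_base, operands_t *out)
{
    uint8_t sec[sizeof text_template];
    memcpy(sec, text_template, sizeof sec);
    int n = apply_reloc_block(sec, sizeof sec, TEXT_RVA,
                              reloc_block, sizeof reloc_block, new_base - OLD_BASE);
    *out = read_operands(sec);
    return n;
}

/* Rebase a fresh copy of the fragment by guessing; returns fields it patched. */
int rebase_by_guessing(uint32_t new_base, operands_t *out)
{
    uint8_t sec[sizeof text_template];
    memcpy(sec, text_template, sizeof sec);
    int n = naive_rebase(sec, sizeof sec, OLD_BASE, IMAGE_SIZE, new_base - OLD_BASE);
    *out = read_operands(sec);
    return n;
}

int main(void)
{
    operands_t a, b;
    int na = rebase_with_reloc(0x00410000u, &a);
    int nb = rebase_by_guessing(0x00410000u, &b);
    printf(".reloc  (%d fixups): hello=%08X flags=%08X section=%08X\n",
           na, (unsigned)a.ptr_hello, (unsigned)a.flags, (unsigned)a.ptr_section);
    printf("guessed (%d fixups): hello=%08X flags=%08X section=%08X\n",
           nb, (unsigned)b.ptr_hello, (unsigned)b.flags, (unsigned)b.ptr_section);
    return 0;
}
```

With the .reloc block the two pointers move to 0x0043001C and 0x00430148 and the flags word stays 0x00420000; the guessing pass patches three fields and silently turns the flags into 0x00430000, which is Sabin's point: the bytes alone do not say which 0x0042xxxx is an address. The same holds for a relocation entry whose type is not HIGHLOW: a real loader must know the type, not infer it.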