Full Disclosure mailing list archives
Re: Fuzzing and SEH
From: Gynvael Coldwind <gynvael () coldwind pl>
Date: Fri, 5 Nov 2010 09:28:12 +0100
Hey,

("SEH" --> I assume we're talking MS Windows)

A debugger attached is one solution (since a debugger is notified of an exception before SEH is executed). PyDbg seems like a good idea, but it can be done easily using the debugger API of Win32API too (just forward all events except exceptions to the app). However, this method won't work too well with apps that are protected (anti-reverse engineering, anti-debugging, etc).

Personally I've used kernel-based exception detection, since it's not detectable from a user app (except for timing and an approach similar to r0 rootkit detection, but that's neglectable). Check the app/code of ExcpHook (it's open source). The downfall here is that it currently works only on 32-bit XP (didn't have time yet to port it to new Windows).

Another idea would be to open a process and hook ntdll.KiUserExceptionDispatcher, which is the function called from kernel mode to user mode, and which handles inter alia SEH. The problem here is that if the stack gets corrupted, the hook function will probably fail (hint: allocate some space you can use as a stack for the hook handler).

Anyway, check out the 1st issue of Hack In The Box Magazine from this year (http://magazine.hackinthebox.org/hitb-magazine.html). I've posted an article there about exception detection with more details.

Have fun,

On Thu, Nov 4, 2010 at 12:30 PM, primehaxor <primehaxor () gmail com> wrote:
Hi list,

When I run some fuzzing tests I can't trap the exception when some bug is found due to invalid input. I'm trying to figure out a smart way to handle the exception, and tell me when it runs. On the PoC I've got the daemon crashed but it's still working without responding to the requests. I'm reading the Sulley framework and PyDBG docs to find some trick to get it working.

Any idea?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
gynvael.coldwind//vx