26 June 2015

Calling an import function (IAT)

Import Address Table.


Section: .data
IAT is in the .idata section.
When Windows loads the application into memory, every entry in the IAT is resolved.
Import addresses have been populated in the IAT.



Assembly code:
Call to a Windows API (GetVersion)
Referring to the instruction at 0x004012c8:

  • FF 15 :    indirect call (CALL dword ptr [addr])
  • 38 60 40 00  >> 0x00406038 (little-endian) : this IAT slot contains 0x775944c7 (the address of the GetVersion function)
  • EIP will jump to GetVersion().
  • Since it's a CALL, execution will return to 0x004012CE afterwards

ref: http://win32assembly.programminghorizon.com/pe-tut6.html
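As an added example (not from the original notes): a short Python script that decodes the FF 15 call above, unpacks the little-endian operand to find the IAT slot, looks the slot up in a constructed IAT map, and computes the return address. The bytes after the call (mov esi, eax) and the IAT contents are constructed for the demo.

```python
import struct

# Constructed sample: the 6-byte CALL from the note at 0x004012c8,
# "FF 15 38 60 40 00", followed by a made-up next instruction (8B F0 = mov esi, eax).
CODE_VA = 0x004012C8
CODE = bytes.fromhex("FF1538604000" "8BF0")

# Constructed IAT: after loading, slot 0x00406038 holds the resolved address of GetVersion.
IAT = {0x00406038: 0x775944C7}


def decode_indirect_call(code: bytes, va: int) -> dict:
    """Decode a 'CALL dword ptr [disp32]' (opcode FF 15) located at virtual address `va`.

    Returns the IAT slot the call reads, the API address stored in that slot
    (None if the loader never filled it), and the return address pushed on the
    stack, i.e. the address of the instruction that follows the 6-byte CALL.
    """
    if code[:2] != b"\xFF\x15":
        raise ValueError("not a CALL dword ptr [disp32] (FF 15)")
    # The 4 operand bytes are an absolute address stored little-endian:
    # 38 60 40 00 -> 0x00406038
    (slot,) = struct.unpack_from("<I", code, 2)
    return {
        "slot": slot,
        "target": IAT.get(slot),
        "return_address": va + 6,  # FF 15 + 4-byte operand = 6 bytes
    }


if __name__ == "__main__":
    info = decode_indirect_call(CODE, CODE_VA)
    print(f"call [0x{info['slot']:08X}] -> GetVersion at 0x{info['target']:08X}, "
          f"returns to 0x{info['return_address']:08X}")
```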



24 June 2015

Entry Point


PE.ImageBase + PE.AddressOfEntryPoint = Virtual Address



ps:
The entry point is inside one of the Windows DLLs.
It then continues to the pre-main function (generated by the compiler).
Last, it enters main().

Immunity Debugger lets you choose between 3 options: pause at one of the above.

18 June 2015

Cryptography

Key Type

  • Symmetric
    • same key to encrypt/decrypt
    • fast
    • Algorithms:
      • DES
      • 3DES
      • Blowfish
      • RC4, RC5, RC6
      • AES
  • Asymmetric
    • slow
    • public key
      • used to encrypt
      • shared with others/the world
    • private key
      • used to decrypt
      • kept by the owner
    • Algorithms:
      • RSA
      • ECC
      • Diffie-Hellman
      • El Gamal
      • DSA


Methods Of Encryption
  • Block Cipher
    • uses symmetric encryption
    • fixed-length blocks
      • padding added to short blocks

  • Stream Cipher
    • uses symmetric encryption
    • 1 bit/byte at a time
    • should use a different IV each time
  • Attributes
    • Confusion
      • can't determine the key from the ciphertext (encrypted data)
    • Diffusion
      • 1 change in the plaintext changes at least 50% of the output



Block Mode 


  • A mode is needed when the data is larger than the block size
  • Modes
    • ECB - Electronic Codebook
      • Weak
        • same ciphertext for the same plaintext block
          • refer https://www.youtube.com/watch?v=uPiqyQOMH1E , at 1:05
          • https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#/media/File:ECB_encryption.svg
    • CBC - Cipher Block Chaining
      • has an additional parameter
        • uses the IV for the first block
        • uses the previous ciphertext block for the next block
      • usually just XORs the block with the extra parameter before encrypting with the key
      • ref: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#/media/File:CBC_decryption.svg
    • CFB - Cipher Feedback
    • OFB - Output Feedback
    • CTR - Counter
Types of Symmetric

04 June 2015

steghide (steganography)

tools: steghide:



ref:
1) http://steghide.sourceforge.net/documentation/manpage.php

03 June 2015

Virtual Memory for Linux Process

Comparison of Linux and Windows:






Linux Virtual Process:




ref:
1)  http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/