Blog

Wednesday 5 August 2009 - Calling API Functions

Introduction

An alternative approach for position independent code, such as shellcode, to call Windows API functions is shown below. Their are all ready many existing methods available, typically relying on parsing either the Import Address Table (IAT) or Export Address Table (EAT) of a specific module in order to locate the address of a required function. Some methods use a variation of the above where the kernel32 modules EAT (or a modules IAT entry referencing kernel32) is parsed in order to locate the functions LoadLibraryA and GetProcAddress and these two functions are then used to resolve the remaining function addresses (as well as loading in any modules not all ready present in the processes address space). If relying on GetProcAddress to resolve functions, the ASCII names of the functions must also be available, increasing the shellcodes size considerably. It is therefore common to use a hashing technique, typically based off the assembly rotate (ROR/ROL) instructions, in order to avoid this problem and create a more optimized solution.

The 2003 paper 'Understanding Windows Shellcode' by Skape[1] is an excellent read to understand the various techniques fully. A good example of a well optimized shellcode is SkyLined's w32-bind-ngs-shellcode[2].

An Alternative Approach

Another way to resolve function addresses is to use a hash combined of both the desired function name and its module name. The entire list of modules loaded in a process can be iterated over, calculating the respective hash value for each exported function and comparing it to that of the desired hash we are searching for. Once located we can proceed to resolve the functions address. Further more, we can wrap this functionality in a function which will act as a proxy, allowing the caller to indirectly call the desired API function. A pseudo x86 code example of using this technique is shown below on the left and for comparison a more traditional approach of achieving the same is shown on the right.

push param2 // push the second parameter push param1 // push the first parameter push hash // push the hash of the function+module call api_call // resolve and indirectly call the desired function

push hash // push the hash of the function + module push module_address // push the address of the module call resolve_api_address // resolve the desired function push param2 // push the second parameter push param1 // push the first parameter call api_address // directly call the desired function

We can see from the above that their are some advantages, namely it takes only one call to both resolve and call any API function. We also do not need to keep track of any modules base addresses.

All the source code shown below can be downloaded from this zip file CallingAPIFunctions.zip. Also included in the zip are the x86 and x64 versions of the eggtest application used to run and aid debugging of shellcode.

Implementation – Win32 x86

Listed below is a 137 byte implementation of the technique described above. This implementation works on all versions of 32-bit Windows (Windows 7, 2008, Vista, 2003, XP, 2000, NT4). It is implemented as a function called 'api_call'. Its parameters are the hash value of the desired API function to call as well as all the desired API functions parameters. It returns the result of indirectly calling the desired API function. The stdcall calling convention (Used by all Win32 API functions) is honored in that the EAX, ECX and EDX registers are expected to be clobbered while the remaining registers will not be clobbered.

Example - Win32 x86

Using the implementation given above (and assuming it has been saved to a file called 'x86_api_call.asm'), we can build a simple example which will execute the calc program and then terminate the process.

We can build the above example using the NASM assembler[4] with the command:
>nasm -f bin -O3 -o x86_example.bin x86_example.asm
We can run the example with the eggtest (included in zip file) program:
>eggtest_x86.exe x86_example.bin

Implementation - Win64 x64

We can of course use the same technique on 64bit Windows. Listed below is a 192 byte implementation of the technique described above for the x64 architecture. As before, it is implemented as a function called 'api_call'. The Win64 API use quite a different calling convention[3] to that of the Win32 API. The first four parameters to any function are passed in via the registers RCX, RDX, R8 and R9 respectively, with any remaining parameters being pushed onto the stack (Their are exception to this convention for floating point parameters). Another notable difference when coding for Win64 is that the Process Environment Block (PEB) must be retrieved from gs:96 as opposed to fs:48 on Win32. The desired functions hash value is passed in via register R10 in order to allow the registers RCX, RDX, R8 and R9 to be used for the desired function parameters. We can note that the hash values used do not need to be changed between architectures.

Example - Win64 x64

Using the x64 implementation given above (and assuming it has been saved to a file called 'x64_api_call.asm'), we can build another simple example which will execute the calc program and then terminate the process.

We can build the above example using the NASM assembler with the command:
>nasm -f bin -O3 -o x64_example.bin x64_example.asm
We can run the example with the eggtest (included in zip file) program:
>eggtest_x64.exe x64_example.bin

Forwarded Exports

Modules may contain entries in their EAT which is actually a forwarded entry[5]. This means that instead of a modules export resolving to a function within that module, this export is instead intended to resolve to a function within another module. For example on Windows Vista, 2008 and 7 the export kernel32.dll!ExitThread is a forwarded export that points to ntdll.dll!RtlExitUserThread. This is achieved by storing the ASCII module name and function name that the forwarded export wishes to point to in the respective EAT entry (instead of an RVA). I am unaware of any shellcode implementations that attempt to resolve forwarded exports correctly (unless using kernel32.dll!GetProcAddress) and the implementation given above does not resolve forwarded exports either. It gets awkward quickly as you must first recognize that the export is a forwarded one, proceed to use LoadLibraryA to load the forwarded module (in order to retrieve its base address, and load it into the processes address space if it is not all ready present) and then GetProcAddress to resolve the forwarded function based off the ASCII function name given.

For typical shellcodes the only function required which is a forwarded export is ExitThread as mentioned above. A workaround for this problem is to check at run time the current Windows platform and call the appropriate function to avoid calling a forwarded export as shown in the Win32 snippet below:

Hash Collisions

An obvious concern when using hash values in the manner described here, is the occurrence of collisions between the hash of the function you are searching for and an arbitrary function in an arbitrary module which computes to the same hash value. To help determine the possibility of this, a simple python script can be used to scan all modules on a system, computing their exported functions hashes and detecting if a collision occurs against any predefined functions (e.g. common functions we might need to use such as kernel32.dll!WinExec or ws2_32!recv). The python script is included in the zip file (see start of this post) and uses the pefile package[6] to process a modules exports. This script has been run on multiple systems (Windows 7 RC1, 2008 SP1, Vista SP2, 2003 SP2, XP SP3, 2000 SP4 and NT4 SP6a), processing a total of 1,864,417 functions across 35,178 modules and detected no collisions against the functions defined (Please see the python script for more details).

Metasploit Integration

The majority of the Metasploit[7] x86 Windows payloads have been rewritten using the techniques presented here in order to bring Windows 7 and backwards compatibility to the stagers, stages and singles as well as considerable size reductions for the stagers and stages. Work on x64 payloads is under way.

References

[1] http://hick.org/code/skape/papers/win32-shellcode.pdf
[2] http://code.google.com/p/w32-bind-ngs-shellcode/
[3] http://msdn.microsoft.com/en-us/library/9b372w95.aspx
[4] http://sourceforge.net/projects/nasm/
[5] http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
[6] http://code.google.com/p/pefile/
[7] http://www.metasploit.com/

Labels: Exploitation, Reverse Engineering, Shellcode

Comments: 1

 

Friday 19 June 2009 - Retrieving Kernel32's Base Address

For shellcode, a common method to resolve the addresses of library functions needed, is to get the base address of the kernel32.dll image in memory and retrieve the addresses of GetProcAddress and LoadLibraryA by parsing the kernel32 images Export Address Table (EAT). These two functions can then be used to resolve the remaining functions needed by the shellcode. To retrieve the kernel32.dll base address most shellcodes use the Process Environment Block (PEB) structure to retrieve a list of modules currently loaded in the processes address space. The InInitializationOrder module list pointed to by the PEB's Ldr structure holds a linked list of modules. Typically the second entry in this list has always been that of kernel32.dll. The code used to retrieve the kernel32 base address based on this method is shown below:

This method has worked for all versions of Windows from Windows 2000 up to and including Windows Vista. The introduction of Windows 7 (rc1) has broken this method of retrieving the kernel32 base address due to the new MinWin kernel structure employed by Windows 7. A new module kernelbase.dll is loaded before kernel32.dll and as such appears in the second entry of the InInitializationOrder module list.

To retrieve the kernel32.dll base address in a generic manner on all versions of Windows from Windows 2000 up to and including Windows 7 (rc1) a slightly modified approach can be used. Instead of parsing the PEB's InInitializationOrder module list, the InMemoryOrder module list can be parsed instead. The third entry in this list will always be that of kernel32.dll (The first being that of the main module and the second being that of ntdll.dll). The code used to retrieve the kernel32 base address based on this method is shown below:

Update: Their appears to be some cases on Windows 2000 whereby the above method will not yield the correct result. A more robust method, albeit a more lengthy one, can be seen below. We search the InMemoryOrder module list for the kernel32 module using a hash of the module name for comparison. We also normalise the module name to uppercase as some systems store module names in uppercase and some in lowercase.

To verify these methods on your own system you can use the following tool: GetKernel32Base.zip

This code has been verified on the following systems:

• Windows 2000 SP4
  
• Windows XP SP2
  
• Windows XP SP3
  
• Windows 2003 SP2
  
• Windows Vista SP1
  
• Windows 2008 SP1
  
• Windows 7 RC1

The following WinDbg session shows how we can manually verify the above methods on a Windows 7 RC1 system:

Labels: Exploitation, Reverse Engineering

Comments: 7

 

Saturday 7 March 2009 - Windows 2000 UEF Overwrite Oddity

After firing up an old Windows 2000 SP4 VM during the week to code up a heap overflow PoC, I came across a small oddity when attempting to gain code execution by overwriting kernel32's top level Unhandled Exception Filter (Halvar Flake - Third Generation Exploitation) after I had run Windows Update.

Previously, overwriting kernel32's top level UEF would give you control after an unhandled exception occurred, however this didn't seem to be working as it previously had done.

After digging around kernel32!SetUnhandledExceptionFilter and kernel32!UnhandledExceptionFilter in the current kernel32 version (5.00.2195.7135) and a previous one (5.00.2195.7006) it seems MS changed the way kernel32 accesses the top level UEF. Previously the UEF was set and handled as shown in the summarized snippet below:

We can see that as long as the current process is not being debugged and the top level UEF is not NULL it will be executed, so if we patch the UEF address before an exception we can get control. However the latest kernel32 sets and handles its top level UEF differently as shown in the summarized snippet below:

We can see that when an application now sets a top level UEF via SetUnhandledExceptionFilter(), some meta data about the new UEF is recorded, including the module name where the new UEF lies, the module handle (equal to the modules base address), as well as the size and type of the memory block where the UEF lives, as returned by a call to VirtualQuery().

Later when UnhandledExceptionFilter() attempts to execute the top level UEF it first double checks that the saved UEF meta data is equal to the current UEF's meta data. If it is the top level UEF is called.

A problem then arises after we patch kernel32's top level UEF. When UnhandledExceptionFilter() is called the meta data won't match up and our patched UEF will not be called. We could look for a suitable address in the same memory region as the original one so as to satisfy these checks, however there is an easier way around it.

By default most processes have their kernel32's top level UEF set to msvcrt!__CxxUnhandledExceptionFilter. This function in turn will call an exception filter whose address is stored in a fixed location (0x7803A148 in msvcrt.dll 6.10.9844.0). Simply patching this location with our arbitrary address will allow us to ignore the checks in kernel32 and gain control after an unhandled exception. For a typical heap overflow we can get back to our shellcode via a 'CALL [ESI+0x4C]'.

Labels: Exploitation, Reverse Engineering

Comments: 1

 

Thursday 21 August 2008 - [New Tool] OllySocketTrace

OllySocketTrace is a plugin for OllyDbg to trace the socket operations being performed by a process. It will record all buffers being sent and received. All parameters as well as return values are recorded and the trace is highlighted with a unique color for each socket being traced.

The socket operations currently supported are: WSASocket, WSAAccept, WSAConnect, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSAAsyncSelect, WSAEventSelect, WSACloseEvent, listen, ioctlsocket, connect, bind, accept, socket, closesocket, shutdown, recv, recvfrom, send and sendto.

You can download OllySocketTrace from here:

http://www.harmonysecurity.com/OllySocketTrace.html

Labels: OllyDbg, Reverse Engineering, Tools

 

 

Archives March 2007 June 2007 August 2007 October 2007 November 2007 December 2007 January 2008 February 2008 April 2008 May 2008 June 2008 August 2008 October 2008 March 2009 April 2009 June 2009 July 2009 August 2009 September 2009 October 2009 November 2009 December 2009 February 2010

Last 10 Posts EMC HomeBase Arbitrary File Upload Remote Code Exe... HP Application Recovery Manager Stack Buffer Overf... HP Operations Manager Backdoor Account Code Execut... Implementing a Win32 Kernel Shellcode EMC & OpenText Hummingbird STR Service Stack Overf... Adobe RoboHelp Server Arbitrary File Upload and Ex... Calling API Functions Akamai Download Manager Stack Buffer Overflow Vuln... Novell Privileged User Manager Remote DLL Injectio... Retrieving Kernel32's Base Address