The following shows you how to patch the code using IMM: JZ 0x401138 # if EAX=0, will skip printf("BBBB") Notice that this occurs only when the instruction "inc EAX" is skipped. If EAX is 0 (here "JZ" means Jump if Zero), the program will jump to 0x401138, which skips the printf("BBBB"). Intuitively, the code tests the value of EAX after the int 2d call. We now add the following assembly code at location 0x4010F9 of Int2dPrint.exe (the first "int a=0" before the printf("BBBB")). Make sure that your XP guest is running in NON-DEBUG mode! You can choose to compile it by yourself, or use the one provided in the zipped project folder. To run it, you need the cygwin1.dll in Cygwin's bin folder. The binary program is compiled using g++ under Cygwin. Now let us roll our sleeves and prepare the patch the Int2dPrint.exe. In fact, you can infer that the stdout is located at offset 0x8 of the reentrant structure.įigure 2. It is to get the thread specific re-entrant structure so that the stdout (file descriptor of the standard output) can be retrieved. Also note that before the fflush call at 0x4010F4, the program calls cygwin._getreent. The "MOV, 0X402020" at 0x4010DD is to push the parameter (the starting address of constant string "AAAA") into the stack, for the printf() call. We added a fflush(stdout) to enforce the output in an eager mode and before each printf() statement, there are five integer operations to allow us insert additional machine code later.įigure 2 shows the assembly of the compiled code.Clearly,the 'MOV, 0' instructions between 0x4010BA and 0x4010D6 correspond to the integer assignments "int a=0" etc. The output of the program should be "AAAABBBB". The C++ source of the program is shown in the following. In the following, we demonstrate some of the interesting behaviors of Int 2d using a simple program Int2dPrint.exe. This is because WinDbg stops its running, Simply type " g" (standing for "go") in the WinDbg window, and let the XP Guest continue. You might notice that currently you are not able to access your XP Guest. Windbg -b -k com:pipe,port=\\.\pipe\com_11 You should be able to get a window as shown in Figure 1. Change directory to "c:\Program Files\Debugging Tools for Windows(x86)" and type the following. Now in the host machine, launch the "Windows SDK 7.1" command window coming with WinDbg. Start your XP guest in the debug mode (2nd option). It consists of two steps: (1) manually add a COM port in Control Panel and (2) manually configure COM1 as the port number. You can follow jorgensen's tutorial on " How to Add a Serial Port in Windows XP and 7 Guest" (follow the XP part). In some versions of XP, COM ports have to be manually configured. Multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="DEBUGGED VERSION" /noexecute=optin /fastdetect /debug /debugport=com1 /baudrate=115200 Multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect Note that we set COM1 as the debug port.ĭefault=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS The file is shown as below, you can modify yours correspondingly. This is to set up a second booting option for the debug mode. We need to further configure the XP guest to make it work. The installation of WinDbg on the host machine can follow the instructions on MSDN. In the following we assume that the pipe path on the host machine is \\.\pipe\com_11 and the guest OS is using COM1. Pay special attention to Seciton 3.1 (how to set up the serial port of the XP Guest). If you have not installed the guest VM, please follow the instructions of Tutorial 1. Before we proceed, we need to configure it properly on the host machine and the guest XP. In addition the the immunity debugger, we are going to use WinDbg in this tutorial. In the following, we use an experimental approach to explore the possible ways to make a program behave differently when running in a virtual machine and debugged environment. The behavior of int 2d instructions may be affected by many factors, e.g., the SEH handler installed by the program itself, whether the program is running under a ring 3 debugger, whether the OS is running in the debugged mode, the program logic of the OS exception handler (KiDispatch), the value of registers when int 2d is requested (determining the service that is requested).
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |