Category: C/C++

Reading another process memory via page combining in Windows 10

Windows page combining

It's not as scary as it looks, and you're not able to read memory of any arbitrary process. At least without some preconditions. The main vulnerability is almost completely fixed now. Therefore, this post is rather a historical reference and is offered for your self-improvement. In addition, to my knowledge, no one has yet described the exploitation method that I offer.

To begin with, Microsoft was notified about this problem around a year and a half ago. In response, they told me the vulnerability had been fixed mostly, and that I can publish my small research.

So let's begin. Windows 8.1 and Windows 10 brought a memory or page combining feature at some point (the Windows Internals, 7th edition, part 1 book describes it in detail). The idea is quite simple: every 15 minutes the operating system searches the physical memory for pages with the same content and combines them into a single one in order to save RAM. Those processes that owned the same pages receive links to a new shared page with the read-only and copy-on-write attributes. If any process changes its page, a copy-on-write exception occurs, and the system copies the page again to physical memory, and the process receives an individual copy of this page.

Continue reading "Reading another process memory via page combining in Windows 10"

Getting acquainted with ARM Cortex-M

arm

Today we'll discuss 32-bit microcontrollers with ARM Cortex-M cores and, in particular, STMicroelectronics (aka ST) controllers. This post will describe how to develop for these controllers, which development environments available, and how to use some popular libraries. If you are interested in Arduino development, but 8-bit AVR is no longer enough for you, and you want something more, then this post is for you.

Continue reading "Getting acquainted with ARM Cortex-M"

Filling up NTFS partition forever without admin privileges

NTFS logo

NTFS is an advanced file system that is one of the main parts of all modern Windows operating system versions. This file system supports logging, it has the ability to recover data, advanced security, file streams and many other features. However, sometimes with rich features you get problems that were absent in older file systems like FAT32.

Continue reading "Filling up NTFS partition forever without admin privileges"

Skype Preview – Skype link preview plugin

skype

Once upon a time I chatted in one cozy Skype conference and suddenly one of the members got a rather interesting idea: to develop a Skype plugin, which allows to view content of links thrown into chat without opening them. "Why not?", - I thought. It is possible to open pictures in reduced size, if the link points to the image (including animated ones). If the link leads to usual HTML page, it is possible to display its title. Running ahead, I'll show you the result:

skype_plugin

Continue reading "Skype Preview – Skype link preview plugin"

Developing PE file packer step-by-step. Step 12 – bugfixes

pack

Thanks to the guy from commentaries in previous posts about the packer, one amazing bug in the code was discovered, which I tried to fix quickly. The commentator, without analyzing the packer operation in detail, stated that the code packed with it will not be able to work with SEH if DEP is turned on. Under such conditions the code worked well (because all unpacked code in memory is located within one single PE file section marked as executable. UPX has same operation logic.). However, suddenly the following bug was discovered: if the program is built in MSVC++, uses SEH and has relocations, it will likely crash on first exception (more precisely, if the file was loaded to the address other than base). DEP, of course, has nothing to do with this. The thing is in disastrous IMAGE_LOAD_CONFIG_DIRECTORY directory. It is created by Visual Studio linker. Of useful information it contains the address table (RVA) of SE handlers and a pointer to CRT internal variable __security_cookie. As it turned out, this directory is necessary not only for CRT internals (although it, as it seems, actually doesn't care about this structure), but also for the system loader (at least, in Win7. WinXP, it seems, ignores this directory too). The packer, which I developed, moves this directory to other section (see here). Thus the issue can be fixed by adding several records to relocations table, which is created by the packer. These records will fix the addresses pointing to security cookie and SE handlers table, to let it read necessary information from this directory at loading stage.

Except correcting this bug I updated the packer code to make it buildable with latest version (1.0.0) of PE library (PE Bliss). It is always available to download here.

By the way, about PE Bliss library. Currently in my free time I develop new version, which will have the following features (the list is exemplary and can be changed):
- high-level work with additional types of PE file resources;
- detailed .NET binaries parsing (metadata, signatures, resources);
- library wrapper in C++/CLI, which allows .NET developers to use library functionality comfortably in C# or Visual Basic .NET software.

Download packer sources: packer source
Download binary: packer binary

PS. In Windows 8 and 8.1 image load configuraton directory has been exanded (to support Control Flow Guard), so the packer will be unable to pack newest binaries from that operation systems, if IMAGE_LOAD_CONFIG_DIRECTORY is present.

UPDATE 24.05.2016: relocations generation has been updated. In some rare cases (when TLS data was big enough, and load config directory was present, relocation table addresses could overflow, which resulted in corrupted packed binary).

Developing PE file packer step-by-step. Step 11. Command line interface. Final version

Previous step is here.

cli

At this step we will develop nice command line interface for our packer.

Continue reading "Developing PE file packer step-by-step. Step 11. Command line interface. Final version"

Developing PE file packer step-by-step. Step 9. Delay-loaded DLLs and Image Config

Previous step is here.

Today we will do that little things, which I've put aside during my old packer development. Our new packer can do everything already, but we have a couple of small nuances and it will be good to finish with them. The first one is delay-loaded import. It allows to load required PE file libraries when they are really needed, thus saving time on loading image to memory. This mechanism is implemented by compilers/linkers only and it is not related to the loader. However, there is IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT directory in PE header, which points to delayed import data. I don't know whether this is used by linker and built program, but the loader ignores it, but we better leave this directory and don't zero it. Let's remove the line

Continue reading "Developing PE file packer step-by-step. Step 9. Delay-loaded DLLs and Image Config"

Developing PE file packer step-by-step. Step 8. DLL’s and exports

Previous step is here.

Our packer can do almost everything already, except one thing - packing binaries with exports. This, in particular, is an absolute majority of DLL files and OCX components. Some EXE files also have exports. Our packer should rebuild export table and place it to available space, to make it accessible for the loader.

We can relax a bit for now - we have to add just a small amount of code to the packer (generally, the same for the unpacker, but it will be in assembler).

Continue reading "Developing PE file packer step-by-step. Step 8. DLL’s and exports"

Developing PE file packer step-by-step. Step 7. Relocations

Previous step is here. By the way, there was a bug in the code, I fixed it. It appeared when PE file had more than one callback.

Let's turn to the next important part of many PE files - relocations. They are used, when it is impossible to load an image to the base address indicated in its header. Mainly this is a typical behavior for DLL files (basically they can't work properly without relocations). Imagine that EXE file is being loaded to 0x400000 address. This EXE file loads the DLL, which is also loaded to this address. The addresses are the same, and the loader will look for DLL file relocations, because the DLL is loaded after the EXE. If there will be no relocations, loading will fail.

The relocations themselves are just the set of the tables with pointers to DWORDs, which should be calculated by the loader, if the image is loaded by an address other than base. There are many types of relocations, but actually only two are used in x86 (PE): IMAGE_REL_BASED_HIGHLOW = 3 and IMAGE_REL_BASED_ABSOLUTE = 0, and the second one does nothing, it is required only for relocation tables alignment.

I will just say, that loader loads EXE files to base address almost always, without using relocation. Our packer is unable to pack DLL yet, so to test relocation packing we should create an EXE file with incorrect base address, and then the loader will have to change it and apply relocations. I will not provide the test project source code here, you will find it in solution at the end of the article. I set 0x7F000000 as a base address (Linker - Advanced - Base Address).

We have to process relocations manually, like everything else, after unpacking a file. We should notify the loader in advance, that the file has relocations. Also, we need to know a new address, to which the loader moved the file.

We don't have to do anything to notify the loader, that our file has relocations - we still have necessary flags set in PE file headers left from original file. However, we need to know at which address the file was loaded.

Continue reading "Developing PE file packer step-by-step. Step 7. Relocations"

Developing PE file packer step-by-step. Step 6. TLS

Previous step is here.

It's time to manage such important thing as Thread Local Storage (TLS). What is it? It is a small structure, which tells PE loader where it has to place the data which should be allocated for each thread. The loader also calls TlsAlloc, and the return value is stored at the address specified in this structure (this is called index). Besides that, this structure may contain address of an array storing a set of callbacks (function addresses), which are called by loader when the file is loaded into memory or when a new thread in process is created.

To be honest, working with TLS will be somewhat more hardcore, than it was with other things, so get prepared and strain your brain. My old packer I mentioned one or two steps ago don't support TLS callbacks, it notifies cowardly that they exist but they are not processed. Basically, this is a reasonable behaviour, as TLS callbacks are contained mainly in rather weird files, which use them as anti-debugging trick. There is no regular linker like Borland or Microsoft linker, with TLS callback creation support. However, we will add their support to make our packer cool.

Continue reading "Developing PE file packer step-by-step. Step 6. TLS"