Re: Preventing exploitation with rebasing

From: David Litchfield (davidat_private)
Date: Wed Feb 05 2003 - 02:29:32 PST


    Going back to exe image files and rebasing. Surely they can be rebased even
    without a .reloc section? All I need to do is edit the image base in the PE
    header, then parse the assembly looking for absolute addresses, such as
    function addresses, static variables etc., and modify those addresses too.
    
    For example, assume the image base for an exe is 0x00400000 and the C code
    does
    
    printf("hello");
    
    This will generate something like
    
    push 0x0042001C       // push pointer to hello
    call 0x00401060       // call printf
    
    If I then make the image base 0x00410000 and I also change
    
    push 0x0042001C
    call 0x00401060
    
    to become
    
    push 0x0043001C
    call 0x00411060
    
    then the exe should still run (as long as you get all the absolute
    addresses) and it has been rebased.
    
    ?
    David
    
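The rebasing procedure described in the post, as an added worked example in Python (this is not code from the post, and not from any tool the author used). It constructs a minimal PE32 file in memory whose .text section holds the post's push/call sequence, rewrites ImageBase in the optional header, and then applies the delta to every 32-bit value inside the section raw data that falls in the old image's address range. The constructed image, its section layout (.text at RVA 0x1000, .data at RVA 0x20000, SizeOfImage 0x21000) and all helper names are assumptions made for the example. It also shows two things a practitioner would check: the near call to printf is encoded as a rel32 displacement, so its bytes need no change even though a disassembler shows the absolute target 0x00401060, and a plain integer that happens to fall inside the image range would be rewritten as if it were a pointer, which is the false-positive risk a .reloc section exists to remove.

```python
import struct

# Constructed sample layout (an assumption for this example, not a real binary).
OLD_BASE = 0x00400000
NEW_BASE = 0x00410000
SIZE_OF_IMAGE = 0x00021000          # headers, .text at RVA 0x1000, .data at RVA 0x20000
TEXT_RVA, TEXT_OFF = 0x1000, 0x200  # RVA / file offset of .text
DATA_RVA, DATA_OFF = 0x20000, 0x400 # RVA / file offset of .data
PRINTF_RVA = 0x1060                 # where "printf" lives in the sample


def read_u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def build_sample_image():
    """Construct a minimal PE32 file in memory whose .text holds the post's example."""
    code = b"\x68" + struct.pack("<I", OLD_BASE + 0x2001C)        # push 0x0042001C (absolute)
    rel = PRINTF_RVA - (TEXT_RVA + len(code) + 5)                 # rel32, measured from next insn
    code += b"\xE8" + struct.pack("<i", rel)                      # call 0x00401060 (relative!)
    code += b"\xA1" + struct.pack("<I", OLD_BASE + DATA_RVA)      # mov eax,[0x00420000] (absolute)
    code += b"\x83\xC4\x04\xC3"                                   # add esp,4 ; ret

    # .data: a function pointer (must be patched), a plain integer (must not be),
    # and the "hello" string at RVA 0x2001C that the push above points at.
    data = struct.pack("<II", OLD_BASE + PRINTF_RVA, 0x1C)
    data = data.ljust(0x1C, b"\0") + b"hello\0"

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew -> "PE\0\0" at 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, TEXT_RVA)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, OLD_BASE)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, SIZE_OF_IMAGE, 0x200)        # SizeOfImage, SizeOfHeaders

    def section(name, rva, off, flags):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, off, 0, 0, 0, 0, flags)

    secs = section(b".text", TEXT_RVA, TEXT_OFF, 0x60000020) + \
           section(b".data", DATA_RVA, DATA_OFF, 0xC0000040)
    hdr = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    return hdr + code.ljust(0x200, b"\0") + data.ljust(0x200, b"\0")


def rebase(image, new_base):
    """Rebase a PE32 image that has no .reloc section, the way the post proposes:
    rewrite ImageBase in the optional header, then rewrite every 32-bit value in
    the sections' raw data that lies inside the old [ImageBase, ImageBase+SizeOfImage).
    Returns (patched image, list of (file offset, old value, new value))."""
    img = bytearray(image)
    e_lfanew = read_u32(img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    old_base = read_u32(img, opt + 28)
    size = read_u32(img, opt + 56)
    delta = new_base - old_base
    struct.pack_into("<I", img, opt + 28, new_base)               # step 1: edit ImageBase

    patched = []
    sec_tab = opt + opt_size
    for i in range(nsec):                                         # step 2: fix absolute addresses
        raw_size, raw_off = struct.unpack_from("<II", img, sec_tab + 40 * i + 16)
        off, end = raw_off, raw_off + raw_size
        while off + 4 <= end:
            v = read_u32(img, off)
            if old_base <= v < old_base + size:                   # looks like an in-image pointer
                nv = (v + delta) & 0xFFFFFFFF
                struct.pack_into("<I", img, off, nv)
                patched.append((off, v, nv))
                off += 4                                          # never re-match inside a patched dword
            else:
                off += 1                                          # x86 immediates are unaligned
    return bytes(img), patched


if __name__ == "__main__":
    out, patched = rebase(build_sample_image(), NEW_BASE)
    print("ImageBase now 0x%08X" % read_u32(out, 64 + 24 + 28))
    for off, old, new in patched:
        print("file offset 0x%04X: 0x%08X -> 0x%08X" % (off, old, new))
```

Running it rewrites the push immediate (0x0042001C to 0x0043001C), the mov displacement and the function pointer in .data, while the E8 56 00 00 00 call bytes and the integer 0x1C are left alone. The scan is purely value-based: it does not know whether a dword is an operand, a pointer in a vtable, or a constant that merely falls in the range, so on a real binary the "parse the assembly" part of the post is what distinguishes the last case, and it is exactly that distinction the linker records in .reloc.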



    This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 11:40:18 PST