Last active
November 11, 2022 19:53
| Knowledge Area | Recommendations |
|---|---|
| ASM x86 & WinDbg | Get yourself familiar with x86 Assembly. |
| | Learn how to call Win32 APIs from assembly. |
| | Understand the use case of each register (why it's EAX, not EBX). |
| | Customize and save your WinDbg workspace according to the binary/attack you are working on. |
| | Get familiar with common WinDbg commands such as: |
| | 1. Search for bytes, ANSI, ASCII, DWORDs, etc. in memory |
| | 2. Show specific memory permissions (Read, Write, Execute) |
| | 3. Manually explore PE headers and sections. |
| | 4. List the loaded modules. |
| | 5. Read the IAT. |
| | 6. Disassemble opcodes. |
| | 7. Set breakpoints on a specific function call. |
| | Resources: |
| | https://www.cs.virginia.edu/~evans/cs216/guides/x86.html |
| | https://cs.lmu.edu/~ray/notes/x86assembly/ |
| | https://web.stanford.edu/class/cs107/resources/x86-64-reference.pdf |
| | https://sites.google.com/site/taesaza0/etc/windbgcheatsheet |
| SEH Overflows & Egghunters | Understand PE file architecture, what the TEB and TIB are, and Structured Exception Handlers. |
| | Egghunters differ from one OS to another; be careful to use the correct one. |
| | Resources: |
| | https://m0chan.github.io/2019/08/21/Win32-Buffer-Overflow-SEH.html |
| | https://github.com/epi052/osed-scripts |
| Reverse-engineering & IDA Pro | Get yourself familiar with the IDA UI. |
| | Learn how to sync IDA with WinDbg. |
| | To find your entry point you need to understand how the application receives data from the network socket and then how it parses the received data (the protocol) before copying it into the specific buffer. That copy is where the overflow happens. |
| | There are very few functions used to handle data from sockets on Windows; find them and master them. |
| | Resources: |
| | https://www-verimag.imag.fr/~mounier/Enseignement/Software_Security/BH_Eagle_ida_pro.pdf |
| | https://gist.github.com/cddc12346/b4c93325d84dfbedef2b9c0dbf60f972 |
| DEP bypass | Understand what a ROP chain is. |
| | Learn how to get ROP gadgets from PE files using tools like RP++. |
| | Learn how to make use of gadgets that end with "CALL REG32" or "RETN 0xNN". |
| | Understand DEP bypass techniques (Skeleton Method & PUSHAD Method). |
| | Learn about the Windows APIs that are used to bypass DEP: |
| | 1. VirtualAlloc() |
| | 2. VirtualProtect() |
| | 3. WriteProcessMemory() |
| | 4. HeapCreate() |
| | 5. SetProcessDEPPolicy() |
| | 6. NtSetInformationProcess() |
| | Learn them, master them. |
| | Resources: |
| | https://vulndev.io/2022/06/14/bypassing-dep-with-virtualalloc-x86/ |
| | https://fahrishih.medium.com/bypassing-windows-dep-data-execution-prevention-using-rop-return-oriented-programming-6e288515716a |
| | https://vulndev.io/2022/06/12/bypassing-dep-with-writeprocessmemory/ |
| | https://cwinfosec.org/Intro-ROP-DEP-Bypass/ |
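Whether the SEH-overflow and DEP-bypass material above even applies to a given binary is decided by a handful of bits in its PE optional header, so the first thing worth learning from "manually explore PE headers" is how to read them. The following is an added example (not part of this gist or the linked resources): a small Python parser that walks DOS header -> PE signature -> COFF header -> optional header, reads `DllCharacteristics`, and reports which mitigations (DEP opt-in, ASLR, high-entropy ASLR, CFG) the image asks for. The flag values are the documented `IMAGE_DLLCHARACTERISTICS_*` constants; the `build_sample_pe` helper and its header-only images are constructed for the demo and are not loadable binaries.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits as documented in the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
NO_SEH = 0x0400
GUARD_CF = 0x4000

FLAG_NAMES = {
    HIGH_ENTROPY_VA: "HIGH_ENTROPY_VA",
    DYNAMIC_BASE: "DYNAMIC_BASE",
    NX_COMPAT: "NX_COMPAT",
    NO_SEH: "NO_SEH",
    GUARD_CF: "GUARD_CF",
}


def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    return the fields that matter for DEP/ASLR/SEH mitigations."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)                               # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + opt_size:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    # (PE32+ drops BaseOfData but widens ImageBase, so later offsets line up).
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "format": fmt,
        "machine": machine,
        "sections": nsections,
        "dll_characteristics": dllchars,
        "flags": [name for bit, name in sorted(FLAG_NAMES.items()) if dllchars & bit],
    }


def audit(data: bytes) -> dict:
    """Parse the image and list the mitigations it does not opt into."""
    info = parse_pe_headers(data)
    dc = info["dll_characteristics"]
    findings = []
    if not dc & NX_COMPAT:
        findings.append("NX_COMPAT missing: a 32-bit process from this image is not enrolled "
                        "in DEP under the default OptIn policy, so stack/heap data stays executable")
    if not dc & DYNAMIC_BASE:
        findings.append("DYNAMIC_BASE missing: the image loads at its preferred base, so "
                        "addresses inside it (ROP gadgets included) are predictable")
    if info["format"] == "PE32+" and not dc & HIGH_ENTROPY_VA:
        findings.append("HIGH_ENTROPY_VA missing: 64-bit ASLR uses the reduced entropy range")
    if not dc & GUARD_CF:
        findings.append("GUARD_CF missing: indirect call targets are not validated by CFG")
    # SafeSEH is recorded in the load-config directory (SEHandlerTable/Count), not
    # in DllCharacteristics; NO_SEH only states the image registers no handlers at all.
    info["findings"] = findings
    return info


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for the demo (not a loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64-byte DOS header
    machine = 0x8664 if pe32plus else 0x14C                             # AMD64 / I386
    opt_size = 112 if pe32plus else 96      # standard + Windows fields, no data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)       # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)                # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "legacy x86 (no mitigations)": build_sample_pe(0),
        "hardened x86": build_sample_pe(NX_COMPAT | DYNAMIC_BASE | GUARD_CF),
        "x64 without high-entropy ASLR": build_sample_pe(NX_COMPAT | DYNAMIC_BASE, pe32plus=True),
    }
    for label, image in samples.items():
        report = audit(image)
        print(f"{label}: {report['format']} flags={report['flags']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against a real file by replacing the constructed samples with `open(path, "rb").read()`; the parser only needs the first few hundred bytes. The caveat a practitioner should keep in mind is that these bits describe what the image *requests*: a 64-bit process always runs with DEP, and system-wide or per-process mitigation policies can enforce DEP, ASLR or CFG regardless of what the header says, so the header audit is a triage step, not the final word.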