Thursday, April 28, 2011

Debugging the Native Windows API

We are going to play a little game. We will search inside the Native Windows Application Programming Interface (API) for functions that used internally by the Windows 7 operating system. The use of such functions is not suggested by Microsoft. We are not only going to uncover such functions, but also we will use them and we will examine their results. 
The Native API is behind the Base API that Microsoft suggests to use for compatibility and portability reasons.

The Native API is the last layer (in user mode) that performs direct calls to the windows kernel mode and more specific to the NTOSKRNL.EXE that is the core windows kernel.

I must say that, in my opinion, the method of checking the API of windows is not the easiest thing. I could say that it is more difficult than this in Linux while windows source is not available. Its a closed source.  How then is possible to study a specific API function? Only disassembly code can be extracted by processes that are not belong to core kernel. In case that we want to debug kernel, we will need special programs (a windows  kernel debugger for example), but this is beyond the scope of this article. We will see from a user-mode point of view the procedures and functions (even undocumented) inside the Native API, aka ntdll.dll.

A question that one might ask, is: But why we do this?
Hmm... there are more than one reason:
1. It is a very good elementary lesson for the wannabe operating systems reverser's.
2. We will learn how to administer our operating system's basic internal actions.
3. We will see live the operation of the (somehow) cryptic native windows API.

What knowledge is required to read this article?
Well, not deep.
1. Elementary knowledge of some reversing techniques, for example how to use Olly debugger.
2. Little (yes little!) knowledge of assembly. We will meet inevitability a lot of assembly code in our trip but I am not willing to make this article an assembly listing with explanations! We will see how to achieve our goals without the need to be an assembly programmer.
Lets start!

Tuesday, April 26, 2011

Resetting root pass without livecd in two steps

[tested on Gentoo 2.6.36 r8]
There are cases that we forget our root password and we don't have any live CD to boot from in order to mount our file system. Is there any solution?
Yes it is. It is a two steps procedure. We will:
1. Enter to our system in a single user mode.
2. Mount our disk volumes, chroot and create a new password.

Suppose that we have a linux box with the following configuration:
Device      Boot    Start   End    Blocks   Id  System
/dev/sda1   *         1      14    105808+  83  Linux
/dev/sda2            15      81    506520   82  Linux swap
/dev/sda3            82    3876  28690200   83  Linux


Monday, April 25, 2011

Old, Good and Funny Trick

This is a very small and simple program that just writes... something to an underused registry value (tested on Win2k, WinXP). Registry is used in Windows (from version 95 and later) to store information that will be used for several purposes by the operating system or by any other application.

There are entries that perform specific tasks...
Does anyone remember the autoexec.bat or config.sys in old good DOS times? Ok, ok... these files still exists in our disks…. but their modern counterparts located in registry, specifically in keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Anyway, I will not go too far with this, because my purpose is not to explain the use of the above, instead I would like to expose a less known and underused  (I suppose) registry value which is:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The above key has 2 special string values named
(1)LegalNoticeCaption and
(2)LegalNoticeText.
You can go & see the above registry key using the registry editor. You can call it by Start|Run|Regedit. So, if you go in this key normally you will not see  the two special strings (1) and (2). Instead you will see other “important & useful keys” but again this is not our goal.
You can Add manually the above string by Right Click| New| StringValue.
Now,…. What is special with those string value…..  Hmmm, when the operating system starts & finds these string values it shows a message box with title the value of LegalNoticeCaption and Text the value of LegalNoticeText. …..


A required step to understand buffer overflow

This is not a buffer overflow exploit, but a required background that will help to understand how CPU & memory "collaborate" each other to execute a program.
I have read many articles about 'buffer overflow'. Most of them starting from a specific point by 'stowing' the basic knowledge one must have to deeply understand what is going on (behind the scenes). I wrote this article to cover (I hope) this gap.

If at the end of this article you feel more comfortable with concepts like CALL, RETN and how a function is executed using the memory (buffer, stack, etc) then I will consider this article as a successful one...

First, I would like to point out that everything we say, is about the processor xx86 family. In addition, most memory addresses are expressed in a decimal notation (for the shake of clarity, for beginners) instead of hexadecimal that actually represented by real world software systems.

Requirements in order to read this article:
1. A basic understanding of assembly language.
2. A basic understanding of C language.

Every process starts in a computer memory (RAM – Random Access Memory) in three basic segments:
-Code Segment
-Data Segment (the well known BSS)
-Stack Segment