Posted by Preacher on
The stack is a memory segment just like the heap or bss. It's used as a temporary frame
during function calls (return address, saved registers, arguments) and for the local variables of a function. Let's see how it works.
First, below is an illustration of the memory segmentation:
It's named stack because of how it works: it follows the LIFO (last in, first out) principle,
a data structure on which we can push and pop objects. The last pushed object will be the first one to be popped
off the stack, and the first pushed object will be the last one to be popped off....
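The LIFO behaviour is easy to observe on the call stack itself. The following C program is an added example (not code from the post): each nested call records the address of one of its locals, which shows that every callee's frame is pushed underneath its caller's (the stack grows towards lower addresses on x86, x86-64 and ARM), and that a frame released on return is reused by the very next call made from the same spot, the pop followed by a push. The function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Record the address of a local in this call's frame, then recurse.
 * noinline keeps every call a real call (and so a real frame) even at -O2. */
__attribute__((noinline)) static uintptr_t frame_marker(int depth, uintptr_t *out, int n)
{
    volatile int local = depth;            /* lives in this call's stack frame */
    out[depth] = (uintptr_t)&local;
    if (depth + 1 < n)
        frame_marker(depth + 1, out, n);   /* pushes another frame on top */
    return out[depth];                     /* read after the call: not a tail call */
}

/* 1 if each nested call's frame sits below its caller's, i.e. the callee's
 * locals were pushed underneath the caller's. n must be between 2 and 16. */
int frames_grow_down(int n)
{
    uintptr_t addrs[16];
    if (n < 2 || n > 16) return 0;
    frame_marker(0, addrs, n);
    for (int i = 1; i < n; i++)
        if (addrs[i] >= addrs[i - 1]) return 0;
    return 1;
}

/* 1 if the frame popped when a call returns is handed to the very next call
 * made from the same place: LIFO in action. */
int frame_is_reused(void)
{
    uintptr_t a[1], b[1];
    frame_marker(0, a, 1);
    frame_marker(0, b, 1);
    return a[0] == b[0];
}

int main(void)
{
    uintptr_t addrs[4];
    frame_marker(0, addrs, 4);
    for (int i = 0; i < 4; i++)
        printf("depth %d: local at %#lx\n", i, (unsigned long)addrs[i]);
    printf("frames grow down: %d, frame reused after return: %d\n",
           frames_grow_down(4), frame_is_reused());
    return 0;
}
```

Run it twice and the absolute addresses change (ASLR randomises the stack base), but the ordering and the reuse do not; that ordering is exactly why a local buffer overflowed past its end runs into the saved return address above it.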
Posted by Preacher on
The heap is a data segment, just like the stack or bss, except that it's used to store dynamic data.
Unlike the other data segments, its size isn't fixed: it can be grown (or shrunk) with the brk/sbrk system calls.
Those are what glibc's malloc, also known as ptmalloc, uses internally to get memory for ordinary requests (large ones are served with mmap instead).
Heap based overflows differ from stack based ones in that there is no saved return address to hit: you can't overwrite EIP/RIP directly,
so control has to come from corrupting something else that lives on the heap, such as a function pointer in a neighbouring chunk or malloc's own chunk metadata.
It's important to understand how malloc and free work in order to exploit a heap based overflow, so I'll
give a quick explanation about this. Keep in mind we're talking about ptmalloc here, since that's the ...
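To make the "no EIP/RIP to overwrite" point concrete, here is an added example (mine, not the post's, and not ptmalloc): a toy bump allocator hands out contiguous chunks from a static arena, exactly as adjacent small chunks sit next to each other on a real heap, and an unchecked copy into the first chunk spills into the second chunk's function pointer. The allocator, the handler struct and the payload are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy bump allocator over a static arena. Like ptmalloc it hands out
 * contiguous, 16-byte aligned chunks, but it keeps no metadata, so the layout
 * is deterministic on every platform. Constructed for illustration only. */
static unsigned char arena[256] __attribute__((aligned(16)));
static size_t arena_top;

static void toy_reset(void) { arena_top = 0; memset(arena, 0, sizeof arena); }

static void *toy_alloc(size_t n)
{
    n = (n + 15) & ~(size_t)15;
    if (arena_top + n > sizeof arena) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* A heap object carrying a function pointer, the kind of target a heap
 * overflow goes after when there is no saved return address to hit. */
struct handler { void (*fn)(int); int arg; };

static int observed;                       /* set by whichever callback runs */
static void benign(int x)   { observed = x; }
static void hijacked(int x) { observed = -x; }

/* The bug: copies len bytes into a 16-byte heap buffer with no bound check.
 * noinline so the compiler cannot see the write and assume h->fn is unchanged. */
__attribute__((noinline)) static void copy_unchecked(char *dst, const unsigned char *src, size_t len)
{
    memcpy(dst, src, len);
}

/* Allocate a 16-byte buffer followed by a handler, write either exactly 16
 * bytes (overflow = 0) or 16 + sizeof(void *) bytes (overflow = 1) into the
 * buffer, then invoke the handler. Returns the value observed: 7 when the
 * original callback ran, -7 when the overflow redirected the call. */
int run_overflow(int overflow)
{
    toy_reset();
    char *buf = toy_alloc(16);                 /* chunk 1 */
    struct handler *h = toy_alloc(sizeof *h);  /* chunk 2, immediately after */
    h->fn = benign;
    h->arg = 7;

    /* Constructed payload: 16 bytes of filler, then the bytes of a function
     * pointer that land exactly on h->fn. */
    unsigned char payload[16 + sizeof(void (*)(int))];
    void (*target)(int) = hijacked;
    memset(payload, 'A', 16);
    memcpy(payload + 16, &target, sizeof target);

    copy_unchecked(buf, payload, overflow ? sizeof payload : 16);
    h->fn(h->arg);   /* EIP/RIP was never written; the indirect call was redirected */
    return observed;
}

int main(void)
{
    printf("no overflow: observed %d\n", run_overflow(0));
    printf("overflow:    observed %d\n", run_overflow(1));
    return 0;
}
```

On a real glibc heap the chunk after the buffer also has an 8- or 16-byte header (size field plus flags) before its user data, so the offset to the pointer is larger and the header itself becomes a second target; that is why the malloc/free internals matter.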
Posted by Preacher on
First let me clarify what LD_PRELOAD is. On UNIX, ld is the link editor: it combines object files into a single
executable (or shared library) and records which shared libraries that executable will need at run time.
ld.so or ld-linux.so, located in /lib/, is the dynamic loader: it maps a dynamically linked executable and the
libraries it depends on into memory and resolves the symbols between them. It also carries what it needs (an entry
point of its own) to be run directly as an executable.
Some environment variables tell the dynamic loader where to look for the needed libs (LD_LIBRARY_PATH, for instance).
LD_PRELOAD is the one that lists shared objects to be loaded before all the others, including those found in the default
paths: since symbols are resolved in load order, a function defined in a preloaded object shadows the one of the same name in libc.
The loader ignores LD_PRELOAD (except for objects in trusted system directories) when the program is setuid or setgid.
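The classic demonstration of that shadowing is a preloaded object that redefines getuid/geteuid. The code below is an added example, not from the post: the file name, the whoami usage and the fakeroot_hook_calls/would_look_like_root helpers are mine. whoami decides what to print by calling geteuid(), so with the object preloaded it answers root.

```c
/* fakeroot.c: a minimal LD_PRELOAD interposer (constructed example).
 *
 *   cc -shared -fPIC -o fakeroot.so fakeroot.c
 *   whoami                               # prints your user name
 *   LD_PRELOAD=./fakeroot.so whoami      # prints root
 *
 * ld.so loads the preloaded object before libc, so symbol lookup finds our
 * geteuid first and every dynamically linked program that calls it gets our
 * answer. The loader drops LD_PRELOAD (except for objects in trusted system
 * paths) when the program is setuid/setgid, so this does nothing against sudo. */
#include <sys/types.h>
#include <unistd.h>

static unsigned long hook_calls;       /* how many times a replacement ran */

uid_t getuid(void)  { hook_calls++; return 0; }   /* shadows libc's getuid  */
uid_t geteuid(void) { hook_calls++; return 0; }   /* shadows libc's geteuid */

/* Lets a caller confirm the replacements, not libc, answered the calls. */
unsigned long fakeroot_hook_calls(void) { return hook_calls; }

/* Stands in for a program like whoami: 1 if it would believe it runs as root. */
int would_look_like_root(void)
{
    return geteuid() == 0 && getuid() == 0;
}
```

A hook that needs the real function as well (to log a call and then pass it through) fetches it with dlsym(RTLD_NEXT, "geteuid"), which resolves the symbol in the next object after the current one in load order, i.e. libc.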
Posted by Preacher on
In this paper, we'll go over some basic anti-debug tricks. I won't introduce anti-dump
techniques nor other advanced protections. By the way, all of this is Windows specific.
Most (if not all) anti-debug techniques rely on the fact that the system and the application concerned behave
differently when the application is being debugged than when it isn't.
We'll simply use these differences to check for the presence of a debugger.
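The simplest of those differences is a flag the system itself keeps for a debugged process. The C below is an added example (mine, not the post's): on Windows it asks for that flag through IsDebuggerPresent (which only reads PEB->BeingDebugged, a byte a debugger can clear) and through CheckRemoteDebuggerPresent (which queries the kernel's debug port and is harder to spoof from user mode). The post is Windows-only; the Linux branch, which reads the TracerPid field of /proc/self/status, is my addition to show the same idea elsewhere. The sample status text in the test is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Parse the TracerPid field out of /proc/<pid>/status text (Linux).
 * Returns the tracer's pid, 0 when nothing is attached, -1 if the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* 1 if a debugger appears to be attached to this process, 0 otherwise. */
int debugger_present(void)
{
#ifdef _WIN32
    BOOL remote = FALSE;
    if (IsDebuggerPresent())                       /* reads PEB->BeingDebugged */
        return 1;
    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote) && remote)
        return 1;                                  /* kernel says a debug port exists */
    return 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");     /* absent outside Linux: report 0 */
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;              /* ptrace attached: nonzero pid */
#endif
}

int main(void)
{
    printf("debugger present: %d\n", debugger_present());
    return 0;
}
```

Either check is trivial to defeat by a reverser who finds it, which is why real protectors scatter many different checks (timing, exceptions, hardware breakpoint registers) rather than relying on one call.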
Posted by Preacher on
This paper is a brief introduction to unpacking. We'll begin with a simple packer named UPX. A packer is a
program generally used by professional/commercial developers to protect their software from being cracked
(malware authors use the same tools to slow down analysis).
The packer compresses (and sometimes encrypts) the program's original code and adds a bunch of code of its own
to the executable; this added code is called the loader, or stub.
When the program is executed and mapped into memory, the loader added by the packer is executed before the program
itself and it will decompress...
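That layout (a stub that runs first and decompresses the original code into space reserved for it) leaves visible traces in the PE section table, and recognising them is the first step before unpacking. The C below is an added example (mine, not the post's): a small PE section-table parser that flags the UPX section names, an executable section with no bytes on disk (UPX0, reserved for the unpacked image), and an entry point that sits outside the first code section (in the stub inside UPX1). The two headers it checks are constructed in the code, not real files, and the hint names and heuristics are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum {
    HINT_UPX_SECTION_NAME = 1,        /* a section named UPX0/UPX1/...           */
    HINT_EMPTY_EXEC_SECTION = 2,      /* executable section with no bytes on disk */
    HINT_ENTRY_OUTSIDE_FIRST_CODE = 4 /* entry point not in the first code section */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Walk a PE image's section table and return a bitmask of the hints above,
 * or -1 when the buffer is not a well-formed PE header. */
int pe_packer_hints(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3c);                       /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = buf + pe + 4;
    unsigned nsec = rd16(coff + 2), optsz = rd16(coff + 16);
    if (optsz < 20 || len - pe - 24 < optsz + (size_t)nsec * 40) return -1;
    const uint8_t *opt = coff + 20;
    uint32_t entry = rd32(opt + 16);   /* AddressOfEntryPoint, same offset in PE32 and PE32+ */
    const uint8_t *sec = opt + optsz;

    int hints = 0, first_code = -1, entry_in = -1;
    for (unsigned i = 0; i < nsec; i++, sec += 40) {
        char name[9] = {0};
        memcpy(name, sec, 8);
        uint32_t vsize = rd32(sec + 8), va = rd32(sec + 12);
        uint32_t rawsz = rd32(sec + 16), chars = rd32(sec + 36);
        int exec = (chars & 0x20000000u) != 0;            /* IMAGE_SCN_MEM_EXECUTE */
        if (strncmp(name, "UPX", 3) == 0) hints |= HINT_UPX_SECTION_NAME;
        if (exec && rawsz == 0 && vsize > 0) hints |= HINT_EMPTY_EXEC_SECTION;
        if (exec && first_code < 0) first_code = (int)i;
        if (entry >= va && entry - va < vsize) entry_in = (int)i;
    }
    if (entry_in >= 0 && entry_in != first_code) hints |= HINT_ENTRY_OUTSIDE_FIRST_CODE;
    return hints;
}

struct sec_desc { const char *name; uint32_t va, vsize, rawsz, chars; };

/* Build a minimal PE32+ header (headers only, no code) around the given
 * section table. Constructed sample generator, not a real binary. */
static size_t build_pe(uint8_t *buf, size_t cap, const struct sec_desc *s, unsigned n, uint32_t entry)
{
    const uint32_t pe_off = 0x80, optsz = 0xF0;           /* PE32+ optional header size */
    size_t need = pe_off + 4 + 20 + optsz + (size_t)n * 40;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4;
    wr16(coff, 0x8664);                                    /* Machine: x86-64 */
    wr16(coff + 2, (uint16_t)n);
    wr16(coff + 16, (uint16_t)optsz);
    uint8_t *opt = coff + 20;
    wr16(opt, 0x20b);                                      /* PE32+ magic */
    wr32(opt + 16, entry);
    uint8_t *sec = opt + optsz;
    for (unsigned i = 0; i < n; i++, sec += 40) {
        size_t l = strlen(s[i].name);
        memcpy(sec, s[i].name, l > 8 ? 8 : l);
        wr32(sec + 8, s[i].vsize); wr32(sec + 12, s[i].va);
        wr32(sec + 16, s[i].rawsz); wr32(sec + 36, s[i].chars);
    }
    return need;
}

/* Two constructed layouts: the shape UPX leaves behind (empty RWX UPX0 for the
 * unpacked image, UPX1 holding compressed data plus the stub the entry point
 * lands in) versus an ordinary compiler-produced one. Returns the hint mask. */
int demo_hints(int packed)
{
    static const struct sec_desc upx[] = {
        { "UPX0",  0x01000, 0x20000, 0x0000, 0xE0000080u },
        { "UPX1",  0x21000, 0x08000, 0x7800, 0xE0000040u },
        { ".rsrc", 0x29000, 0x01000, 0x1000, 0xC0000040u },
    };
    static const struct sec_desc plain[] = {
        { ".text", 0x1000, 0x5000, 0x5000, 0x60000020u },
        { ".data", 0x6000, 0x1000, 0x0400, 0xC0000040u },
        { ".rsrc", 0x7000, 0x1000, 0x1000, 0x40000040u },
    };
    uint8_t buf[1024];
    size_t n = packed ? build_pe(buf, sizeof buf, upx, 3, 0x28F00)
                      : build_pe(buf, sizeof buf, plain, 3, 0x1400);
    return n ? pe_packer_hints(buf, n) : -1;
}
```

demo_hints(1) returns 7 (all three hints) and demo_hints(0) returns 0. The section names are the easiest hint to strip (renaming them is a one-line edit), so the empty executable section and the misplaced entry point are the ones worth trusting on a sample that has been touched after packing.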