About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> jms's Blog

Created: Monday, June 11 2007 12:43.35 CDT  
Printer Friendly ...
Tracing Naughty Functions
Author: jms # Views: 2696

Well with Ero's release of ida2sql I wanted to test out some methods for tracing execution and data flow through dangerous functions. I am searching for feedback and comments here if you got them. If you haven't checked out ida2sql, then do so....NOW!

The main goal was to determine with a fuzzing session how close you are getting to a basic block that makes a call to a vulnerable function. By using the search operators like:

SELECT * FROM functions_1 WHERE name like '%cpy%' OR name like "%printf%";

We are able to now get a list of addresses where these bad functions reside, the beauty of ida2sql is that they have already determined address x-refs for you :) (great job again Ero). So by finding the x-ref'd basic blocks, we are able to then set breakpoints on them in pydbg, I call this "Ground Zero".

The beauty and power lies in the fact that we are able to determine a proximity to these ground zero points, by finding the x-refs to the basic blocks, and work our way back up the chain. So at the end of this callchain we have ground zero, but its also useful to understand that if our input is getting trounced at "Level 10" or 10 bb's away from ground zero, that we can hone in on that area and determine how to drive our input further.

Now don't get me wrong, I agree with DeMott and others that overall code coverage is a great metric, and useful for finding bugs, but I really think that doing this type of on the fly path analysis can help to weed out bugs and assist in more manual style fuzzing.

Anyways, I am short on time, and just wanted to drop this out there to anyone who is interested in this stuff, or has already seen something like this in action. Drop me any referring articles as well! Again thanks to Ero and Pedram for the wicked tools!




Add New Comment
Comment:









There are 31,326 total registered users.


Recently Created Topics
what\'s the big idea...
Nov/13
Oct/23
Oct/23
Oct/23
Oct/23
Oct/23
Oct/23
Oct/23
Oct/23
Oct/23


Recent Forum Posts
Reverse Engineering ...
bytecod3r
Reverse Engineering ...
bytecod3r
Reverse Engineering ...
bytecod3r
Reverse Engineering ...
bytecod3r
Reverse Engineering ...
bytecod3r
let 'IDAPython' impo...
bytecod3r
Reverse Engineering ...
bytecod3r
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit