OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Monday, June 11 2007 12:43.35 CDT

Printer Friendly ...

Tracing Naughty Functions

Author: jms

# Views: 2643

Well with Ero's release of ida2sql I wanted to test out some methods for tracing execution and data flow through dangerous functions. I am searching for feedback and comments here if you got them. If you haven't checked out ida2sql, then do so....NOW!

The main goal was to determine with a fuzzing session how close you are getting to a basic block that makes a call to a vulnerable function. By using the search operators like:

SELECT * FROM functions_1 WHERE name like '%cpy%' OR name like "%printf%";

We are able to now get a list of addresses where these bad functions reside, the beauty of ida2sql is that they have already determined address x-refs for you :) (great job again Ero). So by finding the x-ref'd basic blocks, we are able to then set breakpoints on them in pydbg, I call this "Ground Zero".

The beauty and power lies in the fact that we are able to determine a proximity to these ground zero points, by finding the x-refs to the basic blocks, and work our way back up the chain. So at the end of this callchain we have ground zero, but its also useful to understand that if our input is getting trounced at "Level 10" or 10 bb's away from ground zero, that we can hone in on that area and determine how to drive our input further.

Now don't get me wrong, I agree with DeMott and others that overall code coverage is a great metric, and useful for finding bugs, but I really think that doing this type of on the fly path analysis can help to weed out bugs and assist in more manual style fuzzing.

Anyways, I am short on time, and just wanted to drop this out there to anyone who is interested in this stuff, or has already seen something like this in action. Drop me any referring articles as well! Again thanks to Ero and Pedram for the wicked tools!

There are 31,323 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit