📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.








Flag: Tornado! Hurricane!

 Forums >>  Brainstorms - General  >>  Free BSD php extension dynamic analysis

Topic created on: July 10, 2011 02:40 CDT by gemoroy .

Hi i'm reversing shared library which is an php zend extension.
My first goal was to determine which function of this module will be called by a standard php handler and it's input.
Problem is, apache is preforked so i can't determine which child will handle the request as a result i can't just attach with gdb and add rwatch to a prospective(after static analysis) function.
What i've done already in short: i've written a kernel module which marks memory region where module is mapped as non-executable, and hook's pagefault handing.
parsing exception frame to determine address of code that called lookup it's stack and so on.
So after that seems like i've achieved my goal, and now i can emulate this input by my own software and debug it as normal, or, for example put it into radare VM.
But i was wondering if there is a better way to do it?
What for example if i did't have xd bit or running i386 distro without PAE?
Thanks in advance!
PS:I was thinking about reloc redirection but loading address are randomized.

  NirIzr     July 13, 2011 13:17.10 CDT
won't it be easier to patch (i think you can even configure it in the appache conf files) it to it will only create one working thread to handle requests?..

  gemoroy     July 14, 2011 01:21.09 CDT
> NirIzr: won\'t it be easier to patch (i think you can even configure it in the appache conf files) it to it will only create one working thread to handle requests?..
Omg, sure it would! Solution was so simple that i somehow missed it, thank you, NirIzr =).
PS:However my solution now comes in handy in unpacking for example when unpacked code gets mapped in section, and you need to break there on execution to find OEP, So it is not lost in vain =))

  janjensen     September 26, 2011 05:06.50 CDT
Did they update the patch?

Note: Registration is required to post to the forums.

There are 31,328 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit