📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
compiler /GS flag detection?

Topic created on: January 8, 2009 09:35 CST by aMIr.

hi guys,
I'll be glad to know a way or an automation such as an olly plugin or anything else to detect that a program has been compiled with /GS flag or not.

thank you,

  nezumi     January 8, 2009 22:37.12 CST
check for __security_check_cookie? it could be found via signatures...

  aMIr     January 13, 2009 04:36.51 CST
thanks Kris, but could you explain it more?

  nezumi     January 13, 2009 06:29.14 CST
yep, no problem. to perform stack control (/GS key) the compiler uses the __security_check_cookie function. this is an RTL function and it looks like this:

.text:77C065AB ; __fastcall __security_check_cookie(x)
.text:77C065AB __security_check_cookie proc near
.text:77C065AB 3B 0D 8C 40 C4 77                 cmp     ecx, ___security_cookie
.text:77C065B1 0F 85 E4 AB 03 00                 jnz     ___report_gsfailure
.text:77C065B7 F7 C1 00 00 FF FF                 test    ecx, 0FFFF0000h
.text:77C065BD 0F 85 D8 AB 03 00                 jnz     ___report_gsfailure
.text:77C065C3 C3                                retn
.text:77C065C3 __security_check_cookie

__security_check_cookie is stored inside RunTmChk.lib (gs_cookie.obj) and in my version of MS VC it looks like this:

$dumpbin /all /disasm RunTmChk.lib >out
@__security_check_cookie@4:
  00000000: 3B 0D 00 00 00 00  cmp         ecx,dword ptr [@__security_check_cookie@4]
  00000006: 75 02              jne         $failure$26774
  00000008: F3 C3              rep ret
$failure$26774:
  0000000A: E9 00 00 00 00     jmp         0000000F

RAW DATA #3
  00000000: 3B 0D 00 00 00 00 75 02 F3 C3 E9 00 00 00 00

of course, to recognize __security_check_cookie you have to know the signatures (IDA-Pro probably knows them, but I'm not 100% sure), but there is another way. since __security_check_cookie is called from many functions, control flow becomes very specific. also there are cross references to the ___security_cookie memory cell.

btw, MS06-040 Reloaded: The (More) Easy Way to Bypass Windows 2003 SP0 Stack Protection

it's easy to write IDA Script for automatic scanning files to check if they were compiled with /GS key or not.
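A plain-Python version of that scan, as an added example that is not from the post or from Microsoft's CRT: it matches the two __security_check_cookie bodies quoted above as masked byte signatures (the cookie address and the branch displacements are wildcards) over a buffer constructed from the bytes in the post; on a real binary the raw bytes of the .text section would be passed in instead.

```python
# Added example: masked byte-signature scan for the two __security_check_cookie
# bodies quoted in the thread. The sample buffer below is constructed from the
# bytes in the post; on a real PE, pass the raw bytes of the .text section.

# Each signature is a list of byte values; None is a wildcard position (the
# ___security_cookie address and branch displacements, fixed up at link time).
GS_SIGNATURES = {
    # cmp ecx,[cookie] / jne failure / rep ret        (RunTmChk.lib, gs_cookie.obj)
    "runtmchk_lib": [0x3B, 0x0D, None, None, None, None, 0x75, 0x02, 0xF3, 0xC3],
    # cmp ecx,[cookie] / jnz / test ecx,0FFFF0000h / jnz / retn   (ntdll listing)
    "test_high_word": [0x3B, 0x0D, None, None, None, None,
                       0x0F, 0x85, None, None, None, None,
                       0xF7, 0xC1, 0x00, 0x00, 0xFF, 0xFF,
                       0x0F, 0x85, None, None, None, None,
                       0xC3],
}


def matches_at(data, offset, pattern):
    """True if pattern (None = wildcard byte) matches data starting at offset."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan_gs_signatures(data):
    """Return [(signature_name, offset), ...] for every hit, ordered by offset."""
    hits = []
    for name, pattern in GS_SIGNATURES.items():
        for off in range(len(data) - len(pattern) + 1):
            if matches_at(data, off, pattern):
                hits.append((name, off))
    return sorted(hits, key=lambda hit: hit[1])


def has_gs_cookie_check(data):
    """Heuristic: the code section contains a __security_check_cookie body."""
    return bool(scan_gs_signatures(data))


# Constructed sample "section": NOP padding, the RAW DATA bytes from the dumpbin
# output, two INT3 bytes, then the bytes from the ntdll IDA listing in the post.
SAMPLE_TEXT = (
    bytes.fromhex("90 90 90 90")
    + bytes.fromhex("3B 0D 00 00 00 00 75 02 F3 C3 E9 00 00 00 00")
    + bytes.fromhex("CC CC")
    + bytes.fromhex("3B 0D 8C 40 C4 77 0F 85 E4 AB 03 00 "
                    "F7 C1 00 00 FF FF 0F 85 D8 AB 03 00 C3")
)
```

A hit only shows that a __security_check_cookie body is present; a signature miss on a binary built with an unlisted CRT version is why nezumi also points at the call pattern and the ___security_cookie cross references.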
