OpenRCE: Blog

When memory management goes bad...

Thu, 04 Mar 2010 13:00:59 -0600

Few months ago I've encountered a strange behavior in cmd.exe when I wanted to list some big collection of files and execute some command on every single file. I used for this task 'for' command similar to this:



for /R c:\ %c in (*.*) do echo %c >> cmd_ptc.log

After few hours of processing I get a very disturbing message:



"Not enough storage is available to process this command."

Actually cmd.exe can eat all memory available for the process. I decided to check why it needs such amount of memory and if it will be possible fix it. Below you can find link to the full article and package with the fixed binaries (from Windows Vista SP2):

http://rewolf.pl/stuff/rewolf_cmd_research.pdf - article
http://rewolf.pl/stuff/rewolf_cmd_research.zip - article and binaries

Happy reading !
ReWolf

Hacker Challenge 2008

Wed, 15 Apr 2009 15:10:10 -0500

My reports from Hacker Challenge 2008 are already available online:

(zip archives contains original challenge, cracked binary and report)

Phase 1:
http://rewolf.pl/stuff/rewolf_hc2008_phase1.zip
http://rewolf.pl/stuff/rewolf_hc2008_ph1_report.pdf

Phase 3 (third place in "quality of report" category):
http://rewolf.pl/stuff/rewolf_hc2008_phase3.zip
http://rewolf.pl/stuff/rewolf_hc2008_ph3_report.pdf

http://rewolf.pl

Old dbghelp and an old exploit...

Fri, 30 Jan 2009 08:42:38 -0600

    Recently I've came across some "strange" problems during loading some executables into OllyDbg. After loading the file, OllyDbg just crashed without any error. During a quick research I've figured out that the problem lays in the extension of the loaded file. In fact, the problem laid in the old version of dbghelp.dll (5.1.3590.0). I've asked google if "she" (or "he", who knows) knows something about this bug, and that was a good choice. I've found a discussion on tuts4you forum:

  http://forum.tuts4you.com/index.php?showtopic=16445

and a link to an exploit on milw0rm:

  http://www.milw0rm.com/exploits/6031

As you can read, it was related to "export name buffer overflow vulnerability". My problem was different, but debugging OllyDbg lead me to the call to SymLoadModule at the same place like in the mentioned exploit. Further debugging revealed that my problem is related to the wrong use of _splitpath function from msvcrt.dll. Calling tree looks like this:



SymLoadModule (exported)

  -> SymLoadModule64 (exported)

       -> SymLoadModuleEx (exported)

            -> InternalLoadModule

                 -> load

                      -> GetDebugData

                           -> FileNameIsPdb

                                -> msvcrt.splitpath

function FileNameIsPdb has a local variable:



  char _str_extension[20];

which is passed to the splitpath, and if our prepared file extension is longer than 20 bytes it overwrites values on the stack, next 8 bytes overwrite some local variables, and finaly next 4 bytes overwrites the return address:



  extension: ".dll1234567890qwertyuiopasdfxxxx"

it is not enough to crash OllyDbg though (for exploiting it should be sufficient), because there is SEH that can deal with this stack corruption. I figured out that overwriting another 26 bytes should crash OllyDbg, so the file extension should look like this:



  "sample.dll1234567890qwertyuiopasdfxxxxlzxcvbnmQWERTYUIOPASDFGHJK"

If someone has not updated dbghelp.dll in the olly directory, we can use this method as a simple anti-debug. We don't need to rename executable to such form, we can dump a sample dll (with malformed extension) on the disk during the execution of the program, and just load it with LoadLibrary function. Development of an exploit could prove to be problematic because of limitations of charset that can be used to craft filename.

This bug cannot be applied to newer versions of dbghelp.dll.

Original paper at: http://rewolf.pl/stuff/rewolf_dbghelp.txt

Hacker Challenge 2007

Fri, 31 Oct 2008 12:17:02 -0500

I've just put online my solutions and reports for Hacker Challenge 2007

Phase 1:
http://rewolf.pl/stuff/rewolf_hc2007_phase1.zip

Phase 3:
http://rewolf.pl/stuff/rewolf_hc2007_phase3.zip

Looking for a job...

Sun, 12 Aug 2007 06:14:09 -0500

Hello

Currently I'm looking for a remote job (full time) as reverse engineer/programmer. Previously I had worked for one of the AV companies for 18 months. During first month of my work I was virus researcher, I had analysed a few irc-bots (sdbot, agobot, padobot etc). Next I was promoted to work on 'static unpackers engine' (part of heuristic engine) and for the next 15 months I had done fully static, crossplatform unpackers for most common packers/protectors:

- FSG (all versions)
- PeX
- PESpin (all public versions, support for: stolen bytes, markers, code redirection)
- MEW (10 v1.1, 11 SE v1.1, 11 SE v1.2)
- PEtite (1.2, 1.3, 1.4, 2.2, 2.3)
- EXEStealth (2.6, 2.72, 2.73, 2.74, 2.75, 2.75a, 2.76)
- PEShield (0.1d, 0.25, 0.2b2)
- PECompact (2.x, support for: aPLib, BriefLZ, FFCE, JCALG1, LZMA, New LZMA, old aPLib)
- UPack (all available versions)
- EXE32Pack (1.3x)
- ASPack (all available versions 1.0b up to 2.1x)
- MoleBox (2.x.x, unpacks only main executable)

All unpackers are written in C++ and all try to rebuild fully working executables.

Already I work as a programmer, but it's completly not related to reverse engineering. Apart from work I like to code something more related to RE, like DLLPackager or x86 Virtualizer. You can check all my previous work at

http://rewolf.pl

So if you are looking for someone like me just drop me an e-mail: rewolf *at* rewolf *dot* pl