[28788] in bugtraq
Re: Preventing exploitation with rebasing
daemon@ATHENA.MIT.EDU (Bugtraq User)
Wed Feb 5 17:35:14 2003
Date: Wed, 5 Feb 2003 17:43:00 -0500 (EST)
From: Bugtraq User <bq@soft-analysts.com>
To: David Litchfield <david@ngssoftware.com>
In-Reply-To: <000701c2cd01$78c960c0$2601010a@recovery>
Message-ID: <Pine.LNX.4.44.0302051730460.21094-100000@ns.rodonsigns.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
> Going back to exe image files and rebasing. Surely they can be rebased even
> without a .reloc section? All I need to do is edit the image base in the PE
> header then parse the assembly looking for absolute addresses such as
> function addresses, static variables etc and modify these addresses, too.
>
I'm sorry but I don't think this is feasible in real life. In a test
program it may seem possible, but try and apply it to a real PE executable
that actually does something and you will see that it is not. To even
begin to do what you suggest, you would need to:
1) Write a functional disassembler that understands instruction
boundaries and knows which instructions reference absolute addresses
(easy).
2) Understand parts of the code section that are not assembly
instructions, such as JMP tables used by switch statements, and similar
constructs (getting harder).
3) Understand and be able to predict unknown data types, or infer their
data type by where they may or may not be referenced within code (quite
difficult).
How do you know if \x44\x42\x41\x00 within a .data section is an absolute
address 0x414244 or if it is actually the string DBA\0?
For all that effort, you might as well develop a more worthwhile security
measure.
