Rop Analysis II

Author: David Zimmer
Date: 02.23.13 - 10:01pm

Here is another quick post on ROP analysis.

I didnt really know the best place to begin, so I started where I could.

First I built a quick app that would scan a directory for dlls and load the sections and map the virtual addresses each covered. It also scanned the import table of each dll and built a list of IAT addresses and what they corresponded to. I also added some other stuff to the IAT marker list to include scans of some known gadget addresses and their comments from various public exploits to help identify ROP start offsets.

So with the base info built, I took a rop exploit (MD5: 805538FF200EC714A735EF3BC1FFF1F0) got the shellcode, and extracted the ROP portion into a seperate file for simplicity. One problem is not knowing what alignment the ROP part starts on, so the app will also allow you to specify the start offset. When you scan the file, it will dump it to 32bit numbers and if any of the known markers are found, or if the addresses fit within the sections loaded, then you know you have the right alignment. (1-3 tries required max).
(click to enlarge)

If the address is found to be within an executable section of a loaded dll, then we disassemble the address and extract the opcodes and disasm up until a terminating instruction is encountered.

Once all of the data is collected, then you can have the interface generate a scdbg .scmd file which will poke the utilized opcodes into memory at the necessary addresses, and set the start offset to the entry you specify.

You can download sample files and output here At first wasnt sure what was going on, but a little googling revealed that this sample is using a NtAccessCheckAndAuditAlarm egg hunter

Test 2 successful. Next comes a full rop only shellcode test and possibly adding a handler for int 0x2e to scdbg. Note: if you want to record all of the register values at every instruction, edit the scmd file and set verbosity to two (eg. -vv) I have uploaded the test tool shown above so I dont lose it.

Comments: (0)

Leave Comment:
Email: (not shown)
Message: (Required)
Math Question: 78 + 74 = ? followed by the letter: N 

About Me
More Blogs
Main Site
Yara WorkBench
vbdec dbg updates
vb6 PCode NOP
vb6 API and call backs
how pcode works Pt1
Reversing PCode Args
VB6 PCode Disassembly
VB6 PCode Debugger
UConnect Disable Cell Modem
IDA python over IPC
dns wildcard blocking
64bit IDA Plugins
anterior lines
misc news/updates
Decoders again
CDO.Message Breakpoints
SysAnalyzer Updates
SysAnalyzer and Site Updates
crazy decoder
ida js w/dbg
flash patching #2
JS Graphing
packet reassembly
Delphi IDA Plugin
scdbg IDA integration
API Hash Database
Winmerge plugin
IDACompare Updates
Guest Post @ hexblog
TCP Stream Reassembly
SysAnalyzer Updates
Apilogger Video
Shellcode2Exe trainer
scdbg updates
IDA Javascript w/IDE
Rop Analysis II
scdbg vrs ROP
flash patching
x64 Hooks
micro hook
jmp api+5 *2
SysAnalyzer Updates
InjDll runtime config
C# Asm/Dsm Library
Shellcode Hook Detection
Updates II
Java Hacking
Windows 8
Win7 x64
Graphing ideas
.Net Hacking
Old iDefense Releases
hll shellcode
ActionScript Tips
-patch fu
scdbg ordinal lookup
scdbg -api mode
Peb Module Lists
scdbg vrs Process Injection
GetProcAddress Scanner
scdbg fopen mode
scdbg findsc mode
scdbg MemMonitor
demo shellcodes
scdbg download
api hashs redux
Api hash gen
Retro XSS Chat Codes
Exe as DLL
Olly Plugins
Debugging Explorer
Attach to hidden process
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
PDF Stream Dumper
Malcode Call API by Hash
WinDbg Cheat Sheet
GPG Automation