Fuzzing Win32 Interprocess Communication Mechanisms
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Inter-Process Communication, Analysis, Guidelines and Its Impact on Computer Security
The 7th International Conference for Informatics and Information Technology (CIIT 2010) INTER-PROCESS COMMUNICATION, ANALYSIS, GUIDELINES AND ITS IMPACT ON COMPUTER SECURITY Zoran Spasov Ph.D. Ana Madevska Bogdanova T-Mobile Macedonia Institute of Informatics, FNSM Skopje, Macedonia Skopje, Macedonia ABSTRACT Finally the conclusion will offer a summary of the available programming techniques and implementations for the In this paper we look at the inter-process communication Windows platforms. We will note the security risks and the (IPC) also known as inter-thread or inter-application best practices to avoid them. communication from other knowledge sources. We will look and analyze the different types of IPC in the Microsoft II. INTER -PROCESS COMMUNICATION (IPC) Windows operating system, their implementation and the usefulness of this kind of approach in the terms of Inter-Process Communication (IPC) stands for many communication between processes. Only local techniques for the exchange of data among threads in one or implementation of the IPC will be addressed in this paper. more processes - one-directional or two-directional. Processes Special emphasis will be given to the system mechanisms that may be running locally or on many different computers are involved with the creation, management, and use of connected by a network. We can divide the IPC techniques named pipes and sockets. into groups of methods, grouped by their way of This paper will discuss some of the IPC options and communication: message passing, synchronization, shared techniques that are available to Microsoft Windows memory and remote procedure calls (RPC). We should programmers. We will make a comparison between Microsoft carefully choose the IPC method depending on data load that remoting and Microsoft message queues (pros and cons). -
An Introduction to Linux IPC
An introduction to Linux IPC Michael Kerrisk © 2013 linux.conf.au 2013 http://man7.org/ Canberra, Australia [email protected] 2013-01-30 http://lwn.net/ [email protected] man7 .org 1 Goal ● Limited time! ● Get a flavor of main IPC methods man7 .org 2 Me ● Programming on UNIX & Linux since 1987 ● Linux man-pages maintainer ● http://www.kernel.org/doc/man-pages/ ● Kernel + glibc API ● Author of: Further info: http://man7.org/tlpi/ man7 .org 3 You ● Can read a bit of C ● Have a passing familiarity with common syscalls ● fork(), open(), read(), write() man7 .org 4 There’s a lot of IPC ● Pipes ● Shared memory mappings ● FIFOs ● File vs Anonymous ● Cross-memory attach ● Pseudoterminals ● proc_vm_readv() / proc_vm_writev() ● Sockets ● Signals ● Stream vs Datagram (vs Seq. packet) ● Standard, Realtime ● UNIX vs Internet domain ● Eventfd ● POSIX message queues ● Futexes ● POSIX shared memory ● Record locks ● ● POSIX semaphores File locks ● ● Named, Unnamed Mutexes ● System V message queues ● Condition variables ● System V shared memory ● Barriers ● ● System V semaphores Read-write locks man7 .org 5 It helps to classify ● Pipes ● Shared memory mappings ● FIFOs ● File vs Anonymous ● Cross-memory attach ● Pseudoterminals ● proc_vm_readv() / proc_vm_writev() ● Sockets ● Signals ● Stream vs Datagram (vs Seq. packet) ● Standard, Realtime ● UNIX vs Internet domain ● Eventfd ● POSIX message queues ● Futexes ● POSIX shared memory ● Record locks ● ● POSIX semaphores File locks ● ● Named, Unnamed Mutexes ● System V message queues ● Condition variables ● System V shared memory ● Barriers ● ● System V semaphores Read-write locks man7 .org 6 It helps to classify ● Pipes ● Shared memory mappings ● FIFOs ● File vs Anonymous ● Cross-memoryn attach ● Pseudoterminals tio a ● proc_vm_readv() / proc_vm_writev() ● Sockets ic n ● Signals ● Stream vs Datagram (vs uSeq. -
IPC: Mmap and Pipes
Interprocess Communication: Memory mapped files and pipes CS 241 April 4, 2014 University of Illinois 1 Shared Memory Private Private address OS address address space space space Shared Process A segment Process B Processes request the segment OS maintains the segment Processes can attach/detach the segment 2 Shared Memory Private Private Private address address space OS address address space space space Shared Process A segment Process B Can mark segment for deletion on last detach 3 Shared Memory example /* make the key: */ if ((key = ftok(”shmdemo.c", 'R')) == -1) { perror("ftok"); exit(1); } /* connect to (and possibly create) the segment: */ if ((shmid = shmget(key, SHM_SIZE, 0644 | IPC_CREAT)) == -1) { perror("shmget"); exit(1); } /* attach to the segment to get a pointer to it: */ data = shmat(shmid, (void *)0, 0); if (data == (char *)(-1)) { perror("shmat"); exit(1); } 4 Shared Memory example /* read or modify the segment, based on the command line: */ if (argc == 2) { printf("writing to segment: \"%s\"\n", argv[1]); strncpy(data, argv[1], SHM_SIZE); } else printf("segment contains: \"%s\"\n", data); /* detach from the segment: */ if (shmdt(data) == -1) { perror("shmdt"); exit(1); } return 0; } Run demo 5 Memory Mapped Files Memory-mapped file I/O • Map a disk block to a page in memory • Allows file I/O to be treated as routine memory access Use • File is initially read using demand paging ! i.e., loaded from disk to memory only at the moment it’s needed • When needed, a page-sized portion of the file is read from the file system -
Interprocess Communication
06 0430 CH05 5/22/01 10:22 AM Page 95 5 Interprocess Communication CHAPTER 3,“PROCESSES,” DISCUSSED THE CREATION OF PROCESSES and showed how one process can obtain the exit status of a child process.That’s the simplest form of communication between two processes, but it’s by no means the most powerful.The mechanisms of Chapter 3 don’t provide any way for the parent to communicate with the child except via command-line arguments and environment variables, nor any way for the child to communicate with the parent except via the child’s exit status. None of these mechanisms provides any means for communicating with the child process while it is actually running, nor do these mechanisms allow communication with a process outside the parent-child relationship. This chapter describes means for interprocess communication that circumvent these limitations.We will present various ways for communicating between parents and chil- dren, between “unrelated” processes, and even between processes on different machines. Interprocess communication (IPC) is the transfer of data among processes. For example, a Web browser may request a Web page from a Web server, which then sends HTML data.This transfer of data usually uses sockets in a telephone-like connection. In another example, you may want to print the filenames in a directory using a command such as ls | lpr.The shell creates an ls process and a separate lpr process, connecting 06 0430 CH05 5/22/01 10:22 AM Page 96 96 Chapter 5 Interprocess Communication the two with a pipe, represented by the “|” symbol.A pipe permits one-way commu- nication between two related processes.The ls process writes data into the pipe, and the lpr process reads data from the pipe. -
Interprocess Communications (Pipes)
Multiple methods for Interprocess Communications Three examples: files, pipes, shared memory. In this figure, Local domain sockets would be conceptually similar to a named pipe. The second method refers to pipes Sources for these slides include: • W. Stevens, Unix Network Programming, Volumes 1 and 2 • M. Mitchell, J. Oldham, A. Samuel, Advanced Linux Programming 1 Interprocess Communication (IPC) ⚫ Linux supports the following IPC mechanisms: – Half duplex pipes – Full duplex pipes –only by using 2 pipes (other unix systems do support FD over a single pipe) – FIFOS (also called named pipes) – SYSV style message queues – SYSV style shared memory – Local Domain (UNIX Domain) sockets – Similar to a socket but modifications to the address/name aspect. (PF_LOCAL rather than PF_INET). – Sockets: Two processes can communicate using localhost. But it’s more efficient to use 2 pipes or local domain sockets. Pipe – used in a shell pipeline ⚫ Example of a pipeline - issue the following in a shell: – who | sort | wc 2 10 110 – The shell program creates three processes, two pipes are used as shown below. – The shell would use the dup2 call to duplicate the read end of each pipe to standard input and the write end to standard output. ⚫ int fd[2]; ⚫ pid_t pid; ⚫ pipe(fd); ⚫ pid = fork(); ⚫ If(pid == 0) { – dup2(fd[0], STDIN_FILENO); – exec(whatever); ⚫ } ⚫ The use of dup2 by a shell allows a program or filter to simply operate on data arriving through standard in….and sends output to standard out. It does not need to know the pipe descriptors involved…. 3 – Note – modified the pipeline- the figure assumes lp instead of wc . -
Interacting Modelica Using a Named Pipe for Hardware-In-The-Loop Simulation
Interacting Modelica using a Named Pipe for Hardware-in-the-loop Simulation Interacting Modelica using a Named Pipe for Hardware-in-the-loop Simulation Arno Ebner Anton Haumer Dragan Simic Franz Pirker Arsenal Research Giefinggasse 2, 1210 Vienna, Austria phone: +43 50550 6663, fax: +43 50550 6595, e-mail: [email protected] Abstract tion for the system model considering the initial val- ues. The paper presents a concept and an implementation In some cases the user or other applications have to of Modelica simulation interaction using the operat- interact with the simulation, for example to: ing system inter-process communication method of • Start or interrupt the simulation the Named Pipe. The main aim of this presented • Change parameters or variables during the simu- work is to implement a hardware-in-the-loop simula- lation tion (HILS) environment based on Dymola which • Communicate with other applications, for exam- runs on a normal Microsoft Windows Personal Com- ple with another simulation environment puter. • Exchange data with an input/output-card or a pe- An energy storage test bench is connected by an ana- ripheral communication interface logue and digital data input/output card with the Dy- • Build up a hardware-in-the-loop simulation envi- mola simulation computer. With this proposed sys- ronment tem, particularly long-time simulations with sample rates up to 30 Hz can be executed very cost effective. Hardware-in-the-loop (HIL) is the integration of real Typical applications are simulations of drive cycles components and system models in a common simu- to test energy storage systems in electrified vehicles lation environment [1]. -
Deep Dive Into OS Internals with Windbg Malware and OS Internals
2012 Deep Dive into OS Internals with Windbg Malware and OS Internals An approach towards reversing malwares, shellcodes and other malicious codes to understand the ways in which they use the OS Internals for their functionality. Sudeep Pal Singh Honeywell 1/26/2012 Page 1 Table of Contents Preface ............................................................................................................................................................................ 3 Reversing Windows Internals .......................................................................................................................................... 4 Portable Executable Anatomy ......................................................................................................................................... 5 Data Directories of Interest ............................................................................................................................................. 7 Import Directory .............................................................................................................................................................. 8 Import Address Table .................................................................................................................................................... 12 Export Directory ............................................................................................................................................................ 13 Manual Walkthrough of Export Directory .................................................................................................................... -
Sample Content from Debugging Microsoft .NET 2.0 Applications
Debugging Microsoft®.NET 2.0 Applications John Robbins (Wintellect) To learn more about this book, visit Microsoft Learning at http://www.microsoft.com/MSPress/books/8650.aspx 9780735622029 Publication Date: November 2006 Table of Contents Acknowledgments. .xv Introduction . .xvii Part I The Gestalt of Debugging 1 Bugs: Where They Come From and How You Solve Them . .3 Bugs and Debugging . 3 What Are Bugs? . 4 Process Bugs and Solutions . 8 Planning for Debugging . 17 Prerequisites to Debugging . 18 The Skill Set . 18 Learning the Skill Set . 20 The Debugging Process. 21 Step 1: Duplicate the Bug . 22 Step 2: Describe the Bug . 23 Step 3: Always Assume That the Bug Is Yours . 24 Step 4: Divide and Conquer . 24 Step 5: Think Creatively . 25 Step 6: Utilize Tools . 26 Step 7: Start Heavy Debugging . 27 Step 8: Verify That the Bug Is Fixed . 27 Step 9: Learn and Share. 29 Final Debugging Process Secret. 29 Summary . 30 2 Preparing for Debugging . 31 Track Changes Until You Throw Away the Project. 31 Version Control Systems . 32 Bug Tracking Systems . 36 Choosing the Right Systems for You . 37 Microsoft is interested in hearing your feedback about this publication so we can What do you think of this book? continually improve our books and learning resources for you. To participate in a brief We want to hear from you! online survey, please visit: www.microsoft.com/learning/booksurvey/ ix x Table of Contents Schedule Time for Building Debugging Systems . 38 Build All Builds with Debugging Symbols . 38 Treat Warnings as Errors . 41 Know Where Your Assemblies Load . -
SMB Analysis
NAP-3 Microsoft SMB Troubleshooting Rolf Leutert, Leutert NetServices, Switzerland © Leutert NetServices 2013 www.wireshark.ch Server Message Block (SMB) Protokoll SMB History Server Message Block (SMB) is Microsoft's client-server protocol and is most commonly used in networked environments where Windows® operating systems are in place. Invented by IBM in 1983, SMB has become Microsoft’s core protocol for shared services like files, printers etc. Initially SMB was running on top of non routable NetBIOS/NetBEUI API and was designed to work in small to medium size workgroups. 1996 Microsoft renamed SMB to Common Internet File System (CIFS) and added more features like larger file sizes, Windows RPC, the NT domain service and many more. Samba is the open source SMB/CIFS implementation for Unix and Linux systems 2 © Leutert NetServices 2013 www.wireshark.ch Server Message Block (SMB) Protokoll SMB over TCP/UDP/IP SMB over NetBIOS over UDP/TCP SMB / NetBIOS was made routable by running Application over TCP/IP (NBT) using encapsulation over 137/138 139 TCP/UDP-Ports 137–139 .. Port 137 = NetBIOS Name Service (NS) Port 138 = NetBIOS Datagram Service (DGM) Port 139 = NetBIOS Session Service (SS) Data Link Ethernet, WLAN etc. Since Windows 2000, SMB runs, by default, with a thin layer, the NBT's Session Service, on SMB “naked” over TCP top of TCP-Port 445. Application 445 DNS and LLMNR (Link Local Multicast Name . Resolution) is used for name resolution. Port 445 = Microsoft Directory Services (DS) SMB File Sharing, Windows Shares, Data Link Ethernet, WLAN etc. Printer Sharing, Active Directory 3 © Leutert NetServices 2013 www.wireshark.ch Server Message Block (SMB) Protokoll NetBIOS / SMB History NetBIOS Name Service (UDP Port 137) Application • Using NetBIOS names for clients and services. -
Technical Standard IPC Mechanisms For
Technical Standard IPC Mechanisms for SMB NICAL H S C T A E N T D A R D [This page intentionally left blank] X/Open CAE Specification IPC Mechanisms for SMB X/Open Company Ltd. December 1991, X/Open Company Limited All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the copyright owners. X/Open CAE Specification IPC Mechanisms for SMB ISBN: 1 872630 28 6 X/Open Document Number: XO/CAE/91/500 Published by X/Open Company Ltd., U.K. Any comments relating to the material contained in this document may be submitted to X/Open at: X/Open Company Limited Apex Plaza Forbury Road Reading Berkshire, RG1 1AX United Kingdom or by Electronic Mail to: [email protected] ii X/Open CAE Specification (1991) Contents Chapter 1 Introduction............................................................................................... 1 Chapter 2 SMB IPC Service Model .................................................................... 3 2.1 Security Overview ...................................................................................... 3 2.2 Naming ......................................................................................................... 4 2.2.1 Named Pipe and Mailslot Names ........................................................ 4 2.2.2 NetBIOS Names ....................................................................................... 4 2.2.3 Messaging -
Production Debugging for .NET Framework Applications
Production Debugging for .NET Framework Applications Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft, MS-DOS, Windows, Visual C#, Visual Basic, Visual C++, Visual Studio, and Win32 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. © 2002 Microsoft Corporation. All rights reserved. Version 1.0 The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Contents Chapter 1 Introduction to Production Debugging for .NET Framework Applications 1 Production Debugging vs. Development Debugging . 2 Environment . 2 Tools . 3 Actions . 3 Debugging Tools . 4 Discovery Phase . 4 Debugging Phase . 5 ASP.NET Process Model and Health Monitoring . 6 What Is the ASP.NET Process Model? . 7 IIS 5.x Process Model . 7 Health Monitoring in IIS 5.x . 9 IIS 6.0 Process Model in Windows .NET Server Release Candidate 1 . -
Practical-Malware-Analysis Index.Pdf
INDEX Symbols and Numbers administrator privileges, for malware launchers, 254 ! (bang symbol), 305 Adobe Reader -- operation, 112 CVE-2010-0188 critical % operation, 112 vulnerability, 424 % symbol, 423 overflow in, 705 | (pipe symbol), in Snort, 304 ADS (Alternate Data Streams) ++ operation, 112 010 Editor, 468 feature, 139 32-bit applications, WOW64 and, 448 Advanced Encryption Standard 32-bit rotate-right-additive hash, 418 (AES), 618 64-bit malware, 441–449 decrypting, 625–626 clues to functionality, 448 advapi32.dll, 17 labs, 450–451 imports from, 20, 480, 481 solutions, 723–732 obtaining handle to, 237 advertisements, pop-up, 560–561 A AES (Advanced Encryption Standard), 618 A, at end of Windows function decrypting, 625–626 name, 17 Agobot, 376 absolute addresses, 443 air-gapped networks, 29 vs. relative addresses, in OllyDbg, _alloca_probe function, 522 184–185 alphabetic encoding, shellcode abstraction levels, in x86 disassembly, decoder with, 697 66–67 Alternate Data Streams (ADS) accept function, 143, 144, 454 feature, 139 access token, 246 ALU (arithmetic logic unit), 68 accuracy, vs. expediency, 304 AMD64 architecture, 441 active window, logging, 239 “Analysis of the Intel Pentium’s ADD encoding algorithm, 276 Ability to Support a Secure add instruction, 74, 349 Virtual Machine Monitor” AddCodeXref function (IDC), 342 (Robin and Irvine), 373 address space, loading executable AND logical operator, in x86 into another process’s, 595 architecture, 75 address space layout randomization anti-debugging, 351–366 (ASLR), 184 checks,