Proj 9x: Understanding PE Files and ASLR on Windows (15 pts.)

Purpose

What You Need

• A Windows machine, real or virtual, to exploit.

WARNING

Preparing the Vulnerable Server

http://sites.google.com/site/lupingreycorner/vulnserver.zip

If that link doesn't work, try this alterative download link.

Save the "vulnserver.zip" file on your desktop.

On your desktop, right-click vulnserver.zip.

Click "Extract All...", Extract.

A "vulnserver" window opens. Double-click vulnserver. The Vulnserver application opens, as shown below.

Downloading Process Explorer

https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Download Process Explorer.

Double-click the ZIP file to open it.

Double-click procexp.exe to run it.

Click Run, Run, Agree.

Examining DLL Files

In Process Explorer, click View, "Select Columns".

In the "Select Columns" box, click the DLL tab.

Check "Base Address", as shown below. Click OK.

In the top pane of Process Explorer, scroll down and click vulnserver.exe.

The lower pane shows the DLL files used by vulnserver, along with their Base Address, as shown below.

The Base Address of vulnserver.exe should be 0x400000, just as shown above.

Pick a DLL, such as advapi (or some other DLL if advapi is not visible), and note its address.

Restarting the Windows Machine

Allow the machine to shut down and restart normally.

Log in.

Launch vulnserver and Process Explorer again.

Examine the DLL files for vulnserver again.

You should see the same address for vulnserver.exe, as shown below, but the DLL file should have a different address.

This is the effect of Address Space Layout Randomization--the processes that have it enabled move each time the machine reboots.

Saving a Screen Image

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 9xa", replacing "YOUR NAME" with your real name.

Exploring PE Files with PEview

http://wjradburn.com/software/

Click the "PEview version 0.9.9" link, as shown below.

Double-click the ZIP file to open it.

Double-click PEview.exe to run it.

Click Run, Accept.

Opening vulnserver.exe in PEview

Using Hexadecimal View

Scroll down in the rignt pane to find the program's greeting text, "Welcome to Vulnerable Server", as shown below.

Saving a Screen Image

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 9xb", replacing "YOUR NAME" with your real name.

Viewing File Sections

In the left pane, click IMAGE_DOS_HEADER.

The right pane shows details of the first file section, which is a very old part of the file, only present for backwards compatibility, as shown below.

In the left pane, click "MS-DOS Stub Program". This is where the message you saw before lives, and it's also unused now, only present for backwards compatibility.

In the left pane, expand IMAGE_NT_HEADERS and click IMAGE_FILE_HEADER.

The most important items here are Machine of type I386 (that is, 32-bit, not 64-bit) and IMAGE_FILE_EXECUTABLE_IMAGE (which makes the file executable), as shown below.

In the left pane, click IMAGE_OPTIONAL_HEADER.

The first screen shows the "Base of Code", which is 00400000, as shown below.

In the right pane, scroll down to find these items, as shown below.

"Size of Stack" and "Size of Heap", as we saw them in Linux.

"EXPORT Table" and "IMPORT Table".

Examine the five IMAGE_SECTION_HEADER items--they contain information about the size and location of the five program sections:

• .text -- executable program instructions (object code)
• .data -- uninitialized variable data
• .rdata -- constant data; the read-only version of the .data segment
• .bss -- global program-wide initialized data
• .idata -- import directory

Viewing the Five Major Sections

The right pane shows gibberish--these are hexadecimal machine language instructions, which appear random when viewed without using a disassembler, as shown below.

In the left pane, click "Section .data".

The right pane shows that this section contains mostly null bytes. This portion of memory is reserved for variables that aren't initialized, so it's mostly sitting empty now, as shown below.

In the left pane, click "Section .rdata".

The right pane shows the contents--fixed strings used by the program. Scrolling down, you can find the "Welcome to Vulnerable Server" message you saw earlier in Hexadecimal view, as shown below.

In the left pane, expand "Section .idata" and click "IMPORT Directory Table".

The right pane shows the four DLLs (Dynamic Link Libraries) this program loads, including KERNEL_32.dll, as shown below.

In the left pane, click "IMPORT Name Table".

The right pane shows the functions used from each library. As shown below, there are many functions imported from the KERNEL_32.dll library.

Saving a Screen Image

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 9xc", replacing "YOUR NAME" with your real name.

Turning in your Project

Sources

Operating Systems Development - Portable Executable (PE)