Archive for the ‘discussions’ Category

# chilly suspicions of new win32 bug

While wandering through the Windows kernel, nezumi found some very screwy code: another loophole for bypassing DEP. W2K SP4 gives the PEB/TEB pages r-w-x attributes, so the PEB and TEB are executable! It is easy to check with OllyDbg (View -> Memory).

W2K SP4 gives PEB/TEB r-w-x attributes

XP SP3 and S2K3 SP1 come without this bug, but what about other systems? Let's find out! Please download the simple system info collector (it comes with full sources), run it and send the result to or leave your comment here. It is absolutely safe for your system: no harm, no fault.
Thanks in advance!

W2K SP4: PEB/TEB are executable;
XP SP3: PEB/TEB are _not_ executable;
S2K3 SP1: PEB/TEB are _not_ executable;
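As an added example (my code, not the author's system info collector, whose sources are not reproduced on this page): a small C program that asks VirtualQuery for the protection of the pages holding the current thread's TEB and the process PEB and decodes the PAGE_* value into the r/w/x form the post uses. The decoder is plain C and compiles anywhere; the query itself is built only on Windows. Taking the PEB address from NtQueryInformationProcess(ProcessBasicInformation) is my choice here, not something the post describes.

```c
/* Added example: report whether the PEB and TEB pages of this process are
 * executable. Decoding is portable; the query needs Windows (_WIN32). */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#else
/* Values from winnt.h, so the decoder builds and can be tested off Windows. */
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_WRITECOPY         0x08
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD             0x100
#define PAGE_NOCACHE           0x200
#define PAGE_WRITECOMBINE      0x400
#endif

/* PAGE_* is an enumeration in the low byte plus modifier bits (PAGE_GUARD,
 * PAGE_NOCACHE, ...) above it, so strip the modifiers before comparing. */
#define PAGE_BASE_MASK 0xFFul

int page_is_executable(unsigned long protect)
{
    switch (protect & PAGE_BASE_MASK) {
    case PAGE_EXECUTE:
    case PAGE_EXECUTE_READ:
    case PAGE_EXECUTE_READWRITE:
    case PAGE_EXECUTE_WRITECOPY:
        return 1;
    default:
        return 0;
    }
}

/* Render a protection value as "rwx" with '-' for missing rights.
 * buf must hold at least 4 bytes; the same pointer is returned. */
const char *page_rwx(unsigned long protect, char *buf)
{
    unsigned long base = protect & PAGE_BASE_MASK;
    int w = base == PAGE_READWRITE || base == PAGE_WRITECOPY ||
            base == PAGE_EXECUTE_READWRITE || base == PAGE_EXECUTE_WRITECOPY;
    int r = w || base == PAGE_READONLY || base == PAGE_EXECUTE_READ;
    int x = page_is_executable(protect);
    buf[0] = r ? 'r' : '-';
    buf[1] = w ? 'w' : '-';
    buf[2] = x ? 'x' : '-';
    buf[3] = '\0';
    return buf;
}

#ifdef _WIN32
/* Resolved at run time so no ntdll import library is needed. */
typedef LONG (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Protection of the page containing addr, or 0 if the query fails. */
static unsigned long protection_of(const void *addr)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(addr, &mbi, sizeof(mbi)) == 0) return 0;
    return mbi.Protect;
}

int main(void)
{
    PROCESS_BASIC_INFORMATION pbi;
    NtQIP_t NtQIP = (NtQIP_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                            "NtQueryInformationProcess");
    const void *teb = NtCurrentTeb();
    const void *peb = NULL;
    char rwx[4];
    int bad = 0;

    if (NtQIP && NtQIP(GetCurrentProcess(), ProcessBasicInformation,
                       &pbi, sizeof(pbi), NULL) == 0)
        peb = pbi.PebBaseAddress;

    printf("TEB %p: %s\n", teb, page_rwx(protection_of(teb), rwx));
    bad |= page_is_executable(protection_of(teb));
    if (peb) {
        printf("PEB %p: %s\n", peb, page_rwx(protection_of(peb), rwx));
        bad |= page_is_executable(protection_of(peb));
    }
    return bad;   /* non-zero exit status means: executable, as on W2K SP4 */
}
#endif
```

Build it as a 32-bit console program on the system under test; an exit status of 1 means at least one of the two blocks is mapped executable. The decoder is kept separate from the query on purpose: it is the part worth unit-testing, and it is also the part people get wrong by treating PAGE_* as a bitmask.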


# TLS callbacks w/o USER32 (part III)

The story continues. Read this:
Peter Ferrie> The requirement is not user32.dll, just a DLL
Peter Ferrie> that imports from kernel32.dll. I changed tls-nousr.exe
Peter Ferrie> to import from kernel31.dll instead of kernel32.dll.
Peter Ferrie> I created a kernel31.dll that imports from kernel32.dll
Peter Ferrie> the LoadLibraryA and GetProcAddress, and also exports them.
Peter Ferrie> The TLS code runs normally in that case.
Peter Ferrie> For the OllyDbg case, maybe a plug-in called LoadLibrary("kernel32")
Peter Ferrie> from inside the process. It's probably some reference counting thing.

Yeah, right. I figured out that MSVCR71.dll is suitable as well (see my previous post); I just didn't change the subject line. Anyway, it's a bug in XP/S2K3, and eventually we found a workaround for it.

I wonder whether Vista is buggy too or whether it has been fixed there. Guys! If you have Vista at hand, please run the examples and tell us the result. Thanks!


# TLS callbacks w/o USER32 (part II)

Peter Ferrie posted an interesting comment on my previous article. I decided to reply here, because not everybody reads comments, but this discussion is worth reading.

Peter Ferrie> That’s not correct. You can’t display a message anymore from a TLS callback
Peter Ferrie> because USER32 is not initialised at that point,

I'm not trying to display a message from the TLS callback, I'm trying _not_ to display it :)
XP SP3 and S2K3 let me call MessageBox from the TLS callback, Vista does not, but I'm not talking about calling something from TLS. The point is: if there is no USER32, the TLS callback isn't called at all. Check out FSC08_Level2.exe. It's F-Secure's crack-me, written by Kamil (a very clever guy!), who packed the file with UPX and added a TLS callback, so "upx -d" loses the TLS. That's easy, and you probably noticed it. But you definitely missed the point. There is MSVCR71.dll!exit there, imported but never actually used. UPX does not use MSVCR71.dll, so it was added by someone else; I guess it was Kamil :-) who added it manually. But for what reason? The answer: without it, XP and S2K3 refuse to call the TLS callback. So the F-Secure guy ran into the bug and found the workaround. It proves that I'm right and the bug does exist :-)

Peter Ferrie> but it does really run. Create a TLS callback that looks like this:
Peter Ferrie> mov eax, dword ptr fs:[30h]
Peter Ferrie> l1: cmp byte ptr [eax + 2], 0
Peter Ferrie> je l1
Peter Ferrie> int 3
Peter Ferrie> and run it. The file will wait until the debugger attaches.
Peter Ferrie> That shows that the callback is running.

I guess your TLS callback is executed when the process is about to end; you don't check the reason argument. Could you please show me your exe file? I'll show you mine. Please download the two examples. They are very simple:

```c
#include <windows.h>
#include <string.h>

/* Cast-and-call trick: "Msg Box (args)" resolves MessageBoxA at run time
 * through LoadLibraryA/GetProcAddress, so the image imports only kernel32. */
#define Msg (int (WINAPI *)(int, char*, char*, int))
#define Box GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA")

#define TLS_B " not"
#define TLS_C " executed! *\n\n"
#define TLS_A "\n* TLS callback has been"

char TLS[] = TLS_A TLS_B TLS_C;

/* Drops " not" from the message on DLL_PROCESS_ATTACH (reason 1). The
 * offsets are corrected by one so that the terminator is moved along with
 * the text and nothing is read past the end of the array. */
BOOL WINAPI TLS_callback(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH)
        memmove(&TLS[sizeof(TLS_A) - 1], &TLS[sizeof(TLS_A TLS_B) - 1], sizeof(TLS_C));
    return 0x666;   /* the loader ignores the return value */
}

/* Entry point used instead of main (the page does not say how it was linked);
 * shows whether the callback ran. */
int nezumi(void) { Msg Box (0, TLS, "[x]", 0); return 0; }

/* Hand-made IMAGE_TLS_DIRECTORY32. xl[0] is a 0xDEADBEEF marker for finding the
 * structure in the file; the TLS data directory must point at xl[1], which is
 * StartAddressOfRawData, so that AddressOfCallBacks (xl[4]) is ptr. */
DWORD ptr[] = { (DWORD) TLS_callback, 0 };   /* NULL-terminated callback list */
DWORD *xl[] = { (DWORD*) 0xEFBEADDE, ptr, ptr, (DWORD*) xl, ptr, 0, 0 };
```

The TLS callback just removes " not" from the string displayed by the main function. Compile it, apply the TLS directory and run. Under W2K the TLS callback is executed, but under XP/W2K3 it is not; however, if you replace GetProcAddress(LoadLibrary("USER32.DLL"),"MessageBoxA") with a direct MessageBox call (so that the executable imports USER32.DLL itself), it works fine.
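The "apply TLS Dir" step is done by hand in the post. As an added example (my code, not the author's tool), here is a PE32 patcher that does it: it searches the sections' raw data for the 0xEFBEADDE marker that xl[0] puts in front of the six DWORDs of the TLS directory, converts the file offset of xl[1] into an RVA, and writes that RVA with a size of 24 into entry 9 (IMAGE_DIRECTORY_ENTRY_TLS) of the optional header's data directory. Header fields are read at their PE32 offsets so it builds without windows.h; the skeletal PE image used for testing is constructed inline and is not a runnable executable. It handles PE32 only, because the 64-bit TLS directory has a different layout.

```c
/* Added example: point the TLS data directory of a PE32 file at the
 * hand-written TLS directory that follows the 0xEFBEADDE marker. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS_DIR_INDEX 9           /* IMAGE_DIRECTORY_ENTRY_TLS */
#define TLS_DIR_SIZE  24          /* sizeof(IMAGE_TLS_DIRECTORY32) */
#define TLS_MARKER    0xEFBEADDEu /* value of xl[0] in the source above */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Patch the image in memory. Returns the RVA written, or 0 on any failure. */
uint32_t apply_tls_dir(uint8_t *img, size_t len)
{
    if (len < 0x40 || memcmp(img, "MZ", 2) != 0) return 0;
    uint32_t pe = rd32(img + 0x3C);                        /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;

    const uint8_t *fh = img + pe + 4;                      /* IMAGE_FILE_HEADER */
    uint16_t nsec = rd16(fh + 2);                          /* NumberOfSections */
    uint16_t optsz = rd16(fh + 16);                        /* SizeOfOptionalHeader */
    uint8_t *oh = img + pe + 24;                           /* IMAGE_OPTIONAL_HEADER32 */
    if (optsz < 96 + 8 * (TLS_DIR_INDEX + 1) || len - pe - 24 < optsz) return 0;
    if (rd16(oh) != 0x10B) return 0;                       /* Magic: PE32 only */
    if (rd32(oh + 92) <= TLS_DIR_INDEX) return 0;          /* NumberOfRvaAndSizes */
    if (len - pe - 24 - optsz < 40u * nsec) return 0;      /* section table fits */

    uint8_t marker[4];
    wr32(marker, TLS_MARKER);                              /* little-endian DE AD BE EF */
    const uint8_t *sh = oh + optsz;                        /* IMAGE_SECTION_HEADER[0] */
    for (uint16_t i = 0; i < nsec; i++, sh += 40) {
        uint32_t va = rd32(sh + 12), rawsz = rd32(sh + 16), raw = rd32(sh + 20);
        if (raw > len || rawsz > len - raw) continue;      /* bogus section, skip it */
        for (uint32_t off = 0; off + 4 + TLS_DIR_SIZE <= rawsz; off++) {
            if (memcmp(img + raw + off, marker, 4) != 0) continue;
            uint32_t rva = va + off + 4;                   /* xl[1] sits right after the marker */
            wr32(oh + 96 + 8 * TLS_DIR_INDEX, rva);        /* DataDirectory[9].VirtualAddress */
            wr32(oh + 96 + 8 * TLS_DIR_INDEX + 4, TLS_DIR_SIZE);
            return rva;
        }
    }
    return 0;
}

/* Constructed test input: a skeletal PE32 image with one section whose raw
 * data holds the marker at offset 0x10 followed by a zeroed TLS directory. */
#define TEST_IMG_SIZE 0x300
size_t build_test_pe32(uint8_t *img)
{
    uint32_t pe = 0x40, sec = 0x200;
    memset(img, 0, TEST_IMG_SIZE);
    memcpy(img, "MZ", 2);
    wr32(img + 0x3C, pe);
    memcpy(img + pe, "PE\0\0", 4);
    wr16(img + pe + 4 + 2, 1);            /* NumberOfSections */
    wr16(img + pe + 4 + 16, 224);         /* SizeOfOptionalHeader (PE32) */
    uint8_t *oh = img + pe + 24;
    wr16(oh, 0x10B);                      /* Magic = PE32 */
    wr32(oh + 92, 16);                    /* NumberOfRvaAndSizes */
    uint8_t *sh = oh + 224;
    memcpy(sh, ".data", 5);
    wr32(sh + 12, 0x2000);                /* VirtualAddress */
    wr32(sh + 16, 0x100);                 /* SizeOfRawData */
    wr32(sh + 20, sec);                   /* PointerToRawData */
    wr32(img + sec + 0x10, TLS_MARKER);   /* xl[0]; xl[1..6] follow */
    return TEST_IMG_SIZE;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s file.exe\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "r+b");
    if (!f) { perror("fopen"); return 1; }
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    uint8_t *img = n > 0 ? malloc((size_t)n) : NULL;
    if (!img || fread(img, 1, (size_t)n, f) != (size_t)n) { perror("read"); return 1; }
    uint32_t rva = apply_tls_dir(img, (size_t)n);
    if (!rva) { fprintf(stderr, "no marker found or not a PE32 file\n"); return 1; }
    rewind(f);
    if (fwrite(img, 1, (size_t)n, f) != (size_t)n) { perror("write"); return 1; }
    fclose(f);
    printf("TLS directory -> RVA 0x%08X, size %u\n", rva, (unsigned)TLS_DIR_SIZE);
    return 0;
}
```

It patches the file in place and takes the first marker it finds; since xl is an initialized global array its bytes are in the file's .data section, which is what makes the marker search work.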

By the way, I found another interesting thing. Run TLS-nousr.exe under OllyDbg 1.10 (I have not checked other versions) on XP/S2K3. Oops! The TLS callback is called. Now run it under the IDA Pro debugger (console version). Wow! It's not called! So OllyDbg somehow forces the system to execute the TLS callback. I have not found out how yet.