Exploiting the Hard-Working DWARF: Trojan and Exploit Techniques Without Native Executable Code
Dartmouth Computer Science Technical Report TR2011-688
James Oakley
Advised by Sergey Bratus
Computer Science Department, Dartmouth College
Hanover, New Hampshire
james.oakley.11@alum.dartmouth.org
June 2, 2011
An earlier report of these results appeared as TR2011-680.
Abstract
The study of vulnerabilities and exploitation is one of finding mechanisms affecting the flow of computation and of finding new means to perform unexpected computation. In this paper we show the extent to which exception handling mechanisms as implemented and used by gcc can be used to control program execution. We show that the data structures used to store exception handling information on UNIX-like systems actually contain Turing-complete bytecode, which is executed by a virtual machine during the course of exception unwinding and handling. We discuss how a malicious attacker could gain control over these structures and how such an attacker could utilize them once control has been achieved.
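The abstract's claim that the exception handling structures carry bytecode interpreted during unwinding can be checked against a binary's own .eh_frame data. The scanner below is an added example, not code from the report or from its Katana tool: it walks the CIE and FDE records and flags the DW_CFA_def_cfa_expression, DW_CFA_expression and DW_CFA_val_expression instructions, the CFA opcodes that embed DWARF expression bytecode, so a defender can see where such expressions occur in an unwind table. It assumes 32-bit record lengths and gcc's usual "zR" augmentation with 4-byte pc fields; the sample bytes are constructed.

```python
def leb(buf, pos, signed=False):  # decode a ULEB128/SLEB128 value at pos -> (value, new_pos)
    val = shift = 0
    while True:
        b = buf[pos]; pos += 1
        val |= (b & 0x7f) << shift; shift += 7
        if not b & 0x80:
            return (val - (1 << shift) if signed and b & 0x40 else val), pos
# Operand layout of each extended CFA opcode: u=ULEB128, s=SLEB128, b=expression block, digit=fixed bytes
OPERANDS = {0x00: "", 0x02: "1", 0x03: "2", 0x04: "4", 0x05: "uu", 0x06: "u", 0x07: "u", 0x08: "u",
            0x09: "uu", 0x0a: "", 0x0b: "", 0x0c: "uu", 0x0d: "u", 0x0e: "u", 0x0f: "b", 0x10: "ub",
            0x11: "us", 0x12: "us", 0x13: "s", 0x14: "uu", 0x15: "us", 0x16: "ub", 0x2e: "u", 0x2f: "uu"}
EXPR_OPS = {0x0f: "DW_CFA_def_cfa_expression", 0x10: "DW_CFA_expression", 0x16: "DW_CFA_val_expression"}
def scan_cfa(insns):  # names of the expression-carrying opcodes found in one CFA instruction stream
    found, pos = [], 0
    while pos < len(insns):
        op = insns[pos]; pos += 1
        if op & 0xc0 == 0x80:                 # DW_CFA_offset: register in low 6 bits, ULEB operand
            _, pos = leb(insns, pos)
        elif op & 0xc0 == 0:                  # extended opcode (one we do not decode raises KeyError)
            for kind in OPERANDS[op]:
                if kind in "us": _, pos = leb(insns, pos, kind == "s")
                elif kind == "b": n, pos = leb(insns, pos); pos += n
                else: pos += int(kind)
            if op in EXPR_OPS: found.append(EXPR_OPS[op])
        # else: DW_CFA_advance_loc / DW_CFA_restore keep their only operand in the low 6 bits
    return found
def scan_eh_frame(data):  # -> [(kind, offset, [expression opcodes])] per CIE/FDE record in a .eh_frame blob
    # Assumption: 32-bit record lengths and gcc's usual "zR" augmentation with 4-byte (sdata4) pc fields.
    out, pos, aug = [], 0, b""
    while pos + 4 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "little")
        if length == 0: break                 # zero-length terminator record
        end, p = pos + 4 + length, pos + 8    # p is past the length and the CIE id / CIE pointer
        if int.from_bytes(data[pos + 4:pos + 8], "little") == 0:          # CIE: id field is zero
            aug_end = data.index(b"\0", p + 1); aug = data[p + 1:aug_end]; p = aug_end + 1  # skip version
            _, p = leb(data, p); _, p = leb(data, p, True); _, p = leb(data, p)  # aligns, RA reg (< 128)
            kind = "CIE"
        else:                                 # FDE: skip pc_begin and pc_range (4 bytes each)
            kind, p = "FDE", p + 8
        if aug.startswith(b"z"):              # 'z' augmentation: ULEB length, then augmentation data
            n, p = leb(data, p); p += n
        out.append((kind, pos, scan_cfa(data[p:end])))
        pos = end
    return out
# Constructed sample (not from a real binary): a CIE with plain register rules, then an FDE whose rule
# for r6 is a DW_CFA_expression carrying embedded expression bytecode, then the terminator record.
SAMPLE = bytes.fromhex(
    "12000000 00000000 01 7a5200 01 78 10 01 1b 0c0708 9001"   # CIE: zR, def_cfa r7+8, r16 at cfa-8
    "13000000 1a000000 10000000 20000000 00 1006027000 00"    # FDE: DW_CFA_expression r6 {DW_OP_breg0 0}
    "00000000")
```

On a real binary, feed it the raw bytes of the .eh_frame section (for example dumped with objcopy --dump-section .eh_frame=eh.bin); ordinary compiler output rarely contains expression opcodes, so any record that does is worth a closer look.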
Contents
Abstract ..... 1
1 Introduction ..... 4
1.1 Computational models ..... 5
1.2 Attacking Exceptions ..... 6
1.3 Contributions ..... 6
2 DWARF and Exception Handling Details ..... 8
2.1 Environment ..... 8
2.2 Call Frame Information ..... 9
2.3 DWARF Expressions ..... 11
2.4 Exception Handlers ..... 12
2.5 Exception Process ..... 14
3 Katana and Dwarfscript ..... 16
3.1 Katana Shell ..... 17
3.2 Dwarfscript ..... 18
4 Malicious DWARFs ..... 20
4.1 A Trojan ..... 20
4.2 Building a Dynamic Linker in DWARF ..... 23
4.3 Detection By Antivirus Software ..... 23
4.4 Combining with Traditional Exploits ..... 25
4.5 Limitations and Workarounds ..... 26
4.5.1 Registers and Parameter Passing ..... 26
4.5.2 No Side Effects ..... 27
4.5.3 DWARF Machine Implementation ..... 28
4.5.4 Limited .eh_frame space ..... 28
4.5.5 Debugging ..... 29
4.6 Defenses ..... 29
5 History and Related Work ..... 30
5.1 Security of Exception Handling ..... 30
5.2 Historical Exploitation ..... 31
5.3 Auxiliary Computation ..... 32
5.4 Where Does DWARF Fit In? ..... 33
6 Conclusion ..... 34
6.1 Availability ..... 35
6.2 Acknowledgments ..... 35
Bibliography ..... 37
A CIE and FDE Structure Inside .eh_frame ..... 40
B .gcc_except_table Layout ..... 41
C Dwarfscript Grammar ..... 42
Chapter 1
Introduction
When a program is executed on a computer system, that system must be able to transform the program on disk into a running process image. The standard format used on Linux and most other UNIX-like systems for representing both programs on disk and process images is the ELF (Executable and Linking Format) [43]. An ELF structure consists of various header information and an array of named sections, each section containing the data necessary for some specific part of the process or process lifecycle (e.g. program text, writable data, symbol table, dynamic linking information, and so on). For languages, such as C++, that support exceptions, the process image and surrounding mechanisms must include a facility for providing exception handling. While on Windows a process stores this information on the stack [28], on Linux and other systems exception handling information is stored in ELF sections using a standardized format called DWARF (Debugging with Attributed Records Format) [?]. We show that if an attacker can gain control of the DWARF data he can perform sophisticated computations unhindered by standard protections such as non-executable stacks and ASLR. This is useful in at least two attack scenarios:

1. The adversary creates a trojan by modifying the DWARF sections of the executable before it is run to create a backdoor. This is less likely to be noticed than many other trojan techniques because no executable code is modified and for further reasons discussed later.

2. The adversary exploits a vulnerability allowing data overwrite but not code execution. He uses this exploit to overwrite the DWARF portion of the executable (or the information used to locate the DWARF