Friday, February 24, 2012

Windows Update

Today I was performing a Windows update; it said it needed to get two mandatory updates. I clicked on Okay and was watching my Snort IDS. I saw two "FILE-IDENTIFY Portable Executable binary file magic detection" alerts, and what scared me was that they were coming from my ISP :-0. I know that we don't have any Micros0ft office in or around my place.

So I went to my Windows machine and typed in netstat -aon; sure enough, I could see two established connections to the IP 122.165.249.90.


 ID   < Signature >   < Timestamp >   < Source Address >   < Dest. Address >   < Layer 4 Proto > 
#0-(5-49658) [snort] DNS SPOOF query response with TTL of 1 min. and no authority 2012-02-24 05:38:37 192.168.1.1:53 192.168.56.200:57649 UDP
#1-(5-49659) [snort] FILE-IDENTIFY Portable Executable binary file magic detection 2012-02-24 05:39:33 122.165.249.90:80 192.168.56.200:49160 TCP
#2-(5-49660) [snort] FILE-IDENTIFY Portable Executable binary file magic detection 2012-02-24 05:39:34 122.165.249.90:80 192.168.56.200:49161 TCP

Next I clicked on the first IDS alert and found that the machine was trying to resolve dns.msftncsi.com, which resolves to the IP address 131.107.255.255. This increased my doubt; however, drilling further down, I started a PCAP capture and restarted my Windows machine. I found that a second DNS query went out for download.windowsupdate.com, which has the CNAME chain shown below, and my system at last ended up downloading from 122.165.xxx.xxx :-)

bala@bala-laptop:~$ nslookup download.windowsupdate.com
Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
download.windowsupdate.com    canonical name = download.windowsupdate.nsatc.net.
download.windowsupdate.nsatc.net    canonical name = main.dl.wu.akadns.net.
main.dl.wu.akadns.net    canonical name = intl.dl.wu.akadns.net.
intl.dl.wu.akadns.net    canonical name = dl.wu.ms.geo.akadns.net.
dl.wu.ms.geo.akadns.net    canonical name = a26.ms.akamai.net.
Name:    a26.ms.akamai.net
Address: 122.165.249.90
Name:    a26.ms.akamai.net
Address: 122.165.249.91




Saturday, February 4, 2012

Snort Action

Snort can take the following types of Actions.



The Activate and Dynamic actions have been dropped in favour of the more recent tagging and flowbits.

The Drop, Reject and SDrop actions are used when Snort is running in inline mode.

Friday, February 3, 2012

Functions In Assembly

 * Defining a function in Assembly is as follows (the .type directive marks the label as a function symbol)
.type MyFirstFunction, @function
MyFirstFunction:
    ret


 * Function is called using "call MyFirstFunction"


Passing Arguments & Returning Values


 * Passing Arguments to Function
- Registers
- Global Memory locations
- Stack
 * Returning Value from a function
- Registers
- Global Memory locations


Program Starts here


.data
FirstString:
.asciz "firstfunctioncall\n"
SecondString:
.asciz "secondfunctioncall\n"
.text
.globl _start
.type MyFirstFunction , @function
MyFirstFunction: #String ptr & length will be added by caller
movl $4, %eax
movl $1, %ebx
int $0x80
ret
_start:
nop
#We will print firstfunctioncall here
movl $FirstString, %ecx
movl $18, %edx
call MyFirstFunction
#We will print secondfunctioncall here
movl $SecondString, %ecx
movl $19, %edx
call MyFirstFunction
#Now we will exit the program
movl $1, %eax
movl $0, %ebx
int $0x80


bala@bala-laptop:~/ASM$ as -ggstabs -o Function.o Function.s 
bala@bala-laptop:~/ASM$ ld -o Function Function.o
bala@bala-laptop:~/ASM$ ./Function 
firstfunctioncall
secondfunctioncall
bala@bala-laptop:~/ASM$ gdb ./Function 
(gdb) break *_start+1
Breakpoint 1 at 0x4000be: file Function.s, line 17.
(gdb) run
Starting program: /home/bala/ASM/Function 
Breakpoint 1, _start () at Function.s:17
17 movl $FirstString, %ecx
(gdb) print /x &FirstString 
$1 = 0x6000e8
(gdb) s
18 movl $18, %edx
(gdb) print /x $rcx
$3 = 0x6000e8
(gdb) s
19 call MyFirstFunction
(gdb) disassemble MyFirstFunction 
Dump of assembler code for function MyFirstFunction:
   0x00000000004000b0 <+0>: mov    $0x4,%eax
   0x00000000004000b5 <+5>: mov    $0x1,%ebx
   0x00000000004000ba <+10>: int    $0x80
   0x00000000004000bc <+12>: retq   
End of assembler dump.
(gdb) print /x $rip
$4 = 0x4000c8
(gdb) s
MyFirstFunction () at Function.s:10
10 movl $4, %eax
(gdb) print /x $rip
$5 = 0x4000b0
(gdb) s
11 movl $1, %ebx
(gdb) s
12 int $0x80
(gdb) s
firstfunctioncall
MyFirstFunction () at Function.s:13
13 ret
(gdb) s
_start () at Function.s:21
21 movl $SecondString, %ecx
(gdb) print /x $rip
$6 = 0x4000cd
(gdb) c
Continuing.
secondfunctioncall
Program exited normally.
(gdb) 


Program Starts here


.data
FirstString:
.asciz "firstfunctioncall\n"
SecondString:
.asciz "secondfunctioncall\n"
.bss
.lcomm StringPtr, 4
.lcomm StringLen, 4
.text
.globl _start
.type MyFirstFunction , @function
MyFirstFunction: #String ptr & length will be added by caller
movl $4, %eax
movl $1, %ebx
movl StringPtr, %ecx
movl StringLen, %edx
int $0x80
ret
_start:
nop
#We will print firstfunctioncall here
movl $FirstString, StringPtr
movl $18, StringLen
call MyFirstFunction
#We will print secondfunctioncall here
movl $SecondString, StringPtr
movl $19, StringLen
call MyFirstFunction
#Now we will exit the program
ExitCall:
movl $1, %eax
movl $0, %ebx
int $0x80


bala@bala-laptop:~/ASM$ as -ggstabs -o Function2.o Function2.s 
bala@bala-laptop:~/ASM$ ld -o Function2 Function2.o
bala@bala-laptop:~/ASM$ ./Function2
firstfunctioncall
secondfunctioncall
bala@bala-laptop:~/ASM$ gdb ./Function2
(gdb) break *_start+1
Breakpoint 1 at 0x4000cc: file Function2.s, line 22.
(gdb) run
Starting program: /home/bala/ASM/Function2 
Breakpoint 1, _start () at Function2.s:22
warning: Source file is more recent than executable.
22 movl $FirstString, StringPtr
(gdb) print /x &FirstString 
$1 = 0x600110
(gdb) x /1xw &StringPtr 
0x600138 : 0x00000000
(gdb) x /1xw &StringLen 
0x60013c : 0x00000000
(gdb) s
23 movl $18, StringLen
(gdb) s
24 call MyFirstFunction
(gdb) x /1xw &StringPtr 
0x600138 : 0x00600110
(gdb) x /1xw &StringLen 
0x60013c : 0x00000012
(gdb) x /1dw &StringLen 
0x60013c : 18
(gdb) s
MyFirstFunction () at Function2.s:13
13 movl $4, %eax
(gdb) s
14 movl $1, %ebx
(gdb) s
15 movl StringPtr, %ecx
(gdb) s
16 movl StringLen, %edx
(gdb) s
17 int $0x80
(gdb) s
firstfunctioncall
MyFirstFunction () at Function2.s:18
18 ret
(gdb) c
Continuing.
secondfunctioncall
Program exited normally.
(gdb) 
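The two programs above cover register passing (Function.s) and global-memory passing (Function2.s) from the argument-passing list. The third option in that list, the stack, and returning a value in a register are shown in the following added example; it is not code from the original post. It assumes the same setup as the post (x86-64 Linux, GAS syntax, built with as and ld) and keeps the post's int $0x80 system-call convention, which works here only because a static non-PIE binary keeps every address below 4 GiB. The file name Function3.s and the function names StrLen and WriteString are made up for this example.

```asm
# Function3.s: added example, not from the original post.
# Build like the other programs: as -ggstabs -o Function3.o Function3.s ; ld -o Function3 Function3.o
.data
FirstString:
    .asciz "firstfunctioncall\n"
SecondString:
    .asciz "secondfunctioncall\n"

.text
.globl _start

# StrLen: one argument, a pointer to a NUL-terminated string, passed on the stack.
# After 'call' the return address sits at (%rsp), so the argument is at 8(%rsp).
# The length (NUL excluded) is returned in %eax; the caller pops the argument.
.type StrLen, @function
StrLen:
    movq 8(%rsp), %rsi      # read the argument without popping it
    xorl %eax, %eax         # length = 0 (also clears the upper half of %rax)
StrLenLoop:
    cmpb $0, (%rsi,%rax,1)  # is byte [pointer + length] the terminator?
    je StrLenDone           # ZF set -> yes, done
    incl %eax
    jmp StrLenLoop
StrLenDone:
    ret

# WriteString: two stack arguments, pushed pointer first, then length.
# Stack at entry: (%rsp) return address, 8(%rsp) length, 16(%rsp) pointer.
.type WriteString, @function
WriteString:
    movl $4, %eax           # sys_write (32-bit syscall table, as in the post)
    movl $1, %ebx           # stdout
    movq 16(%rsp), %rcx     # buffer
    movq 8(%rsp), %rdx      # byte count
    int $0x80
    ret

_start:
    nop                     # keeps 'break *_start+1' working, as in the post

    # length = StrLen(FirstString); result lands in %eax (18 for this string)
    pushq $FirstString
    call StrLen
    addq $8, %rsp           # caller removes its own argument
    # WriteString(FirstString, length): no hard-coded 18 any more
    pushq $FirstString
    pushq %rax
    call WriteString
    addq $16, %rsp          # remove both arguments

    pushq $SecondString
    call StrLen
    addq $8, %rsp
    pushq $SecondString
    pushq %rax
    call WriteString
    addq $16, %rsp

    movl $1, %eax           # sys_exit
    movl $0, %ebx
    int $0x80
```

Stepping into StrLen with gdb and printing /x $rsp, x/1xg $rsp and x/1xg $rsp+8 shows the return address and then the pushed pointer, the same pattern the CALL example in the "Program Execution Flow" post shows for the return address alone. The addq after each call is what makes stack passing safe: if the caller forgets it, the next ret pops an argument instead of a return address.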

Thursday, February 2, 2012

Conditional Branching & Loop

Conditional Branching
 * JXX - JA, JAE, JE, JG, JZ, JNZ etc.
 * These jumps depend on the state of EFLAGS
    - Zero Flag (ZF)
    - Parity Flag (PF)
    - Overflow Flag (OF)
    - Sign Flag (SF)
    - Carry Flag (CF)
 * Only short and near conditional jumps are supported; far jumps are not allowed

Program Start here
.data
    HelloWorld:
        .asciz "Hello Earth!\n"
    ZeroFlagSet:
        .asciz "Zero Flag was Set!\n"
    ZeroFlagNotSet:
        .asciz "Zero Flag Not Set!\n"
.text
    .globl _start
    _start:
        nop
        movl $10, %eax
        xorl %eax, %eax  #To set Zero Flag
        jz FlagSetPrint
    FlagNotSetPrint:
        # Write CallDemo
        movl $4, %eax
        movl $1, %ebx
        leal ZeroFlagNotSet, %ecx
        movl $20, %edx
        int $0x80
        jmp ExitProgram
    FlagSetPrint:
        # Write CallDemo
        movl $4, %eax
        movl $1, %ebx
        leal ZeroFlagSet, %ecx
        movl $20, %edx
        int $0x80
        jmp ExitProgram
    ExitProgram:
        # Exit the program
        movl $1, %eax
        movl $10, %ebx
        int $0x80

Jump on Zero Example
================

bala@bala-laptop:~/ASM$ as -ggstabs -o ConditionalBranch.o ConditionalBranch.s
bala@bala-laptop:~/ASM$ ld -o ConditionalBranch ConditionalBranch.o
bala@bala-laptop:~/ASM$ ./ConditionalBranch
Zero Flag was Set!
bala@bala-laptop:~/ASM$ gdb ./ConditionalBranch
(gdb) list 1
8    .text
9        .globl _start
10        _start:
(gdb) break *_start+1
Breakpoint 1 at 0x4000b1: file ConditionalBranch.s, line 12.
(gdb) run
Starting program: /home/bala/ASM/ConditionalBranch
Breakpoint 1, _start () at ConditionalBranch.s:12
12            movl $10, %eax
(gdb) s
13            xorl %eax, %eax  #To set Zero Flag
(gdb) info registers
rbp            0x0    0x0
rsp            0x7fffffffe3b0    0x7fffffffe3b0
rip            0x4000b6    0x4000b6 <_start+6>
eflags         0x202    [ IF ]
cs             0x33    51
ss             0x2b    43
(gdb) s
14            jz FlagSetPrint
(gdb) info registers
rbp            0x0    0x0
rsp            0x7fffffffe3b0    0x7fffffffe3b0
rip            0x4000b8    0x4000b8 <_start+8>
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
(gdb) s
FlagSetPrint () at ConditionalBranch.s:25
25            movl $4, %eax
(gdb) s
26            movl $1, %ebx
(gdb) s
27            leal ZeroFlagSet, %ecx
(gdb) s
28            movl $20, %edx
(gdb) s
29            int $0x80
(gdb) s
Zero Flag was Set!
30            jmp ExitProgram

LOOP Instruction

 * This is the normal counted-loop instruction: loop label
 * The number of times to loop is given in ECX; LOOP decrements ECX automatically (i--) and jumps back to the label while ECX is not zero

Program Start here

.data
    HelloWorld:
        .asciz "Hello Earth!\n"
.text
    .globl _start
    _start:
        nop

        movl $5, %ecx
    PrintFiveTimes:
        pushq %rcx
        movl $4, %eax
        movl $1, %ebx
        leal HelloWorld, %ecx
        movl $13, %edx
        int $0x80
        popq %rcx
        loop PrintFiveTimes
        jmp ExitProgram

    ExitProgram:
        # Exit the program
        movl $1, %eax
        movl $10, %ebx
        int $0x80


bala@bala-laptop:~/ASM$ gdb ./Loop
(gdb) break *_start+1
Breakpoint 1 at 0x4000b1: file Loop.s, line 9.
(gdb) run
Starting program: /home/bala/ASM/Loop
Breakpoint 1, _start () at Loop.s:9
9            movl $5, %ecx
(gdb) s
PrintFiveTimes () at Loop.s:11
11            pushq %rcx
(gdb) print /x $rsp
$1 = 0x7fffffffe3d0
(gdb) x/1xw 0x7fffffffe3d0
0x7fffffffe3d0:    0x00000001
(gdb) s
PrintFiveTimes () at Loop.s:12
12            movl $4, %eax
(gdb) print /x $rsp
$2 = 0x7fffffffe3c8
(gdb) x/1xw 0x7fffffffe3c8
0x7fffffffe3c8:    0x00000005
(gdb) s
13            movl $1, %ebx
(gdb) s
14            leal HelloWorld, %ecx
(gdb) s
15            movl $13, %edx
(gdb) s
16            int $0x80
(gdb) s
Hello Earth!
17            popq %rcx
(gdb) s
PrintFiveTimes () at Loop.s:18
18        loop PrintFiveTimes
(gdb) print /x $rcx
$4 = 0x5
(gdb) s
11            pushq %rcx
(gdb) s
PrintFiveTimes () at Loop.s:12
12            movl $4, %eax
(gdb) s
13            movl $1, %ebx
(gdb) s
14            leal HelloWorld, %ecx
(gdb) s
15            movl $13, %edx
(gdb) s
16            int $0x80
(gdb) s
Hello Earth!
17            popq %rcx
(gdb) print /x $rsp
$5 = 0x7fffffffe3c8
(gdb) x /1xw 0x7fffffffe3c8
0x7fffffffe3c8:    0x00000004
(gdb)
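The JXX list at the top of this post names JA and JG side by side; they read different flags after the same cmp, which is the usual trap when a signed quantity is compared with an unsigned jump (or vice versa). The following added example, not code from the original post, shows that on the bit pattern 0xFFFFFFFF, which is 4294967295 unsigned and -1 signed. It assumes the post's setup (x86-64 Linux, GAS, as/ld, int $0x80) and the file name ConditionalBranch2.s is made up; the message lengths are computed by the assembler instead of counted by hand.

```asm
# ConditionalBranch2.s: added example, not from the original post.
# JA (unsigned "above") is taken when CF=0 and ZF=0.
# JG (signed "greater") is taken when ZF=0 and SF=OF.
.data
MsgAbove:
    .ascii "JA taken: 0xFFFFFFFF is above 1 (unsigned)\n"
MsgAboveLen = . - MsgAbove
MsgNotAbove:
    .ascii "JA not taken\n"
MsgNotAboveLen = . - MsgNotAbove
MsgGreater:
    .ascii "JG taken\n"
MsgGreaterLen = . - MsgGreater
MsgNotGreater:
    .ascii "JG not taken: 0xFFFFFFFF is -1, not greater than 1 (signed)\n"
MsgNotGreaterLen = . - MsgNotGreater

.text
.globl _start

# PrintMsg: pointer in %ecx, length in %edx (register passing, as in the Functions post)
.type PrintMsg, @function
PrintMsg:
    movl $4, %eax           # sys_write
    movl $1, %ebx           # stdout
    int $0x80
    ret

_start:
    nop
    movl $0xFFFFFFFF, %eax  # -1 signed, 4294967295 unsigned
    cmpl $1, %eax           # computes eax - 1 and sets CF, ZF, SF, OF

    # unsigned view: 0xFFFFFFFF - 1 needs no borrow, so CF=0, ZF=0 -> JA taken
    ja Above
    movl $MsgNotAbove, %ecx
    movl $MsgNotAboveLen, %edx
    call PrintMsg
    jmp SignedTest
Above:
    movl $MsgAbove, %ecx
    movl $MsgAboveLen, %edx
    call PrintMsg

SignedTest:
    movl $0xFFFFFFFF, %eax
    cmpl $1, %eax           # redo the compare: flags are not guaranteed to survive the syscall
    # signed view: -1 - 1 = -2, so SF=1 and OF=0; SF != OF -> JG not taken
    jg Greater
    movl $MsgNotGreater, %ecx
    movl $MsgNotGreaterLen, %edx
    call PrintMsg
    jmp ExitProgram
Greater:
    movl $MsgGreater, %ecx
    movl $MsgGreaterLen, %edx
    call PrintMsg

ExitProgram:
    movl $1, %eax           # sys_exit
    movl $0, %ebx
    int $0x80
```

Running "info registers" right after the cmpl, as the post does for xorl, shows eflags with SF set and neither CF nor ZF, which is exactly why ja is taken and jg is not. The MsgLen = . - Msg form also avoids the off-by-one that comes from hand-counting a string length (the $20 used for the 19-byte messages in the program above quietly writes the trailing NUL as well).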

Wednesday, February 1, 2012

Program Execution Flow

Unconditional Branching
1 JMP:
 * Analogous to the goto statement in a C program
 * Syntax - JMP label
 * Short - a JMP whose target lies within +/-128 bytes
 * Near - a jump within the same segment whose range lies between short and far
 * Far - a JMP from one segment to another segment

2 CALL
 * Just like calling a function in C
 * Syntax - CALL location
 * Every CALL has an associated RET instruction
 * CALL pushes the address of the next instruction onto the stack

Program Code starts here

.data
    HelloWorld:
        .asciz "Hello Earth!"
    CallDemo:
        .asciz "CallDemo got called!"
.text
    .globl _start
    _start:
        nop
        #JMP ExitProgram #This to be enabled for JMP eg
        call Callme
        # Write HelloWorld
        movl $4, %eax
        movl $1, %ebx
        movl $HelloWorld, %ecx
        movl $12, %edx
        int $0x80
    ExitProgram:
        # Exit the program
        movl $1, %eax
        movl $10, %ebx
        int $0x80
    Callme:
        # Write CallDemo
        movl $4, %eax
        movl $1, %ebx
        movl $CallDemo, %ecx
        movl $20, %edx
        int $0x80
        ret



JUMP Example
==========


(gdb) break *_start+1
Breakpoint 2 at 0x4000b1: file ProgramExecutionFlow.s, line 10.
(gdb) info break
Num     Type           Disp Enb Address            What
2       breakpoint     keep y   0x00000000004000b1
(gdb) run
Starting program: /home/bala/ASM/ProgramExecFlow
Breakpoint 2, _start () at ProgramExecutionFlow.s:10
10            JMP ExitProgram
(gdb) print /x $rbp
$2 = 0x0
(gdb) print /x $rip
$3 = 0x4000b1
(gdb) disas _start
Dump of assembler code for function _start:
   0x00000000004000b0 <+0>:    nop
=> 0x00000000004000b1 <+1>:    jmp    0x4000c9
   0x00000000004000b3 <+3>:    mov    $0x4,%eax
   0x00000000004000b8 <+8>:    mov    $0x1,%ebx
   0x00000000004000bd <+13>:    mov    $0x6000ec,%ecx
   0x00000000004000c2 <+18>:    mov    $0xc,%edx
   0x00000000004000c7 <+23>:    int    $0x80
End of assembler dump.
(gdb) disas ExitProgram
Dump of assembler code for function ExitProgram:
   0x00000000004000c9 <+0>:    mov    $0x1,%eax
   0x00000000004000ce <+5>:    mov    $0xa,%ebx
   0x00000000004000d3 <+10>:    int    $0x80
End of assembler dump.
(gdb) s
ExitProgram () at ProgramExecutionFlow.s:19
19            movl $1, %eax
(gdb) print /x $rip
$4 = 0x4000c9
(gdb)


CALL Example
==========

bala@bala-laptop:~/ASM$ as -ggstabs -o ProgramExecFlow.o ProgramExecutionFlow.s 
bala@bala-laptop:~/ASM$ ld -o ProgramExecFlow ProgramExecFlow.o
bala@bala-laptop:~/ASM$ ./ProgramExecFlow
CallDemo got called!Hello Earth!bala@bala-laptop:~/ASM$ gdb ./ProgramExecFlow
(gdb) list
8        _start:
9            nop
10            #JMP ExitProgram #This to be enabled for JMP eg
(gdb) break *_start+1
Breakpoint 1 at 0x4000b1: file ProgramExecutionFlow.s, line 11.
(gdb) run
Starting program: /home/bala/ASM/ProgramExecFlow
Breakpoint 1, _start () at ProgramExecutionFlow.s:11
11            call Callme
(gdb) disassemble _start
Dump of assembler code for function _start:
   0x00000000004000b0 <+0>:    nop
=> 0x00000000004000b1 <+1>:    callq  0x4000d8
   0x00000000004000b6 <+6>:    mov    $0x4,%eax
   0x00000000004000bb <+11>:    mov    $0x1,%ebx
   0x00000000004000c0 <+16>:    mov    $0x6000f0,%ecx
   0x00000000004000c5 <+21>:    mov    $0xc,%edx
   0x00000000004000ca <+26>:    int    $0x80
End of assembler dump.
(gdb) disas Callme
Dump of assembler code for function Callme:
   0x00000000004000d8 <+0>:    mov    $0x4,%eax
   0x00000000004000dd <+5>:    mov    $0x1,%ebx
   0x00000000004000e2 <+10>:    mov    $0x6000fd,%ecx
   0x00000000004000e7 <+15>:    mov    $0x14,%edx
   0x00000000004000ec <+20>:    int    $0x80
   0x00000000004000ee <+22>:    retq  
End of assembler dump.
(gdb) print /x $rsp
$2 = 0x7fffffffe3b0
(gdb) print /x $rip
$3 = 0x4000b1
(gdb) s
Callme () at ProgramExecutionFlow.s:25
25            movl $4, %eax
(gdb) print /x $rip
$4 = 0x4000d8
(gdb) print /x $rsp
$5 = 0x7fffffffe3a8
(gdb) x/1xx 0x7fffffffe3a8
0x7fffffffe3a8:    0x004000b6
(gdb) s
26            movl $1, %ebx
(gdb) s
27            movl $CallDemo, %ecx
(gdb) s
28            movl $20, %edx
(gdb) s
29            int $0x80
(gdb) s
CallDemo got called!Callme () at ProgramExecutionFlow.s:30
30            ret
(gdb) s
_start () at ProgramExecutionFlow.s:13
13            movl $4, %eax
(gdb) s
14            movl $1, %ebx
(gdb) s
15            movl $HelloWorld, %ecx
(gdb) s
16            movl $12, %edx
(gdb) s
17            int $0x80
(gdb) s
Hello Earth!ExitProgram () at ProgramExecutionFlow.s:20
20            movl $1, %eax
(gdb) s
21            movl $10, %ebx
(gdb) s
22            int $0x80
(gdb) s
Program exited with code 012.
(gdb)