Stack cookie check + edge case #5

Closed
woodruffw opened this issue Aug 23, 2018 · 1 comment
Labels
enhancement New feature or request

Comments

@woodruffw
Member

We should also probably check whether the program was built with /GS, which inserts stack cookies.

Like /DYNAMICBASE, /GS has an interesting edge case: if the user defines a custom entry point via /ENTRY and forgets to call __security_init_cookie() within it, then the cookie value is set to a default value that makes circumvention much easier.

@woodruffw woodruffw added the enhancement New feature or request label Aug 23, 2018
@woodruffw
Member Author

Based on https://reverseengineering.stackexchange.com/a/6709, the right approach is:

  1. First, check IMAGE_LOAD_CONFIG_DIRECTORY.SecurityCookie. If that's nonzero, then the cookie is at that VA and GS is enabled.
  2. If SecurityCookie is zero, then scan for either the default cookie (0xBB40E64E) or for one of the characteristic signatures for __security_check_cookie.

Just doing step 1 is probably sufficient for our purposes -- it looks like false negatives with zeroed SecurityCookies have been seen with older binaries, but not with anything that SL2 is targeting.
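The two-step check described in this comment, as an added example (not the project's own code): it walks the PE headers to the load config directory and reads `SecurityCookie` (step 1), then falls back to scanning the image for the default cookie bytes (step 2). Field offsets follow the PE specification (SecurityCookie at 0x3C in a PE32 load config, 0x58 in PE32+); `build_sample_pe` constructs a minimal, non-executable PE32+ image for testing and is not a real binary.

```python
import struct
DEFAULT_COOKIE = 0xBB40E64E       # default /GS cookie value named in the issue
LOAD_CONFIG_INDEX = 10            # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def _rva_to_offset(pe, sections_off, nsec, rva):  # map an RVA to a file offset via the section table
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, sections_off + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def security_cookie_va(pe: bytes) -> int:
    """Step 1: IMAGE_LOAD_CONFIG_DIRECTORY.SecurityCookie, or 0 if the directory or field is absent."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)  # IMAGE_FILE_HEADER
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dir_table = opt + (112 if pe32plus else 96)     # data directories follow the optional header fields
    rva = struct.unpack_from("<I", pe, dir_table + 8 * LOAD_CONFIG_INDEX)[0]
    if rva == 0:
        return 0
    lc = _rva_to_offset(pe, opt + opt_size, nsec, rva)
    field, fmt = (0x58, "<Q") if pe32plus else (0x3C, "<I")   # SecurityCookie offset depends on bitness
    if struct.unpack_from("<I", pe, lc)[0] < field + struct.calcsize(fmt):  # Size field guards old layouts
        return 0
    return struct.unpack_from(fmt, pe, lc + field)[0]

def gs_status(pe: bytes):
    """The issue's two-step heuristic: returns (verdict, cookie VA)."""
    va = security_cookie_va(pe)
    if va:
        return ("enabled", va)
    if struct.pack("<I", DEFAULT_COOKIE) in pe:      # step 2 fallback: default cookie embedded in the image
        return ("probable", 0)
    return ("unknown", 0)

def build_sample_pe(cookie_va: int, with_load_config: bool = True) -> bytes:
    """Constructed minimal PE32+ image (not a real binary): one section holding a load config."""
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16)   # Magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[LOAD_CONFIG_INDEX] = (0x1000, 0x60) if with_load_config else (0, 0)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    section = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + section
    load_cfg = struct.pack("<I", 0x60).ljust(0x58, b"\0") + struct.pack("<Q", cookie_va)
    return headers.ljust(0x200, b"\0") + load_cfg.ljust(0x200, b"\0")
```

A zero `SecurityCookie` with the directory present falls through to step 2, which is the zeroed-field case the comment mentions.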

This was referenced Aug 24, 2018
woodruffw added a commit that referenced this issue Aug 27, 2018
Closes #5.
Closes #9.
Closes #10.