01/10/2016 (Updated 12/22/2019 move from ImmunityDB to IDA Pro Free, the standard)
While the computer truly understands only 0s and 1s, the practicality of programming that way is just not feasible. Thus, processors have a language that is one step above the Ons and Offs, the Trues and Falses, called Machine Language or Assembly, sometimes Assembler. In this article, we will go through the process of preparing our Virtual Machine with IDA Pro Free, a powerful disassembler and Dev C++ a small compiler. After installation, we will build small C programs and review them in Assembly.
Windows XP SP2
First, we will use Windows XP SP2 to begin our Windows Exploit work. This should be installed in the Virtual Machine of your choice. Most newer programs will no longer run on this OS. This is where we will begin our exploitation journey for Windows. However, since many programs will no longer run, we will use Windows 7 and 10. Install Windows XP into the VM for setup only.
Windows 7
Second, install Windows 7 64 bit in the Virtual Machine software of your choice. These articles will use both VMWare Workstation Pro and Virtual Box. Windows 7 can be found with some work… 😀 this system will be used for all Windows work in the coming weeks.
IDA Pro Free
Next, we will install IDO Pro Free and with that Python 2.7.1. While this is a very old Python, the Python used in the Linux systems will be up to date. The main IDA PRO site can be found here: https://hex-rays.com/IDA-pro/ and the download can be found here: https://hex-rays.com/ida-free/.
The IDA Pro Free installation is very simple and straight forward. IDA Pro is very expensive but it is the defacto standard for disassembly and reverse engineering.
As the installation progresses choose the defaults. Once the installation is complete, a short cut will be added to the desktop. A .exe file can be dragged onto the file or IDA can be opened and then the EXE loaded from within the program.
Dev C++ Integrated Development Environment
Dev C++ is a basic interface on top of the GNU compilers, GCC, GPP, etc. The compilers work almost the same as on *Nix and let us be consistent with some of the same tools across Operating Systems.
To install Dev C++, visit the following URL: https://sourceforge.net/projects/orwelldevcpp/.
The C Language
This article assumes you have experience with some programming language. While completing the rest of the articles, many deep dives will be using C, C++, .NET (C#), Java and Python for exploits. Some perl may be used where applicable. The rapid consumption of knowledge is critical in this field.
The best way to learn any programming language is to code in it. No amount of article reading or tutorials can prepare like actually working with the IDE and the language. A brief over view of C syntax is covered here, but if your knowledge is weak, take a few extra days and prepare before jumping to the C to Assembly section. Take the samples and add on to them, include new libraries and call their functions. Do not focus too much on writing secure code or calling advanced libraries until much later. I am not saying to over look this, but if you are new, get the basic syntax down and come back to C when it can be given the rigor that it deserves.
The C language is to Assembly as Assembly is to Binary. C is one of the closest languages to the machine that can be coded in. This human readable language is power and allows direct memory manipulation. A PDF can be found here going over the basic syntax.
At the top of the file, we include references to other libraries. This allows for the calling of their functions. A function has a definition that indicates what variables are taken in, what values are returned, and contains encapsulated logic. The main function is our direct entry point into the program.
#include <stdio.h>
// this is a comment
int main() { // here an integer is returned
// printf prints to the screen. \n is a
// new line.
printf("Hello, World\n");
return 0; // Standard return value of 0 required
}
Open Dev C++. Go to File and new. Copy the code here into the programs text area. Click Save As and save the file and FirstProgram.c
Next, choose in the drop down the type of build you want to make. Until otherwise, use 32 bit debug.
The Execute drop down contains most of the features we need to for development. Compile builds the program. Parameters allow you to add parameters to console applications (more on this in the future).
For debugging, click on a line, and click on Toggle Breakpoint, or right click on the line. Father there are function commands that can be used. More on debugging below.
If you wish to run the program, you can also go to the folder, run cmd.exe and open the file.
The following block of code can be saved and built the same way. This code demonstrates multiple function types. Examine the code by walking through it. Add a breakpoint in main, step through using F8 and F7. Uncomment a function and comment out another. Use the basic template to copy and paste and make new functions. Some suggestions are given in the comments.
#include <stdio.h>
int BasicFunction() {
return 0;
}
int Add(int a, int b) {
int c = a + b;
return c;
}
bool IsEqual(int a, int b) {
// Basic conditional logic
// If a equals b execute what is
// in the block {}.
if(a == b) {
return true;
}
return false;
}
void Loop(int a, int b) {
// A while loop will execute what is
// inbetween the {} if the a++, which increments
// a was not increased by one, the loop could
// run forever.
while(a < b) {
printf("I am less");
a++;
}
}
// create multiply *, divide /, subtract -
// a basic template that can be copied and
// pasted. The 'int' for integer can be
// changed to double, char* for string
// and other types.
int TemplateFunction(int a, int b) {
int c;
//c = ?? x ??
return c;
}
int main() {
BasicFunction();
//int res = Add(1,2);
//bool isNumbersEqual = IsEqua(1,2);
//Loop(1, 10);
return 0;
}
To get a handle on Assembly language, we will use all these examples and decompile them. Then step through the assembly to learn how C is converted to lower level machine language.
In the Dev C++ IDE, go to Edit -> Insert Snippet, to find basic code snippets. If your familiarity with C is not what you would like, all these fields should be tried and used with real code samples. If something does not make sense or more samples are needed, Google “C programming Language for loop examples” or the like. Google or Duck Duck Go is your friend when coding.
The Art of Debugging
Debugging software can be painful and downright tedious. Most IDEs leave something to be desired when it comes to debugging. The most powerful IDE, the author has found, is Visual Studio. The higher level languages seem to have more features as well, especially with the push toward productivity.
The trusty old break point should have been used many times by now. Another trick, is the use of print statements. These can be added and used when running the program and printed to the screen. Most compilers also have debugging directives that can be conditionally compiled.
In the example below, print statements were used to slowly build the Buffer function. If char* buff is null, no argument passed in via the parameters, the program will crash if strcpy is called. To prevent this, print statements were used to find the error.
#include <stdio.h>
#include <string.h>
void Buffer(char* buff) {
char buff2[25] = "";
printf("Len B: %u\n", (unsigned)strlen(buff));
if(strlen(buff) > 0) {
strcpy(buff2, buff);
printf("Len B2: %u\n", (unsigned)strlen(buff2));
printf("Buff2: %s", buff2);
}
}
int main(int argc, char* argv[]) {
printf("Buff: %s\n", argv[1]);
Buffer(argv[1]);
return 0;
}
Another great feature, is the ability to “watch” variables.
Some other tips:
- A search engine is your friend. Sites like stack overflow will help you solve most problems.
- Add breakpoints a little before where an error is occurring and step through until you find the problem.
- Comment out code and slowly uncomment until you can narrow down the location of an error.
- Use print out statements to get the value of variables, show your location, etc
- Add an if statement with a breakpoint within if the condition only occurs in select instances. For example, say a for loop will run 1,500 times, and the error is known to occur after a 1,000. Add an if(val == 1000 || val === 1250) and slowly narrow down the val that is being processed throwing an error.
- Use the watch feature to follow variables.
Hopefully this article helped you get a Windows 7 64 bit machine setup in a VM for future security research. IDA Pro should be installed, as well as a compiler. Next C to Assembly will be discussed in great detail. That upcoming section will be key to almost all exploitation we will perform.