Bugtraq mailing list archives

Re: Preventing /*exploitation with*/ rebasing
From: dullien () gmx de
Date: Fri, 7 Feb 2003 20:57:18 +0100

Hey Riley, all,

RH> Research AV/VX trends from the late 80's and early 90's.

First off, thanks for this line. Reading some old VX magazines could
do some good here. The fact that most shellcodes still use hardcoded
addresses to retrieve GetProcAddress/GetModuleHandle should make
everyone think -- VLAD Boza (the first PE infector ever) did the same,
and was thus not very successful. VX folks abandoned the concept of
hardcoding offsets for KERNEL32 in about 1996-97. Ah well. It's just
5-6 years. And it's not like you have to have clever ideas yourself,
it's all in easy-to-digest tutorial format.

Thanks for addressing the bogus idea of hooking GetProcAddress(),
too. Most serious win32 shellcodes do not use it anymore but do their
own PE parsing anyhow, so this would be (aside from being easily
bypassed otherwise) completely ineffective. User-mode policy
enforcement (e.g. doing policy enforcement on the same privilege level
as the malicious code) is bound to fail.

Concerning information on TIB and PEB: If you're too lazy to learn
Russian/Polish, you might consider taking (a) the wine header files
(which attempt to document parts of these structures) and (b) a
debugger and go spelunking yourself.
Oh, and MS does provide some limited information:
http://msdn.microsoft.com/msdnmag/issues/02/08/EscapefromDLLHell/default.aspx

Cheers,
dullien () gmx de
