陈永恒 Yongheng Chen (Ne0)

我有功于人不可念,而过则不可不念;人有恩于我不可忘,而怨则不可不忘. -- 菜根谭

Home Writeup Friend

Windows Exploitation Tutorial: Prerequisite

1 October 2019

Hi I am Ne0. Long time no see! Recently I am learning Windows exploitation. During the process, I found that all the tutorials online are either out-of-date(targeting on win 7 or even older Windows) or super expensive. Therefore, I plan to write a series of blogposts about Windows exploitation, sharing my experience and also reflecting what I have learned. As I am very busy doing my PhD, I can’t promise that when the blogposts will be finished. And as I am also a learner, not an expert, of Win exploitation, there might be some inaccuracies or mistakes in the tutorials. Feel free to email me if you find any. One more thing, due to my experience, the best way to learn a exploitation technique is to use a simple example without anything unnecessary. So in this tutorial, I will write simple programs for practice and demostraction.

Outline for this tutorial

I want this tutorial to be a complete and systematic one. So I plan to divide it into several parts as the following:

  1. Basics
    1. Intruduction to Windows pwn
    2. Toolchains for Win pwn
    3. Mitigations in Win userspace
    4. Exploitation techniques for Win userspace
  2. Advanced
    1. Win kernel exploitation
    2. CVE playground

All of them are targeting at X86/64. If everything goes well, I will write a new blog for this tutorial twice a week. And today we will talk a little bit about the basics.

Introduction to Windows Pwn

Windows is a close-source operating system. And for many reasons such as compatibility, windows is big and complicated. What’s worse, different versions of windows are so different from each others, and more and more mitigations are added. These distinguish windows exploitation from linux exploitation. As we will see later, even if some mitigations that serve for the same purposes, their behaviors are different in linux and windows. So it’s important for us to be aware of that. However, we can’t focus on everything. So what differences should we care about?

Different Executable Format for Executable

Windows adopts a format called Portable Executable(PE) format for its executable, and Common Object File Format (COFF) for its object files. The idea is similar with Linux’s: headers and data. Details can be found at https://docs.microsoft.com/en-us/windows/win32/debug/pe-format.

Different Libary For Process

We are familar with glibc in Linux, but what about Windows? In windows, we have all kinds of libary with extension “.dll”. The most insteresting ones to us are:

  1. Ntdll.dll: This libary contains a series of undocumented apis and these apis can be changed in future versions of Windows. It is also the bridge between userspace and kernel space because many system calls happen in this libary.
  2. Kernel32.dll: This libary contains apis that wrap those in ntdll. And these apis are well-documented and remain unchanged in the future, so they are safe to use if you want your code to be run in different version of windows. Apis in kernel32 contains: Heap Api, Virtual memory Api, File IO api etc.
  3. Ucrtbase.dll: This is like the glibc in Windows 10. We need this libary a lot during exploitation.

Different Exploitation Mitigation

We don’t have many mitigations in Linux: Aslr, NX, PIE, Stack Protector etc. But there are much more in Windows: SafeSEH, SEHOP, CFG etc. We have to understand how they work before we can bypass them. We will talk about them in details in future blogposts.

Toolchain for Windows Exploitation

A good tool is the sword for hackers. When I started windows exploitation, I found it difficult because I didn’t find the correct toolchain. After I found more and more tools, and got used to them, exploiting became much easier. So here I would like to share some of them with you:

Terminal: Cmder

There are many good terminals in Windows, choose any one that you like. I personally prefer Cmder, as it’s Unix/Linux style and integrates Vim. Of course if you insist on using cmd, well, you win.

Disasembler/Decompiler: IDA pro

Well, this is the king.

Debugger: Windbg

Although it’s extremely difficult to use, but it’s still the best debugger for Windows in my mind. Just try it yourself, and you will fall in love with it. Also, there are many plugins for it. The one I use is https://github.com/0vercl0k/windbg-scripts as it implement telescope (This is one of the best command in gdb-peda).

Exploit script: Pwintools/ Pwntools

Pwintools is a simple version of pwntools and works in Windows. But I prefer using pwntools by remote debugging.

AppjailLauncher

This tool is like socat in Linux and becomes more and more popular in CTF.

Others: ROPGadget and Winchecksec

ROPGadget supports PE format! Just use it in Windows to find any gadget you want. Winchecksec is also an important tool(https://github.com/trailofbits/winchecksec). It’s the win version of checksec. What mitigations a binary has determines how we can exploit it.

Conclusion

Download a windows 10 vm and install all these tools above, and you are ready for exploiting the windows! In next blogpost I will talk about stack overflow and seh in windows(win10 specifically). See you soon!