-
Notifications
You must be signed in to change notification settings - Fork 24
/
Copy pathHACKING
69 lines (59 loc) · 2.99 KB
/
HACKING
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
Technical Notes about OpenHIPS
------------------------------
--[ Development environment
- Software required or suggested
* Visual Studio 2010 Express for C# and C++ builds (http://www.microsoft.com/express/)
* TortoiseSVN
* WinMerge
* Notepad++
* Wix (http://wix.sourceforge.net/)
* Cygwin (http://www.cygwin.com/)
* Python (http://www.python.org/download/releases/3.2/)
--[ Design
Basic goal is to run inside a process we want to protect and then watch
for exploit attempts and block. Get inside the process via AppInit_Dll
to give "firststage" execution. This then determines if we should run
there, and if we should then protector (ohipsp) gets loaded.
Components:
* monitor (ohipsm*.exe): Makes sure the necessary AppInit_Dll and related reg
values are set.
* firststage (ohipsfs*.dll): Loaded into every process via AppInit_DLL and
determines if this process should be protected.
* protector (ohipsp*.dll): Loaded by firststage into processes we want to
protect.
--[ Debug output
Debug releases display output that is visible in debuggers or DbgView
from SysInternals.
Internet Explorer and some other products will create two process (a parent
and child) with the child being a "sandbox" that runs at low integrity levels.
If you attempt to see debug messages in DbgView you will need to first set
the integrity level of dbgview with:
icacls dbgview.exe /setintegritylevel low
You can confirm the integrity levels by looking in Process Explorer.
--[ Why AppInit_DLL?
I want a DLL loaded into any instances of Internet Explorer, Adobe Acrobat,
FireFox, and some other processes. The common way of doing this is to
use the AppInit_DLL registry value. There are concerns with this method,
specifically the post "AppInit_DLLs should be renamed
Deadlock_Or_Crash_Randomly_DLLs" at
http://blogs.msdn.com/b/oldnewthing/archive/2007/12/13/6648400.aspx, and
the doc "AppInit DLLs in Windows 7 and Windows Server 2008 R2 - 4" which
states "Because AppInit DLLs are loaded very early during process
initialization, they should use only APIs that are exported from
kernel32.dll in their initialization routines."
LoadDLLViaAppInit from Didier Stevens at
http://blog.didierstevens.com/2009/12/23/loaddllviaappinit/
implements this.
Also, with AppInit_Dll, you may need to set additional registry keys. These
are all in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT \CurrentVersion\Windows
- LoadAppInit_DLLs (REG_DWORD): Set to 1 to enable
- AppInit_DLLs (REG_SZ): space or comma separated list of DLL paths with
short names.
- RequireSignedAppInit_DLLs (REG_DWORD): Set to 0 to load any DLLs
--[ Why does the install take so long?
Depending on your system, the installer is likely creating a checkpoint
during the time when the installer states "Gathering required information".
To test this, run the installer with "msiexec /i openhips-setup.msi /l setup.log"
and you'll see the step "InstallInitialize" takes a long time. This occurs
by default, and I don't want to mess with it, especially until I feel my
installer is safe.