CSCI 5957-904 Ethical Hacking – Final Paper



Words: 1158

Pages: 5

Category: Science and Technology

Date Submitted: 06/29/2012 10:49 AM



The Python debugger PyDBG is a very useful tool for reverse engineering applications and analyzing the behavior of the data they use. Several features built into PyDBG help with probing applications. Support for user-defined callback functions is one of the most useful: these functions can be used to read memory, introduce breakpoints, or change the flow of data. Another feature is access violation handlers. These handlers capture significant information about the program being debugged whenever it crashes, and that information can be used to discover vulnerabilities in the program. A third widely used feature is process snapshots. A snapshot freezes a process, captures all of its memory, and then lets the process resume as normal; the process can also be reverted to that snapshot at any later point, which is very convenient.

The Gray Hat Python book mentions several other methods of analyzing programs for vulnerabilities. The first method mentioned, hooking, is a technique that monitors an application and can change the flow of that program and/or alter its data. This technique is used by debuggers, rootkits, and keyloggers. Many newer malware and adware programs also use this method to avoid detection by the programs that try to detect them running in memory. There are two primary types of hooks on the Windows platform. The first, a soft hook, is attached to a process and uses breakpoint handlers to analyze the flow of the application. The second, a hard hook, is hard-coded into the target's assembly: it interrupts the flow of the assembly code and injects a call to the hook, which is itself written in assembly.
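The following script, added here as an example and not part of the paper or of PyDBG itself, ties the features above together: a breakpoint callback (a soft hook) that takes a process snapshot before the interesting code runs, and an access violation handler that records the crash details. The PyDBG calls follow the API used in Gray Hat Python; TARGET is a placeholder path and the import is guarded because PyDBG is Windows-only.

```python
# Added example (not from the paper or from PyDBG): crash triage using a
# breakpoint callback, an access-violation handler and a process snapshot.
# PyDBG only runs on Windows, so the import is guarded and the Windows
# constants are supplied as fallbacks; TARGET is a placeholder (assumption).
try:
    from pydbg import pydbg
    from pydbg.defines import (EXCEPTION_ACCESS_VIOLATION, DBG_CONTINUE,
                               DBG_EXCEPTION_NOT_HANDLED)
except ImportError:                       # PyDBG not installed / not Windows
    pydbg = None
    EXCEPTION_ACCESS_VIOLATION = 0xC0000005
    DBG_CONTINUE = 0x00010002
    DBG_EXCEPTION_NOT_HANDLED = 0x80010001

TARGET = r"C:\path\to\target.exe"         # assumption: program under analysis


def describe_violation(exception_address, violation_address, write_violation):
    """Turn the raw fault facts PyDBG exposes into a one-line triage record.

    A write fault is generally more significant than a read fault, and a
    fault near address 0 is usually a plain NULL dereference rather than a
    corrupted pointer, so both facts are called out in the record.
    """
    kind = "write" if write_violation else "read"
    note = ("likely NULL dereference" if violation_address < 0x1000
            else "possible corrupted pointer")
    return "AV at 0x%08x: %s of 0x%08x (%s)" % (
        exception_address, kind, violation_address, note)


def on_access_violation(dbg):
    """Access-violation handler: log the crash, then let the process die."""
    print(describe_violation(dbg.exception_address,
                             dbg.violation_address, dbg.write_violation))
    print(dbg.dump_context())             # registers plus a short stack dump
    return DBG_EXCEPTION_NOT_HANDLED


def on_snapshot_point(dbg):
    """Breakpoint callback (soft hook): freeze a copy of the process here."""
    dbg.process_snapshot()                # undo later with dbg.process_restore()
    return DBG_CONTINUE


def run(target=TARGET, snapshot_address=None):
    """Load the target, wire up the handlers and run it under the debugger."""
    dbg = pydbg()
    dbg.load(target)
    dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, on_access_violation)
    if snapshot_address is not None:      # assumption: caller resolves it
        dbg.bp_set(snapshot_address, description="snapshot",
                   handler=on_snapshot_point)
    dbg.run()
```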

The next method mentioned is actually two methods: DLL injection and code injection. The concept behind these two methods is that a remote process can be used to attack a...