#reversing
Abusing undocumented features to spoof PE section headers https://secret.club/2023/06/05/spoof-pe-sections.html | https://lobste.rs/s/sfvqfs #reversing #security #windows
@dzervas The decompiler in all of the screenshots in this thread is @binaryninja !
There are a few additional things which make the decompilation look nicer here:
The Microsoft symbol servers provide symbols for these Rust binaries too; those have been downloaded and applied (automatically by Binary Ninja; IDA and Ghidra should also just do this automatically) to this binary.
The symbols have additionally been demangled by me, just using this plugin: https://github.com/inspier/BinjaRustDemangler
On top of that I have applied some additional type information, renamed variables and fields, etc. In general having symbols makes it a lot easier though!
The actual binaries I'm looking at are also available for download from the Microsoft Symbol Server, if you wanted to take a look at the binaries for yourself too; you can get them easily from there without needing an insider preview build of Windows. Details at https://infosec.exchange/@cxiao/110360594370994764
#rust #rustlang #reversing #reverseengineering #microsoft #windows #binaryninja
Finally, here's what's actually inside that custom panic handler function seh_unwind::implementation::raise_exception: setting up an EXCEPTION_RECORD structure using the information provided by Rust's panic implementation up to here, then calling RtlRaiseExceptionwith that EXCEPTION_RECORDpassed in.
#rust #rustlang #windows #microsoft #reversing #reverseengineering
![A screenshot of the decompilation of the function `seh_unwind::implementation::raise_exception`, with the following code contents:
```
int64_t seh_unwind::implementation::raise_exception::hc52a1220c03bdc19(int32_t exception_code, char* exception_message, int64_t exception_NumberParameters) __noreturn
{
int32_t var_ac = exception_code;
int32_t status_code_ = win_defs::ntstatus::NTSTATUSError::status::h71e417d20a1a2c45(&var_ac);
struct EXCEPTION_RECORD exception_record;
__builtin_memset(&exception_record.ExceptionInformation, 0, 0x78);
exception_record.ExceptionCode = status_code_;
exception_record.ExceptionFlags = 0;
exception_record.ExceptionRecord = 0;
exception_record.ExceptionAddress = 0;
*(uint32_t*)((char*)exception_record.ExceptionAddress)[4] = 0;
exception_record.NumberParameters = exception_NumberParameters;
int64_t* exception_info_ptr;
int64_t exception_info_len;
exception_info_ptr = core::slice::index::impl$4::index_mut<usize>(exception_NumberParameters, &exception_record.ExceptionInformation);
core::slice::<impl [T]>::copy_from_slice::h17325824e865690e(exception_info_ptr, exception_info_len, exception_message, exception_NumberParameters, &str_"seh_unwind\src\lib.rs");
RtlRaiseException(&exception_record);
trap(6); // ud2 instruction (invalid opcode panic)
}
```](https://assets.toot.cafe/cache/media_attachments/files/110/500/653/050/625/034/small/2aa449aa25ccc680.png)
The rust_begin_unwind function - more specifically, the rust_begin_unwind symbol - is a bit special. It is actually a symbol that the panic implementation in Rust's core library (specifically, the panic_impl function) expects to be resolved at link time, for any binary which doesn't just unconditionally abort upon panic: https://rustc-dev-guide.rust-lang.org/panic-implementation.html#core-definition-of-panic
For binaries which are using Rust's standard library, rust_begin_unwind normally just links against an implementation in the standard library (begin_panic_handler, in library/std/src/panicking.rs)
However, the Windows kernel code here is not using Rust's standard library - it has to be this way, because Rust's standard library assumes that it's running in an environment where an operating system is present underneath it to give it nice abstractions, which is clearly not the case here as the code is implementing part of the Windows operating system...
Rust programs which do not use the standard library are built with the attribute #[no_std], which means that they link against Rust's core library only, rather than both the core library and std library. The core library only provides a very limited set of APIs, does not do heap allocations, and makes no assumptions that your code is running on top of an operating system.
In this case, because the implementation of rust_begin_unwind doesn't have an implementation that the Rust core library can link against, the programmer must either provide one, or change the panic strategy to abort on panic instead (i.e. set panic = "abort" in Cargo.toml).
Luckily, other code in the kernel provides some facilities for handling and recording exceptions, via RtlRaiseException, so the code here can provide an implementation which calls that (via the wrapper function seh_unwind::implementation::raise_exception, which AFAIK is not part of any public crate)
The Rust Embedonomicon book, which is about writing Rust for embedded systems and similar restricted environments, has a chapter called "The smallest #![no_std] program" which explains this in a bit more detail, including the requirement for a panic handler implementation: https://docs.rust-embedded.org/embedonomicon/smallest-no-std.html
#rust #rustlang #windows #microsoft #reversing #reverseengineering
The Rust code in the new win32kbase_rs.sys in the Windows Kernel can also panic. What happens when it does?
There are several places where a panic is invoked in the code - they include bounds check failures (core::panicking::panic_bounds_check), indexing into a slice outside of the length of that slice (core::slice::index::slice_start_index_len_fail_rt), and assertion failures (core::panicking::assert_failed). These all eventually take a common code path through the following series of function calls:
core::panicking::panic_fmt::hd60a775b92204b91
-> rust_begin_unwind
--> seh_unwind::implementation::raise_exception::hc52a1220c03bdc19
This calls into a custom panic handler, seh_unwind::implementation::raise_exception, which calls RtlRaiseException, imported from the main ntoskrnl binary!
#rust #rustlang #windows #microsoft #reversing #reverseengineering
How one of Vladimir Putin’s most prized hacking units got pwned by the FBI https://arstechnica.com/information-technology/2023/05/how-the-fbi-pwned-turla-a-kremlin-jewel-and-one-of-worlds-most-skilled-apts/ | https://lobste.rs/s/jrf82t #reversing #security
AR glasses USB protocols: the Good, the Bad and the Ugly https://voidcomputing.hu/blog/good-bad-ugly/ | https://lobste.rs/s/j5nvbe #hardware #reversing
Rust to Assembly: Understanding the Inner Workings of Rust https://eventhelix.com/rust/ | https://lobste.rs/s/bykhdz #reversing #rust
#AsmResolver 5.3.0 is out!
More performance and #pe reader bugfixes, new docs, and we also made it easier to ignore errors when writing #dotnet modules.
Changelog and download links:
👉 https://github.com/Washi1337/AsmResolver/releases/tag/v5.3.0
The Group Decode ROM: The 8086 processor's first step of instruction decoding http://www.righto.com/2023/05/8086-processor-group-decode-rom.html | https://lobste.rs/s/ndo4ko #hardware #historical #reversing
The Rust Windows kernel GDI code also has symbols for fallible_vec::FallibleVec<T,A> , which looks like a non-panicking Vec implementation. try_extend, try_extend_from_slice, try_splice_in, and try_insert are all implemented.
In fact it looks suspiciously similar to the rust_fallible_vec crate, which Microsoft recently open-sourced: https://github.com/microsoft/rust_fallible_vec :thonking:
( @TehPenguin 👋 )
The methods are generic over the allocator type A; some of these FallibleVec method implementations use the registered global allocator gdi_alloc::Win32Allocator , and others use the gdi_alloc::TaggedAllocator with the GDI-specific pool tags.
#rust #rustlang #windows #microsoft #reversing #reverseengineering
For the specific GDI objects, there are still allocations made with the existing GDI-specific pool tags.
It looks like the rgncore::scan::ScanBuilder<gdi_alloc::TaggedAllocator<_>> object uses the existing GDI pool tag Gscn ( i.e. GDITAG_SCAN_ARRAY) for vector allocations. (Probably gdi_alloc::TaggedAllocator<_> requires specifying a pool tag)
I also see Gedg (i.e. GDITAG_EDGE) being used in gdi_rust::region::from_path::GlobalEdgeTable::add_edge, and gdi_rust::region::from_path::ActiveEdgeTable::new
, among other places.
#rust #rustlang #windows #microsoft #reversing #reverseengineering
In the new Rust Windows kernel GDI code, there is a new global allocator registered named gdi_alloc::Win32Allocator . It calls Win32AllocPool with a fun new pool tag name, "Rust"!
#rust #rustlang #windows #microsoft #reversing #reverseengineering
For the new Windows kernel Rust GDI stuff that is all the rage now (win32kbase_rs.sys, win32kfull_rs.sys): here are the links to download copies of those binaries, from the Microsoft Symbol Server:
https://msdl.microsoft.com/download/symbols/win32kbase_rs.sys/272C4A031b000/win32kbase_rs.sys
https://msdl.microsoft.com/download/symbols/win32kfull_rs.sys/8264C482a000/win32kfull_rs.sys
These should be the versions that are in Windows 11 Insider Preview 25357.1 (zn_release) amd64 . The SHA-256 hashes are:
87ee0235caf2c97384581e74e525756794fa91b666eaacc955fc7859f540430d win32kbase_rs.sys
2efb9ea4032b3dfe7bf7698bd35e3ea3817d52f4d9a063b966f408e196957208 win32kfull_rs.sys
(I first extracted these files myself from the update package for build 25357.1, then generated the symbol server download URLs from the PE metadata in the files)
Of course, in addition to the actual executables, symbols are available from the symbol server as well (see screenshot).
@analog_feelings already did some reversing of win32kbase_rs.sys several weeks ago, here: https://tech.lgbt/@analog_feelings/110232321999960466 🤘
Now, time for me to go figure out how to actually reverse Rust 🦀
#rust #rustlang #windows #reversing #reverseengineering #microsoft
Trying to find hashes for Snake (at least to see if it's different from the previous Snake samples).
So I was wondering if the YARA rule mentioned would help to find some recent samples in VirusTotal. Obviously the rule is too broad and it's quite common to have such non-standard icon size.
Will they share the samples at some point? or at least the hashes? Another good point that having the sample hashes is important (even if the pyramid of pain said the opposite).
El lado del mal - 5ª Edición del Máster en Reversing, Análisis de Malware y Bug Hunting https://www.elladodelmal.com/2023/05/5-edicion-del-master-en-reversing.html #malware #reversing #CSIRT #master #formación #bughunting #CampusCiberseg
Nintendo reportedly issues DMCA takedown for Switch homebrew projects, Skyline Switch emulator development ceased https://gbatemp.net/threads/nintendo-reportedly-issues-dmca-takedown-for-switch-homebrew-projects-skyline-switch-emulator-development-ceased.632406/ #reversing #law
Nintendo reportedly issues DMCA takedown for Switch homebrew projects, Skyline Switch emulator development ceased https://gbatemp.net/threads/nintendo-reportedly-issues-dmca-takedown-for-switch-homebrew-projects-skyline-switch-emulator-development-ceased.632406/ | https://lobste.rs/s/ewtjm3 #law #reversing
thanks @winload_exe for mirroring a 2016 build of Windows (x86) with private symbols
it's not 100% private symbols (there's a few public symbols only in there afaik), but the majority of them have full type/locals/params info, most of which is still relevant today depending on what components you are looking at.
having private symbols definitely helped with my windows bootloader research, for example.
https://archive.org/details/10.0.14361.1000.rs1_release_prs.160603-2123_x86PlusPrivateSyms
Unlocking North Korean songs on a karaoke machine https://www.northkoreatech.org/2020/06/02/unlocking-north-korean-songs-on-a-karaoke-machine/ #android #reversing
Unlocking North Korean songs on a karaoke machine https://www.northkoreatech.org/2020/06/02/unlocking-north-korean-songs-on-a-karaoke-machine/ | https://lobste.rs/s/ksvp55 #android #reversing
I've been experimenting with reversing Rust binaries recently. To help with this, I wrote a little @binaryninja plugin which imports type layout information from the Rust compiler: https://github.com/cxiao/rust_type_layout_helper_bn
You can install it now through the Binary Ninja plugin manager, by searching for "Rust Type Layout Helper".
The nightly versions of the Rust compiler support the print-type-sizes flag, which emit information about how types are laid out in memory. Its output looks like this:
print-type-size type: std::sys::windows::c::OBJECT_ATTRIBUTES: 48 bytes, alignment: 8 bytes
print-type-size field .Length: 4 bytes
print-type-size padding: 4 bytes
print-type-size field .RootDirectory: 8 bytes, alignment: 8 bytes
print-type-size field .ObjectName: 8 bytes0
print-type-size field .Attributes: 4 bytes
print-type-size padding: 4 bytes
print-type-size field .SecurityDescriptor: 8 bytes, alignment: 8 bytes
print-type-size field .SecurityQualityOfService: 8 bytes
The plugin parses that output from the Rust compiler, and creates the following type in Binary Ninja:
struct std::sys::windows::c::OBJECT_ATTRIBUTES __packed
{
int32_t .Length;
int32_t _padding;
int64_t .RootDirectory;
int64_t .ObjectName;
int32_t .Attributes;
int32_t _padding;
int64_t .SecurityDescriptor;
int64_t .SecurityQualityOfService;
};
This is an experimental plugin because the layout of data types in Rust is not stable, and can change between compilations; therefore, I'm not sure how useful this plugin will be for reversing targets for which you do not have the source code.
However, I think it will be useful if you're compiling your own Rust code, then examining the resulting binary in Binary Ninja as an exercise to get more familiar with certain core data types, or to get more familiar with how Rust lays out types in memory in general.
Happy reversing!
#rust #rustlang #binaryninja #malware #reverseengineering #reversing
Driver adventures for a 1999 webcam https://blog.benjojo.co.uk/post/quickcam-usb-userspace-driver | https://lobste.rs/s/4tyaay #hardware #reversing
Driver adventures for a 1999 webcam https://blog.benjojo.co.uk/post/quickcam-usb-userspace-driver #hardware #reversing
Diagnosing and repairing a Brother fax/printer USB failure https://www.downtowndougbrown.com/2023/04/diagnosing-and-repairing-a-brother-fax-printer-usb-failure/ #hardware #reversing
Diagnosing and repairing a Brother fax/printer USB failure https://www.downtowndougbrown.com/2023/04/diagnosing-and-repairing-a-brother-fax-printer-usb-failure/ | https://lobste.rs/s/pxgucj #hardware #reversing
A CTF Challenge using the Nintendo 3DS' unique features https://reswitched-weekly-reboot.github.io/posts/3ds-ctf/ #reversing #education
A CTF Challenge using the Nintendo 3DS' unique features https://reswitched-weekly-reboot.github.io/posts/3ds-ctf/ | https://lobste.rs/s/g7bc1z #education #reversing
Hacking the Nintendo DSi Browser https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser #security #reversing
Hacking the Nintendo DSi Browser https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser | https://lobste.rs/s/uxatzm #reversing #security
Realtek WiFi Firmware and a Fully 8051-based Keylogger Using RealWOW Technology (2021) https://8051enthusiast.github.io/2021/07/05/002-wifi_fun.html #hardware #reversing
Realtek WiFi Firmware and a Fully 8051-based Keylogger Using RealWOW Technology (2021) https://8051enthusiast.github.io/2021/07/05/002-wifi_fun.html | https://lobste.rs/s/r6mnn8 #hardware #reversing
touchHLE in depth, part 1: a day in the life of a function call https://hikari.noyu.me/blog/2023-04-13-touchhle-in-depth-1-function-calls.html #ios #assembly #reversing #rust
touchHLE in depth, part 1: a day in the life of a function call https://hikari.noyu.me/blog/2023-04-13-touchhle-in-depth-1-function-calls.html | https://lobste.rs/s/h601kl #ios #objectivec #reversing #rust
Fullscreen apps above the MacBook notch https://notes.alinpanaitiu.com/Fullscreen%20apps%20above%20the%20MacBook%20notch #reversing #mac
Fullscreen apps above the MacBook notch https://notes.alinpanaitiu.com/Fullscreen%20apps%20above%20the%20MacBook%20notch | https://lobste.rs/s/6l8rbu #mac #reversing
de_Fuse, the One True Pwn https://douevenknow.us/post/714056575412764672/defuse-the-one-true-pwn #hardware #reversing
de_Fuse, the One True Pwn https://douevenknow.us/post/714056575412764672/defuse-the-one-true-pwn | https://lobste.rs/s/g5iyvz #hardware #reversing
Reverse-engineering the division microcode in the Intel 8086 processor http://www.righto.com/2023/04/reverse-engineering-8086-divide-microcode.html #hardware #reversing #historical
Reverse-engineering the division microcode in the Intel 8086 processor http://www.righto.com/2023/04/reverse-engineering-8086-divide-microcode.html | https://lobste.rs/s/qqee9r #hardware #historical #reversing
CAN Injection: keyless car theft https://kentindell.github.io/2023/04/03/can-injection/ #security #reversing
CAN Injection: keyless car theft https://kentindell.github.io/2023/04/03/can-injection/ | https://lobste.rs/s/cg4j5t #reversing #security
The microcode and hardware in the 8086 processor that perform string operations http://www.righto.com/2023/04/8086-microcode-string-operations.html | https://lobste.rs/s/2ls8pg #hardware #historical #reversing
Source code archives of several video games for classic consoles http://shrigley.com/source_code_archive/#comments | https://lobste.rs/s/rs69wv #games #historical #reversing
Can we hide the orange dot without disabling SIP? https://notes.alinpanaitiu.com/Can%20we%20hide%20the%20orange%20dot%20without%20disabling%20SIP | https://lobste.rs/s/2hbam7 #mac #reversing
#FDA approves #overdose #reversing #Narcan for sale without #prescription. Move seen as a key strategy to control the US #overdose #crisis, which has been linked to more than 100,000 deaths a year https://www.fda.gov/news-events/press-announcements/fda-approves-first-over-counter-naloxone-nasal-spray #OTC #naloxone #opiod #overdoses
Fixing incredibly slow launching on Intel’s Rapid Storage Technology / Virtual RAID on CPU application https://codeinsecurity.wordpress.com/2023/03/29/fixing-incredibly-slow-launching-on-intels-rapid-storage-technology-virtual-raid-on-cpu-application/ | https://lobste.rs/s/vfbo68 #dotnet #reversing
bread: BIOS Reverse Engineering & Advanced Debugging https://github.com/Theldus/bread | https://lobste.rs/s/jyxbvs #assembly #debugging #osdev #reversing
Reverse-engineering the Globus INK, a Soviet spaceflight navigation computer http://www.righto.com/2023/03/reverse-engineering-globus-ink-soviet.html | https://lobste.rs/s/ddldbg #hardware #historical #reversing
Analysis of a Redline Based Malware https://serhack.me/articles/analysis-redline-based-malware/ | https://lobste.rs/s/bpobqd #reversing
#AsmResolver 5.2.0 is out now.
This version includes read support for many more #PDB symbols, #dotnet AppHost patching, .NET TypeSignature::IsAssignableTo(type), QoL improvements and bug fixes.
👉 Full changelog and download links:
https://github.com/Washi1337/AsmResolver/releases/tag/v5.2.0
Printing real headline news on the Commodore 64 with The Newsroom's Wire Service https://oldvcr.blogspot.com/2023/03/printing-real-headline-news-on.html?m=1 | https://lobste.rs/s/l0j0wi #historical #reversing
Printing real headline news on the Commodore 64 with The Newsroom's Wire Service https://oldvcr.blogspot.com/2023/03/printing-real-headline-news-on.html | https://lobste.rs/s/khlxxz #historical #reversing
Tutorial for extracting the GameBoy ROM from photographs of the die https://github.com/travisgoodspeed/gbrom-tutorial | https://lobste.rs/s/odoals #hardware #reversing
Reverse-engineering the multiplication algorithm in the Intel 8086 processor http://www.righto.com/2023/03/8086-multiplication-microcode.html | https://lobste.rs/s/dwziof #hardware #historical #reversing
Reverse-engineering the register codes for the 8086 processor's microcode http://www.righto.com/2023/03/8086-register-codes.html | https://lobste.rs/s/1wiec3 #hardware #historical #reversing
The kids just got home from school.
11yo: Dad, the TV’s not working!
Me: Oh yeah sorry. I moved it to a new network because I’m investigating its UPnP responses.
11yo: Stop breaking things for nerd reasons!
Sierra’s Macintosh Timebomb https://www.benshoof.org/blog/sierras-macintosh-timebomb | https://lobste.rs/s/ci5gut #reversing
Reverse Prompt Engineering for Fun and (no) Profit https://lspace.swyx.io/p/reverse-prompt-eng | https://lobste.rs/s/ohgntv #ai #reversing
Bro. I just stumbled upon the Bob Ross of Malware analysis. #Reversing #MalwareAnalysis #ChillAF
https://www.youtube.com/watch?v=uAb9aupRJ14
I just realised 6 months passed since my last #introduction (https://fosstodon.org/@mala/108340283629018455) so here is an updated one!
Names: +mala, Davide, da, Eddie, AiTTaLaM
Job: yes please 🙂 (aka formerly @ the birds place). #AI, #ML, but above all #teaching are my passions
Projects: 3564020356.org is the longest lasting one (~22yrs 😅), #PicoGopher the most recent... You go look and find the rest! 😜
Sports: #bouldering
Interests: #gopher #selfhosting #micropython #raspberrypi #opensource #reversing