Hacking With Css

[Beverly Zielonko]

Bothindividuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

This was a better, but not that great over all. I could sit for about 30 minutes before I had a leg going numb. Besides that, it was a little dangerous. I accidently bumped the start button a couple times and was launched off the back of the treadmill while perched atop the stool!

After I started sitting down, I began feeling bad about not exercising. To solve this problem, I decided to purchase an under desk elliptical machine. It took some creativity to figure out how to mount it so it would be out of the way for walking and rolling the deck in. This is what I came up with and I like it.

Debugging is a very important skill when it comes to software development and every software developer would have had times where they had to either debug something they wrote or something that was written by someone else. Depending on the platform you're working on, there are a bunch of tools that can help you with debugging with windbg being one of the most popular debugging tools for Windows. Windbg is something that I use heavily during my day to day work and I feel it's one of the most powerful tools ever written for Windows. There are many tutorials out there that give you an introduction to debugging with windbg, so this series will not focus on that. Instead, we will go through a few examples of how you can use windbg to do some reverse engineering and hacking and in the process, understand more about the different things you can do with windbg. While this particular part focuses on hacking Notepad through windbg, you can use similar techniques to hack something else. In future parts, I will show some advanced hacking and reverse engineering including some kernel mode examples.

While I will try to go over every single debugging command used here, this tutorial doesn't aim to be a starting point for learning windbg or learning assembly. Some familiarity with x64 assembly and windows programming is assumed. I use the word "windbg" to refer to the GUI tool but the same commands apply even if you're using CDB or NTSD.

In most of the windbg tutorials I have seen, Notepad seems to be the favorite demo application so for part 1, we will stick with that. The behavior we are trying to hack here is something you might have often seen and it annoys me a lot when I run into it. I saw a similar demo a couple of years back when someone else was doing it but I don't remember how they did it so I re-tried the same myself.

Let's say you open Notepad and then you click on "File->open" which opens up a dialog box to select the file you wish to open. You might have noticed while this dialog box is open, you cannot bring to the foreground the actual editing window. Clicking on the editing area throws an alert sound without bringing that window in foreground.

The rest of this tutorial will focus on how we can hack Notepad using windbg to change this behavior and actually keep switching back and forth between the two windows while both of them are open simultaneously.

The difference between these two options is in the first one (open executable), the debugger breaks in before the actual process starts executing its main routine. The debugger application basically calls CreateProcess API with a special flag that gives it control back after the application has been loaded in the memory but before it actually starts executing. In the second option (Attach to process), the debugger calls DebugActiveProcess API which attaches the debugger to the process which is already running and breaks-in.

How exactly the debugger communicates with the process being debugged is outside the scope of this tutorial but curious folks can read about it in the Advanced Windows Debugging book.

Once we have broken in, the next logical step is to first find out what is the function we want to hack. For example, what is the function that gets called when we click the open dialog box from the File Menu. For doing this, we will need symbols for notepad.exe and luckily, the Microsoft public server does have public symbols for it.

Without knowing the exact function name, we don't know what to search for but we can make an educated guess. If you were the developer writing the code for Notepad, what would you name the function that gets called when you click the open dialog box?. Well, I hope it atleast has the word open in it!

We now click on File->Open and you should see Notepad freeze when you do this. The debugger will have broken-in saying it hit our breakpoint and we can check the call stack at this time.

If you're familiar with Windows programming, you will know that Windows heavily uses the concept of objects and handles. Whenever you want to use an object, you always get a handle to it. If we think of the open dialog box and the editor area as two separate "window", then they would be two objects. Since we can't bring the editor window in the foreground till this dialogbox is open, that also suggests a parent-child relationship. At this stage, all this is speculation since we don't have the source code for Notepad but if our speculation is true, then this function will somehow know that its parent window is the editor window.

Without the private symbols, you can't dump local variables or parameters passed using the dv command but if you know your Microsoft x64 calling convention ( -us/library/ms235286.aspx), you would know that the first 4 parameters are passed in the rcx, rdx, r8 and r9 registers. So let's dump these using the r command.

I have highlighted the 4 registers in the output above. If you have used Window objects before which are represented by HWND (Handle to Window) and looked at the values it can have, you would instantly notice that only the rcx register has something that even remotely resembles a HWND.

To check this, we can close this instance of Notepad, and then open windbg again and this time, choose Open executable option pointing to the Notepad path. We want to see what's the HWND value that gets returned when we actually create a window in Notepad. So to do this, we will again use our friend x to search for functions that might resemble creating a window.

_imp_ represents that the actual function is inside the address of this _imp_CreateStatusWindowW. So we can dump the pointer value inside _imp_CreateStatusWindowW and unassemble it to get the actual function.

If you check MSDN for CreateWindowExW, you will see that it returns HWND, just what we are looking for! So let's put a breakpoint on this function and see what is the return value we get. Once we hit our breakpoint, we need to let this function execute and return back to the caller so we can use gu to go back one level in the stack to the function which actually called our function and then check the return value at this stage.

So how do we break this parent-child relationship between the two window objects? One easy way would be just clear the rcx register so the HWND value is 0. Of course, this may lead to a crash or not, but we don't have anything better to try at this stage.

We let the program resume now by hitting g and now if you click on the editor window while this dialog box is open, voila! It worked! Assuming you followed the steps listed here properly, you should be able to switch back and forth between the two windows now.

But wait! We don't want to keep setting this breakpoint everytime and changing the value of rcx everytime we open the dialogbox. Can we change the code to do this automatically for us from the debugger? You bet we can.

So for this, we need to make sure when the caller calls ShowOpenSaveDialog, it zeroes out the rcx register. The caller in this case is the InvokeOpenDialog function. Let's look at the assembly code just before it calls ShowOpenSaveDialog. You can use the ub command for this which unassembles backwards from a given address.

We see that rcx is getting the value from r14 which is highlighted above. What if instead of this mov instruction, we had something like xor ecx,ecx?. We just need to zero out the ecx register since HWND is a type of HANDLE datatype which are 32 bit values in practice even though it is defined as a PVOID. So essentially, we need something like this:

When using the a command, we must take care that the next instruction that follows the one which we are modifying, starts at the original offset. For example, the mov instruction before started at ae3 offset and the call instruction was at ae6. When we assemble xor ecx,ecx at ae3, it is a 2 byte instruction so we need to pad another 1 byte instruction at ae5. For this, we just use the nop instruction which doesn't really do anything.

Now using the ub command again, we see that our code is successfully modified with what we need. We can now disable all the breakpoints and resume Notepad. Since we didn't change rcx this time in the current invocation, we will not be able to switch back and forth between the windows yet. We can close this open dialog box this time and from the next subsequent times whenever we open it, we should be able to switch back and forth between the two windows now.

You should note that this code modification is done in the memory. So the actual binary doesn't get affected. Whenever you close Notepad and restart it, this hack won't be there so you will have to do it again if you wish to.

So here, we saw how we can use windbg to understand how the program execution works, search for functions inside an application and even change the behavior of an application whose source code we don't have! Hopefully, this gives you a greater sense of appreciation for windbg to see the different things you can do with it. In the next part, we will pick another application and do some more advanced hacking.

3a8082e126