Using appropriate editors (PE Explorer is an example of one such editor for Windows PE
files), it is often possible to grow a file's disk image without impacting the file's runtime
memory layout. In these cases, it is possible to inject code into the expanded regions
within the file's various sections.
Regardless of how you find a hole, using the hole generally involves replacing vulnerable
code with a jump to your hole, placing patched code within the hole, and finally
jumping back to the location following the original vulnerable code. This process is
shown in Figure 19-2.
Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 19: Closing the Holes: Mitigation
Once space is available within a binary, the act of inserting new code is often performed
using a hex editor. The raw byte values of the machine language, often obtained
using an assembler program such as Netwide Assembler (NASM), are pasted into the
appropriate regions in the file and the resulting file is saved to yield a patched executable.
It is important to remember that disassemblers such as IDA Pro are not generally
capable of performing a patch operation themselves. In the case of IDA Pro, while it will
certainly help you develop and visualize the patch you intend to make, all changes that
you observe in IDA are simply changes to the IDA database and do not change the original
binary file in any way.
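The detour just described (replace the vulnerable code with a jump into the hole, place the fixed code there, jump back to the instruction after the original code) as an added Python example; this is not code from the book. It assumes a flat image in which the vulnerable code and the hole sit in the same section with a uniform file-to-memory mapping, so that differences of file offsets equal differences of virtual addresses, and that `fixed_code` is position independent.

```python
import struct

JMP_REL32_LEN = 5  # opcode E9 followed by a 4-byte signed displacement
NOP = b"\x90"

def encode_jmp_rel32(src, dst):
    """x86/x64 'jmp rel32' written at offset src that lands at dst.
    The displacement is measured from the end of the 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", dst - (src + JMP_REL32_LEN))

def jmp_target(image, off):
    """Decode the 'jmp rel32' at off and return the offset it lands on."""
    if image[off] != 0xE9:
        raise ValueError(f"no jmp rel32 at {off:#x}")
    (disp,) = struct.unpack_from("<i", image, off + 1)
    return off + JMP_REL32_LEN + disp

def patch_with_hole(image, vuln_off, vuln_len, hole_off, hole_len, fixed_code):
    """Detour [vuln_off, vuln_off+vuln_len) into the hole at hole_off.
    vuln_len must cover whole instructions (verify the boundary in a
    disassembler first) and nothing else may branch into that range."""
    if vuln_len < JMP_REL32_LEN:
        raise ValueError("vulnerable region too small for a 5-byte jmp")
    if len(fixed_code) + JMP_REL32_LEN > hole_len:
        raise ValueError("hole too small for the fix plus the return jmp")
    if any(image[hole_off:hole_off + hole_len]):
        raise ValueError("hole is not empty; refusing to overwrite live bytes")
    out = bytearray(image)  # never modify the caller's original image
    # 1. jmp to the hole, NOP-fill the rest so no partial instruction survives
    out[vuln_off:vuln_off + vuln_len] = (
        encode_jmp_rel32(vuln_off, hole_off) + NOP * (vuln_len - JMP_REL32_LEN))
    # 2. fixed code in the hole, then jmp back to the instruction that
    #    followed the original vulnerable code
    back = hole_off + len(fixed_code)
    out[hole_off:back + JMP_REL32_LEN] = (
        fixed_code + encode_jmp_rel32(back, vuln_off + vuln_len))
    return out

# Constructed sample: 0x30 bytes of placeholder code (int3) followed by a
# 16-byte zero-filled hole; the "vulnerable" 7 bytes are at 0x10..0x16.
SAMPLE_IMAGE = bytearray(b"\xcc" * 0x30 + b"\x00" * 0x10)
SAMPLE_FIX = b"\x31\xc0" + NOP * 6  # xor eax,eax plus padding (constructed)

def demo():
    return patch_with_hole(SAMPLE_IMAGE, 0x10, 7, 0x30, 0x10, SAMPLE_FIX)
```

The resulting bytes can be written with a hex editor exactly as the text describes; `jmp_target` lets you confirm both jumps land where intended before saving.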