Security lesson no.3: Pointer Subterfuge
March 01, 2006 8:36
The last buffer overflow technique I treated in my lessons was Pointer Subterfuge. With this technique you try to clobber a function pointer, and make it point to a memory location containing your own code.
My students instantly objected: there is almost no function pointer in our code!
No? What about C++ objects? COM components? Kernel functions exposed as APIs?
A common way to intercept kernel-mode APIs is to patch the kernel’s system service table, a table made of function pointers!
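To make the defensive side concrete, here is an added example (my own, not code from the lesson's slides or the ex9 sample) of the two habits that blunt pointer subterfuge wherever function pointers have to live in writable memory: store them encoded with a secret (as Windows' EncodePointer() does) and check, before every indirect call, that the decoded value is still one of the handlers registered at start-up. The dispatch table, the handlers, the cookie value and the simulated clobber are all constructed for the example; a real build would draw the cookie from the OS random source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a dispatch table whose function pointers are kept
   XOR-encoded with a per-process secret and validated against a
   registry of legitimate targets before each indirect call.
   Everything here is constructed for illustration. */

typedef int (*handler_fn)(int);

#define MAX_HANDLERS 4

static int add_one(int x)   { return x + 1; }
static int times_two(int x) { return x * 2; }

/* Registry of legitimate call targets: written once, then only read. */
static handler_fn g_known[MAX_HANDLERS];
static size_t     g_known_count;

/* Constructed stand-in for a random per-process secret. */
static uintptr_t g_cookie;

struct dispatch_table {
    uintptr_t slot[MAX_HANDLERS]; /* encoded pointers, never raw ones */
};

static uintptr_t encode_ptr(handler_fn fn) { return (uintptr_t)fn ^ g_cookie; }
static handler_fn decode_ptr(uintptr_t v)  { return (handler_fn)(v ^ g_cookie); }

static int is_known_handler(handler_fn fn) {
    for (size_t i = 0; i < g_known_count; i++)
        if (g_known[i] == fn) return 1;
    return 0;
}

/* Register a handler: remember it as legitimate and store it encoded. */
static void table_set(struct dispatch_table *t, size_t idx, handler_fn fn) {
    if (idx >= MAX_HANDLERS || g_known_count >= MAX_HANDLERS) return;
    g_known[g_known_count++] = fn;
    t->slot[idx] = encode_ptr(fn);
}

/* Call through slot idx. Returns 1 and stores the result only if the slot
   still decodes to a registered handler; returns 0 without calling anything
   if the stored value has been tampered with. */
static int table_call(const struct dispatch_table *t, size_t idx, int arg, int *out) {
    if (idx >= MAX_HANDLERS) return 0;
    handler_fn fn = decode_ptr(t->slot[idx]);
    if (!is_known_handler(fn)) return 0;
    *out = fn(arg);
    return 1;
}

static void table_init(struct dispatch_table *t) {
    memset(t, 0, sizeof *t);
    g_known_count = 0;
    g_cookie = (uintptr_t)0x5A17C0DEu;   /* constructed secret */
    table_set(t, 0, add_one);
    table_set(t, 1, times_two);
}

/* Scenario 1: an untouched table dispatches normally (20 * 2 = 40). */
int demo_call_legit(void) {
    struct dispatch_table t;
    int r = 0;
    table_init(&t);
    return table_call(&t, 1, 20, &r) ? r : -1;
}

/* Scenario 2: slot 1 is overwritten with an arbitrary integer, standing in
   for the bytes an overflow would leave there. The decoded pointer is no
   longer a registered handler, so the call is refused (-1) instead of
   transferring control to whatever that value happens to address. */
int demo_call_after_clobber(void) {
    struct dispatch_table t;
    int r = 0;
    table_init(&t);
    t.slot[1] = (uintptr_t)0x41414141u;  /* simulated clobber, plain integer store */
    return table_call(&t, 1, 20, &r) ? r : -1;
}

int main(void) {
    printf("legit call          -> %d\n", demo_call_legit());          /* 40 */
    printf("after clobbered slot -> %d\n", demo_call_after_clobber()); /* -1 */
    return 0;
}
```

The check in table_call is what makes the difference: without it, the XOR encoding alone only turns a precise redirect into a crash, whereas the registry turns it into a refused call you can log. The same pattern applies to a vtable guard or a kernel service table copy kept in read-only memory, where the registry is the original table and the check is a comparison against it.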
Are you interested? Go ahead and read the powerpoint slides and the sample source!
PointerSubterfuge.ppt (255.5 KB)
ex9-vptrSmash.zip (38.35 KB)