6/24/2016

Documenting the Undocumented: Adding CFG Exceptions - Breaking Malware

0:001> k 
ChildEBP RetAddr  
0017ca6c 7730c7a2 ntdll!RtlFailFast2 
0017ca98 7732aa88 ntdll!RtlpHandleInvalidUserCallTarget+0x73 
0017cb20 77318d7b ntdll!LdrpValidateUserCallTargetBitMapRet+0x3b

Looking at this call stack, things are starting to make sense. It looks like a call was made to
ntdll!LdrpValidateUserCallTargetBitMapRet.
Let’s take a look at ntdll!LdrpValidateUserCallTargetBitMapRet with IDA:

(http://breakingmalware.com/wp-content/uploads/2016/06/Figure-4-IDA-Functions-Windows-LdrpValidateUserCallTarget.png)
Looking at the disassembly (after undefining these three functions and redefining them as one) we can probably
infer that the call was actually made to ntdll!LdrpValidateUserCallTarget. This can also be verified by further
examining the call stack – which we will do in a future post.

http://breakingmalware.com/documentation/documenting-undocumented-adding-control-flow-guard-exceptions/

5/18