Dpp

Reputation: 1974

How to say if a binary is GS compiled or not, and without symbols?

I want to be able to determine if a binary is GS compiled or not. /GS being a buffer security check, using a cookie. I want to be able to find this without symbols and in a generic manner.

BinScope gives me the following when it tries to check for GS: E_PDB_NO_DEBUG_INFO (PDB is stripped of cv info)

Any idea?

Upvotes: 1

Views: 1596

Answers (2)

Willem Hengeveld

Reputation: 2776

If your binary does not have a 'load config' (like, for instance, Windows Mobile binaries), I think it is still quite easy to recognize the pattern:

Many functions will look like this:

... [function entry]
.text:01005188                 mov     eax, ___security_cookie
.text:0100518D                 mov     [ebp+var_1C], eax
... [function body]
.text:010057F6                 mov     ecx, [ebp+var_1C]
.text:010057F9                 call    sub_1007147
... [function exit]

Then sub_1007147 looks like this:

.text:01007147                 cmp     ecx, ___security_cookie
.text:0100714D                 jnz     short loc_1007158
.text:0100714F                 test    ecx, 0FFFF0000h
.text:01007155                 jnz     short loc_1007158
.text:01007157                 retn

referencing the cookie, which is stored together with its inverse:

.data:01009600 dword_1009600   dd 0FFFF44BFh
.data:01009604 ___security_cookie dd 0BB40h

The __security_cookie will have lots of references, while the preceding inverse has only a few.

In the init list there will be a function to initialize the cookie with some pseudo-random value.

Searching the binary for these patterns should give you an idea if /GS was used.

Upvotes: 0

Igor Skochinsky

Reputation: 25288

If you don't have a PDB, there is no good way to do it short of inspecting the binary and looking at the functions. I had thought it should be possible to check the loadconfig directory which records the location of the security cookie, but that's no good. Even if the program is compiled with /GS-, the linked CRT functions still use the cookie:

>dumpbin /loadconfig test.exe

Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file test.exe

File Type: EXECUTABLE IMAGE

  Section contains the following load config:

            00000048 size
                   0 time date stamp
                0.00 Version
                   0 GlobalFlags Clear
                   0 GlobalFlags Set
                   0 Critical Section Default Timeout
                   0 Decommit Free Block Threshold
                   0 Decommit Total Free Threshold
            00000000 Lock Prefix Table
                   0 Maximum Allocation Size
                   0 Virtual Memory Threshold
                   0 Process Heap Flags
                   0 Process Affinity Mask
                   0 CSD Version
                0000 Reserved
            00000000 Edit list
   >        00408000 Security Cookie      <
            00407840 Safe Exception Handler Table
                   3 Safe Exception Handler Count

    Safe Exception Handler Table

          Address
          --------
          004025D0
          00404200
          00405160

Upvotes: 1
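The two answers together give a workable heuristic: take the cookie address from the load config (as in the dumpbin output above, 0x00408000), then count how many functions load it in their prologue and whether the cookie-check routine is present, remembering that a handful of references can come from the CRT alone. The following is an added example, not code from either answer: it scans a .text byte string for the x86 encodings of the prologue and check-routine sequences shown in the first answer, run over a constructed sample. The optional `xor eax, ebp` in the prologue pattern and the threshold in the verdict are assumptions, not something the answers state.

```python
import re
import struct

# Cookie VA as reported by "dumpbin /loadconfig" in the answer above.
COOKIE_VA = 0x00408000

def gs_patterns(cookie_va):
    """x86 byte patterns for the /GS sequences shown in the first answer.
    Assumption: frame-pointer-based codegen; the optional 'xor eax, ebp'
    (33 C5) covers the later MSVC prologue variant."""
    addr = re.escape(struct.pack("<I", cookie_va))
    return {
        # mov eax, [__security_cookie] ; [xor eax, ebp] ; mov [ebp+disp8], eax
        "prologue": re.compile(rb"\xA1" + addr + rb"(?:\x33\xC5)?\x89\x45.", re.DOTALL),
        # cmp ecx, [__security_cookie] ; jnz short ; test ecx, 0FFFF0000h ; jnz short ; retn
        "check_fn": re.compile(rb"\x3B\x0D" + addr + rb"\x75.\xF7\xC1\x00\x00\xFF\xFF\x75.\xC3", re.DOTALL),
    }

def scan_text(text_bytes, cookie_va):
    """Count occurrences of each /GS pattern in a raw .text section image."""
    return {name: len(pat.findall(text_bytes)) for name, pat in gs_patterns(cookie_va).items()}

def verdict(counts, min_users=10):
    """Heuristic from the answers: a check routine plus many prologue users
    suggests /GS; a few users may be the linked CRT even under /GS-.
    The min_users threshold is an assumption, tune it per binary."""
    if counts["check_fn"] == 0:
        return "no cookie check routine found"
    if counts["prologue"] >= min_users:
        return "likely /GS"
    return "cookie present but few users (CRT-only, /GS- not excluded)"

def build_sample():
    """Constructed .text bytes: three /GS functions plus the check routine,
    encoded exactly as the listings in the first answer."""
    addr = struct.pack("<I", COOKIE_VA)
    # push ebp; mov ebp,esp; sub esp,20h; mov eax,cookie; mov [ebp-1Ch],eax
    prologue = b"\x55\x8B\xEC\x83\xEC\x20\xA1" + addr + b"\x89\x45\xE4"
    # mov ecx,[ebp-1Ch]; call check; mov esp,ebp; pop ebp; retn
    epilogue = b"\x8B\x4D\xE4\xE8\x00\x00\x00\x00\x8B\xE5\x5D\xC3"
    # cmp ecx,cookie; jnz +9; test ecx,0FFFF0000h; jnz +1; retn; jmp report_failure
    check = b"\x3B\x0D" + addr + b"\x75\x09\xF7\xC1\x00\x00\xFF\xFF\x75\x01\xC3" + b"\xE9\x00\x00\x00\x00"
    return (prologue + b"\x90" * 4 + epilogue) * 3 + check

if __name__ == "__main__":
    counts = scan_text(build_sample(), COOKIE_VA)
    print(counts, "->", verdict(counts))
```

Raw byte matching can hit data that happens to look like code, so confirm hits in a disassembler before drawing a conclusion.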
