WhiteHat and the Exploit Factory

To begin understanding why process memory patching is a serious issue we need to understand what it is and how it works. So, without further ado let's answer these questions. Memory patching is modification of process memory in runtime (in this post I am not going to talk about patching binary files). To help you better understand, let's imagine the following scenario: you created a game that has a high score system, user's score is stored in a variable in memory and at game over it is sent to the server. Now, imagine if someone changes the variable in memory right before it is sent. Sounds unfair to other honest players, doesn't it? To better demonstrate how it works I wrote a simple demo in c++ (which you can compile and test on your system). It this post I will be only talking about how it's done in user mode . Target program: Attacker program: First we compile and run a target program, it will display it's process identifier (PID) and a memory loca...

Buffer overflow is a vulnerability, which is usually caused by uncareful handling of user input, but it does not end there. Most of the time it happens when data is being copied into a buffer, which does not have enough space and as a result part of the process memory is being overwritten. It might seem as not that big of a deal at first, but it should not be underestimated. Here is a very basic example of a variable overflow: In this example we are continuously adding 10 to a variable. It may seem like this code will never exit the while statement, because we can keep adding 10 to a variable forever, but that's not quite how it works in programming languages. The thing is that every variable type has some amount of memory allocated to store it's value, thus creating a limit. In this case I created an Integer, which only can store values that can be represented in 4 bytes of space (approximately from -2 billion to +2 billion). When we reach the maximum positive value and ...