Posts

Showing posts with the label anti-malware

Finding hidden strings like a pro

Every single program uses strings to store file paths, labels and prompt text. But not everyone knows that plain text strings can be easily obtained with a debugger. Some programs even store passwords or other important information in plain text strings. In this blog post I will go over the most popular ways of hiding/encrypting strings in programs. Passwords should never be stored as plain text (but we will do it anyway for demonstration purposes)! A better approach is to store a hash of the password and compare hashes. First, let's demonstrate with an example what I mean by storing plain text strings: Now, let's look at this program with the debugger. By searching for all referenced strings in the program we can easily discover what the password is; no advanced techniques are needed: Now, let's look at something more interesting. In this case we have an alphabet (char array), where we have defined our char set. When it comes to checking the string - we co...

DLL injection - detection and prevention

Dynamically Loaded Libraries (DLL) are used in almost any project because of their unique properties: modularity, ease of support, updatability. Unfortunately, this can be easily exploited, and all it takes is for the attacker to simply replace the original DLL file with a malicious one (especially if the project is no longer being maintained and does not use hashing to verify that the valid DLL is being loaded). Moreover, an attacker can load their DLL into a remote process (usually done to stay hidden, since after the DLL is injected they can run malicious code "from within" the target process). To make it easier to visualize, here is a small diagram: For example, we have a program that displays the number of seconds passed since it started (not to overcomplicate things): An attacker can create a malicious DLL that logs pressed keys, but in this case it simply displays a message box: And the attacker also has an injector that will load their DLL into the target process: The way an...