"EIP = 41414141 . . . Mission EIP control accomplished! I was able to build a working exploit, intended to achieve arbitrary code execution, using the well-known jmp reg technique, as described in “Variations in Exploit Methods Between Linux and Windows” by David Litchfield"
"In line 19139, the value of error, which holds one of the error conditions, is explicitly set to 0. Error condition 0 means that no error has occurred so far. By supplying a colon directly followed by an ASCII zero and an arbitrary digit in the interface name, it is possible to trigger the code in l"
"The system crash is caused by the NULL pointer dereference. As the zero or NULL page is normally not mapped, the dereference leads to an access violation that crashes the system (see also Section A.2). All I had to do to prevent the system from crashing was to map the zero page before triggering the"
"The vulnerability affects the FFmpeg multimedia library that is used by many popular software projects, including Google Chrome, VLC media player, MPlayer, and Xine to name just a few. There are also rumors that YouTube uses FFmpeg as backend conversion software"
"To gain control of the execution flow, I had to overwrite a memory location to gain control over EIP. In this example, I used a GOT entry. The RELRO mitigation technique has an operation mode called Full RELRO that (re)maps the GOT as read-only, thus making it impossible to use the described GOT ove"
"To find the address of the NewObject() method, I started Internet Explorer from within WinDbg7 (also see Section B.2 for a description of the debugger commands) and set the following breakpoint at OLEAUT32!DispCallFunc (see also Figure 5-4):"
"Next, I disassembled the binary C:\Program Files\WebEx\WebEx\824\ atucfobj.dll with IDA Pro.8 In IDA, the imagebase of atucfobj.dll was 0x10000000. So NewObject() was located at address 0x1000767f (imagebase + offset of NewObject(): 0x10000000 + 0x767F) in the disassembly (see Figure 5-6)."
About the Author
Tobias Klein is the founder of NESO Security Labs, a well-known German information security consulting and research company, and a senior software security researcher. Over his career he has discovered countless software security vulnerabilities, including a number in products from Apple, Microsoft and other companies. Besides this book, he has published two German-language works on information security.