View Full Version : DLL in folder - Imported by ..which exe/dll/sys?


live_dont_exist
April 15th, 2013, 16:48
Hi All,
Been doing a pentest for a client and it's a very large program. Lots of exes, dlls and sys files. Now I ran a few basic IDA Pro scripts on these and have 2 nice lists of functions:

a) List of files with offsets which call functions vulnerable to buffer overflows. - Say List A
b) List of files which use DPAPI. This I need to find how the key is stored, as everything is encrypted. - Say List B
c) List of imports for each Exe, Dll and Sys file. - Say List C

Now to simplify the problem, let's say I have 10 EXE files in total. I have List C for all 10 EXE files. Now I look at List A and List B and think, ah, 5 DLLs are using strcpy. Let me see which of the 10 EXE files import any of the DLLs in List A and List B.

Strangely though, I get very very few hits.

So I'm thinking...if those DLLs are not imported at all...is it even a problem if they have insecure code? Is it possible that a DLL is never imported by any file anywhere...but still runs? Or is there some other way in which these DLLs are imported?

I highly doubt everything is dead code. I guess it's possible (as I don't have code) but it's unlikely. So I wanted to check with all the great people here before I conclude.

All the scripts in List A, B and C were written using IDAPython and using the latest IDA Pro version 6.4.

All help is much much appreciated and if you need more info, please let me know.

Thanks
Arvind

Aimless
April 15th, 2013, 20:48
Hello.

1) Delayed Load.

2) Direct import via kernel32 functions (GetProcessXXX, GetModuleXXX, and so on)

3) Undocumented WinAPI Calls (aka ZiXXXXXXX, ZxXXXX and so on)

4) scrambled IAT

5) Import Tree Run (aka, Running the snake)


Among others...
Code:
www.dependencywalker.com
- It's good.

Have Phun

live_dont_exist
April 15th, 2013, 20:59
Quote:
[Originally Posted by Aimless;94545]Hello.

1) Delayed Load.

2) Direct import via kernel32 functions (GetProcessXXX, GetModuleXXX, and so on)

3) Undocumented WinAPI Calls (aka ZiXXXXXXX)

4) scrambled IAT


Among others...
Code:
www.dependencywalker.com
- It's good.

Have Phun


Thnx Aimless. Is there some way to find all this in IDA? I think 2) and 3) should be doable...it's just searching for those function calls. What about delay-loaded DLLs? If I have an IDB file, can I find out what the delay-loaded DLLs are? Or are those only viewable at runtime, when that feature is invoked?

Scrambled IAT...isn't that more a malware technique to prevent an analyst from easily reversing a piece of malware? Here I want to find out which DLL is called by which EXE.

Is there a difference in grabbing imports using IDAPython API from a saved IDB ... and Depwalker? What's the difference?

Thnx
Arvind
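On the question of whether delay-loaded DLLs are visible only at runtime: they are not. The linker records them in the PE header's delay-load data directory (entry 13), so a static pass over the files on disk lists them without IDA or execution. The following is an added example, not code from any poster in this thread: a standard-library Python parser for that directory, plus a constructed minimal PE32+ image used only as test input (the DLL names, section layout and image base are made up for the test).

```python
import struct
DELAY_IMPORT_DIR = 13  # IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: index into the optional header's data directories

def _rva_to_off(rva, sections):  # map an RVA to a file offset via the section table
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def delay_loaded_dlls(data):  # DLL names in the delay-load import directory of a PE file, [] if none
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                            # optional header follows the 20-byte COFF header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ (64-bit) or PE32
    image_base = struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))[0]
    dd = opt + (112 if plus else 96)                         # first IMAGE_DATA_DIRECTORY entry
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]        # NumberOfRvaAndSizes
    dir_rva = struct.unpack_from("<I", data, dd + 8 * DELAY_IMPORT_DIR)[0] if ndirs > DELAY_IMPORT_DIR else 0
    if dir_rva == 0:
        return []
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    names, off = [], _rva_to_off(dir_rva, sections)
    while True:  # IMAGE_DELAYLOAD_DESCRIPTOR array, 32 bytes each, ended by an all-zero entry
        attrs, name_rva = struct.unpack_from("<II", data, off)
        if name_rva == 0:
            return names
        if not attrs & 1:          # Attributes bit 0 clear: legacy descriptor holding VAs, so rebase
            name_rva -= image_base
        name_off = _rva_to_off(name_rva, sections)
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        off += 32

def build_test_image(dll_names, rva_fields=True):  # constructed minimal PE32+ for testing, not a real binary
    sec_rva, sec_raw, base = 0x1000, 0x200, 0x400000   # one section; image base chosen for the test
    table_len = 32 * (len(dll_names) + 1)
    descs, strings, cur = b"", b"", sec_rva + table_len
    for name in dll_names:  # descriptors first, DLL name strings after the terminator
        descs += struct.pack("<8I", int(rva_fields), cur if rva_fields else cur + base, 0, 0, 0, 0, 0, 0)
        strings += name.encode() + b"\0"
        cur += len(name) + 1
    body = descs + b"\0" * 32 + strings
    dirs = [(sec_rva, table_len) if i == DELAY_IMPORT_DIR else (0, 0) for i in range(16)]
    opt = (struct.pack("<H", 0x20B) + b"\0" * 22 + struct.pack("<Q", base) + b"\0" * 76
           + struct.pack("<I", 16) + b"".join(struct.pack("<II", *d) for d in dirs))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sect = b".rdata\0\0" + struct.pack("<IIII", len(body), sec_rva, len(body), sec_raw) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(sec_raw, b"\0") + body
```

On a real file, call `delay_loaded_dlls(open(path, "rb").read())` over each EXE/DLL/SYS and merge the result into List C. DLLs pulled in through LoadLibrary/GetProcAddress (Aimless's point 2) are not in this table and still need the function-call search discussed above.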