Monday, December 28, 2009

pvefindaddr - ImmDbg plugin exposes attack surface

I've been interested in both the attacks and the defenses involving memory corruption bugs for some time, as they are a staple of modern computer security concerns. Microsoft's protection schemes continue to improve, and from a defender's perspective I like to see third-party vendors adopt the same protection techniques. I also like to know when vendors have not, so that extra awareness and attack surface reduction can be put into play.

Tonight I received a tweet from @Corelanc0d3r, who has done some nice research into a variety of IT and IT-security-related matters, including exploitation techniques. His tweet:

released v1.7 of pvefindaddr ImmDbg plugin (

You can read his link for further information about this Immunity Debugger plugin, which does a good deal of time-saving enumeration.

Dropping his script into my C:\Program Files\Immunity Inc\Immunity Debugger\PyScripts folder on a Vista box, I took note of all the functionality, but especially of the ability to enumerate modules in running processes that lack ASLR and SafeSEH, with the following command:

!pvefindaddr nosafesehaslr

Since client-side security bugs are a critical entryway, the list of such modules (well, a very limited list based on samples from one particular install) may be of interest to those who wish to reduce or eliminate such code to run hardened systems, and to penetration testers or security researchers. Software vendors may also want to take note (not that any are actually reading, as far as I know) and consider re-architecting and recompiling with /DYNAMICBASE and /SAFESEH when possible. Anyone running the plugin or an equivalent can obtain the same information, but this might save someone some time and stimulate further ideas for research.
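As an added example (not the plugin's code, and not from the post): a small stand-alone Python script that performs the same two checks on a PE32 image buffer, reading the DllCharacteristics flags for /DYNAMICBASE and the load config directory for the /SAFESEH handler table. The constants are the public PE/COFF values; the sample images it audits are constructed inside the script (headers only, no sections), and the function and module names are my own.

```python
# Stand-alone PE32 audit for ASLR opt-in (/DYNAMICBASE) and SafeSEH (/SAFESEH).
import struct

# IMAGE_DLLCHARACTERISTICS_* and IMAGE_FILE_* flags from the PE/COFF spec
DYNAMIC_BASE = 0x0040      # image may be rebased at load time (ASLR opt-in)
NX_COMPAT = 0x0100         # DEP-compatible (not checked here, shown for context)
NO_SEH = 0x0400            # image registers no SEH handlers; loader dispatches none from it
RELOCS_STRIPPED = 0x0001   # COFF flag: no .reloc, so the image cannot be rebased
LOAD_CONFIG_INDEX = 10     # data directory slot of IMAGE_LOAD_CONFIG_DIRECTORY
PE32_MAGIC = 0x10B


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; RVAs inside the
    headers (or an image already mapped in memory) map to themselves."""
    for va, vsize, raw in sections:
        if va <= rva < va + vsize:
            return rva - va + raw
    return rva


def audit_pe32(image):
    """Return {'aslr': bool, 'safeseh': bool} for a PE32 image buffer."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size, coff_chars = struct.unpack_from("<HH", image, pe + 20)
    opt = pe + 24                          # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images handled")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40      # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, _rawsize, raw = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, vsize, raw))

    # ASLR needs both the /DYNAMICBASE flag and relocations to rebase with.
    aslr = bool(dll_chars & DYNAMIC_BASE) and not (coff_chars & RELOCS_STRIPPED)

    # SafeSEH: either the image declares it uses no SEH at all, or its load
    # config directory carries a handler table (SEHandlerTable at +0x40).
    safeseh = bool(dll_chars & NO_SEH)
    lc_rva, lc_size = struct.unpack_from("<II", image, opt + 96 + 8 * LOAD_CONFIG_INDEX)
    if not safeseh and lc_rva and lc_size:
        lc = _rva_to_offset(lc_rva, sections)
        cfg_size = struct.unpack_from("<I", image, lc)[0]
        if cfg_size >= 0x48:               # struct large enough to contain SEHandlerCount
            table, _count = struct.unpack_from("<II", image, lc + 0x40)
            safeseh = table != 0           # non-zero table (even with count 0) marks /SAFESEH
    return {"aslr": aslr, "safeseh": safeseh}


def report_line(name, base, image):
    """Format a result in the same spirit as the plugin's output line."""
    r = audit_pe32(image)
    flags = ["ASLR" if r["aslr"] else "No ASLR", "Safeseh" if r["safeseh"] else "No Safeseh"]
    return "[+] 0x%08x : %s (*** %s ***)" % (base, name, ", ".join(flags))


def build_sample(dll_chars, coff_chars=0x2102, safeseh_table=False):
    """Constructed, headers-only PE32 image (no sections) with a load config
    directory appended right after the optional header. Sample data only."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, coff_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x10000000)     # ImageBase
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    lc_rva = pe_off + 4 + 20 + 224                  # load config sits right after the headers
    lc = bytearray(0x48)
    struct.pack_into("<I", lc, 0, 0x48)             # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
    if safeseh_table:
        struct.pack_into("<II", lc, 0x40, 0x10000000 + lc_rva + 0x48, 1)  # SEHandlerTable, Count
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX, lc_rva, 0x48)
    return bytes(dos + b"PE\0\0" + coff + bytes(opt) + bytes(lc))


# Constructed samples standing in for the kinds of modules listed in the post.
SAMPLES = {
    "legacy.dll": build_sample(0),                                  # no mitigations
    "hardened.dll": build_sample(DYNAMIC_BASE | NX_COMPAT, safeseh_table=True),
    "noseh.dll": build_sample(DYNAMIC_BASE | NO_SEH),               # no SEH used at all
    "stripped.dll": build_sample(DYNAMIC_BASE, coff_chars=0x2103),  # flag set but .reloc stripped
}

if __name__ == "__main__":
    for name, img in SAMPLES.items():
        print(report_line(name, 0x10000000, img))
```

Running it prints one line per constructed sample. audit_pe32 accepts any PE32 buffer: for an on-disk file pass the file contents, and the section table is used to map the load config RVA to a file offset; for an image read out of a debugged process the RVA is already the offset. A PE32+ (64-bit) image has a wider optional header layout and is rejected rather than misread.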

HP DeskJet printer software bundle DLL:

 Message=*[+] 0x003d0000 - 0x003db000 : hpzipr12.dll (*** No ASLR, No Safeseh ***)

# I've been concerned about the HP DeskJet printer software bundle for some time. The first clue was that installing this software to make a home printer work actually replaced patched versions of specific code with unpatched, vulnerable versions. On an XP box, Windows/Microsoft Update did not catch the issue; on a Vista box, Windows/Microsoft Update did notice and corrected the problem. The Secunia Personal Software Inspector (PSI) notified me pretty quickly that some critical files had regressed. Having seen that happen before, I wasn't terribly surprised to see that this DLL was not taking advantage of the newer protection techniques. Of course, the actual attack surface varies with the system's usage profile, etc.

Cisco VPN client:
 Message=*[+] 0x00400000 - 0x0057a000 : cvpnd.exe (*** No ASLR, No Safeseh ***)
 Message=*[+] 0x10000000 - 0x1002f000 : vpnapi.dll (*** No ASLR, No Safeseh ***)

# Communication with another security researcher (who is a lot smarter and more experienced than myself) indicated that all the pre-auth memory corruption issues in this particular client had likely been weeded out. However, we did not discuss these images being leveraged in a different part of the attack lifecycle.

Google Chrome DLL:
 Message=*[+] 0x4ad00000 - 0x4b50b000 : icudt38.dll (*** No ASLR, No Safeseh ***)

 Message=*[+] 0x05570000 - 0x05702000 : GPGee.dll (*** No ASLR, No Safeseh ***)

 Message=*[+] 0x04fe0000 - 0x05167000 : PKArchive87U.dll (*** No ASLR, No Safeseh ***)

 Message=*[+] 0x03210000 - 0x0323e000 : rarext.dll (*** No ASLR, No Safeseh ***)

Malwarebytes Anti-Malware:
 Message=*[+] 0x031f0000 - 0x03202000 : mbamext.dll (*** No ASLR, No Safeseh ***)

010 Hex editor:
 Message=*[+] 0x036f0000 - 0x03700000 : shlext010.dll (*** No ASLR, No Safeseh ***)

FileZilla shell extension:
 Message=*[+] 0x67080000 - 0x6709c000 : fzshellext.dll (*** No ASLR, No Safeseh ***)

 Message=*[+] 0x00400000 - 0x00586000 : TrueCrypt.exe (*** No ASLR, No Safeseh ***)

Found by attaching to VMAuthdService:
 *[+] 0x00160000 - 0x0024e000 : libxml2.dll (*** No ASLR, No Safeseh ***)
 *[+] 0x10000000 - 0x1006a000 : vmcryptolib.DLL (*** No ASLR, No Safeseh ***)
 *[+] 0x00b20000 - 0x00bf9000 : iconv.dll (*** No ASLR, No Safeseh ***)

Again, nothing earth-shattering here, but an interesting survey of some commonly deployed apps. With exploitation techniques advancing constantly, it may be wise to audit your own apps in a similar way and reach for the uninstaller.

Kudos to Corelanc0d3r for his plugin, for the discussions we had about it, and for his code tweak to scan all process memory instead of just the currently loaded/attached process.

