WQL Injection

Generally in application security, the user input must be sanitized. When it comes to SQL injection the root cause most of the time is because the input not being sanitized properly. I was curious about Windows Management Instrumentation Query Language – WQL which is the SQL for WMI. Can we abuse WQL if the input is not sanitized?

I wrote a simple application in C++ which gets the service information from the Win32_Service class. It will display members such as Name, ProcessId, PathName, Description, etc.

This is the WQL Query.

SELECT * FROM win32_service where Name='User Input'

As you can see I am using the IWbemServices::ExecQuery method to execute the query and enumerte its members using the IEnumWbemClassObject::Next method. (more…)

Advertisements

Random Compiler Experiments on Arrays

One day a guy asked me how to print a 2d string array in C. So I coded an example for him. But just for curiosity, I examined the assembly code. In C both string[0][1] and *(*string + 1) are the same. But in reality, the compiler writes the assembly code in 2 different ways. If we use string[0][1] it will directly move the value from the stack. When we dereference a pointer *(*string + 1) it will actually dereference the address pointed inside the register. This happens only in the MinGW GCC compiler. I compiled this using the latest on Windows which is 8.2.0-3 by the time I am writing this.

The assembly code in the left is this one.

#include <stdio.h>

int main() {
    char *string[][2] = { 
     {"Osanda","Malith"},
     {"ABC","JKL"},
     {"DEF","MNO"}, 
};

	printf("%s %s\n", string[0][0], string[0][1]);
}

The assembly code on the right is this.

#include <stdio.h>

int main() {
    char *string[][2] = { 
     {"Osanda","Malith"},
     {"ABC","JKL"},
     {"DEF","MNO"}, 
};

	printf("%s %s\n", **string, *(*string + 1));
}

(more…)

IsDebuggerPresent API

I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there and I thought of trying few techniques and understanding them from the lowest level. I thought of sharing the things I’ve been experimenting these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here’s an example code:

/*
 * IsDebuggerPresent Example
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website: https://osandamalith.wordpress.com	
 */

#include <windows.h>

int main() {	
	MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found","Status",0x30);
}

If we open in a debugger “Debugger Found” text will get triggered in the MessageBox API. How this API works? Open the API in the debugger and you get the following piece of code.

MOV EAX,DWORD PTR FS:[18]
MOV EAX,DWORD PTR DS:[EAX+30]
MOVZX EAX,BYTE PTR DS:[EAX+2]

(more…)

Hiding Data Inside Memory Addresses

This is a small finding I found while I was experimenting on pointers in C. Usually in C the arithmetic on pointers depend on the size of the data types. If we initialize a int variable, the compiler will allocate 4 bytes in memory since its 32 bits. I assume you are well aware of these basics in C 🙂 I wanted to store data inside the empty addresses allocated by int data type. This is a bit challenging in a high level programming language. Of course using inline assembly I could have achieved this. But I wanted to achieve this using native C operators.
To understand this let’s begin from a simple approach.

#include <stdio.h>

int main() {
	
	unsigned int var  = 100;
	unsigned int var2 = 200;
	
	printf("%u\n",var);
	printf("%u\n",var2);

}

(more…)