Skip to content

CTF Wiki EN

Hijack Control Flow

mahaloz/ctf-wiki-en

CTF Wiki EN

mahaloz/ctf-wiki-en

Introduction
Introduction
Misc
Misc
- Miscellaneous Introduction
- Information Gathering Method
- Encoding Analysis
  Encoding Analysis
- Forensic and Steganography Prerequisite
- Image Analysis
  Image Analysis
- Audio Steganography
- Traffic Packet Analysis
  Traffic Packet Analysis
  - Introduction to Traffic Packet Analysis
  - PCAP File Repairing
  - Protocol Analysis
    Protocol Analysis
    
    Overview of Protocol Analysis
    
    Wireshark
    
    HTTP
    
    HTTPS
    
    FTP
    
    DNS
    
    WIFI
    
    USB
  - Data Extraction
- Compressed Package Analysis
  Compressed Package Analysis
  - ZIP Format
  - RAR Format
- Disk and Memory Analysis
  Disk and Memory Analysis
  - Introduction
Crypto
Crypto
- Introduction to Cryptography
- Basic Mathematics
  Basic Mathematics
  - Introduction
- Classical Cipher
  Classical Cipher
- Stream Cipher
  Stream Cipher
  - Introduction
  - Pseudo Random Number Generator
    Pseudo Random Number Generator
    
    Introduction
    
    Cryptographic Security Pseudo-random Number Generator
    
    Challenge Examples
  - Linear Congruence Generator
    Linear Congruence Generator
    
    Introduction
    
    Example
  - Feedback Shift Register
    Feedback Shift Register
    
    Introduction
    
    Linear Feedback Shift Register
    
    Nonlinear Feedback Shift Register
  - Special Stream Cipher
    Special Stream Cipher
    
    RC4
- Block Cipher
  Block Cipher
  - Introduction to Block Cipher
  - ARX
  - DES
  - IDEA
  - AES
  - Simon and Speck
  - Group Mode
    Group Mode
    
    Introduction
    
    Padding Methods
    
    ECB
    
    CBC
    
    PCBC
    
    CFB
    
    OFB
    
    CTR
    
    Padding Oracle Attack
- Asymmetric Cryptography
  Asymmetric Cryptography
  - Introduction to Asymmetric Cryptography
  - RSA
    RSA
    
    RSA Introduction
    
    Modulo-related Attacks
    
    Public Key Index Related Attacks
    
    Private Key d Related Attacks
    
    Coppersmith Related Attacks
    
    Chosen Plain Cipher Attack
    
    Side Channel Attack
    
    Bleichenbacher Attack
    
    Challenge Examples
  - Knapsack Cipher
  - Discrete Log Correlation
    Discrete Log Correlation
    
    Discrete Logarithm
    
    Elgamal
    
    ECC
  - Lattice-based Cryptography
    Lattice-based Cryptography
    
    Lattice Overview
    
    Introduction to Lattices
    
    Lattice-based Algorithm
    
    CVP
- Hash Function
  Hash Function
- Digital Signature
  Digital Signature
- Summary of Attack Techniques
  Summary of Attack Techniques
- Certificate Format
Web
Web
Assembly
Assembly
- x86_x64
- mips
- arm
Executable
Executable
- ELF file
  ELF file
- PE file
  PE file
Reverse Engineering
Reverse Engineering
- Reverse Overview
  Reverse Overview
- Linux Reverse
  Linux Reverse
  - Linux Reverse Technology
    Linux Reverse Technology
    
    LD_PRELOAD
    
    Incorrect Disassembly Fix
    
    Detecting Breakpoints Bypassing
    
    Detecting Debugging Bypassing
- Windows Reverse
  Windows Reverse
  - Shelling Technique
    Shelling Technique
    
    Introduction to the Protective case
    
    Single Step Tracking Method
    
    ESP Law
    
    One Step to the OEP Method
    
    Memory Mirroring Method
    
    Last Exception Method
    
    SFX Method
    
    DUMP and IAT Reconstruction
    
    Manually Find the IAT and Rebuild It Using ImportREC
    
    DLL File Unpacking
  - Anti-debugging Technique
    Anti-debugging Technique
    
    NtGlobalFlag
    
    Heap Flags
    
    The Heap
    
    Interrupt 3
    
    IsDebuggerPresent
    
    CheckRemoteDebuggerPresent
    
    NtQueryInformationProcess
    
    ZwSetInformationThread
    
    Flower command
    
    Anti-debug Technical Example
Pwn
Pwn
- Pwn Overview
  Pwn Overview
  - Readme
- Linux Pwn
  Linux Pwn
  - Security Protection Mechanism
    Security Protection Mechanism
    
    Canary
  - Stack Overflow
    Stack Overflow
    
    Stack Introduction
    
    Stack Overflow Principle
    
    Basic ROP
    
    Intermediate ROP
    
    Advanced ROP
    
    ROP Tricks
  - Format String Vulnerability
    Format String Vulnerability
    
    Format String Vulnerability Principle
    
    Format String Exploit
    
    Format String Vulnerability Example
    
    Format String Vulnerability Detection
  - Glibc Heap Related
    Glibc Heap Related
    
    Introduction to Heap
    
    Heap Overview
    
    Heap Related Data Structure
    
    In-depth Explanation of Ptmalloc2
    In-depth Explanation of Ptmalloc2
    
    Implementation
    
    Basic Functions in the heap implementation
    
    Heap Initialization
    
    Allocate Heap Memory
    
    Free Heap Memory
    
    Tcache
    
    malloc_state
    
    Other
    
    Heap Overflow
    
    Heap-based Off-By-One
    
    Chunk Extend/Overlapping
    
    Unlink
    
    Use After Free
    
    Fastbin Attack
    
    Unsorted Bin Attack
    
    Large Bin Attack
    
    Tcache Attack
    
    House of Einherjar
    
    House of Force
    
    House of Lore
    
    House of Orange
    
    House of Rabbit
    
    House of Roman
  - IO_FILE Related
    IO_FILE Related
    
    FILE Structure Description
    
    Forged Vtable to Hijack Control Flow
    
    FSOP
    
    Use of IO_FILE Under Glibc 2.24
  - Race Condition
    Race Condition
    
    Race Condition Introduction
    
    Example
  - Integer Overflow
    Integer Overflow
    
    Introduction to The Principle of Integer Overflow
  - Sandbox Escape
    Sandbox Escape
    
    Python Sandbox Escape
  - Linux Kernel
    Linux Kernel
    
    Environment Setup
    
    Basics
    
    Kernel-UAF
    
    Kernel-ROP
    
    ret2usr
    
    bypass-smep
    
    Double Fetch
  - arm-pwn
    arm-pwn
    
    Environment Setup
    
    arm-rop
  - Summary
    Summary
    
    Address Leaking
    
    Hijack Control Flow Hijack Control Flow
    Table of contents
    
    Direct control EIP
    
    return address
    
    Jump pointer
    
    function pointer
    
    Modify control flow related variables
    
    Get Shell
- Windows Pwn
  Windows Pwn
  - Overview
  - Stack Overflow
    Stack Overflow
    
    Stack Introduction
    
    Stack Overflow Basics
    
    shellcode-in-stack
Android
Android
- Android Development Basics
- Android Application Operating Mechanism Brief
  Android Application Operating Mechanism Brief
  - Basics
  - The Operating Mechanism of the Java Layer in Android
    The Operating Mechanism of the Java Layer in Android
    
    Andriod Native
    
    Smali Introduction
    
    Dex and ODEX
    Dex and ODEX
    
    DEX
    
    ODEX
  - Android Native Layer Introduction
    Android Native Layer Introduction
    
    Android Shared Object
  - Android Reverse Basic Introduction
    Android Reverse Basic Introduction
    
    Brief Overview
    
    Android Key Part Location
    
    Android Simple Static Analysis
    Android Simple Static Analysis
    
    Android Java Layer Static Analysis
    
    Android Native Layer Static Analysis
    
    Android Static Analysis Hybrid Example
    
    Android Simple Dynamic Analysis
    Android Simple Dynamic Analysis
    
    Dynamic Debugging
    
    Android Dynamic Debugging SO
ICS
ICS

Control program execution flow¶

In the process of controlling the execution flow of the program, we can consider the following ways.

Direct control EIP¶

return address¶

That is, control the return address on the program stack.

Jump pointer¶

Here we can consider the following way

call
jmp

function pointer¶

Common function pointers have

vtable, function table，如 IO_FILE 的 vtable，printf function table。
hook pointers, such as malloc_hook, free_hook.
acting

本页面的全部内容在 CC BY-NC-SA 4.0 协议之条款下提供，附加条款亦可能应用。

Comments