# [2024] Blue-team tool Door-scanner update: stack spoofing detection

huoji · Blue team · 2024-06-21

Added a shadow stack walk (100% detection of all kinds of stack spoofing and "stack encryption", plus detection of ROP exploitation techniques).

The shadow stack walk requires a CPU that supports CET and an operating system with the CET mechanism enabled. Most Intel CPUs need CET turned on in the BIOS; AMD CPUs enable it by default.

Repository: https://github.com/RoomaSec/RmTools

### About CET:

### CET Base Stack Walk

In the ever-evolving landscape of cybersecurity, the introduction of Control-flow Enforcement Technology (CET) marks a significant stride towards safeguarding software integrity. This article delves into the CET Base Stack Walk, unraveling its mechanisms and principles and how it compares with traditional stack unwinding methods. We'll also explore some code snippets to illustrate its practical application.

### Introduction to CET

Control-flow Enforcement Technology (CET) is Intel's answer to the increasing complexity and sophistication of modern cyber threats. At its core, CET aims to prevent common attack techniques such as Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) by enforcing the control-flow integrity of programs.

### Understanding the CET Mechanism

#### Shadow Stack

The cornerstone of CET is the Shadow Stack. Unlike the traditional stack, which is prone to tampering, the Shadow Stack is a separate, hardware-protected stack that keeps a copy of every return address pushed by a call. On each return the two copies are compared, so any deviation between the two stacks signals a potential attack and allows immediate intervention.

#### Indirect Branch Tracking

Another critical component of CET is Indirect Branch Tracking (IBT). This mechanism ensures that indirect calls and jumps land only on valid targets, significantly mitigating the risk of control-flow hijacking. By verifying the legitimacy of these branches, IBT strengthens the overall security posture of the application.

#### Principles of CET Base Stack Walk

The CET Base Stack Walk leverages the Shadow Stack to perform reliable stack unwinding.
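As an added illustration (not code from Door-scanner or RmTools), the following C model simulates the principle behind the walk: a writable program stack, a shadow stack that only the modelled CALL/RET may write, and a scanner-style walk that compares both chains from the innermost frame outward and reports the first diverging frame. All addresses and the tampered frame are constructed values; on real hardware CET performs the return-address comparison itself and raises a control-protection fault.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_DEPTH 64

/* Modelled CPU: a writable program stack (what stack spoofing and ROP alter)
 * and a shadow stack that only CALL/RET in this model may write. */
typedef struct {
    uintptr_t prog[MAX_DEPTH];   size_t prog_depth;
    uintptr_t shadow[MAX_DEPTH]; size_t shadow_depth;
} cpu_model_t;

/* CALL: the return address lands on both stacks. Returns 0, or -1 when full. */
static int model_call(cpu_model_t *cpu, uintptr_t ret_addr) {
    if (cpu->prog_depth >= MAX_DEPTH) return -1;
    cpu->prog[cpu->prog_depth++] = ret_addr;
    cpu->shadow[cpu->shadow_depth++] = ret_addr;
    return 0;
}

/* RET under CET: pop both, compare. Returns 0 normally, 1 on a mismatch
 * (the hardware would raise a control-protection fault here), -1 if empty. */
static int model_ret(cpu_model_t *cpu) {
    if (cpu->prog_depth == 0 || cpu->shadow_depth == 0) return -1;
    uintptr_t a = cpu->prog[--cpu->prog_depth];
    uintptr_t b = cpu->shadow[--cpu->shadow_depth];
    return a != b;
}

/* Scanner-style walk: compare both chains from the innermost frame outward.
 * Returns -1 when consistent, else the 0-based index (innermost = 0) of the
 * first diverging frame; a depth mismatch is reported where a chain ends. */
static int shadow_stack_walk(const cpu_model_t *cpu) {
    size_t n = cpu->prog_depth, m = cpu->shadow_depth;
    size_t common = n < m ? n : m;
    for (size_t i = 0; i < common; i++)
        if (cpu->prog[n - 1 - i] != cpu->shadow[m - 1 - i]) return (int)i;
    return n == m ? -1 : (int)common;
}

/* Demo: three nested calls (constructed addresses), then the middle frame's return
 * address is rewritten on the program stack only, as a spoofed frame would be. */
static int demo_spoof_detected(void) {
    cpu_model_t cpu = {0};
    model_call(&cpu, 0x401000); model_call(&cpu, 0x402000); model_call(&cpu, 0x403000);
    if (shadow_stack_walk(&cpu) != -1) return -2;  /* a clean chain must agree */
    cpu.prog[1] = 0x7ff00000;  /* constructed tampering of an outer frame */
    return shadow_stack_walk(&cpu);  /* 1: frame 1 from the innermost diverges */
}
int main(void) { printf("divergence at frame %d\n", demo_spoof_detected()); return 0; }
```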
The walk traverses the stack frames to retrieve the call chain while checking that the control flow has not been compromised. The integrity of the Shadow Stack is paramount here, because it provides a trusted source of return addresses against which the conventional stack can be checked.

### Traditional Stack Unwinding vs. CET Base Stack Walk

#### Efficiency and Security

Traditional stack unwinding relies on the conventional stack, which an attacker can manipulate to divert the control flow. The method is inherently less secure because of its susceptibility to stack-smashing attacks. In contrast, the CET Base Stack Walk uses the Shadow Stack, offering a tamper-proof alternative that significantly enhances security.

#### Performance Overhead

While CET introduces additional overhead to maintain the Shadow Stack and IBT, the performance impact is minimal compared to the security benefits. Modern processors are equipped to handle these operations efficiently, so the performance trade-off is justified.

This article was written by huoji and is released under the Creative Commons Attribution 3.0 license: it may be freely reproduced and quoted, provided the author is credited and the source of the article is indicated.