Build and use PCRE in windows

Building PCRE(older version) source code in windows environment is quite easy with CMake build system. Once you checkout the code from their SVN server using following command:
    svn co svn:// pcre

Install the CMake build system and issue the following command from the “pcre” folder to build the visual studio project/solution files.
    cmake.exe .

Open the PCRE.sln file in visual studio and start compiling “pcre” project. It will create
a PCRE STATIC library file for linking it with other projects.


I used sample source code from this StackOverflow link. Created an empty visual studio project and added this code and compiled it. Initially i faced with the linking error and it can be fixed with added a #define for PCRE_STATIC.

You need to define it before including pcre.h file.
    #define PCRE_STATIC 1
    #include <string>
    #include <iostream>
    #include “pcre.h”

You need to include either pcred.lib or pcre.lib for building the final binary.

Posted in Regex, Windows, Windows VC++ | Tagged , , | 1 Comment

Compile avmplus in windows

In this post, i like to document the process and changes needed to build the avmplus in windows environment. Though Adobe provided the solution file, it didn’t work in the first try.

If you understand the vcproj file format, its all about adding few more CPP files in the project/solution and compile it. Here are the list of changes you need to make to this code base to compile it in windows environment.

diff –git a/core/Isolate.cpp b/core/Isolate.cpp
index fe88b87..1ae6e10 100644
— a/core/Isolate.cpp
+++ b/core/Isolate.cpp
@@ -6,7 +6,8 @@
#include “avmplus.h”
-#include “FixedHeapUtils.cpp”
+//#include “FixedHeapUtils.cpp”
+#include “FixedHeapUtils.h”
#include “Channels.cpp”
#include “VMThread.h”
diff –git a/platform/win32/avm2010.vcxproj b/platform/win32/avm2010.vcxproj
index 178927d..de10e4a 100644
— a/platform/win32/avm2010.vcxproj
+++ b/platform/win32/avm2010.vcxproj
@@ -47,11 +47,14 @@
     <ClCompile Include=”..\..\core\ArrayObject.cpp” />
     <ClCompile Include=”..\..\core\atom.cpp” />
     <ClCompile Include=”..\..\core\AvmSerializer.cpp” />
+    <ClCompile Include=”..\..\core\ConcurrencyGlue.cpp” />
     <ClCompile Include=”..\..\core\d2a.cpp” />
     <ClCompile Include=”..\..\core\DictionaryGlue.cpp” />
+    <ClCompile Include=”..\..\core\FixedHeapUtils.cpp” />
     <ClCompile Include=”..\..\core\Float4Class.cpp” />
     <ClCompile Include=”..\..\core\FloatClass.cpp” />
     <ClCompile Include=”..\..\core\InvokerCompiler.cpp” />
+    <ClCompile Include=”..\..\core\Isolate.cpp” />
     <ClCompile Include=”..\..\core\JSONClass.cpp” />
     <ClCompile Include=”..\..\core\ObjectIO.cpp” />
     <ClCompile Include=”..\..\core\ProxyGlue.cpp” />
@@ -242,6 +245,11 @@
     <ClCompile Include=”..\..\nanojit\NativeX64.cpp” />
     <ClCompile Include=”..\..\nanojit\njconfig.cpp” />
     <ClCompile Include=”..\..\nanojit\RegAlloc.cpp” />
+    <ClCompile Include=”..\..\other-licenses\lzma\Alloc.c” />
+    <ClCompile Include=”..\..\other-licenses\lzma\LzFind.c” />
+    <ClCompile Include=”..\..\other-licenses\lzma\LzmaDec.c” />
+    <ClCompile Include=”..\..\other-licenses\lzma\LzmaEnc.c” />
+    <ClCompile Include=”..\..\other-licenses\lzma\LzmaLib.c” />
     <ClCompile Include=”..\..\other-licenses\zlib\adler32.c” />
     <ClCompile Include=”..\..\other-licenses\zlib\compress.c” />
     <ClCompile Include=”..\..\other-licenses\zlib\crc32.c” />
@@ -318,6 +326,8 @@
     <ClCompile Include=”..\..\shell\FileClass.cpp” />
     <ClCompile Include=”..\..\shell\FileInputStream.cpp” />
     <ClCompile Include=”..\..\shell\ShellCore.cpp” />
+    <ClCompile Include=”..\..\shell\ShellWorkerDomainGlue.cpp” />
+    <ClCompile Include=”..\..\shell\ShellWorkerGlue.cpp” />
     <ClCompile Include=”..\..\shell\swf.cpp” />
     <ClCompile Include=”..\..\shell\SystemClass.cpp” />
     <ClCompile Include=”..\..\shell\WinFile.cpp” />
diff –git a/platform/win32/avm2010.vcxproj.filters b/platform/win32/avm2010.vcxproj.filters
index 54034dd..515d148 100644
— a/platform/win32/avm2010.vcxproj.filters
+++ b/platform/win32/avm2010.vcxproj.filters
@@ -671,6 +671,26 @@
     <ClCompile Include=”..\..\core\ObjectIO.cpp”>
+    <ClCompile Include=”..\..\core\FixedHeapUtils.cpp”>
+      <Filter>core</Filter>
+    </ClCompile>
+    <ClCompile Include=”..\..\core\ConcurrencyGlue.cpp”>
+      <Filter>core</Filter>
+    </ClCompile>
+    <ClCompile Include=”..\..\core\Isolate.cpp”>
+      <Filter>core</Filter>
+    </ClCompile>
+    <ClCompile Include=”..\..\other-licenses\lzma\LzmaLib.c” />
+    <ClCompile Include=”..\..\other-licenses\lzma\Alloc.c” />
+    <ClCompile Include=”..\..\other-licenses\lzma\LzmaEnc.c” />
+    <ClCompile Include=”..\..\other-licenses\lzma\LzFind.c” />
+    <ClCompile Include=”..\..\other-licenses\lzma\LzmaDec.c” />
+    <ClCompile Include=”..\..\shell\ShellWorkerGlue.cpp”>
+      <Filter>shell</Filter>
+    </ClCompile>
+    <ClCompile Include=”..\..\shell\ShellWorkerDomainGlue.cpp”>
+      <Filter>shell</Filter>
+    </ClCompile>
     <ClInclude Include=”..\..\core\AbcEnv.h”>

Posted in C/C++, Flash | Tagged , , , | 2 Comments

Defeat initial packers used in flash exploits using Sulo

Using Sulo it is quite easy to defeat the initial packers used in the recent flash exploits. All we need is setting up one VM environment as i mentioned in my previous blog and in Sulo Github page. Once you setup the environment it is just a process of drag & drop. We don’t need to worry about the technique(s) used in the packers. I mean packer means, most of the SWF exploits use Loader.loadBytes() to load the decrypted/decoded second stage SWF exploit file.

For example, i am going to show you how to dump the second stage flash exploit file using the sample (f5458eb4b0d7c18519bbf5fd92437485bff31f9abc6870beb4e8dc327cd24192).

The initial SWF file is decrypting/decoding a second stage SWF file(original exploit) and load it using Loader.loadBytes() as shown in this picture. It will take few hours to analyze it but with Sulo it is quite easy.


We need to start the sulo using “-fast” mode and drag & drop the flash file into IE. Within few seconds you will get the second stage.


Once you allowed IE load the initial flash file, Sulo will dump the second stage flash in the desktop. You can start analyzing the second stage flash file without worrying about the packer. Most interestingly you can use any version of flash Sulo supports.


Posted in Exploit, Exploit Kit, Flash Exploit Analysis | Tagged , , | 8 Comments

Use Sulo to analyze Flash Exploit files

In this blog post, i have decided to blog about my experience in using Sulo for analyzing flash exploit. I have played with Sulo for quite sometime now extending it to newer version of flash and used it to analyze few flash exploit(s).

Though Timo has good documentation in the Sulo Github, still i have decided to paste few command(s) here. At least for me whatever in Github documentation is not quite clear.

All traces:
pin.exe -t source\tools\sulo\Debug\sulo.dll — “C:\path\to\Adobe\Flash\Player.exe”

Fast Mode: (no JITed function detailes printed)
pin.exe -t source\tools\sulo\Debug\sulo.dll -logfile “C:\pintool.log” -fast — “C:\path\to\Adobe\Flash\Player.exe”

Decrypt SecureSWF obfuscated strings:
pin.exe -t source\tools\sulo\Debug\sulo.dll -logfile “C:\pintool.log” -secureswf “functionname” — “C:\path\to\Adobe\Flash\Player.exe”

We need to use the Sulo with a Single-process IE browser. Pin has some issue
in injecting the Dll into the multi-process IE browser. In the newer version of IE,
you can disable the multi-process IE browser mode using this registry key.
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN
      TabProcGrowth: DWORD(32-bit) to 0

By default, Sulo will work with few specific set of flash version(s). If you want to use Sulo with other/newer flash versions/builds then you need to add few configurations in the FlashPlayerConfigBuilder.cpp file. You need to dig into the flash binary and find those offsets. That is the first tedious process in using Sulo. Thanks to Timo, he provided offsets for few of the flash versions/builds. Trick is, you need to first use “Debug” flash binary to find the offsets and “map” it later to the “release” flash binary.

Once you loaded Sulo inside flash/IE, by default it will produce lot of logs/traces. Sometimes it grows upto 3GB. The second problem we need to tackle with Sulo is, flash player will stop processing the scripts after 60 seconds. We need to fix this in flash binary. Without that it is really hard to analyze any new flash exploits using Sulo because the amount of information Sulo emits is so large(because of heap spraying) and the flash player stop processing scripts after 60 seconds. For quick analysis of flash exploits, use “-fast” mode. With “-fast” mode, it will dump any second stage flash objects and continue executing until the end. You will not get any “traces” in the “-fast” mode.

Sulo has some interesting features to work with SecureSWF obfuscated flash files. SecureSWF uses a function to decrypt the strings inside flash. First we need to run Sulo without “-secureswf” option and find the decryption function manually and pass that function name to the “-secureswf” option in the later runs. Once we pass the right SecureSWF decryption function, Sulo will start outputting decrypted strings.

Sulo outputs only functions that are JIT’ed. Few of the basic operations of the ActionScript VM are not executed using JIT’ed functions. So during our analysis using Sulo, we may miss some interesting information’s.

Thanks to Timo for releasing such a wonderful tool.

Posted in Exploit, Exploit Kit, Flash Exploit Analysis | Tagged , , | 8 Comments

Angler EK update

Recent Angler EK uses following keys to decrypt the encrypted binaries.

unsigned int keys[4]= {0x39525143, 0x75487832, 0x57645730, 0x79356332}; // IE exploit
unsigned int keys[4]= {0x47763879, 0x33767545, 0x66706F58, 0x65443372}; // flash exploit (CVE-2015-0311)

Posted in Exploit, Exploit Kit | Tagged , , | Leave a comment

Injecting code into .Net processes in WinXP

When we inject a piece of code into newly created suspended .Net process using CreateRemoteThread() technique, we will face a crash issue. The reason behind is, the .net framework will try to control the first running thread in the process and load the .net framework in order to run the .net process. We will see some surprise crashes when .net process took control of our injected thread. This is clearly explained in this thread.

ChristophHusse wrote Mar 6, 2009 at 8:48 AM

The problem is that NET seems to “adapt” the first running thread in a process. So if we start a suspended process, all things go as usual. But the moment when the remote thread is created, instead of executing the target invokation stub, NET seems to hijack this thread for its own purposes. Very funning thing ;-). I will now try to compensate this with another thread.

ChristophHusse wrote Mar 7, 2009 at 11:36 AM


It wasn’t that easy but after some debugging I found out that NET is hijacking
the first active thread in a process. And since CreateAndInject() is meant to
execute EasyHook in first place, NET hijacks the thread intended to run EasyHook.
So EasyHook is never executed and the host waits until the target terminates.
Then I tried to start another thread but the same problem occurred. It does not
matter how many suspended threads you create and which one you start, the first
active thread will always run the process instead of EasyHook!


The solution to solve this is, use usermode APC. You can queue an usermode APC using QueueUserAPC(). In this way, your code will execute before the control is passed to the “takeover” code.

Posted in .Net, Windows, Windows VC++ | Tagged , , , | Leave a comment

Angler EK Update

New keys used in Angler EK in recent days. You can use these keys to decrypt the binaries downloaded by various vulnerabilities.

unsigned int IE_keys[4]   = {0x4A397544, 0x6B67424F, 0x477A6662, 0x46466D76};    // IE vuln
unsigned int Sil_keys[4]  = {0x73556246, 0x344D4A63, 0x4147736E, 0x59664365};     // silverlight vuln
unsigned int flash_keys[4]= {0x64306C7A, 0x306D4761, 0x736B5443, 0x696F5345};  // flash vuln

Posted in Exploit Kit | Tagged , , | Leave a comment