One of the most important design in Symbian is the well-known server/client framework. As the server and client are in different process spaces, hacking the server is generally difficult to achieve by means of normal application. But another important framework provided by Symbian give us a chance, the Plug-in framework, which is also merged into the ECOM framework in newer Symbian OS.
Take the Open Font System interface for example, any OFS plug-in installed in Symbian is actually loaded by Font and Bitmap Server at system start-up. Thus they are running just in the same process space of Font and Bitmap Server. So if you want to hack the server, you should first find the right key - the corresponding plug-in interface of that server. Not all servers have a plug-in interface, but the plug-in mechanism is so popular and you can find it in most of the common servers.
After breaking the door of server, we could still see nothing in the dark room. What we need now is a lamp, which can help us find the right things. Fortunately there is a lamp that could even light up all the corners of server heap. But how could you imagine such a powerful tool was even forgotten by people and only be treated as a part of the ordinary debug kit? OK, no more superfluous words, let me introduce the amazing lamp - class THeapWalk. It will walk through all the cells in the specified heap, and pass each one to the virtual function. We just need to identify each given cell and find out the cookie. As a restriction in Symbian, RTTI is not supported (in pre Symbian 9, and also not recommended in Symbian 9), but we could still simulate the typeid() for all CBase derived classes by extracting the pointer of virtual function table.
Some more words here, the address of allocated cells in heap are not the address of corresponding objects. Actually there is a small piece of cell header which keeps the information of cell length and pointer to next cell, in the beginning of each heap cell. The real object resides just behind its cell header.
Tip: For compatible reason, never assume that the length of cell header to be sizeof(RHeap::SCell), use a live constructed object and RHeap::GetAddress() to figure out.
Now, let's do a small wrap and help our Cinderella wear her glass slippers. (:
class THeapSearch : private THeapWalk
{
public :
THeapSearch(RHeap& aHeap);
TInt Search(CBase & aRefObject);
inline CBase * FirstResult() { return iObjectFound; }
// Override this function to deal with each object found.
virtual void DealL(CBase * /*aObject*/) {}
private:
void Info(TCellType aType,TAny *aBase,TInt aLength);
RHeap & iHeap; // The heap to search object in.
CBase * iObjectFound; // Object found (NULL if not found)
CBase * iRefObject; // Reference object
TInt iCellLengthExpected; // Expected length of cell
TInt iCellHeaderLength; // Length of cell header in current build
TInt iTypeId; // Address of virtual function table
};
Detailed implementation is omited and can be found in attachment.
Finally, we have all the essential bases ready for an exciting Server Heap Tour, and I will demonstrate the process by hacking our innocent CFontStore object of Font and Bitmap Server to change the default font render effect to enjoyable Anti-Aliased (Only available on Symbian 7 and later, because Symbian 6 has no anti-aliased bitmap type support.)
CFontStore * font_store = NULL, * ref = CFontStore::NewL(& User::Heap());
THeapSearch heap_search(User::Heap());
if (1 == heap_search.Search(* ref))
{
font_store = reinterpret_cast<CFontStore *>(heap_search.FirstResult());
if (font_store)
font_store->SetDefaultBitmapType(EAntiAliasedGlyphBitmap);
}
delete ref;
Sorry, attachment link is missing:
http://www.newlc.com/files/HeapSearch.txt
Hi,
First, I wonder how this solution work when most developers have no access to THeapWalk class.
Second, if I were the designer of a program offering a plug-in API (i.e. one that accepts plug-ins), I would make it so that some (not necessarily strong) capabilities would be required for plug-ins in order for them to attach to my process. Any capabilities would do, but of course, the more sensitive the data they can access the stronger capabilities would be required. And the stronger capability is required the more likely that your program will have to be officially undergo some testing. And even if your plug-in undergoes testing and does damage later on, you're still accountable. Of course, I'm not sure (as I can't be) if Font & Bitmap server has been designed this way, but I would be surprised if not.
So finally my question is if it's worth analyzing a process' heap? What can you do once you have the information you were looking for?
Tote
---
Gábor Török
Software architect, Agil Eight
http://www.agileight.com
Hi, Tote
This is an approved solution, and I've been using it in my freeware project "FontRouter" for quite a long time. It's available even in Symbian 9 which is considered to be the most secure Symbian OS ever.
Surely all server side ECOM plug-in in Symbian 9 need the "PROTSERV" capability, but this capability does no classification on access level to the server resources. As we all know, the common heap is open to all the threads within a process, so there's no more control that could be applied to a plug-in other than "PROTSERV" as a whole. Of course, "PROTSERV" capability is one of the must-sign capabilities, so official signing process is needed if you want to publish a server-side plug-in.
About your final question, I'm sure my freeware project "FontRouter" is a good example. It handles all the system font request, and forward it to more than one pre-defined fonts for different charsets, as you configurated. It's a perfect solution for reading an information mixed up with more than one languages on Symbian. (:
FontRouter is only available to Chinese users at present, and I'm now working on expanding it to an international version. I'm sure you can meet it soon.
Hi again,
Although I had concerns if your solution really worked, I now accept that it does. Why not?
However, my main concern was more general than solely limited to Font & Bitmap server's plug-in API (since the title of your article is more general than that). First off, I still can't see how anyone can implement their own solution when THeapWalk class is not available in the public SDK. For example, how could you do it?
Then based on what you wrote each developer of such a program that exposes public plug-in API should consider that the client of their API is a potential malware wanting to hack the main process' heap. And for that reason, they must apply strict policy on how those plug-ins can attach to the process. For example, by requiring that plug-ins hold ProtServ capability - or even more.
Tote
----
Gábor Török
Software architect, Agil Eight
http://www.agileight.com
Hi, Tote
Maybe you are looking into the SDK of Symbian 9. THeapWalk is a public API in pre-Symbian 9 SDKs. And even though this API is stripped away since version 9, you can still get a simulation of THeapWalk from my blog: (As I mentioned in the footer of the tutorial)
http://blog.oasisfeng.com/2007/02/23/theapwalk-for-symbian9/
(This blog post is written in Chinese, however the code snippet is still English.
I think the potential malware plug-in is not just a problem of Symbian, it also exists in most common OSes including Linux and Windows. So that'll be necessary if you want to build up a secure plug-in interface.
Hi there,
I AM looking at Symbian OS v9 SDK, indeed. THeapWalk class is not available at all. I don't dare to ask where did you get the source of THeapWalk class from. :-|
However, the main question still remains: why is it worth for anyone to hack the host process' heap?
Tote
Gábor Török
Software architect, Agil Eight
http://www.agileight.com
Hacking can be done for different reasons, the most common one being curiosity, I believe. In this particular case, the point of accessing the heap is that you can change the behaviour of the hacked program, as you have both read and write access to the heap. As for loading plugins, I don't remember the details of how capabilities and plugins interact, but I'd guess you could use it for privilege escalation, ie. use API:s that requires capabilities that you don't have, but that the server has (only applicable to SymbianOS >=9, of course).
http://ptrmobile.blogspot.com/
That's right! That's what I concluded, too: it's for hacking! May I dare to ask: is it the right forum to discuss about hacking? Although personally I'm also interested in the technical challenges of making use of a component's unpublished services, internal data structures, etc., BUT:
- I will never make use of it, just keep it in mind as examples, patterns to be avoided in my programs ==> i.e. learn from bad examples,
- I will never publish it to others so that everybody can exploit it.
Tote
---
Gábor Török
Software architect, Agil Eight
http://www.agileight.com
The word "hacking" seems to have very negative connotations to lots of people. It can be used for different things, eg. to get the system to do stuff that it wasn't supposed to do. Using undocumented/unsupported features might be poor development practice, but it really depends on what you're doing and what the user base wants.
Whether techniques that can be used for creating malware should be published is an interesting topic, which has been discussed to an absurt extent among security people during the last couple of decades. If you believe that you've found an exploitable security hole, I believe it's a good idea to inform the vendor before going public, but I do believe in publishing the information. I don't believe it's a good idea to put the lid on everything that might be used for malevolent purposes, because most system level knowledge lives in a grey zone.
/puterman
http://ptrmobile.blogspot.com/
Of course, plugins are DLL:s, and as such have to have at least the same capabilities as the app that uses them, so no privilege escalation.
http://ptrmobile.blogspot.com/
How to install Mac OS in intel based machine?
seo