00401098 lea edx,[esp+0x4]
0040109c mov [edi],eax
0040109e push edx
0040109f mov [edi+0x4],cl
004010a2 call Chapter7!system (00401110)
004010a7 mov ecx,[esp+0x6c]
004010ab add esp,0x4
004010ae pop edi
004010af call Chapter7!__security_check_cookie (004011d7)
004010b4 add esp,0x68
004010b7 ret
The __security_check_cookie function is called before launch returns, in order to verify that the cookie has not been corrupted. The epilogue loads the frame's copy of the cookie into ecx (the mov ecx,[esp+0x6c] above) and passes it to __security_check_cookie, which compares it with the module's global copy. Here is what __security_check_cookie does.
__security_check_cookie:
004011d7 cmp ecx,[Chapter7!__security_cookie (0040a428)]
004011dd jnz Chapter7!__security_check_cookie+0x9 (004011e0)
004011df ret
004011e0 jmp Chapter7!report_failure (004011a6)
This idea was originally presented in [Cowan] (Crispin Cowan, Calton Pu, David Maier, Heather Hinton, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang, "Automatic Detection and Prevention of Buffer-Overflow Attacks," 7th USENIX Security Symposium, San Antonio, TX, January 1998) and has since been implemented in several compilers. The latest versions of the Microsoft C/C++ compilers support stack checking, and the Microsoft operating systems themselves (starting with Windows Server 2003 and Windows XP Service Pack 2) are built with this feature enabled.
In Windows, the cookie is stored in a global variable within the protected module (usually named __security_cookie). This variable is initialized by __security_init_cookie when the module is loaded, and is randomized based on the current process and thread IDs, along with the current time and the value of the hardware performance counter (see Listing 7.1). Because the value differs from one run to the next, an attacker who overwrites the stack cannot simply write the expected cookie value back into place. In case you're wondering, here is the source code for __security_init_cookie. This code is embedded in any program built with the Microsoft compiler that has stack checking enabled.
void __cdecl __security_init_cookie(void)
{
    DWORD_PTR cookie;        /* value that will become __security_cookie */
    FT systime;              /* system time; FT is a union over FILETIME */
    LARGE_INTEGER perfctr;   /* hardware performance counter reading */
Listing 7.1 The __security_init_cookie function that initializes the stack-checking cookie in code generated by the Microsoft C/C++ compiler. (continued)
252 Chapter 7
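The following is an added example, not code from the book or from the Microsoft CRT. It models in plain C the two halves of the scheme discussed above: the cookie initialization that __security_init_cookie performs, and the prologue/epilogue pair that stores the cookie in the frame and checks it with __security_check_cookie before returning. Everything in it is an assumption made for illustration: POSIX calls (getpid, time, clock, the address of a stack variable) stand in for the Windows process and thread IDs, system time and performance counter; struct frame, with a 16-byte buffer, stands in for the protected stack frame; the function names (init_security_cookie, gs_prologue, gs_check_cookie, protected_call, run_with_filler, run_with_known_cookie) and the saved-EBP and return-address values are constructed.

```c
/* Added example, not code from the book or the Microsoft CRT: a plain-C model
 * of the /GS scheme described above. POSIX calls (getpid, time, clock, a stack
 * address) stand in for the Windows process/thread IDs, system time and
 * performance counter; struct frame stands in for the protected stack frame. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Model of __security_cookie. 0xBB40E64E is the fixed default the 32-bit CRT
 * keeps in the data section until __security_init_cookie replaces it. */
#define DEFAULT_COOKIE ((uintptr_t)0xBB40E64Eu)
static uintptr_t security_cookie = DEFAULT_COOKIE;

/* Model of __security_init_cookie: mix run-specific values into the cookie so
 * it cannot be read out of the binary. Returns the new cookie. */
uintptr_t init_security_cookie(void)
{
    volatile int stack_probe = 0;               /* address varies under ASLR */
    uintptr_t cookie = (uintptr_t)time(NULL);   /* stands in for the system time */
    cookie ^= (uintptr_t)getpid();              /* process ID (the real code also mixes in the thread ID) */
    cookie ^= (uintptr_t)clock();               /* stands in for the performance counter */
    cookie ^= (uintptr_t)&stack_probe;
    if (cookie == DEFAULT_COOKIE)               /* never leave the well-known default in place */
        cookie = DEFAULT_COOKIE + 1;
    security_cookie = cookie;
    return cookie;
}

/* Protected frame, lowest address first: a linear overflow of buf must run
 * through cookie before it can reach return_addr. */
struct frame {
    char      buf[16];
    uintptr_t cookie;
    uintptr_t return_addr;
};

/* The prologue stores the module cookie in the frame; the epilogue (model of
 * __security_check_cookie) compares it back. The real check jumps to
 * report_failure on a mismatch instead of returning a flag. */
static void gs_prologue(struct frame *f) { f->cookie = security_cookie; }
int gs_check_cookie(const struct frame *f) { return f->cookie == security_cookie; }

/* Deliberately unchecked copy into the 16-byte buffer: the bug the cookie is
 * there to catch. Capped at the frame size so the model's own stack survives. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t n)
{
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, buf);
    size_t room = sizeof *f - offsetof(struct frame, buf);
    if (n > room) n = room;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

#define CORRUPT_COOKIE 1   /* epilogue check failed */
#define CORRUPT_RETURN 2   /* return address differs from what the caller pushed */

/* One call of a /GS-protected function with n attacker-controlled bytes;
 * returns a bitmask of the two CORRUPT_* flags. The address is constructed. */
int protected_call(const unsigned char *input, size_t n)
{
    const uintptr_t real_return = 0x004010a7;
    struct frame f;
    int result = 0;
    memset(&f, 0, sizeof f);
    f.return_addr = real_return;
    gs_prologue(&f);
    unchecked_copy(&f, input, n);
    /* The check runs before ret would consume the (possibly replaced) address. */
    if (!gs_check_cookie(&f))
        result |= CORRUPT_COOKIE;
    if (f.return_addr != real_return)
        result |= CORRUPT_RETURN;
    return result;
}

/* Overflow with n bytes of 'A' filler. */
int run_with_filler(size_t n)
{
    unsigned char payload[sizeof(struct frame)];
    memset(payload, 'A', sizeof payload);
    return protected_call(payload, n < sizeof payload ? n : sizeof payload);
}

/* Overflow by an attacker who has learned the cookie (say, from an info leak):
 * the right value goes back into the cookie slot, so the check passes while the
 * return address is replaced. This is why the cookie must be unpredictable. */
int run_with_known_cookie(void)
{
    unsigned char payload[sizeof(struct frame)];
    memset(payload, 'B', sizeof payload);
    memcpy(payload + offsetof(struct frame, cookie), &security_cookie, sizeof security_cookie);
    return protected_call(payload, sizeof payload);
}

int main(void)
{
    init_security_cookie();
    printf("cookie 0x%lx: 8 bytes -> %d, whole frame -> %d, known cookie -> %d\n",
           (unsigned long)security_cookie, run_with_filler(8),
           run_with_filler(sizeof(struct frame)), run_with_known_cookie());
    return 0;
}
```

An input that fits the buffer leaves the check satisfied; one that runs past it corrupts the cookie and is reported before the frame's return address is ever used, which is the ordering the epilogue above (call __security_check_cookie, then add esp / ret) enforces. The last case is the caveat a practitioner should keep in mind: the check only detects that the cookie changed, so an attacker who can read the cookie out of the process can overwrite it with itself and the return address behind it, which is exactly why the value is randomized per process rather than fixed at build time.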