HOWTO: Change the default values of url_response.

Discussion created by middelthun on Sep 9, 2014
Latest reply on May 2, 2017 by middelthun

The hard coded default values of the url_response probe has long been an issue for us. People have a tendency to click through the probe configuration process and go with the defaults, even though our written routine says otherwise. Unfortunately it is practically impossible to stop this normal human behaviour from occuring - hence the need to define the default values ourselves. Unfortunately this is not possible at the moment, but luckily not possible only means hard.

We now have a working version of the url_reponse probe with the default values we want! If this has annoyed you too, here's how we did it.

The url_response package includes a Windows binary file, called conf_url_response.exe. This is the binary which is used to configure url_response. All the default values for the probe are stored within this file, and what you'll have to do is change them. In order to do this you will need some tools.

I will start off with describing these tools before I get on with describing the process I went through to locate the different values. If you are only interested in the result itself you will find a summary at the very bottom.

Note that all of this refers to version 4.18 of url_response, which is the latest version at time of writing.

Other versions will have the same general setup, but the hex addresses will be different. Let's hope the next version of url_response supports defining these default values out of the box, so this tedious process is rendered unnecessary.

The tools:

A hex editor

The main tool you will need to change the default values is a hex editor. Unless you want to go digging for values I'm not listing here, this is in fact the only tool that you will need. If you do choose to go digging for other values than the ones I present here, you will need one key virtue: patience.

Using the hex editor you are able to change the values in the binary file to whatever suits your needs.

I chose using a hex editor called «tweak», and will use this program as a reference in the following descriptions, but any hex editor will do the trick.

A disassembler

In order to locate things in the binary file a good disassembler is essential. Without one you will be left with interpreting the whole bitstream on your own.

A disassembler can not interprete anything completely, but makes a good guess of what it finds in the binary. In other words, you will not be able to reassemble a disassembled file. For instance, the hexadecimal value «68» could mean the ASCII character «j», but it could also mean the machine instruction «push dword». Which of the meanings is the correct one has to be determined at run time, and a disassembler will misinterprete a lot of these things. This is particularily true for strings, but happens with other things as well.

What the disassembler will be very helpful with is determining the location of instructions and their parameters. This is tremendously helpful when searching for values you would like to change. If you are only planning on changing values I have already identified you will not need a disassembler.

I chose to use «ndisasm» for the task.

On a few occasions I also used «objdump». «Objdump» has the extra functionality of actually understanding Windows PE executable files. This helps in understanding how the file is actually built, but I generally felt more comfortable with «ndisadm». It's a subjective matter of taste I suspect.

An important thing to mention about «ndisasm» is that it uses 16 bit mode by default. Since the binary file we are working with is a 32 bit file you will have to tell ndisasm to use 32 bit mode. Otherwise the machine code will be interpreted incorrectly. You do this by adding the switch -b32.