[2013 CodeEngn Conference 09] BlueH4G - hooking and visualization

2013 CodeEngn Conference 09

For reversers and application analysts, hooking is something they cannot do without. Many libraries such as Detours exist for hooking, but when analyzing a large number of applications, or simply looking at an application's internal flow, it takes more manual effort than you would expect. This talk implements hooking in an easier and simpler way and adds visualization so that analysis can be done more intuitively.

http://codeengn.com/conference/09
http://codeengn.com/conference/archive



  1. hooking & visualization. Jaeyong Kim (BlueH4G at gmail dot com). 2013 CodeEngn Conference 09, www.CodeEngn.com
  2. AGENDA: 1. Introduction 2. About this presentation 3. Why did I do it? 4. What is hooking? 5. What to do with hooking? 6. Demo 7. QnA
  3. Who am I? Kim Jaeyong, 26 years old (xx chromosome). IGLOO SECURITY & B10S & Hackerschool WG, http://wargame.kr, blueh4g at gmail dotcom
  4. About this presentation
  5. Why did I do it?
  6. Why did I do it? Carnegie Mellon's FOE, a custom fuzzer built on pydbg, and so on…
  7. Why did I do it?
  8. Why did I do it? EIP 41414141 ????? Did you dream about a dragon?
  9. Why did I do it? vtable! OLE structure!
  10. Why did I do it?
  11. What is hooking? I want to know the application flow! Basic blocks? Or… something else?
  12. What is hooking? WinAPI - Windows Application Programming Interface. Every application running on Windows uses the WinAPI. What if we hook every WinAPI function and trace the flow?
  13. What to do with hooking? What is hooking?
  14. What to do with hooking? (diagram) Before: APPLICATION → WinAPI. After: APPLICATION → Custom Func → WinAPI
  15. So, what? 1. Application flow analysis 2. WinAPI parameter and return value monitoring 3. Crash & original sample diffing (in app) 4. Call stack log of WinAPI calls 5. Tagging of APIs such as memcpy, HeapAlloc, etc. 6. Invalid parameter & invalid return value tagging 7. The basic rule is readability
  16. Hooking tools
  17. Hooking tools: WinAPIOverride32/64 - open source (Thx!) - jacquelin.potier.free.fr/winapioverride32/. API Monitor v2 32/64 - not open source (but free) - www.rohitab.com
  18. Demo
  19. Another episode.. 1. RtlWriteDecodedUcsDataIntoSmartLBlobUcsWritingContext 2. Full GUI interface?
  20. QnA Question & Answer …? Let's say there are no questions...
  21. Thx. If you have further questions, please send me an email :D blueh4g [at] gmail {dot} com. www.CodeEngn.com 2013 CodeEngn Conference 09
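Slides 14 and 15 describe the idea: put a custom function between the application and each WinAPI call, record parameters, return values and call depth, and tag memory APIs and invalid parameters or return values so the trace can be drawn as a call tree. The block below is an added example, not code from the talk or from WinAPIOverride/API Monitor: it models that pipeline in Python with constructed stand-ins (`heap_alloc`, `mem_copy`, `open_document`) in place of real WinAPI bindings, and a tag table that is an assumption.

```python
import functools

TRACE = []    # one record per hooked call, in call order; feeds the visualization
DEPTH = [0]   # current call-stack level, used for the tree indentation
# Assumed tag table: which stand-in APIs to mark as memory-related (slide 15, item 5).
TAGGED = {"heap_alloc": "heap", "mem_copy": "memory"}

def hook(func):
    """Interpose a 'Custom Func' (slide 14) around an API: log args, return, depth, tags."""
    @functools.wraps(func)
    def wrapper(*args):
        name = func.__name__
        entry = {"api": name, "args": args, "depth": DEPTH[0], "ret": None,
                 "tags": [TAGGED[name]] if name in TAGGED else []}
        # Invalid-parameter tagging: a NULL (None) pointer or zero size/handle.
        if any(a is None or a == 0 for a in args):
            entry["tags"].append("invalid-param")
        TRACE.append(entry)           # appended on entry, so parents precede children
        DEPTH[0] += 1
        try:
            ret = func(*args)
        finally:
            DEPTH[0] -= 1
        entry["ret"] = ret
        if ret is None or ret == 0:   # WinAPI-style failure value (NULL / FALSE)
            entry["tags"].append("invalid-ret")
        return ret
    return wrapper

@hook
def heap_alloc(size):                 # constructed stand-in: returns NULL for size 0
    return 0x1000 if size else 0

@hook
def mem_copy(dst, src, size):         # constructed stand-in: returns dst like memcpy
    return dst

@hook
def open_document(path):              # constructed 'application' code calling the APIs
    buf = heap_alloc(len(path))
    return mem_copy(buf, path, len(path))

def run_trace():
    """Run the sample application twice (a valid and an empty path) and return the trace."""
    TRACE.clear()
    open_document("sample.doc")
    open_document("")                 # triggers invalid-param / invalid-ret tagging
    return TRACE

def render(trace):
    """Indent each call by its depth: the call tree a visualizer would draw."""
    return [f"{'  ' * e['depth']}{e['api']}{e['args']} -> {e['ret']} {e['tags']}"
            for e in trace]
```

Running `render(run_trace())` prints the indented tree with tagged lines, which is the readable form slide 15 asks for.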
