
nosymbols - defcon russia 20

http://defcon-russia.ru


  1. No symbols =( (19/11/2014, DCG #7812, Saint Petersburg) by @IntR0Py and @evdokimovds
  2. © 2002—2014, Digital Security. #whoami: Dmitriy 'D1g1' Evdokimov: Head of DSecRG, author of Python Arsenal for RE, section editor at Xakep magazine, co-organizer of ZeroNights. George Nosenko: security researcher at Digital Security, nominated for a Pwnie Award.
  3. Agenda: Symbols?!; Approaches & ideas. Defcon Russia (DCG #7812)
  4. Symbols: debug symbols, variable names, function names.
  5. With and without symbols (example: ntdll.dll).
  6. Problems (in normal, non-obfuscated code): we have much more code to look at, and we need a starting point for RE.
  7. At first: IDA can't always define all functions.
  8. Fix functions: code template (PowerPC).
  9. Approaches: logging functions; specific strings; meta information; context (of a function, of the relationship between functions, of the program); ...
  10. A1: logging functions. Find a logging function, backtrace its arguments, decompile (Hex-Rays). (diagram: Function -> String)
  11. Code template.
  12. Example: Windows Phone 8 (InstallerWorker.exe). Tip: restore information from Event Tracing for Windows (ETW).
  13. Example: Objective-C. Idea: restore xrefs from decompilation; the decompiler backtraces the parameters for you.
  14. Example: Objective-C. Needs Hex-Rays...
  15. Example: Objective-C. Patch the binary!
  16. Example: Objective-C (screenshot).
  17. A1: logging functions. (+) good results. (-) the log function has to be identified; (-) needs a backtrace; (-) platform dependent.
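The backtrace step of A1, as an added example that is not the talk's own code template: given a flat x86 listing in which the logging routine has already been identified, walk each function forward, remember what was pushed since the last call, and at each call to the logger read off the argument that carries the function name. The listing, the string labels, the logger name `LogMessage` and its argument layout `LogMessage(level, func_name, fmt, ...)` are all constructed assumptions for the example; in IDA the same walk runs over `idautils.FuncItems()` and the rename is `idc.set_name()`.

```python
import re

LOG_FUNC = "LogMessage"   # assumption: logger found by hand, as slide 10 says
NAME_ARG = 1              # assumption: LogMessage(level, func_name, fmt, ...)

# Constructed string table: IDA label -> literal.
STRINGS = {
    "aInitNetwork": "InitNetwork",
    "aParseConfig": "ParseConfig",
    "aSendPacket": "SendPacket",
    "aFmtFailed": "%s failed: %d",
    "aFmtEnter": "entering %s",
}

# Constructed listing. sub_401200 logs two different names (an inlined helper),
# which the analysis must flag rather than silently pick one of.
LISTING = """
sub_401000:
  push ebp
  mov ebp, esp
  push offset aFmtEnter
  push offset aInitNetwork
  push 3
  call LogMessage
  add esp, 0Ch
sub_401100:
  push ebp
  mov ebp, esp
  mov esi, offset aParseConfig
  push offset aFmtFailed
  push esi
  push 1
  call LogMessage
  add esp, 0Ch
  call sub_401000
sub_401200:
  push offset aFmtEnter
  push offset aSendPacket
  push 2
  call LogMessage
  push offset aFmtFailed
  push offset aInitNetwork
  push 1
  call LogMessage
sub_401300:
  push 42
  call sub_401100
"""

LABEL_RE = re.compile(r"^(\w+):$")
PUSH_OFF_RE = re.compile(r"^push\s+offset\s+(\w+)$")
PUSH_REG_RE = re.compile(r"^push\s+(e[abcd]x|e[sd]i|e[bs]p)$")
PUSH_IMM_RE = re.compile(r"^push\s+\w+$")
MOV_OFF_RE = re.compile(r"^mov\s+(\w+),\s*offset\s+(\w+)$")
CALL_RE = re.compile(r"^call\s+(\w+)$")


def parse_listing(text):
    """Split a flat listing into {function_label: [instruction, ...]}."""
    funcs, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := LABEL_RE.match(line)):
            cur = m.group(1)
            funcs[cur] = []
        elif cur is not None:
            funcs[cur].append(line)
    return funcs


def names_from_log_calls(insns, strings, log_func=LOG_FUNC, name_arg=NAME_ARG):
    """Names that the logging calls inside one function report for it.
    The last push before the call is argument 0, the one before it argument 1."""
    regs, pushes, names = {}, [], set()
    for insn in insns:
        if (m := MOV_OFF_RE.match(insn)):
            regs[m.group(1)] = m.group(2)          # register now holds a string
        elif (m := PUSH_OFF_RE.match(insn)):
            pushes.append(m.group(1))
        elif (m := PUSH_REG_RE.match(insn)):
            pushes.append(regs.get(m.group(1)))    # None if we lost track of it
        elif PUSH_IMM_RE.match(insn):
            pushes.append(None)
        elif (m := CALL_RE.match(insn)):
            if m.group(1) == log_func:
                args = pushes[::-1]
                if name_arg < len(args) and args[name_arg] in strings:
                    names.add(strings[args[name_arg]])
            pushes, regs = [], {}                  # call consumed args, clobbered regs
    return names


def propose_renames(text, strings):
    """Rename map for functions with one consistent logged name; the rest are
    returned separately so a human decides which name (if any) is right."""
    renames, conflicts = {}, {}
    for func, insns in parse_listing(text).items():
        names = names_from_log_calls(insns, strings)
        if len(names) == 1:
            renames[func] = names.pop()
        elif names:
            conflicts[func] = sorted(names)
    return renames, conflicts


if __name__ == "__main__":
    renames, conflicts = propose_renames(LISTING, STRINGS)
    for old, new in renames.items():
        print(f"{old} -> {new}")
    for old, names in conflicts.items():
        print(f"{old}: conflicting names {names}")
```

Calls to anything other than the logger still reset the tracked pushes and registers, which is what keeps a name argument built for one call from being attributed to the next; the price is that a name loaded into a callee-saved register before an intervening call is missed, and such functions simply stay unnamed for the A2 pass to pick up.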
  18. A2: strings. Main idea: match the strings a function references against patterns that reveal the function's name, with no need to identify a log function first.
  19. A2: strings: code template.
  20. A2: strings. (+) platform independent; (+) forget about the log function; (+) a (relatively) general approach; (+) small, simple, flexible. (-) needs regexps (I hate them); (-) may need customization; (-) false positives.
  21. A2: strings: it works!
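The A2 heuristic as an added example, not the talk's code template: every string a function references is matched against a handful of regexps that capture a probable function name, each function votes for the names its strings suggest, and a name claimed by several functions goes to the one with the most supporting strings while the others are queued for review. That last step is what handles the false positive the slide warns about: a caller that logs "ParseHeader() returned %d" mentions the callee, not itself. The xref table, the patterns and the stop-word list are constructed for the example; in IDA the table comes from `idautils.Strings()` plus `idautils.XrefsTo()`.

```python
import re
from collections import Counter, defaultdict

# Constructed input: generic function label -> string literals it references.
XREFS = {
    "sub_10001000": ["Connection::Open", "Connection::Open: socket() failed", "Error"],
    "sub_10001200": ["[ParseHeader] bad magic %x", "Error", "[ParseHeader] ok"],
    "sub_10001400": ["src/net/conn.c", "out of memory", "Error"],
    "sub_10001600": ["ParseHeader() returned %d", "Error"],
    "sub_10001800": ["Connection::Open", "retrying"],
}

# Each pattern captures the candidate name in group 1; order matters, first hit wins.
PATTERNS = [
    re.compile(r"^([A-Za-z_]\w*::[A-Za-z_]\w*)"),                  # Class::Method ...
    re.compile(r"^\[([A-Za-z_]\w*)\]"),                            # [FuncName] ...
    re.compile(r"^([A-Za-z_]\w*)\(\)"),                            # FuncName() ...
    re.compile(r"^([A-Za-z_]\w*) (?:failed|called|enter|exit)\b"),  # FuncName failed ...
]
# Words that match the patterns but never name a function (tune per target).
GENERIC = {"Error", "Warning", "Debug", "Info", "main", "NULL"}


def candidates(strings):
    """Votes for names that one function's strings suggest for it."""
    votes = Counter()
    for s in strings:
        if s in GENERIC:
            continue
        for pat in PATTERNS:
            m = pat.match(s)
            if m:
                votes[m.group(1)] += 1
                break
    return votes


def propose_renames(xrefs, shared_threshold=3):
    """Rename map plus a review list of (name, [functions]) that lost a claim or tied."""
    # A literal referenced from many functions is shared boilerplate, not a name.
    ref_count = Counter(s for strs in xrefs.values() for s in set(strs))
    shared = {s for s, n in ref_count.items() if n >= shared_threshold}

    claims = defaultdict(list)                        # name -> [(votes, func)]
    for func, strs in xrefs.items():
        for name, n in candidates(s for s in strs if s not in shared).items():
            claims[name].append((n, func))

    won, review = defaultdict(dict), []               # func -> {name: votes}
    for name, claimants in claims.items():
        claimants.sort(reverse=True)
        (top, winner), rest = claimants[0], claimants[1:]
        if rest and rest[0][0] == top:                # tie: no automatic decision
            review.append((name, [f for _, f in claimants]))
            continue
        won[winner][name] = top
        review.extend((name, [f]) for _, f in rest)

    # A function that won several names keeps the best-supported one.
    renames = {f: max(names, key=names.get) for f, names in won.items()}
    return renames, review


if __name__ == "__main__":
    renames, review = propose_renames(XREFS)
    for old, new in renames.items():
        print(f"{old} -> {new}")        # in IDA: idc.set_name(ea, new)
    for name, funcs in review:
        print(f"review: {name} also claimed by {funcs}")
```

The shared-string threshold and the stop-word list are the two knobs the slide's "may need to customize" point refers to: a target that logs with a module-wide prefix needs the prefix stripped in the patterns, and a target that embeds the function name in every message will need the threshold raised so those strings are not dismissed as boilerplate.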
  22. A3: meta information: RTTI (Run-Time Type Identification), RTCI (Run Time Class Information). (diagram: Function -> RTTI)
  23. A3: IDA plugins: Class Informer, http://sourceforge.net/projects/classinformer (only PE32, C++ RTTI).
  24. A3: Class Informer (screenshot).
  25. A4.1: context of functions: API wrappers; special functions (DriverEntry, RpcServerRegister, CoRegisterClassObject / DllGetClassObject, ...); special instructions (in/out; vmcall, vmwrite, ...; rdmsr, wrmsr; sc, bcctrl); switch tables; crypto.
  26. A4.1: IDAScope: fix functions; spot 'wrapper' functions (tagging); spot blocks of code that look like cryptography (colorizing); crypto signatures.
  27. A4.2: relationship of functions.
  28. A4.2: relationship of functions: renaming subroutine blocks, http://hooked-on-mnemonics.blogspot.ru/2012/07/renaming-subroutine-blocks-and.html
  29. A4.3: context of program: the N most complex functions (CC, cyclomatic complexity); the N largest functions (parsers, etc.); the N most frequently called functions; runtime identification; ...
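The context heuristics of A4.1 and A4.3 in one added example, not code from the talk: per-function summaries (basic-block and edge counts, byte size, callees, mnemonics) are reduced to cyclomatic complexity `CC = E - N + 2`, ranked by complexity, size and caller count, and tagged when the body contains a privileged instruction or consists of a single block around one call (an API wrapper). The summary table is constructed for the example; in IDA it would be built from `idautils.Functions()`, `idaapi.FlowChart()` and `idautils.CodeRefsTo()`.

```python
from collections import Counter

# Constructed per-function summary of the kind IDAPython can collect.
FUNCS = {
    "sub_1000": dict(blocks=1, edges=0, size=24, calls=["WriteFile"], mnems=["mov", "call", "retn"]),
    "sub_1100": dict(blocks=41, edges=63, size=2140, calls=["sub_1000", "sub_1300"], mnems=["cmp", "jz", "movzx"]),
    "sub_1200": dict(blocks=3, edges=3, size=96, calls=["sub_1000"], mnems=["rdmsr", "mov"]),
    "sub_1300": dict(blocks=9, edges=12, size=540, calls=["sub_1000", "sub_1200"], mnems=["in", "out"]),
    "sub_1400": dict(blocks=2, edges=1, size=60, calls=["sub_1300"], mnems=["vmcall"]),
    "sub_1500": dict(blocks=5, edges=6, size=200, calls=["sub_1000", "sub_1300"], mnems=["xor", "rol"]),
}

# Mnemonic -> tag, following the slide's list of special instructions.
SPECIAL = {
    "rdmsr": "msr", "wrmsr": "msr",
    "in": "port_io", "out": "port_io",
    "vmcall": "vmx", "vmread": "vmx", "vmwrite": "vmx",
    "sc": "syscall", "bcctrl": "indirect_call",
}


def cyclomatic(f):
    """McCabe complexity of one function's CFG: edges - nodes + 2."""
    return f["edges"] - f["blocks"] + 2


def tags_for(f):
    """Why this function deserves a look before the others."""
    tags = sorted({SPECIAL[m] for m in f["mnems"] if m in SPECIAL})
    if f["blocks"] == 1 and len(f["calls"]) == 1:
        tags.append("wrapper:" + f["calls"][0])     # straight-line body, one callee
    return tags


def context_report(funcs, top=3):
    """Starting points for RE: complex, large and popular functions, plus tags."""
    callers = Counter(c for f in funcs.values() for c in f["calls"])
    return {
        "complex": sorted(funcs, key=lambda n: cyclomatic(funcs[n]), reverse=True)[:top],
        "large": sorted(funcs, key=lambda n: funcs[n]["size"], reverse=True)[:top],
        "most_called": [n for n, _ in callers.most_common(top)],
        "tags": {n: t for n, f in funcs.items() if (t := tags_for(f))},
    }


if __name__ == "__main__":
    rep = context_report(FUNCS)
    print("most complex (likely parsers/state machines):", rep["complex"])
    print("largest:", rep["large"])
    print("most called (helpers, allocators, loggers):", rep["most_called"])
    for name, tags in rep["tags"].items():
        print(f"{name}: {', '.join(tags)}")
```

The tags are the cheap half of A4.1: a function containing `rdmsr` or `in/out` is worth naming before anything else in a driver or hypervisor, and a wrapper around an import can usually be named after that import on the spot. The rankings are A4.3 as stated on the slide; which of them matters first depends on the program, which is the point of slide 32.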
  30. Extra: binaries that share the same codebase: (pdb) -> idb -> pat -> sig -> idb; IDA plugin ida2pat.py; http://www.idapro.ru/description/flirt
  31. Plan: take all techniques, prioritize, launch, profit!
  32. Conclusions: all borders are in your head; invent your own heuristics depending on the traits of the program and its functions.
