SlideShare a Scribd company logo

0x3E9 Ways To DIE

Y
ynvb

Introducing Dynamic IDA Enrichment - aka. DIE

Internet
1 of 30
Download to read offline
0x3e9 Ways to DIE
❖ Yaniv Balmas (@ynvb) ❖ Security Researcher @ Check Point Software Technologies ❖ Malware Research ❖ Vulnerability Research ❖ Spend most of my day
 staring at assembly 
 code and binary files. RECON 2015 Who am I? ynvb
❖ Static analysis tools contain a lot of useful data about binary files. ❖ Dynamic analysis tools (e.g Debuggers) contain all execution flow related data. ❖ It seems trivial to bridge those two approaches. “Well I wish you’d just tell me rather than try to engage my enthusiasm.” –Marvin RECON 2015 What is the problem? RE Problems
Previous Solutions
❖ 2014, Zach Riggle ❖ Uses Intel PIN framework ❖ Very extensive tracing ❖ Branch Statistics ❖ Data is stored as .IDB comments ❖ Only works on INTEL archs and is designed mainly for Windows. RECON 2015 IDA-Splode RE Solution I
❖ 2013, Andrzej Derezowski ❖ Uses IDA Debugging API ❖ Very intuitive solution ❖ Parses ASCIIUnicode string values ❖ New threads are not being followed ❖ Argument offsets are calculated “manually” RECON 2015 Funcap RE Solution II
❖ The extracted dynamic data is not indexed and searching through it can be a *pain*. ❖ Entry level for adding custom functionality is relatively high. NO Reference to value types!! RECON 2015 What is missing? Missing
( And Prepare to DIE…)
❖ DIE - “Dynamic IDA Enrichment” ❖ Collect context from function calls & returns only. ❖ Parse argument values and present them in a “Human Readable” format. ❖ Smart interaction between static & dynamic data. ❖ Use as much IDA-API Magic as possible. RECON 2015 Howto DIE? DIE
❖ How can we query IDA for function argument types? ❖ Once we have the argument values, how do we parse them? which values should we parse? ❖ How do we parse complex data types? (structs, unions, pointers, etc)? RECON 2015 Implementation Challenges DIE
❖ After hours of fun reading IDA-API, it turns out there are some objects we can actually use. ❖ tinfo_t objects holds a ridiculous amount of information about data types. ❖ Digging even deeper into tinfo_t object reveals the func_type_data_t, func_arg_t and arg_loc_t objects which store everything we need to parse function arguments. RECON 2015 Function Arguments DIE Howto
❖ Impossible to think of all parsing options! ❖ Makes more sense to create an open source plugin framework. Value Parser Plugin Argument Type Human Readable Value bool 0x1 TRUE 10 Raw Argument Value Score RECON 2015 Parsing Argument Values DIE Howto
❖ Impossible to think of all parsing options! ❖ Makes more sense to create an open source plugin framework. Value Parser Plugin Argument Type Human Readable Value ? 0x1 TRUE 4 Raw Argument Value Score RECON 2015 Parsing Argument Values DIE Howto
❖ What do we do when we encounter a complex data type? ❖ Simple. Break it up until we reach the simple types. structs unions udt = udt_idaapi.udt_type_data_t type_info.get_udt_details(udt) arrays arr = idaapi.array_type_data_t() type_info.get_array_details(arr) references type_info.get_pointed_object() RECON 2015 Complex Data Types DIE Howto
Dissasembler Debugger IDA API IDAD.I.E Value Parsers Core Die DB __cdecl main (int argc, char **argv) proc near push 1 lea eax, ds:string ; “Str1” push eax call func_1 add esp, 8 lea eax, ds:string ; “Str1” push eax call unknown
Dissasembler Debugger IDA API IDA D.I.E Value Parsers Core Die DB ; bool __cdecl func_1(char *a, int b) proc near push ebp mov esp, ebp sub esp, 0C0h mov eax, [ebp+name] push eax call _strcmp ret CHAR *a “Str1” int b 0x1
Dissasembler Debugger IDA API IDA D.I.E Value Parsers Core Die DB __cdecl main (int argc, char **argv) proc near push 1 lea eax, ds:string ; “Str1” push eax call func_1 add esp, 8 lea eax, ds:string ; “Str1” push eax call unknown bool True
Dissasembler Debugger IDA API IDA D.I.E Value Parsers Core Die DB ; int __cdecl unknown(int) proc near push ebp mov esp, ebp sub esp, 0C0h mov ebx, edx mov [ebp+var_4], ecx push esi xor esi, esi cmp ebx, esi jle loc_XXXXXX ret int 0x401234 “Str1”
Value Parsers 0x486176 “Have a Nice Day!”
String Parser Uses idc.GetString to parse ASCII, Unicode, Pascal and other strings Returns TRUE for 0x1 and FALSE for 0x0. (Duh!) bool Parser Returns the referenced function name.function Parser Returns the referenced module name. module Parser RECON 2015 Simple Value Parsers Parsers
❖ Works on Windows systems with local debugger (currently). ❖ Uses DuplicateHandle() to duplicate the handle associated with the raw value from the current running process. ❖ Uses NtQueryObject() on the local handle to retrieve the handles details. ❖ Returns the handle name and type. RECON 2015 Advanced Parser - Handles Parsers
❖ Great example of an ad-hoc parser. ❖ Check if the value pointed by offset 4 of raw address is either a string or references a string. ❖ Also, make sure raw value is not a string. RECON 2015 Advanced Parser - STD String Parsers
DEMO TIME “Demos, don't talk to me about demos…” -Marvin
Your Orders: Assigned By: Agent M Target Application: ATEN Firmware Upgrade Utility Mission: Bypass password protection Quickly! RECON 2015 Bypass Password Protection Use Case 1 Watch The DEMO
Your Orders: Assigned By: Agent M Target Application: 7zip cli (32-bit version) Mission: Get a complete code analysis Quickly! RECON 2015 Defeat C++ Code Use Case 2 Watch The DEMO
Your Orders: Assigned By: Agent M Target Application: Explosive Trojan Mission: Find the string de-obfuscation function Quickly! RECON 2015 String De-Obfuscation Use Case 3 Watch The DEMO
❖ Thunk Functions ❖ Complex function parsers ❖ Better GUI ❖ (Much) Better DB ❖ Solve (very) dramatic crashes RECON 2015 #TODO TODO
❖ Yes. ❖ DIE is an open source tool. ❖ https://github.com/ynvb/DIE ❖ If you like it, contribute. RECON 2015 Looks cool, Can I have it? GITHUB
SARK IDA Python Made Easy • Simple • Intuitive • Object Oriented API • Docs: sark.rtfd.org • Code: github.com/tmr232/sark • Written by Tamir Bahar @tmr232
42 @ynvb Yaniv Balmas

Recommended

Java basic data types
Java basic data typesJava basic data types
Java basic data types3trg
 
An Introduction to ANTLR
An Introduction to ANTLRAn Introduction to ANTLR
An Introduction to ANTLRMorteza Zakeri
 
32sql server
32sql server32sql server
32sql serverSireesh K
 
Using ANTLR on real example - convert "string combined" queries into paramete...
Using ANTLR on real example - convert "string combined" queries into paramete...Using ANTLR on real example - convert "string combined" queries into paramete...
Using ANTLR on real example - convert "string combined" queries into paramete...Alexey Diyan
 
Data types in Java
Data types in JavaData types in Java
Data types in JavaPlay Store
 
ANTLR4 and its testing
ANTLR4 and its testingANTLR4 and its testing
ANTLR4 and its testingKnoldus Inc.
 
Python programming l2
Python programming l2Python programming l2
Python programming l2Aishwarya Deshmukh
 
Clean code
Clean codeClean code
Clean codeSmita Prasad
 

Recommended

Java basic data types
Java basic data typesJava basic data types
Java basic data types3trg
 
An Introduction to ANTLR
An Introduction to ANTLRAn Introduction to ANTLR
An Introduction to ANTLRMorteza Zakeri
 
32sql server
32sql server32sql server
32sql serverSireesh K
 
Using ANTLR on real example - convert "string combined" queries into paramete...
Using ANTLR on real example - convert "string combined" queries into paramete...Using ANTLR on real example - convert "string combined" queries into paramete...
Using ANTLR on real example - convert "string combined" queries into paramete...Alexey Diyan
 
Data types in Java
Data types in JavaData types in Java
Data types in JavaPlay Store
 
ANTLR4 and its testing
ANTLR4 and its testingANTLR4 and its testing
ANTLR4 and its testingKnoldus Inc.
 
Python programming l2
Python programming l2Python programming l2
Python programming l2Aishwarya Deshmukh
 
Clean code
Clean codeClean code
Clean codeSmita Prasad
 
Java basic-data-types
Java basic-data-typesJava basic-data-types
Java basic-data-typesShahid Rasheed
 
Java basic data types
Java basic data typesJava basic data types
Java basic data typesjavaicon
 
(4) collections algorithms
(4) collections algorithms(4) collections algorithms
(4) collections algorithmsNico Ludwig
 
Beyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software ArchitectureBeyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software ArchitectureJayaram Sankaranarayanan
 
Value Types
Value TypesValue Types
Value TypesMichael Barker
 
Intro to Java for C++ Developers
Intro to Java for C++ DevelopersIntro to Java for C++ Developers
Intro to Java for C++ DevelopersZachary Blair
 
(4) collections algorithms
(4) collections algorithms(4) collections algorithms
(4) collections algorithmsNico Ludwig
 
Python Concepts
Python ConceptsPython Concepts
Python Conceptssaipreethi16
 
Advanced c c++
Advanced c c++Advanced c c++
Advanced c c++muilevan
 
Python training
Python trainingPython training
Python trainingsaijohn1997
 
An Introduction To Python - Files, Part 1
An Introduction To Python - Files, Part 1An Introduction To Python - Files, Part 1
An Introduction To Python - Files, Part 1Blue Elephant Consulting
 
Intro to python
Intro to pythonIntro to python
Intro to pythonMohamed Essam
 
Java Basics
Java BasicsJava Basics
Java Basicsshivamgarg_nitj
 
ShaREing Is Caring
ShaREing Is CaringShaREing Is Caring
ShaREing Is Caringsporst
 
Python - Logic Gates
Python - Logic GatesPython - Logic Gates
Python - Logic GatesGiovannie Díaz
 
Introduction to data science
Introduction to data scienceIntroduction to data science
Introduction to data scienceJoseph Itopa Abubakar
 
Generics In and Out
Generics In and OutGenerics In and Out
Generics In and OutJaliya Udagedara
 
Hema wt (1)
Hema wt (1)Hema wt (1)
Hema wt (1)SangeethaSasi1
 
Java
JavaJava
JavaZeeshan Khan
 
C++ to java
C++ to javaC++ to java
C++ to javaAjmal Ak
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Joxean Koret
 

More Related Content

What's hot

Java basic data types
Java basic data typesJava basic data types
Java basic data typesjavaicon
 
(4) collections algorithms
(4) collections algorithms(4) collections algorithms
(4) collections algorithmsNico Ludwig
 
Beyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software ArchitectureBeyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software ArchitectureJayaram Sankaranarayanan
 
Intro to Java for C++ Developers
Intro to Java for C++ DevelopersIntro to Java for C++ Developers
Intro to Java for C++ DevelopersZachary Blair
 
(4) collections algorithms
(4) collections algorithms(4) collections algorithms
(4) collections algorithmsNico Ludwig
 
Advanced c c++
Advanced c c++Advanced c c++
Advanced c c++muilevan
 
ShaREing Is Caring
ShaREing Is CaringShaREing Is Caring
ShaREing Is Caringsporst
 
C++ to java
C++ to javaC++ to java
C++ to javaAjmal Ak
 

What's hot (20)

Java basic-data-types
Java basic-data-typesJava basic-data-types
Java basic-data-types
 
Java basic data types
Java basic data typesJava basic data types
Java basic data types
 
(4) collections algorithms
(4) collections algorithms(4) collections algorithms
(4) collections algorithms
 
Beyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software ArchitectureBeyond PITS, Functional Principles for Software Architecture
Beyond PITS, Functional Principles for Software Architecture
 
Value Types
Value TypesValue Types
Value Types
 
Intro to Java for C++ Developers
Intro to Java for C++ DevelopersIntro to Java for C++ Developers
Intro to Java for C++ Developers
 
(4) collections algorithms
(4) collections algorithms(4) collections algorithms
(4) collections algorithms
 
Python Concepts
Python ConceptsPython Concepts
Python Concepts
 
Advanced c c++
Advanced c c++Advanced c c++
Advanced c c++
 
Python training
Python trainingPython training
Python training
 
An Introduction To Python - Files, Part 1
An Introduction To Python - Files, Part 1An Introduction To Python - Files, Part 1
An Introduction To Python - Files, Part 1
 
Intro to python
Intro to pythonIntro to python
Intro to python
 
Java Basics
Java BasicsJava Basics
Java Basics
 
ShaREing Is Caring
ShaREing Is CaringShaREing Is Caring
ShaREing Is Caring
 
Python - Logic Gates
Python - Logic GatesPython - Logic Gates
Python - Logic Gates
 
Introduction to data science
Introduction to data scienceIntroduction to data science
Introduction to data science
 
Generics In and Out
Generics In and OutGenerics In and Out
Generics In and Out
 
Hema wt (1)
Hema wt (1)Hema wt (1)
Hema wt (1)
 
Java
JavaJava
Java
 
C++ to java
C++ to javaC++ to java
C++ to java
 

Similar to 0x3E9 Ways To DIE

TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Joxean Koret
 
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksMykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksVadym Muliavka
 
GDG Helwan Introduction to python
GDG Helwan Introduction to pythonGDG Helwan Introduction to python
GDG Helwan Introduction to pythonMohamed Hegazy
 
Basic PowerShell Toolmaking - Spiceworld 2016 session
Basic PowerShell Toolmaking - Spiceworld 2016 sessionBasic PowerShell Toolmaking - Spiceworld 2016 session
Basic PowerShell Toolmaking - Spiceworld 2016 sessionRob Dunn
 
Tutorial on-python-programming
Tutorial on-python-programmingTutorial on-python-programming
Tutorial on-python-programmingChetan Giridhar
 
Dapper: the microORM that will change your life
Dapper: the microORM that will change your lifeDapper: the microORM that will change your life
Dapper: the microORM that will change your lifeDavide Mauri
 
Standardizing on a single N-dimensional array API for Python
Standardizing on a single N-dimensional array API for PythonStandardizing on a single N-dimensional array API for Python
Standardizing on a single N-dimensional array API for PythonRalf Gommers
 
web programming UNIT VIII python by Bhavsingh Maloth
web programming UNIT VIII python by Bhavsingh Malothweb programming UNIT VIII python by Bhavsingh Maloth
web programming UNIT VIII python by Bhavsingh MalothBhavsingh Maloth
 
Advance Python programming languages-Simple Easy learning
Advance Python programming languages-Simple Easy learningAdvance Python programming languages-Simple Easy learning
Advance Python programming languages-Simple Easy learningsherinjoyson
 
Functional Patterns for C++ Multithreading (C++ Dev Meetup Iasi)
Functional Patterns for C++ Multithreading (C++ Dev Meetup Iasi)Functional Patterns for C++ Multithreading (C++ Dev Meetup Iasi)
Functional Patterns for C++ Multithreading (C++ Dev Meetup Iasi)Ovidiu Farauanu
 
Introduction to python
Introduction to pythonIntroduction to python
Introduction to pythonMohammed Rafi
 
DEF CON 27 - workshop - EIGENTOURIST - hacking with monads
DEF CON 27 - workshop - EIGENTOURIST - hacking with monadsDEF CON 27 - workshop - EIGENTOURIST - hacking with monads
DEF CON 27 - workshop - EIGENTOURIST - hacking with monadsFelipe Prado
 

Similar to 0x3E9 Ways To DIE (20)

TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
 
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksMykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
 
GDG Helwan Introduction to python
GDG Helwan Introduction to pythonGDG Helwan Introduction to python
GDG Helwan Introduction to python
 
Basic PowerShell Toolmaking - Spiceworld 2016 session
Basic PowerShell Toolmaking - Spiceworld 2016 sessionBasic PowerShell Toolmaking - Spiceworld 2016 session
Basic PowerShell Toolmaking - Spiceworld 2016 session
 
Tutorial on-python-programming
Tutorial on-python-programmingTutorial on-python-programming
Tutorial on-python-programming
 
Dapper: the microORM that will change your life
Dapper: the microORM that will change your lifeDapper: the microORM that will change your life
Dapper: the microORM that will change your life
 
Python Module-1.1.pdf
Python Module-1.1.pdfPython Module-1.1.pdf
Python Module-1.1.pdf
 
Python PPT.pptx
Python PPT.pptxPython PPT.pptx
Python PPT.pptx
 
My life as a cyborg
My life as a cyborg My life as a cyborg
My life as a cyborg
 
Standardizing on a single N-dimensional array API for Python
Standardizing on a single N-dimensional array API for PythonStandardizing on a single N-dimensional array API for Python
Standardizing on a single N-dimensional array API for Python
 
Python intro
Python introPython intro
Python intro
 
Class_X_PYTHON_J.pdf
Class_X_PYTHON_J.pdfClass_X_PYTHON_J.pdf
Class_X_PYTHON_J.pdf
 
web programming UNIT VIII python by Bhavsingh Maloth
web programming UNIT VIII python by Bhavsingh Malothweb programming UNIT VIII python by Bhavsingh Maloth
web programming UNIT VIII python by Bhavsingh Maloth
 
Advance Python programming languages-Simple Easy learning
Advance Python programming languages-Simple Easy learningAdvance Python programming languages-Simple Easy learning
Advance Python programming languages-Simple Easy learning
 
Python Demo.pptx
Python Demo.pptxPython Demo.pptx
Python Demo.pptx
 
Functional Patterns for C++ Multithreading (C++ Dev Meetup Iasi)
Functional Patterns for C++ Multithreading (C++ Dev Meetup Iasi)Functional Patterns for C++ Multithreading (C++ Dev Meetup Iasi)
Functional Patterns for C++ Multithreading (C++ Dev Meetup Iasi)
 
Python Demo.pptx
Python Demo.pptxPython Demo.pptx
Python Demo.pptx
 
Introduction to python
Introduction to pythonIntroduction to python
Introduction to python
 
DEF CON 27 - workshop - EIGENTOURIST - hacking with monads
DEF CON 27 - workshop - EIGENTOURIST - hacking with monadsDEF CON 27 - workshop - EIGENTOURIST - hacking with monads
DEF CON 27 - workshop - EIGENTOURIST - hacking with monads
 

Recently uploaded

VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 

Recently uploaded (20)

VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 

0x3E9 Ways To DIE

  • 2. ❖ Yaniv Balmas (@ynvb) ❖ Security Researcher @ Check Point Software Technologies ❖ Malware Research ❖ Vulnerability Research ❖ Spend most of my day
 staring at assembly 
 code and binary files. RECON 2015 Who am I? ynvb
  • 3. ❖ Static analysis tools contain a lot of useful data about binary files. ❖ Dynamic analysis tools (e.g Debuggers) contain all execution flow related data. ❖ It seems trivial to bridge those two approaches. “Well I wish you’d just tell me rather than try to engage my enthusiasm.” –Marvin RECON 2015 What is the problem? RE Problems
  • 5. ❖ 2014, Zach Riggle ❖ Uses Intel PIN framework ❖ Very extensive tracing ❖ Branch Statistics ❖ Data is stored as .IDB comments ❖ Only works on INTEL archs and is designed mainly for Windows. RECON 2015 IDA-Splode RE Solution I
  • 6. ❖ 2013, Andrzej Derezowski ❖ Uses IDA Debugging API ❖ Very intuitive solution ❖ Parses ASCIIUnicode string values ❖ New threads are not being followed ❖ Argument offsets are calculated “manually” RECON 2015 Funcap RE Solution II
  • 7. ❖ The extracted dynamic data is not indexed and searching through it can be a *pain*. ❖ Entry level for adding custom functionality is relatively high. NO Reference to value types!! RECON 2015 What is missing? Missing
  • 8. ( And Prepare to DIE…)
  • 9. ❖ DIE - “Dynamic IDA Enrichment” ❖ Collect context from function calls & returns only. ❖ Parse argument values and present them in a “Human Readable” format. ❖ Smart interaction between static & dynamic data. ❖ Use as much IDA-API Magic as possible. RECON 2015 Howto DIE? DIE
  • 10. ❖ How can we query IDA for function argument types? ❖ Once we have the argument values, how do we parse them? which values should we parse? ❖ How do we parse complex data types? (structs, unions, pointers, etc)? RECON 2015 Implementation Challenges DIE
  • 11. ❖ After hours of fun reading IDA-API, it turns out there are some objects we can actually use. ❖ tinfo_t objects holds a ridiculous amount of information about data types. ❖ Digging even deeper into tinfo_t object reveals the func_type_data_t, func_arg_t and arg_loc_t objects which store everything we need to parse function arguments. RECON 2015 Function Arguments DIE Howto
  • 12. ❖ Impossible to think of all parsing options! ❖ Makes more sense to create an open source plugin framework. Value Parser Plugin Argument Type Human Readable Value bool 0x1 TRUE 10 Raw Argument Value Score RECON 2015 Parsing Argument Values DIE Howto
  • 13. ❖ Impossible to think of all parsing options! ❖ Makes more sense to create an open source plugin framework. Value Parser Plugin Argument Type Human Readable Value ? 0x1 TRUE 4 Raw Argument Value Score RECON 2015 Parsing Argument Values DIE Howto
  • 14. ❖ What do we do when we encounter a complex data type? ❖ Simple. Break it up until we reach the simple types. structs unions udt = udt_idaapi.udt_type_data_t type_info.get_udt_details(udt) arrays arr = idaapi.array_type_data_t() type_info.get_array_details(arr) references type_info.get_pointed_object() RECON 2015 Complex Data Types DIE Howto
  • 15. Dissasembler Debugger IDA API IDAD.I.E Value Parsers Core Die DB __cdecl main (int argc, char **argv) proc near push 1 lea eax, ds:string ; “Str1” push eax call func_1 add esp, 8 lea eax, ds:string ; “Str1” push eax call unknown
  • 16. Dissasembler Debugger IDA API IDA D.I.E Value Parsers Core Die DB ; bool __cdecl func_1(char *a, int b) proc near push ebp mov esp, ebp sub esp, 0C0h mov eax, [ebp+name] push eax call _strcmp ret CHAR *a “Str1” int b 0x1
  • 17. Dissasembler Debugger IDA API IDA D.I.E Value Parsers Core Die DB __cdecl main (int argc, char **argv) proc near push 1 lea eax, ds:string ; “Str1” push eax call func_1 add esp, 8 lea eax, ds:string ; “Str1” push eax call unknown bool True
  • 18. Dissasembler Debugger IDA API IDA D.I.E Value Parsers Core Die DB ; int __cdecl unknown(int) proc near push ebp mov esp, ebp sub esp, 0C0h mov ebx, edx mov [ebp+var_4], ecx push esi xor esi, esi cmp ebx, esi jle loc_XXXXXX ret int 0x401234 “Str1”
  • 20. String Parser Uses idc.GetString to parse ASCII, Unicode, Pascal and other strings Returns TRUE for 0x1 and FALSE for 0x0. (Duh!) bool Parser Returns the referenced function name.function Parser Returns the referenced module name. module Parser RECON 2015 Simple Value Parsers Parsers
  • 21. ❖ Works on Windows systems with local debugger (currently). ❖ Uses DuplicateHandle() to duplicate the handle associated with the raw value from the current running process. ❖ Uses NtQueryObject() on the local handle to retrieve the handles details. ❖ Returns the handle name and type. RECON 2015 Advanced Parser - Handles Parsers
  • 22. ❖ Great example of an ad-hoc parser. ❖ Check if the value pointed by offset 4 of raw address is either a string or references a string. ❖ Also, make sure raw value is not a string. RECON 2015 Advanced Parser - STD String Parsers
  • 23. DEMO TIME “Demos, don't talk to me about demos…” -Marvin
  • 24. Your Orders: Assigned By: Agent M Target Application: ATEN Firmware Upgrade Utility Mission: Bypass password protection Quickly! RECON 2015 Bypass Password Protection Use Case 1 Watch The DEMO
  • 25. Your Orders: Assigned By: Agent M Target Application: 7zip cli (32-bit version) Mission: Get a complete code analysis Quickly! RECON 2015 Defeat C++ Code Use Case 2 Watch The DEMO
  • 26. Your Orders: Assigned By: Agent M Target Application: Explosive Trojan Mission: Find the string de-obfuscation function Quickly! RECON 2015 String De-Obfuscation Use Case 3 Watch The DEMO
  • 27. ❖ Thunk Functions ❖ Complex function parsers ❖ Better GUI ❖ (Much) Better DB ❖ Solve (very) dramatic crashes RECON 2015 #TODO TODO
  • 28. ❖ Yes. ❖ DIE is an open source tool. ❖ https://github.com/ynvb/DIE ❖ If you like it, contribute. RECON 2015 Looks cool, Can I have it? GITHUB
  • 29. SARK IDA Python Made Easy • Simple • Intuitive • Object Oriented API • Docs: sark.rtfd.org • Code: github.com/tmr232/sark • Written by Tamir Bahar @tmr232