Windows Defender's antivirus emulator was reverse engineered to better understand its behavior analysis techniques. The author analyzed the emulation process, which loads potentially malicious binaries into a virtual environment to observe runtime behavior. Key components like the CPU emulator and virtual filesystem were reversed. The author also developed tools to interact with and instrument the emulator. This exposed internal Defender functions and allowed fuzzing of the emulator's API implementations to search for vulnerabilities. The research provided insight into Defender's emulation-based behavior detection approach.
Automatic Exploit Generation (AEG) aims to automatically find vulnerabilities and generate exploits by analyzing source code through a series of steps:
1. It pre-processes source code to generate intermediate representations for binary and source code analysis.
2. It performs source code analysis to determine the maximum size of symbolic data.
3. It uses symbolic execution guided by an "unsafe path predicate" to find bugs in the source code and collect related information.
4. It performs dynamic binary analysis to gather runtime information needed for exploit generation.
5. It generates an "exploit predicate" using the collected information to hijack program control flow and execute shellcode.
6. It verifies whether the generated
- MAYHEM is a system for automatically generating exploits by combining concrete and symbolic execution. It aims to maximize the amount of work done while minimizing wasted effort.
- It uses a hybrid execution approach where it concurrently runs a concrete executor client and symbolic executor server. The client explores new paths while the server performs symbolic analysis.
- A key challenge is handling symbolic memory addresses, which MAYHEM addresses through techniques like value set analysis to bound possible addresses and index search trees to efficiently search the memory state space.
This document summarizes a research paper that presents FIRMADYNE, an automated dynamic analysis system for analyzing Linux-based embedded firmware. FIRMADYNE extracts firmware filesystems, emulates the firmware using QEMU, and performs dynamic analysis by hooking system calls, testing for vulnerabilities, and crawling accessible webpages. The researchers applied FIRMADYNE to a dataset of firmware images from 42 vendors and found that emulation enabled discovery of vulnerabilities, with original equipment manufacturers having the most.
This document discusses binary exploitation techniques, specifically buffer overflows. It begins with an overview of program memory sections like the stack, heap, data, and text. It then covers security options like RELRO, stack canaries, and ASLR that aim to prevent exploits. Finally, it dives into buffer overflows, explaining how overflowing a buffer can overwrite the return address on the stack to redirect program flow and potentially execute shellcode to get remote code execution. The goal of "pwn" techniques is to leverage program vulnerabilities to gain control of the target system.
This document summarizes a zero-day attack on the TP-Link SR20 router. It describes how the router runs an unauthenticated debugging protocol (TDDP version 1) that allows downloading files from TFTP if the second byte of a packet is 0x31, enabling arbitrary code execution. The document discusses initial reverse engineering efforts, including identifying the "tddp" file using binwalk and analyzing its functions in Ghidra to understand how it handles network packets and triggers the vulnerable configuration function.
Penetration testing introduction for beginners.
It only contains a little web pen-testing.
(This is my first lesson teaching others about security!)
This is an introductory penetration testing course I taught at National Chung Cheng University. It mainly covers beginner-level knowledge and nothing too deep, so it is well suited for security enthusiasts who are just starting out.
(This is my first time giving an on-campus course about security, so if anything is wrong please let me know. Thank you!)
More from Redhung @ National Chung Cheng University, Chiayi, Taiwan.