This document discusses automated static deobfuscation in the context of reverse engineering. It describes challenges with deobfuscation like side effects, code blowup, and address mapping. It summarizes the authors' approach of translating obfuscated assembly to REIL and running algorithms on it. However, it notes limitations like inability to debug and side effects. It considers alternatives like effect comments, formula extraction, and a full compiler to better address problems but notes the significant work required.
Is Advanced Verification for FPGA based Logic neededchiportal
The document discusses the need for advanced verification in FPGA-based logic design. It argues that FPGAs have similar complexity issues as ASICs for high-quality applications. While FPGAs allow for reprogramming, current FPGA verification relies on manual testing and debugging which has long cycle times and lacks visibility into test quality. The document proposes a new coverage-driven verification methodology using constrained random testing to improve productivity, quality, and certification. It demonstrates this methodology and discusses how it can find more bugs than manual testing while being less expensive.
This document discusses return-oriented programming (ROP) techniques for exploiting systems with non-executable memory pages. It provides an overview of ROP, describes algorithms for automatically finding "gadgets" (snippets of code) within a binary that can be chained together to perform tasks, and introduces a ROP compiler called The Wolf that helps chain gadgets while accounting for side effects. The goal is to execute attacker-controlled code on systems with protections like code signing and sandboxing enabled.
Platform-independent static binary code analysis using a meta-assembly languagezynamics GmbH
This document describes a platform-independent static code analysis framework called MonoREIL that uses abstract interpretation. It introduces an intermediate representation called REIL that can be extracted from disassembled binary code. MonoREIL implements abstract interpretation over REIL code to perform analyses like register tracking and detecting negative array indexing without dependence on platform or source code. The framework is intended for offensive security purposes like binary analysis where source is unavailable.
This document discusses techniques for improving the performance of OCL query evaluation, including:
Fast OCL queries are achieved through direct OCL to Java code generation, eliminating run-time parsing costs.
Faster OCL queries use an OCL Virtual Machine with efficient dispatch tables to improve performance over code generation alone.
Super-fast queries enabled by declarative languages like EMF-IncQuery can optimize re-evaluation through incremental change processing, achieving performance far superior to typical Java implementations, especially for large models.
Scalable Product Line Configuration:
A Straw to Break the Camel’s Back
Abdel Salam Sayyad
Joseph Ingram
Tim Menzies
Hany Ammar
IEEE Automated SE,
Palo Alto, CA
Nov 2013
Teseda provides test systems and diagnostic software to help customers debug chips and analyze failures. Their V520 and V550 test systems can test up to 348 and 512 I/O pins respectively and generate test patterns. Teseda Workbench software allows users to import test patterns, execute tests, analyze failures, and map failing scan cells to the chip design. The Diagnostic Manager NetXY software further diagnoses scan failures by analyzing the chip design and test patterns to identify the likely location of faults. Teseda's solutions help reduce time to fix design and manufacturing issues.
Asynchronous programming is the one of most interesting technique for PHP. You can find a lot of interesting in this talk: one-way calls, threads, processes, signals.
Is Advanced Verification for FPGA based Logic neededchiportal
The document discusses the need for advanced verification in FPGA-based logic design. It argues that FPGAs have similar complexity issues as ASICs for high-quality applications. While FPGAs allow for reprogramming, current FPGA verification relies on manual testing and debugging which has long cycle times and lacks visibility into test quality. The document proposes a new coverage-driven verification methodology using constrained random testing to improve productivity, quality, and certification. It demonstrates this methodology and discusses how it can find more bugs than manual testing while being less expensive.
This document discusses return-oriented programming (ROP) techniques for exploiting systems with non-executable memory pages. It provides an overview of ROP, describes algorithms for automatically finding "gadgets" (snippets of code) within a binary that can be chained together to perform tasks, and introduces a ROP compiler called The Wolf that helps chain gadgets while accounting for side effects. The goal is to execute attacker-controlled code on systems with protections like code signing and sandboxing enabled.
Platform-independent static binary code analysis using a meta-assembly languagezynamics GmbH
This document describes a platform-independent static code analysis framework called MonoREIL that uses abstract interpretation. It introduces an intermediate representation called REIL that can be extracted from disassembled binary code. MonoREIL implements abstract interpretation over REIL code to perform analyses like register tracking and detecting negative array indexing without dependence on platform or source code. The framework is intended for offensive security purposes like binary analysis where source is unavailable.
This document discusses techniques for improving the performance of OCL query evaluation, including:
Fast OCL queries are achieved through direct OCL to Java code generation, eliminating run-time parsing costs.
Faster OCL queries use an OCL Virtual Machine with efficient dispatch tables to improve performance over code generation alone.
Super-fast queries enabled by declarative languages like EMF-IncQuery can optimize re-evaluation through incremental change processing, achieving performance far superior to typical Java implementations, especially for large models.
Scalable Product Line Configuration:
A Straw to Break the Camel’s Back
Abdel Salam Sayyad
Joseph Ingram
Tim Menzies
Hany Ammar
IEEE Automated SE,
Palo Alto, CA
Nov 2013
Teseda provides test systems and diagnostic software to help customers debug chips and analyze failures. Their V520 and V550 test systems can test up to 348 and 512 I/O pins respectively and generate test patterns. Teseda Workbench software allows users to import test patterns, execute tests, analyze failures, and map failing scan cells to the chip design. The Diagnostic Manager NetXY software further diagnoses scan failures by analyzing the chip design and test patterns to identify the likely location of faults. Teseda's solutions help reduce time to fix design and manufacturing issues.
Asynchronous programming is the one of most interesting technique for PHP. You can find a lot of interesting in this talk: one-way calls, threads, processes, signals.
Introduction to Aspect Oriented Programming (DDD South West 4.0)Yan Cui
Introduction to AOP talk at DDD SouthWest 4.0, including examples of AOP using dynamic proxies, functional programming, dynamic language and PostSharp.
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
Effective development of a finite-element solver at the UniversityRomain Boman
Keynote lecture presented at ICSAAM 2018 - The 8th International Conference on Structural Analysis of Advanced Materials
August 28-31, 2018 – Tarbes, France
https://icsaam2018.sciencesconf.org/
Software development is usually neglected by academic researchers in the field of computational solid mechanics. This lack of long-term strategy often leads to the loss of valuable numerical models and algorithms. In the first part of this talk, the key ideas behind the management of the source code of METAFOR, a nonlinear finite-element solver developed at the University of Liège, are presented in detail. The primary goal is to continuously integrate all the developments into a single application so that future projects can safely rely on the results from the past. The second part of the talk exhibits several applications of metal forming processes computed with METAFOR and based on the Arbitrary Lagrangian Eulerian formalism.
Build software like a bag of marbles, not a castle of LEGO®Hannes Lowette
If you have ever played with LEGO®, you will know that adding, removing or changing features of a completed castle isn’t as easy as it seems. You will have to deconstruct large parts to get to where you want to be, to build it all up again afterwards. Unfortunately, our software is often built the same way. Wouldn’t it be better if our software behaved like a bag of marbles? So you can just add, remove or replace them at will?
Most of us have taken different approaches to building software: a big monolith, a collection of services, a bus architecture, etc. But whatever your large scale architecture is, at the granular level (a single service or host), you will probably still end up with tightly couple code. Adding functionality means making changes to every layer, service or component involved. It gets even harder if you want to enable or disable features for certain deployments: you’ll need to wrap code in feature flags, write custom DB migration scripts, etc. There has to be a better way!
So what if you think of functionality as loose feature assemblies? We can construct our code in such a way that adding a feature is as simple as adding the assembly to your deployment, and removing it is done by just deleting the file. We would open the door for so many scenarios!
In this talk, I will explain how to tackle the following parts of your application to achieve this goal: WebAPI, Entity Framework, Onion Architecture, IoC and database migrations. And most of all, when you would want to do this. Because… ‘it depends’.
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...Anne Nicolas
The Coccinelle C-program matching and transformation tool was first released in 2008 to facilitate specification and automation in the evolution of Linux kernel code. The novel contribution of Coccinelle is to allow software developers to write code manipulation rules in terms of the code structure itself, via a generalization of the patch syntax. Over the years, Coccinelle has been extensively used in Linux kernel development, resulting in over 6000 commits to the Linux kernel, and has found its place as part of the Linux kernel development process. This talk will review the history of Coccinelle and its impact on the Linux kernel. It will also briefly present two newer tools, prequel and spinfer, that have built on the Coccinelle infrastructure.
Build software like a bag of marbles, not a castle of LEGO®Hannes Lowette
Hannes Lowette discusses how to structure software code like a bag of marbles rather than a LEGO castle. The document describes challenges faced with a tightly coupled codebase and how adopting an onion architecture approach using plugins allowed for more modular and maintainable code. Key points include defining clean dependencies and interfaces, making core business logic decoupled and testable, and enabling new features to be added and removed through plugins without polluting the core codebase.
Introduction to Aspect Oriented Programming by Donald Belcham.NET Conf UY
Aspect-oriented programming (AOP) is a programming paradigm that aims to increase modularity by allowing separation of cross-cutting concerns. It does this through aspects, which can encapsulate code that implements a cross-cutting concern and be attached to other code to augment its behavior. There are two main AOP styles - interception, which modifies code execution at runtime through decorators, and IL weaving, which modifies the code during compilation. Both allow aspects to be cleanly separated from core concerns and attached to any code construct.
Aspect-oriented programming (AOP) is a programming paradigm that aims to increase modularity by allowing separation of cross-cutting concerns. It does this through aspects, which can encapsulate code that implements a cross-cutting concern and attach it to other code, known as join points. There are two main AOP styles - interception, which modifies code execution at runtime through decorators, and IL weaving, which modifies the code during compilation. Both allow clean separation of concerns while maintaining full debuggability.
H.264, also known as MPEG-4 Part 10 or AVC, is a video compression standard that provides significantly better compression than previous standards such as MPEG-2. It achieves this through spatial and temporal redundancy reduction techniques including intra-frame prediction, inter-frame prediction, and entropy coding. Motion estimation, which finds motion vectors between frames to enable inter-frame prediction, is the most computationally intensive part of H.264 encoding. Previous GPU implementations of H.264 motion estimation have sacrificed quality for parallelism or have not fully addressed dependencies between blocks. This document proposes a pyramid motion estimation approach on GPU that can better address dependencies while maintaining quality.
When Node.js Goes Wrong: Debugging Node in Production
The event-oriented approach underlying Node.js enables significant concurrency using a deceptively simple programming model, which has been an important factor in Node's growing popularity for building large scale web services. But what happens when these programs go sideways? Even in the best cases, when such issues are fatal, developers have historically been left with just a stack trace. Subtler issues, including latency spikes (which are just as bad as correctness bugs in the real-time domain where Node is especially popular) and other buggy behavior often leave even fewer clues to aid understanding. In this talk, we will discuss the issues we encountered in debugging Node.js in production, focusing upon the seemingly intractable challenge of extracting runtime state from the black hole that is a modern JIT'd VM.
We will describe the tools we've developed for examining this state, which operate on running programs (via DTrace), as well as VM core dumps (via a postmortem debugger). Finally, we will describe several nasty bugs we encountered in our own production environment: we were unable to understand these using existing tools, but we successfully root-caused them using these new found abilities to introspect the JavaScript VM.
Compilers have been improving programmer productivity ever since IBM produced the first FORTRAN compiler in 1957. Today, we mostly take them for granted but even after more than 60 years, compiler researchers and practitioners continue to push the boundaries for what compilers can achieve as well as how easy it is to leverage the sophisticated code bases that encapsulate those six decades of learning in this field. In this talk, I want to highlight how industry trends like the migration to cloud infrastructures and data centers as well as the rise of flexibly licensed open source projects like LLVM and Eclipse OMR are paving the way towards even more effective and powerful compilation infrastructures than have ever existed: compilers with the opportunity to contribute to programmer productivity in even more ways than simply better hardware instruction sequences, and with simpler APIs so they can be readily used in scenarios where even today's most amazing Just In Time compilers are not really practical.
Applications of the Reverse Engineering Language REILzynamics GmbH
1) REIL is a platform-independent intermediate language designed for reverse engineering. It has a small instruction set and simple operand types to simplify analysis.
2) Applications of REIL include register tracking to follow data flow, index underflow detection to find bugs, automated deobfuscation to make code more readable, and ROP gadget generation to create return-oriented shellcode.
3) Future work includes developing BinAudit with more vulnerability research algorithms and type reconstruction to determine higher-level data types in registers.
Developers spend up to 20% of their time writing repetitive code that machines could generate more reliably. This presentation explores the problem of duplicated source code that stems from manual implementation of patterns and reveals how to automate the boring side of programming and get a 19x ROI.
The presentation provides insight into:
- the problem of manual implementation of patterns, resulting in boilerplate code
- the cost of boilerplate for companies
- existing technologies for pattern automation
- the key reasons to consider pattern-aware compiler extensions
The white paper was written for CTOs, software architects and senior developers in software-driven organizations—specifically in financial, insurance, healthcare, energy and IT industries that typically write a lot of repetitive code.
The document introduces aspect-oriented programming (AOP), which aims to increase modularity by allowing separation of cross-cutting concerns. It is not a programming language, solution to all problems, or replacement for object-oriented programming, but rather a programming pattern and tool. Aspects in AOP can exist encapsulated and be attached to code constructs. Cross-cutting concerns are aspects of a program that affect other concerns and are difficult to separate cleanly. AOP uses interception or IL weaving to inject execution of concerns. The document discusses AOP styles, constructs, tools, arguments against it, and considerations for new and existing projects.
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
Patching Windows Executives with the Backdoor Factory is a presentation about binary patching techniques. It discusses the history of patching, how key generators and Metasploit patch binaries, and how the author learned to manually patch binaries. The presentation then introduces the Backdoor Factory tool, which can automatically patch Windows binaries by injecting shellcode into code caves. It demonstrates patching via code cave insertion, single cave jumps, and cave jumping. Mitigations like self-validation and antivirus are discussed.
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...frank2
Binary obfuscation is a mysterious ritual employed by malware authors and software vendors alike that no one really seems to talk about. It's almost like a secret society. Interestingly, you don't have to write a program to obfuscate the binary-- you can also write high-level code that obfuscates at compile-time, rather than afterward.
Pipiot - the double-architecture shellcode constructorMoshe Zioni
The document describes a method called PIPIOT for creating a polyglot shellcode that works on both x86 and ARM architectures. PIPIOT stands for "Double-Edged" in old Hebrew. It works by finding a "Magic Block" sequence of bytes that functions as a no-op-like instruction on one architecture and a relative jump on the other. The document outlines the step-by-step process for deriving such a Magic Block, focusing on constraints from both x86 and ARM instruction sets. It results in a 4-byte Magic Block that performs an XOR on an ARM register to create a reversible operation, and a short relative jump on x86. This Magic Block can be repeated to combine x
Multicore processors are becoming prevalent due to the limitations of increasing single core clock speeds. This presents challenges for software to effectively utilize multiple cores. Functional programming is one option that avoids shared state and parallel access issues, but requires a significant mindset shift. Refactoring existing code using tools is another option to incrementally introduce parallelism. Hybrid approaches combining paradigms may also help transition. Key application areas currently benefiting include servers, scientific computing, and packet processing. However, significant existing code is not easily parallelized and performance gains have yet to be fully realized.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
Automated Mobile Malware Classificationzynamics GmbH
This document discusses developing an automated system called VxClass for classifying mobile malware. It summarizes the current state of mobile malware, the problem of variant detection, and proposes using program comparison tools to analyze malware variants at scale. The system would allow users to upload files to check against a malware database, identify variants, and optionally share samples. Pricing models and a roadmap are proposed to adapt the system to emerging mobile platforms and file types.
VxClass is a malware classification tool that analyzes binary code samples through structural comparison rather than byte-by-byte matching. It automatically unpacks samples using emulation, extracts structural information, compares samples to known malware families, and stores results in a database for correlation and visualization. This allows unknown samples to be categorized even if they were obtained or obfuscated differently, aiding incident response and malware analysis.
More Related Content
Similar to Automated static deobfuscation in the context of Reverse Engineering
Introduction to Aspect Oriented Programming (DDD South West 4.0)Yan Cui
Introduction to AOP talk at DDD SouthWest 4.0, including examples of AOP using dynamic proxies, functional programming, dynamic language and PostSharp.
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
Effective development of a finite-element solver at the UniversityRomain Boman
Keynote lecture presented at ICSAAM 2018 - The 8th International Conference on Structural Analysis of Advanced Materials
August 28-31, 2018 – Tarbes, France
https://icsaam2018.sciencesconf.org/
Software development is usually neglected by academic researchers in the field of computational solid mechanics. This lack of long-term strategy often leads to the loss of valuable numerical models and algorithms. In the first part of this talk, the key ideas behind the management of the source code of METAFOR, a nonlinear finite-element solver developed at the University of Liège, are presented in detail. The primary goal is to continuously integrate all the developments into a single application so that future projects can safely rely on the results from the past. The second part of the talk exhibits several applications of metal forming processes computed with METAFOR and based on the Arbitrary Lagrangian Eulerian formalism.
Build software like a bag of marbles, not a castle of LEGO®Hannes Lowette
If you have ever played with LEGO®, you will know that adding, removing or changing features of a completed castle isn’t as easy as it seems. You will have to deconstruct large parts to get to where you want to be, to build it all up again afterwards. Unfortunately, our software is often built the same way. Wouldn’t it be better if our software behaved like a bag of marbles? So you can just add, remove or replace them at will?
Most of us have taken different approaches to building software: a big monolith, a collection of services, a bus architecture, etc. But whatever your large scale architecture is, at the granular level (a single service or host), you will probably still end up with tightly couple code. Adding functionality means making changes to every layer, service or component involved. It gets even harder if you want to enable or disable features for certain deployments: you’ll need to wrap code in feature flags, write custom DB migration scripts, etc. There has to be a better way!
So what if you think of functionality as loose feature assemblies? We can construct our code in such a way that adding a feature is as simple as adding the assembly to your deployment, and removing it is done by just deleting the file. We would open the door for so many scenarios!
In this talk, I will explain how to tackle the following parts of your application to achieve this goal: WebAPI, Entity Framework, Onion Architecture, IoC and database migrations. And most of all, when you would want to do this. Because… ‘it depends’.
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...Anne Nicolas
The Coccinelle C-program matching and transformation tool was first released in 2008 to facilitate specification and automation in the evolution of Linux kernel code. The novel contribution of Coccinelle is to allow software developers to write code manipulation rules in terms of the code structure itself, via a generalization of the patch syntax. Over the years, Coccinelle has been extensively used in Linux kernel development, resulting in over 6000 commits to the Linux kernel, and has found its place as part of the Linux kernel development process. This talk will review the history of Coccinelle and its impact on the Linux kernel. It will also briefly present two newer tools, prequel and spinfer, that have built on the Coccinelle infrastructure.
Build software like a bag of marbles, not a castle of LEGO®Hannes Lowette
Hannes Lowette discusses how to structure software code like a bag of marbles rather than a LEGO castle. The document describes challenges faced with a tightly coupled codebase and how adopting an onion architecture approach using plugins allowed for more modular and maintainable code. Key points include defining clean dependencies and interfaces, making core business logic decoupled and testable, and enabling new features to be added and removed through plugins without polluting the core codebase.
Introduction to Aspect Oriented Programming by Donald Belcham.NET Conf UY
Aspect-oriented programming (AOP) is a programming paradigm that aims to increase modularity by allowing separation of cross-cutting concerns. It does this through aspects, which can encapsulate code that implements a cross-cutting concern and be attached to other code to augment its behavior. There are two main AOP styles - interception, which modifies code execution at runtime through decorators, and IL weaving, which modifies the code during compilation. Both allow aspects to be cleanly separated from core concerns and attached to any code construct.
Aspect-oriented programming (AOP) is a programming paradigm that aims to increase modularity by allowing separation of cross-cutting concerns. It does this through aspects, which can encapsulate code that implements a cross-cutting concern and attach it to other code, known as join points. There are two main AOP styles - interception, which modifies code execution at runtime through decorators, and IL weaving, which modifies the code during compilation. Both allow clean separation of concerns while maintaining full debuggability.
H.264, also known as MPEG-4 Part 10 or AVC, is a video compression standard that provides significantly better compression than previous standards such as MPEG-2. It achieves this through spatial and temporal redundancy reduction techniques including intra-frame prediction, inter-frame prediction, and entropy coding. Motion estimation, which finds motion vectors between frames to enable inter-frame prediction, is the most computationally intensive part of H.264 encoding. Previous GPU implementations of H.264 motion estimation have sacrificed quality for parallelism or have not fully addressed dependencies between blocks. This document proposes a pyramid motion estimation approach on GPU that can better address dependencies while maintaining quality.
When Node.js Goes Wrong: Debugging Node in Production
The event-oriented approach underlying Node.js enables significant concurrency using a deceptively simple programming model, which has been an important factor in Node's growing popularity for building large scale web services. But what happens when these programs go sideways? Even in the best cases, when such issues are fatal, developers have historically been left with just a stack trace. Subtler issues, including latency spikes (which are just as bad as correctness bugs in the real-time domain where Node is especially popular) and other buggy behavior often leave even fewer clues to aid understanding. In this talk, we will discuss the issues we encountered in debugging Node.js in production, focusing upon the seemingly intractable challenge of extracting runtime state from the black hole that is a modern JIT'd VM.
We will describe the tools we've developed for examining this state, which operate on running programs (via DTrace), as well as VM core dumps (via a postmortem debugger). Finally, we will describe several nasty bugs we encountered in our own production environment: we were unable to understand these using existing tools, but we successfully root-caused them using these new found abilities to introspect the JavaScript VM.
Compilers have been improving programmer productivity ever since IBM produced the first FORTRAN compiler in 1957. Today, we mostly take them for granted but even after more than 60 years, compiler researchers and practitioners continue to push the boundaries for what compilers can achieve as well as how easy it is to leverage the sophisticated code bases that encapsulate those six decades of learning in this field. In this talk, I want to highlight how industry trends like the migration to cloud infrastructures and data centers as well as the rise of flexibly licensed open source projects like LLVM and Eclipse OMR are paving the way towards even more effective and powerful compilation infrastructures than have ever existed: compilers with the opportunity to contribute to programmer productivity in even more ways than simply better hardware instruction sequences, and with simpler APIs so they can be readily used in scenarios where even today's most amazing Just In Time compilers are not really practical.
Applications of the Reverse Engineering Language REILzynamics GmbH
1) REIL is a platform-independent intermediate language designed for reverse engineering. It has a small instruction set and simple operand types to simplify analysis.
2) Applications of REIL include register tracking to follow data flow, index underflow detection to find bugs, automated deobfuscation to make code more readable, and ROP gadget generation to create return-oriented shellcode.
3) Future work includes developing BinAudit with more vulnerability research algorithms and type reconstruction to determine higher-level data types in registers.
Developers spend up to 20% of their time writing repetitive code that machines could generate more reliably. This presentation explores the problem of duplicated source code that stems from manual implementation of patterns and reveals how to automate the boring side of programming and get a 19x ROI.
The presentation provides insight into:
- the problem of manual implementation of patterns, resulting in boilerplate code
- the cost of boilerplate for companies
- existing technologies for pattern automation
- the key reasons to consider pattern-aware compiler extensions
The white paper was written for CTOs, software architects and senior developers in software-driven organizations—specifically in financial, insurance, healthcare, energy and IT industries that typically write a lot of repetitive code.
The document introduces aspect-oriented programming (AOP), which aims to increase modularity by allowing separation of cross-cutting concerns. It is not a programming language, solution to all problems, or replacement for object-oriented programming, but rather a programming pattern and tool. Aspects in AOP can exist encapsulated and be attached to code constructs. Cross-cutting concerns are aspects of a program that affect other concerns and are difficult to separate cleanly. AOP uses interception or IL weaving to inject execution of concerns. The document discusses AOP styles, constructs, tools, arguments against it, and considerations for new and existing projects.
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
Patching Windows Executives with the Backdoor Factory is a presentation about binary patching techniques. It discusses the history of patching, how key generators and Metasploit patch binaries, and how the author learned to manually patch binaries. The presentation then introduces the Backdoor Factory tool, which can automatically patch Windows binaries by injecting shellcode into code caves. It demonstrates patching via code cave insertion, single cave jumps, and cave jumping. Mitigations like self-validation and antivirus are discussed.
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...frank2
Binary obfuscation is a mysterious ritual employed by malware authors and software vendors alike that no one really seems to talk about. It's almost like a secret society. Interestingly, you don't have to write a program to obfuscate the binary-- you can also write high-level code that obfuscates at compile-time, rather than afterward.
Pipiot - the double-architecture shellcode constructorMoshe Zioni
The document describes a method called PIPIOT for creating a polyglot shellcode that works on both x86 and ARM architectures. PIPIOT stands for "Double-Edged" in old Hebrew. It works by finding a "Magic Block" sequence of bytes that functions as a no-op-like instruction on one architecture and a relative jump on the other. The document outlines the step-by-step process for deriving such a Magic Block, focusing on constraints from both x86 and ARM instruction sets. It results in a 4-byte Magic Block that performs an XOR on an ARM register to create a reversible operation, and a short relative jump on x86. This Magic Block can be repeated to combine x
Multicore processors are becoming prevalent due to the limitations of increasing single core clock speeds. This presents challenges for software to effectively utilize multiple cores. Functional programming is one option that avoids shared state and parallel access issues, but requires a significant mindset shift. Refactoring existing code using tools is another option to incrementally introduce parallelism. Hybrid approaches combining paradigms may also help transition. Key application areas currently benefiting include servers, scientific computing, and packet processing. However, significant existing code is not easily parallelized and performance gains have yet to be fully realized.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
Similar to Automated static deobfuscation in the context of Reverse Engineering (20)
Automated Mobile Malware Classificationzynamics GmbH
This document discusses developing an automated system called VxClass for classifying mobile malware. It summarizes the current state of mobile malware, the problem of variant detection, and proposes using program comparison tools to analyze malware variants at scale. The system would allow users to upload files to check against a malware database, identify variants, and optionally share samples. Pricing models and a roadmap are proposed to adapt the system to emerging mobile platforms and file types.
VxClass is a malware classification tool that analyzes binary code samples through structural comparison rather than byte-by-byte matching. It automatically unpacks samples using emulation, extracts structural information, compares samples to known malware families, and stores results in a database for correlation and visualization. This allows unknown samples to be categorized even if they were obtained or obfuscated differently, aiding incident response and malware analysis.
The document describes the Reverse Engineering Intermediate Language (REIL), which aims to provide a simple, platform-independent intermediate representation for binary code analysis. REIL uses a small set of instructions that can be easily translated from various processor architectures into a common format. This allows analyses like register tracking to be implemented using the same algorithms regardless of the original platform. REIL is implemented using a technique called MonoREIL that models the program as a graph and solves it using a lattice-based dataflow analysis approach. This enables powerful analyses to be built from the common REIL representation.
The document summarizes post-exploitation techniques on OSX and iPhone. It describes a technique called "userland-exec" that allows executing applications on OSX without using the kernel. This technique was adapted to work on jailbroken iPhones by injecting a non-signed library and hijacking the dynamic linker (dlopen) to map and link the library. With some additional patches, the authors were able to load an arbitrary non-signed library into the address space of a process on factory iPhones, representing the first reliable way to execute payloads on these devices despite code signing protections.
This document outlines a technique for executing arbitrary binaries in memory on a Mac OS X machine by defeating address space layout randomization (ASLR). It discusses:
1. The structure of Mach-O files and how binaries are executed by the kernel and dynamic linker in Mac OS X.
2. A proposed attack that embeds a shellcode and crafted stack in a binary to impersonate the kernel and load a new binary into memory.
3. How ASLR works in Mac OS X Leopard and a method to retrieve the base address of the libSystem library to adjust symbol addresses and defeat ASLR, enhancing the attack.
4. A demonstration of the technique executing Nmap and Safari
Automated static deobfuscation in the context of Reverse Engineering
1. Automated static deobfuscation in
the context of Reverse Engineering
Sebastian Porst (sebastian.porst@zynamics.com)
Christian Ketterer (cketti@gmail.com)
2. Sebastian Christian
• zynamics GmbH • Student
• Lead Developer • University of Karlsruhe
– BinNavi • Deobfuscation
– REIL/MonoREIL
4. Motivation
• Combat common obfuscation
techniques
• Can it be done?
• Will it produce useful results?
• Can it be integrated into our
technology stack?
6. Our Deobfuscation Approach
I. Copy ancient algorithms
from compiler theory books
II. Translate obfuscated
assembly code to REIL
III. Run algorithms on REIL code
IV. Profit (?)
7. We‘re late in the game ...
199X 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
U of Auckland
U of Wisc + zynamics
F. Perriot
TU Munich
Mathur
U of Ghent
M. Mohammed
Mathur
Christodorescu
(see end of this presentation for proper source references)
Bruschi
9. REIL
• Reverse Engineering Intermediate Language
• Specifically designed for Reverse Engineering
• Design Goal: As simple as possible, but not
simpler
• In use since 2007
10. Uses of REIL
Register Tracking: Helps Reverse Engineers follow data flow through code
(Never officially presented)
Index Underflow Detection: Automatically find negative array accesses
(CanSecWest 2009, Vancouver)
Automated Deobfuscation: Make obfuscated code more readable
(SOURCE Barcelona 2009, Barcelona)
ROP Gadget Generator: Automatically generates return-oriented shellcode
(Work in progress; scheduled for Q1/2010)
11. The REIL Instruction Set
Arithmetical Bitwise Data Transfer Logical Other
ADD AND STR BISZ NOP
SUB OR LDM JCC UNDEF
MUL XOR STM UNKN
DIV
MOD
BSH
12.
13. Why REIL?
• Simplifies input code
• Makes effects obvious
• Makes algorithms platform-independent
14. MonoREIL
• Monotone Framework for REIL
• Based on Abstract Interpretation
• Used to write static code analysis algorithms
http://www.flickr.com/photos/wedrrc/3586908193/
15. Why MonoREIL?
• In General: Makes complicated algorithms
simple (trade brain effort for runtime)
• Deobfuscator: Wrong choice really, but we
wanted more real-life test cases for MonoREIL
16. Building the Deobfuscator
• Java
• BinNavi Plugin
• REIL + MonoREIL
http://www.flickr.com/photos/mattimattila/3602654187/
17. Block Merging
• Long chains of basic blocks ending with
unconditional jumps
• Confusing to follow in text-based
disassemblers
• Advantage of higher abstraction level in
BinNavi
– Block merging is purely cosmetic
21. Dead Branch Elimination
• Removes branches that are never executed
– Turns conditional jumps into unconditional jumps
– Removes code from unreachable branch
• Requires constant propagation/folding
23. Dead Code Elimination
• Removes code that computes unused values
• Gets rid of inserted garbage code
• Cleans up after constant propagation/folding
25. Dead Store Elimination
• Comparable to dead code elimination
• Removes useless memory write accesses
• Limited to stack access in our implementation
• Only platform-specific part of our optimizer
29. Problem: Side effects
push 10
mov eax, 10
pop eax
Removed code was used
• in a CRC32 integrity check
• as key of a decryption routine
• as part of an anti-debug check
• ...
30. Problem: Code Blowup
mov eax, 10 mov eax, 20
add eax, 10 clc
...
Good luck setting
• AF
• CF
• OF
• PF
• ZF
31. Problem: Moving addresses
0000: jmp ecx
0000: jmp ecx
0002: push 10
0002: mov eax, 10
0003: pop eax
ecx is 0003 but we just missed the
static analysis pop instruction
can not know this
32. Problem: Inability to debug
mov eax, 10
Executable Input File Deobfuscated list of
Instructions but no
executable file
33. The only way to solve all* problems:
A full-blown native
code compiler with an
integrated optimizer
Too much work, maybe we can approximate ...
* except for the side-effects issue
35. Only generate optimized REIL code
• Produces excellent input for • Side effects problem remains
other analysis algorithms • Pretty much unreadable for
• Code blow-up solved human reverse engineers
• Keeps address/instruction
mapping
• Code can not be debugged
natively but interpreted
37. Effect comments
• Results can easily be used by • Side effects problem remains
human reverse engineers • Address mapping problem
• Code blow-up solved • Code can not be debugged
• Comments have semantic
meaning
39. Extract formulas from code
• Results can easily be used by • Not really deobfuscation (but
human reverse engineers produces similar result?)
• No code generation necessary,
only extraction of semantic
information
• Solves all problems because
original program remains
unchanged
41. Implement a small pseudo-compiler
• This is what we did • Side effects problem remains
• Closest thing to the real deal • Address mapping problem
• Code blow-up is solved remains
• Partially • Why not go for a complete
• Natively debug the output compiler?
• not in our case
• pseudo x86 instructions
42. Economic value in creating a complete
optimizing compiler for RE?
Not for us
• Small company
• Limited market
• Wrong approach?
43. Alternative Approaches
• Deobfuscator built into disassembler
• REIL-based formula extraction
• Hex-Rays Decompiler
• Code optimization and generation based on
LLVM
• Emulation / Dynamic deobfuscation
44. Conclusion
• The concept of static deobfuscation is sound
– Except for things like side-effects, SMC, ...
• A lot of work
• Expression reconstruction might be much
easier and still produce comparable results
45. Related work
• A taxonomy of obfuscating transformations
• Defeating polymorphism through code
optimization
• Code Normalization for Self-Mutating Malware
• Software transformations to improve malware
detection
• Zeroing in on Metamorphic Computer Viruses
• ...