The CR4 register is not available in memory analysis. However, there are other clues that can indicate if PAE is enabled without direct access to CPU registers:
1. Check the MmPaeEnabled variable in the kernel's MM module. If this is set to 1, then PAE is enabled.
2. Examine the page directory pointer table (PDPT). In PAE mode, this table will have 4 entries instead of 2 in non-PAE mode.
3. Check the size of the page directory tables (PDTs). In PAE these will be larger (4KB instead of 2KB) to accommodate the extra level of address translation.
4. Try translating virtual addresses
Magic Clusters and Where to Find Them - Eugene PirogovElixir Club
The talk focuses on Erlang & Elixir facilities for distributed computing.
We'll explore how to build clusters and look at how testing a clustered setup might looks like. We'll create a Mnesia cluster and will talk about CAP theorem. We'll answer the questions of what distributed computing is for, and what Erlang has to offer with regards to balancing the load between the nodes in a cluster.
Experience this and much more in the "Magic Clusters and Where to Find Them" talk!
Elixir Meetup 4 Lviv
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
In recent time we see a large spike of complex threats with elaborate object-oriented architecture among which the most notorious examples are: Stuxnet, Flamer, Duqu.
The approaches to analysis of such malware are rather distinct compared to the malware developed using procedural programming languages.
This presentation will take an in-depth look at challenges related to reversing object-oriented code with respect to modern malware and demonstrate approaches and tools employed for reversing object-oriented code.
The art of reverse engineering flash exploitsPriyanka Aash
"Adobe Flash is one of the battlegrounds of exploit and mitigation methods. As most of the Flash exploits demonstrate native memory layer exploit technique, it is valuable to understand the memory layout and behavior of Adobe Flash Player. We developed fine-grained debugging tactics to observe memory exploit technique and the way to interpret them effectively. This eventually helps defenders to understand new exploit techniques that are used for current targets quickly. This information is also valuable in deciding which area should defenders focus on for mitigation and code fixes. Adobe Flash Player was one of the major attack targets in 2015. We observed at least 17 effective zero-days or 1-day attacks in the wild. Flash is not just used by exploit kits like Angler, it has also been commonly used for advanced persistent threat (APT) attacks. The bug class ranges from simple heap overflows, uninitialized memory to type confusion and use-after-free. At Microsoft, understanding exploits in-the-wild is a continuous process. Flash exploit is one of the hardest to reverse-engineer. It often involves multi-layer obfuscation, and by default, is highly obfuscated and has non-decompilable codes. The challenge with Flash exploit comes from the lack of tools for static and dynamic analysis. Exploits are written with ActionScript programming language and obfuscated in bytecode level using commercial-grade obfuscation tools. Understanding highly obfuscated logic and non-decompilable AVM bytecode is a big challenge. Especially, the lack of usable debuggers for Flash file itself is a huge hurdle for exploit reverse engineers. It is just like debugging PE binaries without using Windbg or Olly debugger. The ability of the researcher is highly limited.
With this presentation, I want to deliver two things: 1. The tactics and debugging technique that can be used to reverse engineer exploits. This includes using existing toolsets and combining them in an effective way. 2. The detailed exploit code reverse engineering examples that can help you understand what's the current and past status of attack and mitigation war. You might have heard of Vector corruption, ByteArray corruption and other JIT manipulation technique. Technical details will be discussed on how the exploits are using these and how the vendor defended against these."
(Source: Black Hat USA 2016, Las Vegas)
Magic Clusters and Where to Find Them - Eugene PirogovElixir Club
The talk focuses on Erlang & Elixir facilities for distributed computing.
We'll explore how to build clusters and look at how testing a clustered setup might looks like. We'll create a Mnesia cluster and will talk about CAP theorem. We'll answer the questions of what distributed computing is for, and what Erlang has to offer with regards to balancing the load between the nodes in a cluster.
Experience this and much more in the "Magic Clusters and Where to Find Them" talk!
Elixir Meetup 4 Lviv
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
In recent time we see a large spike of complex threats with elaborate object-oriented architecture among which the most notorious examples are: Stuxnet, Flamer, Duqu.
The approaches to analysis of such malware are rather distinct compared to the malware developed using procedural programming languages.
This presentation will take an in-depth look at challenges related to reversing object-oriented code with respect to modern malware and demonstrate approaches and tools employed for reversing object-oriented code.
The art of reverse engineering flash exploitsPriyanka Aash
"Adobe Flash is one of the battlegrounds of exploit and mitigation methods. As most of the Flash exploits demonstrate native memory layer exploit technique, it is valuable to understand the memory layout and behavior of Adobe Flash Player. We developed fine-grained debugging tactics to observe memory exploit technique and the way to interpret them effectively. This eventually helps defenders to understand new exploit techniques that are used for current targets quickly. This information is also valuable in deciding which area should defenders focus on for mitigation and code fixes. Adobe Flash Player was one of the major attack targets in 2015. We observed at least 17 effective zero-days or 1-day attacks in the wild. Flash is not just used by exploit kits like Angler, it has also been commonly used for advanced persistent threat (APT) attacks. The bug class ranges from simple heap overflows, uninitialized memory to type confusion and use-after-free. At Microsoft, understanding exploits in-the-wild is a continuous process. Flash exploit is one of the hardest to reverse-engineer. It often involves multi-layer obfuscation, and by default, is highly obfuscated and has non-decompilable codes. The challenge with Flash exploit comes from the lack of tools for static and dynamic analysis. Exploits are written with ActionScript programming language and obfuscated in bytecode level using commercial-grade obfuscation tools. Understanding highly obfuscated logic and non-decompilable AVM bytecode is a big challenge. Especially, the lack of usable debuggers for Flash file itself is a huge hurdle for exploit reverse engineers. It is just like debugging PE binaries without using Windbg or Olly debugger. The ability of the researcher is highly limited.
With this presentation, I want to deliver two things: 1. The tactics and debugging technique that can be used to reverse engineer exploits. This includes using existing toolsets and combining them in an effective way. 2. The detailed exploit code reverse engineering examples that can help you understand what's the current and past status of attack and mitigation war. You might have heard of Vector corruption, ByteArray corruption and other JIT manipulation technique. Technical details will be discussed on how the exploits are using these and how the vendor defended against these."
(Source: Black Hat USA 2016, Las Vegas)
How to find out production issues? Where to look for errors when application crashes in live environment? How to Visual Studio 2010 for replicating post mortem scenarios in difficult to reproduce errors? Using Source server, PDB symbols in old fashioned way for new age WCF services.
Azul Virtual Machine Engineer Douglas Hawkins describes how decisions made by the JVM affect how your code is compiled and run. Learn how this affects application performance and what steps you can take to optimize how the JVM acts on your code.
[HES2013] Nifty stuff that you can still do with android by Xavier MartinHackito Ergo Sum
Fact: It is generally assumed that reverse engineering of Android applications is much easier than on other architectures. Static program analysis is the way to go.You can go back and forth between application and bytecode assembly without much hassle.
Reality: Few techniques are willing to make their comeback on this platform, namely dynamically code loading and self modifying code : bringing the fun back ! Source code examples will be shown, with step by step explanation.
https://www.hackitoergosum.org
At first glance, Java byte code can appear to be some low level magic that is both hard to understand and effectively irrelevant to application developers. However, neither is true. With only little practice, Java byte code becomes easy to read and can give true insights into the functioning of a Java program. In this talk, we will cast light on compiled Java code and its interplay with the Java virtual machine. In the process, we will look into the evolution of byte code over the recent major releases with features such as dynamic method invocation which is the basis to Java 8 lambda expressions. Finally, we will learn about tools for the run time generation of Java classes and how these tools are used to build modern frameworks and libraries. Among those tools, I present Byte Buddy, an open source tool of my own efforts and an attempt to considerably simplify run time code generation in Java.
Distributed systems
1.Write a program for implementing Client Server communication model.
2.Write a program to show the object communication using RMI.
3.Show the implementation of Remote Procedure Call.
4.Show the implementation of web services.
5.Write a program to execute any one mutual exclusion algorithm.
6.Write a program to implement any one election algorithm
7.Show the implementation of any one clock synchronization algorithm.
8.Write a program to implement two phase commit protocol
New to MongoDB? This talk will introduce the philosophy and features of MongoDB. We’ll discuss the benefits of the document-based data model that MongoDB offers by walking through how one can build a simple app. We’ll cover inserting, updating, and querying the database of books. This session will jumpstart your knowledge of MongoDB development, providing you with context for the rest of the day's content.
This talk was given in ilJUG on the 29th of July 2014 and discusses the new Java8 StampedLock class. It compares it to different locking mechanism is Java and shows some insights deduced from a simple benchmark
Threads, Queues, and More: Async Programming in iOSTechWell
To keep your iOS app running butter-smooth at 60 frames per second, Apple recommends doing as many tasks as possible asynchronously or “off the main thread.” Joe Keeley introduces you to some basic concepts of asynchronous programming in iOS. He discusses what threads and queues are, how they are related, and the special significance of the main queue to iOS. Look at what options are available in the iOS SDK to work asynchronously, including NSOperationQueues and Grand Central Dispatch. Take an in depth look at how to implement some common use cases for those options in Swift. Joe pays special attention to networking, one of the most common asynchronous use cases. Spend some time discussing common asynchronous programming pitfalls—and how to avoid them. Leave this session ready to try out asynchronous programming in your iOS app.
Making Java more dynamic: runtime code generation for the JVMRafael Winterhalter
While Java’s strict type system is a great help for avoiding programming errors, it also takes away some of the flexibility that developers appreciate when using dynamic languages. By using runtime code generation, it is possible to bring some of this flexibility back to the Java virtual machine. For this reason, runtime code generation is widely used by many state-of-the-art Java frameworks for implementing POJO-centric APIs but it also opens the door to assembling more modular applications. This presentation offers an introduction to the complex of runtime code generation and its use on the Java platform. Furthermore, it discusses the up- and downsides of several code generation libraries such as ASM, Javassist, cglib and Byte Buddy.
Presentation about JNI basics for JDD 2018 09.10.2018.
Main topics:
- calling native methods from Java and vice versa
- exception handling
- accessing Java objects and arrays from native
How to find out production issues? Where to look for errors when application crashes in live environment? How to Visual Studio 2010 for replicating post mortem scenarios in difficult to reproduce errors? Using Source server, PDB symbols in old fashioned way for new age WCF services.
Azul Virtual Machine Engineer Douglas Hawkins describes how decisions made by the JVM affect how your code is compiled and run. Learn how this affects application performance and what steps you can take to optimize how the JVM acts on your code.
[HES2013] Nifty stuff that you can still do with android by Xavier MartinHackito Ergo Sum
Fact: It is generally assumed that reverse engineering of Android applications is much easier than on other architectures. Static program analysis is the way to go.You can go back and forth between application and bytecode assembly without much hassle.
Reality: Few techniques are willing to make their comeback on this platform, namely dynamically code loading and self modifying code : bringing the fun back ! Source code examples will be shown, with step by step explanation.
https://www.hackitoergosum.org
At first glance, Java byte code can appear to be some low level magic that is both hard to understand and effectively irrelevant to application developers. However, neither is true. With only little practice, Java byte code becomes easy to read and can give true insights into the functioning of a Java program. In this talk, we will cast light on compiled Java code and its interplay with the Java virtual machine. In the process, we will look into the evolution of byte code over the recent major releases with features such as dynamic method invocation which is the basis to Java 8 lambda expressions. Finally, we will learn about tools for the run time generation of Java classes and how these tools are used to build modern frameworks and libraries. Among those tools, I present Byte Buddy, an open source tool of my own efforts and an attempt to considerably simplify run time code generation in Java.
Distributed systems
1.Write a program for implementing Client Server communication model.
2.Write a program to show the object communication using RMI.
3.Show the implementation of Remote Procedure Call.
4.Show the implementation of web services.
5.Write a program to execute any one mutual exclusion algorithm.
6.Write a program to implement any one election algorithm
7.Show the implementation of any one clock synchronization algorithm.
8.Write a program to implement two phase commit protocol
New to MongoDB? This talk will introduce the philosophy and features of MongoDB. We’ll discuss the benefits of the document-based data model that MongoDB offers by walking through how one can build a simple app. We’ll cover inserting, updating, and querying the database of books. This session will jumpstart your knowledge of MongoDB development, providing you with context for the rest of the day's content.
This talk was given in ilJUG on the 29th of July 2014 and discusses the new Java8 StampedLock class. It compares it to different locking mechanism is Java and shows some insights deduced from a simple benchmark
Threads, Queues, and More: Async Programming in iOSTechWell
To keep your iOS app running butter-smooth at 60 frames per second, Apple recommends doing as many tasks as possible asynchronously or “off the main thread.” Joe Keeley introduces you to some basic concepts of asynchronous programming in iOS. He discusses what threads and queues are, how they are related, and the special significance of the main queue to iOS. Look at what options are available in the iOS SDK to work asynchronously, including NSOperationQueues and Grand Central Dispatch. Take an in depth look at how to implement some common use cases for those options in Swift. Joe pays special attention to networking, one of the most common asynchronous use cases. Spend some time discussing common asynchronous programming pitfalls—and how to avoid them. Leave this session ready to try out asynchronous programming in your iOS app.
Making Java more dynamic: runtime code generation for the JVMRafael Winterhalter
While Java’s strict type system is a great help for avoiding programming errors, it also takes away some of the flexibility that developers appreciate when using dynamic languages. By using runtime code generation, it is possible to bring some of this flexibility back to the Java virtual machine. For this reason, runtime code generation is widely used by many state-of-the-art Java frameworks for implementing POJO-centric APIs but it also opens the door to assembling more modular applications. This presentation offers an introduction to the complex of runtime code generation and its use on the Java platform. Furthermore, it discusses the up- and downsides of several code generation libraries such as ASM, Javassist, cglib and Byte Buddy.
Presentation about JNI basics for JDD 2018 09.10.2018.
Main topics:
- calling native methods from Java and vice versa
- exception handling
- accessing Java objects and arrays from native
On August 2017 a well established Corporation was hit by an advanced attacker. The techniques adopted to overcome security platforms and infrastructures showed a very dangerous and innovative attacker. This is the tale of the IR team hired to fight this advanced attacker, a tale of a team pushing all his resources and technical skills to overcome the threat and finally chase the Adder...
Vawtrak Trojan, also known as Neverquest or Snifula, has been an enduring banking Trojan for a long time and is still one of the most prevalent banking Trojans in the wild today.
This report forms part of Blueliv’s investigation into the Vawtrak group. Reversing the Trojan was a mandatory element of this investigation in order to understand and track the cybercriminal groups and malicious actors behind the Vawtrak malware technical security researchers and reverse engineers can use this report to increase their understanding of how the banking Trojan works.
.Today, criminals are using novel tecnhiques to bypass AV detecions. Manual debugging must be used to unpack malware (a hard work that is needed to reveal the original malware code). Dissecting malware allows us to understand criminals’ modus operandi, and manual analysis is always required to reveal FUD malware.
JVM Mechanics: When Does the JVM JIT & Deoptimize?Doug Hawkins
HotSpot promises to do the "right" thing for us by identifying our hot code and compiling "just-in-time", but how does HotSpot make those decisions?
This presentation aims to detail how HotSpot makes those decisions and how it corrects its mistakes through a series of demos that you run yourself.
How to write clean & testable code without losing your mindAndreas Czakaj
If you create software that is to be developed continuously over several years you'll need a sustainable approach to code quality.
In our early days of AEM development, however, we used to struggle with code that is rigid, hard to test and full of LOG.debug calls.
In this talk I will share some development best practices we have found that really work in actual AEM based software, e.g. to achieve 100% code coverage and provide high confidence in the code base.
Spoiler alert: no new libraries, frameworks or tools are required - once you know the ideas, plain old TDD and the S.O.L.I.D. principles of Clean Code will do the trick.
by Andreas Czakaj, mensemedia Gesellschaft für Neue Medien mbH
Presented at the adaptTo() 2017 conference in Berlin (https://adapt.to/2017/en/schedule/how-to-write-clean---testable-code-without-losing-your-mind.html).
Presentation video can be found on YouTube (https://www.youtube.com/watch?v=JbJw5oN_zL4)
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniquessecurityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
ironSource's security application expert, Tomer Zait, shares his insights on engineering in the stack. Tomer, an Ort Singalovsky alumnus himself, gave this presentation to the Ort Singalovsky students on their tour of ironSource's headquarters in Tel Aviv.
Want to learn more about ironSource? Visit our website: www.ironsrc.com
Follow us on Twitter @ironSource
ironSource is looking for new talent! Check out our openings: http://bit.ly/Work-at-ironSource
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
2. Outline
Code Injection Basics
User Mode Injection Techniques
Example Malware Implementations
Kernel Mode Injection Techniques
Advanced Code Injection Detection via Raw
Memory Analysis
1-2
3. Code Injection Basics
“Code Injection” refers to techniques
used to run code in the context of an
existing process
Motivation:
• Evasion: Hiding from automated or human
detection of malicious code
IR personnel hunt for malicious processes
• Impersonation: Bypassing restrictions
enforced on a process level
Windows Firewall, etc
Pwdump, Sam Juicer
1-3
4. User Mode Injection Techniques
Techniques
• Windows API
• AppInit_Dll
• Detours
1-4
5. Injecting code via the Windows API
Somewhat surprisingly, the Windows API
provides everything you need for process
injection
Functions:
• VirtualAllocEx()
• WriteProcessMemory()
• CreateRemoteThread()
• GetThreadContext() /
SetThreadContext()
• SetWindowsHookEx()
1-5
10. #Inject an infinite loop into a running process
import pydbg
k32 = pydbg.kernel32
payload = ‘xEBxFE’
pid = int(args[0])
...
h = k32.OpenProcess(PROCESS_ALL_ACCESS,
False, pid)
m = k32.VirtualAllocEx(h, None, 1024,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE)
k32.WriteProcessMemory(h, m, payload,
len(payload), None)
k32.CreateRemoteThread(h, None, 1024000,
m, None, 0, None) 10
11. Better Payloads
Breakpoints and Loops are fun, but what about
real payloads?
If we directly inject code it must be “position
independent”
Any addresses that were pre-calculated at
compile time would be wrong in the context of a
new process
1-11
12. Better Payloads
Building large position independent payloads is
possible, but not trivial
However, DLL injection is much simpler
DLLs are designed to be loaded in a variety of
processes, addresses are automatically fixed
up when the DLL is loaded
1-12
13. DLL Injection
Use the basic process we just described
DLLs are loaded using kernel32!LoadLibrary
kernel32 is at the same address in every
process we know its address in the remote
process (ignoring ASLR)
Allocate space for the name of the DLL to be
loaded, then create a thread with a start
address that points to LoadLibrary
1-13
15. User Mode API Variants
Rather than create a new remote thread, we
can hijack an existing thread using
GetThreadContext, SetThreadContext
SetWindowsHookEx can also be used to inject
a DLL into a single remote process, or every
process running on the current Desktop
1-15
16. SetWindowsHookEx
SetWindowsHookEx defines a hook procedure
within a DLL that will be called in response to
specific events
Example events: WH_KEYBOARD,
WH_MOUSE, WH_CALLWNDPROC, WH_CBT
Whenever the hooked event is first fired in a
hooked thread, the specified DLL is be loaded
1-16
17. Permissions and Security
To open a process opened by another user
(including SYSTEM), you must hold the
SE_DEBUG privilege
Normally SE_DEBUG is only granted to
member of the Administrator group
However, even if you are running as a
normal user, malware can still inject into
another process that you own
1-17
18. Injecting code via AppInit_DLLs
The AppInit_DLLs registry value provides
another convenient method of DLL
injection
1-18
19. Injecting code via Detours
Detours is a library developed by Microsoft
Research in 1999
The library uses the same techniques
already described, wrapped up in slick
package
1-19
20. Detours Features
Function hooking in running processes
Import table modification
Attaching a DLL to an existing program file
Detours comes with great sample
programs:
• Withdll
• Injdll
• Setdll
• Traceapi
1-20
21. Setdll
Detours can add a new DLL to an existing
binary on disk. How?
Detours creates a section named
“.detours” between the export table and
debug symbols
The .detours section contains the original
PE header, and a new IAT
Detours modifies the PE header to point at
the new IAT (reversible)
1-21
24. Avoiding the Disk
When we perform DLL injection,
LoadLibrary expects the DLL to be on
the disk (or at least an SMB share)
The Metasploit project eliminates this
requirement using a clever hooking
strategy
By hooking functions that are involved in
reading the file from disk, they fool
Windows into thinking the DLL is on disk
1-24
25. Meterpreter
Hook Call LoadLibrary Unhook
Hooked functions:
• NtMapViewOfSection
• NtQueryAttributesFile
• NtOpenFile
• NtCreateSection
• NtOpenSection
See remote_dispatch.c and libloader.c in
MSF 3.0
1-25
29. Step 1: Inject to Explorer
Poison Ivy client immediately injects to
Explorer and then exits
Output from WinApiOverride32 for pi.exe
1-29
30. Step 2: Inject again to msnmsgr.exe
Explorer.exe injected code then injects again…
Interestingly, PI does not grab the SE_DEBUG
privilege, so we can’t inject in many existing
processes
Output from WinApiOverride32 for explorer.exe
1-30
34. Two Halves of the Process
User land processes are comprised of two
parts
• Kernel Portion
EPROCESS and KPROCESS
ETHREAD and KTHREAD
Token
Handle Table
Page Tables
Etc.
1-34
35. Two Halves of the Process
User land Portion
• Process Environment Block (PEB)
• Thread Environment Block (TEB)
• Windows subsystem (CSRSS.EXE)
• Etc.
1-35
36. Kernel Process Injection Steps
Must find suitable target
• Has a user land portion
• Has kernel32.dll and/or ntdll.dll loaded in its address
space
• Has an alterable thread (unless hijacking an existing
thread)
Allocate memory in target process
Write the equivalent of “shellcode” that calls
LoadLibrary
Cause a thread in the parent to execute newly
allocated code
• Hijack an existing thread
• Create an APC
1-36
37. Allocate memory in parent process
Change virtual memory context to that of
the target
• KeAttachProcess/KeStackAttachProcess
• ZwAllocateVirtualMemory
(HANDLE) -1 means current process
MEM_COMMIT
PAGE_EXECUTE_READWRITE
1-37
38. Creating the Shellcode
“shellcode” that calls LoadLibrary
• Copy function parameters into address space
• Pass the address of function parameters to
calls
• Can use the FS register
FS contains the address of the TEB
TEB has a pointer to the PEB
PEB has a pointer to the PEB_LDR_DATA
PEB_LDR_DATA contains all the loaded DLLs
1-38
39. Creating the Shellcode
As an alternative to using the FS register
• Find the address of ntdll.dll from the driver
• Parse its exports section
• Does not work with all DLLs
Only address of ntdll.dll returned by
ZwQuerySystemInformation
1-39
40. Thread Hijacking
Cause a thread in the parent to execute
newly allocated code - Hijack an existing
thread
• Locate a thread within the parent process
• Change its Context record
• Change Context record back when done
Problems:
• Low priority threads
• Blocked threads
• Changing Context back
1-40
42. Alternative Method: APC
Cause a thread in the parent to execute
newly allocated code - Create an APC
• Threads can be notified to run an
Asynchronous Procedure Call (APC)
• APC has a pointer to code to execute
• To be notified, thread should be Alertable
1-42
46. Memory Analysis
Motivation
• APIs lie. The operating system can be
subverted.
Example: Unlink injected DLLs from the
PEB_LDR_DATA in the PEB.
Example: Hooking the Virtual Memory Manager
and diverting address translation.
• APIs are not available to “classic” forensic
investigations – offline analysis
1-46
47. Memory Analysis
Requirements
• No use of APIs to gather data.
• Ability to use any analysis solution on both live
memory and offline memory image dumps.
(Implies the ability to do all memory translation independently.)
• Do not require PDB symbols or any other operating
specific information.
1-47
48. Steps to Memory Analysis
Ability to access physical memory
Derive the version of the OS – important to
know how to interpret raw memory
Find all Processes and/or Threads
Enumerate File Handles, DLLs, Ports, etc.
1-48
49. Steps to Memory Analysis
Virtual to Physical Address Translation
• Determine if the host uses PAE or non-PAE
• Find the Page Directory Table – process
specific
• Translate prototype PTEs
• Use the paging file
1-49
50. Derive the version of the OS
Find the System Process
• Allows the derivation of:
The major operating system version in question
The System Page Directory Table Base
HandleTableListHead
Virtual address of PsInitialSystemProcess
PsActiveProcessHead
PsProcessType
Patent Pending
1-50
51. Operating System Version
Find the System image name
Walk backwards to identify the Process
Block
The spatial difference between major
versions of the OS is enough to begin to
tell us about the operating system version
Patent Pending
1-51
52. Operating System Version
Drawback: Ghosts
• There can be more than one System Process
Open a memory crash dump in Windbg
Run a Windows operating system in VMWare
• Solution:
Non-paged kernel addresses are global
We know the virtual address of
PsActiveProcessHead
PsActiveProcessHead and other kernel addresses
should be valid and present (translatable) in both
live or dead memory
Patent Pending
1-52
53. Memory Translation
PAE vs non-PAE
• Different ways to interpret the address tables
• The sixth bit in the CR4 CPU register
determines if PAE is enabled
• Problem: We do not have access to CPU
registers in memory analysis
• Solution?
Kernel Processor Control Region -> KPCRB ->
KPROCESSOR_STATE ->
KSPECIAL_REGISTERS -> CR4
1-53
54. Memory Translation
CR4 Heuristic
• Page Directory Table Base and the Page
Directory Table Pointer Base look very
different.
CR3 is updated in the KPCR
• This can be used to identify a valid Page
Directory Table
• The Page Directory can be used to validate
the PsActiveProcessHead
Patent Pending
1-54
55. Enumerating Injected DLLs
Problem:
• APIs lie.
• Malware can unlink from the
PEB_LDR_DATA lists of DLLs
Solution:
• Virtual Address Descriptors (VADs)
Patent Pending
1-55
56. VADs
Self balancing binary tree [1]
Contains:
• Virtual address range
• Parent
• Left Child and Right Child
• Flags – is the memory executable
• Control Area
1. Russinovich, Mark and Solomon, Dave, Microsoft Windows Internals, Microsoft Press 2005
1-56
57. A Memory Map to a Name
VAD contains a CONTROL_AREA
CONTROL_AREA contains a
FILE_OBJECT
A FILE_OBJECT contains a
UNICODE_STRING with the filename
We now have the DLL name
Patent Pending
1-57