Binary obfuscation is a mysterious ritual employed by malware authors and software vendors alike that no one really seems to talk about. It's almost like a secret society. Interestingly, you don't have to write a program to obfuscate the binary-- you can also write high-level code that obfuscates at compile-time, rather than afterward.
A short introduction on how functions work. Functions are the building blocks of any modern programming language. This tutorial shows you how functions are implemented and how the process stack plays an important role in supporting functions.
Slides from my workshop at Hack.LU 2010 in Luxembourg. This workshop introduced the basic concepts of Return Oriented Programming with some hands-on exercises.
Austin TX - Introduction to Reverse Engineering course - slides include x86 architecture, registers, assembly. Virtual memory layout of a process, code and data structures.
Le slide deck de l'Université que nous avons donnée avec Rémi Forax à Devoxx France 2019.
Comme promis, Java sort sa version majeure tous les 6 mois. Le train passe et amène son lot de nouveautés. Parmi elles, certaines sont sorties : une nouvelle syntaxe pour les clauses switch et l'instruction de byte code CONSTANT_DYNAMIC. D'autres sont en chantier, plus ou moins avancé : une nouvelle façon d'écrire des méthodes de façon condensée, un instanceof 'intelligent', des constantes évaluées au moment où elles sont utilisées. Les projets progressent. Loom, et son nouveau modèle de programmation concurrente que l'ont peut tester avec Jetty. Amber, qui introduit les data types et des nouvelles syntaxes. Valhalla, dont les value types donnent leurs premiers résultats. S'il est difficile de prévoir une date de sortie pour ces nouveautés, on sait en revanche qu'une fois prêtes elles sortiront en moins de 6 mois. De tout ceci nous parlerons donc au futur et en public, avec des démonstrations de code, des slides, du code, de la joie et de la bonne humeur !
In the world of social gaming, the classic 2-tier of web application does not cut it anymore. We need new and better solutions.
Follow along the evolution of game servers at Wooga and get an in-depth look into the next-generation backend putting the combined forces of Erlang and Ruby to work. Learn how scalability, reliability, concurrency control and beautiful code do not need to be mutually exclusive.
A short introduction on how functions work. Functions are the building blocks of any modern programming language. This tutorial shows you how functions are implemented and how the process stack plays an important role in supporting functions.
Slides from my workshop at Hack.LU 2010 in Luxembourg. This workshop introduced the basic concepts of Return Oriented Programming with some hands-on exercises.
Austin TX - Introduction to Reverse Engineering course - slides include x86 architecture, registers, assembly. Virtual memory layout of a process, code and data structures.
Le slide deck de l'Université que nous avons donnée avec Rémi Forax à Devoxx France 2019.
Comme promis, Java sort sa version majeure tous les 6 mois. Le train passe et amène son lot de nouveautés. Parmi elles, certaines sont sorties : une nouvelle syntaxe pour les clauses switch et l'instruction de byte code CONSTANT_DYNAMIC. D'autres sont en chantier, plus ou moins avancé : une nouvelle façon d'écrire des méthodes de façon condensée, un instanceof 'intelligent', des constantes évaluées au moment où elles sont utilisées. Les projets progressent. Loom, et son nouveau modèle de programmation concurrente que l'ont peut tester avec Jetty. Amber, qui introduit les data types et des nouvelles syntaxes. Valhalla, dont les value types donnent leurs premiers résultats. S'il est difficile de prévoir une date de sortie pour ces nouveautés, on sait en revanche qu'une fois prêtes elles sortiront en moins de 6 mois. De tout ceci nous parlerons donc au futur et en public, avec des démonstrations de code, des slides, du code, de la joie et de la bonne humeur !
In the world of social gaming, the classic 2-tier of web application does not cut it anymore. We need new and better solutions.
Follow along the evolution of game servers at Wooga and get an in-depth look into the next-generation backend putting the combined forces of Erlang and Ruby to work. Learn how scalability, reliability, concurrency control and beautiful code do not need to be mutually exclusive.
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
A tutorial created to introduce you to the core concepts of Return Oriented Programming (ROP). ROP is an essential technique in defeating exploit mitigation protection such as DEP, found in modern operating systems.
A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
What's new and changed in PHP 8.
- Major new changes in PHP 8
- New functions and classes
- OOP improvements
- Type system improvements
- Error handling improvements
- Resource to Object migration
- String related changes
- Removed functionality
https://php.watch/versions/8.0
This presentation goes over basic exploitation techniques. Topics include:
- Introduction to x86 paradigms used exploited by these techniques
- Stack overflows including the classic stack smashing attack
- Ret2libc
- Format string exploits
- Heap overflows and metadata corruption attacks
Applying Anti-Reversing Techniques to Machine CodeTeodoro Cipresso
CS266 Software Reverse Engineering (SRE)Applying Anti-Reversing Techniques to Machine Code
Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu
Department of Computer Science
San José State University
Spring 2015
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
A tutorial created to introduce you to the core concepts of Return Oriented Programming (ROP). ROP is an essential technique in defeating exploit mitigation protection such as DEP, found in modern operating systems.
A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
What's new and changed in PHP 8.
- Major new changes in PHP 8
- New functions and classes
- OOP improvements
- Type system improvements
- Error handling improvements
- Resource to Object migration
- String related changes
- Removed functionality
https://php.watch/versions/8.0
This presentation goes over basic exploitation techniques. Topics include:
- Introduction to x86 paradigms used exploited by these techniques
- Stack overflows including the classic stack smashing attack
- Ret2libc
- Format string exploits
- Heap overflows and metadata corruption attacks
Applying Anti-Reversing Techniques to Machine CodeTeodoro Cipresso
CS266 Software Reverse Engineering (SRE)Applying Anti-Reversing Techniques to Machine Code
Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu
Department of Computer Science
San José State University
Spring 2015
This paper covers a new technique that can help IDS/IPS solution developers to provide more protection against web attacks. The approach is very generic and can be “adopted” by any IDS/IPS solution provider. Presently the approach is just an Idea and it requires more research and experiment to convert it into a working solution.
This approach helps in enhancing quality of “signature based IDS/IPS solution” and provides good coverage with respect to the evasion techniques.
Obfuscation, Golfing and Secret Operators in PerlJosé Castro
Everything you always wanted to know about Obfuscation and Golfing, some strange techniques and odd operators many are not aware of.
Also, everything you *never* wished to know about Obfuscation and Golfing, some even stranger techniques and even odder operators many wished they were *not* aware of.
Video available at http://conferences.yapcasia.org/ya2008/talk/1007.
In order to harden kernel exploitation as much as possible was introduced variety of features including KASLR, SMEP and sometimes also SMAP.
Even those are powerful techniques their effectiveness rely on their cooperation, environment and their implementation.
We will present new and some not so new exploitation techniques, show ideas behind breaking trough before mentioned security features and why it is possible, and we will take a look at pool spraying on x64 as well.
Kernel vulnerabilities was commonly used to obtain admin privileges, and main rule was to stay in kernel as small time as possible! But nowdays even when you get admin / root then current operating systems are sometimes too restrictive. And that made kernel exploitation nice vector for installing to kernel mode!
In this talk we will examine steps from CPL3 to CPL0, including some nice tricks, and we end up with developing kernel mode drivers.
There have been many recent publications that focused on malware evasion techniques – specifically techniques that malware employs to avoid detection and tools that can be used to defeat this evasion. But what happens when malware doesn’t need to evade detection because it first disables the very tools you’re using to detect malware and evade detection? It sounds complicated but the threat is very real and extremely easy to accomplish.
The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in real world: how to abuse databases features to takeover the server as a whole, how to break out of the mere database process, get control of the operating system and escalate process' privileges to SYSTEM and how to make the life of the forensics analyst harder in a post-exploitation investigation.
These slides have been presented at AthCon 2010 conference in Athens on June 3, 2010.
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
Cyber Security - What is a SQL Injection, Buffer Overflow & Wireless Network Attack. Types of SQL Injection, Buffer Overflow and Wireless Network Attack
With the advent of large malware in recent years, systems OS X can be vectors of attack us-ing Mach-O binaries. This presentation will illustrate the dissection of something malicious and also identifica-tion,analysis and some possibilities for mitigation.
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
In our recent work we targeted also win32k, what seems to be fruit giving target. @promised_lu made our own TTF-fuzzer which comes with bunch of results in form of gigabytes of crashes and various bugs. Fortunately windows make great work and in February most of our bugs was dead - patched, but not all of them…
Whats left were looking as seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check it out, and finally combine it with our user mode bug & emet bypass. Through IE & flash we break down system and pointed out at weak points in defensive mechanism.
In this talk we will present our research dedicated for pwn2own event this year. We will describe kernel part of exploit in detail*, including bug description, resulting memory corruption conditions & caveats up to final pwn via one of our TTF bugs.
Throughout the talk we will describe how to break various exploit mitigations in windows kernel and why it is possible. We will introduce novel kernel exploitation techniques breaking all what stands { KASLR, SMEP, even imaginary SMAP or CFG } and bring you SYSTEM exec (from kernel driver to system calc).
* unfortunately bug was not fixed at the time of talk, so we do not exposed details about TTF vulnerability, and we skipped directly to some challenges during exploitation, and demonstrate how OS design can overpower introduced exploit mitigations.
Porting is a Delicate Matter: Checking Far Manager under LinuxPVS-Studio
Far Manager, which takes over from Norton Commander, created back in the times of DOS, is one of the most popular file managers on Microsoft Windows. Far Manager facilitates the file system management (file creation, editing, viewing, copying, moving, search, and deletion) and provides means to extend the standard feature set (handling of the network, archives, backup copies, and so on). Far Manager was recently ported to Linux, and there is currently an alpha version available. The PVS-Studio team couldn't ignore that event and miss the opportunity to test the quality of the ported code.
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
The talk will look at limitations of compilers when creating fast code and how to make more effective use of both the underlying micro-architecture of modern CPU's and how algorithmic optimizations may have surprising effects on the generated code. We shall discuss several specific CPU architecture features and their pros and cons in relation to creating fast C++ code. We then expand with several algorithmic techniques, not usually well-documented, for making faster, compiler friendly, C++.
Note that we shall not discuss caching and related issues here as they are well documented elsewhere.
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...Anne Nicolas
The Coccinelle C-program matching and transformation tool was first released in 2008 to facilitate specification and automation in the evolution of Linux kernel code. The novel contribution of Coccinelle is to allow software developers to write code manipulation rules in terms of the code structure itself, via a generalization of the patch syntax. Over the years, Coccinelle has been extensively used in Linux kernel development, resulting in over 6000 commits to the Linux kernel, and has found its place as part of the Linux kernel development process. This talk will review the history of Coccinelle and its impact on the Linux kernel. It will also briefly present two newer tools, prequel and spinfer, that have built on the Coccinelle infrastructure.
Know your platform. 7 things every scala developer should know about jvmPawel Szulc
Your Scala code can be cohesive, beautiful and fully functional. But at the end of the day, it runs on the JVM - powerful platform which also has its limits.
Is this fact fully transparent to a Scala developer or does basic understanding of the platform can be beneficial? Can we squeeze full potential out of our code? Are we aware of limits of our runtime environment? This talk will try to answer those questions.
we will show how Scala code is transformed to bytecode and what that implies
we will try to answer the question why @tailrec matters
we will look at the organization of the JVM memory
we will understand how different GC algorithms work
we will see if different GC algorithm can change performance of our code
we will look at toolkits located at JAVA_HOME/bin/
we will try to scratch a surface of JIT :)
This is basic introduction to the topic. We will not show you how compiler works internally :) But we will try to give you general overview of internals of the platform that you use on a daily basis.
A talk given to the New York CakePHP usergroup, discussing the specifics of changes within the CakePHP 2.0 feature set, motivations for those changes, and upcoming changes as development continues.
This is part 1 of fuzzing, an introduction to the subject. This presentation covers some of theory and thought process behind the subject, as well as an introduction to environment variable fuzzing and file format fuzzing.
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
"In a world of high volume malware and limited researchers we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the corporate sponsored research community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool for researchers alike."
JavaScript and popular programming paradigms (OOP, AOP, FP, DSL). Overview of the language to see what tools we can leverage to reduce complexity of our projects.
This part goes over more language features and looks at FP, and DSLs with JavaScript.
The presentation was delivered at ClubAJAX on 3/2/2010.
Blog post: http://lazutkin.com/blog/2010/mar/4/exciting-js-2/
Beginning is Part I: http://www.slideshare.net/elazutkin/exciting-javascript-part-i
Similar to Binary Obfuscation from the Top Down: Obfuscation Executables without Writing Assembly (20)
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Metaverse and AI: how can decision-makers harness the Metaverse for their...Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
2. Binary Obfuscation
Why Top Down?
• Assembly, while “simple,” is tedious.
• It’s easier for us to write higher-level code.
• Some of us.
• Why do it by hand when you can be lazy?
5. Binary Obfuscation
What will not be covered?
• Anti-debug
• Source obfuscation where it does not
relate to binary transformations
• Obfuscation effectiveness
• Post-compilation obfuscation
8. Binary Obfuscation
Function Pointers
• Like string-format vulnerabilities, function
pointers are ancient Voodoo.
• I honestly don’t know who thought these
were a good idea, but I freakin’ love ‘em.
• See src/funcptr.c
10. Binary Obfuscation
Method Pointers
• Abuse of method pointers would probably
make Bjarne Stroustrup really angry.
• There is also one thing uglier than function
pointers. That’s method pointers.
• See src/methodptr.cpp
11. Binary Obfuscation
Method Pointers
int MyClass::foo(void) {
return 310;
}
int bar (void) {
MyClass baz;
int (MyClass::*fooPtr)(void);
fooPtr = &MyClass::foo;
return (MyClass.*baz)fooPtr();
}
16. Binary Obfuscation
Calling Conventions
• fastcall
• First two arguments less than a DWORD
moved into ecx and edx respectively
• Rest are pushed onto the stack
• Called function pops from the stack
• Called function cleans up the mess
17. Binary Obfuscation
Calling Conventions
• thiscall
• Used when a function within a class
object is called
• “this” pointer moved into ecx
• Function arguments pushed onto stack
• Called function pops from stack
• Cleans up its own mess
18. Compiler
Optimizations
The Dragon Book: Not Just for Furries Anymore
20. Binary Obfuscation
Compiler Optimizations
• At compile time, your code is separated
into multiple blocks.
• A “block” consists of code separated by
conditional (e.g. JLE, JNE, etc.) and
unconditional jumps (e.g. CALL and JMP).
• How this code is organized and how the
jumps occur affects the optimization of the
program.
24. Binary Obfuscation
Compiler Optimizations
• The compiler also looks at your variables
to make sure you’re not doing anything
repetitive or inconsequential.
• Algorithms like the directed acyclic graph
(DAG) algorithm and static variable analysis
make sure memory and math are fully
optimized.
29. Binary Obfuscation
Compiler Optimizations
• Your compiler is a neat-freak.
• If the compiler notices it doesn’t need a
variable anymore, it’s just going to get rid of
it, no matter what else you do to it.
33. Binary Obfuscation
Compiler Optimizations
• There exist cases (mostly in hardware
development) where you do NOT want
your compiler to optimize your variable.
• This is where the volatile keyword
comes in.
• Making your variable volatile tells the
compiler not to do any optimizations to it.
40. Binary Obfuscation
Binary Formats
• The most common formats you’ll likely
come across are the PE file format
(Windows) and the ELF format (Linux).
• Both of these formats have a “table” they
use for external library calls such as
printf, execv, etc.
• For Windows it’s called the IAT. For Linux
it’s the PLT.
41. Binary Obfuscation
Binary Formats
• If you obfuscate function pointers, they will
likely not show up in those lists and
therefore cause your library calls to fail.
• Circumventing this issue will be covered
later.
43. Binary Obfuscation
Methods of Analysis
• Someone can easily figure out the gist of
what your program is doing by analyzing
any of the API calls you make.
• There exist a few programs out there that
already do this for you: VirusTotal and
ZeroWine.
44. Binary Obfuscation
Methods of Analysis
• VirusTotal (virustotal.com) is a website that
allows you to upload suspected malware
files and analyze them against over thirty
different scanners.
• At the end of the analysis is a list of all
recognized Windows API calls made by the
program, as well as various data sections
within.
45. Binary Obfuscation
Methods of Analysis
• ZeroWine (zerowine.sourceforge.net) is a
malware analysis tool that executes a
program in a controlled environment and
collects data.
• This, too, collects and reports on API calls
made by the program, as well as any
possible servers it may have contacted or
files it may have written.
46. Binary Obfuscation
Methods of Analysis
• When analyzing a binary, there are two
schools of analysis: live-code and dead-
code.
• Dead-code is exactly how it sounds: you
look at the binary, as-is, without executing.
• Live-code is the opposite: you run the
program and watch what it does.
47. Binary Obfuscation
Methods of Analysis
• VirusTotal employs dead-code analysis. It
simply reads the binaries uploaded to it,
scans it with various virus scanners and
reports.
• ZeroWine, however, employs live-code
analysis. It runs the suspected program in a
controlled environment and watches what
happens.
48. Binary Obfuscation
Methods of Analysis
• Dead-code analysis can be frustrated
through polymorphism.
• Live-code analysis can be frustrated
through hiding, obfuscating and redirecting
data and control-flow under the eyes of the
reverser.
51. Binary Obfuscation
Obfuscation
• Layout obfuscation essentially means
scrambling the program around at the
source-level.
• The International Obfuscated C Contest
(ioccc.org) is a perfect example of this.
53. Binary Obfuscation
Obfuscation
• Control-flow obfuscation involves twisting
the typical downward-flow of a program to
into spaghetti code.
• It has the added benefit of obfuscating
source while simultaneously upsetting the
normal flow a reverse-engineer is used to.
54. Binary Obfuscation
Obfuscation
• Data obfuscation involves masking
whatever data you have in your program by
any means.
• Strings, numbers, even functions within your
program can be masked, obfuscated,
interwoven or encrypted without hand-
writing any assembly.
56. Binary Obfuscation
Obfuscation Techniques
• The goal is to obfuscate the binary without
doing binary transformations.
• We know how the compiler optimizes,
what it does to our data and how it stores
some information important for
programmatic logic.
• With this in mind, we can now leverage our
code against the compiler.
57. Binary Obfuscation
Obfuscation Techniques
• Layout obfuscation is essentially useless.
• Renaming variables, removing whitespace
and using #define routines for functions
typically has very little impact on the
underlying program.
• Sure you can do layout obfuscation on your
code, and some of it MAY translate to
obfuscated code, but the signal-to-noise
ratio is much too low for to be useful.
58. Control-Flow
Obfuscation
Turn that boring linear NOP sled into something
worthy of Raging Waters.
59. Binary Obfuscation
Control-Flow Obfuscation
• With function pointers, method pointers,
the volatile keyword and the goto
keyword on our side, we can do some
really fun stuff.
60. Binary Obfuscation
Control-Flow Obfuscation
• Opaque predicates are tautological IF
statements.
• An opaque predicate cannot be optimized
because the compiler cannot determine the
outcome.
• You see this frequently in obfuscated
JavaScript.
63. Binary Obfuscation
Control-Flow Obfuscation
int a,b,c,d;
srand(time(0));
a=rand()+1;b=rand()+1;
c=rand()+1;d=rand()+1;
if (a+b+c*d > 0)
{
puts(“yes”);
exit(0);
}
puts(“no”);
64. Binary Obfuscation
Control-Flow Obfuscation
int a,b,c,d;
...
srand(time(0));
TEST EAX,EAX
a=rand()+1;b=rand()+1;
JLE SHORT :NO
c=rand()+1;d=rand()+1;
PUSH “yes”
if (a+b+c*d > 0)
CALL $PUTS
{
PUSH 0
puts(“yes”);
CALL $EXIT
exit(0);
NO: PUSH “no”
}
CALL $PUTS
puts(“no”);
65. Binary Obfuscation
Control-Flow Obfuscation
• Control-flow flattening involves, quite
literally, flattening the graphical
representation of your program.
• Typically you have a top-down flow with
program graphs. With flattening, you cause
a central piece of code to control the flow
of the program.
• Control-flow obfuscation is employed by
bin/crackmes/leetkey.exe
70. Binary Obfuscation
Control-Flow Obfuscation
• Most programs are reducible-- meaning
they can easily be optimized.
• If a program is irreducible, then it cannot be
optimized, thus translating spaghetti code
into spaghetti assembly.
• A good example by Madou et. al. is making
a loop irreducible.
• See src/cflow-irreducible.c
71. Binary Obfuscation
Control-Flow Obfuscation
• Raising bogus exceptions is a common way
for malware to obfuscate and frustrate
reverse engineering.
• This is easily accomplished by setting up a
try block, intentionally triggering the
exception, then resuming at the caught
section.
• For Linux, you can do the same with signals.
• See src/cflow-exceptions.cpp
74. Binary Obfuscation
Data Obfuscation
• Data obfuscation takes a little more care
than control-flow obfuscation.
• The data must be obfuscated before the
compilation process, then de-obfuscated at
run-time.
• If the data is not obfuscated before run-
time, dead-code analysis is made trivial and
your obfuscation is useless.
75. Binary Obfuscation
Data Obfuscation
• One of the more obvious techniques is to
encrypt your strings.
• Even though strings don’t technically lead
to knowledge of the program, it can help
aide in reverse-engineering more often than
you think.
76. Binary Obfuscation
Data Obfuscation
• Recall the explanation of volatile:
volatile int x;
x = 7;
x <<= 2;
x *= 2;
x -= 12;
x += (x*x)<<2;
printf("%dn", x);
• With enough annoyances, this can be used
to frustrate analysis.
77. Binary Obfuscation
Data Obfuscation
• Data aggregation can be used to make
dead-code analysis confusing.
char aggr[7] = “fboaor”;
char foo[3], bar[3];
int i;
for (i=0;i<3;++i) {
foo[i]=aggr[i*2];
bar[i]=aggr[i*2+1];
}
/* foo = “foo” / bar = “bar” */
78. Binary Obfuscation
Data Obfuscation
• Functions in the PLT/IAT are certainly
considered data.
• To prevent dead-code analysis from
discovering our library calls, we can easily
“create” functions at run-time by using
system calls such as LoadLibrary and
GetProcAddress (Windows) and
dlopen and dlsym (Linux).
• See src/data-loadlib.c, src/data-dlopen.c and
src/mdl.cpp
80. Binary Obfuscation
Poor Man’s Packer
• Combines control-flow and data
obfuscation to cause all sorts of headaches.
• Revolves around compiling, copying data
and applying function pointers to
obfuscated or encrypted data.
• See bin/crackmes/manifest.exe
• If you have problems with this binary, ask
a DC949 member what the group motto
is.
81. Binary Obfuscation
Poor Man’s Packer
• Compile
• Disassemble
• Copy bytes of function, make an array
• Apply encryption, aggregation, etc.
• Recompile
• Decipher at run-time
• Cast as function-pointer
• Execute
• See src/pmp-concept.c
82. Binary Obfuscation
Poor Man’s Packer
• Problems
• Functions are broken because they are
no longer in the PLT/IAT.
• Data offsets are completely messed up.
• Functions in C++ objects cause
segmentation faults (due to broken
thiscall).
• Compiler might change calling
conventions.
• void pointers are scary.
83. Binary Obfuscation
Poor Man’s Packer
• If you pass a data structure containing data
required by the function (function offsets,
strings, etc.), you can circumvent the issue
caused by relative jumps and offsets.
• This also applies to method pointers and
C++ objects.
• This gives you the opportunity to
dynamically add and remove necessary
program data as you see fit.
84. Binary Obfuscation
Poor Man’s Packer
• Be sure your calling conventions match
after each step of compilation and byte-
copying!
• cdecl is the calling convention used by
vararg functions such as printf.
• fastcall and stdcall should be fine for all
other functions.
• Mismatched calling conventions will cause
headaches and segmentation faults.
85. Binary Obfuscation
Poor Man’s Packer
• Why is this beneficial?
• Ultimate control of all data
• Code is still portable and executable
• Adds a bizarre layer of obfuscation
• When done enough, severely obfuscates
source
86. Binary Obfuscation
Poor Man’s Packer
• Why does this suck?
• Makes binaries huge if you don’t
compress your functions due to enlarged
data-sections
• Takes a lot of work to accomplish
• It can be extremely frustrating to craft
the write code with the right keywords
with full optimization
88. Binary Obfuscation
Tools
• Code transformers
• TXL (txl.ca)
• SUIF (suif.standford.edu)
• TXL and SUIF are used to transform
source-code by a certain set of given rules
(such as regular expressions).
89. Binary Obfuscation
Sources
• M. Madou, B. Anckaert, B. De Bus, K. De
Bosschere, J. Cappaert, and B. Preneel, "On
the Effectiveness of Source Code
Transformations for Binary Obfuscation"
• B. M. Prasad, T. Chiueh, "A Binary Rewriting
Defense against Stack based Buffer
Overflows"
• C. I. Popov, S. Debray, G. Andrews, "Binary
Obfuscation Using Signals"