The document discusses Binee, an emulator that extends existing PE emulators by mocking Windows functions, system calls, and OS subsystems to enable deeper malware analysis. It loads PE files and DLLs, resolves imports, and maps them into emulated memory. Binee defines hooks for functions to intercept calls and interact with mocked subsystems for file I/O, registry, memory, and other OS services. Configuration files define the emulated OS environment to provide context and rapidly change configurations for analysis. This approach aims to reduce the cost of dynamic analysis while extracting more features through emulation at scale.
Outlines of this lecture:
- What is stream?
- File Output Stream Class
- File Input Stream Class
- Byte Array Output Stream Class
- Sequence Input Stream Class
- File Reader Class
- File Writer Class
- Scanner with String
Magic Clusters and Where to Find Them - Eugene PirogovElixir Club
The talk focuses on Erlang & Elixir facilities for distributed computing.
We'll explore how to build clusters and look at how testing a clustered setup might looks like. We'll create a Mnesia cluster and will talk about CAP theorem. We'll answer the questions of what distributed computing is for, and what Erlang has to offer with regards to balancing the load between the nodes in a cluster.
Experience this and much more in the "Magic Clusters and Where to Find Them" talk!
Elixir Meetup 4 Lviv
ActiveTcl 8.5 has become the standard on which people build their Tcl applications, but Tcl 8.6 is just around the corner. Currently in beta, Tcl 8.6 is expected to have a final release in 2011. What new tricks will 8.6 pull out of the hat? Should you start using Tcl 8.6 soon? Join us on January 26, 2011 and find out.
Our resident Tcl expert Jeff Hobbs, Director of Engineering at ActiveState and long-time Tcl community leader and member of the Tcl Core Team, provides an overview of the major features in Tcl 8.6, including Tk. Starting with a new core OO system, going through improvements to string and list handling, and caps it off with lots of extras, this webinar covers the major changes in Tcl 8.6 and how to take advantage of them.
Outlines of this lecture:
- What is stream?
- File Output Stream Class
- File Input Stream Class
- Byte Array Output Stream Class
- Sequence Input Stream Class
- File Reader Class
- File Writer Class
- Scanner with String
Magic Clusters and Where to Find Them - Eugene PirogovElixir Club
The talk focuses on Erlang & Elixir facilities for distributed computing.
We'll explore how to build clusters and look at how testing a clustered setup might looks like. We'll create a Mnesia cluster and will talk about CAP theorem. We'll answer the questions of what distributed computing is for, and what Erlang has to offer with regards to balancing the load between the nodes in a cluster.
Experience this and much more in the "Magic Clusters and Where to Find Them" talk!
Elixir Meetup 4 Lviv
ActiveTcl 8.5 has become the standard on which people build their Tcl applications, but Tcl 8.6 is just around the corner. Currently in beta, Tcl 8.6 is expected to have a final release in 2011. What new tricks will 8.6 pull out of the hat? Should you start using Tcl 8.6 soon? Join us on January 26, 2011 and find out.
Our resident Tcl expert Jeff Hobbs, Director of Engineering at ActiveState and long-time Tcl community leader and member of the Tcl Core Team, provides an overview of the major features in Tcl 8.6, including Tk. Starting with a new core OO system, going through improvements to string and list handling, and caps it off with lots of extras, this webinar covers the major changes in Tcl 8.6 and how to take advantage of them.
The basics of Python are rather straightforward. In a few minutes you can learn most of the syntax. There are some gotchas along the way that might appear tricky. This talk is meant to bring programmers up to speed with Python. They should be able to read and write Python.
The goal of this presentation is to broaden your knowledge of Python, exploring some concepts and techniques you might have never heard about. I won't go into too much detail, the goal is only to inspire you to research those features and patterns.
Material ini digunakan untuk kelas teknologi pengenalan pemrograman dengan bahasa pengantar Python http://oo.or.id/py
Dipublikasikan dengan lisensi Atribusi-Berbagi Serupa Creative Commons (CC BY-SA) oleh oon@oo.or.id
File Handling is used in C language for store a data permanently in computer.
Using file handling you can store your data in Hard disk.
http://www.tutorial4us.com/cprogramming/c-file-handling
The basics of Python are rather straightforward. In a few minutes you can learn most of the syntax. There are some gotchas along the way that might appear tricky. This talk is meant to bring programmers up to speed with Python. They should be able to read and write Python.
The goal of this presentation is to broaden your knowledge of Python, exploring some concepts and techniques you might have never heard about. I won't go into too much detail, the goal is only to inspire you to research those features and patterns.
Material ini digunakan untuk kelas teknologi pengenalan pemrograman dengan bahasa pengantar Python http://oo.or.id/py
Dipublikasikan dengan lisensi Atribusi-Berbagi Serupa Creative Commons (CC BY-SA) oleh oon@oo.or.id
File Handling is used in C language for store a data permanently in computer.
Using file handling you can store your data in Hard disk.
http://www.tutorial4us.com/cprogramming/c-file-handling
eBPF Tooling and Debugging InfrastructureNetronome
eBPF, in particular with its driver-level hook XDP, has increased in importance over the past few years. As a result, the ability to rapidly debug and diagnose problems is becoming more relevant. This session will cover common issues faced and techniques to diagnose them, including the use of bpftool for map and program introspection, the disassembling of programs to inspect generated eBPF instructions and other methods such as using debug prints and how to apply these techniques when eBPF programs are offloaded to the hardware.
The slides from Software Diagnostics Services seminar (30th of December 2013) about physical memory analysis on desktop and server Windows platforms (a revised version of the previous seminars on complete crash and hang memory dump analysis). Topics include: memory acquisition and its tricks; user vs. kernel vs. physical memory space; fibre bundle space; challenges of physical memory analysis; common WinDbg commands; memory analysis patterns and their classification; common mistakes; a hands-on WinDbg analysis example with logs; a guide to further study.
(1) c sharp introduction_basics_dot_netNico Ludwig
This presentation comes with many additional notes (pdf): http://de.slideshare.net/nicolayludwig/1-c-sharp-introductionbasicsdotnet-38638887
- History
- Bird's Eye View of Features
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
Slides from my ROOTCON12 training. This material contains an introduction to stack-based buffer overflow. This is also helpful for those who are doing OSCP and wanted to learn exploit development.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. The Problem: getting information from binaries
Each sample contains some total set of information. Our goal is to extract as
much of it as possible
Time/Cost to analyze
Samplecoverage
Static
Dynamic
High coverage
Immediate discovery
Few features
Low coverage
Long discovery
Many features
Core Problems
1. Obfuscation hides much of the info
2. Anti-analysis is difficult to keep up with
3. Not all Malware is equal opportunity
3. Our Goal: Reduce cost of information extraction
1. Reduce the cost of features
extracted via dynamic analysis
2. Increase total number of features
extracted via static analysis
3. Ideally, do both of these at scale
Time/Cost to analyze
SampleCoverage
Dynamic
Static +
Emulation
High coverage
Immediate discovery
Many features
Low coverage
Long discovery
Many features
5. Existing PE Emulators
● PyAna https://github.com/PyAna/PyAna
● Dutas https://github.com/dungtv543/Dutas
● Unicorn_pe https://github.com/hzqst/unicorn_pe
● Long list of other types of emulators
https://www.unicorn-engine.org/showcase/
6. Requirements: What are we adding/extending from
current work?
1. Mechanism for loading up a PE file with its dependencies
2. Framework for defining function and API hooks
3. Mock OS subsystems such as
a. Memory management
b. Registry
c. File system
d. Userland process structures
4. Mock OS environment configuration file
a. Config file specifies language, keyboard, registry keys, etc…
b. Rapid transition from one Mock OS configuration to another
8. Where to start? Parse the PE and DLLs, then map
them into emulation memory...
9. Build hook table by linking DLLs outside emulator
Target PE
DLL1
DLL2
DLL3
Emulated
Process Memory
Binee Address to
Hook table
1. Open PE and all dependencies
2. Update DLL base addresses
3. Update relocations
4. Build Binee exports lookup table
5. Resolve Import Address Tables
for each
6. Map PE and DLLs into memory
12. Requirements for hooking
1. A mapping of real address to Binee’s Hook for that specific function?
2. The calling convention used?
3. How many parameters are passed to the function?
4. Need to determine the return value if any?
type Hook struct {
Name string
Parameters []string
Fn func(*WinEmulator, *Instruction) bool
Return uint64
...
}
13. emu.AddHook("", "Sleep", &Hook{
Parameters: []string{"dwMilliseconds"},
Fn: func(emu *WinEmulator, in *Instruction) bool {
emu.Ticks += in.Args[0]
return SkipFunctionStdCall(false, 0x0)(emu, in)
},
})
Partial Hook, where the function itself is emulated within the DLL
emu.AddHook("", "GetCurrentThreadId", &Hook{Parameters: []string{}})
emu.AddHook("", "GetCurrentProcess", &Hook{Parameters: []string{}})
emu.AddHook("", "GetCurrentProcessId", &Hook{Parameters: []string{}})
Two types of hooks in Binee
Full Hook, where we define the implementation
14. Hook Parameters field defines how many
parameters will be retrieved from emulator and The
name/value pair in output
[1] 0x21bc0780: P memset(dest = 0xb7feff1c, char = 0x0, count = 0x58)
emu.AddHook("", "memset", &Hook{Parameters: []string{"dest", "char", "count"}})
Output is the following
16. At this point, we have a simple loader that will
handle all mappings of imports to their proper DLL.
We’re basically done, right?
17. Still have some functions that require user land memory objects that do not
transition to kernel via system calls
We need segment registers to point to the correct memory locations (thanks
@ceagle)
Not inside of main yet…
18. Userland structures, TIB/PEB/kshareduser
We need a TIB and PEB with some reasonable values
Generally, these are configurable.
Many just need some NOP like value, e.g. NOP function pointer for approximate
malware emulation.
19. All address resolution and mappings are built
outside of the emulator
type ThreadInformationBlock32 struct {
CurentSEH uint32 //0x00
StackBaseHigh uint32 //0x04
StackLimit uint32 //0x08
SubSystemTib uint32 //0x0c
FiberData uint32 //0x10
ArbitraryDataSlock uint32 //0x14
LinearAddressOfTEB uint32 //0x18
EnvPtr uint32 //0x1c
ProcessId uint32 //0x20
CurrentThreadId uint32 //0x24
…
}
20. PEs are parsed and loaded. Basic structures like the
segment registers and TIB/PEB are mapped with
minimum functionality.
We’re defining the entire environment outside of
the emulator...
21. Almost Everything in Windows needs HANDLEs
type Handle struct {
Path string
Access int32
File *os.File
Info os.FileInfo
RegKey *RegKey
Thread *Thread
}
type WinEmulator struct {
...
Handles map[uint64]*Handle
...
}
What is the minimum we need for a HANDLE
in Binee?
1. An abstraction over subsystem data types
2. Helper methods for reading/writing/etc...
to and from subsystems.
22. HANDLEs get allocated directly from the Heap
The Heap plays a central role in Binee
The Heap is what enables and ultimately distributes HANDLEs for all other
emulation layers, including file IO and the registry.
kernel32:*
ntdll:*
Binee MM
Basically, anything not in the stack after
execution has started goes into Binee’s
Heap Manager.
23. Now we have a decent core, at least with respect to
the user land process. Now it is time to build out the
Mock OS subsystems
24. Starting with the Mock File System
What are the requirements for
CreateFileA?
Returns a valid HANDLE into EAX
register
25. Creating Files in the Mock File Subsystem
CreateFile
Emulator
Full Hook Handler
HANDLE Lookup Table
Full hook captures HANDLE from
parameters to CreateFile
If file exists in Mock File System or
permissions are for “write”. Create a
new Handle object and get unique ID
from Heap Manager
Write HANDLE back to EAX
26. Writing Files in the Mock File Subsystem
WriteFile
Emulator
Full Hook Handler
HANDLE
Lookup
Table
Temp
Real File
System
(Sandboxed)
Full hook captures HANDLE from
parameters to WriteFile
HANDLE is used as key to lookup
actual Handle object outside of
emulator
All writes are written to sandboxed
file system for later analysis.
Malware thinks file was written to
proper location and continues as if
everything is successful
27. [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'ERROR_SUCCESS = 0x%xn', p0 = 0x0) =
0x403380
[1] 0x21970b80: F CreateFileA(lpFileName = 'malfile.exe', dwDesiredAccess = 0xc0000000, dwShareMode = 0x0,
lpSecurityAttributes = 0x0, dwCreationDisposition = 0x2, dwFlagsAndAttributes = 0x80, hTemplateFile = 0x0)
= 0xa00007b6
[1] 0x219c8fbe: F VerSetConditionMask() = 0xa00007b6
[1] 0x20af60a0: P __acrt_iob_func() = 0xa00007b6
[1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0xa00007b6) =
0x403380
[1] 0x219c8fbe: F VerSetConditionMask() = 0x403380
[1] 0x20af60a0: P __acrt_iob_func() = 0x403380
[1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0x403380) = 0x403380
[1] 0x219c8fbe: F VerSetConditionMask() = 0x403380
[1] 0x20af60a0: P __acrt_iob_func() = 0x403380
[1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0x403380) = 0x403380
[1] 0x218f5780: P memset(dest = 0xb7feff1c, char = 0x0, count = 0x58) = 0xb7feff1c
[1] 0x21971000: F WriteFile(hFile = 0xa00007b6, lpBuffer = 0xb7feff10, nNumberOfBytesToWrite = 0xb,
lpNumberOfBytesWritten = 0xb7feff0c, lpOverlapped = 0x0) = 0xb
[1] 0x21969500: F IsProcessorFeaturePresent(ProcessorFeature = 0x17) = 0x1
[1] 0x2196cef0: F SetUnhandledExceptionFilter(lpTopLevelExceptionFilter = 0x0) = 0x4
28. And in the console
> ls temp
malfile.exe
> cat temp/malfile.exe
hello world
Now you can see the file contents. Obviously
trivial… more to come….
29. At this point, the user space is largely mocked.
We also have the ability to hook functions, dump
parameters and modify the call execution.
Additionally, we have some mock HANDLEs.
Can we emulate more?!
30. Mock Registry Subsystem
RegOpenKeyA
Mock Registry EmulatorFull Hook on Registry functions
Our hook interacts with the Mock Registry
subsystem that lives outside of the
emulation
Mock Registry has helper functions to
automatically convert data to proper types
and copy raw bytes back into emulation
memory
31. Configuration files defines OS environment quickly
● Yaml definitions to describe as much of the OS context as possible
○ Usernames, machine name, time, CodePage, OS version, etc…
● All data gets loaded into the emulated userland memory
root: "os/win10_32/"
code_page_identifier: 0x4e4
registry:
HKEY_CURRENT_USERSoftwareAutoIt v3AutoItInclude: "yep"
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlArbitersInaccessibleRangePsi: "PhysicalAddress"
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlArbitersInaccessibleRangeRoot: "PhysicalAddress"
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlArbitersInaccessibleRangePhysicalAddress:
"hex(a):48,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,0
0,00,00,01,00,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,ff,ff,ff,ff,ff,f
f,ff,ff"
33. Configuration files can be used to make subtle
modifications to the mock environment which
allows you to rapidly test malware in diverse
environments
Let’s do more...
34. Mocked Threading
Round robin scheduler approximately simulates a multi-thread environment.
Time slices are configurable but equal for each “thread” of execution. Thread
manager handles all the context switching and saving of registers.
Allows us to hand wave (punt for later) most multithreading issues.
Thread 1
Thread 2
Thread 3
Thread 4
Thread Manager Threads inside the emulator
36. Increasing fidelity with proper DllMain execution
Need to setup stack for DllMain call, set up proper
values for DLLs loaded by the PE.
Call this for every DLL loaded by the PE.
But how to do this in the emulator?
Start emulation at each DllMain and stop at ???
BOOL WINAPI DllMain(
_In_ HINSTANCE hinstDLL,
_In_ DWORD fdwReason,
_In_ LPVOID lpvReserved
);
37. ROP Gadgets — an easy shortcut to loading DLLs
A simpler approach is to only start the emulator once when the entire process
space is layed out. However, the start point is no longer the PE entry point.
Instead, entry point is now the start of our ROP chain that calls each loaded
DllMain in order and ending with the PE’s entry point address
lpvReserved
fdwReason
hinstDll
ret
lpvReserved
fdwReason
hinstDll
ret
lpvReserved
fdwReason
hinstDll
ret
envp
argv
argc
dll_1 dll_2 dll_3 malware
38. Demos
● ea6<sha256> shows unpacking and service starting
● ecc<sha256> shows unpacking and wrote malicious dll to disk, loaded dll
and executed it
39. We’ve open-sourced this — What’s next
● Increase fidelity with high quality hooks
● Single step mode, debugger style
● Networking stack and implementation, including hooks
● Add ELF (*nix) and Mach-O (macOS) support
● Anti-Emulation
40. Thank you and come hack with us
https://github.com/carbonblack/binee