The document analyzes and de-virtualizes the FinSpy malware sample. It finds the malware uses virtualization techniques to hide its execution through a virtual machine-like implementation. The author details analyzing the virtual machine code and operations, then describes decrypting and de-obfuscating the virtual machine to generate equivalent native x86 code. Finally, it summarizes the malware's anti-analysis and evasion techniques as well as finding it drops additional payloads depending on the environment.
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
Ever needed to add your custom logic into the network stack?
Ever hacked the network stack but wasn't certain you're doing it right?
Shmulik Ladkani talks about various mechanisms for customizing packet processing logic to the network stack's data path.
He covers covering topics such as packet sockets, netfilter hooks, traffic control actions and ebpf. We will discuss their applicable use-cases, advantages and disadvantages.
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused around virtualization systems, network virtualization and SDN.
Making OpenBSD Useful on the Octeon Network Gear by Paul Iroftieurobsdcon
Abstract
My work on the Octeon port made possible for OpenBSD to run on the D-Link DSR line of mid-range routers and also improved all supported models through the drivers I wrote. I'm continuing my work on improving the OpenBSD experience on the Octeon products by enhancing network support (including advanced switch support among other things) and adding disk support via USB and CFI. This presentation summarizes the developments I brought and the obstacles I faced.
Speaker bio
Paul is an OpenBSD developer since 2008, involved in ACPI, suspend and resume, power management, mips64, porting and currently with a keen interest in the Loongson and Octeon platforms. Currently he's a freelancer and also studying for his PhD in Parallel Algorithms for Signal Processing. In the past he worked for a telephony company developing VoIP, Voicemail and related software and after that as an antivirus engine developer and reverse engineer. In his spare time he enjoys a good game of Go, running or hiking.
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
Ever needed to add your custom logic into the network stack?
Ever hacked the network stack but wasn't certain you're doing it right?
Shmulik Ladkani talks about various mechanisms for customizing packet processing logic to the network stack's data path.
He covers covering topics such as packet sockets, netfilter hooks, traffic control actions and ebpf. We will discuss their applicable use-cases, advantages and disadvantages.
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused around virtualization systems, network virtualization and SDN.
Making OpenBSD Useful on the Octeon Network Gear by Paul Iroftieurobsdcon
Abstract
My work on the Octeon port made possible for OpenBSD to run on the D-Link DSR line of mid-range routers and also improved all supported models through the drivers I wrote. I'm continuing my work on improving the OpenBSD experience on the Octeon products by enhancing network support (including advanced switch support among other things) and adding disk support via USB and CFI. This presentation summarizes the developments I brought and the obstacles I faced.
Speaker bio
Paul is an OpenBSD developer since 2008, involved in ACPI, suspend and resume, power management, mips64, porting and currently with a keen interest in the Loongson and Octeon platforms. Currently he's a freelancer and also studying for his PhD in Parallel Algorithms for Signal Processing. In the past he worked for a telephony company developing VoIP, Voicemail and related software and after that as an antivirus engine developer and reverse engineer. In his spare time he enjoys a good game of Go, running or hiking.
This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder.
We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.
Не так давно Гор Нишанов представил свой доклад: C++ Coroutines a negative overhead abstraction. В этом докладе Гор упомянул, что предложенный дизайн корутин позволяет их использовать практически в любых окружениях, в том числе и с "бедным" C++ рантаймом.
Я решил попробовать запустить корутины в следующих окружениях: обычное приложение, драйвер ОС Windows, EFI приложение. Только в одном из этих окружений есть полноценный C++ рантайм и поддержка исключений, в остальных ничего этого нет. Более того, EFI приложение вообще выполняется до старта ОС.
Я хочу рассказать о том, как мне удалось запустить корутины в этих окружениях, поговорим о том, какие проблемы существуют в асинхронном системном программировании и как их можно обойти.
Lecture slides that I used in Advanced Information Security Summer School (AIS3, 2016 & 2018) in Taiwan. https://ais3.org/
台湾の高度セキュリティ人材育成プログラム(AIS3, 2016/2018)の講義で利用した講義資料です。
This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder.
We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.
Не так давно Гор Нишанов представил свой доклад: C++ Coroutines a negative overhead abstraction. В этом докладе Гор упомянул, что предложенный дизайн корутин позволяет их использовать практически в любых окружениях, в том числе и с "бедным" C++ рантаймом.
Я решил попробовать запустить корутины в следующих окружениях: обычное приложение, драйвер ОС Windows, EFI приложение. Только в одном из этих окружений есть полноценный C++ рантайм и поддержка исключений, в остальных ничего этого нет. Более того, EFI приложение вообще выполняется до старта ОС.
Я хочу рассказать о том, как мне удалось запустить корутины в этих окружениях, поговорим о том, какие проблемы существуют в асинхронном системном программировании и как их можно обойти.
Lecture slides that I used in Advanced Information Security Summer School (AIS3, 2016 & 2018) in Taiwan. https://ais3.org/
台湾の高度セキュリティ人材育成プログラム(AIS3, 2016/2018)の講義で利用した講義資料です。
This slide deck focuses on eBPF JIT compilation infrastructure and how it plays an important role in the entire eBPF life cycle inside the Linux kernel. First, it does quite a number of control flow checks to reject vulnerable programs and then JIT compiles the eBPF program to either host or offloading target instructions which boost performance. However, there is little documentation about this topic which this slide deck will dive into.
"HHVM is a high-performance, open source PHP execution engine developed at Facebook. It’s the fastest PHP runtime in the world, with support for PHP5, PHP7, and Hack—the programming language used for Facebook’s web server application logic. In addition to powering Facebook’s web tier, HHVM has also been adopted by other major services such as Wikipedia, Baidu, and Box.
HHVM uses just-in-time compilation to transform PHP and Hack source code into optimized machine code. Thanks to contributions from developers across the ARM community, HHVM can now target AArch64 in addition to x86-64 and successfully runs open source PHP frameworks like WordPress. Join us for an overview of HHVM, a quick demo, and some thoughts on where optimization efforts can go from here."
Linux has this great tool called strace, on OSX there’s a tool called dtruss - based on dtrace. Dtruss is great in functionality, it gives pretty much everything you need. It is just not as nice to use as strace. However, on Linux there is also ltrace for library tracing. That is arguably more useful because you can see much more granular application activity. Unfortunately, there isn’t such a tool on OSX. So, I decided to make one - albeit a simpler version for now. I called it objc_trace.
The presentation from SPbPython meetup about simple self-made just-in-time (JIT) compiler for Python code.
N-th Fibonacci sequence number returning function is JIT-ed in the example.
A compact bytecode format for JavaScriptCoreTadeu Zagallo
JavaScriptCore (JSC) is the multi-tiered JavaScript virtual machine in WebKit. The bytecode is a central piece in JSC: it’s executed by the interpreter and the source of truth for all of JSC’s compilers. In this talk we’ll look at the recent redesign of our bytecode format, which cut its size in half and enabled persisting the bytecode on disk without impacting the overall performance of the system.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
2. Outline
● Background info
● Main binary
● The first drop
○ Virtualization analysis
○ De-virtualization
● Further analysis
○ Collection of anti- tricks
○ The big picture
○ Crypto, MBR...
● Lessons learned
3. Background
● "From Bahrain with Love" post at citizenlab
○ Emails from a fake Aljazeera reporter account sent
to Bahrein "activists".
○ Using the RTL trick to pretend to be .jpg's
○ citizenlab analyzed the malware and announced it
as a component of FinFisher from Gamma Intl.
○ The post provides hashes for all the samples
analyzed. Let's take a look at
49000fc53412bfda157417e2335410cf69ac26b66b0
818a3be7eff589669d040
4. Main sample
● Looks like an apparently harmless Windows
application (WndProc does nothing)
7. Virtualization analysis
● VM setup
Context
ThreadID Instruction Decrypted
Index
Context (CTX) VM code
Table
● Offset to VM instruction code ● Copy of stack pointer
● Max valid address inside context ● Search VirtualEIP function
● Temp register ● Current instruction VEIP
● Return address ● Opcode
● Return via epilogue ● Relocation information
● Obfuscation relative offset ● Raw bytes
● Process imagebase ● First free address
8. Virtualization analysis
Basic flow of main loop
1. Disable NX if possible
2. Allocate an array of "VM
context" handles
3. Allocate a context for current
thread (CTX)
4. Unpack VM
5. Search for entry point
6. Prepare VM OP instruction
7. Decrypt VM code
8. Execute virtual OP
9. Goto 6
11. Virtualization analysis
● Opcodes: 11 opcodes used. Two types
○ Native: "Raw bytes" are used to construct x86 native
code and executed.
○ VM-level: just modifications on the CTX structure,
basically operations with the temp register
15. Virtualization analysis
Opcode 0x06: Native register to temp register
PUSHFD + PUSHAD
EFLAGS (+4)
POP EDI (CTX[op_bytes] = 7)
POP ESI (CTX[op_bytes] = 6)
POP ESP (CTX[op_bytes] = 5)
POP EBP (CTX[op_bytes] = 4)
POP EBX (CTX[op_bytes] = 3)
POP EDX (CTX[op_bytes] = 2)
POP ECX (CTX[op_bytes] = 1)
POP EAX (CTX[op_bytes] = 0)
16. Virtualization analysis
CTX[ret_eax] epilogue
[ESP-4] = EAX
POPF POPAD does
POP EDI POP EDI
POP ESI POP ESI
POP EBP POP EBP
POP EBX INC ESP+4 POPAD
POP EBX POP EBX
POP EDX POP EDX
POP ECX POP ECX
POP EAX POP EAX
JMP [ESP-0x28] ; Initial EAX value
29. De-virtualization
● Scan code for jump to the VM (PUSH
<VirtualEIP> + JMP VM_start)
● Calculate padding to next function (optional)
● Unpack and decrypt VM code
● Search for each VirtualEIP
● Translate VM into x86 code (easy!)
● Overwrite padding with generated x86 code
○ Stop when VirtualEIP is referenced by another VM
jump, as that's the entry point of another function.
○ Yes, we're lucky that instructions are sequential ;)
30. Analysis of de-virtualized code
● De-virtualized code contains several anti-*
tricks
● All of them are known, so not so much fun
● Lots of blacklisted id's (who were they trying
to avoid?)
32. Analysis of de-virtualized code
● Anti-debug:
○ Checks PEB for the BeingDebugged flag
○ Uses the Ollydbg float exploit (FFFF...3D40)
○ Replace DbgBreakPoint function (is a single int3) with
a NOP.
○ ZwSetInformationThread with ThreadInformationClass
== 0x11 (detach debugger)
○ CloseHandle() with invalid handle
○ ZwQueryInformationProcess with
ThreadInformationClass == 0x7 ProcessDebugPort and
0x1E ProcessDebugObjectHandle
○ ZwSetInformationThread enabling
ThreadHideFromDebugger
33. Analysis of de-virtualized code
● Misc anti-*:
○ Manual load of DLLs. Open, read, apply relocs and
then parse export directory to resolve APIs by hash.
○ Opens JobObjects with names like
LocalCOMODO_SANDBOX_0x%X_R%d (%X is PID and %d is
in range [1-6]).
■ If it succeeds, call BasicUIRestrictions and
ExtendLimitInformation (seems limiting memory
usage to a really low limit)
○ (Continues...)
34. Analysis of de-virtualized code
● Misc anti-*:
○ Check running process and modules looking for:
● cmdguard.sys and cfp.exe for Comodo
● klif.sys and avp.exe for Kaspersky
● bdspy.sys and bullguard.exe for BullGuard
● ccsvchst.exe for Symantec
● fsm32.exe and fsma32.exe for F-Secure
● rfwtdi.sys and rsfwdrv.sys for Beijing Rising
■ No AVKills, but depending on present AV the
sample uses different drop/inject methods
■ For Kaspersky, it even opens the avp.exe file and
checks for the version inside (ver 0xB000)
36. Analysis of de-virtualized code
● Enough anti-stuff, what is the payload??
● Actually it just drops more samples,
depending on the environment.
○ Sample drops a 32-bit or 64-bit DLL depending on
the OS
○ DLL is loaded/injected depending on what AV
product is present
● So, all this boring stuff just to get a couple of
dropped files? Now what?
○ Now we have a de-virtualizer, we can automate and
get rid of all this much faster...
37. RT_DIALOG RT_BITMAP RT_"BIN"
(XOR) (XOR) Drop101 (XOR) Drop101
Original DLL
Drop101 driver
sample encrypted
imports
RT_BITMAP RT_"BIN"
(XOR) (XOR +
RT_DIALOG DEFLATE)
(XOR)
Drop102
64-bit Drop102 injected in iexplore.exe
RT_"BIN" (communication module)
(PLAIN) DLL
Doc, fltlib.dll
PNG,
PDF Drop 101
DLL
de loa
...
cr ds
yp
ts
RT_"BIN"
&
(PLAIN)
Drop108
MBR
RT_"BIN"
(PLAIN) RT_"BIN"
Drop 257 (XOR)
DLL Drop 102
driver
RT_24 (XOR
RT_ICON + DEFLATE)
(RC4) Drop 104
RT_"BIN"
RT_"BIN" DLL encrypted
(PLAIN)
Drop109 (PLAIN) imports
DLL encrypted
imports
Drop 103
DLL encrypted
imports
RT_24
(RC4)
RT_24
(XOR, RC4?...)
RES_261
(RC4)
RC4 keys (size
RES_260 = 0x400)
!
me
sa
Plain executable Two blobs of data. First xor-
encrypted contains C2 hostname
and other strings. Second is RC4-
encrypted (key in the RT_ICON
Virtualized code
RT_ICON (RC4 resource)
encrypted)
kernel + virtualized
unknown
38. Analysis of de-virtualized code
● Crypto
○ XOR for most drops (key fixed or in some cases key
is timestamp from PE header)
○ RC4 for critical data resources, keys are stored in a
common config file.
○ In some cases, filename is the key.
● MBR
○ Probably worth another talk ;)
○ Is in charge to load the hiding driver during boot
○ MBR payload is constructed from a template, so
component that installs it has to "fill the blanks" like
disk geometry params and payloads.
○ Infection check: if MBR[0x2C:0x2D] == CD 18
(int18h), then you may have a problem
39. Lessons learned
● VM really well designed
○ Same VM works for x86-32 and 64bit
○ The conditional jump emulation was the key to avoid
having to worry about EFLAGS emulation.
● Complex malware == modular project.
○ However modular means you can face older/buggy
versions of components you already analyzed (ex:
APLib).
● Removing virtualization is sometimes
possible (cost < benefit)
○ In this case, benefit was obvious because of the
number of virtualized modules using the same VM