This document discusses techniques that malware authors use to frustrate malware analysts, including inserting breakpoints, manipulating timing functions, exploiting Windows internals like debug flags and objects, anti-dumping methods, VM detection, and debugger-specific tricks. The author also announces a public malware repository and API called VXCage for sharing samples.
Malware Analysis on a Shoestring BudgetMichael Boman
How can you build an infrastructure using mainly free and open source software to analyze potentially malicious code? How can you leverage free public services together with in-house systems to compete against expensive commercial solutions, whose cost is prohibitive for many researchers?
A client-side vulnerability under the microscope!Nelson Brito
Understanding reverse engineering using MS08-078. This presentation is an updated version of a previous series of presentations, which shows a practical methodology to perform a reverse engineering... The approach can be applied more broadly to any/most of the vulnerabilities targeting client-side applications.
For further details and information, please refer to:
- http://www.vimeo.com/nbrito
- https://www.slideshare.net/nbrito01/inception-support-slides
The purpose of this presentation is to explain the basic resources needed to understand how a programmer can create malware, to give insights into the theme, and to brainstorm, following practical code, many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
In this presentation, you can learn many practical resources about WAF, how you can create your WAF, and how you can bypass protections in common WAFs.
A survey of Ferrie's Virus Bulletin series on anti-unpacking techniques and an examination of these techniques (or their absence) in prevalent malware families.
Presented at Virus Bulletin 2009.
http://www.virusbtn.com
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...Wayne Huang
This talk was given at DEF CON 2010 by Jeremy Chiu, Benson Wu, and Wayne Huang
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
For antivirus vendors and malware researchers today, the challenge lies not in "obtaining" the malware samples - they have too many already. What's needed is automated tools to speed up the analysis process. Many sandboxes exist for behavior profiling, but it still remains a challenge to handle anti-analysis techniques and to generate useful reports.
The problem with current tools is the monitoring mechanism - there's always a "sandbox" or some type of monitoring mechanism that must be loaded BEFORE malware execution. This allows malware to detect whether such monitoring mechanisms exist, and to bail out thus avoiding detection and analysis.
Here we release 0box--an afterDark analyser that loads AFTER malware execution. No matter how well a piece of malware hides itself, there will be runtime forensics data that can be analyzed to identify "traces" of a process trying to hide itself. For example, evidences within the process module lists or discrepancies between kernel- and user-space datastructures. Since analysis is done post mortem, it is very hard for malware to detect the analysis.
By using runtime forensics to extract evidences, we turn a piece of malware from its original binary space into a feature space, with each feature representing the existence or non-existence of a certain behavior (ex, process table tampering, unpacking oneself, adding hooks, etc). By running clustering algorithms in this space, we show that this technique not only is very effective and very fast at detecting malware, but is also very accurate at clustering the malware into existing malware families. Such clustering is helpful for deciding whether a piece of malware is just a variation or repacking of an existing malware family, or is a brand new find.
Using three case studies, we will demo 0box, compare 0box with recent talks at BlackHat and other security conferences, and explain how 0box is different and why it is very effective. 0box will be released at the conference as a free tool.
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
A Security Barrier Device protects PC and other control devices by relaying every port between the motherboard and the peripherals. The SBD is totally transparent from the PC and can be installed regardless of OS or application. At this presentation I will discuss the storage securing function achieved by the SBD relaying the SATA port.
The SBD has a security information disk only accessible to itself, where it stores the access privilege information of the original disk in the PC. When the PC issues a data access request to the original disk, the SBD references the access privileges of that particular sector: if the sector is read-deny, it returns dummy data of 0; if the sector is write-deny, it won't write to that sector. The SBD allows not only sector-based protection but also file-based protection. In the case of a file write-deny, there were some issues with the disk-related cache in memory not being synchronised, or the pointer's position to the file in regards to its directory being shifted, but I will show how these were solved.
I will also talk about the fact that a SBD is an effective protection against any malware that attempts to manipulate the boot data sector or system files, once it detects any access right violations it can shutdown the ethernet port remotely and thwart the spreading of malware.
Kenji Toda
At the National Institute of Advanced Industrial Science and Technology, he conducted research and development of 30 Gbps intrusion detection systems, 60 Gbps URL filtering systems, and network-device testing equipment for such systems. He is currently co-developing security barrier devices with the Research and Development Control System Security Center. (Presented at international conferences regarding MST and real-time systems.)
http://codeblue.jp/en-speaker.html#KenjiToda
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.
The last bugs are finished, testing is complete, and business is ready. What do you do next? In this talk we will cover the topics to ensure that you are prepared for a successful launch of your MongoDB based product, including:
- Key counters and metrics: Page Faulting? IO Bound? What's my working set? How do I know?
- Load Testing and Capacity Planning: How much resource is my MongoDB going to use? When do I need to add replicas and shards?
- Monitoring: What should I be watching and how do I know if things are running correctly?
We will map the theory to the practice by illustrating with real world examples.
Bright talk voip vofi webinar jan2015-v2Savvius, Inc
With over 10 years of deployment history, VoIP is the primary voice solution for just about every company in existence - large, medium, or small. But even with all that history, recent research from TRAC shows that VoIP is still the number one IT initiative impacting network performance. And with the growth of 802.11 and Wi-Fi enabled smart phones, the use of voice over Wi-Fi (VoFi) promises to increase the volume of VoIP traffic even more.
Analyzing VoIP traffic alone is not enough. VoIP analysis must be part of your overall network performance analysis. After all, VoIP is just another data type on your network, and according to TRAC, it is impacting your network performance, so you must monitor and analyze the network as a whole, including voice and video over IP. Watch to see how easy it is to capture and analyze voice, video, and data traffic simultaneously, allowing you to pinpoint the impact of each data type on your overall network performance.
Omnipliance family - Powerful Precise AffordableSavvius, Inc
In a recent survey by WildPackets, we reconfirmed the obvious – a large majority of you are already supporting 10G networks. But we also uncovered some surprises. It appears that although networks are moving to 10G (and beyond), network visibility does not seem to be keeping up. Real-time network analysis—until now, recognized as an essential tool for NOCs and IT engineers generally--is seen as no longer a viable option. In the opinions of survey respondents, current network analysis solutions simply lack the flexibility, along with the power, reliability, and accuracy, to address network analysis needs at 10G and beyond.
Join us as we dive into our survey results, and then compare perception and reality. Are network analysis tools really not keeping up with 10G? Is the era of real-time analysis finally over? As data volumes rise, must every forensic search be slow and laborious? Is 10G turning out to be a step forward for network throughput but a step backward for network management?
It's time for an open and honest assessment of what's really possible. We'll dispel the myths, confirm the realities, and present the best techniques available for performing network analysis at 10G and beyond. No more compromising.
In this web seminar, we will cover:
- The state of faster networks
- The myths and realities in high-speed network analysis and forensics
- How to use the latest technologies to meet your network analysis and forensics needs
What you will learn:
- How your colleagues view high-speed network analysis and forensics
- How to scale your network analysis and forensics capabilities as your network scales
- How to eliminate compromises in network analysis and forensics at 10G and beyond
All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Thr...Savvius, Inc
Do you think it requires an advanced degree to initiate an advanced security attack? Think again. Tool kits are readily available for immediate download that guide those with even just basic computer skills through the steps to initiate complex network attacks. But all hope is not lost. One of the best defenses is readily available in the market today – network recorders with network forensics – and when combined with the appropriate visibility fabric architecture, these solutions defend against attacks on even the fastest networks available today.
Join WildPackets and Gigamon as we explore the current state of network attacks, network vulnerabilities, and the solutions available to combat the most aggressive, and the most subtle, attacks.
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersSavvius, Inc
When you suspect an attack, you need to answer the questions who, what, when and how - fast. Network forensics is the answer. In this webinar, you'll learn from our special guest, Keatron Evans, how network forensics—network traffic recording along with powerful search and analysis tools—can enable your in–house security team to track down, verify, and characterize attacks. Keatron will walk you through a few real-world security breach scenarios and demonstrate live best practices for attack analysis using network forensics to find the proof you need quickly to take action.
Special Guest: Keatron Evans:
Keatron, one of the two lead authors of "Chained Exploits: Advanced Hacking Attacks From Start to Finish", is regularly engaged in training and consulting for members of the United States intelligence community, military, and federal law enforcement agencies. Keatron specializes in penetration testing, network forensics, and malware analysis. Keatron serves as Senior Security Researcher and Principal of Blink Digital Security, which performs penetration tests and forensics for government and corporations.
Network Forensics Backwards and ForwardsSavvius, Inc
When you suspect an attack, you need to answer the questions who, what, when and how - fast. Network forensics is the answer. In this webinar, you'll learn from our special guest, Keatron Evans, how network forensics—network traffic recording along with powerful search and analysis tools—can enable your in–house security team to track down, verify, and characterize attacks. Keatron will walk you through a few real-world security breach scenarios and demonstrate live best practices for attack analysis using network forensics to find the proof you need quickly to take action.
Special Guest: Keatron Evans:
Keatron, one of the two lead authors of "Chained Exploits: Advanced Hacking Attacks From Start to Finish", is regularly engaged in training and consulting for members of the United States intelligence community, military, and federal law enforcement agencies. Keatron specializes in penetration testing, network forensics, and malware analysis. Keatron serves as Senior Security Researcher and Principal of Blink Digital Security, which performs penetration tests and forensics for government and corporations.
Network Analysis Tips & Tricks with OmnipeekSavvius, Inc
With a corporate history spanning 25 years, and hundreds of person-years of customer-facing network analysis and troubleshooting experience, we’ve come across more than a few best practices along the way. OmniPeek Enterprise is WildPackets’ flagship product, offering an intuitive, easy-to-use graphical interface that you can use to rapidly analyze and troubleshoot enterprise networks. In this web seminar, our subject matter experts will demonstrate some of their favorite OmniPeek features, including steps on how to quickly analyze, drill down and fix network performance bottlenecks across multiple network segments.
Planning For Success - Wireless Network Design, Analysis, and TroubleshootingSavvius, Inc
Watch the full OnDemand Webcast: http://bit.ly/wirelessnetworkdesign
Wireless networks are extremely flexible and cost-effective, but they are also highly complex, especially when the scale of the network is large. Wireless networks can no longer "grow organically". They require very careful planning, including a specific design that is verified and possibly modified based on empirical data before wide-scale implementation. They require rigorous testing prior to roll-out to ensure that the specified design achieves the desired goals. They require instrumentation for ongoing analysis and testing, immediately after roll-out to again ensure that design assumptions are correct, and throughout the entire lifecycle of the network, as even the best design is not fool-proof and detailed troubleshooting will be required along the way to properly manage the network. The best approach is to use an integrated set of products that work together to address the entire lifecycle, from preliminary design to live network monitoring to detailed troubleshooting and analysis. This is exactly what the joint solution from WildPackets and Ekahau achieves. This web seminar will walk you through the entire life cycle, using real products to address each step of the process.
In this web seminar, we will cover:
- Wireless network design and verification
- Pre-deployment analysis
- Real-time network analysis and troubleshooting
- Managing expanded usage
What you will learn:
1. How to use site survey software for design and verification
2. How to use network analysis software for monitoring and troubleshooting
3. How to use spectrum analysis software to confirm cases of interference
Savvius Vigil is the first network appliance able to intelligently store months of packet-level information to enhance security investigations. Savvius Vigil integrates with your existing SIEM platform to examine packets related to a breach weeks or months after the incident occurred. This information is often vital to a full understanding of the threat.
44CON 2014: Using hadoop for malware, network, forensics and log analysisMichael Boman
The number of new malware samples is over a hundred thousand a day, network speeds are measured in multiples of ten gigabits per second, computer systems have terabytes of storage, and the log files are just piling up. By using Hadoop you can tackle these problems in a whole different way, and "Too Much Data to Process" will be a thing of the past.
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniquessecurityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Discussing Errors in Unity3D's Open-Source ComponentsPVS-Studio
Unity3D is one of the most promising and rapidly developing game engines to date. Every now and then, the developers upload new libraries and components to the official repository, many of which weren't available as open-source projects until recently. Unfortunately, the Unity3D developer team allowed the public to dissect only some of the components, libraries, and demos employed by the project, while keeping the bulk of its code closed. In this article, we will try to find bugs and typos in those components with the help of the PVS-Studio static analyzer.
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...CODE BLUE
An embedded system has a stub to connect with a host PC and debug a program on the system remotely. A stub is an independent control program that controls a main program to enable debugging by a debugger. A stub is simplified by only processing the simple controls such as reading or writing of the register or of a memory, and a debugger processes a complicated analysis on the host PC.
Communication between a debugger on the host PC and a stub on the embedded system is performed by a protocol called Remote Serial Protocol (RSP) over a serial or TCP/IP connection. If this communication is taken over, it becomes possible to operate the stub arbitrarily. We considered what kind of attack was possible in that case, and identified that execution of arbitrary code constructed from pieces of existing machine code (Step-Oriented Programming, SOP) is possible by repeating single-step execution while changing the value of the program counter. Therefore it is possible to construct arbitrary code and execute it from existing machine code, even if execution of injected machine code is impossible because execution in the data area is prevented by DEP or only machine code on the flash ROM is allowed to execute.
I will explain about an attack principle by SOP and the results from constructed attack code and actual inspection.
This will be 6 live hacking demos. The idea is not to discuss dry theory, but to see in practice how not always obvious errors are the source of serious vulnerabilities in your JavaScript application.
6 ways to hack your JavaScript application by Viktor Turskyi OdessaJS Conf
This will be 6 live hacking demos. We will not do theory, but will see in practice how small and not always obvious errors lead to significant vulnerabilities in your JavaScript application.
DEEPSEC 2013: Malware Datamining And AttributionMichael Boman
Greg Hoglund explained at BlackHat 2010 that the development environments malware authors use leave traces in the code which can be used to attribute malware to an individual or a group of individuals. Not with the precision of name, date of birth and address, but with evidence that an arrested suspect's computer can be analysed and compared with the "tool marks" on the collected malware sample.
44CON 2013 - Controlling a PC using ArduinoMichael Boman
Slides from the workshop "Controlling a PC using Arduino" conducted at 44CON 2013 in London. It goes through hardware and software used to remotely control a PC (power/reset). Future developments will be including a telnet/rs232 and environment variables.
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...Michael Boman
This short workshop will teach attendees how to easily and quickly find vulnerabilities in Windows applications by using some easy-to-use tools. I will detail step by step some simple techniques that can be used by experts and non-experts. While the techniques are simple, the results can be great. Learning these easy and fast techniques will allow attendees to do quick audits on Windows applications to determine how secure they are. I will show how to spot vulnerabilities with just a couple of clicks or with very simple and short debugging sessions. The techniques I will be showing are the same that allowed me to find dozens of vulnerabilities in Windows applications; I'm sure that after the workshop attendees will be able to do the same.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
How to drive a malware analyst crazy
1. How to drive a malware analyst crazy
MICHAEL BOMAN, MALWARE RESEARCH INSTITUTE
2. About me
4th year speaking at 44CON
- 2012: Malware as a hobby [P]
- 2013: Controlling a PC using Arduino [WS]
- 2014: Malware analysis as a big data problem [P]
- 2015: Malware anti-reversing [P], Indicators of Compromise [WS]
Malware Researcher, Founder Malware Research Institute
6 kids, one more on the way…
5. Disclaimer
These are the techniques I’ve come across trying to keep malware researchers out of the game
Or just waste a heck of a lot of time doing quite silly things…
Not a complete list of techniques
The techniques discussed are aimed towards an x86/win32 environment
7. How INT3 breakpoints work
mov eax, fs:[0x30]
mov eax, [eax + 0x0c] // <- Break here
mov eax, [eax + 0x0c]
mov dword ptr [eax + 0x20], NewSize
8. How INT3 breakpoints work
mov eax, fs:[0x30]
int 3h [garbage] // <- EP
mov eax, [eax + 0x0c]
mov dword ptr [eax + 0x20], NewSize
9. How INT3 breakpoints work
mov eax, fs:[0x30]
mov eax, [eax + 0x0c] // <- restored by debugger
mov eax, [eax + 0x0c]
mov dword ptr [eax + 0x20], NewSize
10. Memory Breakpoints
Allocate memory, mark it PAGE_GUARD
When accessed, STATUS_GUARD_PAGE_VIOLATION is raised and handled by the program
Allocate memory as buffer
Fill buffer with RET instruction
Mark buffer with PAGE_GUARD
PUSH potential return address to stack
JMP to buffer
If debugger:
RET will jump back to potential return address
else:
STATUS_GUARD_PAGE_VIOLATION exception occurs
11. Hardware breakpoints
Hardware breakpoints are a technology implemented by Intel in their processor architecture, and are controlled by the use of special registers DR0 - DR7
DR0 - DR3 - 32 bit registers for the breakpoint address
DR4, DR5 - obsolete synonyms for DR6 and DR7
DR6 – Debug status
DR7 – Debug control
12. Technique #1: Breakpoints
INT 3h
Look for code that scans memory for 0xCC [INT3] and/or 0xCD 0x03 [INT (immediate) 3]
Memory Breakpoints
Look for memory allocations with PAGE_GUARD flag set
Hardware Breakpoints
Win32 GetThreadContext and SetThreadContext
Structured Exception Handling
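To act on the GetThreadContext/SetThreadContext point above, here is an added example (not code from the talk) that decodes the DR7/DR6 bit layout documented in the Intel SDM and shows what an analyst-side GetThreadContext hook would hand back to a debuggee that inspects its own CONTEXT: a copy with Dr0-Dr7 cleared, with the real values set aside so the debugger can restore them. The CONTEXT is modelled as a plain dict and all register values are constructed.

```python
"""Decode x86 debug registers and scrub them from a CONTEXT copy.
Added example; the bit layout follows the Intel SDM (vol. 3, Debug Registers)."""

# R/W field encodings (bits 16-17, 20-21, 24-25, 28-29 of DR7)
_RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field encodings (bits 18-19, 22-23, 26-27, 30-31 of DR7);
# 0b10 means 8 bytes only in 64-bit mode, it is undefined on 32-bit
_LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return a list describing every enabled hardware breakpoint slot.
    dr0_3 holds the DR0..DR3 breakpoint addresses (constructed in the test)."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # L0..L3: enabled for this task
        glob = (dr7 >> (2 * i + 1)) & 1     # G0..G3: enabled globally
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({
            "slot": i,
            "address": dr0_3[i],
            "scope": "global" if glob else "local",
            "type": _RW_TYPES[rw],
            # execute breakpoints must use LEN=00, i.e. one byte
            "length": 1 if rw == 0b00 else _LEN_BYTES[ln],
        })
    return slots


def decode_dr6(dr6):
    """Which slots fired (B0..B3) and whether the single-step flag (BS) is set."""
    return {"hit": [i for i in range(4) if (dr6 >> i) & 1],
            "single_step": bool((dr6 >> 14) & 1)}


def scrub_debug_registers(context):
    """What a hooked GetThreadContext would return to the debuggee: the same
    CONTEXT with Dr0-Dr3, Dr6 and Dr7 zeroed. The real values are returned
    separately so the debugger can put them back on SetThreadContext."""
    keys = ("Dr0", "Dr1", "Dr2", "Dr3", "Dr6", "Dr7")
    hidden = {k: context[k] for k in keys if k in context}
    cleaned = dict(context)
    for k in hidden:
        cleaned[k] = 0
    return cleaned, hidden
```

Bit 10 of DR7 is reserved and reads as 1 on real hardware, so a DR7 of 0x400 means "no breakpoints"; the decoder ignores it. A hook that only zeroes DR7 but leaves DR0-DR3 populated is a tell, which is why the scrub clears all six fields together.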
14. Technique #2: Timing
RDTSC (ReaD TimeStampClock)
Mark RDTSC as an elevated instruction (it can then be intercepted and modified)
Win32 Timing Functions
Use DLL-injection to overload the function with one that lies nicely in our favour
Please remember to lie consistently to all timing methods.
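An added example of the "lie consistently" point (not the author's code): a sandbox-side virtual clock that derives every timer a debuggee can read from one virtual nanosecond counter, next to the cross-check a debuggee could run to catch a timer that was patched on its own. The frequencies (2.4 GHz TSC, 10 MHz QueryPerformanceCounter) and the snapshot layout are assumptions; GetTickCount is modelled as the 32-bit millisecond counter it is.

```python
"""One virtual time base feeding RDTSC, GetTickCount and QueryPerformanceCounter
substitutes, so elapsed time agrees whichever pair the debuggee compares.
Added example; frequencies and bases are constructed."""


class VirtualClock:
    TICK_WRAP = 1 << 32  # GetTickCount is a 32-bit millisecond counter

    def __init__(self, tsc_hz=2_400_000_000, qpc_hz=10_000_000,
                 tsc_base=0, tick_base_ms=0, qpc_base=0):
        self.tsc_hz = tsc_hz
        self.qpc_hz = qpc_hz
        self.tsc_base = tsc_base
        self.tick_base_ms = tick_base_ms
        self.qpc_base = qpc_base
        self.ns = 0  # virtual nanoseconds elapsed since the hooks were installed

    def advance(self, ns):
        """The sandbox decides how much time to expose; every timer follows."""
        self.ns += ns

    def rdtsc(self):
        return self.tsc_base + self.ns * self.tsc_hz // 1_000_000_000

    def get_tick_count(self):
        return (self.tick_base_ms + self.ns // 1_000_000) % self.TICK_WRAP

    def query_performance_counter(self):
        return self.qpc_base + self.ns * self.qpc_hz // 1_000_000_000

    def snapshot(self):
        """What a debuggee reading all three timers at once would see."""
        return {"tsc": self.rdtsc(), "tick_ms": self.get_tick_count(),
                "qpc": self.query_performance_counter()}


def elapsed_seconds(before, after, tsc_hz, qpc_hz):
    """Elapsed time between two snapshots as each timer reports it."""
    tick_delta = (after["tick_ms"] - before["tick_ms"]) % VirtualClock.TICK_WRAP
    return {
        "tsc": (after["tsc"] - before["tsc"]) / tsc_hz,
        "tick": tick_delta / 1000.0,
        "qpc": (after["qpc"] - before["qpc"]) / qpc_hz,
    }


def clocks_agree(before, after, tsc_hz, qpc_hz, tolerance_s=0.002):
    """The cross-check a timing-aware sample might perform: do all timers report
    the same elapsed time? GetTickCount has about 1 ms resolution, so a couple
    of milliseconds of slack is allowed. Run it against your own sandbox first."""
    seen = list(elapsed_seconds(before, after, tsc_hz, qpc_hz).values())
    return max(seen) - min(seen) <= tolerance_s
```

The second half of the test below shows the failure mode the slide warns about: patching only GetTickCount while RDTSC and QPC keep running at real speed makes the three timers disagree by an amount no rounding explains.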
16. ProcessDebugFlags
Pass the undocumented class ProcessDebugFlags (0x1f) to the NtQueryInformationProcess() function.
When NtQueryInformationProcess is called with the ProcessDebugFlags class, it returns the inverse of EPROCESS -> NoDebugInherit
FALSE == Debugger present
17. Debug Object Handle
Windows XP or later
When a process is being debugged, a Debug Object is created
Can be queried using NtQueryInformationProcess
Originates from the kernel -> hard to hide
18. Thread Hiding
Windows 2000 and later
HideThreadFromDebugger class, passed into NtSetInformationThread
The class prevents debuggers from receiving events from any thread that has had NtSetInformationThread called on it with the HideThreadFromDebugger class.
These events include breakpoints, and the exiting of the program if it is called on the main thread of an application.
19. BlockInput
BlockInput() blocks mouse and keyboard messages from reaching the desired application
Only the thread that called BlockInput can call it to remove the block
Not really Anti-RE, but can mess with you
21. Technique #3: Windows Internals
ProcessDebugFlags
Check NtQueryInformationProcess() calls for the [undocumented] ProcessDebugFlags (0x1f) class
Hook NtQueryInformationProcess(), lie about the ProcessDebugFlags value
Debug Object Handle
Hook NtQueryInformationProcess(), remove any links to debug objects
Thread Hiding
Remove any HideThreadFromDebugger class passed into NtSetInformationThread
BlockInput
Hook it to a NO-OP
OutputDebugString
Hook it to always return error
22. Technique #4: Process Exploitation
Open Process
Parent Process
Self-Debugging
UnhandledExceptionFilter
NtQueryObject
23. Open Process
The debugger does not properly reset process privileges
Open a privileged process like csrss.exe
If this succeeds, we are running under a debugger
24. Parent Process
Check if GetParentProcessId() and GetExplorerPIDbyShellWindow() are the same
Or however you are expecting your malware to be executed
26. UnhandledExceptionFilter
UnhandledExceptionFilter is the exception handler that is called when there are no other handlers to handle the exception.
When utilizing this technique, the process will exit instead of resuming execution, which is fine for Anti-RE purposes.
UnhandledExceptionFilter
SEH Chain
Vectored Exception Handlers
27. NtQueryObject
NtQueryObject() called with the ObjectAllTypesInformation class returns information about the host system and the current process, including DebugObjects in the environment.
ObjectAllTypesInformation can be traversed to locate DebugObjects
28. Technique #4: Process Exploitation
Open Process – Make sure debugger drops SeDebugPrivilege
Parent Process – Fake GetParentProcessId()
Self-Debugging - Set PsGetProcessId()->EPROCESS->DebugPort to 0
UnhandledExceptionFilter – Make sure the debugger does “the right thing”
NtQueryObject – Intercept and filter
30. Nanomites
Replace JUMP (Jxx) instructions with INT 3h breakpoints
Store original JUMP (Jxx) instruction in an encrypted table
Use self-debugging: the debugger process will substitute the INT 3h code with the correct JUMP instruction depending on the encryption algorithm.
Put some stray INT 3h in the execution flow and you have made a real mess
31. Stolen Bytes (Stolen Code)
Code or bytes from the original process protected by the packer are copied and encrypted somewhere inside the packing code
The original (copied) code is replaced with jumps to a dynamically allocated buffer for the decrypted bytes, which then jumps back to the original flow
32. SizeOfImage
Modifying PE -> IMAGE_OPTIONAL_HEADER -> SizeOfImage can cause problems for tools that weren't developed to handle this case.
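The defensive side of this slide is a tool that does not trust SizeOfImage at all. The following added example (not from the talk) parses just enough of a PE header to recompute the image size the loader actually needs from the section table and compares it with the declared field; a dumper can size its output from the computed value. The sample image is constructed by build_minimal_pe() and contains headers only; all section names and sizes are made up.

```python
"""Cross-check PE SizeOfImage against the section table.
Added example; the test image is constructed, headers only."""
import struct

SECTION_HEADER_SIZE = 40
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_pe_layout(data):
    """Return SectionAlignment, SizeOfHeaders, the declared SizeOfImage and
    (name, VirtualAddress, VirtualSize) for every section. The optional-header
    fields read here sit at the same offsets in PE32 and PE32+."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or out-of-range NT headers")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if opt + 64 > len(data):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    section_alignment = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sect = opt + opt_size
    if sect + nsections * SECTION_HEADER_SIZE > len(data):
        raise ValueError("truncated section table")
    sections = []
    for i in range(nsections):
        name, vsize, va = struct.unpack_from("<8sII", data, sect + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return {"section_alignment": section_alignment, "size_of_headers": size_of_headers,
            "size_of_image": size_of_image, "sections": sections}


def check_size_of_image(data):
    """Recompute the image size the loader needs (highest section end, rounded
    up to SectionAlignment) and compare it with the declared field."""
    pe = parse_pe_layout(data)
    align = pe["section_alignment"] or 0x1000
    highest = max([pe["size_of_headers"]] + [va + vs for _, va, vs in pe["sections"]])
    computed = align_up(highest, align)
    return {"declared": pe["size_of_image"], "computed": computed,
            "consistent": pe["size_of_image"] == computed}


def build_minimal_pe(size_of_image, sections, section_alignment=0x1000):
    """Constructed test image: DOS header, PE32 headers and a section table.
    sections is a list of (name, VirtualAddress, VirtualSize)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                     # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 32, section_alignment)
    struct.pack_into("<I", opt, 36, 0x200)   # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 60, 0x400)   # SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

Every offset is bounds-checked before it is read, which is the other half of "tools that weren't developed to handle this": a parser that indexes blindly with a tampered e_lfanew or NumberOfSections fails as badly as one that trusts SizeOfImage.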
33. Virtual Machines (think JVM, not VBox)
Protectors like Themida and VMProtect already use virtual machines in their protection schemes.
Themida uses a technology that creates a unique virtual machine for every protected executable
Prevents the use of a generic attack against its virtualization protection
Many protection schemes implement junk code instructions
34. Guard Pages
Discussed earlier
Can be used for an on-demand decryption/decompression system
Mark all pages that are not immediately needed as guard pages
When accessed, an EXCEPTION_GUARD_PAGE exception will be raised
Additional data can then be decrypted or decompressed, either from file or memory.
35. Removing the PE Header
Removes an executable's PE header from memory at runtime
A dumped image would be missing important information such as the RVA (Relative Virtual Address) of important tables (Reloc, Import, Export etc.), the entry point, and other information that the Windows loader needs when loading an image
38. Interrupt 2D
INT 2D instruction can be used as a debugger detection method
When executed
No Debugger Present -> Exception
Debugger Present -> No Exception
Debugger specific
39. Stack Segment
Manipulating the stack segment using push ss and pop ss causes the debugger to execute instructions unwillingly
In the following code, when stepping over the code with any debugger, the mov eax, 9 line will execute, but will not be stepped on by the debugger.
push ss
pop ss
mov eax, 9 // This line executes but is stepped over
xor edx, edx // This is where the debugger will step to
40. Instruction Prefixes
Takes advantage of the way debuggers handle instruction prefixes.
When stepping over this code in OllyDBG or in Visual Studio 2008, we will reach the first emit and immediately be taken to the end of the __try block. What happens is that the debugger essentially skips over the prefix and handles the INT 1.
When running this code without a debugger, there will be an exception that SEH will catch and the program will continue along.
inline bool IsDbgPresentPrefixCheck()
{
    __try
    {
        __asm __emit 0xF3 // 0xF3 0x64 disassembles as PREFIX REP:
        __asm __emit 0x64
        __asm __emit 0xF1 // One byte INT 1
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        return false; // no debugger: the INT 1 raised an exception that SEH caught
    }
    return true; // a debugger swallowed the prefixed INT 1 and skipped to here
}
42. Technique #7: VM Detection
VM Artefacts
Hardware
Drivers
OS version / serial number
Add-ons
WMI calls
Interactivity
Is the computer being used?
Click on invisible or very small buttons no human could see
43. Technique #7: VM Detection
VM Artefacts
Hardware – Clone real system configuration
Drivers – Don’t use VM-specific drivers
OS version / serial number – Use “real” serial numbers
Add-ons – Never install VM Guest tools
WMI calls – Patch hypervisor, use real hardware
Interactivity
Is the computer being used? – Fake interactivity
Click on invisible or very small buttons no human could see – Make sure your fake interactivity is plausible
45. Debugger specific techniques
OllyDBG
FindWindow – Hijack function call or modify OllyDBG binary
OutputDebugString Exploit – Run patched version
WinDBG
FindWindow – Hijack function call or modify WinDBG binary
Cuckoo Sandbox
Check if hooked – Run unhooked, patch the hook-check function
49. Announcement
Public VXCage-server
Available at vxcage.malwareresearch.institute (http, soon https)
Feel free to apply for a personal account, free of charge:
TO: michael@michaelboman.org
SUBJECT: VXCage Access
BODY:
Who you are: name, twitter handle (if any, for cyberstalking), other contact info
Why you want access
Proposed username for the system (the password will be generated for you)
Please contact me at the above address for raw access to the archive
50. VXCage API: Quick intro
REST with JSON output
/malware/add – upload sample
/malware/get/<sha256> - download sample
/malware/find – search sample based on hash, date, tag
/tags/list – list tags
Docs & Source code at https://github.com/mboman/vxcage
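A small client for the four endpoints listed above, as an added example rather than the project's own client. The HTTP transport is injectable so the client can be exercised offline; the search field names accepted by /malware/find (md5, sha256, ssdeep, tag, date) and HTTP basic authentication are assumptions about the server that should be checked against the vxcage docs. The SHA-256 is validated before it is placed in the URL path, since that value usually arrives from feeds or user input.

```python
"""Minimal VXCage REST client with an injectable transport.
Added example; search field names and basic auth are assumptions."""
import base64
import json
import re
import urllib.parse
import urllib.request

_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
_FIND_FIELDS = {"md5", "sha256", "ssdeep", "tag", "date"}  # assumed search keys


def urllib_transport(method, url, data=None, auth=None):
    """Default transport: one HTTP request via urllib, returns (status, body bytes)."""
    req = urllib.request.Request(url, data=data, method=method)
    if auth is not None:
        token = base64.b64encode("{}:{}".format(*auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class VXCageClient:
    def __init__(self, base_url, auth=None, transport=urllib_transport):
        scheme = urllib.parse.urlsplit(base_url).scheme
        if auth is not None and scheme != "https":
            # the server is announced as http with https "soon"; account
            # credentials should only ever travel over the https endpoint
            raise ValueError("refusing to send credentials over " + scheme)
        self.base_url = base_url.rstrip("/")
        self.auth = auth
        self.transport = transport

    def _call(self, method, path, form=None):
        body = urllib.parse.urlencode(form).encode() if form else None
        status, data = self.transport(method, self.base_url + path, body, self.auth)
        if status != 200:
            raise RuntimeError("%s %s -> HTTP %d" % (method, path, status))
        return data

    def list_tags(self):
        """/tags/list – list tags"""
        return json.loads(self._call("GET", "/tags/list"))

    def find(self, **criteria):
        """/malware/find – search by hash, date or tag (key names assumed)."""
        unknown = set(criteria) - _FIND_FIELDS
        if unknown:
            raise ValueError("unsupported search fields: %s" % sorted(unknown))
        return json.loads(self._call("POST", "/malware/find", criteria))

    def get_sample(self, sha256):
        """/malware/get/<sha256> – download a sample. The digest is validated
        before it is interpolated into the path, so a malformed value can
        never rewrite the request URL. The raw sample bytes are returned;
        the caller decides where to store them."""
        sha256 = sha256.strip().lower()
        if not _SHA256_HEX.match(sha256):
            raise ValueError("not a SHA-256 hex digest")
        return self._call("GET", "/malware/get/" + sha256)
```

Uploading via /malware/add needs a multipart body and is left out; the same transport hook is the place to add it.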
51. Thank you
Michael Boman (@mboman)
michael@michaelboman.org (soon also michael.boman@malwareresearch.institute)
Malware repository: vxcage.malwareresearch.institute
Malware blog: blog.malwareresearch.institute