Reverse engineering techniques are used to analyze malware and understand obfuscated code. The document discusses various anti-research techniques used by malware authors to obstruct reverse engineering, including indirect jumps, self-modifying code, encryption, anti-debugging methods, and anti-emulation tricks. It also presents the author's research on a binary emulation system called BE-PUM that uses symbolic execution and pushdown modeling to analyze obfuscated code and handle anti-research obstructions.
Finding Xori: Malware Analysis Triage with Automated Disassembly - Priyanka Aash
In a world of high volume malware and limited researchers, we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately, what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the white hat community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool in this arms race.
The document analyzes and de-virtualizes the FinSpy malware sample. It finds the malware uses virtualization techniques to hide its execution through a virtual machine-like implementation. The author details analyzing the virtual machine code and operations, then describes decrypting and de-obfuscating the virtual machine to generate equivalent native x86 code. Finally, it summarizes the malware's anti-analysis and evasion techniques as well as finding it drops additional payloads depending on the environment.
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20) - Pixie Labs
The document discusses using eBPF for instrumentation and logging in Golang applications without source code modifications. It provides an example of using eBPF to log function arguments by attaching a BPF program to the computeE function via uprobes. This allows viewing function parameters in production without recompiling or using a debugger. eBPF provides low overhead dynamic tracing of all application code compared to other options like debuggers or static tracing tools.
Lecture slides that I used in Advanced Information Security Summer School (AIS3, 2016 & 2018) in Taiwan. https://ais3.org/
These are the lecture materials used in the lectures of Taiwan's advanced security talent development program (AIS3, 2016/2018).
The document provides an introduction to pwn, which refers to fully controlling another person's device by exploiting vulnerabilities. It discusses what pwn is, how to infiltrate systems, common exploitation techniques like buffer overflows, and gives an example lab outline. The key points are that pwn involves using exploits to gain unauthorized access and control of servers by leveraging bugs in binaries or logic flaws. Common vulnerabilities include unfiltered user input, array index errors, and logical flaws.
The document summarizes the steps taken to analyze and exploit a DEFCON CTF binary file called "annyong". It describes using various Linux commands like file, strings, hexdump, readelf, and checksec to gather information about the binary. The analysis revealed the binary is position independent and has NX, PIE, and partial RELRO protections. The exploit uses return oriented programming (ROP) to execute a system call and spawn an interactive shell, bypassing protections by overwriting return addresses on the stack.
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L... - Asuka Nakajima
[Abstract]
When developing a 1-day exploit code, patch diffing (binary diffing) is one of the major techniques to identify the part where security fixes are applied. This technique has long been well-known among reverse engineers, and thus, to support the diffing, various tools such as BinDiff, TurboDiff, and Diaphora have been developed. However, although those fantastic tools greatly support the analysis, patch diffing is still a difficult task because it requires deep knowledge and experience. In order to address this issue, we conducted a pilot study with the goal of achieving semi-automated patch diffing by applying machine-learning techniques. Based on the hypothesis that “similar types of vulnerabilities will be fixed in a similar manner,” we have applied an unsupervised machine learning technique to extract those patterns and considered the way to achieve semi-automated patch diffing. In the talk, we will show the details of our pilot study and share the insights that we have gained. We believe that our insights will help other researchers who will conduct similar research in the future.
Troubleshooting Linux Kernel Modules And Device Drivers - Satpal Parmar
The document discusses various techniques for debugging Linux kernel modules and device drivers, including:
1) Using printk statements to output debug messages from kernel space.
2) Watching system calls with strace to debug interactions between user and kernel space.
3) Adding /proc file system entries and write functions to dynamically modify driver values at runtime.
4) Enabling source-level debugging with tools like kgdb to debug at the level of C source code.
Finding Xori: Malware Analysis Triage with Automated Disassembly - Priyanka Aash
"In a world of high volume malware and limited researchers we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the corporate sponsored research community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool for researchers alike."
Source Boston 2009 - Anti-Debugging: A Developer's Viewpoint - Tyler Shields
The document discusses anti-debugging techniques, defining terms like debugging, anti-debugging, and dumping. It covers why anti-debugging is useful, references past work, and categorizes anti-debugging methods into classes like API based detection, process/thread blocking, hardware/register based detection, exception based detection, modified code based detection, and timing based detection. The goal is to make reversing applications more difficult by implementing multiple layers of defense.
The document discusses exploiting a vulnerability in Cisco ASA firewall devices. It begins with background on the target device and vulnerability, then outlines steps for getting access to the firmware, debugging the target, and identifying the vulnerability through static and dynamic analysis. The document then covers techniques for triggering the vulnerability and developing a controlled exploit to achieve remote code execution without user interaction.
Paper introduction: Hyperkernel: Push-Button Verification of an OS Kernel (SOSP’17) - mmisono
The document summarizes the Hyperkernel paper which presents a method for formally verifying an OS kernel. The key points are:
1) Hyperkernel transforms the kernel implementation into a finite-state model and verifies it is correct with respect to declarative specifications using SMT solvers.
2) It isolates the kernel from user processes using virtualization techniques like VT-x and verifies the kernel implementation is isolated and cannot be affected by user processes.
3) Hyperkernel transforms the xv6 kernel implementation into LLVM IR and links it with a verified hypercall interface to isolate the kernel while retaining most of the original xv6 source code. It successfully verifies isolation and functional correctness of the transformed kernel.
This document discusses exception handling in code. It begins with an overview of exceptions, including what they are, how to prevent, log, and check for them. It then discusses specific types of exceptions like checked, runtime, and errors. The rest of the document dives deeper into topics like causes of exceptions, global exception handling, using standard exceptions, silent exceptions to avoid, and testing exceptions. It provides examples of code and techniques for proper exception handling.
The document discusses crash-resistance in software and how it can be exploited. It explains how exceptions generated by crashes in callback functions in Windows are handled, allowing programs to continue running despite crashes. This crash-resistance property is demonstrated through a simple example program. The document then discusses how crash-resistant probing of memory can be used to bypass defenses like ASLR by scanning process memory from a web worker without crashing the browser. Techniques like heap spraying and type confusion are used to craft fake objects and scan memory in a crash-resistant manner to discover information like the TEB and DLL base addresses.
This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder.
We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.
This document discusses secure coding practices related to timing attacks, random number generation, and string security. It provides examples of vulnerabilities in Java timing attacks, OpenSSL and .NET random number generation, and recommendations for using cryptographically secure random number generators and constant time comparisons to mitigate timing attacks.
This document describes TaintScope, a tool for automatic software vulnerability detection through checksum-aware directed fuzzing. It monitors program execution to identify input bytes that influence sensitive operations ("hot bytes") and checksum checks. It generates malformed inputs focusing on hot bytes, and alters execution to bypass checksum checks. When inputs cause crashes, it symbolically solves for valid checksum fields to generate exploitable test cases. TaintScope found 27 previously unknown vulnerabilities across applications like Acrobat Reader, Picasa, and Winamp. Its effectiveness is limited for strong integrity schemes like cryptography but it can dramatically reduce the mutation space for fuzzing through directed fuzzing and checksum bypass.
Modern Technologies and Tools for Malware Analysis_PHDays_2017_Pisk... - Ivan Piskunov
Presentation for my workshop at PHDays 2017 on the topic "Modern technologies and tools for malware analysis"
Link to the announcement https://www.phdays.ru/program/197805/
Link from my blog https://www.phdays.ru/program/197805/
The document discusses exploring the x64 architecture, covering topics such as the x64 application binary interface, memory layout differences between x86 and x64, API hooking and code injection techniques for x64, and differences in system calls between x86 and x64. It provides an overview of key technical details and concepts for developers working with x64 platforms.
The document describes the implementation of a function that calculates the greatest common divisor (gcd) of two integers. It provides the C code for the gcd function, as well as the assembly code generated by the compiler. It also includes sample input and output, and shows the state of registers and memory during execution.
This document discusses fuzzing and exploiting OSX vulnerabilities for security research purposes. It provides an overview of passive fuzzing frameworks and techniques, and describes an approach the authors took using interception and poisoning of upstream data to create chaos and identify vulnerabilities downstream in the kernel. Specific implementation details are covered, such as the architecture of their passive fuzzing system, how they hook targeted functions and tamper with input data while checking for crashes or memory leaks, and how they use whitelisting and stack tracing to filter results and focus fuzzing.
Advanced CFG bypass on Adobe Flash Player 18 (DEFCON Russia 23) - DefconRussia
This document describes an advanced technique to bypass Control Flow Guard (CFG) protections on Adobe Flash Player 18 and Windows 8.1. It details how the researchers were able to generate indirect call instructions in just-in-time (JIT) compiled Flash code to redirect execution to controlled addresses, bypassing CFG. This was done by manipulating parameters passed between functions to influence the JIT compiler's code generation and produce the desired indirect call opcodes. The technique allowed full control-flow hijacking on the protected systems.
Static analysis and writing C/C++ of high quality code for embedded systems - Andrey Karpov
This document discusses static analysis for improving code quality in embedded systems. It begins by introducing the speaker and providing background on trends in IoT devices and code size growth. Examples are given of potential errors like divide by zero, use of uninitialized variables, and returning addresses of stack variables. Frameworks for classifying vulnerabilities like CWE and catalogues of real vulnerabilities like CVE are described. The value of code reviews and dynamic analysis is discussed, along with their limitations for embedded code. Finally, standards like MISRA and SEI CERT for preventing errors and examples of correctly using static analysis are provided.
This document describes the implementation of a simple REST server in Qt using reflection. It discusses how the Qt meta-object compiler (moc) is used, the abstract and concrete server classes, building the route tree using reflection, handling new connections in worker threads, calling methods based on the request, and using reflection for testing. The abstract server class inherits from QTcpServer and uses slots decorated with tags to implement routes. Worker threads handle individual connections and parse requests to call the appropriate method. Reflection is leveraged throughout to build routes and dispatch requests without explicit registration or mapping.
The document discusses analyzing crashes using WinDbg. It provides tips on reconstructing crashed call stacks and investigating what thread or lock is causing a hang. The debugging commands discussed include !analyze, !locks, .cxr, kb to find the crashing function and stuck thread.
The document discusses exploiting vulnerabilities in the ProSSHD remote administration software. It begins by explaining how to set up a vulnerable virtual machine installation of ProSSHD. It then covers the steps of exploit development, including crashing the ProSSHD server process to gain control of EIP, determining the offset to overwrite EIP, finding opcodes to redirect execution, selecting and testing shellcode, and building the final exploit payload. Debugging tips are provided to analyze crashes, determine space constraints, and identify bad characters.
Maximizing SQL Reviews and Tuning with pt-query-digest - Pythian
PalominoDB's Mark Filipi feels that pt-query-digest is one of the more valuable components of the Percona Toolkit available as OSS to DBAs. In this talk, Mark will teach with an eye towards real world test cases, output reviews and anecdotal production experience.
The heterogeneous and dynamic nature of components making up a Web Application, the lack of effective programming mechanisms for implementing basic software engineering principles in it, and undisciplined development processes induced by the high pressure of a very short time-to-market, make Web Application maintenance a challenging problem. A relevant issue consists of reusing the methodological and technological experience in the sector of traditional software maintenance, and exploring the opportunity of using Reverse Engineering to support effective Web Application maintenance.
The Ph.D. Thesis presents an approach for Reverse Engineering Web Applications. The approach includes the definition of Reverse Engineering methods and supporting software tools that help to understand existing undocumented Web Applications to be maintained or evolved, through the reconstruction of UML diagrams. Some validation experiments have been carried out; they showed the usefulness of the proposed approach and highlighted possible areas for improvement of its effectiveness.
A prosthetic is a device that replaces any missing human body part visibly and functionally. Reverse engineering is a field of engineering wherein a model and further a prototype can be generated by extracting information from previous design or available model using the advanced tools of CAD/CAM. This paper aims at exploring the needs and advantages of connecting the prosthetic industry with reverse engineering in a developing country like India for patients with lower limb amputations under the brimming concept of “Make in India”.
Powerpoint from CodepaLOUsa 2011.
Learn the various techniques bad guys can use to extract information from your .NET or Java applications or at least how you can recover the source code that your predecessor deleted before he quit. A demo filled session on how easy it is to extract information from virtually any .NET or Java application (yes, including Silverlight).
The document discusses analyzing crashes using WinDbg. It provides tips on reconstructing crashed call stacks and investigating what thread or lock is causing a hang. The debugging commands discussed include !analyze, !locks, .cxr, kb to find the crashing function and stuck thread.
The document discusses exploiting vulnerabilities in the ProSSHD remote administration software. It begins by explaining how to set up a vulnerable virtual machine installation of ProSSHD. It then covers the steps of exploit development, including crashing the ProSSHD server process to gain control of EIP, determining the offset to overwrite EIP, finding opcodes to redirect execution, selecting and testing shellcode, and building the final exploit payload. Debugging tips are provided to analyze crashes, determine space constraints, and identify bad characters.
Maximizing SQL Reviews and Tuning with pt-query-digestPythian
PalominoDB's Mark Filipi feels that pt-query-digest is one of the more valuable components of the Percona Toolkit available as OSS to DBAs. In this talk, Mark will teach with an eye towards real world test cases, output reviews and anecdotal production experience.
The heterogeneous and dynamic nature of components making up a Web Application, the lack of effective programming mechanisms for implementing basic software engineering principles in it, and undisciplined development processes induced by the high pressure of a very short time-to-market, make Web Application maintenance a challenging problem. A relevant issue consists of reusing the methodological and technological experience in the sector of traditional software maintenance, and exploring the opportunity of using Reverse Engineering to support effective Web Application maintenance.
The Ph.D. Thesis presents an approach for Reverse Engineering Web Applications. The approach include the definition of Reverse Engineering methods and supporting software tools, that help to understand existing undocumented Web Applications to be maintained or evolved, through the reconstruction of UML diagrams. Some validation experiments have been carried out and they showed the usefulness of the proposed approach and highlighted possible areas for improvement of its effectiveness.
A prosthetic is a device that replaces any missing human body part visibly and functionally. Reverse engineering is a field of engineering wherein a model and further a prototype can be generated by extracting information from previous design or available model using the advanced tools of CAD/CAM. This paper aims at exploring the needs and advantages of connecting the prosthetic industry with reverse engineering in a developing country like India for patients with lower limb amputations under the brimming concept of “Make in India”.
Powerpoint from CodepaLOUsa 2011.
Learn the various techniques bad guys can use to extract information from your .NET or Java applications or at least how you can recover the source code that your predecessor deleted before he quit. A demo filled session on how easy it is to extract information from virtually any .NET or Java application (yes, including Silverlight).
ravi reverseengineeringitsapplication01 121101044845-phpapp02Akash Maurya
This document discusses reverse engineering and its application. It begins by defining reverse engineering as the systematic evaluation of a product to replicate, copy, or recover parts. Reverse engineering is important in product development by allowing optimization of existing resources and reducing development time. The document then provides an example of using reverse engineering to analyze why an impeller pump's performance degraded over time. It outlines the advantages and process of reverse engineering, as well as applications in various fields like manufacturing, software, chemical, film, and medical engineering. A case study describes how reverse engineering was used to design turbine blades by overcoming issues in existing digitization processes.
Reverse engineering involves duplicating an existing product without drawings or documentation by analyzing the product. It is commonly used when the original manufacturer no longer produces the product, documentation has been lost, or to improve and redesign products. The reverse engineering process involves analyzing a product to understand its components, operation, and manufacturing methods without reliance on original documentation.
The document discusses reverse engineering and several projects using 3D laser scanning and reverse engineering techniques. It describes reverse engineering as discovering how a device works through analysis of its structure and function. Several tools for reverse engineering are mentioned, including 3D printers, laser sintering machines, CMM, and 3D scanners. Several projects are summarized that used 3D laser scanning for applications like creating digital part catalogs, CAD-to-part inspection, digitizing sculptures for replication, mold design and manufacture, and digital 3D CAD catalogs for parts.
This document provides an introduction to reverse engineering and discusses cracking Windows applications. It begins with a disclaimer that reverse engineering copyrighted material is illegal. It then defines reverse engineering as analyzing a system to understand its structure and function in order to modify or reimplement parts of it. The document discusses reasons for learning reverse engineering like malware analysis, bug fixing, and customizations. It outlines some of the history of reverse engineering in software development. The remainder of the document focuses on tools and techniques for reverse engineering like PE identification, decompilers, disassemblers, debuggers, patching applications in OllyDbg, and analyzing key generation and phishing techniques.
Reverse engineering is the process of systematically evaluating a product to replicate or redesign it. It is an important step in product development that allows optimization of resources and reduction in development time and costs. The reverse engineering process involves digitizing an existing object through scanning or other methods, processing the captured data to create a CAD model, and then using that model to develop prototypes or redesign parts as needed. It has various applications in fields like manufacturing, software, chemicals, entertainment, and medicine. A case study described how reverse engineering and rapid prototyping were used together to redesign turbine blades by capturing high-quality surface data and iteratively digitizing to create accurate CAD models.
Rufat Babakishiyev will give a presentation on reverse engineering an Android application. The presentation will include an overview of reverse engineering and forensic research, a review of the Android OS architecture, an analysis of the Yahoo email client application, decompiling the application files and database, examining application artifacts after installation and uninstallation, and security best practices. The goal is to understand how the application stores and manages data and identify artifacts left behind after uninstall.
This document provides an overview of Windows user-mode debugging concepts like processes, threads, stack frames, and the WinDbg debugging tool. It discusses how to set up WinDbg and analyze crashes through examples like examining stack frames, debugging a simple crash, and commands commonly used in WinDbg. The document concludes with demonstrating how to analyze an IMA service crash using a memory dump.
Debugging linux kernel tools and techniquesSatpal Parmar
This document discusses tools and techniques for debugging the Linux kernel, including debuggers like gdb, built-in debugging facilities, system logs, and crash dump analysis tools like LKCD. It outlines common issues like kernel crashes and hangs, and provides an example of analyzing an "oops" crash dump to identify the failing line of code through tools like ksymoops. It also covers generating a full system memory dump using LKCD for thorough crash investigation.
Alexander Rakhmanov, "What .NET developers can gain from analyzing dumps?"Yulia Tsisyk
Today we hear about WinDBG more and more often at .NET conferences, yet among .NET developers it still stays on the sidelines and is considered an extremely niche and even unnecessary tool.
In this talk we try to offer an alternative view. We show how to set up a process for collecting dumps, analyzing them and fixing the problems, and how to embed it in your application's development life cycle so that it becomes an integral part of diagnosing both routine and unique cases. We then look at the main groups of problems (deadlocks, out of memory, access violation, logical errors, etc.) that can happen to your application, and the tools for analyzing them. And, of course, we walk through examples of each of these problems that we met in practice in our products, in .NET and WPF code:
— How to hang a WPF application with a USB flash drive?
— Is it safe to call DateTime.Now?
and other real-life situations.
Moscow .Net Meetup #4·14 November 2016
An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...David Beazley (Dabeaz LLC)
The document describes an embedded error recovery and debugging mechanism for scripting language extensions. It discusses how errors can occur both in script code and extension code built as shared libraries. Debugging errors in extension code is challenging as typical debuggers and tracebacks do not work. The document then presents the Wrapped Application Debugger (WAD) which allows debugging of extension code as if it were part of the script by capturing signals and integrating with the GNU Debugger (GDB).
The document discusses various techniques for debugging Linux kernel modules and device drivers, including:
1) Using printk statements to output debugging messages from within the kernel.
2) Examining the interaction between kernel and userspace using strace to see system calls.
3) Adding entries to /proc filesystem for additional output.
4) Enabling kernel debugging with kgdb or hardware debuggers.
5) Common error types like kernel panics and oops messages that indicate issues.
This document describes BE-PUM, a tool for generating control flow graphs (CFGs) from binary malware code to facilitate model checking. BE-PUM uses binary emulation and pushdown model generation to handle obfuscation techniques like indirect jumps, self-modifying code, decryption, and packers. It generates more precise models than tools like Jakstab and IDA Pro. The document outlines BE-PUM's approach, provides examples of how it handles different obfuscations, and compares it to other tools based on experiments. It is presented as both a model generator and emulator that can under-approximate programs through concolic testing and white-box testing.
The document discusses various components inside the Windows kernel, including system threads, work items, asynchronous procedure calls (APCs), deferred procedure calls (DPCs), timers, process and thread callbacks, completion routines, I/O request packets (IRPs), and the structure of a kernel driver. It provides data structure definitions and examples of how these components work and interact inside the kernel.
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
The document provides an overview of basic penetration testing techniques including buffer overflow vulnerabilities, return oriented programming (ROP), format string vulnerabilities, and ways to bypass data execution prevention (DEP) and address space layout randomization (ASLR). It discusses stack-based buffer overflows, the structure of the x86 stack, overwriting the return address, and controlling the instruction pointer. It also covers ROP techniques like ret2libc, gadgets, chaining, and using libc functions. Finally, it briefly mentions tools like pwntools, ROPgadget, and techniques like IO wrapping and LD_PRELOAD hijacking.
Reverse engineering of binary programs for custom virtual machinesSmartDec
This document discusses reverse engineering a binary program for an unknown custom virtual machine. Through analyzing byte frequencies and instruction patterns, the authors were able to deduce key aspects of the virtual machine's architecture like the calling convention, return instruction, jump instructions, register usage, and arithmetic operations. Their approach involved heuristics-based searching to find common instruction encodings without any prior knowledge of the processor. While limited to simple analysis, this showed it is possible to gain a high-level understanding and decompose a binary without documentation. The authors develop the SmartDec decompiler to help with further reverse engineering virtual machine binaries.
WinDbg is a low-level debugger for Windows that provides features like usermode debugging, kernel debugging, post-mortem debugging, and support for debugging extensions. It can be used to debug crashes, analyze memory leaks, find deadlocks, and investigate other issues when the higher-level Visual Studio debugger is not sufficient. The document provides examples of using WinDbg commands and extensions like SOS to debug memory leaks, analyze crashes based on offset or dump files, and investigate .NET deadlocks.
Linux has this great tool called strace, on OSX there’s a tool called dtruss - based on dtrace. Dtruss is great in functionality, it gives pretty much everything you need. It is just not as nice to use as strace. However, on Linux there is also ltrace for library tracing. That is arguably more useful because you can see much more granular application activity. Unfortunately, there isn’t such a tool on OSX. So, I decided to make one - albeit a simpler version for now. I called it objc_trace.
C++ in kernel mode, Roman Beleshev
Have you ever written drivers for Windows? And in C++? It is time to debunk the myth that driver writing means C only and hardcore only. About the differences between kernel mode and user mode, the technical details of implementing some C++ features, and why writing drivers in C++ is possible, necessary, and very pleasant and engaging.
"HHVM is a high-performance, open source PHP execution engine developed at Facebook. It’s the fastest PHP runtime in the world, with support for PHP5, PHP7, and Hack—the programming language used for Facebook’s web server application logic. In addition to powering Facebook’s web tier, HHVM has also been adopted by other major services such as Wikipedia, Baidu, and Box.
HHVM uses just-in-time compilation to transform PHP and Hack source code into optimized machine code. Thanks to contributions from developers across the ARM community, HHVM can now target AArch64 in addition to x86-64 and successfully runs open source PHP frameworks like WordPress. Join us for an overview of HHVM, a quick demo, and some thoughts on where optimization efforts can go from here."
Defending C++. Pavel Filonov ➠ CoreHard Autumn 2019 corehard_by
The document describes the implementation of a function that calculates the greatest common divisor (gcd) of two integers. It provides the C code for the gcd function, as well as the assembly code generated by the compiler. It also includes sample calls to the gcd function and diagrams showing how the assembly code works.
The document discusses SEH (structured exception handling) overwrites and techniques to bypass protections against them. It explains that SEH overwrites can be used to exploit Windows software by overwriting exception handlers. Common protections like SafeSEH, software DEP, hardware DEP, and SEHOP aim to prevent this. However, the document demonstrates that under certain conditions, it is possible to bypass all of these protections simultaneously. Specifically, if an attacker knows addresses needed to recreate the SEH chain and has a non-SafeSEH module containing suitable "add esp, ret" instructions, they can exploit a buffer overflow to execute arbitrary code despite all protections. The document provides a detailed example of this technique on Windows 7.
The document discusses the Assembly programming language. It covers Assembly registers and instructions, the ELF file format, using objdump and readelf to disassemble and inspect Assembly programs, and examples of building Assembly programs and using inline Assembly in C code. Key topics include common Assembly registers like EAX, EBP, ESP; basic instructions like mov, add, jumps; the ELF header and section structure; and using tools like objdump to disassemble Assembly code.
Positive Hack Days. Oleksyuk. Automatic Search for Vulnerabilities in Program...Positive Hack Days
A participant will become familiar with theoretical basics and will acquire practical skills of detecting vulnerabilities in real programs via fuzzing. Attention will be given to both popular frameworks and the development of one's own tools for specific tasks. The masterclass also considers advanced and promising technologies of code analysis, which are only waiting for their turn to be applied in the day-to-day work of vulnerability researchers.
The document describes a .NET reversing challenge that appears simple but has a deception. Through static analysis, it seems the challenge involves decrypting a resource to obtain matrices A, B, C and vectors d, y, then calculating the flag as A^-1B^-1C^-1(y - d). However, running this approach yields an incorrect flag. The truth is that the binary modifies the just-in-time compiled code and method descriptor table to alter the real behavior of functions 3, 4, and 5, decrypting the real code from the resource.
4. Reverse Engineering
• Reverse engineering (RE) is the process of inferring the internal knowledge behind anything man-made.
• The goal of RE is to recover missing knowledge, ideas and design philosophy when that information is unavailable.
12. Motivation (cont.)
• Obfuscation techniques are used in software to protect it against cracking and reverse engineering.
• Obfuscation techniques are used in malware to protect it against automatic detection and analysis of malicious code.
• Our goal: build a tool that handles most obfuscation techniques: indirect jumps, self-modifying code, SEH, encryption, anti-debugging, anti-emulation.
13. Indirect Jump
• Idea: store the target address of a JMP instruction in a register or memory location, so a static disassembler cannot resolve it.
• Resolving the target requires simulating the execution of the x86 instructions and of the Windows API calls that compute the value.
JMP EAX ?????
22. SEH
• SEH - Structured Exception Handler
• Used to handle errors in running code
• Malware uses it to intentionally change the execution flow: it registers its own handler and then triggers an exception, so control arrives at the handler instead of at the next instruction
push offset SEH_Handler   ;Handler field of the new EXCEPTION_REGISTRATION record
push dword ptr fs:[0]     ;Next field: the previous head of the chain
mov fs:[0],esp            ;make the new record the head of the SEH chain
25. • Dead code insertion
push %ebx
pop %ebx
• Instruction substitution
mov $0, %eax -> xor %eax, %eax
• Variable renaming & register reassignment
mov $0, %eax -> mov $0, %ebx
• Code reordering
Changes the syntactic order of the code; the semantic execution path remains unchanged.
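The three rewrites above are what a matching engine has to undo before it can recognise the same routine in two samples. The following is an added example, not code from the original slides or from BE-PUM: a small peephole normaliser over AT&T-syntax x86 text that removes push/pop dead-code pairs, canonicalises the xor-to-zero idiom back to mov $0, and alpha-renames registers in first-use order, so that two listings that differ only by these transformations compare equal. The instruction subset and the two sample listings are constructed for the example.

```python
"""Peephole normaliser for dead code insertion, instruction substitution and register
reassignment. Added example, not from the original slides or BE-PUM."""

REGS = {"%eax", "%ebx", "%ecx", "%edx", "%esi", "%edi"}


def parse(listing):
    """Turn an AT&T-syntax listing into (mnemonic, [operands]) tuples; '#' starts a comment."""
    out = []
    for line in listing.strip().splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        out.append((mnem, ops))
    return out


def remove_dead_pairs(insns):
    """Drop 'push r' immediately followed by 'pop r' (dead code insertion)."""
    out = []
    for insn in insns:
        if out and out[-1][0] == "push" and insn[0] == "pop" and out[-1][1] == insn[1]:
            out.pop()          # the pair has no net effect on registers or stack
            continue
        out.append(insn)
    return out


def canonicalize_substitutions(insns):
    """Rewrite equivalent idioms to one form: 'xor r, r' -> 'mov $0, r'."""
    out = []
    for mnem, ops in insns:
        if mnem == "xor" and len(ops) == 2 and ops[0] == ops[1] and ops[0] in REGS:
            out.append(("mov", ["$0", ops[0]]))
        else:
            out.append((mnem, ops))
    return out


def alpha_rename(insns):
    """Replace registers by %r0, %r1, ... in first-use order (register reassignment)."""
    names, out = {}, []
    for mnem, ops in insns:
        new_ops = [names.setdefault(op, "%%r%d" % len(names)) if op in REGS else op
                   for op in ops]
        out.append((mnem, new_ops))
    return out


def normalize(listing):
    return alpha_rename(canonicalize_substitutions(remove_dead_pairs(parse(listing))))


def equivalent(a, b):
    """True when two listings normalise to the same instruction sequence."""
    return normalize(a) == normalize(b)


# Constructed sample: the same two-instruction routine, plain and obfuscated.
PLAIN = """
mov $0, %eax
add %ecx, %eax
"""

OBFUSCATED = """
push %ebx        # dead code insertion
pop %ebx
xor %ebx, %ebx   # instruction substitution, register reassignment (eax -> ebx)
add %ecx, %ebx
"""

if __name__ == "__main__":
    print(normalize(OBFUSCATED))
    print("equivalent:", equivalent(PLAIN, OBFUSCATED))
```

Code reordering is deliberately not handled: undoing it needs data-flow information rather than a peephole pass, which is exactly why the slides move from syntactic matching to emulation.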
26. Anti-debugging
• Use the NtGlobalFlag field at offset 0x68 in the PEB (Process Environment Block) of a 32-bit process
• The PEB is a structure created during process initialization
• The PEB contains data necessary for the execution of the process
• When a process is created under a debugger, the loader sets FLG_HEAP_ENABLE_TAIL_CHECK (0x10), FLG_HEAP_ENABLE_FREE_CHECK (0x20) and FLG_HEAP_VALIDATE_PARAMETERS (0x40) in NtGlobalFlag, so the value 0x70 indicates a debugger; the three bits are masked out before comparing so that other global flags do not disturb the test
• Used by ExeCryptor
mov eax, fs:[30h]     ;PEB
mov al, [eax+68h]     ;NtGlobalFlag
and al, 70h           ;keep only the three heap-check flags
cmp al, 70h
je being_debugged     ;all three set: created under a debugger
jmp real_code
being_debugged:
call ExitProcess
27. Anti-debugging (cont.)
• Use the process default heap to find the presence of debugging artifacts: when a process is created under a debugger, the heap manager enables tail checking, free checking and parameter validation, so the heap's Flags field no longer holds just HEAP_GROWABLE (2)
• Caveat: the Flags field sits at offset 0x0C of the heap header only up to Windows XP/2003; on Windows Vista and later 32-bit Windows it moved to offset 0x40 (ForceFlags to 0x44), so the check must be adjusted per OS version
mov eax, fs:[30h]     ;PEB
mov eax, [eax+18h]    ;ProcessHeap: get process heap base
mov eax, [eax+0ch]    ;Flags (HEAP_GROWABLE = 2 when not debugged)
dec eax
dec eax               ;zero only if Flags == 2
jne being_debugged
jmp real_code
being_debugged:
call ExitProcess
28. Special APIs
• The kernel32 IsDebuggerPresent() function was introduced in Windows 95.
• It returns TRUE if a debugger is present; it simply reads the BeingDebugged byte at offset 2 of the PEB, so an emulator (or a debugger plugin) only has to zero that byte to defeat it
call IsDebuggerPresent
test al, al
jne being_debugged
jmp real_code
being_debugged:
call ExitProcess
29. Special APIs (cont.)
• Use the kernel32 CheckRemoteDebuggerPresent() function
push eax            ;space for the output BOOL
push esp            ;pbDebuggerPresent
push -1             ;GetCurrentProcess()
call CheckRemoteDebuggerPresent
pop eax             ;fetch the BOOL written by the call
test eax, eax
jne being_debugged
jmp real_code
being_debugged:
call ExitProcess
30. Time Attack
• Malware targeting a specific date.
E.g. the CodeRed malware uses the Windows API
GetSystemTime
• Solution: On-Demand Symbolic Execution for
Windows API
The return value is a symbolic value (instead of a real
execution through JNA)
32. Execution Timing
• Based on an observation: there is a significant delay between the
executions of individual instructions in debugger mode
compared to normal execution.
call GetTickCount
xchg ebx, eax       ;keep the first timestamp in EBX
call GetTickCount
sub eax, ebx        ;elapsed milliseconds
cmp eax, 1
jnb being_debugged  ;1 ms or more between two calls: single-stepped
jmp real_code
being_debugged:
call ExitProcess
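The checks on the preceding anti-debugging slides leave recognisable traces: fixed instruction encodings for the PEB, NtGlobalFlag and heap-flag reads, and the names of the debugger-detection APIs in the import table. The following static triage scanner is an added example, not code from the slides or from BE-PUM; it looks for those traces in a raw byte blob (a PE section or a shellcode buffer). The byte patterns are the exact x86 encodings of the instructions shown above; the weights and the scoring threshold are constructed heuristics, and the sample blob is constructed.

```python
"""Static triage for the anti-debugging idioms shown on the slides.

Added example (not from the slides): scans a byte blob for the encodings of
the PEB/NtGlobalFlag/heap checks and for the import names of the API-based
checks, then combines them into a constructed score.
"""
from typing import Dict, List, Tuple

# label -> (exact x86 encoding, constructed weight). A PEB load alone is
# common in clean code; the NtGlobalFlag comparison almost never is.
CODE_PATTERNS: Dict[str, Tuple[bytes, int]] = {
    "mov eax, fs:[30h]  (PEB load)":            (bytes.fromhex("64A130000000"), 1),
    "cmp byte [eax+68h], 70h  (NtGlobalFlag)":  (bytes.fromhex("80786870"), 4),
    "mov eax, [eax+18h]  (ProcessHeap)":        (bytes.fromhex("8B4018"), 1),
    "push dword fs:[0]  (SEH frame install)":   (bytes.fromhex("64FF3500000000"), 2),
    "mov fs:[0], esp  (SEH frame install)":     (bytes.fromhex("64892500000000"), 2),
}

# Import names as they appear (ASCII) in a PE import name table.
IMPORT_NAMES: Dict[bytes, int] = {
    b"IsDebuggerPresent": 3,
    b"CheckRemoteDebuggerPresent": 3,
    b"NtQueryInformationProcess": 2,
    b"GetTickCount": 1,        # timing check, but also ubiquitous in clean code
    b"BlockInput": 3,
}

Finding = Tuple[int, str, int]  # (offset, description, weight)


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """Every offset (overlapping allowed) at which needle occurs in blob."""
    hits, start = [], blob.find(needle)
    while start != -1:
        hits.append(start)
        start = blob.find(needle, start + 1)
    return hits


def scan(blob: bytes) -> List[Finding]:
    """Raw findings, sorted by offset."""
    findings: List[Finding] = []
    for label, (pattern, weight) in CODE_PATTERNS.items():
        findings += [(off, label, weight) for off in find_all(blob, pattern)]
    for name, weight in IMPORT_NAMES.items():
        findings += [(off, "import " + name.decode(), weight)
                     for off in find_all(blob, name)]
    return sorted(findings)


def triage(blob: bytes) -> Dict[str, object]:
    """Score the findings; a PEB load corroborated by a flag read counts extra."""
    findings = scan(blob)
    score = sum(w for _, _, w in findings)
    labels = {lbl for _, lbl, _ in findings}
    peb = any("PEB load" in lbl for lbl in labels)
    flag_read = any("NtGlobalFlag" in lbl or "ProcessHeap" in lbl for lbl in labels)
    if peb and flag_read:
        score += 3  # the exact idiom of the slides, not two unrelated reads
    verdict = "anti-debug likely" if score >= 5 else "no strong indicator"
    return {"findings": findings, "score": score, "verdict": verdict}


# Constructed sample: two NOPs, the NtGlobalFlag check from the slide
# (mov eax, fs:[30h] / cmp byte [eax+68h], 70h / je +5), then an import name.
SAMPLE = (b"\x90\x90"
          + bytes.fromhex("64A130000000") + bytes.fromhex("80786870") + b"\x74\x05"
          + b"\x00IsDebuggerPresent\x00")

if __name__ == "__main__":
    report = triage(SAMPLE)
    for off, label, weight in report["findings"]:
        print(f"{off:#06x}  +{weight}  {label}")
    print(report["verdict"], "score =", report["score"])
```

The scanner is a first-pass filter, not a verdict by itself: GetTickCount and a bare PEB load are everywhere in benign code, which is why the corroboration rule and the per-indicator weights matter more than any single hit.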
33. Exception
• Using exceptions to alter the value of eip
• An effective anti-debugging technique
• Used by the packer PECompact
xor eax, eax
push offset l3        ;handler address
push dword fs:[eax]   ;previous SEH frame
mov fs:[eax], esp     ;install the new frame
l1:
call l1               ;recurse until the stack overflows
l2:
jmp l3
l3:
pop eax               ;reached through the exception handler
34. Exception (cont.)
• Used in packer Telock
00407A1B PUSHAD
00407A1C CALL 00407A27
00407A27 PUSH DWORD PTR FS:[0]
00407A2D MOV DWORD PTR FS:[0],ESP
00407A33 PUSHFD
00407A34 OR DWORD PTR SS:[ESP],100
00407A3B POPFD
00407A3C CLC
00407A3D JNB SHORT 00407A1B
35. Stalling Code
• The main idea is to delay the execution of the malicious
activity for a very long time.
• Stalling code makes automated analysis systems
give up on a sample.
37. Anti-Emulation
• Invalid API parameters: the attacker intentionally
passes known invalid parameters to a function and
expects a specific error code to be returned
push 1
push 1
call Beep              ;frequency 1 is out of range
call GetLastError      ;ERROR_INVALID_PARAMETER (0x57)
push 5                 ;sizeof(l2)
pop ecx
xchg edx, eax          ;DL = error code, used as the key
mov esi, offset l2
mov edi, esi
l1: lodsb
xor al, dl             ;decrypt in place
stosb
loop l1
...
l2: db 3fh, 32h, 3bh, 3bh, 38h ;secret message
38. GetProcAddress
• The attacker intentionally passes known invalid
parameters to the function and expects no
function address to be returned.
• Any emulator that returns an address in such a
situation is revealed
push offset l1
push 12345678h         ;illegal module handle
call GetProcAddress
test eax, eax
jne being_debugged     ;a real system returns NULL here
...
l1: db "myfunction", 0
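Both anti-emulation slides rely on the same thing: the emulator's API stubs must reproduce the documented failure behaviour of the real API, not just succeed. The following added example (not code from the slides or from BE-PUM) models that with a small `ApiModel` class standing in for an emulator's Win32 stubs, switchable between faithful and naive behaviour, and replays the decryption loop of the Beep slide and the GetProcAddress probe against it. The export table, the fake address returned by the naive stub and the class itself are constructed; the error code 0x57 and the five encrypted bytes are the ones on the slide.

```python
"""Why emulator API stubs must honour documented error behaviour.

Added example, not the slides' code: ApiModel stands in for the Win32 API
stubs of a binary emulator. faithful=True follows the documented contracts
(Beep rejects an out-of-range frequency with ERROR_INVALID_PARAMETER,
GetProcAddress returns NULL for an unknown module handle); faithful=False
behaves like a naive stub that always 'succeeds'.
"""
ERROR_INVALID_PARAMETER = 0x57
INVALID_HMODULE = 0x12345678         # the slide's illegal module handle
FAKE_ADDRESS = 0xDEADBEEF            # constructed: what a naive stub hands back

# The slide's encrypted buffer: l2: db 3fh, 32h, 3bh, 3bh, 38h
SECRET = bytes([0x3F, 0x32, 0x3B, 0x3B, 0x38])


class ApiModel:
    """Tiny constructed stand-in for an emulator's API stub layer."""

    def __init__(self, faithful: bool = True):
        self.faithful = faithful
        self.last_error = 0
        # Constructed export table: a single known module handle.
        self.modules = {0x10000000: {"myfunction": 0x10001000}}

    def Beep(self, freq: int, duration: int) -> int:
        # Documented: dwFreq must be in 37..32767, otherwise the call fails
        # and the last-error code becomes ERROR_INVALID_PARAMETER.
        if self.faithful and not 37 <= freq <= 32767:
            self.last_error = ERROR_INVALID_PARAMETER
            return 0
        return 1

    def GetLastError(self) -> int:
        return self.last_error

    def GetProcAddress(self, hmodule: int, name: str) -> int:
        exports = self.modules.get(hmodule)
        if exports is None or name not in exports:
            # Real system: NULL. Naive stub: invents an address and is revealed.
            return 0 if self.faithful else FAKE_ADDRESS
        return exports[name]


def run_decryptor(api: ApiModel) -> bytes:
    """Replay of the slide's loop: key = GetLastError() after Beep(1, 1)."""
    api.Beep(1, 1)
    key = api.GetLastError() & 0xFF          # the loop XORs with DL
    return bytes(b ^ key for b in SECRET)    # lodsb / xor al, dl / stosb / loop


def emulator_revealed(api: ApiModel) -> bool:
    """The GetProcAddress probe: an address for a bogus handle means 'emulator'."""
    return api.GetProcAddress(INVALID_HMODULE, "myfunction") != 0


if __name__ == "__main__":
    for faithful in (True, False):
        api = ApiModel(faithful)
        print("faithful" if faithful else "naive   ",
              "decrypts to", run_decryptor(api),
              "| revealed by GetProcAddress:", emulator_revealed(api))
```

With faithful stubs the buffer decrypts to `hello` and the GetProcAddress probe sees NULL, as on a real machine; with naive stubs the key is 0, the buffer stays garbage and the bogus handle yields an address, so the sample knows it is being emulated. On-demand symbolic execution, the slides' own answer, sidesteps the problem by making the stub's return value a symbol rather than a guessed constant.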
39. Undocumented instructions
• An anti-malware emulator might fail to support
undocumented instructions or undocumented
encodings of documented instructions
• Solution: Capstone disassembly
(http://www.capstone-engine.org/)
0040F0D0 > $ 0F6FE0 MOVQ MM4,MM0
0040F0D3 . E8 06000000 CALL 0040F0DE
40. Other Techniques
• Check the parent process for explorer.exe
• Checksumming for detecting tampering
• Stolen bytes technique using the
VirtualAlloc API.
41. Other Techniques (cont.)
• Prevent reverser from controlling the debugger with
user32!BlockInput()
• Debugger blocker by spawning a process which
becomes a debugger for the packed code
• API redirection with LoadLibrary and GetProcAddress
42. Packer
Packer = Self-modifying Code + SEH +
Encryption + Anti-Debugging +
Anti-Emulation + ...
• Bullet-proof jacket for software (and malware too):
Against cracks
Against keygens
Against stolen serial numbers
Against unauthorized use
46. Advanced Persistent Threat
• W32.Stuxnet was discovered in 2009.
A computer worm targeting industrial control
systems for equipment made by Siemens.
These systems are used in Iran for uranium
enrichment.
“the Most Menacing Malware in History”
• Flame was discovered in 2010
“most complex malware ever found” – the main
component is ~6MB
Kaspersky researchers found chunks of code
from a 2009 Stuxnet variant inside Flame
48. BE-PUM
• BE-PUM - Binary Emulation for Pushdown Model
• Applies pushdown model generation to binary code
Applies concolic testing (dynamic symbolic execution) to
handle indirect jumps
Applies on-the-fly model generation to handle
self-modifying code
Focuses on obfuscation techniques which are used in
malware and packer tools.
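The Indirect Jump slide and the BE-PUM slide describe the same idea from two sides: a `JMP EAX` cannot be resolved by static disassembly, and code that rewrites itself cannot be modelled from the original bytes, so the model has to be generated while the binary is single-stepped in a sandbox. The following added example (not BE-PUM's code) shows that on a toy instruction set: every executed instruction becomes a node `(address, asm)` in the style of BE-PUM's `(k, asm_k)`, a `call` pushes a return address as the pushdown rule does, an indirect jump is resolved from the concrete register value, and a `store` that patches code memory produces a new node for the same address. Register values are concrete here; the symbolic half of BE-PUM's concolic execution is not modelled, and the instruction set and sample program are constructed.

```python
"""On-the-fly control-flow model construction by single-step emulation.

Added example, not BE-PUM code. Instructions are tuples in a mutable code
memory (one instruction per address slot) so that 'store' can rewrite code.
"""
from typing import Dict, List, Set, Tuple

Instr = tuple                 # ("op", operand, ...)
Node = Tuple[int, str]        # (address, rendered asm), like BE-PUM's (k, asm_k)


def asm_text(ins: Instr) -> str:
    """Render an instruction tuple as assembly-like text."""
    parts = []
    for a in ins[1:]:
        if isinstance(a, tuple):
            parts.append("<" + asm_text(a) + ">")   # an instruction used as data
        elif isinstance(a, str):
            parts.append(a)                          # a register name
        else:
            parts.append(hex(a))                     # an immediate or address
    return ins[0] if not parts else f"{ins[0]} {', '.join(parts)}"


def build_model(program: Dict[int, Instr], entry: int, max_steps: int = 10_000):
    """Single-step 'program' in a controlled sandbox and record the model.

    Returns (nodes, edges, indirect): the reachable (address, asm) states, the
    transitions between them, and each indirect jump's resolved target.
    """
    code = dict(program)          # private copy: self-modification must not leak
    regs = {"eax": 0, "ebx": 0}
    stack: List[int] = []         # return addresses: the pushdown stack
    nodes: Set[Node] = set()
    edges: Set[Tuple[Node, Node]] = set()
    indirect: Dict[int, int] = {}
    prev = None
    pc = entry
    for _ in range(max_steps):
        ins = code[pc]            # decoded afresh each step, so patches are seen
        node = (pc, asm_text(ins))
        nodes.add(node)
        if prev is not None:
            edges.add((prev, node))
        prev = node
        op = ins[0]
        if op == "mov":                       # mov reg, imm
            regs[ins[1]] = ins[2]
            pc += 1
        elif op == "add":                     # add reg, imm
            regs[ins[1]] += ins[2]
            pc += 1
        elif op == "jmp":                     # jmp imm | jmp reg
            if isinstance(ins[1], str):
                target = regs[ins[1]]
                indirect[pc] = target         # known only because we emulate
            else:
                target = ins[1]
            pc = target
        elif op == "call":                    # push rule: return address on the stack
            stack.append(pc + 1)
            pc = ins[1]
        elif op == "ret":                     # pop rule
            pc = stack.pop()
        elif op == "store":                   # store addr, <instr>: patch code memory
            code[ins[1]] = ins[2]
            pc += 1
        elif op == "halt":
            break
        else:
            raise ValueError(f"unknown op {op!r} at {pc:#x}")
    return nodes, edges, indirect


# Constructed sample: 0x102 is 'halt' in the original bytes, but 0x104
# patches it into a jump before 0x105 transfers control there.
SAMPLE: Dict[int, Instr] = {
    0x100: ("mov", "eax", 0x104),
    0x101: ("jmp", "eax"),                         # target unknown statically
    0x102: ("halt",),                              # overwritten at run time
    0x103: ("halt",),                              # never reached
    0x104: ("store", 0x102, ("jmp", 0x106)),       # self-modifying write
    0x105: ("jmp", 0x102),
    0x106: ("call", 0x108),
    0x107: ("halt",),
    0x108: ("ret",),
}

if __name__ == "__main__":
    nodes, edges, indirect = build_model(SAMPLE, 0x100)
    for src, dst in sorted(edges):
        print(f"{src[0]:#x} {src[1]:<24} -> {dst[0]:#x} {dst[1]}")
    print("indirect jumps resolved:", {hex(k): hex(v) for k, v in indirect.items()})
```

A static disassembly of `SAMPLE` would list `0x102` as `halt` and could not say where `0x101` goes; the emulated model instead contains `(0x102, "jmp 0x106")`, never the stale `halt`, and records `0x101 -> 0x104`. Making the instruction text part of the state is exactly what lets one address carry several nodes over the run of a self-modifying sample.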
49. Architecture
• Frontiers: symbolic states (k, asm_k, ψ_k) waiting to be explored; each is checked for a new region
• Single-step symbolic execution Instr(Env, m), built on Jakstab 0.8.3
Control instructions: feasibility check with the SMT solver Z3 4.3 (Yes / No)
Data instructions: update the symbolic state
• Binary emulation in a controlled sandbox: stack, memory, registers, flags
• Stub of API: system call (pre-condition) → Java API (output)
• Pushdown model: rules 〈(k, asm_k), ε〉 ↪ 〈(m, asm), (m', asm')〉, each checked for being a new rule
• Symbolic states (k, asm_k, ψ_k)
• CFG storage: 〈(k, asm_k)〉
50. Conclusion
• RE is very important in the fight against malware.
• It needs to evolve to keep up with the new types of
APT malware.
• How???
51. References
• “The Art of Unpacking”. Mark Vincent Yason.
• “Reversing: Secrets of Reverse Engineering”. Eldad Eilam.
• “An Anti-Reverse Engineering Guide”. Josh Jackson.
• “Anti-unpacker Tricks”. Peter Ferrie.
https://en.wikipedia.org/wiki/Stoned_(computer_virus)
Stoned is the name of a boot sector computer virus created in 1987.
One of the very first viruses, it is thought to have been written by a university student in Wellington, New Zealand.[1][2] By 1989 it had spread widely in New Zealand and Australia,[3] and variants became very common worldwide in the early 1990s.[4]
A computer infected with the original version had a one in eight probability[5][6] that the screen would declare: "Your PC is now Stoned!", a phrase found in infected boot sectors of infected floppy disks and master boot records of infected hard disks, along with the phrase "Legalise Marijuana". Later variants produced a range of other messages.
In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.
Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic, in order to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code.
Programs known as obfuscators transform readable code into obfuscated code using various techniques.
Eva.a: the exception occurrence is obfuscated.
By Windows convention, fs:[0] initially points to the system exception handler.
A new frame is pushed at 00401012 and modified at 00401015.
At 00401018, access violation (inc at 00000000).
Win32 PE executables can set up a so-called SEH (Structured Exception Handler). Most runtime code, and several viruses, use this method to trap errors, but it can also be used to intentionally cause a change in the execution flow. Viruses insert their SEH and create a fault condition, causing the exception handler to be run instead. The first virus really in the wild that installed multiple exception handlers was W32/Magistr.A, which did so to confuse AV emulators.
What is PEB: Process Environment Block
Solution: Simulate PEB structure using symbolic execution value
Solution: On-demand Symbolic Execution for APIs
Other APIs: NtQueryInformationProcess, NtQuerySystemInformation, NtQueryObject, SetInformationThread...
Determines whether the specified process is being debugged.
Stack overflow
This leads to a weakness in emulators, whereby an attacker will intentionally pass known invalid parameters to the function, expecting an error code to be returned. In some cases, this error code is used as a key for decryption. Any emulator that fails to return the error code will not be able to decrypt the data.
Solution: On-demand Symbolic Execution for APIs