SlideShare a Scribd company logo

Reversing Microsoft patches to reveal vulnerable code

β€’
β€’
Harsimran Walia
Harsimran Walia
Technology
1 of 26
Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia http://null.co.in/ http://nullcon.net/
Introduction Need Process
Introduction Birth of a security patch Discussion in the presentation Vulnerability Releases a Finding a 0day Reverse Vendor finds a Locate the Microsoft reaches the patch to fix the Highlight the vulnerability engineer the fix vulnerability patches vendor vulnerability difficulties patch patched http://null.co.in/ http://nullcon.net/
Introduction For reversing and obtaining binary difference in my demos I would be using DarunGrim2 How DarunGrim works? β€’ The schema of DarunGrim is shown in the figure β€’ To generate diffing results – Binaries are disassembled in IDA Pro in the background and darungrim IDA plugin is run which creates the sqlite database – Diffing Engine, the heart of DarunGrim2. The sqlite db from IDA and the binaries from GUI are fed into this engine as inputs http://null.co.in/ http://nullcon.net/
Introduction Algorithm ? β€’ Main algorithm of DarunGrim is Basic block fingerprint hash map β€’ Each basic block is 1 entity whose fingerprint is generated from the instruction sequence β€’ Fingerprint hash generated by IDA Pro β€’ Two fingerprint hash tables one each for unpatched and patched binary β€’ For finding the binary difference, each unique fingerprint from original binary is searched against the fingerprints of patched binary for a match β€’ All fingerprints in the original binary hash tables are either matched or unmatched http://null.co.in/ http://nullcon.net/
Introduction Algorithm ? Contd.. β€’ For a function to be called matching, all the basic blocks in the function should be matching β€’ For unmatched functions DarunGrim calculates percentage match β€’ Match rate based on fingerprint string match – Similar to GNU Diff algorithm which is finding longest common subsequence http://null.co.in/ http://nullcon.net/
Introduction Vulnerability Vs Exploit based signatures Exploit signatures β€’ Created by using byte string patterns or regular expressions β€’ These are exploit specific β€’ They are used widely mainly because of the ease of their creation β€’ Cater to only one type of input satisfying that vulnerability condition β€’ Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail β€’ For eg. Exploit based signature – ESig = β€œdocx?AAAAAAAAAAA...” – It will fail if some exploit uses a long string of B’s instead of A’s http://null.co.in/ http://nullcon.net/
Introduction Vulnerability Vs Exploit based signatures Vulnerability signatures β€’ Based on the properties of the vulnerability and not on the properties of the exploit Vulnerability β€’ It is a superset of all the inputs satisfying a particular Signature vulnerability condition β€’ For eg. Vulnerability based signature for previous case – VSig = MATCH_STR (Buffer,"docx?(.*)$",limit) – Matches string in buffer with the regex – It is effective against any alphabet unlike exploit signature Exploit Signature http://null.co.in/ http://nullcon.net/
Introduction Vulnerability Vs Exploit based signatures Vulnerability signatures contd.. β€’ For a good vulnerability signature – It should strictly not allow any false negatives as even one exploit can pwn the system and create a gateway for the attacker into the network. – It should allow very few false positives, as too many false positives may lead to a DoS attack for the system. – The signature matching time should not create a considerable delay for the software and services. http://null.co.in/ http://nullcon.net/
Need β€’ The first step of creating an undisclosed exploit is to find the vulnerability to exploit it. β€’ To verify if the patch released by Microsoft is working as per it is designed. β€’ To create vulnerability based signatures. http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files Binary Differencing Differencing Analysis Debugging http://null.co.in/ http://nullcon.net/
Process Finding patches β€’ Pick a vulnerability and download its patch β€’ Pick a vulnerability just before this one that patched the same program or dll – If unavailable, use the same dll from your system Quick-fix Use open source β€’ GDR or QFE/LDR ?? ms-patch-tools to easily get the file β€’ File Versioning versions to compare http://null.co.in/ http://nullcon.net/
Process Finding patches DEMO http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files β€’ The traditional way of extracting file from patch – <patchfilename>.exe /x – Works only till Windows XP and earlier versions of Windows β€’ Above method cannot be used on Win7 and Vista patches delivered as msu http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files β€’ Use expand command – expand -F:* <Saved_MSU_File_Name>.msu C:<Folder_to_extract_in> – expand -F:* <Saved_MSU_File_Name>.cab C:<Folder_to_extract_in> http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files DEMO http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files Binary Differencing β€’ DarunGrim v2 used for binary difference – Feed in the two binaries to be compared – Generates a list of functions with the %age match between the two files β€’ Not every function %age < 100 is changed β€’ Includes false positives which requires manual analysis http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files Binary Differencing DEMO http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files Binary Differencing Differencing Analysis β€’ Manual inspection of functions with less than 100% match – Remove false positives generated by problems like β€’ Instruction reordering Lot of reordering happening over different releases marks even the same blocks as unmatched β€’ Split blocks Block in the graph which has only parent and the parent has only one child leads to a split block. causing a problem in the matching process Can be improved by merging the two blocks and treating as a single block. http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files Binary Differencing Differencing Analysis β€’ Hot patching Instructions like mov eax, eax at the start of functions are a sign of hot patching leading to a mismatch in the block By just ignoring the instruction we can get a match β€’ Compiler optimizations Different compilers and even different versions of the same compiler perform different optimizations which also creates problems in getting proper difference – Eventually reach a function which is indeed modified and might be the fix to the vulnerability being patched http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files Binary Differencing Differencing Analysis DEMO http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files Binary Differencing Differencing Analysis β€’ push [ebp-2Ch] ; unsigned int β€’ push [ebp-2Ch] ; unsigned int call ??2@YAPAXI@Z ; operator new(uint) call ??2@YAPAXI@Z ; operator new(uint) mov ebx, eax pop ecx pop ecx mov [ebp-14h], eax ; ebp-14h = pBuffer mov [ebp-18h], ebx mov [ebp-40h], eax mov [ebp-3Ch], ebx mov byte ptr [ebp-4], 2 mov byte ptr [ebp-4], 1 push [ebp-2Ch] push dword ptr [ebp-2Ch] mov ecx, esi mov ecx, esi push ebx push ebx push edi push [ebp-30h] call sub_118000C func(const *,void *,long) call sub_118000C func(const *,void *,long) mov esi, eax mov edi, eax test esi, esi test edi, edi jge short loc_118158A jge short http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files Binary Differencing Differencing Analysis Debugging β€’ To validate our finding of analysis by debugging – Getting a crash of the application – Creating a malformed file to get the crash β€’ Would be using Immunity Debugger http://null.co.in/ http://nullcon.net/
Process Finding patches Extraction of files Binary Differencing Differencing Analysis Debugging DEMO http://null.co.in/ http://nullcon.net/
Conclusion β€’ Presented an overview of how the 1-day exploits and Vulnerability signatures can be created β€’ Attempt was made to understand the process involved in reversing and the problems faced during the execution of the process β€’ Only talked about Microsoft patches but concept not limited to this. β€’ Concepts presented can be perfected by interested audience http://null.co.in/ http://nullcon.net/
Thanks Questions?? http://null.co.in/ http://nullcon.net/

Recommended

The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
Β 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
Β 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
Β 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
Β 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...Felipe Prado
Β 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
Β 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
Β 
Microservices: How loose is loosely coupled?
Microservices: How loose is loosely coupled?Microservices: How loose is loosely coupled?
Microservices: How loose is loosely coupled?John Rofrano
Β 

Recommended

The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
Β 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
Β 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
Β 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
Β 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...Felipe Prado
Β 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
Β 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
Β 
Microservices: How loose is loosely coupled?
Microservices: How loose is loosely coupled?Microservices: How loose is loosely coupled?
Microservices: How loose is loosely coupled?John Rofrano
Β 
Making Developers Productive with Vagrant, VirtualBox, and Docker
Making Developers Productive with Vagrant, VirtualBox, and DockerMaking Developers Productive with Vagrant, VirtualBox, and Docker
Making Developers Productive with Vagrant, VirtualBox, and DockerJohn Rofrano
Β 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store appsCsaba Fitzl
Β 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
Β 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
Β 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFFRI, Inc.
Β 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
Β 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...CODE BLUE
Β 
.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 Amanda Rousseau
Β 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
Β 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
Β 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
Β 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Β 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
Β 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
Β 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
Β 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
Β 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
Β 
Under the Dome (of failure driven pipeline)
Under the Dome (of failure driven pipeline)Under the Dome (of failure driven pipeline)
Under the Dome (of failure driven pipeline)Maciej Lasyk
Β 
Android NDK
Android NDKAndroid NDK
Android NDKSentinel Solutions Ltd
Β 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
Β 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable coden|u - The Open Security Community
Β 
Nullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBINullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBISunil Kumar
Β 

More Related Content

What's hot

Making Developers Productive with Vagrant, VirtualBox, and Docker
Making Developers Productive with Vagrant, VirtualBox, and DockerMaking Developers Productive with Vagrant, VirtualBox, and Docker
Making Developers Productive with Vagrant, VirtualBox, and DockerJohn Rofrano
Β 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store appsCsaba Fitzl
Β 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
Β 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
Β 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFFRI, Inc.
Β 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
Β 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...CODE BLUE
Β 
.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 Amanda Rousseau
Β 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
Β 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
Β 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
Β 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Β 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
Β 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
Β 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
Β 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
Β 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
Β 
Under the Dome (of failure driven pipeline)
Under the Dome (of failure driven pipeline)Under the Dome (of failure driven pipeline)
Under the Dome (of failure driven pipeline)Maciej Lasyk
Β 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
Β 

What's hot (20)

Making Developers Productive with Vagrant, VirtualBox, and Docker
Making Developers Productive with Vagrant, VirtualBox, and DockerMaking Developers Productive with Vagrant, VirtualBox, and Docker
Making Developers Productive with Vagrant, VirtualBox, and Docker
Β 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
Β 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
Β 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Β 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Β 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
Β 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
Β 
.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017
Β 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
Β 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
Β 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
Β 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Β 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Β 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008
Β 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Β 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Β 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Β 
Under the Dome (of failure driven pipeline)
Under the Dome (of failure driven pipeline)Under the Dome (of failure driven pipeline)
Under the Dome (of failure driven pipeline)
Β 
Android NDK
Android NDKAndroid NDK
Android NDK
Β 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Β 

Similar to Reversing Microsoft patches to reveal vulnerable code

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable coden|u - The Open Security Community
Β 
Nullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBINullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBISunil Kumar
Β 
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationnullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationn|u - The Open Security Community
Β 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
Β 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemLouis Jacomet
Β 
Simplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI APISimplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI APIVictorSzoltysek
Β 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
Β 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
Β 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw
Β 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)TestDevLab
Β 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
Β 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
Β 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
Β 
Virus Detection Based on the Packet Flow
Virus Detection Based on the Packet FlowVirus Detection Based on the Packet Flow
Virus Detection Based on the Packet FlowAntiy Labs
Β 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
Β 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
Β 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
Β 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
Β 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
Β 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
Β 

Similar to Reversing Microsoft patches to reveal vulnerable code (20)

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
Β 
Nullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBINullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBI
Β 
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationnullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
Β 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
Β 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
Β 
Simplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI APISimplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI API
Β 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
Β 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
Β 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
Β 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Β 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
Β 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
Β 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
Β 
Virus Detection Based on the Packet Flow
Virus Detection Based on the Packet FlowVirus Detection Based on the Packet Flow
Virus Detection Based on the Packet Flow
Β 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
Β 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012
Β 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012
Β 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
Β 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
Β 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
Β 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
Β 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
Β 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
Β 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
Β 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
Β 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
Β 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
Β 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
Β 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
Β 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
Β 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
Β 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
Β 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
Β 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
Β 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
Β 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
Β 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
Β 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
Β 
FULL ENJOY πŸ” 8264348440 πŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY πŸ” 8264348440 πŸ” Call Girls in Diplomatic Enclave | DelhiFULL ENJOY πŸ” 8264348440 πŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY πŸ” 8264348440 πŸ” Call Girls in Diplomatic Enclave | Delhisoniya singh
Β 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
Β 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Β 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
Β 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Β 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
Β 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Β 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Β 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
Β 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
Β 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Β 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
Β 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Β 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Β 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Β 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
Β 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Β 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Β 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Β 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Β 
FULL ENJOY πŸ” 8264348440 πŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY πŸ” 8264348440 πŸ” Call Girls in Diplomatic Enclave | DelhiFULL ENJOY πŸ” 8264348440 πŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY πŸ” 8264348440 πŸ” Call Girls in Diplomatic Enclave | Delhi
Β 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Β 

Reversing Microsoft patches to reveal vulnerable code

  • 1. Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia http://null.co.in/ http://nullcon.net/
  • 2. Introduction Need Process
  • 3. Introduction Birth of a security patch Discussion in the presentation Vulnerability Releases a Finding a 0day Reverse Vendor finds a Locate the Microsoft reaches the patch to fix the Highlight the vulnerability engineer the fix vulnerability patches vendor vulnerability difficulties patch patched http://null.co.in/ http://nullcon.net/
  • 4. Introduction For reversing and obtaining binary difference in my demos I would be using DarunGrim2 How DarunGrim works? β€’ The schema of DarunGrim is shown in the figure β€’ To generate diffing results – Binaries are disassembled in IDA Pro in the background and darungrim IDA plugin is run which creates the sqlite database – Diffing Engine, the heart of DarunGrim2. The sqlite db from IDA and the binaries from GUI are fed into this engine as inputs http://null.co.in/ http://nullcon.net/
  • 5. Introduction Algorithm ? β€’ Main algorithm of DarunGrim is Basic block fingerprint hash map β€’ Each basic block is 1 entity whose fingerprint is generated from the instruction sequence β€’ Fingerprint hash generated by IDA Pro β€’ Two fingerprint hash tables one each for unpatched and patched binary β€’ For finding the binary difference, each unique fingerprint from original binary is searched against the fingerprints of patched binary for a match β€’ All fingerprints in the original binary hash tables are either matched or unmatched http://null.co.in/ http://nullcon.net/
  • 6. Introduction Algorithm ? Contd.. β€’ For a function to be called matching, all the basic blocks in the function should be matching β€’ For unmatched functions DarunGrim calculates percentage match β€’ Match rate based on fingerprint string match – Similar to GNU Diff algorithm which is finding longest common subsequence http://null.co.in/ http://nullcon.net/
  • 7. Introduction Vulnerability Vs Exploit based signatures Exploit signatures β€’ Created by using byte string patterns or regular expressions β€’ These are exploit specific β€’ They are used widely mainly because of the ease of their creation β€’ Cater to only one type of input satisfying that vulnerability condition β€’ Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail β€’ For eg. Exploit based signature – ESig = β€œdocx?AAAAAAAAAAA...” – It will fail if some exploit uses a long string of B’s instead of A’s http://null.co.in/ http://nullcon.net/
  • 8. Introduction Vulnerability Vs Exploit based signatures Vulnerability signatures β€’ Based on the properties of the vulnerability and not on the properties of the exploit Vulnerability β€’ It is a superset of all the inputs satisfying a particular Signature vulnerability condition β€’ For eg. Vulnerability based signature for previous case – VSig = MATCH_STR (Buffer,"docx?(.*)$",limit) – Matches string in buffer with the regex – It is effective against any alphabet unlike exploit signature Exploit Signature http://null.co.in/ http://nullcon.net/
  • 9. Introduction Vulnerability Vs Exploit based signatures Vulnerability signatures contd.. β€’ For a good vulnerability signature – It should strictly not allow any false negatives as even one exploit can pwn the system and create a gateway for the attacker into the network. – It should allow very few false positives, as too many false positives may lead to a DoS attack for the system. – The signature matching time should not create a considerable delay for the software and services. http://null.co.in/ http://nullcon.net/
  • 10. Need β€’ The first step of creating an undisclosed exploit is to find the vulnerability to exploit it. β€’ To verify if the patch released by Microsoft is working as per it is designed. β€’ To create vulnerability based signatures. http://null.co.in/ http://nullcon.net/
  • 11. Process Finding patches Extraction of files Binary Differencing Differencing Analysis Debugging http://null.co.in/ http://nullcon.net/
  • 12. Process Finding patches β€’ Pick a vulnerability and download its patch β€’ Pick a vulnerability just before this one that patched the same program or dll – If unavailable, use the same dll from your system Quick-fix Use open source β€’ GDR or QFE/LDR ?? ms-patch-tools to easily get the file β€’ File Versioning versions to compare http://null.co.in/ http://nullcon.net/
  • 13. Process Finding patches DEMO http://null.co.in/ http://nullcon.net/
  • 14. Process Finding patches Extraction of files β€’ The traditional way of extracting file from patch – <patchfilename>.exe /x – Works only till Windows XP and earlier versions of Windows β€’ Above method cannot be used on Win7 and Vista patches delivered as msu http://null.co.in/ http://nullcon.net/
  • 15. Process Finding patches Extraction of files β€’ Use expand command – expand -F:* <Saved_MSU_File_Name>.msu C:<Folder_to_extract_in> – expand -F:* <Saved_MSU_File_Name>.cab C:<Folder_to_extract_in> http://null.co.in/ http://nullcon.net/
  • 16. Process Finding patches Extraction of files DEMO http://null.co.in/ http://nullcon.net/
  • 17. Process Finding patches Extraction of files Binary Differencing β€’ DarunGrim v2 used for binary difference – Feed in the two binaries to be compared – Generates a list of functions with the %age match between the two files β€’ Not every function %age < 100 is changed β€’ Includes false positives which requires manual analysis http://null.co.in/ http://nullcon.net/
  • 18. Process Finding patches Extraction of files Binary Differencing DEMO http://null.co.in/ http://nullcon.net/
  • 19. Process Finding patches Extraction of files Binary Differencing Differencing Analysis β€’ Manual inspection of functions with less than 100% match – Remove false positives generated by problems like β€’ Instruction reordering Lot of reordering happening over different releases marks even the same blocks as unmatched β€’ Split blocks Block in the graph which has only parent and the parent has only one child leads to a split block. causing a problem in the matching process Can be improved by merging the two blocks and treating as a single block. http://null.co.in/ http://nullcon.net/
  • 20. Process Finding patches Extraction of files Binary Differencing Differencing Analysis β€’ Hot patching Instructions like mov eax, eax at the start of functions are a sign of hot patching leading to a mismatch in the block By just ignoring the instruction we can get a match β€’ Compiler optimizations Different compilers and even different versions of the same compiler perform different optimizations which also creates problems in getting proper difference – Eventually reach a function which is indeed modified and might be the fix to the vulnerability being patched http://null.co.in/ http://nullcon.net/
  • 21. Process Finding patches Extraction of files Binary Differencing Differencing Analysis DEMO http://null.co.in/ http://nullcon.net/
  • 22. Process Finding patches Extraction of files Binary Differencing Differencing Analysis β€’ push [ebp-2Ch] ; unsigned int β€’ push [ebp-2Ch] ; unsigned int call ??2@YAPAXI@Z ; operator new(uint) call ??2@YAPAXI@Z ; operator new(uint) mov ebx, eax pop ecx pop ecx mov [ebp-14h], eax ; ebp-14h = pBuffer mov [ebp-18h], ebx mov [ebp-40h], eax mov [ebp-3Ch], ebx mov byte ptr [ebp-4], 2 mov byte ptr [ebp-4], 1 push [ebp-2Ch] push dword ptr [ebp-2Ch] mov ecx, esi mov ecx, esi push ebx push ebx push edi push [ebp-30h] call sub_118000C func(const *,void *,long) call sub_118000C func(const *,void *,long) mov esi, eax mov edi, eax test esi, esi test edi, edi jge short loc_118158A jge short http://null.co.in/ http://nullcon.net/
  • 23. Process Finding patches Extraction of files Binary Differencing Differencing Analysis Debugging β€’ To validate our finding of analysis by debugging – Getting a crash of the application – Creating a malformed file to get the crash β€’ Would be using Immunity Debugger http://null.co.in/ http://nullcon.net/
  • 24. Process Finding patches Extraction of files Binary Differencing Differencing Analysis Debugging DEMO http://null.co.in/ http://nullcon.net/
  • 25. Conclusion β€’ Presented an overview of how the 1-day exploits and Vulnerability signatures can be created β€’ Attempt was made to understand the process involved in reversing and the problems faced during the execution of the process β€’ Only talked about Microsoft patches but concept not limited to this. β€’ Concepts presented can be perfected by interested audience http://null.co.in/ http://nullcon.net/
  • 26. Thanks Questions?? http://null.co.in/ http://nullcon.net/