BE-PUM: Binary Emulation for Pushdown Model Generation
Obfuscation code localization based on CFG generation of malware
Nguyen Minh Hai
Industrial University of Ho Chi Minh City (IUH)
with Quan Thanh Tho, Ho Chi Minh City University of Technology (HMCUT), in collaboration with Mizuhito Ogawa (JAIST)
January 2016
BE-PUM
• Binary Emulation for Pushdown Model Generation
• Key features:
  – Generates a model (CFG) from the binary code of malware
  – Shows better results than many other tools, e.g. IDA Pro, Jakstab, Hopper...
  – Tackles many obfuscation techniques and successfully unpacks many packers (27 different packers)
    ⇒ Generic unpacker for model generation of malware
  – Detects a packer by its semantic signature (recognizing packer techniques)
    ⇒ Semantic signature matching for packer detection
Agenda
1. Motivation
2. BE-PUM
3. Experiments
4. Conclusions
5. Demo
Malware
• Malware (malicious software) – a real threat
  – Virus
  – Trojan horse
  – Keylogger
• How to deal with it
  – Signature detection (industry approach)
  – Emulation (sandbox approach)
  – Model checking (formal approach)
Issues
• Signature-based: defeated by obfuscation techniques
• Sandbox-based
  – Heavy cost
  – A virus may behave differently at different points in time
  – A virus may even detect the sandbox environment
• Model checking
  – Model generation
  – Model checking
Model Checking Outline
[Figure: Model Generation → Model Checking]
Typical approach
• A Control Flow Graph (CFG) is generated as the model
  – One program location is mapped to one node
  – All destinations must be decided when branching
• Things are more difficult with sophisticated binaries:
  – Self-modifying code (encryption/decryption)
  – Indirect jumps
  – Many other obfuscation techniques
Control Flow Graph
• The choice of many tools (CodeSurfer/x86, McVeto, JakStab, BIRD, Renovo, Syman, BINCOA/OSMOSE, IDA Pro)

Hexa       Instructions
0x00401000 cmp eax, 0
0x00401003 jle 0x0040100d
0x00401005 mov eax, 0x00401001
0x0040100a jmp 0x00401015
0x0040100c halt
0x0040100d mov eax, 0x00401018
0x00401012 sub eax, 5
0x00401015 sub eax, 1
0x00401018 0x0040100c
[CFG figure: nodes 00, 03, 05, 0A, 12, 0D, 15, 18, 0A]
Example
[Figure]
Demo
BE-PUM
• BE-PUM: Binary Emulation for Pushdown Model Generation
• Applies pushdown model generation to binary code
  – Applies concolic testing (dynamic symbolic execution) to handle indirect jumps
  – Applies on-the-fly model generation to handle self-modifying code
  – Focuses on the obfuscation techniques used in malware and packer tools.
Running Example

Hexa       Instructions
0x00401000 cmp eax, 0
0x00401003 jle 0x0040100d
0x00401005 mov eax, 0x00401001
0x0040100a jmp 0x00401015
0x0040100c halt
0x0040100d mov eax, 0x00401018
0x00401012 sub eax, 5
0x00401015 sub eax, 1
0x00401018 jmp eax

• Start with eax = α, a symbolic value.
• The conditional jump at 0x00401003 splits the execution into two branches, eax < 0 and eax >= 0.
• The two branches together cover the program locations 00, 03, 05, 0a, 12, 0d, 15, 18.
• At 0x00401018 the destination of "jmp eax" is unknown: jmp to α?
  – Convert the symbolic value of α into a concrete value
  – Use white-box testing to under-approximate α

Test-case Generation
• Symbolic execution yields two paths over the locations 00, 03, 05, 0a, 12, 0d, 15, 18, one with path condition α >= 0 and one with α <= 0 (eax = α on both).
• Test-case-1 = 5
• Test-case-2 = -7

Enlarging the Model by Testing Result
• Simulation snapshot:
  eax=0x0040100C;
  start=0x00401000;
  return=0;
  address=0x0040100C;
• Emulating Test-case-1 and Test-case-2 resolves the indirect jump, and the model grows to the locations 00, 03, 05, 0a, 12, 0d, 15, 18, 0c.
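The running example above, worked end to end as an added Python example (not BE-PUM's own code): a toy concolic CFG builder for the nine-instruction listing. It forks on the symbolic eax = α at the jle, turns each feasible path condition into a test case with a brute-force stand-in for Z3 (so the values it picks, 0 and 1, differ from the slide's 5 and -7), and emulates each test case to resolve `jmp eax` and enlarge the CFG until a state repeats; the register model and the solver are assumptions of this example.

```python
"""Toy concolic CFG builder for the slides' running example (added example,
not BE-PUM's code). eax is the only register; its initial value is the symbolic
input alpha, kept as alpha + offset, which is all this program needs. A
brute-force check over a few candidate values stands in for the Z3 call."""
from collections import namedtuple
Sym = namedtuple("Sym", "offset")  # symbolic value alpha + offset

# Instruction listing from the slide: address -> (mnemonic, *operands)
PROGRAM = {
    0x00401000: ("cmp", "eax", 0),
    0x00401003: ("jle", 0x0040100d),
    0x00401005: ("mov", "eax", 0x00401001),
    0x0040100a: ("jmp", 0x00401015),
    0x0040100c: ("halt",),
    0x0040100d: ("mov", "eax", 0x00401018),
    0x00401012: ("sub", "eax", 5),
    0x00401015: ("sub", "eax", 1),
    0x00401018: ("jmp", "eax"),
}
ADDRS = sorted(PROGRAM)

def fallthrough(pc):
    return ADDRS[ADDRS.index(pc) + 1]  # next instruction in the listing

def solve(path_cond):
    """Stand-in for Z3: one integer alpha satisfying every (op, bound) constraint
    'alpha op bound' (closest to zero wins), or None if the path is infeasible."""
    candidates = {0}
    for _, bound in path_cond:
        candidates.update({bound - 1, bound, bound + 1})
    for alpha in sorted(candidates, key=lambda a: (abs(a), a)):
        if all((alpha <= b) if op == "<=" else (alpha > b) for op, b in path_cond):
            return alpha
    return None

def symbolic_paths(entry=0x00401000):
    """Phase 1 (symbolic): walk from entry with eax = alpha, forking at a jle whose
    flags depend on alpha (a cmp is assumed to precede it). Returns one path
    condition per feasible path that reaches the indirect 'jmp eax'."""
    paths = []
    # state: (pc, eax, last cmp operand, path condition, addresses on this path)
    work = [(entry, Sym(0), None, (), frozenset())]
    while work:
        pc, eax, cmp_val, pcond, trail = work.pop()
        if pc in trail:  # symbolic loop: stop here (no loop invariant)
            continue
        trail = trail | {pc}
        op, *args = PROGRAM[pc]
        if op == "cmp":  # flags := eax - 0, remembered for the following jle
            work.append((fallthrough(pc), eax, eax, pcond, trail))
        elif op == "mov":
            work.append((fallthrough(pc), args[1], cmp_val, pcond, trail))
        elif op == "sub":
            val = Sym(eax.offset - args[1]) if isinstance(eax, Sym) else eax - args[1]
            work.append((fallthrough(pc), val, cmp_val, pcond, trail))
        elif op == "jle" and isinstance(cmp_val, Sym):
            # fork: alpha + off <= 0 takes the jump, alpha + off > 0 falls through
            for cond, dst in ((("<=", -cmp_val.offset), args[0]),
                              ((">", -cmp_val.offset), fallthrough(pc))):
                if solve(pcond + (cond,)) is not None:  # keep feasible branches only
                    work.append((dst, eax, cmp_val, pcond + (cond,), trail))
        elif op == "jle":
            dst = args[0] if cmp_val <= 0 else fallthrough(pc)
            work.append((dst, eax, cmp_val, pcond, trail))
        elif op == "jmp" and args[0] == "eax":
            paths.append(pcond)  # "jmp to alpha?": resolved by a test case for this path
        elif op == "jmp":
            work.append((args[0], eax, cmp_val, pcond, trail))
    return paths  # halt ends a path without recording it

def concrete_run(alpha, edges, entry=0x00401000):
    """Phase 2 (concrete): emulate from entry with eax = alpha, adding every executed
    edge to the CFG; stop at halt, outside the listing, or when (pc, eax) repeats."""
    pc, eax, cmp_val, seen = entry, alpha, None, set()
    while pc in PROGRAM and (pc, eax) not in seen:
        seen.add((pc, eax))
        op, *args = PROGRAM[pc]
        if op == "halt":
            break
        if op == "cmp":
            cmp_val, nxt = eax, fallthrough(pc)
        elif op == "mov":
            eax, nxt = args[1], fallthrough(pc)
        elif op == "sub":
            eax, nxt = eax - args[1], fallthrough(pc)
        elif op == "jle":
            nxt = args[0] if cmp_val <= 0 else fallthrough(pc)
        else:  # jmp: direct target, or the register value, concrete by now
            nxt = eax if args[0] == "eax" else args[0]
        edges.add((pc, nxt))
        pc = nxt
    return pc  # final address reached with this test case

def build_cfg(entry=0x00401000):
    """Turn each feasible path condition into a test case and let its emulation
    enlarge the model. Returns (edges, {alpha: final address})."""
    edges, results = set(), {}
    for pcond in symbolic_paths(entry):
        alpha = solve(pcond)
        results[alpha] = concrete_run(alpha, edges, entry)
    return edges, results
```

The test case for the α <= 0 path ends at 0x0040100c with eax = 0x0040100c, the snapshot shown on the slide, and the resulting node set is exactly the nine listed addresses.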
Framework
[Figure]
Strategy for covered instruction selection
• Instruction statistics collected from virus samples
• Full list of 300 supported instructions (excerpt; columns of the original table: Arithmetic, Conditional Jump, Call, Jump, Return, Move, Control)
add shl Call je jz jne jump mov cmovg ret cmp out setna lods daa
and sal jnz jb jnae xchg cmovl int pop setnae movs das
sub dec jc jnb jae movz cmovl aaa popa setnb neg enter
or inc jnc jng jnae movsb cmovna aad popf setnbe nop in
xor adc jle ja jl movsw cmovnae aam push setnc shld int1
imul shr jnge jnl jnbe mosx cmovnbe aas pusha setne shrd int3
ror ror jge jo jg movzb cmovne bsf pushf setng stc lahf
div rep jnle jns loop movzw cmovng bswap rdtsc setnge stos lea
sbb mul js jno jp cmova cmovnge bt sahf setnl test leave
clc sar jno jpe jecxz cmovb cmovnl btc scas setnle xlat
not ror jmp loope loopne cmovbe cmovnle brt seta setno cbw
idiv rcr loop loopz loopnz cmovc cmovno bts setae setnp cwde
xadd rol cmove cmovnp cbw setb setns cmps
adc rcl cmovp cmovns cdq setbe seto cmpxchg
dec mul cmovpe cmovnz clc setc setp cmpxchg8b
shr sbb cmovpo cmovo cld sete setpe cpuid
sar cmovs cmovz cli setg setpo cwd
cltd setge sets cwde
cmc setl setz cwt
Supported 400 Windows APIs
• Kernel32.dll: _lwrite, accept, bind, CloseHandle, closesocket, connect, CopyFile, CreateFile,
  CreateFileMapping, CreateProcess, CreateThread, DeleteFile, ExitProcess, FindClose, FindFirstFile,
  FindNextFile, FreeEnvironmentStrings, GetCommandLine, GetCurrentDirectory, GetCurrentProcess,
  GetEnvironmentStrings, GetFileAttributes, GetFileSize, GetFileType, gethostbyname, gethostname,
  GetLastError, GetLocalTime, GetModuleFileName, GetModuleHandle, GetProcAddress, GetStartupInfo,
  GetStdHandle, GetSystemDirectory, GetSystemTime, GetTickCount, GetVersion, GetVersionEx,
  GetWindowsDirectory, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, IsDebuggerPresent,
  listen, LoadLibrary, lstrcat, lstrcmp, lstrcpy, lstrlen, MapViewOfFile, MoveFile, PeekMessageA,
  ReadFile, recv, RegCloseKey, RegOpenKeyEx, RegSetValueEx, send, SetCurrentDirectory, SetEndOfFile,
  SetFileAttributes, SetFilePointer, SetHandleCount, shutdown, socket, UnmapViewOfFile, VirtualAlloc,
  VirtualFree, WaitForSingleObject, WinExec, WriteFile, WSACleanup, WSAStartup...
• User32.dll: MessageBox, SendMessage, FindWindow, PostMessage.
Best Practice
• Apply a breadth-first-search strategy and ask Z3 to generate as many test cases as possible
• Use JNA (Java Native Access) to simulate API calls
Indirect Jump
• Virus.Win32.Aztec
00401057 . B8 00100000  MOV EAX,1000
0040105C . 05 00004000  ADD EAX, 00400000
00401061 . FFE0         JMP EAX
[Figure: CFG from BE-PUM vs. IDA Pro]
Overlapping Instruction
• HLLW.Rolog.f
• Junk code modifies the return address.
00437002 E8 03000000  CALL 0043700A
00437007 E9 EB045D45  JMP 45A074F7

00437002 CALL 0043700A
0043700D RETN
0043700A POP EBP
0043700B INC EBP
0043700C PUSH EBP
[Figure: code layout]
Demo
[Figure: CFG from BE-PUM vs. IDA Pro]
Self-Modifying Code
• Virus.Win32.Seppuku.1606: self-modifying code
00401646 E8 B5F9FFFF  CALL 00401000
EDI = 401067
004010E5 MOV EAX,DWORD PTR SS:[EBP+401489]
004010EB STOS DWORD PTR ES:[EDI]
00401646 E8 00000000  CALL 0040164B
Decryption
• Email-Worm.Win32.Kickin.d: self-decryption
Encrypted bytes at 00609223, as a static disassembler reads them:
00609223 pop ebp
00609224 push 3d
00609226 mov byte ptr ds:[esi+9cccd0e5],dh
0060922C retn 8d9e
0060922F pxor mm5,mm3
00609232 dec ecx
00609233 fiadd word ptr ds:[ecx+80a6b31]
Decryption loop (ecx was set to 0CAh):
0060933A mov ecx,0ca
00609345 lods byte ptr ds:[esi]
00609346 xor al,ah
00609348 inc ah
0060934A rol ah,2
0060934D add ah,90
00609350 stos byte ptr es:[edi]
00609351 loopd 00609345
The same bytes after the loop has run:
00609223 call 00609228
00609228 mov ebx, [ebp+402705]
0060922E add ebx,28
00609231 pop eax
00609232 sub eax,ebx
00609234 mov [ebp+40270d],eax
Demo
[Figure: CFG from BE-PUM vs. IDA Pro]
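The decryption loop above, emulated as an added Python example (not BE-PUM's code) to show what an emulator has to reproduce before the real code at 00609223 becomes visible: 8-bit wraparound on ah, the rol/add key schedule, and ecx-driven termination. The initial ah value and the sample buffer are constructed assumptions; the slide does not give them.

```python
"""Emulation of the Kickin.d decryption loop listed on the slide (added example,
not BE-PUM's code). Register widths follow x86: al and ah are 8-bit, so inc, rol
and add on ah wrap modulo 256; lods/stos advance one byte (DF = 0 assumed) and
loopd runs the body ecx times. The initial ah and the sample buffer below are
constructed here; the slide does not give them."""

def rol8(x, n):
    """8-bit rotate left, as 'rol ah, n' does."""
    n %= 8
    return ((x << n) | (x >> (8 - n))) & 0xFF

def key_stream(ah, n):
    """Successive ah values xor-ed into the bytes: inc ah; rol ah,2; add ah,90h."""
    keys = []
    for _ in range(n):
        keys.append(ah)
        ah = (ah + 1) & 0xFF         # inc ah
        ah = rol8(ah, 2)             # rol ah,2
        ah = (ah + 0x90) & 0xFF      # add ah,90
    return keys

def kickin_loop(buf, ah, ecx=0xCA):
    """Run the loop at 00609345-00609351 over buf with the given initial ah.
    The key byte never depends on the data (xor al,ah only writes al), so the
    same routine both encrypts and decrypts."""
    n = min(ecx, len(buf))            # mov ecx,0ca ... loopd: ecx iterations
    keys = key_stream(ah, n)
    out = bytearray(buf)
    for i in range(n):
        out[i] = buf[i] ^ keys[i]     # lods; xor al,ah; stos
    return bytes(out)

# Constructed sample: the decrypted listing starts with 'call 00609228' at
# 00609223 (E8 00 00 00 00, rel32 = 0) followed by 'mov ebx, [ebp+402705]'
# (8B 9D 05 27 40 00). SEED_AH is an arbitrary assumed initial key.
PLAINTEXT = bytes.fromhex("e800000000" "8b9d05274000")
SEED_AH = 0x10
CIPHERTEXT = kickin_loop(PLAINTEXT, SEED_AH)  # what the file would hold on disk
```

Disassembling CIPHERTEXT statically gives meaningless instructions, exactly as in the first listing; only running the loop (here, `kickin_loop(CIPHERTEXT, SEED_AH)`) recovers the call and mov.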
Comparison with others
• BE-PUM current tool: precise models (CFG) generated from real malware
  – Indirect jumps (now)
  – Self-modification (now)
  – Decryption (now)
  – SEH (now)
  – Packer techniques (now)
• Experiments
  – Compare the CFG with those generated by Jakstab and IDA Pro
Experiment statistics
[Table]
Supported Techniques in Packer
[Table]
Related Works
[Figure]
Remarks
• BE-PUM plays the roles of both model generator and emulator for binaries
  – Model generation: on-the-fly, with the concolic technique
    – Missing piece: loop invariants (handled by looping many, many times if needed)
  – Emulator
    – A "symbolic sandbox"
Demo
Thank you for your attention

OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 

Tetcon2016 160104

  • 8. Control Flow Graph
  • Choices of many tools (CodeSurfer/x86, McVeto, JakStab, BIRD, Renovo, Syman, BINCOA/OSMOSE, IDA Pro)
  Hexa          Instructions
  0x00401000    cmp eax, 0
  0x00401003    jle 0x0040100d
  0x00401005    mov eax, 0x00401001
  0x0040100a    jmp 0x00401015
  0x0040100c    halt
  0x0040100d    mov eax, 0x00401018
  0x00401012    sub eax, 5
  0x00401015    sub eax, 1
  0x00401018    jmp eax
  (CFG figure: nodes 00 03 05 0a 12 0d 15 18; the successor of node 18, the indirect jump, is what these tools have to decide)
  • 12. Demo
  • 13. Demo
  • 14. BE-PUM
  • BE-PUM - Binary Emulation for Pushdown Model Generation
  • Applies pushdown model generation to binary code:
  Concolic testing (dynamic symbolic execution) to handle indirect jumps
  On-the-fly model generation to handle self-modifying code
  Focus on the obfuscation techniques used in malware and packer tools
  • 16. Running Example
  Hexa          Instructions
  0x00401000    cmp eax, 0
  0x00401003    jle 0x0040100d
  0x00401005    mov eax, 0x00401001
  0x0040100a    jmp 0x00401015
  0x0040100c    halt
  0x0040100d    mov eax, 0x00401018
  0x00401012    sub eax, 5
  0x00401015    sub eax, 1
  0x00401018    jmp eax
  • 17–18. Running Example: the initial value of eax is unknown and is represented by the symbolic value α (eax = α).
  • 19. Running Example: the conditional branch at 0x00401003 splits the path. jle is a signed comparison, so the jump to 0x0040100d is taken when eax ≤ 0 and execution falls through to 0x00401005 when eax > 0.
  • 20. Running Example: the CFG built so far has nodes 00 03 05 0a 12 0d 15 18. At 0x00401018, jmp eax jumps to a value that depends on α. Jump to α? Convert the symbolic value α into concrete values; white-box testing under-approximates the set of values α can take.
  • 21. Test-case Generation: the two paths 00 03 05 0a 15 18 and 00 03 0d 12 15 18 carry the path conditions α > 0 and α ≤ 0 respectively. One satisfying assignment per path is enough to reach jmp eax with a concrete eax: Test-case-1 = 5, Test-case-2 = -7.
  • 22. Enlarging the Model by Testing Result
  Simulation snapshot: eax=0x0040100C; start=0x00401000; return=0; address=0x0040100C;
  With Test-case-2, eax becomes 0x00401018 - 5 - 1 = 0x00401012, so jmp eax lands on 0x00401012; a second round through sub eax, 5 and sub eax, 1 gives 0x0040100c, where halt ends the run. With Test-case-1, eax becomes 0x00401001 - 1 = 0x00401000 and jmp eax loops back to the first instruction. The two runs add the edges out of node 18 and the new node 0c to the model: 00 03 05 0a 12 0d 15 18 0c.
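The concolic loop of slides 16–22 (run a concrete test case, record the path condition on α, flip a branch decision, ask the solver for a new input, resolve jmp eax with the concrete eax) and the breadth-first worklist of slide 26, as an added example in Python. This is not BE-PUM's code: the instruction listing is the slide's, typed in by hand; a brute-force search over a small integer range stands in for Z3; and loops are cut at the first repeated concrete state rather than by the deck's repeated unrolling.

```python
# Added example (not BE-PUM's code): concolic CFG construction for the deck's
# nine-instruction running example.  The listing is the slide's; the solver is
# a brute-force stand-in for Z3 and loops are cut at the first repeated state.

PROGRAM = {  # address -> (mnemonic, operand), copied from the slide
    0x00401000: ("cmp", 0),
    0x00401003: ("jle", 0x0040100D),
    0x00401005: ("mov", 0x00401001),
    0x0040100A: ("jmp", 0x00401015),
    0x0040100C: ("halt", None),
    0x0040100D: ("mov", 0x00401018),
    0x00401012: ("sub", 5),
    0x00401015: ("sub", 1),
    0x00401018: ("jmp_eax", None),
}
ORDER = sorted(PROGRAM)
MASK = 0xFFFFFFFF

def fallthrough(pc):
    return ORDER[ORDER.index(pc) + 1]

def signed32(v):
    v &= MASK
    return v - (1 << 32) if v & 0x80000000 else v

def run_concrete(alpha, max_steps=64):
    """Emulate from 0x00401000 with eax = alpha.  eax is tracked concretely and,
    while it is still an affine function a*alpha + b of the input, symbolically.
    Returns the CFG edges seen and the path condition as (a, b, taken) triples
    meaning (a*alpha + b <= 0) == taken for each branch decided on a symbolic eax."""
    pc, eax, sym = 0x00401000, alpha & MASK, (1, 0)
    cmp_val = cmp_sym = None
    edges, path, seen = set(), [], set()
    for _ in range(max_steps):
        if (pc, eax) in seen:          # same concrete state again: a loop
            break
        seen.add((pc, eax))
        op, arg = PROGRAM[pc]
        if op == "halt":
            break
        if op == "cmp":
            cmp_val = signed32(eax - arg)
            cmp_sym = (sym[0], sym[1] - arg) if sym else None
            nxt = fallthrough(pc)
        elif op == "jle":              # signed less-or-equal
            taken = cmp_val <= 0
            if cmp_sym is not None:
                path.append((cmp_sym[0], cmp_sym[1], taken))
            nxt = arg if taken else fallthrough(pc)
        elif op == "mov":              # eax no longer depends on alpha
            eax, sym = arg & MASK, None
            nxt = fallthrough(pc)
        elif op == "sub":
            eax = (eax - arg) & MASK
            sym = (sym[0], sym[1] - arg) if sym else None
            nxt = fallthrough(pc)
        elif op == "jmp":
            nxt = arg
        else:                          # jmp eax, resolved with the concrete eax
            nxt = eax
        edges.add((pc, nxt))
        if nxt not in PROGRAM:         # jumped outside the listing
            break
        pc = nxt
    return edges, path

def solve(path, lo=-128, hi=128):
    """Brute-force stand-in for Z3: an alpha satisfying every constraint, or None."""
    for alpha in range(lo, hi):
        if all(((a * alpha + b) <= 0) == taken for a, b, taken in path):
            return alpha
    return None

def build_cfg(seed=5):
    """Breadth-first concolic exploration: run one test case, flip each branch
    decision on its path, ask the solver for an input that reaches the other
    side, and merge the edges of every run into one CFG."""
    worklist, explored = [seed], set()   # explored = branch-decision sequences
    edges, tests = set(), []
    while worklist:
        alpha = worklist.pop(0)
        run_edges, path = run_concrete(alpha)
        decisions = tuple(t for _, _, t in path)
        if decisions in explored:
            continue
        explored.add(decisions)
        edges |= run_edges
        tests.append(alpha)
        for i, (a, b, taken) in enumerate(path):
            flipped = path[:i] + [(a, b, not taken)]
            prefix = tuple(t for _, _, t in flipped)
            if any(d[:len(prefix)] == prefix for d in explored):
                continue
            alt = solve(flipped)
            if alt is not None:
                worklist.append(alt)
    return edges, tests

def targets_of(edges, addr):
    """Resolved successors of one instruction, e.g. the jmp eax at 0x00401018."""
    return {dst for src, dst in edges if src == addr}
```

`build_cfg()` returns two test cases, one per side of the jle, and a CFG in which the jmp eax at 0x00401018 has three resolved targets: 0x00401000 (the loop from Test-case-1) and 0x00401012 then 0x0040100c (the two rounds of Test-case-2 that end in halt). Because the successors of jmp eax are only those reached by executed test cases, the model is an under-approximation, as slide 20 says; a branch the solver cannot reach in range stays absent rather than being guessed.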
  • 24. Strategy for covered instruction selection
  • Instruction statistics collected from virus samples
  • Full list of 300 supported instructions; the slide shows the following, grouped under Call/Jump/Return, Arithmetic, Conditional Jump, Move and Control (duplicates dropped, slide typos marked sic):
  Call / jump / return / stack: call, jmp, ret, int, int1, int3, enter, leave, push, pusha, pushf, pop, popa, popf, loop, loope, loopz, loopne, loopnz, jecxz
  Arithmetic and logic: add, adc, sub, sbb, inc, dec, neg, mul, imul, div, idiv, and, or, xor, not, test, cmp, shl, sal, shr, sar, shld, shrd, rol, ror, rcl, rcr, daa, das, aaa, aad, aam, aas, cbw, cwd, cwde, cdq, cltd, cwt (sic), bsf, bswap, bt, btc, bts, brt (sic), xadd, cmpxchg, cmpxchg8b
  Conditional jump: je, jz, jne, jnz, jb, jnae, jc, jnb, jae, jnc, ja, jnbe, jl, jnge, jge, jnl, jle, jng, jg, jnle, jo, jno, js, jns, jp, jpe
  Move and string: mov, movs, movsb, movsw, movz (movzx), movzb, movzw, mosx (sic, movsx), lea, xchg, lods, stos, scas, cmps, xlat, lahf, sahf, rep
  Conditional move: cmova, cmovb, cmovbe, cmovc, cmove, cmovg, cmovl, cmovna, cmovnae, cmovnbe, cmovne, cmovng, cmovnge, cmovnl, cmovnle, cmovno, cmovnp, cmovns, cmovnz, cmovo, cmovp, cmovpe, cmovpo, cmovs, cmovz
  Set on condition: seta, setae, setb, setbe, setc, sete, setg, setge, setl, setna, setnae, setnb, setnbe, setnc, setne, setng, setnge, setnl, setnle, setno, setnp, setns, seto, setp, setpe, setpo, sets, setz
  Control / flags / misc: nop, in, out, stc, clc, cld, cli, cmc, rdtsc, cpuid
  • 25. 400 supported Windows APIs
  • Kernel32.dll: _lwrite, accept, bind, CloseHandle, closesocket, connect, CopyFile, CreateFile, CreateFileMapping, CreateProcess, CreateThread, DeleteFile, ExitProcess, FindClose, FindFirstFile, FindNextFile, FreeEnvironmentStrings, GetCommandLine, GetCurrentDirectory, GetCurrentProcess, GetEnvironmentStrings, GetFileAttributes, GetFileSize, GetFileType, gethostbyname, gethostname, GetLastError, GetLocalTime, GetModuleFileName, GetModuleHandle, GetProcAddress, GetStartupInfo, GetStdHandle, GetSystemDirectory, GetSystemTime, GetTickCount, GetVersion, GetVersionEx, GetWindowsDirectory, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, IsDebuggerPresent, listen, LoadLibrary, lstrcat, lstrcmp, lstrcpy, lstrlen, MapViewOfFile, MoveFile, PeekMessageA, ReadFile, recv, RegCloseKey, RegOpenKeyEx, RegSetValueEx, send, SetCurrentDirectory, SetEndOfFile, SetFileAttributes, SetFilePointer, SetHandleCount, shutdown, socket, UnmapViewOfFile, VirtualAlloc, VirtualFree, WaitForSingleObject, WinExec, WriteFile, WSACleanup, WSAStartup...
  (The slide labels the whole list Kernel32.dll; strictly, the socket functions accept, bind, closesocket, connect, gethostbyname, gethostname, listen, recv, send, shutdown, socket, WSACleanup and WSAStartup are exported by ws2_32.dll, RegCloseKey, RegOpenKeyEx and RegSetValueEx by advapi32.dll, and PeekMessageA by user32.dll.)
  • User32.dll: MessageBox, SendMessage, FindWindow, PostMessage.
  • 26. Best Practice
  • Apply a breadth-first search strategy and ask Z3 to generate as many test cases as possible
  • Use JNA (Java Native Access) to simulate API calls
  • 27. Indirect Jump
  • Virus.Win32.Aztec
  00401057   B8 00100000   MOV EAX, 1000
  0040105C   05 00004000   ADD EAX, 00400000
  00401061   FFE0          JMP EAX
  (figure: the CFG from BE-PUM beside the one from IDA Pro; EAX evaluates to 00401000, so the indirect jump has a single concrete target that emulation recovers)
  • 28. Overlapping Instruction
  • HLLW.Rolog.f: junk code modifies the return address.
  Linear decoding:
  00437002   E8 03000000   CALL 0043700A
  00437007   E9 EB045D45   JMP 45A074F7
  As executed (the bytes 5D 45 at 0043700A..0043700B are the tail of the JMP's 32-bit displacement):
  00437002   CALL 0043700A
  0043700A   POP EBP          ; EBP = return address 00437007
  0043700B   INC EBP          ; EBP = 00437008
  0043700C   PUSH EBP
  0043700D   RETN             ; returns into the middle of the 5-byte JMP
  At 00437008 the bytes EB 04 decode as a short jump to 0043700E, an instruction that overlaps the JMP decoded at 00437007 and that a disassembler following the linear listing never sees.
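The same bytes decoded two ways, as an added example that is not BE-PUM's code. The twelve bytes are the slide's CALL and JMP encodings followed by PUSH EBP and RETN; the slide gives only the mnemonics for those two, so their encodings 55 and C3 are assumed here. A linear sweep yields the JMP to 45A074F7; following control flow with a concrete stack, as an emulator does, lands on 00437008, inside that JMP.

```python
# Added example (not BE-PUM's code): the HLLW.Rolog.f bytes from the slide,
# decoded linearly and then as actually executed.  Only the seven opcodes that
# occur in the snippet are supported.
BASE = 0x00437002
# E8 03000000 / E9 EB045D45 are on the slide; 55 C3 (push ebp / retn) are assumed
CODE = bytes.fromhex("E803000000" "E9EB045D45" "55" "C3")
ONE_BYTE = {0x5D: "pop ebp", 0x45: "inc ebp", 0x55: "push ebp", 0xC3: "retn"}

def decode(addr):
    """Decode one instruction at addr -> (length, mnemonic, branch target or None)."""
    off = addr - BASE
    op = CODE[off]
    if op in (0xE8, 0xE9):                     # call / jmp rel32
        rel = int.from_bytes(CODE[off + 1:off + 5], "little", signed=True)
        return 5, "call" if op == 0xE8 else "jmp", (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB:                             # jmp short rel8
        rel = int.from_bytes(CODE[off + 1:off + 2], "little", signed=True)
        return 2, "jmp short", (addr + 2 + rel) & 0xFFFFFFFF
    return 1, ONE_BYTE[op], None

def linear_sweep(addr=BASE):
    """What a disassembler that decodes the bytes in order sees."""
    out = []
    while addr < BASE + len(CODE):
        n, mnem, tgt = decode(addr)
        out.append((addr, mnem, tgt))
        addr += n
    return out

def execute(max_steps=16):
    """Follow control flow with a concrete stack, the way an emulator would."""
    pc, ebp, stack, trace = BASE, 0, [], []
    for _ in range(max_steps):
        if not BASE <= pc < BASE + len(CODE):   # left the snippet
            break
        n, mnem, tgt = decode(pc)
        trace.append((pc, mnem, tgt))
        if mnem == "call":
            stack.append(pc + n)                # return address 0x00437007
            pc = tgt
        elif mnem in ("jmp", "jmp short"):
            pc = tgt
        elif mnem == "pop ebp":
            ebp = stack.pop()
            pc += n
        elif mnem == "inc ebp":                 # return address + 1
            ebp = (ebp + 1) & 0xFFFFFFFF
            pc += n
        elif mnem == "push ebp":
            stack.append(ebp)
            pc += n
        else:                                   # retn into the modified address
            pc = stack.pop()
    return trace

def overlaps(sweep, trace):
    """Executed addresses that fall strictly inside a linearly decoded instruction."""
    spans = {a: decode(a)[0] for a, _, _ in sweep}
    return sorted({pc for pc, _, _ in trace
                   if any(a < pc < a + n for a, n in spans.items())})
```

`execute()` ends with `(0x00437008, "jmp short", 0x0043700E)`, and `overlaps()` reports 00437008, 0043700A and 0043700B as executed addresses hidden inside the linearly decoded JMP. A CFG built from the sweep alone would carry a bogus edge to 45A074F7 and miss the real one; a model generator has to decode at the addresses execution actually reaches.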
  • 30. Self-Modifying Code
  • Virus.Win32.Seppuku.1606: self-modifying code
  Before:
  00401646   E8 B5F9FFFF   CALL 00401000
  EDI = 401067
  004010E5   MOV EAX, DWORD PTR SS:[EBP+401489]
  004010EB   STOS DWORD PTR ES:[EDI]
  After the STOS has overwritten the CALL's displacement:
  00401646   E8 00000000   CALL 0040164B
  • 31. Decryption
  • Email-Worm.Win32.Kickin.d: self-decryption
  Before decryption (the bytes at 00609223 decode as junk):
  00609223   pop ebp
  00609224   push 3d
  00609226   mov byte ptr ds:[esi+9cccd0e5], dh
  0060922C   retn 8d9e
  0060922F   pxor mm5, mm3
  00609232   dec ecx
  00609233   fiadd word ptr ds:[ecx+80a6b31]
  Decryption loop (ecx was set to 0CAh):
  0060933A   mov ecx, 0ca
  00609345   lods byte ptr ds:[esi]
  00609346   xor al, ah
  00609348   inc ah
  0060934A   rol ah, 2
  0060934D   add ah, 90
  00609350   stos byte ptr es:[edi]
  00609351   loopd 00609345
  After decryption:
  00609223   call 00609228
  00609228   mov ebx, [ebp+402705]
  0060922E   add ebx, 28
  00609231   pop eax
  00609232   sub eax, ebx
  00609234   mov [ebp+40270d], eax
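The Kickin.d loop above is a byte-wise XOR with a keystream that depends only on ah (inc, rol 2, add 90h per byte), so encryption and decryption are the same operation. The added example below, which is not BE-PUM's or the worm's code, emulates the loop over a constructed buffer and adds the bookkeeping that on-the-fly model generation (slide 14) needs for self-modifying code: every STOS is a write, and any CFG node whose bytes were overwritten must be thrown away and re-decoded. The initial ah, the in-place start address 00609223 and the CFG nodes used in the demo are assumptions, not values from the slide.

```python
# Added example (not BE-PUM's or the worm's code): the Kickin.d decryption loop
# from the slide, emulated over a constructed buffer, plus the bookkeeping an
# on-the-fly model generator needs when code bytes change under it.

DECRYPT_START = 0x00609223   # assumption: the body is decrypted in place from here
LOOP_COUNT = 0xCA            # mov ecx, 0ca (from the slide)

def rol8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF

def next_ah(ah):
    """Per-byte key update from the slide: inc ah; rol ah, 2; add ah, 90h."""
    return (rol8((ah + 1) & 0xFF, 2) + 0x90) & 0xFF

def keystream(ah, n):
    """Key bytes XORed into the first n bytes, starting from the initial ah."""
    out = []
    for _ in range(n):
        out.append(ah)
        ah = next_ah(ah)
    return out

def encrypt(plain, ah):
    """XOR with the same keystream: what the packer did before shipping the body."""
    return bytes(p ^ k for p, k in zip(plain, keystream(ah, len(plain))))

def decrypt_loop(mem, esi, edi, ecx, ah):
    """Emulate: lods byte [esi]; xor al, ah; inc ah; rol ah, 2; add ah, 90h;
    stos byte [edi]; loopd.  mem maps address -> byte.  Returns the addresses
    written, which is what a self-modification watch has to look at."""
    written = []
    while True:
        al = mem.get(esi, 0) ^ ah      # lods + xor al, ah
        esi += 1
        ah = next_ah(ah)               # inc / rol / add
        mem[edi] = al                  # stos
        written.append(edi)
        edi += 1
        ecx -= 1                       # loopd: decrement, branch while ecx != 0
        if ecx == 0:
            break
    return written

def stale_nodes(cfg_nodes, written):
    """CFG nodes (address, length) whose bytes were overwritten; the model
    generator must discard them and re-decode from the new bytes."""
    hit = set(written)
    return [(a, n) for a, n in cfg_nodes if any(x in hit for x in range(a, a + n))]

def demo(ah0=0x5A):
    """Round trip on a constructed payload with an assumed initial ah."""
    plain = bytes((i * 37 + 11) & 0xFF for i in range(LOOP_COUNT))   # constructed
    mem = {DECRYPT_START + i: c for i, c in enumerate(encrypt(plain, ah0))}
    written = decrypt_loop(mem, DECRYPT_START, DECRYPT_START, LOOP_COUNT, ah0)
    recovered = bytes(mem[a] for a in written)
    # constructed CFG nodes: two inside the encrypted body, two in the decryptor
    nodes = [(0x00609223, 1), (0x00609224, 2), (0x0060933A, 5), (0x00609345, 1)]
    return recovered == plain, written, stale_nodes(nodes, written)
```

`demo()` recovers the constructed plaintext, reports the 0xCA written addresses, and flags the two nodes that were decoded from the junk bytes at 00609223 and 00609224 as stale while leaving the decryptor's own nodes alone. That invalidation step is what turns the pre-decryption listing on the slide into the post-decryption one without re-disassembling the whole image.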
  • 33. Comparison with others
  • BE-PUM current tool: precise models (CFG) generated from real malware, handling
  Indirect jumps (now)
  Self-modification (now)
  Decryption (now)
  SEH (now)
  Packer techniques (now)
  • Experiments: compare the CFG with those generated by Jakstab and IDA Pro
  • 37. Remarks
  • BE-PUM plays the roles of both model generator and model emulator for binaries
  Model generation: on-the-fly, with concolic techniques
  – Missing piece: loop invariants (handled by unrolling, looping as many times as needed)
   Emulator: a "symbolic sandbox"
  • 39. Thank you for your attention

Editor's Notes

  1. Simulation: a simulation is a system that behaves similarly to something else but is implemented in an entirely different way. It provides the basic behaviour of a system but need not adhere to all of the rules of the system being simulated; it is there to give you an idea of how something works. Example: think of a flight simulator. It looks and feels like flying an airplane, but you are completely disconnected from the reality of flying the plane, and you can bend or break the rules as you see fit, for example fly an Airbus A380 upside down between London and Sydney without breaking it.
  Emulation: an emulation is a system that behaves exactly like something else and adheres to all of the rules of the system being emulated. It is effectively a complete replication of another system, right down to being binary compatible with the emulated system's inputs and outputs, but operating in a different environment from that of the original. The rules are fixed and cannot be changed, or the system fails. Example: the M.A.M.E. system is built around this very premise. Long-forgotten arcade systems that were implemented almost entirely in hardware, or in the firmware of their hardware, can be emulated right down to the original bugs and crashes that would occur when you reached the highest possible score.