Presentation is loading. Please wait.

Presentation is loading. Please wait.

Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead

Published byCyrus Berkes Modified over 10 years ago

Similar presentations

Presentation on theme: "Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead"— Presentation transcript:

1 Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com

2 Why How Countermeasure Legal Statement

3 I am a Penetration Tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girl friend ^_^. I want to test effectiveness of security technologies.

4 Warning: Everything that I will discuss here is not applicable to.exe files. Logic – divide exe in two parts – means dont make exe. Code Interface Code – it is our normal code with some additional powers – stand alone executable code. Interface - interface will execute the code In simple words we need a shellcode type code and a interface to execute the shellcode.

5 Why we are splitting exe in two parts ? AV detection techniques Signature based Emulation + signature MD5 Heuristic If your binary is packed then AV uses Emulation + signature tech. for detection. By splitting exe in two parts we can bypass AVs. True fact: generating exe is simpler than writing the stand alone executable code that performs the same function.

6 Techniques: Code injection in another process Jump and Execute Loaders

7 Code injection in another process Interface – make a interface that will read the code and will inject it into another process. Raw Material: OpenProcess WriteProcessMemory CreateRemoteThread

8

9 Jump and Execute Interface – make a interface that will read the file and then jump to that location and execute the code Raw Material: ReadFile JMP

10

11 Loaders Interface – make a interface that will read the code and creates a trusted process in suspended mode and overwrite the code at the entry point of the suspended process and then resume the thread. Raw Material: CreateProcess – suspended WriteProcessMemory ResumeThread

12

13 What if AV flag Interface ? Yes, they can but the interface code is using legitimate APIs with very minimal code. Many legitimate programs use similar APIs so fear of false positive. May be they can flag on the basis of MD5

14 Simply call it shellcode detection The Philosophy Emulate or Execute Everything Exception – move to next byte Abort execution if anytime EIP >= 7xxxxxxx Scan – Detection

15

16 Shellcode Detection Technique and source codes are distributed under CC. http://creativecommons.org/licenses/by-nc/3.0/ Codes: https://sites.google.com/site/hacking1now/tools https://sites.google.com/site/hacking1now/tools

Download ppt "Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead"

Similar presentations

Chapter 4 Computation Bjarne Stroustrup www.stroustrup.com/Programming.

Chapter 4 Computation Bjarne Stroustrup
1 G54PRG Programming Lecture 1 Amadeo Ascó Adam Moore G54PRG Programming Lecture 1 Amadeo Ascó 3 Java Programming Language.

1 G54PRG Programming Lecture 1 Amadeo Ascó Adam Moore G54PRG Programming Lecture 1 Amadeo Ascó 3 Java Programming Language.
Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
Q1 Review. Other News US News top CS Universities global-universities/computer- science?int=994b08.

Q1 Review. Other News US News top CS Universities global-universities/computer- science?int=994b08.
Malware Dynamic Analysis Part 5 Veronica Kovah vkovah.ost at gmail See notes for citation1

Malware Dynamic Analysis Part 5 Veronica Kovah vkovah.ost at gmail See notes for citation1
Cosc 5/4730 Android Maps v2. Maps V1 and V2 In March 2013 google removed the ability to get a map key for version 1. Version 2 had been introduced in.

Cosc 5/4730 Android Maps v2. Maps V1 and V2 In March 2013 google removed the ability to get a map key for version 1. Version 2 had been introduced in.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Remote Controlled Agent Avital Yachin Ran Didi SoftLab – June 2006.

Remote Controlled Agent Avital Yachin Ran Didi SoftLab – June 2006.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
2006 Black Security1 Rootkits: the basics Tim Shelton [BL4CK] Black Security

2006 Black Security1 Rootkits: the basics Tim Shelton [BL4CK] Black Security
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Bypassing antivirus detection with encryption

Bypassing antivirus detection with encryption
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.

Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.
 | bit OR & bit AND ~ bit NOT ^ bit EXLUSIVE OR (XOR) > bit RIGHT SHIFT.

 | bit OR & bit AND ~ bit NOT ^ bit EXLUSIVE OR (XOR) > bit RIGHT SHIFT.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.

Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
GreenSQL Yuli Stremovsky /MSN/Gtalk:

GreenSQL Yuli Stremovsky /MSN/Gtalk:
DIRAC API DIRAC Project. Overview  DIRAC API  Why APIs are important?  Why advanced users prefer APIs?  How it is done?  What is local mode what.

DIRAC API DIRAC Project. Overview  DIRAC API  Why APIs are important?  Why advanced users prefer APIs?  How it is done?  What is local mode what.

Similar presentations

Ads by Google