Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead

Why
How
Countermeasure
Legal Statement

I am a penetration tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girlfriend ^_^. I want to test the effectiveness of security technologies.

Warning: everything that I will discuss here is not applicable to .exe files. Logic: divide the exe in two parts, which means don't make an exe at all. The two parts are Code and Interface. Code: it is our normal code with some additional powers, i.e. stand-alone executable code. Interface: the interface will execute the code. In simple words, we need shellcode-type code and an interface to execute the shellcode.

Why are we splitting the exe in two parts? AV detection techniques: signature based, emulation + signature, MD5, heuristic. If your binary is packed then the AV uses the emulation + signature technique for detection. By splitting the exe in two parts we can bypass AVs. True fact: generating an exe is simpler than writing the stand-alone executable code that performs the same function.

Techniques:
Code injection in another process
Jump and Execute
Loaders

Code injection in another process. Interface: make an interface that will read the code and inject it into another process. Raw material: OpenProcess, WriteProcessMemory, CreateRemoteThread.

Jump and Execute. Interface: make an interface that will read the file into memory and then jump to that location and execute the code. Raw material: ReadFile, JMP.

Loaders. Interface: make an interface that will read the code, create a trusted process in suspended mode, overwrite the code at the entry point of the suspended process and then resume the thread. Raw material: CreateProcess (suspended), WriteProcessMemory, ResumeThread.
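The three interfaces above are distinguished by the API sequence they issue against another process, which is exactly what an endpoint sensor can correlate. The following Python is an added detection example, not code from the slides or from SecurityXploded: it parses a constructed API-call trace (format "pid api target_pid [flags]", an assumption made for this example) and reports a finding when one source process completes either the OpenProcess, WriteProcessMemory, CreateRemoteThread chain or the CreateProcess (suspended), WriteProcessMemory, ResumeThread chain against the same target.

```python
"""Correlate per-process API-call events into the two injection patterns from the slides.

Added example; the trace format and all pids are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample trace: "pid api target_pid [flags]" (not real telemetry)
SAMPLE_TRACE = """\
1001 OpenProcess 1337
1001 WriteProcessMemory 1337
1001 CreateRemoteThread 1337
2002 CreateProcess 4242 CREATE_SUSPENDED
2002 WriteProcessMemory 4242
2002 ResumeThread 4242
3003 OpenProcess 1337
3003 ReadProcessMemory 1337
"""

# Ordered API chains, one per technique on the slides
PATTERNS = {
    "remote-thread-injection": ("OpenProcess", "WriteProcessMemory", "CreateRemoteThread"),
    "suspended-process-loader": ("CreateProcess", "WriteProcessMemory", "ResumeThread"),
}


def parse(trace):
    """Turn trace lines into (pid, api, target_pid, flags) tuples; malformed lines are skipped."""
    events = []
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        events.append((int(parts[0]), parts[1], int(parts[2]), set(parts[3:])))
    return events


def detect(events):
    """Return (source_pid, target_pid, pattern) for every completed chain, in trace order."""
    progress = defaultdict(dict)   # (source, target) -> {pattern: index of next expected API}
    hits = []
    for pid, api, target, flags in events:
        key = (pid, target)
        for name, chain in PATTERNS.items():
            idx = progress[key].get(name, 0)
            if api != chain[idx]:
                continue
            # The loader chain only counts when the child was created suspended.
            if name == "suspended-process-loader" and idx == 0 and "CREATE_SUSPENDED" not in flags:
                continue
            idx += 1
            if idx == len(chain):
                hits.append((pid, target, name))
                idx = 0
            progress[key][name] = idx
    return hits


if __name__ == "__main__":
    for hit in detect(parse(SAMPLE_TRACE)):
        print("injection pattern: source=%d target=%d type=%s" % hit)
```

The source pid 3003 in the sample opens the same target but only reads from it, so it produces no finding; the check is on the completed write-then-execute chain, which is what separates these interfaces from debuggers and other legitimate users of the same APIs.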

What if the AV flags the interface? Yes, they can, but the interface code uses legitimate APIs with very minimal code. Many legitimate programs use similar APIs, so there is a fear of false positives. Maybe they can flag it on the basis of its MD5.

Simply call it shellcode detection. The philosophy: emulate or execute everything. On an exception, move to the next byte. Abort execution if at any time EIP >= 7xxxxxxx (control has left the buffer for the system DLL range). Scan, then detection.
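The scan loop described on this slide is small enough to show end to end. The Python below is an added example and is not the CC-licensed detector the slides refer to: it contains a deliberately tiny x86 emulator (a dozen opcodes, an assumed load address of 0x00400000 and a list-based stack, all constructed for illustration), starts execution at every offset of a buffer, treats any unsupported opcode or out-of-range fetch as the "exception, move to next byte" case, and reports a detection when EIP crosses the 0x70000000 threshold, which is where the slide's 7xxxxxxx rule places the system DLLs.

```python
"""Emulate-from-every-offset shellcode scan, as on the slide. Added example with a toy emulator."""
import struct

BASE = 0x00400000          # assumed address the scanned buffer is mapped at (constructed)
SYSTEM_RANGE = 0x70000000  # the slide's "EIP >= 7xxxxxxx" abort-and-flag threshold
MAX_STEPS = 2000           # budget so self-looping byte patterns (e.g. EB FE) terminate
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class Fault(Exception):
    """Unsupported opcode, fetch outside the buffer, or bad stack: the 'exception' case."""


class Emulator:
    def __init__(self, buf, offset):
        self.buf, self.eip = buf, BASE + offset
        self.regs = {r: 0 for r in REGS}
        self.stack = []                       # simplified stack: a list of dwords

    def fetch(self, n):
        off = self.eip - BASE
        if off < 0 or off + n > len(self.buf):
            raise Fault("fetch outside buffer")
        self.eip += n
        return self.buf[off:off + n]

    def imm8(self):
        return struct.unpack("<b", self.fetch(1))[0]

    def imm32(self, signed=False):
        return struct.unpack("<i" if signed else "<I", self.fetch(4))[0]

    def step(self):
        op = self.fetch(1)[0]
        if op == 0x90:                                            # nop
            return
        if 0x40 <= op <= 0x4F:                                    # inc/dec r32
            r, delta = REGS[op & 7], 1 if op < 0x48 else -1
            self.regs[r] = (self.regs[r] + delta) & 0xFFFFFFFF
            return
        if 0x50 <= op <= 0x57:                                    # push r32
            self.stack.append(self.regs[REGS[op & 7]])
            return
        if 0x58 <= op <= 0x5F or op == 0xC3:                      # pop r32 / ret
            if not self.stack:
                raise Fault("empty stack")
            if op == 0xC3:
                self.eip = self.stack.pop()
            else:
                self.regs[REGS[op & 7]] = self.stack.pop()
            return
        if op == 0x6A:                                            # push imm8 (sign-extended)
            self.stack.append(self.imm8() & 0xFFFFFFFF)
            return
        if op == 0x68:                                            # push imm32
            self.stack.append(self.imm32())
            return
        if 0xB8 <= op <= 0xBF:                                    # mov r32, imm32
            self.regs[REGS[op & 7]] = self.imm32()
            return
        if op == 0x31:                                            # xor r32, r32 (register form only)
            modrm = self.fetch(1)[0]
            if modrm < 0xC0:
                raise Fault("memory operand unsupported")
            self.regs[REGS[modrm & 7]] ^= self.regs[REGS[(modrm >> 3) & 7]]
            return
        if op in (0xEB, 0xE9, 0xE8):                              # jmp rel8 / jmp rel32 / call rel32
            rel = self.imm8() if op == 0xEB else self.imm32(signed=True)
            if op == 0xE8:
                self.stack.append(self.eip)
            self.eip = (self.eip + rel) & 0xFFFFFFFF
            return
        if op == 0xFF:                                            # call r32 (/2) or jmp r32 (/4)
            modrm = self.fetch(1)[0]
            sub = (modrm >> 3) & 7
            if modrm < 0xC0 or sub not in (2, 4):
                raise Fault("unsupported FF form")
            if sub == 2:
                self.stack.append(self.eip)
            self.eip = self.regs[REGS[modrm & 7]]
            return
        raise Fault("unsupported opcode 0x%02x" % op)


def execute_from(buf, offset):
    """Run from one offset; True when control reaches the system DLL range before faulting."""
    emu = Emulator(buf, offset)
    for _ in range(MAX_STEPS):
        if emu.eip >= SYSTEM_RANGE:
            return True
        try:
            emu.step()
        except Fault:
            return False
    return False                                                  # budget exhausted: not flagged


def scan(buf):
    """The slide's loop: try every byte offset, return the first that reaches the system range."""
    for offset in range(len(buf)):
        if execute_from(buf, offset):
            return offset
    return None


# Constructed sample: two bytes the toy emulator faults on, then a stub that ends in a call to a 7xxxxxxx address.
SAMPLE = bytes([0x0F, 0x05, 0x31, 0xC0, 0x40, 0xB8, 0x78, 0x56, 0x34, 0x7C, 0xFF, 0xD0])
BENIGN = b"hello, world: just text\x00"

if __name__ == "__main__":
    print("sample:", scan(SAMPLE), "benign:", scan(BENIGN))
```

The point of the example is the control loop, not the emulator: a real scanner decodes the full instruction set and models memory, but the decision rule is the same, and because control reaching the library range is the observable event, the detector needs no signature for the bytes it just executed.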

The shellcode detection technique and source codes are distributed under CC. Codes: