Presentation on theme: "Binary voyeurism A decent overview."— Presentation transcript:

1 Binary voyeurism A decent overview

2 Please fill in the skill matrix ;)
Who are you? Any experience with binary reversing? Debugging? Exploitation? Python?

3 whoami Nerd (zombies, cylons…) Geek (reversing, python…) Consultant :)

4 We are hiring! Security people Highly skilled team
Hardware, mobile, binary, web, source code, network … Fun, Research, CONs, etc. Consultancy / business oriented Talk to me! By the way…

5 Today is my birthday! Beers are presents too!
Beer == Present. Accepted.

6 Agenda
Checking out the application; Drinks & bbq; Static analysis; Not programmatic way; winappdbg; Intel PIN; vdb / vtrace; Drinks & bbq

7 Setting the scope: this talk is pretty lame, just an introduction
Basically a compilation of things very intelligent people did. Anyway, a nice overview if you don't have deep knowledge of this topic.

8 Static analysis

9 Static analysis: IDA Pro scripts
IDC (IDA's own C-like scripting language). Plugins in C: must recompile every time. IDAPython: Python bindings. I like it… Open IDA Pro and execute a couple of them. MILF as well, of course! IDA Pro rocks!

10 Let's check for crypto functions
Naive crypto search: run it and compare the results with IDA Signsrch.

11 Let's compare with a real plugin…
Naive crypto search vs. IDA Signsrch from Luigi Auriemma: run both and compare the results.

12 Look at those juicy AES constants…
Naive crypto search: apparently we weren't that far from reality… So there was some crypto after all.
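The naive search the slides compare against IDA Signsrch is just a byte-pattern scan for well-known tables. The script below is an added example (not the talk's own IDAPython script): stand-alone Python that scans a byte buffer for the first entries of the AES S-box and inverse S-box and the first round constants of SHA-256 and MD5, in both byte orders, over a constructed sample image. The `__main__` guard shows how the same function would be driven from IDAPython (assumed API names: `idautils.Segments`, `idc.get_segm_end`, `idc.get_bytes`, `idc.set_cmt`); that part only works inside IDA.

```python
"""Naive crypto-constant search: scan raw bytes for well-known tables."""
import struct

# First 16 entries of the AES forward and inverse S-boxes (FIPS-197).
AES_SBOX_HEAD = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")
AES_INV_SBOX_HEAD = bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb")

# 32-bit constants: the first two SHA-256 round constants and MD5's T[1..2].
DWORD_CONSTANTS = {
    "SHA-256 K[0..1]": (0x428A2F98, 0x71374491),
    "MD5 T[1..2]": (0xD76AA478, 0xE8C7B756),
}


def build_signatures():
    """Expand the constant tables into (name, byte pattern) pairs.

    Multi-word constants are emitted little- and big-endian, since a
    compiler may lay a table out either way depending on how it is used.
    """
    sigs = [("AES S-box", AES_SBOX_HEAD), ("AES inverse S-box", AES_INV_SBOX_HEAD)]
    for name, words in DWORD_CONSTANTS.items():
        for endian, label in (("<", "LE"), (">", "BE")):
            pattern = b"".join(struct.pack(endian + "I", w) for w in words)
            sigs.append((f"{name} ({label})", pattern))
    return sigs


def find_crypto_constants(data):
    """Return sorted [(offset, name)] for every signature hit in `data`."""
    hits = []
    for name, pattern in build_signatures():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)


def constructed_sample():
    """Constructed image: sequential filler, AES S-box at 0x100, SHA-256 K (LE) at 0x400."""
    img = bytearray(bytes(range(256)) * 6)
    img[0x100:0x110] = AES_SBOX_HEAD
    img[0x400:0x408] = struct.pack("<II", 0x428A2F98, 0x71374491)
    return bytes(img)


if __name__ == "__main__":
    for off, name in find_crypto_constants(constructed_sample()):
        print(f"{off:#08x}  {name}")
    # IDAPython driver (assumed API names; only runs inside IDA):
    # import idautils, idc
    # for seg in idautils.Segments():
    #     buf = idc.get_bytes(seg, idc.get_segm_end(seg) - seg)
    #     for off, name in find_crypto_constants(buf):
    #         idc.set_cmt(seg + off, "crypto constant: " + name, 0)
```

Sixteen bytes of S-box is enough to avoid accidental hits while still catching table-based implementations; a full Signsrch-style database adds hundreds of such patterns, which is exactly what the next slide compares against.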

13 Find special x86 instructions
Very easy to find funky instructions, which in the case of malware are used in shellcode or for VM detection. Run this script and show the GUI capabilities (Choose2 selector). Why are you doing this funky stuff? Warning: malware evasion!

14 My IDA Little Framework (m.i.l.f.), an IDA Pro plugin
Open it and showcase the following functionality: most referenced functions; find allocations (show tooltip); mark immediate compares (useful for locating parsing code); export function addresses to disk (*** important for later ***).

15 Not programmatic

16 Not programmatic way: just using a regular debugger
Everyone knows this, I guess ;) OllyDbg / Immunity Debugger / WinDbg. Enough static. Let's check the program execution DYNAMICALLY. BOOOOORING…

17 Olly, Immunity, WinDbg, etc.
A debugger actually implements nothing more than the Windows Debugging API. It's not magic; it just calls Windows API functions, like any other program. Since a debugger is just an interface to the Windows Debugging API, what if we throw the debugger away and interact with the API directly?

18 WinAppDbg (& a bit of PyDbg)

19 Monitoring the program stack at runtime
keepassada. The following functions are called when copying data to the clipboard:
OpenClipboard()
EmptyClipboard()
hClipboardData = GlobalAlloc() // hook this and get the return value
pchData = (char*)GlobalLock(hClipboardData)
strcpy(pchData, LPCSTR(strData))
GlobalUnlock(hClipboardData)
SetClipboardData(CF_TEXT, hClipboardData) // hook this
CloseClipboard()
Hook those calls! Not WinAppDbg but PyDbg; anyway, it is Python based and worth mentioning. WinAppDbg is like the evolution of PyDbg.
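The clipboard sequence above is the hook target. As an added example (not the talk's PyDbg script), the same idea written for WinAppDbg's `EventHandler.apiHooks`: `GlobalLock` is hooked to learn the writable pointer behind the handle, and `SetClipboardData` is hooked to read the text before the target releases it. Only Windows with winappdbg installed can run the attach part; the decoding logic needs nothing but a `process.read(address, size)` primitive, so it is exercised here with a constructed fake process.

```python
"""Catch text copied to the clipboard by hooking GlobalLock/SetClipboardData."""
CF_TEXT = 1
CF_UNICODETEXT = 13


def read_c_string(process, address, char_size, max_len=4096, chunk=64):
    """Read until a NUL of `char_size` bytes using process.read(addr, n)
    (winappdbg's Process has exactly that method)."""
    out = bytearray()
    while len(out) < max_len:
        data = process.read(address + len(out), chunk)
        if not data:
            break
        out += data
        for i in range(0, len(out) - char_size + 1, char_size):
            if out[i:i + char_size] == b"\x00" * char_size:
                return bytes(out[:i])
    return bytes(out[:max_len])


class ClipboardSniffer:
    """Framework-independent state: maps GlobalLock() pointers to handles."""

    def __init__(self):
        self.locked = {}    # hMem -> pointer returned by GlobalLock()
        self.captured = []  # decoded clipboard strings, in order

    def on_global_lock(self, hmem, pointer):
        if pointer:
            self.locked[hmem] = pointer

    def on_set_clipboard_data(self, process, fmt, hmem):
        # Fall back to the handle itself: for GMEM_FIXED memory the handle
        # is the pointer. Assumption: only text formats are of interest.
        ptr = self.locked.get(hmem, hmem)
        if fmt == CF_UNICODETEXT:
            text = read_c_string(process, ptr, 2).decode("utf-16-le", "replace")
        elif fmt == CF_TEXT:
            text = read_c_string(process, ptr, 1).decode("latin-1")
        else:
            return None
        self.captured.append(text)
        return text


try:
    from winappdbg import Debug, EventHandler
except ImportError:          # not on Windows: keep the logic above importable
    EventHandler = object


class ClipboardHooks(EventHandler):
    """winappdbg glue: (function, parameter count) per module; callbacks are
    pre_<func>(self, event, ra, *args) and post_<func>(self, event, retval)."""
    apiHooks = {
        "kernel32.dll": [("GlobalLock", 1)],
        "user32.dll": [("SetClipboardData", 2)],
    }

    def __init__(self, sniffer):
        super().__init__()
        self.sniffer = sniffer
        self._pending = None

    def pre_GlobalLock(self, event, ra, hMem):
        self._pending = hMem

    def post_GlobalLock(self, event, retval):
        self.sniffer.on_global_lock(self._pending, retval)

    def pre_SetClipboardData(self, event, ra, uFormat, hMem):
        text = self.sniffer.on_set_clipboard_data(event.get_process(), uFormat, hMem)
        if text is not None:
            print("clipboard <-", repr(text))


class FakeProcess:
    """Constructed stand-in for winappdbg's Process: one flat buffer at `base`."""

    def __init__(self, base, memory):
        self.base, self.memory = base, memory

    def read(self, address, size):
        off = address - self.base
        if off < 0 or off >= len(self.memory):
            raise ValueError("unmapped address %#x" % address)
        return self.memory[off:off + size]


if __name__ == "__main__":
    import sys
    debug = Debug(ClipboardHooks(ClipboardSniffer()), bKillOnExit=False)
    try:
        debug.attach(int(sys.argv[1]))   # PID of the target, e.g. the password manager
        debug.loop()
    finally:
        debug.stop()
```

Reading at `SetClipboardData` rather than at `GlobalAlloc` matters: the allocation is empty when it returns, and the string only exists once `strcpy` has run, which is the window between `GlobalUnlock` and `SetClipboardData`.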

20 Monitoring the program stack at runtime
keepassada: enter video!

21 WinAppDbg: Tracer.py
Performance problems (-1). Slow (-1). Needs a function list from IDA (-1). It is Python (+500). pydot ftw (+500). Show Tracer.py and WTFDLL.py, then show Tracer_DOT.py. Python rocks!

22 Where are you, little process?
Tracer & derivatives: the debugger registers the function HitTracerEventHandler, then looks for the process and attaches to it.

23 Breakpoints and callbacks
Tracer & derivatives: different kinds of breakpoints, permanent and "one hit". The callback writes the address to a file.

24 WTFDLL? Targeting specific functions
Watching DLL loading. By applying hooks to only these API functions we can detect the libraries / functions used at runtime.
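Slides 21 to 26 describe one procedure: export function addresses from IDA, attach, plant a breakpoint per function whose callback records the hit, watch DLL loads, and turn the record into a graph. The following is an added example of that procedure, not the talk's Tracer.py, WTFDLL.py or Tracer_DOT.py. It assumes a text file with one hex address per line (what the IDA plugin exports) and a running target PID, and uses these WinAppDbg calls: `Debug.stalk_at` (the "one hit" breakpoint; `Debug.break_at` is the permanent kind) and the `load_dll` method of `EventHandler`. The DOT output is written by hand instead of through pydot so the bookkeeping runs without the dependency; attaching itself needs Windows.

```python
"""Tracer.py-style function tracer: one-shot breakpoints, DLL watching, DOT output."""


def parse_function_list(text):
    """'0x401000\n401020 ; comment' -> [0x401000, 0x401020]; blanks and comments ignored."""
    addrs = []
    for line in text.splitlines():
        token = line.split(";", 1)[0].strip()
        if token:
            addrs.append(int(token, 16))
    return addrs


class HitTrace:
    """Records the order in which traced functions are hit and the DLLs the
    target loads, and renders the hit order as a Graphviz digraph."""

    def __init__(self, names=None):
        self.names = names or {}   # address -> symbol (optional, from IDA)
        self.hits = []             # addresses in hit order
        self.dlls = []             # loaded module paths

    def label(self, addr):
        return self.names.get(addr, f"sub_{addr:X}")

    def on_hit(self, addr):
        self.hits.append(addr)

    def on_load_dll(self, path):
        self.dlls.append(path)

    def edges(self):
        """Consecutive hits as (from, to) pairs. With one-shot breakpoints this
        is a first-execution order graph, not a call graph."""
        return list(zip(self.hits, self.hits[1:]))

    def to_dot(self):
        lines = ["digraph trace {"]
        for a, b in self.edges():
            lines.append(f'  "{self.label(a)}" -> "{self.label(b)}";')
        lines.append("}")
        return "\n".join(lines)

    def write(self, path):
        """What the slides' callback did: one address per line to a file."""
        with open(path, "w") as fh:
            fh.write("".join(f"{a:#x}\n" for a in self.hits))


try:
    from winappdbg import Debug, EventHandler
except ImportError:          # not on Windows: the bookkeeping above still imports
    EventHandler = object


class HitTracerEventHandler(EventHandler):
    """Name taken from the slides; the body is this example's own."""

    def __init__(self, trace):
        super().__init__()
        self.trace = trace

    def load_dll(self, event):       # WTFDLL: called for every DLL the target loads
        self.trace.on_load_dll(event.get_module().get_filename())


def run_tracer(pid, addresses, trace):
    """Attach, plant a one-hit breakpoint (stalk_at) per function, run until exit."""
    debug = Debug(HitTracerEventHandler(trace), bKillOnExit=False)
    try:
        debug.attach(pid)
        for addr in addresses:
            # The action callback receives the winappdbg Event; bind addr now.
            debug.stalk_at(pid, addr, lambda event, a=addr: trace.on_hit(a))
        debug.loop()
    finally:
        debug.stop()


if __name__ == "__main__":
    import sys
    trace = HitTrace()
    with open(sys.argv[2]) as fh:          # argv: <pid> <functions.txt>
        run_tracer(int(sys.argv[1]), parse_function_list(fh.read()), trace)
    trace.write("trace.txt")
    print(trace.to_dot())
```

Using `stalk_at` keeps the "(-1) slow" penalty from the slides bounded: each int3 is removed after its first hit, so hot loops cost one debug event instead of one per iteration. Swap it for `break_at` when you need every call.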

25 A picture is worth a thousand words
Tracer & pydot: instead of writing to a text file, let's create a graph ;) I <3 pydot

26 Binary abstract art, anyone?
Tracer & pydot: we can then get beautiful binary art, like this one :)

27 Intel PIN

28 THE dynamic binary instrumentation tool
Intel PIN: a more efficient tracer; detect buffer overflows (EIP outside the text section); Valgrind-like for Windows (check memory allocations, double frees). Intel PIN rocks big time!

29 Compiled means efficient!
Intel PIN, a more efficient tracer. This one starts the program in the context of PIN, so you can trace its *initialization* as well. Compiled means efficient. It means a pain in the ass too.

30 Instrumentation vs. runtime functions
Intel PIN. Instrumentation routine: runs once, when the condition holds, e.g. when a new basic block or a new routine is found. Runtime (analysis) routine: usually installed by the instrumentation routine and executed *every time*, e.g. each time a certain basic block is hit. Check every basic block.

31 SEH overwrite, a classic. Let's exploit this
Intel PIN demo target: a simple TCP server with a stack-based buffer overflow (memcpy) -> SEH exploit.

32 You shouldn't be here… EIP points to the stack!
Yay! Shellcode!

33 Save all .text section addresses
Intel PIN: detect EIP outside the text section. Some old / badly coded software (ahem… Adobe) may legitimately need to do this… You shouldn't be here!

34 Compare against .text section data
Intel PIN: detect EIP outside the text section. Every executed instruction is checked against the saved .text ranges. EIP police! Show me your hands!

35 Keep track of malloc and free
Intel PIN, Valgrind-like for Windows: check memory allocations and catch double free(s). This could be very powerful.
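What the "keep track of malloc and free" pintool's analysis routines have to do is independent of PIN itself, so here it is as an added example in Python (not a pintool from the talk): a tracker fed with the events a pintool would see (post-`malloc` with size and return value, pre-`free` with the pointer, memory reads and writes, process exit) that reports double frees, frees of unknown pointers, use after free and leaks. The event trace is constructed for the example. In a real pintool the calls would come from `RTN_InsertCall` on malloc/free and `INS_InsertCall` on memory operands; that C++ glue is not shown.

```python
"""Model of a Valgrind-like malloc/free tracker, driven by a constructed trace."""


class HeapTracker:
    def __init__(self):
        self.live = {}       # ptr -> size for blocks currently allocated
        self.freed = {}      # ptr -> size, quarantine for double-free / UAF checks
        self.findings = []   # (kind, details) in the order they were detected

    def report(self, kind, **info):
        self.findings.append((kind, info))

    def on_malloc(self, size, ret):
        if ret == 0:          # allocation failed, nothing to track
            return
        self.freed.pop(ret, None)   # address recycled by the allocator
        self.live[ret] = size

    def on_free(self, ptr):
        if ptr == 0:          # free(NULL) is a no-op by definition
            return
        if ptr in self.live:
            self.freed[ptr] = self.live.pop(ptr)
        elif ptr in self.freed:
            self.report("double free", ptr=ptr)
        else:
            self.report("invalid free", ptr=ptr)

    @staticmethod
    def _owner(table, addr):
        """Base address of the block in `table` containing `addr`, or None."""
        for base, size in table.items():
            if base <= addr < base + size:
                return base
        return None

    def on_access(self, addr, size, is_write):
        # Only accesses inside a freed block are flagged: addresses outside
        # every known block may be stack or globals, which this model ignores.
        if self._owner(self.live, addr) is not None:
            return
        base = self._owner(self.freed, addr)
        if base is not None:
            self.report("use after free", ptr=addr, size=size, write=is_write, block=base)

    def on_exit(self):
        for ptr, size in sorted(self.live.items()):
            self.report("leak", ptr=ptr, size=size)


def run_trace(events):
    """Dispatch ('malloc', size, ret) / ('free', ptr) / ('access', addr, size, is_write)
    / ('exit',) tuples to the tracker and return its findings."""
    tracker = HeapTracker()
    for kind, *args in events:
        getattr(tracker, "on_" + kind)(*args)
    return tracker.findings


# Constructed trace: two allocations, a UAF read, a double free, a bogus free, one leak.
SAMPLE_TRACE = [
    ("malloc", 32, 0x5A0010),
    ("malloc", 64, 0x5A0040),
    ("access", 0x5A0018, 4, True),     # fine: inside a live block
    ("free", 0x5A0010),
    ("access", 0x5A0018, 4, False),    # read from the freed block
    ("free", 0x5A0010),                # second free of the same pointer
    ("free", 0x41414141),              # never allocated
    ("exit",),
]

if __name__ == "__main__":
    for kind, info in run_trace(SAMPLE_TRACE):
        print(kind, {k: hex(v) if isinstance(v, int) else v for k, v in info.items()})
```

The quarantine dictionary is the part that makes double-free and use-after-free detectable at all: once a block is forgotten on `free`, a second `free` looks identical to an invalid one, and a dangling read looks like any other access.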

36 Some people take it to the extreme
Intel PIN: no slides, just demo it quickly. Free the malloc()s!

37 vdb / vtrace

38 vdb / vtrace: yep, it is Python. It does pretty much what the others do
And Linux… and ARM… and PPC… etc. Look, I'm so cool! NO DOCUMENTATION, but READABLE CODE. Mario Vilas (creator of WinAppDbg) is a committer to a vtrace fork on Google Code. Python still rocks! What the k00l kidz use.

39 Thanks, Mozilla Development Docs!
vdb / vtrace: httpstalker.py – Super secure bank login. These two functions are interesting to us.

40 Super Secure Bank. Seems legit.
httpstalker.py – Super secure bank login.

41 Read at offsets from the ESP register
vdb / vtrace: at the breakpoint, ESP points at the return address and the arguments follow it on the stack. Dereference the pointer argument and read a certain amount of bytes. Pretty similar to the previous frameworks.
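The stack walk the slide describes, as an added example that is not the talk's httpstalker.py: on 32-bit x86 with stack-passed arguments, `[ESP]` is the return address, `[ESP+4]` the first argument and so on, so a breakpoint on a function that takes `(fd, buf, len)` can pull the pointer and the length and read the buffer out of the target. The slides do not name the two Mozilla functions, so that argument layout is an assumption. vtrace names used: `vtrace.getTrace`, `Trace.attach`, `Trace.setMode`, `Trace.addBreakpoint`, `vtrace.Breakpoint.notify`, `Trace.getRegisterByName`, `Trace.readMemory`, `Trace.run`. The helpers only need `getRegisterByName` and `readMemory`, so they are exercised against a constructed fake trace.

```python
"""Read call arguments at a breakpoint from ESP and dereference a buffer pointer."""
import struct


def read_dword(trace, addr):
    return struct.unpack("<I", trace.readMemory(addr, 4))[0]


def read_stack_args(trace, count):
    """At function entry: [return address, arg1, ..., argN] starting at ESP."""
    esp = trace.getRegisterByName("esp")
    return [read_dword(trace, esp + 4 * i) for i in range(count + 1)]


def read_buffer_arg(trace, ptr_index=2, len_index=3, max_len=4096):
    """Dereference the pointer argument and read `len` bytes (capped at max_len)."""
    frame = read_stack_args(trace, max(ptr_index, len_index))
    ptr, length = frame[ptr_index], min(frame[len_index], max_len)
    return trace.readMemory(ptr, length)


try:
    import vtrace

    class BufferBreakpoint(vtrace.Breakpoint):
        """Fires at the hooked function's entry and dumps its buffer argument."""

        def notify(self, event, trace):
            data = read_buffer_arg(trace)
            print("buffer at eip=%#x:" % trace.getRegisterByName("eip"))
            print(data.decode("latin-1"))
except ImportError:
    vtrace = None


class FakeTrace:
    """Constructed stand-in for a vtrace Trace: a register dict and flat memory blobs."""

    def __init__(self, regs, memory):
        self.regs = regs
        self.memory = memory          # {base address: bytes}

    def getRegisterByName(self, name):
        return self.regs[name]

    def readMemory(self, addr, size):
        for base, blob in self.memory.items():
            if base <= addr < base + len(blob):
                return blob[addr - base:addr - base + size]
        raise Exception("unmapped address %#x" % addr)


def demo():
    """Fake entry to f(fd, buf, len) with a login POST body sitting in buf."""
    body = b"user=alice&pass=hunter2"       # constructed sample data
    stack = struct.pack("<IIII", 0x00401234, 0x1F, 0x00300000, len(body))
    trace = FakeTrace({"esp": 0x0012FF60}, {0x0012FF60: stack, 0x00300000: body})
    return read_stack_args(trace, 3), read_buffer_arg(trace, 2, 3)


if __name__ == "__main__" and vtrace is not None:
    import sys                              # argv: <pid> <hex address of hooked function>
    trace = vtrace.getTrace()
    trace.attach(int(sys.argv[1]))
    trace.setMode("RunForever", True)       # keep going after each breakpoint
    trace.addBreakpoint(BufferBreakpoint(int(sys.argv[2], 16)))
    trace.run()
```

Capping the read at `max_len` is not cosmetic: the length argument is attacker-influenced data on the target's stack, and an uncapped `readMemory` of a huge value is the quickest way to make the tracer, not the target, fall over.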

42 Quick recap
Python based: fast prototyping but… damn slow. Intel PIN: fast and intelligent but… convoluted. Prototype in Python, final project in PIN.

43 Thanks for listening! Don't forget the beer! ;)
