Portable Executable format, TitaniumCore report and packers. Katja Pericin
Slide 1: Portable Executable format, TitaniumCore report and packers. Katja Pericin

Slide 2: Portable Executable format (3/21/2018)
Slide 3: Introduction
- file? An operating system abstraction for a data container: segment(s) of physical space containing bytes.
- file format? The layout of data inside a data container; we give it meaning.
- endianness
- file/memory alignment

Slide 4: Introduction. Common file format fields:
- format magic (GIF89, PACK, ...)
- reserved fields (should be something = ignored)
- checksum fields (CRC)
- file table offset/address
- file size
- file names and/or paths
- timestamp
- program-specific details (compression, image width, palette, ...)

Slide 5: Introduction. Executable files are loaded into memory by the OS:
- the OS's loader parses the file format
- arranges data in memory as needed
- loads all additional dependencies
- execution starts from a specific point
- the OS cleans up afterwards
Slide 6: Portable Executable format
- native Win32 / Win64 format: PE32 / PE32+
- official documentation
- file layout: MZ Header, PE Header, Optional Header, Section Headers, Section 1 ... Section N, Overlay

Slide 7: MZ Header
- magic bytes: 0x4D 0x5A ("MZ")
- size of header = 0x40 bytes
- at offset 0x3C: e_lfanew, the offset of the PE header in the file

Slide 8: PE Header
- magic bytes: 0x50 0x45 0x00 0x00 ("PE\0\0")
- size of header = 0x14 bytes
- target machine (i386, AMD64, MIPS, PowerPC, ...)
- number of sections
- characteristics (file attributes): executable image, DLL, reversed endianness, large address aware (x64)
- size of optional header

Slide 9: Optional Header
- magic = 0x010B / 0x020B (32/64-bit)
- not optional for executables; provides info to the loader
- size not fixed: determined by SizeOfOptionalHeader in the PE header
- field sizes differ for 32- and 64-bit executables
- usually 0xE0 for 32-bit if everything is included

Slide 10: Section Header
- header size = 0x28 bytes
- section name can be whatever (8 bytes); usually .text, .code, .data, .rdata, ...
- section name DOES NOT define section content
- pointer to raw data (file offset)
- size of raw data
- relative virtual address (address in memory)
- virtual size (size in memory)
- characteristics: attributes (readable, writable, executable, ...)

Slide 11: Data Directories
- (address, size) pairs
- list of tables used by Windows; loaded into memory
- usually 0x10 data directories
- index in the table determines functionality

Slide 12: Data Directories
- common directories: export, import, resource, relocation, TLS
- full table, by index: Export Table, Import Table, Resource Table, Exception Table, Certificate Table, Base Relocation Table, Debug, Architecture, Global Ptr, TLS Table, Load Config Table, Bound Import, IAT, Delay Import Descriptor, CLR Runtime Header, Reserved (must be zero)
Slide 13: Export Directory
- usually present in DLLs, rarely in executables
- functions exported by ordinal and by name
- we import others' exports

Slide 14: Import Directory
- describes the additional dependencies the executable needs: libraries and their APIs
- each entry (size = 0x14) describes a single library
- points to a list of all APIs imported from the library
- points to the locations where the VAs of those APIs should be stored
- empty entry = end of directory
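The walk slide 14 describes, written out as an added example (this is not code from the talk or from TitaniumCore): it constructs the raw contents of an import section for two made-up DLL entries, then walks the 0x14-byte descriptors until the all-zero terminating entry, following each one to its API list (by hint/name or by ordinal). The section RVA, DLL names, API names and the ordinal value are constructed sample data; the fallback from OriginalFirstThunk to FirstThunk is an added robustness step for linkers that leave the former zero, and the PE32+ branch (8-byte thunks) goes beyond the 32-bit layout the slide shows.

```python
import struct

IMPORT_DESCRIPTOR_SIZE = 0x14   # sizeof(IMAGE_IMPORT_DESCRIPTOR): OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
ORDINAL_FLAG32 = 0x80000000     # IMAGE_ORDINAL_FLAG32: the thunk holds an ordinal instead of a hint/name RVA


def build_sample_idata(section_rva: int) -> bytes:
    """Construct the raw bytes of an import section (constructed sample data, not a real binary).
    The import directory sits at the start of the section; every RVA inside is relative to section_rva."""
    buf = bytearray()

    def put(b: bytes) -> int:            # append bytes and return the RVA they landed at
        rva = section_rva + len(buf)
        buf.extend(b)
        return rva

    def align(n: int) -> None:
        buf.extend(b"\0" * (-len(buf) % n))

    dlls = [("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA"]),
            ("USER32.dll", ["MessageBoxA", 0x1A2])]       # 0x1A2 = import by ordinal (constructed value)
    put(b"\0" * IMPORT_DESCRIPTOR_SIZE * (len(dlls) + 1))   # descriptor array incl. the terminating empty entry
    for i, (dll, funcs) in enumerate(dlls):
        thunks = []
        for f in funcs:
            if isinstance(f, int):
                thunks.append(ORDINAL_FLAG32 | f)
            else:
                align(2)
                thunks.append(put(struct.pack("<H", 0) + f.encode() + b"\0"))  # IMAGE_IMPORT_BY_NAME: hint + name
        align(4)
        ilt = put(struct.pack(f"<{len(thunks) + 1}I", *thunks, 0))  # Import Lookup Table, zero-terminated
        iat = put(struct.pack(f"<{len(thunks) + 1}I", *thunks, 0))  # IAT: the loader overwrites these with VAs
        name = put(dll.encode() + b"\0")
        struct.pack_into("<IIIII", buf, i * IMPORT_DESCRIPTOR_SIZE, ilt, 0, 0, name, iat)
    return bytes(buf)


def walk_imports(idata: bytes, section_rva: int, import_dir_rva: int, pe32plus: bool = False) -> dict:
    """Walk the import directory: fixed-size descriptors until an all-zero entry.
    Returns {dll_name: [api_name or 'ordinal#N', ...]}; raises ValueError on RVAs that leave the section."""

    def at(rva: int) -> int:             # RVA -> offset inside this section, bounds-checked
        off = rva - section_rva
        if not 0 <= off < len(idata):
            raise ValueError(f"RVA {rva:#x} falls outside the import section")
        return off

    def cstr(rva: int) -> str:
        off = at(rva)
        return idata[off:idata.index(b"\0", off)].decode("ascii")

    thunk_fmt, ordinal_flag = ("<Q", 1 << 63) if pe32plus else ("<I", ORDINAL_FLAG32)
    thunk_size = struct.calcsize(thunk_fmt)
    result = {}
    off = at(import_dir_rva)
    while True:
        if off + IMPORT_DESCRIPTOR_SIZE > len(idata):
            raise ValueError("import directory is not terminated by an empty entry")
        desc = struct.unpack_from("<IIIII", idata, off)
        if not any(desc):
            break                        # empty entry = end of directory
        ilt, _timestamp, _forwarder, name_rva, iat = desc
        funcs = []
        t = at(ilt or iat)               # some linkers zero OriginalFirstThunk; the IAT then carries the list
        while True:
            (thunk,) = struct.unpack_from(thunk_fmt, idata, t)
            if thunk == 0:
                break
            if thunk & ordinal_flag:
                funcs.append(f"ordinal#{thunk & 0xFFFF}")
            else:
                funcs.append(cstr(thunk + 2))   # skip the 2-byte hint in IMAGE_IMPORT_BY_NAME
            t += thunk_size
        result[cstr(name_rva)] = funcs
        off += IMPORT_DESCRIPTOR_SIZE
    return result


if __name__ == "__main__":
    IDATA_RVA = 0x2000                   # constructed: where the sample section would be mapped
    blob = build_sample_idata(IDATA_RVA)
    for dll, apis in walk_imports(blob, IDATA_RVA, IDATA_RVA).items():
        print(dll, apis)
```

Every RVA is checked against the section bounds before it is dereferenced, so a descriptor pointing outside the section (a common malformation in packed or corrupted files) raises instead of reading arbitrary memory.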
Slide 15: Resource Table
- multiple-level, binary-sorted tree structure
- three levels (directories): type, name, language
- entries are pointers to another directory table (lower level) or a data description (leaves)

Slide 16: Overlay
- found at the end of a file: appended data
- not loaded into memory; must be read from the file
- commonly used to store configuration data, store additional program binaries or raw data, or change the hash of an executable
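The header walk from slides 7 to 10 and the overlay check from slide 16, as one added example (not code from the talk or from TitaniumCore): it builds a minimal PE32 image in memory, then parses MZ header, PE signature, COFF header, optional header and section table exactly along the offsets the slides give (e_lfanew at 0x3C, 0x14-byte PE header, section table placed by SizeOfOptionalHeader, 0x28-byte section headers), maps an RVA back to a file offset, and reports any bytes after the last section's raw data as overlay. The sample image (machine, timestamp, section name, overlay string) is constructed; field offsets are those of the PE/COFF specification. It goes beyond the slides in two ways: it also accepts the PE32+ magic, where ImageBase widens and NumberOfRvaAndSizes shifts from 0x5C to 0x6C, and it bounds-checks every offset before trusting it, which is what a parser facing malformed samples must do.

```python
import struct

# Magic values and fixed header sizes from the PE/COFF specification.
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 0x14        # IMAGE_FILE_HEADER ("PE header" on the slides)
SECTION_HEADER_SIZE = 0x28     # IMAGE_SECTION_HEADER
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums x4, Characteristics


def build_sample_pe32() -> bytes:
    """Construct a tiny PE32 image in memory (constructed sample data, not a real program):
    0x40-byte MZ header, PE signature at 0x80, COFF header, 0xE0-byte optional header,
    one section header, 0x200 bytes of section data, then 16 bytes of overlay."""
    e_lfanew = 0x80
    mz = (MZ_MAGIC + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack(COFF_FMT, 0x014C, 1, 0x5AB20000, 0, 0, 0xE0, 0x0102)  # i386, 1 section, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x10, 0x1000)           # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 0x1C, 0x00400000)       # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 0x5C, 0x10)             # NumberOfRvaAndSizes: the usual 16 data directories
    raw_ptr = 0x200
    sect = struct.pack(SECTION_FMT, b".text\0\0\0", 0x1000, 0x1000, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (mz + PE_SIGNATURE + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    code = b"\xC3".ljust(0x200, b"\xCC")                # 'ret' followed by int3 padding
    return headers + code + b"OVERLAY-SAMPLE!!"         # appended data the loader never maps


def parse_pe(data: bytes) -> dict:
    """Walk MZ header -> PE signature -> COFF header -> optional header -> section table,
    validating every offset against the file size before trusting it."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        raise ValueError("missing MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff_off = e_lfanew + len(PE_SIGNATURE)
    if coff_off + COFF_HEADER_SIZE > len(data) or data[e_lfanew:coff_off] != PE_SIGNATURE:
        raise ValueError("bad e_lfanew or missing PE signature")
    machine, nsections, _ts, _sym, _nsym, opt_size, characteristics = struct.unpack_from(COFF_FMT, data, coff_off)

    opt_off = coff_off + COFF_HEADER_SIZE
    if opt_off + 2 > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == PE32_MAGIC:
        base_fmt, base_off, ndirs_off = "<I", 0x1C, 0x5C
    elif magic == PE32PLUS_MAGIC:
        base_fmt, base_off, ndirs_off = "<Q", 0x18, 0x6C    # 64-bit ImageBase shifts everything after it
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_off + max(opt_size, ndirs_off + 4) > len(data):
        raise ValueError("optional header truncated")
    (entry,) = struct.unpack_from("<I", data, opt_off + 0x10)
    (image_base,) = struct.unpack_from(base_fmt, data, opt_off + base_off)
    (ndirs,) = struct.unpack_from("<I", data, opt_off + ndirs_off)

    sect_off = opt_off + opt_size        # SizeOfOptionalHeader, not an assumed 0xE0, places the section table
    sections = []
    for i in range(nsections):
        off = sect_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize, "va": va,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars})
    return {"machine": machine, "characteristics": characteristics, "magic": magic, "entry_point": entry,
            "image_base": image_base, "num_data_dirs": ndirs, "num_sections": nsections, "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    """Map an RVA to a file offset through the section containing it; None if the RVA is
    not backed by raw file data (unmapped, or in the virtual-only tail of a section)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            delta = rva - s["va"]
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None


def find_overlay(data: bytes, pe: dict) -> bytes:
    """Return the bytes past the end of the last section's raw data: the overlay."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in pe["sections"]), default=0)
    return data[end:] if end < len(data) else b""


if __name__ == "__main__":
    sample = build_sample_pe32()
    info = parse_pe(sample)
    print(f"machine={info['machine']:#x} magic={info['magic']:#x} sections={info['num_sections']}")
    for s in info["sections"]:
        print(f"  {s['name']:8} RVA={s['va']:#x} raw@{s['raw_ptr']:#x} size={s['raw_size']:#x}")
    print("entry point file offset:", hex(rva_to_offset(info, info["entry_point"])))
    print("overlay:", find_overlay(sample, info))
```

The sample keeps the section name ".text" only as a label; as slide 10 says, nothing in the parser infers content from it, and the RVA mapping relies solely on the section's address and size fields.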
Slide 17: TitaniumCore report

Slide 18: TitaniumCore report
- JSON
- static analysis of files
- PE format analysis is the most interesting for us: parsing of all headers, parsing of all data directories
- the example used in the following slides is a part of the dataset, file fbe39061e9a75eb8da1d28d8c191f9c ff.json
Slides 19-29: TC Report (screenshots of the report; no text transcribed)
Slide 30: Reverse Engineering

Slide 31: RE tools
- debuggers/decompilers: OllyDbg, x64dbg, IDA Pro
- PE parsing: TitaniumCore report, LordPE, PEView
- format identification: PEiD (often wrong, not reliable)

Slide 32: Packers
- single or multiple code layers
- multiple compression algorithms in use: aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg, ...
- custom PECOFF table processing (if present and selected by the user):
  - imports are usually compressed
  - resources are usually compressed
  - relocations are usually compressed
  - TLS can be emulated
- can pack x86/x64/.NET files
- no anti-reversing protection

Slide 33: Crypters
- multiple protection layers
- polymorphic decryptors / entry
- custom encryption algorithms
- numerous anti-reversing protections:
  - anti-debugging
  - import protection (redirections)
  - original entry point protection

Slide 34: Protectors
- multiple encrypted code layers
- multiple compression algorithms in use: aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg, ...
- custom PECOFF table processing (if present and selected by the user):
  - imports are usually protected
  - resources are usually protected
  - relocations are usually protected
  - TLS can be emulated
- can protect x86/x64/.NET files
- usually come with integrated licensing
- numerous anti-reversing protections
Slide 35: Original vs. packed file layout (diagram)
- original file layout: DOS, PE, Sections (code, data, imports), Resources, Overlay
- (compression)
- packed file layout: DOS, PE, Sections, Resources, STUB, Overlay

Slide 36: Resource and Overlay
- if categorized by functionality, can be in any of the previous categories
- protected data is stored in resources or overlay (packers/crypters/protectors usually store data in sections)
- can use any of the previously described methods: encryption, compression, anti-reversing protections

Slide 37: Questions? All rights reserved ReversingLabs 2018