A Survey of Obfuscations in Prevalent Packer Tools
1 A Survey of Obfuscations in Prevalent Packer Tools
Kevin Roundy, Paradyn Project
Paradyn / Dyninst Week, Madison, Wisconsin, March 26

2 Types of program analysis
Inputs, from easiest to hardest: source code, friendly binary, uncooperative binary, hostile binary.
(Figure: a loop in the CFG, broken down into function and basic block, with the instructions mov eax, *[ebp+8]; leave; ret.)
3 Analysis building blocks
Analysis steps:
1. Extract code bytes
2. Disassemble
3. Identify functions
4. Build comprehension tools
5. Patch/modify the code
6. Trace code's execution
Toolkit (defensive-mode Dyninst):
o Interactive debuggers
o Automated testing
o Combinatorial testing
o Code-coverage test generation
o Fault localization
o Backwards slicing
o Correlation of statement executions and test failures
o Vulnerability analysis
o Taint analysis
o Symbolic evaluation
5 Binary packing tools
Packers are compared on: fast, small, good (compression), open source, cross-platform, anti-reverse-engineering. (The per-packer marks in the table did not survive extraction.)

Packer          Malware market share*
Packed overall  75%-80%
UPX             9.45%
PolyEnE         6.21%
PECompact       2.59%
Upack           2.08%
npack           1.74%
ASPack          1.29%
FSG             1.26%
Nspack          0.89%
ASProtect       0.43%
Armadillo       0.37%
Yoda's Prot.    0.33%
WinUpack        0.17%
MEW             0.13%

* "Packer (r)evolution", Panda Research, two-month average, Feb-March
6 Outline (step 1, extract code bytes)
a. Code packing
b. Code overwriting

7 Code packing
Storm Worm packed with ASPack. (Figure: hex dump of the packed binary with the entry point marked.)

8 Code overwriting
Overwritten regions range from 1 B to 8 KB. (Figure: hex dumps of Storm Worm packed with ASPack and of a malware sample packed with Upack, entry points marked, before and after the overwrite.)
9 Outline (step 2, disassemble)
a. Unresolvable control flow
b. Call-stack tampering
c. Signals and exceptions
d. Ambiguous code & data
e. Disassembler fuzzing

10 Unresolvable control flow
invalid target: a branch into an invalid region (???)
non-standard indirect: jmp eax; call ptr[eax]
non-standard return: push eax; ret
11 Call-stack tampering (Storm Worm)
Addresses 40d00a through 40d00e; bytes shown include e8 ..., e9 ..., eb 04, 5d, c3. Instruction sequence:
call 40d00a
jmp 459dd4f7
jmp 40d00e
pop ebp
inc ebp
push ebp
ret
The call pushes a return address, pop/inc/push replace it with the address one byte past it, and the ret transfers control there instead of back to the call site: the call is not a function call and the ret is not a function return, so the bytes after the call (the jmp to 459dd4f7) are never executed.
12 Exception-based control flow (Popov, Debray, Andrews, USENIX Security 2007); Danekhar
Access-violation handler and faulting code as shown:
mov *[ebp],eax
mov 402d8a,edx
mov edx,*[eax+b8]
xor eax,eax
mov ecx,*[eax]
push eax
...
The program registers a handler and then deliberately faults (here a read through a zeroed eax). The operating system delivers the exception state (including the saved eip) to the handler, which rewrites the saved eip to 402d8a, so execution resumes at an address that never appears as a branch target in the code.

13 Ambiguous code and data
o Bytes after call instructions
o Junk after exception-raising instruction
o In-place decryption of unpacked code (Yoda's Protector)
14 Outline (step 3, identify functions)
a. Missing call/ret instructions
b. Extra call/ret instructions
c. Overlapping functions
d. Overlapping basic blocks

16 Extra call/ret instructions
Sequences shown, in which a call or ret appears where no function call or return takes place:
call <targ> / mov edi,esi / pop ebp
push <targ> / ret  (equivalent to jmp <targ>)
call <targ> / pop ebp
call <targ> / jmp <targ2> / pop esi
17 Overlapping functions
(Figure: three functions drawn over one region of code; one has an optional preamble, and they share teardown code.)
19 Overlapping blocks
Addresses 0x45401a (Block 1), 0x45401b (Block 2), 0x45401e (Block 3)
Bytes: b8 eb 07 b9 eb 0f 90 eb 08 fd eb 0b
Block 1: mov eax, ebb907eb; seto bl; or ch,bh; jmp 45402e
Block 2: jmp 45402c
Block 3: jmp
Each block starts inside an instruction of the block before it, so the same bytes decode to three different instruction streams depending on the entry address.
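The following is an added example, not code from the talk or from Dyninst. It decodes the 12 bytes listed on the slide with a toy decoder that knows only the opcodes those bytes use, runs recursive traversal from each of the three block starts, and reports which instructions from different streams share bytes. The base address 0x45401a is taken from the slide; the jump targets printed are whatever the listed displacements give, and since they fall outside the 12-byte window they are reported as external rather than followed. The linear sweep at the end shows that a front-to-back pass sees only Block 1.

```python
"""Recursive-traversal disassembly over the overlapping blocks on the slide."""
import struct

# Constructed from the slide's byte listing; base address assumed to be 0x45401a.
BASE = 0x45401A
CODE = bytes.fromhex("b8 eb 07 b9 eb 0f 90 eb 08 fd eb 0b")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
SETCC = ["seto", "setno", "setb", "setae", "sete", "setne", "setbe", "seta",
         "sets", "setns", "setp", "setnp", "setl", "setge", "setle", "setg"]


def decode(code, base, addr):
    """Decode one instruction at addr: (addr, length, text, successor addresses).
    Handles only mov r32,imm32; jmp rel8/rel32; setcc r8; or r8,r8; nop; ret."""
    off = addr - base
    op = code[off]
    if 0xB8 <= op <= 0xBF:
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return addr, 5, f"mov {REG32[op - 0xB8]}, 0x{imm:08x}", [addr + 5]
    if op == 0xEB:
        target = (addr + 2 + struct.unpack_from("<b", code, off + 1)[0]) & 0xFFFFFFFF
        return addr, 2, f"jmp 0x{target:x}", [target]
    if op == 0xE9:
        target = (addr + 5 + struct.unpack_from("<i", code, off + 1)[0]) & 0xFFFFFFFF
        return addr, 5, f"jmp 0x{target:x}", [target]
    if op == 0x0F and 0x90 <= code[off + 1] <= 0x9F and code[off + 2] >> 6 == 3:
        return addr, 3, f"{SETCC[code[off + 1] - 0x90]} {REG8[code[off + 2] & 7]}", [addr + 3]
    if op == 0x08 and code[off + 1] >> 6 == 3:
        modrm = code[off + 1]
        return addr, 2, f"or {REG8[modrm & 7]}, {REG8[(modrm >> 3) & 7]}", [addr + 2]
    if op == 0x90:
        return addr, 1, "nop", [addr + 1]
    if op == 0xC3:
        return addr, 1, "ret", []          # no static successor
    raise NotImplementedError(f"opcode {op:#04x} at {addr:#x} is outside this toy decoder")


def recursive_traversal(code, base, entry):
    """Decode every address reachable from entry by following control flow.
    Returns (instructions sorted by address, targets outside the byte window)."""
    seen, insns, external, work = set(), [], set(), [entry]
    while work:
        addr = work.pop()
        if addr in seen:
            continue
        if not base <= addr < base + len(code):
            external.add(addr)
            continue
        seen.add(addr)
        a, length, text, succ = decode(code, base, addr)
        insns.append((a, length, text))
        work.extend(succ)
    return sorted(insns), sorted(external)


def linear_sweep(code, base):
    """Decode front to back, one instruction after another."""
    insns, addr = [], base
    while addr < base + len(code):
        a, length, text, _ = decode(code, base, addr)
        insns.append((a, length, text))
        addr += length
    return insns


def overlapping_pairs(streams):
    """Pairs of instruction start addresses, taken from different streams, whose
    byte ranges intersect without coinciding: the case a one-instruction-per-
    address representation cannot express."""
    tagged = [(a, n, i) for i, s in enumerate(streams) for (a, n, _) in s]
    pairs = set()
    for a1, n1, s1 in tagged:
        for a2, n2, s2 in tagged:
            if s1 < s2 and a1 != a2 and a1 < a2 + n2 and a2 < a1 + n1:
                pairs.add((min(a1, a2), max(a1, a2)))
    return sorted(pairs)


if __name__ == "__main__":
    entries = (0x45401A, 0x45401B, 0x45401E)
    streams = [recursive_traversal(CODE, BASE, e)[0] for e in entries]
    for entry, s in zip(entries, streams):
        print(f"--- from {entry:#x}")
        for a, n, t in s:
            print(f"{a:#x}  {CODE[a - BASE:a - BASE + n].hex():<12} {t}")
    print("overlaps:", [(f"{x:#x}", f"{y:#x}") for x, y in overlapping_pairs(streams)])
    print("linear sweep sees only:", [t for _, _, t in linear_sweep(CODE, BASE)])
```

Block 2's short jump lands on Block 1's final jmp, so the two streams converge on the byte at 0x454024 while disagreeing about the bytes before it; Block 3 starts on the last byte of Block 1's mov and ends on the first byte of its seto. A CFG that stores one instruction per address has to pick one reading, which is the problem this slide is raising.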
21 Outline (step 4, build comprehension tools)
a. Obfuscated constants
b. ABI violations
c. Do-nothing code

22 Outline (step 5, patch/modify the binary)
a. Self-checksumming
b. Stolen bytes
c. Anti-unpacking

23 Self-checksumming
Binary file: bootstrap code, then payload code. The bootstrap code runs a checksum routine over the in-memory image and compares the result with a value stored in the file; on a mismatch the program takes the fail path.
xor eax, eax
.loop:
add eax, ptr[ebx]
add ebx, 4
cmp ebx, 0x41000
jne .loop
cmp eax, .chksum
jne .fail
Any in-place modification of the checked region, including breakpoints or instrumentation written into the code, changes the sum.
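The following is an added example, not code from the talk or from Dyninst. It runs the slide's checksum loop over a constructed 64-byte code region and shows the check passing on the pristine bytes, failing once a 0xCC breakpoint is patched in place, and passing again when the checksum routine's reads are answered from a copy of the unpatched bytes. That last behaviour is a countermeasure assumed here for illustration, not something the slide describes; the region contents, the patch offset and the class names are all made up for the example.

```python
"""The slide's self-checksum loop run over a constructed code region."""
import struct


def checksum(read_word, start, end):
    """The slide's loop with memory access abstracted:
    xor eax, eax; .loop: add eax, [ebx]; add ebx, 4; cmp ebx, end; jne .loop"""
    eax, ebx = 0, start
    while ebx != end:
        eax = (eax + read_word(ebx)) & 0xFFFFFFFF   # 32-bit register wraps
        ebx += 4
    return eax


class CodeRegion:
    """Constructed stand-in for a packer's bootstrap + payload bytes together
    with the checksum the packer stored when the binary was built."""

    def __init__(self, size=64):
        self.mem = bytearray((i * 37 + 11) & 0xFF for i in range(size))
        self.pristine = bytes(self.mem)                  # copy kept before any patching
        self.expected = checksum(self.word, 0, size)     # ".chksum" on the slide

    def word(self, addr):
        """Read a little-endian dword from the live (possibly patched) region."""
        return struct.unpack_from("<I", self.mem, addr)[0]

    def pristine_word(self, addr):
        """Read the same dword from the unpatched copy."""
        return struct.unpack_from("<I", self.pristine, addr)[0]

    def patch(self, addr, data):
        """What a debugger or in-place instrumenter does: overwrite code bytes."""
        self.mem[addr:addr + len(data)] = data

    def self_check(self, hide_patches=False):
        """Run the packer's check. With hide_patches=True the analysis tool answers
        the checksum routine's reads from the pristine copy, so patches stay hidden."""
        read = self.pristine_word if hide_patches else self.word
        return checksum(read, 0, len(self.mem)) == self.expected


if __name__ == "__main__":
    region = CodeRegion()
    print("pristine:", region.self_check())                                  # True
    region.patch(0x10, b"\xcc")                                              # int3 at offset 0x10
    print("after in-place breakpoint:", region.self_check())                 # False
    print("reads served from pristine copy:", region.self_check(hide_patches=True))  # True
```

The checksum is a plain wrapping sum of dwords, so a single patched byte at a dword-aligned offset shifts the result by the byte difference and the comparison with the stored value fails; the only way the patched program still passes is if the routine never sees the patched bytes.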
24 Stolen bytes (ASProtect)
Normal program (malware.exe): .loadlibrary does call ptr [IAT-entry]; the Import Address Table points at kernel32.dll LoadLibrary, which begins
mov edi, edi
push ebp
mov ebp, esp
cmp ptr[ebp+8], 0
Protected program (malware.asprotect.exe): the first instructions of LoadLibrary are copied ("stolen") into a buffer inside the protected binary; .loadlibrary does call buffer.stolen, the buffer executes the copied prologue and then transfers control to kernel32.dll at the .stolen entry, just past the bytes that were copied out. The real LoadLibrary entry point is never called directly.

25 Outline (step 6, trace code's execution)
a. Stolen bytes
b. Non-standard API calls
c. Anti-debugging

26 Outline (summary of the six analysis steps)
27 Adapting Dyninst for malware analysis
Analysis tool (mutator) drives Dyninst, which reads the program binary's bytes and builds the CFG.
Dyninst components: control flow analyzer, data flow analyzer, instrumenter.
Code snippets the tool inserts: printf(...), gettarget(insn), counter++, if (pred) callback().
SR-Dyninst (sensitivity-resistant): combined static-dynamic analysis, with a sensitivity-resistant instrumenter in place of the standard one.