Software Fingerprinting for Automated Malicious Code Analysis
Slide 1: Software Fingerprinting for Automated Malicious Code Analysis
Philippe Charland, Mission Critical Cyber Security Section, October 25, 2012
Terms of Release: This document is approved for release to Defence Departments, Defence Contractors, and Governments. Any further distribution requires the prior approval of the Defence R&D Canada Valcartier Document Review Panel.

Slide 2: Outline
- Software Reverse Engineering
- Motivation
- Research Objective
- Prototypes
- Future Work

Slide 3: Why Software Reverse Engineering?
- To develop a solid understanding of software for which there is no documentation and no source code
- Malicious software (malware) falls into this category

Slide 4: Malware Figures
- SophosLabs: analyzed 95,000 malware pieces every day in 2010
- Panda Security: 26 million new malware samples identified in …; …,000 strains per day
Slide 5: Targeted Attacks (figure only; no text transcribed)

Slide 6: Software Reverse Engineering Process
Stages, in order of increasing complexity:
1. Deobfuscation / software dearmoring (unpacking)
2. Disassembly / code-level analysis (debugger, IDA Pro, OllyDbg)
3. Relevant and interesting feature identification (experience based; newcomers have trouble with this)

Slide 7: Assembly Code Analysis
- Most nebulous portion of the process
- Largely depends on intuition and experience
- Looking at assembly is tedious: not seeing the forest for the trees, analyst fatigue, high level of attention required

Slide 8: Assembly Code Analysis
Question: what does this compute?

    lea eax, DWORD PTR [edx+edx]
    add eax, eax
    add eax, eax
    add eax, eax
    add eax, eax

Slide 9: Assembly Code Analysis
Answer: y = x * 32. The lea doubles edx into eax without touching memory, and each of the four add eax, eax instructions doubles it again: 2 * 2^4 = 32.

Slide 10: Assembly Code Analysis
- Doing everything manually is unsustainable
- Throwing more reverse engineers at the problem is not possible

Slide 11: Assembly Code Analysis
- Automate some of the assembly code analysis process!
Slide 12: Motivation
Malware authors:
- Develop huge numbers of variants to bypass antivirus
- Exchange source code among themselves
- Reuse open source code
Reverse engineers:
- Leverage the code reuse in malware
- Reduce redundant analysis effort
- Accelerate the reverse engineering process

Slide 13: Research Objective
Automatically identify code fragments that reuse:
1. Open source code
2. Previously analyzed assembly code

Slide 14: Assembly and Source Code Matching: RE-Google (regoogle.carnivore.it)
- IDA Pro plug-in (Python script)
- Enumerates all functions and extracts their strings, constants and imported function names
- Performs a Google Code Search for them
- Adds the top results as function comments

Slide 15: Results: constants (screenshot)

Slide 16: (screenshot)

Slide 17: RE-Google
- Relies on the Google Code Search API, which was shut down on January 15
- Look for alternatives...
Slide 18: Google Code Search Alternatives
As suggested on the Google Code Search Group: (list not transcribed)

Slide 19: Koders
- Merging with Ohloh (code.ohloh.net)
- Indexes and searches 10+ BLOC (billion lines of code), 3x the amount of Koders
- Supports 43 programming languages

Slides 20 to 22: Koders (screenshots)

Slide 23: Koders: search for SHA 512 (screenshot)

Slide 24: (screenshot)

Slide 25: RE-Source
- IDA Pro plug-in based on the original RE-Google Python script
- Pipeline: assembly file → RE-Source (extract features → build query) → code search HTML result page → RE-Source (parse results → comment functions)
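The extract features → build query → parse results → comment functions pipeline of slides 14 and 25, as an added example that is not RE-Google or RE-Source code: it pulls strings, distinctive constants and imported names out of one function's listing, builds the query the plug-in would send, and then ranks a small constructed source corpus in place of the remote code search (Google Code Search being gone). The listing, the corpus files and the helper names are assumptions made for this example; the two hash constants are the genuine SHA-512 and SHA-256 initial values. The real plug-in reads the same features through IDA's API rather than from a text listing.

```python
import re


def extract_features(listing, min_const=0x10000):
    """Strings (from IDA's ; "..." comments), distinctive immediates and imported names of one function."""
    strings, consts, imports = set(), set(), set()
    for line in listing.splitlines():
        code, _, comment = line.partition(";")
        quoted = re.search(r'"([^"]+)"', comment)
        if quoted:
            strings.add(quoted.group(1))
        call = re.match(r"\s*call\s+ds:(\w+)", code)
        if call:
            imports.add(re.sub(r"^(__imp_)?_*", "", call.group(1)))  # ds:__imp__fprintf -> fprintf
        no_mem = re.sub(r"\[[^\]]*\]", "", code)                      # drop [ebp+8]-style stack offsets
        for hexval in re.findall(r"\b([0-9A-Fa-f]+)h\b", no_mem):
            if int(hexval, 16) >= min_const:                          # small values are flags/sizes, not signatures
                consts.add("0x%x" % int(hexval, 16))
    return {"strings": sorted(strings), "constants": sorted(consts), "imports": sorted(imports)}


def build_query(features):
    """Query string in the shape RE-Google sent to the code search (format assumed for this example)."""
    return " ".join(['"%s"' % s for s in features["strings"]] + features["constants"] + features["imports"])


def search_corpus(features, corpus):
    """Rank source files by how many extracted features they contain: a local stand-in for the remote
    search. Constants match as hex-digit substrings, so a 32-bit immediate also hits a wider literal."""
    ranked = []
    for path, src in corpus.items():
        hits = [s for s in features["strings"] if s in src]
        hits += [c for c in features["constants"] if c[2:] in src.lower()]
        hits += [i for i in features["imports"] if re.search(r"\b%s\b" % re.escape(i), src)]
        if hits:
            ranked.append((path, len(hits), hits))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def function_comment(ranked, top=3):
    """Comment text to attach to the function, as the plug-in does for its top hits."""
    return "RE-Source: " + "; ".join("%s (%d)" % (path, n) for path, n, _ in ranked[:top])


# Constructed sample: a fragment initialising a SHA-512 state (0x6a09e667f3bcc908 is the real first
# SHA-512 initial value); the string, the imports and the addresses are made up for this example.
LISTING = "\n".join([
    "sub_401000 proc near", "push ebp", "mov ebp, esp", "mov esi, [ebp+8]",
    "mov eax, 6A09E667h", "mov edx, 0F3BCC908h", "mov [esi], eax", "mov [esi+4], edx",
    'push offset aDigestFailed ; "digest failed"', "call ds:__imp__fprintf",
    "cmp [ebp+0Ch], 80h", "call ds:_aligned_free", "retn", "sub_401000 endp"])

# Constructed stand-in corpus; the constants are the genuine SHA-512 and SHA-256 initial values.
CORPUS = {
    "sha512.c": "static const uint64_t H0[2] = {0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL};\n"
                'if (!ok) fprintf(stderr, "digest failed");',
    "sha256.c": "static const uint32_t H0[2] = {0x6a09e667, 0xbb67ae85};",
    "calc.cpp": "double factorial(int n) { return n < 2 ? 1 : n * factorial(n - 1); }",
}

if __name__ == "__main__":
    features = extract_features(LISTING)
    print(build_query(features))
    print(function_comment(search_corpus(features, CORPUS)))
```

The ranking shows why constants alone are a weak signal: 0x6a09e667 is both the first SHA-256 initial value and the upper half of the first SHA-512 one, so sha256.c also scores a hit; only the second half, 0xf3bcc908, separates the two, which is the kind of ambiguity the analyst still has to resolve when reading the added comment. Generic imports such as fprintf match almost every file and should be weighted down or dropped when building the query.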
Slide 26: RE-Source: Precise Calculator case study (screenshot)

Slide 27: Precise Calculator
- Open source programmable scientific calculator
- Has more than 150 mathematical and statistical functions
- Written in C++ and assembly: 9 .h files, 7 .cpp files, 2 assembly files

Slide 28: RE-Source: Precise Calculator case study
- Disassembled executable contains 533 functions
- Features extracted for 67 functions
- Identified 5 of the 7 .cpp files with 100% accuracy (70% of the original source code)
- Detected functions: mathematical, geometrical and statistical; parsing, editing, GUI

Slides 29 and 30: RE-Source: Precise Calculator case study (screenshots)
Slide 31: Clone Detection
- Technique to identify duplicate code fragments in a code base
- Most algorithms operate on source code
- Uses: decrease code size by consolidating duplicates; facilitate program comprehension and software maintenance; copyright infringement in commercial off-the-shelf software; plagiarism detection

Slide 32: Clone Detection vs. Clone Search
- Clone detection: identify all the similar code fragments within a code base; every pair of code fragments is compared
- Clone search: identify only the code fragments similar to a given target fragment

Slide 33: Clone Types
- Syntactic clones (textual similarity): Type I, II and III
- Semantic clones (functional similarity): Type IV
Slide 34: Syntactic Clones: Type I
Identical code fragments except for variations in whitespace, layout and comments.

    push e-ax ; Memory
    call ds:_aligned_free
    and dword ptr [esi], 0
    pop ecx

    push eax
    call ds:_aligned_free
    and dword ptr [esi], 0
    pop ecx

Slide 35: Syntactic Clones: Type II
Structurally/syntactically identical fragments except for variations in identifiers, literals, types, layout and comments (here the stack variable name and frame offsets differ).

    push edi ; Size
    call _malloc
    mov edx, eax
    mov ecx, edi
    mov [esp+24h+var_c], edx
    mov edi, edx
    mov edx, ecx
    xor eax, eax
    shr ecx, 2
    rep stosd
    mov ecx, edx
    add esp, 4
    and ecx, 3
    rep stosb
    mov eax, [esp+20h+var_c]
    test eax, eax
    jnz loc_10001a97
    mov eax, [ebx]
    push eax

    push edi ; Size
    call _malloc
    mov edx, eax
    mov ecx, edi
    mov [esp+20h+inbuffer], edx
    mov edi, edx
    mov edx, ecx
    xor eax, eax
    shr ecx, 2
    rep stosd
    mov ecx, edx
    add esp, 4
    and ecx, 3
    rep stosb
    mov eax, [esp+1ch+inbuffer]
    test eax, eax
    jnz loc_
    mov eax, [ebx]
    push eax

Slide 36: Syntactic Clones: Type III
Copied fragments with further modifications: statements can be changed, added or removed, in addition to variations in identifiers, literals, types, layout and comments (here the third and fourth instructions are swapped).

    mov esi, [ebp+arg_0]
    mov edx, [esi+214h]
    mov edi, [esi+220h]
    mov [ebp+var_4], edx
    cmp [esi+21ch], edi
    jl short loc_
    lea ebx, [edx+edi*8]

    mov esi, [ebp+arg_0]
    mov edx, [esi+214h]
    mov [ebp+var_4], edx
    mov edi, [esi+220h]
    cmp [esi+21ch], edi
    jl short loc_
    lea ebx, [edx+edi*8]

Slide 37: Semantic Clones: Type IV
Two or more code fragments that perform the same computation implemented through different syntactic variants. Both functions below return the length of the string passed on the stack: the first walks the bytes in an explicit loop, the second uses the repne scasb string instruction.

    strlen1 proc near
    arg_0 = dword ptr 4
        mov eax, [esp+arg_0]
    loc_401004:
        cmp byte ptr [eax], 0
        jz short done
        inc eax
        jmp short loc_
    done:
        sub eax, [esp+arg_0]
        retn
    strlen1 endp

    strlen3 proc near
    arg_0 = dword ptr 4
        push edi
        mov edi, [esp+4+arg_0]
        xor ecx, ecx
        not ecx
        xor al, al
        cld
        repne scasb
        not ecx
        lea eax, [ecx-1]
        pop edi
        retn
    strlen3 endp
Slide 38: Clone Detector Overview
Extended from A. Saebjornsen et al. (2009), University of California, Davis.
Pipeline: binary files → disassembler → assembly files → regionizer → normalizer → token indexer → exact clone detector and inexact clone detector → duplicate clone merger → maximal clone merger → XML file → visualizer

Slide 39: Clone Detector: Regionizer
Input function, as disassembled:

    sub_402d5f proc near ; CODE XREF: sub_402fc1+12p
        mov edi, edi
        push esi
        push edi
        mov edi, ecx
        lea esi, [edi+0d0h]
        mov eax, [esi]
        test eax, eax
        jz short loc_402d7c
        push eax ; Memory
        call ds:_aligned_free
        and dword ptr [esi], 0
        pop ecx
    loc_402d7c: ; CODE XREF: sub_402d5f+10j
        and dword ptr [edi+0d4h], 0
        push 90h ; Size
        push 0 ; Val
        add edi, 40h
        push edi ; Dst
        call memset
        add esp, 0Ch
        pop edi
        pop esi
        retn
    sub_402d5f endp

Slide 40: Clone Detector: Regionizer
The same function with labels and comments stripped is a sequence of 22 instructions. With a window size of 10 instructions and a step size of 4 instructions, the regionizer cuts it into six overlapping regions (Region 0 to Region 5), starting at instructions 0, 4, 8, 12, 16 and 20; the last regions, at the tail of the function, are shorter than the window.
Slide 41: Clone Detector: Normalization
Registers, constants and memory addresses are normalized:
- Constants → VAL, or VALx where x is an index number
- Memory addresses → MEM, or MEMx where x is an index number
- Registers → several normalization levels are available (next slide)

Slide 42: Clone Detector: Normalization (register levels)
- REG: every register becomes REG (EAX → REG, CS → REG, EDI → REG)
- REGSeg / REGGen / REGIdxPtr: by register class (EAX → REGGen, CS → REGSeg, EDI → REGIdxPtr)
- REGGen8 / REGGen16 / REGGen32: general registers by width (EAX → REGGen32, AX → REGGen16, AH → REGGen8)
- REGx: each register keeps its own index (EAX → REG#0, AX → REG#1, AH → REG#2)
The levels form a hierarchy, each a refinement of the one above: REG → {REGSeg, REGGen, REGIdxPtr}; REGGen → {REGGen8, REGGen16, REGGen32} → REGx.

Slide 43: Clone Detector: Normalization
At the REG level, a standard function prologue normalizes as follows:

    Assembly code                    Normalized assembly code
    mov edi, edi                     mov REG, REG
    push ebp                         push REG
    mov ebp, esp                     mov REG, REG
    mov eax, dword ptr [ebp+8]       mov REG, MEM
Slide 44: Clone Detector: Exact Clones
- Compare statements between regions
- Two regions are considered an exact clone if all their normalized statements are identical (i.e. the regions have the same hash value)

Slide 45: Clone Detector: Exact Clones
Three normalized functions; regions that share a hash key form one clone cluster (hash key → clone cluster).

    sub_402d5f proc near
        mov REGGen32, REGGen32
        push REGIdxPtr
        push REGIdxPtr
        mov REGIdxPtr, REGGen32
        lea REGIdxPtr, VAL
        mov REGGen32, MEM
        test REGGen32, REGGen32
        jz short VAL
        push REGGen16
        ...
        retn
    sub_402d5f endp

    sub_579aeg proc near
        ...
        mov REGIdxPtr, REGGen32
        lea REGIdxPtr, VAL
        mov REGGen32, MEM
        test REGGen32, REGGen32
        jz short VAL
        push REGGen16
        ...
        retn
    sub_579aeg endp

    sub_579aeg proc near
        mov REGIdxPtr, REGGen32
        lea REGIdxPtr, VAL
        mov REGGen32, MEM
        test REGGen32, REGGen32
        push REGGen16
        mov REGIdxPtr, REGGen32
        lea REGIdxPtr, VAL
        ...
        retn
    sub_579aeg endp

Slides 46 to 48: Clone Detector: Exact Clones (screenshots)
Slide 49: Clone Detector: Inexact Clones
- Compute a feature vector for each region
- Feature vectors are built from: the mnemonics of the instructions; the types of the operands; combinations of mnemonic and operand types
- Two regions are considered an inexact clone if the similarity between their feature vectors reaches a minimum similarity threshold

Slides 50 to 52: Clone Detector: Inexact Clones (screenshots)
Slide 53: Clone Detector: Duplicate Clone Merger
Removes clones that are highly overlapping regions within the same function. Example region:

    push edi
    call ds:gettickcount
    sub eax, dword_1000d22c
    push eax
    lea eax, [esp+0ch]
    push offset a9lu
    push eax
    call _sprintf
    lea ecx, [esp+14h]
    lea edx, [esp+24h]
    push ecx
    push offset Dest
    push offset a8ss
    push edx
    call _sprintf
    mov eax, dword_1000d218
    mov ecx, dword_1000a044

Slide 54: Clone Detector: Maximal Clone Merger
Merges consecutive cloned regions into one larger clone. The slide shows the same sequence in both of two cloned functions: the 17 instructions above, continued by

    lea edi, [esp+34h]
    add esp, 1Ch
    lea edx, [ecx+eax+0ah]
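The regionizer, normalizer, exact and inexact clone detectors and the maximal clone merger of slides 39 to 54, as one added example that is neither the DRDC tool nor the Saebjornsen et al. code: a sliding-window clone detector over IDA-style listings. The register classes, the cosine similarity measure, the treatment of lea's bracketed operand as MEM (the slide shows it as VAL), the function names and the sample inputs are assumptions made for this example; the input is the slide's sub_402d5f plus two constructed variants, a Type II copy with registers and constants renamed and a Type III copy with one instruction replaced and one inserted.

```python
import hashlib, math, re
from collections import Counter
from itertools import combinations

SEG, IDX = set("cs ds es fs gs ss".split()), set("esi edi ebp esp".split())
REG_WIDTH = {r: w for w, names in ((32, "eax ebx ecx edx"), (16, "ax bx cx dx"),
                                    (8, "al ah bl bh cl ch dl dh")) for r in names.split()}
NUM = re.compile(r"^(0x[0-9a-f]+|[0-9][0-9a-f]*h?)$", re.I)

def parse_listing(text):
    """IDA-style listing -> [(mnemonic, [operands])]; comments, labels and proc/endp lines are dropped."""
    instrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.endswith(":") or line.split()[-1] in ("near", "endp"):
            continue
        mnem, _, rest = line.partition(" ")
        instrs.append((mnem.lower(), [o.strip() for o in rest.split(",")] if rest.strip() else []))
    return instrs

def norm_operand(op, level="size"):
    """Constants -> VAL, memory references -> MEM, registers -> REG / REGSeg|REGGen|REGIdxPtr /
    REGGen8|16|32 depending on `level` ('reg', 'type', 'size'); the 'short' jump hint is kept."""
    op = re.sub(r"^(dword|word|byte) ptr ", "", op.strip())
    prefix, op = ("short ", op[6:]) if op.startswith("short ") else ("", op)
    low = op.lower()
    if "[" in low or low.startswith(("ds:", "offset ", "dword_")):
        return prefix + "MEM"
    if NUM.match(low) or low.startswith(("loc_", "sub_")):
        return prefix + "VAL"
    if low in SEG or low in IDX or low in REG_WIDTH:
        if level == "reg":
            return prefix + "REG"
        if low in SEG or low in IDX:
            return prefix + ("REGSeg" if low in SEG else "REGIdxPtr")
        return prefix + ("REGGen" if level == "type" else "REGGen%d" % REG_WIDTH[low])
    return prefix + op  # symbolic names such as memset are left untouched

def normalize(instrs, level="size"):
    return [" ".join([m, ", ".join(norm_operand(o, level) for o in ops)]).strip() for m, ops in instrs]

def regionize(instrs, window=10, step=4):  # overlapping windows every `step` instructions; tails are shorter
    return [(s, instrs[s:s + window]) for s in range(0, len(instrs), step)]

def exact_clones(functions, window=10, step=4, level="size"):
    """Regions whose normalized text hashes identically form one clone cluster. functions: {name: listing}."""
    buckets = {}
    for name, text in functions.items():
        for start, region in regionize(parse_listing(text), window, step):
            key = hashlib.md5("\n".join(normalize(region, level)).encode()).hexdigest()
            buckets.setdefault(key, []).append((name, start))
    return [sorted(v) for v in buckets.values() if len(v) > 1]

def feature_vector(region):
    """Counts of mnemonics, operand types, and mnemonic+operand-type combinations of a region."""
    vec = Counter()
    for line in normalize(region):
        mnem, _, rest = line.partition(" ")
        types = [o.split()[-1] for o in rest.split(", ")] if rest else []
        vec["m:" + mnem] += 1
        vec.update("o:" + t for t in types)
        vec["c:%s:%s" % (mnem, ",".join(types))] += 1
    return vec

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    return dot / math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))

def inexact_clones(functions, threshold=0.9, window=10, step=4):
    """Cross-function region pairs whose feature vectors are at least `threshold` cosine-similar."""
    regions = {n: regionize(parse_listing(t), window, step) for n, t in functions.items()}
    sims = ((fa, sa, fb, sb, cosine(feature_vector(ra), feature_vector(rb)))
            for fa, fb in combinations(sorted(regions), 2) for sa, ra in regions[fa] for sb, rb in regions[fb])
    return [(fa, sa, fb, sb, round(sim, 3)) for fa, sa, fb, sb, sim in sims if sim >= threshold]

def merge_maximal(clusters, sizes, window=10, step=4):
    """Maximal clone merger: region pairs whose starts both advance by one step are chained into one
    longer clone; returns (fa, start_a, fb, start_b, length). Same-function overlaps are dropped."""
    pairs = {(fa, sa, fb, sb) for c in clusters for (fa, sa), (fb, sb) in combinations(c, 2) if fa != fb}
    merged = []
    for fa, sa, fb, sb in sorted(pairs):
        if (fa, sa - step, fb, sb - step) in pairs:
            continue  # continuation of a chain that started earlier
        n = 1
        while (fa, sa + n * step, fb, sb + n * step) in pairs:
            n += 1
        merged.append((fa, sa, fb, sb, min(window + (n - 1) * step, sizes[fa] - sa, sizes[fb] - sb)))
    return merged

# Constructed sample: the slide's sub_402d5f plus two variants made for this example, a Type II copy
# (registers and constants renamed) and a Type III copy (one instruction replaced, one inserted).
SUB_402D5F = "\n".join(
    "mov edi, edi|push esi|push edi|mov edi, ecx|lea esi, [edi+0d0h]|mov eax, [esi]|test eax, eax|"
    "jz short loc_402d7c|push eax ; Memory|call ds:_aligned_free|and dword ptr [esi], 0|pop ecx|loc_402d7c:|"
    "and dword ptr [edi+0d4h], 0|push 90h ; Size|push 0 ; Val|add edi, 40h|push edi ; Dst|call memset|"
    "add esp, 0Ch|pop edi|pop esi|retn".split("|"))
RENAMES = {"edi": "esi", "esi": "edi", "eax": "ebx", "ecx": "edx", "0d0h": "0e0h", "0d4h": "0e4h", "90h": "0A0h"}
TYPE2 = re.sub(r"\b(%s)\b" % "|".join(RENAMES), lambda m: RENAMES[m.group(1)], SUB_402D5F)
TYPE3 = SUB_402D5F.replace("and dword ptr [edi+0d4h]", "mov dword ptr [edi+0d4h]").replace(
    "call memset", "call memset\nxor eax, eax")
FUNCS = {"sub_402d5f": SUB_402D5F, "sub_4031a0": TYPE2, "sub_7c01d0": TYPE3}
SIZES = {name: len(parse_listing(text)) for name, text in FUNCS.items()}
```

exact_clones(FUNCS) yields six clusters: the Type II copy matches all six regions of the original, and the Type III copy only the first region, because its edits sit inside every later window; merge_maximal(exact_clones(FUNCS), SIZES) then fuses the six region pairs of the original and its Type II copy into a single 22-instruction clone, while inexact_clones(FUNCS) still scores the Type III copy's edited regions above 0.95. Two caveats a practitioner should keep in mind: tail regions are shorter than the window and match almost trivially (any two functions ending in pop esi / retn share a two-instruction "clone"), so a minimum region length or the duplicate-clone pass of slide 53 is needed before reporting; and the cosine measure is blind to instruction order, which is the trade-off that lets it find Type III clones at all. Clone search (slide 32) is the same hash lookup keyed on one target function's regions instead of all pairs.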
Slides 55 and 56: Clone Detector: Clone Search (screenshots)
Slide 57: Case Study
- 18 open source dynamic link libraries (DLLs): recall and precision consistently above 80%
- Zeus and Blaster malware: precision over 96%
- Efficiency is not sensitive to the window size

Slide 58: Future Work
Proof-of-concept prototypes:
- RE-Source: automatically identify a larger proportion of libraries
- Clone Detector: improve the precision and recall of inexact clone detection; support semantic clones; conduct additional case studies

Slide 59: Questions
rddc.gc.ca
More informationl C-Programming l A real computer language l Data Representation l Everything goes down to bits and bytes l Machine representation Language
198:211 Computer Architecture Topics: Processor Design Where are we now? C-Programming A real computer language Data Representation Everything goes down to bits and bytes Machine representation Language
More informationSpontaneous Code Recommendation based on Open Source Code Repository
Spontaneous Code Recommendation based on Open Source Code Repository Hidehiko Masuhara masuhara@acm.org Tokyo Tech joint work with Takuya Watanabe, Naoya Murakami, Tomoyuki Aotani Do you program with Google?
More informationFor a 64-bit system. I - Presentation Of The Shellcode
#How To Create Your Own Shellcode On Arch Linux? #Author : N3td3v!l #Contact-mail : 4nonymouse@usa.com #Website : Nopotm.ir #Spcial tnx to : C0nn3ct0r And All Honest Hackerz and Security Managers I - Presentation
More informationStack Overflows. Mitchell Adair
Stack Overflows Mitchell Adair Outline Why? What? There once was a VM Virtual Memory Registers Stack stack1, stack2, stack3 Resources Why? Real problem Real money Real recognition Still prevalent Very
More informationReverse Engineering Malware Part 1
Reverse Engineering Malware Part 1 Author :Arunpreet Singh Blog : https://reverse2learn.wordpress.com MD5 Hash : 1d8ea40a41988b9c3db9eff5fce3abe5 This is First Part of 2 Part Series.This Malware Drops
More informationTest Driven Development in Assembler a little story about growing software from nothing
Test Driven Development in Assembler a little story about growing software from nothing Olve Maudal During the last decade Test-Driven Development has become an established practice for developing software
More informationEgil Aspevik Martinsen Polymorphic Viruses. Material from Master Thesis «Detection of Junk Instructions in Malicious Software»
Egil Aspevik Martinsen Polymorphic Viruses Material from Master Thesis «Detection of Junk Instructions in Malicious Software» 1 History 1982 Elk Cloner Brain 1987 1260 1992 Ply 1997 Melissa ILOVEYOU Zmist
More informationAttacking x86 Windows Binaries by Jump Oriented Programming
Attacking x86 Windows Binaries by Jump Oriented Programming L. Erdődi * * Faculty of John von Neumann, Óbuda University, Budapest, Hungary erdodi.laszlo@nik.uni-obuda.hu Abstract Jump oriented programming
More informationDynamic Behavior Analysis Using Binary Instrumentation
Dynamic Behavior Analysis Using Binary Instrumentation Jonathan Salwan jsalwan@quarkslab.com St'Hack Bordeaux France March 27 2015 Keywords: program analysis, DBI, DBA, Pin, concrete execution, symbolic
More information8. MACROS, Modules, and Mouse
8. MACROS, Modules, and Mouse Background Macros, Modules and the Mouse is a combination of concepts that will introduce you to modular programming while learning how to interface with the mouse. Macros
More informationAttacking Obfuscated Code with IDA Pro. Chris Eagle
Attacking Obfuscated Code with IDA Pro Chris Eagle Outline Introduction Operation Demos Summary 2 First Order Of Business MOVE UP AND IN! There is plenty of room up front I can't increase the font size
More informationDisassembly of False Positives for Microsoft Word under SCRAP
Disassembly of False Positives for Microsoft Word under SCRAP We evaluated Word application of Microsoft Office 2010 Suite using a 54 KiB document [1] under the SCRAP configuration S 7,4 for one billion
More informationAdministration. Instruction scheduling. Modern processors. Examples. Simplified architecture model. CS 412 Introduction to Compilers
CS 4 Introduction to Compilers ndrew Myers Cornell University dministration Prelim tomorrow evening No class Wednesday P due in days Optional reading: Muchnick 7 Lecture : Instruction scheduling pr 0 Modern
More informationStatic detection of C++ vtable escape vulnerabilities in binary code
Static detection of C++ vtable escape vulnerabilities in binary code David Dewey Jonathon Giffin School of Computer Science, Georgia Institute of Technology {ddewey, giffin}@gatech.edu Abstract Static
More informationWLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (www.argeniss.com)
WLSI Windows Local Shellcode Injection Cesar Cerrudo Argeniss (www.argeniss.com) Overview _ Introduction _ Establishing a LPC connection _ Creating a shared section _ The technique _ Building an exploit
More informationMission 1: The Bot Hunter
Mission 1: The Bot Hunter Mission: Interpol have asked the BSidesLondon Unhackable Mission Force to penetrate and shut down a notorious botnet. Our only clue is a recovered bot executable which we hope
More informationThe 80x86 Instruction Set
Thi d t t d ith F M k 4 0 2 The 80x86 Instruction Set Chapter Six Until now, there has been little discussion of the instructions available on the 80x86 microprocessor. This chapter rectifies this situation.
More informationFine-grained covert debugging using hypervisors and analysis via visualization
Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis Fine-grained covert debugging using hypervisors and analysis via visualization Daniel A. Quist Lorie M. Liebrock Offensive
More informationThe Plan Today... System Calls and API's Basics of OS design Virtual Machines
System Calls + The Plan Today... System Calls and API's Basics of OS design Virtual Machines System Calls System programs interact with the OS (and ultimately hardware) through system calls. Called when
More information風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com
風 水 Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program
More informationThe Value of Physical Memory for Incident Response
The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA 95864 www.mcsi.mantech.com 2003-2015 ManTech Cyber Solutions International, All Rights Reserved. Physical
More information