
Binary Auditing

Binary Auditing. Geller Bedoya Michael Wozniak. Background. Binary auditing is a technique used to test the security and discover the inner workings of closed source software. These techniques can be used to find out what malicious software does.


Presentation Transcript


  1. Binary Auditing Geller Bedoya Michael Wozniak

  2. Background • Binary auditing is a technique used to test the security and discover the inner workings of closed source software. • These techniques can be used to find out what malicious software does. • They are also used by crackers to bypass authentication systems in programs.

  3. Tools • Strings – used to list all printable strings that can be found in a file. • File – displays information about the file. • Hexedit – allows files to be edited at the binary level in a hex representation.

  4. Tools (cont.) • Biew – This is a multi-platform tool that can be used as a hex editor and a disassembler. • Objdump – Used to disassemble binaries on Linux. • Gdb – Debugger on Linux.

  5. Tools (cont.) • IDA – Interactive DisAssembler – This program is a Windows-only disassembler that handles both Windows and Linux binaries. It is an advanced disassembler that can be integrated with scripting languages such as Python and Ruby.

  6. A Simple Binary • A program that takes in a password and compares it to a reference password to authenticate a user. • This type of program can be reverse engineered in many ways.

  7. Simple.c

  8. Method #1 • Use hexedit, strings, objdump, or even a text editor. • These methods all display the password in plain text because the password is not encrypted.

  9. Method #2 • Suppose the input password were hashed and compared to a known hash; Method #1 would then be useless. • Method #2 is to modify the function of the binary by reversing the logic of the if statement.

  10. Method #2

  11. Method #3 • The jump code can be changed to jump to a different place in the program or it can be changed from je to jne. • This type of change is independent of the test logic.

  12. Anti-Reverse Engineering • Many software engineers attempt to disguise a program’s behaviour. • Techniques to do this include: • Anti-Virtual-Machine • Binary Compression/Packing • Binary Encoding • Stripping Symbols • Anti-Debugger

  13. Anti-VM • SIDT – Store Interrupt Descriptor Table Register • This instruction can be used to read the value of this register, which is abnormally high inside VMs. • RedPill.exe is a POC program that reads this register and declares whether or not it is running in a VM.

  14. RedPill.exe • To change this program, the jumps can be changed to manipulate how the program works. • The value that the program compares the IDTR to can be changed as well.

  15. Key Generators • Some software uses a username and an algorithm to derive a serial number that is used for authentication. • The problem with this is that the software itself must calculate the serial number from the user name, so the algorithm can be recovered and reversed.

  16. Very Simple Key Generator • A program needs a user name and a key. • The key is the same as the user name, but 1 is added to each character. • By running the program in a debugger or through a disassembler, the algorithm can be discovered.

  17. Key Generator • A key generator is a program that is created to run the same algorithm on any input and display the results.
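The toy scheme from slides 16 and 17 written out as a check routine, as an added example and not code from the talk (the function names and the "alice" input are assumptions): because the program must recompute the expected key from the user name, whoever reads the check has the generator, and a generator that only reads the check cannot be prevented by hiding the code better, only by a check that does not contain the secret (for instance verifying a signature with a public key).

```c
#include <stdio.h>
#include <string.h>

#define MAX_KEY 64

/* Derive the key the slide describes: every character of the user
 * name plus one. Returns the key length, or -1 when the name is empty,
 * would not fit, or contains a 0xFF byte (which would wrap to a NUL
 * and silently truncate the key). Assumed implementation of the toy
 * scheme, not the program shown in the presentation. */
int derive_key(const char *user, char *key, size_t keylen)
{
    size_t n = strlen(user);
    if (n == 0 || n + 1 > keylen)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (c == 0xFF)
            return -1;
        key[i] = (char)(c + 1u);
    }
    key[n] = '\0';
    return (int)n;
}

/* The check a protected program would run: recompute the expected key
 * and compare it to what the user typed. Everything a key generator
 * needs is in derive_key(), which is exactly what the disassembly of
 * this function exposes. */
int key_valid(const char *user, const char *key)
{
    char expected[MAX_KEY];
    if (derive_key(user, expected, sizeof expected) < 0)
        return 0;
    return strcmp(expected, key) == 0;
}

int main(void)
{
    char key[MAX_KEY];
    const char *user = "alice";              /* constructed sample input */
    if (derive_key(user, key, sizeof key) < 0)
        return 1;
    printf("%s -> %s  valid=%d\n", user, key, key_valid(user, key));
    printf("wrong key valid=%d\n", key_valid(user, "alice"));
    return 0;
}
```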

  18. Questions?
