
Extending Microsoft’s Phoenix Framework



  1. Extending Microsoft’s Phoenix Framework An external perspective

  2. Who am I? • Matt Miller • Consultant with Leviathan Security Group • Core developer for the Metasploit Framework • Uninformed Journal editor & contributor

  3. What’s this talk about? • External project using Phoenix • Introduction to Cthulhu • High-level architecture overview • Cool features

  4. Phoenix Overview • Software optimization and analysis • Basis for future Microsoft compilers and tools • Robust and extensible architecture • Plugins • Phases

  5. Why extend Phoenix? • RDK/SDK not yet completely solidified • Encapsulation can help here • API is feature rich but verbose • No simplified wrapper • No solution for large-scale analysis • LCTG is not enough

  6. Cthulhu Overview • Static analysis encapsulation framework • Hobby project started in June, 2006 • Written in C# • Goals • Simplified interface • Large-scale analysis • Research sand box

  7. Cthulhu Architecture (diagram) • Fundamentals: DB, IDA, Phoenix • Analysis Engine • Peons: Data Flow, Control Flow, Analysis, Rendering • Tools

  8. Cthulhu Architecture (the same diagram as slide 7, repeated)

  9. Analysis Engine Process • Uses a fundamental to load assemblies • Runs phases • Import • Analyze • Render • Peons register to be notified on certain events

  10. Import Phase (diagram) • 1. Load Assembly (Phoenix Fundamental) • 2. Assembly Loaded (Analysis Engine) • 3. Import Event to the Fundamentalist Peons: Basic Types • 4. Normalize Information (into the DB) • 5. Import Event to the Fundamentalist Peons: Control Flow, Data Flow

  11. Analyze Phase (diagram) • 1. Load Assembly (Database Fundamental) • 2. Denormalize Assembly Information (from the DB) • 3. Assembly Loaded (Analysis Engine) • 4. Analysis Event to the Analytical Peons: Path Discovery • 5. Normalize and Denormalize Information (DB) • 6. Analysis Event to the Analytical Peons: Leak Check

  12. Render Phase (diagram) • 1. Render (Analysis Engine to the Renderer Peons) • 2. Denormalize (from the DB / Output Store) • 3. Display: Console, GUI

  13. Database Implications • Extensible and flexible way to represent binary information • May be used to support large-scale analysis • Hundreds of modules • More work needs to be done • Performance overhead is non-trivial • Processing time is high • Volatile memory usage is low

  14. A few cool features • Simplified API • Version-independent modeling • Conceptual modeling

  15. Simplified API • Abstract classes provide fundamental independence: Assembly, Module, Data Type, Method, … • Concrete implementations of each exist for the DB and for Phoenix
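The phase-and-peon flow of slides 9 to 12 and the fundamental-independent object model of slide 15, as an added illustration. This is example code written for this page in Python, not Cthulhu's code (Cthulhu itself is C#), and none of the class or function names are its API. A Fundamental base class loads an assembly, the engine runs the Import, Analyze and Render phases and calls the peons registered for each, and three constructed peons (control-flow normalization, path discovery, a toy leak check) plus a console renderer show how information flows through the shared fact store. The sample assembly, its pseudo-instructions and the "alloc without free" rule are constructed for the example.

```python
from abc import ABC, abstractmethod
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Method:
    name: str
    blocks: dict    # label -> (pseudo-instructions, successor labels); "entry" starts it

@dataclass
class Assembly:
    name: str
    methods: list

class Fundamental(ABC):
    """Loader abstraction (slide 15): the engine is written against this, not Phoenix."""
    @abstractmethod
    def load(self, name: str) -> Assembly: ...

class InMemoryFundamental(Fundamental):
    def __init__(self, store: dict):
        self.store = store          # stand-in for Phoenix/IDA/DB: assemblies in a dict
    def load(self, name: str) -> Assembly:
        return self.store[name]

class AnalysisEngine:
    """Runs Import -> Analyze -> Render and notifies the peons registered for each."""
    def __init__(self, fundamental: Fundamental):
        self.fundamental = fundamental
        self.peons = defaultdict(list)      # phase -> peons, in registration order
        self.facts = {}                     # normalized information peons share
    def register(self, phase: str, peon):
        self.peons[phase].append(peon)
    def run(self, name: str) -> dict:
        asm = self.fundamental.load(name)   # Load Assembly / Assembly Loaded
        for phase in ("import", "analyze", "render"):
            for peon in self.peons[phase]:  # raise the phase's event
                peon(self, asm)
        return self.facts

# Fundamentalist peon (Import phase): normalize control flow into the fact store.
def control_flow_peon(engine, asm):
    engine.facts["cfg"] = {m.name: {lbl: succs for lbl, (_, succs) in m.blocks.items()}
                           for m in asm.methods}

# Analytical peon (Analyze phase): path discovery. Every simple path from "entry"
# to a block with no successors; back-edges are skipped so loops terminate.
def path_discovery_peon(engine, asm):
    paths = {}
    for m in asm.methods:
        cfg, found, stack = engine.facts["cfg"][m.name], [], [["entry"]]
        while stack:
            trail = stack.pop()
            succs = cfg[trail[-1]]
            if not succs:
                found.append(trail)
            stack.extend(trail + [s] for s in succs if s not in trail)
        paths[m.name] = found
    engine.facts["paths"] = paths

# Analytical peon (Analyze phase): leak check over the discovered paths. For this
# example a leak is a path that calls alloc and never calls free (constructed rule).
def leak_check_peon(engine, asm):
    leaks = {}
    for m in asm.methods:
        for path in engine.facts["paths"][m.name]:
            ops = [op for lbl in path for op in m.blocks[lbl][0]]
            if "call alloc" in ops and "call free" not in ops:
                leaks.setdefault(m.name, []).append(path)
    engine.facts["leaks"] = leaks

# Renderer peon (Render phase): console output.
def console_renderer(engine, asm):
    for name, paths in engine.facts["leaks"].items():
        for p in paths:
            print(f"{asm.name}!{name}: alloc without free on {' -> '.join(p)}")

def build_sample() -> Assembly:
    """Constructed input: one method leaks on its error path, one loops but frees."""
    open_and_parse = Method("open_and_parse", {
        "entry": (["call alloc"], ["check"]),
        "check": (["test eax"], ["ok", "fail"]),
        "ok":    (["call parse", "call free", "ret"], []),
        "fail":  (["ret"], []),
    })
    loop_copy = Method("loop_copy", {
        "entry": (["call alloc"], ["loop"]),
        "loop":  (["mov"], ["loop", "done"]),
        "done":  (["call free", "ret"], []),
    })
    return Assembly("demo.exe", [open_and_parse, loop_copy])

def run_demo() -> dict:
    engine = AnalysisEngine(InMemoryFundamental({"demo.exe": build_sample()}))
    engine.register("import", control_flow_peon)
    engine.register("analyze", path_discovery_peon)
    engine.register("analyze", leak_check_peon)     # consumes paths, so registered after
    engine.register("render", console_renderer)
    return engine.run("demo.exe")
```

Running run_demo() reports the one leaking path (entry, check, fail) and nothing for the looping method, whose back-edge is dropped by path discovery. Peon ordering within a phase matters: the leak check reads facts the path-discovery peon writes, so an engine of this shape needs either registration-order delivery, as here, or an explicit dependency mechanism.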

  16. Version-independent Modeling • Modeling version-independent relationships between assemblies in the database • Appropriate versions can be selected at analysis time • Example: void CallExitProcess() { ExitProcess(0); } • (diagram) CallExitProcess 1 calls the generic kernel32!ExitProcess; the distinct kernel32!ExitProcess versions 1, 2, 3 and 4 are related to that generic symbol
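The relationship on slide 16, as an added illustration written for this page in Python rather than Cthulhu's C#; it is not the project's code and its class names are invented. The call from CallExitProcess is stored against a generic kernel32!ExitProcess symbol, each imported kernel32 build contributes its own concrete ExitProcess related to that symbol, and resolve() binds the edge to a concrete function only when the analysis selects which build it is looking at. The version labels and RVAs are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GenericSymbol:
    """Version-independent identity of a function, e.g. kernel32!ExitProcess."""
    module: str
    name: str
    def __str__(self) -> str:
        return f"{self.module}!{self.name}"

@dataclass(frozen=True)
class ConcreteFunction:
    """One imported version of a generic symbol."""
    generic: GenericSymbol
    version: str    # build it was imported from (constructed labels below)
    rva: int        # constructed relative virtual address

class RelationshipDb:
    """Relationships are stored against generic symbols; versions are bound later."""
    def __init__(self):
        self.versions = {}  # GenericSymbol -> {version: ConcreteFunction}
        self.calls = []     # (caller GenericSymbol, callee GenericSymbol)

    def import_function(self, module, name, version, rva) -> GenericSymbol:
        sym = GenericSymbol(module, name)
        self.versions.setdefault(sym, {})[version] = ConcreteFunction(sym, version, rva)
        return sym

    def add_call(self, caller: GenericSymbol, callee: GenericSymbol):
        self.calls.append((caller, callee))   # no version is baked into the edge

    def resolve(self, sym: GenericSymbol, selected: dict) -> ConcreteFunction:
        """selected maps module -> the version chosen for this analysis run."""
        have = self.versions.get(sym, {})
        want = selected.get(sym.module)
        if want not in have:   # fail loudly rather than silently pick a build
            raise KeyError(f"{sym}: version {want!r} not imported; have {sorted(have)}")
        return have[want]

    def call_graph(self, selected: dict) -> list:
        """Materialize the stored generic edges against the selected versions."""
        return [(self.resolve(a, selected), self.resolve(b, selected)) for a, b in self.calls]

def build_demo_db() -> RelationshipDb:
    """Constructed data in the shape of slide 16."""
    db = RelationshipDb()
    # Four imported kernel32 builds each contribute an ExitProcess (versions/RVAs constructed).
    for version, rva in [("1", 0x1A2B0), ("2", 0x1A3C0), ("3", 0x1B000), ("4", 0x1B0F0)]:
        db.import_function("kernel32", "ExitProcess", version, rva)
    # The caller from the slide: void CallExitProcess() { ExitProcess(0); }
    caller = db.import_function("demo.exe", "CallExitProcess", "1", 0x1000)
    db.add_call(caller, GenericSymbol("kernel32", "ExitProcess"))
    return db

def callee_rva(db: RelationshipDb, kernel32_version: str) -> int:
    """The concrete ExitProcess that CallExitProcess reaches under one selection."""
    selected = {"demo.exe": "1", "kernel32": kernel32_version}
    (_caller, callee), = db.call_graph(selected)
    return callee.rva
```

The same stored edge resolves to a different ExitProcess for each kernel32 build selected, and the database holds one caller record rather than one per build. Asking for a build that was never imported raises instead of falling back to an arbitrary version, which is the behaviour you want when an analysis result is going to be attributed to a specific binary.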

  17. Conceptual Modeling (diagram) • Universe • VPN Client: Device Driver (vpn.sys), Daemon (daemon.exe), User Interface (vpngui.exe, dialogs.dll) • VPN Server

  18. Future Work • Import and analyze large data sets • All PE modules from Windows XP? • Improve database performance • Implement additional peons • Leak Check • And the list goes on…

  19. Conclusion / Questions • There is… • A lot more to be said • A lot of work left to do • A lot of data to collect • Unfortunately, time is a factor • Questions?
