1 / 43

Binary voyeurism

Binary voyeurism. A decent overview. Who are you. Any experience with Binary reversing ? Debugging? Exploitation ? Python?. Please fill the skill matrix ;). whoami. Nerd ( zombies , cylons …) Geek ( reversing , python …) Consultant :). We are hiring !. Security people

Download Presentation

Binary voyeurism

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Binaryvoyeurism A decentoverview

  2. Who areyou • Anyexperiencewith • Binary reversing? • Debugging? • Exploitation? • Python? Pleasefilltheskillmatrix ;)

  3. whoami • Nerd (zombies, cylons…) • Geek (reversing, python…) • Consultant :)

  4. Wearehiring! • Security people • Highlyskilledteam • Hardware, mobile, binary, web, sourcecode, network … • Fun, Research, CONs, etc. • Consultancy / businessoriented • Talk tome!

  5. Today ismybirthday! Beers arepresentstoo!

  6. agenda • Checking out theapplication • Staticanalysis • Not programmaticway • winappdbg • Intel PIN • vdb / vtrace • Drinks & bbq

  7. Setting thescope • This talkisprettylame • Just an introduction • Basically a compilationofthingsvery intelligent peopledid • Anyway a niceoverviewifyoudon‘thave a deepknowledgeofthistopic

  8. Staticanalysis

  9. Staticanalysis • Ida pro scripts • Idc • in C language • Must recompileevery time • Idapython • Python bindings • Megusta… IDA Pro rocks!

  10. Naivecryptosearch Let‘s check forcryptofunctions

  11. Naivecryptosearch Let‘scomparewith a real plugin… IDA Signsrchfrom Luigi Auriemma

  12. Naivecryptosearch Look atthosejuicy AES constants… So, there was somecrypto after all…

  13. Find special x86 instructions Whyareyoudoingthisfunkystuff? Warning! Malware evasion!

  14. m.i.l.f. plugin My IDA Little Framework IDA Pro Plugin

  15. notprogrammatic

  16. Not programmaticway • Just using a regulardebugger • Everyoneknowsthis, i guess ;) • Olly / ImmunitydebuggeR • windbg BOOOOORING…

  17. Not programmaticway BOOOOORING… Olly, Immunity, Windbg, etc.

  18. Winappdbg (& a bitpydbg)

  19. keepassada • Followingfunctionsarecalledwhencopyingdatatotheclipboard: • OpenClipboard() • EmptyClipboard() • hClipboardData= GlobalAlloc() // hookthisandgetRetValue • pchData= (char*)GlobalLock(hClipboardData) • strcpy(pchData, LPCSTR(strData)) • GlobalUnlock(hClipboardData) • SetClipboardData(CF_TEXT, hClipboardData) // hookthis • CloseClipboard() Hook thosecalls! Monitoringtheprogramstackatruntime

  20. keepassada Entervideo! Monitoringtheprogramstackatruntime

  21. winappdbg • Tracer.py • Performance problems (-1) • Slow (-1) • Need functionlist (ida) (-1) • Itispython (+500) • Pydotftw (+500) Python rocks!

  22. Tracer & derivatives Whereareyoulittleprocess? Look fortheprocessandattachtoit

  23. Tracer & derivatives The callbackwritestheaddressto a file Breakpoints andcallbacks

  24. Watchingdllloading WTFDLL? Targetingspecificfunctions

  25. Tracer & pydot I <3 pydot A pictureisworth a thousandwords

  26. Tracer & pydot I <3 pydot Binary abstractart, anyone?

  27. intelpin

  28. INTEL PIN • A moreefficienttracer • Detectbufferoverflows • EIP outside textsection • Valgrind-likefor Windows • Check memoryallocations • Double free(s) Intel PIN rocks big time! THE dynamicbinaryinstrumentationtool

  29. INTEL PIN • A moreefficienttracer Compiledmeansefficient! Itmeanspain in theasstoo

  30. INTEL PIN Check every basic block Instrumentation vs. Runtimefunctions

  31. INTEL PIN SEH overwrite, a classic Let‘sexploitthis

  32. INTEL PIN Youshouldn‘t behere… EIP pointstothestack!

  33. INTEL PIN • DetectEIP outside textsection Save all .textsectionaddresses Youshouldn‘tbehere!

  34. INTEL PIN • DetectEIP outside textsection Compareagainst .textsectiondata EIP police! Show meyourhands!

  35. INTEL PIN • Valgrind-likefor Windows • Check memoryallocations • Double free(s) Keep trackofmallocandfree This couldbeverypoweful

  36. INTEL PIN Free themalloc()s! Somepeopletakeittothe extreme

  37. Vdb / vtrace

  38. Vdb / vtrace • Yep, itis Python • Itdoesprettymuchwhatothers do • And Linux… and ARM… and PPC… etc. • Look, I‘m so cool! • NO DOCUMENTATION • READABLE CODE Python still rocks! Whatthe k00l kidzuse

  39. Vdb / vtrace Thanks Mozilla Development Docs! These twofunctionsareinterestingtous

  40. Vdb / vtrace Super Secure Bank Seemslegit.

  41. Vdb / vtrace Read atoffsetsfrom ESP register Prettysimilartothepreviousframeworks

  42. Quick recap • Python based: • Fast prototyping but… • damnslow • Intel pin • Fast and intelligent but… • convoluted Prototype in Python Final project in PIN

  43. Thanksforlistening! Don‘tforgetthebeer! ;)

More Related