Download BinaryVoyeurismOHM2013

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
Document related concepts

Buffer overflow protection wikipedia , lookup

Intel iAPX 432 wikipedia , lookup

Transcript 
Binary voyeurism
A decent overview
Who are you
• Any experience with
– Binary reversing?
– Debugging?
– Exploitation?
– Python?
Please fill the skill matrix ;)
whoami
• Nerd (zombies, cylons…)
• Geek (reversing, python…)
• Consultant :)
We are hiring!
 Security people
 Highly skilled team
 Hardware, mobile, binary, web, source
code, network …
 Fun, Research, CONs, etc.
 Consultancy / business oriented
 Talk to me!
Today is my birthday!
Beers are presents too!
agenda
• Checking out the application
– Static analysis
– Not programmatic way
– winappdbg
– Intel PIN
– vdb / vtrace
• Drinks & bbq
Setting the scope
• This talk is pretty lame
• Just an introduction
• Basically a compilation of things very
intelligent people did
• Anyway a nice overview if you don‘t have
a deep knowledge of this topic
Static analysis
Static analysis
 Ida pro scripts
 Idc
 in C language
 Must recompile every time
 Idapython
 Python bindings
 Me gusta…
IDA Pro rocks!
Naive crypto search
Let‘s check for
crypto functions
Naive crypto search
Let‘s compare with
a real plugin…
IDA Signsrch from Luigi Auriemma
Naive crypto search
Look at those juicy
AES constants…
So, there was some crypto after all…
Find special x86 instructions
Why are you doing
this funky stuff?
Warning! Malware evasion!
m.i.l.f. plugin
My IDA Little
Framework
IDA Pro Plugin
not programmatic
Not programmatic way
 Just using a regular debugger
 Everyone knows this, i guess ;)
 Olly / Immunity debuggeR
 windbg
BOOOOORING…
Not programmatic way
BOOOOORING…
Olly, Immunity, Windbg, etc.
Winappdbg
(& a bit pydbg)
keepassada
Following functions are called when copying data to the clipboard:








OpenClipboard()
EmptyClipboard()
hClipboardData = GlobalAlloc() // hook this and get RetValue
pchData = (char*)GlobalLock(hClipboardData)
strcpy(pchData, LPCSTR(strData))
GlobalUnlock(hClipboardData)
SetClipboardData(CF_TEXT, hClipboardData) // hook this
CloseClipboard()
Hook those calls!
Monitoring the program stack at runtime
keepassada
Enter video!
Monitoring the program stack at runtime
winappdbg
 Tracer.py





Performance problems (-1)
Slow (-1)
Need function list (ida) (-1)
It is python (+500)
Pydot ftw (+500)
Python rocks!
Tracer & derivatives
Where are you little
process?
Look for the process and attach to it
Tracer & derivatives
The callback writes
the address to a file
Breakpoints and callbacks
Watching dll loading
WTFDLL?
Targeting specific functions
Tracer & pydot
I <3 pydot
A picture is worth a thousand words
Tracer & pydot
I <3 pydot
Binary abstract art, anyone?
intel pin
INTEL PIN
 A more efficient tracer
 Detect buffer overflows
 EIP outside text section
 Valgrind-like for Windows
 Check memory allocations
 Double free(s)
Intel PIN rocks
big time!
THE dynamic binary instrumentation tool
INTEL PIN
 A more efficient tracer
Compiled means
efficient!
It means pain in the ass too
INTEL PIN
Check every
basic block
Instrumentation vs. Runtime functions
INTEL PIN
SEH overwrite,
a classic
Let‘s exploit this
INTEL PIN
You shouldn‘t
be here…
EIP points to the stack!
INTEL PIN
 Detect EIP outside text section
Save all .text
section addresses
You shouldn‘t be here!
INTEL PIN
 Detect EIP outside text section
Compare against
.text section data
EIP police! Show me your hands!
INTEL PIN
 Valgrind-like for Windows
 Check memory allocations
 Double free(s)
Keep track of
malloc and free
This could be very poweful
INTEL PIN
Free the malloc()s!
Some people take it to the extreme
Vdb / vtrace
Vdb / vtrace
• Yep, it is Python
• It does pretty much what others do
– And Linux… and ARM… and PPC… etc.
• Look, I‘m so cool!
– NO DOCUMENTATION
– READABLE CODE
Python still rocks!
What the k00l kidz use
Vdb / vtrace
Thanks Mozilla
Development Docs!
These two functions are interesting to us
Vdb / vtrace
Super Secure Bank
Seems legit.
Vdb / vtrace
Read at offsets
from ESP register
Pretty similar to the previous frameworks
Quick recap
• Python based:
– Fast prototyping but…
– damn slow
• Intel pin
– Fast and intelligent but…
– convoluted
Prototype in
Python
Final project in PIN
Thanks for listening!
Don‘t forget the beer! ;)
Related documents
No Slide Title
No Slide Title
product assurance
product assurance
may11
may11
program
program
HT12D PIN DESCRIPTION
HT12D PIN DESCRIPTION
KaizadMistryBio - Purdue College of Engineering
KaizadMistryBio - Purdue College of Engineering
Gate Drive
Gate Drive
lecture20
lecture20
Light It Up Content Standards and Objectives
Light It Up Content Standards and Objectives
Math 480B: Programming for the Working Mathematician
Math 480B: Programming for the Working Mathematician
Cell Part Cell Structure and Function Mitochondria Nucleus
Cell Part Cell Structure and Function Mitochondria Nucleus
Teiid Quick Start Example - JBoss.org...Teiid Quick Start Example
Teiid Quick Start Example - JBoss.org...Teiid Quick Start Example