Binary voyeurism

Post on 23-Mar-2016


DESCRIPTION

Binary voyeurism. A decent overview. Who are you? Any experience with binary reversing? Debugging? Exploitation? Python? Please fill the skill matrix ;). whoami: Nerd (zombies, cylons…), Geek (reversing, python…), Consultant :). We are hiring! Security people. (PowerPoint PPT presentation)

Transcript

Binary voyeurism

A decent overview

Please fill the skill matrix ;)

Who are you
• Any experience with
– Binary reversing?
– Debugging?
– Exploitation?
– Python?

whoami
• Nerd (zombies, cylons…)
• Geek (reversing, python…)
• Consultant :)

We are hiring!
• Security people
• Highly skilled team
• Hardware, mobile, binary, web, source code, network …
• Fun, research, CONs, etc.
• Consultancy / business oriented
• Talk to me!

Beers are presents too!

Today is my birthday!

agenda
• Checking out the application
– Static analysis
– Not programmatic way
– winappdbg
– Intel PIN
– vdb / vtrace
• Drinks & bbq

Setting the scope
• This talk is pretty lame
• Just an introduction
• Basically a compilation of things very intelligent people did
• Anyway a nice overview if you don't have a deep knowledge of this topic

Static analysis

Static analysis
• IDA Pro scripts
– IDC: in C language, must recompile every time
– IDAPython: Python bindings. Me gusta… IDA Pro rocks!

Naive crypto search

Let's check for crypto functions

IDA Signsrch from Luigi Auriemma

Naive crypto search

Let's compare with a real plugin…

So, there was some crypto after all…

Naive crypto search

Look at those juicy AES constants…

Warning! Malware evasion!

Find special x86 instructions

Why are you doing this funky stuff?

IDA Pro Plugin

m.i.l.f. plugin

My IDA Little Framework

not programmatic

Not programmatic way Just using a regular debugger

Everyone knows this, I guess ;) Olly / Immunity Debugger / WinDbg

BOOOOORING…

Olly, Immunity, Windbg, etc.

Not programmatic way

BOOOOORING…

Winappdbg (& a bit of pydbg)

Monitoring the program stack at runtime

keepassada

Hook those calls!

The following functions are called when copying data to the clipboard (hook GlobalAlloc and read its return value, then hook SetClipboardData):

    #include <windows.h>
    #include <string.h>

    // Win32 call sequence the application makes to put text on the clipboard
    void CopyToClipboard(LPCSTR strData)
    {
        OpenClipboard(NULL);
        EmptyClipboard();
        HGLOBAL hClipboardData = GlobalAlloc(GMEM_MOVEABLE, strlen(strData) + 1); // hook this and get RetValue
        char *pchData = (char *)GlobalLock(hClipboardData);
        strcpy(pchData, strData);                          // the secret lands in this buffer
        GlobalUnlock(hClipboardData);
        SetClipboardData(CF_TEXT, hClipboardData);        // hook this
        CloseClipboard();
    }

Monitoring the program stack at runtime

keepassada

Enter video!

winappdbg Tracer.py

• Performance problems (-1)
• Slow (-1)
• Need function list (IDA) (-1)
• It is Python (+500)
• pydot ftw (+500)

Python rocks!

Look for the process and attach to it

Tracer & derivatives

Where are you little process?

Breakpoints and callbacks

Tracer & derivatives

The callback writes the address to a file

Targeting specific functions

Watching dll loading

WTFDLL?

A picture is worth a thousand words

Tracer & pydot

I <3 pydot

Binary abstract art, anyone?
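To show what the tracer-plus-pydot step above produces, here is an added example (not code from the talk): it assumes the breakpoint callback wrote one "caller callee" line per hit into a trace file and that a function list exported from IDA maps addresses to names. Both the trace and the function list are constructed inline, and the DOT graph is written by hand so the block needs only the standard library; pydot would render the same edges.

```python
"""Turn a tracer's log of executed call sites into a DOT call graph (added example)."""
from collections import Counter

# Constructed function list, as one might export from IDA (address -> name).
IDA_FUNCTIONS = {
    0x401000: "main",
    0x401200: "read_config",
    0x401400: "parse_line",
    0x401800: "crypt_block",
}

# Constructed trace, one line per call breakpoint hit: "<caller> <callee>".
TRACE_LOG = """\
0x401010 0x401200
0x401230 0x401400
0x401230 0x401400
0x401250 0x401800
0x401020 0x401400
"""


def func_name(addr):
    """Resolve an address to the nearest preceding function start, IDA-style."""
    starts = [s for s in IDA_FUNCTIONS if s <= addr]
    if not starts:
        return "sub_%X" % addr  # unknown code: name it the way IDA would
    return IDA_FUNCTIONS[max(starts)]


def parse_trace(text):
    """Yield (caller_name, callee_name) pairs from the trace log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        caller, callee = (int(x, 16) for x in line.split())
        yield func_name(caller), func_name(callee)


def build_call_graph(text):
    """Count how often each caller -> callee edge was executed."""
    return Counter(parse_trace(text))


def to_dot(edges):
    """Render the edge counts as a DOT digraph (what pydot would emit)."""
    lines = ["digraph trace {"]
    for (src, dst), n in sorted(edges.items()):
        lines.append('  "%s" -> "%s" [label="%d"];' % (src, dst, n))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(build_call_graph(TRACE_LOG)))
```

Feed the printed DOT to `dot -Tpng` (or hand the edge list to pydot) to get the "binary abstract art" picture; the edge labels give the hit counts that a flat trace file hides.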


intel pin

THE dynamic binary instrumentation tool

INTEL PIN
• A more efficient tracer
• Detect buffer overflows
– EIP outside text section
• Valgrind-like for Windows
– Check memory allocations
– Double free(s)

Intel PIN rocks big time!

It means pain in the ass too

INTEL PIN A more efficient tracer

Compiled means efficient!

Instrumentation vs. Runtime functions

INTEL PIN

Check every basic block

Let's exploit this

INTEL PIN

SEH overwrite, a classic

EIP points to the stack!

INTEL PIN

You shouldn't be here…

You shouldn't be here!

INTEL PIN Detect EIP outside text section

Save all .text section addresses

EIP police! Show me your hands!

INTEL PIN

Compare against .text section data

Detect EIP outside text section

This could be very powerful
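The "EIP police" check above, written out as an added example (not the talk's PIN tool): it assumes the instrumentation recorded the start address of every executed basic block and that the loaded modules' .text ranges were saved when they were mapped. Module ranges, a stack range and a short block trace are constructed inline; the last two trace entries model the SEH-overwrite case where control lands on the stack.

```python
"""Flag instruction pointers that execute outside every module's .text section (added example)."""
import bisect

# Constructed .text ranges, (start, end) per module, saved at load time.
TEXT_SECTIONS = {
    "target.exe":   (0x00401000, 0x00410000),
    "kernel32.dll": (0x7C801000, 0x7C880000),
}
# Constructed stack range, only used to label where a bad EIP ended up.
STACK_RANGE = (0x0012F000, 0x00130000)

# Constructed basic-block trace: the last two blocks run from the stack.
BB_TRACE = [0x00401000, 0x00401234, 0x7C812345, 0x00401300, 0x0012FF40, 0x0012FF62]


class EipPolice:
    def __init__(self, text_sections):
        # Ranges sorted by start so one bisect finds the candidate module.
        self.ranges = sorted((lo, hi, name) for name, (lo, hi) in text_sections.items())
        self.starts = [lo for lo, _, _ in self.ranges]

    def module_for(self, eip):
        """Return the module whose .text contains eip, or None if no .text does."""
        i = bisect.bisect_right(self.starts, eip) - 1
        if i >= 0:
            lo, hi, name = self.ranges[i]
            if lo <= eip < hi:
                return name
        return None

    def check(self, trace):
        """Return [(index, eip, where)] for every block executed outside .text."""
        hits = []
        for i, eip in enumerate(trace):
            if self.module_for(eip) is None:
                where = "stack" if STACK_RANGE[0] <= eip < STACK_RANGE[1] else "unknown"
                hits.append((i, eip, where))
        return hits


if __name__ == "__main__":
    for i, eip, where in EipPolice(TEXT_SECTIONS).check(BB_TRACE):
        print("block %d: EIP 0x%08X outside .text (%s)" % (i, eip, where))
```

In a real PIN tool the same comparison runs in the per-basic-block instrumentation callback, and the module table is refreshed on every image load so that late-loaded DLLs are not reported as false positives.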

INTEL PIN
• Valgrind-like for Windows
– Check memory allocations
– Double free(s)

Keep track of malloc and free

Some people take it to the extreme

INTEL PIN

Free the malloc()s!
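Keeping track of malloc and free, as an added example rather than the talk's own PIN tool: it assumes the instrumentation delivers one event per hooked call, a ("malloc", size, returned_pointer) after malloc returns and a ("free", pointer) when free is entered. The event list is constructed inline and contains one double free, one free of a pointer that was never allocated, and two blocks that are still live at the end.

```python
"""Track malloc/free pairs from hook events; report double frees, invalid frees and leaks (added example)."""

# Constructed hook events in program order.
EVENTS = [
    ("malloc", 0x20, 0x00A01000),
    ("malloc", 0x40, 0x00A01030),
    ("free",   0x00A01000),
    ("free",   0x00A01000),      # double free
    ("free",   0x00DEAD00),      # never allocated
    ("malloc", 0x10, 0x00A01080),
]


class HeapTracker:
    def __init__(self):
        self.live = {}        # ptr -> size of blocks currently allocated
        self.freed = set()    # ptrs freed and not handed out again since
        self.findings = []    # (kind, ptr) problems spotted, in order

    def on_malloc(self, size, ptr):
        if ptr == 0:          # allocation failed, nothing to track
            return
        self.live[ptr] = size
        self.freed.discard(ptr)   # address reused, so a later free is legitimate

    def on_free(self, ptr):
        if ptr == 0:          # free(NULL) is a no-op by contract
            return
        if ptr in self.live:
            del self.live[ptr]
            self.freed.add(ptr)
        elif ptr in self.freed:
            self.findings.append(("double free", ptr))
        else:
            self.findings.append(("invalid free", ptr))

    def feed(self, events):
        """Replay a list of hook events through the tracker."""
        for ev in events:
            if ev[0] == "malloc":
                self.on_malloc(ev[1], ev[2])
            elif ev[0] == "free":
                self.on_free(ev[1])
        return self

    def leaks(self):
        """Blocks still allocated when the trace ended, sorted by address."""
        return sorted(self.live.items())


if __name__ == "__main__":
    t = HeapTracker().feed(EVENTS)
    for kind, ptr in t.findings:
        print("%s of 0x%08X" % (kind, ptr))
    for ptr, size in t.leaks():
        print("leaked 0x%08X (%d bytes)" % (ptr, size))
```

Because the tracker only sees what the hooks report, realloc and the CRT's internal allocations have to be hooked as well before the leak list means anything; the double-free detection needs only the pair shown.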

Vdb / vtrace

What the k00l kidz use

Vdb / vtrace
• Yep, it is Python
• It does pretty much what others do
– And Linux… and ARM… and PPC… etc.
• Look, I'm so cool!
– NO DOCUMENTATION
– READABLE CODE

Python still rocks!

These two functions are interesting to us

Vdb / vtrace

Thanks Mozilla Development Docs!

Seems legit.

Vdb / vtrace

Super Secure Bank

Pretty similar to the previous frameworks

Vdb / vtrace

Read at offsets from ESP register
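Reading arguments at offsets from ESP, as an added example (not the vdb script from the talk): it assumes a 32-bit cdecl or stdcall callee stopped at its entry breakpoint, so [ESP] holds the return address and the arguments follow at ESP+4, ESP+8, and so on. Process memory is a constructed image of a stack frame and one heap string; the Memory class stands in for the debugger's read-memory call (vtrace's readMemory, winappdbg's Process.read).

```python
"""Recover a callee's arguments from the stack at function entry (added example)."""
import struct


class Memory:
    """Constructed process memory image: a few segments at fixed base addresses."""

    def __init__(self, segments):
        self.segments = segments  # base address -> bytes

    def read(self, addr, n):
        for base, data in self.segments.items():
            if base <= addr and addr + n <= base + len(data):
                off = addr - base
                return data[off:off + n]
        raise ValueError("unmapped read at 0x%08X" % addr)

    def read_dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def read_args(mem, esp, nargs):
    """At entry: [ESP] is the return address, arg i sits at ESP + 4*(i+1)."""
    ret = mem.read_dword(esp)
    args = [mem.read_dword(esp + 4 * (i + 1)) for i in range(nargs)]
    return ret, args


def read_cstring(mem, addr, limit=256):
    """Follow a char* argument and read the NUL-terminated string behind it."""
    out = bytearray()
    while len(out) < limit:
        b = mem.read(addr + len(out), 1)
        if b == b"\x00":
            break
        out += b
    return out.decode("latin-1")


ESP = 0x0012FF00
MEM = Memory({
    # constructed stack frame: return address, arg0 (char *account), arg1 (int amount)
    ESP: struct.pack("<III", 0x00401234, 0x00A01000, 1337),
    # constructed heap buffer that arg0 points to
    0x00A01000: b"alice\x00",
})

if __name__ == "__main__":
    ret, (account, amount) = read_args(MEM, ESP, 2)
    print("return to 0x%08X, account=%r amount=%d" % (ret, read_cstring(MEM, account), amount))
```

The same offsets hold for the PIN version of the final project; only the memory accessor changes. For fastcall or x64 code the first arguments live in registers, so the ESP walk must be adjusted to the target's calling convention.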

Final project in PIN

Quick recap
• Python based:
– Fast prototyping but…
– damn slow
• Intel PIN:
– Fast and intelligent but…
– convoluted

Prototype in Python

Don't forget the beer! ;)

Thanks for listening!
