Binary voyeurism
A decent overview
Mar 23, 2016
Please fill the skill matrix ;)
Who are you?
• Any experience with
– Binary reversing?
– Debugging?
– Exploitation?
– Python?
whoami
• Nerd (zombies, cylons…)
• Geek (reversing, python…)
• Consultant :)
We are hiring!
• Security people
• Highly skilled team
• Hardware, mobile, binary, web, source code, network …
• Fun, Research, CONs, etc.
• Consultancy / business oriented
Talk to me!
Beers are presents too!
Today is my birthday!
Agenda
• Checking out the application
– Static analysis
– Not programmatic way
– winappdbg
– Intel PIN
– vdb / vtrace
• Drinks & bbq
Setting the scope
• This talk is pretty lame
• Just an introduction
• Basically a compilation of things very intelligent people did
• Anyway a nice overview if you don't have a deep knowledge of this topic
Static analysis
Static analysis
• IDA Pro scripts
– IDC: in C language, must recompile every time
– IDAPython: Python bindings. Me gusta… IDA Pro rocks!
Naive crypto search
Let's check for crypto functions
IDA Signsrch from Luigi Auriemma
Let's compare with a real plugin…
So, there was some crypto after all…
Look at those juicy AES constants…
Warning! Malware evasion!
Find special x86 instructions
Why are you doing this funky stuff?
IDA Pro Plugin
m.i.l.f. plugin
My IDA Little Framework
not programmatic
Not programmatic way
Just using a regular debugger
Everyone knows this, I guess ;)
Olly / Immunity Debugger / WinDbg
BOOOOORING…
Olly, Immunity, Windbg, etc.
Winappdbg (& a bit pydbg)
Monitoring the program stack at runtime
keepassada
Hook those calls!
Following functions are called when copying data to the clipboard (the two hook points are marked):

    #include <windows.h>
    #include <string.h>

    // Copy strData to the clipboard as CF_TEXT
    void CopyToClipboard(const char *strData)
    {
        OpenClipboard(NULL);
        EmptyClipboard();
        HGLOBAL hClipboardData = GlobalAlloc(GMEM_MOVEABLE, strlen(strData) + 1); // hook this and get RetValue
        char *pchData = (char *)GlobalLock(hClipboardData);
        strcpy(pchData, strData);
        GlobalUnlock(hClipboardData);
        SetClipboardData(CF_TEXT, hClipboardData); // hook this
        CloseClipboard();
    }
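How the "hook this" comments above turn into a winappdbg script, as an added example that is not code from the talk or from the winappdbg project: the handle returned by GlobalAlloc is remembered, GlobalLock maps it to a pointer, and when SetClipboardData arrives with the same handle the text at that pointer is read from the debuggee. The bookkeeping sits in ClipboardMonitor so it can be exercised without a live process; run_monitor() is the winappdbg glue (lazy import, Windows only). The PID argument, the hook names and the CF_TEXT value are assumptions for this example.

```python
"""Clipboard-write tracer in the style of a winappdbg script (added example,
not the talk's code).  ClipboardMonitor holds the pure bookkeeping; run_monitor()
wires it to winappdbg, which is imported lazily because it is Windows-only."""

CF_TEXT = 1  # clipboard format for ANSI text (value from <winuser.h>)


class ClipboardMonitor:
    """Correlates GlobalAlloc -> GlobalLock -> SetClipboardData.

    GlobalAlloc returns a *handle*, GlobalLock turns it into a pointer and
    SetClipboardData receives the handle again, so the mapping is what tells
    us where the text lives once SetClipboardData fires."""

    def __init__(self):
        self.handle_to_ptr = {}     # HGLOBAL -> locked pointer
        self.pending_handle = None  # handle returned by the last GlobalAlloc
        self.captured = []          # strings seen on SetClipboardData

    def on_global_alloc_ret(self, hglobal):
        # "hook this and get RetValue"
        self.pending_handle = hglobal

    def on_global_lock(self, hmem, ptr):
        if hmem == self.pending_handle:
            self.handle_to_ptr[hmem] = ptr

    def on_set_clipboard_data(self, fmt, hmem, read_string):
        """read_string(ptr) returns the NUL-terminated text at ptr in the
        debuggee.  Returns the text, or None if this call is not of interest."""
        if fmt != CF_TEXT or hmem not in self.handle_to_ptr:
            return None
        text = read_string(self.handle_to_ptr[hmem])
        self.captured.append(text)
        return text


def run_monitor(pid):
    """Attach to a running process and report clipboard writes (Windows only)."""
    from winappdbg import Debug, EventHandler   # lazy: Windows-only package

    monitor = ClipboardMonitor()

    class Hooks(EventHandler):
        # (function name, number of stack arguments) per DLL
        apiHooks = {
            "kernel32.dll": [("GlobalAlloc", 2), ("GlobalLock", 1)],
            "user32.dll":   [("SetClipboardData", 2)],
        }

        def post_GlobalAlloc(self, event, retval):
            monitor.on_global_alloc_ret(retval)

        def pre_GlobalLock(self, event, ra, hMem):
            self._hmem = hMem          # remember which handle is being locked

        def post_GlobalLock(self, event, retval):
            monitor.on_global_lock(self._hmem, retval)

        def pre_SetClipboardData(self, event, ra, uFormat, hMem):
            process = event.get_process()
            text = monitor.on_set_clipboard_data(
                uFormat, hMem, lambda p: process.peek_string(p, fUnicode=False))
            if text is not None:
                print("clipboard <- %r" % text)

    with Debug(Hooks(), bKillOnExit=False) as dbg:
        dbg.attach(pid)
        dbg.loop()
    return monitor
```

Only CF_TEXT is followed here; an application that also places CF_UNICODETEXT on the clipboard needs a second lookup with fUnicode=True.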
Enter video!
winappdbg Tracer.py
• Performance problems (-1)
• Slow (-1)
• Need function list (IDA) (-1)
• It is Python (+500)
• Pydot ftw (+500)
Python rocks!
Look for the process and attach to it
Tracer & derivatives
Where are you little process?
Breakpoints and callbacks
The callback writes the address to a file
Targeting specific functions
Watching dll loading
WTFDLL?
A picture is worth a thousand words
Tracer & pydot
I <3 pydot
Binary abstract art, anyone?
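The tracer idea from the previous slides (attach, breakpoint on every function from an IDA export, callback writes the hit address to a file, log DLL loads, draw the call order as a graph) in one winappdbg-style script. This is an added example, not code from the talk, from Tracer.py or from the winappdbg project. The function-list format (one "0xADDR name" per line), the file names and the sample list are assumptions for this example; the DOT text is emitted directly so the graph part runs without pydot, which would only be needed to render it.

```python
"""Minimal winappdbg-style tracer (added example, not the talk's Tracer.py)."""
import re
from collections import OrderedDict

# Constructed sample of an IDA function export: "address name" per line.
SAMPLE_FUNCTION_LIST = """\
0x00401000 main
0x00401120 parse_input
0x004011f0 check_password
0x00401300 show_result
"""


def parse_function_list(text):
    """'0xADDR name' lines -> OrderedDict {address: name}; other lines are skipped."""
    funcs = OrderedDict()
    for line in text.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+)\s+(\S+)", line)
        if m:
            funcs[int(m.group(1), 16)] = m.group(2)
    return funcs


def calls_to_dot(hits, funcs):
    """Hit sequence -> DOT digraph: one edge per consecutive pair of hits,
    labelled with how often that transition was observed."""
    edges = OrderedDict()
    for src, dst in zip(hits, hits[1:]):
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
    lines = ["digraph trace {"]
    for (src, dst), n in edges.items():
        lines.append('  "%s" -> "%s" [label="%d"];'
                     % (funcs.get(src, hex(src)), funcs.get(dst, hex(dst)), n))
    lines.append("}")
    return "\n".join(lines)


def run_tracer(pid, function_list_path, trace_path="trace.txt"):
    """Attach to a process, break on every listed function, log each hit to
    trace_path and return the DOT graph of the run (Windows only)."""
    from winappdbg import Debug, EventHandler  # lazy import: Windows-only package

    with open(function_list_path) as fh:
        funcs = parse_function_list(fh.read())
    hits = []

    def on_hit(event):
        addr = event.get_thread().get_pc()
        hits.append(addr)
        with open(trace_path, "a") as out:   # the callback writes the address to a file
            out.write("0x%08x %s\n" % (addr, funcs.get(addr, "?")))

    class Handler(EventHandler):
        def load_dll(self, event):           # WTFDLL? log every module that comes in
            print("DLL loaded: %s" % event.get_module().get_filename())

    with Debug(Handler(), bKillOnExit=False) as dbg:
        dbg.attach(pid)
        for addr in funcs:
            dbg.break_at(pid, addr, on_hit)  # one breakpoint + callback per function
        dbg.loop()
    return calls_to_dot(hits, funcs)
```

Feed the returned DOT text to `dot -Tpng` (or pydot) to get the "binary abstract art"; the edge labels are what make the picture useful, since a hot loop shows up as a heavy edge rather than a thousand repeated lines in the trace file.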
intel pin
THE dynamic binary instrumentation tool
INTEL PIN
• A more efficient tracer
• Detect buffer overflows: EIP outside text section
• Valgrind-like for Windows: check memory allocations, double free(s)
Intel PIN rocks big time!
It means pain in the ass too
INTEL PIN: A more efficient tracer
Compiled means efficient!
Instrumentation vs. Runtime functions
Check every basic block
Let's exploit this
SEH overwrite, a classic
EIP points to the stack!
You shouldn't be here…
You shouldn't be here!
INTEL PIN: Detect EIP outside text section
Save all .text section addresses
EIP police! Show me your hands!
Compare against the saved .text section ranges
This could be very powerful
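The check the "EIP police" slides describe, written out in plain Python over a constructed trace so it can be run here; this is an added example, not the talk's pintool and not Intel PIN code. A real tool would fill the policy from the image-load callback (one entry per loaded module's .text section) and call check_eip() from a basic-block instrumentation callback; the image names, section ranges and trace addresses below are made up for this example.

```python
"""'EIP outside .text' policy as standalone Python (added example, not a pintool)."""
import bisect


class TextSectionPolicy:
    """Sorted [start, end) ranges of every loaded image's .text section."""

    def __init__(self):
        self.starts = []   # sorted section start addresses
        self.ranges = {}   # start -> (end, image name)

    def add_text_section(self, image, start, size):
        # "Save all .text section addresses" as images are loaded.
        idx = bisect.bisect_left(self.starts, start)
        self.starts.insert(idx, start)
        self.ranges[start] = (start + size, image)

    def owner(self, eip):
        """Name of the image whose .text contains eip, or None."""
        idx = bisect.bisect_right(self.starts, eip) - 1
        if idx < 0:
            return None
        start = self.starts[idx]
        end, image = self.ranges[start]
        return image if eip < end else None

    def check_eip(self, eip):
        """True if executing at eip is allowed (inside some .text section)."""
        return self.owner(eip) is not None


def audit_trace(policy, trace):
    """trace: (thread id, eip) pairs, one per executed basic block, in order.
    Returns {thread id: first offending eip}, i.e. where the tool would stop.
    Only the first violation per thread is kept: once EIP has left .text the
    following blocks are attacker-controlled noise rather than new findings."""
    violations = {}
    for tid, eip in trace:
        if tid not in violations and not policy.check_eip(eip):
            violations[tid] = eip
    return violations


# Constructed layout: a small executable and one system DLL, and a trace in
# which a thread ends up executing on the stack (the SEH-overwrite case).
SAMPLE_POLICY = TextSectionPolicy()
SAMPLE_POLICY.add_text_section("app.exe", 0x00401000, 0x3000)
SAMPLE_POLICY.add_text_section("ntdll.dll", 0x77f10000, 0x100000)
SAMPLE_TRACE = [(1, 0x00401000), (1, 0x77f20000), (1, 0x0012ff40), (1, 0x0012ff44)]
```

Keeping the section starts sorted makes each check a binary search rather than a scan over every module, which matters when the callback runs for every basic block. In a pintool the same lookup would be registered through TRACE_AddInstrumentFunction with BBL_InsertCall, so the check runs before the first instruction of each block rather than after the damage is done.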
INTEL PIN: Valgrind-like for Windows
Check memory allocations, double free(s)
Keep track of malloc and free
Some people take it to the extreme
Free the malloc()s!
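The bookkeeping behind "keep track of malloc and free", as plain Python over a constructed allocation trace; an added example, not the talk's pintool and not Intel PIN code. In a real tool on_malloc()/on_free() would be invoked from routine instrumentation of the allocator's entry and return; the addresses and sizes in the sample events are made up for this example.

```python
"""Shadow-heap double-free detector (added example, not a pintool)."""


class HeapTracker:
    """Every live block plus a history of freed pointers, so that a second
    free of the same address, or a free of something malloc never returned,
    is recognised at the moment it happens."""

    def __init__(self):
        self.live = {}       # ptr -> size
        self.freed = {}      # ptr -> number of times it has been freed
        self.findings = []   # (kind, ptr, detail)

    def on_malloc(self, ptr, size):
        if ptr == 0:
            return           # allocation failed, nothing to track
        # The allocator may hand a freed address out again: it is live now.
        self.freed.pop(ptr, None)
        self.live[ptr] = size

    def on_free(self, ptr):
        """Returns a finding tuple for a bad free, None for a legitimate one."""
        if ptr == 0:
            return None      # free(NULL) is a no-op by definition
        if ptr in self.live:
            del self.live[ptr]
            self.freed[ptr] = 1
            return None
        if ptr in self.freed:
            self.freed[ptr] += 1
            finding = ("double free", ptr, "freed %d times" % self.freed[ptr])
        else:
            finding = ("invalid free", ptr, "pointer never returned by malloc")
        self.findings.append(finding)
        return finding

    def leaks(self):
        """Blocks still live (e.g. at process exit), sorted by address."""
        return sorted(self.live.items())


def replay(events):
    """events: ('malloc', ptr, size) / ('free', ptr) tuples in program order."""
    tracker = HeapTracker()
    for ev in events:
        if ev[0] == "malloc":
            tracker.on_malloc(ev[1], ev[2])
        elif ev[0] == "free":
            tracker.on_free(ev[1])
    return tracker


# Constructed trace: one double free, one free of a bogus pointer, one
# free(NULL) and an address that is recycled by a later malloc.
SAMPLE_EVENTS = [
    ("malloc", 0x5000, 32), ("malloc", 0x5040, 64),
    ("free", 0x5000), ("free", 0x5000),
    ("free", 0x1234), ("free", 0),
    ("malloc", 0x5000, 16),
]
```

Recording the count in `freed` rather than a plain set is what lets the report say "freed 2 times" and distinguishes a recycled address (the later malloc of 0x5000 removes it from `freed`) from a genuine double free.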
Vdb / vtrace
What the k00l kidz use
Vdb / vtrace
• Yep, it is Python
• It does pretty much what others do
– And Linux… and ARM… and PPC… etc.
• Look, I'm so cool!
– NO DOCUMENTATION
– READABLE CODE
Python still rocks!
These two functions are interesting to us
Thanks Mozilla Development Docs!
Seems legit.
Super Secure Bank
Pretty similar to the previous frameworks
Read at offsets from ESP register
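"Read at offsets from ESP" as a vtrace breakpoint, with the decoding of the raw stack bytes kept in its own function so it can be checked without a live process. This is an added example, not code from the talk or from the vdb/vtrace project. It assumes a 32-bit cdecl/stdcall frame (return address at [ESP], first argument at [ESP+4]); the breakpoint address, argument count and the sample stack bytes are assumptions for this example.

```python
"""vtrace-style argument dumper (added example, not vdb/vtrace code)."""
import struct


def stack_args(stack_bytes, nargs):
    """Decode the return address and `nargs` 32-bit little-endian arguments
    from raw memory that starts at ESP: argument i sits at offset 4 * (i + 1)."""
    needed = 4 * (nargs + 1)
    if len(stack_bytes) < needed:
        raise ValueError("need %d bytes from ESP, got %d" % (needed, len(stack_bytes)))
    ret_addr = struct.unpack_from("<I", stack_bytes, 0)[0]
    args = [struct.unpack_from("<I", stack_bytes, 4 * (i + 1))[0] for i in range(nargs)]
    return ret_addr, args


def watch_function(pid, address, nargs):
    """Break on `address` in a live process and print caller and arguments at
    every hit.  Needs vtrace with a backend for the host platform."""
    import vtrace  # lazy import: not needed for the decoding above

    class ArgDumper(vtrace.Breakpoint):
        def notify(self, event, trace):
            esp = trace.getRegisterByName("esp")
            raw = trace.readMemory(esp, 4 * (nargs + 1))   # read at offsets from ESP
            ret_addr, args = stack_args(raw, nargs)
            print("hit 0x%08x from 0x%08x args=%s"
                  % (address, ret_addr, ["0x%08x" % a for a in args]))

    trace = vtrace.getTrace()
    trace.attach(pid)
    trace.addBreakpoint(ArgDumper(address))
    trace.run()
    return trace


# Constructed sample: what readMemory(esp, 12) could return at a two-argument
# call: return address 0x00401234, a buffer pointer and a length of 16.
SAMPLE_STACK = struct.pack("<III", 0x00401234, 0x0012ff80, 0x00000010)
```

The length check in stack_args matters in practice: a breakpoint placed after the prologue, or a function that uses a register calling convention, will not have the arguments where this layout expects them, and a silent misread is worse than an exception.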
Final project in PIN
Quick recap
• Python based:
– Fast prototyping but…
– damn slow
• Intel PIN:
– Fast and intelligent but…
– convoluted
Prototype in Python
Don't forget the beer! ;)
Thanks for listening!