Binary voyeurism

Mar 23, 2016

Transcript
Page 1: Binary voyeurism

Binary voyeurism

A decent overview

Page 2: Binary voyeurism

Please fill the skill matrix ;)

Who are you
• Any experience with
– Binary reversing?
– Debugging?
– Exploitation?
– Python?

Page 3: Binary voyeurism

whoami

• Nerd (zombies, cylons…)

• Geek (reversing, python…)

• Consultant :)

Page 4: Binary voyeurism

We are hiring!

• Security people
• Highly skilled team
• Hardware, mobile, binary, web, source code, network …
• Fun, Research, CONs, etc.
• Consultancy / business oriented

Talk to me!

Page 5: Binary voyeurism

Beers are presents too!

Today is my birthday!

Page 6: Binary voyeurism

agenda
• Checking out the application
– Static analysis
– Not programmatic way
– winappdbg
– Intel PIN
– vdb / vtrace

• Drinks & bbq

Page 7: Binary voyeurism

Setting the scope
• This talk is pretty lame
• Just an introduction
• Basically a compilation of things very intelligent people did
• Anyway a nice overview if you don't have a deep knowledge of this topic

Page 8: Binary voyeurism

Static analysis

Page 9: Binary voyeurism

Static analysis

IDA Pro scripts
• IDC
– In C language
– Must recompile every time
• IDAPython
– Python bindings
– Me gusta…

IDA Pro rocks!

Page 10: Binary voyeurism

Naive crypto search

Let's check for crypto functions

Page 11: Binary voyeurism

IDA Signsrch from Luigi Auriemma

Naive crypto search

Let's compare with a real plugin…

Page 12: Binary voyeurism

So, there was some crypto after all…

Naive crypto search

Look at those juicy AES constants…

Page 13: Binary voyeurism

Warning! Malware evasion!

Find special x86 instructions

Why are you doing this funky stuff?

Page 14: Binary voyeurism

IDA Pro Plugin

m.i.l.f. plugin

My IDA Little Framework

Page 15: Binary voyeurism

not programmatic

Page 16: Binary voyeurism

Not programmatic way

Just using a regular debugger

Everyone knows this, I guess ;)

Olly / Immunity Debugger / WinDbg

BOOOOORING…

Page 17: Binary voyeurism

Olly, Immunity, Windbg, etc.

Not programmatic way

BOOOOORING…

Page 18: Binary voyeurism

WinAppDbg (& a bit of pydbg)

Page 19: Binary voyeurism

Monitoring the program stack at runtime

keepassada

Hook those calls!

Following functions are called when copying data to the clipboard:

OpenClipboard()
EmptyClipboard()
hClipboardData = GlobalAlloc()              // hook this and get RetValue
pchData = (char*)GlobalLock(hClipboardData)
strcpy(pchData, LPCSTR(strData))
GlobalUnlock(hClipboardData)
SetClipboardData(CF_TEXT, hClipboardData)   // hook this
CloseClipboard()
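The bookkeeping behind the two hooks above, as an added example that is not the speaker's script: GlobalAlloc's return value identifies the block, GlobalLock's return value is the address that can actually be read (a GMEM_MOVEABLE handle is not a pointer), and SetClipboardData is the moment both are known. In WinAppDbg these would be the post_GlobalAlloc, post_GlobalLock and pre_SetClipboardData callbacks of an EventHandler subclass with apiHooks set; here each method takes the argument and return value together for brevity, and the ClipboardWatcher class, the read_mem callable and the memory contents in demo() are constructed for this example.

```python
CF_TEXT = 1          # Win32 clipboard format constants used by SetClipboardData()
CF_UNICODETEXT = 13


class ClipboardWatcher:
    """Pairs the hooked calls of one copy: GlobalAlloc -> GlobalLock -> SetClipboardData."""

    def __init__(self, read_mem):
        self.read_mem = read_mem   # callable(address, size) -> bytes, provided by the debugger
        self.alloc_size = {}       # handle -> dwBytes, learnt from GlobalAlloc's return value
        self.locked_ptr = {}       # handle -> pointer returned by GlobalLock (the readable address)
        self.captured = []         # (format, decoded text) for every SetClipboardData seen

    def post_GlobalAlloc(self, dw_bytes, handle):
        if handle:                 # NULL means the allocation failed: nothing to track
            self.alloc_size[handle] = dw_bytes

    def post_GlobalLock(self, handle, ptr):
        # A GMEM_MOVEABLE handle is not an address; only GlobalLock's result can be read.
        if ptr and handle in self.alloc_size:
            self.locked_ptr[handle] = ptr

    def pre_SetClipboardData(self, fmt, hmem):
        """Return the copied text, or None when we never saw this handle locked."""
        ptr = self.locked_ptr.get(hmem)
        if ptr is None:
            return None
        raw = self.read_mem(ptr, self.alloc_size[hmem])
        if fmt == CF_UNICODETEXT:
            text = raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
        elif fmt == CF_TEXT:
            text = raw.split(b"\x00", 1)[0].decode("latin-1")
        else:
            text = raw.hex()       # unknown format: keep the bytes, do not guess an encoding
        self.captured.append((fmt, text))
        return text


def demo():
    """Replays the page-19 call sequence against constructed process memory."""
    memory = {0x00420000: b"hunter2\x00" + b"\xcc" * 8}   # pchData after strcpy(), 16 bytes

    def read_mem(addr, size):
        return memory[addr][:size]

    w = ClipboardWatcher(read_mem)
    w.post_GlobalAlloc(16, 0x0A0B0C0D)           # hClipboardData = GlobalAlloc(GMEM_MOVEABLE, 16)
    w.post_GlobalLock(0x0A0B0C0D, 0x00420000)    # pchData = GlobalLock(hClipboardData)
    return w.pre_SetClipboardData(CF_TEXT, 0x0A0B0C0D)   # SetClipboardData(CF_TEXT, hClipboardData)
```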

Page 20: Binary voyeurism

Monitoring the program stack at runtime

keepassada

Enter video!

Page 21: Binary voyeurism

winappdbg Tracer.py

• Performance problems (-1)
• Slow (-1)
• Need function list (ida) (-1)
• It is python (+500)
• Pydot ftw (+500)

Python rocks!

Page 22: Binary voyeurism

Look for the process and attach to it

Tracer & derivatives

Where are you little process?

Page 23: Binary voyeurism

Breakpoints and callbacks

Tracer & derivatives

The callback writes the address to a file

Page 24: Binary voyeurism

Targeting specific functions

Watching dll loading

WTFDLL?

Page 25: Binary voyeurism

A picture is worth a thousand words

Tracer & pydot

I <3 pydot

Page 26: Binary voyeurism

Binary abstract art, anyone?

Tracer & pydot

I <3 pydot

Page 27: Binary voyeurism

intel pin

Page 28: Binary voyeurism

THE dynamic binary instrumentation tool

INTEL PIN
• A more efficient tracer
• Detect buffer overflows
– EIP outside text section
• Valgrind-like for Windows
– Check memory allocations
– Double free(s)

Intel PIN rocks big time!

Page 29: Binary voyeurism

It means pain in the ass too

INTEL PIN

A more efficient tracer

Compiled means efficient!

Page 30: Binary voyeurism

Instrumentation vs. Runtime functions

INTEL PIN

Check every basic block

Page 31: Binary voyeurism

Let's exploit this

INTEL PIN

SEH overwrite, a classic

Page 32: Binary voyeurism

EIP points to the stack!

INTEL PIN

You shouldn't be here…

Page 33: Binary voyeurism

You shouldn't be here!

INTEL PIN

Detect EIP outside text section

Save all .text section addresses

Page 34: Binary voyeurism

EIP police! Show me your hands!

INTEL PIN

Compare against .text section data

Detect EIP outside text section

Page 35: Binary voyeurism

This could be very powerful

INTEL PIN

Valgrind-like for Windows
• Check memory allocations
• Double free(s)

Keep track of malloc and free
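The malloc/free bookkeeping the page-35 checker keeps, as an added Python example (not the speaker's Pintool): a post-hook on malloc records live blocks, a pre-hook on free retires them and reports a second free of the same block or a free of a pointer the allocator never handed out. The HeapTracker class and the addresses in demo() are constructed; the PIN call names in the comments only indicate where the hooks would attach.

```python
class HeapTracker:
    """Valgrind-style bookkeeping fed from hooks on malloc() and free()."""

    def __init__(self):
        self.live = {}        # ptr -> size of every outstanding allocation
        self.freed = {}       # ptr -> number of free() calls since it was last handed out
        self.findings = []    # (kind, ptr, detail) tuples, in the order they were detected

    def post_malloc(self, size, ptr):
        # PIN: RTN_InsertCall at IPOINT_AFTER on malloc, ptr from IARG_FUNCRET_EXITPOINT_VALUE
        if ptr == 0:
            return                       # allocation failed, nothing was handed out
        self.live[ptr] = size
        self.freed.pop(ptr, None)        # the allocator recycled this address: forget its history

    def pre_free(self, ptr):
        # PIN: RTN_InsertCall at IPOINT_BEFORE on free, ptr from IARG_FUNCARG_ENTRYPOINT_VALUE 0
        if ptr == 0:
            return None                  # free(NULL) is legal and a no-op
        if ptr in self.live:
            del self.live[ptr]
            self.freed[ptr] = 1
            return None
        if ptr in self.freed:
            self.freed[ptr] += 1
            return self._report("double free", ptr, f"free() number {self.freed[ptr]} on this block")
        return self._report("invalid free", ptr, "pointer never returned by malloc()")

    def leaks(self):
        """Allocations still live at exit (PIN: report them from the PIN_AddFiniFunction callback)."""
        return dict(self.live)

    def _report(self, kind, ptr, detail):
        finding = (kind, ptr, detail)
        self.findings.append(finding)
        return finding


def demo():
    """Constructed call sequence: a classic double free, an invalid free, and one leaked block."""
    t = HeapTracker()
    t.post_malloc(32, 0x00A51000)
    t.post_malloc(64, 0x00A51040)
    t.pre_free(0x00A51000)
    t.pre_free(0x00A51000)               # second free() of the same block
    t.pre_free(0x00B00000)               # never allocated
    return t
```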

Page 36: Binary voyeurism

Some people take it to the extreme

INTEL PIN

Free the malloc()s!

Page 37: Binary voyeurism

Vdb / vtrace

Page 38: Binary voyeurism

What the k00l kidz use

Vdb / vtrace
• Yep, it is Python
• It does pretty much what others do
– And Linux… and ARM… and PPC… etc.
• Look, I'm so cool!
– NO DOCUMENTATION
– READABLE CODE

Python still rocks!

Page 39: Binary voyeurism

These two functions are interesting to us

Vdb / vtrace

Thanks Mozilla Development Docs!

Page 40: Binary voyeurism

Seems legit.

Vdb / vtrace

Super Secure Bank

Page 41: Binary voyeurism

Pretty similar to the previous frameworks

Vdb / vtrace

Read at offsets from ESP register

Page 42: Binary voyeurism

Final project in PIN

Quick recap
• Python based:
– Fast prototyping but…
– damn slow
• Intel PIN
– Fast and intelligent but…
– convoluted

Prototype in Python

Page 43: Binary voyeurism

Don't forget the beer! ;)

Thanks for listening!