Binary voyeurism
Transcript of Binary voyeurism
![Page 1: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/1.jpg)
Binary voyeurism
A decent overview
![Page 2: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/2.jpg)
Please fill the skill matrix ;)
Who are you
• Any experience with
  – Binary reversing?
  – Debugging?
  – Exploitation?
  – Python?
![Page 3: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/3.jpg)
whoami
• Nerd (zombies, cylons…)
• Geek (reversing, python…)
• Consultant :)
![Page 4: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/4.jpg)
We are hiring!
• Security people
• Highly skilled team
• Hardware, mobile, binary, web, source code, network …
• Fun, research, CONs, etc.
• Consultancy / business oriented
Talk to me!
![Page 5: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/5.jpg)
Beers are presents too!
Today is my birthday!
![Page 6: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/6.jpg)
agenda
• Checking out the application
  – Static analysis
  – Not programmatic way
  – winappdbg
  – Intel PIN
  – vdb / vtrace
• Drinks & bbq
![Page 7: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/7.jpg)
Setting the scope
• This talk is pretty lame
• Just an introduction
• Basically a compilation of things very intelligent people did
• Anyway a nice overview if you don't have a deep knowledge of this topic
![Page 8: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/8.jpg)
Static analysis
![Page 9: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/9.jpg)
Static analysis
• IDA Pro scripts
  – IDC: in C language, must recompile every time
  – IDAPython: Python bindings. Me gusta…
IDA Pro rocks!
![Page 10: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/10.jpg)
Naive crypto search
Let's check for crypto functions
![Page 11: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/11.jpg)
IDA Signsrch from Luigi Auriemma
Naive crypto search
Let's compare with a real plugin…
![Page 12: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/12.jpg)
So, there was some crypto after all…
Naive crypto search
Look at those juicy AES constants…
![Page 13: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/13.jpg)
Warning! Malware evasion!
Find special x86 instructions
Why are you doing this funky stuff?
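The "naive crypto search" and the "find special x86 instructions" slides above both boil down to scanning the raw image for known byte patterns. The script below is an added example, not code from the talk or from Signsrch: it looks for the head of the AES S-box and the SHA-256 initial values (the "juicy constants" a real signature plugin carries thousands of), and for the encodings of a handful of instructions that environment-probing code uses (cpuid, rdtsc, sgdt/sidt/str). The sample image is constructed inline. It matches bytes without disassembling, so every opcode hit is a candidate to confirm in IDA, not a finding.

```python
"""Naive byte-pattern scanner for crypto constants and 'special' x86 opcodes.

Added example (not the talk's code). Matching is deliberately naive: it does
not disassemble, so an opcode hit inside data is possible and must be checked.
"""
import struct

# First 16 entries of the AES forward S-box (FIPS-197): distinctive enough.
AES_SBOX_HEAD = bytes([0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                       0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76])
# SHA-256 initial hash values H0..H3 as they sit little-endian in x86 code.
SHA256_IV_HEAD = struct.pack("<4I", 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a)

CRYPTO_SIGNATURES = {
    "AES S-box": AES_SBOX_HEAD,
    "SHA-256 IV": SHA256_IV_HEAD,
}

# Two-byte opcodes that need no ModRM decoding.
OPCODE_SIGNATURES = {
    "cpuid": bytes([0x0F, 0xA2]),
    "rdtsc": bytes([0x0F, 0x31]),
}


def find_all(data, needle):
    """Yield every offset at which needle occurs in data (overlaps included)."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def scan_crypto(data):
    """[(name, offset)] for every crypto constant table found in data."""
    return [(name, off)
            for name, sig in CRYPTO_SIGNATURES.items()
            for off in find_all(data, sig)]


def scan_special_insns(data):
    """[(mnemonic, offset)] sorted by offset, for the instructions above."""
    hits = [(name, off)
            for name, sig in OPCODE_SIGNATURES.items()
            for off in find_all(data, sig)]
    # 0F 01 /0 = sgdt m, 0F 01 /1 = sidt m: memory operand only (mod != 11b).
    for off in find_all(data, b"\x0f\x01"):
        if off + 2 < len(data):
            modrm = data[off + 2]
            mod, reg = modrm >> 6, (modrm >> 3) & 7
            if mod != 3 and reg in (0, 1):
                hits.append(("sgdt" if reg == 0 else "sidt", off))
    # 0F 00 /1 = str r/m16.
    for off in find_all(data, b"\x0f\x00"):
        if off + 2 < len(data):
            if (data[off + 2] >> 3) & 7 == 1:
                hits.append(("str", off))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample image: a tiny probing routine followed by two tables.
SAMPLE_IMAGE = (
    b"\x55\x8b\xec"            # push ebp; mov ebp, esp
    + b"\x0f\xa2"              # cpuid
    + b"\x0f\x01\x4d\xf8"      # sidt [ebp-8]  (ModRM 0x4d: mod=01 reg=001)
    + b"\x0f\x31"              # rdtsc
    + b"\xc3"                  # ret
    + b"\x00" * 8              # padding
    + AES_SBOX_HEAD + bytes(range(16))   # a table that starts like the S-box
    + SHA256_IV_HEAD
)

if __name__ == "__main__":
    for name, off in scan_crypto(SAMPLE_IMAGE):
        print("crypto  %-10s @ 0x%04x" % (name, off))
    for name, off in scan_special_insns(SAMPLE_IMAGE):
        print("opcode  %-10s @ 0x%04x" % (name, off))
```

On a real binary you would feed it the bytes of each section (or the whole file) and then jump to the offsets in IDA; a table hit in `.rdata` is far more meaningful than the same bytes inside `.text`.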
![Page 14: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/14.jpg)
IDA Pro Plugin
m.i.l.f. plugin
My IDA Little Framework
![Page 15: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/15.jpg)
not programmatic
![Page 16: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/16.jpg)
Not programmatic way
Just using a regular debugger
Everyone knows this, I guess ;)
OllyDbg / Immunity Debugger / WinDbg
BOOOOORING…
![Page 17: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/17.jpg)
Olly, Immunity, Windbg, etc.
Not programmatic way
BOOOOORING…
![Page 18: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/18.jpg)
Winappdbg (& a bit of pydbg)
![Page 19: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/19.jpg)
Monitoring the program stack at runtime
keepassada
Hook those calls!
The following functions are called when copying data to the clipboard:

```c
OpenClipboard();
EmptyClipboard();
hClipboardData = GlobalAlloc();              // hook this and get the return value
pchData = (char*)GlobalLock(hClipboardData);
strcpy(pchData, LPCSTR(strData));
GlobalUnlock(hClipboardData);
SetClipboardData(CF_TEXT, hClipboardData);   // hook this
CloseClipboard();
```
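The two hook points in that sequence only pay off if you connect them: the handle `GlobalAlloc()` returns is the one `SetClipboardData()` receives later, so a hook that remembers return values can read the text at the moment it is published. The script below is an added example, not the keepassada tool from the talk. `ClipboardTracker` is plain Python and runs anywhere; the winappdbg wrapper at the end (the `apiHooks` table, `pre_`/`post_` callbacks and `Debug.attach`) follows the winappdbg 1.x EventHandler API as I know it and is an assumption, guarded so the file still imports without winappdbg. The fake process memory is constructed.

```python
"""Clipboard sniffing hook, winappdbg style: correlate GlobalAlloc's return
value with the handle later passed to SetClipboardData. Added example."""
CF_TEXT = 1
CF_UNICODETEXT = 13


class ClipboardTracker:
    """Remembers handles returned by GlobalAlloc and, when one of them reaches
    SetClipboardData, reads the text behind it through the supplied reader."""

    def __init__(self):
        self._pending = 0
        self.allocs = {}      # handle -> requested size
        self.captured = []    # (format, text) in the order seen

    def on_globalalloc_pre(self, flags, size):
        self._pending = size

    def on_globalalloc_post(self, handle):
        self.allocs[handle] = self._pending

    def on_setclipboarddata(self, fmt, handle, read_memory):
        """read_memory(address, size) -> bytes (process.read in winappdbg).
        Caveat: for GMEM_FIXED allocations the handle is the pointer; a
        moveable handle would need the GlobalLock() result instead."""
        if handle not in self.allocs:
            return None
        raw = read_memory(handle, self.allocs[handle])
        if fmt == CF_TEXT:
            text = raw.split(b"\x00", 1)[0].decode("latin-1")
        elif fmt == CF_UNICODETEXT:
            text = raw.decode("utf-16-le", "ignore").split("\x00", 1)[0]
        else:
            text = raw.hex()
        self.captured.append((fmt, text))
        return text


# Constructed fake target memory: one fixed allocation at 0x00420000.
FAKE_MEMORY = {0x00420000: b"hunter2\x00" + b"\xcc" * 8}


def fake_read(address, size):
    return FAKE_MEMORY[address][:size]


def simulate_copy_to_clipboard():
    """Replays the call sequence from the slide against the tracker."""
    t = ClipboardTracker()
    t.on_globalalloc_pre(0x0000, 16)   # GlobalAlloc(GMEM_FIXED, 16)
    t.on_globalalloc_post(0x00420000)  # returned handle == pointer
    t.on_setclipboarddata(CF_TEXT, 0x00420000, fake_read)
    return t.captured


try:
    from winappdbg import Debug, EventHandler   # assumption: winappdbg 1.x API

    class ClipboardHooks(EventHandler):
        # (function, number of stack arguments); winappdbg decodes them for us.
        apiHooks = {
            "kernel32.dll": [("GlobalAlloc", 2)],
            "user32.dll":   [("SetClipboardData", 2)],
        }

        def __init__(self):
            EventHandler.__init__(self)
            self.tracker = ClipboardTracker()

        def pre_GlobalAlloc(self, event, ra, uFlags, dwBytes):
            self.tracker.on_globalalloc_pre(uFlags, dwBytes)

        def post_GlobalAlloc(self, event, retval):
            self.tracker.on_globalalloc_post(retval)

        def pre_SetClipboardData(self, event, ra, uFormat, hMem):
            process = event.get_process()
            text = self.tracker.on_setclipboarddata(uFormat, hMem, process.read)
            if text is not None:
                print("[clipboard] format=%d text=%r" % (uFormat, text))

    def attach_and_watch(pid):
        dbg = Debug(ClipboardHooks(), bKillOnExit=False)
        try:
            dbg.attach(pid)
            dbg.loop()
        finally:
            dbg.stop()
except ImportError:
    pass  # not on Windows / winappdbg missing: the tracker still works offline
```

The same correlation is what makes the approach a detection idea as much as a voyeurism one: a password manager that publishes secrets through `CF_TEXT` hands them to every process that can call `GetClipboardData`, and a hook like this shows exactly when that happens.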
![Page 20: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/20.jpg)
Monitoring the program stack at runtime
keepassada
Enter video!
![Page 21: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/21.jpg)
winappdbg Tracer.py
• Performance problems (-1)
• Slow (-1)
• Need function list (IDA) (-1)
• It is Python (+500)
• Pydot ftw (+500)
Python rocks!
![Page 22: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/22.jpg)
Look for the process and attach to it
Tracer & derivatives
Where are you little process?
![Page 23: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/23.jpg)
Breakpoints and callbacks
Tracer & derivatives
The callback writes the address to a file
![Page 24: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/24.jpg)
Targeting specific functions
Watching dll loading
WTFDLL?
![Page 25: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/25.jpg)
A picture is worth a thousand words
Tracer & pydot
I <3 pydot
![Page 26: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/26.jpg)
Binary abstract art, anyone?
Tracer & pydot
I <3 pydot
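The Tracer slides describe the pipeline in three pieces: take the function list from IDA, break on every function start, and have the callback write the hit address to a file; pydot then turns the hits into a graph. The script below is an added example of the offline half of that, not Tracer.py itself. It assumes the callback logged one `tid,eip,return_address` line per hit, recovers the caller of each hit by mapping the return address back to the function that contains it (a bisect over the sorted IDA starts), and emits DOT text by hand so no pydot install is needed. Both inputs are constructed.

```python
"""Call graph from breakpoint hits, Tracer style. Added example.

Inputs (constructed): an IDA-exported function list and a hit log written by
the breakpoint callback. Output: a Counter of (caller, callee) edges and DOT.
"""
import bisect
from collections import Counter


def parse_function_list(lines):
    """IDA-exported lines 'address name' -> sorted list of (start, name)."""
    funcs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, name = line.split(None, 1)
        funcs.append((int(addr, 16), name))
    funcs.sort()
    return funcs


def containing_function(funcs, address):
    """Name of the last function starting at or before address, or None."""
    starts = [f[0] for f in funcs]
    i = bisect.bisect_right(starts, address) - 1
    return funcs[i][1] if i >= 0 else None


def build_call_graph(funcs, hit_lines):
    """hit_lines: 'tid,eip,retaddr' per breakpoint hit -> Counter of edges.
    The callee is the function hit; the caller owns the return address."""
    edges = Counter()
    for line in hit_lines:
        line = line.strip()
        if not line:
            continue
        tid, eip, ret = (int(x, 16) for x in line.split(","))
        callee = containing_function(funcs, eip)
        caller = containing_function(funcs, ret)
        edges[(caller or "<unknown>", callee or "<unknown>")] += 1
    return edges


def to_dot(edges):
    """Graphviz source; render with `dot -Tpng` (or feed it to pydot)."""
    out = ["digraph trace {"]
    for (caller, callee), n in sorted(edges.items()):
        out.append('  "%s" -> "%s" [label="%d"];' % (caller, callee, n))
    out.append("}")
    return "\n".join(out)


# Constructed IDA export: one function start per line.
IDA_FUNCS = """
# start    name
00401000 main
00401080 parse_input
00401100 check_password
00401160 aes_decrypt
"""
# Constructed callback log: thread id, EIP at the breakpoint, [ESP] (return address).
HITS = """
0x7c4,0x00401080,0x00401023
0x7c4,0x00401100,0x004010a5
0x7c4,0x00401160,0x00401131
0x7c4,0x00401160,0x00401140
0x7c4,0x00401100,0x004010b0
"""


def demo():
    funcs = parse_function_list(IDA_FUNCS.splitlines())
    return build_call_graph(funcs, HITS.splitlines())


if __name__ == "__main__":
    print(to_dot(demo()))
```

The edge labels carry hit counts, which is usually the first thing worth reading in the "abstract art": the functions with the fattest incoming edges are the parsers and crypto routines you want to look at next.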
![Page 27: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/27.jpg)
intel pin
![Page 28: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/28.jpg)
THE dynamic binary instrumentation tool
INTEL PIN
• A more efficient tracer
• Detect buffer overflows
  – EIP outside text section
• Valgrind-like for Windows
  – Check memory allocations
  – Double free(s)
Intel PIN rocks big time!
![Page 29: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/29.jpg)
It means pain in the ass too
INTEL PIN A more efficient tracer
Compiled means efficient!
![Page 30: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/30.jpg)
Instrumentation vs. Runtime functions
INTEL PIN
Check every basic block
![Page 31: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/31.jpg)
Let's exploit this
INTEL PIN
SEH overwrite, a classic
![Page 32: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/32.jpg)
EIP points to the stack!
INTEL PIN
You shouldn't be here…
![Page 33: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/33.jpg)
You shouldn't be here!
INTEL PIN Detect EIP outside text section
Save all .text section addresses
![Page 34: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/34.jpg)
EIP police! Show me your hands!
INTEL PIN
Compare against .text section
data
Detect EIP outside text section
![Page 35: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/35.jpg)
This could be very powerful
INTEL PIN Valgrind-like for Windows
Check memory allocations Double free(s)
Keep track of malloc and free
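The two Pin checks described on the slides above, "save the .text ranges and compare EIP against them" and "keep track of malloc and free", are simple enough to prototype in Python before paying the C++ price, which is also the recap's advice. The script below is an added example, not the Pintool from the talk: the section table and the instruction/heap traces are constructed, and the checks are plain functions standing in for what the image-load and routine instrumentation callbacks would call.

```python
"""Python prototype of two Pintool checks from the talk: EIP outside any
executable section, and double/invalid free detection. Added example."""
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # PE section characteristic flag


def executable_ranges(image_base, sections):
    """sections: (name, virtual_address, virtual_size, characteristics).
    Returns [(lo, hi, name)] for the sections marked executable, which is
    the list a Pintool would build in its image-load callback."""
    ranges = []
    for name, va, size, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE:
            ranges.append((image_base + va, image_base + va + size, name))
    return ranges


def eip_violations(exec_ranges, eips):
    """Addresses the instruction pointer reached outside every executable
    section, e.g. the stack after an SEH overwrite."""
    return [eip for eip in eips
            if not any(lo <= eip < hi for lo, hi, _ in exec_ranges)]


class HeapTracker:
    """Mirrors the malloc/free bookkeeping a Pintool keeps from routine
    hooks (malloc: size before, pointer after; free: pointer before)."""

    def __init__(self):
        self.live = {}        # pointer -> size
        self.findings = []    # (kind, pointer)

    def on_malloc(self, size, retval):
        if retval:
            self.live[retval] = size

    def on_free(self, ptr):
        if ptr == 0:
            return            # free(NULL) is defined as a no-op
        if ptr in self.live:
            del self.live[ptr]
        else:
            self.findings.append(("double-or-invalid-free", ptr))

    def leaks(self):
        """Whatever is still live at exit, sorted by address."""
        return sorted(self.live.items())


# Constructed sample: a typical section table, an EIP trace that ends on
# the stack, and a heap trace with one double free and one bogus free.
IMAGE_BASE = 0x00400000
SECTIONS = [
    (".text",  0x1000, 0x5000, 0x60000020),   # code | execute | read
    (".rdata", 0x6000, 0x2000, 0x40000040),
    (".data",  0x8000, 0x3000, 0xC0000040),
]
EIP_TRACE = [0x00401000, 0x00401005, 0x00402bf0, 0x0012ff78, 0x0012ff7c]
HEAP_TRACE = [("malloc", 32, 0x00520000), ("malloc", 64, 0x00520030),
              ("free", 0x00520000), ("free", 0x00520000),
              ("free", 0x00520030), ("free", 0x00999999)]


def run_demo():
    """Returns (bad EIPs, heap findings, leaks) for the constructed traces."""
    exec_r = executable_ranges(IMAGE_BASE, SECTIONS)
    bad = eip_violations(exec_r, EIP_TRACE)
    h = HeapTracker()
    for ev in HEAP_TRACE:
        if ev[0] == "malloc":
            h.on_malloc(ev[1], ev[2])
        else:
            h.on_free(ev[1])
    return bad, h.findings, h.leaks()


if __name__ == "__main__":
    bad, findings, leaks = run_demo()
    for eip in bad:
        print("EIP police: 0x%08x is outside every executable section" % eip)
    for kind, ptr in findings:
        print("heap: %s at 0x%08x" % (kind, ptr))
```

Two things the Pin version has to add that this prototype skips: DLLs are images too, so each loaded module contributes its own executable ranges (otherwise every call into kernel32 is a "violation"), and a Windows build must hook the heap entry points the program actually uses (`HeapAlloc`/`HeapFree` as well as the CRT `malloc`/`free`).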
![Page 36: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/36.jpg)
Some people take it to the extreme
INTEL PIN
Free the malloc()s!
![Page 37: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/37.jpg)
Vdb / vtrace
![Page 38: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/38.jpg)
What the k00l kidz use
Vdb / vtrace
• Yep, it is Python
• It does pretty much what others do
  – And Linux… and ARM… and PPC… etc.
• Look, I'm so cool!
  – NO DOCUMENTATION
  – READABLE CODE
Python still rocks!
![Page 39: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/39.jpg)
These two functions are interesting to us
Vdb / vtrace
Thanks Mozilla Development Docs!
![Page 40: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/40.jpg)
Seems legit.
Vdb / vtrace
Super Secure Bank
![Page 41: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/41.jpg)
Pretty similar to the previous frameworks
Vdb / vtrace
Read at offsets from ESP register
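"Read at offsets from ESP" is the whole trick for grabbing a function's arguments at a breakpoint on 32-bit Windows: `[ESP]` is the return address and `[ESP+4]`, `[ESP+8]`, ... are the arguments, for cdecl and stdcall alike. The script below is an added example, not the talk's script. `decode_stack_args` is plain Python over a constructed stack snapshot and fake memory; the vtrace wrapper at the end (`vtrace.getTrace`, a `Breakpoint` subclass with `notify()`, `getRegisterByName`, `readMemory`) follows the vivisect API as I know it and is an assumption, guarded so the file imports without vtrace.

```python
"""Reading a function's arguments at offsets from ESP at a breakpoint,
vtrace style. Added example."""
import struct


def decode_stack_args(stack_bytes, nargs):
    """Return (return_address, [arg0, ...]) from raw bytes read at ESP,
    32-bit layout: [ESP] = return address, [ESP+4*(i+1)] = arg i."""
    needed = 4 * (nargs + 1)
    if len(stack_bytes) < needed:
        raise ValueError("need %d bytes at ESP, got %d" % (needed, len(stack_bytes)))
    words = struct.unpack("<%dI" % (nargs + 1), stack_bytes[:needed])
    return words[0], list(words[1:])


def read_c_string(read_memory, address, limit=256):
    """NUL-terminated string at address, via a read_memory(addr, size) callable."""
    data = read_memory(address, limit)
    return data.split(b"\x00", 1)[0].decode("latin-1")


# Constructed snapshot at the entry of check_password(const char *user,
# const char *pw): ESP points at the return address, then the two pointers.
FAKE_MEM = {
    0x0012ff40: struct.pack("<3I", 0x00401234, 0x00403010, 0x00403020),
    0x00403010: b"alice\x00" + b"\x00" * 250,
    0x00403020: b"hunter2\x00" + b"\x00" * 248,
}


def fake_read(addr, size):
    return FAKE_MEM[addr][:size]


def demo():
    """(return address, user, pw) decoded from the constructed snapshot."""
    esp = 0x0012ff40
    ret, args = decode_stack_args(fake_read(esp, 12), 2)
    return hex(ret), read_c_string(fake_read, args[0]), read_c_string(fake_read, args[1])


try:
    import vtrace   # assumption: vivisect/vtrace API as described in the lead-in

    class ArgDumper(vtrace.Breakpoint):
        """Breakpoint that prints the first nargs stack arguments on every hit."""

        def __init__(self, address, nargs):
            vtrace.Breakpoint.__init__(self, address)
            self.nargs = nargs

        def notify(self, event, trace):
            esp = trace.getRegisterByName("esp")
            raw = trace.readMemory(esp, 4 * (self.nargs + 1))
            ret, args = decode_stack_args(raw, self.nargs)
            print("hit %#x from %#x args=%s"
                  % (self.getAddress(), ret, [hex(a) for a in args]))

    def watch(pid, address, nargs):
        trace = vtrace.getTrace()
        trace.attach(pid)
        trace.addBreakpoint(ArgDumper(address, nargs))
        trace.run()
except ImportError:
    pass  # vtrace not installed: the decoder above still works offline
```

Keep in mind the layout only holds at the first instruction of the function; once the prologue has pushed EBP the same values sit at `[EBP+4]`, `[EBP+8]`, ... instead, and fastcall/thiscall functions pass the first arguments in ECX/EDX rather than on the stack.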
![Page 42: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/42.jpg)
Final project in PIN
Quick recap
• Python based:
  – Fast prototyping but…
  – damn slow
• Intel pin
  – Fast and intelligent but…
  – convoluted
Prototype in Python
![Page 43: Binary voyeurism](https://reader035.fdocuments.us/reader035/viewer/2022062502/56816967550346895de12bdc/html5/thumbnails/43.jpg)
Don't forget the beer! ;)
Thanks for listening!