anti anti malware part 3 stack smashing
play

Anti-anti-malware (part 3) / Stack Smashing 1 last time various - PowerPoint PPT Presentation

Jun 23, 2023 •16 likes •496 views

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

  1. Anti-anti-malware (part 3) / Stack Smashing 1

  2. last time various kinds of armored malware malware that evades analysis 2

  3. logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3

  4. upcoming exam next Wednesday review next Monday — come with questions 4

  5. armored viruses “encrypted” malware not strong encryption — key is there! self-changing viruses: encrypted oligiomorphic polymorphic metamorphic other anti-analysis techniques: antigoat antiemulation antidebugging 5

  6. this time fjnish up anti-debugging “tunnelling viruses” memory residence Nasi article on evading 2014 antivirus (if time) new topic: exploits and stack-smashing 6 evade behavior-based detection

  7. antiantivirus last time: break disassemblers — with packers break VMs/emulators break debuggers make analysis harder break antivirus software itself “retrovirus” 7

  8. diversion: debuggers we’ll care about two pieces of functionality: breakpoints debugger gets control when certain code is reached single-step debugger gets control after a single instruction runs 8

  9. diversion: debuggers we’ll care about two pieces of functionality: breakpoints debugger gets control when certain code is reached single-step debugger gets control after a single instruction runs 9

  10. implementing breakpoints idea: change movq %rax, %rdx addq %rbx, %rdx // BREAKPOINT HERE subq 0(%rsp), %r8 ... into movq %rax, %rdx jmp debugger_code subq 0(%rsp), %r8 ... problem: jmp might be bigger than addq ? 10

  11. implementing breakpoints idea: change movq %rax, %rdx addq %rbx, %rdx // BREAKPOINT HERE subq 0(%rsp), %r8 ... into movq %rax, %rdx jmp debugger_code subq 0(%rsp), %r8 ... problem: jmp might be bigger than addq ? 10

  12. int 3 x86 breakpoint instruction: int 3 Why 3? fourth entry in table of handlers one byte instruction encoding: CC debugger modifjes code to insert breakpoint has copy of original somewhere invokes handler setup by OS debugger can ask OS to be run by handler or changes pointer to handler directly on old OSes 11

  13. int 3 handler kind of exception handler recall: exception handler = way for CPU to run OS code x86 CPU saves registers, PC for debugger x86 CPU has easy to way to resume debugged code from handler 12

  14. detecting int 3 directly (1) checksum running code mycode: ... movq $0, %rbx movq $mycode, %rax loop : addq (%rax), %rbx addq $8, %rax cmpq $endcode, %rax jl loop cmpq %rbx, $EXPECTED_VALUE jne debugger_found ... endcode: 13

  15. detecting int 3 directly (2) query the “handler” for int 3 old OSs only; today: cannot set directly modern OSs: ask if there’s a debugger attached …or try to attach as debugger yourself doesn’t work — debugger present, probably does work — broke any debugger? // Windows API function! if (IsDebuggerPresent()) { 14

  16. modern debuggers int 3 is the oldest x86 debugging mechanism modern x86: 4 “breakpoint” registers (DR0–DR3) contain address of program instructions need more than 4? sorry processor triggers exception when address reached 4 extra registers + comparators in CPU? fmag to invoke debugger if debugging registers used enables nested debugging 15

  17. diversion: debuggers we’ll care about two pieces of functionality: breakpoints debugger gets control when certain code is reached single-step debugger gets control after a single instruction runs 16

  18. implementing single-stepping (1) set a breakpoint on the following instruction? kinda works movq %rax, %rdx subq 8(%rsp), %r8 transformed to movq %rax, %rdx subq 8(%rsp), %r8 then jmp to addq 17 addq %rbx, %rdx // ←− STOPPED HERE subq 0(%rsp), %r8 // ←− SINGLE STEP TO HERE addq %rbx, %rdx // ←− STOPPED HERE int 3 // ←− SINGLE STEP TO HERE

  19. implementing single-stepping (2) problem: what about fmow control? or retq or 18 jmpq *0x1234(%rax,%rbx,8) // ←− STOPPED HERE

  20. implementing single-stepping (3) typically hardware support for single stepping x86: int 1 handler (second entry in table) x86: TF fmag: execute handler after every instruction …except during handler (whew!) 19

  21. defeating single-stepping try to install your own int 1 handler (if OS allows) try to clear TF? would take efgect on following instruction …if debugger doesn’t reset it 20

  22. unstealthy debuggers is a debugger installed? unlikely on Windows, maybe ignore those machines is a debugger process running (don’t check if it’s tracing you) … 21

  23. confusing debuggers “broken” executable formats e.g., recall ELF: segments and sections corrupt sections — program still works overlapping segments/sections — program still works what does the loader really use?? “broken” machine code insert “junk” bytes to break disassembly skip over junk with jump use the stack pointer not for the stack stack trace? recall anti-virus heuristics looking for this (though brokness probably not on purpose?) “encrypted” code sophisticated version of this 22

  24. confusing debuggers “broken” executable formats e.g., recall ELF: segments and sections corrupt sections — program still works overlapping segments/sections — program still works what does the loader really use?? “broken” machine code insert “junk” bytes to break disassembly skip over junk with jump use the stack pointer not for the stack stack trace? recall anti-virus heuristics looking for this (though brokness probably not on purpose?) “encrypted” code sophisticated version of this 22

  25. confusing debuggers “broken” executable formats e.g., recall ELF: segments and sections corrupt sections — program still works overlapping segments/sections — program still works what does the loader really use?? “broken” machine code insert “junk” bytes to break disassembly skip over junk with jump use the stack pointer not for the stack stack trace? recall anti-virus heuristics looking for this (though brokness probably not on purpose?) “encrypted” code sophisticated version of this 22

  26. confusing debuggers “broken” executable formats e.g., recall ELF: segments and sections corrupt sections — program still works overlapping segments/sections — program still works what does the loader really use?? “broken” machine code insert “junk” bytes to break disassembly skip over junk with jump use the stack pointer not for the stack stack trace? recall anti-virus heuristics looking for this (though brokness probably not on purpose?) “encrypted” code sophisticated version of this 22

  27. antiantivirus last time: break disassemblers — with packers break VMs/emulators break debuggers make analysis harder break antivirus software itself “retrovirus” 23

  28. terminology semistealth / stealth — hide from system tunneling virus — evades behavior-blocking e.g. detection of modifying system fjles retrovirus — directly attacks/disables antivirus software 24

  29. attacking antivirus (1) how does antivirus software scan new fjles? how does antivirus software detect bad behavior? register handlers with OS/applications — new fjles, etc. 25

  30. hooking and malware hooking — getting a ‘hook’ into (OS) operations e.g. creating new fjles, opening fjle monitoring or changing/stopping behavior used by antivirus and malware: stealth virus — hide virus program from normal I/O, etc. tunneling virus — skip over antivirus’s hook retrovirus — break antivirus’s hook 26

  31. stealth /* in virus: */ int OpenFile( const char *filename, ...) { if (strcmp(filename, "infected.exe") == 0) { return RealOpenFile("clean.exe", ...); } else { return RealOpenFile(filename, ...); } } 27

  32. stealth ideas override “get fjle modifjcation time” (infected fjles) override “get fjles in directory” (infected fjles) override “read fjle” (infected fjles) but not “execute fjle” override “get running processes” 28

  33. tunneling ideas use the “real” write/etc. function not wrapper from antivirus software fjnd write/etc. function antivirus software “forgot” to hook 29

  34. retrovirus ideas empty antivirus signature list kill antivirus process, remove “hooks” delete antivirus software, replace with dummy executable … 30

  35. hooking mechanisms hooking — getting a ‘hook’ to run on (OS) operations e.g. creating new fjles ideal mechanism: OS support less ideal mechanism: change library loading e.g. replace ‘open’, ‘fopen’, etc. in libraries less ideal mechanism: replace OS exception (system call) handlers very OS version dependent 31

  36. hooking mechanisms hooking — getting a ‘hook’ to run on (OS) operations e.g. creating new fjles less ideal mechanism: change library loading e.g. replace ‘open’, ‘fopen’, etc. in libraries less ideal mechanism: replace OS exception (system call) handlers very OS version dependent 32 ideal mechanism: OS support

  37. 33

  38. debugging mechanisms debuggers can stop program at system calls, etc. another form of OS support, typically Linux interface: ptrace has “run program until any system call” mode and (recently) “ run program until specifjc system call” mode 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday (review) 2 last few times encrypted code changing code polymorphic, metamorphic anti-VM/emulation anti-debugging stealth tunneling

817 views • 71 slides
Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

257 views • 22 slides
Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit ... overflow direction / higher addresses int main(int argc, char **argv) buf { stack growth char buf[0x10]; gets(buf); saved return address

911 views • 13 slides
USA 2012 Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and

USA 2012 Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and

USA 2012 Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies Rodrigo Rubira Branco (@BSDaemon) Rodrigo Rubira Branco (@BSDaemon) Gabriel Negreira Barbosa (@gabrielnb) Gabriel Negr eira

757 views • 50 slides
64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

Techorganic About PGP Disclaimer Vulnerabilities Musings from the brainpan 64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64- bit

451 views • 9 slides
anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable 2 last time anti-virus: heuristic: malware messing up executables? key idea: wrong segment of executable? switching segments of the executable?

1.14k views • 102 slides
anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an executable 2 anti-virus techniques last time: signature-based detection regular expression-like matching snippets of virus(-like) code heuristic

1.79k views • 139 slides
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales Shouhuai Xu Ravi Sandhu SEI @ CMU CS @ UTSA ICS @ UTSA Roadmap Motivation Experimental Methodology Experimental Results Summary

560 views • 16 slides
Use and abuse of anti-arbitration injunctions: strategies in dealing with anti-arbitration

Use and abuse of anti-arbitration injunctions: strategies in dealing with anti-arbitration

Use and abuse of anti-arbitration injunctions: strategies in dealing with anti-arbitration injunctions ASA Below 40 Seminar: Court assistance in international arbitration how to use it wisely and efficiently Anti-suit and anti-arbitration

359 views • 10 slides
Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info Malware Forensics and Incident Response Anti-Forensics Executables Stealth Techniques Live System Anti-Forensics Process

907 views • 76 slides
Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern University Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem

660 views • 46 slides
Anti-Social Behaviour Anti-Social Behaviour - Anti-social Behaviour, Crime and Policing Act 2014

Anti-Social Behaviour Anti-Social Behaviour - Anti-social Behaviour, Crime and Policing Act 2014

Hounslow Housing Chris Shoubridge Head of Area Housing Anti-Social Behaviour Anti-Social Behaviour - Anti-social Behaviour, Crime and Policing Act 2014 conduct that has caused, or is likely to cause, harassment, alarm or distress to any

377 views • 18 slides
Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus Techniques } Virus writers have devised numerous methods of resisting anti-virus software and making life difficult for anti-virus researchers }

554 views • 53 slides
Management of SAH Disclosures: None Controversies Anti-fibrinolytics Anti-epileptic Drugs

Management of SAH Disclosures: None Controversies Anti-fibrinolytics Anti-epileptic Drugs

Controversies in the Management of SAH Disclosures: None Controversies Anti-fibrinolytics Anti-epileptic Drugs Goal Hemoglobin Hyponatremia Fever Anti-Fibrinolytics The risk of re-bleeding is highest in the first 24 hours

695 views • 36 slides
ACS Slides 1 INTRO TO CODE BLUE ACS Anti- Anti-an angi ginal al O2,

ACS Slides 1 INTRO TO CODE BLUE ACS Anti- Anti-an angi ginal al O2,

INTRO TO CODE BLUE ACS Slides 1 INTRO TO CODE BLUE ACS Anti- Anti-an angi ginal al O2, nitroglycerin, morphine Anti-pl plat atel elet et 1 st : ASA (162mg PO chewable) 2 nd : P2Y 12 inhibitor (clopidogrel,

242 views • 3 slides
Anti-Infective Drug Development in Neonates Sumati Nambiar MD MPH Division of Anti-Infective

Anti-Infective Drug Development in Neonates Sumati Nambiar MD MPH Division of Anti-Infective

Anti-Infective Drug Development in Neonates Sumati Nambiar MD MPH Division of Anti-Infective Products CDER/FDA EMA/FDA/PMDA Pediatric Workshop London, June 21-22, 2018 Neonatal Studies Of the anti-infective drug approvals since 2000,

387 views • 16 slides
FrankenLaws: The Sad State of the Information Security Regulatory Landscape UNCC 12 th Annual

FrankenLaws: The Sad State of the Information Security Regulatory Landscape UNCC 12 th Annual

1 Charlotte, North Carolina Tuesday, October 11, 2011 FrankenLaws: The Sad State of the Information Security Regulatory Landscape UNCC 12 th Annual Cyber Security Symposium Tuesday, October 11, 2011 Charlotte, North Carolina John Linkous |

488 views • 26 slides
Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief Open Source Officer Sun Microsystems http://www.webmink.net/ Systems Middleware Cloud 3 1 Third Wave? Stallman Software Freedoms Use

1.31k views • 87 slides
OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
Lessons learned from six years of cloud technology transformation in government David Turner

Lessons learned from six years of cloud technology transformation in government David Turner

Lessons learned from six years of cloud technology transformation in government David Turner Managing Director, MSC Digital MSC Digital Independent and vendor agnostic Formed specifically to assist the UK Public Sector - Its

386 views • 19 slides
The electroweak effective field theory

The electroweak effective field theory

The electroweak effective field theory from on-shell amplitudes (KMI) /

565 views • 25 slides
CS615 - Aspects of System Administration System Security Department of Computer Science Stevens

CS615 - Aspects of System Administration System Security Department of Computer Science Stevens

CS765 - Aspects of System Administration Slide 1 CS615 - Aspects of System Administration System Security Department of Computer Science Stevens Institute of Technology Jan Schaumann jschauma@stevens.edu

1.17k views • 90 slides
Mixed Factorization for Collaborative Recommendation with Heterogeneous Explicit Feedbacks Weike

Mixed Factorization for Collaborative Recommendation with Heterogeneous Explicit Feedbacks Weike

Mixed Factorization for Collaborative Recommendation with Heterogeneous Explicit Feedbacks Weike Pan , Shanchuan Xia, Zhuode Liu, Xiaogang Peng and Zhong Ming panweike@szu.edu.cn, shaun.xia@outlook.com, zero.lzd@gmail.com,

808 views • 38 slides
I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers

I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers

O N THE R ESOLUTIONS OF ( SOME ) S IMPLICIAL F ORESTS S ARA F ARIDI D ALHOUSIE U NIVERSITY I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers i,j ( I ) ? Eliahou-Kervaire Splittings: When I = J + K

289 views • 25 slides

More recommend