binary analysis notes
play

BINARY ANALYSIS NOTES Mariano Graziano Malware Research Team - - PowerPoint PPT Presentation

May 01, 2023 •181 likes •780 views

BINARY ANALYSIS NOTES Mariano Graziano Malware Research Team - Cisco Talos M0LECON 2019 Turin, Italy - 30/11/2019 1 whoami Technical Leader at Cisco Talos PhD in System Security (Eurecom) Alma mater: Politecnico di Torino

  1. BINARY ANALYSIS NOTES Mariano Graziano Malware Research Team - Cisco Talos M0LECON 2019 Turin, Italy - 30/11/2019 1

  2. whoami ‣ Technical Leader at Cisco Talos ‣ PhD in System Security (Eurecom) ‣ Alma mater: Politecnico di Torino ‣ Binary/Malware analysis, Memory forensics, Automation 2

  3. OUTLINE ‣ Binary Analysis ‣ Linux Threat Landscape ‣ ELF 3

  4. BINARY ANALYSIS ‣ How a binary is generated? 4

  5. BINARY ANALYSIS ‣ How a binary is generated? Compilation (from source code to machine code) - 5

  6. BINARY ANALYSIS ‣ How a binary is generated? Compilation (from source code to machine code) - Preprocessing/compilation/assembling/linking - Statically linked binaries - ‣ Interpreted programs and JIT compilation —> Scripts to executables (e.g. PyInstaller) 6

  7. BINARY ANALYSIS Binary analysis is the art of understanding compiled programs 7

  8. BINARY ANALYSIS ‣ Binary analysis is the art of understanding compiled programs ‣ From machine code to assembly —> Disassembler 8

  9. DISASSEMBLER 9

  10. BINARY ANALYSIS ‣ Binary analysis is the art of understanding compiled programs ‣ From machine code to assembly ‣ Understand from the machine code what the binary does and its properties/behavior 10

  11. BINARY ANALYSIS ‣ How binary analysis is conducted? 11

  12. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Static Analysis 12

  13. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Static Analysis ‣ Strings/symbols/API calls ‣ disassembler 13

  14. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Static Analysis cost 14

  15. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Dynamic analysis 15

  16. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Dynamic analysis: ‣ Debugging/Instrumented environment ‣ Interaction with the OS 16

  17. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Dynamic analysis 17

  18. BINARY ANALYSIS ‣ Why binary analysis is useful? 18

  19. BINARY ANALYSIS ‣ Why binary analysis is useful? ‣ Reverse engineering activities ‣ Malware analysis/Exploitation ‣ Detect plagiarism ‣ Interoperability ‣ Modify and understand applications (closed source) 19

  20. BINARY ANALYSIS ‣ Why binary analysis is hard? 20

  21. BINARY ANALYSIS ‣ Why binary analysis is hard? ‣ Semantic gap 21

  22. OUTLINE ‣ Binary Analysis ‣ Linux Threat Landscape ‣ ELF 22

  23. DESKTOP OS Share Windows 86,66 OSX 11,03 Linux 1,66 Chrome OS 0,41 Unknown 0,24 https://netmarketshare.com/operating-system-market-share.aspx? options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22 %2C%22dateStart%22%3A%222019-09%22%2C%22dateEnd%22%3A%222019-10%22%2C%22segments%22%3A%22-1000%22%7D 23

  24. DESKTOP OS Share Windows 86,66 OSX 11,03 Linux 1,66 Chrome OS 0,41 Unknown 0,24 https://netmarketshare.com/operating-system-market-share.aspx? options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22 %2C%22dateStart%22%3A%222019-09%22%2C%22dateEnd%22%3A%222019-10%22%2C%22segments%22%3A%22-1000%22%7D 24

  25. MOBILE OS Share Android 69,34 iOS 30,3 Unknown 0,25 Series 40 0,04 Windows Phone 0,03 Linux 0,02 https://netmarketshare.com/operating-system-market-share.aspx? options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Mobile%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22date Start%22%3A%222019-09%22%2C%22dateEnd%22%3A%222019-10%22%2C%22segments%22%3A%22-1000%22%7D 25

  26. MOBILE OS Share Android 69,34 iOS 30,3 Unknown 0,25 Series 40 0,04 Windows Phone 0,03 Linux 0,02 https://netmarketshare.com/operating-system-market-share.aspx? options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Mobile%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22date Start%22%3A%222019-09%22%2C%22dateEnd%22%3A%222019-10%22%2C%22segments%22%3A%22-1000%22%7D 26

  27. WEB OS Share Unix 70,8 Windows 29.2 https://w3techs.com/technologies/overview/operating_system 27

  28. WEB OS Share Unix 70,8 Windows 29.2 https://w3techs.com/technologies/overview/operating_system 28

  29. MALWARE? [1] http://www.tom-yam.or.jp/2238/ref/secur.pdf 29

  30. REALITY 30

  31. INFECTIONS ‣ Exploiting known vulnerabilities: Apache struts/ElasticSearch/Redis etc - Shellshock - CMS vulnerabilities (Wordpress, Joomla etc) - ‣ Low hanging fruits: Telnet and SSH bruteforcing - 31

  32. MALWARE ‣ Xor.DDoS — rootkit component ‣ ChinaZ — via shellshock ‣ Hand of Thief — Banker ‣ Mayhem ‣ Mirai ‣ VPNFilter — multistage ‣ HiddenWasp ‣ … 32

  33. MALWARE ‣ Xor.DDoS — rootkit component ‣ ChinaZ — via shellshock ‣ Hand of Thief — Banker Many families ‣ Mayhem and categories ‣ Mirai ‣ VPNFilter — multistage ‣ HiddenWasp ‣ … 33

  34. CURRENT SITUATION 34

  35. CURRENT SITUATION 35

  36. ELF SITUATION TOTAL NEW FILES FILES 36

  37. ELF SITUATION 9x 37

  38. ELF 38

  39. ELF HEADER 39

  40. e_ident 40

  41. e_machine 41

  42. SEGMENTS ‣ Execution view — How to create a process image ‣ A segment can contain zero or more sections 42

  43. p_type 43

  44. DEMO 0x00 READELF 44

  45. ELF HEADER 45

  46. ELF HEADER 46

  47. e_ident 47

  48. EI_DATA 48

  49. DEMO 0x00 1 BYTE https://github.com/radareorg/r2con2019/blob/master/talks/elf_crafting/ELF_Crafting_ulexec.pdf 49

  50. GLIBC INITIALIZATION ‣ Where is my main()? 50

  51. GLIBC INITIALIZATION ‣ ELF entry point points to: ‣ _start ‣ glibc initialization code - fini 400440: 31 ed xor %ebp,%ebp 400442: 49 89 d1 mov %rdx,%r9 - init 400445: 5e pop %rsi 400446: 48 89 e2 mov %rsp,%rdx - main 400449: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 40044d: 50 push %rax 40044e: 54 push %rsp 40044f: 49 c7 c0 e0 05 40 00 mov $0x4005e0,%r8 400456: 48 c7 c1 70 05 40 00 mov $0x400570,%rcx 40045d: 48 c7 c7 4d 05 40 00 mov $0x40054d,%rdi 400464: e8 b7 ff ff ff callq 400420 <__libc_start_main@plt> libc_start_main 400469: f4 hlt ‣ _start —> __libc_start_main(main, init, fini) 51

  52. DEMO 0x01 CONSTRUCTOR 52

  53. ANTI ANALYSIS ‣ Bad guys can complicate our job: ‣ Anti analysis techniques ‣ Anti debugging techniques ‣ Packing 53

  54. DEMO 0x02 STRIP 54

  55. DEMO 0x03 ANTIDEBUG TECHNIQUES 55

  56. DEMO 0x04 56

  57. DEMO 0x04 NEXTCRY SHA256: 027d5f87ab71044a4bbac469b6a3bf5e02571c4661939699d9050a4300d10230 57

  58. REMARKS ‣ Linux malware is a real threat ‣ We have to be ready ‣ We need more tools ‣ We need to know the internals ‣ IoT complicates the analysis: ‣ OS and architecture diversifications ‣ Need more background knowledge 58

  59. THE END THANK YOU email: magrazia@cisco.com twitter: @emd3l 59

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
ECON2228 Notes 6 Christopher F Baum Boston College Economics 20142015 cfb (BC Econ)

ECON2228 Notes 6 Christopher F Baum Boston College Economics 20142015 cfb (BC Econ)

ECON2228 Notes 6 Christopher F Baum Boston College Economics 20142015 cfb (BC Econ) ECON2228 Notes 6 20142015 1 / 49 Chapter 7: Multiple regression analysis with qualitative information: Binary (or dummy) variables We often consider

773 views • 49 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
This is a PDF version with notes. You can find the PPTX version at

This is a PDF version with notes. You can find the PPTX version at

This is a PDF version with notes. You can find the PPTX version at http://www.cse.iitd.ernet.in/~sbansal/talks/btkernel.pptx 1 Firstly, what is Dynamic Binary Translation and what is it used for. Dynamic Binary Translation or DBT is the

617 views • 49 slides
Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson Department of Statistics University of Washington This is joint work with James Robins (Harvard). Outline 1. The binary IV potential outcomes model

156 views • 15 slides
Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed 1-2 pm ENS 31NR Forsyth and Ponce book Binary images Two pixel values Foreground and background Regions of interest

1.13k views • 78 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

1.06k views • 67 slides
AMath 483/583 Lecture 28 Notes: Outline: Numba and autojit Binary vs. ASCII output

AMath 483/583 Lecture 28 Notes: Outline: Numba and autojit Binary vs. ASCII output

AMath 483/583 Lecture 28 Notes: Outline: Numba and autojit Binary vs. ASCII output Review / take away messages See also: Numba $UWHPSC/codes/io R.J. LeVeque, University of Washington AMath 483/583, Lecture 28 R.J.

206 views • 5 slides
AMath 483/583 Lecture 2 Notes: Outline: Binary storage, floating point numbers

AMath 483/583 Lecture 2 Notes: Outline: Binary storage, floating point numbers

AMath 483/583 Lecture 2 Notes: Outline: Binary storage, floating point numbers Version control main ideas Client-server version control, e.g., CVS, Subversion Distributed version control, e.g., git, Mercurial Reading:

387 views • 9 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Software Architecture School of Computer Science, University of Oviedo Lab. 12 Monitoring &amp;

Software Architecture School of Computer Science, University of Oviedo Lab. 12 Monitoring &amp;

Software Architecture Software Architecture School of Computer Science, University of Oviedo Lab. 12 Monitoring &amp; profiling How-to do a presentation Jose Emilio Labra Gayo Pablo Gonzlez 2019-20 Irene Cid Hugo Lebredo Software

558 views • 19 slides
Tuning TCP Parameters for the 21st Century H.K. Jerry Chu hkchu@google.com July 27, 2009 75 th

Tuning TCP Parameters for the 21st Century H.K. Jerry Chu hkchu@google.com July 27, 2009 75 th

Tuning TCP Parameters for the 21st Century H.K. Jerry Chu hkchu@google.com July 27, 2009 75 th IETF, Stockholm Parameters to Examine init RTO (for 3WHS and init data transmission) initcwnd (IW) and/or restart cwnd (RW) min RTO Delayed ack

549 views • 17 slides
Variable Fonts in Chrome Webengines Hackfest, Igalia, A Corua Behdad Esfahbod behdad@google.com

Variable Fonts in Chrome Webengines Hackfest, Igalia, A Corua Behdad Esfahbod behdad@google.com

Variable Fonts in Chrome Webengines Hackfest, Igalia, A Corua Behdad Esfahbod behdad@google.com Dominik Rttsches drott@google.com Demos Responsive Web Typography Font Playground Underwares HOI Variable Fonts in CSS

523 views • 28 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
Cloud Computing Leveling The Access Field T. V. Raman Google http://emacspeak.sf.net/raman

Cloud Computing Leveling The Access Field T. V. Raman Google http://emacspeak.sf.net/raman

Cloud Computing Leveling The Access Field T. V. Raman Google http://emacspeak.sf.net/raman April 20, 2012 Overview Accessibility Challenge Speech Opportunity Google Conclusion Accessibility Challenge Speech Opportunity Google Conclusion

538 views • 28 slides
GN: A Modern Build System For BSD ? https://gn.googlesource.com/gn Bucharest, Septembre 23rd

GN: A Modern Build System For BSD ? https://gn.googlesource.com/gn Bucharest, Septembre 23rd

GN: A Modern Build System For BSD ? https://gn.googlesource.com/gn Bucharest, Septembre 23rd 2018 Benjamin Jacobs (Original) Motivation As an easy way to import LLVM into DragonFlyBSD base Under a (naive) assumption, given that: Upsream LLVM

469 views • 16 slides
Cross-Platform OpenCL Application Development Tyler Sorensen (led the work and made the slidese)

Cross-Platform OpenCL Application Development Tyler Sorensen (led the work and made the slidese)

The Hitchhikers Guide to Cross-Platform OpenCL Application Development Tyler Sorensen (led the work and made the slidese) Alastair F. Donaldson (delivered this version of the talk) Imperial College London, UK UKMAC May 2016 1 OpenCL

920 views • 77 slides
Welcome IT in AOS Michael Havas Dept. of Atmospheric and Oceanic Sciences McGill University

Welcome IT in AOS Michael Havas Dept. of Atmospheric and Oceanic Sciences McGill University

Welcome IT in AOS Michael Havas Dept. of Atmospheric and Oceanic Sciences McGill University September 21, 2012 Outline 1 Introduction to AOS IT Services 2 Introduction to Linux Benefits of Linux What Exactly is Linux? The Free-Software

985 views • 65 slides

More recommend