bubble str ubble struggle uggle
play

BUBBLE STR UBBLE STRUGGLE UGGLE Call Graph Visualization with - PowerPoint PPT Presentation

Mar 14, 2024 •377 likes •886 views

BUBBLE STR UBBLE STRUGGLE UGGLE Call Graph Visualization with Radare2 Marion Marschalek marion@0x1338.at @pinkflawd Static Analysis is King What my my sa sandbox th thought What my my cu customer th thought the malw th alware do

  1. BUBBLE STR UBBLE STRUGGLE UGGLE Call Graph Visualization with Radare2

  2. Marion Marschalek marion@0x1338.at @pinkflawd

  3. Static Analysis is King

  4. What my my sa sandbox th thought What my my cu customer th thought the malw th alware do does th the malw alware do does Packer / Call home Setup Evasion might or might not be analyzed What th the mal alware REALLY do does What I I th thought th the malw lware do does Encrypting files Keylogging Screenshots Screen captures DDoS Downloading more malware

  5. r2g r2graphit aphity https://github.com/pinkflawd/r2graphity Github link Python3 radare2 & r2pipe NetworkX pefile pydeep numpy Neo4j/py2neo

  6. Scalable Can analyze entire binaries Scriptable Provides - functions and cross references GUI-free - symbols Great support - strings Quick bug fixes - basic PE information

  7. R2handle = r2pipe.open(<file>) r2 r2 R2handle.cmd(<cmd>) Watch magic co command mmand ch cheat at aaa – analyze the target binary afr @ [address] – recursively analyze function at [address] she heet et iS – get information about file sections iij – get import table in JSON format axtj @@ sym.* - get cross references on found symbols in JSON axtj @ [address] – get cross references for [address] pd 300 @ [address] – disassemble 300 instructions at [address] pd -30 @ [address] – disassemble backwards 30 instructions at [address] pdf @ [address] – disassemble function at [address], after e.g. aaa command izzj – get strings out of entire binary in JSON iz – get strings out of code section iEj – get exports of a library ?v $FB @ [address] – get function which contains [address] aflj – get list of functions with supporting information in JSON

  8. Function Detection is Key Win8 32-bit benign (Little agreed on method to verify whether TP/FP)

  9. Function Detection is Key 32-bit malicious (Little agreed on method to verify whether TP/FP)

  10. Function call graphs Function cross references within code section References to function offsets Outside executable section(s) Nodes: functions => Offset, size, calling convention Edges: calls, indirect calls r2g r2graphity aphity

  11. Strings String parsing Evaluation: ASCII, cross references, character frequency count String list detection string length + alingment string following w/o cross reference Fitting strings into the graph Whats the information one can gain from strings?

  12. APIs Cross references on symbols Indirect calls - parsing for mov/lea - disassembling further - call and jmp considered xref Thunk pruning Dynamic loading

  13. Indirect Calls „Top - down“ Disassemble upwards Check the arguments for function cross references Add edge and tag Currently only CreateThread and SetWindowsHookEx, because context „ Bottom-up “ Sweep for nodes without inbound edges Check for cross references within functions Add edge and tag

  14. The r2graphity graph structure ### NetworkX Graph Structure ### # FUNCTION as node, attributes: function address, size, calltype, list of calls, list of strings, count of calls, functiontype[Callback, Export, Supernode], alias (e.g. export name), mnemonic distribution # FUNCTION REFERENCE as edge (function address -> target address), attributes: ref offset (at) # INDIRECT REFERENCE as edge (currently for threads and Windows hooks, also indirect code and indirect data references) # API CALLS (list attribute of function node): address, API name # STRINGS (list attribute of function node): address, string, eval ####

  15. Binary Visualization

  16. „ Useful “ ain‘t easy

  17. Large graphs, small graphs, dense graphs, lose graphs, dense subgraphs, disconnected subgraphs , … DLLs & GUI applications Spaghetti code Copy/paste code Packed code Repetitive patterns Noise Recovering code structure from call graphs

  18. yellow: 0 API calls gradually darker: plenty of API calls node size: out-degree

  19. green: 0 API calls gradually darker: plenty of API calls

  20. Highlighting memory allocation habits

  21. How to deal with large graphs & too much information Data reduction and simplification How to pick features for visualization know what your tools support what your algorithms support Layout algorithms what your data has to say Graph transformations API gadgets & highlighting String evaluation

  22. Fruchterman-Rheingold Force directed Neat overview Slooow² Find most important nodes at a glance

  23. Force-directed graph layouts Position graph nodes in a way, that edges are in equal length and cross as little as possible Forces can be applied, to pull less connected nodes further apart High running time, high number of iterations

  24. ForceAtlas Repulsion and gravity

  25. Sofacy

  26. Mnemonicism shl shr Arithmetic instructions as indicator for cryptography, compression or codecs mul Leveraging radare2‘s instruction type div rol ror sar load store

  27. Babar

  28. “ Behavior ” Gadgets

  29. Scanning for Gadgets Pre-defined API patterns Searching the graph for anchor Scanning nodes in close vicinity

  30. “ Behavior ” Gadgets For APILOADING found {'GetProcAddress': '0x1000def8', 'LoadLibrary': '0x1000def8'} For APILOADING found {'GetProcAddress': '0x10014e88', 'LoadLibrary': '0x10014e88'} For READFILE found {'ReadFile': '0x100032a0', 'CreateFile': '0x100032a0'} For READFILE found {'ReadFile': '0x1000d6b0', 'CreateFile': '0x1000d6b0'} For APILOADING2 found {'GetModuleHandle': '0x1000fbd3', 'GetProcAddress': '0x1000fbd3'} For APILOADING2 found {'GetModuleHandle': '0x1000f8ef', 'GetProcAddress': '0x1000fbd3'} For APILOADING2 found {'GetModuleHandle': '0x10012552', 'GetProcAddress': '0x10012552'} For SHELLEXEC found {'ShellExecute': '0x1000d330'} For FILEITER found {'FindClose': '0x1000d330', 'FindFirstFile': '0x1000d330', 'FindNextFile': '0x1000d330'} For CREATETHREAD found {'CreateThread': '0x1000ebc2'} For CREATETHREAD found {'CreateThread': '0x10009b10'} For CREATETHREAD found {'CreateThread': '0x10002190'} For CREATETHREAD found {'CreateThread': '0x1000a050'} For CREATETHREAD found {'CreateThread': '0x10001820'} For CREATETHREAD found {'CreateThread': '0x10001000'} For WRITEFILE found {'WriteFile': '0x1000d880', 'CreateFile': '0x1000d880'} For WRITEFILE found {'WriteFile': '0x1000a4f0', 'CreateFile': '0x1000a4f0'} For WRITEFILE found {'WriteFile': '0x10001f80', 'CreateFile': '0x10001f80'} For RECV found {'recv': '0x1000b290', 'send': '0x1000b290'} For SCREENSHOT found {'GetDeviceCaps': '0x100094d0', 'CreateCompatibleBitmap': '0x100094d0', 'BitBlt': '0x100094d0', 'CreateCompatibleDC': '0x100094d0'} For REGQUERY found {'RegOpenKey': '0x10001000', 'RegQueryValue': '0x10001000'}

  31. t

  33. Color-code functionality families

  34. Grey: functions Yellow: API calls Red: strings Subgraph Expansion

  35. Expansion Transformation

  36. Banito Banito

  37. Similarity Visualization: Animalfarm Binaries

  39. String Constants Human readable strings give information away Presence or absence of readable strings is relevant information Graph structure, character frequency and character repetition allow string constant evaluation

  40. CheshireCat

  41. Sizing string nodes by „ readability “

  42. 2-0-7-9-31-0-0-3-30 2-2-7-12-37-1-0-4-38 String character 2-8-8-11-39-1-0-4-38 2-4-7-13-37-5-0-3-34 Subset of frequency histogram 3-5-7-16-40-6-0-4-38 2-5-7-14-36-5-0-3-38 3-6-7-12-35-4-0-3-30 Sofacy per sample 2-4-7-13-29-5-0-3-29 2-4-7-7-27-0-0-3-29 3-4-7-10-27-0-0-3-29 3-4-7-12-27-4-0-3-29 13-233-274-464-276-1381-1895-265-190 13-233-274-464-276-1381-1895-265-190 2-2-5-11-25-1-0-4-46 Bucketsize of 0.01 2-2-5-11-25-1-0-4-46 2-2-5-11-25-1-0-4-46 2-2-5-11-25-1-0-4-46 Count of strings per bucket 2-2-5-11-25-1-0-4-46 3-0-3-8-13-0-1-3-2 0.04 is a reasonable edge 3-1-3-8-13-0-1-3-2 3-1-3-8-13-0-1-3-2 Resilient to little changes 12-195-121-175-177-769-1319-75-49 12-195-122-175-177-784-1324-76-50 12-194-123-163-184-786-1308-81-49 12-195-120-156-188-781-1308-76-47 12-195-121-158-163-785-1323-73-43 12-195-122-157-187-770-1255-76-48 12-195-123-156-183-769-1324-73-49 9-193-101-134-160-757-1277-76-48 12-195-121-160-189-786-1304-81-49

  43. String character frequency histogram per sample Bucketsize of 0.01 Count of strings per bucket 0.04 is a reasonable edge Resilient to little changes

  47. Corner Cases and Issues C++ VB/.NET Delphi xD Other exotic compilers Large binaries Loops Inner programming logic

  49. Help in static analysis Borderline foolproof packer detection Persisting of analysis results (Unintentional) disassembly framework bug report factory Marketing will faint, I swear Scales Open source Lightweight Parse once, analyse forevaaa

  50. Th Thank ank you you!!1 !!1! marion@0x1338.at @pinkflawd

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

VOLUNTEER AT THE BUBBLE Rewarding work with a positive experience WHAT IS THE BUBBLE ? The Bubble

VOLUNTEER AT THE BUBBLE Rewarding work with a positive experience WHAT IS THE BUBBLE ? The Bubble

VOLUNTEER AT THE BUBBLE Rewarding work with a positive experience WHAT IS THE BUBBLE ? The Bubble is a non-profit NGO which organises local events in support of humanitarian and environmental causes. The Bubble focuses on including everyone and is

51 views • 3 slides
No Child Should Struggle to Read. No Child Should Struggle to Read. No Child Should Struggle to

No Child Should Struggle to Read. No Child Should Struggle to Read. No Child Should Struggle to

OK House of Representatives Common Education Committee INTERIM STUDY # 16-036 Effects of Dyslexia on Youth and Model Programs Rep. Michael Shelton and Ann Coody No Child Should Struggle to Read. No Child Should Struggle to Read. No Child

627 views • 27 slides
Bubble Sort! Tyralyn Tran What is a bubble sort?!?!?!?!?!?!?!? In a bubble sorting algorithm,

Bubble Sort! Tyralyn Tran What is a bubble sort?!?!?!?!?!?!?!? In a bubble sorting algorithm,

http://www.internationalhero.co.uk/p/powpuff1.jpg http://www.skorks.com/wp- content/uploads/2010/05/sort.jpg Bubble Sort! Tyralyn Tran What is a bubble sort?!?!?!?!?!?!?!? In a bubble sorting algorithm, the elements of the list

337 views • 20 slides
BUBBLE LAMP GEORGE NELSON BUBBLE LAMP FOR HERMAN MILLER, AVAILABLE FROM HAY BUBBLE LAMP

BUBBLE LAMP GEORGE NELSON BUBBLE LAMP FOR HERMAN MILLER, AVAILABLE FROM HAY BUBBLE LAMP

BUBBLE LAMP GEORGE NELSON BUBBLE LAMP FOR HERMAN MILLER, AVAILABLE FROM HAY BUBBLE LAMP INTRODUCING GEORGE NELSON BUBBLE LAMP AVAILABLE FROM HAY In honour of HAYs recent partnership with Herman Miller, HAY will be the European

730 views • 39 slides
The outline and latest status of fine bubble measurement techniques and UK bubble applications

The outline and latest status of fine bubble measurement techniques and UK bubble applications

The outline and latest status of fine bubble measurement techniques and UK bubble applications including advances in drug delivery using bubbles Dr Stephen Ward-Smith Malvern Instruments Ltd Malvern PANalytical Agenda An introduction to

827 views • 47 slides
Proof of the Double Bubble Conjecture in R n Ben Reichardt Caltech Double Bubble Theorem

Proof of the Double Bubble Conjecture in R n Ben Reichardt Caltech Double Bubble Theorem

Proof of the Double Bubble Conjecture in R n Ben Reichardt Caltech Double Bubble Theorem Theorem: The least-area way to enclose and separate two given volumes in R n is the standard double bubble. 120 120 120 v 1 v 2 L three

485 views • 45 slides
Background A bubble generated inside microfluidic channel is actuated via acoustic waves,

Background A bubble generated inside microfluidic channel is actuated via acoustic waves,

Background A bubble generated inside microfluidic channel is actuated via acoustic waves, which set up a streaming flow around the bubble. Red blood cells introduced in the fluid will deform differently near the bubble due to different

171 views • 3 slides
+ Productive Struggle &amp; Problem Solving Grades 3-5 Heather Siedschlag hsied22@gmail.com +

+ Productive Struggle &amp; Problem Solving Grades 3-5 Heather Siedschlag hsied22@gmail.com +

+ Productive Struggle &amp; Problem Solving Grades 3-5 Heather Siedschlag hsied22@gmail.com + What is Productive Struggle? Productive: adjective having the power of producing, generative, creative Struggle: verb 1. to contend with an

613 views • 33 slides
The ABS The ABS Acoustic Bubble Spectrometer Acoustic Bubble Spectrometer by G. L.

The ABS The ABS Acoustic Bubble Spectrometer Acoustic Bubble Spectrometer by G. L.

The ABS The ABS Acoustic Bubble Spectrometer Acoustic Bubble Spectrometer by G. L. Chahine D YNAFLOW , I NC . Jessup, MD www.dynaflow-inc.com Email: glchahine@dynaflow-inc.com www.dynaflow-inc.com Background Background Bubbles

238 views • 21 slides
CREDENTIAL 2020 CONFIDENTIAL The struggle for survival in the SNS The world market and its

CREDENTIAL 2020 CONFIDENTIAL The struggle for survival in the SNS The world market and its

CREDENTIAL 2020 CONFIDENTIAL The struggle for survival in the SNS The world market and its fierce struggle in SNS! Not fighting competitors, you will crash after 3 years [To survive on the battlefield in the SNS] A company that actively and

555 views • 31 slides
To share the refreshing fun of bubble tea in Africa. CEO: Brittany Soung VP of Operation: Alison

To share the refreshing fun of bubble tea in Africa. CEO: Brittany Soung VP of Operation: Alison

To share the refreshing fun of bubble tea in Africa. CEO: Brittany Soung VP of Operation: Alison Galza VP of Marketing: Kamren Phillips Business Concept The first bubble tea shop in tropical Lagos, Nigeria. Combining local fruit flavors with

329 views • 20 slides
Search for Dark Ma-er with bubble chambers Orin Harris Northeastern Illinois University APS DPF

Search for Dark Ma-er with bubble chambers Orin Harris Northeastern Illinois University APS DPF

Search for Dark Ma-er with bubble chambers Orin Harris Northeastern Illinois University APS DPF 2017 1 Bubble chamber: theory In a superheated fluid, bubbles will collapse unless they are large enough (r c ) to overcome surface tension:

442 views • 20 slides
Limiting the witch hunt: recovering from the South Sea Bubble Helen Julia Paul University of

Limiting the witch hunt: recovering from the South Sea Bubble Helen Julia Paul University of

Limiting the witch hunt: recovering from the South Sea Bubble Helen Julia Paul University of Southampton, England hjp@soton.ac.uk The South Sea Bubble of 1720 Famous crash Traditional history: gambling mania Depth of crisis

216 views • 5 slides
Underwater Explosions Expansion S hock wave 1st bubble pulse gas globe E. S chmidtke

Underwater Explosions Expansion S hock wave 1st bubble pulse gas globe E. S chmidtke

Underwater Explosions Expansion S hock wave 1st bubble pulse gas globe E. S chmidtke Damping of S hock Waves MIREMAR 2010, Page 1 Results 2008 1 kg charges Reference calculated from 5 charges without bubble curtain Attenuations of up

260 views • 8 slides
Stochastic Analysis of Bubble Razor Guowei Zhang Peter A. Beerel Department of Microelectronics

Stochastic Analysis of Bubble Razor Guowei Zhang Peter A. Beerel Department of Microelectronics

Stochastic Analysis of Bubble Razor Guowei Zhang Peter A. Beerel Department of Microelectronics and Ming Hsieh Electrical Engineering Department Nanoelectronics Tsinghua University, China Univ. of Southern California, USA Why Bubble Razor?

573 views • 20 slides
Beyond the Bubble Using Performance Assessments for Learning &amp; Accountability Christopher R.

Beyond the Bubble Using Performance Assessments for Learning &amp; Accountability Christopher R.

Beyond the Bubble: Using Performance Presented at the 2018 VASSP Conference Assessments for Learning &amp; Accountability Hot Springs, VA Beyond the Bubble Using Performance Assessments for Learning &amp; Accountability Christopher R. Gareis,

195 views • 18 slides
Outline Overview Parallel Computing with GPU Introduction to CUDA CUDA Thread Model

Outline Overview Parallel Computing with GPU Introduction to CUDA CUDA Thread Model

Outline Overview Parallel Computing with GPU Introduction to CUDA CUDA Thread Model CUDA Memory Hierarchy and Memory Spaces CUDA Memory Hierarchy and Memory Spaces CUDA Synchronization 2110412 Parallel Comp Arch CUDA:

449 views • 12 slides
Exploiting Quality-Efficiency Tradeoffs with Arbitrary Quantization Special Session - CODES+ISSS

Exploiting Quality-Efficiency Tradeoffs with Arbitrary Quantization Special Session - CODES+ISSS

Exploiting Quality-Efficiency Tradeoffs with Arbitrary Quantization Special Session - CODES+ISSS Thierry Moreau , Felipe Augusto, Patrick Howe Armin Alaghi, Luis Ceze Internet of Things Revolution aggregate noisy, real world analytics,

536 views • 39 slides
340 Million Tweets per day 2.3 Billion Queries per day &lt; 10 s Indexing latency 50 ms Avg.

340 Million Tweets per day 2.3 Billion Queries per day &lt; 10 s Indexing latency 50 ms Avg.

340 Million Tweets per day 2.3 Billion Queries per day &lt; 10 s Indexing latency 50 ms Avg. query response time Earlybird - Realtime Search @twitter Michael Busch @michibusch michael@twitter.com buschmi@apache.org Earlybird - Realtime

1.2k views • 96 slides
Architecture level Optimizations for Kummer based HECC on FPGAs Gabriel GALLIN Turku Ozlum

Architecture level Optimizations for Kummer based HECC on FPGAs Gabriel GALLIN Turku Ozlum

Architecture level Optimizations for Kummer based HECC on FPGAs Gabriel GALLIN Turku Ozlum CELIK Arnaud TISSERAND CNRS IRISA Univ. Rennes Lab-STICC December, 11 th Indocrypt 2017 ECC, HECC, Kummer-HECC size of GF ( P ) elems.

360 views • 31 slides
Graphics and Visualization Yuriy Tymchuk (almost) Alain Plantec Guillaume Larcheveque What are

Graphics and Visualization Yuriy Tymchuk (almost) Alain Plantec Guillaume Larcheveque What are

Graphics and Visualization Yuriy Tymchuk (almost) Alain Plantec Guillaume Larcheveque What are Athens? aCanvas createPath: [:builder | builder absolute; moveTo: 70@100; lineTo: 330@100; cwArcTo: 350@120 angle: 90 degreesToRadians;

420 views • 27 slides
Memories and SRAM 1 Silicon Memories Why store things in silicon? Its fast!!!

Memories and SRAM 1 Silicon Memories Why store things in silicon? Its fast!!!

Memories and SRAM 1 Silicon Memories Why store things in silicon? Its fast!!! Compatible with logic devices (mostly) The main goal is to be cheap Dense -- The smaller the bits, the less area you need, and the more bits you

241 views • 22 slides
Unit 18 Field Programmable Gate Arrays (FPGAs) HARDWARE IMPLEMENTATION Implementing Logic

Unit 18 Field Programmable Gate Arrays (FPGAs) HARDWARE IMPLEMENTATION Implementing Logic

18.1 18.2 Unit 18 Field Programmable Gate Arrays (FPGAs) HARDWARE IMPLEMENTATION Implementing Logic Functions with Memories TARGETS 18.3 18.4 Processing Logic Approaches Progression of HW Logic Density Recall HW/SW designs sit on a

462 views • 8 slides
Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain Fouque 1 Thomas Vannet 2 1 Universit e de Rennes 1 2 NTT Secure Platform Laboratories March 13, 2013 Table of contents Introduction Trivium

463 views • 32 slides

More recommend