Covert Debugging: Circumventing Software Armoring Techniques (PowerPoint presentation)


  1. Covert Debugging: Circumventing Software Armoring Techniques
     Offensive Computing, LLC
     Danny Quist (dquist@offensivecomputing.net)
     Valsmith (valsmith@offensivecomputing.net)

  2. Offensive Computing - Malware Intelligence
     Danny Quist
     • Offensive Computing, Cofounder
     • PhD Student at New Mexico Tech
     • Reverse Engineer
     • Exploit Development
     • cDc/NSF

  3. Valsmith
     • Offensive Computing, Cofounder
     • Malware Analyst/Reverse Engineer
     • Metasploit Contributor
     • Penetration Tester/Exploit Developer
     • cDc/NSF

  4. Offensive Computing, LLC
     • Community Contributions
       – Free access to malware samples
       – Largest open malware site on the Internet
       – 350k hits per month
     • Business Services
       – Customized malware analysis
       – Large malware data-mining / access
       – Reverse Engineering

  5. Introduction
     • Debugging malware is a powerful tool
       – Trace runtime performance
       – Monitor API calls
       – Dynamic analysis == automation
     • Malware is getting good at preventing it
       – Debugger detection
       – VM detection
       – Legitimate software pioneered these techniques

  6. Overview of Talk
     • Software Armoring Techniques
     • Covert Debugging Requirements
     • Dynamic Instrumentation for Debugging
     • OS Pagefault Assisted Covert Debugging
     • Application – Generic Autounpacking
     • Results

  7. Software Armoring
     • Packing/Encryption
     • VM Detection
     • SEH Tricks
     • Debugger Detection
     • Shifting Decode Frame
     • Example: Microsoft's Patchguard

  8. Packing/Encryption
     • Self-modifying code
       – Small decoder stub
       – Decompresses the main executable
       – Restores imports
     • Play tricks with Portable Executables
       – Hide the imports
       – Obscure relocations
       – Encrypt/compress the executable

  9. Normal PE File

  10. Packed PE File

  11. Virtual Machine Detection
      • Single instruction detection
        – SLDT, SGDT, SIDT
        – See: Redpill, Scoopy-Doo, OCVmdetect
      • Instructions for privileged/unprivileged CPU mode
        – VMs try to be efficient, some instructions insecure
        – Do not fully emulate x86 bug for bug

  12. Debugger Detection
      • Windows API
        – IsDebuggerPresent() API call
        – Checks PEB for magic bit (EFLAGS)
        – Bit toggling works
      • Timing Attacks
        – Issue RDTSC instruction, compare to known values
        – Amazingly effective

  13. Debugger Detection (cont.)
      • Breakpoint Detection
        – Int3 (0xCC) instruction scanning
        – Checksumming of executable
      • Hardware Debugging Detection
        – Check CPU flags for debug bit
      • SoftICE Detection
        – Modification of Int3 scanning

  14. SEH Tricks
      • Structured Exception Handler
      • Used to handle errors in running code
      • Malware will overload this function to unpack code
      • Debugger thinks SEH exceptions are for it
      • Debugger dies

  15. Shifting Decode Frames
      • Execution is split at the basic block level
      • Block is decoded, executed, and then encoded again
      • Hard to defeat!
      • Implemented in Patchguard for Vista 64 and Windows Server 2003 64-bit

  16. So What?
      • These are all variations on a theme
      • There should be a generic way to debug
      • Need to modify at a fundamental level
      • Solution should be:
        – Generic – work across a set of executables
        – Efficient – good performance for non-debug
        – Undetectable (as much as possible)
        – Extensible – automation is the key

  17. Software Armoring Achilles Heel
      If it executes, it can be unpacked.
      [http://www.security-assessment.com/files/presentations/Ruxcon_2006_-_Unpacking_Virus,_Trojans_and_Worms.pdf]

  18. Unpacking
      • How an unpacker works:
        – Writes to an area of memory (decode)
        – Memory is read from (execute)
        – More writes to memory (optional re-encoding)
      • CPU only executes machine code
      • This process can be monitored
      • Unpacking is directly related to timing
        – At some point, it must be unpacked

  19. Manual Unpacking Process
      • Consists of several stages
        – Identify packer type
        – Find OEP or get process to unpacked state in memory
        – Dump process memory to file
        – Fixup file / rebuild Import Address Table (IAT)
        – Ensure file can now be analyzed

  20. Manual Unpacking Process
      • Several methods to identify packer type
        – PEiD
        – Msfpecan / OffensiveComputing.net
        – Manually look at section names
        – Other packer scanners like
          • Protection-id
          • Pe-scan

  21. Manual Unpacking Process

  22. Manual Unpacking Process
      • Methods to find OEP / unpacked memory
        – OllyScripts
          • http://www.tuts4you.com
          • http://www.openrce.org
        – OEP finder tools
          • OEP finders for specific packers
          • OEP Finder (very limited)
          • PE Tools / LordPE
          • PEiD generic OEP finder

  23. Manual Unpacking Process

  24. Manual Unpacking Process
      – Dump process memory to file
        • OllyDump
        • LordPE
        • Custom tools
      – Example:

          #include <windows.h>
          #include <stdio.h>
          #include <stdlib.h>

          /* Read ImageSize bytes at ImageBase from process pid and write them to filename. */
          void DumpProcMem(unsigned int ImageBase, unsigned int ImageSize, LPSTR filename, LPSTR pid)
          {
              SIZE_T ReadBytes = 0;
              DWORD WriteBytes = 0;   /* WriteFile takes a DWORD count, not a SIZE_T */
              unsigned char *buffer = (unsigned char *) calloc(ImageSize, 1);
              HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, (DWORD) atoi(pid));
              HANDLE hFile = CreateFileA(filename, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                                         CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
              if (buffer && hProcess && hFile != INVALID_HANDLE_VALUE) {
                  /* A short read means a page in the range is not committed; dump what came back. */
                  if (!ReadProcessMemory(hProcess, (LPCVOID) ImageBase, buffer, ImageSize, &ReadBytes))
                      fprintf(stderr, "ReadProcessMemory failed (error %lu)\n", GetLastError());
                  WriteFile(hFile, buffer, ImageSize, &WriteBytes, NULL);
              } else {
                  fprintf(stderr, "calloc/OpenProcess/CreateFile failed (error %lu)\n", GetLastError());
              }
              if (hFile != INVALID_HANDLE_VALUE) CloseHandle(hFile);
              if (hProcess) CloseHandle(hProcess);
              free(buffer);
          }

  25. Manual Unpacking Process

  26. Manual Unpacking Process
      – Fixup file / rebuild Import Address Table (IAT)
        • ImportREC is probably the best tool
        • Revirgin by +Tsehp
        • Manually with a hex editor (tedious)
      – IAT contains the list of functions imported
        • Very useful for understanding capabilities

  27. Manual Unpacking Process

  28. Manual Unpacking Process
      • Ensure file can now be analyzed
        • Clean disassembly should be available
        • IAT should be visible
        • Functions should be found
        • Strings clear and useful
      • Manual unpacking process can be tedious
      • Hardest part is generally finding the OEP

  29. Manual Unpacking Process
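For the "manually look at section names" stage of the manual unpacking process above, an added example that is not part of the slides: a Python check that parses the PE section table and matches the names against an assumed sample table of packer section names (UPX and ASPack only, not a full PEiD-style database), with a constructed header builder for test input.

```python
import struct

# Assumed sample of section names that known packers leave behind (UPX and
# ASPack only); a real scanner such as PEiD uses a much larger database.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
}

def section_names(pe_bytes):
    """Return the section names of a PE image, trailing NULs stripped."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections is at
    # offset 2 and SizeOfOptionalHeader at offset 16 of that 20-byte header.
    nsec = struct.unpack_from("<H", pe_bytes, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe_bytes, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size   # first IMAGE_SECTION_HEADER (40 bytes each)
    return [pe_bytes[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
            for i in range(nsec)]

def identify_packer(pe_bytes):
    """Name of the packer whose section names appear, else None.  Section
    names are trivially renamed, so None means 'unknown', not 'unpacked'."""
    for name in section_names(pe_bytes):
        if name in PACKER_SECTION_NAMES:
            return PACKER_SECTION_NAMES[name]
    return None

def build_fake_pe(names):
    """Constructed test input: a minimal MZ/PE header with the given section
    names and an empty optional header.  It is not a loadable executable."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    for n in names:
        hdr += n.ljust(8, b"\0") + b"\0" * 32                 # name + rest of header
    return bytes(hdr)
```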

  30. Unpacking: The Algorithm
      • Track written memory
      • If that memory is executed, it's unpacked
      • Must monitor:
        – Memory writes
        – Memory executions
      • Break on execute useful here
      • Automate the process
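The write-then-execute algorithm above, as an added example that is not from the talk: a Python simulation over a constructed event trace (not a real capture) that tracks written locations at byte or page granularity (page granularity models a page-fault based monitor), reports each execution of previously written memory, and clusters the hits as the results slides suggest.

```python
PAGE_SIZE = 0x1000

def page_of(addr):
    # Page granularity is what a page-fault monitor (the talk's Saffron) sees.
    return addr & ~(PAGE_SIZE - 1)

def find_write_execute(trace, page_granular=False):
    """Return [(trace_index, address)] for each execution of a location
    written earlier.  trace holds (kind, addr) pairs, kind 'W' = memory
    write, 'X' = instruction execute.  A reported location is cleared from
    the written set, so a block run many times is reported once but a block
    re-encoded and decoded again (a "shifting decode frame") is reported
    again.  The first hit is the candidate original entry point (OEP)."""
    key = page_of if page_granular else (lambda a: a)
    written, hits = set(), []
    for i, (kind, addr) in enumerate(trace):
        k = key(addr)
        if kind == 'W':
            written.add(k)
        elif kind == 'X' and k in written:
            written.discard(k)
            hits.append((i, addr))
    return hits

def cluster_addresses(addrs, gap=0x100):
    """Group addresses whose sorted neighbours lie within gap bytes; the
    talk notes hits cluster, and the largest cluster is the decoded body."""
    clusters = []
    for a in sorted(set(addrs)):
        if clusters and a - clusters[-1][-1] <= gap:
            clusters[-1].append(a)
        else:
            clusters.append([a])
    return clusters

def oep_estimate(trace):
    """Lowest address of the largest cluster of write-then-execute hits."""
    hits = find_write_execute(trace)
    return min(max(cluster_addresses(a for _, a in hits), key=len)) if hits else None

# Constructed trace (not a real capture): a decoder stub at 0x401000 decodes
# a block at 0x402000, jumps into it, re-encodes/decodes two instructions
# of it and runs them again.
SAMPLE_TRACE = (
    [('X', 0x401000 + 4 * i) for i in range(4)]
    + [('W', 0x402000 + i) for i in range(0, 32, 4)]
    + [('X', 0x402000), ('X', 0x402004), ('X', 0x402008)]
    + [('W', 0x402000), ('W', 0x402004), ('W', 0x402000), ('W', 0x402004)]
    + [('X', 0x402000), ('X', 0x402004)]
)
```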

  31. Dynamic Instrumentation
      • Allows a running process to be monitored
      • Intel PIN
        – Uses a Just-In-Time compiler to insert analysis code
        – Retains consistency of the executable
        – Pintools – use the API to analyze code
        – Good control of execution
          • Instruction
          • Memory access
          • Basic block
        – Process attaching / detaching

  32. Dynamic Instrumentation
      • Instruction tracing for the following packers
        – Armadillo
        – Aspack
        – FSG
        – MEW
        – PECompact
        – Telock
        – UPX
      • Created simple Hello World application
      • Graphed results with Oreas GDE

  33. Results: Aspack 2.12

  34. Results
      • Unpacking loop is easy to find

  35. Dynamic Instrumentation Results
      • Generic algorithm described previously works well
      • All addresses verified by manual unpacking
      • Addresses display clustering, which must be taken into account
      • Attach / detach is effective for taking memory snapshots of an executable

  36. Dynamic Instrumentation Problems
      • Detectable
        – Memory checksums
        – Signature scanning
      • Extend this to work generically, non-detectably
      • Slow
        – ~1,000 times slower than native
      • Need faster implementation

  37. Towards a Solution
      • Core operating system component that:
        – Monitors all memory
        – Intercepts memory accesses
        – Fast interception and logging
        – Fundamental part of OS

  38. Introducing Saffron
      • Intel PIN and hybrid page fault handler
      • Extension of OllyBonE kernel code
      • Designed for 32-bit Intel x86 CPUs
      • Replaces Windows 0x0E trap handler
      • Logs memory accesses
