fast furious reverse engineering with titanengine agenda
play

FAST & FURIOUS REVERSE ENGINEERING WITH TITANENGINE Agenda - PowerPoint PPT Presentation

Aug 22, 2023 •624 likes •1.47k views

Mario Vuksan, Tomislav Periin & Vojislav Milunovic, ReversingLabsCorporation FAST & FURIOUS REVERSE ENGINEERING WITH TITANENGINE Agenda Obligatory Scare Talk Why should you care? What is the problem? How can

  1. Mario Vuksan, Tomislav Peričin & Vojislav Milunovic, ReversingLabsCorporation FAST & FURIOUS REVERSE ENGINEERING WITH TITANENGINE

  2. Agenda  Obligatory Scare Talk  Why should you care?  What is the problem?  How can TitanEngine change the world?  Show ME!  Show ME!  Show ME!  How can I help? ReversingLabs Corporation

  3. Fighting Malware: Old Problem Inadequate Infrastructure: New Problem ReversingLabs Corporation

  4. Exponential Growth in Malware ReversingLabs Corporation

  5. YIELDS ReversingLabs Corporation

  6. Exponential Growth in Signatures ReversingLabs Corporation

  7. DEMANDING ReversingLabs Corporation

  8. ReversingLabs Corporation

  9. RESULTING IN ReversingLabs Corporation

  10. Denial of Service on Threat Response Teams ReversingLabs Corporation

  11. So What? ReversingLabs Corporation

  12. Security Industry is a For-Profit Entity ReversingLabs Corporation

  13. We’ll Simply Hire More Bodies ReversingLabs Corporation

  14. But Could We Get Enough Bodies? ReversingLabs Corporation

  15. Can’t Hire Enough? Combine those we have into one Worldwide Non-profit Entity (Bwa-ha-ha!) ReversingLabs Corporation

  16. OR… We could simply overload them… ReversingLabs Corporation

  17. Is an overloaded anti-malware analyst an asset or a liability? ReversingLabs Corporation

  18. Henry Ford  Anti-Malware labs are factories  100-200+ Analyst teams  Advanced workflows  Multiple levels of management  Modern labor laws apply: No 20+ hour days  Productivity can be improved  Work process can be studied  Improvements COULD be devised… ReversingLabs Corporation

  19. So how can Labs do more?  Charge more, Hire more  Invest in automation, Invest in heuristics  Deploy proactive modules, Buy competitors  All the usual stuff  … and they could revise their processes ReversingLabs Corporation

  20. So how can Labs do more?  1,000s of OllyDBG and IDAPro scripts can better be reused; could be generalized  Sample analysis, OEP discovery could benefit all team members  Reversing should be a team effort ReversingLabs Corporation

  21. We have to do it better… ReversingLabs Corporation

  22. Competition is tough  Bad guys  Rise of $$ motivated custom attacks  Resourceful crime syndicates $$ $$ ReversingLabs Corporation

  23. Protection is lacking  Signatures only “important” for threats  Need for other types of protection  Behavioral & HIPS tools that work ReversingLabs Corporation

  24. Yet manual analysis is still the only certain bet! ReversingLabs Corporation

  25. Passion for binary protection  Meatiest task today is dealing with protection techniques  Task repetition, Error prone, Not reusable  Large number of file formats can be infected and used for malware ReversingLabs Corporation

  26. Passion for binary protection  Executable files == most significant threat  Executables == the “usual suspect” for malware  85% of malware samples are packed  Packing hides malware, hardens its detection  Packed or protected doesn’t mean bad!  10% of legitimate software is packed ReversingLabs Corporation

  27. Passion for binary protection  Legit use for packers & protectors:  Compressed binaries decrease bandwidth usage  Protect intellectual property  Protect from code theft  Anti-tampering in multi-player games  Safeguard licensing code  Successfully used by malware authors  For all the same reasons ReversingLabs Corporation

  28. Analyzing Malware  Malware File Analysis Requires:  In-depth knowledge of how PE works  In-depth knowledge of how Windows works  Various tools to make you reach your goal  Understanding of Basic Shell Divisions:  Packers, Protectors, Crypters, Bundlers & Hybrids  Custom malware-specific packers & protectors ReversingLabs Corporation

  29. /*408160*/ PUSHAD /*408161*/ MOV ESI,crackme_.00406000 /*408166*/ LEA EDI,DWORD PTR DS:[ESI+FFFFB000] /*40816C*/ PUSH EDI /*40816D*/ OR EBP,FFFFFFFF /*408170*/ JMP SHORT crackme_.00408182 /*408172*/ NOP /*408173*/ NOP /*408174*/ NOP /*408175*/ NOP What’s the Reversing /*408176*/ NOP /*408177*/ NOP /*408178*/ MOV AL,BYTE PTR DS:[ESI] Process Today? /*40817A*/ INC ESI /*40817B*/ MOV BYTE PTR DS:[EDI],AL /*40817D*/ INC EDI /*40817E*/ ADD EBX,EBX /*408180*/ JNZ SHORT crackme_.00408189 /*408182*/ MOV EBX,DWORD PTR DS:[ESI] /*408184*/ SUB ESI,-4 /*408187*/ ADC EBX,EBX ReversingLabs Corporation

  30. Reversing in action|Today  Inspect the Sample  Identify the packing shell or compiler PEiD ReversingLabs Corporation

  31. Reversing in action|Today  Unpack the Sample  Execute it to the original entry point OllyDbg ReversingLabs Corporation

  32. Reversing in action|Today  Unpack the Sample  Execute it to the original entry point OllyDbg ReversingLabs Corporation

  33. Reversing in action|Today  Unpack the Sample  Execute it to the original entry point OllyDbg ReversingLabs Corporation

  34. Reversing in action|Today  Unpack the Sample  Dump the process memory LordPE ReversingLabs Corporation

  35. Reversing in action|Today  Unpack the Sample  Fix the import table ImpRec ReversingLabs Corporation

  36. Problems with File analysis  File analysis takes time  Identifying requires keeping up with shells  Shells evolve & have different forms  Analysts get more samples then they can handle  File unpacking takes even more time  Protection “tricks” continue to evolve  Yet, this process can be automated! ReversingLabs Corporation

  37. TitanEngine ReversingLabs Corporation

  38. Fast Reversing|Tomorrow  TitanEngine key features:  Framework designed to work with PE files  SDK has 250 documented functions  Easy automation of all reversing tools  Supports both x86 and x64  Can create:  Static, Dynamic & Generic unpackers  New file analysis tools  Tested on over 150 unpackers  Its free and open source – LGPL3 ! ReversingLabs Corporation

  39. Furious Reversing|Tomorrow  Engine simulates reverse engineer’s presence  Unpacking process has the same steps:  Debugs until entry point  Dumps memory to disk  Collects data for import fixing  Collects data for relocation fixing  Custom fixes (Code splices, Entry point, …) ReversingLabs Corporation

  40. TitanEngine|Content  SDK Contains:  Integrated x86/x64 debugger  Integrated x86/x64 disassembler  Integrated memory dumper  Integrated import tracer & fixer  Integrated relocation fixer  Integrated file realigner  TLS, Resources, Exports... ReversingLabs Corporation

  41. TitanEngine|Debugger  Integrated x86/x64 Debugger  Attach / Detach  Trace, including single stepping  Set several types of breakpoints:  Software (INT3)  Hardware  Memory  Flexible  API  Access debugged file’s context ReversingLabs Corporation

  42. TitanEngine|Debugger  Integrated x86/x64 Debugger  Disassembly instructions  Disassemble a length  Full disassemble  Memory manipulation  Find, Replace, Patch, Fill…  Get call/jump destination  Check if the jump will execute or not  Thread module for thread manipulation  Librarian module for module manipulation ReversingLabs Corporation

  43. TitanEngine|Dumper  Integrated Memory Dumper  Dump memory  Process, regions or modules  Paste PE header from disk to memory  Manipulate file sections  Extract, resort, add, delete & resize  Manipulate file overlay  Find, extract, add, copy & remove ReversingLabs Corporation

  44. TitanEngine|Dumper  Integrated Memory Dumper  Convert addresses  From relative to physical, and vice-versa  Get section number from address  PE header data  Get and set PE header values ReversingLabs Corporation

  45. TitanEngine|Importer  Integrated Import Fixer  Build new import tables on the fly  Get API information  API address in both your & debugged process  DLL to hold API from API address  Remote & local DLL loaded base  API name from address  API Forwarders ReversingLabs Corporation

  46. TitanEngine|Importer  Integrated Import Fixer  Automatic import table functions:  Locate import table in the memory  Fix the import table automatically  Fix import eliminations, automatically  Enumerate and handle import table data  Move import table from one file to another  Load import table from any PE file ReversingLabs Corporation

  47. TitanEngine|Tracer  Integrated Import Tracer  Identify import redirections and eliminations  Fix known import protections  Use integrated tracers to resolve imports  Static disassembly tracer  Static hasher disassembly tracer  Use ImpRec modules to fix redirections ReversingLabs Corporation

  48. TitanEngine|Relocater  Integrated Relocation Fixer  Build new relocation table on the fly  Resolve relocation table  Grab relocation table directly from the process  Make & compare memory snapshots  Remove relocation table from the file  Relocate file to new image base ReversingLabs Corporation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Th F Th F The Fast and the Furious! The Fast and the Furious! t t d th F d th F i i !

Th F Th F The Fast and the Furious! The Fast and the Furious! t t d th F d th F i i !

Genetically Engineered Neuronal Networks: Genetically Engineered Neuronal Networks: Th F Th F The Fast and the Furious! The Fast and the Furious! t t d th F d th F i i ! ! Why Neurons? Why Neurons?

553 views • 29 slides
The Fast (but not furious) TracKer The Fast (but not furious) TracKer for ATLAS: for ATLAS: a

The Fast (but not furious) TracKer The Fast (but not furious) TracKer for ATLAS: for ATLAS: a

The Fast (but not furious) TracKer The Fast (but not furious) TracKer for ATLAS: for ATLAS: a track trigger based on FPGAs and Associative a track trigger based on FPGAs and Associative Memory chips Memory chips Misha Lisovyi with many

597 views • 49 slides
The Department of Justices Operation Fast and Furious Senator Charles E. Grassley, Ranking

The Department of Justices Operation Fast and Furious Senator Charles E. Grassley, Ranking

The Department of Justices Operation Fast and Furious Senator Charles E. Grassley, Ranking Member United States Senate Committee on the Judiciary Before the U.S. House of Representatives Committee on Oversight and Government Reform June 15, 2011

297 views • 13 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Disassemblers Instruction Set Reverse Engineering Agenda Motivation Introduction to the

Disassemblers Instruction Set Reverse Engineering Agenda Motivation Introduction to the

Building Custom Disassemblers Instruction Set Reverse Engineering Agenda Motivation Introduction to the playing field How to obtain byte code Recognizing basic properties of the byte code Implementing an IDA Pro processor

663 views • 52 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda

Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda

Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda Reverse Engineering Primer Approaches to Dynamic Analysis Inline Hooks Advantages Over Other Techniques Usages 2 Reverse Engineering

379 views • 19 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Pierre Surply Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP Controller Scan Chain Pierre Surply Boundary Scan UC3 JTAG EPITA 2016 Reverse engineering Jul

968 views • 72 slides
arXiv:1209.2137v6 [cs.IR] 15 May 2014 SUMMARY In many important applicationssuch as search

arXiv:1209.2137v6 [cs.IR] 15 May 2014 SUMMARY In many important applicationssuch as search

Decoding billions of integers per second through vectorization D. Lemire 1 , L. Boytsov 2 1 LICEF Research Center, TELUQ, Montreal, QC, Canada 2 Carnegie Mellon University, Pittsburgh, Pennsylvania, USA arXiv:1209.2137v6 [cs.IR] 15 May 2014

488 views • 30 slides
CS4617 Computer Architecture Lecture 7: Instruction Set Architectures Dr J Vaughan October 1,

CS4617 Computer Architecture Lecture 7: Instruction Set Architectures Dr J Vaughan October 1,

CS4617 Computer Architecture Lecture 7: Instruction Set Architectures Dr J Vaughan October 1, 2014 1/27 ISA Classification Stack architecture: operands on top of stack Accumulator architecture: 1 operand in ACC, implicitly

643 views • 27 slides
MathWiki 2007 / Logiweb Klaus Grue, grue@diku.dk Senior Software Engineer, Rovsing A/S Rovsing

MathWiki 2007 / Logiweb Klaus Grue, grue@diku.dk Senior Software Engineer, Rovsing A/S Rovsing

MathWiki 2007 / Logiweb Klaus Grue, grue@diku.dk Senior Software Engineer, Rovsing A/S Rovsing does Independent Software Verification and Validation (ISVV) for space agencies and space companies (http://www.rovsing.dk) Logiweb was developed at

939 views • 48 slides
BGP Scanner Isolario BGP-MRT Data Reader: C library & tool Lorenzo Cogotti lorenzo.cogotti

BGP Scanner Isolario BGP-MRT Data Reader: C library & tool Lorenzo Cogotti lorenzo.cogotti

BGP Scanner Isolario BGP-MRT Data Reader: C library & tool Lorenzo Cogotti lorenzo.cogotti < at > alphacogs.com Luca Sani luca.sani < at > isolario.it Isolario Project What is a BGP route collector? Route collectors (RCs) are

1.01k views • 20 slides
Streaming Massive Environments From Zero to 200MPH Chris Tector (Software Architect Turn 10

Streaming Massive Environments From Zero to 200MPH Chris Tector (Software Architect Turn 10

FORZA MOTORSPORT Streaming Massive Environments From Zero to 200MPH Chris Tector (Software Architect Turn 10 Studios) Turn 10 Internal studio at Microsoft Game Studios - we make Forza Motorsport Around 70 full time staff Streaming

880 views • 50 slides
libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios

libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios

Overview Design & Implementation Results & Discussion libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios Portokalidis Kangkook Jee Angelos D. Keromytis Network Security Lab Department of

649 views • 35 slides
Robust PCA Yingjun Wu Preliminary: vector projection Scalar projection of a onto b: a1 could be

Robust PCA Yingjun Wu Preliminary: vector projection Scalar projection of a onto b: a1 could be

Robust PCA Yingjun Wu Preliminary: vector projection Scalar projection of a onto b: a1 could be expressed as: Example b=(10,4) w=(1,0) Preliminary: understanding PCA Preliminary: methodology in PCA Purpose: project a high-dimensional

500 views • 24 slides
Exploring Qualcomm Baseband via ModKit Tencent Blade Team Tencent Security Platform Department

Exploring Qualcomm Baseband via ModKit Tencent Blade Team Tencent Security Platform Department

Exploring Qualcomm Baseband via ModKit Tencent Blade Team Tencent Security Platform Department About Us - Tencent Blade Team A security research team from Tencent Security Platform Department Focus security research on AI, IoT and

388 views • 34 slides

More recommend