keypatch binary patcher for ida pro
play

KEYPATCH: binary patcher for IDA Pro - PowerPoint PPT Presentation

Jun 04, 2023 •137 likes •418 views

KEYPATCH: binary patcher for IDA Pro http://keystone-engine.org/keypatch NGUYEN Anh Quynh <aquynh -at- gmail.com> Trada hacking - 16/9/2016 1 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro Who am I Nguyen Anh Quynh, aquynh

  1. KEYPATCH: binary patcher for IDA Pro http://keystone-engine.org/keypatch NGUYEN Anh Quynh <aquynh -at- gmail.com> Trada hacking - 16/9/2016 1 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  2. Who am I Nguyen Anh Quynh, aquynh -at- gmail.com ◮ Nanyang Technological University, Singapore ◮ PhD in Computer Science ◮ Operating System, Virtual Machine, Binary analysis, etc ◮ Capstone disassembler: http://capstone-engine.org ◮ Unicorn emulator: http://unicorn-engine.org ◮ Keystone assembler: http://keystone-engine.org 2 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  3. Binary patching CrackMe, CTF challenges Malware analysis Modify binary without source code :-) 3 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  4. URLZone Banking Trojan 4 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  5. IDA Pro https://www.hex-rays.com De-facto binary analysis tool Extendable with plugin SDK (C, Python) 5 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  6. Built-in binary patcher of IDA Modify binary code with menu "Edit | Patch program | Assemble..." Save changes permanently to binary file ◮ Menu "Edit | Patch program | Apply patches to input file..." 6 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  7. How it work? 7 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  8. Problems of IDA built-in binary patcher 8 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  9. Keypatch Solution 9 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  10. Keystone == Next Generation Assembler Framework 10 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  11. Assembler framework Definition Compile assembly instructions & returns encoding as sequence of bytes ◮ Ex: inc EAX → 40 May support high-level concepts such as macro, function, etc Framework to build apps on top of it Applications Dynamic machine code generation ◮ Binary rewrite ◮ Binary searching 11 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  12. Good assembler framework? True framework ◮ Embedded into tool without resorting to external process Multi-arch ◮ X86, Arm, Arm64, Mips, PowerPC, Sparc, etc Updated ◮ Keep up with latest CPU extensions Multi-platform ◮ *nix, Windows, Android, iOS, etc Bindings ◮ Python, Ruby, Go, NodeJS, etc 12 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  13. Existing assembler frameworks Nothing is up to our standard, even in 2016! ◮ Yasm: X86 only, no longer updated ◮ Intel XED: X86 only, miss many instructions & closed-source ◮ Other important archs: Arm, Arm64, Mips, PPC, Sparc, etc? 13 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  14. Life without assembler frameworks? People are very much struggling for years! ◮ Use existing assembler tool to compile assembly from file ◮ Call linker to link generated object file ◮ Use executable parser (ELF) to parse resulted file for final encoding Ugly and inefficient Little control on the internal process & output Cross-platform support is very poor 14 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  15. "If not now, then when? If not you, then who?" - Kailash Satyarthi 15 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  16. 16 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  17. Timeline Indiegogo campaign started on March 17th, 2016 (for 3 weeks) ◮ 99 contributors, 4 project sponsors Beta code released to beta testers on April, 2016 ◮ Only Python binding available at this time Version 0.9 released on May, 2016: http://keystone-engine.org ◮ More bindings by beta testers: NodeJS, Ruby, Go & Rust Version 0.9.1 released on July 27th, 2016 ◮ 2 more bindings: Haskell & OCaml 17 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  18. Keystone engine True framework ◮ Embedded into tool without resorting to external process Multi-arch ◮ X86, Arm, Arm64, Mips, PowerPC, Sparc, Hexagon, SystemZ Updated ◮ Keep up with latest CPU extensions Multi-platform ◮ *nix, Windows, Android, iOS, etc C++ core & multi-bindings ◮ Python, Ruby, Go, NodeJS, OCaml, Rust, Haskell Support various X86 undocumented instructions Compact & lightweight: 10x smaller than LLVM 18 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  19. Keypatch binary patcher for IDA 19 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  20. Keypatch Co-developed with Thanh Nguyen (VNSecurity.net) Open source IDA plugin http://keystone-engine.org/keypatch Tool for assembling & patching in IDA Built on top of Keystone assembler framework ◮ Version 1.0 released at BlackHat USA 2016, August 4th, 2016 ◮ Version 2.0 released on September 14th, 2016 ◮ Version 2.0.1 released on September 15th, 2016 20 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  21. Keypatch - Patcher 21 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  22. Keypatch - Fill Range 22 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  23. Keypatch - Assembler 23 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  24. Keypatch vs IDA’s built-in patcher More friendly ◮ Code preview ◮ Padding NOPs automatically ◮ Logging modifications ◮ Fill a range of selected code ◮ Assembler (do not modify) ◮ Revert (undo) Support 8 architectures ◮ Arm, Arm64, Hexagon, Mips, PowerPC, Sparc, SystemZ, X86 ◮ X86 support is fantastic Open source 24 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  25. Conclusions Keypatch is a superior binary patcher for IDA ◮ Multi-arch + multi-platform ◮ Feature-rich & friendly ◮ Open source Looking for new contributors for our open source projects ◮ Keypatch + Keystone engine ◮ Capstone engine + Unicorn engine 25 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  26. 26 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  27. References Keypatch: http://keystone-engine.org/keypatch Keystone assembler ◮ Homepage: http://keystone-engine.org ◮ Twitter: @keystone_engine ◮ Github: http://github.com/keystone-engine/keystone ◮ Mailing list: http://freelists.org/list/keystone-engine 27 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  28. Questions and answers KEYPATCH: binary patcher for IDA Pro http://keystone-engine.org/keypatch NGUYEN Anh Quynh <aquynh -at- gmail.com> 28 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Patcher Case Peter Kruse (pkr@csis.dk), Head of CSIS eCrime and Research &amp;

The Patcher Case Peter Kruse (pkr@csis.dk), Head of CSIS eCrime and Research &amp;

eCrime unit The Patcher Case Peter Kruse (pkr@csis.dk), Head of CSIS eCrime and Research &amp; Intelligence Unit PGP-ID: 0x715FB4BD eCrime unit Agenda Patcher What is Patcher? Patcher naming? Man in The Browser functions

290 views • 25 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal Hexadecimal to binary Hexadecimal to Decimal Binary addition Binary subtraction Binary shift Decimal to Binary 146d = ????????b 146/2

91 views • 7 slides
Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents on Fun Facts Why 10 digits? Because and the 0 represents off people typically have 10 fingers and 10 toes, making it easy for counting! 2

119 views • 10 slides
Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next assignment) DE DEPARTMENT OF OF COM OMPUTER S SCIENCE &amp; &amp; SO SOFTW TWARE RE E ENGINEERI RING PI PICN CNIC SA SATU TURD RDAY

709 views • 41 slides
Binary Search Trees A binary search tree is a binary tree T such that - each internal node

Binary Search Trees A binary search tree is a binary tree T such that - each internal node

AVL T REES Binary Search Trees AVL Trees AVL Trees 1 Binary Search Trees A binary search tree is a binary tree T such that - each internal node stores an item (k, e) of a dictionary. - keys stored at nodes in the left subtree of

547 views • 26 slides
Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2

Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2

Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2 child elements left child sorts less, right more, than parent tree has a depth tree has a balance, comparing depths of its left and right

305 views • 5 slides
Negative Numbers and Binary operations Eric McCreath Binary Addition Adding binary numbers is

Negative Numbers and Binary operations Eric McCreath Binary Addition Adding binary numbers is

Negative Numbers and Binary operations Eric McCreath Binary Addition Adding binary numbers is very similar to how you would add large decimal numbers in primary school It involves positioning the numbers such that the columns line up in their

562 views • 10 slides
Binary Trees Parts of a binary tree A binary tree is composed of zero or more nodes Each

Binary Trees Parts of a binary tree A binary tree is composed of zero or more nodes Each

Binary Trees Parts of a binary tree A binary tree is composed of zero or more nodes Each node contains: A value (some sort of data item) A reference or pointer to a left child (may be null ), and A reference or pointer to a

653 views • 14 slides
Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 +

Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 +

Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 + 3x1 = 7x10 2 + 2x10 1 + 3x10 0 Binary Numbers 5349 = 5x10 3 + 3x10 2 + 4x10 1 + 9x10 0 Binary Numbers Why base 10? Binary Numbers 257 (base 8)

1.23k views • 75 slides
Extending Binary Linear Classification One-Versus-All Classification (OVA) } In the presence of

Extending Binary Linear Classification One-Versus-All Classification (OVA) } In the presence of

Binary and Other Classification } We will generally discuss binary classifiers, which divide data into one of two classes } Linear classifiers as presented in last lecture are inherently binary, defining the classes based on two regions,

336 views • 7 slides
(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

Welcome back! In the last session, we started to look at computers and coding, and explored the computer language binary. Can anyone remember what binary code looks like? (Binary code is a series of digits, that are either ones or zeros.

402 views • 25 slides
/ + - * * 5 3 2 6 5 2 Examples Binary Trees BSTs Augmenting BinExpr General Trees

/ + - * * 5 3 2 6 5 2 Examples Binary Trees BSTs Augmenting BinExpr General Trees

Trees Readings: HtDP , sections 14, 15, 16. Topics: Introductory examples and terminology Binary trees Binary search trees Augmenting trees Binary expression trees General arithmetic expression trees Nested lists Examples Binary Trees

1.19k views • 31 slides
Formal Models of Language Paula Buttery Dept of Computer Science &amp; Technology, University of

Formal Models of Language Paula Buttery Dept of Computer Science &amp; Technology, University of

Formal Models of Language Paula Buttery Dept of Computer Science &amp; Technology, University of Cambridge Paula Buttery (Computer Lab) Formal Models of Language 1 / 26 Recap: We said LR shift-reduce parser wasnt a good fit for natural

791 views • 26 slides
Thank you, sponsors Our online sponsors PLATINUM GOLD 1 6/28/2016 TOP 4 LOW COST CONDENSER

Thank you, sponsors Our online sponsors PLATINUM GOLD 1 6/28/2016 TOP 4 LOW COST CONDENSER

6/28/2016 OPTIMIZING CONDENSER PERFORMANCE Presented by: Rob Travis, P.E. 1 Thank you, sponsors Our online sponsors PLATINUM GOLD 1 6/28/2016 TOP 4 LOW COST CONDENSER ACTION ITEMS 1. Reduce Condensing Pressure 2. Enable Wet Bulb

604 views • 7 slides
Applicable Flight Accidents Azerbaijan Airlines Flight 217 22:40 December 23 rd 2005. Instrument

Applicable Flight Accidents Azerbaijan Airlines Flight 217 22:40 December 23 rd 2005. Instrument

Applicable Flight Accidents Azerbaijan Airlines Flight 217 22:40 December 23 rd 2005. Instrument Failure Antonov AN 140 100 Crashed in the Caspian Sea near Nardaran 18 Passengers 5 Crew with 23 Fatalities After climbing to 6900ft

392 views • 12 slides
Key Action 2. Global Change, Climate and Biodiversity 2.4 European component of the global

Key Action 2. Global Change, Climate and Biodiversity 2.4 European component of the global

Key Action 2. Global Change, Climate and Biodiversity 2.4 European component of the global observing system 2.4.1 Better exploitation of existing data and adaptation of existing observing systems Project Duration March 2000 February 2003

1.04k views • 9 slides
Bridging the ROUGE/Human Evaluation Gap in Multi- Document Summarization John M. Conroy Judith

Bridging the ROUGE/Human Evaluation Gap in Multi- Document Summarization John M. Conroy Judith

Bridging the ROUGE/Human Evaluation Gap in Multi- Document Summarization John M. Conroy Judith D. Schlesinger IDA Center for Computing Sciences,USA Dianne P. OLeary University of Maryland, College Park, USA Outline CLASSY 07

429 views • 22 slides
BinCAT Purrfecting binary static analysis 8 juin 2017 Philippe Biondi, Raphal Rigo, Sarah

BinCAT Purrfecting binary static analysis 8 juin 2017 Philippe Biondi, Raphal Rigo, Sarah

BinCAT Purrfecting binary static analysis 8 juin 2017 Philippe Biondi, Raphal Rigo, Sarah Zennou, Xavier Mehrenberger Plan Introduction Dmonstration Sous le capot Conclusion 2 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT Plan

875 views • 66 slides
Homotopy-theoretic aspects of Martin-L of type theory Nicola Gambino University of Palermo

Homotopy-theoretic aspects of Martin-L of type theory Nicola Gambino University of Palermo

Homotopy-theoretic aspects of Martin-L of type theory Nicola Gambino University of Palermo visiting The University of Manchester Logic Colloquium Paris July 30th, 2010 Background Identity types: for a type A and a , b A , we have

652 views • 31 slides
An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter Matula Senior software developer @Avast (previously @AVG) Main developer of the RetDec decompiler Developing reversing tools for 6

1k views • 34 slides

More recommend