oriented re for fun and profit

oriented RE for fun and profit Alexander Matrosov Eugene Rodionov - PowerPoint PPT Presentation

Mar 22, 2024 •112 likes •591 views

HexRaysCodeXplorer: object oriented RE for fun and profit Alexander Matrosov Eugene Rodionov @matrosov @vxradius Agenda C++ Code Reconstruction Problems Show problems on real examples (Flamer) HexRaysCodeXplorer v1.5 [H2HC Edition]

  1. HexRaysCodeXplorer: object oriented RE for fun and profit Alexander Matrosov Eugene Rodionov @matrosov @vxradius

  2. Agenda  C++ Code Reconstruction Problems  Show problems on real examples (Flamer)  HexRaysCodeXplorer v1.5 [H2HC Edition]

  3. C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction  Identify constructors/destructors  Identify class members  Local/global type reconstruction  Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction

  4. C++ Code Reconstruction Problems Class A vfPtr a1() A::vfTable a2() meta A::a1() RTTI Object Locator A::a2() signature pTypeDescriptor pClassDescriptor

  5. C++ Code Reconstruction Problems

  6. REconstructing Flamer Framework

  7. An overview of the Flamer Framework Vector<Consumer> Vector<Command Executor> DB_Query ClanCmd FileCollect Driller GetConfig Mobile Consumer Vector<Task> Cmd Consumer IDLER CmdExec Sniffer Munch FileFinder Lua Consumer Vector<DelayedTasks> Media Share LSS Euphoria Frog Beetlejuice Consumer Supplier Sender http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/

  8. An overview of the Flamer Framework Vector<Consumer> Vector<Command Executor> DB_Query ClanCmd FileCollect Driller GetConfig Mobile Consumer Vector<Task> Cmd Consumer IDLER CmdExec Sniffer Munch FileFinder Lua Consumer Vector<DelayedTasks> Media Share LSS Euphoria Frog Beetlejuice Consumer Supplier Sender http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/

  9. An overview of the Flamer Framework Vector<Consumer> Vector<Command Executor> DB_Query ClanCmd FileCollect Driller GetConfig Mobile Consumer Vector<Task> Cmd Consumer IDLER CmdExec Sniffer Munch FileFinder Lua Consumer Vector<DelayedTasks> Media Share LSS Euphoria Frog Beetlejuice Consumer Supplier Sender http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/

  10. Identify Smart Pointer Structure o Smart pointers o Strings o Vectors to maintain the objects o Custom data types:  wrappers  tasks,  triggers  and etc.

  11. Data Types Being Used: Smart pointers typedef struct SMART_PTR { void *pObject; // pointer to the object int *RefNo; // reference counter };

  12. Identify Smart Pointer Structure

  13. Data Types Being Used: Vectors struct VECTOR { void *vTable; // pointer to the table int NumberOfItems; // self-explanatory int MaxSize; // self-explanatory void *vector; // pointer to buffer with elements }; o Used to handle the objects:  tasks  triggers  etc.

  14. Identify Exact Virtual Function Call in Vtable

  15. Identify Exact Virtual Function Call in Vtable

  16. Identify Custom Type Operations

  17. Data Types Being Used: Strings struct USTRING_STRUCT { void *vTable; // pointer to the table int RefNo; // reference counter int Initialized; wchar_t *UnicodeBuffer; // pointer to unicode string char *AsciiBuffer; // pointer to ASCII string int AsciiLength; // length of the ASCII string int Reserved; int Length; // Length of unicode string int LengthMax; // Size of UnicodeBuffer };

  18. Identify Objects Constructors

  19. Identify Objects Constructors

  20. REconstructing Object’s Attributes

  21. REconstructing Object’s Attributes

  22. REconstructing Object’s Methods

  23. REconstructing Object’s Methods

  24. HexRaysCodeXplorer

  25. HexRaysCodeXplorer v1.0: released in 2013 at REcon

  26. HexRaysCodeXplorer Features o Hex-Rays decompiler plugin o The plugin was designed to facilitate static analysis of:  object oriented code  position independent code o The plugin allows to:  navigate through decompiled virtual methods  partially reconstruct object type

  27. Hex-Rays Decompiler Plugin SDK o At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure

  28. Hex-Rays Decompiler Plugin SDK o At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure

  29. Hex-Rays Decompiler Plugin SDK citem_t o Type citem_t is a base class for:  cexpr_t – expression type cexpr_t cinsn_t  cinsn_t – statement type o Expressions have attached type information o Statements include:  block, if, for, while, do, switch, return, goto, asm o Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t

  30. Hex-Rays Decompiler Plugin SDK citem_t o Type citem_t is a base class for:  cexpr_t – expression type cexpr_t cinsn_t  cinsn_t – statement type o Expressions have attached type information o Statements include:  block, if, for, while, do, switch, return, goto, asm o Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t

  31. DEMO time :)

  32. HexRaysCodeXplorer: Gapz Position Independent Code

  33. HexRaysCodeXplorer: Virtual Methods  The IDA’s ‘Local Types’ is used to represent object type

  34. HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods

  35. HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods

  36. HexRaysCodeXplorer: Object Type REconstruction o Hex- Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor) o Input :  pointer to the object instance  object initialization routine entry point o Output :  C structure-like object representation

  37. HexRaysCodeXplorer: Object Type REconstruction  citem_t objects to monitor:  memptr  call (LOBYTE, etc.)  idx  memref

  38. HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;

  39. HexRaysCodeXplorer v1.5 [H2HC Edition] o New citem_t objects to monitor:  memptr  idx  memref  call (LOBYTE, etc.)  ptr, asg , …

  40. HexRaysCodeXplorer v1.5 [H2HC Edition] o New citem_t objects to monitor:  memptr  idx  memref  call (LOBYTE, etc.)  ptr, asg , … o Type propagation for nested function calls

  41. HexRaysCodeXplorer v1.5 [H2HC Edition] o Features of v1.5 [H2HC Edition] :  Better Type Reconstruction • Improvements for parsing citem_t objects with PTR and ASG statements • Recursive traversal of Ctree to reconstruct Types hierarchy  Navigate from Pseudo code window to Disassembly line  Hints for Ctree elements which point to Disassembly line  Support for x64 version of Hex-Rays Decompiler  Some bug fixes by user requests

  42. DEMO time :)

  43. HexRaysCodeXplorer: -> What are the next goals? o Develop the next version on IdaPython o Focus on the following features:  Type reconstruction (C++, Objective-C)  Type Navigation (C++, Objective-C)  Vtables parsing based on Hex-Rays API  Ctree graph navigation improvements  Patterns for possible vuln detection

  44. Why python?

  45. Python Arsenal Contest  Best exploit dev tool/plugin/lib  Best forensics tool/plugin/lib  Best reversing tool/plugin/lib  Best fuzzing tool/plugin/lib  Best malware analysis tool/plugin/lib http://2014.zeronights.org/contests/python-arsenal-contest.html

  46. Thank you for your attention! HexRaysCodeXplorer http://REhints.com @REhints https://github.com/REhints/HexRaysCodeXplorer

Recommend

Finger Pointing for Fun, Finger Pointing for Fun, Profit and War? Profit and War? Profit and

Finger Pointing for Fun, Finger Pointing for Fun, Profit and War? Profit and War? Profit and

Finger Pointing for Fun, Finger Pointing for Fun, Profit and War? Profit and War? Profit and War? Profit and War? Tom Parker Tom Parker tom.at.rooted.dot.net tom.at.rooted.dot.net om.at.rooted.dot.net om.at.rooted.dot.net Quick

401 views • 37 slides
Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun

Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun

Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for

1.07k views • 72 slides
Water Quality Fun Book ter Quality Fun Book Water Quality Fun Book ater Quality Fun Book Join

Water Quality Fun Book ter Quality Fun Book Water Quality Fun Book ater Quality Fun Book Join

Water Quality Fun Book ter Quality Fun Book Water Quality Fun Book ater Quality Fun Book Join Grover in the fight against poo- -lution! lution! Join Grover in the fight against poo G rover the Dog gets grouchy when he sees poo-lluted wa-

644 views • 12 slides
Object oriented Object oriented Object oriented Object oriented approach and UML approach and

Object oriented Object oriented Object oriented Object oriented approach and UML approach and

Object oriented Object oriented Object oriented Object oriented approach and UML approach and UML approach and UML approach and UML Goals The goals of this chapter are to introduce the object oriented approach to software systems

1.06k views • 92 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views • 62 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit ... overflow direction / higher addresses int main(int argc, char **argv) buf { stack growth char buf[0x10]; gets(buf); saved return address

911 views • 13 slides
NON NON- -PROFIT SUPPORT PROFIT SUPPORT NON NON - - PROFIT SUPPORT PROFIT SUPPORT FOR

NON NON- -PROFIT SUPPORT PROFIT SUPPORT NON NON - - PROFIT SUPPORT PROFIT SUPPORT FOR

NON NON- -PROFIT SUPPORT PROFIT SUPPORT NON NON - - PROFIT SUPPORT PROFIT SUPPORT FOR RESEARCH FOR RESEARCH FOR RESEARCH FOR RESEARCH Daniel L. Goroff Alfred P. Sloan Foundation Vice President &amp; Program Director Views expressed

627 views • 52 slides
for Fun and Profit Lu Guanqun Intel Corporation Why? The market is big! 3 Famous games apps

for Fun and Profit Lu Guanqun Intel Corporation Why? The market is big! 3 Famous games apps

Write Your Angry Bird Game on Tizen for Fun and Profit Lu Guanqun Intel Corporation Why? The market is big! 3 Famous games apps 4 Playing games is fun. Developing a game is more fun. 5 How? Native app vs Web app

571 views • 29 slides
Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source

Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source

Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source Project Rod Whitby &lt;rod@whitby.id.au&gt; NSLU2-Linux Project Lead Hacking Consumer Devices for Fun and Profit 5. Official Kernel Support 1.

285 views • 26 slides
Anna Satsiou, CERTH AIM PROFIT Playground Technology Advancements of PROFIT

Anna Satsiou, CERTH AIM PROFIT Playground Technology Advancements of PROFIT

Anna Satsiou, CERTH AIM PROFIT Playground Technology Advancements of PROFIT PROFIT Use Scheme PROFIT Target Users COLLECTIVE COMMUNITY AWARENESS Subscribe to our newsletter PROFIT Team 1st Int.

455 views • 13 slides
MAGNETIC TRAINING SOLUTIONS MAKING TRAINING STICK We make the boring things fun. And the fun

MAGNETIC TRAINING SOLUTIONS MAKING TRAINING STICK We make the boring things fun. And the fun

MAGNETIC TRAINING SOLUTIONS MAKING TRAINING STICK We make the boring things fun. And the fun things even more fun. Bei eing ng a be a bett tter er YO YOU! U! Do you have positive or negative biases when thinking about any of these

456 views • 35 slides
Gdel Hashing matt.might.net @mattmight Disclaimer simple, fun idea simple, fun

Gdel Hashing matt.might.net @mattmight Disclaimer simple, fun idea simple, fun

Gdel Hashing matt.might.net @mattmight Disclaimer simple, fun idea simple, fun idea works well in practice, simple, fun idea works well in practice, but theory says it will not. An old problem An

2.43k views • 151 slides
Shorting for Fun and Profit Nah, Just Profit Michael Shulman Editor, ChangeWave Shorts and

Shorting for Fun and Profit Nah, Just Profit Michael Shulman Editor, ChangeWave Shorts and

Shorting for Fun and Profit Nah, Just Profit Michael Shulman Editor, ChangeWave Shorts and Author, Sell Short April 2009 Fundamental Shorting A trade, using a put based on the fundamentals of a company and its stock A faster way to

724 views • 25 slides
Comp-304 : Object-Oriented Design What do is mean to be Object Oriented? Computer Science McGill

Comp-304 : Object-Oriented Design What do is mean to be Object Oriented? Computer Science McGill

Comp-304 : Object-Oriented Design What do is mean to be Object Oriented? Computer Science McGill University Fall 2008 What does it mean to be OO? What are the characteristics of Object Oriented programs? What does Object Oriented

962 views • 59 slides
Pharo Simply S. Ducasse and M. Denker http://www.pharo-project.org Pharo Pure object language

Pharo Simply S. Ducasse and M. Denker http://www.pharo-project.org Pharo Pure object language

Pharo Simply S. Ducasse and M. Denker http://www.pharo-project.org Pharo Pure object language Great community of active doers Powerful Elegant and fun to program Living system under your fingers VM running on MacOSX, linux, Windows

1.14k views • 54 slides
The Pharo Roadmap M. Denker and S. Ducasse http://www.pharo-project.org Create an ecosystem

The Pharo Roadmap M. Denker and S. Ducasse http://www.pharo-project.org Create an ecosystem

The Pharo Roadmap M. Denker and S. Ducasse http://www.pharo-project.org Create an ecosystem where business/innovation can bloom Some Pharos success stories Seaside.st Yesplan.be, netstyle.ch Pier , DrGeo Cmsbox.ch : Content Management

870 views • 39 slides
Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information

Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information

Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose of teaching how reverse engineering works. Use your mad skillz only in CTFs or other situations in which you are

1.19k views • 65 slides
OCaml Workshop 2020-08-28 Seb Mondet, TQ Tezos The Who Software Engineer at TQ Tezos Improve

OCaml Workshop 2020-08-28 Seb Mondet, TQ Tezos The Who Software Engineer at TQ Tezos Improve

OCaml Workshop 2020-08-28 Seb Mondet, TQ Tezos The Who Software Engineer at TQ Tezos Improve Tezos Ecosystem Smart Contracts. Helping partners get up to speed and build on Tezos. Standardization efgorts. Contribute to tooling, incl.

652 views • 26 slides
Alspachs cycle decomposition problem for multigraphs Daniel Horsley (Monash University) Joint

Alspachs cycle decomposition problem for multigraphs Daniel Horsley (Monash University) Joint

Alspachs cycle decomposition problem for multigraphs Daniel Horsley (Monash University) Joint work with Darryn Bryant, Barbara Maenhaut and Ben Smith (University of Queensland) Part 1: Alspachs problem Cycle decompositions of complete

970 views • 63 slides
But y ou can't c hec k the FD ! in AB C these relations. 1 Example = street ,

But y ou can't c hec k the FD ! in AB C these relations. 1 Example = street ,

3NF One FD structure causes problems: If y ou decomp ose, y ou can't c hec k the FD's in the decomp osed relations. If y ou don't decomp ose, y ou violate BCNF. Abstractly: ! and ! . AB C C B

372 views • 19 slides
Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink Giovambattista Ianni Thomas Krennwallner Peter Schller KBS Group Institut fr Informationssysteme, Technische Universitt Wien

606 views • 50 slides
Decomposition of Permutations in a Finite Field SVETLA NIKOVA 1 , VENTZISLAV NIKOV 2 , AND VINCENT

Decomposition of Permutations in a Finite Field SVETLA NIKOVA 1 , VENTZISLAV NIKOV 2 , AND VINCENT

Decomposition of Permutations in a Finite Field SVETLA NIKOVA 1 , VENTZISLAV NIKOV 2 , AND VINCENT RIJMEN 1 1 IMEC COSIC, KU LEUVEN, BELGIUM 2 NXP SEMICONDUCTORS, BELGIUM Decomposition of Permutations in relation to Side Channel

415 views • 15 slides

More recommend