recon 2010 montreal
play

RECON 2010 - Montreal Metasm Tracer MSR NIC Plan Metasm 1 - PowerPoint PPT Presentation

Feb 23, 2024 •256 likes •508 views

Metasm Feelings Alexandre Gazet Yoann Guillot Sogeti / ESEC R&D Sogeti / ESEC R&D alexandre.gazet(at)sogeti.com yoann.guillot(at)sogeti.com RECON 2010 - Montreal Metasm Tracer MSR NIC Plan Metasm 1 Tracer 2 MSR 3 NIC 4

  1. Metasm Feelings Alexandre Gazet Yoann Guillot Sogeti / ESEC R&D Sogeti / ESEC R&D alexandre.gazet(at)sogeti.com yoann.guillot(at)sogeti.com RECON 2010 - Montreal

  2. Metasm Tracer MSR NIC Plan Metasm 1 Tracer 2 MSR 3 NIC 4 A. Gazet, Y. Guillot Metasm Feelings 2/25

  3. Metasm Tracer MSR NIC Metasm: prends-moi opensource (LGPL) full ruby http://metasm.cr0.org/ extensible scriptable full interactive documentation over IRC 1 yadda yadda 1irc://freenode/metasm A. Gazet, Y. Guillot Metasm Feelings 3/25

  4. Metasm Tracer MSR NIC Main features Cross-arch assembler Disassembler Intelligent Emulation Instruction semantics Debugger Linux Win32 GDBServer C Parser C Compiler Decompiler xtrem GUI A. Gazet, Y. Guillot Metasm Feelings 4/25

  5. Metasm Tracer MSR NIC Target architectures OS Windows Linux Arch X86 X64 ARM MIPS PowerPC Sh4 A. Gazet, Y. Guillot Metasm Feelings 5/25

  6. Metasm Tracer MSR NIC Previous works Mainly static analysis of software protections: Deobfuscation Devirtualisation SSTIC (fr) - challenges ( T2 2007, poeut, . . . ) HITB 2009 - realworld software protection Check the papers (with translation) on http://metasm.cr0.org/ Trainings (CSW, HITB) A. Gazet, Y. Guillot Metasm Feelings 6/25

  7. Metasm Tracer MSR NIC Sample uses r e q u i r e ’ metasm ’ i n c l u d e Metasm np = OS. c u r r e n t . f i n d p r o c e s s ( ’ notepad ’ ) # read the v i r t u a l memory of a running p r o c e s s p np . memory [0 x40000 , 0x200 ] # i n j e c t a s h e l l c o d e sc = S h e l l c o d e . assemble ( Ia32 . new , ’ ’ jmp esp ’ ’ ) . e n c o d e s t r i n g np . memory [0 x40000 , sc . l e n g t h ] = sc A. Gazet, Y. Guillot Metasm Feelings 7/25

  8. Metasm Tracer MSR NIC Sample uses r e q u i r e ’ open − u r i ’ puts ’ ’ r e t r i e v i n g source code . . . ’ ’ html = open ( ’ http :// recon . cx /2010/ cfp . html ’ ) . read source = html [ / unsigned . ∗\} /m ] abort ’ ’ no source found : ( ’ ’ i f not source e l f = Metasm : : ELF . c o m p i l e c ( Metasm : : Ia32 . new , source ) e l f . e n c o d e s t r i n g ; e l f . decode dasm = e l f . d i s a s s e m b l e r # s e l f m o d i f y plugin , handles t r i v i a l decoding l o o p s dasm . l o a d p l u g i n ’ s e l f m o d i f y ’ w = Metasm : : Gui : : DasmWindow . new ( ’ recon − cfp ’ , dasm , ’ buf ’ ) Metasm : : Gui . main A. Gazet, Y. Guillot Metasm Feelings 8/25

  9. Metasm Tracer MSR NIC Plan Metasm 1 Tracer 2 MSR 3 NIC 4 A. Gazet, Y. Guillot Metasm Feelings 9/25

  10. Metasm Tracer MSR NIC Trace engine Scriptable debugger High level API: ⇒ bpx() , stepover() , etc. Disassembler: code graph Building tools Block-by-block trace algorithm implemented using the API ⇒ can be used on any supported target Database support for free with rubygems a ⇒ Trivial to store execution traces a Currently using DataMapper A. Gazet, Y. Guillot Metasm Feelings 10/25

  11. Metasm Tracer MSR NIC Trace visualization Scriptable GUI as well Execution path coloring Possible to add controls: trace selection, etc. Advanced data manipulation Trace “replay” Trace diffing A. Gazet, Y. Guillot Metasm Feelings 11/25

  12. Metasm Tracer MSR NIC Demo Trace creation Trace diffing Trace replay A. Gazet, Y. Guillot Metasm Feelings 12/25

  13. Metasm Tracer MSR NIC Plan Metasm 1 Tracer 2 MSR 3 NIC 4 A. Gazet, Y. Guillot Metasm Feelings 13/25

  14. Metasm Tracer MSR NIC MSR debug registers Hardware registers from processors ( Intel / AMD ) Branch tracing MSR: IA32 DEBUGCTL (0x1D9) Can trigger an INT1 whenever a branch is taken with TF set Implementation for WinXP in 2006 by Pedram Amini ( NtSystemDebugControl ) Branch Tracing with Intel MSR Registers 2 Same concepts can be applied on Windows 7 through the KD module 3 : Issue IOCTL s to \\ . \ kldbgdrv device Need to boot with / DEBUG option 2 http://www.openrce.org/blog/view/535/Branch_Tracing_with_Intel_MSR_Registers 3 http://www.ivanlef0u.tuxfamily.org/?p=382 A. Gazet, Y. Guillot Metasm Feelings 14/25

  15. Metasm Tracer MSR NIC DynLdr We’d like to call Kernel32!DeviceIOControl() from our ruby script DynLdr DynLdr is a Metasm component to generate ruby bindings from C headers Handles arbitrary C function prototypes (incl. stdcall) Handles most numeric macros/enums Wrapper for C structures A. Gazet, Y. Guillot Metasm Feelings 15/25

  16. Metasm Tracer MSR NIC MSR: C definitions c l a s s MSR < Metasm : : DynLdr new api c < EOS < t y p e d e f s t r u c t KLDBG { SYSDBG COMMAND DbgCommandClass ; PVOID DbgCommand ; DWORD DbgCommandLen ; } KLDBG, ∗ PKLDBG; t y p e d e f enum SYSDBG COMMAND { SysDbgReadVirtual = 8 , SysDbgWriteVirtual = 9 , SysDbgReadMsr = 16 , SysDbgWriteMsr = 17 , } HANDLE WINAPI OpenServiceA ( HANDLE hSCManager , LPCSTR lpServiceName , DWORD dwDesiredAccess ) ; EOS end A. Gazet, Y. Guillot Metasm Feelings 16/25

  17. Metasm Tracer MSR NIC MSR: from Ruby to kernel device def readmsr ( addr ) msr = a l l o c c s t r u c t ( ’SYSDBG MSR ’ , ’ msraddress ’ = > addr ) kldbg = a l l o c c s t r u c t ( ’KLDBG ’ ) kldbg [ ’ dbgcommandclass ’ ] = SYSDBGREADMSR kldbg [ ’ dbgcommand ’ ] = msr kldbg [ ’ dbgcommandlen ’ ] = msr . l e n g t h lpBytesReturned = 0. chr ∗ 8 d e v i c e i o c o n t r o l ( @hdevice , IOCTL , kldbg , kldbg . length , \ msr , msr . length , lpBytesReturned , NULL) return msr [ ’ data ’ ] end A. Gazet, Y. Guillot Metasm Feelings 17/25

  18. Metasm Tracer MSR NIC Glue the bricks together Tweak debugger’s interpretation of INT1 Handle trap flag logic Add support for MSR : Load kldbgdrv driver Read/Write the IA32 DEBUGCTL MSR Integrate within Bintrace module Keep in mind that MSR are core-specific on SMP systems ⇒ OMGWTFBBQ Port to Linux MSR interaction trivial, via mainline msr LKM creates char device: /dev/cpu/*/msr ∼ 30 lines of Ruby code A. Gazet, Y. Guillot Metasm Feelings 18/25

  19. Metasm Tracer MSR NIC Demo Branch tracing of hostname.exe A. Gazet, Y. Guillot Metasm Feelings 19/25

  20. Metasm Tracer MSR NIC Plan Metasm 1 Tracer 2 MSR 3 NIC 4 A. Gazet, Y. Guillot Metasm Feelings 20/25

  21. Metasm Tracer MSR NIC Broadcom NIC firmware Runs on the card Independant MIPS processor Dedicated ram&flash Controlled from host through MMIO Already examined by Perez&Duflot (CSW10) (custom-designed lowlevel interface) Guillaume Delugr´ e, from our lab, has done similar works a custom LKM exposes a char device read/write to card memory space via a cli interface set breakpoints, read regs, etc. through MMIO A. Gazet, Y. Guillot Metasm Feelings 21/25

  22. Metasm Tracer MSR NIC NICDBG Metasm comes with a MIPS disassembler ⇒ Get a disassembler/debugger GUI for free Include Bintrace modules in the debugger ⇒ Record live trace of execution A. Gazet, Y. Guillot Metasm Feelings 22/25

  23. Metasm Tracer MSR NIC Demo NIC debugging Trace card initialisation routines A. Gazet, Y. Guillot Metasm Feelings 23/25

  24. Metasm Tracer MSR NIC Conclusion Metasm is good for you Covers lots of everyday reversing tasks Avoid reinventing the wheel Plan, do, check, act The tracing module will be published soon 4 Thanks to Guillaume & Ivan for their work all the lab for their feedback bruce & natron for IRC animation 4 http://esec.fr.sogeti.com/blog/ A. Gazet, Y. Guillot Metasm Feelings 24/25

  25. Metasm Tracer MSR NIC KTHXBYE Questions ? http://metasm.cr0.org/ http://esec.fr.sogeti.com/blog/ A. Gazet, Y. Guillot Metasm Feelings 25/25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ARM EDITION Matt Spisak REcon 2016, Montreal RECON 2016 ABOUT Offense-based approach to

ARM EDITION Matt Spisak REcon 2016, Montreal RECON 2016 ABOUT Offense-based approach to

HARDWARE-ASSISTED ROOTKITS &amp; INSTRUMENTATION: ARM EDITION Matt Spisak REcon 2016, Montreal RECON 2016 ABOUT Offense-based approach to security and hunting adversaries Research thrusts in malware, threat intel, data science, and

1.4k views • 81 slides
FreeCalypso A fully liberated GSM baseband Mychaela Falconia REcon Montreal 2017 The problem of

FreeCalypso A fully liberated GSM baseband Mychaela Falconia REcon Montreal 2017 The problem of

FreeCalypso A fully liberated GSM baseband Mychaela Falconia REcon Montreal 2017 The problem of the baseband Proprietary baseband/modem/radio processors are an insult to personal computing freedom The problem is even worse for those

1.09k views • 19 slides
How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email:

How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email:

How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email: sebastian.porst@zynamics.com Twitter: @LambdaCube 1 Targeted Attacks 2008 Adobe Acrobat Reader; 28.61% Microsoft Word; 34.55% Microsoft PowerPoint; 16.87%

944 views • 52 slides
The Montreal case The Montreal case 1 The Montreal case The Montreal case 2 Montreal 1992

The Montreal case The Montreal case 1 The Montreal case The Montreal case 2 Montreal 1992

The Montreal case The Montreal case 1 The Montreal case The Montreal case 2 Montreal 1992 Montreal 19922012 : Waterrelated investments related investments Value ($) $ / yr $ / yr Life expectancy (yrs) 30G$ 300M$ / yr 300M$ / yr 100

900 views • 17 slides
IEEE PES SUBSTATIONS COMMITTEE ANNUAL MEETING MONTREAL May 17 - 20, 2010 2010 Substations

IEEE PES SUBSTATIONS COMMITTEE ANNUAL MEETING MONTREAL May 17 - 20, 2010 2010 Substations

IEEE PES SUBSTATIONS COMMITTEE ANNUAL MEETING MONTREAL May 17 - 20, 2010 2010 Substations Committee Status Report 1 SUBSTATIONS COMMITTEE OFFICERS (2009 2010) Chair Hermann J. Koch Siemens Vice Chair John D. Randolph Pacific

873 views • 27 slides
Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target brendangates The Target Meriac (2010), Churchill Legacy ICLASS Introduced in 2007 Broken in 2010 Master key on every reader Security

682 views • 44 slides
Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015 Montreal, QC. Overview W.t.f is side-channel power analysis (again) Example: IEEE 802.15.4 Node Example: AES-256 Bootloader W.t.f.

633 views • 47 slides
Charting our I nternational Future : A Competitive Greater Montreal ISRN Annual Meeting Yves

Charting our I nternational Future : A Competitive Greater Montreal ISRN Annual Meeting Yves

Charting our I nternational Future : A Competitive Greater Montreal ISRN Annual Meeting Yves Charette Greater Montreal Economic Development Coordinator Toronto, May 5 th , 2010 Montreal Metropolitain Community at a glance 82 Local

269 views • 16 slides
Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July, 2010 Sunday, July 25, 2010 Brief Introduction 8, 16-bit Embedded Systems No operating system, no symbol table, etc. Very different

902 views • 74 slides
BANK OF MONTREAL BANK OF MONTREAL BANK OF MONTREAL BANK OF MONTREAL FINANCIAL HIGHLIGHTS

BANK OF MONTREAL BANK OF MONTREAL BANK OF MONTREAL BANK OF MONTREAL FINANCIAL HIGHLIGHTS

BANK OF MONTREAL BANK OF MONTREAL BANK OF MONTREAL BANK OF MONTREAL FINANCIAL HIGHLIGHTS FINANCIAL HIGHLIGHTS FINANCIAL HIGHLIGHTS FINANCIAL HIGHLIGHTS (Canadian $ in millions except as noted) For the three months ended Change from

71 views • 4 slides
Alexei Bulazel @0xAlexei REcon Brussels 2018 About Me Security researcher at River Loop

Alexei Bulazel @0xAlexei REcon Brussels 2018 About Me Security researcher at River Loop

Reverse Engineering Windows Defenders JavaScript Engine Alexei Bulazel @0xAlexei REcon Brussels 2018 About Me Security researcher at River Loop Security RPI / RPISEC 2015 graduate Longtime REcon attendee, first time presenter

1.92k views • 147 slides
Target 11 &amp; PoWPA Sarat Gidda CBD Secretariat Montreal October 2010: Nagoya Biodiversity

Target 11 &amp; PoWPA Sarat Gidda CBD Secretariat Montreal October 2010: Nagoya Biodiversity

Target 11 &amp; PoWPA Sarat Gidda CBD Secretariat Montreal October 2010: Nagoya Biodiversity Summit Epoch making for Biodiversity policy Programme of Work on Protected Areas 2004- COP 7 Establishment and maintenance of : comprehensive,

641 views • 47 slides
Target 11 &amp; PoWPA Sarat Gidda CBD Secretariat Montreal October 2010: Nagoya Biodiversity

Target 11 &amp; PoWPA Sarat Gidda CBD Secretariat Montreal October 2010: Nagoya Biodiversity

Target 11 &amp; PoWPA Sarat Gidda CBD Secretariat Montreal October 2010: Nagoya Biodiversity Summit Epoch making for Biodiversity policy Programme of Work on Protected Areas 2004- COP 7 Establishment and maintenance of : comprehensive,

693 views • 50 slides
2011 Business Plan 2011 Budget Request Police Total 2010 Adopted Budget 2010 Adopted Budget

2011 Business Plan 2011 Budget Request Police Total 2010 Adopted Budget 2010 Adopted Budget

2011 Business Plan 2011 Budget Request Police Total 2010 Adopted Budget 2010 Adopted Budget $ $ 84,173,191 84 173 191 Contribution to Capital $ 1,296,556 Recon Adj Contribution to Capital $ Recon Adj Contribution to

457 views • 35 slides
building a concrete alternative to ida 1 were sorry raxcity.com Shellphish

building a concrete alternative to ida 1 were sorry raxcity.com Shellphish

Jeffrey (crowell) Crowell Julien (jvoisin) Voisin Radare2 to the rescue! June 20, 2015 REcon 2015 Montreal building a concrete alternative to ida 1 were sorry raxcity.com Shellphish Boston Key Party

1.04k views • 64 slides
DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon 2014 Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function whiteboxed : AES-CBC

1.43k views • 103 slides
Understanding Statistical-vs-Computational Tradeoffs via the Low-Degree Likelihood Ratio Alex

Understanding Statistical-vs-Computational Tradeoffs via the Low-Degree Likelihood Ratio Alex

Understanding Statistical-vs-Computational Tradeoffs via the Low-Degree Likelihood Ratio Alex Wein Courant Institute, NYU Joint work with: Afonso Bandeira Yunzi Ding Tim Kunisky (ETH Zurich) (NYU) (NYU) 1 / 27 Motivation 2 / 27

1.64k views • 162 slides
Dynamic Expressivity with Static Optimization for Streaming Languages Robert Soul Michael I.

Dynamic Expressivity with Static Optimization for Streaming Languages Robert Soul Michael I.

Dynamic Expressivity with Static Optimization for Streaming Languages Robert Soul Michael I. Gordon Saman Amarasinghe Robert Grimm Martin Hirzel Cornell MIT MIT NYU IBM DEBS 2013 1 Problem Stream (FIFO queue) Operator Rate

691 views • 20 slides
Comparing the Yosemite Project and ONC Roadmaps for Healthcare Information Interoperability

Comparing the Yosemite Project and ONC Roadmaps for Healthcare Information Interoperability

Comparing the Yosemite Project and ONC Roadmaps for Healthcare Information Interoperability David Booth, PhD Yosemite Project Steering Committee Rancho BioSciences, LLC Hawaii Resource Group, LLC These slides: http://dbooth.org/2015/onc/

1.32k views • 90 slides
Cach: Caching Location-Enhanced Content to Improve User Privacy Carnegie Mellon University

Cach: Caching Location-Enhanced Content to Improve User Privacy Carnegie Mellon University

Cach: Caching Location-Enhanced Content to Improve User Privacy Carnegie Mellon University Shahriyar Amini , Janne Lindqvist, Jason Hong Jialiu Lin, Eran Toch, Norman Sadeh June 30, 2011 Widespread Adoption of Location-Enabled Devices

328 views • 17 slides
A GENERALIZATION OF SYMANZIK POLYNOMIALS MASTER THESIS, UNDER THE SUPERVISION OF OMID AMINI

A GENERALIZATION OF SYMANZIK POLYNOMIALS MASTER THESIS, UNDER THE SUPERVISION OF OMID AMINI

A GENERALIZATION OF SYMANZIK POLYNOMIALS MASTER THESIS, UNDER THE SUPERVISION OF OMID AMINI MATTHIEU PIQUEREZ Abstract. Symanzik polynomials are defined on Feynman graphs. They are used in quan- tum field theory to compute Feynman amplitudes. But

952 views • 79 slides
Maximum Entropy Approach for Reconstructing Bivariate Probability Distributions Zahra Amini

Maximum Entropy Approach for Reconstructing Bivariate Probability Distributions Zahra Amini

Maximum Entropy Approach for Reconstructing Bivariate Probability Distributions Zahra Amini Farsani Iran University of Science and Technology, Tehran, Iran, &amp; Ludwig-Maximilian Universitt Munich, Germany October 2014 Global Overview

451 views • 21 slides
Quantum feedback for preparation and protection of quantum states of light I gor Dotsenko

Quantum feedback for preparation and protection of quantum states of light I gor Dotsenko

Quantum feedback for preparation and protection of quantum states of light I gor Dotsenko LABORATOI RE KASTLER BROSSEL de lcole Normale Suprieure, Paris Workshop on Quantum Control I HP, Paris December 8-11, 2010 1 The Cavity QED

392 views • 36 slides
Should I Protect You? Understanding Developers Behavior to Privacy-Preserving APIs Shubham

Should I Protect You? Understanding Developers Behavior to Privacy-Preserving APIs Shubham

Should I Protect You? Understanding Developers Behavior to Privacy-Preserving APIs Shubham Jain and Janne Lindqvist Department of Electrical and Computer Engineering Rutgers University Workshop on Usable Security (USEC14) February 23,

230 views • 21 slides

More recommend