reverse engineering with hardware debuggers
play

Reverse Engineering with Hardware Debuggers 11 Mar 10 11 Mar 10 - PowerPoint PPT Presentation

Jan 06, 2023 •41 likes •231 views

Reverse Engineering with Hardware Debuggers 11 Mar 10 11 Mar 10 JASON RABER and JASON CHEATHAM ATSPI Assessment Science Team ATSPI Assessment Science Team RYTA Air Force Research Laboratory Public release authorization 88 ABW-10-1497 2

  1. Reverse Engineering with Hardware Debuggers 11 Mar 10 11 Mar 10 JASON RABER and JASON CHEATHAM ATSPI Assessment Science Team ATSPI Assessment Science Team RYTA Air Force Research Laboratory Public release authorization 88 ABW-10-1497

  2. 2 Outline • Architecture • Breakpoints • Breakpoints • Hypervisors Hypervisors • Macros

  3. The Hard Way Hardware debugger / in-target probe (ITP) / in-circuit gg g p ( ) emulator (ICE) Socket CPU 3

  4. Friends with Benefits • Hardware debuggers can see almost everything • They live outside the OS, so even kernel mode rootkits can’t hide • Rewriting firmware • They’re OS independent – Just needs a compatible x86 processor J t d tibl 86 4

  5. 5 The Softer Side

  6. 6 Outline • Architecture • Breakpoints • Breakpoints • Hypervisors Hypervisors • Macros

  7. Ways to Break Things • Hardware Breakpoints – DR registers DR registers • Software Breakpoints Software Breakpoints – ICEBP (0xF1) instruction + DR7 bit 12 • Infinite loops – Steal a couple bytes and replace with 0xEBFE 7

  8. Infinite Breakpoints • EB FE is a jump to the same address (jmp $) – Inject the infinite loop (0xEBFE) into the application or Inject the infinite loop (0xEBFE) into the application or driver – Halt the CPU when the system freezes, and there you y y are • They’re very easy to use with an ICE C – No worries about freezing the system – Don t have to deal with virtual memory Don’t have to deal with virtual memory • Checksums can detect these, so place them Checksums can detect these, so place them carefully 8

  9. 9 Outline • Architecture • Breakpoints • Breakpoints • Hypervisors Hypervisors • Macros

  10. More Power… • Macros can make an define proc pcrange(startaddr, p p g emulator very powerful l t f l endaddr) – Implement complex or define ord4 startaddr repetitive tasks define ord4 endaddr – Detailed control of ICE Detailed control of ICE { { while (1) { if (EIP >= startaddr && • SourcePoint uses a C EIP <= endaddr) { like scripting language like scripting language break – Variables, functions, control } else { flow step 4 – Types have well-defined Types have well defined } widths } • ord1, int4, real8, … } – Control statements for ICE 10

  11. 11 Range Breakpoint

  12. Run Trace flist (“tracelog.txt”, 1) define ord4 lasteip = EIP softremove while (1) { if (EIP > if (EIP >= 0xC0000000 && lasteip < 0xC0000000) { 0 C0000000 && lasteip < 0 C0000000) { softbreak = location=lasteip+2 softbreak = location=lasteip+3 softbreak = location=lasteip+4 softbreak = location=lasteip+5 softbreak = location=lasteip+6 lasteip = EIP go } if (EIP != endaddr) { asm eip printf("eax: “); eval eax virtual printf("ebx: “); eval ebx virtual printf("ecx: "); eval ecx virtual printf("edx: "); eval edx virtual printf("esi: "); eval esi virtual printf( esi: ); eval esi virtual printf("edi: "); eval edi virtual printf("esp: "); eval esp virtual lasteip = EIP step } else { nolog stop } } 12

  13. From the Outside In • Emulator access is pretty raw, so we wrote some simple forensic macros simple forensic macros – list_procs() – get_ssdt() g _ () – get_syscall_addr(name) – hook_syscall(name) – list_mods() 13

  14. get_syscall_addr define proc pointer get_syscall_addr(syscall_name) define nstring syscall_name define proc pointer find_gdi_proc() { { define pointer PsActiveProcessHead = get_head_proc() if (syscall_name == "NtCreateProcessEx") { return ssdt_index_to_addr(0x30, 0) define pointer first_proc = flink_to_proc_addr(PsActiveProcessHead) } else if (syscall_name == "NtCreateSection") { return ssdt index to addr(0x32 0) return ssdt_index_to_addr(0x32, 0) define pointer current_flink = next_proc_flink(first_proc) } else { define proc pointer ssdt_index_to_addr(index, table) define pointer current_proc = flink_to_proc_addr(current_flink) printf("Unknown system call\n"); define ord4 index define proc pointer get_ssdt() return 0 { { while (current_flink != PsActiveProcessHead) { } define pointer ssdt = get_ssdt() define pointer gdi_addr = find_gdi_proc() d fi i t di dd fi d di () define ord1 type = proc_type(current_proc) d fi d1 ( ) } define pointer service_table_base = ord4 ssdt define pointer tlh_flink = proc_thread_list_head(gdi_addr) if (type != 0x03) { printf("Non ‐ process type: %x\n", type); break; } return ssdt_service(service_table_base, index) define pointer thread_list_head = flink_to_thread_addr(tlh_flink) } define pointer ssdt = thread_ssdt(thread_list_head) define ord4 w32proc = proc_win32process(current_proc) return ssdt } if (w32proc != 0x0) return current_proc current_flink = next_proc_flink(current_proc) current_proc = flink_to_proc_addr(current_flink) } } } 14

  15. 15 Outline • Architecture • Breakpoints • Breakpoints • Hypervisors Hypervisors • Macros

  16. Blue…Something • ICE runs below hypervisors • You can go far with a few simple macros – vmx is enabled vmx_is_enabled – vmx_goto_resume – vmx_guest_eip – vmx_exit_reason 16

  17. 17 Down We Go…

  18. Nobody’s Perfect • You can’t single step or trace across the ring -1/0 boundary boundary • Finding the hypervisor is tricky g yp y • Newer VM instructions can cause problems 18

  19. 19 The Debuginator Summary

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

Debuggers A very real interactive debugger: gdb Widely used Debugging Runs on everything A classic implementation (with and without Debuggers) Mostly standard debugger technology Design decisions Runs and

274 views • 8 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Lab 6: Debuggers GDB Breakpoints Inspection TUI mode Code::Blocks plugin KDevelop and KDbg

Lab 6: Debuggers GDB Breakpoints Inspection TUI mode Code::Blocks plugin KDevelop and KDbg

Debuggers Lab 6: Debuggers GDB Breakpoints Inspection TUI mode Code::Blocks plugin KDevelop and KDbg Miscellaneous Comp Sci 1585 Data Structures Lab: Tools for Computer Scientists Outline Debuggers GDB Breakpoints Inspection TUI

551 views • 17 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain access to hardware features and the shell behind the RouterOS that has no ls Who? Me? Who am I? https://twitter.com/KirilsSolovjovs

753 views • 43 slides
THE GDB DEBUGGER GDB Debuggers allow you to examine and control program execution To compile a

THE GDB DEBUGGER GDB Debuggers allow you to examine and control program execution To compile a

THE GDB DEBUGGER GDB Debuggers allow you to examine and control program execution To compile a program for use with gdb, use the -g compiler switch Most debuggers provide the same functionality Other graphical options on MCECS Linux

506 views • 8 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com

Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com

Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com http://christian.amsuess.com/ 2010-05-06 Overview objective understand smart card communication based on sniffable communication hardware standard card

468 views • 20 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Pierre Surply Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP Controller Scan Chain Pierre Surply Boundary Scan UC3 JTAG EPITA 2016 Reverse engineering Jul

968 views • 72 slides
Quantum non-malleability and authentication Christian Majenz QMATH, University of Copenhagen

Quantum non-malleability and authentication Christian Majenz QMATH, University of Copenhagen

Quantum non-malleability and authentication Christian Majenz QMATH, University of Copenhagen Joint work with Gorjan Alagic, NIST and University of Maryland CRYPTO 2017, UCSB 24.08.2017 Motivation: a classical story... Crypto for bank

1.01k views • 83 slides
Theories of Hyperarithmetic Analysis. Antonio Montalb an. University of Chicago Columbus, OH,

Theories of Hyperarithmetic Analysis. Antonio Montalb an. University of Chicago Columbus, OH,

Hyperarithmetic analysis in the 70s Background Hyperarithmetic analysis in the 00s Known theories Theories of Hyperarithmetic Analysis. Antonio Montalb an. University of Chicago Columbus, OH, May 2009 CONFERENCE IN HONOR OF THE 60th

270 views • 25 slides
Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar

Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar

Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82] pk sk Public Key Encryption Public Key Encryption

296 views • 25 slides
Matrices with Integer Eigenvalues 4 1 1 0 1 1 4 0 1 1

Matrices with Integer Eigenvalues 4 1 1 0 1 1 4 0 1 1

Matrices with Integer Eigenvalues 4 1 1 0 1 1 4 0 1 1 1 0 3 0 0 0 1 0 3 0 1 1 0 0 3 Ron Adin Bar-Ilan University

758 views • 27 slides
Development of perfSONAR-Measurement Archive (MA) Capability based on PRESTA 10G NTT Network

Development of perfSONAR-Measurement Archive (MA) Capability based on PRESTA 10G NTT Network

perfSONAR workshop, 29th APAN Meeting 2010.2.11 Development of perfSONAR-Measurement Archive (MA) Capability based on PRESTA 10G NTT Network Innovation Labs. Kenji Shimizu, Katsuhiro Sebayashi 1 1 This work was partially supported by the

560 views • 12 slides
Day 13: Scripting Workflows II DAGMan 2012 Fall Cartwright 1 Computer Sciences 368 Scripting

Day 13: Scripting Workflows II DAGMan 2012 Fall Cartwright 1 Computer Sciences 368 Scripting

Computer Sciences 368 Scripting for CHTC Day 13: Scripting Workflows II DAGMan 2012 Fall Cartwright 1 Computer Sciences 368 Scripting for CHTC Homework Review 2012 Fall Cartwright 2 Computer Sciences 368 Scripting for CHTC Advanced

599 views • 32 slides
Factorisations of a group element, Hurwitz action and shellability Vivien Ripoll University of

Factorisations of a group element, Hurwitz action and shellability Vivien Ripoll University of

Factorisations of a group element, Hurwitz action and shellability Vivien Ripoll University of Vienna, Austria Combinatorial Algebra meets Algebraic Combinatorics London, Ontario 2016, January 24th uhle ( joint work with Henri M Ecole

975 views • 58 slides
Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of

Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of

Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of Computer Science University of Bras lia Joint work with K. Karabina, P. Longa, C. Gebotys, J. L opez, D. Hankerson, A. Menezes, E. Knapp, F.

759 views • 41 slides

More recommend