s str t - - PowerPoint PPT Presentation

❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r②

❇❧❛❝❦❍❛t ❊✉r♦♣❡ ✷✵✵✾

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜

caillat[at]esiea[dot]fr bcaillat[at]security-labs[dot]org

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶ ✴ ✶✼✷

P❧❛♥

✶

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

✸

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

✹

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

✺

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

✻

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

✼

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

✽

❈♦♥❝❧✉s✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

P❧❛♥

✶

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

✸

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

✹

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

✺

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

✻

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

✼

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

✽

❈♦♥❝❧✉s✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ q✉✐❝❦ r❡♠✐♥❞❡r✳ ✳ ✳

P❧❛♥ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ✖ ❆ q✉✐❝❦ r❡♠✐♥❞❡r✳ ✳ ✳

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ q✉✐❝❦ r❡♠✐♥❞❡r✳ ✳ ✳

❘❡♠✐♥❞❡r✿ P❊ ❢♦r♠❛t ❛♥❞ ❝r❡❛t✐♦♥ ♦❢ ❛ ♣r♦❝❡ss

❯♥❞❡r ❲✐♥❞♦✇s✱ ❡①❡❝✉t❛❜❧❡s ❛r❡ ✐♥ P❊ ❢♦r♠❛t ✭P♦rt❛❜❧❡ ❊①❡❝✉t❛❜❧❡✮ ❊①❡❝✉t❛❜❧❡s ❝♦♠♣♦✉♥❞❡❞ ♦❢ ❛ ❤❡❛❞❡r ❛♥❞ s❡✈❡r❛❧ s❡❝t✐♦♥s ✭❝♦❞❡✱ ❞❛t❛✱ r❡s♦✉r❝❡s✳ ✳ ✳ ✮ ❉✉r✐♥❣ ❝r❡❛t✐♦♥ ♦❢ ❛ ♣r♦❝❡ss✱ ❲✐♥❞♦✇s ❧♦❛❞❡r✿

♠❛♣s s❡❝t✐♦♥s ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss ✭♠❛② ❝♦♥t❛✐♥ ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss❡s✮ ✐♥✐t✐❛❧✐s❡s ♠❡♠♦r② r❡s♦❧✈❡s ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ q✉✐❝❦ r❡♠✐♥❞❡r✳ ✳ ✳

❘❡♠✐♥❞❡r✿ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥ r❡s♦❧✉t✐♦♥ ✐♥ ❲✐♥❞♦✇s

❚✇♦ ♠❡❝❤❛♥✐s♠s t♦ r❡s♦❧✈❡ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❲❤❡♥ ♣r♦❝❡ss ✐s ❝r❡❛t❡❞ P❊ ✜❧❡ ❝♦♥t❛✐♥s ❛♥ ✏✐♠♣♦rt t❛❜❧❡✑✿ ❝♦♥t❛✐♥s ♥❛♠❡s ♦❢ ❡✈❡r② ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❲✐♥❞♦✇s ❧♦❛❞❡r r❡❛❞s t❛❜❧❡ ❛♥❞ ✜❧❧s ❛♥♦t❤❡r t❛❜❧❡✿ t❤❡ ■❆❚ ✭■♠♣♦rt ❆❞❞r❡ss ❚❛❜❧❡✮ ❈❛❧❧s t♦ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❛r❡ ❞♦♥❡ t❤r♦✉❣❤ t❤❡ ■❆❚ ❉✉r✐♥❣ ❡①❡❝✉t✐♦♥✿ ✏❞②♥❛♠✐❝ ❛❞❞r❡ss r❡s♦❧✉t✐♦♥✑ ❊①❡❝✉t❛❜❧❡ ✉s❡s t✇♦ ❢✉♥❝t✐♦♥s t♦ r❡s♦❧✈❡ ❛♥ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥✿ ✏▲♦❛❞▲✐❜r❛r②✑✿ ❧♦❛❞ ❛ ❧✐❜r❛r② ✏●❡tPr♦❝❆❞❞r❡ss✑✿ ✜♥❞ ❛♥ ❡①♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❜② ✐ts ♥❛♠❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ q✉✐❝❦ r❡♠✐♥❞❡r✳ ✳ ✳

❘❡♠✐♥❞❡r✿ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥ r❡s♦❧✉t✐♦♥ ✐♥ ❲✐♥❞♦✇s

❚✇♦ ♠❡❝❤❛♥✐s♠s t♦ r❡s♦❧✈❡ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❲❤❡♥ ♣r♦❝❡ss ✐s ❝r❡❛t❡❞ P❊ ✜❧❡ ❝♦♥t❛✐♥s ❛♥ ✏✐♠♣♦rt t❛❜❧❡✑✿ ❝♦♥t❛✐♥s ♥❛♠❡s ♦❢ ❡✈❡r② ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❲✐♥❞♦✇s ❧♦❛❞❡r r❡❛❞s t❛❜❧❡ ❛♥❞ ✜❧❧s ❛♥♦t❤❡r t❛❜❧❡✿ t❤❡ ■❆❚ ✭■♠♣♦rt ❆❞❞r❡ss ❚❛❜❧❡✮ ❈❛❧❧s t♦ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❛r❡ ❞♦♥❡ t❤r♦✉❣❤ t❤❡ ■❆❚ ❉✉r✐♥❣ ❡①❡❝✉t✐♦♥✿ ✏❞②♥❛♠✐❝ ❛❞❞r❡ss r❡s♦❧✉t✐♦♥✑ ❊①❡❝✉t❛❜❧❡ ✉s❡s t✇♦ ❢✉♥❝t✐♦♥s t♦ r❡s♦❧✈❡ ❛♥ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥✿ ✏▲♦❛❞▲✐❜r❛r②✑✿ ❧♦❛❞ ❛ ❧✐❜r❛r② ✏●❡tPr♦❝❆❞❞r❡ss✑✿ ✜♥❞ ❛♥ ❡①♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❜② ✐ts ♥❛♠❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ q✉✐❝❦ r❡♠✐♥❞❡r✳ ✳ ✳

❘❡♠✐♥❞❡r✿ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥ r❡s♦❧✉t✐♦♥ ✐♥ ❲✐♥❞♦✇s

❚✇♦ ♠❡❝❤❛♥✐s♠s t♦ r❡s♦❧✈❡ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❲❤❡♥ ♣r♦❝❡ss ✐s ❝r❡❛t❡❞ P❊ ✜❧❡ ❝♦♥t❛✐♥s ❛♥ ✏✐♠♣♦rt t❛❜❧❡✑✿ ❝♦♥t❛✐♥s ♥❛♠❡s ♦❢ ❡✈❡r② ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❲✐♥❞♦✇s ❧♦❛❞❡r r❡❛❞s t❛❜❧❡ ❛♥❞ ✜❧❧s ❛♥♦t❤❡r t❛❜❧❡✿ t❤❡ ■❆❚ ✭■♠♣♦rt ❆❞❞r❡ss ❚❛❜❧❡✮ ❈❛❧❧s t♦ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❛r❡ ❞♦♥❡ t❤r♦✉❣❤ t❤❡ ■❆❚ ❉✉r✐♥❣ ❡①❡❝✉t✐♦♥✿ ✏❞②♥❛♠✐❝ ❛❞❞r❡ss r❡s♦❧✉t✐♦♥✑ ❊①❡❝✉t❛❜❧❡ ✉s❡s t✇♦ ❢✉♥❝t✐♦♥s t♦ r❡s♦❧✈❡ ❛♥ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥✿ ✏▲♦❛❞▲✐❜r❛r②✑✿ ❧♦❛❞ ❛ ❧✐❜r❛r② ✏●❡tPr♦❝❆❞❞r❡ss✑✿ ✜♥❞ ❛♥ ❡①♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❜② ✐ts ♥❛♠❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

P❧❛♥ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ✖ ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❈♦♥t❡①t ❞❡✜♥✐t✐♦♥

• ❡♥❡r❛❧❧②✱ ♠❛❧✐❝✐♦✉s ❝♦❞❡s tr② t♦ ❞♦ s❡✈❡r❛❧ t❤✐♥❣s✿

st❛② ✉♥❞❡t❡❝t❡❞ ❜② ❛♥t✐✈✐r✉s❡s ♣r♦♣❛❣❛t❡ t♦ ♦t❤❡r ❤♦sts ♦r ❡①❡❝✉t❛❜❧❡s ❡①❡❝✉t❡ t❤❡✐r ♠❛❧✐❝✐♦✉s ❛❝t✐♦♥s ✭❡✳❣✳ ❝❛♣t✉r❡ s♦♠❡ ♣r✐✈❛t❡ ✉s❡r ❞❛t❛✱ ♦♣❡♥ ❛ ❜❛❝❦❞♦♦r ♦♥ t❤❡ s②st❡♠ ✳ ✳ ✳ ✮

❯s❡ s♣❡❝✐❛❧ t❡❝❤♥✐q✉❡s✱ ♥♦t ❛❧✇❛②s ❡❛s② t♦ ✐♠♣❧❡♠❡♥t ▲❡t ✉s ✐❧❧✉str❛t❡ t❤✐s ✇✐t❤ ❛ ❢❡✇ s♣❡❝✐✜❝ t❡❝❤♥✐q✉❡s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❊♥❝r②♣t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✲ Pr✐♥❝✐♣❧❡

❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ♠❛❞❡ ✉♣ ♦❢ t✇♦ ♣❛rts✿ t❤❡ r❡❛❧ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✇❤✐❝❤ ✐s ❡♥❝r②♣t❡❞ ❛ ❞❡❝r②♣t✐♦♥ ♣❛rt ❖❜❥❡❝t✐✈❡ Pr♦t❡❝t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❛❣❛✐♥st ❛♥ ❛♥❛❧②s✐s ❈♦✉❧❞ ❜❡ ❛♥ ❛✉t♦♠❛t✐❝ ❛♥❛❧②s✐s ✭❛♥t✐✈✐r✉s✮ ♦r ❛ ♠❛♥✉❛❧ ❛♥❛❧②s✐s ✭❞✐s❛ss❡♠❜❧✐♥❣ ❝♦❞❡✮

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❊♥❝r②♣t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✲ Pr✐♥❝✐♣❧❡

❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ♠❛❞❡ ✉♣ ♦❢ t✇♦ ♣❛rts✿ t❤❡ r❡❛❧ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✇❤✐❝❤ ✐s ❡♥❝r②♣t❡❞ ❛ ❞❡❝r②♣t✐♦♥ ♣❛rt ❖❜❥❡❝t✐✈❡ Pr♦t❡❝t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❛❣❛✐♥st ❛♥ ❛♥❛❧②s✐s ❈♦✉❧❞ ❜❡ ❛♥ ❛✉t♦♠❛t✐❝ ❛♥❛❧②s✐s ✭❛♥t✐✈✐r✉s✮ ♦r ❛ ♠❛♥✉❛❧ ❛♥❛❧②s✐s ✭❞✐s❛ss❡♠❜❧✐♥❣ ❝♦❞❡✮

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❊♥❝r②♣t✐♦♥ ✲ ♣r♦t❡❝t✐♦♥ ❛❣❛✐♥st ❛✉t♦♠❛t✐❝ ❛♥❛❧②s✐s

▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s s❝❛♥♥❡❞ ❜② ❛ t♦♦❧ t❤❛t ✇♦r❦s ✇✐t❤ s✐❣♥❛t✉r❡ ✐❞❡♥t✐✜❝❛t✐♦♥ ❊❛❝❤ ❝♦♣② ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ♠✉st ❜❡ ❞✐✛❡r❡♥t✿

❞❡❝r②♣t✐♦♥ ♣❛rt ✐s tr❛♥s❢♦r♠❡❞ t❤r♦✉❣❤ ♠❡t❛♠♦r♣❤✐s♠ ❡♥❝r②♣t✐♦♥ ❦❡② ✐s ❝❤❛♥❣❡❞ ✐♥ ❡❛❝❤ ❝♦♣② ✭♣♦❧②♠♦r♣❤✐s♠✮

Decryption key 2 malicious Decryption key 1 payload Encrypted Decryption part malicious payload Encrypted Decryption part

❋✐❣✉r❡✿ ❚✇♦ ❝♦♣✐❡s ♦❢ t❤❡ s❛♠❡ ✈✐r✉s t❤❛t ✐♠♣❧❡♠❡♥ts ♣♦❧②♠♦r♣❤✐s♠

◆♦t❡s✿

❉❡❝r②♣t✐♦♥ ❦❡② ♠❛② ❜❡ st♦r❡❞ ✐♥ ❞❡❝r②♣t✐♦♥ ♣❛rt ❙✐♠♣❧❡ ❡♥❝r②♣t✐♦♥ ❛❧❣♦r✐t❤♠ ❧✐❦❡ ❛ ❳❖❘ ✇✐t❤ ✸✷✲❜✐ts ❦❡② ♠❛② ❜❡ ✉s❡❞

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❊♥❝r②♣t✐♦♥ ✲ ♣r♦t❡❝t✐♦♥ ❛❣❛✐♥st ♠❛♥✉❛❧ ❛♥❛❧②s✐s

❆✐♠✿ ✐❢ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ✐♥t❡r❝❡♣t❡❞ ❞✉r✐♥❣ ✐♥tr♦❞✉❝t✐♦♥ ♦♥ t❛r❣❡t❡❞ s②st❡♠✱ ✐t ❝❛♥♥♦t ❜❡ ❞✐s❛ss❡♠❜❧❡❞ ❛♥❞ ❛♥❛❧②s❡❞ ♠❛♥✉❛❧❧② ▲✐tt❧❡ ❞✐✛❡r❡♥❝❡s ✇✐t❤ ♣r❡✈✐♦✉s ❡♥❝r②♣t✐♦♥✿

str♦♥❣ ❡♥❝r②♣t✐♦♥ ❛❧❣♦r✐t❤♠ ❧✐❦❡ ❆❊❙ ♠✉st ❜❡ ✉s❡❞ ❞❡❝r②♣t✐♦♥ ❦❡② ♠✉st ♥♦t ❜❡ st♦r❡❞ ✐♥ ❡♥❝r②♣t❡❞ ♠❛❧✐❝✐♦✉s ❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

Hard drive Memory

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

Hard drive Memory Decoder 1 "Decoder" is introduced

• n targeted system

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

Hard drive Memory Decoder Encrypted malicious code introduced on targeted system Encrypted malicious code is 2

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

Hard drive Memory Decoder Encrypted malicious code Decoder 3 "Decoder" is executed

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

Hard drive Memory Decoder Encrypted malicious code Decoder malicious code Encrypted 4 malicious code in memory "Decoder" loads encrypted

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

Hard drive Memory Decoder Encrypted malicious code Decoder malicious code Encrypted Malicious code 5 in memory and executes it "Decoder" decrypts malicious code

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✼ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❊♥❝r②♣t✐♦♥ ✲ ♣r♦t❡❝t✐♦♥ ❛❣❛✐♥st ♠❛♥✉❛❧ ❛♥❛❧②s✐s

❖❢ ❝♦✉rs❡✱ s❡✈❡r❛❧ ✇❛②s t♦ ❣❡t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ♦♥ ✐♥❢❡❝t❡❞ ❝♦♠♣✉t❡r ✭❞✉♠♣ t❤❡ ♠❡♠♦r②✱ ❡①tr❛❝t ❡♥❝r②♣t✐♦♥ ❦❡② ❛♥❞ ❞❡❝r②♣t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞✮ ❇✉t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ♣r♦t❡❝t❡❞ ❞✉r✐♥❣ ✐♥tr♦❞✉❝t✐♦♥ ♦♥t♦ t❛r❣❡t❡❞ ❝♦♠♣✉t❡r✿

t✇♦ ♣❛rts ❛r❡ ✐♥tr♦❞✉❝❡❞ ✐♥ ❞✐✛❡r❡♥t ✇❛②s ❛t ❞✐✛❡r❡♥t t✐♠❡s ✐❢ ♦♥❡ ✐♥tr♦❞✉❝t✐♦♥ ❢❛✐❧s✱ ✇❡ ✇✐❧❧ ✐♥t❡r❝❡♣t✿

❞❡❝r②♣t✐♦♥ ♣❛rt✿ t♦t❛❧❧② ❣❡♥❡r✐❝ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞✿ ❡♥❝r②♣t❡❞

⇒❝❛♥♥♦t ❣❡t ❛♥② ✐♥❢♦r♠❛t✐♦♥ ♦♥ t❤❡ ❛tt❛❝❦

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✽ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❊♥❝r②♣t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

❊♥❝r②♣t✐♦♥ ♦❢ ❡❛❝❤ ♣❛rt ♦❢ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐♥ ❡①❡❝✉t❛❜❧❡ ♥♦t ❛ ❣♦♦❞ s♦❧✉t✐♦♥✿

❝♦♠♣❧✐❝❛t❡❞✿ ❛❧❧ ❜✐♥❛r② ❞❛t❛ ❝❤❛r❛❝t❡r✐st✐❝s ♦❢ t❤❡ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ♠✉st ❜❡ ❡♥❝r②♣t❡❞ ✭❢✉♥❝t✐♦♥s✱ ✐♥✐t✐❛❧✐s❡❞ ❞❛t❛ ❛♥❞ str✐♥❣s✮ ♥♦t ❡✣❝✐❡♥t✿ P❊ ♠❡t❛❞❛t❛s ❝❛♥♥♦t ❜❡ ❡♥❝r②♣t❡❞

❇❡tt❡r s♦❧✉t✐♦♥✿ ❡♥❝r②♣t t❤❡ ✇❤♦❧❡ ❡①❡❝✉t❛❜❧❡ ∼ ❛ ♣❛❝❦❡r ❇✉t ❞❡✈❡❧♦♣✐♥❣ s✉❝❤ ❛ t♦♦❧ r❡q✉✐r❡❞ s♦♠❡ ✇♦r❦

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❊①❡❝✉t❡ ♦♥❧② ✐♥ ♠❡♠♦r② ✲ Pr✐♥❝✐♣❧❡

❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ❛❜❧❡ t♦ ❡①❡❝✉t❡ ✇✐t❤♦✉t ❜❡✐♥❣ ❝♦♣✐❡❞ ♦♥ ❤❛r❞ ❞r✐✈❡ ❖❜❥❡❝t✐✈❡ ❈❛♥♥♦t ❜❡ ❞❡t❡❝t❡❞ ❜② ❧♦❝❛❧ ❛♥t✐✈✐r✉s ▲❡❛✈❡s ❢❡✇ tr❛❝❡s ♦♥ t❛r❣❡t❡❞ s②st❡♠ ❝♦♠♣❧✐❝❛t❡s ❛♥ ❡✈❡♥t✉❛❧ ❢♦r❡♥s✐❝ ❛♥❛❧②s✐s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❊①❡❝✉t❡ ♦♥❧② ✐♥ ♠❡♠♦r② ✲ Pr✐♥❝✐♣❧❡

❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ❛❜❧❡ t♦ ❡①❡❝✉t❡ ✇✐t❤♦✉t ❜❡✐♥❣ ❝♦♣✐❡❞ ♦♥ ❤❛r❞ ❞r✐✈❡ ❖❜❥❡❝t✐✈❡ ❈❛♥♥♦t ❜❡ ❞❡t❡❝t❡❞ ❜② ❧♦❝❛❧ ❛♥t✐✈✐r✉s ▲❡❛✈❡s ❢❡✇ tr❛❝❡s ♦♥ t❛r❣❡t❡❞ s②st❡♠ ⇒ ❝♦♠♣❧✐❝❛t❡s ❛♥ ❡✈❡♥t✉❛❧ ❢♦r❡♥s✐❝ ❛♥❛❧②s✐s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r②

Server Memory Hard drive Firewall Attacker

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r②

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✶ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r②

Server Memory Hard drive Firewall Attacker Loader "Loader" is running 1

• n targeted server

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r②

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✷ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r②

Server Memory Hard drive Firewall Attacker Loader Malicious code payload from server 2 "Loader" gets malicious

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r②

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✸ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r②

Server Memory Hard drive Firewall Attacker Loader Malicious code 3 "Loader" transfers execution

• n malicious payload

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r②

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✹ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❊①❡❝✉t❡ ♦♥❧② ✐♥ ♠❡♠♦r② ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

❈♦♣②✐♥❣ ❡①❡❝✉t❛❜❧❡ ✐♥ ♠❡♠♦r② ❛♥❞ ❥✉♠♣✐♥❣ ♦♥ ❡♥tr② ♣♦✐♥t ❞♦❡s ♥♦t ✇♦r❦✿

s❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ♠✉st ❜❡ r❡s♦❧✈❡❞

❆ ❢❡✇ tr✐❝❦s ❝❛♥ ❜❡ ✉s❡❞✿

✉s❡ ✏♣r❛❣♠❛✑ ❞✐r❡❝t✐✈❡s t♦ ❣r♦✉♣ ❛❧❧ ❢✉♥❝t✐♦♥s✴❞❛t❛ ✐♥ ♦♥❡ s❡❝t✐♦♥ ♣❧❛② ✇✐t❤ ✏♣r❡❢❡rr❡❞ ❧♦❛❞ ❛❞❞r❡ss✑ s♦ t❤❛t s❡❝t✐♦♥ ✐s ♠❛♣♣❡❞ ✐♥ ❛ ♠❡♠♦r② s♣❛❝❡ ✏♥♦r♠❛❧❧②✑ ❢r❡❡ ✐♥ ♣r♦❝❡ss ✉s❡ ❞②♥❛♠✐❝ ❛❞❞r❡ss r❡s♦❧✉t✐♦♥

⇒ P♦ss✐❜❧❡✳ ✳ ✳ ❜✉t r❛t❤❡r t❡❞✐♦✉s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✺ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ Pr✐♥❝✐♣❧❡

❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ❛❞❞❡❞ ✐♥t♦ ❛♥♦t❤❡r ❡①❡❝✉t❛❜❧❡ ❊①❡❝✉t✐♦♥ ✢♦✇ ♦❢ ✐♥❢❡❝t❡❞ ❡①❡❝✉t❛❜❧❡ ✐s ♠♦❞✐✜❡❞ t♦ ❡①❡❝✉t❡ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❖❜❥❡❝t✐✈❡ ❈r❡❛t❡ ❛ ❚r♦❥❛♥ ❤♦rs❡❀ ❜❡❤❛✈✐♦✉r ♦❢ t❤❡ ♣r♦❣r❛♠ ♠✉st ♥♦t ❜❡ ❞✐sr✉♣t❡❞

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ Pr✐♥❝✐♣❧❡

❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ❛❞❞❡❞ ✐♥t♦ ❛♥♦t❤❡r ❡①❡❝✉t❛❜❧❡ ❊①❡❝✉t✐♦♥ ✢♦✇ ♦❢ ✐♥❢❡❝t❡❞ ❡①❡❝✉t❛❜❧❡ ✐s ♠♦❞✐✜❡❞ t♦ ❡①❡❝✉t❡ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❖❜❥❡❝t✐✈❡ ❈r❡❛t❡ ❛ ❚r♦❥❛♥ ❤♦rs❡❀ ❜❡❤❛✈✐♦✉r ♦❢ t❤❡ ♣r♦❣r❛♠ ♠✉st ♥♦t ❜❡ ❞✐sr✉♣t❡❞

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❛❞❞❡❞ ❛t t❤❡ ❡♥❞ ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡✱ ❛❢t❡r ❧❛st s❡❝t✐♦♥ ❙❡✈❡r❛❧ ✇❛②s t♦ r❡❞✐r❡❝t ❡①❡❝✉t✐♦♥ ✢♦✇✿

♣❛t❝❤ t❤❡ ❡①❡❝✉t❛❜❧❡ ❡♥tr② ♣♦✐♥t ♣❛t❝❤ s♦♠❡ ✐♥str✉❝t✐♦♥s t❤❛t ✇✐❧❧ ♣r♦❜❛❜❧② ❜❡ ❡①❡❝✉t❡❞ ❊①❛♠♣❧❡✿ ❝❛❧❧ t♦ t❤❡ ❢✉♥❝t✐♦♥ ✏s❛✈❡✑ ✐♥ ❛ t❡①t ❡❞✐t♦r

❊❛❝❤ s♦❧✉t✐♦♥ ❤❛s ♣r♦s ❛♥❞ ❝♦♥s✿

P❛t❝❤✐♥❣ ✐♥str✉❝t✐♦♥ r❡q✉✐r❡s ♠❛♥✉❛❧ ❛♥❛❧②s✐s t♦ ✜♥❞ ❛ s✉✐t❛❜❧❡ ✐♥str✉❝t✐♦♥ t♦ ♣❛t❝❤ ❇✉t ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ r❡q✉✐r❡s ❛❝t✐♦♥ ♦❢ t❤❡ ✉s❡r ♥❡✐t❤❡r ❡①❡❝✉t❡❞✱ ♥♦r ❛♥❛❧②s❡❞ ❜② ❛♥ ❛♥t✐✈✐r✉s✱ ❡✈❡♥ ✇✐t❤ ❝♦❞❡ ❡♠✉❧❛t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✼ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❛❞❞❡❞ ❛t t❤❡ ❡♥❞ ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡✱ ❛❢t❡r ❧❛st s❡❝t✐♦♥ ❙❡✈❡r❛❧ ✇❛②s t♦ r❡❞✐r❡❝t ❡①❡❝✉t✐♦♥ ✢♦✇✿

♣❛t❝❤ t❤❡ ❡①❡❝✉t❛❜❧❡ ❡♥tr② ♣♦✐♥t ♣❛t❝❤ s♦♠❡ ✐♥str✉❝t✐♦♥s t❤❛t ✇✐❧❧ ♣r♦❜❛❜❧② ❜❡ ❡①❡❝✉t❡❞ ❊①❛♠♣❧❡✿ ❝❛❧❧ t♦ t❤❡ ❢✉♥❝t✐♦♥ ✏s❛✈❡✑ ✐♥ ❛ t❡①t ❡❞✐t♦r

❊❛❝❤ s♦❧✉t✐♦♥ ❤❛s ♣r♦s ❛♥❞ ❝♦♥s✿

P❛t❝❤✐♥❣ ✐♥str✉❝t✐♦♥ r❡q✉✐r❡s ♠❛♥✉❛❧ ❛♥❛❧②s✐s t♦ ✜♥❞ ❛ s✉✐t❛❜❧❡ ✐♥str✉❝t✐♦♥ t♦ ♣❛t❝❤ ❇✉t ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ r❡q✉✐r❡s ❛❝t✐♦♥ ♦❢ t❤❡ ✉s❡r ⇒ ♥❡✐t❤❡r ❡①❡❝✉t❡❞✱ ♥♦r ❛♥❛❧②s❡❞ ❜② ❛♥ ❛♥t✐✈✐r✉s✱ ❡✈❡♥ ✇✐t❤ ❝♦❞❡ ❡♠✉❧❛t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✼ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

Header MyEditor.exe Header Section 1 Section 2 ... Section n MyEditor.exe Header Section 1 Section 2 ... Section n MyEditor.exe Section 1 Section 2 ... Section n Malicious code Malicious code entry point patched Original executable Infected executable Infected executable instruction patched

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✐♥❢❡❝t✐♦♥ ♦❢ ❛♥ ❡①❡❝✉t❛❜❧❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✽ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

◆♦t s♦ ❡❛s② t♦ ✐♠♣❧❡♠❡♥t✿ ❙❡✈❡r❛❧ s❡❝t✐♦♥s ♠✐❣❤t ❤❛✈❡ t♦ ❜❡ ❛❞❞❡❞ ❛t t❤❡ ❡♥❞ ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡ ❙❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss ❈♦❞❡ ♠✉st ✉s❡ ❞②♥❛♠✐❝ ❛❞❞r❡ss r❡s♦❧✉t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✷✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ Pr✐♥❝✐♣❧❡

❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐♥❥❡❝ts s♦♠❡ ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ▼❛❧✐❝✐♦✉s ❝♦❞❡ ❢♦r❝❡s t❤❡ ❡①❡❝✉t✐♦♥ ♦❢ t❤✐s ✐♥❥❡❝t❡❞ ❝♦❞❡ ✐♥ t❤❡ ❝♦♥t❡①t ♦❢ t❤❡ ♦t❤❡r ♣r♦❝❡ss ❖❜❥❡❝t✐✈❡s ❙✉r✈✐✈❡ t♦ t❡r♠✐♥❛t✐♦♥ ♦❢ ♦r✐❣✐♥❛❧ ♣r♦❝❡ss ■♥t❡r❝❡♣t ♣r✐✈❛t❡ ❞❛t❛ ♦❢ ✉s❡r ✉s✐♥❣ ✐♥❢❡❝t❡❞ ❝♦♠♣✉t❡r✿ ✐♥❥❡❝t✐♦♥✴❆P■ ❤♦♦❦✐♥❣✴❛♥❛❧②s✐s ♦❢ ♣❛r❛♠❡t❡rs ❇②♣❛ss ❜❛❞ ✐♠♣❧❡♠❡♥t❡❞ ♣❡rs♦♥❛❧ ✜r❡✇❛❧❧s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ Pr✐♥❝✐♣❧❡

❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐♥❥❡❝ts s♦♠❡ ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ▼❛❧✐❝✐♦✉s ❝♦❞❡ ❢♦r❝❡s t❤❡ ❡①❡❝✉t✐♦♥ ♦❢ t❤✐s ✐♥❥❡❝t❡❞ ❝♦❞❡ ✐♥ t❤❡ ❝♦♥t❡①t ♦❢ t❤❡ ♦t❤❡r ♣r♦❝❡ss ❖❜❥❡❝t✐✈❡s ❙✉r✈✐✈❡ t♦ t❡r♠✐♥❛t✐♦♥ ♦❢ ♦r✐❣✐♥❛❧ ♣r♦❝❡ss ■♥t❡r❝❡♣t ♣r✐✈❛t❡ ❞❛t❛ ♦❢ ✉s❡r ✉s✐♥❣ ✐♥❢❡❝t❡❞ ❝♦♠♣✉t❡r✿ ✐♥❥❡❝t✐♦♥✴❆P■ ❤♦♦❦✐♥❣✴❛♥❛❧②s✐s ♦❢ ♣❛r❛♠❡t❡rs ❇②♣❛ss ❜❛❞ ✐♠♣❧❡♠❡♥t❡❞ ♣❡rs♦♥❛❧ ✜r❡✇❛❧❧s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

❈♦❞❡ ✐♥❥❡❝t✐♦♥ ♠❛② ❜❡ ❞♦♥❡ ✐♥ s❡✈❡r❛❧ ✇❛②s✿ ❞❧❧ ✐♥❥❡❝t✐♦♥ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❊❛❝❤ t❡❝❤♥✐q✉❡ ❤❛s ♣r♦ ❛♥❞ ❝♦♥s❀ ✇❡ ❝❤♦♦s❡ t♦ ✉s❡ t❤❡ s❡❝♦♥❞

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✶ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

Injecter Target Injection code

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✷ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

Injecter Target Injection code Malicious code

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✸ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

Injecter Target Injection code Malicious code 1 "Injecter" gets a handle

• n targeted process

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✹ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

Injecter Target Injection code Malicious code Free memory memory in other process 2 "Injecter" allocates

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✺ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

Injecter Target Injection code Malicious code Malicious code "Injecter" copies malicious 3 code in allocated memory

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

Injecter Target Injection code Malicious code Malicious code Thread 4 process that executes malicious code "Injecter" creates a new thread in other

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✼ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥

❊♥❝♦✉♥t❡r s❛♠❡ ♣r♦❜❧❡♠s ❛s ❡①❡❝✉t✐♦♥ ♦♥❧② ✐♥ ♠❡♠♦r②✿

s❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ♠✉st ❜❡ r❡s♦❧✈❡❞

⇒ ❈❛♥ ✉s❡ t❤❡ s❛♠❡ tr✐❝❦s ◆♦t❡ t❤❛t ✐❢ ♠❡♠♦r② ✇❤❡r❡ ❝♦❞❡ ♠✉st ❜❡ ♠❛♣♣❡❞ ✐s ❛❧r❡❛❞② ❛❧❧♦❝❛t❡❞✱ ✐♥❥❡❝t✐♦♥ ✇✐❧❧ ❢❛✐❧✦

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✽ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❙✉♠♠❛r②

■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤♦s❡ t❡❝❤♥✐q✉❡s ✐♥ ❛♥ ❡①❡❝✉t❛❜❧❡ ✐s ❛❧✇❛②s ♣♦ss✐❜❧❡✱ ❜✉t r❡q✉✐r❡s ❧♦ts ♦❢ ✇♦r❦ ❉✐✣❝✉❧t✐❡s ❝♦♠❡ ❢r♦♠ s❡✈❡r❛❧ ♣r♦♣❡rt✐❡s ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡✿

❝♦❞❡ ❛♥❞ ❞❛t❛ ❛r❡ s♣r❡❛❞ ✐♥ t❤❡ ❡①❡❝✉t❛❜❧❡ ♣r♦❝❡ss r❡q✉✐r❡s s♦♠❡ ♦❢ ✐♥✐t✐❛❧✐s❛t✐♦♥ ♥♦r♠❛❧❧② ❞♦♥❡ ❜② ❲✐♥❞♦✇s ❧♦❛❞❡r ❝♦❞❡ ❝♦♥t❛✐♥s ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss❡s ⇒ s❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss❡s

❚❤♦s❡ t❡❝❤♥✐q✉❡s ❝♦✉❧❞ ❜❡ ✐♠♣❧❡♠❡♥t❡❞ ♠♦r❡ ❡❛s✐❧② ✐❢ t❤❡ ❝♦❞❡

✇❛s ❝♦♥st✐t✉t❡❞ ♦❢ ♦♥❧② ♦♥❡ ❜❧♦❝❦ ✇❛s ❛❜❧❡ t♦ ✐♥✐t✐❛❧✐s❡ t❤❡ ❛❞❞r❡ss s♣❛❝❡ ❝♦♥t❛✐♥❡❞ ♥♦ ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss

✐❢ t❤❡ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✇❛s ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳

❙✉♠♠❛r②

■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤♦s❡ t❡❝❤♥✐q✉❡s ✐♥ ❛♥ ❡①❡❝✉t❛❜❧❡ ✐s ❛❧✇❛②s ♣♦ss✐❜❧❡✱ ❜✉t r❡q✉✐r❡s ❧♦ts ♦❢ ✇♦r❦ ❉✐✣❝✉❧t✐❡s ❝♦♠❡ ❢r♦♠ s❡✈❡r❛❧ ♣r♦♣❡rt✐❡s ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡✿

❝♦❞❡ ❛♥❞ ❞❛t❛ ❛r❡ s♣r❡❛❞ ✐♥ t❤❡ ❡①❡❝✉t❛❜❧❡ ♣r♦❝❡ss r❡q✉✐r❡s s♦♠❡ ♦❢ ✐♥✐t✐❛❧✐s❛t✐♦♥ ♥♦r♠❛❧❧② ❞♦♥❡ ❜② ❲✐♥❞♦✇s ❧♦❛❞❡r ❝♦❞❡ ❝♦♥t❛✐♥s ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss❡s ⇒ s❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss❡s

❚❤♦s❡ t❡❝❤♥✐q✉❡s ❝♦✉❧❞ ❜❡ ✐♠♣❧❡♠❡♥t❡❞ ♠♦r❡ ❡❛s✐❧② ✐❢ t❤❡ ❝♦❞❡

✇❛s ❝♦♥st✐t✉t❡❞ ♦❢ ♦♥❧② ♦♥❡ ❜❧♦❝❦ ✇❛s ❛❜❧❡ t♦ ✐♥✐t✐❛❧✐s❡ t❤❡ ❛❞❞r❡ss s♣❛❝❡ ❝♦♥t❛✐♥❡❞ ♥♦ ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss

⇒ ✐❢ t❤❡ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✇❛s ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✸✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡

P❧❛♥ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ✖ ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡

Pr✐♥❝✐♣❧❡

❈♦♥s✐❞❡r ♥♦✇ t❤❛t ♦✉r ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ❛ s❤❡❧❧❝♦❞❡✿ ❝♦♥st✐t✉t❡❞ ♦❢ ♦♥❧② ♦♥❡ ❜❧♦❝❦ ❝❛♥ r✉♥ ❛t ❛♥② ❛❞❞r❡ss ✐♥ ❛♥② ♣r♦❝❡ss ❡①❡❝✉t❡s ❡①❛❝t❧② t❤❡ s❛♠❡ ♦♣❡r❛t✐♦♥s ❛s t❤❡ ♥♦r♠❛❧ ❡①❡❝✉t❛❜❧❡ ✐❢ ❡①❡❝✉t✐♦♥ tr❛♥s❢❡rr❡❞ t♦ ✐ts ✜rst ❜②t❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✶ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡

■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s

❊♥❝r②♣t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ❉❡❝r②♣t✐♦♥ ♣❛rt ❜❡❝♦♠❡s ❛ s✐♠♣❧❡ ❧♦♦♣ t❤❛t ❡①❡❝✉t❡s ❞❡❝r②♣t✐♦♥ ♦♥ s❤❡❧❧❝♦❞❡ ∼ ❛rr❛② ♦❢ ❜②t❡s ❊①❡❝✉t✐♦♥ ♦♥❧② ✐♥ ♠❡♠♦r② ❛♥❞ ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❊❛s② t♦ ✐♠♣❧❡♠❡♥t s✐♥❝❡ ❜② ❞❡✜♥✐t✐♦♥ s❤❡❧❧❝♦❞❡ ✐s ❛❜❧❡ t♦ ❡①❡❝✉t❡ ✐♥ ❛♥② ♣r♦❝❡ss ❛t ❛♥② ❛❞❞r❡ss ❊①❡❝✉t❛❜❧❡ ✐♥❢❡❝t✐♦♥ ❙❤❡❧❧❝♦❞❡ ❛❞❞❡❞ ✐♥ ❧❛st s❡❝t✐♦♥ ❋❡✇ ♠♦❞✐✜❝❛t✐♦♥s ❞♦♥❡ ♦♥ P❊ ❤❡❛❞❡r ❊♥tr② ♣♦✐♥t ♦r ✐♥str✉❝t✐♦♥ ♣❛t❝❤❡❞ t♦ ❥✉♠♣ ♦♥ s❤❡❧❧❝♦❞❡ ❏✉♠♣ t♦ ♦r✐❣✐♥❛❧ ✐♥str✉❝t✐♦♥ ❛❞❞❡❞ ❛t ❡♥❞ ♦❢ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✷ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡

❙✉♠♠❛r②

■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ ♣r❡s❡♥t❡❞ t❡❝❤♥✐q✉❡s ✐s ❣r❡❛t❧② s✐♠♣❧✐✜❡❞ ✐❢ t❤❡ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ❛ s❤❡❧❧❝♦❞❡ r❛t❤❡r t❤❛♥ ❛♥ ❡①❡❝✉t❛❜❧❡ ◆❡①t ♣r♦❜❧❡♠ ✐s ❤♦✇ t♦ ❣❡t ❛ s❤❡❧❧❝♦❞❡❄

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✸ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

P❧❛♥

✶

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

✸

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

✹

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

✺

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

✻

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

✼

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

✽

❈♦♥❝❧✉s✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✹ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❖❜❥❡❝t✐✈❡ ♦❢ t❤✐s ♣❛rt ✲ ✶

Pr❡s❡♥t ❛♥ ❡❛s② ✇❛② t♦ ✇r✐t❡ t❤❡ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ❛s ❛ s❤❡❧❧❝♦❞❡ ❲r✐t✐♥❣ s❤❡❧❧❝♦❞❡ ❞✐r❡❝t❧② ✐♥ ❛ss❡♠❜❧② q✉✐❝❦❧② ❜❡❝♦♠❡s t❡❞✐♦✉s ⇒ s♦❧✉t✐♦♥ ❞✐s♠✐ss❡❞ ❇❡tt❡r s♦❧✉t✐♦♥ ✇♦✉❧❞ ❜❡✿

✇r✐t❡ ❝♦❞❡ ✐♥ ❈ ❧❛♥❣✉❛❣❡ ✉s❡ ❝♦♠♣✐❧❡r t♦ ❣❡♥❡r❛t❡ ❡①❡❝✉t❛❜❧❡ ❡①tr❛❝t s♦♠❡ ♣❛rt ❢r♦♠ t❤✐s ❡①❡❝✉t❛❜❧❡ ❢♦r♠ s❤❡❧❧❝♦❞❡ ❜② ❛ss❡♠❜❧✐♥❣ t❤❡♠

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✺ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❖❜❥❡❝t✐✈❡ ♦❢ t❤✐s ♣❛rt ✲ ✷

❇✐♥❛r② ❝♦❞❡ ♣r♦❞✉❝❡❞ ❜② ♥♦r♠❛❧ ❝♦♠♣✐❧❛t✐♦♥ ❝❛♥♥♦t ❜❡ ❞✐r❡❝t❧② ✉s❡❞ t♦ ❝r❡❛t❡ ❛ s❤❡❧❧❝♦❞❡✿

❝♦♥t❛✐♥s ❧♦ts ♦❢ ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss❡s ✭r❡❢❡r❡♥❝❡ t♦ ❛ str✐♥❣ ♦r ❛ ❣❧♦❜❛❧ ✈❛r✐❛❜❧❡✮ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥s ❝❛❧❧s ❛r❡ r❡❧❛t✐✈❡ ❜✉t ❞✐st❛♥❝❡s ❛r❡ ❤❛r❞❝♦❞❡❞ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❝❛❧❧s r❡❧② ♦♥ ■❆❚

▼❛♥② ✇❛②s t♦ s♦❧✈❡ t❤♦s❡ ♣r♦❜❧❡♠s ✭♣❛t❝❤ ❛ss❡♠❜❧②✱ ✇♦r❦ ✐♥ t❤❡ st❛❝❦✳ ✳ ✳ ✮ ❈❤♦♦s❡ ♦♥❡ t❡❝❤♥✐q✉❡✿ ✉s❡ ❛ ❣❧♦❜❛❧ ❞❛t❛

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✻ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✶

❯s❡ ♦♥❡ str✉❝t✉r❡ t❤❛t st♦r❡s ❛❧❧ ❣❧♦❜❛❧ ❞❛t❛ ❛♥❞ t❤❛t ✐s tr❛♥s♠✐tt❡❞ ✐♥ ❡✈❡r② ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥ ❝❛❧❧ ❙tr✉❝t✉r❡✱ ❝❛❧❧❡❞ ❧❛t❡r ✏●▲❖❇❆▲❴❉❆❚❆✑✱ ✇✐❧❧ ❝♦♥t❛✐♥✿

♣♦✐♥t❡rs ♦♥ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥s ♣♦✐♥t❡rs ♦♥ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❣❧♦❜❛❧ ✈❛r✐❛❜❧❡s str✐♥❣s

❈ ❝♦❞❡ ✐s ♠♦❞✐✜❡❞ s♦ t❤❛t ❡✈❡r② r❡❢❡r❡♥❝❡ t♦ ❛ ♣r❡✈✐♦✉s❧② ❧✐st❡❞ ❡❧❡♠❡♥t ✇✐❧❧ ❜❡ ❞♦♥❡ t❤r♦✉❣❤ ●▲❖❇❆▲❴❉❆❚❆

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✼ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✷

Original function DisplayFile BOOL DisplayFile(IN CHAR * szFilePath) { ... CreateFile(szFilePath, ...) pData = (UCHAR *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize+1) ReadFile(hFile, pData, ...) PrintMsg(LOG_LEVEL_TRACE, "File successfully read: %s", pData); ... } Patched function DisplayFile (modifications are colorized in red) BOOL DisplayFile(IN PGLOBAL_DATA pGlobalData, IN CHAR * szFilePath) { ... pGlobalData->CreateFile(szFilePath, ...) pData = (UCHAR *) pGlobalData->HeapAlloc(pGlobalData->GetProcessHeap(), \\ HEAP_ZERO_MEMORY, dwFileSize+1) pGlobalData->ReadFile(hFile, pData, ...) pGlobalData->PrintMsg(pGlobalData, LOG_LEVEL_TRACE, pGlobalData->szString_00000001, \\ pData); ... } ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✽ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✸

❚❤❡ ●▲❖❇❆▲❴❉❆❚❆ ❞❡✜♥✐t✐♦♥ ❧♦♦❦s ❧✐❦❡ t❤❡ ❢♦❧❧♦✇✐♥❣✿

Overview of structure GLOBAL_DATA typedef struct _GLOBAL_DATA { /* Internal functions */ PrintMsgTypeDef fp_PrintMsg; /* Imported functions */ CreateFileTypeDef fp_CreateFile; HeapAllocTypeDef fp_HeapAlloc; GetProcessHeapTypeDef fp_GetProcessHeap; ReadFileTypeDef fp_ReadFile; /* Data strings */ CHAR szString_00000001[27]; } GLOBAL_DATA, * PGLOBAL_DATA; ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✹✾ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✹

◆✉♠❜❡r ♦❢ ♠♦❞✐✜❝❛t✐♦♥s ❝❛♥ ❜❡ ❝♦♥s✐❞❡r❛❜❧② r❡❞✉❝❡❞ ❜② ✉s✐♥❣ ❈ ♠❛❝r♦s✿

Definitions of macros /* Add GLOBAL_DATA parameter in definitions of internal function */ #define DisplayFileTempDefinition(...) \\ DisplayFileDefinition(PGLOBAL_DATA pGlobalData, __VA_ARGS__) /* Add redirection and GLOBAL_DATA parameter in call of internal function */ #define PrintMsg(...) pGlobalData->fp_PrintMsg(pGlobalData, __VA_ARGS__) #define DisplayFile(...) pGlobalData->fp_DisplayFile(pGlobalData, __VA_ARGS__) /* Add redirection for imported functions */ #define CreateFile pGlobalData->fp_CreateFile #define HeapAlloc pGlobalData->fp_HeapAlloc #define GetProcessHeap pGlobalData->fp_GetProcessHeap #define ReadFile pGlobalData->fp_ReadFile /* Add redirection for strings */ #define STR_00000001(x) pGlobalData->szString_00000001 ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✵ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✺

P❛t❝❤❡❞ ❢✉♥❝t✐♦♥ ✏❉✐s♣❧❛②❋✐❧❡✑ ❜❡❝♦♠❡s✿

Patched function DisplayFile with the macros BOOL DisplayFileTempDefinition(IN CHAR * szFilePath) { ... CreateFile(szFilePath, ...) pData = (UCHAR *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize+1) ReadFile(hFile, pData, ...) PrintMsg(LOG_LEVEL_TRACE, STR_00000001("File successfully read: %s"), pData); ... }

⇒ t❤❡r❡ ❛r❡ ♥♦✇ ✈❡r② ❢❡✇ ♠♦❞✐✜❝❛t✐♦♥s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✶ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✻

Call of the internal function “DisplayMessage” DisplayMessage(g_szMessage); 00412F99 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; get address of g_szMessage in 00412F9C 05 58010000 ADD EAX,158 ; GLOBAL_DATA 00412FA1 50 PUSH EAX ; push address of g_szMessage 00412FA2 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; get address of pGlobalData 00412FA5 51 PUSH ECX ; push address of pGlobalData 00412FA6 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; get address of DisplayMessage 00412FA9 8B82 88000000 MOV EAX,DWORD PTR DS:[EDX+88] 00412FAF FFD0 CALL EAX ; call DisplayMessage Call of the internal function “DisplayFile” if(DisplayFile("test.txt") == FALSE) 00412FFC 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; get address of pGlobalData 00412FFF 05 A1040000 ADD EAX,4A1 ; get address of string 00413004 50 PUSH EAX ; push address of string 00413005 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; get address of pGlobalData 00413008 51 PUSH ECX ; push address of pGlobalData 00413009 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 0041300C 8B42 78 MOV EAX,DWORD PTR DS:[EDX+78] ; get address of DisplayFile 0041300F FFD0 CALL EAX ; call DisplayFile ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✷ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✼

Call of the imported function “CreateFile” CreateFile(szFilePath, ...) ... 00412DE2 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; get address of pGlobalData 00412DE5 8B91 D8000000 MOV EDX,DWORD PTR DS:[ECX+D8] ; get address of CreateFile 00412DEB FFD2 CALL EDX ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✸ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✽

• ❡♥❡r❛t❡❞ ❜✐♥❛r② ❞♦❡s ♥♦t ❝♦♥t❛✐♥ ❛♥② ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss❡s

⇒ ❜✐♥❛r② ❝♦❞❡ ❝❛♥ ❜❡ ❞✐r❡❝t❧② ❡①tr❛❝t❡❞ ❛♥❞ ✉s❡❞ t♦ ❢♦r♠ s❤❡❧❧❝♦❞❡ ❙❤❡❧❧❝♦❞❡ ♠❛② ❜❡ ❝r❡❛t❡❞ s✐♠♣❧② ❜② ❝♦♥❝❛t❡♥❛t✐♥❣ t❤❡ ❡①tr❛❝t❡❞ ❢✉♥❝t✐♦♥s ❛♥❞ ❛❞❞✐♥❣ t❤❡ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ❛t t❤❡ ❡♥❞

entrypoint Shellcode Internal function Internal function ... Internal function pointers Internal function Imported function pointers Global variables Strings GLOBAL_DATA

❋✐❣✉r❡✿ ❖✈❡r✈✐❡✇ ♦❢ t❤❡ str✉❝t✉r❡ ♦❢ t❤❡ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✹ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❙✉♠♠❛r②

❚❤✐s s♦❧✉t✐♦♥ ❛❧❧♦✇s ❛ s❤❡❧❧❝♦❞❡ t♦ ❜❡ ❝r❡❛t❡❞ ✇✐t❤ ❧✐tt❧❡ ♠♦❞✐✜❝❛t✐♦♥ ♦❢ s♦✉r❝❡ ❝♦❞❡ ❍♦✇❡✈❡r✱ st✐❧❧ ❛ ❢❡✇ ♣r♦❜❧❡♠s t♦ s♦❧✈❡✿

✇r✐t✐♥❣ t❤❡ ❞❡✜♥✐t✐♦♥ ♦❢ t❤❡ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ❛♥❞ t❤❡ ❞❡✜♥✐t✐♦♥ ♦❢ ♠❛❝r♦s ✐s ❧♦♥❣ t❤❡ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ♠✉st ❜❡ ✐♥✐t✐❛❧✐s❡❞ ❜✐♥❛r② ❞❛t❛ ♠✉st ❜❡ ❡①tr❛❝t❡❞ ❢r♦♠ ❣❡♥❡r❛t❡❞ ❡①❡❝✉t❛❜❧❡ ❛♥❞ ❛ss❡♠❜❧❡❞ t♦ ❝r❡❛t❡ ✜♥❛❧ s❤❡❧❧❝♦❞❡

⇒ ❆ t♦♦❧ t❤❛t ❡①❡❝✉t❡s ❛❧❧ t❤♦s❡ ♦♣❡r❛t✐♦♥s ❛✉t♦♠❛t✐❝❛❧❧② ❤❛s ❜❡❡♥ ❞❡✈❡❧♦♣❡❞✿ ❲✐❙❤▼❛st❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✺ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

P❧❛♥

✶

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

✸

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

✹

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

✺

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

✻

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

✼

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

✽

❈♦♥❝❧✉s✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✻ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ Pr❡s❡♥t❛t✐♦♥

P❧❛♥ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✖ Pr❡s❡♥t❛t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✼ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ Pr❡s❡♥t❛t✐♦♥

Pr❡s❡♥t❛t✐♦♥

❲✐❙❤▼❛st❡r ✐s ❛ t♦♦❧ t❤❛t ❛✉t♦♠❛t✐❝❛❧❧② ❣❡♥❡r❛t❡s s❤❡❧❧❝♦❞❡s✱ ❜② ✉s✐♥❣ t❤❡ ♣r❡✈✐♦✉s❧② ❞❡s❝r✐❜❡❞ ♣r✐♥❝✐♣❧❡ ❚❛❦❡s ❛ s❡t ♦❢ ❈ s♦✉r❝❡ ✜❧❡s ✇r✐tt❡♥ ✏♥♦r♠❛❧❧②✑ ✐♥ ✐♥♣✉t ❛♥❞ ❣❡♥❡r❛t❡s ❛ s❤❡❧❧❝♦❞❡ ✐♥ ♦✉t♣✉t ❙❤❡❧❧❝♦❞❡ ❛❝❝♦♠♣❧✐s❤❡s s❛♠❡ ♦♣❡r❛t✐♦♥s ❛s ❡①❡❝✉t❛❜❧❡ ♣r♦❞✉❝❡❞ ❜② ❝♦♠♣✐❧❛t✐♦♥ ♦❢ ♦r✐❣✐♥❛❧ s♦✉r❝❡ ❚r❛♥s❢♦r♠❛t✐♦♥ ✐♥ s❤❡❧❧❝♦❞❡ ❝❛❧❧❡❞ ❧❛t❡r ✏s❤❡❧❧❝♦❞✐s❛t✐♦♥✑

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✽ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ Pr❡s❡♥t❛t✐♦♥

❉❡✈❡❧♦♣♠❡♥t ♣r♦❣r❡ss ✲ ❲✐❙❤▼❛st❡r ✈❡rs✐♦♥ ✶

❲✐❙❤▼❛st❡r ✈✶ ❤❛s ❜❡❡♥ ❛✈❛✐❧❛❜❧❡ ♦♥ ♠② ✇❡❜ s✐t❡ ❢♦r ♦♥❡ ②❡❛r

• r❛♣❤✐❝❛❧ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✐♥ ❈★

❲♦r❦s ❜✉t ❤❛s s❡✈❡r❛❧ ❧✐♠✐t❛t✐♦♥s ▼♦st ✐♠♣♦rt❛♥t✿ ❈ ❝♦❞❡ ♣❛rs❡❞ ✇✐t❤ r❡❣✉❧❛r ❡①♣r❡ss✐♦♥s ⇒ ♠✉st ❝♦♥❢♦r♠ t♦ ❛ ❢❡✇ s②♥t❛① r✉❧❡s t♦ ❜❡ s✉❝❝❡ss❢✉❧❧② ❛♥❛❧②s❡❞

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✺✾ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ Pr❡s❡♥t❛t✐♦♥

❉❡✈❡❧♦♣♠❡♥t ♣r♦❣r❡ss ✲ ❲✐❙❤▼❛st❡r ✈❡rs✐♦♥ ✷

❲✐❙❤▼❛st❡r ✈✷ ✐s ✉♥❞❡r ❛❝t✐✈❡ ❞❡✈❡❧♦♣♠❡♥t ❈♦rr❡❝ts ♠❛♥② ♣r♦❜❧❡♠s ♦❢ t❤❡ ✈✶✿

❲✐❙❤▼❛st❡r ✐s ♥♦✇ ❛ ❝♦♥s♦❧❡ ❛♣♣❧✐❝❛t✐♦♥ ✇r✐tt❡♥ ✐♥ P②t❤♦♥✿

s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❝❛♥ ❜❡ s❝r✐♣t❡❞ ✉s❡r ❝❛♥ ✐♥t❡r❝❡❞❡ ❛t ❛♥② st❡♣ ♦❢ t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss✱ ✈✐❡✇ r❡s✉❧ts ❛♥❞ ❝♦rr❡❝t ❡✈❡♥t✉❛❧ ♠✐st❛❦❡s

♣❛rs✐♥❣ ♦❢ s♦✉r❝❡ ❝♦❞❡ ✇✐t❤ r❡❣✉❧❛r ❡①♣r❡ss✐♦♥s ❤❛s ❜❡❡♥ ❝♦♥s✐❞❡r❛❜❧② r❡❞✉❝❡❞ ⇒ ♠♦st ♦❢ t❤❡ ❝♦♥str❛✐♥s ♦♥ ❈ s②♥t❛① ❤❛✈❡ ❜❡❡♥ r❡♠♦✈❡❞

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✵ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

P❧❛♥ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✖ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✶ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ✐♥ ❲✐❙❤▼❛st❡r

❙❤❡❧❧❝♦❞✐s❛t✐♦♥ ❛❝❝♦♠♣❧✐s❤❡❞ ❜② ❲✐❙❤▼❛st❡r ✐s ❞✐✈✐❞❡❞ ✐♥t♦ ✻ st❡♣s✿ ❆♥❛❧②s✐s✿ ✐❞❡♥t✐✜❡s ❝♦❞❡ ❡❧❡♠❡♥ts ❖❜t❛✐♥ t❤❡ s✐③❡ ♦❢ ❣❧♦❜❛❧ ✈❛r✐❛❜❧❡s ❈r❡❛t❡ ❡♥✈✐r♦♥♠❡♥t✿

❝r❡❛t❡s ✜❧❡ ❣❧♦❜❛❧❴❞❛t❛✳❤ ✭●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ❛♥❞ ♠❛❝r♦s✮ ❝r❡❛t❡s ❛ ♣❛t❝❤❡❞ ❝♦♣② ♦❢ s♦✉r❝❡ ✜❧❡s ✐♥ ❛ t❡♠♣♦r❛r② ❞✐r❡❝t♦r②

• ❡♥❡r❛t✐♦♥✿ ❜✉✐❧❞s ♣❛t❝❤❡❞ s♦✉r❝❡s✱ ❡①tr❛❝ts ❜✐♥❛r② ❞❛t❛ ❛♥❞

❣❡♥❡r❛t❡s t❤❡ s❤❡❧❧❝♦❞❡ ❈✉st♦♠✐③❛t✐♦♥ ■♥t❡❣r❛t✐♦♥✿

❝♦♣② s❤❡❧❧❝♦❞❡ ✐♥ ❛ s♣❡❝✐✜❝ ❞✐r❡❝t♦r② ♦r tr❛♥s❢♦r♠ ✐t ✐♥ ❛ ❈ ❛rr❛② ❛♥❞ ❞✉♠♣ ✐t ✐♥ ❛ ❈ ❤❡❛❞❡r ✜❧❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✷ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✶

Pr✐♥❝✐♣❧❡ ❙t❡♣ ❝♦♠♣♦✉♥❞❡❞ ♦❢ ❛ ❝❤❛✐♥ ♦❢ ❢✉♥❝t✐♦♥s t❤❛t ✇✐❧❧ ❡①❡❝✉t❡ s♦♠❡ ♠♦❞✐✜❝❛t✐♦♥s ♦♥ t❤❡ s❤❡❧❧❝♦❞❡ ❛♥❞ tr❛♥s♠✐t t❤❡ ♠♦❞✐✜❡❞ s❤❡❧❧❝♦❞❡ t♦ t❤❡ ♥❡①t ❢✉♥❝t✐♦♥ ❈♦♥t❡♥t ♦❢ t❤❡ ❝❤❛✐♥ ✐s ❞❡✜♥❡❞ ❜② t❤❡ ✉s❡r ❈✉st♦♠✐③❛t✐♦♥ ❢✉♥❝t✐♦♥s ✐♠♣❧❡♠❡♥t❡❞ ✐♥ P②t❤♦♥ ♠♦❞✉❧❡ ⇒ ✉s❡r ❝❛♥ ❡❛s✐❧② ✇r✐t❡ t❤❡✐r ♦✇♥ ❝✉st♦♠✐③❛t✐♦♥ ♠♦❞✉❧❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✸ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✷

❊①❛♠♣❧❡ ✶✿ ❡♥❝r②♣t✐♦♥ ❈✉st♦♠✐③❛t✐♦♥ st❡♣ ♠❛② ❜❡ ✉s❡❞ t♦ ❡♥❝r②♣t t❤❡ s❤❡❧❧❝♦❞❡ ❲✐❙❤▼❛st❡r ❝♦♠❡s ✇✐t❤ t✇♦ ✏❝✉st♦♠✐③❛t✐♦♥✑ ♠♦❞✉❧❡s t❤❛t ❝❛♥ ❡♥❝r②♣t ❛ s❤❡❧❧❝♦❞❡✿

❳❖❘ ❡♥❝r②♣t✐♦♥ ✇✐t❤ ❛ ✸✷✲❜✐ts ❦❡② ✭♣♦❧②♠♦r♣❤✐s♠✮ ❆❊❙✲❈❇❈ ❡♥❝r②♣t✐♦♥ ✇✐t❤ ❛ ✷✺✻✲❜✐ts ❦❡②

❊①❛♠♣❧❡ ✷✿ s❡tt✐♥❣ s♣❡❝✐✜❝ ✈❛❧✉❡s ❊①❛♠♣❧❡✿ s❤❡❧❧❝♦❞❡ t❤❛t ❝♦♥♥❡❝ts t♦ ❛ s❡r✈❡r ❙♦✉r❝❡ ❝♦❞❡ ❝♦♥t❛✐♥s t✇♦ ✈❛r✐❛❜❧❡s✿ ■P ❛❞❞r❡ss ❛♥❞ ♣♦rt ♦❢ t❤❡ s❡r✈❡r ■❢ ✇❡ ♣✉t r❡❛❧ ✈❛❧✉❡s ❞✐r❡❝t❧② ✐♥ t❤♦s❡ ✈❛r✐❛❜❧❡s✿

s❤❡❧❧❝♦❞❡ ♠✉st ❜❡ r❡❣❡♥❡r❛t❡❞ t♦ ❝♦♥♥❡❝t t♦ ❛♥♦t❤❡r s❡r✈❡r s❤❡❧❧❝♦❞❡ ❝❛♥♥♦t ❜❡ ❞✐str✐❜✉t❡❞ ✐♥ ✐ts ❜✐♥❛r② ❢♦r♠

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✹ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✷

❊①❛♠♣❧❡ ✶✿ ❡♥❝r②♣t✐♦♥ ❈✉st♦♠✐③❛t✐♦♥ st❡♣ ♠❛② ❜❡ ✉s❡❞ t♦ ❡♥❝r②♣t t❤❡ s❤❡❧❧❝♦❞❡ ❲✐❙❤▼❛st❡r ❝♦♠❡s ✇✐t❤ t✇♦ ✏❝✉st♦♠✐③❛t✐♦♥✑ ♠♦❞✉❧❡s t❤❛t ❝❛♥ ❡♥❝r②♣t ❛ s❤❡❧❧❝♦❞❡✿

❳❖❘ ❡♥❝r②♣t✐♦♥ ✇✐t❤ ❛ ✸✷✲❜✐ts ❦❡② ✭♣♦❧②♠♦r♣❤✐s♠✮ ❆❊❙✲❈❇❈ ❡♥❝r②♣t✐♦♥ ✇✐t❤ ❛ ✷✺✻✲❜✐ts ❦❡②

❊①❛♠♣❧❡ ✷✿ s❡tt✐♥❣ s♣❡❝✐✜❝ ✈❛❧✉❡s ❊①❛♠♣❧❡✿ s❤❡❧❧❝♦❞❡ t❤❛t ❝♦♥♥❡❝ts t♦ ❛ s❡r✈❡r ❙♦✉r❝❡ ❝♦❞❡ ❝♦♥t❛✐♥s t✇♦ ✈❛r✐❛❜❧❡s✿ ■P ❛❞❞r❡ss ❛♥❞ ♣♦rt ♦❢ t❤❡ s❡r✈❡r ■❢ ✇❡ ♣✉t r❡❛❧ ✈❛❧✉❡s ❞✐r❡❝t❧② ✐♥ t❤♦s❡ ✈❛r✐❛❜❧❡s✿

s❤❡❧❧❝♦❞❡ ♠✉st ❜❡ r❡❣❡♥❡r❛t❡❞ t♦ ❝♦♥♥❡❝t t♦ ❛♥♦t❤❡r s❡r✈❡r s❤❡❧❧❝♦❞❡ ❝❛♥♥♦t ❜❡ ❞✐str✐❜✉t❡❞ ✐♥ ✐ts ❜✐♥❛r② ❢♦r♠

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✹ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸

Developer of the shellcode MyProject.cpp 1 The developer writes source code IP and port set to special values

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✺ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸

Developer of the shellcode MyProject.cpp GLOBAL_DATA Internal functions 2 to generate the shellcode Developer uses WiShMaster

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✻ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸

Developer of the shellcode MyProject.cpp GLOBAL_DATA Internal functions module: patch values Cutomization module in Python Developer writes a cutomization 3

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✼ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸

Developer of the shellcode MyProject.cpp GLOBAL_DATA Internal functions module: patch values Cutomization customization module on Internet 4 Developer puts the shellcode and the

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✽ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸

Developer of the shellcode User of the shellcode MyProject.cpp GLOBAL_DATA Internal functions module: patch values Cutomization functions GLOBAL_DATA Internal and the cutomization module A user gets the shellcode 5

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✻✾ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸

Developer of the shellcode User of the shellcode MyProject.cpp GLOBAL_DATA Internal functions module: patch values Cutomization functions GLOBAL_DATA Internal functions GLOBAL_DATA Values patch values module: Cutomization Internal The user uses the customization module to patch special values 6

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✵ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸

Developer of the shellcode User of the shellcode MyProject.cpp GLOBAL_DATA Internal functions module: patch values Cutomization functions GLOBAL_DATA Internal functions GLOBAL_DATA Values patch values module: Cutomization Internal Encryption key Cutomization module: encryption The user uses another customization 7 module to encrypt the shellcode

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✶ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ✐♥ ❲✐❙❤▼❛st❡r ✈✷ ✲ ✶

■♥t❡r♥❛❧❧②✿ ❊✈❡r② ❡❧❡♠❡♥t ❞✐s❝♦✈❡r❡❞ ✐♥ t❤❡ s♦✉r❝❡ ❝♦❞❡ ∼ ❛♥ ♦❜❥❡❝t ✭✐♥t❡r♥❛❧✴✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s✱ str✐♥❣s✳ ✳ ✳ ✮ ❊✈❡r② st❡♣ ♦❢ t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ❞✐✈✐❞❡❞ ✐♥t♦ s❡✈❡r❛❧ s♠❛❧❧ s✉❜✲st❡♣s ❊✈❡r② s✉❜✲st❡♣ ✐♠♣❧❡♠❡♥t❡❞ ❜② ♦♥❡ ❢✉♥❝t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✷ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss

■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ✐♥ ❲✐❙❤▼❛st❡r ✈✷ ✲ ✷

❲✐❙❤▼❛st❡r ❝❛♥ ❜❡ ❧❛✉♥❝❤❡❞ ✐♥ t❤r❡❡ ♠♦❞❡s✿ ❛✉t♦♠❛t✐❝✿ ❡①❡❝✉t❡s t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❛✉t♦♠❛t✐❝❛❧❧② s❝r✐♣t✿ ❡①❡❝✉t❡s ❛♥ ❡①t❡r♥❛❧ s❝r✐♣t t❤❛t ❝❛♥ ❝❛❧❧ st❡♣✴s✉❜✲st❡♣ ❢✉♥❝t✐♦♥s ❡①♣♦rt❡❞ ❜② ❲✐❙❤▼❛st❡r ❛♥❞ ♠❛♥✐♣✉❧❛t❡ ♦❜❥❡❝ts ✐♥t❡r❛❝t✐✈❡✿ st❛rts ❛ P②t❤♦♥ s❤❡❧❧ ✭s❛♠❡ ♣r✐♥❝✐♣❧❡ ❛s ✐♥ ❙❝❛♣②✮ ❯s❡r ❝❛♥ t❤❡♥✿

❝❛❧❧ st❡♣✴s✉❜✲st❡♣ ❢✉♥❝t✐♦♥s ❡①❡❝✉t❡ ❛ s❤❡❧❧❝♦❞✐s❛t✐♦♥ st❡♣ ❜② st❡♣ ❜② ❝❛❧❧✐♥❣ s♦♠❡ ❢✉♥❝t✐♦♥s st❡♣✭✮✱ st❡♣✐✭✮✱ r✉♥✭✮✳ ✳ ✳ ✭❧✐❦❡ ✐♥ ❛ ❞❡❜✉❣❣❡r✮ ❞✐s♣❧❛② ♦❜❥❡❝ts✱ ❝❤❛♥❣❡ t❤❡✐r ♣r♦♣❡rt✐❡s t♦ ❝♦rr❡❝t ❡✈❡♥t✉❛❧ ♠✐st❛❦❡s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✸ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

P❧❛♥ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✖ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✹ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡✿ ♦❜❥❡❝t✐✈❡

❙❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❞❡s❝r✐❜❡❞ ♣r❡✈✐♦✉s❧② ❝r❡❛t❡s ❛ ❜✐♥❛r② ❝♦❞❡ t❤❛t ♠❛② r✉♥ ❛t ❛♥② ❛❞❞r❡ss ❍♦✇❡✈❡r✱ s❤❡❧❧❝♦❞❡ ♠✉st ✐♥✐t✐❛❧✐s❡ t❤❡ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ❖♣❡r❛t✐♦♥ ❡①❡❝✉t❡❞ ❜② ❛ ❢✉♥❝t✐♦♥ ❛❞❞❡❞ ❜② ❲✐❙❤▼❛st❡r✱ ♣❧❛❝❡❞ ❛t t❤❡ ❜❡❣✐♥♥✐♥❣ ♦❢ t❤❡ s❤❡❧❧❝♦❞❡✿

✜♥❞ ❛❞❞r❡ss ♦❢ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ✜♥❞ ❛❞❞r❡ss❡s ♦❢ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥s ❛♥❞ ✜❧❧ ♣♦✐♥t❡rs ✐♥ ●▲❖❇❆▲❴❉❆❚❆ r❡s♦❧✈❡ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❛♥❞ ✜❧❧ ♣♦✐♥t❡rs ✐♥ ●▲❖❇❆▲❴❉❆❚❆

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✺ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡✿ ♣r✐♥❝✐♣❧❡

❲✐❙❤▼❛st❡r ✉s❡s t✐♣s ✇❡❧❧✲❦♥♦✇♥ ❜② ❲✐♥❞♦✇s s❤❡❧❧❝♦❞❡ ✇r✐t❡rs✿ ✜♥❞s ❧♦❛❞ ❛❞❞r❡ss ✇✐t❤ ❝❛❧❧✴♣♦♣ ✐♥str✉❝t✐♦♥s ❣❡ts ❛❞❞r❡ss ♦❢ ❦❡r♥❡❧✸✷✳❞❧❧ t❤r♦✉❣❤ t❤❡ P❊❇ ✭Pr♦❝❡ss ❊♥✈✐r♦♥♠❡♥t ❇❧♦❝❦✮ r❡s♦❧✈❡s ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ✇✐t❤ ▲♦❛❞▲✐❜r❛r② ❛♥❞ ❛♥ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥ t❤❛t ❢♦✉♥❞ t❤❡ ❛❞❞r❡ss ♦❢ ❛♥ ❡①♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❢r♦♠ ❛ ✸✷✲❜✐ts ❝❤❡❝❦s✉♠ ❝♦♠♣✉t❡❞ ❢r♦♠ ✐ts ♥❛♠❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✻ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡✿ s✉♠♠❛r②

❚❤❡ s❤❡❧❧❝♦❞❡ ✐♥✐t✐❛❧✐s❛t✐♦♥ r❡❧✐❡s ♦♥ t❤r❡❡ ❢✉♥❝t✐♦♥s✿ ✏■♥✐t✐❛❧✐s❡❙❤❡❧❧❝♦❞❡✑✿ ❡♥tr② ♣♦✐♥t ♦❢ t❤❡ s❤❡❧❧❝♦❞❡✱ ✇❤✐❝❤ ✐♥✐t✐❛❧✐s❡s

• ▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡

✏●❡t❑❡r♥❡❧✸✷❆❞❞r❡ss✑✿ r❡t✉r♥s t❤❡ ❧♦❛❞ ❛❞❞r❡ss ♦❢ ✏❦❡r♥❡❧✸✷✳❞❧❧✑ ✏●❡tPr♦❝❆❞❞r❡ss❇②❈❦s✉♠■♥❉❧❧✑✿ ✜♥❞s ❛♥ ❡①♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❢r♦♠ t❤❡ ❝❤❡❝❦s✉♠ ♦❢ ✐ts ♥❛♠❡ ✭s✉♣♣♦rts ❞❧❧ ❢♦r✇❛r❞✐♥❣✮

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✼ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

P❧❛♥

✶

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

✸

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

✹

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

✺

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

✻

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

✼

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

✽

❈♦♥❝❧✉s✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✽ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

Pr❡s❡♥t❛t✐♦♥ ♦❢ s✐♠♣❧❡t❡st

❱❡r② s✐♠♣❧❡ ♣r♦❣r❛♠✿ ♣r✐♥ts ♠❡ss❛❣❡s ❞✐s♣❧❛②s t❤❡ ❝♦♥t❡♥t ♦❢ ❛ ✜❧❡ ✏t❡st✳t①t✑

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✼✾ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✶

File user.h.txt #define SIZE_USERNAME 32 #define SIZE_PASSWORD 32 typedef struct _USER { CHAR szUsername[SIZE_USERNAME]; CHAR szPassword[SIZE_PASSWORD]; } USER, *PUSER; ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✵ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✷

File display.cpp CHAR g_szMessage[]="This is a message stored as a global variable"; VOID DisplayMessage(IN CHAR * szMessage) { PrintMsg(LOG_LEVEL_TRACE, ">>> %s <<<", szMessage); } BOOL DisplayFile(IN CHAR * szFilePath) { ... CreateFile(szFilePath, ...) pData = (UCHAR *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize+1) ReadFile(hFile, pData, ...) PrintMsg(LOG_LEVEL_TRACE, "File successfully read: %s", pData); ... } BOOL DisplayData(VOID) { DisplayMessage(g_szMessage); PrintMsg(LOG_LEVEL_TRACE, "Username: %s", g_User.szUsername); PrintMsg(LOG_LEVEL_TRACE, "Password: %s", g_User.szPassword); if(DisplayFile("test.txt") == FALSE) return FALSE; return TRUE; } ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✶ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✸

File main.cpp USER g_User ={"jmerchat","password"}; BOOL DisplayData(VOID); int main(int argc, char * argv[]) { DisplayUser(); return 0; } ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✷ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✹

File print_msg.cpp VOID PrintMsg(IN UINT uiMessageLevel, IN const CHAR * fmt, ...) { CHAR szBuffer[SIZE_OF_LOCAL_LOG_BUFFER+1]; UINT i = 0; if(uiMessageLevel == LOG_LEVEL_ERROR) i += _snprintf(&szBuffer[i], SIZE_OF_LOCAL_LOG_BUFFER-i, "[ERROR] : "); else if(uiMessageLevel == LOG_LEVEL_WARNG) ... va_list ap; va_start(ap, fmt); i += _vsnprintf(&szBuffer[i], SIZE_OF_LOCAL_LOG_BUFFER-i, fmt, ap); va_end(ap); printf("[%.4d] %s\n ", GetCurrentThreadId() , szBuffer); fflush(stdout); } ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✺

❚♦ s✉♠ ✉♣✱ ✏s✐♠♣❧❡t❡st✑ ❝♦♥t❛✐♥s✿ ◆❡✇ t②♣❡ ✏❯❙❊❘✑ ❚✇♦ ❣❧♦❜❛❧ ✈❛r✐❛❜❧❡s❀

✏❣❴❯s❡r✑✿ t②♣❡ ✏❯❙❊❘✑ ✏❣❴s③▼❡ss❛❣❡✑✿ str✐♥❣

❋✐✈❡ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥s✿

✏❉✐s♣❧❛②▼❡ss❛❣❡✑✿ ❞✐s♣❧❛②s ✏❣❴s③▼❡ss❛❣❡✑ ✏❉✐s♣❧❛②❋✐❧❡✑✿ ♦♣❡♥s ❛ ✜❧❡ ✏t❡st✳t①t✑ ❛♥❞ ❞✐s♣❧❛②s ✐ts ❝♦♥t❡♥t ✏❉✐s♣❧❛②❉❛t❛✑✿ ❢✉♥❝t✐♦♥ t❤❛t r❡❛❧❧② ❡①❡❝✉t❡s ❛❧❧ ♦♣❡r❛t✐♦♥s ✏♠❛✐♥✑✿ ♣r♦❣r❛♠ ❡♥tr② ♣♦✐♥t t❤❛t ♦♥❧② ❝❛❧❧s ✏❉✐s♣❧❛②❉❛t❛✑ ✏Pr✐♥t▼s❣✑✿ ❞✐s♣❧❛②s ❧♦❣ ♠❡ss❛❣❡s

❙❡✈❡r❛❧ str✐♥❣s ❙❡✈❡r❛❧ ❝❛❧❧s t♦ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s✿ ❈r❡❛t❡❋✐❧❡✱ ❍❡❛♣❆❧❧♦❝✳ ✳ ✳ ⇒ ♥♦t r❡❛❧❧② ✉s❡❢✉❧ ❜✉t ❝♦♥t❛✐♥s ♠♦st ❡❧❡♠❡♥ts ♦❢ ❈ ♣r♦❣r❛♠

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✹ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

❉❡♠♦♥str❛t✐♦♥s

❱✐❞❡♦ ✏s✐♠♣❧❡t❡st❴❡①❡✳❛✈✐✑✿ ❣❡♥❡r❛t✐♦♥ ♦❢ ✏s✐♠♣❧❡t❡st✑ ❛s ❛♥ ❡①❡❝✉t❛❜❧❡ ❱✐❞❡♦ ✏s✐♠♣❧❡t❡st❴s❤❡❧❧❝♦❞❡✳❛✈✐✑✿ ❣❡♥❡r❛t✐♦♥ ♦❢ ✏s✐♠♣❧❡t❡st✑ ❛s ❛ s❤❡❧❧❝♦❞❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✺ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

P❧❛♥

✶

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

✸

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

✹

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

✺

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

✻

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

✼

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

✽

❈♦♥❝❧✉s✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✻ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❖❜❥❡❝t✐✈❡s ♦❢ ❲✐❙❤▼❛st❡r

❱❡rs✐♦♥ ✶ ♦❢ ❲✐❙❤▼❛st❡r✿ ❝r❡❛t✐♦♥ ♦❢ ♠♦♥♦❧✐t❤✐❝ s❤❡❧❧❝♦❞❡s ❲✐t❤ ✈❡rs✐♦♥ ✷✱ ♦❜❥❡❝t✐✈❡s ❤❛✈❡ ❜❡❡♥ ❝♦♥s✐❞❡r❛❜❧② ❡①t❡♥❞❡❞✿

❞❡✈❡❧♦♣♠❡♥t ♦❢ ♠♦❞✉❧❛r ❛♣♣❧✐❝❛t✐♦♥s ✉s❡r ❝❤♦♦s❡s ♦✉t♣✉t ❢♦r♠❛t✿ ❛♥ ❡①❡❝✉t❛❜❧❡✱ ❛ ❞❧❧ ♦r ❛ s❤❡❧❧❝♦❞❡ ❛❧❧♦✇s ❝♦❞❡ r❡✉s❛❜✐❧✐t② ❞❡✈❡❧♦♣♠❡♥t ✐♥ t❤❡ ✈❡r② ♣♦✇❡r❢✉❧ ■❉❊ ❱✐s✉❛❧ ❙t✉❞✐♦ ♣r♦❥❡❝ts ❝❛♥ ❜❡ ❞✐str✐❜✉t❡❞ ❡✐t❤❡r ✐♥ s♦✉r❝❡ ♦r ✐♥ ❜✐♥❛r② ❢♦r♠❛t

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✼ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✶

❆ ❲✐❙❤▼❛st❡r ❛♣♣❧✐❝❛t✐♦♥ ✐s ❝♦♠♣♦✉♥❞❡❞ ♦❢ ♦♥❡ ♦r s❡✈❡r❛❧ ✏♠♦❞✉❧❡s✑ ❆ ♠♦❞✉❧❡ ❝❛♥ ❜❡ ✐♥ ♦♥❡ ♦❢ t❤❡ ❢♦❧❧♦✇✐♥❣ ✹ ❢♦r♠s✿

❛♥ ❡①❡❝✉t❛❜❧❡ ❛ ❞❧❧ ❛ s❤❡❧❧❝♦❞❡ ✐♥❧✐♥❡❞ ✐♥t♦ ❛♥♦t❤❡r ♠♦❞✉❧❡

❊❛❝❤ ♠♦❞✉❧❡ ❝❛♥ ❡①♣♦rt s♦♠❡ ♦❢ ✐ts ❢✉♥❝t✐♦♥s s♦ t❤❛t t❤❡② ❝❛♥ ❜❡ ❝❛❧❧❡❞ ❜② ♦t❤❡r ♠♦❞✉❧❡s ⇒ ❡❛❝❤ ♠♦❞✉❧❡ ❝♦♥t❛✐♥s ❛♥ ✏❡①♣♦rt✑ t❛❜❧❡ ❛♥❞ ❛♥ ✏✐♠♣♦rt✑ t❛❜❧❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✽ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✷

Module1.cpp Mod3_func2 Mod1_func1 Mod1_func2 Mod2_func1 Imported function Internal function exported Mod3_func1 Mod3_func2 Mod2_func1 Module2.cpp Module3.cpp Mod3_func1 Mod3_func2 Mod1_func1 Mod2_func1 1 and exporting some functions Three modules importing

❋✐❣✉r❡✿ ❙tr✉❝t✉r❡ ♦❢ ❛♥ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✇✐t❤ ❲✐❙❤▼❛st❡r ✈✷

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✽✾ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✷

Module1.cpp Mod3_func2 Mod1_func1 Mod1_func2 Mod2_func1 Imported function Internal function exported Mod3_func1 Mod3_func2 Mod2_func1 Module2.cpp Module3.cpp Mod3_func1 Mod3_func2 Mod1_func1 Mod2_func1 Mod3_func2 Module1.bin Mod1_func1 Mod1_func2 Mod2_func1 Mod3_func1 2 Module 1 output = shellcode Module 2 output = inlined in module 1

❋✐❣✉r❡✿ ❙tr✉❝t✉r❡ ♦❢ ❛♥ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✇✐t❤ ❲✐❙❤▼❛st❡r ✈✷

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✵ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✷

Module1.cpp Mod3_func2 Mod1_func1 Mod1_func2 Mod2_func1 Imported function Internal function exported Mod3_func1 Mod3_func2 Mod2_func1 Module2.cpp Module3.cpp Mod3_func1 Mod3_func2 Mod1_func1 Mod2_func1 Mod3_func2 Module1.bin Mod1_func1 Mod1_func2 Mod2_func1 Mod3_func1 Import and export tables

• f both modules are merged

3

❋✐❣✉r❡✿ ❙tr✉❝t✉r❡ ♦❢ ❛♥ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✇✐t❤ ❲✐❙❤▼❛st❡r ✈✷

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✶ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✷

Module1.cpp Mod3_func2 Mod1_func1 Mod1_func2 Mod2_func1 Imported function Internal function exported Mod3_func1 Mod3_func2 Mod2_func1 Module2.cpp Module3.cpp Mod3_func1 Mod3_func2 Mod1_func1 Mod2_func1 Mod3_func2 Module1.bin Mod1_func1 Mod1_func2 Mod2_func1 Mod3_func1 Mod3_func2 Mod2_func1 Mod1_func1 Module3.exe Mod3_func1 4 Module 3 output = executable

❋✐❣✉r❡✿ ❙tr✉❝t✉r❡ ♦❢ ❛♥ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✇✐t❤ ❲✐❙❤▼❛st❡r ✈✷

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✷ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✷

Module1.cpp Mod3_func2 Mod1_func1 Mod1_func2 Mod2_func1 Imported function Internal function exported Mod3_func1 Mod3_func2 Mod2_func1 Module2.cpp Module3.cpp Mod3_func1 Mod3_func2 Mod1_func1 Mod2_func1 Mod3_func2 Module1.bin Mod1_func1 Mod1_func2 Mod2_func1 Mod3_func1 Mod3_func2 Mod2_func1 Mod1_func1 Module3.exe Mod3_func1 Module3.exe Mod1_func2 Mod2_func1 Mod1_func1 Module1.bin Mod3_func2 Mod3_func1 Mod3_func1 Mod3_func2 Mod1_func1 Mod2_func1 During execution, imported 5 symbols are resolved

❋✐❣✉r❡✿ ❙tr✉❝t✉r❡ ♦❢ ❛♥ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✇✐t❤ ❲✐❙❤▼❛st❡r ✈✷

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✸ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❇✐♥❛r② ❢♦r♠❛t ♦❢ ❛ ❲✐❙❤▼❛st❡r ♠♦❞✉❧❡ ✲ ✶

▼♦❞✉❧❡ ♠✉st ❜❡ ❛❜❧❡ t♦✿ ❧♦❛❞ ✇✐t❤♦✉t ❣❡♥❡r❛t✐♥❣ ❛♥ ❡rr♦r ❡✈❡♥ ✐❢ ❛ r❡q✉✐r❡❞ ♠♦❞✉❧❡ ✐s ♠✐ss✐♥❣ ❝❛❧❧ ❢✉♥❝t✐♦♥ ❡①♣♦rt❡❞ ❜② ❛ ♠♦❞✉❧❡ ✐♥❞❡♣❡♥❞❡♥t❧② ♦❢ t❤❡ ❢♦r♠❛t ♦❢ t❤✐s ♠♦❞✉❧❡ ✭❡①❡✱ ❞❧❧✱ s❤❡❧❧❝♦❞❡✮ ⇒ P❊ ❢♦r♠❛t ❝❛♥♥♦t ❜❡ ✉s❡❞✿ ❲✐❙❤▼❛st❡r ❞❡✜♥❡s ✐ts ♦✇♥ ❜✐♥❛r② ❢♦r♠❛t

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✹ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❇✐♥❛r② ❢♦r♠❛t ♦❢ ❛ ❲✐❙❤▼❛st❡r ♠♦❞✉❧❡ ✲ ✷

❙tr✉❝t✉r❡ ♦❢ ●▲❖❇❆▲❴❉❆❚❆ ✐s ♥♦r♠❛❧✐③❡❞ ❛♥❞ ❝♦♥t❛✐♥s✿ ❛♥ ❡①♣♦rt t❛❜❧❡✿ ❝♦♥t❛✐♥s t❤❡ ❝❤❡❝❦s✉♠ ♦❢ t❤❡ ♥❛♠❡ ♦❢ ❡❛❝❤ ❡①♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❛♥ ✐♠♣♦rt t❛❜❧❡✿ ❝♦♥t❛✐♥s t❤❡ ❝❤❡❝❦s✉♠ ♦❢ t❤❡ ♥❛♠❡s ♦❢ ❡❛❝❤ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❛♥ ♦♣t✐♦♥❛❧ ❡♥tr② ♣♦✐♥t✿ ♣♦✐♥t❡r ♦♥ ❛♥ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥ t❤❛t ♠✉st ❜❡ ❝❛❧❧❡❞ ❛❢t❡r ♠♦❞✉❧❡ ✐♥✐t✐❛❧✐s❛t✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✺ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❙t❛♥❞❛r❞ ♠♦❞✉❧❡s ✲ ✶

Pr❡s❡♥t❛t✐♦♥ ❲✐❙❤▼❛st❡r ❝♦♠❡s ✇✐t❤ ❛ ❢❡✇ st❛♥❞❛r❞ ♠♦❞✉❧❡s ❂ ♠♦❞✉❧❡s t❤❛t ❡①♣♦s❡ s♦♠❡ ❢✉♥❝t✐♦♥s ❢r❡q✉❡♥t❧② ✉s❡❞ ❜② ♦t❤❡r ♠♦❞✉❧❡s ▼♦❞✉❧❡ ✏▲♦❣✑ ❊①♣♦s❡s ❛ ❢✉♥❝t✐♦♥ ✏Pr✐♥t▼s❣✑ ✇❤✐❝❤ ❛❧❧♦✇s t❤❡ ♣r✐♥t ♦❢ ❢♦r♠❛tt❡❞ ♠❡ss❛❣❡s ▼♦❞✉❧❡ ✏■♥✐t❙❤✑ ❊①♣♦s❡s ❛❧❧ t❤❡ ❢✉♥❝t✐♦♥s ♥❡❡❞❡❞ t♦ ✐♥✐t✐❛❧✐s❡ ❛ s❤❡❧❧❝♦❞❡ ✭♥♦t❛❜❧② ■♥✐t✐❛❧✐s❡❙❤❡❧❧❝♦❞❡ ❛♥❞ ●❡tPr♦❝❆❞❞r❡ss❇②❈❦s✉♠■♥❉❧❧✮

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✻ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❙t❛♥❞❛r❞ ♠♦❞✉❧❡s ✲ ✶

Pr❡s❡♥t❛t✐♦♥ ❲✐❙❤▼❛st❡r ❝♦♠❡s ✇✐t❤ ❛ ❢❡✇ st❛♥❞❛r❞ ♠♦❞✉❧❡s ❂ ♠♦❞✉❧❡s t❤❛t ❡①♣♦s❡ s♦♠❡ ❢✉♥❝t✐♦♥s ❢r❡q✉❡♥t❧② ✉s❡❞ ❜② ♦t❤❡r ♠♦❞✉❧❡s ▼♦❞✉❧❡ ✏▲♦❣✑ ❊①♣♦s❡s ❛ ❢✉♥❝t✐♦♥ ✏Pr✐♥t▼s❣✑ ✇❤✐❝❤ ❛❧❧♦✇s t❤❡ ♣r✐♥t ♦❢ ❢♦r♠❛tt❡❞ ♠❡ss❛❣❡s ▼♦❞✉❧❡ ✏■♥✐t❙❤✑ ❊①♣♦s❡s ❛❧❧ t❤❡ ❢✉♥❝t✐♦♥s ♥❡❡❞❡❞ t♦ ✐♥✐t✐❛❧✐s❡ ❛ s❤❡❧❧❝♦❞❡ ✭♥♦t❛❜❧② ■♥✐t✐❛❧✐s❡❙❤❡❧❧❝♦❞❡ ❛♥❞ ●❡tPr♦❝❆❞❞r❡ss❇②❈❦s✉♠■♥❉❧❧✮

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✻ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❙t❛♥❞❛r❞ ♠♦❞✉❧❡s ✲ ✶

Pr❡s❡♥t❛t✐♦♥ ❲✐❙❤▼❛st❡r ❝♦♠❡s ✇✐t❤ ❛ ❢❡✇ st❛♥❞❛r❞ ♠♦❞✉❧❡s ❂ ♠♦❞✉❧❡s t❤❛t ❡①♣♦s❡ s♦♠❡ ❢✉♥❝t✐♦♥s ❢r❡q✉❡♥t❧② ✉s❡❞ ❜② ♦t❤❡r ♠♦❞✉❧❡s ▼♦❞✉❧❡ ✏▲♦❣✑ ❊①♣♦s❡s ❛ ❢✉♥❝t✐♦♥ ✏Pr✐♥t▼s❣✑ ✇❤✐❝❤ ❛❧❧♦✇s t❤❡ ♣r✐♥t ♦❢ ❢♦r♠❛tt❡❞ ♠❡ss❛❣❡s ▼♦❞✉❧❡ ✏■♥✐t❙❤✑ ❊①♣♦s❡s ❛❧❧ t❤❡ ❢✉♥❝t✐♦♥s ♥❡❡❞❡❞ t♦ ✐♥✐t✐❛❧✐s❡ ❛ s❤❡❧❧❝♦❞❡ ✭♥♦t❛❜❧② ■♥✐t✐❛❧✐s❡❙❤❡❧❧❝♦❞❡ ❛♥❞ ●❡tPr♦❝❆❞❞r❡ss❇②❈❦s✉♠■♥❉❧❧✮

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✻ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❙t❛♥❞❛r❞ ♠♦❞✉❧❡s ✲ ✷

▼♦❞✉❧❡ ✏▲♦❛❞❡r✑ ▼❛♥❛❣❡s ❛ s❡t ♦❢ ♠♦❞✉❧❡s ❊①♣♦s❡s ❛ ❢✉♥❝t✐♦♥ ✏❆❞❞▼♦❞✉❧❡❚♦▲♦❛❞✑✿ ❤❛♥❞❧❡s ❛❧❧ t❤❡ ❧♦❛❞ ❛♥❞ t❤❡ ✐♥✐t✐❛❧✐s❛t✐♦♥ ♦❢ ❛ ♠♦❞✉❧❡ ✭❞❧❧✱ s❤❡❧❧❝♦❞❡✱ ❡①❡❝✉t❛❜❧❡✮✿

❧♦❛❞s t❤❡ ♠♦❞✉❧❡ ✐♥ ♠❡♠♦r② ❞❡❝r②♣ts t❤❡ ♠♦❞✉❧❡ ✐❢ t❤✐s ♦♥❡ ✐s ❛♥ ❡♥❝r②♣t❡❞ s❤❡❧❧❝♦❞❡ r❡s♦❧✈❡s ❛❧❧ ✐♠♣♦rt❡❞ s②♠❜♦❧s ✭❢r♦♠ st❛♥❞❛r❞ ❧✐❜r❛r✐❡s ♦r ♦t❤❡r ♠♦❞✉❧❡s✮ ❝❛❧❧s t❤❡ ❡♥tr② ♣♦✐♥t

◆♦t❡✿ ✏▲♦❛❞❡r✑ ✐♥❧✐♥❡s ✏■♥✐t❙❤✑

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✼ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❙❤❡❧❧❝♦❞❡ ❡♥❝r②♣t✐♦♥ ✲ ❚✇♦ ❦✐♥❞s ♦❢ ❡♥❝r②♣t✐♦♥✳ ✳ ✳

✏▲♦❛❞❡r✑ ❝❛♥ ❤❛♥❞❧❡ s❤❡❧❧❝♦❞❡s ❡♥❝r②♣t❡❞ ✐♥ ❆❊❙✲❈❇❈ ✇✐t❤ ❛ ✷✺✻✲❜✐ts ❦❡② ❚✇♦ ❦✐♥❞s ♦❢ ❡♥❝r②♣t✐♦♥✿

❖♥❡ s❡❝r❡t ❦❡②✿ ❛❧❧ ♠♦❞✉❧❡s ❛r❡ ❡♥❝r②♣t❡❞ ✇✐t❤ ❛ s❡❝r❡t ❦❡② st♦r❡❞ ✐♥ ✏▲♦❛❞❡r✑ ❙❤❛r❡❞ s❡❝r❡t ❦❡②

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✽ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❙❤❡❧❧❝♦❞❡ ❡♥❝r②♣t✐♦♥ ✲ Pr✐♥❝✐♣❧❡ ♦❢ s❤❛r❡❞ s❡❝r❡t ❦❡②

❋♦❧❧♦✇✐♥❣ ❛❧❣♦r✐t❤♠ ✐s ✉s❡❞✿

❡❛❝❤ ♠♦❞✉❧❡ ❤❛s ❛ ✷✺✻✲❜✐ts ♣r✐✈❛t❡ ❦❡② t❤❡ s❤❛r❡❞ ❦❡② ✐s t❤❡ s✉♠ ❜②t❡ t♦ ❜②t❡ ♦❢ ❛❧❧ ♣r✐✈❛t❡ ❦❡②s ❛❧❧ ♠♦❞✉❧❡s ❛r❡ ❡♥❝r②♣t❡❞ ✇✐t❤ t❤❡ ✜♥❛❧ s❤❛r❡❞ ❦❡② ❛❧❧ ♠♦❞✉❧❡s ❝♦♥t❛✐♥ t❤❡✐r ♦✇♥ ♣r✐✈❛t❡ ❦❡② ✭✐♥ ❝❧❡❛r✮

❆❧❧ ♠♦❞✉❧❡s ❛r❡ r❡q✉✐r❡❞ t♦ ❝♦♠♣✉t❡ s❤❛r❡❞ ❦❡② ❍❛✈✐♥❣ ◆✲✶ ♣r✐✈❛t❡ ❦❡②s ❞♦❡s ♥♦t ❣✐✈❡ ❛♥② ✐♥❢♦r♠❛t✐♦♥ ♦♥ s❤❛r❡❞ ❦❡②

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✾✾ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

P❧❛♥

✶

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

✸

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

✹

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

✺

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

✻

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

✼

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

✽

❈♦♥❝❧✉s✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✵ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

P❧❛♥ ❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ✖ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✶ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ✲ ✶

✏❘✈❙❤❡❧❧✑ ✐s ❛ s✐♠♣❧❡ r❡✈❡rs❡ s❤❡❧❧✿ ❜❛❝❦❞♦♦r t❤❛t ❡st❛❜❧✐s❤❡s ❛ ❝♦♥♥❡❝t✐♦♥ ❜❡t✇❡❡♥ ❛ ✏❝♠❞✑ ♣r♦❝❡ss ❛♥❞ ❛ r❡♠♦t❡ s❡r✈❡r ❇❛❝❦❞♦♦r ❝♦♠♣♦✉♥❞❡❞ ♦❢ t✇♦ ❧❛②❡rs✿

t❤❡ ♥❡t✇♦r❦ ❧❛②❡r t❤❛t ❡st❛❜❧✐s❤❡s t❤❡ ❝♦♠♠✉♥✐❝❛t✐♦♥ ✇✐t❤ t❤❡ s❡r✈❡r t❤❡ ❛♣♣❧✐❝❛t✐♦♥ ❧❛②❡r t❤❛t ❝r❡❛t❡s t❤❡ ✏❝♠❞✑ ♣r♦❝❡ss ❛♥❞ ✉s❡s t❤❡ s❡r✈✐❝❡s ❡①♣♦s❡❞ ❜② t❤❡ ♥❡t✇♦r❦ ❧❛②❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✷ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ✲ ✷

Memory Hard drive Firewall Attacker Server

❋✐❣✉r❡✿ ❲♦r❦✐♥❣ ♣r✐♥❝✐♣❧❡ ♦❢ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ✲ ✷

Memory Hard drive Firewall Attacker Server RvShell started on server "RvShell" is 1

❋✐❣✉r❡✿ ❲♦r❦✐♥❣ ♣r✐♥❝✐♣❧❡ ♦❢ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✹ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ✲ ✷

Memory Hard drive Firewall Attacker Server RvShell NETCAT "RvShell" connects on 2 attacker’s computer

❋✐❣✉r❡✿ ❲♦r❦✐♥❣ ♣r✐♥❝✐♣❧❡ ♦❢ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✺ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ✲ ✷

Memory Hard drive Firewall Attacker Server RvShell NETCAT CMD with stdin/stdout redirected in socket 3 "RvShell" spawns a hidden cmd process

❋✐❣✉r❡✿ ❲♦r❦✐♥❣ ♣r✐♥❝✐♣❧❡ ♦❢ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✻ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

❚✇♦ ♠♦❞✉❧❡s ❤❛✈❡ ❜❡❡♥ ❞❡✈❡❧♦♣❡❞✿ ✏◆t❙t❛❝❦❙♠♣❧✑ ✐♠♣❧❡♠❡♥ts t❤❡ ♥❡t✇♦r❦ ❧❛②❡r ❛♥❞ ❡①♣♦rts t✇♦ ❢✉♥❝t✐♦♥s✿

BOOL OpenConnection(IN UINT uiServerAddressNt, IN USHORT usServerPortNt, OUT SOCKET * pSock); BOOL CloseConnection(IN SOCKET sock);

✏❘✈❙❤❡❧❧✑ ✐♠♣❧❡♠❡♥ts t❤❡ ❛♣♣❧✐❝❛t✐♦♥ ❧❛②❡r✿

❞♦❡s ♥♦t ❡①♣♦rt ❛♥② ❢✉♥❝t✐♦♥ ❤❛s ❛♥ ❡♥tr② ♣♦✐♥t✱ t❤❡ ❢✉♥❝t✐♦♥ ✏❊①❡❝✉t❡❙❤❡❧❧✑✿

✉s❡s ✏❖♣❡♥❈♦♥♥❡❝t✐♦♥✑ t♦ ♦♣❡♥ ❛ ❚❈P ❝♦♥♥❡❝t✐♦♥ ♦♥ t❤❡ s❡r✈❡r ❝r❡❛t❡s t❤❡ ✏❝♠❞✑ ♣r♦❝❡ss

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✼ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

• ❡♥❡r❛t✐♥❣ ❘✈❙❤❡❧❧ ❛s ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ✶

Configuration file used to generate RvShell as an executable <solution> <module name="rvshell" config="rvshell/rvshell.cfg" input_type="code" specific_config="" output_type="exe"/> <module name="ntstacksmpl" config="ntstacksmpl/ntstacksmpl.cfg" specific_config="" input_type="code" output_type="inline" inline_destination="rvshell"/> <module name="log" config="log/log.cfg" specific_config="" input_type="code"

• utput_type="inline" inline_destination="rvshell"/>

</solution> ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✽ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

• ❡♥❡r❛t✐♥❣ ❘✈❙❤❡❧❧ ❛s ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ✷

RvShell.cpp ExecuteShell RvShell.exe

NtStackSmpl.cpp

OpenConnection ExecuteShell PrintMsg CloseConnection CloseConnection PrintMsg OpenConnection PrintMsg CloseConnection PrintMsg OpenConnection Log.cpp

❋✐❣✉r❡✿ ❘❡s✉❧t ♦❢ t❤❡ ❝r❡❛t✐♦♥ ♦❢ t❤❡ r❡✈❡rs❡ s❤❡❧❧ ❛s ❛♥ ❡①❡❝✉t❛❜❧❡

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✵✾ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

• ❡♥❡r❛t✐♥❣ ❛ ♣♦❧②♠♦r♣❤✐❝ ❘✈❙❤❡❧❧ ✲ ✶

✏❘✈❙❤❡❧❧✑ ✐s ❣❡♥❡r❛t❡❞ ❛s ❛ s❤❡❧❧❝♦❞❡ ❛♥❞ t❤❡♥ ✐♥❝❧✉❞❡❞ ✐♥ ❛♥ ❡①❡❝✉t❛❜❧❡ t❤❛t ❞❡❝r②♣ts ❘✈❙❤❡❧❧ ❛♥❞ ❥✉♠♣s ♦♥ ✐t

Configuration file used to generate RvShell as a shellcode <solution> <module name="rvshell" config="rvshell/rvshell.cfg" specific_config="" input_type="code" output_type="="shellcode"/> <module name="ntstacksmpl" config="ntstacksmpl/ntstacksmpl.cfg" specific_config="" input_type="code" output_type="="inline" inline_destination="="rvshell"/> <module name="initsh" config="initsh/initsh.cfg" specific_config=""

• utput_type="="inline" inline_destination="="rvshell"/>

<module name="log" config="log/log.cfg" specific_config="" input_type="code"

• utput_type="="inline" inline_destination="="rvshell" />

</solution> ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✵ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

• ❡♥❡r❛t✐♥❣ ❛ ♣♦❧②♠♦r♣❤✐❝ ❘✈❙❤❡❧❧ ✲ ✷

RvShell.exe RvShell.cpp OpenConnection ExecuteShell OpenConnection CloseConnection PrintMsg OpenConnection CloseConnection PrintMsg Log.cpp PrintMsg Log.cpp InitShellcode GetProcAddr... PrintMsg ExecuteShell OpenConnection CloseConnection PrintMsg GetProcAddr... InitShellcode RvShell.bin Decryption loop RvShell.bin CloseConnection ExecuteShell GetProcAddr... InitShellcode PrintMsg

NtStackSmpl.cpp

❋✐❣✉r❡✿ ❘❡s✉❧t ♦❢ t❤❡ ❝r❡❛t✐♦♥ ♦❢ ❛ ♣♦❧②♠♦r♣❤✐❝ r❡✈❡rs❡ s❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✶ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

P❧❛♥ ❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ✖ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✷ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❈♦♥t❡①t

❖❜❥❡❝t✐✈❡ ❚❛❦❡ ❝♦♥tr♦❧ ♦❢ ❛ t❛r❣❡t❡❞ ❝♦♠♣✉t❡r ✇✐t❤ ❛ ❜❛❝❦❞♦♦r ✭r❡✈❡rs❡ s❤❡❧❧✮ ❈♦♥t❡①t ♦❢ t❤❡ ❛tt❛❝❦ ▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ♠✉st ❜❡ ♣r♦t❡❝t❡❞ ❛❣❛✐♥st ❢♦r❡♥s✐❝ ❛♥❛❧②s✐s✿ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s tr❛♥s❢❡rr❡❞ ❛❢t❡r ❡♥❝r②♣t✐♦♥ ♦♥ t❛r❣❡t❡❞ ❝♦♠♣✉t❡r ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ❞❡❝r②♣t❡❞ ♦♥❧② ✐♥ ♠❡♠♦r② ❞❡❝r②♣t✐♦♥ ❝♦❞❡ ✐s ✐♥tr♦❞✉❝❡❞ ❜② ❛♥♦t❤❡r ✇❛②

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❈♦♥t❡①t

❖❜❥❡❝t✐✈❡ ❚❛❦❡ ❝♦♥tr♦❧ ♦❢ ❛ t❛r❣❡t❡❞ ❝♦♠♣✉t❡r ✇✐t❤ ❛ ❜❛❝❦❞♦♦r ✭r❡✈❡rs❡ s❤❡❧❧✮ ❈♦♥t❡①t ♦❢ t❤❡ ❛tt❛❝❦ ▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ♠✉st ❜❡ ♣r♦t❡❝t❡❞ ❛❣❛✐♥st ❢♦r❡♥s✐❝ ❛♥❛❧②s✐s✿ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s tr❛♥s❢❡rr❡❞ ❛❢t❡r ❡♥❝r②♣t✐♦♥ ♦♥ t❛r❣❡t❡❞ ❝♦♠♣✉t❡r ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ❞❡❝r②♣t❡❞ ♦♥❧② ✐♥ ♠❡♠♦r② ❞❡❝r②♣t✐♦♥ ❝♦❞❡ ✐s ✐♥tr♦❞✉❝❡❞ ❜② ❛♥♦t❤❡r ✇❛②

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

MyEditor.exe XOR / 32−bits keys Decryption Loader Attacker generates a Trojan that contains "Loader" (XOR encryption) 1

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✹ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl Attacker generates shellcodes "RvShell" and "NtStackSmpl" (AES encryption) 2

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✺ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✻ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader to targeted user 3 Attacker sends Trojan

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✼ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader MyEditor.exe Decryption Loader 4 User starts "MyEditor"

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✽ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader MyEditor.exe Decryption Loader

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✶✾ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader MyEditor.exe Decryption Loader Loader 5 "Loader" is decrypted and executed User uses to trapped functionnality

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✵ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader MyEditor.exe Decryption Loader Loader Firefox.exe instance of default browser "Loader" starts a hidden 6

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✶ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader MyEditor.exe Decryption Loader Loader Firefox.exe Loader "Loader" injects itself 7 in the hidden instance

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✷ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader Firefox.exe Loader stays in browser, waiting for USB key 8 "MyEditor" may be closed. "Loader"

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

USB key Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader Firefox.exe Loader Attacker puts "RvShell" and "NtStackSmpl" on a USB key 9

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✹ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

USB key Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader Firefox.exe Loader USB key NtStackSmpl RvShell the USB key in their computer 10 Attacker asks the user to plug in

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✺ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

USB key Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader Firefox.exe Loader USB key NtStackSmpl RvShell NtStackSmpl RvShell 11 "Loader" detects plug, finds the modules loads, decrypts and executes them

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✻ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦

USB key Hard drive Memory MyEditor.exe XOR / 32−bits keys Decryption Loader AES−CBC / 256−bits key RvShell NtStackSmpl MyEditor.exe Decryption Loader Firefox.exe Loader USB key NtStackSmpl RvShell NtStackSmpl RvShell CMD NETCAT remote cmd access to attacker 12 "RvShell" connects back and gives a

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✼ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ s❡❝r❡t ❦❡②s

key_generator.py

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❣❡♥❡r❛t✐♦♥ ♦❢ ✷✺✻✲❜✐ts ❦❡②s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✽ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ s❡❝r❡t ❦❡②s

key_generator.py RANDOM NtStackSmpl.key

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❣❡♥❡r❛t✐♦♥ ♦❢ ✷✺✻✲❜✐ts ❦❡②s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✷✾ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ s❡❝r❡t ❦❡②s

key_generator.py NtStackSmpl.key RANDOM RvShell.key

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❣❡♥❡r❛t✐♦♥ ♦❢ ✷✺✻✲❜✐ts ❦❡②s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✵ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ s❡❝r❡t ❦❡②s

key_generator.py NtStackSmpl.key RvShell.key RANDOM Loader.key

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❣❡♥❡r❛t✐♦♥ ♦❢ ✷✺✻✲❜✐ts ❦❡②s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✶ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ s❡❝r❡t ❦❡②s

key_generator.py NtStackSmpl.key RvShell.key Loader.key ADDITION Shared.key

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ ❣❡♥❡r❛t✐♦♥ ♦❢ ✷✺✻✲❜✐ts ❦❡②s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✷ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ❦❡② ❣❡♥❡r❛t✐♦♥

❱✐❞❡♦ ✏r✈s❤❡❧❧❴✶❴❣❡♥❦❡②✳❛✈✐✑✿ ❣❡♥❡r❛t✐♦♥ ♦❢ ❡♥❝r②♣t✐♦♥ ❦❡②s

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ▲♦❛❞❡r

SearchModInDir.cpp

Log.cpp Loader.cpp InitSh.cpp DetectUsbKey.cpp

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ▲♦❛❞❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✹ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ▲♦❛❞❡r

SearchModInDir.cpp

Log.cpp Loader.cpp InitSh.cpp DetectUsbKey.cpp InitSh DetectUsbKey Loader inlined in Loader Shellcodisation inlined in Loader inlined in Loader Log SearchModInDir inlined in Loader

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ▲♦❛❞❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✺ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ▲♦❛❞❡r

SearchModInDir.cpp

Log.cpp Loader.cpp InitSh.cpp DetectUsbKey.cpp InitSh DetectUsbKey Loader inlined in Loader Shellcodisation inlined in Loader inlined in Loader Log SearchModInDir inlined in Loader InitSh Customization: Log Patch secret key Loader SearchModInDir DetectUsbKey

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ▲♦❛❞❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✻ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ❣❡♥❡r❛t✐♦♥ ♦❢ ❝✉st♦♠✐③❡❞ ❧♦❛❞❡r

✈✐❞❡♦ ✏r✈s❤❡❧❧❴✷❴❣❡♥❧♦❛❞❡r✳❛✈✐✑✿ ❣❡♥❡r❛t✐♦♥ ♦❢ ❝✉st♦♠✐③❡❞ ❧♦❛❞❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✼ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ❛♥❞ ◆t❙t❛❝❦❙♠♣❧

NtStackSmpl.cpp RvShell.cpp

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ❛♥❞ ◆t❙t❛❝❦❙♠♣❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✽ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ❛♥❞ ◆t❙t❛❝❦❙♠♣❧

NtStackSmpl.cpp RvShell.cpp NtStackSmpl.bin RvShell.bin Shellcodisation Shellcodisation

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ❛♥❞ ◆t❙t❛❝❦❙♠♣❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✸✾ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ❛♥❞ ◆t❙t❛❝❦❙♠♣❧

NtStackSmpl.cpp RvShell.cpp NtStackSmpl.bin RvShell.bin Shellcodisation Shellcodisation Customization: Patch IP/port IP address / port RvShell.bin

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ❛♥❞ ◆t❙t❛❝❦❙♠♣❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✵ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ❛♥❞ ◆t❙t❛❝❦❙♠♣❧

NtStackSmpl.cpp RvShell.cpp NtStackSmpl.bin RvShell.bin Shellcodisation Shellcodisation Customization: Patch IP/port IP address / port RvShell.bin Customization: AES encryption Customization: RvShell.bin AES encryption NtStackSmpl.bin

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ❘✈❙❤❡❧❧ ❛♥❞ ◆t❙t❛❝❦❙♠♣❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✶ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ❣❡♥❡r❛t✐♦♥ ♦❢ s❤❡❧❧❝♦❞❡ ❘✈❙❤❡❧❧

✈✐❞❡♦ ✏r✈s❤❡❧❧❴✸❴❣❡♥r✈s❤❡❧❧✳❛✈✐✑✿ ❣❡♥❡r❛t✐♦♥ ♦❢ s❤❡❧❧❝♦❞❡ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✷ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ■♥❥❡❝t❡r

Injecter.cpp InitSh.cpp Log.cpp

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ■♥❥❡❝t❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ■♥❥❡❝t❡r

Injecter.cpp InitSh.cpp Log.cpp Log InitSh inlined in Loader inlined in Loader Shellcodisation Injecter

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ■♥❥❡❝t❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✹ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ■♥❥❡❝t❡r

Injecter.cpp InitSh.cpp Log.cpp Log InitSh inlined in Loader inlined in Loader Shellcodisation Injecter SearchModInDir Customization: DetectUsbKey InitSh InitSh Log Log Add shellcode to inject Loader DetectUsbKey SearchModInDir InitSh Log Injecter Loader

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ■♥❥❡❝t❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✺ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ ■♥❥❡❝t❡r

Injecter.cpp InitSh.cpp Log.cpp Log InitSh inlined in Loader inlined in Loader Shellcodisation Injecter SearchModInDir Customization: DetectUsbKey InitSh InitSh Log Log Add shellcode to inject Loader DetectUsbKey SearchModInDir InitSh Log Injecter Loader Log Loader SearchModInDir Customization: Injecter InitSh DetectUsbKey XOR encryption InitSh Log

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ ■♥❥❡❝t❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✻ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ❣❡♥❡r❛t✐♦♥ ♦❢ ✐♥❥❡❝t❡r

✈✐❞❡♦ ✏r✈s❤❡❧❧❴✹❴❣❡♥✐♥❥❡❝t❡r✳❛✈✐✑✿ ❣❡♥❡r❛t✐♦♥ ♦❢ ✐♥❥❡❝t❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✼ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ t❤❡ ❚r♦❥❛♥

Header Section 1 Section 2 ... Section n Injecter MyEditor.exe

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ t❤❡ ❚r♦❥❛♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✽ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ t❤❡ ❚r♦❥❛♥

Header Section 1 Section 2 ... Section n Injecter MyEditor.exe Infector.exe Section n ... Section 2 Section 1 Decryption Injecter Header MyEditor.exe

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ t❤❡ ❚r♦❥❛♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✹✾ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ●❡♥❡r❛t✐♦♥ ♦❢ t❤❡ ❚r♦❥❛♥

Header Section 1 Section 2 ... Section n Injecter MyEditor.exe Infector.exe Section n ... Section 2 Section 1 Decryption Injecter Header MyEditor.exe

❋✐❣✉r❡✿ ●❡♥❡r❛t✐♦♥ ♦❢ t❤❡ ❚r♦❥❛♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✵ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

Pr❡♣❛r✐♥❣ ❛tt❛❝❦ ✲ ❣❡♥❡r❛t✐♦♥ ♦❢ t❤❡ ❚r♦❥❛♥

✈✐❞❡♦ ✏r✈s❤❡❧❧❴✺❴❣❡♥tr♦❥❛♥✳❛✈✐✑✿ ❣❡♥❡r❛t✐♦♥ ♦❢ t❤❡ ❚r♦❥❛♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✶ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❆tt❛❝❦ ✲ ❡①❡❝✉t✐♦♥ ♦❢ ❚r♦❥❛♥

✈✐❞❡♦ ✏r✈s❤❡❧❧❴✻❴❡①❡❝✉t❡tr♦❥❛♥✳❛✈✐✑✿ ❡①❡❝✉t✐♦♥ ♦❢ ❚r♦❥❛♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✷ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❆tt❛❝❦ ✲ ❡①❡❝✉t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

✈✐❞❡♦ ✏r✈s❤❡❧❧❴✼❴❡①❡❝✉t❡r✈s❤❡❧❧✳❛✈✐✑✿ ❡①❡❝✉t✐♦♥ ♦❢ ❘✈❙❤❡❧❧

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ❙✐♠✉❧❛t✐♦♥ ♦❢ ❛♥ ❛tt❛❝❦ ✇✐t❤ ❘✈❙❤❡❧❧

❆tt❛❝❦ ✲ s✉♠♠❛r②

❚❡❝❤♥✐q✉❡s ✉s❡❞ ❞✉r✐♥❣ t❤✐s ❛tt❛❝❦✿ ❊♥❝r②♣t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞✿

✏■♥❥❡❝t❡r✑ ✐♥ ✏▼②❊❞✐t♦r✑✿ ♣♦❧②♠♦r♣❤✐s♠ ✏◆t❙t❛❝❦❙♠♣❧✑ ❛♥❞ ✏❘✈❙❤❡❧❧✑✿ s❤❛r❡❞ s❡❝r❡t

❊①❡❝✉t✐♦♥ ♦♥❧② ✐♥ ♠❡♠♦r② ✿ ✏◆t❙t❛❝❦❙♠♣❧✑ ❛♥❞ ✏❘✈❙❤❡❧❧✑ ❧♦❛❞❡❞ ❢r♦♠ ❯❙❇ ❦❡② ❛♥❞ ❞❡❝r②♣t❡❞ ✐♥ ♠❡♠♦r② ❈♦❞❡ ✐♥❥❡❝t✐♦♥✿ ✏▲♦❛❞❡r✑ ❡①❡❝✉t❡❞ ✐♥ ❛ ❤✐❞❞❡♥ ♣r♦❝❡ss ❊①❡❝✉t❛❜❧❡ ✐♥❢❡❝t✐♦♥✿ ❚r♦❥❛♥ ❝r❡❛t❡❞ ❢r♦♠ ✏▼②❊❞✐t♦r✑

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✹ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

P❧❛♥

✶

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

✸

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

✹

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

✺

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

✻

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

✼

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

✽

❈♦♥❝❧✉s✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✺ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

❈♦♥t❡①t

❖❜❥❡❝t✐✈❡ ❚❛❦❡ ❝♦♥tr♦❧ ♦❢ ❛ ✇❡❜ s❡r✈❡r❀ st❡❛❧ ✉s❡r♥❛♠❡✴♣❛ss✇♦r❞ ♦❢ ✇❡❜ s✐t❡ ✉s❡rs ❉❡s❝r✐♣t✐♦♥ ♦❢ t❤❡ t❛r❣❡t ❲✐♥❞♦✇s ✷✵✵✸ ❚✇♦ s❡r✈✐❝❡s✿

❆♣❛❝❤❡ ✇✐t❤ ❛ ♣❤♣❜❜ ✭t❛r❣❡t✮ ❋❚P s❡r✈❡r ✉s❡❞ t♦ ✉♣❞❛t❡ ✇❡❜ s✐t❡

❙❡r✈❡r ♣r♦t❡❝t❡❞ ❜② ❛ ✜r❡✇❛❧❧ ✭❛❧❧♦✇s ♦♥❧② ✐♥❝♦♠✐♥❣ ❍❚❚P✴❋❚P✮ ❈♦♥t❡①t ♦❢ t❤❡ ❛tt❛❝❦ ❆tt❛❝❦❡r ❢♦✉♥❞ ❛ ✈❛❧✐❞ ✉s❡r✴♣❛ss ❢♦r ❋❚P s❡r✈❡r ❋✐❧❡ s②st❡♠ r❡❣✉❧❛r❧② ❝❤❡❝❦❡❞ ✐♠♣♦ss✐❜❧❡ t♦ ❧❡❛✈❡ ❛ ❜❛❝❦❞♦♦r ♦♥ s②st❡♠ ❛tt❛❝❦❡r ❞❡❝✐❞❡s t♦ ✉s❡ ❛ ♣❡rs♦♥❛❧ t♦♦❧✿ ✏❲❡❜❉♦♦r✑

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✻ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

❈♦♥t❡①t

❖❜❥❡❝t✐✈❡ ❚❛❦❡ ❝♦♥tr♦❧ ♦❢ ❛ ✇❡❜ s❡r✈❡r❀ st❡❛❧ ✉s❡r♥❛♠❡✴♣❛ss✇♦r❞ ♦❢ ✇❡❜ s✐t❡ ✉s❡rs ❉❡s❝r✐♣t✐♦♥ ♦❢ t❤❡ t❛r❣❡t ❲✐♥❞♦✇s ✷✵✵✸ ❚✇♦ s❡r✈✐❝❡s✿

❆♣❛❝❤❡ ✇✐t❤ ❛ ♣❤♣❜❜ ✭t❛r❣❡t✮ ❋❚P s❡r✈❡r ✉s❡❞ t♦ ✉♣❞❛t❡ ✇❡❜ s✐t❡

❙❡r✈❡r ♣r♦t❡❝t❡❞ ❜② ❛ ✜r❡✇❛❧❧ ✭❛❧❧♦✇s ♦♥❧② ✐♥❝♦♠✐♥❣ ❍❚❚P✴❋❚P✮ ❈♦♥t❡①t ♦❢ t❤❡ ❛tt❛❝❦ ❆tt❛❝❦❡r ❢♦✉♥❞ ❛ ✈❛❧✐❞ ✉s❡r✴♣❛ss ❢♦r ❋❚P s❡r✈❡r ❋✐❧❡ s②st❡♠ r❡❣✉❧❛r❧② ❝❤❡❝❦❡❞ ✐♠♣♦ss✐❜❧❡ t♦ ❧❡❛✈❡ ❛ ❜❛❝❦❞♦♦r ♦♥ s②st❡♠ ❛tt❛❝❦❡r ❞❡❝✐❞❡s t♦ ✉s❡ ❛ ♣❡rs♦♥❛❧ t♦♦❧✿ ✏❲❡❜❉♦♦r✑

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✻ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

❈♦♥t❡①t

❖❜❥❡❝t✐✈❡ ❚❛❦❡ ❝♦♥tr♦❧ ♦❢ ❛ ✇❡❜ s❡r✈❡r❀ st❡❛❧ ✉s❡r♥❛♠❡✴♣❛ss✇♦r❞ ♦❢ ✇❡❜ s✐t❡ ✉s❡rs ❉❡s❝r✐♣t✐♦♥ ♦❢ t❤❡ t❛r❣❡t ❲✐♥❞♦✇s ✷✵✵✸ ❚✇♦ s❡r✈✐❝❡s✿

❆♣❛❝❤❡ ✇✐t❤ ❛ ♣❤♣❜❜ ✭t❛r❣❡t✮ ❋❚P s❡r✈❡r ✉s❡❞ t♦ ✉♣❞❛t❡ ✇❡❜ s✐t❡

❙❡r✈❡r ♣r♦t❡❝t❡❞ ❜② ❛ ✜r❡✇❛❧❧ ✭❛❧❧♦✇s ♦♥❧② ✐♥❝♦♠✐♥❣ ❍❚❚P✴❋❚P✮ ❈♦♥t❡①t ♦❢ t❤❡ ❛tt❛❝❦ ❆tt❛❝❦❡r ❢♦✉♥❞ ❛ ✈❛❧✐❞ ✉s❡r✴♣❛ss ❢♦r ❋❚P s❡r✈❡r ❋✐❧❡ s②st❡♠ r❡❣✉❧❛r❧② ❝❤❡❝❦❡❞ ⇒ ✐♠♣♦ss✐❜❧❡ t♦ ❧❡❛✈❡ ❛ ❜❛❝❦❞♦♦r ♦♥ s②st❡♠ ⇒ ❛tt❛❝❦❡r ❞❡❝✐❞❡s t♦ ✉s❡ ❛ ♣❡rs♦♥❛❧ t♦♦❧✿ ✏❲❡❜❉♦♦r✑

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✻ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr❡s❡♥t❛t✐♦♥ ♦❢ ❲❡❜❉♦♦r

❲❡❜❞♦♦r ❡①❡❝✉t❡s t❤❡ ❢♦❧❧♦✇✐♥❣ ❛❝t✐♦♥s✿ ❋✐♥❞s ❛ t❛r❣❡t❡❞ ♣r♦❝❡ss t❤❛t r❡♣r❡s❡♥ts ❛ ✇❡❜ s❡r✈❡r ■♥❥❡❝ts ❛ s❤❡❧❧❝♦❞❡ ✐♥ t❤✐s ♣r♦❝❡ss t❤❛t ✇✐❧❧ ✐♥st❛❧❧ ❛ ❤♦♦❦ ♦♥ ❢✉♥❝t✐♦♥ ✏❲❙❆❘❡❝✈✑ ❍♦♦❦ ❛♥❛❧②s❡s ❡✈❡r② ✇❡❜ r❡q✉❡st ❛♥❞ ❡①tr❛❝ts ♣❛r❛♠❡t❡rs✿

♣❛r❛♠❡t❡r ✏s❤❡❧❧✑ ⇒ ✐♥t❡r♣r❡t❡s ❝♦♠♠❛♥❞ ✐♥ ❛ ♠✐♥✐✲s❤❡❧❧ ❊①❛♠♣❧❡✿ ✏s❤❡❧❧❂❝♠❞✑ ❣✐✈❡s ❛❝❝❡ss t♦ ❛ r❡♠♦t❡ ❝♠❞ ♦♥ s❡r✈❡r ♦t❤❡r✇✐s❡ ❝♦♠♣❛r❡s ❡✈❡r② ♥❛♠❡ ♦❢ ♣❛r❛♠❡t❡r ✇✐t❤ ❧✐st ♦❢ ❦❡②✇♦r❞s t♦ ❞❡t❡❝t ✉s❡r♥❛♠❡✴♣❛ss✇♦r❞

❲❡❜ s❡r✈❡r ✇♦r❦ ♥♦t ❞✐sr✉♣t❡❞

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✼ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✽ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache FTP i.exe WebDoor WebDoor on server Attacker uploads 1

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✺✾ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache i.exe WebDoor WebDoor injects itself in Apache WebDoor is started and 2

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✵ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache WebDoor deleted from hard drive WebDoor can now be 3

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✶ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache WebDoor NETCAT CMD

GET /index.php?shell=cmd HTTP/1.0

HTTP cmd access 4 User gets remote

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✷ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache WebDoor NETCAT

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache WebDoor NETCAT HTTP BROWSER

POST /login.php HTTP/1.0 username=admin&password=rdp700!

5 Another user authenticate theirself on web site

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✹ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache WebDoor NETCAT HTTP BROWSER

POST /login.php HTTP/1.0 username=admin&password=rdp700!

rdp_700! admin WebDoor intercepts 6 username and password

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✺ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache WebDoor NETCAT BROWSER rdp_700! admin

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✻ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦

Memory Hard drive Firewall Attacker Server User Apache WebDoor NETCAT

GET /index.php?shell=get_pwd HTTP/1.0

HTTP BROWSER rdp_700! admin admin rdp_700! captured credentials 7 Attacker gets list of

❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✇❡❜ s❡r✈❡r ❛tt❛❝❦ ✇✐t❤ ❲❡❜❉♦♦r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✼ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

❉❡♠♦♥str❛t✐♦♥

❱✐❞❡♦ ✏✇❡❜❞♦♦r❴✶❴♣r❡s❡♥t❛t✐♦♥✳❛✈✐✑✿ q✉✐❝❦ ♣r❡s❡♥t❛t✐♦♥ ♦❢ ❛r❝❤✐t❡❝t✉r❡ ❱✐❞❡♦ ✏✇❡❜❞♦♦r❴✷❴❛tt❛❝❦✳❛✈✐✑✿ ❛tt❛❝❦ ♦❢ ✇❡❜ s❡r✈❡r ❱✐❞❡♦ ✏✇❡❜❞♦♦r❴✸❴st✐❧❧❴✇♦r❦✐♥❣✳❛✈✐✑✿ ✇❡❜ s❡r✈❡r ✇♦r❦ ♥♦t ❞✐sr✉♣t❡❞ ❱✐❞❡♦ ✏✇❡❜❞♦♦r❴✹❴❝♦♥tr♦❧✳❛✈✐✑✿ ❣❡tt✐♥❣ r❡♠♦t❡ ❝♠❞ ❛♥❞ st❡❛❧✐♥❣ ♣❛ss✇♦r❞

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✽ ✴ ✶✼✷

❈♦♥❝❧✉s✐♦♥

P❧❛♥

✶

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣②

✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡

✸

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧

✹

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st

✺

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

✻

❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧

✼

❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r

✽

❈♦♥❝❧✉s✐♦♥

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✻✾ ✴ ✶✼✷

❈♦♥❝❧✉s✐♦♥

❈♦♥❝❧✉s✐♦♥

❚❡❝❤♥✐q✉❡s ✐♠♣❧❡♠❡♥t❡❞ ✐♥ t♦♦❧s ✉s❡❞ ✐♥ t✇♦ ❛tt❛❝❦s ❛r❡ ✇❡❧❧✲❦♥♦✇♥ ■♥t❡r❡st✐♥❣ ♣♦✐♥t ✿ ❞❡✈❡❧♦♣❡❞ ✈❡r② q✉✐❝❦❧② ❊①❛♠♣❧❡✿ ✐♥t❡❣r❛t✐♦♥ ♦❢ t❤❡ ❆❊❙ ♦❢ P♦❧❛r❙❙▲ ✐♥ ✏▲♦❛❞❡r✑ ∼ ✷ ❤♦✉rs

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✼✵ ✴ ✶✼✷

❈♦♥❝❧✉s✐♦♥

❋✉t✉r❡ ✇♦r❦

❈♦♥t✐♥✉❡ ❞❡✈❡❧♦♣♠❡♥t ♦❢ ❲✐❙❤▼❛st❡r✿

▼❛✐♥ ♦❜❥❡❝t✐✈❡✿ ✐♠♣r♦✈❡ ❛♥❛❧②s✐s ♦❢ ❈ ❝♦❞❡ ❛♥❞ r❡♠♦✈❡ t❤❡ ❧❛t❡st ❝♦♥str❛✐♥ts ♦♥ t❤❡ ❝♦❞❡ ✐♠♣♦s❡❞ ❜② t❤❡ ♣❛rs✐♥❣ ✇✐t❤ r❡❣✉❧❛r ❡①♣r❡ss✐♦♥s ❊①❛♠♣❧❡✿ ✐♥t❡❣r❛t❡ ✏♣②❝♣❛rs❡r✑✿ ❈ ♣❛rs❡r ❛♥❞ ❛♥ ❆❙❚ ❣❡♥❡r❛t♦r

❙❤❡❧❧❝♦❞✐s❡ ✇❡❧❧✲❦♥♦✇♥ ❛♣♣❧✐❝❛t✐♦♥ ❧✐❦❡ ♥❡t❝❛t ⇒ ♣♦❧②♠♦r♣❤✐❝ ♥❡t❝❛t ❉❡✈❡❧♦♣ ♠♦r❡ ❢✉♥♥② ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r

❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✼✶ ✴ ✶✼✷

❈♦♥❝❧✉s✐♦♥

❚❤❛♥❦ ②♦✉ ❢♦r ②♦✉r ❛tt❡♥t✐♦♥✳ ✳ ✳

❆♥② q✉❡st✐♦♥s❄

❙❤❡❧❧❝♦❞✐s❛t✐♦♥ ✐s ♣❛✐♥❧❡ss✳ ◆♦ ❈ ❝♦❞❡ ✇❛s ❤❛r♠❡❞ ❞✉r✐♥❣ t❤✐s ♣r❡s❡♥t❛t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐♥❞♦✇s ❙❤❡❧❧❝♦❞❡ ▼❛st❡r② ✶✼✷ ✴ ✶✼✷