s str t - PowerPoint PPT Presentation

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❈♦♥t❡①t ❞❡✜♥✐t✐♦♥ ●❡♥❡r❛❧❧②✱ ♠❛❧✐❝✐♦✉s ❝♦❞❡s tr② t♦ ❞♦ s❡✈❡r❛❧ t❤✐♥❣s✿ st❛② ✉♥❞❡t❡❝t❡❞ ❜② ❛♥t✐✈✐r✉s❡s ♣r♦♣❛❣❛t❡ t♦ ♦t❤❡r ❤♦sts ♦r ❡①❡❝✉t❛❜❧❡s ❡①❡❝✉t❡ t❤❡✐r ♠❛❧✐❝✐♦✉s ❛❝t✐♦♥s ✭❡✳❣✳ ❝❛♣t✉r❡ s♦♠❡ ♣r✐✈❛t❡ ✉s❡r ❞❛t❛✱ ♦♣❡♥ ❛ ❜❛❝❦❞♦♦r ♦♥ t❤❡ s②st❡♠ ✳ ✳ ✳ ✮ ❯s❡ s♣❡❝✐❛❧ t❡❝❤♥✐q✉❡s✱ ♥♦t ❛❧✇❛②s ❡❛s② t♦ ✐♠♣❧❡♠❡♥t ▲❡t ✉s ✐❧❧✉str❛t❡ t❤✐s ✇✐t❤ ❛ ❢❡✇ s♣❡❝✐✜❝ t❡❝❤♥✐q✉❡s ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽ ✴ ✶✼✷

❖❜❥❡❝t✐✈❡ Pr♦t❡❝t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❛❣❛✐♥st ❛♥ ❛♥❛❧②s✐s ❈♦✉❧❞ ❜❡ ❛♥ ❛✉t♦♠❛t✐❝ ❛♥❛❧②s✐s ✭❛♥t✐✈✐r✉s✮ ♦r ❛ ♠❛♥✉❛❧ ❛♥❛❧②s✐s ✭❞✐s❛ss❡♠❜❧✐♥❣ ❝♦❞❡✮ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❊♥❝r②♣t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✲ Pr✐♥❝✐♣❧❡ ❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ♠❛❞❡ ✉♣ ♦❢ t✇♦ ♣❛rts✿ t❤❡ r❡❛❧ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✇❤✐❝❤ ✐s ❡♥❝r②♣t❡❞ ❛ ❞❡❝r②♣t✐♦♥ ♣❛rt ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❊♥❝r②♣t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✲ Pr✐♥❝✐♣❧❡ ❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ♠❛❞❡ ✉♣ ♦❢ t✇♦ ♣❛rts✿ t❤❡ r❡❛❧ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✇❤✐❝❤ ✐s ❡♥❝r②♣t❡❞ ❛ ❞❡❝r②♣t✐♦♥ ♣❛rt ❖❜❥❡❝t✐✈❡ Pr♦t❡❝t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❛❣❛✐♥st ❛♥ ❛♥❛❧②s✐s ❈♦✉❧❞ ❜❡ ❛♥ ❛✉t♦♠❛t✐❝ ❛♥❛❧②s✐s ✭❛♥t✐✈✐r✉s✮ ♦r ❛ ♠❛♥✉❛❧ ❛♥❛❧②s✐s ✭❞✐s❛ss❡♠❜❧✐♥❣ ❝♦❞❡✮ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❊♥❝r②♣t✐♦♥ ✲ ♣r♦t❡❝t✐♦♥ ❛❣❛✐♥st ❛✉t♦♠❛t✐❝ ❛♥❛❧②s✐s ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s s❝❛♥♥❡❞ ❜② ❛ t♦♦❧ t❤❛t ✇♦r❦s ✇✐t❤ s✐❣♥❛t✉r❡ ✐❞❡♥t✐✜❝❛t✐♦♥ ❊❛❝❤ ❝♦♣② ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ♠✉st ❜❡ ❞✐✛❡r❡♥t✿ ❞❡❝r②♣t✐♦♥ ♣❛rt ✐s tr❛♥s❢♦r♠❡❞ t❤r♦✉❣❤ ♠❡t❛♠♦r♣❤✐s♠ ❡♥❝r②♣t✐♦♥ ❦❡② ✐s ❝❤❛♥❣❡❞ ✐♥ ❡❛❝❤ ❝♦♣② ✭♣♦❧②♠♦r♣❤✐s♠✮ Decryption part Decryption part Decryption key 1 Decryption key 2 Encrypted Encrypted malicious malicious payload payload ❋✐❣✉r❡✿ ❚✇♦ ❝♦♣✐❡s ♦❢ t❤❡ s❛♠❡ ✈✐r✉s t❤❛t ✐♠♣❧❡♠❡♥ts ♣♦❧②♠♦r♣❤✐s♠ ◆♦t❡s✿ ❉❡❝r②♣t✐♦♥ ❦❡② ♠❛② ❜❡ st♦r❡❞ ✐♥ ❞❡❝r②♣t✐♦♥ ♣❛rt ❙✐♠♣❧❡ ❡♥❝r②♣t✐♦♥ ❛❧❣♦r✐t❤♠ ❧✐❦❡ ❛ ❳❖❘ ✇✐t❤ ✸✷✲❜✐ts ❦❡② ♠❛② ❜❡ ✉s❡❞ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❊♥❝r②♣t✐♦♥ ✲ ♣r♦t❡❝t✐♦♥ ❛❣❛✐♥st ♠❛♥✉❛❧ ❛♥❛❧②s✐s ❆✐♠✿ ✐❢ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ✐♥t❡r❝❡♣t❡❞ ❞✉r✐♥❣ ✐♥tr♦❞✉❝t✐♦♥ ♦♥ t❛r❣❡t❡❞ s②st❡♠✱ ✐t ❝❛♥♥♦t ❜❡ ❞✐s❛ss❡♠❜❧❡❞ ❛♥❞ ❛♥❛❧②s❡❞ ♠❛♥✉❛❧❧② ▲✐tt❧❡ ❞✐✛❡r❡♥❝❡s ✇✐t❤ ♣r❡✈✐♦✉s ❡♥❝r②♣t✐♦♥✿ str♦♥❣ ❡♥❝r②♣t✐♦♥ ❛❧❣♦r✐t❤♠ ❧✐❦❡ ❆❊❙ ♠✉st ❜❡ ✉s❡❞ ❞❡❝r②♣t✐♦♥ ❦❡② ♠✉st ♥♦t ❜❡ st♦r❡❞ ✐♥ ❡♥❝r②♣t❡❞ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✶ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ Memory Hard drive ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✷ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ Memory 1 "Decoder" is introduced on targeted system Decoder Hard drive ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✸ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ Memory 2 Encrypted malicious code is introduced on targeted system Encrypted Decoder malicious code Hard drive ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✹ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ Decoder 3 Memory "Decoder" is executed Encrypted Decoder malicious code Hard drive ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✺ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ Encrypted malicious code Decoder 4 "Decoder" loads encrypted Memory malicious code in memory Encrypted Decoder malicious code Hard drive ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ 5 "Decoder" decrypts malicious code in memory and executes it Encrypted Malicious code malicious code Decoder Memory Encrypted Decoder malicious code Hard drive ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❡♥❝r②♣t❡❞ ♠❛❧✇❛r❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✼ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❊♥❝r②♣t✐♦♥ ✲ ♣r♦t❡❝t✐♦♥ ❛❣❛✐♥st ♠❛♥✉❛❧ ❛♥❛❧②s✐s ❖❢ ❝♦✉rs❡✱ s❡✈❡r❛❧ ✇❛②s t♦ ❣❡t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ♦♥ ✐♥❢❡❝t❡❞ ❝♦♠♣✉t❡r ✭❞✉♠♣ t❤❡ ♠❡♠♦r②✱ ❡①tr❛❝t ❡♥❝r②♣t✐♦♥ ❦❡② ❛♥❞ ❞❡❝r②♣t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞✮ ❇✉t ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ♣r♦t❡❝t❡❞ ❞✉r✐♥❣ ✐♥tr♦❞✉❝t✐♦♥ ♦♥t♦ t❛r❣❡t❡❞ ❝♦♠♣✉t❡r✿ t✇♦ ♣❛rts ❛r❡ ✐♥tr♦❞✉❝❡❞ ✐♥ ❞✐✛❡r❡♥t ✇❛②s ❛t ❞✐✛❡r❡♥t t✐♠❡s ✐❢ ♦♥❡ ✐♥tr♦❞✉❝t✐♦♥ ❢❛✐❧s✱ ✇❡ ✇✐❧❧ ✐♥t❡r❝❡♣t✿ ❞❡❝r②♣t✐♦♥ ♣❛rt✿ t♦t❛❧❧② ❣❡♥❡r✐❝ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞✿ ❡♥❝r②♣t❡❞ ⇒ ❝❛♥♥♦t ❣❡t ❛♥② ✐♥❢♦r♠❛t✐♦♥ ♦♥ t❤❡ ❛tt❛❝❦ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✽ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❊♥❝r②♣t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ ❊♥❝r②♣t✐♦♥ ♦❢ ❡❛❝❤ ♣❛rt ♦❢ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐♥ ❡①❡❝✉t❛❜❧❡ ♥♦t ❛ ❣♦♦❞ s♦❧✉t✐♦♥✿ ❝♦♠♣❧✐❝❛t❡❞✿ ❛❧❧ ❜✐♥❛r② ❞❛t❛ ❝❤❛r❛❝t❡r✐st✐❝s ♦❢ t❤❡ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ♠✉st ❜❡ ❡♥❝r②♣t❡❞ ✭❢✉♥❝t✐♦♥s✱ ✐♥✐t✐❛❧✐s❡❞ ❞❛t❛ ❛♥❞ str✐♥❣s✮ ♥♦t ❡✣❝✐❡♥t✿ P❊ ♠❡t❛❞❛t❛s ❝❛♥♥♦t ❜❡ ❡♥❝r②♣t❡❞ ❇❡tt❡r s♦❧✉t✐♦♥✿ ❡♥❝r②♣t t❤❡ ✇❤♦❧❡ ❡①❡❝✉t❛❜❧❡ ∼ ❛ ♣❛❝❦❡r ❇✉t ❞❡✈❡❧♦♣✐♥❣ s✉❝❤ ❛ t♦♦❧ r❡q✉✐r❡❞ s♦♠❡ ✇♦r❦ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✶✾ ✴ ✶✼✷

❖❜❥❡❝t✐✈❡ ❈❛♥♥♦t ❜❡ ❞❡t❡❝t❡❞ ❜② ❧♦❝❛❧ ❛♥t✐✈✐r✉s ▲❡❛✈❡s ❢❡✇ tr❛❝❡s ♦♥ t❛r❣❡t❡❞ s②st❡♠ ❝♦♠♣❧✐❝❛t❡s ❛♥ ❡✈❡♥t✉❛❧ ❢♦r❡♥s✐❝ ❛♥❛❧②s✐s ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❊①❡❝✉t❡ ♦♥❧② ✐♥ ♠❡♠♦r② ✲ Pr✐♥❝✐♣❧❡ ❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ❛❜❧❡ t♦ ❡①❡❝✉t❡ ✇✐t❤♦✉t ❜❡✐♥❣ ❝♦♣✐❡❞ ♦♥ ❤❛r❞ ❞r✐✈❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❊①❡❝✉t❡ ♦♥❧② ✐♥ ♠❡♠♦r② ✲ Pr✐♥❝✐♣❧❡ ❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ❛❜❧❡ t♦ ❡①❡❝✉t❡ ✇✐t❤♦✉t ❜❡✐♥❣ ❝♦♣✐❡❞ ♦♥ ❤❛r❞ ❞r✐✈❡ ❖❜❥❡❝t✐✈❡ ❈❛♥♥♦t ❜❡ ❞❡t❡❝t❡❞ ❜② ❧♦❝❛❧ ❛♥t✐✈✐r✉s ▲❡❛✈❡s ❢❡✇ tr❛❝❡s ♦♥ t❛r❣❡t❡❞ s②st❡♠ ⇒ ❝♦♠♣❧✐❝❛t❡s ❛♥ ❡✈❡♥t✉❛❧ ❢♦r❡♥s✐❝ ❛♥❛❧②s✐s ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r② Memory Primergy Hard drive Attacker Server Firewall ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r② ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✶ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r② 1 "Loader" is running Loader on targeted server Memory Primergy Hard drive Attacker Server Firewall ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r② ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✷ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r② Loader Malicious code Memory Primergy Hard drive Attacker Server 2 "Loader" gets malicious payload from server Firewall ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r② ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✸ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r② 3 Loader "Loader" transfers execution on malicious payload Malicious code Memory Primergy Hard drive Attacker Server Firewall ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✇❛r❡ ♦♥❧② ✐♥ ♠❡♠♦r② ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✹ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❊①❡❝✉t❡ ♦♥❧② ✐♥ ♠❡♠♦r② ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ ❈♦♣②✐♥❣ ❡①❡❝✉t❛❜❧❡ ✐♥ ♠❡♠♦r② ❛♥❞ ❥✉♠♣✐♥❣ ♦♥ ❡♥tr② ♣♦✐♥t ❞♦❡s ♥♦t ✇♦r❦✿ s❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ♠✉st ❜❡ r❡s♦❧✈❡❞ ❆ ❢❡✇ tr✐❝❦s ❝❛♥ ❜❡ ✉s❡❞✿ ✉s❡ ✏♣r❛❣♠❛✑ ❞✐r❡❝t✐✈❡s t♦ ❣r♦✉♣ ❛❧❧ ❢✉♥❝t✐♦♥s✴❞❛t❛ ✐♥ ♦♥❡ s❡❝t✐♦♥ ♣❧❛② ✇✐t❤ ✏♣r❡❢❡rr❡❞ ❧♦❛❞ ❛❞❞r❡ss✑ s♦ t❤❛t s❡❝t✐♦♥ ✐s ♠❛♣♣❡❞ ✐♥ ❛ ♠❡♠♦r② s♣❛❝❡ ✏♥♦r♠❛❧❧②✑ ❢r❡❡ ✐♥ ♣r♦❝❡ss ✉s❡ ❞②♥❛♠✐❝ ❛❞❞r❡ss r❡s♦❧✉t✐♦♥ ⇒ P♦ss✐❜❧❡✳ ✳ ✳ ❜✉t r❛t❤❡r t❡❞✐♦✉s ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✺ ✴ ✶✼✷

❖❜❥❡❝t✐✈❡ ❈r❡❛t❡ ❛ ❚r♦❥❛♥ ❤♦rs❡❀ ❜❡❤❛✈✐♦✉r ♦❢ t❤❡ ♣r♦❣r❛♠ ♠✉st ♥♦t ❜❡ ❞✐sr✉♣t❡❞ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ Pr✐♥❝✐♣❧❡ ❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ❛❞❞❡❞ ✐♥t♦ ❛♥♦t❤❡r ❡①❡❝✉t❛❜❧❡ ❊①❡❝✉t✐♦♥ ✢♦✇ ♦❢ ✐♥❢❡❝t❡❞ ❡①❡❝✉t❛❜❧❡ ✐s ♠♦❞✐✜❡❞ t♦ ❡①❡❝✉t❡ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ Pr✐♥❝✐♣❧❡ ❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ✐s ❛❞❞❡❞ ✐♥t♦ ❛♥♦t❤❡r ❡①❡❝✉t❛❜❧❡ ❊①❡❝✉t✐♦♥ ✢♦✇ ♦❢ ✐♥❢❡❝t❡❞ ❡①❡❝✉t❛❜❧❡ ✐s ♠♦❞✐✜❡❞ t♦ ❡①❡❝✉t❡ ♠❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❖❜❥❡❝t✐✈❡ ❈r❡❛t❡ ❛ ❚r♦❥❛♥ ❤♦rs❡❀ ❜❡❤❛✈✐♦✉r ♦❢ t❤❡ ♣r♦❣r❛♠ ♠✉st ♥♦t ❜❡ ❞✐sr✉♣t❡❞ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✻ ✴ ✶✼✷

❊❛❝❤ s♦❧✉t✐♦♥ ❤❛s ♣r♦s ❛♥❞ ❝♦♥s✿ P❛t❝❤✐♥❣ ✐♥str✉❝t✐♦♥ r❡q✉✐r❡s ♠❛♥✉❛❧ ❛♥❛❧②s✐s t♦ ✜♥❞ ❛ s✉✐t❛❜❧❡ ✐♥str✉❝t✐♦♥ t♦ ♣❛t❝❤ ❇✉t ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ r❡q✉✐r❡s ❛❝t✐♦♥ ♦❢ t❤❡ ✉s❡r ♥❡✐t❤❡r ❡①❡❝✉t❡❞✱ ♥♦r ❛♥❛❧②s❡❞ ❜② ❛♥ ❛♥t✐✈✐r✉s✱ ❡✈❡♥ ✇✐t❤ ❝♦❞❡ ❡♠✉❧❛t✐♦♥ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ ▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❛❞❞❡❞ ❛t t❤❡ ❡♥❞ ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡✱ ❛❢t❡r ❧❛st s❡❝t✐♦♥ ❙❡✈❡r❛❧ ✇❛②s t♦ r❡❞✐r❡❝t ❡①❡❝✉t✐♦♥ ✢♦✇✿ ♣❛t❝❤ t❤❡ ❡①❡❝✉t❛❜❧❡ ❡♥tr② ♣♦✐♥t ♣❛t❝❤ s♦♠❡ ✐♥str✉❝t✐♦♥s t❤❛t ✇✐❧❧ ♣r♦❜❛❜❧② ❜❡ ❡①❡❝✉t❡❞ ❊①❛♠♣❧❡✿ ❝❛❧❧ t♦ t❤❡ ❢✉♥❝t✐♦♥ ✏s❛✈❡✑ ✐♥ ❛ t❡①t ❡❞✐t♦r ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✼ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ ▼❛❧✐❝✐♦✉s ♣❛②❧♦❛❞ ❛❞❞❡❞ ❛t t❤❡ ❡♥❞ ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡✱ ❛❢t❡r ❧❛st s❡❝t✐♦♥ ❙❡✈❡r❛❧ ✇❛②s t♦ r❡❞✐r❡❝t ❡①❡❝✉t✐♦♥ ✢♦✇✿ ♣❛t❝❤ t❤❡ ❡①❡❝✉t❛❜❧❡ ❡♥tr② ♣♦✐♥t ♣❛t❝❤ s♦♠❡ ✐♥str✉❝t✐♦♥s t❤❛t ✇✐❧❧ ♣r♦❜❛❜❧② ❜❡ ❡①❡❝✉t❡❞ ❊①❛♠♣❧❡✿ ❝❛❧❧ t♦ t❤❡ ❢✉♥❝t✐♦♥ ✏s❛✈❡✑ ✐♥ ❛ t❡①t ❡❞✐t♦r ❊❛❝❤ s♦❧✉t✐♦♥ ❤❛s ♣r♦s ❛♥❞ ❝♦♥s✿ P❛t❝❤✐♥❣ ✐♥str✉❝t✐♦♥ r❡q✉✐r❡s ♠❛♥✉❛❧ ❛♥❛❧②s✐s t♦ ✜♥❞ ❛ s✉✐t❛❜❧❡ ✐♥str✉❝t✐♦♥ t♦ ♣❛t❝❤ ❇✉t ❡①❡❝✉t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ r❡q✉✐r❡s ❛❝t✐♦♥ ♦❢ t❤❡ ✉s❡r ⇒ ♥❡✐t❤❡r ❡①❡❝✉t❡❞✱ ♥♦r ❛♥❛❧②s❡❞ ❜② ❛♥ ❛♥t✐✈✐r✉s✱ ❡✈❡♥ ✇✐t❤ ❝♦❞❡ ❡♠✉❧❛t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✼ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ MyEditor.exe MyEditor.exe MyEditor.exe Header Header Header Section 1 Section 1 Section 1 Section 2 Section 2 Section 2 ... ... ... Section n Section n Section n Malicious code Malicious code Original executable Infected executable Infected executable entry point patched instruction patched ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ✐♥❢❡❝t✐♦♥ ♦❢ ❛♥ ❡①❡❝✉t❛❜❧❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✽ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❢❡❝t ❛♥ ❡①❡❝✉t❛❜❧❡ ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ ◆♦t s♦ ❡❛s② t♦ ✐♠♣❧❡♠❡♥t✿ ❙❡✈❡r❛❧ s❡❝t✐♦♥s ♠✐❣❤t ❤❛✈❡ t♦ ❜❡ ❛❞❞❡❞ ❛t t❤❡ ❡♥❞ ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡ ❙❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss ❈♦❞❡ ♠✉st ✉s❡ ❞②♥❛♠✐❝ ❛❞❞r❡ss r❡s♦❧✉t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✷✾ ✴ ✶✼✷

❖❜❥❡❝t✐✈❡s ❙✉r✈✐✈❡ t♦ t❡r♠✐♥❛t✐♦♥ ♦❢ ♦r✐❣✐♥❛❧ ♣r♦❝❡ss ■♥t❡r❝❡♣t ♣r✐✈❛t❡ ❞❛t❛ ♦❢ ✉s❡r ✉s✐♥❣ ✐♥❢❡❝t❡❞ ❝♦♠♣✉t❡r✿ ✐♥❥❡❝t✐♦♥✴❆P■ ❤♦♦❦✐♥❣✴❛♥❛❧②s✐s ♦❢ ♣❛r❛♠❡t❡rs ❇②♣❛ss ❜❛❞ ✐♠♣❧❡♠❡♥t❡❞ ♣❡rs♦♥❛❧ ✜r❡✇❛❧❧s ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ Pr✐♥❝✐♣❧❡ ❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐♥❥❡❝ts s♦♠❡ ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ▼❛❧✐❝✐♦✉s ❝♦❞❡ ❢♦r❝❡s t❤❡ ❡①❡❝✉t✐♦♥ ♦❢ t❤✐s ✐♥❥❡❝t❡❞ ❝♦❞❡ ✐♥ t❤❡ ❝♦♥t❡①t ♦❢ t❤❡ ♦t❤❡r ♣r♦❝❡ss ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ Pr✐♥❝✐♣❧❡ ❉❡s❝r✐♣t✐♦♥ ▼❛❧✐❝✐♦✉s ❝♦❞❡ ✐♥❥❡❝ts s♦♠❡ ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ▼❛❧✐❝✐♦✉s ❝♦❞❡ ❢♦r❝❡s t❤❡ ❡①❡❝✉t✐♦♥ ♦❢ t❤✐s ✐♥❥❡❝t❡❞ ❝♦❞❡ ✐♥ t❤❡ ❝♦♥t❡①t ♦❢ t❤❡ ♦t❤❡r ♣r♦❝❡ss ❖❜❥❡❝t✐✈❡s ❙✉r✈✐✈❡ t♦ t❡r♠✐♥❛t✐♦♥ ♦❢ ♦r✐❣✐♥❛❧ ♣r♦❝❡ss ■♥t❡r❝❡♣t ♣r✐✈❛t❡ ❞❛t❛ ♦❢ ✉s❡r ✉s✐♥❣ ✐♥❢❡❝t❡❞ ❝♦♠♣✉t❡r✿ ✐♥❥❡❝t✐♦♥✴❆P■ ❤♦♦❦✐♥❣✴❛♥❛❧②s✐s ♦❢ ♣❛r❛♠❡t❡rs ❇②♣❛ss ❜❛❞ ✐♠♣❧❡♠❡♥t❡❞ ♣❡rs♦♥❛❧ ✜r❡✇❛❧❧s ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ ❈♦❞❡ ✐♥❥❡❝t✐♦♥ ♠❛② ❜❡ ❞♦♥❡ ✐♥ s❡✈❡r❛❧ ✇❛②s✿ ❞❧❧ ✐♥❥❡❝t✐♦♥ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❊❛❝❤ t❡❝❤♥✐q✉❡ ❤❛s ♣r♦ ❛♥❞ ❝♦♥s❀ ✇❡ ❝❤♦♦s❡ t♦ ✉s❡ t❤❡ s❡❝♦♥❞ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✶ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ Injecter Target Injection code ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✷ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ Injecter Target Injection code Malicious code ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✸ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ 1 "Injecter" gets a handle on targeted process Injecter Target Injection code Malicious code ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✹ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ Injecter Target Injection code 2 Free memory "Injecter" allocates memory in other process Malicious code ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✺ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ Injecter Target Injection code Malicious code Malicious 3 "Injecter" copies malicious code code in allocated memory ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✻ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ Injecter Target Injection code Malicious code Malicious code Thread 4 "Injecter" creates a new thread in other process that executes malicious code ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ ❞✐r❡❝t ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✼ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ■♥❥❡❝t ❝♦❞❡ ✐♥t♦ ❛♥♦t❤❡r ♣r♦❝❡ss ✲ ■♠♣❧❡♠❡♥t❛t✐♦♥ ❊♥❝♦✉♥t❡r s❛♠❡ ♣r♦❜❧❡♠s ❛s ❡①❡❝✉t✐♦♥ ♦♥❧② ✐♥ ♠❡♠♦r②✿ s❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ♠✉st ❜❡ r❡s♦❧✈❡❞ ⇒ ❈❛♥ ✉s❡ t❤❡ s❛♠❡ tr✐❝❦s ◆♦t❡ t❤❛t ✐❢ ♠❡♠♦r② ✇❤❡r❡ ❝♦❞❡ ♠✉st ❜❡ ♠❛♣♣❡❞ ✐s ❛❧r❡❛❞② ❛❧❧♦❝❛t❡❞✱ ✐♥❥❡❝t✐♦♥ ✇✐❧❧ ❢❛✐❧✦ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✽ ✴ ✶✼✷

❚❤♦s❡ t❡❝❤♥✐q✉❡s ❝♦✉❧❞ ❜❡ ✐♠♣❧❡♠❡♥t❡❞ ♠♦r❡ ❡❛s✐❧② ✐❢ t❤❡ ❝♦❞❡ ✇❛s ❝♦♥st✐t✉t❡❞ ♦❢ ♦♥❧② ♦♥❡ ❜❧♦❝❦ ✇❛s ❛❜❧❡ t♦ ✐♥✐t✐❛❧✐s❡ t❤❡ ❛❞❞r❡ss s♣❛❝❡ ❝♦♥t❛✐♥❡❞ ♥♦ ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss ✐❢ t❤❡ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✇❛s ❛ s❤❡❧❧❝♦❞❡ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❙✉♠♠❛r② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤♦s❡ t❡❝❤♥✐q✉❡s ✐♥ ❛♥ ❡①❡❝✉t❛❜❧❡ ✐s ❛❧✇❛②s ♣♦ss✐❜❧❡✱ ❜✉t r❡q✉✐r❡s ❧♦ts ♦❢ ✇♦r❦ ❉✐✣❝✉❧t✐❡s ❝♦♠❡ ❢r♦♠ s❡✈❡r❛❧ ♣r♦♣❡rt✐❡s ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡✿ ❝♦❞❡ ❛♥❞ ❞❛t❛ ❛r❡ s♣r❡❛❞ ✐♥ t❤❡ ❡①❡❝✉t❛❜❧❡ ♣r♦❝❡ss r❡q✉✐r❡s s♦♠❡ ♦❢ ✐♥✐t✐❛❧✐s❛t✐♦♥ ♥♦r♠❛❧❧② ❞♦♥❡ ❜② ❲✐♥❞♦✇s ❧♦❛❞❡r ❝♦❞❡ ❝♦♥t❛✐♥s ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss❡s ⇒ s❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss❡s ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ❆ ❢❡✇ t❡❝❤♥✐q✉❡s ✉s❡❞ ❜② ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✳ ✳ ✳ ❙✉♠♠❛r② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤♦s❡ t❡❝❤♥✐q✉❡s ✐♥ ❛♥ ❡①❡❝✉t❛❜❧❡ ✐s ❛❧✇❛②s ♣♦ss✐❜❧❡✱ ❜✉t r❡q✉✐r❡s ❧♦ts ♦❢ ✇♦r❦ ❉✐✣❝✉❧t✐❡s ❝♦♠❡ ❢r♦♠ s❡✈❡r❛❧ ♣r♦♣❡rt✐❡s ♦❢ t❤❡ ❡①❡❝✉t❛❜❧❡✿ ❝♦❞❡ ❛♥❞ ❞❛t❛ ❛r❡ s♣r❡❛❞ ✐♥ t❤❡ ❡①❡❝✉t❛❜❧❡ ♣r♦❝❡ss r❡q✉✐r❡s s♦♠❡ ♦❢ ✐♥✐t✐❛❧✐s❛t✐♦♥ ♥♦r♠❛❧❧② ❞♦♥❡ ❜② ❲✐♥❞♦✇s ❧♦❛❞❡r ❝♦❞❡ ❝♦♥t❛✐♥s ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss❡s ⇒ s❡❝t✐♦♥s ♠✉st ❜❡ ♠❛♣♣❡❞ ❛t t❤❡ r✐❣❤t ❛❞❞r❡ss❡s ❚❤♦s❡ t❡❝❤♥✐q✉❡s ❝♦✉❧❞ ❜❡ ✐♠♣❧❡♠❡♥t❡❞ ♠♦r❡ ❡❛s✐❧② ✐❢ t❤❡ ❝♦❞❡ ✇❛s ❝♦♥st✐t✉t❡❞ ♦❢ ♦♥❧② ♦♥❡ ❜❧♦❝❦ ✇❛s ❛❜❧❡ t♦ ✐♥✐t✐❛❧✐s❡ t❤❡ ❛❞❞r❡ss s♣❛❝❡ ❝♦♥t❛✐♥❡❞ ♥♦ ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss ⇒ ✐❢ t❤❡ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✇❛s ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✸✾ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡ P❧❛♥ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ✖ ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✵ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡ Pr✐♥❝✐♣❧❡ ❈♦♥s✐❞❡r ♥♦✇ t❤❛t ♦✉r ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ❛ s❤❡❧❧❝♦❞❡✿ ❝♦♥st✐t✉t❡❞ ♦❢ ♦♥❧② ♦♥❡ ❜❧♦❝❦ ❝❛♥ r✉♥ ❛t ❛♥② ❛❞❞r❡ss ✐♥ ❛♥② ♣r♦❝❡ss ❡①❡❝✉t❡s ❡①❛❝t❧② t❤❡ s❛♠❡ ♦♣❡r❛t✐♦♥s ❛s t❤❡ ♥♦r♠❛❧ ❡①❡❝✉t❛❜❧❡ ✐❢ ❡①❡❝✉t✐♦♥ tr❛♥s❢❡rr❡❞ t♦ ✐ts ✜rst ❜②t❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✶ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡ ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❊♥❝r②♣t✐♦♥ ♦❢ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ❉❡❝r②♣t✐♦♥ ♣❛rt ❜❡❝♦♠❡s ❛ s✐♠♣❧❡ ❧♦♦♣ t❤❛t ❡①❡❝✉t❡s ❞❡❝r②♣t✐♦♥ ♦♥ s❤❡❧❧❝♦❞❡ ∼ ❛rr❛② ♦❢ ❜②t❡s ❊①❡❝✉t✐♦♥ ♦♥❧② ✐♥ ♠❡♠♦r② ❛♥❞ ❝♦❞❡ ✐♥❥❡❝t✐♦♥ ❊❛s② t♦ ✐♠♣❧❡♠❡♥t s✐♥❝❡ ❜② ❞❡✜♥✐t✐♦♥ s❤❡❧❧❝♦❞❡ ✐s ❛❜❧❡ t♦ ❡①❡❝✉t❡ ✐♥ ❛♥② ♣r♦❝❡ss ❛t ❛♥② ❛❞❞r❡ss ❊①❡❝✉t❛❜❧❡ ✐♥❢❡❝t✐♦♥ ❙❤❡❧❧❝♦❞❡ ❛❞❞❡❞ ✐♥ ❧❛st s❡❝t✐♦♥ ❋❡✇ ♠♦❞✐✜❝❛t✐♦♥s ❞♦♥❡ ♦♥ P❊ ❤❡❛❞❡r ❊♥tr② ♣♦✐♥t ♦r ✐♥str✉❝t✐♦♥ ♣❛t❝❤❡❞ t♦ ❥✉♠♣ ♦♥ s❤❡❧❧❝♦❞❡ ❏✉♠♣ t♦ ♦r✐❣✐♥❛❧ ✐♥str✉❝t✐♦♥ ❛❞❞❡❞ ❛t ❡♥❞ ♦❢ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✷ ✴ ✶✼✷

❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ t❡❝❤♥✐q✉❡s ❢r♦♠ ❛ s❤❡❧❧❝♦❞❡ ❙✉♠♠❛r② ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ ♣r❡s❡♥t❡❞ t❡❝❤♥✐q✉❡s ✐s ❣r❡❛t❧② s✐♠♣❧✐✜❡❞ ✐❢ t❤❡ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ✐s ❛ s❤❡❧❧❝♦❞❡ r❛t❤❡r t❤❛♥ ❛♥ ❡①❡❝✉t❛❜❧❡ ◆❡①t ♣r♦❜❧❡♠ ✐s ❤♦✇ t♦ ❣❡t ❛ s❤❡❧❧❝♦❞❡❄ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✸ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ P❧❛♥ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ✶ ❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ✷ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✸ ❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ✹ ❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r ✺ ❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ✻ ❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r ✼ ❈♦♥❝❧✉s✐♦♥ ✽ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✹ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❖❜❥❡❝t✐✈❡ ♦❢ t❤✐s ♣❛rt ✲ ✶ Pr❡s❡♥t ❛♥ ❡❛s② ✇❛② t♦ ✇r✐t❡ t❤❡ ♠❛❧✐❝✐♦✉s ❝♦❞❡ ❛s ❛ s❤❡❧❧❝♦❞❡ ❲r✐t✐♥❣ s❤❡❧❧❝♦❞❡ ❞✐r❡❝t❧② ✐♥ ❛ss❡♠❜❧② q✉✐❝❦❧② ❜❡❝♦♠❡s t❡❞✐♦✉s ⇒ s♦❧✉t✐♦♥ ❞✐s♠✐ss❡❞ ❇❡tt❡r s♦❧✉t✐♦♥ ✇♦✉❧❞ ❜❡✿ ✇r✐t❡ ❝♦❞❡ ✐♥ ❈ ❧❛♥❣✉❛❣❡ ✉s❡ ❝♦♠♣✐❧❡r t♦ ❣❡♥❡r❛t❡ ❡①❡❝✉t❛❜❧❡ ❡①tr❛❝t s♦♠❡ ♣❛rt ❢r♦♠ t❤✐s ❡①❡❝✉t❛❜❧❡ ❢♦r♠ s❤❡❧❧❝♦❞❡ ❜② ❛ss❡♠❜❧✐♥❣ t❤❡♠ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✺ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❖❜❥❡❝t✐✈❡ ♦❢ t❤✐s ♣❛rt ✲ ✷ ❇✐♥❛r② ❝♦❞❡ ♣r♦❞✉❝❡❞ ❜② ♥♦r♠❛❧ ❝♦♠♣✐❧❛t✐♦♥ ❝❛♥♥♦t ❜❡ ❞✐r❡❝t❧② ✉s❡❞ t♦ ❝r❡❛t❡ ❛ s❤❡❧❧❝♦❞❡✿ ❝♦♥t❛✐♥s ❧♦ts ♦❢ ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss❡s ✭r❡❢❡r❡♥❝❡ t♦ ❛ str✐♥❣ ♦r ❛ ❣❧♦❜❛❧ ✈❛r✐❛❜❧❡✮ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥s ❝❛❧❧s ❛r❡ r❡❧❛t✐✈❡ ❜✉t ❞✐st❛♥❝❡s ❛r❡ ❤❛r❞❝♦❞❡❞ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❝❛❧❧s r❡❧② ♦♥ ■❆❚ ▼❛♥② ✇❛②s t♦ s♦❧✈❡ t❤♦s❡ ♣r♦❜❧❡♠s ✭♣❛t❝❤ ❛ss❡♠❜❧②✱ ✇♦r❦ ✐♥ t❤❡ st❛❝❦✳ ✳ ✳ ✮ ❈❤♦♦s❡ ♦♥❡ t❡❝❤♥✐q✉❡✿ ✉s❡ ❛ ❣❧♦❜❛❧ ❞❛t❛ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✻ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✶ ❯s❡ ♦♥❡ str✉❝t✉r❡ t❤❛t st♦r❡s ❛❧❧ ❣❧♦❜❛❧ ❞❛t❛ ❛♥❞ t❤❛t ✐s tr❛♥s♠✐tt❡❞ ✐♥ ❡✈❡r② ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥ ❝❛❧❧ ❙tr✉❝t✉r❡✱ ❝❛❧❧❡❞ ❧❛t❡r ✏●▲❖❇❆▲❴❉❆❚❆✑✱ ✇✐❧❧ ❝♦♥t❛✐♥✿ ♣♦✐♥t❡rs ♦♥ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥s ♣♦✐♥t❡rs ♦♥ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❣❧♦❜❛❧ ✈❛r✐❛❜❧❡s str✐♥❣s ❈ ❝♦❞❡ ✐s ♠♦❞✐✜❡❞ s♦ t❤❛t ❡✈❡r② r❡❢❡r❡♥❝❡ t♦ ❛ ♣r❡✈✐♦✉s❧② ❧✐st❡❞ ❡❧❡♠❡♥t ✇✐❧❧ ❜❡ ❞♦♥❡ t❤r♦✉❣❤ ●▲❖❇❆▲❴❉❆❚❆ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✼ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✷ Original function DisplayFile BOOL DisplayFile(IN CHAR * szFilePath) { ... CreateFile(szFilePath, ...) pData = (UCHAR *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize+1) ReadFile(hFile, pData, ...) PrintMsg(LOG_LEVEL_TRACE, "File successfully read: %s", pData); ... } Patched function DisplayFile (modifications are colorized in red) BOOL DisplayFile(IN PGLOBAL_DATA pGlobalData, IN CHAR * szFilePath) { ... pGlobalData->CreateFile(szFilePath, ...) pData = (UCHAR *) pGlobalData->HeapAlloc(pGlobalData->GetProcessHeap(), \\ HEAP_ZERO_MEMORY, dwFileSize+1) pGlobalData->ReadFile(hFile, pData, ...) pGlobalData->PrintMsg(pGlobalData, LOG_LEVEL_TRACE, pGlobalData->szString_00000001, \\ pData); ... } ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✽ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✸ ❚❤❡ ●▲❖❇❆▲❴❉❆❚❆ ❞❡✜♥✐t✐♦♥ ❧♦♦❦s ❧✐❦❡ t❤❡ ❢♦❧❧♦✇✐♥❣✿ Overview of structure GLOBAL_DATA typedef struct _GLOBAL_DATA { /* Internal functions */ PrintMsgTypeDef fp_PrintMsg; /* Imported functions */ CreateFileTypeDef fp_CreateFile; HeapAllocTypeDef fp_HeapAlloc; GetProcessHeapTypeDef fp_GetProcessHeap; ReadFileTypeDef fp_ReadFile; /* Data strings */ CHAR szString_00000001[27]; } GLOBAL_DATA, * PGLOBAL_DATA; ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✹✾ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✹ ◆✉♠❜❡r ♦❢ ♠♦❞✐✜❝❛t✐♦♥s ❝❛♥ ❜❡ ❝♦♥s✐❞❡r❛❜❧② r❡❞✉❝❡❞ ❜② ✉s✐♥❣ ❈ ♠❛❝r♦s✿ Definitions of macros /* Add GLOBAL_DATA parameter in definitions of internal function */ #define DisplayFileTempDefinition(...) \\ DisplayFileDefinition(PGLOBAL_DATA pGlobalData, __VA_ARGS__) /* Add redirection and GLOBAL_DATA parameter in call of internal function */ #define PrintMsg(...) pGlobalData->fp_PrintMsg(pGlobalData, __VA_ARGS__) #define DisplayFile(...) pGlobalData->fp_DisplayFile(pGlobalData, __VA_ARGS__) /* Add redirection for imported functions */ #define CreateFile pGlobalData->fp_CreateFile #define HeapAlloc pGlobalData->fp_HeapAlloc #define GetProcessHeap pGlobalData->fp_GetProcessHeap #define ReadFile pGlobalData->fp_ReadFile /* Add redirection for strings */ #define STR_00000001(x) pGlobalData->szString_00000001 ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✵ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✺ P❛t❝❤❡❞ ❢✉♥❝t✐♦♥ ✏❉✐s♣❧❛②❋✐❧❡✑ ❜❡❝♦♠❡s✿ Patched function DisplayFile with the macros BOOL DisplayFileTempDefinition(IN CHAR * szFilePath) { ... CreateFile(szFilePath, ...) pData = (UCHAR *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize+1) ReadFile(hFile, pData, ...) PrintMsg(LOG_LEVEL_TRACE, STR_00000001("File successfully read: %s"), pData); ... } ⇒ t❤❡r❡ ❛r❡ ♥♦✇ ✈❡r② ❢❡✇ ♠♦❞✐✜❝❛t✐♦♥s ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✶ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✻ Call of the internal function “DisplayMessage” DisplayMessage(g_szMessage); 00412F99 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; get address of g_szMessage in 00412F9C 05 58010000 ADD EAX,158 ; GLOBAL_DATA 00412FA1 50 PUSH EAX ; push address of g_szMessage 00412FA2 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; get address of pGlobalData 00412FA5 51 PUSH ECX ; push address of pGlobalData 00412FA6 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; get address of DisplayMessage 00412FA9 8B82 88000000 MOV EAX,DWORD PTR DS:[EDX+88] 00412FAF FFD0 CALL EAX ; call DisplayMessage Call of the internal function “DisplayFile” if(DisplayFile("test.txt") == FALSE) 00412FFC 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; get address of pGlobalData 00412FFF 05 A1040000 ADD EAX,4A1 ; get address of string 00413004 50 PUSH EAX ; push address of string 00413005 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; get address of pGlobalData 00413008 51 PUSH ECX ; push address of pGlobalData 00413009 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 0041300C 8B42 78 MOV EAX,DWORD PTR DS:[EDX+78] ; get address of DisplayFile 0041300F FFD0 CALL EAX ; call DisplayFile ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✷ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✼ Call of the imported function “CreateFile” CreateFile(szFilePath, ...) ... 00412DE2 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; get address of pGlobalData 00412DE5 8B91 D8000000 MOV EDX,DWORD PTR DS:[ECX+D8] ; get address of CreateFile 00412DEB FFD2 CALL EDX ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✸ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❯s✐♥❣ ❛ ❣❧♦❜❛❧ ❞❛t❛ ✲ ✽ ●❡♥❡r❛t❡❞ ❜✐♥❛r② ❞♦❡s ♥♦t ❝♦♥t❛✐♥ ❛♥② ❤❛r❞❝♦❞❡❞ ❛❞❞r❡ss❡s ⇒ ❜✐♥❛r② ❝♦❞❡ ❝❛♥ ❜❡ ❞✐r❡❝t❧② ❡①tr❛❝t❡❞ ❛♥❞ ✉s❡❞ t♦ ❢♦r♠ s❤❡❧❧❝♦❞❡ ❙❤❡❧❧❝♦❞❡ ♠❛② ❜❡ ❝r❡❛t❡❞ s✐♠♣❧② ❜② ❝♦♥❝❛t❡♥❛t✐♥❣ t❤❡ ❡①tr❛❝t❡❞ ❢✉♥❝t✐♦♥s ❛♥❞ ❛❞❞✐♥❣ t❤❡ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ❛t t❤❡ ❡♥❞ Shellcode entrypoint Internal function Internal function ... Internal function Internal function pointers Imported function pointers GLOBAL_DATA Global variables Strings ❋✐❣✉r❡✿ ❖✈❡r✈✐❡✇ ♦❢ t❤❡ str✉❝t✉r❡ ♦❢ t❤❡ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✹ ✴ ✶✼✷

❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❙✉♠♠❛r② ❚❤✐s s♦❧✉t✐♦♥ ❛❧❧♦✇s ❛ s❤❡❧❧❝♦❞❡ t♦ ❜❡ ❝r❡❛t❡❞ ✇✐t❤ ❧✐tt❧❡ ♠♦❞✐✜❝❛t✐♦♥ ♦❢ s♦✉r❝❡ ❝♦❞❡ ❍♦✇❡✈❡r✱ st✐❧❧ ❛ ❢❡✇ ♣r♦❜❧❡♠s t♦ s♦❧✈❡✿ ✇r✐t✐♥❣ t❤❡ ❞❡✜♥✐t✐♦♥ ♦❢ t❤❡ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ❛♥❞ t❤❡ ❞❡✜♥✐t✐♦♥ ♦❢ ♠❛❝r♦s ✐s ❧♦♥❣ t❤❡ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ♠✉st ❜❡ ✐♥✐t✐❛❧✐s❡❞ ❜✐♥❛r② ❞❛t❛ ♠✉st ❜❡ ❡①tr❛❝t❡❞ ❢r♦♠ ❣❡♥❡r❛t❡❞ ❡①❡❝✉t❛❜❧❡ ❛♥❞ ❛ss❡♠❜❧❡❞ t♦ ❝r❡❛t❡ ✜♥❛❧ s❤❡❧❧❝♦❞❡ ⇒ ❆ t♦♦❧ t❤❛t ❡①❡❝✉t❡s ❛❧❧ t❤♦s❡ ♦♣❡r❛t✐♦♥s ❛✉t♦♠❛t✐❝❛❧❧② ❤❛s ❜❡❡♥ ❞❡✈❡❧♦♣❡❞✿ ❲✐❙❤▼❛st❡r ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✺ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ P❧❛♥ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ✶ ❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ✷ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✸ ❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ✹ ❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r ✺ ❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ✻ ❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r ✼ ❈♦♥❝❧✉s✐♦♥ ✽ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✻ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ P❧❛♥ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✖ Pr❡s❡♥t❛t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✼ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ Pr❡s❡♥t❛t✐♦♥ ❲✐❙❤▼❛st❡r ✐s ❛ t♦♦❧ t❤❛t ❛✉t♦♠❛t✐❝❛❧❧② ❣❡♥❡r❛t❡s s❤❡❧❧❝♦❞❡s✱ ❜② ✉s✐♥❣ t❤❡ ♣r❡✈✐♦✉s❧② ❞❡s❝r✐❜❡❞ ♣r✐♥❝✐♣❧❡ ❚❛❦❡s ❛ s❡t ♦❢ ❈ s♦✉r❝❡ ✜❧❡s ✇r✐tt❡♥ ✏♥♦r♠❛❧❧②✑ ✐♥ ✐♥♣✉t ❛♥❞ ❣❡♥❡r❛t❡s ❛ s❤❡❧❧❝♦❞❡ ✐♥ ♦✉t♣✉t ❙❤❡❧❧❝♦❞❡ ❛❝❝♦♠♣❧✐s❤❡s s❛♠❡ ♦♣❡r❛t✐♦♥s ❛s ❡①❡❝✉t❛❜❧❡ ♣r♦❞✉❝❡❞ ❜② ❝♦♠♣✐❧❛t✐♦♥ ♦❢ ♦r✐❣✐♥❛❧ s♦✉r❝❡ ❚r❛♥s❢♦r♠❛t✐♦♥ ✐♥ s❤❡❧❧❝♦❞❡ ❝❛❧❧❡❞ ❧❛t❡r ✏s❤❡❧❧❝♦❞✐s❛t✐♦♥✑ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✽ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ❉❡✈❡❧♦♣♠❡♥t ♣r♦❣r❡ss ✲ ❲✐❙❤▼❛st❡r ✈❡rs✐♦♥ ✶ ❲✐❙❤▼❛st❡r ✈✶ ❤❛s ❜❡❡♥ ❛✈❛✐❧❛❜❧❡ ♦♥ ♠② ✇❡❜ s✐t❡ ❢♦r ♦♥❡ ②❡❛r ●r❛♣❤✐❝❛❧ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✐♥ ❈★ ❲♦r❦s ❜✉t ❤❛s s❡✈❡r❛❧ ❧✐♠✐t❛t✐♦♥s ▼♦st ✐♠♣♦rt❛♥t✿ ❈ ❝♦❞❡ ♣❛rs❡❞ ✇✐t❤ r❡❣✉❧❛r ❡①♣r❡ss✐♦♥s ⇒ ♠✉st ❝♦♥❢♦r♠ t♦ ❛ ❢❡✇ s②♥t❛① r✉❧❡s t♦ ❜❡ s✉❝❝❡ss❢✉❧❧② ❛♥❛❧②s❡❞ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✺✾ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ Pr❡s❡♥t❛t✐♦♥ ❉❡✈❡❧♦♣♠❡♥t ♣r♦❣r❡ss ✲ ❲✐❙❤▼❛st❡r ✈❡rs✐♦♥ ✷ ❲✐❙❤▼❛st❡r ✈✷ ✐s ✉♥❞❡r ❛❝t✐✈❡ ❞❡✈❡❧♦♣♠❡♥t ❈♦rr❡❝ts ♠❛♥② ♣r♦❜❧❡♠s ♦❢ t❤❡ ✈✶✿ ❲✐❙❤▼❛st❡r ✐s ♥♦✇ ❛ ❝♦♥s♦❧❡ ❛♣♣❧✐❝❛t✐♦♥ ✇r✐tt❡♥ ✐♥ P②t❤♦♥✿ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❝❛♥ ❜❡ s❝r✐♣t❡❞ ✉s❡r ❝❛♥ ✐♥t❡r❝❡❞❡ ❛t ❛♥② st❡♣ ♦❢ t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss✱ ✈✐❡✇ r❡s✉❧ts ❛♥❞ ❝♦rr❡❝t ❡✈❡♥t✉❛❧ ♠✐st❛❦❡s ♣❛rs✐♥❣ ♦❢ s♦✉r❝❡ ❝♦❞❡ ✇✐t❤ r❡❣✉❧❛r ❡①♣r❡ss✐♦♥s ❤❛s ❜❡❡♥ ❝♦♥s✐❞❡r❛❜❧② r❡❞✉❝❡❞ ⇒ ♠♦st ♦❢ t❤❡ ❝♦♥str❛✐♥s ♦♥ ❈ s②♥t❛① ❤❛✈❡ ❜❡❡♥ r❡♠♦✈❡❞ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✵ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss P❧❛♥ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✖ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✶ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ✐♥ ❲✐❙❤▼❛st❡r ❙❤❡❧❧❝♦❞✐s❛t✐♦♥ ❛❝❝♦♠♣❧✐s❤❡❞ ❜② ❲✐❙❤▼❛st❡r ✐s ❞✐✈✐❞❡❞ ✐♥t♦ ✻ st❡♣s✿ ❆♥❛❧②s✐s ✿ ✐❞❡♥t✐✜❡s ❝♦❞❡ ❡❧❡♠❡♥ts ❖❜t❛✐♥ t❤❡ s✐③❡ ♦❢ ❣❧♦❜❛❧ ✈❛r✐❛❜❧❡s ❈r❡❛t❡ ❡♥✈✐r♦♥♠❡♥t ✿ ❝r❡❛t❡s ✜❧❡ ❣❧♦❜❛❧❴❞❛t❛✳❤ ✭●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ❛♥❞ ♠❛❝r♦s✮ ❝r❡❛t❡s ❛ ♣❛t❝❤❡❞ ❝♦♣② ♦❢ s♦✉r❝❡ ✜❧❡s ✐♥ ❛ t❡♠♣♦r❛r② ❞✐r❡❝t♦r② ●❡♥❡r❛t✐♦♥ ✿ ❜✉✐❧❞s ♣❛t❝❤❡❞ s♦✉r❝❡s✱ ❡①tr❛❝ts ❜✐♥❛r② ❞❛t❛ ❛♥❞ ❣❡♥❡r❛t❡s t❤❡ s❤❡❧❧❝♦❞❡ ❈✉st♦♠✐③❛t✐♦♥ ■♥t❡❣r❛t✐♦♥ ✿ ❝♦♣② s❤❡❧❧❝♦❞❡ ✐♥ ❛ s♣❡❝✐✜❝ ❞✐r❡❝t♦r② ♦r tr❛♥s❢♦r♠ ✐t ✐♥ ❛ ❈ ❛rr❛② ❛♥❞ ❞✉♠♣ ✐t ✐♥ ❛ ❈ ❤❡❛❞❡r ✜❧❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✷ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✶ Pr✐♥❝✐♣❧❡ ❙t❡♣ ❝♦♠♣♦✉♥❞❡❞ ♦❢ ❛ ❝❤❛✐♥ ♦❢ ❢✉♥❝t✐♦♥s t❤❛t ✇✐❧❧ ❡①❡❝✉t❡ s♦♠❡ ♠♦❞✐✜❝❛t✐♦♥s ♦♥ t❤❡ s❤❡❧❧❝♦❞❡ ❛♥❞ tr❛♥s♠✐t t❤❡ ♠♦❞✐✜❡❞ s❤❡❧❧❝♦❞❡ t♦ t❤❡ ♥❡①t ❢✉♥❝t✐♦♥ ❈♦♥t❡♥t ♦❢ t❤❡ ❝❤❛✐♥ ✐s ❞❡✜♥❡❞ ❜② t❤❡ ✉s❡r ❈✉st♦♠✐③❛t✐♦♥ ❢✉♥❝t✐♦♥s ✐♠♣❧❡♠❡♥t❡❞ ✐♥ P②t❤♦♥ ♠♦❞✉❧❡ ⇒ ✉s❡r ❝❛♥ ❡❛s✐❧② ✇r✐t❡ t❤❡✐r ♦✇♥ ❝✉st♦♠✐③❛t✐♦♥ ♠♦❞✉❧❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✸ ✴ ✶✼✷

❊①❛♠♣❧❡ ✷✿ s❡tt✐♥❣ s♣❡❝✐✜❝ ✈❛❧✉❡s ❊①❛♠♣❧❡✿ s❤❡❧❧❝♦❞❡ t❤❛t ❝♦♥♥❡❝ts t♦ ❛ s❡r✈❡r ❙♦✉r❝❡ ❝♦❞❡ ❝♦♥t❛✐♥s t✇♦ ✈❛r✐❛❜❧❡s✿ ■P ❛❞❞r❡ss ❛♥❞ ♣♦rt ♦❢ t❤❡ s❡r✈❡r ■❢ ✇❡ ♣✉t r❡❛❧ ✈❛❧✉❡s ❞✐r❡❝t❧② ✐♥ t❤♦s❡ ✈❛r✐❛❜❧❡s✿ s❤❡❧❧❝♦❞❡ ♠✉st ❜❡ r❡❣❡♥❡r❛t❡❞ t♦ ❝♦♥♥❡❝t t♦ ❛♥♦t❤❡r s❡r✈❡r s❤❡❧❧❝♦❞❡ ❝❛♥♥♦t ❜❡ ❞✐str✐❜✉t❡❞ ✐♥ ✐ts ❜✐♥❛r② ❢♦r♠ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✷ ❊①❛♠♣❧❡ ✶✿ ❡♥❝r②♣t✐♦♥ ❈✉st♦♠✐③❛t✐♦♥ st❡♣ ♠❛② ❜❡ ✉s❡❞ t♦ ❡♥❝r②♣t t❤❡ s❤❡❧❧❝♦❞❡ ❲✐❙❤▼❛st❡r ❝♦♠❡s ✇✐t❤ t✇♦ ✏❝✉st♦♠✐③❛t✐♦♥✑ ♠♦❞✉❧❡s t❤❛t ❝❛♥ ❡♥❝r②♣t ❛ s❤❡❧❧❝♦❞❡✿ ❳❖❘ ❡♥❝r②♣t✐♦♥ ✇✐t❤ ❛ ✸✷✲❜✐ts ❦❡② ✭♣♦❧②♠♦r♣❤✐s♠✮ ❆❊❙✲❈❇❈ ❡♥❝r②♣t✐♦♥ ✇✐t❤ ❛ ✷✺✻✲❜✐ts ❦❡② ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✹ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✷ ❊①❛♠♣❧❡ ✶✿ ❡♥❝r②♣t✐♦♥ ❈✉st♦♠✐③❛t✐♦♥ st❡♣ ♠❛② ❜❡ ✉s❡❞ t♦ ❡♥❝r②♣t t❤❡ s❤❡❧❧❝♦❞❡ ❲✐❙❤▼❛st❡r ❝♦♠❡s ✇✐t❤ t✇♦ ✏❝✉st♦♠✐③❛t✐♦♥✑ ♠♦❞✉❧❡s t❤❛t ❝❛♥ ❡♥❝r②♣t ❛ s❤❡❧❧❝♦❞❡✿ ❳❖❘ ❡♥❝r②♣t✐♦♥ ✇✐t❤ ❛ ✸✷✲❜✐ts ❦❡② ✭♣♦❧②♠♦r♣❤✐s♠✮ ❆❊❙✲❈❇❈ ❡♥❝r②♣t✐♦♥ ✇✐t❤ ❛ ✷✺✻✲❜✐ts ❦❡② ❊①❛♠♣❧❡ ✷✿ s❡tt✐♥❣ s♣❡❝✐✜❝ ✈❛❧✉❡s ❊①❛♠♣❧❡✿ s❤❡❧❧❝♦❞❡ t❤❛t ❝♦♥♥❡❝ts t♦ ❛ s❡r✈❡r ❙♦✉r❝❡ ❝♦❞❡ ❝♦♥t❛✐♥s t✇♦ ✈❛r✐❛❜❧❡s✿ ■P ❛❞❞r❡ss ❛♥❞ ♣♦rt ♦❢ t❤❡ s❡r✈❡r ■❢ ✇❡ ♣✉t r❡❛❧ ✈❛❧✉❡s ❞✐r❡❝t❧② ✐♥ t❤♦s❡ ✈❛r✐❛❜❧❡s✿ s❤❡❧❧❝♦❞❡ ♠✉st ❜❡ r❡❣❡♥❡r❛t❡❞ t♦ ❝♦♥♥❡❝t t♦ ❛♥♦t❤❡r s❡r✈❡r s❤❡❧❧❝♦❞❡ ❝❛♥♥♦t ❜❡ ❞✐str✐❜✉t❡❞ ✐♥ ✐ts ❜✐♥❛r② ❢♦r♠ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✹ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸ MyProject.cpp 1 The developer writes source code IP and port set to special values Developer of the shellcode ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✺ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸ 2 MyProject.cpp Developer uses WiShMaster Internal to generate the shellcode functions GLOBAL_DATA Developer of the shellcode ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✻ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸ MyProject.cpp Internal functions GLOBAL_DATA Cutomization 3 Developer writes a cutomization module: module in Python patch values Developer of the shellcode ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✼ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸ 4 MyProject.cpp Developer puts the shellcode and the Internal customization module on Internet functions GLOBAL_DATA Cutomization module: patch values Developer of the shellcode ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✽ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸ MyProject.cpp Internal functions GLOBAL_DATA Cutomization module: patch values Developer of the shellcode User of the shellcode Internal functions 5 GLOBAL_DATA A user gets the shellcode and the cutomization module ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✻✾ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸ MyProject.cpp Internal functions GLOBAL_DATA Cutomization module: patch values Developer of the shellcode User of the shellcode 6 The user uses the customization module to patch special values Internal Internal functions functions Cutomization module: patch values GLOBAL_DATA GLOBAL_DATA Values ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✵ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❚❤❡ ❝✉st♦♠✐③❛t✐♦♥ st❡♣ ✲ ✸ MyProject.cpp Internal functions GLOBAL_DATA Cutomization module: patch values Developer of the shellcode User of the shellcode 7 The user uses another customization module to encrypt the shellcode Internal Internal functions functions Cutomization Cutomization module: module: encryption patch values GLOBAL_DATA GLOBAL_DATA Encryption key Values ❋✐❣✉r❡✿ Pr✐♥❝✐♣❧❡ ♦❢ t❤❡ s❡♣❛r❛t✐♦♥ ❜❡t✇❡❡♥ ❞❡✈❡❧♦♣❡r ✴ ✉s❡r ♦❢ ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✶ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ✐♥ ❲✐❙❤▼❛st❡r ✈✷ ✲ ✶ ■♥t❡r♥❛❧❧②✿ ❊✈❡r② ❡❧❡♠❡♥t ❞✐s❝♦✈❡r❡❞ ✐♥ t❤❡ s♦✉r❝❡ ❝♦❞❡ ∼ ❛♥ ♦❜❥❡❝t ✭✐♥t❡r♥❛❧✴✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s✱ str✐♥❣s✳ ✳ ✳ ✮ ❊✈❡r② st❡♣ ♦❢ t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ❞✐✈✐❞❡❞ ✐♥t♦ s❡✈❡r❛❧ s♠❛❧❧ s✉❜✲st❡♣s ❊✈❡r② s✉❜✲st❡♣ ✐♠♣❧❡♠❡♥t❡❞ ❜② ♦♥❡ ❢✉♥❝t✐♦♥ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✷ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ❚❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ■♠♣❧❡♠❡♥t❛t✐♦♥ ♦❢ t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ✐♥ ❲✐❙❤▼❛st❡r ✈✷ ✲ ✷ ❲✐❙❤▼❛st❡r ❝❛♥ ❜❡ ❧❛✉♥❝❤❡❞ ✐♥ t❤r❡❡ ♠♦❞❡s✿ ❛✉t♦♠❛t✐❝ ✿ ❡①❡❝✉t❡s t❤❡ s❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❛✉t♦♠❛t✐❝❛❧❧② s❝r✐♣t ✿ ❡①❡❝✉t❡s ❛♥ ❡①t❡r♥❛❧ s❝r✐♣t t❤❛t ❝❛♥ ❝❛❧❧ st❡♣✴s✉❜✲st❡♣ ❢✉♥❝t✐♦♥s ❡①♣♦rt❡❞ ❜② ❲✐❙❤▼❛st❡r ❛♥❞ ♠❛♥✐♣✉❧❛t❡ ♦❜❥❡❝ts ✐♥t❡r❛❝t✐✈❡ ✿ st❛rts ❛ P②t❤♦♥ s❤❡❧❧ ✭s❛♠❡ ♣r✐♥❝✐♣❧❡ ❛s ✐♥ ❙❝❛♣②✮ ❯s❡r ❝❛♥ t❤❡♥✿ ❝❛❧❧ st❡♣✴s✉❜✲st❡♣ ❢✉♥❝t✐♦♥s ❡①❡❝✉t❡ ❛ s❤❡❧❧❝♦❞✐s❛t✐♦♥ st❡♣ ❜② st❡♣ ❜② ❝❛❧❧✐♥❣ s♦♠❡ ❢✉♥❝t✐♦♥s st❡♣✭✮✱ st❡♣✐✭✮✱ r✉♥✭✮✳ ✳ ✳ ✭❧✐❦❡ ✐♥ ❛ ❞❡❜✉❣❣❡r✮ ❞✐s♣❧❛② ♦❜❥❡❝ts✱ ❝❤❛♥❣❡ t❤❡✐r ♣r♦♣❡rt✐❡s t♦ ❝♦rr❡❝t ❡✈❡♥t✉❛❧ ♠✐st❛❦❡s ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✸ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ P❧❛♥ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✖ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✹ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡✿ ♦❜❥❡❝t✐✈❡ ❙❤❡❧❧❝♦❞✐s❛t✐♦♥ ♣r♦❝❡ss ❞❡s❝r✐❜❡❞ ♣r❡✈✐♦✉s❧② ❝r❡❛t❡s ❛ ❜✐♥❛r② ❝♦❞❡ t❤❛t ♠❛② r✉♥ ❛t ❛♥② ❛❞❞r❡ss ❍♦✇❡✈❡r✱ s❤❡❧❧❝♦❞❡ ♠✉st ✐♥✐t✐❛❧✐s❡ t❤❡ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ❖♣❡r❛t✐♦♥ ❡①❡❝✉t❡❞ ❜② ❛ ❢✉♥❝t✐♦♥ ❛❞❞❡❞ ❜② ❲✐❙❤▼❛st❡r✱ ♣❧❛❝❡❞ ❛t t❤❡ ❜❡❣✐♥♥✐♥❣ ♦❢ t❤❡ s❤❡❧❧❝♦❞❡✿ ✜♥❞ ❛❞❞r❡ss ♦❢ ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ✜♥❞ ❛❞❞r❡ss❡s ♦❢ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥s ❛♥❞ ✜❧❧ ♣♦✐♥t❡rs ✐♥ ●▲❖❇❆▲❴❉❆❚❆ r❡s♦❧✈❡ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ❛♥❞ ✜❧❧ ♣♦✐♥t❡rs ✐♥ ●▲❖❇❆▲❴❉❆❚❆ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✺ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡✿ ♣r✐♥❝✐♣❧❡ ❲✐❙❤▼❛st❡r ✉s❡s t✐♣s ✇❡❧❧✲❦♥♦✇♥ ❜② ❲✐♥❞♦✇s s❤❡❧❧❝♦❞❡ ✇r✐t❡rs✿ ✜♥❞s ❧♦❛❞ ❛❞❞r❡ss ✇✐t❤ ❝❛❧❧✴♣♦♣ ✐♥str✉❝t✐♦♥s ❣❡ts ❛❞❞r❡ss ♦❢ ❦❡r♥❡❧✸✷✳❞❧❧ t❤r♦✉❣❤ t❤❡ P❊❇ ✭Pr♦❝❡ss ❊♥✈✐r♦♥♠❡♥t ❇❧♦❝❦✮ r❡s♦❧✈❡s ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s ✇✐t❤ ▲♦❛❞▲✐❜r❛r② ❛♥❞ ❛♥ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥ t❤❛t ❢♦✉♥❞ t❤❡ ❛❞❞r❡ss ♦❢ ❛♥ ❡①♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❢r♦♠ ❛ ✸✷✲❜✐ts ❝❤❡❝❦s✉♠ ❝♦♠♣✉t❡❞ ❢r♦♠ ✐ts ♥❛♠❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✻ ✴ ✶✼✷

❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ■♥✐t✐❛❧✐s✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡✿ s✉♠♠❛r② ❚❤❡ s❤❡❧❧❝♦❞❡ ✐♥✐t✐❛❧✐s❛t✐♦♥ r❡❧✐❡s ♦♥ t❤r❡❡ ❢✉♥❝t✐♦♥s✿ ✏■♥✐t✐❛❧✐s❡❙❤❡❧❧❝♦❞❡✑ ✿ ❡♥tr② ♣♦✐♥t ♦❢ t❤❡ s❤❡❧❧❝♦❞❡✱ ✇❤✐❝❤ ✐♥✐t✐❛❧✐s❡s ●▲❖❇❆▲❴❉❆❚❆ str✉❝t✉r❡ ✏●❡t❑❡r♥❡❧✸✷❆❞❞r❡ss✑ ✿ r❡t✉r♥s t❤❡ ❧♦❛❞ ❛❞❞r❡ss ♦❢ ✏❦❡r♥❡❧✸✷✳❞❧❧✑ ✏●❡tPr♦❝❆❞❞r❡ss❇②❈❦s✉♠■♥❉❧❧✑ ✿ ✜♥❞s ❛♥ ❡①♣♦rt❡❞ ❢✉♥❝t✐♦♥ ❢r♦♠ t❤❡ ❝❤❡❝❦s✉♠ ♦❢ ✐ts ♥❛♠❡ ✭s✉♣♣♦rts ❞❧❧ ❢♦r✇❛r❞✐♥❣✮ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✼ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st P❧❛♥ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ✶ ❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ✷ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✸ ❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ✹ ❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r ✺ ❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ✻ ❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r ✼ ❈♦♥❝❧✉s✐♦♥ ✽ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✽ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st Pr❡s❡♥t❛t✐♦♥ ♦❢ s✐♠♣❧❡t❡st ❱❡r② s✐♠♣❧❡ ♣r♦❣r❛♠✿ ♣r✐♥ts ♠❡ss❛❣❡s ❞✐s♣❧❛②s t❤❡ ❝♦♥t❡♥t ♦❢ ❛ ✜❧❡ ✏t❡st✳t①t✑ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✼✾ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✶ File user.h.txt #define SIZE_USERNAME 32 #define SIZE_PASSWORD 32 typedef struct _USER { CHAR szUsername[SIZE_USERNAME]; CHAR szPassword[SIZE_PASSWORD]; } USER, *PUSER; ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✵ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✷ File display.cpp CHAR g_szMessage[]="This is a message stored as a global variable"; VOID DisplayMessage(IN CHAR * szMessage) { PrintMsg(LOG_LEVEL_TRACE, ">>> %s <<<", szMessage); } BOOL DisplayFile(IN CHAR * szFilePath) { ... CreateFile(szFilePath, ...) pData = (UCHAR *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize+1) ReadFile(hFile, pData, ...) PrintMsg(LOG_LEVEL_TRACE, "File successfully read: %s", pData); ... } BOOL DisplayData(VOID) { DisplayMessage(g_szMessage); PrintMsg(LOG_LEVEL_TRACE, "Username: %s", g_User.szUsername); PrintMsg(LOG_LEVEL_TRACE, "Password: %s", g_User.szPassword); if(DisplayFile("test.txt") == FALSE) return FALSE; return TRUE; } ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✶ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✸ File main.cpp USER g_User ={"jmerchat","password"}; BOOL DisplayData(VOID); int main(int argc, char * argv[]) { DisplayUser(); return 0; } ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✷ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✹ File print_msg.cpp VOID PrintMsg(IN UINT uiMessageLevel, IN const CHAR * fmt, ...) { CHAR szBuffer[SIZE_OF_LOCAL_LOG_BUFFER+1]; UINT i = 0; if(uiMessageLevel == LOG_LEVEL_ERROR) i += _snprintf(&szBuffer[i], SIZE_OF_LOCAL_LOG_BUFFER-i, "[ERROR] : "); else if(uiMessageLevel == LOG_LEVEL_WARNG) ... va_list ap; va_start(ap, fmt); i += _vsnprintf(&szBuffer[i], SIZE_OF_LOCAL_LOG_BUFFER-i, fmt, ap); va_end(ap); printf("[%.4d] %s\n ", GetCurrentThreadId() , szBuffer); fflush(stdout); } ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✸ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ❆ ❢❡✇ ❡①tr❛❝ts ♦❢ s✐♠♣❧❡t❡st ✲ ✺ ❚♦ s✉♠ ✉♣✱ ✏s✐♠♣❧❡t❡st✑ ❝♦♥t❛✐♥s✿ ◆❡✇ t②♣❡ ✏❯❙❊❘✑ ❚✇♦ ❣❧♦❜❛❧ ✈❛r✐❛❜❧❡s❀ ✏❣❴❯s❡r✑ ✿ t②♣❡ ✏❯❙❊❘✑ ✏❣❴s③▼❡ss❛❣❡✑ ✿ str✐♥❣ ❋✐✈❡ ✐♥t❡r♥❛❧ ❢✉♥❝t✐♦♥s✿ ✏❉✐s♣❧❛②▼❡ss❛❣❡✑ ✿ ❞✐s♣❧❛②s ✏❣❴s③▼❡ss❛❣❡✑ ✏❉✐s♣❧❛②❋✐❧❡✑ ✿ ♦♣❡♥s ❛ ✜❧❡ ✏t❡st✳t①t✑ ❛♥❞ ❞✐s♣❧❛②s ✐ts ❝♦♥t❡♥t ✏❉✐s♣❧❛②❉❛t❛✑ ✿ ❢✉♥❝t✐♦♥ t❤❛t r❡❛❧❧② ❡①❡❝✉t❡s ❛❧❧ ♦♣❡r❛t✐♦♥s ✏♠❛✐♥✑ ✿ ♣r♦❣r❛♠ ❡♥tr② ♣♦✐♥t t❤❛t ♦♥❧② ❝❛❧❧s ✏❉✐s♣❧❛②❉❛t❛✑ ✏Pr✐♥t▼s❣✑ ✿ ❞✐s♣❧❛②s ❧♦❣ ♠❡ss❛❣❡s ❙❡✈❡r❛❧ str✐♥❣s ❙❡✈❡r❛❧ ❝❛❧❧s t♦ ✐♠♣♦rt❡❞ ❢✉♥❝t✐♦♥s✿ ❈r❡❛t❡❋✐❧❡✱ ❍❡❛♣❆❧❧♦❝✳ ✳ ✳ ⇒ ♥♦t r❡❛❧❧② ✉s❡❢✉❧ ❜✉t ❝♦♥t❛✐♥s ♠♦st ❡❧❡♠❡♥ts ♦❢ ❈ ♣r♦❣r❛♠ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✹ ✴ ✶✼✷

❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ❉❡♠♦♥str❛t✐♦♥s ❱✐❞❡♦ ✏s✐♠♣❧❡t❡st❴❡①❡✳❛✈✐✑✿ ❣❡♥❡r❛t✐♦♥ ♦❢ ✏s✐♠♣❧❡t❡st✑ ❛s ❛♥ ❡①❡❝✉t❛❜❧❡ ❱✐❞❡♦ ✏s✐♠♣❧❡t❡st❴s❤❡❧❧❝♦❞❡✳❛✈✐✑✿ ❣❡♥❡r❛t✐♦♥ ♦❢ ✏s✐♠♣❧❡t❡st✑ ❛s ❛ s❤❡❧❧❝♦❞❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✺ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r P❧❛♥ ❚❤❡ ✉s❡ ♦❢ s❤❡❧❧❝♦❞❡s ✐♥ ✈✐r♦❧♦❣② ✶ ❲r✐t✐♥❣ t❤❡ s❤❡❧❧❝♦❞❡ ✷ ❲✐❙❤▼❛st❡r ✐♥ ❛ ♥✉ts❤❡❧❧ ✸ ❉❡♠♦♥str❛t✐♦♥✿ s✐♠♣❧❡t❡st ✹ ❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r ✺ ❉❡♠♦♥str❛t✐♦♥✿ ❘✈❙❤❡❧❧ ✻ ❉❡♠♦♥str❛t✐♦♥✿ ❲❡❜❉♦♦r ✼ ❈♦♥❝❧✉s✐♦♥ ✽ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✻ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r ❖❜❥❡❝t✐✈❡s ♦❢ ❲✐❙❤▼❛st❡r ❱❡rs✐♦♥ ✶ ♦❢ ❲✐❙❤▼❛st❡r✿ ❝r❡❛t✐♦♥ ♦❢ ♠♦♥♦❧✐t❤✐❝ s❤❡❧❧❝♦❞❡s ❲✐t❤ ✈❡rs✐♦♥ ✷✱ ♦❜❥❡❝t✐✈❡s ❤❛✈❡ ❜❡❡♥ ❝♦♥s✐❞❡r❛❜❧② ❡①t❡♥❞❡❞✿ ❞❡✈❡❧♦♣♠❡♥t ♦❢ ♠♦❞✉❧❛r ❛♣♣❧✐❝❛t✐♦♥s ✉s❡r ❝❤♦♦s❡s ♦✉t♣✉t ❢♦r♠❛t✿ ❛♥ ❡①❡❝✉t❛❜❧❡✱ ❛ ❞❧❧ ♦r ❛ s❤❡❧❧❝♦❞❡ ❛❧❧♦✇s ❝♦❞❡ r❡✉s❛❜✐❧✐t② ❞❡✈❡❧♦♣♠❡♥t ✐♥ t❤❡ ✈❡r② ♣♦✇❡r❢✉❧ ■❉❊ ❱✐s✉❛❧ ❙t✉❞✐♦ ♣r♦❥❡❝ts ❝❛♥ ❜❡ ❞✐str✐❜✉t❡❞ ❡✐t❤❡r ✐♥ s♦✉r❝❡ ♦r ✐♥ ❜✐♥❛r② ❢♦r♠❛t ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✼ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r ❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✶ ❆ ❲✐❙❤▼❛st❡r ❛♣♣❧✐❝❛t✐♦♥ ✐s ❝♦♠♣♦✉♥❞❡❞ ♦❢ ♦♥❡ ♦r s❡✈❡r❛❧ ✏♠♦❞✉❧❡s✑ ❆ ♠♦❞✉❧❡ ❝❛♥ ❜❡ ✐♥ ♦♥❡ ♦❢ t❤❡ ❢♦❧❧♦✇✐♥❣ ✹ ❢♦r♠s✿ ❛♥ ❡①❡❝✉t❛❜❧❡ ❛ ❞❧❧ ❛ s❤❡❧❧❝♦❞❡ ✐♥❧✐♥❡❞ ✐♥t♦ ❛♥♦t❤❡r ♠♦❞✉❧❡ ❊❛❝❤ ♠♦❞✉❧❡ ❝❛♥ ❡①♣♦rt s♦♠❡ ♦❢ ✐ts ❢✉♥❝t✐♦♥s s♦ t❤❛t t❤❡② ❝❛♥ ❜❡ ❝❛❧❧❡❞ ❜② ♦t❤❡r ♠♦❞✉❧❡s ⇒ ❡❛❝❤ ♠♦❞✉❧❡ ❝♦♥t❛✐♥s ❛♥ ✏❡①♣♦rt✑ t❛❜❧❡ ❛♥❞ ❛♥ ✏✐♠♣♦rt✑ t❛❜❧❡ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✽ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r ❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✷ Module1.cpp Mod1_func1 Mod1_func2 Mod2_func1 Mod3_func2 Module2.cpp 1 Three modules importing Mod2_func1 and exporting some functions Mod3_func1 Mod3_func2 Module3.cpp Mod3_func1 Internal function exported Mod3_func2 Mod1_func1 Imported function Mod2_func1 ❋✐❣✉r❡✿ ❙tr✉❝t✉r❡ ♦❢ ❛♥ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✇✐t❤ ❲✐❙❤▼❛st❡r ✈✷ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✽✾ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r ❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✷ 2 Module 1 output = shellcode Module 2 output = inlined in module 1 Module1.cpp Module1.bin Mod1_func1 Mod1_func1 Mod1_func2 Mod1_func2 Mod2_func1 Mod2_func1 Mod3_func2 Mod3_func1 Mod3_func2 Module2.cpp Mod2_func1 Mod3_func1 Mod3_func2 Module3.cpp Mod3_func1 Internal function exported Mod3_func2 Mod1_func1 Imported function Mod2_func1 ❋✐❣✉r❡✿ ❙tr✉❝t✉r❡ ♦❢ ❛♥ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✇✐t❤ ❲✐❙❤▼❛st❡r ✈✷ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✾✵ ✴ ✶✼✷

❉❡✈❡❧♦♣✐♥❣ ❛♣♣❧✐❝❛t✐♦♥s ✇✐t❤ ❲✐❙❤▼❛st❡r ❖✈❡r✈✐❡✇ ♦❢ t❤❡ ❛♣♣❧✐❝❛t✐♦♥ str✉❝t✉r❡ ✲ ✷ 3 Import and export tables of both modules are merged Module1.cpp Module1.bin Mod1_func1 Mod1_func1 Mod1_func2 Mod1_func2 Mod2_func1 Mod2_func1 Mod3_func2 Mod3_func1 Mod3_func2 Module2.cpp Mod2_func1 Mod3_func1 Mod3_func2 Module3.cpp Mod3_func1 Internal function exported Mod3_func2 Mod1_func1 Imported function Mod2_func1 ❋✐❣✉r❡✿ ❙tr✉❝t✉r❡ ♦❢ ❛♥ ❛♣♣❧✐❝❛t✐♦♥ ❞❡✈❡❧♦♣❡❞ ✇✐t❤ ❲✐❙❤▼❛st❡r ✈✷ ❇❡♥❥❛♠✐♥ ❈❆■▲▲❆❚ ✭❊❙■❊❆ ✲ ❙■✫❙ ❧❛❜✮ ❲✐ ♥❞♦✇s ❙❤ ❡❧❧❝♦❞❡ ▼❛st❡r ② ✾✶ ✴ ✶✼✷

s str t - PowerPoint PPT Presentation

s str t r caillat[at]esiea[dot]fr

Relation Extraction II Luke Zettlemoyer CSE 517 Winter 2013 [with slides adapted from many

Eliciting Subjectivity and Polarity Judgements on Word Senses Fangzhong Su & Katja Markert

Complex Systems with Boundary and Non-Euclidean Geometry Lecture 2, CSSS10 Greg Leibon Memento,

When charge and density fluctuations critically couple Jean-Nol Aqua INSP, Univ Paris 6

Bottomonium first results from LHC experiments Nuno Leonardo (Purdue University) for the LHC

Analysis of Code Heterogeneity for High-precision Classification of Repackaged Malware Gang Tan

Mechanism Design with Unknown Correlated Distributions: Can We Learn Optimal Mechanisms? Michael

A Brief Introduction to Semantics CMSC 473/673 UMBC Outline Recap: dependency grammars and

detection analysis Bradley J. Kavanagh University of Nottingham arXiv:1207.2039 with Anne M.

Augmenting Stack Overflow with API Usage Patterns Mined from GitHub Anastasia Reinhart 1,2 *

CS415: Systems programming Abdullah Alfarrarjeh Most of the slides in this lecture are either

A Coinductive Monad for Prop -bounded Recursion Adam Megacz megacz@cs.berkeley.edu PLPV07

Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Eleonora

CS137: Today Electronic Design Automation Multilevel Synthesis/Optimization Why

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

An Analytical Framework for Particle and Volume Data of Large-Scale Combustion Simulations Franz

W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S

Goals for Today Learning Objective: Understand primitives for interpretation versus

Update on Proposed Privatization 27 October 2017 Overview of Proposed Privatization Proposed

Biophysical Chemistry: NMR Spectroscopy Relaxation & Multidimensional Spectrocopy Lieven Buts

4Q18 Earnings Call Presentation January 23, 2019 Sands Macao Sands Bethlehem Four Seasons Macao The

Forward-Looking Statements From time to time, the Bank makes written and oral forward-looking

Food waste prevention Westminster Forum, 29 June 2010 Professor David C Wilson Independent Waste

CIBC WORLD MARKETS Institutional Investor Conference BILL DOWNE Chief Operating Officer October

Sambuz

Useful Links

Newsletter

Mail Us

s str t - PowerPoint PPT Presentation

s str t r caillat[at]esiea[dot]fr

Relation Extraction II Luke Zettlemoyer CSE 517 Winter 2013 [with slides adapted from many

Eliciting Subjectivity and Polarity Judgements on Word Senses Fangzhong Su &amp; Katja Markert

Complex Systems with Boundary and Non-Euclidean Geometry Lecture 2, CSSS10 Greg Leibon Memento,

When charge and density fluctuations critically couple Jean-Nol Aqua INSP, Univ Paris 6

Bottomonium first results from LHC experiments Nuno Leonardo (Purdue University) for the LHC

Analysis of Code Heterogeneity for High-precision Classification of Repackaged Malware Gang Tan

Mechanism Design with Unknown Correlated Distributions: Can We Learn Optimal Mechanisms? Michael

A Brief Introduction to Semantics CMSC 473/673 UMBC Outline Recap: dependency grammars and

detection analysis Bradley J. Kavanagh University of Nottingham arXiv:1207.2039 with Anne M.

Augmenting Stack Overflow with API Usage Patterns Mined from GitHub Anastasia Reinhart 1,2 *

CS415: Systems programming Abdullah Alfarrarjeh Most of the slides in this lecture are either

A Coinductive Monad for Prop -bounded Recursion Adam Megacz megacz@cs.berkeley.edu PLPV07

Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Eleonora

CS137: Today Electronic Design Automation Multilevel Synthesis/Optimization Why

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

An Analytical Framework for Particle and Volume Data of Large-Scale Combustion Simulations Franz

W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S

Goals for Today Learning Objective: Understand primitives for interpretation versus

Update on Proposed Privatization 27 October 2017 Overview of Proposed Privatization Proposed

Biophysical Chemistry: NMR Spectroscopy Relaxation &amp; Multidimensional Spectrocopy Lieven Buts

4Q18 Earnings Call Presentation January 23, 2019 Sands Macao Sands Bethlehem Four Seasons Macao The

Forward-Looking Statements From time to time, the Bank makes written and oral forward-looking

Food waste prevention Westminster Forum, 29 June 2010 Professor David C Wilson Independent Waste

CIBC WORLD MARKETS Institutional Investor Conference BILL DOWNE Chief Operating Officer October

Sambuz

Useful Links

Newsletter

Mail Us

Eliciting Subjectivity and Polarity Judgements on Word Senses Fangzhong Su & Katja Markert

Biophysical Chemistry: NMR Spectroscopy Relaxation & Multidimensional Spectrocopy Lieven Buts