The use of shellcodes in virology: a few techniques used by malicious code

Context definition
- Generally, malicious codes try to do several things:
  - stay undetected by antiviruses
  - propagate to other hosts or executables
  - execute their malicious actions (e.g. capture some private user data, open a backdoor on the system . . . )
- They use special techniques, not always easy to implement
- Let us illustrate this with a few specific techniques

Benjamin CAILLAT (ESIEA - SI&S lab), Windows Shellcode Mastery, slide 8 / 172
Encryption of malicious code - Principle

Description
- Malicious code is made up of two parts:
  - the real malicious payload, which is encrypted
  - a decryption part
Objective
- Protect the malicious payload against analysis
- Could be an automatic analysis (antivirus) or a manual analysis (disassembling the code)
Encryption - protection against automatic analysis
- Malicious code is scanned by a tool that works with signature identification
- Each copy of the malicious code must be different:
  - the decryption part is transformed through metamorphism
  - the encryption key is changed in each copy (polymorphism)

Figure: Two copies of the same virus that implements polymorphism (each copy is a decryption part holding its own decryption key, key 1 and key 2, followed by the encrypted malicious payload)

Notes:
- The decryption key may be stored in the decryption part
- A simple encryption algorithm like a XOR with a 32-bit key may be used
Encryption - protection against manual analysis
- Aim: if the malicious payload is intercepted during its introduction on the targeted system, it cannot be disassembled and analysed manually
- Little differences with the previous encryption:
  - a strong encryption algorithm like AES must be used
  - the decryption key must not be stored in the encrypted malicious code
Principle of execution of encrypted malware

Figure: Principle of execution of an encrypted malware (memory vs. hard drive), in five steps:
1. "Decoder" is introduced on the targeted system (hard drive)
2. Encrypted malicious code is introduced on the targeted system (hard drive)
3. "Decoder" is executed (loaded in memory)
4. "Decoder" loads the encrypted malicious code in memory
5. "Decoder" decrypts the malicious code in memory and executes it
Encryption - protection against manual analysis (continued)
- Of course, there are several ways to get the malicious payload from an infected computer (dump the memory, extract the encryption key and decrypt the malicious payload)
- But the malicious payload is protected during its introduction onto the targeted computer:
  - the two parts are introduced in different ways at different times
  - if one introduction fails, what gets intercepted is either:
    - the decryption part: totally generic
    - the malicious payload: encrypted ⇒ no information on the attack can be obtained
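The note on the polymorphism slide (a XOR with a 32-bit key, the key stored in the decryption part) and the remark above that an analyst can dump memory, extract the key and decrypt are illustrated by the following added example, which is not part of the talk or of WiShMaster. It builds a constructed stand-in for an encrypted shellcode image (the bytes, strings and key are invented here) and recovers the key the two ways an analyst would, from four known plaintext bytes and, with no known plaintext, from the nul padding of the GLOBAL_DATA-style string fields; this is why the XOR scheme defeats signature scanning but not manual analysis, while the AES-with-external-key variant of the previous slides leaks nothing this way.

```python
"""Analyst-side key recovery for a payload XOR-encrypted with a 32-bit key.

Added example, not taken from the talk or from WiShMaster. The blob below is
a constructed stand-in for an encrypted shellcode image laid out as on the
slides: code first, then a GLOBAL_DATA block with nul-padded string fields.
"""
import struct
from collections import Counter
from typing import Optional, Tuple


def xor32(data: bytes, key: int) -> bytes:
    """The 'simple algorithm' of the polymorphism slide: XOR every byte with
    the matching byte of a little-endian 32-bit key, repeated every 4 bytes.
    The same loop encrypts and decrypts."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i & 3] for i, b in enumerate(data))


def recover_key_known_plaintext(blob: bytes, known: bytes, offset: int = 0) -> int:
    """Known-plaintext recovery: if the 4 plaintext bytes at a 4-aligned
    `offset` are known (a compiler prologue, an expected string), XORing
    them with the ciphertext at the same offset yields the key bytes."""
    if offset % 4 or len(known) < 4 or len(blob) < offset + 4:
        raise ValueError("need 4 known bytes at a 4-aligned offset")
    kb = bytes(c ^ p for c, p in zip(blob[offset:offset + 4], known[:4]))
    return struct.unpack("<I", kb)[0]


def recover_key_from_padding(blob: bytes) -> Tuple[int, int]:
    """Heuristic recovery with no known plaintext. Fixed-size string arrays
    and zeroed fields in GLOBAL_DATA are runs of 0x00, and 0x00 XOR key ==
    key, so the key shows up as the most frequent 4-aligned dword of the
    ciphertext. Returns (key, occurrences); one or two occurrences means
    the guess is weak and must be confirmed some other way."""
    dwords = [blob[i:i + 4] for i in range(0, len(blob) - 3, 4)]
    if not dwords:
        raise ValueError("blob shorter than 4 bytes")
    best, count = Counter(dwords).most_common(1)[0]
    return struct.unpack("<I", best)[0], count


def analyse(blob: bytes, known_prefix: Optional[bytes] = None) -> dict:
    """Recover the key from the padding, decode the blob with it and, when
    a known prefix is available, confirm the key independently."""
    key, count = recover_key_from_padding(blob)
    result = {"key": key, "zero_dwords": count, "plaintext": xor32(blob, key)}
    if known_prefix is not None:
        result["key_confirmed"] = recover_key_known_plaintext(blob, known_prefix) == key
    return result


# Constructed sample (not a real payload): 12 bytes standing in for code (a
# generic x86 function prologue plus NOP filler), then a GLOBAL_DATA-like
# block whose string fields are nul-padded to their declared size, exactly
# as szString_00000001[27] holds a 26-character string plus its terminator.
SAMPLE_PLAINTEXT = (
    b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 6
    + b"File successfully read: %s".ljust(27, b"\0")
    + b"test.txt".ljust(16, b"\0")
    + b"\0" * 24
)
SAMPLE_KEY = 0x5A3C9E71  # invented key, the one "stored in the decryption part"
SAMPLE_BLOB = xor32(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    r = analyse(SAMPLE_BLOB, known_prefix=b"\x55\x8b\xec\x83")
    print(f"key 0x{r['key']:08X} seen in {r['zero_dwords']} zero dwords,"
          f" confirmed by known plaintext: {r['key_confirmed']}")
    print(r["plaintext"][12:39].rstrip(b"\0"))
```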
Encryption of malicious code - Implementation
- Encrypting each part of the malicious payload inside the executable is not a good solution:
  - complicated: all binary data characteristic of the malicious payload must be encrypted (functions, initialised data and strings)
  - not efficient: PE metadata cannot be encrypted
- Better solution: encrypt the whole executable ~ a packer
- But developing such a tool requires some work
Execute only in memory - Principle

Description
- Malicious code is able to execute without being copied on the hard drive
Objective
- Cannot be detected by a local antivirus
- Leaves few traces on the targeted system ⇒ complicates an eventual forensic analysis
Principle of execution of malware only in memory

Figure: Principle of execution of malware only in memory (attacker, firewall, targeted server with its memory and hard drive), in three steps:
1. "Loader" is running on the targeted server (in memory only)
2. "Loader" gets the malicious payload from the server
3. "Loader" transfers execution to the malicious payload
Execute only in memory - Implementation
- Copying the executable in memory and jumping to the entry point does not work:
  - sections must be mapped at the right address
  - imported functions must be resolved
- A few tricks can be used:
  - use "pragma" directives to group all functions/data in one section
  - play with the "preferred load address" so that the section is mapped in a memory space "normally" free in the process
  - use dynamic address resolution
⇒ Possible . . . but rather tedious
Infect an executable - Principle

Description
- The malicious payload is added into another executable
- The execution flow of the infected executable is modified to execute the malicious payload
Objective
- Create a Trojan horse; the behaviour of the program must not be disrupted
Infect an executable - Implementation
- The malicious payload is added at the end of the executable, after the last section
- Several ways to redirect the execution flow:
  - patch the executable entry point
  - patch some instructions that will probably be executed. Example: the call to the function "save" in a text editor
- Each solution has pros and cons:
  - patching an instruction requires manual analysis to find a suitable instruction to patch
  - but execution of the malicious code then requires an action of the user ⇒ it is neither executed nor analysed by an antivirus, even with code emulation
Infect an executable - Implementation (figure)

Figure: Principle of infection of an executable. Three views of MyEditor.exe: the original executable (Header, Section 1, Section 2, ..., Section n); the infected executable with the entry point patched (same layout, Malicious code appended after Section n); and the infected executable with an instruction patched (same layout, Malicious code appended after Section n).
Infect an executable - Implementation (continued)
- Not so easy to implement:
  - several sections might have to be added at the end of the executable
  - sections must be mapped at the right address
  - code must use dynamic address resolution
Inject code into another process - Principle

Description
- Malicious code injects some code into another process
- Malicious code forces the execution of this injected code in the context of the other process
Objectives
- Survive the termination of the original process
- Intercept private data of the user of the infected computer: injection / API hooking / analysis of parameters
- Bypass badly implemented personal firewalls
Inject code into another process - Implementation
- Code injection may be done in several ways:
  - DLL injection
  - direct code injection
- Each technique has pros and cons; we choose to use the second
Inject code into another process - Implementation (figure)

Figure: Principle of direct code injection ("Injecter" process holding the injection code and the malicious code, "Target" process), in four steps:
1. "Injecter" gets a handle on the targeted process
2. "Injecter" allocates memory in the other process
3. "Injecter" copies the malicious code in the allocated memory
4. "Injecter" creates a new thread in the other process that executes the malicious code
Inject code into another process - Implementation (continued)
- Encounters the same problems as execution only in memory:
  - sections must be mapped at the right address
  - imported functions must be resolved
⇒ Can use the same tricks
- Note that if the memory where the code must be mapped is already allocated, the injection will fail!
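The four steps of the direct code injection figure above, seen from the detection side, as an added example that is not part of the talk: it scans an API-call trace for one process performing handle, allocate, write and thread creation against another process, in that order. The trace format, the process ids and the Win32 call assumed for each step are constructed here and are not stated on the slides.

```python
"""Detection of the four-step direct code injection sequence of the figure.

Added example, not part of the talk. The trace format and the process ids
are constructed; the mapping of each step to a Win32 call is an assumption
about the most common implementation, not something the slides state.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Assumed Win32 calls implementing each step; a set allows alternatives per step.
STEP_APIS = [
    {"OpenProcess"},                              # 1 get a handle on the target
    {"VirtualAllocEx"},                           # 2 allocate memory in the target
    {"WriteProcessMemory"},                       # 3 copy the code over
    {"CreateRemoteThread", "NtCreateThreadEx"},   # 4 start a thread on it
]

LINE_RE = re.compile(r"pid=(\d+)\s+api=(\w+)\s+target=(\d+|-)")


def parse_trace(text: str) -> Iterator[Tuple[int, int, str, Optional[int]]]:
    """Yield (line_no, caller_pid, api, target_pid) for well-formed lines;
    malformed lines are skipped rather than aborting the scan."""
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        target = None if m.group(3) == "-" else int(m.group(3))
        yield line_no, int(m.group(1)), m.group(2), target


def detect_direct_injection(text: str) -> Dict[str, list]:
    """Track, per (caller, target) pair, how far the sequence has progressed.
    Calls on the caller's own process are ignored: allocating and writing in
    your own address space is normal. A step already passed may repeat (e.g.
    several writes) without resetting progress. Returns completed sequences
    as alerts plus the pairs stuck at step 2 or 3, which deserve a look even
    without the thread creation."""
    progress: Dict[Tuple[int, int], int] = {}
    alerts: List[dict] = []
    for line_no, caller, api, target in parse_trace(text):
        if target is None or target == caller:
            continue
        pair = (caller, target)
        step = progress.get(pair, 0)
        if api in STEP_APIS[step]:
            step += 1
        if step == len(STEP_APIS):
            alerts.append({"injector": caller, "target": target, "line": line_no})
            step = 0
        progress[pair] = step
    pending = [{"caller": c, "target": t, "steps_seen": s}
               for (c, t), s in progress.items() if 2 <= s < len(STEP_APIS)]
    return {"alerts": alerts, "pending": pending}


# Constructed trace: pid 1204 performs the full sequence against 3320 (with a
# repeated write and an unrelated allocation in its own process), pid 2280
# only opens 3320 and reads it (a debugger or monitoring tool would), and
# pid 4410 writes into 3320 but never starts a thread (stays pending).
SAMPLE_TRACE = """\
pid=1204 api=OpenProcess target=3320
pid=1204 api=VirtualAllocEx target=3320
pid=1204 api=WriteProcessMemory target=3320
pid=1204 api=WriteProcessMemory target=3320
pid=2280 api=OpenProcess target=3320
pid=2280 api=ReadProcessMemory target=3320
pid=1204 api=VirtualAllocEx target=1204
pid=1204 api=CreateRemoteThread target=3320
pid=4410 api=OpenProcess target=3320
pid=4410 api=VirtualAllocEx target=3320
pid=4410 api=WriteProcessMemory target=3320
"""

if __name__ == "__main__":
    report = detect_direct_injection(SAMPLE_TRACE)
    for a in report["alerts"]:
        print(f"direct code injection: pid {a['injector']} -> pid {a['target']}"
              f" (sequence completed at line {a['line']})")
    for p in report["pending"]:
        print(f"partial sequence: pid {p['caller']} -> pid {p['target']},"
              f" {p['steps_seen']} of {len(STEP_APIS)} steps seen")
```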
Summary
- Implementation of those techniques in an executable is always possible, but requires lots of work
- The difficulties come from several properties of the executable:
  - code and data are spread across the executable
  - the process requires some initialisation normally done by the Windows loader
  - the code contains hardcoded addresses ⇒ sections must be mapped at the right addresses
- Those techniques could be implemented more easily if the code:
  - was constituted of only one block
  - was able to initialise its address space
  - contained no hardcoded address
⇒ in other words, if the malicious code was a shellcode
The use of shellcodes in virology — Implementation of the techniques from a shellcode
Principle
- Consider now that our malicious code is a shellcode:
  - constituted of only one block
  - can run at any address in any process
  - executes exactly the same operations as the normal executable if execution is transferred to its first byte
Implementation of the techniques

Encryption of malicious code
- The decryption part becomes a simple loop that executes the decryption on the shellcode ~ an array of bytes
Execution only in memory and code injection
- Easy to implement since, by definition, a shellcode is able to execute in any process at any address
Executable infection
- Shellcode added in the last section
- Few modifications done on the PE header
- Entry point or instruction patched to jump to the shellcode
- Jump to the original instruction added at the end of the shellcode
Summary
- Implementation of the presented techniques is greatly simplified if the malicious code is a shellcode rather than an executable
- Next problem: how to get a shellcode?
Writing the shellcode

Plan
1. The use of shellcodes in virology
2. Writing the shellcode
3. WiShMaster in a nutshell
4. Demonstration: simpletest
5. Developing applications with WiShMaster
6. Demonstration: RvShell
7. Demonstration: WebDoor
8. Conclusion
Objective of this part - 1
- Present an easy way to write the malicious code as a shellcode
- Writing shellcode directly in assembly quickly becomes tedious ⇒ solution dismissed
- A better solution would be:
  - write the code in C language
  - use the compiler to generate an executable
  - extract some parts from this executable
  - form the shellcode by assembling them
Objective of this part - 2
- Binary code produced by normal compilation cannot be directly used to create a shellcode:
  - it contains lots of hardcoded addresses (references to a string or a global variable)
  - internal function calls are relative, but the distances are hardcoded
  - imported function calls rely on the IAT
- Many ways to solve those problems (patch the assembly, work in the stack . . . )
- Chosen technique: use a global data
Using a global data - 1
- Use one structure that stores all global data and that is passed in every internal function call
- This structure, called later "GLOBAL_DATA", will contain:
  - pointers to internal functions
  - pointers to imported functions
  - global variables
  - strings
- The C code is modified so that every reference to one of the elements listed above is done through GLOBAL_DATA
Using a global data - 2

Original function DisplayFile:

    BOOL DisplayFile(IN CHAR * szFilePath)
    {
        ...
        CreateFile(szFilePath, ...)
        pData = (UCHAR *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize+1)
        ReadFile(hFile, pData, ...)
        PrintMsg(LOG_LEVEL_TRACE, "File successfully read: %s", pData);
        ...
    }

Patched function DisplayFile (on the slide the modifications are colourised in red; every reference now goes through pGlobalData):

    BOOL DisplayFile(IN PGLOBAL_DATA pGlobalData, IN CHAR * szFilePath)
    {
        ...
        pGlobalData->CreateFile(szFilePath, ...)
        pData = (UCHAR *) pGlobalData->HeapAlloc(pGlobalData->GetProcessHeap(), \
                                                 HEAP_ZERO_MEMORY, dwFileSize+1)
        pGlobalData->ReadFile(hFile, pData, ...)
        pGlobalData->PrintMsg(pGlobalData, LOG_LEVEL_TRACE, pGlobalData->szString_00000001, \
                              pData);
        ...
    }
Using a global data - 3
- The GLOBAL_DATA definition looks like the following:

Overview of structure GLOBAL_DATA:

    typedef struct _GLOBAL_DATA
    {
        /* Internal functions */
        PrintMsgTypeDef        fp_PrintMsg;

        /* Imported functions */
        CreateFileTypeDef      fp_CreateFile;
        HeapAllocTypeDef       fp_HeapAlloc;
        GetProcessHeapTypeDef  fp_GetProcessHeap;
        ReadFileTypeDef        fp_ReadFile;

        /* Data strings */
        CHAR szString_00000001[27];
    } GLOBAL_DATA, * PGLOBAL_DATA;
Using a global data - 4
- The number of modifications can be considerably reduced by using C macros:

Definitions of macros:

    /* Add GLOBAL_DATA parameter in definitions of internal functions */
    #define DisplayFileTempDefinition(...) \
        DisplayFileDefinition(PGLOBAL_DATA pGlobalData, __VA_ARGS__)

    /* Add redirection and GLOBAL_DATA parameter in calls of internal functions */
    #define PrintMsg(...)     pGlobalData->fp_PrintMsg(pGlobalData, __VA_ARGS__)
    #define DisplayFile(...)  pGlobalData->fp_DisplayFile(pGlobalData, __VA_ARGS__)

    /* Add redirection for imported functions */
    #define CreateFile        pGlobalData->fp_CreateFile
    #define HeapAlloc         pGlobalData->fp_HeapAlloc
    #define GetProcessHeap    pGlobalData->fp_GetProcessHeap
    #define ReadFile          pGlobalData->fp_ReadFile

    /* Add redirection for strings */
    #define STR_00000001(x)   pGlobalData->szString_00000001
Using a global data - 5
- The patched function "DisplayFile" becomes:

Patched function DisplayFile with the macros:

    BOOL DisplayFileTempDefinition(IN CHAR * szFilePath)
    {
        ...
        CreateFile(szFilePath, ...)
        pData = (UCHAR *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize+1)
        ReadFile(hFile, pData, ...)
        PrintMsg(LOG_LEVEL_TRACE, STR_00000001("File successfully read: %s"), pData);
        ...
    }

⇒ there are now very few modifications
Using a global data - 6

Call of the internal function "DisplayMessage": DisplayMessage(g_szMessage);

    00412F99  8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]    ; get address of g_szMessage in
    00412F9C  05 58010000    ADD EAX,158                     ; GLOBAL_DATA
    00412FA1  50             PUSH EAX                        ; push address of g_szMessage
    00412FA2  8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]    ; get address of pGlobalData
    00412FA5  51             PUSH ECX                        ; push address of pGlobalData
    00412FA6  8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]    ; get address of DisplayMessage
    00412FA9  8B82 88000000  MOV EAX,DWORD PTR DS:[EDX+88]
    00412FAF  FFD0           CALL EAX                        ; call DisplayMessage

Call of the internal function "DisplayFile": if(DisplayFile("test.txt") == FALSE)

    00412FFC  8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]    ; get address of pGlobalData
    00412FFF  05 A1040000    ADD EAX,4A1                     ; get address of string
    00413004  50             PUSH EAX                        ; push address of string
    00413005  8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]    ; get address of pGlobalData
    00413008  51             PUSH ECX                        ; push address of pGlobalData
    00413009  8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
    0041300C  8B42 78        MOV EAX,DWORD PTR DS:[EDX+78]   ; get address of DisplayFile
    0041300F  FFD0           CALL EAX                        ; call DisplayFile
Using a global data - 7

Call of the imported function "CreateFile": CreateFile(szFilePath, ...)

    ...
    00412DE2  8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]    ; get address of pGlobalData
    00412DE5  8B91 D8000000  MOV EDX,DWORD PTR DS:[ECX+D8]   ; get address of CreateFile
    00412DEB  FFD2           CALL EDX
Using a global data - 8
- The generated binary does not contain any hardcoded address ⇒ the binary code can be directly extracted and used to form the shellcode
- The shellcode may be created simply by concatenating the extracted functions and adding the GLOBAL_DATA structure at the end

Figure: Overview of the structure of the shellcode. From the shellcode entry point: internal function, internal function, ..., internal function, then the GLOBAL_DATA block (internal function pointers, imported function pointers, global variables, strings).
Summary
- This solution allows a shellcode to be created with little modification of the source code
- However, there are still a few problems to solve:
  - writing the definition of the GLOBAL_DATA structure and the definitions of the macros is long
  - the GLOBAL_DATA structure must be initialised
  - binary data must be extracted from the generated executable and assembled to create the final shellcode
⇒ A tool that executes all those operations automatically has been developed: WiShMaster
WiShMaster in a nutshell
WiShMaster in a nutshell — Presentation
Presentation
- WiShMaster is a tool that automatically generates shellcodes, using the previously described principle
- It takes as input a set of C source files written "normally" and generates a shellcode as output
- The shellcode accomplishes the same operations as the executable produced by compilation of the original source
- The transformation into a shellcode is called later "shellcodisation"
Development progress - WiShMaster version 1
- WiShMaster v1 has been available on my web site for one year
- Graphical application developed in C#
- Works, but has several limitations
- Most important: the C code is parsed with regular expressions ⇒ it must conform to a few syntax rules to be successfully analysed
Development progress - WiShMaster version 2
- WiShMaster v2 is under active development
- Corrects many problems of the v1:
  - WiShMaster is now a console application written in Python: the shellcodisation process can be scripted
  - the user can intercede at any step of the shellcodisation process, view the results and correct eventual mistakes
  - parsing of the source code with regular expressions has been considerably reduced ⇒ most of the constraints on C syntax have been removed
WiShMaster in a nutshell — The shellcodisation process
The shellcodisation process in WiShMaster
- The shellcodisation accomplished by WiShMaster is divided into 6 steps:
  1. Analysis: identifies the code elements
  2. Obtain the size of global variables
  3. Create environment: creates the file global_data.h (GLOBAL_DATA structure and macros) and creates a patched copy of the source files in a temporary directory
  4. Generation: builds the patched sources, extracts the binary data and generates the shellcode
  5. Customization
  6. Integration: copy the shellcode in a specific directory, or transform it into a C array and dump it in a C header file
The customization step - 1

Principle
- The step is composed of a chain of functions that each execute some modifications on the shellcode and pass the modified shellcode to the next function
- The content of the chain is defined by the user
- Customization functions are implemented in Python modules ⇒ users can easily write their own customization module
The customization step - 2

Example 1: encryption
- The customization step may be used to encrypt the shellcode
- WiShMaster comes with two "customization" modules that can encrypt a shellcode:
  - XOR encryption with a 32-bit key (polymorphism)
  - AES-CBC encryption with a 256-bit key
Example 2: setting specific values
- Example: a shellcode that connects to a server
- The source code contains two variables: the IP address and the port of the server
- If we put real values directly in those variables:
  - the shellcode must be regenerated to connect to another server
  - the shellcode cannot be distributed in its binary form
The customization step - 3

Figure: Principle of the separation between developer / user of a shellcode
(the figure builds up in seven steps; it shows MyProject.cpp turned into a shellcode made of the internal functions plus the GLOBAL_DATA block, and the customization modules acting on that shellcode)

Developer of the shellcode:
1. The developer writes the source code; IP and port are set to special values
2. The developer uses WiShMaster to generate the shellcode (internal functions + GLOBAL_DATA)
3. The developer writes a customization module in Python that patches those values
4. The developer puts the shellcode and the customization module on the Internet

User of the shellcode:
5. A user gets the shellcode and the customization module
6. The user uses the customization module to patch the special values (the figure now shows the real values inside GLOBAL_DATA)
7. The user uses another customization module to encrypt the shellcode (the figure shows the encrypted shellcode together with its encryption key)
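The two customization modules described above (patching the developer's special values, then XOR-encrypting with a 32-bit key), as an added Python example that is not WiShMaster's code: the payload image, the placeholder constants and the keys are constructed here, and the marker values are my assumption, not the markers WiShMaster uses. The second half shows the analyst's side of the 32-bit XOR "polymorphism": two copies of the same payload under different keys XOR to a constant 4-byte pattern, and four known plaintext bytes (here the zero padding) give back the whole key, which is why this layer defeats byte signatures but not analysis.

```python
from __future__ import annotations
import struct

# Constructed sample, not real machine code: a payload image whose connect-back
# parameters were compiled in as recognisable placeholder values (step 1 of the figure).
# The placeholder constants are an assumption for this example.
PLACEHOLDER_IP = bytes.fromhex("deadbeef")
PLACEHOLDER_PORT = bytes.fromhex("cafe")
SAMPLE_SHELLCODE = (
    b"\x90" * 8                     # stand-in for code bytes (constructed)
    + b"GLOBAL_DATA:"               # stand-in for the data block (constructed)
    + PLACEHOLDER_IP + PLACEHOLDER_PORT
    + b"\x00" * 4                   # zero padding (constructed)
)


def patch_values(blob: bytes, ip: str, port: int) -> bytes:
    """Step 6 of the figure: replace the special values with the ones chosen by the user.
    Refuses to patch when a placeholder is missing or appears more than once, so a
    customization module cannot silently corrupt a byte sequence that merely looks alike."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    port_bytes = struct.pack(">H", port)          # network byte order, as a socket call expects
    if blob.count(PLACEHOLDER_IP) != 1 or blob.count(PLACEHOLDER_PORT) != 1:
        raise ValueError("placeholder missing or ambiguous: refusing to patch")
    return blob.replace(PLACEHOLDER_IP, ip_bytes).replace(PLACEHOLDER_PORT, port_bytes)


def xor32(blob: bytes, key: int) -> bytes:
    """Step 7 of the figure: XOR with a repeating 32-bit key. Applying it twice decrypts,
    which is exactly what the decryption stub at the start of the shellcode does."""
    k = struct.pack("<I", key)
    return bytes(b ^ k[i % 4] for i, b in enumerate(blob))


def xor_period_pattern(copy_a: bytes, copy_b: bytes) -> bytes | None:
    """Analyst view: two copies of one payload under keys k1 and k2 differ by k1 ^ k2
    repeated every 4 bytes. Returns that 4-byte pattern if the whole diff is periodic,
    None otherwise (different payloads, or not a 32-bit XOR layer)."""
    if len(copy_a) != len(copy_b) or len(copy_a) < 8:
        return None
    diff = bytes(a ^ b for a, b in zip(copy_a, copy_b))
    pattern = diff[:4]
    if all(diff[i] == pattern[i % 4] for i in range(len(diff))):
        return pattern
    return None


def recover_xor32_key(ciphertext: bytes, known_plain: bytes, offset: int) -> int:
    """Known-plaintext recovery: four consecutive plaintext bytes at `offset` reveal the
    whole 32-bit key, taking the key rotation (offset mod 4) into account."""
    if len(known_plain) < 4:
        raise ValueError("need at least 4 known plaintext bytes")
    k = bytearray(4)
    for j in range(4):
        k[(offset + j) % 4] = ciphertext[offset + j] ^ known_plain[j]
    return struct.unpack("<I", bytes(k))[0]


if __name__ == "__main__":
    patched = patch_values(SAMPLE_SHELLCODE, "10.0.0.5", 4444)
    copy1 = xor32(patched, 0x11223344)
    copy2 = xor32(patched, 0x55667788)
    print("periodic diff:", xor_period_pattern(copy1, copy2).hex())
    print("recovered key: 0x%08x" % recover_xor32_key(copy1, b"\x00" * 4, len(patched) - 4))
```

The key-recovery function relies only on the position of a few predictable plaintext bytes; zero padding, string terminators and the fixed structure of GLOBAL_DATA all qualify, so a 32-bit XOR layer should be treated as a signature-evasion device rather than as protection of the payload.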
Implementation of the shellcodisation in WiShMaster v2 - 1

Internally:
- Every element discovered in the source code ~ an object (internal/imported functions, strings...)
- Every step of the shellcodisation is divided into several small sub-steps
- Every sub-step is implemented by one function
Implementation of the shellcodisation in WiShMaster v2 - 2

WiShMaster can be launched in three modes:
- automatic: executes the shellcodisation process automatically
- script: executes an external script that can call the step/sub-step functions exported by WiShMaster and manipulate the objects
- interactive: starts a Python shell (same principle as in Scapy). The user can then:
  - call step/sub-step functions
  - execute a shellcodisation step by step by calling functions such as step(), stepi(), run()... (like in a debugger)
  - display objects and change their properties to correct possible mistakes
WiShMaster in a nutshell - Initialising the shellcode
Initialising the shellcode: objective
- The shellcodisation process described previously creates a binary code that may run at any address
- However, the shellcode must initialise the GLOBAL_DATA structure
- This operation is executed by a function added by WiShMaster and placed at the beginning of the shellcode:
  - find the address of the GLOBAL_DATA structure
  - find the addresses of the internal functions and fill the pointers in GLOBAL_DATA
  - resolve the imported functions and fill the pointers in GLOBAL_DATA
Initialising the shellcode: principle
WiShMaster uses tricks well known to Windows shellcode writers:
- finds the load address with call/pop instructions
- gets the address of kernel32.dll through the PEB (Process Environment Block)
- resolves the imported functions with LoadLibrary and an internal function that finds the address of an exported function from a 32-bit checksum computed from its name
Initialising the shellcode: summary
The shellcode initialisation relies on three functions:
- "InitialiseShellcode": entry point of the shellcode, which initialises the GLOBAL_DATA structure
- "GetKernel32Address": returns the load address of "kernel32.dll"
- "GetProcAddressByCksumInDll": finds an exported function from the checksum of its name (supports dll forwarding)
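A model of the checksum-based lookup that "GetProcAddressByCksumInDll" performs, written as an added Python example (not WiShMaster's code) from the analyst's side: the export table below is hand-written, not read from a PE file, and the ROR13 checksum is a widely documented stand-in because the slides do not say which checksum WiShMaster computes. The forwarder entry mirrors the real mechanism (kernel32 forwards HeapAlloc to ntdll's RtlAllocateHeap), which is the "dll forwarding" the summary mentions. The same table, inverted, is what an analyst precomputes to label the 32-bit constants found in a sample, and the collision check is the caveat that comes with a 32-bit hash.

```python
from __future__ import annotations

# Constructed export tables. RVAs are made up; the forwarder string has the real
# "DLL.Function" shape used by PE export forwarding.
EXPORTS = {
    "kernel32.dll": {
        "LoadLibraryA": 0x1000,
        "GetProcAddress": 0x1100,
        "CreateFileA": 0x1200,
        "ReadFile": 0x1300,
        "HeapAlloc": "NTDLL.RtlAllocateHeap",   # forwarder instead of an address
    },
    "ntdll.dll": {
        "RtlAllocateHeap": 0x2000,
    },
}


def ror13_checksum(name: str) -> int:
    """32-bit rotate-right-13 additive hash over the ASCII name.
    Assumption: stands in for WiShMaster's unspecified checksum."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


def resolve_by_checksum(dll: str, h: int, exports=EXPORTS, checksum=ror13_checksum, depth: int = 0):
    """Walk the export names of `dll`, match on the checksum and follow a forwarder
    ("OTHERDLL.Name") into the other module. Returns (dll, name, rva) or None.
    The depth limit keeps a malformed forwarder loop from hanging the resolver."""
    if depth > 8:
        raise RuntimeError("forwarder chain too deep")
    names = exports.get(dll.lower())
    if names is None:
        return None
    for name, target in names.items():
        if checksum(name) != h:
            continue
        if isinstance(target, str):                    # forwarded export
            fwd_dll, fwd_name = target.split(".", 1)
            return resolve_by_checksum(fwd_dll.lower() + ".dll", checksum(fwd_name),
                                       exports, checksum, depth + 1)
        return (dll.lower(), name, target)
    return None


def build_checksum_table(exports=EXPORTS, checksum=ror13_checksum):
    """Analyst side: precompute checksum -> (dll, name) for every known export so that
    hash constants pulled out of a sample can be labelled. Collisions are reported
    rather than silently overwritten; with a 32-bit hash they are rare but possible."""
    table, collisions = {}, []
    for dll, names in exports.items():
        for name in names:
            h = checksum(name)
            if h in table and table[h] != (dll, name):
                collisions.append((h, table[h], (dll, name)))
            table.setdefault(h, (dll, name))
    return table, collisions


if __name__ == "__main__":
    table, collisions = build_checksum_table()
    for h, (dll, name) in sorted(table.items()):
        print("0x%08x  %s!%s" % (h, dll, name))
    print("collisions:", collisions)
    print(resolve_by_checksum("kernel32.dll", ror13_checksum("HeapAlloc")))
```

Because the shellcode never carries the API names, a signature on strings such as "CreateFileA" will not fire; the hash constants themselves, and the export-table walk that consumes them, are what remains visible to an analyst or a behavioural detector.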
Demonstration: simpletest

Plan
1. The use of shellcodes in virology
2. Writing the shellcode
3. WiShMaster in a nutshell
4. Demonstration: simpletest
5. Developing applications with WiShMaster
6. Demonstration: RvShell
7. Demonstration: WebDoor
8. Conclusion
Presentation of simpletest
Very simple program:
- prints messages
- displays the content of a file "test.txt"
A few extracts of simpletest - 1

File user.h.txt

    #define SIZE_USERNAME 32
    #define SIZE_PASSWORD 32

    typedef struct _USER {
        CHAR szUsername[SIZE_USERNAME];
        CHAR szPassword[SIZE_PASSWORD];
    } USER, *PUSER;
A few extracts of simpletest - 2

File display.cpp

    CHAR g_szMessage[] = "This is a message stored as a global variable";
    extern USER g_User;     // defined in main.cpp

    VOID DisplayMessage(IN CHAR * szMessage)
    {
        PrintMsg(LOG_LEVEL_TRACE, ">>> %s <<<", szMessage);
    }

    // Reads the whole file into a zeroed heap buffer (one extra byte keeps the
    // NUL terminator that the "%s" below relies on), using imported kernel32 functions.
    BOOL DisplayFile(IN CHAR * szFilePath)
    {
        ...
        CreateFile(szFilePath, ...)
        pData = (UCHAR *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize+1)
        ReadFile(hFile, pData, ...)
        PrintMsg(LOG_LEVEL_TRACE, "File successfully read: %s", pData);
        ...
    }

    // The function that really does the work: global string, global struct, then the file.
    BOOL DisplayData(VOID)
    {
        DisplayMessage(g_szMessage);
        PrintMsg(LOG_LEVEL_TRACE, "Username: %s", g_User.szUsername);
        PrintMsg(LOG_LEVEL_TRACE, "Password: %s", g_User.szPassword);
        if(DisplayFile("test.txt") == FALSE)
            return FALSE;
        return TRUE;
    }
A few extracts of simpletest - 3

File main.cpp

    USER g_User = {"jmerchat", "password"};

    BOOL DisplayData(VOID);     // implemented in display.cpp

    int main(int argc, char * argv[])
    {
        DisplayData();          // the entry point only calls DisplayData
        return 0;
    }
A few extracts of simpletest - 4

File print_msg.cpp

    VOID PrintMsg(IN UINT uiMessageLevel, IN const CHAR * fmt, ...)
    {
        CHAR szBuffer[SIZE_OF_LOCAL_LOG_BUFFER+1];
        UINT i = 0;

        // Prefix according to the log level.
        // Note: the MSVC _snprintf/_vsnprintf family returns -1 and does not NUL-terminate
        // when the output is truncated, so "i += ..." and the "%s" below assume the buffer
        // is large enough for every message.
        if(uiMessageLevel == LOG_LEVEL_ERROR)
            i += _snprintf(&szBuffer[i], SIZE_OF_LOCAL_LOG_BUFFER-i, "[ERROR] : ");
        else if(uiMessageLevel == LOG_LEVEL_WARNG)
            ...

        // Then the message itself, formatted after the prefix.
        va_list ap;
        va_start(ap, fmt);
        i += _vsnprintf(&szBuffer[i], SIZE_OF_LOCAL_LOG_BUFFER-i, fmt, ap);
        va_end(ap);

        printf("[%.4d] %s\n", GetCurrentThreadId(), szBuffer);
        fflush(stdout);
    }
A few extracts of simpletest - 5

To sum up, "simpletest" contains:
- A new type "USER"
- Two global variables:
  - "g_User": of type "USER"
  - "g_szMessage": a string
- Five internal functions:
  - "DisplayMessage": displays "g_szMessage"
  - "DisplayFile": opens a file "test.txt" and displays its content
  - "DisplayData": the function that really executes all the operations
  - "main": program entry point that only calls "DisplayData"
  - "PrintMsg": displays log messages
- Several strings
- Several calls to imported functions: CreateFile, HeapAlloc...

=> not really useful, but it contains most elements of a C program
Demonstrations
- Video "simpletest_exe.avi": generation of "simpletest" as an executable
- Video "simpletest_shellcode.avi": generation of "simpletest" as a shellcode
Developing applications with WiShMaster
Objectives of WiShMaster
- Version 1 of WiShMaster: creation of monolithic shellcodes
- With version 2, the objectives have been considerably extended:
  - development of modular applications
  - the user chooses the output format: an executable, a dll or a shellcode
  - allows code reusability
  - development in the very powerful IDE Visual Studio
  - projects can be distributed either in source or in binary format
Overview of the application structure - 1
- A WiShMaster application is composed of one or several "modules"
- A module can be in one of the following 4 forms:
  - an executable
  - a dll
  - a shellcode
  - inlined into another module
- Each module can export some of its functions so that they can be called by other modules
  => each module contains an "export" table and an "import" table
Overview of the application structure - 2

Figure: Structure of an application developed with WiShMaster v2
(legend: internal function exported / imported function; the figure builds up in three steps)

1. Three modules exporting some functions and importing others:
   - Module1.cpp: Mod1_func1, Mod1_func2 (exported); Mod2_func1, Mod3_func2 (imported)
   - Module2.cpp: Mod2_func1 (exported); Mod3_func1, Mod3_func2 (imported)
   - Module3.cpp: Mod3_func1, Mod3_func2 (exported); Mod1_func1, Mod2_func1 (imported)
2. Module 1 output = shellcode; Module 2 output = inlined in module 1
3. The import and export tables of both modules are merged: Module1.bin contains Mod1_func1, Mod1_func2, Mod2_func1 (exported) and Mod3_func1, Mod3_func2 (imported)
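The merge of import and export tables shown in the figure, as an added Python example (not WiShMaster's code). The three module descriptions are my reading of the figure: the prefix of each function name tells which module owns it. The merge itself is set arithmetic, but the example also adds the check a build tool should run on the result: every remaining import must be provided by exactly one other module, and no two modules may export the same name.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Module:
    name: str
    exports: set          # internal functions exported to other modules
    imports: set          # functions expected from other modules


# The three modules of the figure (constructed from the figure's labels).
MODULE1 = Module("Module1", {"Mod1_func1", "Mod1_func2"}, {"Mod2_func1", "Mod3_func2"})
MODULE2 = Module("Module2", {"Mod2_func1"}, {"Mod3_func1", "Mod3_func2"})
MODULE3 = Module("Module3", {"Mod3_func1", "Mod3_func2"}, {"Mod1_func1", "Mod2_func1"})


def inline(host: Module, inlined: Module) -> Module:
    """Step 3 of the figure: `inlined` is built into `host`. The export tables are
    unioned; an import that the other module exports becomes an internal call and
    leaves the import table. Two modules exporting the same name is a link error."""
    clash = host.exports & inlined.exports
    if clash:
        raise ValueError("duplicate exports: %s" % sorted(clash))
    exports = host.exports | inlined.exports
    imports = (host.imports | inlined.imports) - exports
    return Module(host.name + ".bin", exports, imports)


def link_check(modules: list[Module]) -> dict:
    """Verify that every import is exported by exactly one module of the application.
    Returns the symbols nobody provides and the symbols several modules provide."""
    providers: dict[str, list[str]] = {}
    for m in modules:
        for f in m.exports:
            providers.setdefault(f, []).append(m.name)
    unresolved = sorted({f for m in modules for f in m.imports if f not in providers})
    ambiguous = sorted(f for f, ps in providers.items() if len(ps) > 1)
    return {"unresolved": unresolved, "ambiguous": ambiguous}


if __name__ == "__main__":
    merged = inline(MODULE1, MODULE2)
    print(merged)
    print(link_check([merged, MODULE3]))     # complete application: nothing missing
    print(link_check([merged]))              # Module3 absent: its two exports are unresolved
```

Running the check on the merged module alone reports Mod3_func1 and Mod3_func2 as unresolved, which is exactly the situation a shellcode would be in if it were deployed without the module that provides them.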