unpacking tips and tricks
play

Unpacking tips and tricks Protector Techniques Conclusion Samuel - PowerPoint PPT Presentation

Dec 01, 2022 •170 likes •439 views

Unpacking tips and tricks Samuel Chevet Presentation Process Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr http://www.lse.epita.fr 12 February 2013 Why this talk ? Unpacking tips and tricks

  1. Unpacking tips and tricks Samuel Chevet Presentation Process Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr http://www.lse.epita.fr 12 February 2013

  2. Why this talk ? Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Previously in w4kfu’s talk : Anti-Debug Detection Basics knowledges Import Table Malicious software Import Address Table Video Games Process Protector Share Reverse Engineering stu ff Techniques Conclusion Fun

  3. Packer Unpacking tips and tricks Samuel Chevet Presentation Compress executable Why this talk ? Packer Prepend decompression stub Protector Detection Decompression stub is standalone Basics knowledges Import Table Import Address Table Indistinguishable to the casual user Process Single executable Protector Techniques Unpack and transfer control to it Conclusion Original entry point Exist for DOS, Microsoft Windows and others OS Command line as GUI based

  4. Packer Benefit Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Less storage space Detection Basics knowledges Marketing a product via internet Import Table Import Address Table Less time for data transfer Process Protector Resistant to casual reverser Techniques Target must be unpacked or rebuilt Conclusion

  5. Packer Disavantages Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Everything come at a price Detection Basics knowledges Antivirus problem Import Table Import Address Table More time to decompress Process Protector Unpacked at some stage Techniques Dumped to disk ? Conclusion

  6. Protector Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Derive of the simple packer Detection Basics knowledges Import Table Packer aim to reduce size Import Address Table Add code to protect against reverse engineering Process Protector Size will considerably increase Techniques Conclusion Malicious software

  7. Detection Unpacking tips and tricks Samuel Chevet Signature based Presentation Why this talk ? Opcode-sequence-based Packer Protector Tag Detection Basics knowledges Additional heuristics Import Table Import Address Table OEP outside first section Process More than one executable section Protector ImportTable position uncommon Techniques LoadLibrary and GetProcAddress in ImportTable Conclusion TLS Unknow instruction Anti Re-Protect Compiler startup code

  8. Detection Unpacking tips and tricks Samuel Chevet Anti Presentation Why this talk ? Replace instruction Packer Protector Detection Polymorphism Basics knowledges Import Table Metamorphism Import Address Table Process Protector Toolz Techniques PEiD Conclusion Protection ID RDG packer Detector . . .

  9. Import Table Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector List of functions not part of the application Detection Basics knowledges Called imports Import Table Import Address Table Operating systems DLL’s, or homemade Process Protector Di ff erent OS Version Techniques Application don’t know where Conclusion

  10. Import Table Unpacking tips and tricks Samuel Chevet Presentation OptionalHeader- > DataDirectory[] Why this talk ? Packer IMAGE_DIRECTORY_ENTRY_IMPORT Protector Detection Basics knowledges Import Table IMAGE_IMPORT_DESCRIPTOR Import Address Table Process OriginalFirstThunk Protector TimeDateStamp Techniques Conclusion ForwarderChain Name FirstThunk

  11. Import Address Table Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Detection Loader loads DLL Basics knowledges Import Table Construct IAT Import Address Table Process All ptr in FirstThunk contain API’s address Protector Techniques call [addr], jmp [addr] Conclusion

  12. Peering inside the PE Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Detection Basics knowledges Import Table Import Address Table Process Protector Techniques Conclusion

  13. Original OEP Unpacking tips and tricks Samuel Chevet Presentation Process Original OEP Fix PE Trace the code Import rebuilding Protector ESP trick Techniques Conclusion VirtualProtect() Use Exceptions

  14. Fix PE Unpacking tips and tricks Samuel Chevet Presentation Process Original OEP Fix PE O ff set OEP Import rebuilding Protector O ff set IAT Techniques Conclusion Sections characteristics And more when there is some protection

  15. Import rebuilding Unpacking tips and tricks Samuel Chevet Presentation Process Original OEP Fix PE Packers / Protector destroy Import Table Import rebuilding Protector Correct RVA and Size of Import Table Techniques IMAGE_IMPORT_DESCRIPTOR nulled one Conclusion OriginalFirstThunk, FirstThunk and Name must be well informed

  16. Anti-Dumping Unpacking tips and tricks Samuel Chevet Presentation Process Protector Mutex Techniques Anti-Dumping CPUID TLS Callbacks Stolen Bytes Delete loader API Redirection Nanomites Triggers Header modification Conclusion Page level protection

  17. TLS Callbacks Unpacking tips and tricks Samuel Chevet Presentation Process Protector Thread Local Storage Techniques Anti-Dumping Execute code before EP TLS Callbacks Stolen Bytes Debugger detection API Redirection Nanomites Triggers Decryption routines Conclusion Hook

  18. Stolen Bytes Unpacking tips and tricks Samuel Chevet Presentation Process Protector Portions of code Techniques Anti-Dumping Removed from original TLS Callbacks Stolen Bytes Usually near entry point API Redirection Nanomites Triggers Executed from allocated memory Conclusion Restore them before dump

  19. API Redirection Unpacking tips IAT partially or completely destroyed and tricks Call to APIs are redirected Samuel Chevet Routines located into allocated memory or in Presentation protector stub Process Protector Techniques Anti-Dumping TLS Callbacks Stolen Bytes API Redirection Nanomites Triggers Conclusion

  20. API Redirection Unpacking tips and tricks Samuel Chevet Presentation Process Stolen instructions Protector Techniques Control transfered back in the middle Anti-Dumping TLS Callbacks Routines located into allocated memory or in Stolen Bytes protector stub API Redirection Nanomites Triggers Load whole DLL image Conclusion Redirect API Di ffi cult to set breakpoints

  21. API Redirection Unpacking tips and tricks Samuel Chevet Presentation Process Inject !!! Protector Scan for call dword ptr / jmp dword ptr Techniques Anti-Dumping Is outside PE ? TLS Callbacks Stolen Bytes API Redirection Is not an API ? Nanomites Triggers Hook routine Conclusion Call it Use against himself !

  22. Nanomites Unpacking tips and tricks Samuel Chevet JCC instruction Presentation Some Opcodes Process Replace by int3 Protector Techniques 2 Process ! Father and son Anti-Dumping TLS Callbacks Stolen Bytes Inject the father API Redirection Nanomites Father : WaitForDebugEvent() Triggers Conclusion Son : Scan 0xCC (int3) Reverse, or comportemental study Thruth table Maybe opcode will be restored to avoid performance down

  23. Triggers Unpacking tips and tricks Samuel Chevet Presentation Process Detect if protection has been deleted Protector Techniques Developpers can use SDK Anti-Dumping TLS Callbacks Invincible enemy Stolen Bytes API Redirection Nanomites Camera bug Triggers Conclusion Redirect call will return on the next instruction Return value modification

  24. Conclusion Unpacking tips and tricks Samuel Chevet Presentation Process Protector Techniques Conclusion INJECT !

  25. Real Conclusion Unpacking tips and tricks Samuel Chevet Presentation Process Protector Really fun ! Techniques Code your own toolz Conclusion Don’t use unpacker ! Write your own Internet connection permanent Kill market of multimedia library and occasion

  26. Questions ? Unpacking tips and tricks Samuel Chevet Presentation Process Thank you for your attention Protector Techniques Conclusion @w4kfu blog.w4kfu.com w4kfu@lse.epita.fr

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Productivity tips & tricks Productivity tips & tricks for a developer for a developer

Productivity tips & tricks Productivity tips & tricks for a developer for a developer

Productivity tips & tricks Productivity tips & tricks for a developer for a developer Sebastian Witowski Sebastian Witowski 1 2 3 4 5 6 vs. vs. 7 8 dotles dotles .bashrc, .vimrc, .gitcong alias ..="cd

308 views • 15 slides
HSC FCO PRESENTS UNMJobs 2.0 Onboarding, Updates, Tips & Tricks, Q&A Session May 16,

HSC FCO PRESENTS UNMJobs 2.0 Onboarding, Updates, Tips & Tricks, Q&A Session May 16,

HSC FCO PRESENTS UNMJobs 2.0 Onboarding, Updates, Tips & Tricks, Q&A Session May 16, 2017 Agenda Onboarding Regular faculty TPTs System Updates New User Interface (update roll outs) Tips & Tricks

643 views • 14 slides
Tips and Tricks For Broadcast Engineers and Managers Agenda Overview Jeff Welton, CBRE Tips

Tips and Tricks For Broadcast Engineers and Managers Agenda Overview Jeff Welton, CBRE Tips

Tips and Tricks For Broadcast Engineers and Managers Agenda Overview Jeff Welton, CBRE Tips and Tricks Regional Sales Manager Central U.S. For Engineers For Managers Paul Freeman Tinkle, CRMC, CRSM President and General

1.25k views • 56 slides
902 Grant Disbursements: Ti Tips, Tricks and Troubleshooting for a T i k d T bl h ti f

902 Grant Disbursements: Ti Tips, Tricks and Troubleshooting for a T i k d T bl h ti f

902 Grant Disbursements: Ti Tips, Tricks and Troubleshooting for a T i k d T bl h ti f Flawless Submission COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF ENVIRONMENTAL PROTECTION BUREAU OF WASTE MANAGEMENT ACT 101, SECTION 902 MUNICIPAL

635 views • 34 slides
Being the best recorder player you can be Tips and tricks for getting the most out of your

Being the best recorder player you can be Tips and tricks for getting the most out of your

Presentation Flte Alors! Being the best recorder player you can be Tips and tricks for getting the most out of your practice and tackling difficult passages Good morning everyone. My name is Sarah Jeffery, and I am a recorder player living

470 views • 6 slides
GOOD MORNING! THINK BIG, BE GREAT! Tips, tricks, and little bit of fun for engaging with our

GOOD MORNING! THINK BIG, BE GREAT! Tips, tricks, and little bit of fun for engaging with our

GOOD MORNING! THINK BIG, BE GREAT! Tips, tricks, and little bit of fun for engaging with our community Britt Delo & Keegan Aalderink Michigan West Coast Chamber of Commerce ITS ALL ABOUT YOU! Working together to improve the quality

524 views • 15 slides
Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19 getting the most (security) out of your openssh The users perspective: least amount of hassle tradeoff between anxiety, angst and

559 views • 19 slides
FM Translators for AM stations We have the license, now what? (and other translator tips, tricks

FM Translators for AM stations We have the license, now what? (and other translator tips, tricks

FM Translators for AM stations We have the license, now what? (and other translator tips, tricks and suggestions) Agenda Overview Legal Audio source Chuck Kelly Jeff Welton Originating program Regional Sales Manager, Regional

216 views • 18 slides
Tips and Tricks for Disclosures Laparoscopy I have no financial disclosures Jessica

Tips and Tricks for Disclosures Laparoscopy I have no financial disclosures Jessica

10/26/2016 Pushing the Envelope Tips and Tricks for Disclosures Laparoscopy I have no financial disclosures Jessica Opoku-Anane, MD, MS Assistant Professor, OB/GYN Minimally Invasive Gynecology Director, UCSF Center for Endometriosis

407 views • 8 slides
Throwing a Great Afterparty Other social media tips and tricks for getting the most out of your

Throwing a Great Afterparty Other social media tips and tricks for getting the most out of your

Throwing a Great Afterparty Other social media tips and tricks for getting the most out of your event Promoting the Basics Posters print and digital Leveraging Facebook and Twitter (targeting posts, frequent updates, etc)

245 views • 5 slides
FOCUS: Yes & Yes on Election Day Targeted Tips & Tricks from Three Districts

FOCUS: Yes & Yes on Election Day Targeted Tips & Tricks from Three Districts

FOCUS: Yes & Yes on Election Day Targeted Tips & Tricks from Three Districts Presenters Dr. Jason Snodgrass Amy Berendzen Superintendent Director, Fort Osage School District School-Community Relations @DrJSnodgrass

591 views • 29 slides
Getting Started with The Conversation Project: Orientation to TCP Resources, Tips and Tricks

Getting Started with The Conversation Project: Orientation to TCP Resources, Tips and Tricks

Getting Started with The Conversation Project: Orientation to TCP Resources, Tips and Tricks January 22, 2020 Patty Webster Naomi Fedna 2 Zoom Quick Reference Welcome to todays session! Click the Participants and Chat buttons Raise

861 views • 45 slides
How not to be a Git Tips and tricks for a good workflow Who am I? Adam Jimerson Software

How not to be a Git Tips and tricks for a good workflow Who am I? Adam Jimerson Software

How not to be a Git Tips and tricks for a good workflow Who am I? Adam Jimerson Software Engineer @ Code Journeymen GDG Gigcity Organizer vendion@gmail.com https://google.com/+AdamJimerson What is a Git? 1. A distributed

620 views • 58 slides
Tips and Tricks for a way cool Way Cool Presentation Thank you for your interest in

Tips and Tricks for a way cool Way Cool Presentation Thank you for your interest in

Tips and Tricks for a way cool Way Cool Presentation Thank you for your interest in doing a Way Cool Presentation for the Beaty Biodiversity Museum! Since January 2011, this monthly series allows visitors to delve deeper into specific

288 views • 3 slides
Grant Writing Tips & Tricks Sean Vroom NJIT TAB Felicia Fred USEPA Region 3, Brownfields

Grant Writing Tips & Tricks Sean Vroom NJIT TAB Felicia Fred USEPA Region 3, Brownfields

Grant Writing Tips & Tricks Sean Vroom NJIT TAB Felicia Fred USEPA Region 3, Brownfields Salem, VA October 2, 2019 Grant Writing Tips & Tricks Bootcamp Objectives: Expose participants to the NJIT TAB program Participants

681 views • 53 slides
Staff engagement Tips and tricks on getting buy-in Logistics Please use chat and for for

Staff engagement Tips and tricks on getting buy-in Logistics Please use chat and for for

Staff engagement Tips and tricks on getting buy-in Logistics Please use chat and for for questions questions I you have have! According to Merriam-Webster online sustained physical or mental effort to overcome obstacles and

605 views • 34 slides
Heads and Tails A Variable-Length Instruction Format Supporting Parallel Fetch and Decode Heidi

Heads and Tails A Variable-Length Instruction Format Supporting Parallel Fetch and Decode Heidi

Heads and Tails A Variable-Length Instruction Format Supporting Parallel Fetch and Decode Heidi Pan and Krste Asanovi MIT Laboratory for Computer Science CASES Conference, Nov. 2001 Motivation Tight space constraints Cost, power

679 views • 46 slides
Recorder 2.0: Efficient Parallel I/O Tracing and Analysis Chen Wang, Jinghan Sun and Marc Snir

Recorder 2.0: Efficient Parallel I/O Tracing and Analysis Chen Wang, Jinghan Sun and Marc Snir

Recorder 2.0: Efficient Parallel I/O Tracing and Analysis Chen Wang, Jinghan Sun and Marc Snir Kathryn Mohror and Elsa Gonsiorowski Department of Computer Science Center for Applied Scientific Computing University of Illinois at

307 views • 11 slides
OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions

OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions

OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions Yotam Harchol The Hebrew University of Jerusalem Joint work with Anat Bremler-Barr and David Hay THE HEBREW This research was supported by the

467 views • 24 slides
Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and Documentation Engineering Virus Analysis Malware Virus Needs a vector for propagation Worm No vector needed Can spread by

320 views • 21 slides
VAST A Unified Platform for Interactive Network Forensics Matthias Vallentin 1 , 2 Vern Paxson 1 ,

VAST A Unified Platform for Interactive Network Forensics Matthias Vallentin 1 , 2 Vern Paxson 1 ,

VAST A Unified Platform for Interactive Network Forensics Matthias Vallentin 1 , 2 Vern Paxson 1 , 2 Robin Sommer 2 , 3 1 UC Berkeley 2 International Computer Science Institute (ICSI) 3 Lawrence Berkeley National Laboratory (LBNL) March 17, 2016

1.01k views • 76 slides
UNIX Commands CIS 218 Advanced UNIX Commands (UNIX) File/Directory information ls

UNIX Commands CIS 218 Advanced UNIX Commands (UNIX) File/Directory information ls

UNIX Commands CIS 218 Advanced UNIX Commands (UNIX) File/Directory information ls LiSt. Shows contents of current directory. cd Change Directory mv

264 views • 7 slides
HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang, Heiner Litz, David R. Cheriton Stanford University DAMON14 Database Indexing Databases use precomputed indexes to speed up processing avoid

518 views • 18 slides
Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer

Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer

Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook <keescook@google.com> (pronounced Case) Overview Classic Attack Structure

431 views • 15 slides

More recommend