win at reversing
play

Win at Reversing API Tracing and Sandboxing through Inline Hooking - PowerPoint PPT Presentation

Dec 11, 2022 •182 likes •379 views

Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda Reverse Engineering Primer Approaches to Dynamic Analysis Inline Hooks Advantages Over Other Techniques Usages 2 Reverse Engineering

  1. Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour

  2. Agenda  Reverse Engineering Primer  Approaches to Dynamic Analysis  Inline Hooks  Advantages Over Other Techniques  Usages 2

  3. Reverse Engineering Primer  Reverse Engineering techniques can be devided into two categories: Static and Dynamic Analysis  Static Analysis • Techniques which do not involve running the code • Disassembly, file structure analysis, strings, etc.  Dynamic Analysis • Techniques which involve running the code • Behavioral analysis 3

  4. Approaches to Dynamic Analysis  Network Monitoring • Isolated Physical Networks • Virtual Networks  Hardware Emulation • Norman Sandbox et al.  Kernel-Level Monitoring (SSDT hooks) • Sysinternals’ Process Monitor  Debuggers 4

  5. Kernel-Level Monitoring Calls CreateFile() Kernel32.dll Kernel32.dll User Mode Process Ntdll.dll Ntdll.dll System Call Performed SSDT SSDT Kernel ZwCreateFile() () ZwCreateFile 5

  6. Kernel-Level Monitoring Calls CreateFile() Kernel32.dll Kernel32.dll User Mode Process Ntdll.dll Ntdll.dll System Call Performed SSDT SSDT Kernel Procmon.sys Procmon.sys ZwCreateFile() ZwCreateFile () 6

  7. Kernel-Level Monitoring  Advantages • Captures every system call • Can’t be avoided from userland  Disadvantages • Only captures functions implemented as system calls • Not every important function call in the Win32 API is implemented as a system call • Tools don’t differentiate between process housekeeping and calls from usercode • Calls to internal DLL’s cannot be observed 7

  8. Process Monitor 8

  9. Process Monitoring via Debugging  Advantages • Debugger can trap any function call, not just system calls • Trapped calls are more likely to be highly relevant to the program’s operation  Disadvantages • Have to act as a debugger • Susceptible to countless anti-debugger techniques 9

  10. Inline Hooks  Advantages • Can trap any function call, not just system calls • Trapped calls are more likely to be highly relevant to the program’s operation • Not operating as a debugger • No device driver required  Disadvantages • More of a pain in the #@! to implement 10

  11. Monitoring with Inline Hooks Calls CreateFile() Kernel32.dll Kernel32.dll Hook Hook User Mode Process Ntdll.dll Ntdll.dll Handler Handler System Call Performed SSDT SSDT Kernel ZwCreateFile() () ZwCreateFile 11

  12. Implementing Inline Hooks 1. Find a function of interest 2. Disassemble the beginning of the function 3. If possible, overwrite the beginning bytes of the function with a jump or call instruction 4. Implement a handler for the hooked function 12

  13. Why Disassemble?  If you attempt to hook every function from a DLL, for example, you might run into a function such as the one below  Inserting a 5 byte jump or call would write beyond the end of the function.  somefunction: 31 C0 xor eax, eax C3 retn 13

  14. A Successful Hook Install original_function: 55 push ebp 89 E5 mov ebp, esp 81 EC 18 00 00 00 sub esp, 24 31 C9 xor ecx, ecx … hooked_function: E9 E4 7C FF FF jmp <handler> 18 00 00 00 ;unused 31 C9 xor ecx, ecx 14

  15. What to do with hooked functions.  Observe and Report • Collect data about the current function call by gathering data from stack and report to console • Execute any instructions overwritten from the hook • Jump back to the next instruction in the hooked function  Intercept and Emulate • Perform a specified action Instead of calling the intended function 15

  16. Roll-your-own Sandbox  Trap gethostbyname() to always return a fixed IP address.  A pseudo-handle interface to allow fake reads and writes to files and netwok sockets. • Trap connect() to connection to a pseudo-socket. • CreateFile(), ReadFile(), WriteFile(), MapViewOfFile()… 16

  17. API Thief  Launches target process in a suspended state  Injects a DLL into the process.  The Injected DLL hooks all Win32 API functions before the target process is resumed  API Call monitoring can be used simply with a process monitor-style console  Imbedded python can be used to write custom handlers for specific hooked functions  Obtain API Thief at www.mandiant.com 17

  18. API Thief Demonstration  Basic Process Monitoring  Basic Interception (gethostbyname)  Pseudo-Handles demonstration  Automated Unpacking with API Thief 18

  19. Questions? nick.harbour@mandiant.com nickharbour@gmail.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
Reversing a firmware uploader &amp; Others NFC stories 1

Reversing a firmware uploader &amp; Others NFC stories 1

7/1/2019 Reversing a Firmware uploader &amp; others NFC stories Reversing a firmware uploader &amp; Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader &amp; others NFC stories

920 views • 41 slides
Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus Mannheim Centre for European Social Research (MZES) University of Mannheim www.mzes.uni-mannheim.de www.mzes.uni mannheim.de Overcoming early exit

380 views • 9 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as quickly as possible without having to read disassembled code Advantages Active Reversing reveals contextual relationships between user actions,

1.41k views • 91 slides
Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries Magda Lovei Prac&amp;ce Manager for Environment and Natural Resources, World Bank I. Present

461 views • 18 slides
Reversing Hydraulic Fan Drives Stephen Frantz Staff Engineer Danfoss Power Solutions 1 1

Reversing Hydraulic Fan Drives Stephen Frantz Staff Engineer Danfoss Power Solutions 1 1

Reversing Hydraulic Fan Drives Stephen Frantz Staff Engineer Danfoss Power Solutions 1 1 Benefits/Requirements for a Reversing Hydraulic Fan Drive Requirements Benefits Returns to forward in the event of a control signal loss Increased

280 views • 15 slides
Cross-platform reversing with at NoConName December 2015 by oleavr Who am I? My name is Ole

Cross-platform reversing with at NoConName December 2015 by oleavr Who am I? My name is Ole

Cross-platform reversing with at NoConName December 2015 by oleavr Who am I? My name is Ole Andr Vadla Ravns Author of Frida, CryptoShark, oSpy, libmimic... Developer, Hacker and Reverse Engineer Currently working at

1.26k views • 43 slides
FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant with focus on incident handling, forensics and malware analysis Not a dedicated reverser RE is just part of my job =&gt; I avoid RE as much as

670 views • 15 slides
Reversing the trend Collaboration, Robustness and Standardization 2017 BSEE Standards

Reversing the trend Collaboration, Robustness and Standardization 2017 BSEE Standards

Reversing the trend Collaboration, Robustness and Standardization 2017 BSEE Standards Workshop, Houston May 5th 2017 By Dr.ing Geir Loeland. Head of Structural Integrity Section Petroleum Safety Authority Norway PTIL/PSA Topics included

196 views • 16 slides
Reversing Ocean Hypoxia through Application and Scaling up of Innovative Policy, Economic and

Reversing Ocean Hypoxia through Application and Scaling up of Innovative Policy, Economic and

Reversing Ocean Hypoxia through Application and Scaling up of Innovative Policy, Economic and Financial Tools Andrew Hudson Head, UNDP Water &amp; Ocean Governance Programme &amp; UN-Oceans Coordinator Haber-Bosch Process 1909 Atmos N 2 +

127 views • 8 slides
Reversing ng the he E Exodus Thr hrough h Cult ltivation n LETS TALK KANSAS There are

Reversing ng the he E Exodus Thr hrough h Cult ltivation n LETS TALK KANSAS There are

Reversing ng the he E Exodus Thr hrough h Cult ltivation n LETS TALK KANSAS There are 626 626 incorporated communities in the state of . Of those, nearly 91 91% have a population of Kans nsas. . Additionally, 75% 75% have

490 views • 18 slides
Reversing the Decay of American Air Power Roots of the Air Power Rot Wrong Missions :

Reversing the Decay of American Air Power Roots of the Air Power Rot Wrong Missions :

Pierre Sprey Weapons Analyst and Participant in F-16 &amp; A-10 Design Reversing the Decay of American Air Power Roots of the Air Power Rot Wrong Missions : Dominance of Strategic Bombing and Douhet Wrong Aircraft : Too Few, Too

370 views • 17 slides
Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby Connections on Android

Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby Connections on Android

NDSS 2019 @ San Diego, US Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby Connections on Android Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD) 2

671 views • 29 slides
Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core Security Defcon 20 July 2012 P A G E Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout

785 views • 41 slides
Maternal Mortality: Trends, Causes, &amp; Approaches to Reversing the Trend Carol J. Rowland

Maternal Mortality: Trends, Causes, &amp; Approaches to Reversing the Trend Carol J. Rowland

Maternal Mortality: Trends, Causes, &amp; Approaches to Reversing the Trend Carol J. Rowland Hogue, PhD, MPH Terry Professor of MCH &amp; Professor of Epidemiology Rollins School of Public Health Emory University September 24, 2018

441 views • 31 slides
Limit Laws for q -Hook Formulas Sara Billey University of Washington Based on joint work with:

Limit Laws for q -Hook Formulas Sara Billey University of Washington Based on joint work with:

Limit Laws for q -Hook Formulas Sara Billey University of Washington Based on joint work with: Joshua Swanson arXiv:2010.12701 Slides: math.washington.edu/billey/talks/hooks.pdf Triangle Lectures in Combinatorics November 14, 2020 Outline

867 views • 61 slides
A Look Under the Hood of SMART Designs for Developing Adaptive Interventions Daniel Almirall, PhD

A Look Under the Hood of SMART Designs for Developing Adaptive Interventions Daniel Almirall, PhD

A Look Under the Hood of SMART Designs for Developing Adaptive Interventions Daniel Almirall, PhD Survey Research Center, Institute for Social Research University of Michigan April 11, 2016 Center for Drug Use and HIV Research New York, NY

762 views • 73 slides
OpenMP dynamic loops Paolo Burgio paolo.burgio@unimore.it Outline Expressing parallelism

OpenMP dynamic loops Paolo Burgio paolo.burgio@unimore.it Outline Expressing parallelism

OpenMP dynamic loops Paolo Burgio paolo.burgio@unimore.it Outline Expressing parallelism Understanding parallel threads Memory Data management Data clauses Synchronization Barriers, locks, critical sections Work

475 views • 18 slides
Asynchronous Programming Under the Hood Week 6 How to Implement Event Dispatchers Recall:

Asynchronous Programming Under the Hood Week 6 How to Implement Event Dispatchers Recall:

Asynchronous Programming Under the Hood Week 6 How to Implement Event Dispatchers Recall: Record registered callbacks in a data structure (easy) Wait for an event to happen (easy) Call the callbacks when it happens (easy)

269 views • 16 slides
New Poverty Data Highlights Need to Help Workers and Families Login at:

New Poverty Data Highlights Need to Help Workers and Families Login at:

September 2019 RESULTS U.S. Poverty National Webinar New Poverty Data Highlights Need to Help Workers and Families Login at: https://results.zoom.us/j/873308801 or dial (929) 436-2866 or (669) 900- 6833, Meeting ID: 873 308 801. RESULTS is a

1.04k views • 36 slides
Goals for Today Learning Objective: Contrast strengths/weaknesses of security primitives

Goals for Today Learning Objective: Contrast strengths/weaknesses of security primitives

Goals for Today Learning Objective: Contrast strengths/weaknesses of security primitives Understand design concepts of OS-layer Access Control Announcements, etc: MP3 Soft Extension: Submit by April 25th for -10pts MP4 due

489 views • 26 slides
Horizon 2020 and Free Software Marc Hoffmann, h-rd.org FOSDEM2014 Horizon 2020 and Free Software

Horizon 2020 and Free Software Marc Hoffmann, h-rd.org FOSDEM2014 Horizon 2020 and Free Software

Horizon 2020 and Free Software http://h-rd.org/publications/fosdem2014/fosdem... Horizon 2020 and Free Software Marc Hoffmann, h-rd.org FOSDEM2014 Horizon 2020 and Free Software Why this presentation? I'm doing research http://h-rd.org I'm

336 views • 5 slides
DEEP-H -Hybrid rid-DataCloud ud Digi gita tal I Inf nfrastr tructu uctures f for R

DEEP-H -Hybrid rid-DataCloud ud Digi gita tal I Inf nfrastr tructu uctures f for R

DEEP-H -Hybrid rid-DataCloud ud Digi gita tal I Inf nfrastr tructu uctures f for R Research ( ch (DI4R) lva varo L Lpez Garc ca Lisbon (Portugal) aloga@ifca.unican.es October 10, 2018 Spanish National Research Council

393 views • 14 slides

More recommend