Jargon
A zero-day (or zero-hour or day-zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application.
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug.
Shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.
A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to a computer.
Attacker Mindset
Vulnerability Research
Finding the vulnerability and developing weaponized exploits.
Exploit Development
Defensive Perspective
Patch and Vulnerability Analysis
Developing signatures against zero-days
Malware Analysis
Anti-Virus, Anti-Spyware and Digital Forensics companies
Maxx case
Payment case.
GinWui Rootkit (manipulates services, starts and kills processes, etc.). iDefense says: 35 zero-day Microsoft Office exploits.
"We do not call those types of threats Advanced Persistent Threats since they use widely known, old-school tactics." (Microsoft)
Reverse Engineering
Arithmetic Instructions
Accessing Memory
    cmp eax, 2          ; compare eax with 2, set the flags
    je  label           ; jump if equal
    ja  label           ; jump if above (unsigned)
    jb  label           ; jump if below (unsigned)
    jbe label           ; jump if below or equal (unsigned)
    jne label           ; jump if not equal
    jmp label           ; unconditional jump
Function Calls
    call function       ; store return addr on the stack
                        ; and jump to function!

func:
    push esi            ; save esi
    ...
    pop esi             ; restore esi
    ret                 ; read return addr from the stack
                        ; and jump to it.
Modern Compiler
Native Language Intermediate Representation
system structures
formats
Toolbag
It can be used to debug user-mode applications, drivers, and the operating system itself in kernel mode, in the Windows environment.
PEiD
IDA Pro
OllyDbg
Windbg
Intro to Windbg
r: display current register contents
t: trace (single-step one instruction, stepping into calls)
tc: trace until the next call
pt: step until the next return
g: go (run the process)
.hh: help for a command (for example .hh t)
lm: list loaded modules
Sysinternal: Autoruns
ImpREC
LordPE
Anti-Reverse Engineering
Anti-Debugging: the implementation of one or more techniques within computer code that hinder attempts at reverse engineering or debugging the target process.
Anti-Dumping: techniques that hinder dumping, i.e. taking a protected executable and, once it has been decrypted into memory, writing the decrypted image back to disk.
Code obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.
Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable.
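A practical first check for executable compression is section entropy, the same heuristic tools such as PEiD rely on: compressed or encrypted data is close to uniformly distributed (near 8 bits per byte), while plain x86 code and ordinary data sit well below that. The following is an added example, not code from the original slides; the 7.0-bit threshold, the section names and the section contents are constructed stand-ins (no real PE file is parsed), and the "packed" section is a deterministic SHA-256 counter-mode stream used in place of real packer output.

```python
"""Added example (not from the original slides): flag sections that look packed
or encrypted by their Shannon entropy. Sample sections are constructed below."""

import hashlib
import math
from collections import Counter

# Assumed threshold in bits per byte; real packers usually land above it.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy stream (SHA-256 in counter mode), standing in
    for the compressed/encrypted body of a packed section."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


def constructed_sections() -> dict:
    """Constructed stand-ins for PE sections (assumption: not a real binary).
    .text: NOP sled plus a repeated prologue/epilogue (push ebp; mov ebp,esp;
    sub esp,0x10 ... leave; ret). .data: a short string padded with zeros.
    UPX1: a high-entropy blob, as a packer's compressed section would look."""
    code_unit = b"\x55\x8b\xec\x83\xec\x10" * 20 + b"\xc9\xc3"
    return {
        ".text": (b"\x90" * 64 + code_unit) * 8,
        ".data": b"Hello, world\x00" + b"\x00" * 500,
        "UPX1": pseudo_random_bytes(4096),
    }


def classify_sections(sections: dict) -> dict:
    """Return {name: (entropy rounded to 2 places, looks_packed)}."""
    report = {}
    for name, data in sections.items():
        h = shannon_entropy(data)
        report[name] = (round(h, 2), h >= PACKED_THRESHOLD)
    return report


def looks_packed(sections: dict) -> bool:
    """True if any section exceeds the entropy threshold."""
    return any(flag for _, flag in classify_sections(sections).values())


if __name__ == "__main__":
    for name, (h, packed) in classify_sections(constructed_sections()).items():
        print(f"{name:8s} entropy={h:.2f} {'PACKED?' if packed else 'plain'}")
```

High entropy alone does not prove packing (a section holding certificates, images or compressed resources also scores high), so treat the flag as a reason to look at the entry point and import table, not as a verdict.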
Packed Executable
Anti-Debugging
FATMAL
Loader
Payload
InstallBot()
Payload
Memory Analysis
Resources
Mobile Market
[Chart: mobile platform market share; only the Android label and the percentage values survived extraction]
Mobile Threats
[Chart: mobile threats by category: Trojan, Downloader, Spy, Adware, Backdoor, Hacktool, Monitoring, Riskware, Spyware, Application; the percentage values could not be reliably paired with their labels]
Android
Android Apps
Android Market
APK/ZIP
Metadata (manifest, images)
Dex File (classes.dex)
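An APK is an ordinary ZIP, so the first analysis step is to list its entries and pull out classes.dex. The DEX header starts with the magic "dex\n035\0", followed by an adler32 checksum that covers everything after the checksum field and a SHA-1 signature that covers everything after the signature field; a classes.dex that was patched on disk without recomputing both will fail these checks, which is a cheap way to spot a modified (repackaged) app. The following is an added example, not code from the original slides: the APK is constructed in memory, its manifest is a plain-text placeholder rather than real binary XML, and the DEX is a header-only file with a few bytes of constructed data, all assumptions for illustration.

```python
"""Added example (not from the original slides): list an APK's entries, parse the
classes.dex header and verify its adler32 checksum and SHA-1 signature.
The sample APK and DEX are constructed below; no real app is read."""

import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70          # header_size is fixed at 0x70 bytes
DEX_MAGIC_PREFIX = b"dex\n"     # followed by the 3-digit version and a NUL
ENDIAN_CONSTANT = 0x12345678    # little-endian endian_tag


def build_minimal_dex(extra: bytes = b"constructed data") -> bytes:
    """Construct a header-only DEX (version 035) plus a small data section,
    with a valid checksum and signature. Assumption: other tables are empty."""
    file_size = DEX_HEADER_SIZE + len(extra)
    body = bytearray(file_size)
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", body, 32, file_size, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<II", body, 104, len(extra), DEX_HEADER_SIZE)  # data_size, data_off
    body[DEX_HEADER_SIZE:] = extra
    # signature: SHA-1 over everything after the signature field (offset 32 .. end)
    body[12:32] = hashlib.sha1(body[32:]).digest()
    # checksum: adler32 over everything after the checksum field (offset 12 .. end)
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)
    return bytes(body)


def parse_dex_header(dex: bytes) -> dict:
    """Decode the fixed header fields and recompute checksum and signature."""
    if len(dex) < DEX_HEADER_SIZE or not dex.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a DEX file")
    checksum = struct.unpack_from("<I", dex, 8)[0]
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    return {
        "version": dex[4:7].decode("ascii"),
        "checksum": checksum,
        "signature": signature.hex(),
        "file_size": file_size,
        "header_size": header_size,
        "endian_tag": endian_tag,
        "checksum_ok": checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(dex[32:]).digest(),
        "size_ok": file_size == len(dex) and header_size == DEX_HEADER_SIZE,
    }


def inspect_apk(apk_bytes: bytes) -> dict:
    """List the APK (ZIP) entries and verify classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        if "classes.dex" not in names:
            raise ValueError("classes.dex missing from APK")
        header = parse_dex_header(zf.read("classes.dex"))
    return {"entries": sorted(names), "classes.dex": header}


def build_sample_apk(dex: bytes) -> bytes:
    """Constructed APK: placeholder manifest, one image resource, the DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")      # real one is binary XML
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


def tamper(dex: bytes, offset: int = DEX_HEADER_SIZE, value: int = 0x41) -> bytes:
    """Overwrite one byte past the header, simulating patched bytecode that was
    not re-signed."""
    patched = bytearray(dex)
    patched[offset] = value
    return bytes(patched)


if __name__ == "__main__":
    dex = build_minimal_dex()
    print(inspect_apk(build_sample_apk(dex)))
    print(parse_dex_header(tamper(dex)))
```

A repackaging tool normally recomputes both fields, so a passing check only says the file is internally consistent; a failing one says somebody edited the bytecode by hand, which is exactly the "Modified!" case for Dalvik bytecode.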
Android Architecture
Geinimi
5 years of silence
The shrinker removes unused code and renames classes, fields, and methods with semantically obscure names.
DexGuard is our specialized optimizer and obfuscator for Android. Create apps that are faster, more compact, and more difficult to crack.
Obfuscation
Android Application
Launcher
Activity Manager
Zygote
Activity Thread
Dalvik VM!
JNI
Native Code
Dalvik bytecode
Modified!
Processor
So what?
Questions