Binary voyeurism
A decent overview

Who are you
• Any experience with
  – Binary reversing?
  – Debugging?
  – Exploitation?
  – Python?
Please fill the skill matrix ;)

whoami
• Nerd (zombies, cylons…)
• Geek (reversing, python…)
• Consultant :)

We are hiring!
• Security people
• Highly skilled team
• Hardware, mobile, binary, web, source code, network…
• Fun, research, CONs, etc.
• Consultancy / business oriented
Talk to me! Today is my birthday! Beers are presents too!

agenda
• Checking out the application
  – Static analysis
  – Not programmatic way
  – winappdbg
  – Intel PIN
  – vdb / vtrace
• Drinks & bbq

Setting the scope
• This talk is pretty lame
• Just an introduction
• Basically a compilation of things very intelligent people did
• Anyway a nice overview if you don't have a deep knowledge of this topic

Static analysis

Static analysis
IDA Pro scripts
• IDC: C language, must recompile every time
• IDAPython: Python bindings. Me gusta…
IDA Pro rocks!

Naive crypto search
Let's check for crypto functions

Naive crypto search
Let's compare with a real plugin… IDA Signsrch from Luigi Auriemma

Naive crypto search
Look at those juicy AES constants… So, there was some crypto after all…

Find special x86 instructions
Why are you doing this funky stuff? Warning! Malware evasion!

m.i.l.f. plugin
My IDA Little Framework: an IDA Pro plugin

not programmatic

Not programmatic way
Just using a regular debugger. Everyone knows this, I guess ;)
Olly / Immunity Debugger, WinDbg
BOOOOORING…

Not programmatic way
BOOOOORING… Olly, Immunity, WinDbg, etc.

Winappdbg (& a bit pydbg)

keepassada
The following functions are called when copying data to the clipboard:

    OpenClipboard()
    EmptyClipboard()
    hClipboardData = GlobalAlloc()                 // hook this and get RetValue
    pchData = (char*)GlobalLock(hClipboardData)
    strcpy(pchData, LPCSTR(strData))
    GlobalUnlock(hClipboardData)
    SetClipboardData(CF_TEXT, hClipboardData)      // hook this
    CloseClipboard()

Hook those calls!

Monitoring the program stack at runtime

keepassada
Enter video!
Monitoring the program stack at runtime
winappdbg Tracer.py
• Performance problems (-1)
• Slow (-1)
• Need function list (ida) (-1)
• It is python (+500)
• Pydot ftw (+500)
Python rocks!

Tracer & derivatives
Where are you little process? Look for the process and attach to it

Tracer & derivatives
Breakpoints and callbacks: the callback writes the address to a file

Watching dll loading
WTFDLL?

Targeting specific functions

Tracer & pydot
I <3 pydot. A picture is worth a thousand words

Tracer & pydot
I <3 pydot. Binary abstract art, anyone?

intel pin

INTEL PIN
A more efficient tracer
• Detect buffer overflows: EIP outside text section
• Valgrind-like for Windows: check memory allocations, double free(s)
Intel PIN rocks big time! THE dynamic binary instrumentation tool

INTEL PIN
A more efficient tracer. Compiled means efficient! It means pain in the ass too

INTEL PIN
Check every basic block. Instrumentation vs. runtime functions

INTEL PIN
SEH overwrite, a classic. Let's exploit this

INTEL PIN
You shouldn't be here… EIP points to the stack!

INTEL PIN
Detect EIP outside text section: save all .text section addresses. You shouldn't be here!

INTEL PIN
Detect EIP outside text section: compare against .text section data. EIP police! Show me your hands!

INTEL PIN
Valgrind-like for Windows: check memory allocations, double free(s). Keep track of malloc and free. This could be very powerful

INTEL PIN
Free the malloc()s! Some people take it to the extreme

Vdb / vtrace

Vdb / vtrace
• Yep, it is Python
• It does pretty much what others do
  – And Linux… and ARM… and PPC… etc.
• Look, I'm so cool!
  – NO DOCUMENTATION
  – READABLE CODE
Python still rocks! What the k00l kidz use

Vdb / vtrace
Thanks Mozilla Development Docs! These two functions are interesting to us

Vdb / vtrace
Super Secure Bank. Seems legit.
Vdb / vtrace
Read at offsets from ESP register. Pretty similar to the previous frameworks

Quick recap
• Python based:
  – Fast prototyping but…
  – damn slow
• Intel PIN
  – Fast and intelligent but…
  – convoluted
Prototype in Python, final project in PIN

Thanks for listening! Don't forget the beer! ;)
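The two Intel PIN checks from the slides (EIP outside the .text section, and double frees found by keeping track of malloc and free), as an added example that is not part of the talk or its tools: the analysis core is written as plain C++ so it compiles without the PIN SDK, and a real pintool would call onBasicBlock() from its basic-block instrumentation and onMalloc()/onFree() from its heap-routine hooks. The .text range and the trace in runSample() are constructed, not taken from a real program.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>
// One [start, end) range per .text section, collected when images are loaded.
struct TextSection { uint64_t start, end; };
class EipPolice {
public:
    explicit EipPolice(const std::vector<TextSection>& text) : text_(text) {}
    // "Compare against .text section data": is the address inside any .text section?
    bool inText(uint64_t addr) const {
        for (const TextSection& s : text_)
            if (addr >= s.start && addr < s.end) return true;
        return false;
    }
    // Called once per executed basic block (in PIN: a TRACE/BBL instrumentation callback).
    // Returns true when EIP has left .text, e.g. after an SEH overwrite sent it to the stack.
    bool onBasicBlock(uint64_t eip) {
        if (inText(eip)) return false;
        report("EIP outside .text", eip); return true;
    }
    // Heap tracking (in PIN: RTN_InsertCall hooks on malloc and free).
    void onMalloc(uint64_t ptr, uint64_t size) { if (ptr) live_[ptr] = size; }
    // Returns true on a double free: the block being freed is not currently live.
    bool onFree(uint64_t ptr) {
        if (ptr == 0) return false;               // free(NULL) is a no-op, not a bug
        auto it = live_.find(ptr);
        if (it == live_.end()) { report("double free", ptr); return true; }
        live_.erase(it);
        return false;
    }
    const std::vector<std::string>& findings() const { return findings_; }
private:
    void report(const char* what, uint64_t a) {
        char b[64]; std::snprintf(b, sizeof b, "%s: 0x%llx", what, (unsigned long long)a);
        findings_.push_back(b);
    }
    std::vector<TextSection> text_;
    std::map<uint64_t, uint64_t> live_;       // live allocations: address -> size
    std::vector<std::string> findings_;
};
// Constructed sample trace (not from a real program): one .text section at 0x401000-0x410000.
size_t runSample() {
    EipPolice p(std::vector<TextSection>{{0x401000, 0x410000}});
    p.onBasicBlock(0x401230);                 // normal code, no finding
    p.onMalloc(0x2a0000, 64); p.onFree(0x2a0000); p.onFree(0x2a0000);   // second free is reported
    p.onBasicBlock(0x12ff40);                 // EIP on the stack: reported
    return p.findings().size();               // 2 findings
}
```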