Historically, reverse engineering of executables has been an obscure practice associated with piracy or industrial espionage, but today, with the rise of targeted malware, this art is becoming a much-discussed topic because it demands strong analytical skill, intuition and inventiveness. But why is it so important to analyse malware? Which tools should you use and, above all, how should you approach the problem? How do you deal with the protection mechanisms that malware adopts? There is no better way to enter the world of malware analysis than by starting from some real cases.
Andrea Pompili - The Dark Side of Malware Analysis
Slide 1
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 20-21.11.2015
www.codemotionworld.com
THE DARK SIDE OF
MALWARE ANALYSIS
Andrea Pompili
There are only 10 types
of people in the world:
Those who understand binary,
and those who don't
apompili@hotmail.com
Slide 4
Command and Control systems (IP:port):
203.131.222.102:8080
217.96.33.164:8000
88.53.215.64:8000
Slide 6
Malware Analysis?
> To understand the real damage
> To discover the Indicators of Compromise
> To establish the attacker's level of preparation/motivation (as Sun Tzu teaches)
> To reconstruct the vulnerability that was used (maybe a 0-day :-|)
> To catch the bad guy
> To answer life's questions…
Slide 7
The noble art of Reverse Engineering
Reverse engineering, def.:
«the process of analysing an existing software system, carried out in order to create a representation of it at a higher level of abstraction»
Other purposes of reverse engineering include: vulnerability assessment, removal of copy protection, bypassing access restrictions
Slide 8
Ideal Reverse Engineering
Slide 9
Full vs Adequate Analysis
Slide 10
Malware Architecture
[Diagram: Infection Stage: Vector, Exploit, Downloader; Malware Core: Launcher, Dropper, Module <01> … Module <XX>; Command & Control]
Slide 11
Malware Architecture > Infection Stage
[Diagram: the same architecture with the Infection Stage (Vector, Exploit, Downloader) highlighted; Malware Core: Launcher, Dropper, Module <01> … Module <XX>; Command & Control]
Slide 12
Spear Phishing > Emails containing links
Slide 13
Spear Phishing > Emails containing attachments
Slide 14
POSTs on forums // blogs // social networks
Slide 15
How nice! I found a USB stick
Slide 16
Malware Architecture > Downloader
[Diagram: Infection Stage (Vector, Exploit, Downloader) with the Downloader highlighted, talking to Command & Control]
Slide 17
How is the Communication Channel Encoded?
<#1> Fixed-byte XOR (evergreen)
Identifiable (just look for an xor opcode in the binary; skip the ubiquitous xor reg, reg used to zero a register and look for an xor with an immediate byte inside a loop)
<#2> Base64 Encoding
Identifiable and automatically reversible
<#3>
Crypto libraries are bulky and recognisable; and how do you manage the keys?
<#4> G Channel
Depends on the type; try doing that from a shellcode!!!
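Put into code, as an added example that is not part of the talk: a small Python decoder that peels off exactly the two "evergreen" layers above, Base64 and fixed-byte XOR. The ciphertext is constructed here (the key 0x5A and the made-up beacon to c2.example are assumptions), and the crib-based key recovery is the standard 256-key brute force rather than a technique shown on the slides.

```python
"""Single-byte XOR and Base64 are the two encodings on the slide that fall
to brute force. Added example: peel those layers off a captured C2 message.
The ciphertext below is constructed for the demo (key 0x5A, a made-up
beacon to c2.example); nothing here comes from a real sample."""
import base64
import string

PRINTABLE = set(string.printable.encode())
B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

# Constructed sample: the beacon a bot might send, XORed with 0x5A, then Base64'd.
PLAINTEXT = b"GET /gate.php?id=1234 HTTP/1.1\r\nHost: c2.example:8080\r\n\r\n"
DEMO_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """What a 'fixed byte XOR' loop in the binary does: one key byte for every byte."""
    return bytes(b ^ key for b in data)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII; real text scores near 1.0."""
    return sum(b in PRINTABLE for b in buf) / len(buf) if buf else 0.0


def crack_single_byte_xor(cipher: bytes, crib: bytes = b"") -> tuple[int, bytes]:
    """Try all 256 keys. A crib (a substring you expect, e.g. b"HTTP") outranks
    the printable-ratio heuristic, which on short data can pick a wrong key."""
    best_score, best_key, best_plain = -1.0, 0, cipher
    for key in range(256):
        plain = xor_bytes(cipher, key)
        score = printable_ratio(plain) + (1.0 if crib and crib in plain else 0.0)
        if score > best_score:
            best_score, best_key, best_plain = score, key, plain
    return best_key, best_plain


def looks_like_base64(buf: bytes) -> bool:
    return bool(buf) and len(buf) % 4 == 0 and all(b in B64_ALPHABET for b in buf)


def decode_layers(blob: bytes, crib: bytes, max_layers: int = 4) -> tuple[list[str], bytes]:
    """Strip Base64 and single-byte XOR layers until the crib appears.
    Returns the layers found (outermost first) and the recovered plaintext."""
    layers, data = [], blob
    for _ in range(max_layers):
        if crib in data:
            break
        if looks_like_base64(data):
            data = base64.b64decode(data, validate=True)
            layers.append("base64")
            continue
        key, data = crack_single_byte_xor(data, crib)
        layers.append(f"xor:0x{key:02x}")
        if key == 0:          # XOR made no progress; stop rather than loop
            break
    return layers, data


SAMPLE = base64.b64encode(xor_bytes(PLAINTEXT, DEMO_KEY))

if __name__ == "__main__":
    found, plain = decode_layers(SAMPLE, b"HTTP")
    print("layers:", found)
    print(plain.decode())
```

The crib is the important part: on a real capture you know something about the plaintext (an HTTP verb, the bot's hostname, a magic header), and that knowledge is what turns a 256-way guess into an identification.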
Slide 18
Communication Channel: let your imagination run free
Slide 19
Malware Architecture > Persistence
[Diagram: the same architecture with the Malware Core (Launcher, Dropper, Module <01> … Module <XX>) highlighted; Infection Stage: Vector, Exploit, Downloader; Command & Control]
Slide 20
Malware Architecture > Chained Modules
[Diagram: Infection Stage: Vector, Exploit, Downloader #1 with Command & Control #1; Downloader #2 with Command & Control #2; Malware Component]
Slide 21
Modules and Plugins
> Infostealer
> Keylogging
> Sniffer
> Spyware
> Data Exfiltration
> Remote Control
> Identity Theft
> Ransomware
> Spambot
> Network Scanner
> DDoS Agent
> Targeted attacks
> Data manipulation
> Anonymous Proxy
> DNS Attack
> Warez Archive
Slide 22
Static vs Dynamic Analysis?
<#1> Static Analysis
> The code is NEVER executed (or at least it shouldn't be)
> The analysis is carried out by transforming or reorganising the artefact's code in successive stages
> Makes use of a large number of analysis tools
> Need to manage ad-hoc processing tools
> Beware of exploits targeting the analysis tools you use!
> Analysis is limited or very time-consuming in the presence of packers or complex obfuscation
Slide 23
First of All
Slide 24
String Revealer
Slide 25
Static Malware
<#1> Native format (PE/ELF)
<#2> Intermediate language (Java/.NET/etc.)
<#3> Active documents (PDF/Office/etc.)
Same result == VERY different approaches
Slide 26
The reality of the matter #1
<#1> Native format (PE/ELF)
Slide 27
Interactive Disassembler
Slide 28
Online Disassembler
Slide 29
How Malware Writers protect their
Slide 30
How Malware Writers protect their
http://upx.sourceforge.net/
Slide 31
How Malware Writers protect their
Slide 32
The way to Packers
Original program, sections: DOS MZ Header, PE Header, Section Table, .text, .data, .rsrc (entry point: OEP)
Packed program, sections: DOS MZ Header, PE Header, Section Table, Unpacker Stub (the new entry point), Temp Space, Packed Data (containing the original code and its OEP)
Slide 33
FUD (Fully UnDetectable) Packers
UPX, ASPack, PECompact, and all the rest
http://it.wikipedia.org/wiki/Exe_Packer
Slide 34
Static Resource Analyzer
Slide 35
Internet helps
Slide 36
The reality of the matter #2
<#2> Intermediate language (Java/.NET/etc.)
Slide 37
Why Decompilation is easier
> Metadata must be explicit (constant-pool names, variables, methods and classes)
> The opcodes map closely onto source-code constructs (e.g. tableswitch)
> Self-modifying code cannot be used
> Branching to arbitrary locations is not possible, only to the start of an instruction and only within the scope of the current method (enforced by the verifier)
Slide 38
Stack is Everything
[Diagram: for each thread (THREAD #1 … THREAD #n): PC Register, JVM Stack, Native Method Stack; the JVM Stack holds Frame #1 … Frame #n, each with a Local Variable Array, an Operand Stack and a Runtime Constant Pool (RCP) Reference]
Slide 39
The way from Source to Bytecode
int addTwo(int a, int b) {
    b = a + b;
    return b;
}
iload_0
iload_1
iadd
istore_1
iload_1
ireturn
[Diagram: Frame «addTwo»: Local Variable Array, Operand Stack, RCP Reference]
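To make "stack is everything" concrete, here is an added Python example (not from the talk) that interprets the integer subset of JVM bytecode directly from opcode bytes and records the local variable array and operand stack after each instruction; the addTwo method above is the input. The opcode numbers are those of the JVM specification; the trace format and the max_locals default are my choices.

```python
"""Added example (not from the talk): a toy interpreter for the integer subset
of JVM bytecode, enough to run addTwo straight from its opcode bytes and to
show the frame (local variable array + operand stack) after every instruction."""

# opcode byte -> (mnemonic, number of operand bytes); numbers from the JVM spec
OPCODES = {0x03: ("iconst_0", 0), 0x04: ("iconst_1", 0), 0x05: ("iconst_2", 0),
           0x10: ("bipush", 1),
           0x1a: ("iload_0", 0), 0x1b: ("iload_1", 0), 0x1c: ("iload_2", 0), 0x1d: ("iload_3", 0),
           0x3b: ("istore_0", 0), 0x3c: ("istore_1", 0), 0x3d: ("istore_2", 0), 0x3e: ("istore_3", 0),
           0x60: ("iadd", 0), 0x64: ("isub", 0), 0x68: ("imul", 0),
           0xac: ("ireturn", 0)}

# javac output for: int addTwo(int a, int b) { b = a + b; return b; }
ADD_TWO = bytes([0x1a, 0x1b, 0x60, 0x3c, 0x1b, 0xac])


def to_int32(v: int) -> int:
    """Java ints wrap at 32 bits; Python ints do not, so emulate the overflow."""
    v &= 0xFFFFFFFF
    return v - 0x100000000 if v & 0x80000000 else v


def disassemble(code: bytes) -> list[str]:
    """Turn the opcode bytes back into the mnemonics a decompiler starts from."""
    out, pc = [], 0
    while pc < len(code):
        mnemonic, nargs = OPCODES[code[pc]]
        operand = code[pc + 1:pc + 1 + nargs]
        out.append(mnemonic if not nargs
                   else f"{mnemonic} {int.from_bytes(operand, 'big', signed=True)}")
        pc += 1 + nargs
    return out


def run_method(code: bytes, args: list[int], max_locals: int = 4):
    """Execute until ireturn. Returns (value, trace); each trace entry is
    (mnemonic, local variable array, operand stack) after the instruction."""
    locals_ = list(args) + [0] * (max_locals - len(args))   # args occupy slots 0..n-1
    stack, trace, pc = [], [], 0
    while True:
        mnemonic, nargs = OPCODES[code[pc]]
        operand = code[pc + 1:pc + 1 + nargs]
        pc += 1 + nargs
        if mnemonic.startswith("iconst_"):
            stack.append(int(mnemonic[-1]))
        elif mnemonic == "bipush":
            stack.append(int.from_bytes(operand, "big", signed=True))
        elif mnemonic.startswith("iload_"):          # local slot -> operand stack
            stack.append(locals_[int(mnemonic[-1])])
        elif mnemonic.startswith("istore_"):         # operand stack -> local slot
            locals_[int(mnemonic[-1])] = stack.pop()
        elif mnemonic in ("iadd", "isub", "imul"):   # pop two, push the wrapped result
            b, a = stack.pop(), stack.pop()
            stack.append(to_int32({"iadd": a + b, "isub": a - b, "imul": a * b}[mnemonic]))
        elif mnemonic == "ireturn":
            result = stack.pop()
            trace.append((mnemonic, list(locals_), list(stack)))
            return result, trace
        trace.append((mnemonic, list(locals_), list(stack)))


if __name__ == "__main__":
    print(disassemble(ADD_TWO))
    value, trace = run_method(ADD_TWO, [3, 4])
    for step in trace:
        print(step)
    print("addTwo(3, 4) =", value)
```

The trace is the point of the exercise: because every instruction's effect on the frame is fixed by the specification and the verifier forbids jumps into the middle of an instruction, a decompiler can rebuild `b = a + b` from the iload/iadd/istore sequence, which is why Java bytecode is so much easier to take back to source than native code.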
Slide 40
«Easy» way to Source
JD-GUI
http://jd.benow.ca/
JAD
http://varaneckas.com/jad/
Slide 41
why not So Easy
Slide 43
ByteCode Analysis & Manipulation
http://set.ee/jbe/
Slide 45
https://github.com/contra/JMD
Slide 46
but sometimes Things work
Slide 48
Get your own ZKM String Custom Tool
java -jar ZKMTools.jar <CLASS_FILE>
Slide 49
What is Dynamic Analysis?
<#1> Debugging
<#2> Live Execution Analysis
<#3> Sandbox-based Analysis
NEVER use your own PC to run malware!!!
Slide 50
Snapshot is the Way
Slide 51
Debugging Principles
<#1> Debugging
OllyDbg Debugger (x86 only)
http://www.ollydbg.de/
x64dbg (x86/x64)
http://x64dbg.com
Slide 52
Debugging World
Rings are privilege and/or security levels provided by the processor
x86 Ring0: kernel mode; debuggers: HyperDbg, WinDbg, SoftICE
http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_0_Debuggers
x86 Ring3: user mode
http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_3_Debuggers
Slide 53
Two Assembler things you have to know
Basic x86/x64 registers:
EAX  general purpose register #1 (RAX in 64-bit)
EBX  general purpose register #2 (RBX in 64-bit)
ECX  general purpose register #3 (RCX in 64-bit)
EDX  general purpose register #4 (RDX in 64-bit)
ESI  source pointer for string operations (RSI in 64-bit)
EDI  destination pointer for string operations (RDI in 64-bit)
ESP  pointer to the current top of the stack (RSP in 64-bit)
EBP  pointer to the base of the current stack frame (RBP in 64-bit)
EIP (Extended Instruction Pointer)  pointer to the next instruction to execute (RIP in 64-bit)
General registers available in 64-bit mode only: R8-R15
Slide 54
Two Assembler things you have to know
x86/x64 stack:
» LIFO (Last In First Out) structure mapped onto memory
» ESP points to the current position in memory
» EBP is used as a «marker» to manage the current stack frame
» Data is loaded with the PUSH and POP instructions
» CALL automatically saves its return address on the stack
Slide 55
Two Assembler things you have to know
> Run-time stack (stack frame)
> Contains the local variables
> ESP points to the top element of the stack
> EBP points to the base of the stack frame
> Each procedure call reserves a new stack frame (the function's scope) by moving ESP and EBP
[Diagram: process memory layout: interrupt and trap vectors, operating system, instructions (.text), global data (.data), heap, run-time stack (ESP, EBP), device registers]
Slide 56
Defeat Packers using Debuggers
» Follow the various decryption routines in the debugger (e.g. x64dbg, or IDA Pro with Bochs), setting a breakpoint at the end of each loop
» Dump the process memory once unpacking has finished (e.g. with the Scylla plugin)
Best practices:
> Many processes are not resilient (they run and exit immediately)
> Stop the process at the right moment
> Step over instruction by instruction until
Slide 57
<#2> Live Execution Analysis
Slide 58
Start Debugging during Execution
Slide 59
How to Fake Servers during Execution
Slide 60
How to Monitor Traffic during Execution
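The two slides above (faking servers and monitoring traffic) are shown as screenshots; here is an added Python example, not code from the talk, of the smallest useful version of both at once: a fake HTTP C2 that answers whatever the sample asks for and writes one JSON line per beacon. Point the analysis VM's DNS or hosts file at the machine running it, inside the isolated lab network only. The endpoints and replies in RULES are assumptions for the demo, not a real malware protocol.

```python
"""Added example (not from the talk): a fake HTTP C2 for the analysis VM.
Every beacon the sample sends is logged as one JSON line while the sample
gets a canned answer so it keeps talking. The endpoints and replies in RULES
are assumptions for the demo, not a real malware protocol."""
import json
import sys
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

BEACONS: list[dict] = []          # every request seen, the raw material for IoCs

# (path prefix, reply body). Unmatched paths get an empty 200 so the sample does not give up.
RULES = [
    ("/gate.php", b"sleep:60"),   # hypothetical check-in: tell the bot to come back later
    ("/update", b"MZ\0\0"),       # hypothetical second stage: keep a downloader moving
]


def handle_request(method, path, headers, body=b"", peer="0.0.0.0"):
    """Record the beacon and choose the reply. Kept free of socket code so it
    can be exercised without a network; `headers` only needs a .get() method."""
    BEACONS.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "peer": peer,
        "method": method,
        "path": path,
        "host": headers.get("Host", ""),
        "user_agent": headers.get("User-Agent", ""),
        "body_len": len(body),
        "body_hex": body[:64].hex(),   # first bytes of a POST, often the encoded bot ID
    })
    for prefix, reply in RULES:
        if path.startswith(prefix):
            return 200, reply
    return 200, b""


class FakeC2Handler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        status, reply = handle_request(self.command, self.path, self.headers,
                                       body, self.client_address[0])
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)
        print(json.dumps(BEACONS[-1]), file=sys.stderr)   # one JSON line per beacon

    do_GET = do_POST = _serve

    def log_message(self, *args):   # silence the default access log; the JSON lines replace it
        pass


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    print(f"fake C2 listening on 0.0.0.0:{port}", file=sys.stderr)
    HTTPServer(("0.0.0.0", port), FakeC2Handler).serve_forever()
```

Run it as `python fake_c2.py 8080` on the lab gateway and redirect the sample's traffic to it; the stderr stream is what you keep, since the path, User-Agent and POST prefix of each beacon are exactly the network indicators the earlier slide asks the analysis to produce. A sample that expects TLS or a non-HTTP protocol will need a different listener; the request log is the part that carries over.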
Slide 61
<#3> Sandbox-based Analysis
Slide 62
Detailed Artifact Execution
Slide 63
Screenshots Available!!!
Slide 64
The Online Cuckoo Service
Slide 66
but be careful to fully Understand Objectives!
Slide 67
Questions?
Domande? (Italian)
ةَّيَأ ِبلاَطَم (Arabic)
¿Preguntas? (Spanish)
Questions? (English)
tupoQghachmey (Klingon)
(Sindarin)
(Japanese)
Ερωτήσεις? (Greek)
вопросы? (Russian)