SlideShare ist ein Scribd-Unternehmen logo

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladislav Hrčka

Als PPTX, PDF herunterladen
CODE BLUE
CODE BLUE

In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM. Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.

Präsentationen & Vorträge
1 von 54
Under the hood of Wslink’s multilayered virtual machine Vladislav Hrčka | Malware Researcher
Vladislav Hrčka Malware Researcher at ESET @HrckaVladislav
Agenda •Intro to VMs in general and symbolic execution •Internals of the VM used in Wslink •Our approach to dealing with the obfuscation •Demonstration of the approach
Process VMs basics • Interpreter executes the bytecode • Bytecode contains instructions with: • Opcodes • Operands • Handlers define individual opcodes
VM based obfuscation
VM based obfuscation
Symbolic execution in Miasm • Expresses the code in mathematical formulas • Registers and memory are treated as symbolic values • Summarizes the code’s effects on the symbolic values • We will frequently use it • Original ASM: MOV EAX, EBX MOV ECX, DWORD PTR [EDX] XOR ECX, 0x123 MOV AX, WORD PTR [ESI] JMP ECX • Performed symbolic execution: EAX = {@16[ESI] 0 16, EBX[16:32] 16 32} ECX = @32[EDX] ^ 0x123 zf = @32[EDX] == 0x123 nf = (@32[EDX] ^ 0x123)[31:32] ... EIP = @32[EDX] ^ 0x123 IRDst = @32[EDX] ^ 0x123
Symbolic execution in Miasm • Allows us to simply apply known concrete values • Concrete values can simplify the expressions • Performed Symbolic execution: EAX = {@16[ESI] 0 16, EBX[16:3… ECX = @32[EDX] ^ 0x123 zf = @32[EDX] == 0x123 nf = (@32[EDX] ^ 0x123)[31:32] ... EIP = @32[EDX] ^ 0x123 IRDst = @32[EDX] ^ 0x123 • Applied EDX = 0x96 and @32[0x96] = 0xFEED: EAX = {@16[ESI] 0 16, EBX[16:3… ECX = 0xFFCE zf = 0x0 nf = 0x0 ... EIP = 0xFFCE IRDst = 0xFFCE EDX = 0x96 @32[0x96] = 0xFEED
End of introduction
• A virtualized function • Virtualized functions contain: • Prologue • Call to VM entry • Gibberish code Wslink: First contact
Junk code
Overview of the VM’s structure
Overview of the VM’s structure
• Prepares the next virtual instruction • Increases VPC (virtual program counter) • Zeroes out a register • RBP_init is context pointer • Instruction table at offset 0xA4 • VPC at offset 0x28 VM2: The first executed virtual instruction
•Instruction 2 • Zeroes out several virtual registers •Instruction 3 • Stores RSP in a virtual register VM2: Virtual instructions 2 and 3
VM2: Virtual instruction 4 • Multiple basic blocks:
• Multiple basic blocks: VM2: Virtual instruction 4 • Summary of the first block – memory assignments and IRDst:
• Multiple basic blocks: VM2: Virtual instruction 4 • Summary of the first block – memory assignments and IRDst:
• Multiple basic blocks: VM2: Virtual instruction 4 • Summary of the first block – memory assignments and IRDst: • Rolling decryption – encryption of operands • Values of virtual registers at offsets 0x0B and 0x70 were set earlier
VM2: Virtual instruction 4 - deobfuscation • The first original block
VM2: Virtual instruction 4 - deobfuscation • The first original block
VM2: Virtual instruction 4 - deobfuscation • The first original block • Application of known values of the rolling decryption registers • Application of known bytecode values reveals POP IRDst = (-@16[@64[RBP_init + 0x28] + 0x4] ^ 0x3038 == @16[@64[RBP_init + 0x28] + 0x6])?(0x7FEC91ABD1C,0x7FEC91ABCF6) @64[RBP_init + {-@16[@64[RBP_init + 0x28] + 0x4] ^ 0x3038, 0, 16, 0x0, 16, 64}] = @64[RSP_init] IRDst = @64[@64[RBP_init + 0xA4] + 0x5A8] @64[RBP_init + 0x28] = @64[RBP_init + 0x28] + 0x8 @64[RBP_init + 0x141] = @64[RBP_init + 0x141] + 0x8 @64[RBP_init + 0x12A] = @64[RSP_init]
• Virtual instruction 4 summary: VM2: Deobfuscating bytecode chunks IRDst = @64[@64[RBP_init + 0xA4] + 0x5A8] @64[RBP_init + 0x28] = @64[RBP_init + 0x28] + 0x8 @64[RBP_init + 0x141] = @64[RBP_init + 0x141] + 0x8 @64[RBP_init + 0x12A] = @64[RSP_init]
• Build a graph from summaries • Treat some values as concrete: • Rolling decryption registers • Memory accesses relative to the bytecode pointer • Preserve only decryption registers’ values between blocks VM2: Deobfuscating bytecode chunks • Virtual instruction 4 summary: IRDst = @64[@64[RBP_init + 0xA4] + 0x5A8] @64[RBP_init + 0x28] = @64[RBP_init + 0x28] + 0x8 @64[RBP_init + 0x141] = @64[RBP_init + 0x141] + 0x8 @64[RBP_init + 0x12A] = @64[RSP_init] virtual_instruction2_1(vpc) virtual_instruction2_2(vpc) virtual_instruction2_1(vpc) virtual_instruction2_3(vpc) virtual_instruction2_4(vpc)
VM1: Deobfuscated virtual instruction structure CFG
VM1: Deobfuscated virtual instruction structure OUTRO CFG INTRO
OUTRO CFG INTRO
CFG INTRO Legend: Yellow – Push virtual registers Red – Pop virtual registers; switch context Green – Jump to register OUTRO
• Virtual instructions 1, 2, 3 • The same behavior as in VM2 VM1: Initially executed virtual instructions
VM1: Virtual instruction 4
VM1: Virtual instruction 4 • Instruction merging – contains, e.g., POP and PUSH operations • Operands decide which instruction is executed • PUSH:
VM1: Virtual instruction 4 • Instruction merging – contains, e.g., POP and PUSH operations • Operands decide which instruction is executed • POP:
• Instruction merging – contains, e.g., POP and PUSH operations • Operands decide which instruction is executed • PUSH/POP • Can be simplified by making the operands concrete VM1: Virtual instruction 4
VM1: Deobfuscating bytecode chunks • Use the same approach as in VM2: • Build a graph from summaries • Treat certain values as concrete • Preserve certain values between blocks • Process both VMs at once: • Additionally make the entire VM2 concrete • Ignore assignments to the VM2 context virtual_instruction2_1(vpc) virtual_instruction2_2(vpc) virtual_instruction2_1(vpc) virtual_instruction2_3(vpc) virtual_instruction2_4(vpc)
Resulting graph contained unexpected branches instead of a series of POPs VM1: Issue with opaque predicates during deobfuscation
VM1: Issue with opaque predicates during deobfuscation •The branches check a known value • We can apply the value and simplify it • This is a sort of opaque predicates
Does the approach work?
Analyzing results Bytecode block VM1 VM2 Size in bytes 695 1,145 Total number of processed virtual instructions 62 109 Total number of underlying native instructions 3,536,427 17,406 Total number of resulting IR instructions (including IRDsts) 192 307 Execution time in seconds 382 10
NON-OBFUSCATED SAMPLE* Processed ServiceMain bytecode OBFUSCATED
DEOBFUSCATED
ORIGINAL SAMPLE DEOBFUSCATED SIMPLIFIED mov R0, [R0] mov R1, 28
lea R2, BASE+0xE3808 ORIGINAL SAMPLE DEOBFUSCATED SIMPLIFIED
ORIGINAL SAMPLE DEOBFUSCATED
ORIGINAL SAMPLE DEOBFUSCATED
ORIGINAL SAMPLE DEOBFUSCATED lea R2, BASE+0x2FB0 mov R3, R0 SIMPLIFIED
ORIGINAL SAMPLE DEOBFUSCATED SIMPLIFIED lea Rdest, BASE+0x8C038
ORIGINAL SAMPLE DEOBFUSCATED lea Rdest, BASE+0x8C038 ... jmp Rdest RETaddr = &vm_pre_initX()
•Symbolic execution cannot process unbounded loops Limitations • Instructions using such loops need to be addressed by other means
Symbolic execution can help devirtualize advanced unknown VMs in a reasonable time if we treat the right values as concrete Takeaway
Links You can read the whitepaper at WeLiveSecurity.com Full source code is available in ESET git repository
www.eset.com | www.welivesecurity.com | @ESETresearch Vladislav Hrčka Malware Researcher vladislav.hrcka@eset.com | @HrckaVladislav Questions?

Empfohlen

Deep hooks
Deep hooksDeep hooks
Deep hooksYarden Shafir
 
Single instruction multiple data
Single instruction multiple dataSingle instruction multiple data
Single instruction multiple dataSyed Zaid Irshad
 
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsStealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsМохачёк Сахер
 
BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat Security Conference
 
FreeBSD VPC Introduction
FreeBSD VPC IntroductionFreeBSD VPC Introduction
FreeBSD VPC IntroductionSean Chittenden
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Bh ad-12-stealing-from-thieves-saher-slides
Bh ad-12-stealing-from-thieves-saher-slidesBh ad-12-stealing-from-thieves-saher-slides
Bh ad-12-stealing-from-thieves-saher-slidesMatt Kocubinski
 
Дмитрий Вовк: Векторизация кода под мобильные платформы
Дмитрий Вовк: Векторизация кода под мобильные платформыДмитрий Вовк: Векторизация кода под мобильные платформы
Дмитрий Вовк: Векторизация кода под мобильные платформыDevGAMM Conference
 

Empfohlen

Deep hooks
Deep hooksDeep hooks
Deep hooksYarden Shafir
 
Single instruction multiple data
Single instruction multiple dataSingle instruction multiple data
Single instruction multiple dataSyed Zaid Irshad
 
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsStealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsМохачёк Сахер
 
BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat Security Conference
 
FreeBSD VPC Introduction
FreeBSD VPC IntroductionFreeBSD VPC Introduction
FreeBSD VPC IntroductionSean Chittenden
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Bh ad-12-stealing-from-thieves-saher-slides
Bh ad-12-stealing-from-thieves-saher-slidesBh ad-12-stealing-from-thieves-saher-slides
Bh ad-12-stealing-from-thieves-saher-slidesMatt Kocubinski
 
Дмитрий Вовк: Векторизация кода под мобильные платформы
Дмитрий Вовк: Векторизация кода под мобильные платформыДмитрий Вовк: Векторизация кода под мобильные платформы
Дмитрий Вовк: Векторизация кода под мобильные платформыDevGAMM Conference
 
Fast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssemblyFast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssemblyFluence Labs
 
Reduced instruction set computers
Reduced instruction set computersReduced instruction set computers
Reduced instruction set computersSyed Zaid Irshad
 
SIMD inside and outside oracle 12c
SIMD inside and outside oracle 12cSIMD inside and outside oracle 12c
SIMD inside and outside oracle 12cLaurent Leturgez
 
AVX512 assembly language in FFmpeg
AVX512 assembly language in FFmpegAVX512 assembly language in FFmpeg
AVX512 assembly language in FFmpegKieran Kunhya
 
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fluence Labs
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorAsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorDave Voutila
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
Eusecwest
EusecwestEusecwest
Eusecwestzynamics GmbH
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JITMarcus Denker
 
So You Want To Write Your Own Benchmark
So You Want To Write Your Own BenchmarkSo You Want To Write Your Own Benchmark
So You Want To Write Your Own BenchmarkDror Bereznitsky
 
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDefconRussia
 
POWER processor and features presentation
POWER processor and features presentationPOWER processor and features presentation
POWER processor and features presentationGanesan Narayanasamy
 
Deploying WO on Windows
Deploying WO on WindowsDeploying WO on Windows
Deploying WO on WindowsWO Community
 
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...Dhruv Sharma
 
Ruby 2.4 Internals
Ruby 2.4 InternalsRuby 2.4 Internals
Ruby 2.4 InternalsKoichi Sasada
 
Understanding low latency jvm gcs
Understanding low latency jvm gcsUnderstanding low latency jvm gcs
Understanding low latency jvm gcsJean-Philippe BEMPEL
 
12 virtualmachine
12 virtualmachine12 virtualmachine
12 virtualmachineThe World of Smalltalk
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
VIO on Cisco UCS and Network
VIO on Cisco UCS and NetworkVIO on Cisco UCS and Network
VIO on Cisco UCS and NetworkYousef Morcos
 
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 

Weitere ähnliche Inhalte

Ähnlich wie [cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladislav Hrčka

Fast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssemblyFast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssemblyFluence Labs
 
Reduced instruction set computers
Reduced instruction set computersReduced instruction set computers
Reduced instruction set computersSyed Zaid Irshad
 
SIMD inside and outside oracle 12c
SIMD inside and outside oracle 12cSIMD inside and outside oracle 12c
SIMD inside and outside oracle 12cLaurent Leturgez
 
AVX512 assembly language in FFmpeg
AVX512 assembly language in FFmpegAVX512 assembly language in FFmpeg
AVX512 assembly language in FFmpegKieran Kunhya
 
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fluence Labs
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorAsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorDave Voutila
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JITMarcus Denker
 
So You Want To Write Your Own Benchmark
So You Want To Write Your Own BenchmarkSo You Want To Write Your Own Benchmark
So You Want To Write Your Own BenchmarkDror Bereznitsky
 
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDefconRussia
 
POWER processor and features presentation
POWER processor and features presentationPOWER processor and features presentation
POWER processor and features presentationGanesan Narayanasamy
 
Deploying WO on Windows
Deploying WO on WindowsDeploying WO on Windows
Deploying WO on WindowsWO Community
 
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...Dhruv Sharma
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
VIO on Cisco UCS and Network
VIO on Cisco UCS and NetworkVIO on Cisco UCS and Network
VIO on Cisco UCS and NetworkYousef Morcos
 

Ähnlich wie [cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladislav Hrčka (20)

Fast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssemblyFast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssembly
 
Reduced instruction set computers
Reduced instruction set computersReduced instruction set computers
Reduced instruction set computers
 
SIMD inside and outside oracle 12c
SIMD inside and outside oracle 12cSIMD inside and outside oracle 12c
SIMD inside and outside oracle 12c
 
AVX512 assembly language in FFmpeg
AVX512 assembly language in FFmpegAVX512 assembly language in FFmpeg
AVX512 assembly language in FFmpeg
 
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorAsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
 
Eusecwest
EusecwestEusecwest
Eusecwest
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JIT
 
So You Want To Write Your Own Benchmark
So You Want To Write Your Own BenchmarkSo You Want To Write Your Own Benchmark
So You Want To Write Your Own Benchmark
 
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
 
POWER processor and features presentation
POWER processor and features presentationPOWER processor and features presentation
POWER processor and features presentation
 
Deploying WO on Windows
Deploying WO on WindowsDeploying WO on Windows
Deploying WO on Windows
 
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
 
Ruby 2.4 Internals
Ruby 2.4 InternalsRuby 2.4 Internals
Ruby 2.4 Internals
 
Understanding low latency jvm gcs
Understanding low latency jvm gcsUnderstanding low latency jvm gcs
Understanding low latency jvm gcs
 
12 virtualmachine
12 virtualmachine12 virtualmachine
12 virtualmachine
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
VIO on Cisco UCS and Network
VIO on Cisco UCS and NetworkVIO on Cisco UCS and Network
VIO on Cisco UCS and Network
 

Mehr von CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 
[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...CODE BLUE
 

Mehr von CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 
[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...
 

Kürzlich hochgeladen

Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 

Kürzlich hochgeladen (20)

Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladislav Hrčka

  • 1. Under the hood of Wslink’s multilayered virtual machine Vladislav Hrčka | Malware Researcher
  • 2. Vladislav Hrčka Malware Researcher at ESET @HrckaVladislav
  • 3. Agenda •Intro to VMs in general and symbolic execution •Internals of the VM used in Wslink •Our approach to dealing with the obfuscation •Demonstration of the approach
  • 4. Process VMs basics • Interpreter executes the bytecode • Bytecode contains instructions with: • Opcodes • Operands • Handlers define individual opcodes
  • 7. Symbolic execution in Miasm • Expresses the code in mathematical formulas • Registers and memory are treated as symbolic values • Summarizes the code’s effects on the symbolic values • We will frequently use it • Original ASM: MOV EAX, EBX MOV ECX, DWORD PTR [EDX] XOR ECX, 0x123 MOV AX, WORD PTR [ESI] JMP ECX • Performed symbolic execution: EAX = {@16[ESI] 0 16, EBX[16:32] 16 32} ECX = @32[EDX] ^ 0x123 zf = @32[EDX] == 0x123 nf = (@32[EDX] ^ 0x123)[31:32] ... EIP = @32[EDX] ^ 0x123 IRDst = @32[EDX] ^ 0x123
  • 8. Symbolic execution in Miasm • Allows us to simply apply known concrete values • Concrete values can simplify the expressions • Performed Symbolic execution: EAX = {@16[ESI] 0 16, EBX[16:3… ECX = @32[EDX] ^ 0x123 zf = @32[EDX] == 0x123 nf = (@32[EDX] ^ 0x123)[31:32] ... EIP = @32[EDX] ^ 0x123 IRDst = @32[EDX] ^ 0x123 • Applied EDX = 0x96 and @32[0x96] = 0xFEED: EAX = {@16[ESI] 0 16, EBX[16:3… ECX = 0xFFCE zf = 0x0 nf = 0x0 ... EIP = 0xFFCE IRDst = 0xFFCE EDX = 0x96 @32[0x96] = 0xFEED
  • 10.
  • 11. • A virtualized function • Virtualized functions contain: • Prologue • Call to VM entry • Gibberish code Wslink: First contact
  • 13. Overview of the VM’s structure
  • 14. Overview of the VM’s structure
  • 15. • Prepares the next virtual instruction • Increases VPC (virtual program counter) • Zeroes out a register • RBP_init is context pointer • Instruction table at offset 0xA4 • VPC at offset 0x28 VM2: The first executed virtual instruction
  • 16. •Instruction 2 • Zeroes out several virtual registers •Instruction 3 • Stores RSP in a virtual register VM2: Virtual instructions 2 and 3
  • 17. VM2: Virtual instruction 4 • Multiple basic blocks:
  • 18. • Multiple basic blocks: VM2: Virtual instruction 4 • Summary of the first block – memory assignments and IRDst:
  • 19. • Multiple basic blocks: VM2: Virtual instruction 4 • Summary of the first block – memory assignments and IRDst:
  • 20. • Multiple basic blocks: VM2: Virtual instruction 4 • Summary of the first block – memory assignments and IRDst: • Rolling decryption – encryption of operands • Values of virtual registers at offsets 0x0B and 0x70 were set earlier
  • 21.
  • 22. VM2: Virtual instruction 4 - deobfuscation • The first original block
  • 23. VM2: Virtual instruction 4 - deobfuscation • The first original block
  • 24. VM2: Virtual instruction 4 - deobfuscation • The first original block • Application of known values of the rolling decryption registers • Application of known bytecode values reveals POP IRDst = (-@16[@64[RBP_init + 0x28] + 0x4] ^ 0x3038 == @16[@64[RBP_init + 0x28] + 0x6])?(0x7FEC91ABD1C,0x7FEC91ABCF6) @64[RBP_init + {-@16[@64[RBP_init + 0x28] + 0x4] ^ 0x3038, 0, 16, 0x0, 16, 64}] = @64[RSP_init] IRDst = @64[@64[RBP_init + 0xA4] + 0x5A8] @64[RBP_init + 0x28] = @64[RBP_init + 0x28] + 0x8 @64[RBP_init + 0x141] = @64[RBP_init + 0x141] + 0x8 @64[RBP_init + 0x12A] = @64[RSP_init]
  • 25. • Virtual instruction 4 summary: VM2: Deobfuscating bytecode chunks IRDst = @64[@64[RBP_init + 0xA4] + 0x5A8] @64[RBP_init + 0x28] = @64[RBP_init + 0x28] + 0x8 @64[RBP_init + 0x141] = @64[RBP_init + 0x141] + 0x8 @64[RBP_init + 0x12A] = @64[RSP_init]
  • 26. • Build a graph from summaries • Treat some values as concrete: • Rolling decryption registers • Memory accesses relative to the bytecode pointer • Preserve only decryption registers’ values between blocks VM2: Deobfuscating bytecode chunks • Virtual instruction 4 summary: IRDst = @64[@64[RBP_init + 0xA4] + 0x5A8] @64[RBP_init + 0x28] = @64[RBP_init + 0x28] + 0x8 @64[RBP_init + 0x141] = @64[RBP_init + 0x141] + 0x8 @64[RBP_init + 0x12A] = @64[RSP_init] virtual_instruction2_1(vpc) virtual_instruction2_2(vpc) virtual_instruction2_1(vpc) virtual_instruction2_3(vpc) virtual_instruction2_4(vpc)
  • 27. VM1: Deobfuscated virtual instruction structure CFG
  • 28.
  • 29. VM1: Deobfuscated virtual instruction structure OUTRO CFG INTRO
  • 31. CFG INTRO Legend: Yellow – Push virtual registers Red – Pop virtual registers; switch context Green – Jump to register OUTRO
  • 32. • Virtual instructions 1, 2, 3 • The same behavior as in VM2 VM1: Initially executed virtual instructions
  • 34. VM1: Virtual instruction 4 • Instruction merging – contains, e.g., POP and PUSH operations • Operands decide which instruction is executed • PUSH:
  • 35. VM1: Virtual instruction 4 • Instruction merging – contains, e.g., POP and PUSH operations • Operands decide which instruction is executed • POP:
  • 36. • Instruction merging – contains, e.g., POP and PUSH operations • Operands decide which instruction is executed • PUSH/POP • Can be simplified by making the operands concrete VM1: Virtual instruction 4
  • 37. VM1: Deobfuscating bytecode chunks • Use the same approach as in VM2: • Build a graph from summaries • Treat certain values as concrete • Preserve certain values between blocks • Process both VMs at once: • Additionally make the entire VM2 concrete • Ignore assignments to the VM2 context virtual_instruction2_1(vpc) virtual_instruction2_2(vpc) virtual_instruction2_1(vpc) virtual_instruction2_3(vpc) virtual_instruction2_4(vpc)
  • 38. Resulting graph contained unexpected branches instead of a series of POPs VM1: Issue with opaque predicates during deobfuscation
  • 39. VM1: Issue with opaque predicates during deobfuscation •The branches check a known value • We can apply the value and simplify it • This is a sort of opaque predicates
  • 41. Analyzing results Bytecode block VM1 VM2 Size in bytes 695 1,145 Total number of processed virtual instructions 62 109 Total number of underlying native instructions 3,536,427 17,406 Total number of resulting IR instructions (including IRDsts) 192 307 Execution time in seconds 382 10
  • 45. lea R2, BASE+0xE3808 ORIGINAL SAMPLE DEOBFUSCATED SIMPLIFIED
  • 48. ORIGINAL SAMPLE DEOBFUSCATED lea R2, BASE+0x2FB0 mov R3, R0 SIMPLIFIED
  • 50. ORIGINAL SAMPLE DEOBFUSCATED lea Rdest, BASE+0x8C038 ... jmp Rdest RETaddr = &vm_pre_initX()
  • 51. •Symbolic execution cannot process unbounded loops Limitations • Instructions using such loops need to be addressed by other means
  • 52. Symbolic execution can help devirtualize advanced unknown VMs in a reasonable time if we treat the right values as concrete Takeaway
  • 53. Links You can read the whitepaper at WeLiveSecurity.com Full source code is available in ESET git repository
  • 54. www.eset.com | www.welivesecurity.com | @ESETresearch Vladislav Hrčka Malware Researcher vladislav.hrcka@eset.com | @HrckaVladislav Questions?

Hinweis der Redaktion

  1. Subsequently to starting our analysis found a non-obfuscated sample – we weren’t motivated to fully deobfuscate the code
  2. Since 2017 been focusing on reverse engineering challenging malware samples Computer Science student at the Comenius University in the first years of master’s degree BlackHat Arsenal, AVAR
  3. Work like standard machines – machine code is bytecode here PC is offset to the bytecode here – not necessary Transfer of control from one virtual instruction to the next during interpretation needs to be performed by every VM. This process is generally known as dispatching Centralized interpreter – dispatcher – called direct call threading; can be also simple switch case Can be also inside of handlers – direct threading
  4. Stored in sep.arate section Need context switch Bytecode is generated from a function Original function starts interpreter Interpreter is embedded in the executable Context switch needs to be performed Stored in a separate section Need context switch Bytecode is generated from a function Original function starts interpreter Interpreter is embedded in the executable Context switch needs to be performed
  5. The strength of this obfuscation technique resides in the fact that the ISA of the VM is unknown to any prospective reverse engineer – a thorough analysis of the VM, which can be very time-consuming; Additionally, obfuscating VMs usually virtualize only certain “interesting” functions
  6. SE in IR IRDst 1. stands for 2. is IR instruction pointer, e.g. cmov multiple blocks X bit value dereference Self explainable dereference
  7. SE engine in Miasm automatically performs common optimization techniques
  8. The VM used in the Wslink is a variant of CV (themida) that supports multiple VMs and polymorphic layers of obfuscation techniques. We found this out subsequently to publishing our research
  9. The right side contains a part of the function
  10. Why 1071? They are duplicated! Vm_init – Sync – shared virtual context in the memory Virtual program counter (VPC) register Base address register Instruction table register
  11. Zdorazni nested VM – zacneme VM2
  12. Rolling decryption – present in a blog about VM Protect’s structure
  13. Make values relative to the bytecode ptr concrete
  14. We’ve just deobfuscated one of the VM1 instructions
  15. Let’s start with CFG
  16. Reminder – atomic operations in blocks
  17. Laser point – These IR blocks are effects of VM2 virtual instructions, they represent one VM1 virtual instruction together
  18. Zeroes out a register, stores the RSP, initializes rolling decryption registers
  19. A part of the instruction. When we inspected the code, we realized what the problem is
  20. Memory range of the VMs is known – separate section
  21. Let’s take a closer look at one of the branches <CLICK>
  22. The branches check a known value We can apply the value and simplify it This is a sort of opaque predicates
  23. We will show the results on the first executed bytecode, but before that show statistics
  24. Before we look at the devirtualized bytecode, let’s see what the execution time is approximately like Let’s look at the deobfuscated bytecode block of VM1 <CLICK>
  25. *We discovered the sample after starting our analysis
  26. No ARM R0! – pseudocode close to assembly
  27. Advanced – use junk code, duplicate and merge handlers, encrypt operands Right values – operands and registers for encryption