SlideShare ist ein Scribd-Unternehmen logo

"egg" - A stealth fine grained code analyzer

FFRI, Inc.
FFRI, Inc.
Technologie
1 von 33
Downloaden Sie, um offline zu lesen
Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp “egg” - A Stealth fine grained code analyzer Satoshi TANDA Senior Software Engineer
Fourteenforty Research Institute, Inc. / 32 Agenda • Background and problems • Introduce “egg” – Demonstration its basic functions • Implementation (Taint tracing approach in ring-0) – Demonstration of the taint tracing behavior • Discuss a limitation of “egg” • Conclusion 2
Fourteenforty Research Institute, Inc. / 32 Too many malwares! • We can’t manually analyze each malware. • Automatic approaches have become more important. 3 0 10 20 30 40 50 60 70 80 90 100 2001 yr 2003 yr 2005 yr 2007 yr The percentage of packed malwares 80% of malwares ware packed in 2007 Source: 2001-2005 : McAfee Sage vol.1 issue 1 2007 : Panda Research (http://research.pandasecurity.com/malwareformation-statistics/)
Fourteenforty Research Institute, Inc. / 32 Problems of traditional dynamic analyzers • We can’t get useful information for more intensive analysis. • We can’t analyze a kernel mode code. • It’s difficult to analyze a spreading malware over the process. 4
Fourteenforty Research Institute, Inc. / 32 Innovative analyzers (based on VM environments) • Innovative analyzers have already resolved the above problems – Anubis – Ether • It’s able to analyze a kernel mode code and perform an instruction level analysis. – BitBlaze and Renovo • Also these analyze a spreading malware automatically with approach called “taint tracing”. • However these systems are detected by VM detection techniques 5
Fourteenforty Research Institute, Inc. / 32 Summary table of problems Type of system Traditional Innovative (Based on virtual environments) Getting useful information Insufficient Good Analyzing a kernel mode code Insufficient Good Analyzing a spreading malware. Insufficient Good Not affected by VM detection techniques Good Insufficient 6 • I developed “egg” to try and resolve these problems.
Fourteenforty Research Institute, Inc. / 32 What is egg? • “egg” is a dynamic analyzer based on a Windows device driver. • egg has following capabilities: 1. It can obtain more detailed information. 2. It can analyze a kernel mode code. 3. It can automatically trace a spreading malware. • Of course, It’s not affected by VM detection techniques. • Also most common anti-debug tech can’t detect “egg”. 7
Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 1. API arguments for IN, OUT (,INOUT), and return value 8 BOOL WINAPI ReadFile( __in HANDLE hFile, __out LPVOID lpBuffer, __in DWORD nNumberOfBytesToRead, __out_opt LPDWORD lpNumberOfBytesRead, __inout_opt LPOVERLAPPED lpOverlapped );
Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 1. API arguments for IN, OUT (,INOUT), and return value 9 BOOL WINAPI ReadFile( __in HANDLE hFile, __out LPVOID lpBuffer, __in DWORD nNumberOfBytesToRead, __out_opt LPDWORD lpNumberOfBytesRead, __inout_opt LPOVERLAPPED lpOverlapped ); call to kernel32.dll!ReadFile( Arg 1 : 00000064 = File : ¥Device¥HarddiskVolume1¥WINDOWS¥(...) , Arg 3 : 00000800(2048) )
Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 1. API arguments for IN, OUT (,INOUT), and return value 10 BOOL WINAPI ReadFile( __in HANDLE hFile, __out LPVOID lpBuffer, __in DWORD nNumberOfBytesToRead, __out_opt LPDWORD lpNumberOfBytesRead, __inout_opt LPOVERLAPPED lpOverlapped ); call to kernel32.dll!ReadFile( Arg 1 : 00000064 = File : ¥Device¥HarddiskVolume1¥WINDOWS¥(...) , Arg 3 : 00000800(2048) ) returned from kernel32.dll!ReadFile( Arg 2 : 0012F184 - 0012F983 is dumped as ¥(...)¥(...)ReadFile_Arg02.bin ) => 00000001(1)
Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 11 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 12 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 13 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 14 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
Fourteenforty Research Institute, Inc. / 32 Demonstration of basic functions(movie) • Analyzing sample.exe. • Sample.exe overwrites original beep driver (beep.sys). • Then restarts beep service to install this driver in the kernel. • “egg” analyzes sample.exe and the modified beep driver. 15
Fourteenforty Research Institute, Inc. / 32 Implementation of the fine-grained code analysis • Based on the page protection and the trap flag. • Published by the paper “Stealth Breakpoints”. • We can run analysis codes for each instruction execution. • It can applies to both a kernel and user modes, and even works transparently in the user mode code. 16 Stealth Breakpoints http://www.acsac.org/2005/abstracts/72.html
Fourteenforty Research Institute, Inc. / 32 What is taint tracing? • It can automatically trace suspicious elements. • A suspicious element is marked as tainted. • A taint automatically influences new elements that used tainted elements. 17 NEW Tainted NOT Tainted Tainted Some suspicious sources
Fourteenforty Research Institute, Inc. / 32 An overview of taint tracing approach of “egg” 18 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File • egg takes a novel approach to implement the taint tracing. • In case of egg, “Elements” are Files, Virtual memory and Threads.
Fourteenforty Research Institute, Inc. / 32 An overview of taint tracing approach of “egg” 19 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File • egg takes a novel approach to implement the taint tracing. • In case of egg, “Elements” are Files, Virtual memory and Threads.
Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 20 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using API PsSetLoadImageNotifyRoutine
Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 21 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using the page protection (eXecute Disable bit)
Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 22 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using the File system filter driver
Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 23 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using the page protection (Write/Read bit)
Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 • For thread safety, egg hooks thread switching function (called SwapContext). • Therefore egg can notice a thread switching. 24 Process Memory Thread (not tainted) Thread (tainted) Thread (not tainted) Waiting WaitingRunning on processor Process memory has not been modified yet.
Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 • When taint thread becomes active, egg changes every process memory to read-only. 25 Process Memory Thread (tainted) Thread (not tainted) Thread (not tainted) Waiting WaitingRunning on processor Currently, process memory is read-only. If a thread tries to write somewhere, the processor causes an exception. egg catches this exception as taint event.
Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 • When taint thread becomes inactive, egg restores every page protection. 26 Process Memory Thread (not tainted) Thread (not tainted) Thread (not tainted) Waiting WaitingRunning on processor Process memory protection is restored.
Fourteenforty Research Institute, Inc. / 32 Tracking the cross-process memory operation • To trace cross-process memory operation, egg hooks context switching function (called KiSwapProcess). • Therefore egg can notice cross-process memory operation. 27 malware.exe Process Memory Thread (tainted) Running on processor CR3 explorer.exe Process Memory Read-only Have not been changed
Fourteenforty Research Institute, Inc. / 32 Tracking the cross-process memory operation • When taint thread is running on other process memory, its process memory will be changed to read-only. 28 malware.exe Process Memory Thread (tainted) Running on processor CR3 explorer.exe Process Memory egg can trace cross-process memory operation. (e.g. WriteProcessMemory) Restored Read-only
Fourteenforty Research Institute, Inc. / 32 Demonstration of the taint tracing function(movie) • The sample is the thread injection code. • Sample malware called “injector.exe” injects to notepad.exe with VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. • Injected thread calls AllocConsole and WriteConsole in infinite loop. • egg will trace the injected thread. 29
Fourteenforty Research Institute, Inc. / 32 Problem of same privilege • egg has limitation against kernel mode code. – egg is visible and breakable from kernel mode malware. • This limitation is result of trade off for avoiding detection by the VM detection. 30
Fourteenforty Research Institute, Inc. / 32 Conclusion • We can save time by using egg. • In the future, I will try to improve its stability and usability. 31 Type of system egg Traditional Innovative Getting useful information Good Insufficient Good Analyzing a kernel mode code Better Insufficient Good Analyzing a spreading malware. Good Insufficient Good Not affected by VM detection techniques Good Good Insufficient
Fourteenforty Research Institute, Inc. / 32 Acknowledgement • Junichi Murakami @FFR • Darren Willis @FFR 32
33 ありがとうございました Fourteenforty Research Institute, Inc. 株式会社 フォティーンフォティ技術研究所 http://www.fourteenforty.jp 発表者肩書き 発表者氏名 発表者メールアドレス Thank you! Senior Software Engineer Satoshi TANDA <tanda@fourteenforty.jp>

Empfohlen

A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside WinnypFFRI, Inc.
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkHigh-Tech Bridge SA (HTBridge)
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsAsuka Nakajima
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 

Empfohlen

A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside WinnypFFRI, Inc.
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkHigh-Tech Bridge SA (HTBridge)
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsAsuka Nakajima
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
第二回CTF勉強会資料
第二回CTF勉強会資料第二回CTF勉強会資料
第二回CTF勉強会資料Asuka Nakajima
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
[ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? [ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? Masamitsu Maehara
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
Fuzzing
FuzzingFuzzing
FuzzingKhalegh Salehi
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMichael Boman
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainProtected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainIgor Korkin
 
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...GangSeok Lee
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...Codemotion
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsTazdrumm3r
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJSFestUA
 

Weitere ähnliche Inhalte

Was ist angesagt?

第二回CTF勉強会資料
第二回CTF勉強会資料第二回CTF勉強会資料
第二回CTF勉強会資料Asuka Nakajima
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
[ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? [ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? Masamitsu Maehara
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMichael Boman
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainProtected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainIgor Korkin
 

Was ist angesagt? (11)

第二回CTF勉強会資料
第二回CTF勉強会資料第二回CTF勉強会資料
第二回CTF勉強会資料
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
[ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world? [ElasticStack]What happens when you visualize servers exposed to the world?
[ElasticStack]What happens when you visualize servers exposed to the world?
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit Detection
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
Fuzzing
FuzzingFuzzing
Fuzzing
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis
 
Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring Budget
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainProtected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
 

Ähnlich wie "egg" - A stealth fine grained code analyzer

[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...GangSeok Lee
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...Codemotion
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsTazdrumm3r
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJSFestUA
 
Cansec West 2009
Cansec West 2009Cansec West 2009
Cansec West 2009abhicc285
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Metasploit Computer security testing tool
Metasploit Computer security testing toolMetasploit Computer security testing tool
Metasploit Computer security testing toolmedoelkang600
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersAsep Sopyan
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015lpgauth
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi 6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi OdessaJS Conf
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 

Ähnlich wie "egg" - A stealth fine grained code analyzer (20)

[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypots
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
 
Cansec West 2009
Cansec West 2009Cansec West 2009
Cansec West 2009
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
Metasploit Computer security testing tool
Metasploit Computer security testing toolMetasploit Computer security testing tool
Metasploit Computer security testing tool
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi 6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
 

Mehr von FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 

Mehr von FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 

Kürzlich hochgeladen

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

"egg" - A stealth fine grained code analyzer

  • 1. Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp “egg” - A Stealth fine grained code analyzer Satoshi TANDA Senior Software Engineer
  • 2. Fourteenforty Research Institute, Inc. / 32 Agenda • Background and problems • Introduce “egg” – Demonstration its basic functions • Implementation (Taint tracing approach in ring-0) – Demonstration of the taint tracing behavior • Discuss a limitation of “egg” • Conclusion 2
  • 3. Fourteenforty Research Institute, Inc. / 32 Too many malwares! • We can’t manually analyze each malware. • Automatic approaches have become more important. 3 0 10 20 30 40 50 60 70 80 90 100 2001 yr 2003 yr 2005 yr 2007 yr The percentage of packed malwares 80% of malwares ware packed in 2007 Source: 2001-2005 : McAfee Sage vol.1 issue 1 2007 : Panda Research (http://research.pandasecurity.com/malwareformation-statistics/)
  • 4. Fourteenforty Research Institute, Inc. / 32 Problems of traditional dynamic analyzers • We can’t get useful information for more intensive analysis. • We can’t analyze a kernel mode code. • It’s difficult to analyze a spreading malware over the process. 4
  • 5. Fourteenforty Research Institute, Inc. / 32 Innovative analyzers (based on VM environments) • Innovative analyzers have already resolved the above problems – Anubis – Ether • It’s able to analyze a kernel mode code and perform an instruction level analysis. – BitBlaze and Renovo • Also these analyze a spreading malware automatically with approach called “taint tracing”. • However these systems are detected by VM detection techniques 5
  • 6. Fourteenforty Research Institute, Inc. / 32 Summary table of problems Type of system Traditional Innovative (Based on virtual environments) Getting useful information Insufficient Good Analyzing a kernel mode code Insufficient Good Analyzing a spreading malware. Insufficient Good Not affected by VM detection techniques Good Insufficient 6 • I developed “egg” to try and resolve these problems.
  • 7. Fourteenforty Research Institute, Inc. / 32 What is egg? • “egg” is a dynamic analyzer based on a Windows device driver. • egg has following capabilities: 1. It can obtain more detailed information. 2. It can analyze a kernel mode code. 3. It can automatically trace a spreading malware. • Of course, It’s not affected by VM detection techniques. • Also most common anti-debug tech can’t detect “egg”. 7
  • 8. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 1. API arguments for IN, OUT (,INOUT), and return value 8 BOOL WINAPI ReadFile( __in HANDLE hFile, __out LPVOID lpBuffer, __in DWORD nNumberOfBytesToRead, __out_opt LPDWORD lpNumberOfBytesRead, __inout_opt LPOVERLAPPED lpOverlapped );
  • 9. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 1. API arguments for IN, OUT (,INOUT), and return value 9 BOOL WINAPI ReadFile( __in HANDLE hFile, __out LPVOID lpBuffer, __in DWORD nNumberOfBytesToRead, __out_opt LPDWORD lpNumberOfBytesRead, __inout_opt LPOVERLAPPED lpOverlapped ); call to kernel32.dll!ReadFile( Arg 1 : 00000064 = File : ¥Device¥HarddiskVolume1¥WINDOWS¥(...) , Arg 3 : 00000800(2048) )
  • 10. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 1. API arguments for IN, OUT (,INOUT), and return value 10 BOOL WINAPI ReadFile( __in HANDLE hFile, __out LPVOID lpBuffer, __in DWORD nNumberOfBytesToRead, __out_opt LPDWORD lpNumberOfBytesRead, __inout_opt LPOVERLAPPED lpOverlapped ); call to kernel32.dll!ReadFile( Arg 1 : 00000064 = File : ¥Device¥HarddiskVolume1¥WINDOWS¥(...) , Arg 3 : 00000800(2048) ) returned from kernel32.dll!ReadFile( Arg 2 : 0012F184 - 0012F983 is dumped as ¥(...)¥(...)ReadFile_Arg02.bin ) => 00000001(1)
  • 11. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 11 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
  • 12. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 12 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
  • 13. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 13 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
  • 14. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 14 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
  • 15. Fourteenforty Research Institute, Inc. / 32 Demonstration of basic functions(movie) • Analyzing sample.exe. • Sample.exe overwrites original beep driver (beep.sys). • Then restarts beep service to install this driver in the kernel. • “egg” analyzes sample.exe and the modified beep driver. 15
  • 16. Fourteenforty Research Institute, Inc. / 32 Implementation of the fine-grained code analysis • Based on the page protection and the trap flag. • Published by the paper “Stealth Breakpoints”. • We can run analysis codes for each instruction execution. • It can applies to both a kernel and user modes, and even works transparently in the user mode code. 16 Stealth Breakpoints http://www.acsac.org/2005/abstracts/72.html
  • 17. Fourteenforty Research Institute, Inc. / 32 What is taint tracing? • It can automatically trace suspicious elements. • A suspicious element is marked as tainted. • A taint automatically influences new elements that used tainted elements. 17 NEW Tainted NOT Tainted Tainted Some suspicious sources
  • 18. Fourteenforty Research Institute, Inc. / 32 An overview of taint tracing approach of “egg” 18 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File • egg takes a novel approach to implement the taint tracing. • In case of egg, “Elements” are Files, Virtual memory and Threads.
  • 19. Fourteenforty Research Institute, Inc. / 32 An overview of taint tracing approach of “egg” 19 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File • egg takes a novel approach to implement the taint tracing. • In case of egg, “Elements” are Files, Virtual memory and Threads.
  • 20. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 20 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using API PsSetLoadImageNotifyRoutine
  • 21. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 21 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using the page protection (eXecute Disable bit)
  • 22. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 22 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using the File system filter driver
  • 23. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 23 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using the page protection (Write/Read bit)
  • 24. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 • For thread safety, egg hooks thread switching function (called SwapContext). • Therefore egg can notice a thread switching. 24 Process Memory Thread (not tainted) Thread (tainted) Thread (not tainted) Waiting WaitingRunning on processor Process memory has not been modified yet.
  • 25. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 • When taint thread becomes active, egg changes every process memory to read-only. 25 Process Memory Thread (tainted) Thread (not tainted) Thread (not tainted) Waiting WaitingRunning on processor Currently, process memory is read-only. If a thread tries to write somewhere, the processor causes an exception. egg catches this exception as taint event.
  • 26. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 • When taint thread becomes inactive, egg restores every page protection. 26 Process Memory Thread (not tainted) Thread (not tainted) Thread (not tainted) Waiting WaitingRunning on processor Process memory protection is restored.
  • 27. Fourteenforty Research Institute, Inc. / 32 Tracking the cross-process memory operation • To trace cross-process memory operation, egg hooks context switching function (called KiSwapProcess). • Therefore egg can notice cross-process memory operation. 27 malware.exe Process Memory Thread (tainted) Running on processor CR3 explorer.exe Process Memory Read-only Have not been changed
  • 28. Fourteenforty Research Institute, Inc. / 32 Tracking the cross-process memory operation • When taint thread is running on other process memory, its process memory will be changed to read-only. 28 malware.exe Process Memory Thread (tainted) Running on processor CR3 explorer.exe Process Memory egg can trace cross-process memory operation. (e.g. WriteProcessMemory) Restored Read-only
  • 29. Fourteenforty Research Institute, Inc. / 32 Demonstration of the taint tracing function(movie) • The sample is the thread injection code. • Sample malware called “injector.exe” injects to notepad.exe with VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. • Injected thread calls AllocConsole and WriteConsole in infinite loop. • egg will trace the injected thread. 29
  • 30. Fourteenforty Research Institute, Inc. / 32 Problem of same privilege • egg has limitation against kernel mode code. – egg is visible and breakable from kernel mode malware. • This limitation is result of trade off for avoiding detection by the VM detection. 30
  • 31. Fourteenforty Research Institute, Inc. / 32 Conclusion • We can save time by using egg. • In the future, I will try to improve its stability and usability. 31 Type of system egg Traditional Innovative Getting useful information Good Insufficient Good Analyzing a kernel mode code Better Insufficient Good Analyzing a spreading malware. Good Insufficient Good Not affected by VM detection techniques Good Good Insufficient
  • 32. Fourteenforty Research Institute, Inc. / 32 Acknowledgement • Junichi Murakami @FFR • Darren Willis @FFR 32
  • 33. 33 ありがとうございました Fourteenforty Research Institute, Inc. 株式会社 フォティーンフォティ技術研究所 http://www.fourteenforty.jp 発表者肩書き 発表者氏名 発表者メールアドレス Thank you! Senior Software Engineer Satoshi TANDA <tanda@fourteenforty.jp>