R4H Reversing for Humans

Slides:



Advertisements
Similar presentations
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Advertisements

.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Automated Malware Analysis
© 2004 Cisco Systems, Inc. All rights reserved. Managing Your Network Environment Managing Router Startup and Configuration INTRO v2.0—9-1.
Presentation By Deepak Katta
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Lecture 14: Operating Systems Intro to IT COSC1078 Introduction to Information Technology Lecture 14 Operating Systems James Harland
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Binary Auditing Geller Bedoya Michael Wozniak. Background  Binary auditing is a technique used to test the security and discover the inner workings of.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.
Malware Dynamic Analysis Veronica Kovah vkovah.ost at gmail See notes for citation1
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
Shellcode Development -Femi Oloyede -Pallavi Murudkar.
Title of Presentation DD/MM/YYYY © 2015 Skycure Why Are Hackers Winning the Mobile Malware Battle.
Overview of Windows Driver Development Reference: us/gstart/hh/gstart/gs_intro_031j.asp.
Introduction to Reverse Engineering
Sweet Problem Based Learning Reverse engineering Custom Cupcakes.
Android and IOS Permissions Why are they here and what do they want from me?
2014 Various Approaches to Malware Detection & Analysis Nidhi Rastogi PhD CS candidate, Rensselaer Polytechnic Institute (RPI), Troy, NY October 9, 2014.
Reverse Engineering Contemporary Countermeasures By: Joshua Schwartz.
Intro to Data Structures Concepts ● We've been working with classes and structures to form linked lists – a linked list is an example of something known.
Polymorphic Virus Analysis Nicolas BRULEZ Senior Virus Researcher Websense Security Labs IMPROVISED TALK MMMKAY?!
Title Line Subtitle Line Top of Content Box Line Top of Footer Line Left Margin LineRight Margin Line Top of Footer Line Top of Content Box Line Subtitle.
Module 51 (Mobile Device Fundamentals - Android)
Start-SPPowerShell – Introduction to PowerShell for SharePoint Admins and Developers Paul BAker.
Beginning of Xamarin for iOS development
Shellcode COSC 480 Presentation Alison Buben.
Malware malicious software which is specifically designed to disrupt, damage, or gain authorized access to a computer system Analysis detailed examination.
Lab assignments Follow each lab walkthrough in textbook
Firmware threat Dhaval Chauhan MIS 534.
BOYS AND GIRLS There are many different kinds of friends. It is nice to have lots of friends Friends are people who talk together and play games. Friends.
Static and dynamic analysis of binaries
A lustrum of malware network communication: Evolution & insights
Topics Introduction Hardware and Software How Computers Store Data
Techniques, Tools, and Research Issues
Chapter 1. Basic Static Techniques
War between Good and Evil.
Primary Longman Elect 6B Chapter 1 Text Type Riddles.
A Malware Similarity Testing Framework
What is Computer Security
How can we become good learners?
Malware Incident Response  Dynamic Analysis - 2
Part 1: Basic Analysis Chapter 1: Basic Static Techniques
SharePoint Saturday Omaha April 2016
Chapter 3. Basic Dynamic Analysis
Lab assignments Follow each lab walkthrough in textbook
COEN 252 Computer Forensics
Chapter 1 Introduction.
Hardware Security – Highlevel Survey Review for Exam 4
CHAPTER 1 Introduction Chapter objectives: Understand what Android is
Programs – Loading and Running an Executable
Lecture9: Embedded Network Operating System: cisco IOS
CSC 497/583 Advanced Topics in Computer Security
Software Lesson 3.
Chapter-1 Computer is an advanced electronic device that takes raw data as an input from the user and processes it under the control of a set of instructions.
CSC 497/583 Advanced Topics in Computer Security
Basic Dynamic Analysis VMs and Sandboxes
Setup a VM to use for analyzing malware
Talking Malware Analysis with MITRE
Perspective on Web Game Tech from the Instant Games team
Lecture9: Embedded Network Operating System: cisco IOS
Weaponizing IoT Ted Harrington Executive Partner
Presentation transcript:

R4H Reversing for Humans Juan C. Cortes @kongo_86

Outline About me Intro Why we reverse things? Purpose Malware Intro x 10 Tools Reversing Time

About Me Malware Researcher & Reverser @ <3‘s redbull, chocolate covered expresso beans, assembly, learning

Intro Reversing is hard… There is a load of malware We all want to save the world

Why RE all the things?

Why do we RE things? Reverse engineering: disassemble and examine or analyze in detail (as a product or device) to discover the concepts involved in manufacture usually in order to produce something similar JCC Dictionary: Figure out what thing is doing what thing Should be part of some component of YOUR Incident Response Plan

Why do we RE things? For me: At the end: I love the challenge and puzzles. Want to know the What,Why,How of an attacker’s code Slow || Stop their badness At the end:

Goal for today

What is the goal for today? Help you reverse faster Help your reversers help you

What is the goal for today? Get better at all things!

What is the goal for today? Help your reversers help you Known what to ask your reversers for Provide CONTEXT. More is better. Offsets, offsets, offsets

What is the goal for today?

What is this Malware you speak of?

What is this Malware you speak of? Malware is short of malicious software. A general term to describe all forms of malicious software Worms Virus Backdoors||Trojans (ransom|spy|ad|scare)ware

What is this Malware you speak of? Malware doesn’t play favorites: Windows OSX Android iOS Linux

What is this Malware you speak of?

T00ls

T00ls Static Dynamic FakeNet InetSim ByteCodeViewer dnSpy

Reversing Methodology & Goal

Reversing Methodology Security Event/Alert AV/FW/Webfilter Notifications Basic Static Analysis Inspect PE file Public Resources Dynamic/Behavioral Analysis Sandbox Execution in VM Advanced Analysis Debugging Disassembling Code Analysis

Reversing with a Goal Why are you reversing it? What do you want? -no meme fail.sorry

Reversing Time

Sample #1 Hi friend, I've got a DLL with export 'CI' which beacons to google. c00lguy1 c00lguy2 Hi back friend, Ok! Much excite! It looks like it's decoding strings with function 10001020

Sample #1 2d22bd6df33d18d366686c5b8338dad653dfcb20863a546718f11b17b6a60035

Sample #2 Yo friend, fo sho! c00lguy1 c00lguy2 Yo friend, interested in helping me again? Yo friend, fo sho! c00lguy1 c00lguy2 Here's the scenario: PotPlayerMini.exe loads PotPlayer.dll. calls export PreprocessCmdLineExW. That export does 2 things 1) persistence 2) loads update.dat, shellcode Delivered in a self extracting archive so they are all in the same directory when executed Shellcode decodes two buffers. I can’t figure out the second routine. Cool. Give me those Offset & Files

Sample #2 cont… c00lguy1 c00lguy2 PotPlayerMini.exe calls PotPlayer.dll code around 4011BB PotPlayer.dll opens update.dat around 10001256 PotPlayer.dll does the incremental xor at 100012C8 PotPlayer.dll calls the shellcode at 100012DD The shellcode should be at offset 3b0000 in memory The decoding routing I'm curious about begins at 3b1bb3 c00lguy1 c00lguy2

Sample #2 76da9d0046fe76fc28b80c4c1062b17852264348fd873b7dd781f39491f911e0 71dc3d7978132e0a885d388d54d30770e06664d5cf52a9b5e1c0620d039f29f0

Sample #3 I have a case with a cust that did not provide a lot of information. Not even a hash. They gave me a screenshot of a google search Can you help? guy1 c00lguy2 Um... No hash? Um... No sample?

Sample #3 c00lguyA c00lguy2 Hey! I seen this! It is suppose to do the following... But according to cuckoo is not doing anything. Here is an analysis of someone in Chinese. c00lguyA c00lguy2 Thank the InternetGods for Google Translate.

Sample #3

Sample #3

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.