CSC 497/583 Advanced Topics in Computer Security

Slides:



Advertisements
Similar presentations
Sample chapter from Reverse Engineering Course.
Advertisements

Lots of content, the hope is that they will be used as reference material after the presentation.
Operating Systems1 9. Linking and Sharing 9.1 Single-Copy Sharing –Why Share –Requirements for Sharing –Linking and Sharing 9.2 Sharing in Systems without.
Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3 J. Levine: Linkers & Loaders
Linking & Loading CS-502 Operating Systems
Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.
Operating System Security : David Phillips A Study of Windows Rootkits.
CS 31003: Compilers ANIRUDDHA GUPTA 11CS10004 G2 CLASS DATE : 24/07/2013.
1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Loader- Machine Independent Loader Features
1 CE6130 現代作業系統核心 Modern Operating System Kernels 許 富 皓.
OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
A genda for Today What is memory management Source code to execution Address binding Logical and physical address spaces Dynamic loading, dynamic linking,
MIPS coding. SPIM Some links can be found such as:
Rootkits in Windows XP  What they are and how they work.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
Linking and Loading Linker collects procedures and links them together object modules into one executable program. Why isn't everything written as just.
CS 444 Introduction to Operating Systems
Executable Unpacking using Dynamic Binary Instrumentation Shubham Bansal (iN3O) Feb 2015 UndoPack 1.
MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.
CSE451 Linking and Loading Autumn 2002 Gary Kimura Lecture #21 December 9, 2002.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.
CPS3340 COMPUTER ARCHITECTURE Fall Semester, /29/2013 Lecture 13: Compile-Link-Load Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE.
L ECTURE -9 Topics : Compiler Interpreter Loader Linker. Types of Software..
IST 222 Day 3. Homework for Today Take up homework and go over Go to Microsoft website and check out their hardware compatibility list.
CSE 451: Operating Systems Winter 2011 Linking, Loading and Process Startup Mark Zbikowski Gary Kimura.
Application Remediation
Win32 Programming Lesson 19: Introduction to DLLs.
Lecture 11 Example Rootkit. Intel internship Intel CTG (Corporate Technology Group) –Advanced research & development –System integrity services using.
LECTURE 3 Translation. PROCESS MEMORY There are four general areas of memory in a process. The text area contains the instructions for the application.
OE-NIK HP Advanced Programming Using and creating DLL files.
Object Files & Linking. Object Sections Compiled code store as object files – Linux : ELF : Extensible Linking Format – Windows : PE : Portable Execution.
GOT overwrites and IAT hooks. What is this?  The GOT hijack was a key exploit technique for me, it was the first time I internalized that we are overwriting.
1 CE 454 Computer Architecture Lecture 11 Ahmed Ezzat The Assembly Language Level, Ch-(7.1 – 7.4)
IT 244 Complete Class To purchase this material link 244/IT-244-Complete-Class. For more courses visit our website
Lecture 3 Translation.
Topic 2: Hardware and Software
Introduction to Computers, the Internet and the World Wide Web
Chapter 1. Basic Static Techniques
The University of Adelaide, School of Computer Science
Linking & Loading.
Location of Cluster Files and Folders
Programs – Dynamic Linking and Loading
CS-3013 Operating Systems C-term 2008
Microsoft Windows Technical Support Setup,Install,Activate
Programming COMP104: Fundamentals and Methodology Introduction.
The Assembly Language Level
Chapter 3. Basic Dynamic Analysis
Machine Independent Features
COEN 252 Computer Forensics
Working with Linux Libraries in Delphi
Lecture Topics: 11/1 General Operating System Concepts Processes
CSE 451: Operating Systems Winter 2010 Module 16 Linking, Loading and Process Startup Mark Zbikowski Gary Kimura 1.
Computer Organization and Design Assembly & Compilation
The Assembly Language Level
Linking & Loading CS-502 Operating Systems
Chapter 3 Socket API © Bobby Hoggard, Department of Computer Science, East Carolina University These slides may not be used or duplicated without permission.
CMSC 491/691 Malware Analysis
CSE 451: Operating Systems Winter 2009 Module 16 Linking, Loading and Process Startup Mark Zbikowski Gary Kimura 1.
CSC 497/583 Advanced Topics in Computer Security
10/6: Lecture Topics C Brainteaser More on Procedure Call
Linking & Loading CS-502 Operating Systems
RUN-TIME STORAGE Chuen-Liang Chen Department of Computer Science
Following Malware Execution in IDA
CSC 497/583 Advanced Topics in Computer Security
Program Assembly.
CSC 497/583 Advanced Topics in Computer Security
Understanding DLLs and headers, and libs… Jeff Chastine.
Presentation transcript:

CSC 497/583 Advanced Topics in Computer Security Class6 CSC 497/583 Advanced Topics in Computer Security Modern Malware Analysis Static Analysis: Real-world Case Study Si Chen (schen@wcupa.edu)

Load PE file (Notepad.exe) into Memory

NT Header https://docs.microsoft.com/en-us/windows/desktop/api/winnt/

PE Header Structure

IAT (Import Address Table)

Look up IAT Table with PEview

IAT Table Two ways to Load DLL An executable file links to (or loads) a DLL in one of two ways: Implicit Linking (load-time dynamic linking) The operating system loads the DLL when the executable using it is loaded. IAT Table

Implicit Linking and IAT (Import Address Table) Notepad.exe Call CreateFileW()  Call 0x01001104  Call 0x7C810CD9 Call 0x01001104 Look up IAT Table Function Name IAT Address Real Address … CreateFileW() 0x01001104 0x7C810CD9 When the application was first compiled, it was designed so that all API calls will NOT use direct hardcoded addresses but rather work through a function pointer. This was accomplished through the use of an import address table. This is a table of function pointers filled in by the windows loader as the dlls are loaded. 

IAT (Import Address Table) Why IAT?

IAT (Import Address Table) Support different Windows Version (9X, 2K, XP, Vista, 7, 8, 10) Call CreateFileW() --> Call 0x01001104 Look up XP IAT Table Function Name IAT Address Real Address … CreateFileW() 0x01001104 0x7C810CD9 Windows 7 Function Name IAT Address Real Address … CreateFileW() 0x01001104 0x7C81FFFF

IAT (Import Address Table) Support DLL Relocation

Import Directory Table The Import Directory Table contains entries for every DLL which is loaded by the executable. Each entry contains, among other, Import Lookup Table (ILT) and Import Address Table (IAT)

Inspecting file imports with pefile library

EAT (Export Address Table) Similar to IAT, EAT data is stored in IMAGE_EXPORT_DIRECTORY EAT contains an RVA that points to an array of pointers to (RVAs of) the functions in the module. 

Inspecting file export with pefile library

Real-world Case Study

(Trojan.Win32.Dllhijack.a) 16d6b0e2c77da2776a88dd88c7cfc672 (Trojan.Win32.Dllhijack.a)

16d6b0e2c77da2776a88dd88c7cfc672

16d6b0e2c77da2776a88dd88c7cfc672

16d6b0e2c77da2776a88dd88c7cfc672 https://www.hybrid-analysis.com/sample/037203d274cb66bad34559c0f426e9e1bf91a048155240581f4aa554be17925c?environmentId=100

0fd6e3fb1cd5ec397ff3cdbaac39d80c

6a764e4e6db461781d080034aab85aff & cc3c6c77e118a83ca0513c25c208832c

e0bed0b33e7b6183f654f0944b607618

e0bed0b33e7b6183f654f0944b607618

(Rootkit.Win32.blackken.b) db8199eeb2d75e789df72cd8852a9fbb (Rootkit.Win32.blackken.b)

db8199eeb2d75e789df72cd8852a9fbb Is this claim correct? If two export functions share the same address, it’s a malware.

1c1131112db91382b9d8b46115045097

1c1131112db91382b9d8b46115045097

Lab1 Create your own anti-malware system based on heuristic analysis. Check course website

Q & A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.