Download presentation
Presentation is loading. Please wait.
Published byJocelyn Montgomery Modified over 7 years ago
1
Dissecting complex code-reuse attacks with ROPMEMU
Mariano Graziano Cisco Talos
2
whoami Security researcher at Cisco Talos
Ph.D. from Telecom ParisTech/Eurecom Hackademic Malware analysis / Memory forensics / Mitigations
3
CODE INJECTION ATTACKS
4
CODE INJECTION ATTACKS
5
CODE INJECTION ATTACKS
Attackers inject or load malicious code (or modify the existing one)
6
CODE-REUSE ATTACKS - ROP
7
CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)
8
CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)
9
CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)
10
CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)
11
CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)
12
CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)
13
CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)
14
CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)
15
CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30) ?!?
16
HW and OS countermeasures forced ROP adoption
MOTIVATION HW and OS countermeasures forced ROP adoption
17
HW and OS countermeasures forced ROP adoption
MOTIVATION HW and OS countermeasures forced ROP adoption Persistent ROP rootkit – Vogl et al. [NDSS 14] ROP as an obfuscation technique (malware in the wild) All existing tools cope with injected code No tools to dissect ROP payloads
18
ROP ROOTKITS
19
CHUCK - CHALLENGES Memory region for the persistent control structure
Overwrites protection: Interrupts Self-overwriting Resume original/normal control flow Activate the persistent component
20
CHUCK - CHALLENGES Memory region for the persistent memory region
Overwrites protection: Interrupts Self-overwriting Resume original/normal control flow Activate the persistent component
21
CHUCK - PERSISTENCE CVE-2013-2094 sysenter IA32_SYSENTER_ESP (0x175)
IA32_SYSENTER_EIP (0x176)
22
CHUCK - PERSISTENCE CVE-2013-2094 sysenter
IA32_SYSENTER_ESP (0x175) – Copy chain IA32_SYSENTER_EIP (0x176) - ret
23
1 https://www.sec.in.tum.de/persistent-data-only-malware/
CHUCK PoC1: LPE: CVE OS: Ubuntu Server 3.8 with secure boot Hooks: sys_read sys_getdents Chains: Copy chain (persistent) Dispatcher chain Payload chain 1
24
CHALLENGES
25
CHALLENGES [C1] Verbosity
26
CHALLENGES [C1] Verbosity [C2] Lack of immediate values
27
CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining
28
CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches
29
CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions
30
CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains
31
CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains [C7] Stop condition
32
CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains [C7] Stop condition
33
CHALLENGES - Lu et al. – ACSAC12 - Yadegari et al. – S&P15 - Stancill et al. – RAID13 - Lu et al. – ACSAC12 [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains [C7] Stop condition
34
APPROACH ROPMEMU framework adopts many techniques: Memory forensics
Code emulation Multi-path exploration CFG recovery Compiler transformations
35
IMPLEMENTATION Standalone scripts (bash and python):
Volatility plugins (ropemu and unchain) depend on: Capstone Unicorn nasm Standalone scripts (bash and python): GDB python pygraphviz
36
ROPMEMU
37
ROPMEMU
38
DEMO 0x01 DEMO 0x01
39
ROPMEMU
40
DEMO 0x02 DEMO 0x02
41
ROPMEMU
42
DEMO 0x03 DEMO 0x03
43
ROPMEMU
44
ROPMEMU
45
EXPERIMENT CHAINS INSTRUCTIONS GADGETS BLOCKS BRANCHES FUNCTIONS CALLS
COPY 414275 184126 1 - DISPATCHER 63515 18874 7 3 5 PAYLOAD 6320 2913 34 26 9 17
46
RESULTS - CFG
47
RESULTS - CFG
48
RESULTS - IDA
49
DEMO 0x04 DEMO 0x04
50
LIMITATIONS Prone to anti-acquisition Prone to anti-emulation
Lack of completeness on arbitrary inputs
51
CONCLUSIONS Source code: https://github.com/vrtadmin/ROPMEMU
First public tool to analyze code-reuse payloads Tested on the most complex public threat
52
QUESTIONS? Mariano Graziano @emd3l
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.