Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 497/583 Advanced Topics in Computer Security

Published byEeva-Liisa Tikkanen Modified over 5 years ago

Similar presentations

Presentation on theme: "CSC 497/583 Advanced Topics in Computer Security"— Presentation transcript:

1 CSC 497/583 Advanced Topics in Computer Security
Class6 CSC 497/583 Advanced Topics in Computer Security Modern Malware Analysis Static Analysis: Real-world Case Study Si Chen

2 Load PE file (Notepad.exe) into Memory

3 NT Header

4

5 PE Header Structure

6 IAT (Import Address Table)

7 Look up IAT Table with PEview

8 IAT Table Two ways to Load DLL
An executable file links to (or loads) a DLL in one of two ways: Implicit Linking (load-time dynamic linking) The operating system loads the DLL when the executable using it is loaded. IAT Table

9 Implicit Linking and IAT (Import Address Table)
Notepad.exe Call CreateFileW()  Call 0x  Call 0x7C810CD9 Call 0x Look up IAT Table Function Name IAT Address Real Address CreateFileW() 0x 0x7C810CD9 When the application was first compiled, it was designed so that all API calls will NOT use direct hardcoded addresses but rather work through a function pointer. This was accomplished through the use of an import address table. This is a table of function pointers filled in by the windows loader as the dlls are loaded. 

10 IAT (Import Address Table)
Why IAT?

11 IAT (Import Address Table)
Support different Windows Version (9X, 2K, XP, Vista, 7, 8, 10) Call CreateFileW() --> Call 0x Look up XP IAT Table Function Name IAT Address Real Address CreateFileW() 0x 0x7C810CD9 Windows 7 Function Name IAT Address Real Address CreateFileW() 0x 0x7C81FFFF

12 IAT (Import Address Table)
Support DLL Relocation

13 Import Directory Table
The Import Directory Table contains entries for every DLL which is loaded by the executable. Each entry contains, among other, Import Lookup Table (ILT) and Import Address Table (IAT)

14 Inspecting file imports with pefile library

15

16 EAT (Export Address Table)
Similar to IAT, EAT data is stored in IMAGE_EXPORT_DIRECTORY EAT contains an RVA that points to an array of pointers to (RVAs of) the functions in the module. 

17 Inspecting file export with pefile library

18 Real-world Case Study

19 (Trojan.Win32.Dllhijack.a)
16d6b0e2c77da2776a88dd88c7cfc672 (Trojan.Win32.Dllhijack.a)

20 16d6b0e2c77da2776a88dd88c7cfc672

21 16d6b0e2c77da2776a88dd88c7cfc672

22 16d6b0e2c77da2776a88dd88c7cfc672

23 0fd6e3fb1cd5ec397ff3cdbaac39d80c

24

25 6a764e4e6db461781d080034aab85aff & cc3c6c77e118a83ca0513c25c208832c

26

27 e0bed0b33e7b6183f654f0944b607618

28 e0bed0b33e7b6183f654f0944b607618

29 (Rootkit.Win32.blackken.b)
db8199eeb2d75e789df72cd8852a9fbb (Rootkit.Win32.blackken.b)

30 db8199eeb2d75e789df72cd8852a9fbb Is this claim correct?
If two export functions share the same address, it’s a malware.

31 1c db91382b9d8b

32 1c db91382b9d8b

33 Lab1 Create your own anti-malware system based on heuristic analysis.
Check course website

34 Q & A

Download ppt "CSC 497/583 Advanced Topics in Computer Security"

Similar presentations

Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
Lots of content, the hope is that they will be used as reference material after the presentation.

Lots of content, the hope is that they will be used as reference material after the presentation.
Operating Systems1 9. Linking and Sharing 9.1 Single-Copy Sharing –Why Share –Requirements for Sharing –Linking and Sharing 9.2 Sharing in Systems without.

Operating Systems1 9. Linking and Sharing 9.1 Single-Copy Sharing –Why Share –Requirements for Sharing –Linking and Sharing 9.2 Sharing in Systems without.
Assembler/Linker/Loader Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc11-12.html Chapter 4.3 J. Levine: Linkers & Loaders

Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3 J. Levine: Linkers & Loaders
Linking & Loading CS-502 Operating Systems

Linking & Loading CS-502 Operating Systems
Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.

Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
CS 31003: Compilers ANIRUDDHA GUPTA 11CS10004 G2 CLASS DATE : 24/07/2013.

CS 31003: Compilers ANIRUDDHA GUPTA 11CS10004 G2 CLASS DATE : 24/07/2013.
1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++

1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Loader- Machine Independent Loader Features

Loader- Machine Independent Loader Features
1 CE6130 現代作業系統核心 Modern Operating System Kernels 許 富 皓.

1 CE6130 現代作業系統核心 Modern Operating System Kernels 許 富 皓.
OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.

OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
A genda for Today What is memory management Source code to execution Address binding Logical and physical address spaces Dynamic loading, dynamic linking,

A genda for Today What is memory management Source code to execution Address binding Logical and physical address spaces Dynamic loading, dynamic linking,
MIPS coding. SPIM Some links can be found such as:

MIPS coding. SPIM Some links can be found such as:
Rootkits in Windows XP  What they are and how they work.

Rootkits in Windows XP  What they are and how they work.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.

Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
Linking and Loading Linker collects procedures and links them together object modules into one executable program. Why isn't everything written as just.

Linking and Loading Linker collects procedures and links them together object modules into one executable program. Why isn't everything written as just.
CS 444 Introduction to Operating Systems

CS 444 Introduction to Operating Systems

Similar presentations

Ads by Google