Published by Delphia Ferguson, modified over 9 years ago
1
An external perspective
2
Matt Miller
Consultant with Leviathan Security Group
Core developer for the Metasploit Framework
Uninformed Journal editor & contributor
3
External project using Phoenix
Introduction to Cthulhu
High-level architecture overview
Cool features
4
Software optimization and analysis
Basis for future Microsoft compilers and tools
Robust and extensible architecture
  ◦ Plugins
  ◦ Phases
5
RDK/SDK not yet completely solidified
  ◦ Encapsulation can help here
API is feature rich but verbose
  ◦ No simplified wrapper
No solution for large-scale analysis
  ◦ LCTG is not enough
6
Static analysis encapsulation framework
Hobby project started in June 2006
Written in C#
Goals
  ◦ Simplified interface
  ◦ Large-scale analysis
  ◦ Research sandbox
7
[Architecture diagram: Fundamentals (IDA, Phoenix), Analysis Engine, Peons (Control Flow, Data Flow, Rendering), Tools, Analysis DB]
8
[Architecture diagram repeated from the previous slide]
9
Uses a fundamental to load assemblies
Runs phases
  ◦ Import
  ◦ Analyze
  ◦ Render
Peons register to be notified on certain events
10
[Import phase diagram: Analysis Engine, Phoenix Fundamental, DB, Fundamentalist peons (Control Flow, Data Flow, Basic Types). Steps: 1. Load Assembly; 2. Assembly Loaded; 3. Import Event; 4. Normalize Information; 5. Import Event]
11
[Analysis phase diagram: Analysis Engine, Database Fundamental, DB, Analytical peons (Path Discovery, Leak Check). Steps: 1. Load Assembly; 2. Denormalize Assembly Information; 3. Assembly Loaded; 4. Analysis Event; 5. Normalize and Denormalize Information; 6. Analysis Event]
12
[Render phase diagram: Analysis Engine, DB, Renderer peons (Console, GUI), Output Store. Steps: 1. Render; 2. Denormalize Output; 3. Display]
13
Extensible and flexible way to represent binary information
May be used to support large-scale analysis
  ◦ Hundreds of modules
  ◦ More work needs to be done
Performance overhead is non-trivial
  ◦ Processing time is high
  ◦ Volatile memory usage is low
14
Simplified API
Version-independent modeling
Conceptual modeling
15
[Object model diagram: Assembly → Module → Data Type → Method, repeated for each assembly and backed by the DB. Abstract classes provide fundamental independence; concrete implementations exist for Phoenix]
16
Modeling version-independent relationships between assemblies in the database

  void CallExitProcess() { ExitProcess(0); }

[Diagram: CallExitProcess has one call to the generic kernel32!ExitProcess; distinct kernel32!ExitProcess versions (ExitProcess 1, 2, 3, 4) are related to the generic]
Appropriate versions can be selected at analysis time
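The relationship modeled on this slide, as an added illustration in Python (not Cthulhu's own C# code): call edges point at a generic, version-free symbol, the concrete module versions are related to that generic, and the version is bound only when an analysis picks one. The version strings are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Method:
    # version is None for the generic symbol (e.g. kernel32!ExitProcess);
    # concrete versions carry a module version string
    module: str
    name: str
    version: Optional[str] = None

@dataclass
class AnalysisDB:
    # generic method -> concrete versions related to it
    versions: Dict[Method, List[Method]] = field(default_factory=dict)
    # caller -> generic callees; call edges never name a version
    calls: Dict[Method, List[Method]] = field(default_factory=dict)

    def relate_version(self, generic: Method, version: str) -> Method:
        concrete = Method(generic.module, generic.name, version)
        self.versions.setdefault(generic, []).append(concrete)
        return concrete

    def add_call(self, caller: Method, callee: Method) -> None:
        if callee.version is not None:
            raise ValueError("call edges must target the generic symbol")
        self.calls.setdefault(caller, []).append(callee)

    def resolve_calls(self, caller: Method, selected: Dict[str, str]) -> List[Method]:
        # Bind each generic callee to the version selected for its module at
        # analysis time; with no (or an unknown) selection keep the generic.
        resolved = []
        for generic in self.calls.get(caller, []):
            wanted = selected.get(generic.module)
            match = [v for v in self.versions.get(generic, []) if v.version == wanted]
            resolved.append(match[0] if match else generic)
        return resolved

def build_exitprocess_example() -> AnalysisDB:
    # The slide's scenario: CallExitProcess -> generic kernel32!ExitProcess,
    # with four constructed kernel32 versions related to the generic.
    db = AnalysisDB()
    exit_process = Method("kernel32", "ExitProcess")
    for v in ("v1", "v2", "v3", "v4"):
        db.relate_version(exit_process, v)
    db.add_call(Method("test.exe", "CallExitProcess"), exit_process)
    return db
```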
17
[Conceptual modeling diagram: a Universe containing a VPN Client and a VPN Server, with components Device Driver (vpn.sys), User Interface (vpngui.exe, dialogs.dll) and Daemon (daemon.exe)]
18
Import and analyze large data sets
  ◦ All PE modules from Windows XP?
Improve database performance
Implement additional peons
  ◦ Leak Check
And the list goes on…
19
There is…
  ◦ A lot more to be said
  ◦ A lot of work left to do
  ◦ A lot of data to collect
Unfortunately, time is a factor
Questions?