Presentation is loading. Please wait.

Presentation is loading. Please wait.

What Happens In Windows 8 Stays In Windows 8 Moti Joseph & Marion Marschalek Defcamp 2014.

Published byJune Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "What Happens In Windows 8 Stays In Windows 8 Moti Joseph & Marion Marschalek Defcamp 2014."— Presentation transcript:

1 What Happens In Windows 8 Stays In Windows 8 Moti Joseph & Marion Marschalek Defcamp 2014

2 About Us Moti Joseph Security Researcher Marion Marschalek Malware Analyst

3 Agenda Vulnerabilities Automated Vulnerability Search An Approach A Solution as Proof of Concept Demo ;) Whats next?

4 Intro

5 Got a bug in your software? Can I haz it??

6 Chuck Norris On Security. Vulnerabilities are software mistakes in specification and design, but mostly mistakes in programming. Any large software package will have thousands of mistakes. Once discovered, they can be used to attack systems. This is the point of security patching: eliminating known vulnerabilities. But many systems don't get patched, so the Internet is filled with known, exploitable vulnerabilities.

7

8 How to find vulnerabilities? Application Penetration Testing Fuzzing Reverse Engineering Source Code Review Or.. Being more advanced: Tracking software bugs, introducing bugs into software, reversing security patches

9 Who is interested in finding them? Hackers Software Companies Criminals Governments Media

10 How much does a 0-day vulnerability cost?

11 “White Market” When or why to sell to white market?

12 “BlackMarket” Broker? Money? Trust?

13 What happens when you sell to the black market?

14

15 And why automate it? It‘s faster!! The hacker – can break more The software company – can fix faster Criminals – can make more money Governments – can... [SECRET] Media – has more to write about

16 The Approach

17 What happens in Windows 8 stays in Windows 8... WinAWinB lea ecx, [ebp+cb] push ecx push 4 push eax mov [esi], eax call ?ULongMult@@YGJKKPAK@Z test eax, eax... push [ebp+cb] ; cb call ds:__imp__CoTaskMemAlloc@4 xor eax, eax inc eax shl eax, cl... shl eax, 2 push eax ; cb call ds:__imp__CoTaskMemAlloc@4 Patch it!

18 Counting Function Calls quartz.lib

19 Intsafe.h & Strsafe.h Searching for security patches: Type Conversion Safe Math Functions Buffer Boundary Checks on Strings Set of 130 Signatures of ‚Safe Functions‘

20 ‚Safe Functions‘ UInt8Add UShortAdd UIntAdd ULongAdd SizeTAdd ULongLongAdd UInt8Sub UShortSub UIntSub ULongSub SizeTSub ULongLongSub UInt8ToInt8 UInt8ToChar ByteToInt8 ByteToChar ShortToInt8 ShortToUChar ShortToChar UShortToUInt8 UShortToShort IntToInt8 IntToUChar IntToChar StringCbGets StringCbGetsEx StringCbLength StringCbPrintf StringCbPrintfEx StringCbVPrintf StringCbVPrintfEx StringCchCat StringCchCatEx StringCchCatN StringCchCatNEx StringCchCopy... and many many more....

21 The Approach Flexible. Extendible. Awesome. Windows Library Parsing to DB Checking for Vulnerability Decompilation or Disassembly Diffing Library with New Version

22 The Solution

23 Pretty, eh??

24 Getting the.C Library Conversion using IDA Pro means:.dll ->.idb ->.c

25 Library Parsing DiffRay on https://github.com/pinkflawd/DiffRay Parses a library / directory of libraries Manages libraries, functions and signature hits Diff libraries functionwise Based on library ID or library name pattern

26 The Database MSSql or SQLite

27 Diff it! Compare libraries on a function basis Extract hits per function per signature

28 DiffRay HowTo: Configuration signatures.conf – whatever symbols you‘re searching for sig_mappings.conf – mappings for signatures logger.conf – logging output and formatting, details to be found at http://docs.python.org/2/howto/logging.html mssql.conf – MSSql access credentials

29 DiffRay HowTo: CMD Parsing Maintenance: python [dir]\src\Main.py --create-scheme --update-sigs python [dir]\src\Main.py --parse [library_path] --os [WinA|WinB] --type [C|LST] python [dir]\src\Main.py --dirparse [directory_path] --os [WinA|WinB] --type [C|LST] python [dir]\src\Main.py --flushall Switches: --backend [mssql|sqlite] --no-flush

30 DiffRay HowTo: CMD Diffing Info Output & Diffing: python [dir]\src\Main.py –-search_libs [libname_pattern] python [dir]\src\Main.py –-lib_all_info [lib_id] python [dir]\src\Main.py –-diff --lib_1 [winAlib] --lib_2 [winBlib] python [dir]\src\Main.py –-diff_byname [libname_pattern]

31 WELCOME to ze FUTURE

32 BOOM

33 Win8 Win10

34 Triggerable? Or not triggerable?

35 Callstack Smb2ExecuteCreate -> Smb2ExecuteCreateReal -> SrvCreateFile ->Smb2RkfReadStateAndResume -> Smb2RkfReadState -> Smb2RkfpConvertDeprecatedBlob

36

37 Happy Diffing.

Download ppt "What Happens In Windows 8 Stays In Windows 8 Moti Joseph & Marion Marschalek Defcamp 2014."

Similar presentations

Software Testing How has agile changed the game? Karen Greaves.

Software Testing How has agile changed the game? Karen Greaves.
Rahul Verma Sr QA Technical Lead, Anti-Malware Core, McAfee Labs.

Rahul Verma Sr QA Technical Lead, Anti-Malware Core, McAfee Labs.
Black, White, Grey Hat Hackers Not all hackers are bad…which one’s which?

Black, White, Grey Hat Hackers Not all hackers are bad…which one’s which?
Nullcon Goa 2010http://nullcon.net Intelligent Debugging and in-memory Fuzzers By Vishwas Sharma Amandeep Bharti Rohan Thakur.

Nullcon Goa 2010http://nullcon.net Intelligent Debugging and in-memory Fuzzers By Vishwas Sharma Amandeep Bharti Rohan Thakur.
Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia

Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia
Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers.

Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.

SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
0wning Antivirus Alex Wheeler Neel Mehta

0wning Antivirus Alex Wheeler Neel Mehta
The Business of Penetration Testing

The Business of Penetration Testing
Tim Newsham and Alex Stamos Stanford CS155 April 6, 2010 Bug Finding Techniques.

Tim Newsham and Alex Stamos Stanford CS155 April 6, 2010 Bug Finding Techniques.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.

Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Similar presentations

Ads by Google