binary analysis notes
play

BINARY ANALYSIS NOTES Mariano Graziano Malware Research Team - - PowerPoint PPT Presentation

May 01, 2023 •181 likes •780 views

BINARY ANALYSIS NOTES Mariano Graziano Malware Research Team - Cisco Talos M0LECON 2019 Turin, Italy - 30/11/2019 1 whoami Technical Leader at Cisco Talos PhD in System Security (Eurecom) Alma mater: Politecnico di Torino

  1. BINARY ANALYSIS NOTES Mariano Graziano Malware Research Team - Cisco Talos M0LECON 2019 Turin, Italy - 30/11/2019 1

  2. whoami ‣ Technical Leader at Cisco Talos ‣ PhD in System Security (Eurecom) ‣ Alma mater: Politecnico di Torino ‣ Binary/Malware analysis, Memory forensics, Automation 2

  3. OUTLINE ‣ Binary Analysis ‣ Linux Threat Landscape ‣ ELF 3

  4. BINARY ANALYSIS ‣ How a binary is generated? 4

  5. BINARY ANALYSIS ‣ How a binary is generated? Compilation (from source code to machine code) - 5

  6. BINARY ANALYSIS ‣ How a binary is generated? Compilation (from source code to machine code) - Preprocessing/compilation/assembling/linking - Statically linked binaries - ‣ Interpreted programs and JIT compilation —> Scripts to executables (e.g. PyInstaller) 6

  7. BINARY ANALYSIS Binary analysis is the art of understanding compiled programs 7

  8. BINARY ANALYSIS ‣ Binary analysis is the art of understanding compiled programs ‣ From machine code to assembly —> Disassembler 8

  9. DISASSEMBLER 9

  10. BINARY ANALYSIS ‣ Binary analysis is the art of understanding compiled programs ‣ From machine code to assembly ‣ Understand from the machine code what the binary does and its properties/behavior 10

  11. BINARY ANALYSIS ‣ How binary analysis is conducted? 11

  12. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Static Analysis 12

  13. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Static Analysis ‣ Strings/symbols/API calls ‣ disassembler 13

  14. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Static Analysis cost 14

  15. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Dynamic analysis 15

  16. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Dynamic analysis: ‣ Debugging/Instrumented environment ‣ Interaction with the OS 16

  17. BINARY ANALYSIS ‣ How binary analysis is conducted? ‣ Dynamic analysis 17

  18. BINARY ANALYSIS ‣ Why binary analysis is useful? 18

  19. BINARY ANALYSIS ‣ Why binary analysis is useful? ‣ Reverse engineering activities ‣ Malware analysis/Exploitation ‣ Detect plagiarism ‣ Interoperability ‣ Modify and understand applications (closed source) 19

  20. BINARY ANALYSIS ‣ Why binary analysis is hard? 20

  21. BINARY ANALYSIS ‣ Why binary analysis is hard? ‣ Semantic gap 21

  22. OUTLINE ‣ Binary Analysis ‣ Linux Threat Landscape ‣ ELF 22

  23. DESKTOP OS Share Windows 86,66 OSX 11,03 Linux 1,66 Chrome OS 0,41 Unknown 0,24 https://netmarketshare.com/operating-system-market-share.aspx? options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22 %2C%22dateStart%22%3A%222019-09%22%2C%22dateEnd%22%3A%222019-10%22%2C%22segments%22%3A%22-1000%22%7D 23

  24. DESKTOP OS Share Windows 86,66 OSX 11,03 Linux 1,66 Chrome OS 0,41 Unknown 0,24 https://netmarketshare.com/operating-system-market-share.aspx? options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22 %2C%22dateStart%22%3A%222019-09%22%2C%22dateEnd%22%3A%222019-10%22%2C%22segments%22%3A%22-1000%22%7D 24

  25. MOBILE OS Share Android 69,34 iOS 30,3 Unknown 0,25 Series 40 0,04 Windows Phone 0,03 Linux 0,02 https://netmarketshare.com/operating-system-market-share.aspx? options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Mobile%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22date Start%22%3A%222019-09%22%2C%22dateEnd%22%3A%222019-10%22%2C%22segments%22%3A%22-1000%22%7D 25

  26. MOBILE OS Share Android 69,34 iOS 30,3 Unknown 0,25 Series 40 0,04 Windows Phone 0,03 Linux 0,02 https://netmarketshare.com/operating-system-market-share.aspx? options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Mobile%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22date Start%22%3A%222019-09%22%2C%22dateEnd%22%3A%222019-10%22%2C%22segments%22%3A%22-1000%22%7D 26

  27. WEB OS Share Unix 70,8 Windows 29.2 https://w3techs.com/technologies/overview/operating_system 27

  28. WEB OS Share Unix 70,8 Windows 29.2 https://w3techs.com/technologies/overview/operating_system 28

  29. MALWARE? [1] http://www.tom-yam.or.jp/2238/ref/secur.pdf 29

  30. REALITY 30

  31. INFECTIONS ‣ Exploiting known vulnerabilities: Apache struts/ElasticSearch/Redis etc - Shellshock - CMS vulnerabilities (Wordpress, Joomla etc) - ‣ Low hanging fruits: Telnet and SSH bruteforcing - 31

  32. MALWARE ‣ Xor.DDoS — rootkit component ‣ ChinaZ — via shellshock ‣ Hand of Thief — Banker ‣ Mayhem ‣ Mirai ‣ VPNFilter — multistage ‣ HiddenWasp ‣ … 32

  33. MALWARE ‣ Xor.DDoS — rootkit component ‣ ChinaZ — via shellshock ‣ Hand of Thief — Banker Many families ‣ Mayhem and categories ‣ Mirai ‣ VPNFilter — multistage ‣ HiddenWasp ‣ … 33

  34. CURRENT SITUATION 34

  35. CURRENT SITUATION 35

  36. ELF SITUATION TOTAL NEW FILES FILES 36

  37. ELF SITUATION 9x 37

  38. ELF 38

  39. ELF HEADER 39

  40. e_ident 40

  41. e_machine 41

  42. SEGMENTS ‣ Execution view — How to create a process image ‣ A segment can contain zero or more sections 42

  43. p_type 43

  44. DEMO 0x00 READELF 44

  45. ELF HEADER 45

  46. ELF HEADER 46

  47. e_ident 47

  48. EI_DATA 48

  49. DEMO 0x00 1 BYTE https://github.com/radareorg/r2con2019/blob/master/talks/elf_crafting/ELF_Crafting_ulexec.pdf 49

  50. GLIBC INITIALIZATION ‣ Where is my main()? 50

  51. GLIBC INITIALIZATION ‣ ELF entry point points to: ‣ _start ‣ glibc initialization code - fini 400440: 31 ed xor %ebp,%ebp 400442: 49 89 d1 mov %rdx,%r9 - init 400445: 5e pop %rsi 400446: 48 89 e2 mov %rsp,%rdx - main 400449: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 40044d: 50 push %rax 40044e: 54 push %rsp 40044f: 49 c7 c0 e0 05 40 00 mov $0x4005e0,%r8 400456: 48 c7 c1 70 05 40 00 mov $0x400570,%rcx 40045d: 48 c7 c7 4d 05 40 00 mov $0x40054d,%rdi 400464: e8 b7 ff ff ff callq 400420 <__libc_start_main@plt> libc_start_main 400469: f4 hlt ‣ _start —> __libc_start_main(main, init, fini) 51

  52. DEMO 0x01 CONSTRUCTOR 52

  53. ANTI ANALYSIS ‣ Bad guys can complicate our job: ‣ Anti analysis techniques ‣ Anti debugging techniques ‣ Packing 53

  54. DEMO 0x02 STRIP 54

  55. DEMO 0x03 ANTIDEBUG TECHNIQUES 55

  56. DEMO 0x04 56

  57. DEMO 0x04 NEXTCRY SHA256: 027d5f87ab71044a4bbac469b6a3bf5e02571c4661939699d9050a4300d10230 57

  58. REMARKS ‣ Linux malware is a real threat ‣ We have to be ready ‣ We need more tools ‣ We need to know the internals ‣ IoT complicates the analysis: ‣ OS and architecture diversifications ‣ Need more background knowledge 58

  59. THE END THANK YOU email: magrazia@cisco.com twitter: @emd3l 59

Recommend

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
ECON2228 Notes 6 Christopher F Baum Boston College Economics 20142015 cfb (BC Econ)

ECON2228 Notes 6 Christopher F Baum Boston College Economics 20142015 cfb (BC Econ)

ECON2228 Notes 6 Christopher F Baum Boston College Economics 20142015 cfb (BC Econ) ECON2228 Notes 6 20142015 1 / 49 Chapter 7: Multiple regression analysis with qualitative information: Binary (or dummy) variables We often consider

773 views • 49 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
This is a PDF version with notes. You can find the PPTX version at

This is a PDF version with notes. You can find the PPTX version at

This is a PDF version with notes. You can find the PPTX version at http://www.cse.iitd.ernet.in/~sbansal/talks/btkernel.pptx 1 Firstly, what is Dynamic Binary Translation and what is it used for. Dynamic Binary Translation or DBT is the

617 views • 49 slides
Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson Department of Statistics University of Washington This is joint work with James Robins (Harvard). Outline 1. The binary IV potential outcomes model

156 views • 15 slides
Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed 1-2 pm ENS 31NR Forsyth and Ponce book Binary images Two pixel values Foreground and background Regions of interest

1.13k views • 78 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

1.06k views • 67 slides
AMath 483/583 Lecture 28 Notes: Outline: Numba and autojit Binary vs. ASCII output

AMath 483/583 Lecture 28 Notes: Outline: Numba and autojit Binary vs. ASCII output

AMath 483/583 Lecture 28 Notes: Outline: Numba and autojit Binary vs. ASCII output Review / take away messages See also: Numba $UWHPSC/codes/io R.J. LeVeque, University of Washington AMath 483/583, Lecture 28 R.J.

206 views • 5 slides
AMath 483/583 Lecture 2 Notes: Outline: Binary storage, floating point numbers

AMath 483/583 Lecture 2 Notes: Outline: Binary storage, floating point numbers

AMath 483/583 Lecture 2 Notes: Outline: Binary storage, floating point numbers Version control main ideas Client-server version control, e.g., CVS, Subversion Distributed version control, e.g., git, Mercurial Reading:

387 views • 9 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform gray-level each region is a binary image ( 0 : background, 1 : object or the reverse) more intensity values for overlapping regions

875 views • 30 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije Universiteit Amsterdam Reverse engineering Hardening programs/anti-exploitation Malware analysis ... Attack developer in GameOver Zeus

532 views • 15 slides
Statistical analysis applied to genome and proteome analyses (lecture 5) Warning: These notes

Statistical analysis applied to genome and proteome analyses (lecture 5) Warning: These notes

Statistical analysis applied to genome and proteome analyses (lecture 5) Warning: These notes serve only as a scaffold and should be completed with notes taken during the class Motif identification with position dependent weight matrices

579 views • 42 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal Hexadecimal to binary Hexadecimal to Decimal Binary addition Binary subtraction Binary shift Decimal to Binary 146d = ????????b 146/2

91 views • 7 slides
Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents on Fun Facts Why 10 digits? Because and the 0 represents off people typically have 10 fingers and 10 toes, making it easy for counting! 2

119 views • 10 slides

More recommend