FAST & FURIOUS REVERSE ENGINEERING WITH TITANENGINE - PowerPoint PPT Presentation
  1. Mario Vuksan, Tomislav Peričin & Vojislav Milunovic, ReversingLabs Corporation
     FAST & FURIOUS REVERSE ENGINEERING WITH TITANENGINE

  2. Agenda
     - Obligatory Scare Talk
     - Why should you care?
     - What is the problem?
     - How can TitanEngine change the world?
     - Show ME!
     - Show ME!
     - Show ME!
     - How can I help?

  3. Fighting Malware: Old Problem. Inadequate Infrastructure: New Problem

  4. Exponential Growth in Malware

  5. YIELDS

  6. Exponential Growth in Signatures

  7. DEMANDING

  8. (image only)

  9. RESULTING IN

  10. Denial of Service on Threat Response Teams

  11. So What?

  12. Security Industry is a For-Profit Entity

  13. We’ll Simply Hire More Bodies

  14. But Could We Get Enough Bodies?

  15. Can’t Hire Enough? Combine those we have into one Worldwide Non-profit Entity (Bwa-ha-ha!)

  16. OR… We could simply overload them…

  17. Is an overloaded anti-malware analyst an asset or a liability?

  18. Henry Ford
     - Anti-Malware labs are factories
     - 100-200+ Analyst teams
     - Advanced workflows
     - Multiple levels of management
     - Modern labor laws apply: No 20+ hour days
     - Productivity can be improved
     - Work process can be studied
     - Improvements COULD be devised…

  19. So how can Labs do more?
     - Charge more, Hire more
     - Invest in automation, Invest in heuristics
     - Deploy proactive modules, Buy competitors
     - All the usual stuff
     - … and they could revise their processes

  20. So how can Labs do more?
     - 1,000s of OllyDbg and IDA Pro scripts can better be reused; could be generalized
     - Sample analysis, OEP discovery could benefit all team members
     - Reversing should be a team effort

  21. We have to do it better…

  22. Competition is tough
     - Bad guys
     - Rise of $$ motivated custom attacks
     - Resourceful crime syndicates

  23. Protection is lacking
     - Signatures only “important” for threats
     - Need for other types of protection
     - Behavioral & HIPS tools that work

  24. Yet manual analysis is still the only certain bet!

  25. Passion for binary protection
     - Meatiest task today is dealing with protection techniques
     - Task repetition, Error prone, Not reusable
     - Large number of file formats can be infected and used for malware

  26. Passion for binary protection
     - Executable files == most significant threat
     - Executables == the “usual suspect” for malware
     - 85% of malware samples are packed
     - Packing hides malware, hardens its detection
     - Packed or protected doesn’t mean bad!
     - 10% of legitimate software is packed

  27. Passion for binary protection
     - Legit use for packers & protectors:
       - Compressed binaries decrease bandwidth usage
       - Protect intellectual property
       - Protect from code theft
       - Anti-tampering in multi-player games
       - Safeguard licensing code
     - Successfully used by malware authors
       - For all the same reasons

  28. Analyzing Malware
     - Malware File Analysis Requires:
       - In-depth knowledge of how PE works
       - In-depth knowledge of how Windows works
       - Various tools to make you reach your goal
     - Understanding of Basic Shell Divisions:
       - Packers, Protectors, Crypters, Bundlers & Hybrids
       - Custom malware-specific packers & protectors

  29. What’s the Reversing Process Today?

     /*408160*/ PUSHAD
     /*408161*/ MOV ESI,crackme_.00406000
     /*408166*/ LEA EDI,DWORD PTR DS:[ESI+FFFFB000]
     /*40816C*/ PUSH EDI
     /*40816D*/ OR EBP,FFFFFFFF
     /*408170*/ JMP SHORT crackme_.00408182
     /*408172*/ NOP
     /*408173*/ NOP
     /*408174*/ NOP
     /*408175*/ NOP
     /*408176*/ NOP
     /*408177*/ NOP
     /*408178*/ MOV AL,BYTE PTR DS:[ESI]
     /*40817A*/ INC ESI
     /*40817B*/ MOV BYTE PTR DS:[EDI],AL
     /*40817D*/ INC EDI
     /*40817E*/ ADD EBX,EBX
     /*408180*/ JNZ SHORT crackme_.00408189
     /*408182*/ MOV EBX,DWORD PTR DS:[ESI]
     /*408184*/ SUB ESI,-4
     /*408187*/ ADC EBX,EBX

  30. Reversing in action | Today
     - Inspect the Sample
       - Identify the packing shell or compiler (PEiD)

  31.-33. Reversing in action | Today (three slides with the same caption)
     - Unpack the Sample
       - Execute it to the original entry point (OllyDbg)

  34. Reversing in action | Today
     - Unpack the Sample
       - Dump the process memory (LordPE)

  35. Reversing in action | Today
     - Unpack the Sample
       - Fix the import table (ImpRec)

  36. Problems with File analysis
     - File analysis takes time
     - Identifying requires keeping up with shells
     - Shells evolve & have different forms
     - Analysts get more samples than they can handle
     - File unpacking takes even more time
     - Protection “tricks” continue to evolve
     - Yet, this process can be automated!

  37. TitanEngine

  38. Fast Reversing | Tomorrow
     - TitanEngine key features:
       - Framework designed to work with PE files
       - SDK has 250 documented functions
       - Easy automation of all reversing tools
       - Supports both x86 and x64
       - Can create:
         - Static, Dynamic & Generic unpackers
         - New file analysis tools
       - Tested on over 150 unpackers
       - It’s free and open source: LGPL3!

  39. Furious Reversing | Tomorrow
     - Engine simulates the reverse engineer’s presence
     - Unpacking process has the same steps:
       - Debugs until entry point
       - Dumps memory to disk
       - Collects data for import fixing
       - Collects data for relocation fixing
       - Custom fixes (Code splices, Entry point, …)

  40. TitanEngine | Content
     - SDK Contains:
       - Integrated x86/x64 debugger
       - Integrated x86/x64 disassembler
       - Integrated memory dumper
       - Integrated import tracer & fixer
       - Integrated relocation fixer
       - Integrated file realigner
       - TLS, Resources, Exports...

  41. TitanEngine | Debugger
     - Integrated x86/x64 Debugger
       - Attach / Detach
       - Trace, including single stepping
       - Set several types of breakpoints:
         - Software (INT3)
         - Hardware
         - Memory
         - Flexible
         - API
       - Access debugged file’s context

  42. TitanEngine | Debugger
     - Integrated x86/x64 Debugger
       - Disassemble instructions
         - Disassemble a length
         - Full disassemble
       - Memory manipulation
         - Find, Replace, Patch, Fill…
       - Get call/jump destination
         - Check if the jump will execute or not
       - Thread module for thread manipulation
       - Librarian module for module manipulation

  43. TitanEngine | Dumper
     - Integrated Memory Dumper
       - Dump memory
         - Process, regions or modules
       - Paste PE header from disk to memory
       - Manipulate file sections
         - Extract, resort, add, delete & resize
       - Manipulate file overlay
         - Find, extract, add, copy & remove

  44. TitanEngine | Dumper
     - Integrated Memory Dumper
       - Convert addresses
         - From relative to physical, and vice-versa
       - Get section number from address
       - PE header data
         - Get and set PE header values
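The address conversion and section lookup the Dumper slides describe (relative to physical and back, section number from address) come down to a walk of the PE section table. The Python below is an added illustration, not code from the TitanEngine SDK; the header it parses is constructed here with two sections laid out like the UPX stub in the slide 29 listing (unpack target at 0x401000, packed data at 0x406000), and the function and field names are this example's own.

```python
import struct
from collections import namedtuple

Section = namedtuple("Section", "name vsize va rsize rptr")  # IMAGE_SECTION_HEADER fields we need

def parse_sections(pe):
    """Walk e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER, 40 bytes each
    sections = []
    for _ in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append(Section(name.rstrip(b"\0").decode(), vsize, va, rsize, rptr))
        off += 40
    return sections

def section_index(sections, rva):
    """Section number for an RVA; in memory a section spans max(VirtualSize, SizeOfRawData)."""
    for i, s in enumerate(sections):
        if s.va <= rva < s.va + max(s.vsize, s.rsize):
            return i
    return None

def rva_to_offset(sections, rva):
    """Relative (memory) address -> physical file offset; None when nothing exists on disk."""
    if sections and rva < sections[0].va:
        return rva  # the PE headers are mapped 1:1
    if (i := section_index(sections, rva)) is None:
        return None
    delta = rva - sections[i].va
    return sections[i].rptr + delta if delta < sections[i].rsize else None

def offset_to_rva(sections, offset):
    """Physical file offset -> relative address (the reverse direction)."""
    for s in sections:
        if s.rptr <= offset < s.rptr + s.rsize:
            return s.va + (offset - s.rptr)
    return None

def build_sample_pe():
    """Constructed header-only image laid out like the UPX stub in slide 29: UPX0 at 0x401000 (no raw data), UPX1 at 0x406000."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    def sec(name, vsize, va, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0xE0000040)
    return (bytes(dos) + coff + bytes(0xE0)
            + sec(b"UPX0", 0x5000, 0x1000, 0, 0x400) + sec(b"UPX1", 0x3000, 0x6000, 0x2200, 0x400))
```

The unpack target section (UPX0) has a VirtualSize but no raw data, so rva_to_offset returns None for it: those bytes only exist once the stub has run, which is why the process is dumped from memory rather than read from disk.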

  45. TitanEngine | Importer
     - Integrated Import Fixer
       - Build new import tables on the fly
       - Get API information
         - API address in both your & debugged process
         - DLL to hold API from API address
         - Remote & local DLL loaded base
         - API name from address
         - API Forwarders

  46. TitanEngine | Importer
     - Integrated Import Fixer
       - Automatic import table functions:
         - Locate import table in the memory
         - Fix the import table automatically
         - Fix import eliminations, automatically
         - Enumerate and handle import table data
         - Move import table from one file to another
         - Load import table from any PE file

  47. TitanEngine | Tracer
     - Integrated Import Tracer
       - Identify import redirections and eliminations
       - Fix known import protections
       - Use integrated tracers to resolve imports
         - Static disassembly tracer
         - Static hasher disassembly tracer
       - Use ImpRec modules to fix redirections

  48. TitanEngine | Relocater
     - Integrated Relocation Fixer
       - Build new relocation table on the fly
       - Resolve relocation table
         - Grab relocation table directly from the process
         - Make & compare memory snapshots
       - Remove relocation table from the file
       - Relocate file to new image base
