laboratoire exploration et recherche en d tection
play

Laboratoire Exploration et recherche en Dtection LED Agence - PowerPoint PPT Presentation

Jul 18, 2023 •339 likes •882 views

Laboratoire Exploration et recherche en Dtection LED Agence Nationale de la Scurit des Systmes dInformation 2019 VMProtect Compression Imports protection Code mutation ... VIRTUALIZATION ANSSI Laboratoire

  1. Laboratoire Exploration et recherche en Détection LED Agence Nationale de la Sécurité des Systèmes d’Information 2019

  2. VMProtect ◮ Compression ◮ Imports protection ◮ Code mutation ◮ ... ◮ VIRTUALIZATION ANSSI Laboratoire Exploration et recherche en Détection 2/47

  3. File geometry .text .rdata .data ANSSI Laboratoire Exploration et recherche en Détection 3/47

  4. File geometry f1 .text f2 .rdata .data ANSSI Laboratoire Exploration et recherche en Détection 3/47

  5. File geometry f1 .text f2 .rdata .data .vmp0 ANSSI Laboratoire Exploration et recherche en Détection 3/47

  6. File geometry itrp / bytecode .text itrp / bytecode .rdata .data itrp .vmp0 bytecode ANSSI Laboratoire Exploration et recherche en Détection 3/47

  7. Interpreter code is obfuscated . vmp0 :004047D3 and ah , d l ( junk ) . vmp0 :004047D5 mov eax , [ ebp +0] . vmp0 :004047D8 s a l dl , 3 ( junk ) . vmp0 :004047DB c l c ( junk ) . vmp0 :004047DC mov dh , 0E3h ( junk ) . vmp0 :004047DF t e s t esp , eax ( junk ) . vmp0 :004047E1 mov edx , [ ebp +4] . vmp0 :004047E4 t e s t eax , 0A4B7FFF0h ( junk ) . vmp0 :004047E9 t e s t bh , bh ( junk ) . vmp0 :004047EB pushf ( junk ) . vmp0 :004047EC not eax . vmp0 :004047EE t e s t cl , 5Ch ( junk ) . vmp0 :004047F1 c l c ( junk ) . vmp0 :004047F2 s t c ( junk ) . vmp0 :004047F3 not edx . vmp0 :004047F5 pushf ( junk ) . vmp0 :004047F6 jmp l o c 4053BF ANSSI Laboratoire Exploration et recherche en Détection 4/47

  8. V2 Interpreter dispatcher push nor jmp add ANSSI Laboratoire Exploration et recherche en Détection 5/47

  9. V3 Interpreter push nor jmp add ANSSI Laboratoire Exploration et recherche en Détection 6/47

  10. Native registers roles x86 x64 vip esi rsi vsp ebp rbp virtual registers edi (x 16) rdi (x 24) decryption mask ebx rbx opcode (@handler entry) eax rax ANSSI Laboratoire Exploration et recherche en Détection 7/47

  11. VM instruction set Most important invariant across samples ◮ Based on the same template ◮ Opcodes permutated ◮ Bytecode encryption varies Who does what ? ANSSI Laboratoire Exploration et recherche en Détection 8/47

  12. Bytecode extraction ◮ Locate dispatcher / handlers ◮ Symbolic execution ◮ Extract decryption formulas ◮ Recognize opcodes by their effect on the virtual stack ANSSI Laboratoire Exploration et recherche en Détection 9/47

  13. Front-end protected binary VM instruction set x86 discovery code VM encrypted decrypted semantics bytecode bytecode ANSSI Laboratoire Exploration et recherche en Détection 10/47

  14. Bytecode instruction set Stack-oriented machine ◮ push X, pop Y, load, store ANSSI Laboratoire Exploration et recherche en Détection 11/47

  15. Bytecode instruction set Stack-oriented machine ◮ push X, pop Y, load, store ◮ ALU : add, nor, shifts, mul, div ANSSI Laboratoire Exploration et recherche en Détection 11/47

  16. Bytecode instruction set Stack-oriented machine ◮ push X, pop Y, load, store ◮ ALU : add, nor, shifts, mul, div ◮ Control flow : jmp ANSSI Laboratoire Exploration et recherche en Détection 11/47

  17. Bytecode instruction set Stack-oriented machine ◮ push X, pop Y, load, store ◮ ALU : add, nor, shifts, mul, div ◮ Control flow : jmp ◮ VM exits : fixed-arity call, exitvm ANSSI Laboratoire Exploration et recherche en Détection 11/47

  18. Bytecode instruction set Stack-oriented machine ◮ push X, pop Y, load, store ◮ ALU : add, nor, shifts, mul, div ◮ Control flow : jmp ◮ VM exits : fixed-arity call, exitvm ◮ misc : cpuid, rdtsc, FPU, checksum... ANSSI Laboratoire Exploration et recherche en Détection 11/47

  19. Operators expansion operation translates into not a nor a a and a b nor (not a) (not b) or a b not (nor a b) sub a b not (add (not a) b) xor a b and (or a b) (or (not a) (not b)) flags (sub a b) add (and ~0x815 (flags (and (sub a b) (sub a b))) (and 0x815 (flags (add (not a) b))) ANSSI Laboratoire Exploration et recherche en Détection 12/47

  20. From bytecode back to CISC

  21. Source loop: dec eax test eax, eax jnz loop ANSSI Laboratoire Exploration et recherche en Détection 14/47

  22. Bytecode [+] 43bc7d : pop r4 [+] 43bc82 : pop r2 [+] 43bc87 : pop r8 [+] 43bc8c : pop r9 [+] 43bc91 : pop r6 [+] 43bc96 : pop r10 [+] 43bc9b : pop r3 [+] 43bca0 : pop r1 [+] 43bca5 : pop r14 [+] 43bcaa : pop r15 [+] 43bcaf : pop r5 [+] 43bcb4 : push 0x [+] 43bcbc : push r9 ✁ ✁ ✁ ✁ [+] 43bcc1 : add32 [+] 43bcc5 : pop r7 [+] 43bcca : pop r5 [+] 43bccf : push 0x43bc08 [+] 43bcd7 : push r5 [+] 43bcdc : push r5 [+] 43bce1 : nor32 [+] 43bce5 : pop r0 [+] 43bcea : push r5 [+] 43bcef : push r5 [+] 43bcf4 : nor32 [+] 43bcf8 : pop r9 [+] 43bcfd : nor32 [+] 43bd01 : pop r0 [+] 43bd06 : pop r7 [+] 43bd0b : push 0x44cba5 [+] 43bd13 : push vsp [+] 43bd17 : push 4:16 [+] 43bd1d : push r0 [+] 43bd22 : push 0x ✁ bf [+] 43bd2a : nor32 ✁ ✁ [+] 43bd2e : pop r9 [+] 43bd33 : shr32 [+] 43bd37 : pop r9 [+] 43bd3c : add32 [+] 43bd40 : pop r11 [+] 43bd45 : load32 [+] 43bd49 : pop r12 [+] 43bd4e : pop r11 [+] 43bd53 : pop r7 [+] 43bd58 : push r12 [+] 43bd5d : push r4 [+] 43bd62 : add32 [+] 43bd66 : pop r11 [+] 43bd6b : pop r15 [+] 43bd70 : push r5 [+] 43bd75 : push r10 [+] 43bd7a : push r0 [+] 43bd7f : push r14 [+] 43bd84 : push r10 [+] 43bd89 : push r8 [+] 43bd8e : push r5 [+] 43bd93 : push r3 [+] 43bd98 : push r1 [+] 43bd9d : push r2 [+] 43bda2 : push r4 [+] 43bda7 : push r15 [+] 43bdac : jmp ANSSI Laboratoire Exploration et recherche en Détection 15/47

  23. Bytecode [+] 43bc7d : pop r4 [+] 43bc82 : pop r2 [+] 43bc87 : pop r8 [+] 43bc8c : pop r9 [+] 43bc91 : pop r6 [+] 43bc96 : pop r10 [+] 43bc9b : pop r3 [+] 43bca0 : pop r1 [+] 43bca5 : pop r14 [+] 43bcaa : pop r15 [+] 43bcaf : pop r5 [+] 43bcb4 : push 0x ffffffff [+] 43bcbc : push r9 [+] 43bcc1 : add32 [+] 43bcc5 : pop r7 [+] 43bcca : pop r5 [+] 43bccf : push 0x43bc08 [+] 43bcd7 : push r5 [+] 43bcdc : push r5 [+] 43bce1 : nor32 [+] 43bce5 : pop r0 [+] 43bcea : push r5 [+] 43bcef : push r5 [+] 43bcf4 : nor32 [+] 43bcf8 : pop r9 [+] 43bcfd : nor32 [+] 43bd01 : pop r0 [+] 43bd06 : pop r7 [+] 43bd0b : push 0x44cba5 [+] 43bd13 : push vsp [+] 43bd17 : push 4:16 [+] 43bd1d : push r0 [+] 43bd22 : push 0x ffffff bf [+] 43bd2a : nor32 [+] 43bd2e : pop r9 [+] 43bd33 : shr32 [+] 43bd37 : pop r9 [+] 43bd3c : add32 [+] 43bd40 : pop r11 [+] 43bd45 : load32 [+] 43bd49 : pop r12 [+] 43bd4e : pop r11 [+] 43bd53 : pop r7 [+] 43bd58 : push r12 [+] 43bd5d : push r4 [+] 43bd62 : add32 [+] 43bd66 : pop r11 [+] 43bd6b : pop r15 [+] 43bd70 : push r5 [+] 43bd75 : push r10 [+] 43bd7a : push r0 [+] 43bd7f : push r14 [+] 43bd84 : push r10 [+] 43bd89 : push r8 [+] 43bd8e : push r5 [+] 43bd93 : push r3 [+] 43bd98 : push r1 [+] 43bd9d : push r2 [+] 43bda2 : push r4 [+] 43bda7 : push r15 [+] 43bdac : jmp ANSSI Laboratoire Exploration et recherche en Détection 16/47

  24. Prologue [+] 43bc7d : pop r4 [+] 43bc82 : pop r2 [+] 43bc87 : pop r8 [+] 43bc8c : pop r9 [+] 43bc91 : pop r6 [+] 43bc96 : pop r10 [+] 43bc9b : pop r3 [+] 43bca0 : pop r1 [+] 43bca5 : pop r14 [+] 43bcaa : pop r15 [+] 43bcaf : pop r5 ANSSI Laboratoire Exploration et recherche en Détection 17/47

  25. Epilogue [+] 43bd70 : push r5 [+] 43bd75 : push r10 [+] 43bd7a : push r0 [+] 43bd7f : push r14 [+] 43bd84 : push r10 [+] 43bd89 : push r8 [+] 43bd8e : push r5 [+] 43bd93 : push r3 [+] 43bd98 : push r1 [+] 43bd9d : push r2 [+] 43bda2 : push r4 [+] 43bda7 : push r15 [+] 43bdac : jmp ANSSI Laboratoire Exploration et recherche en Détection 18/47

  26. Virtual registers permutation ecx r0 r0 eax r1 r1 ecx r2 r2 eax r3 r3 ebx r4 r4 r5 ebx r5 ANSSI Laboratoire Exploration et recherche en Détection 19/47

  27. Body [+] 43bcb4 : push 0x ffffffff [+] 43bcbc : push r9 [+] 43bcc1 : add32 [+] 43bcc5 : pop r7 [+] 43bcca : pop r5 [+] 43bccf : ... [+] 43bcd7 : ... [+] 43bcdc : ... [+] 43bce1 : ... ANSSI Laboratoire Exploration et recherche en Détection 20/47

  28. How do we simplify the body ?

  29. Mutable registers ♣ � ♣ ✂✄ ♣ � ♣ ✂☎ ... ♣ � ♣ ✂✆ ✝ ✞✟ 0x ffffffff ♣ ♣ ✝ ✞✟ ✂r ❛ ✠ ✠ ✡ ☎ ♣ � ♣ ✂☛ ♣ � ♣ ✂✆ ... ANSSI Laboratoire Exploration et recherche en Détection 22/47

  30. SSA form .1 ☞ ✌ ☞ ✍✎ .1 ☞ ✌ ☞ ✍✏ ... .1 ☞ ✌ ☞ ✍✑ ✒ ✓✔ 0x ffffffff ☞ .1 ☞ ✒ ✓✔ ✍✕ ✖ ✗ ✗ ✘ ✏ .1 ☞ ✌ ☞ ✍✙ ☞ ✌ ☞ ✍✑ ✳ ✏ ... ANSSI Laboratoire Exploration et recherche en Détection 23/47

  31. Explicit operands IR ✣ ✤ ✣ ✥ ✣ ✤ ✣ ✦ ❘ ✧ ★ ❂ ✚ ✛ ✛ ✦ ✧ ✥ ✚ ✛ ✛ ✜ ✢ ✫ R ✣ ✩✪ ✣ ✩✪ ✫ ★ ANSSI Laboratoire Exploration et recherche en Détection 24/47

Recommend

BEYOND MEAN-FIELD APPROXIMATION AURLIEN DECELLE LABORATOIRE DE RECHERCHE EN INFORMATIQUE

BEYOND MEAN-FIELD APPROXIMATION AURLIEN DECELLE LABORATOIRE DE RECHERCHE EN INFORMATIQUE

BEYOND MEAN-FIELD APPROXIMATION AURLIEN DECELLE LABORATOIRE DE RECHERCHE EN INFORMATIQUE UNIVERSIT PARIS SUD MOTIVATIONS Why inverse problems ? In Machine Learning online recognition tasks In Physics understanding a

754 views • 40 slides
Ceftazidime / avibactam Michel Arthur Laboratoire de Recherche Molculaire We're gonna geed a

Ceftazidime / avibactam Michel Arthur Laboratoire de Recherche Molculaire We're gonna geed a

Ceftazidime / avibactam Michel Arthur Laboratoire de Recherche Molculaire We're gonna geed a bigger boat Spellberg B, Bonomo RA sur les Antibiotiques Centre de Recherches des Cordeliers INSERM UMR S 1138 Equipe 12 A new generation of

396 views • 35 slides
Numerical Computations and Formal Methods Guillaume Melquiond Proval, Laboratoire de Recherche en

Numerical Computations and Formal Methods Guillaume Melquiond Proval, Laboratoire de Recherche en

Program verification Formal arithmetic Decision procedures Numerical Computations and Formal Methods Guillaume Melquiond Proval, Laboratoire de Recherche en Informatique INRIA SaclayIdF, Universit e Paris Sud, CNRS October 28, 2009

1.07k views • 77 slides
Model Checking of Parameterized Systems on Weak Memory David Declerck Laboratoire de Recherche

Model Checking of Parameterized Systems on Weak Memory David Declerck Laboratoire de Recherche

Model Checking of Parameterized Systems on Weak Memory David Declerck Laboratoire de Recherche en Informatique Universit e Paris-Sud October 3rd, 2017 Work supported by French ANR project PARDI (DS0703) David Declerck A Backward

327 views • 10 slides
Pattern covering by set approximations Nicolas Oury Laboratoire de Recherche en Informatique

Pattern covering by set approximations Nicolas Oury Laboratoire de Recherche en Informatique

Outline Pattern covering by set approximations Nicolas Oury Laboratoire de Recherche en Informatique Universit e ParisSud, France TYPES, 2006 Nicolas Oury Pattern covering by set approximations Outline Outline Introduction 1 The

670 views • 63 slides
Pointing and Navigation Beating Fitts law Michel Beaudouin-Lafon Laboratoire de Recherche en

Pointing and Navigation Beating Fitts law Michel Beaudouin-Lafon Laboratoire de Recherche en

Master Informatique - Universit Paris-Sud Outline Pointing Fitts law Pointing and Navigation Beating Fitts law Michel Beaudouin-Lafon Laboratoire de Recherche en Informatique Multiscale pointing Universit Paris-Sud / CNRS

468 views • 7 slides
Com ommunity de ty detecti tection i in n netw twor orks w with th unobser erved ed edg

Com ommunity de ty detecti tection i in n netw twor orks w with th unobser erved ed edg

Com ommunity de ty detecti tection i in n netw twor orks w with th unobser erved ed edg edges es Leto Peel Universit catholique de Louvain @PiratePeel Community detection Aim: partition the network according similarity of link

385 views • 23 slides
PL PLAN ANT T PR PROTE TECTION CTION MIN INIS ISTR TRY Y OF OF N NATIO TIONAL L FOO

PL PLAN ANT T PR PROTE TECTION CTION MIN INIS ISTR TRY Y OF OF N NATIO TIONAL L FOO

DE DEPAR ARTME TMENT NT OF OF PL PLAN ANT T PR PROTE TECTION CTION MIN INIS ISTR TRY Y OF OF N NATIO TIONAL L FOO OOD SE SECU CURIT ITY Y & RES ESEA EARCH GOVT. . OF OF P PAKIS ISTAN AN PE PESTIC TICIDES

632 views • 23 slides
CAP APACIT CITY Y BUILDING ILDING FO FOR TH THE E PHYSIC YSICAL AL PROTE TECTION CTION

CAP APACIT CITY Y BUILDING ILDING FO FOR TH THE E PHYSIC YSICAL AL PROTE TECTION CTION

CAP APACIT CITY Y BUILDING ILDING FO FOR TH THE E PHYSIC YSICAL AL PROTE TECTION CTION SYS YSTEMS TEMS STR TREN ENGTHENING THENING OF BATANS NUCLEAR FACILITIES ILITIES International Conference on Physical Y. Hasan, I. H.

693 views • 31 slides
Spac ace e and Da Data ta Protec tection tion GLI LIS, S, 7 June ne 2016 2016

Spac ace e and Da Data ta Protec tection tion GLI LIS, S, 7 June ne 2016 2016

Spac ace e and Da Data ta Protec tection tion GLI LIS, S, 7 June ne 2016 2016 Introduction Space Policies all around the globe put emphases on space services supporting growth, jobs, innovation and competitiveness. Technology

219 views • 10 slides
SURGE GE PROTECT TECTION ION FI FIRE ALARM RM 1-800-753-2345 Technical Support:

SURGE GE PROTECT TECTION ION FI FIRE ALARM RM 1-800-753-2345 Technical Support:

SURGE GE PROTECT TECTION ION FI FIRE ALARM RM 1-800-753-2345 Technical Support: 1-888-472-6100 DITEKCORP.com Course Outline About DITEK Corporation What are Surges and Spikes? Causes Effects How Surge Protection Works Surge

929 views • 53 slides
Some analytical aspects of the Kontsevich matrix model Mattia Cafasso Laboratoire Angevin de

Some analytical aspects of the Kontsevich matrix model Mattia Cafasso Laboratoire Angevin de

The Wittens conjecture and the PI hierarchy Isomonodromic tau functions Convergence Universalit Some analytical aspects of the Kontsevich matrix model Mattia Cafasso Laboratoire Angevin de REcherche en MAthmatiques (LAREMA), Angers.

529 views • 22 slides
Data protection in the EU Area of Data protection in the EU Area of ection tection freedom,

Data protection in the EU Area of Data protection in the EU Area of ection tection freedom,

isor visor Superv Super Data protection in the EU Area of Data protection in the EU Area of ection tection freedom, security and justice under the Lisbon Treaty d th Li b T t ta Prot ta Pro ean Da an Da Bndicte Havelange

739 views • 10 slides
T RANSITION -P ATH S AMPLING AND F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire

T RANSITION -P ATH S AMPLING AND F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire

T RANSITION -P ATH S AMPLING AND F REE -E NERGY C ALCULATIONS T RANSITION -P ATH S AMPLING AND F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire International Associ CNRS-UIUC, Unit Mixte de Recherche n 7565, Universit de Lorraine

559 views • 35 slides
T RANSITION -P ATH S AMPLING AND F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire

T RANSITION -P ATH S AMPLING AND F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire

T RANSITION -P ATH S AMPLING AND F REE -E NERGY C ALCULATIONS T RANSITION -P ATH S AMPLING AND F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire International Associ CNRS-UIUC, Unit Mixte de Recherche n 7565, Universit de Lorraine

367 views • 33 slides
I NTRODUCTION TO F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire International Associ

I NTRODUCTION TO F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire International Associ

I NTRODUCTION TO F REE -E NERGY C ALCULATIONS I NTRODUCTION TO F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire International Associ CNRS-UIUC, Unit Mixte de Recherche n 7565, Universit de Lorraine Beckman Institute for Advanced

549 views • 44 slides
I NTRODUCTION TO F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire International Associ

I NTRODUCTION TO F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire International Associ

I NTRODUCTION TO F REE -E NERGY C ALCULATIONS I NTRODUCTION TO F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire International Associ CNRS-UIUC, Unit Mixte de Recherche n 7565, Universit de Lorraine Beckman Institute for Advanced

949 views • 42 slides
MEAP and ENB Exploration Exploration in MEAP Genesis of Exploration New Business

MEAP and ENB Exploration Exploration in MEAP Genesis of Exploration New Business

MEAP and ENB Exploration Exploration in MEAP Genesis of Exploration New Business opportunities Rift and Frontal fold belt knowledge transfer Play based approach in chosen themes Focus on North and East Africa Preserving

1.01k views • 59 slides
Clock Typing of n-Synchronous Programs Louis Mandel Florence Plateau Marc Pouzet Laboratoire de

Clock Typing of n-Synchronous Programs Louis Mandel Florence Plateau Marc Pouzet Laboratoire de

Clock Typing of n-Synchronous Programs Louis Mandel Florence Plateau Marc Pouzet Laboratoire de Recherche en Informatique Universit e Paris-Sud 11 INRIA Saclay Ile-de-France DCC 20-21/03/2010 Kahn Process Networks [Gilles Kahn,

758 views • 48 slides
Public Prot tection and Anti-Social l Behaviour Brie efing S.Bar rstow Service M Manager

Public Prot tection and Anti-Social l Behaviour Brie efing S.Bar rstow Service M Manager

Public Prot tection and Anti-Social l Behaviour Brie efing S.Bar rstow Service M Manager Demand 20 012 - 2016 4500 Administrative I Issues Removed Without t Licensing Total Com mplaints 4500 5000 4000 4000 4500 3500 4000

376 views • 11 slides
P ROTEIN -L IGAND S TANDARD B INDING F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire

P ROTEIN -L IGAND S TANDARD B INDING F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire

P ROTEIN -L IGAND S TANDARD B INDING F REE -E NERGY C ALCULATIONS P ROTEIN -L IGAND S TANDARD B INDING F REE -E NERGY C ALCULATIONS Chris Chipot Laboratoire International Associ CNRS-UIUC, Unit Mixte de Recherche n 7565, Universit de

419 views • 27 slides
in Advanced . Exploration 1 . Note 1 : Advanced Exploration: Defined as confirmed

in Advanced . Exploration 1 . Note 1 : Advanced Exploration: Defined as confirmed

Investment Opportunity in Advanced . Exploration 1 . Note 1 : Advanced Exploration: Defined as confirmed mineralisation, immediate drill targets & exploration upside Duke Exploration / Investor Presentation 1 Disclaimer This

918 views • 26 slides
Acacia Mining plc Exploration Roundtable 11.12.2015 Exploration roundtable Investment in

Acacia Mining plc Exploration Roundtable 11.12.2015 Exploration roundtable Investment in

Acacia Mining plc Exploration Roundtable 11.12.2015 Exploration roundtable Investment in exploration beginning to deliver results Exploration historically focused on Tanzania Mature, well explored portfolio of projects Changed

498 views • 38 slides
Towards an information-theoretic model of the Allison mixture A canonical measure of dependence

Towards an information-theoretic model of the Allison mixture A canonical measure of dependence

Lachlan J. Gunn 1 Franois Chapeau-Blondeau 2 Andrew Allison 1 Derek Abbott 1 1 School of Electrical and Electronic Engineering The University of Adelaide 2 Laboratoire Angevin de Recherche en Ingnierie des Systmes (LARIS) University of

490 views • 22 slides

More recommend