revenge is a dish served cold debug oriented malware
play

RevEngE is a dish served cold: Debug-Oriented Malware Decompilation - PowerPoint PPT Presentation

Jun 25, 2023 •317 likes •763 views

Introduction RevEngE Evaluation Final Remarks RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly Marcus Botacin 1 , Lucas Galante 2 , cio de Geus 2 , Andr egio 1 Paulo L e Gr 1 Federal University of

  1. Introduction RevEngE Evaluation Final Remarks RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly Marcus Botacin 1 , Lucas Galante 2 , ıcio de Geus 2 , Andr´ egio 1 Paulo L´ e Gr´ 1 Federal University of Paran´ a (UFPR-BR) { mfbotacin, gregio } @inf.ufpr.br 2 University of Campinas (UNICAMP-BR) { galante, paulo } @lasca.ic.unicamp.br RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 1 / 44 ROOTS’19

  2. Introduction RevEngE Evaluation Final Remarks Who Am I? Background Computer Engineer (University of Campinas–Brazil). CS Master (University of Campinas–Brazil). CS PhD Student (Federal University of Paran´ a–Brazil). Malware Analyst (Since 2012). Research Interests Malware Analysis & Detection . Hardware-Assisted Security. RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 2 / 44 ROOTS’19

  3. Introduction RevEngE Evaluation Final Remarks The Problem Topics Introduction 1 The Problem Background RevEngE 2 Overview Architecture Evaluation 3 Malware Decompilation Malware Reassembly Final Remarks 4 Limitations Conclusion Questions? RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 3 / 44 ROOTS’19

  4. Introduction RevEngE Evaluation Final Remarks The Problem The Problem Malware Hard to Understand at low level (e.g. assembly). Decompilers Lift low level constructions to high level semantics. Allow API and/or source code analyses. Decompilation Challenges Malware is not well-behaved. Malware implement anti-analysis tricks. Malware binaries present dead code. RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 4 / 44 ROOTS’19

  5. Introduction RevEngE Evaluation Final Remarks The Problem Insights & Proposal (1/2) Current Decompilers They perform reasonably well with small pieces of code. They do not perform well with static disassembly. Current Debuggers They can perform dynamic disassembly and/or inspection. RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 5 / 44 ROOTS’19

  6. Introduction RevEngE Evaluation Final Remarks The Problem Insights & Proposal (2/2) Current Analysts’ Tasks Analysts already debug binaries in a sliced manner. Analysts perform their own anti-anti-analysis routines. What If? Could we combine analysts manual work with decompiler? And decompile the small pieces debugged by the analyst? And let the analyst to overcome anti-analysis by themselves? RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 6 / 44 ROOTS’19

  7. Introduction RevEngE Evaluation Final Remarks Background Topics Introduction 1 The Problem Background RevEngE 2 Overview Architecture Evaluation 3 Malware Decompilation Malware Reassembly Final Remarks 4 Limitations Conclusion Questions? RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 7 / 44 ROOTS’19

  8. Introduction RevEngE Evaluation Final Remarks Background Background Compiler Parsing, Pre-Processing, Assemblying, Optimization, and Code Generation. Decompiler Disassembly, Lifting, data type recovery, and Code Generation. Notice: Not the same code generation routines. Decompiler is an inverse compiler. There are cross-platform compilers and decompilers. RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 8 / 44 ROOTS’19

  9. Introduction RevEngE Evaluation Final Remarks Background The Challenges (1/2) Disassembly Opaque Constants. Overlapping Instructions. Data and Code are mixed. Lifting A typical ISA is VERY large. Have you ever executed VFMADDSUBPS ? and O.S. support as well... Do you know what is NUMA ? RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 9 / 44 ROOTS’19

  10. Introduction RevEngE Evaluation Final Remarks Background The Challenges (2/2) Data Type Reconstruction Whats is the difference between an array ( int a[2]; ) and consecutive variables ( int a,b; )? Is 0x77FF... an integer or a pointer? Code Generation How to implement? Which optimizations? How to name variables? Evaluation Is recovered code a good metric for malware decompilation? RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 10 / 44 ROOTS’19

  11. Introduction RevEngE Evaluation Final Remarks Overview Topics Introduction 1 The Problem Background RevEngE 2 Overview Architecture Evaluation 3 Malware Decompilation Malware Reassembly Final Remarks 4 Limitations Conclusion Questions? RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 11 / 44 ROOTS’19

  12. Introduction RevEngE Evaluation Final Remarks Overview Reverse Engineering Engine Overview PoC Decompiler focused on malware analysis. GDB-powered (no-reimplementation). Dynamic Inspection (no static analysis constraints). Trace-Oriented (decompile what is debugged). Reassembler (merge the decompiled pieces in a new software). RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 12 / 44 ROOTS’19

  13. Introduction RevEngE Evaluation Final Remarks Architecture Topics Introduction 1 The Problem Background RevEngE 2 Overview Architecture Evaluation 3 Malware Decompilation Malware Reassembly Final Remarks 4 Limitations Conclusion Questions? RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 13 / 44 ROOTS’19

  14. Introduction RevEngE Evaluation Final Remarks Architecture RevEngE -GDB Integration Figure: RevEngE Architecture. GDB provides the basic debugging capabilities and was armored to handle malware anti-analysis techniques. RevEngE decompiler is developed on top of the armored GDB. RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 14 / 44 ROOTS’19

  15. Introduction RevEngE Evaluation Final Remarks Architecture GDB Armoring __libc_start_main (main=<value >, argc=<value >, 1 ubp_av=<value >, init=<value >, fini=<value >, rtld_fini=<value >, stack_end=<value > Code Snippet 1: Libc Entry Point. First argument points to application entry point. output = gdb.execute("set␣$eflags |=0x%x" % self. 1 flag_map[flag],to_string=True) Code Snippet 2: Invert Branch Direction. Flags register is changed according a map of possible flags for such command. RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 15 / 44 ROOTS’19

  16. Introduction RevEngE Evaluation Final Remarks Architecture Instruction Representation Figure: Instruction Representation . RevEngE benefits from Python’s polymorphism to model instruction’s behaviors and overloads method declarators to support each x86 instruction’s possible multiple argument types. RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 16 / 44 ROOTS’19

  17. Introduction RevEngE Evaluation Final Remarks Architecture Instruction Factory class IFactory (...): 1 def get(self , args): 2 newclass = globals ()[name ]( args) 3 newclass return 4 Code Snippet 3: Instruction Factory. The Factory design pattern allows instantiating objects from the proper class by exploring Python OOP capabilities. self.classes[’div’] = "IDiv" 1 self.classes[’divl ’] = "IDiv" 2 self.classes[’idiv ’] = "IDiv" 3 self.classes[’idivl ’] = "IDiv" 4 Code Snippet 4: Instruction Lifting. RevEngE assumes only signed integer operations to handle all instructions via the same high-level class. RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 17 / 44 ROOTS’19

  18. Introduction RevEngE Evaluation Final Remarks Architecture Lifting Complex Instructions 0x4004eb cmp -0x8(%rbp) ,%eax 1 0x4004ee jle 4004 fb <main +0x25 > 2 Code Snippet 5: Low level representation of a conditional decision. IF instructions are composed by multiple assembly instructions. class HighLevelCompare (): 1 def __init__ (self ,cmp ,set): 2 self.op1 = cmp.op1 3 self.op2 = cmp.op2 4 self.op3 = set.op3 5 Code Snippet 6: High level conditional decision representation. Assembly instructions are promoted to a single class that represents a high level conditional structure (e.g., IFs). RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 18 / 44 ROOTS’19

  19. Introduction RevEngE Evaluation Final Remarks Architecture Handling Variables self.vars = VariableManager () 1 self.vars. remove_registers (reg=arg1.get_operand ()) 2 self.vars. check_is_pointer (var.get_value ()) 3 Code Snippet 7: Variable Management. RevEngE does not handle variables directly but via a centralized manager to keep context consistent. self.var = self.vars.new_var(reg="%eax") 1 self.var = self.vars.new_var(reg=arg1.get_operand (), 2 value=val) self.var = self.vars.new_var(value=arg1.get_value (), 3 mem=arg2.get_operand ()) Code Snippet 8: Variable Manager. Context complexity is encapsulated by the manager, thus releasing RevEngE to focus on decompilation logic. RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly 19 / 44 ROOTS’19

Recommend

ORAL HISTORIES IN THE DIGITAL AGE OR JUDICIAL INDEDPENDENCE IS A DISH BEST SERVED COLD: SUPPORT

ORAL HISTORIES IN THE DIGITAL AGE OR JUDICIAL INDEDPENDENCE IS A DISH BEST SERVED COLD: SUPPORT

ORAL HISTORIES IN THE DIGITAL AGE OR JUDICIAL INDEDPENDENCE IS A DISH BEST SERVED COLD: SUPPORT YOUR LEGAL HISTORY PROJECT! By F. Richard Lyford Dickinson Mackaman Tyler &amp; Hagen 699 Walnut Street, Suite 1600 Des Moines, IA 50309

455 views • 10 slides
CS 10: Problem solving via Object Oriented Programming Lists Part 2 (Arrays Revenge!) Agenda

CS 10: Problem solving via Object Oriented Programming Lists Part 2 (Arrays Revenge!) Agenda

CS 10: Problem solving via Object Oriented Programming Lists Part 2 (Arrays Revenge!) Agenda 1. Growing array List implementation 2. Orders of growth 3. Asymptotic notation 4. List analysis 5. Iteration 2 Linked lists are a logical

1.05k views • 83 slides
STRESS OFFSET DISH FOR 1296 EME By Al - K2UYH OUTLINE HOW STARTED WHY A STRESS DISH

STRESS OFFSET DISH FOR 1296 EME By Al - K2UYH OUTLINE HOW STARTED WHY A STRESS DISH

STRESS OFFSET DISH FOR 1296 EME By Al - K2UYH OUTLINE HOW STARTED WHY A STRESS DISH WHY A OFFSET DISH CONSTRUCTION MOUNTING PERFORMANCE BECAME INTERESTED IN EME IN HIGH SCHOOL EVERYONE SEEMED TO BE USING DISH FOR

258 views • 25 slides
Cool Cisco IOS Commands: debug interface debug interface When you are performing debugs you have

Cool Cisco IOS Commands: debug interface debug interface When you are performing debugs you have

Cool Cisco IOS Commands: debug interface debug interface When you are performing debugs you have at least two concerns: 1) making sure the that debug does not clobber the CPU of your device, and 2) filtering the debug output to get to the

460 views • 9 slides
PROJA TRADITIONAL SERBIAN DISH This is teacher Mira and her class... This recipe for Serbian

PROJA TRADITIONAL SERBIAN DISH This is teacher Mira and her class... This recipe for Serbian

PROJA TRADITIONAL SERBIAN DISH This is teacher Mira and her class... This recipe for Serbian corn bread or srpska proja was a staple among Serbian peasants and more common than white wheat bread. Proja is served warm often with cracklings,

581 views • 8 slides
The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA

The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA

The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA mario.natali@gmail.com ARI ARI Perugia EME Conference 2016, Venice Impedimentum pro occasione arripere Mario Armando Natali , I0NAA The stealt he stealth h dish

607 views • 19 slides
To use it, you must compile your code with the -g option CXXFLAGS += -g g++ -g debug.cpp -o

To use it, you must compile your code with the -g option CXXFLAGS += -g g++ -g debug.cpp -o

To use it, you must compile your code with the -g option CXXFLAGS += -g g++ -g debug.cpp -o debug To run, type in gdb ./debug After typing in gdb ./debug you will enter the debugger Type run and it will run

502 views • 6 slides
The Contribution of Male Peer Support What is Revenge Pornography? Following Salter and Crofts

The Contribution of Male Peer Support What is Revenge Pornography? Following Salter and Crofts

The Contribution of Male Peer Support What is Revenge Pornography? Following Salter and Crofts (2015), Revenge porn images and videos are typically made by men with the consent of the women they were intimately involved with, but then

456 views • 16 slides
Cold War Development of the Cold War The Cold War (1945-91) was one of perception where

Cold War Development of the Cold War The Cold War (1945-91) was one of perception where

Origins of the Cold War Development of the Cold War The Cold War (1945-91) was one of perception where neither side fully understood the intentions and ambitions of the other. This led to mistrust and military build-ups. United States

398 views • 37 slides
Solving Montezuma's Revenge with Planning and Reinforcement Learning Adri Garriga Supervisor:

Solving Montezuma's Revenge with Planning and Reinforcement Learning Adri Garriga Supervisor:

Solving Montezuma's Revenge with Planning and Reinforcement Learning Adri Garriga Supervisor: Anders Jonsson Introduction: Why Montezumas Revenge? Sparse rewards. &gt; 6 s &gt; 60 actions 1/8 60 &lt; 10 -55 (branching factor = 8)

688 views • 32 slides
Ku FTA Dish Broadcast Station Dish farm ca. 2011 Temporary experimental mount Temporary

Ku FTA Dish Broadcast Station Dish farm ca. 2011 Temporary experimental mount Temporary

Satellite (bird) Mario Filippi, N2HUN m51f08@yahoo.com Delaware Valley Radio Assn. Jan. 10, 2018 Terrestrial Ku FTA Dish Broadcast Station Dish farm ca. 2011 Temporary experimental mount Temporary (satellite fishing) mount Tune

762 views • 36 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Radio recombination lines: the synergy between a big dish and dipoles Pedro Salas The Big

Radio recombination lines: the synergy between a big dish and dipoles Pedro Salas The Big

Radio recombination lines: the synergy between a big dish and dipoles Pedro Salas The Big Impact of a Big Dish: Science with the Effelsberg 100-m telescope Bonn, Germany, 20 February 2018 With support from RadioNet and NWO Assembly of

828 views • 13 slides
Fondue Larry Stein What is Fondue? / fnd (y) o o/ a. A hot dish made of melted

Fondue Larry Stein What is Fondue? / fnd (y) o o/ a. A hot dish made of melted

Presents Fondue Larry Stein What is Fondue? / fnd (y) o o/ a. A hot dish made of melted cheese and wine and eaten with bread. b. A similar dish, especially one consisting of a melted sauce in which pieces of food, such as

397 views • 13 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Cold Brew THIS IS COLD BREW Cofgee brewed with cold fresh water over a long time gets unique

Cold Brew THIS IS COLD BREW Cofgee brewed with cold fresh water over a long time gets unique

Cold Brew THIS IS COLD BREW Cofgee brewed with cold fresh water over a long time gets unique fmavour characteristics. Cold Brew is already a hot trend in USA and Japan. Now we ofger the Swedish market an innovative product that matches an

75 views • 6 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides

More recommend