unpacking tips and tricks
play

Unpacking tips and tricks Protector Techniques Conclusion Samuel - PowerPoint PPT Presentation

Dec 01, 2022 •170 likes •439 views

Unpacking tips and tricks Samuel Chevet Presentation Process Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr http://www.lse.epita.fr 12 February 2013 Why this talk ? Unpacking tips and tricks

  1. Unpacking tips and tricks Samuel Chevet Presentation Process Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr http://www.lse.epita.fr 12 February 2013

  2. Why this talk ? Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Previously in w4kfu’s talk : Anti-Debug Detection Basics knowledges Import Table Malicious software Import Address Table Video Games Process Protector Share Reverse Engineering stu ff Techniques Conclusion Fun

  3. Packer Unpacking tips and tricks Samuel Chevet Presentation Compress executable Why this talk ? Packer Prepend decompression stub Protector Detection Decompression stub is standalone Basics knowledges Import Table Import Address Table Indistinguishable to the casual user Process Single executable Protector Techniques Unpack and transfer control to it Conclusion Original entry point Exist for DOS, Microsoft Windows and others OS Command line as GUI based

  4. Packer Benefit Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Less storage space Detection Basics knowledges Marketing a product via internet Import Table Import Address Table Less time for data transfer Process Protector Resistant to casual reverser Techniques Target must be unpacked or rebuilt Conclusion

  5. Packer Disavantages Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Everything come at a price Detection Basics knowledges Antivirus problem Import Table Import Address Table More time to decompress Process Protector Unpacked at some stage Techniques Dumped to disk ? Conclusion

  6. Protector Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Derive of the simple packer Detection Basics knowledges Import Table Packer aim to reduce size Import Address Table Add code to protect against reverse engineering Process Protector Size will considerably increase Techniques Conclusion Malicious software

  7. Detection Unpacking tips and tricks Samuel Chevet Signature based Presentation Why this talk ? Opcode-sequence-based Packer Protector Tag Detection Basics knowledges Additional heuristics Import Table Import Address Table OEP outside first section Process More than one executable section Protector ImportTable position uncommon Techniques LoadLibrary and GetProcAddress in ImportTable Conclusion TLS Unknow instruction Anti Re-Protect Compiler startup code

  8. Detection Unpacking tips and tricks Samuel Chevet Anti Presentation Why this talk ? Replace instruction Packer Protector Detection Polymorphism Basics knowledges Import Table Metamorphism Import Address Table Process Protector Toolz Techniques PEiD Conclusion Protection ID RDG packer Detector . . .

  9. Import Table Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector List of functions not part of the application Detection Basics knowledges Called imports Import Table Import Address Table Operating systems DLL’s, or homemade Process Protector Di ff erent OS Version Techniques Application don’t know where Conclusion

  10. Import Table Unpacking tips and tricks Samuel Chevet Presentation OptionalHeader- > DataDirectory[] Why this talk ? Packer IMAGE_DIRECTORY_ENTRY_IMPORT Protector Detection Basics knowledges Import Table IMAGE_IMPORT_DESCRIPTOR Import Address Table Process OriginalFirstThunk Protector TimeDateStamp Techniques Conclusion ForwarderChain Name FirstThunk

  11. Import Address Table Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Detection Loader loads DLL Basics knowledges Import Table Construct IAT Import Address Table Process All ptr in FirstThunk contain API’s address Protector Techniques call [addr], jmp [addr] Conclusion

  12. Peering inside the PE Unpacking tips and tricks Samuel Chevet Presentation Why this talk ? Packer Protector Detection Basics knowledges Import Table Import Address Table Process Protector Techniques Conclusion

  13. Original OEP Unpacking tips and tricks Samuel Chevet Presentation Process Original OEP Fix PE Trace the code Import rebuilding Protector ESP trick Techniques Conclusion VirtualProtect() Use Exceptions

  14. Fix PE Unpacking tips and tricks Samuel Chevet Presentation Process Original OEP Fix PE O ff set OEP Import rebuilding Protector O ff set IAT Techniques Conclusion Sections characteristics And more when there is some protection

  15. Import rebuilding Unpacking tips and tricks Samuel Chevet Presentation Process Original OEP Fix PE Packers / Protector destroy Import Table Import rebuilding Protector Correct RVA and Size of Import Table Techniques IMAGE_IMPORT_DESCRIPTOR nulled one Conclusion OriginalFirstThunk, FirstThunk and Name must be well informed

  16. Anti-Dumping Unpacking tips and tricks Samuel Chevet Presentation Process Protector Mutex Techniques Anti-Dumping CPUID TLS Callbacks Stolen Bytes Delete loader API Redirection Nanomites Triggers Header modification Conclusion Page level protection

  17. TLS Callbacks Unpacking tips and tricks Samuel Chevet Presentation Process Protector Thread Local Storage Techniques Anti-Dumping Execute code before EP TLS Callbacks Stolen Bytes Debugger detection API Redirection Nanomites Triggers Decryption routines Conclusion Hook

  18. Stolen Bytes Unpacking tips and tricks Samuel Chevet Presentation Process Protector Portions of code Techniques Anti-Dumping Removed from original TLS Callbacks Stolen Bytes Usually near entry point API Redirection Nanomites Triggers Executed from allocated memory Conclusion Restore them before dump

  19. API Redirection Unpacking tips IAT partially or completely destroyed and tricks Call to APIs are redirected Samuel Chevet Routines located into allocated memory or in Presentation protector stub Process Protector Techniques Anti-Dumping TLS Callbacks Stolen Bytes API Redirection Nanomites Triggers Conclusion

  20. API Redirection Unpacking tips and tricks Samuel Chevet Presentation Process Stolen instructions Protector Techniques Control transfered back in the middle Anti-Dumping TLS Callbacks Routines located into allocated memory or in Stolen Bytes protector stub API Redirection Nanomites Triggers Load whole DLL image Conclusion Redirect API Di ffi cult to set breakpoints

  21. API Redirection Unpacking tips and tricks Samuel Chevet Presentation Process Inject !!! Protector Scan for call dword ptr / jmp dword ptr Techniques Anti-Dumping Is outside PE ? TLS Callbacks Stolen Bytes API Redirection Is not an API ? Nanomites Triggers Hook routine Conclusion Call it Use against himself !

  22. Nanomites Unpacking tips and tricks Samuel Chevet JCC instruction Presentation Some Opcodes Process Replace by int3 Protector Techniques 2 Process ! Father and son Anti-Dumping TLS Callbacks Stolen Bytes Inject the father API Redirection Nanomites Father : WaitForDebugEvent() Triggers Conclusion Son : Scan 0xCC (int3) Reverse, or comportemental study Thruth table Maybe opcode will be restored to avoid performance down

  23. Triggers Unpacking tips and tricks Samuel Chevet Presentation Process Detect if protection has been deleted Protector Techniques Developpers can use SDK Anti-Dumping TLS Callbacks Invincible enemy Stolen Bytes API Redirection Nanomites Camera bug Triggers Conclusion Redirect call will return on the next instruction Return value modification

  24. Conclusion Unpacking tips and tricks Samuel Chevet Presentation Process Protector Techniques Conclusion INJECT !

  25. Real Conclusion Unpacking tips and tricks Samuel Chevet Presentation Process Protector Really fun ! Techniques Code your own toolz Conclusion Don’t use unpacker ! Write your own Internet connection permanent Kill market of multimedia library and occasion

  26. Questions ? Unpacking tips and tricks Samuel Chevet Presentation Process Thank you for your attention Protector Techniques Conclusion @w4kfu blog.w4kfu.com w4kfu@lse.epita.fr

Recommend

Productivity tips & tricks Productivity tips & tricks for a developer for a developer

Productivity tips & tricks Productivity tips & tricks for a developer for a developer

Productivity tips & tricks Productivity tips & tricks for a developer for a developer Sebastian Witowski Sebastian Witowski 1 2 3 4 5 6 vs. vs. 7 8 dotles dotles .bashrc, .vimrc, .gitcong alias ..="cd

308 views • 15 slides
HSC FCO PRESENTS UNMJobs 2.0 Onboarding, Updates, Tips & Tricks, Q&A Session May 16,

HSC FCO PRESENTS UNMJobs 2.0 Onboarding, Updates, Tips & Tricks, Q&A Session May 16,

HSC FCO PRESENTS UNMJobs 2.0 Onboarding, Updates, Tips & Tricks, Q&A Session May 16, 2017 Agenda Onboarding Regular faculty TPTs System Updates New User Interface (update roll outs) Tips & Tricks

643 views • 14 slides
Tips and Tricks For Broadcast Engineers and Managers Agenda Overview Jeff Welton, CBRE Tips

Tips and Tricks For Broadcast Engineers and Managers Agenda Overview Jeff Welton, CBRE Tips

Tips and Tricks For Broadcast Engineers and Managers Agenda Overview Jeff Welton, CBRE Tips and Tricks Regional Sales Manager Central U.S. For Engineers For Managers Paul Freeman Tinkle, CRMC, CRSM President and General

1.25k views • 56 slides
902 Grant Disbursements: Ti Tips, Tricks and Troubleshooting for a T i k d T bl h ti f

902 Grant Disbursements: Ti Tips, Tricks and Troubleshooting for a T i k d T bl h ti f

902 Grant Disbursements: Ti Tips, Tricks and Troubleshooting for a T i k d T bl h ti f Flawless Submission COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF ENVIRONMENTAL PROTECTION BUREAU OF WASTE MANAGEMENT ACT 101, SECTION 902 MUNICIPAL

635 views • 34 slides
Being the best recorder player you can be Tips and tricks for getting the most out of your

Being the best recorder player you can be Tips and tricks for getting the most out of your

Presentation Flte Alors! Being the best recorder player you can be Tips and tricks for getting the most out of your practice and tackling difficult passages Good morning everyone. My name is Sarah Jeffery, and I am a recorder player living

470 views • 6 slides
GOOD MORNING! THINK BIG, BE GREAT! Tips, tricks, and little bit of fun for engaging with our

GOOD MORNING! THINK BIG, BE GREAT! Tips, tricks, and little bit of fun for engaging with our

GOOD MORNING! THINK BIG, BE GREAT! Tips, tricks, and little bit of fun for engaging with our community Britt Delo & Keegan Aalderink Michigan West Coast Chamber of Commerce ITS ALL ABOUT YOU! Working together to improve the quality

524 views • 15 slides
Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19 getting the most (security) out of your openssh The users perspective: least amount of hassle tradeoff between anxiety, angst and

559 views • 19 slides
FM Translators for AM stations We have the license, now what? (and other translator tips, tricks

FM Translators for AM stations We have the license, now what? (and other translator tips, tricks

FM Translators for AM stations We have the license, now what? (and other translator tips, tricks and suggestions) Agenda Overview Legal Audio source Chuck Kelly Jeff Welton Originating program Regional Sales Manager, Regional

216 views • 18 slides
Tips and Tricks for Disclosures Laparoscopy I have no financial disclosures Jessica

Tips and Tricks for Disclosures Laparoscopy I have no financial disclosures Jessica

10/26/2016 Pushing the Envelope Tips and Tricks for Disclosures Laparoscopy I have no financial disclosures Jessica Opoku-Anane, MD, MS Assistant Professor, OB/GYN Minimally Invasive Gynecology Director, UCSF Center for Endometriosis

407 views • 8 slides
Throwing a Great Afterparty Other social media tips and tricks for getting the most out of your

Throwing a Great Afterparty Other social media tips and tricks for getting the most out of your

Throwing a Great Afterparty Other social media tips and tricks for getting the most out of your event Promoting the Basics Posters print and digital Leveraging Facebook and Twitter (targeting posts, frequent updates, etc)

245 views • 5 slides
FOCUS: Yes & Yes on Election Day Targeted Tips & Tricks from Three Districts

FOCUS: Yes & Yes on Election Day Targeted Tips & Tricks from Three Districts

FOCUS: Yes & Yes on Election Day Targeted Tips & Tricks from Three Districts Presenters Dr. Jason Snodgrass Amy Berendzen Superintendent Director, Fort Osage School District School-Community Relations @DrJSnodgrass

591 views • 29 slides
Getting Started with The Conversation Project: Orientation to TCP Resources, Tips and Tricks

Getting Started with The Conversation Project: Orientation to TCP Resources, Tips and Tricks

Getting Started with The Conversation Project: Orientation to TCP Resources, Tips and Tricks January 22, 2020 Patty Webster Naomi Fedna 2 Zoom Quick Reference Welcome to todays session! Click the Participants and Chat buttons Raise

861 views • 45 slides
How not to be a Git Tips and tricks for a good workflow Who am I? Adam Jimerson Software

How not to be a Git Tips and tricks for a good workflow Who am I? Adam Jimerson Software

How not to be a Git Tips and tricks for a good workflow Who am I? Adam Jimerson Software Engineer @ Code Journeymen GDG Gigcity Organizer vendion@gmail.com https://google.com/+AdamJimerson What is a Git? 1. A distributed

620 views • 58 slides
Tips and Tricks for a way cool Way Cool Presentation Thank you for your interest in

Tips and Tricks for a way cool Way Cool Presentation Thank you for your interest in

Tips and Tricks for a way cool Way Cool Presentation Thank you for your interest in doing a Way Cool Presentation for the Beaty Biodiversity Museum! Since January 2011, this monthly series allows visitors to delve deeper into specific

288 views • 3 slides
Grant Writing Tips & Tricks Sean Vroom NJIT TAB Felicia Fred USEPA Region 3, Brownfields

Grant Writing Tips & Tricks Sean Vroom NJIT TAB Felicia Fred USEPA Region 3, Brownfields

Grant Writing Tips & Tricks Sean Vroom NJIT TAB Felicia Fred USEPA Region 3, Brownfields Salem, VA October 2, 2019 Grant Writing Tips & Tricks Bootcamp Objectives: Expose participants to the NJIT TAB program Participants

681 views • 53 slides
Staff engagement Tips and tricks on getting buy-in Logistics Please use chat and for for

Staff engagement Tips and tricks on getting buy-in Logistics Please use chat and for for

Staff engagement Tips and tricks on getting buy-in Logistics Please use chat and for for questions questions I you have have! According to Merriam-Webster online sustained physical or mental effort to overcome obstacles and

605 views • 34 slides
Judging Tips, Tricks, Rules, and Regulations Without judges, we could not have a Science Day!

Judging Tips, Tricks, Rules, and Regulations Without judges, we could not have a Science Day!

Judging Tips, Tricks, Rules, and Regulations Without judges, we could not have a Science Day! We appreciate you giving up your Saturday to be with us, and hope you find the experience enjoyable. There will be a light breakfast

506 views • 28 slides
Backpropagation and Gradients Agenda Motivation Backprop Tips & Tricks

Backpropagation and Gradients Agenda Motivation Backprop Tips & Tricks

Backpropagation and Gradients Agenda Motivation Backprop Tips & Tricks Matrix calculus primer Example: 2-layer Neural Network Motivation Recall: Optimization objective is minimize loss Goal: how should we tweak the

428 views • 28 slides
Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I?

Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I?

Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I? Software Engineer Technical Team Leader Author of "Idiomatic Python Performance" (Apress) Speaker @ EuroPython, PyCon UK, PySS &

320 views • 15 slides
Js tips and tricks javascript is bad javascript is good - You can change the appearance and

Js tips and tricks javascript is bad javascript is good - You can change the appearance and

Js tips and tricks javascript is bad javascript is good - You can change the appearance and behaviour of everything that you see in a webpage - Extremely easy to make other people access your work - You can write good code if you know how

424 views • 41 slides
Tools, Tips and Tricks for Managing Cray XT Systems A perspective on what , why , and how for

Tools, Tips and Tricks for Managing Cray XT Systems A perspective on what , why , and how for

CUG2010 2010-05-24 Tools, Tips and Tricks for Managing Cray XT Systems A perspective on what , why , and how for managing complex systems in a hostile world. Kurt Carlson kcarlson@arsc.edu University of Alaska http://www.uaf.edu/ Arctic

157 views • 14 slides
Tips n Tricks with ColumnStore Jim Tommaney Alibaba Cloud 2006-2014 - InfiniDB Chief

Tips n Tricks with ColumnStore Jim Tommaney Alibaba Cloud 2006-2014 - InfiniDB Chief

Tips n Tricks with ColumnStore Jim Tommaney Alibaba Cloud 2006-2014 - InfiniDB Chief Architect/CTO Tips n Tricks with ColumnStore about Jim Tommaney 25+ years data architecture, modeling, tuning 2006-2014 Chief Architect/CTO for

872 views • 47 slides
WebEx Success Tips and Tricks Please keep your cameras off You will be automatically muted

WebEx Success Tips and Tricks Please keep your cameras off You will be automatically muted

6/8/2020 WebEx Success Tips and Tricks Please keep your cameras off You will be automatically muted when you join the meeting Do not put the WebEx on hold Make sure you do not have 2 audio functions on (example: the phone

820 views • 26 slides
Staying up-to-date with the literature: tips and tricks Jo Simons & Simon Esling Te

Staying up-to-date with the literature: tips and tricks Jo Simons & Simon Esling Te

Staying up-to-date with the literature: tips and tricks Jo Simons & Simon Esling Te Tumu Herenga - Libraries and Learning Services Discuss Introduce yourself to your neighbours What are you researching? Are you having

536 views • 36 slides

More recommend