10:00 AM
to 11:00 AM

Jeongwook Oh: Fight Against 1-Day Exploits
87 Attendees
Location Augustus Ballroom 1-2
  Jeongwook Oh
  This is about binary diffing vs. anti-binary-diffing techniques. A security patch is usually meant to fix security vulnerabilities; it is for fixing problems and protecting users and computers from risks. But what if releasing a patch imposes new threats? We call this threat 1-day exploits. Just a few minutes after the release of patches, binary diffing techniques can be used to identify the vulnerabilities that the security patches are remedying. Since being introduced by Halvar a few years ago, binary diffing is now a common and easily affordable technique. Aside from expensive commercial tools like "bindiff," there are already 2-3 free or open-source tools that can be used to identify the exact patched points in the patch files.
This binary diffing technique is especially useful for Microsoft binaries. Unlike other vendors, they release patches regularly, and the patched vulnerabilities are relatively concentrated in small areas of the code. That makes the patched part more visible and apparent to patch analyzers. We already developed the "eEye Binary Diffing Suites" back in 2006, and it is widely used by security researchers to identify vulnerabilities. Even though it's free and open source, it's powerful enough to be used for vulnerability hunting. So virtually, attackers have access to all the tools and theories they need to identify unknown vulnerabilities that have just been patched. They can launch attacks during the time frame in which users or corporations are applying patches (typically a few hours to a few days).
From our observations during the past few years, all the important security patches were binary diffed manually or automatically using tools. Sometimes the researchers claimed they finished analyzing patches in just 20-30 minutes. Within a day at most, it's possible to identify the vulnerability itself and make working exploits. So now it has become crucial to make these practices more difficult and time-consuming, so as to earn more time for consumers to apply patches. Even though using severe code obfuscation is not an option for Microsoft's products, they can still follow some strategies and techniques to defeat binary diffing processes without forsaking stability and usability. We are going to show the methods and tactics to make binary differs' lives harder, and will show the in-house tool that obfuscates binaries in a way that especially confuses binary differs.

11:15 AM
to 12:30 PM

Nick Harbour: Win at Reversing
102 Attendees
Location Augustus Ballroom 1-2
  Nick Harbour
  This presentation will discuss a new free tool for Reverse Engineering called API Thief, the "I Win" button for malware analysis. The unique way the tool operates will be explored, as well as how it is able to provide better quality data than other tracing tools currently available. Advanced usage of the tool for malware analysis will be demonstrated, such as Sandboxing functionality and a new technique for automated unpacking.

1:45 PM
to 3:00 PM

Danny Quist & Lorie Liebrock: Reverse Engineering by Crayon
76 Attendees
Location Augustus Ballroom 1-2
  Danny Quist, Lorie Liebrock
  Recent advances in hypervisor based application profilers have changed the game of reverse engineering. These powerful tools have made it orders of magnitude easier to reverse engineer and enabled the next generation of analysis techniques. We will also present and release our tool VERA, which is an advanced code visualization and profiling tool that integrates with the Ether Xen extensions. VERA allows for high-level program monitoring, as well as low-level code analysis. Using VERA, we'll show how easy the process of unpacking armored code is, as well as identifying relevant and interesting portions of executables. VERA integrates with IDA Pro easily and helps you to annotate the executable before looking at a single assembly instruction. Initial testing with inexperienced reversers has shown that this tool provides an order of magnitude speedup compared to traditional techniques.

3:15 PM
to 4:30 PM

K. Chen: Reversing and Exploiting an Apple® Firmware Update
51 Attendees
Location Augustus Ballroom 1-2
  K. Chen
  I describe how an attacker can install malicious code into the firmware of an Apple aluminum keyboard.

4:45 PM
to 6:00 PM

Mario Vuksan: Fast & Furious Reverse Engineering with TitanEngine
51 Attendees
Location Augustus Ballroom 1-2
  Mario Vuksan, Tomislav Pericin
  A great challenge of modern reverse engineering is taking apart and analyzing binary protections. During the last decade, a vast number of shell modifiers have appeared. At the same time, protection tools have evolved from encryption that protects executable and data parts to sophisticated protections that are "packed" with tricks specifically tasked to slow down the reversing process. As the number of such techniques increases, we need to ask ourselves: can we keep up with the tools that we have?
Come to this talk to learn the optimal strategies for dealing with complex binary code and to see in action the new open source framework, the TitanEngine, addressing advanced file analysis. Today, reverse engineers are limited to writing their own code for every new scenario they encounter or to using outdated solutions that do not cover all the needed aspects. Yet when speed is of the essence, as in dealing with new outbreaks or botnet infections, new tools are necessary to deal with the large volume of incoming samples. Accurate detection, relevant data extraction and fast decomposition in a safe and controlled manner are critical requirements.
TitanEngine has been designed so that writing unpackers would mimic the manual unpacking process. Guided execution with the set of callbacks simulates the presence of a reverse engineer. This is done by creating an execution timeline equal to the one used by reverse engineers to unpack the file. Information is gathered as the execution is led to the point from where the protection passes the control to the original code. At that point we have all the data we need to create a sample valid for execution and further analysis. During the talk, a new open source project, the TitanEngine, will be introduced and discussed in detail. Special attention will be given to addressing automation problems when writing unpackers. We will cover the following topics:
* In-depth description of integrated x86/x64 debugger
* Debugger: software, hardware, memory, library and flex breakpoints
* Dumping memory and loaded modules
* Comprehensive description of integrated import resolving module
* Repairing import table with a simple data gathering
* Automatic scan for all known import redirections and eliminations
* In-depth description of integrated PE file manipulation module
* Working with PE header, imports, exports, relocations, resources
* Complete description on how to use the engine to write an unpacker
* Making an executable unpacker
* Making a library unpacker

The talk will conclude with demos of two new tools that are based on the TitanEngine:
* RL!dePacker - generic PE x86/x64 unpacker supporting over 100 formats
* ImportStudio - OllyDBG plugin which provides an interface for easily fixing imports

This talk will be a Black Hat exclusive: a launch and demonstration of the major version upgrades of RL!dePacker and ImportStudio that are based on the new open source project titled "The TitanEngine." All components will be available for distribution with the conference materials.