SlideShare a Scribd company logo

Reconstructing Gapz: Position-Independent Code Analysis Problem

Alex Matrosov
Alex Matrosov

This document summarizes the Gapz malware, including its dropper, bootkit, rootkit, and payload capabilities. The dropper uses an explorer.exe code injection trick to bypass HIPS. The bootkit implements a new VBR technique and hooks various boot components. The rootkit implements a hidden FAT32 file system and self-defense mechanisms. It also injects a user-mode payload and establishes covert network communication using an HTTP protocol. Forensic approaches discussed include a hidden file system reader tool and challenges in reconstructing C++ code.

Technology
1 of 89
Download to read offline
Reconstructing Gapz: Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov @vxradius
Outline of The Presentation  Gapz: dropper  exploprer.exe code injection trick  Gapz: bootkit  Classification of modern bootkits  New VBR bootkit technique  Gapz: payload  Hidden file system implementation  Disk hooks and Hooking engine  NDIS, TCP/IP stack implementation, HTTP protocol  C&C communications  Gapz: forensic approaches  HexRaysCodeXplorer
Gapz: dropper
PowerLoader Builder (since September 2012)
PowerLoader Builder (since September 2012)
Gapz Dropper Execution Stages Injecting into explorer.exe (entry point) Local Privilege Escalation (icmnf) Infecting the system (isyspf) stage 1 stage 2
Bypassing HIPS with eplorer.exe Code Injection opens shared sections from BaseNamedObjects mapped into explorer.exe and writes shellcode
Bypassing HIPS with eplorer.exe Code Injection The dropper searches for the window “Shell_TrayWnd”
Bypassing HIPS with eplorer.exe Code Injection The dropper calls GetWindowLong() so as to get the address of the routine related to the “Shell_TrayWnd” window handler The dropper calls SetWindowLong() to modify “Shell_TrayWnd” window-related data
Bypass HIPS with eplorer.exe Code Injection calls SendNotifyMessage() to trigger shellcode execution in explorer.exe address space arbitrary code execution in WndProc() of “Shell_TrayWnd”:
Triggering Shellcode Execution SendNotifyMessage() transfers control to the address pointed to address points to the KiUserApcDispatcher() routine
Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode
Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode
Triggering Shellcode Execution
Gapz: bootkit
Modern Bootkits Classification (BIOS based) Bootkits MBR VBR/IPL MBR Code modification Partition Table modification IPL Code modification BIOS Parameter Block modification TDL4 Olmasco Rovnix Gapz
Gapz Bootkit Overview Module Name Hooked Routine ntldr BlLoadBootDrivers bootmgr Archx86TransferTo32BitApplicationAsm winload.exe OslArchtransferToKernel ntoskrnl.exe IoInitSystem Gapz bootkit features:  hooks int 13h handler  patches modules: ntldr, bootmgr, winload.exe, kernel image to survive processor execution mode switching and kernel-mode code integrity checks
Gapz Bootkit Workflow Hook Archx86TransferTo32BitApplicationAsm in bootmgr Hook OslArchTransferToKernel in winload.exe Hook IoInitSystem in kernel image Int 13h handler is hooked Bootmgr loads winload.exe Winload.exe loads kernel image Bootkit loads malicious kernel-mode code and runs it in a new system thread
Gapz VBR Bootkit Gapz VBR bootkit features:  Relies on Microsoft Windows VBR layout  The infections results in modifying only 4 bytes of VBR  The patched bytes might differ on various installations jmp BIOS Parameter Block (BPB) VBR code Text Strings 0x55 0xAA 0x000 0x003 0x054 0x19C 0x1FE 0x200 transfer control
Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
Gapz BPB Modification MBR NTFS File SystemIPLVBR NTFS Volume 0x200 0x1E00 Number of “Hidden Sectors” MBR NTFS File SystemIPL Infected VBR NTFS Volume 0x200 0x1E00 Hard Drive Modified value of number of “Hidden Sectors” Bootkit before infection after infection
Gapz: rootkit
Gapz Rootkit Overview Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism
Gapz Rootkit Overview Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism
Gapz Kernel-mode Code Organization struct GAPZ_BASIC_BLOCK_HEADER { // A constant which is used to obtain addresses // of the routines implemented in the block unsigned int ProcBase; unsigned int Reserved[2]; // Offset to the next block unsigned int NextBlockOffset; // Offset of the routine performing block initialization unsigned int BlockInitialization; // Offset to configuration information // from the end of the kernel-mode module // valid only for the first block unsigned int CfgOffset; // Set to zeroes unsigned int Reserved1[2]; };
Gapz Kernel-mode Code Blocks Block # Implemented Functionality 1 General API, gathering information on the hard drives, CRT string routines and etc. 2 Cryptographic library: RC4, MD5, SHA1, AES, BASE64 and etc. 3 Hooking engine, disassembler engine. 4 Hidden Storage implementation. 5 Hard disk driver hooks, self-defense. 6 Payload manager. 7 Payload injector into processes’ user-mode address space. 8 Network communication: Data link layer. 9 Network communication: Transport layer. 10 Network communication: Protocol layer. 11 Payload communication interface. 12 Main routine.
Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
Gapz Crypto Library Implementation  Gapz crypto library functionality:  Hashing: MD5, SHA1  Symmetric ciphers: RC4, AES  Asymmetric cipher: ECC
Gapz Self-Defence Mechanisms  Gapz hooks IRP_MJ_INTERNAL_DEVICE_CONTROL and IRP_MJ_DEVICE_CONTROL handlers to monitor:  IOCTL_SCSI_PASS_THROUGH  IOCTL_SCSI_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH  IOCTL_ATA_PASS_THROUGH_DIRECT  Gapz protects:  MBR/VBR from being read/overwritten  its image on the hard drive from being overwritten
Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked (nop; mov edi, edi; etc.):
Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked (nop; mov edi, edi; etc.):
Gapz Code Injection Functionality Allocate memory buffer in target process address space Write payload and loader code into allocated buffer Create remote thread in the target process Loader code DLL loader (load/unload DLL modules) Command executer (call specific handler in DLL payload and pass necessary parameters) EXE loader 1 (run EXE modules) EXE loader 2 (run EXE modules)
Gapz Payload Loader Code: DLL Loader & Command Executer Map image into address space Fix relocations and initialize IAT Load or unload? Execute export #1 Execute export #2 Release image memory unload load
Gapz Payload Loader Code: EXE Loaders Drop payload image into %TEMP% directory Execute CreateProcessW API EXE Loader 1 Create legitimate suspended process (via CreateProcessAsUser) Overwrite process image with the malicious one Set process thread context according to malicious image Resume process thread EXE Loader 2
Gapz Network Protocol Implementation svchost.exe overlord32(64).dll Win32/Gapz kernel-mode module TCP/IP protocol stack implementation Message to be sent to C&C Server user mode kernel mode C&C Server Send using Win32 socket implementation Send directly using NDIS miniport driver
Gapz Network Protocol Architecture Gapz implementation OSI Model HTTP protocol (block #10) TCP/IP protocol (block #9) NDIS miniport wrapper (block #8) Application/Presentation Layer Network/Transport Layer Data Link Layer
Gapz Network Protocol Implementation: NDIS Gapz network protocol stack relies on miniport adapter driver: Miniport adapter driver Intermediate driver Protocol driver (tcpip.sys) Filter driver......... At the level of protocol or intermediate drivers Win32/Gapz’s network packet is “invisible” Win32/Gapz communicates directly to miniport adapter Win32/Gapz Network packet
Gapz C&C Communication Protocol  Gapz communicates to C&C servers over HTTP protocol  Capabilities of the protocol:  00 - download payload  01 - send bot information to C&C  02 - request payload download information  03 - report on running payload  04 - update payload download URL  The requests corresponding to commands 0x01, 0x02 and 0x03 are performed by the POST method of the HTTP protocol.
Gapz C&C Communication Protocol: HTTP Request Message HeaderHTTP Header Request specific data HTTP header HTTP body struct MESSAGE_HEADER { // Output of PRNG unsigned char random[128]; // a DWORD from configuration file unsigned int reserved; // A binary string which is used to authenticate C&C servers unsigned char auth_str[64]; };
Gapz C&C Communication Protocol: HTTP Request Message HeaderHTTP Header Request specific data HTTP header HTTP body struct MESSAGE_HEADER { // Output of PRNG unsigned char random[128]; // a DWORD from configuration file unsigned int reserved; // A binary string which is used to authenticate C&C servers unsigned char auth_str[64]; };
Gapz C&C Communication Protocol: C&C Reply Encrypted rc4 key K1 HTTP Header Reply specific data HTTP message header HTTP message body Authentication string rc4 encrypted data with key k1 Decrypt key K1 Decrypt authentication string and reply-specific data using key K1 Check authentication string Process reply-specific data Reject reply-specific data matchdoesn’t match
Gapz C&C Communication Protocol: URLs
Gapz C&C Communication Protocol: URLs
Gapz User-mode Payload Functionality The module overlord32(64).dll is essential part of the Gapz bootkit Overlord32(64).dll is injected into svchost.exe process Overlord32(64).dll dispatches the requests from kernel-mode Cmd # Command Description 0 gather information about all the network adapters installed in the system and their properties and send it to kernel-mode module 1 gather information on the presence of particular software in the system 2 check internet connection by trying to reach update.microsoft.com 3 send & receive data from a remote host using Windows sockets 4 get the system time from time.windows.com 5 get the host IP address given its domain name (via Win32 API gethostbyname) 6 get Windows shell (by means of querying “Shell” value of “SoftwareMicrosoftWindows NTCurrentVersionWinlogon” registry key)
Gapz User-mode Payload Interface Gapz impersonates the handler of the payload requests in the null.sys driver to communicate with the injected payload: Win32/Gapz module DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload = NULL DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler Gapz’s hook jmp gapz_hook Payload interface before patching after patching
Gapz User-mode Payload Interface Gapz impersonates the handler of the payload requests in the null.sys driver to communicate with the injected payload: Win32/Gapz module DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload = NULL DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler Gapz’s hook jmp gapz_hook Payload interface before patching after patching
Modern bootkits comparison Functionality Gapz Olmarik (TDL4) Rovnix (Cidox) Goblin (XPAJ) Olmasco (MaxSS) MBR modification      VBR modification      Hidden file system type FAT32 custom FAT16 modification custom (TDL4 based) custom Crypto implementation AES-256, RC4, MD5, SHA1, ECC XOR/RC4 Custom (XOR+ROL)  RC6 modification Compression algorithm   aPlib aPlib  Custom TCP/IP network stack     
Gapz: forensic approaches
Hidden File System Reader
Hidden File System Reader
Hidden File System Reader
HiddenFsReader: Free public forensic tool http://download.eset.com/special/ESETHfsReader.exe
C++ code reconstruction problems
C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction  Identify constructors/destructors  Identify class members  Local/global type reconstruction  Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
C++ Code Reconstruction Problems Class A vfPtr a1() a2() A::vfTable meta A::a1() A::a2() RTTI Object Locator signature pTypeDescriptor pClassDescriptor
C++ Code Reconstruction Problems
Identify Smart Pointer Structure
Identify Exact Virtual Function Call in vtable
Identify Exact Virtual Function Call in vtable
Identify Exact Virtual Function Call in vtable
Identify Objects Constructors
Identify Objects Constructors
Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
Reconstructing Object’s Methods
Reconstructing Object’s Methods
Reconstructing Object’s Methods
HexRaysCodeXplorer
HexRaysCodeXplorer Features  Hex-Rays decompiler plugin  The plugin was designed to facilitate static analysis of:  object oriented code  position independent code  The plugin allows to:  navigate through decompiled virtual methods  partially reconstruct object type
Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
HexRaysCodeXplorer: Gapz Position Independent Code
HexRaysCodeXplorer: Virtual Methods  The IDA’s “Local Types” is used to represent object type
 Hex-Rays decompiler plugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
 Hex-Rays decompiler plugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
DEMO
HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction  citem_t objects to monitor:  memptr  idx  memref  call (LOBYTE, etc.)
DEMO
http://REhints.com Follow us on twitter and github:  @REhints  https://github.com/REhints Beta testing will be open in July  send request to info@REhints.com
References  Gapz and Redyms droppers based on Power Loader code http://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/  Mind the Gapz: The most complex bootkit ever analyzed? http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf  Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy http://go.eset.com/us/resources/white-papers/Rodionov-Matrosov.pdf  Defeating Anti-Forensics in Contemporary Complex Threats http://go.eset.com/us/resources/white-papers/Matrosov_Rodionov_VB2012.pdf  Bootkit Threats: In-Depth Reverse Engineering & Defense http://www.welivesecurity.com/wp-content/media_files/REcon2012.pdf
Thank you for your attention! Aleksandr Matrosov @matrosov Eugene Rodionov @vxradius

Recommended

Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode CompositionsVasily Sartakov
 
Genode Components
Genode ComponentsGenode Components
Genode ComponentsVasily Sartakov
 

Recommended

Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode CompositionsVasily Sartakov
 
Genode Components
Genode ComponentsGenode Components
Genode ComponentsVasily Sartakov
 
Genode Architecture
Genode ArchitectureGenode Architecture
Genode ArchitectureVasily Sartakov
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법GangSeok Lee
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?Tetsuyuki Kobayashi
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011pundiramit
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentMohammed Farrag
 
Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Shakacon
 
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Tetsuyuki Kobayashi
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practicalMoabi.com
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdwebuploader
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
Android - ADB
Android - ADBAndroid - ADB
Android - ADBYossi Gruner
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
RunningFreeBSDonLinuxKVM
RunningFreeBSDonLinuxKVMRunningFreeBSDonLinuxKVM
RunningFreeBSDonLinuxKVMTakeshi HASEGAWA
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 

More Related Content

What's hot

How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법GangSeok Lee
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?Tetsuyuki Kobayashi
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011pundiramit
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentMohammed Farrag
 
Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Shakacon
 
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Tetsuyuki Kobayashi
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practicalMoabi.com
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdwebuploader
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 

What's hot (20)

Genode Architecture
Genode ArchitectureGenode Architecture
Genode Architecture
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew Suarez
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
 
Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!
 
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsd
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
 
Android - ADB
Android - ADBAndroid - ADB
Android - ADB
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradication
 
RunningFreeBSDonLinuxKVM
RunningFreeBSDonLinuxKVMRunningFreeBSDonLinuxKVM
RunningFreeBSDonLinuxKVM
 

Viewers also liked

Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyCODE BLUE
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIAleksey Lukatskiy
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 

Viewers also liked (16)

Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 

Similar to Reconstructing Gapz: Position-Independent Code Analysis Problem

[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹GangSeok Lee
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareCylance
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackTomer Zait
 
Hadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault InjectionHadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault InjectionCloudera, Inc.
 
Android Logging System
Android Logging SystemAndroid Logging System
Android Logging SystemWilliam Lee
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackironSource
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdbRoman Podoliaka
 
Porting C++ apps to FLASCC
Porting C++ apps to FLASCCPorting C++ apps to FLASCC
Porting C++ apps to FLASCCPavel Nakaznenko
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit developmentPayampardaz
 
Java 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovJava 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovSvetlin Nakov
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosurech0psticks
 

Similar to Reconstructing Gapz: Position-Independent Code Analysis Problem (20)

[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security Software
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
Hadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault InjectionHadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault Injection
 
Android Logging System
Android Logging SystemAndroid Logging System
Android Logging System
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
EKON27_Pas2JS_sign.pdf
EKON27_Pas2JS_sign.pdfEKON27_Pas2JS_sign.pdf
EKON27_Pas2JS_sign.pdf
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdb
 
Porting C++ apps to FLASCC
Porting C++ apps to FLASCCPorting C++ apps to FLASCC
Porting C++ apps to FLASCC
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
Xdebug from a to x
Xdebug from a to xXdebug from a to x
Xdebug from a to x
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
 
Revers engineering
Revers engineeringRevers engineering
Revers engineering
 
A Life of breakpoint
A Life of breakpointA Life of breakpoint
A Life of breakpoint
 
Building
BuildingBuilding
Building
 
Java 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovJava 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin Nakov
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Reconstructing Gapz: Position-Independent Code Analysis Problem

  • 1. Reconstructing Gapz: Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov @vxradius
  • 2. Outline of The Presentation  Gapz: dropper  exploprer.exe code injection trick  Gapz: bootkit  Classification of modern bootkits  New VBR bootkit technique  Gapz: payload  Hidden file system implementation  Disk hooks and Hooking engine  NDIS, TCP/IP stack implementation, HTTP protocol  C&C communications  Gapz: forensic approaches  HexRaysCodeXplorer
  • 4. PowerLoader Builder (since September 2012)
  • 5. PowerLoader Builder (since September 2012)
  • 6. Gapz Dropper Execution Stages Injecting into explorer.exe (entry point) Local Privilege Escalation (icmnf) Infecting the system (isyspf) stage 1 stage 2
  • 7. Bypassing HIPS with eplorer.exe Code Injection opens shared sections from BaseNamedObjects mapped into explorer.exe and writes shellcode
  • 8. Bypassing HIPS with eplorer.exe Code Injection The dropper searches for the window “Shell_TrayWnd”
  • 9. Bypassing HIPS with eplorer.exe Code Injection The dropper calls GetWindowLong() so as to get the address of the routine related to the “Shell_TrayWnd” window handler The dropper calls SetWindowLong() to modify “Shell_TrayWnd” window-related data
  • 10. Bypass HIPS with eplorer.exe Code Injection calls SendNotifyMessage() to trigger shellcode execution in explorer.exe address space arbitrary code execution in WndProc() of “Shell_TrayWnd”:
  • 11. Triggering Shellcode Execution SendNotifyMessage() transfers control to the address pointed to address points to the KiUserApcDispatcher() routine
  • 12. Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode
  • 13. Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode
  • 16. Modern Bootkits Classification (BIOS based) Bootkits MBR VBR/IPL MBR Code modification Partition Table modification IPL Code modification BIOS Parameter Block modification TDL4 Olmasco Rovnix Gapz
  • 17. Gapz Bootkit Overview Module Name Hooked Routine ntldr BlLoadBootDrivers bootmgr Archx86TransferTo32BitApplicationAsm winload.exe OslArchtransferToKernel ntoskrnl.exe IoInitSystem Gapz bootkit features:  hooks int 13h handler  patches modules: ntldr, bootmgr, winload.exe, kernel image to survive processor execution mode switching and kernel-mode code integrity checks
  • 18. Gapz Bootkit Workflow Hook Archx86TransferTo32BitApplicationAsm in bootmgr Hook OslArchTransferToKernel in winload.exe Hook IoInitSystem in kernel image Int 13h handler is hooked Bootmgr loads winload.exe Winload.exe loads kernel image Bootkit loads malicious kernel-mode code and runs it in a new system thread
  • 19. Gapz VBR Bootkit Gapz VBR bootkit features:  Relies on Microsoft Windows VBR layout  The infections results in modifying only 4 bytes of VBR  The patched bytes might differ on various installations jmp BIOS Parameter Block (BPB) VBR code Text Strings 0x55 0xAA 0x000 0x003 0x054 0x19C 0x1FE 0x200 transfer control
  • 20. Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
  • 21. Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
  • 22. Gapz BPB Modification MBR NTFS File SystemIPLVBR NTFS Volume 0x200 0x1E00 Number of “Hidden Sectors” MBR NTFS File SystemIPL Infected VBR NTFS Volume 0x200 0x1E00 Hard Drive Modified value of number of “Hidden Sectors” Bootkit before infection after infection
  • 24. Gapz Rootkit Overview Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism
  • 25. Gapz Rootkit Overview Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism
  • 26. Gapz Kernel-mode Code Organization struct GAPZ_BASIC_BLOCK_HEADER { // A constant which is used to obtain addresses // of the routines implemented in the block unsigned int ProcBase; unsigned int Reserved[2]; // Offset to the next block unsigned int NextBlockOffset; // Offset of the routine performing block initialization unsigned int BlockInitialization; // Offset to configuration information // from the end of the kernel-mode module // valid only for the first block unsigned int CfgOffset; // Set to zeroes unsigned int Reserved1[2]; };
  • 27. Gapz Kernel-mode Code Blocks Block # Implemented Functionality 1 General API, gathering information on the hard drives, CRT string routines and etc. 2 Cryptographic library: RC4, MD5, SHA1, AES, BASE64 and etc. 3 Hooking engine, disassembler engine. 4 Hidden Storage implementation. 5 Hard disk driver hooks, self-defense. 6 Payload manager. 7 Payload injector into processes’ user-mode address space. 8 Network communication: Data link layer. 9 Network communication: Transport layer. 10 Network communication: Protocol layer. 11 Payload communication interface. 12 Main routine.
  • 28. Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
  • 29. Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
  • 30. Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
  • 31. Gapz Crypto Library Implementation  Gapz crypto library functionality:  Hashing: MD5, SHA1  Symmetric ciphers: RC4, AES  Asymmetric cipher: ECC
  • 32. Gapz Self-Defence Mechanisms  Gapz hooks IRP_MJ_INTERNAL_DEVICE_CONTROL and IRP_MJ_DEVICE_CONTROL handlers to monitor:  IOCTL_SCSI_PASS_THROUGH  IOCTL_SCSI_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH  IOCTL_ATA_PASS_THROUGH_DIRECT  Gapz protects:  MBR/VBR from being read/overwritten  its image on the hard drive from being overwritten
  • 33. Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked (nop; mov edi, edi; etc.):
  • 34. Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked (nop; mov edi, edi; etc.):
  • 35. Gapz Code Injection Functionality Allocate memory buffer in target process address space Write payload and loader code into allocated buffer Create remote thread in the target process Loader code DLL loader (load/unload DLL modules) Command executer (call specific handler in DLL payload and pass necessary parameters) EXE loader 1 (run EXE modules) EXE loader 2 (run EXE modules)
  • 36. Gapz Payload Loader Code: DLL Loader & Command Executer Map image into address space Fix relocations and initialize IAT Load or unload? Execute export #1 Execute export #2 Release image memory unload load
  • 37. Gapz Payload Loader Code: EXE Loaders Drop payload image into %TEMP% directory Execute CreateProcessW API EXE Loader 1 Create legitimate suspended process (via CreateProcessAsUser) Overwrite process image with the malicious one Set process thread context according to malicious image Resume process thread EXE Loader 2
  • 38. Gapz Network Protocol Implementation svchost.exe overlord32(64).dll Win32/Gapz kernel-mode module TCP/IP protocol stack implementation Message to be sent to C&C Server user mode kernel mode C&C Server Send using Win32 socket implementation Send directly using NDIS miniport driver
  • 39. Gapz Network Protocol Architecture Gapz implementation OSI Model HTTP protocol (block #10) TCP/IP protocol (block #9) NDIS miniport wrapper (block #8) Application/Presentation Layer Network/Transport Layer Data Link Layer
  • 40. Gapz Network Protocol Implementation: NDIS Gapz network protocol stack relies on miniport adapter driver: Miniport adapter driver Intermediate driver Protocol driver (tcpip.sys) Filter driver......... At the level of protocol or intermediate drivers Win32/Gapz’s network packet is “invisible” Win32/Gapz communicates directly to miniport adapter Win32/Gapz Network packet
  • 41. Gapz C&C Communication Protocol  Gapz communicates to C&C servers over HTTP protocol  Capabilities of the protocol:  00 - download payload  01 - send bot information to C&C  02 - request payload download information  03 - report on running payload  04 - update payload download URL  The requests corresponding to commands 0x01, 0x02 and 0x03 are performed by the POST method of the HTTP protocol.
  • 42. Gapz C&C Communication Protocol: HTTP Request Message HeaderHTTP Header Request specific data HTTP header HTTP body struct MESSAGE_HEADER { // Output of PRNG unsigned char random[128]; // a DWORD from configuration file unsigned int reserved; // A binary string which is used to authenticate C&C servers unsigned char auth_str[64]; };
  • 43. Gapz C&C Communication Protocol: HTTP Request Message HeaderHTTP Header Request specific data HTTP header HTTP body struct MESSAGE_HEADER { // Output of PRNG unsigned char random[128]; // a DWORD from configuration file unsigned int reserved; // A binary string which is used to authenticate C&C servers unsigned char auth_str[64]; };
  • 44. Gapz C&C Communication Protocol: C&C Reply Encrypted rc4 key K1 HTTP Header Reply specific data HTTP message header HTTP message body Authentication string rc4 encrypted data with key k1 Decrypt key K1 Decrypt authentication string and reply-specific data using key K1 Check authentication string Process reply-specific data Reject reply-specific data matchdoesn’t match
  • 45. Gapz C&C Communication Protocol: URLs
  • 46. Gapz C&C Communication Protocol: URLs
  • 47. Gapz User-mode Payload Functionality The module overlord32(64).dll is essential part of the Gapz bootkit Overlord32(64).dll is injected into svchost.exe process Overlord32(64).dll dispatches the requests from kernel-mode Cmd # Command Description 0 gather information about all the network adapters installed in the system and their properties and send it to kernel-mode module 1 gather information on the presence of particular software in the system 2 check internet connection by trying to reach update.microsoft.com 3 send & receive data from a remote host using Windows sockets 4 get the system time from time.windows.com 5 get the host IP address given its domain name (via Win32 API gethostbyname) 6 get Windows shell (by means of querying “Shell” value of “SoftwareMicrosoftWindows NTCurrentVersionWinlogon” registry key)
  • 48. Gapz User-mode Payload Interface Gapz impersonates the handler of the payload requests in the null.sys driver to communicate with the injected payload: Win32/Gapz module DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload = NULL DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler Gapz’s hook jmp gapz_hook Payload interface before patching after patching
  • 49. Gapz User-mode Payload Interface Gapz impersonates the handler of the payload requests in the null.sys driver to communicate with the injected payload: Win32/Gapz module DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload = NULL DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler Gapz’s hook jmp gapz_hook Payload interface before patching after patching
  • 50. Modern bootkits comparison Functionality Gapz Olmarik (TDL4) Rovnix (Cidox) Goblin (XPAJ) Olmasco (MaxSS) MBR modification      VBR modification      Hidden file system type FAT32 custom FAT16 modification custom (TDL4 based) custom Crypto implementation AES-256, RC4, MD5, SHA1, ECC XOR/RC4 Custom (XOR+ROL)  RC6 modification Compression algorithm   aPlib aPlib  Custom TCP/IP network stack     
  • 55. HiddenFsReader: Free public forensic tool http://download.eset.com/special/ESETHfsReader.exe
  • 57. C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction  Identify constructors/destructors  Identify class members  Local/global type reconstruction  Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
  • 58. C++ Code Reconstruction Problems Class A vfPtr a1() a2() A::vfTable meta A::a1() A::a2() RTTI Object Locator signature pTypeDescriptor pClassDescriptor
  • 61. Identify Exact Virtual Function Call in vtable
  • 62. Identify Exact Virtual Function Call in vtable
  • 63. Identify Exact Virtual Function Call in vtable
  • 66. Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
  • 67. Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
  • 72. HexRaysCodeXplorer Features  Hex-Rays decompiler plugin  The plugin was designed to facilitate static analysis of:  object oriented code  position independent code  The plugin allows to:  navigate through decompiled virtual methods  partially reconstruct object type
  • 73. Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
  • 74. Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
  • 75. Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
  • 76. Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
  • 78. HexRaysCodeXplorer: Virtual Methods  The IDA’s “Local Types” is used to represent object type
  • 79.  Hex-Rays decompiler plugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
  • 80.  Hex-Rays decompiler plugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
  • 81. DEMO
  • 82. HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
  • 83. HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
  • 84. HexRaysCodeXplorer: Object Type REconstruction  citem_t objects to monitor:  memptr  idx  memref  call (LOBYTE, etc.)
  • 85. DEMO
  • 86. http://REhints.com Follow us on twitter and github:  @REhints  https://github.com/REhints Beta testing will be open in July  send request to info@REhints.com
  • 87. References  Gapz and Redyms droppers based on Power Loader code http://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/  Mind the Gapz: The most complex bootkit ever analyzed? http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf  Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy http://go.eset.com/us/resources/white-papers/Rodionov-Matrosov.pdf  Defeating Anti-Forensics in Contemporary Complex Threats http://go.eset.com/us/resources/white-papers/Matrosov_Rodionov_VB2012.pdf  Bootkit Threats: In-Depth Reverse Engineering & Defense http://www.welivesecurity.com/wp-content/media_files/REcon2012.pdf
  • 88.
  • 89. Thank you for your attention! Aleksandr Matrosov @matrosov Eugene Rodionov @vxradius