Deobfuscation and beyond (ZeroNights, 2014)

Vasily Bukasov and Dmitry Schelkunov
https://re-crypt.com
Agenda

• We'll speak about the obfuscation techniques that commercial (and not only commercial) obfuscators use, and how symbolic equation systems could help to deobfuscate such transformations
• We'll form the requirements for these systems
• We'll briefly skim over the design of our mini symbolic equation system and show the results of deobfuscation (and not only) using it
Software obfuscation

• Is used for software protection against computer piracy
• Is used for malware protection against signature-based and heuristic-based antiviruses
Common obfuscation techniques

• Recursive substitution
• Code duplication
• Code duplication in virtualization obfuscators
Previous research and products

• The Case for Semantics-Based Methods in Reverse Engineering, Rolf Rolles, RECON 2012
• Software deobfuscation methods: analysis and implementation, Sh.F. Kurmangaleev, K.Y. Dolgorukova, V.V. Savchenko, A.R. Nurmukhametov, H.A. Matevosyan, V.P. Korchagin, Proceedings of the Institute for System Programming of RAS, volume 24, 2013
• CodeDoctor
  – deobfuscates simple expressions
  – plugin for OllyDbg and IDA Pro
• VMSweeper
  – declares deobfuscation (devirtualization) of Code Virtualizer/CISC and VMProtect (works well on about 30% of virtualized samples)
  – not a generic tool (heavily relies on templates)
  – works as a decompiler, not an optimizer
  – weak symbolic equation system
• CodeUnvirtualizer
  – declares deobfuscation (devirtualization) of Code Virtualizer/CISC/RISC and the new Themida VMs
  – not a generic tool (heavily relies on templates)
  – no symbolic equation system
• Ariadne
  – complex toolset for deobfuscation and data flow analysis
  – includes a lot of optimization algorithms from compiler theory
  – no symbolic equation system
  – it seems to be dead
• LLVM forks
  – are based on LLVM optimization algorithms (classical compiler theory algorithms)
  – we couldn't find any decently working version
  – are limited by the LLVM architecture (how fast does LLVM work with 500 000 IR instructions? How many system resources does it require?)
The problem

Existing deobfuscation solutions are mostly based on classical compiler theory algorithms and are too weak against modern obfuscators in most cases.
Solution

• Use a symbolic equation system (SES) for deobfuscation
• Form input data for the SES (translate source IR code to the SES representation)
• Simplify expressions using the SES
• Translate results from the SES representation back to IR
• Apply other deobfuscation transformations
Symbolic equation system

Unfortunately, we couldn't find an appropriate third-party symbolic equation system engine and … we decided to create a new one for ourselves. We called it Project Eq.
Eq design

eax.1 = ( ( eax.0 * 0xffffffff ) + 0xffffffff ) ^ 0xffffffff

Step by step (32-bit arithmetic): eax.0 * 0xffffffff is -eax.0, adding 0xffffffff gives -eax.0 - 1 = ~eax.0, and XOR with 0xffffffff inverts all bits back, so the expression tree collapses to the single variable node:

eax.0 (v)
eax.1 = eax.0

Profit! :)
Eq in work

A C++ sample of obfuscated code. It was borrowed :) from VMProtect:

```cpp
#include <cstdint>

// Windows-style type aliases so the sample compiles without <windows.h>
typedef uint32_t UINT32;
typedef uint16_t WORD;
typedef uint8_t  BYTE;

// The union aliases the 32-bit "register" with its low word and its two low bytes
// (little-endian x86 layout: rblow[0] is the least significant byte)
union rebx_type
{
    UINT32 rebx;
    WORD   rbx;
    BYTE   rblow[2];
};

void vmp_constant_playing(rebx_type &rebx)
{
    BYTE var0;
    union var1_type
    {
        UINT32 var;
        WORD   var_med;
        BYTE   var_low;
    } var1;
    var0 = rebx.rblow[0];        // save the low byte of rebx
    rebx.rblow[0] = 0xe7;        // clobber it with a constant
    var1.var_med = rebx.rbx;     // copy the low word out (low byte is now 0xe7)
    var1.var_low = 0x18;         // overwrite its low byte with another constant
    rebx.rbx = var1.var_med;     // write the word back (low byte is now 0x18)
    rebx.rblow[0] = var0;        // restore the saved low byte: rebx is unchanged
}
```

Profit! :)
Eq in work

A C++ sample of obfuscated code. It was borrowed :) from Rustock:

```cpp
#include <cstdint>

typedef uint32_t UINT32;    // Windows-style alias so the sample compiles without <windows.h>

void rustock_sample(UINT32 &rebp, UINT32 &redi, UINT32 &resi)
{
    UINT32 var0, var1, var2;
    var0 = rebp;                 // old rebp
    rebp = redi | rebp;
    var1 = redi & var0;          // redi & old rebp
    resi = ~var1;                // ~(redi & old rebp)
    var2 = rebp & resi;          // (redi | rebp) & ~(redi & rebp) == redi ^ rebp
    redi = var0 ^ var2;          // rebp ^ (redi ^ rebp) == redi, so redi is unchanged
}
```

Profit! :)
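To make the "translate IR to SES, simplify, translate back" loop concrete, here is a small rule-based simplifier written for this page; it is an added example, not Project Eq or any code from the authors. It encodes only the handful of 32-bit rewrite rules needed for the Eq design expression and the Rustock sample above, symbolically executes the Rustock assignments into expression trees, and confirms each simplification on random inputs. The rule set and the tree representation (str for a variable, int for a constant, tuple for an operation) are this example's own choices.

```python
"""Tiny rule-based symbolic simplifier over 32-bit expressions (added example, not Project Eq).
Trees: a str is a variable, an int a constant, a tuple (operator, operand, ...) an operation;
'add' 'mul' 'xor' 'and' 'or' are binary, 'not' 'neg' are unary."""
import random

MASK = 0xFFFFFFFF

def evaluate(e, env):
    """Concrete 32-bit evaluation; used for constant folding and for checking results."""
    if isinstance(e, str): return env[e] & MASK
    if isinstance(e, int): return e & MASK
    a = [evaluate(x, env) for x in e[1:]]
    if e[0] == 'add': return (a[0] + a[1]) & MASK
    if e[0] == 'mul': return (a[0] * a[1]) & MASK
    if e[0] == 'xor': return a[0] ^ a[1]
    if e[0] == 'and': return a[0] & a[1]
    if e[0] == 'or':  return a[0] | a[1]
    if e[0] == 'not': return ~a[0] & MASK
    if e[0] == 'neg': return -a[0] & MASK
    raise ValueError(e[0])

def is_op(e, name):
    return isinstance(e, tuple) and e[0] == name

def rewrite_once(e):
    """Try the rewrite rules at the root of e; return the new tree, or None if none applies."""
    kind, a = e[0], e[1:]
    if all(isinstance(x, int) for x in a):                  # constant folding
        return evaluate(e, {})
    if len(a) == 1:                                         # unary: only ~~x -> x
        return a[0][1] if kind == 'not' and is_op(a[0], 'not') else None
    if isinstance(a[0], int) and not isinstance(a[1], int):
        return (kind, a[1], a[0])                           # keep constants on the right
    if kind == 'mul' and a[1] == MASK:                      # x * 0xffffffff -> -x
        return ('neg', a[0])
    if kind == 'add' and a[1] == MASK and is_op(a[0], 'neg'):
        return ('not', a[0][1])                             # -x + 0xffffffff -> ~x
    if kind == 'xor' and a[1] == MASK:                      # x ^ 0xffffffff -> ~x
        return ('not', a[0])
    if (kind in ('add', 'or', 'xor') and a[1] == 0) or (kind == 'and' and a[1] == MASK):
        return a[0]                                         # identity elements
    if a[0] == a[1]:                                        # x^x -> 0, x&x -> x, x|x -> x
        return 0 if kind == 'xor' else a[0] if kind in ('and', 'or') else None
    for x, y in ((a[0], a[1]), (a[1], a[0])):               # operand-symmetric rules
        if kind == 'xor' and is_op(y, 'xor'):
            if x == y[1]: return y[2]                       # a ^ (a ^ b) -> b
            if x == y[2]: return y[1]
        if (kind == 'and' and is_op(x, 'or') and is_op(y, 'not') and is_op(y[1], 'and')
                and set(x[1:]) == set(y[1][1:])):
            return ('xor', x[1], x[2])                      # (a|b) & ~(a&b) -> a ^ b
    return None

def simplify(e):
    """Bottom-up rewriting to a fixed point; every rule shrinks the tree or moves a constant right."""
    if not isinstance(e, tuple):
        return e
    e = (e[0],) + tuple(simplify(x) for x in e[1:])
    r = rewrite_once(e)
    return e if r is None else simplify(r)

def free_vars(e):
    if isinstance(e, str): return {e}
    if isinstance(e, int): return set()
    return set().union(*(free_vars(x) for x in e[1:]))

def equivalent(e1, e2, trials=2000, seed=1):
    """Cheap sanity check on random 32-bit inputs (not a proof, unlike a real SES or SMT query)."""
    rng = random.Random(seed)
    names = sorted(free_vars(e1) | free_vars(e2))
    return all(evaluate(e1, env) == evaluate(e2, env)
               for env in ({n: rng.getrandbits(32) for n in names} for _ in range(trials)))

def eq_design_example():
    """The slide's expression: eax.1 = ((eax.0 * 0xffffffff) + 0xffffffff) ^ 0xffffffff."""
    return ('xor', ('add', ('mul', 'eax.0', MASK), MASK), MASK)

def rustock_symbolic():
    """Symbolic execution of the Rustock sample: each assignment replaces a register's
    tree, which is the 'translate IR code to SES representation' step of the slides."""
    env = {'rebp': 'rebp', 'redi': 'redi', 'resi': 'resi'}
    var0 = env['rebp']                                      # var0 = rebp
    env['rebp'] = ('or', env['redi'], env['rebp'])          # rebp = redi | rebp
    var1 = ('and', env['redi'], var0)                       # var1 = redi & var0
    env['resi'] = ('not', var1)                             # resi = ~var1
    var2 = ('and', env['rebp'], env['resi'])                # var2 = rebp & resi
    env['redi'] = ('xor', var0, var2)                       # redi = var0 ^ var2
    return env

if __name__ == '__main__':
    e = eq_design_example()
    print('eax.1 =', simplify(e), ' equivalent:', equivalent(e, simplify(e)))
    for reg, expr in rustock_symbolic().items():
        print(reg, '=', simplify(expr), ' equivalent:', equivalent(expr, simplify(expr)))
```

Running it reduces the Eq design expression to `eax.0` and the Rustock block to `rebp = redi | rebp`, `resi = ~(redi & rebp)`, `redi = redi`, i.e. two live instructions and a no-op.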
Deobfuscation with Eq

After code virtualization

• ASProtect
• CodeVirtualizer/Themida/WinLicense
  – old CISC/RISC
  – new Fish/Tiger
• ExeCryptor
• NoobyProtect/SafeEngine
• Tages
• VMProtect
• Some others…

Were deobfuscated successfully :)

Some numbers

Instructions initially: ~100
Instructions after obfuscation: ~300 000
Instructions after deobfuscation: ~200
Code generation time: ~4 min
Code deobfuscation time: ~2 min
Memory: ~300 Mb
Obfuscation with Eq

We could use optimization not only for deobfuscation. What if we stopped the optimization process at a random step?

• Easy to implement
• Hard to deobfuscate using classical compiler theory optimization algorithms
• Hard to deobfuscate using reverse recursive substitution
• No templates and signatures in the obfuscated code

But this tricky obfuscation is still weak. It's possible to deobfuscate these expressions using the Eq project or another symbolic equation system. And we have to go deeper!

Profit! :)
Perspectives

• Obfuscation becomes stronger
  – Complex mathematical expressions are used more frequently
  – It merges with cryptography
• Obfuscation migrates to the dark side
  – Protectors are dying
  – The malware market is growing
• Obfuscation becomes undetectable
  – Mimicry methods are improved
  – Obfuscators try to avoid the method of recursive substitution
  – Obfuscators use well-known high-level platforms
• LLVM becomes a generic platform for creating obfuscators
Questions?