SlideShare una empresa de Scribd logo

DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee

Felipe Prado
Felipe Prado

DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee

Tecnología
1 de 40
Descargar para leer sin conexión
Next Generation Process Emulation with Binee Kyle Gwinnup @switchp0rt John Holowczak @skipwich Carbon Black TAU
The Problem: getting information from binaries Each sample contains some total set of information. Our goal is to extract as much of it as possible Time/Cost to analyze Samplecoverage Static Dynamic High coverage Immediate discovery Few features Low coverage Long discovery Many features Core Problems 1. Obfuscation hides much of the info 2. Anti-analysis is difficult to keep up with 3. Not all Malware is equal opportunity
Our Goal: Reduce cost of information extraction 1. Reduce the cost of features extracted via dynamic analysis 2. Increase total number of features extracted via static analysis 3. Ideally, do both of these at scale Time/Cost to analyze SampleCoverage Dynamic Static + Emulation High coverage Immediate discovery Many features Low coverage Long discovery Many features
The How: Emulation Extend current emulators by mocking functions, system calls and OS subsystems
Existing PE Emulators ● PyAna https://github.com/PyAna/PyAna ● Dutas https://github.com/dungtv543/Dutas ● Unicorn_pe https://github.com/hzqst/unicorn_pe ● Long list of other types of emulators https://www.unicorn-engine.org/showcase/
Requirements: What are we adding/extending from current work? 1. Mechanism for loading up a PE file with its dependencies 2. Framework for defining function and API hooks 3. Mock OS subsystems such as a. Memory management b. Registry c. File system d. Userland process structures 4. Mock OS environment configuration file a. Config file specifies language, keyboard, registry keys, etc… b. Rapid transition from one Mock OS configuration to another
Binee
Where to start? Parse the PE and DLLs, then map them into emulation memory...
Build hook table by linking DLLs outside emulator Target PE DLL1 DLL2 DLL3 Emulated Process Memory Binee Address to Hook table 1. Open PE and all dependencies 2. Update DLL base addresses 3. Update relocations 4. Build Binee exports lookup table 5. Resolve Import Address Tables for each 6. Map PE and DLLs into memory
Overcoming Microsoft’s ApiSet abstraction layer Parse ApiSetSchema.dll (multiple versions) and load proper real dll. Geoff Chappell https://www.geoffchappell.com/studies/windows/win32/apisetschema/index.htm api-ms-<something>.dll ApiSet Schema Table kernelbase.dll
kernel32:CreateFileA What is the minimum that the malware needs in order to continue proper execution?
Requirements for hooking 1. A mapping of real address to Binee’s Hook for that specific function? 2. The calling convention used? 3. How many parameters are passed to the function? 4. Need to determine the return value if any? type Hook struct { Name string Parameters []string Fn func(*WinEmulator, *Instruction) bool Return uint64 ... }
emu.AddHook("", "Sleep", &Hook{ Parameters: []string{"dwMilliseconds"}, Fn: func(emu *WinEmulator, in *Instruction) bool { emu.Ticks += in.Args[0] return SkipFunctionStdCall(false, 0x0)(emu, in) }, }) Partial Hook, where the function itself is emulated within the DLL emu.AddHook("", "GetCurrentThreadId", &Hook{Parameters: []string{}}) emu.AddHook("", "GetCurrentProcess", &Hook{Parameters: []string{}}) emu.AddHook("", "GetCurrentProcessId", &Hook{Parameters: []string{}}) Two types of hooks in Binee Full Hook, where we define the implementation
Hook Parameters field defines how many parameters will be retrieved from emulator and The name/value pair in output [1] 0x21bc0780: P memset(dest = 0xb7feff1c, char = 0x0, count = 0x58) emu.AddHook("", "memset", &Hook{Parameters: []string{"dest", "char", "count"}}) Output is the following
Example: Entry point execution ./binee -v tests/ConsoleApplication1_x86.exe [1] 0x0040142d: call 0x3f4 [1] 0x00401821: mov ecx, dword ptr [0x403000] [1] 0x0040183b: call 0xffffff97 [1] 0x004017d2: push ebp [1] 0x004017d3: mov ebp, esp [1] 0x004017d5: sub esp, 0x14 [1] 0x004017d8: and dword ptr [ebp - 0xc], 0 [1] 0x004017dc: lea eax, [ebp - 0xc] [1] 0x004017df: and dword ptr [ebp - 8], 0 [1] 0x004017e3: push eax [1] 0x004017e4: call dword ptr [0x402014] [1] 0x219690b0: F GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xb7feffe0) = 0xb7feffe0 [1] 0x004017ea: mov eax, dword ptr [ebp - 8] [1] 0x004017ed: xor eax, dword ptr [ebp - 0xc] [1] 0x004017f0: mov dword ptr [ebp - 4], eax [1] 0x004017f3: call dword ptr [0x402018]
At this point, we have a simple loader that will handle all mappings of imports to their proper DLL. We’re basically done, right?
Still have some functions that require user land memory objects that do not transition to kernel via system calls We need segment registers to point to the correct memory locations (thanks @ceagle) Not inside of main yet…
Userland structures, TIB/PEB/kshareduser We need a TIB and PEB with some reasonable values Generally, these are configurable. Many just need some NOP like value, e.g. NOP function pointer for approximate malware emulation.
All address resolution and mappings are built outside of the emulator type ThreadInformationBlock32 struct { CurentSEH uint32 //0x00 StackBaseHigh uint32 //0x04 StackLimit uint32 //0x08 SubSystemTib uint32 //0x0c FiberData uint32 //0x10 ArbitraryDataSlock uint32 //0x14 LinearAddressOfTEB uint32 //0x18 EnvPtr uint32 //0x1c ProcessId uint32 //0x20 CurrentThreadId uint32 //0x24 … }
PEs are parsed and loaded. Basic structures like the segment registers and TIB/PEB are mapped with minimum functionality. We’re defining the entire environment outside of the emulator...
Almost Everything in Windows needs HANDLEs type Handle struct { Path string Access int32 File *os.File Info os.FileInfo RegKey *RegKey Thread *Thread } type WinEmulator struct { ... Handles map[uint64]*Handle ... } What is the minimum we need for a HANDLE in Binee? 1. An abstraction over subsystem data types 2. Helper methods for reading/writing/etc... to and from subsystems.
HANDLEs get allocated directly from the Heap The Heap plays a central role in Binee The Heap is what enables and ultimately distributes HANDLEs for all other emulation layers, including file IO and the registry. kernel32:* ntdll:* Binee MM Basically, anything not in the stack after execution has started goes into Binee’s Heap Manager.
Now we have a decent core, at least with respect to the user land process. Now it is time to build out the Mock OS subsystems
Starting with the Mock File System What are the requirements for CreateFileA? Returns a valid HANDLE into EAX register
Creating Files in the Mock File Subsystem CreateFile Emulator Full Hook Handler HANDLE Lookup Table Full hook captures HANDLE from parameters to CreateFile If file exists in Mock File System or permissions are for “write”. Create a new Handle object and get unique ID from Heap Manager Write HANDLE back to EAX
Writing Files in the Mock File Subsystem WriteFile Emulator Full Hook Handler HANDLE Lookup Table Temp Real File System (Sandboxed) Full hook captures HANDLE from parameters to WriteFile HANDLE is used as key to lookup actual Handle object outside of emulator All writes are written to sandboxed file system for later analysis. Malware thinks file was written to proper location and continues as if everything is successful
[1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'ERROR_SUCCESS = 0x%xn', p0 = 0x0) = 0x403380 [1] 0x21970b80: F CreateFileA(lpFileName = 'malfile.exe', dwDesiredAccess = 0xc0000000, dwShareMode = 0x0, lpSecurityAttributes = 0x0, dwCreationDisposition = 0x2, dwFlagsAndAttributes = 0x80, hTemplateFile = 0x0) = 0xa00007b6 [1] 0x219c8fbe: F VerSetConditionMask() = 0xa00007b6 [1] 0x20af60a0: P __acrt_iob_func() = 0xa00007b6 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0xa00007b6) = 0x403380 [1] 0x219c8fbe: F VerSetConditionMask() = 0x403380 [1] 0x20af60a0: P __acrt_iob_func() = 0x403380 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0x403380) = 0x403380 [1] 0x219c8fbe: F VerSetConditionMask() = 0x403380 [1] 0x20af60a0: P __acrt_iob_func() = 0x403380 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0x403380) = 0x403380 [1] 0x218f5780: P memset(dest = 0xb7feff1c, char = 0x0, count = 0x58) = 0xb7feff1c [1] 0x21971000: F WriteFile(hFile = 0xa00007b6, lpBuffer = 0xb7feff10, nNumberOfBytesToWrite = 0xb, lpNumberOfBytesWritten = 0xb7feff0c, lpOverlapped = 0x0) = 0xb [1] 0x21969500: F IsProcessorFeaturePresent(ProcessorFeature = 0x17) = 0x1 [1] 0x2196cef0: F SetUnhandledExceptionFilter(lpTopLevelExceptionFilter = 0x0) = 0x4
And in the console > ls temp malfile.exe > cat temp/malfile.exe hello world Now you can see the file contents. Obviously trivial… more to come….
At this point, the user space is largely mocked. We also have the ability to hook functions, dump parameters and modify the call execution. Additionally, we have some mock HANDLEs. Can we emulate more?!
Mock Registry Subsystem RegOpenKeyA Mock Registry EmulatorFull Hook on Registry functions Our hook interacts with the Mock Registry subsystem that lives outside of the emulation Mock Registry has helper functions to automatically convert data to proper types and copy raw bytes back into emulation memory
Configuration files defines OS environment quickly ● Yaml definitions to describe as much of the OS context as possible ○ Usernames, machine name, time, CodePage, OS version, etc… ● All data gets loaded into the emulated userland memory root: "os/win10_32/" code_page_identifier: 0x4e4 registry: HKEY_CURRENT_USERSoftwareAutoIt v3AutoItInclude: "yep" HKEY_LOCAL_MACHINESYSTEMControlSet001ControlArbitersInaccessibleRangePsi: "PhysicalAddress" HKEY_LOCAL_MACHINESYSTEMControlSet001ControlArbitersInaccessibleRangeRoot: "PhysicalAddress" HKEY_LOCAL_MACHINESYSTEMControlSet001ControlArbitersInaccessibleRangePhysicalAddress: "hex(a):48,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,0 0,00,00,01,00,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,ff,ff,ff,ff,ff,f f,ff,ff"
[1] 0x2230c420: F RegOpenKeyExA(hKey = 'HKEY_LOCAL_MACHINE', lpSubKey = 'SYSTEMControlSet001ControlWindows', ulOptions = 0x0, samDesired = 0x20019, phkResult = 0xb7feff40) = 0x0 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'successfully opened key %sn', p0 = 'SYSTEMControlSet001ControlWindows') = 0x403378 [1] 0x2230c3e0: F RegQueryValueExA(key = 0xa000099c, lpValueName = 'ComponentizedBuild', lpReserved = 0x0, lpType = 0xb7feff44, lpData = 0xb7feff4c, lpcbData = 0xb7feff48) = 0x0 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'status code = 0x%xn', p0 = 0x0) = 0x403378 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'ComponentizedBuild = %dn', p0 = 0x1) = 0x403378 [1] 0x2230c3e0: F RegQueryValueExA(key = 0xa000099c, lpValueName = 'CSDBuildNumber', lpReserved = 0x0, lpType = 0xb7feff44, lpData = 0xb7feff4c, lpcbData = 0xb7feff48) = 0x0 [1] 0x20af60a0: P __acrt_iob_func() = 0x0 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'CSDBuildNumber = %dn', p0 = 0x194) = 0x403378 [1] 0x2230c1d0: F RegCloseKey(key = 0xa000099c) = 0x0 [1] 0x22336bd0: F RegCreateKeyA(hKey = 'HKEY_CURRENT_USER', lpSubKey = 'SoftwareBinee', phkResult = 0xb7feff40) = 0x0 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'successfully opened key %sn', p0 = 'SoftwareBinee') = 0x403378 [1] 0x22337640: F RegSetValueA(hKey = '', lpSubKey = 'Testing', dwType = 0x1, lpDate = 0xb7feff80, cbData = 0x0) = 0x57
Configuration files can be used to make subtle modifications to the mock environment which allows you to rapidly test malware in diverse environments Let’s do more...
Mocked Threading Round robin scheduler approximately simulates a multi-thread environment. Time slices are configurable but equal for each “thread” of execution. Thread manager handles all the context switching and saving of registers. Allows us to hand wave (punt for later) most multithreading issues. Thread 1 Thread 2 Thread 3 Thread 4 Thread Manager Threads inside the emulator
[1] 0x20ae3f80: F CreateThread(lpThreadAttributes = 0x0, dwStackSize = 0x0, lpStartAddress = 0x401040, lpParameter = 0xa01007ee, dwCreationFlags = 0x0, lpThreadId = 0x0) = 0x3 [1] 0x20ae06d0: F GetProcessHeap() = 0x123456 [2] 0x20dd0710: F __stdio_common_vfprintf(stream = 0x0, format = 'tid %d, count %dn', p0 = 0x0, p1 = 0x0) = 0x403378 [3] 0x20dc10a0: P __acrt_iob_func() = 0xa01007ee [1] 0x20b3f05a: F HeapAlloc(hHeap = 0x123456, dwFlags = 0x8, dwBytes = 0x4) = 0xa0200826 [1] 0x20ae3f80: F CreateThread(lpThreadAttributes = 0x0, dwStackSize = 0x0, lpStartAddress = 0x401040, lpParameter = 0xa0200826, dwCreationFlags = 0x0, lpThreadId = 0x0) = 0x4 [2] 0x20dc10a0: P __acrt_iob_func() = 0x403378 [3] 0x20dd0710: F __stdio_common_vfprintf(stream = 0x0, format = 'tid %d, count %dn', p0 = 0x1, p1 = 0x0) = 0x403378 [1] 0x20aeaaf0: **WaitForMultipleObjects**() = 0xb7feffa4 [1] 0x2011e5a0: **WaitForMultipleObjects**() = 0xb7feffa4 [2] 0x20dc10a0: P __acrt_iob_func() = 0x403378 [4] 0x20dc10a0: P __acrt_iob_func() = 0xa0200826 [1] 0x2011e5d0: **WaitForMultipleObjectsEx**() = 0xb7feffa4 [3] 0x20dc10a0: P __acrt_iob_func() = 0x403378 [2] 0x20dd0710: F __stdio_common_vfprintf(stream = 0x0, format = 'tid %d, count %dn', p0 = 0x0, p1 = 0x1) = 0x403378
Increasing fidelity with proper DllMain execution Need to setup stack for DllMain call, set up proper values for DLLs loaded by the PE. Call this for every DLL loaded by the PE. But how to do this in the emulator? Start emulation at each DllMain and stop at ??? BOOL WINAPI DllMain( _In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved );
ROP Gadgets — an easy shortcut to loading DLLs A simpler approach is to only start the emulator once when the entire process space is layed out. However, the start point is no longer the PE entry point. Instead, entry point is now the start of our ROP chain that calls each loaded DllMain in order and ending with the PE’s entry point address lpvReserved fdwReason hinstDll ret lpvReserved fdwReason hinstDll ret lpvReserved fdwReason hinstDll ret envp argv argc dll_1 dll_2 dll_3 malware
Demos ● ea6<sha256> shows unpacking and service starting ● ecc<sha256> shows unpacking and wrote malicious dll to disk, loaded dll and executed it
We’ve open-sourced this — What’s next ● Increase fidelity with high quality hooks ● Single step mode, debugger style ● Networking stack and implementation, including hooks ● Add ELF (*nix) and Mach-O (macOS) support ● Anti-Emulation
Thank you and come hack with us https://github.com/carbonblack/binee

Recomendados

source code which create file and write into it
source code which create file and write into itsource code which create file and write into it
source code which create file and write into itmelakusisay507
 
[Java] #7 - Input & Output Stream
[Java] #7 - Input & Output Stream[Java] #7 - Input & Output Stream
[Java] #7 - Input & Output StreamGhadeer AlHasan
 
Magic Clusters and Where to Find Them - Eugene Pirogov
Magic Clusters and Where to Find Them - Eugene PirogovMagic Clusters and Where to Find Them - Eugene Pirogov
Magic Clusters and Where to Find Them - Eugene PirogovElixir Club
 
«iPython & Jupyter: 4 fun & profit», Лев Тонких, Rambler&Co
«iPython & Jupyter: 4 fun & profit», Лев Тонких, Rambler&Co«iPython & Jupyter: 4 fun & profit», Лев Тонких, Rambler&Co
«iPython & Jupyter: 4 fun & profit», Лев Тонких, Rambler&CoMail.ru Group
 
5java Io
5java Io5java Io
5java IoAdil Jafri
 
Automate the boring stuff with python
Automate the boring stuff with pythonAutomate the boring stuff with python
Automate the boring stuff with pythonDEEPAKSINGHBIST1
 
Looking Ahead to Tcl 8.6
Looking Ahead to Tcl 8.6Looking Ahead to Tcl 8.6
Looking Ahead to Tcl 8.6ActiveState
 
Python - An Introduction
Python - An IntroductionPython - An Introduction
Python - An IntroductionEueung Mulyana
 

Recomendados

source code which create file and write into it
source code which create file and write into itsource code which create file and write into it
source code which create file and write into itmelakusisay507
 
[Java] #7 - Input & Output Stream
[Java] #7 - Input & Output Stream[Java] #7 - Input & Output Stream
[Java] #7 - Input & Output StreamGhadeer AlHasan
 
Magic Clusters and Where to Find Them - Eugene Pirogov
Magic Clusters and Where to Find Them - Eugene PirogovMagic Clusters and Where to Find Them - Eugene Pirogov
Magic Clusters and Where to Find Them - Eugene PirogovElixir Club
 
«iPython & Jupyter: 4 fun & profit», Лев Тонких, Rambler&Co
«iPython & Jupyter: 4 fun & profit», Лев Тонких, Rambler&Co«iPython & Jupyter: 4 fun & profit», Лев Тонких, Rambler&Co
«iPython & Jupyter: 4 fun & profit», Лев Тонких, Rambler&CoMail.ru Group
 
5java Io
5java Io5java Io
5java IoAdil Jafri
 
Automate the boring stuff with python
Automate the boring stuff with pythonAutomate the boring stuff with python
Automate the boring stuff with pythonDEEPAKSINGHBIST1
 
Looking Ahead to Tcl 8.6
Looking Ahead to Tcl 8.6Looking Ahead to Tcl 8.6
Looking Ahead to Tcl 8.6ActiveState
 
Python - An Introduction
Python - An IntroductionPython - An Introduction
Python - An IntroductionEueung Mulyana
 
file handling, dynamic memory allocation
file handling, dynamic memory allocationfile handling, dynamic memory allocation
file handling, dynamic memory allocationindra Kishor
 
Filesin c++
Filesin c++Filesin c++
Filesin c++HalaiHansaika
 
SQLite Techniques
SQLite TechniquesSQLite Techniques
SQLite TechniquesBen Scheirman
 
C5 c++ development environment
C5 c++ development environmentC5 c++ development environment
C5 c++ development environmentsnchnchl
 
Java Input Output and File Handling
Java Input Output and File HandlingJava Input Output and File Handling
Java Input Output and File HandlingSunil OS
 
Python and sysadmin I
Python and sysadmin IPython and sysadmin I
Python and sysadmin IGuixing Bai
 
Programming Under Linux In Python
Programming Under Linux In PythonProgramming Under Linux In Python
Programming Under Linux In PythonMarwan Osman
 
Talk - Query monad
Talk - Query monad Talk - Query monad
Talk - Query monad Fabernovel
 
Python for Linux System Administration
Python for Linux System AdministrationPython for Linux System Administration
Python for Linux System Administrationvceder
 
17 files and streams
17 files and streams17 files and streams
17 files and streamsDocent Education
 
file handling c++
file handling c++file handling c++
file handling c++Guddu Spy
 
Learn 90% of Python in 90 Minutes
Learn 90% of Python in 90 MinutesLearn 90% of Python in 90 Minutes
Learn 90% of Python in 90 MinutesMatt Harrison
 
Introduction to advanced python
Introduction to advanced pythonIntroduction to advanced python
Introduction to advanced pythonCharles-Axel Dein
 
Spsl iv unit final
Spsl iv unit finalSpsl iv unit final
Spsl iv unit finalSasidhar Kothuru
 
C programming file handling
C programming file handlingC programming file handling
C programming file handlingargusacademy
 
Pemrograman Python untuk Pemula
Pemrograman Python untuk PemulaPemrograman Python untuk Pemula
Pemrograman Python untuk PemulaOon Arfiandwi
 
working file handling in cpp overview
working file handling in cpp overviewworking file handling in cpp overview
working file handling in cpp overviewgourav kottawar
 
Module 03 File Handling in C
Module 03 File Handling in CModule 03 File Handling in C
Module 03 File Handling in CTushar B Kute
 
File handling in C++
File handling in C++File handling in C++
File handling in C++Hitesh Kumar
 
File Handling In C++
File Handling In C++File Handling In C++
File Handling In C++Kulachi Hansraj Model School Ashok Vihar
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Dmitry Vostokov
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisDmitry Vostokov
 

Más contenido relacionado

La actualidad más candente

file handling, dynamic memory allocation
file handling, dynamic memory allocationfile handling, dynamic memory allocation
file handling, dynamic memory allocationindra Kishor
 
C5 c++ development environment
C5 c++ development environmentC5 c++ development environment
C5 c++ development environmentsnchnchl
 
Java Input Output and File Handling
Java Input Output and File HandlingJava Input Output and File Handling
Java Input Output and File HandlingSunil OS
 
Python and sysadmin I
Python and sysadmin IPython and sysadmin I
Python and sysadmin IGuixing Bai
 
Programming Under Linux In Python
Programming Under Linux In PythonProgramming Under Linux In Python
Programming Under Linux In PythonMarwan Osman
 
Talk - Query monad
Talk - Query monad Talk - Query monad
Talk - Query monad Fabernovel
 
Python for Linux System Administration
Python for Linux System AdministrationPython for Linux System Administration
Python for Linux System Administrationvceder
 
file handling c++
file handling c++file handling c++
file handling c++Guddu Spy
 
Learn 90% of Python in 90 Minutes
Learn 90% of Python in 90 MinutesLearn 90% of Python in 90 Minutes
Learn 90% of Python in 90 MinutesMatt Harrison
 
Introduction to advanced python
Introduction to advanced pythonIntroduction to advanced python
Introduction to advanced pythonCharles-Axel Dein
 
C programming file handling
C programming file handlingC programming file handling
C programming file handlingargusacademy
 
Pemrograman Python untuk Pemula
Pemrograman Python untuk PemulaPemrograman Python untuk Pemula
Pemrograman Python untuk PemulaOon Arfiandwi
 
working file handling in cpp overview
working file handling in cpp overviewworking file handling in cpp overview
working file handling in cpp overviewgourav kottawar
 
Module 03 File Handling in C
Module 03 File Handling in CModule 03 File Handling in C
Module 03 File Handling in CTushar B Kute
 
File handling in C++
File handling in C++File handling in C++
File handling in C++Hitesh Kumar
 

La actualidad más candente (20)

file handling, dynamic memory allocation
file handling, dynamic memory allocationfile handling, dynamic memory allocation
file handling, dynamic memory allocation
 
Filesin c++
Filesin c++Filesin c++
Filesin c++
 
SQLite Techniques
SQLite TechniquesSQLite Techniques
SQLite Techniques
 
C5 c++ development environment
C5 c++ development environmentC5 c++ development environment
C5 c++ development environment
 
Java Input Output and File Handling
Java Input Output and File HandlingJava Input Output and File Handling
Java Input Output and File Handling
 
Python and sysadmin I
Python and sysadmin IPython and sysadmin I
Python and sysadmin I
 
Programming Under Linux In Python
Programming Under Linux In PythonProgramming Under Linux In Python
Programming Under Linux In Python
 
Talk - Query monad
Talk - Query monad Talk - Query monad
Talk - Query monad
 
Python for Linux System Administration
Python for Linux System AdministrationPython for Linux System Administration
Python for Linux System Administration
 
17 files and streams
17 files and streams17 files and streams
17 files and streams
 
file handling c++
file handling c++file handling c++
file handling c++
 
Learn 90% of Python in 90 Minutes
Learn 90% of Python in 90 MinutesLearn 90% of Python in 90 Minutes
Learn 90% of Python in 90 Minutes
 
Introduction to advanced python
Introduction to advanced pythonIntroduction to advanced python
Introduction to advanced python
 
Spsl iv unit final
Spsl iv unit finalSpsl iv unit final
Spsl iv unit final
 
C programming file handling
C programming file handlingC programming file handling
C programming file handling
 
Pemrograman Python untuk Pemula
Pemrograman Python untuk PemulaPemrograman Python untuk Pemula
Pemrograman Python untuk Pemula
 
working file handling in cpp overview
working file handling in cpp overviewworking file handling in cpp overview
working file handling in cpp overview
 
Module 03 File Handling in C
Module 03 File Handling in CModule 03 File Handling in C
Module 03 File Handling in C
 
File handling in C++
File handling in C++File handling in C++
File handling in C++
 
File Handling In C++
File Handling In C++File Handling In C++
File Handling In C++
 

Similar a DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee

Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Dmitry Vostokov
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisDmitry Vostokov
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathDennis Chung
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical fileAnkit Dixit
 
eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureNetronome
 
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisDmitry Vostokov
 
Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008guestd9065
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 
Py winx86emu
Py winx86emuPy winx86emu
Py winx86emuilhyunJu
 
(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_net(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_netNico Ludwig
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya
 
MSMDC_CLI363
MSMDC_CLI363MSMDC_CLI363
MSMDC_CLI363mokacao
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsAsuka Nakajima
 

Similar a DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee (20)

Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump Analysis
 
Built in function
Built in functionBuilt in function
Built in function
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainath
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical file
 
eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging Infrastructure
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory Analysis
 
Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
Py winx86emu
Py winx86emuPy winx86emu
Py winx86emu
 
(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_net(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_net
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Activity 5
Activity 5Activity 5
Activity 5
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
MSMDC_CLI363
MSMDC_CLI363MSMDC_CLI363
MSMDC_CLI363
 
Lab 1 Essay
Lab 1 EssayLab 1 Essay
Lab 1 Essay
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
 

Más de Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

Más de Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Último

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee

  • 1. Next Generation Process Emulation with Binee Kyle Gwinnup @switchp0rt John Holowczak @skipwich Carbon Black TAU
  • 2. The Problem: getting information from binaries Each sample contains some total set of information. Our goal is to extract as much of it as possible Time/Cost to analyze Samplecoverage Static Dynamic High coverage Immediate discovery Few features Low coverage Long discovery Many features Core Problems 1. Obfuscation hides much of the info 2. Anti-analysis is difficult to keep up with 3. Not all Malware is equal opportunity
  • 3. Our Goal: Reduce cost of information extraction 1. Reduce the cost of features extracted via dynamic analysis 2. Increase total number of features extracted via static analysis 3. Ideally, do both of these at scale Time/Cost to analyze SampleCoverage Dynamic Static + Emulation High coverage Immediate discovery Many features Low coverage Long discovery Many features
  • 4. The How: Emulation Extend current emulators by mocking functions, system calls and OS subsystems
  • 5. Existing PE Emulators ● PyAna https://github.com/PyAna/PyAna ● Dutas https://github.com/dungtv543/Dutas ● Unicorn_pe https://github.com/hzqst/unicorn_pe ● Long list of other types of emulators https://www.unicorn-engine.org/showcase/
  • 6. Requirements: What are we adding/extending from current work? 1. Mechanism for loading up a PE file with its dependencies 2. Framework for defining function and API hooks 3. Mock OS subsystems such as a. Memory management b. Registry c. File system d. Userland process structures 4. Mock OS environment configuration file a. Config file specifies language, keyboard, registry keys, etc… b. Rapid transition from one Mock OS configuration to another
  • 8. Where to start? Parse the PE and DLLs, then map them into emulation memory...
  • 9. Build hook table by linking DLLs outside emulator Target PE DLL1 DLL2 DLL3 Emulated Process Memory Binee Address to Hook table 1. Open PE and all dependencies 2. Update DLL base addresses 3. Update relocations 4. Build Binee exports lookup table 5. Resolve Import Address Tables for each 6. Map PE and DLLs into memory
  • 10. Overcoming Microsoft’s ApiSet abstraction layer Parse ApiSetSchema.dll (multiple versions) and load proper real dll. Geoff Chappell https://www.geoffchappell.com/studies/windows/win32/apisetschema/index.htm api-ms-<something>.dll ApiSet Schema Table kernelbase.dll
  • 11. kernel32:CreateFileA What is the minimum that the malware needs in order to continue proper execution?
  • 12. Requirements for hooking 1. A mapping of real address to Binee’s Hook for that specific function? 2. The calling convention used? 3. How many parameters are passed to the function? 4. Need to determine the return value if any? type Hook struct { Name string Parameters []string Fn func(*WinEmulator, *Instruction) bool Return uint64 ... }
  • 13. emu.AddHook("", "Sleep", &Hook{ Parameters: []string{"dwMilliseconds"}, Fn: func(emu *WinEmulator, in *Instruction) bool { emu.Ticks += in.Args[0] return SkipFunctionStdCall(false, 0x0)(emu, in) }, }) Partial Hook, where the function itself is emulated within the DLL emu.AddHook("", "GetCurrentThreadId", &Hook{Parameters: []string{}}) emu.AddHook("", "GetCurrentProcess", &Hook{Parameters: []string{}}) emu.AddHook("", "GetCurrentProcessId", &Hook{Parameters: []string{}}) Two types of hooks in Binee Full Hook, where we define the implementation
  • 14. Hook Parameters field defines how many parameters will be retrieved from emulator and The name/value pair in output [1] 0x21bc0780: P memset(dest = 0xb7feff1c, char = 0x0, count = 0x58) emu.AddHook("", "memset", &Hook{Parameters: []string{"dest", "char", "count"}}) Output is the following
  • 15. Example: Entry point execution ./binee -v tests/ConsoleApplication1_x86.exe [1] 0x0040142d: call 0x3f4 [1] 0x00401821: mov ecx, dword ptr [0x403000] [1] 0x0040183b: call 0xffffff97 [1] 0x004017d2: push ebp [1] 0x004017d3: mov ebp, esp [1] 0x004017d5: sub esp, 0x14 [1] 0x004017d8: and dword ptr [ebp - 0xc], 0 [1] 0x004017dc: lea eax, [ebp - 0xc] [1] 0x004017df: and dword ptr [ebp - 8], 0 [1] 0x004017e3: push eax [1] 0x004017e4: call dword ptr [0x402014] [1] 0x219690b0: F GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xb7feffe0) = 0xb7feffe0 [1] 0x004017ea: mov eax, dword ptr [ebp - 8] [1] 0x004017ed: xor eax, dword ptr [ebp - 0xc] [1] 0x004017f0: mov dword ptr [ebp - 4], eax [1] 0x004017f3: call dword ptr [0x402018]
  • 16. At this point, we have a simple loader that will handle all mappings of imports to their proper DLL. We’re basically done, right?
  • 17. Still have some functions that require user land memory objects that do not transition to kernel via system calls We need segment registers to point to the correct memory locations (thanks @ceagle) Not inside of main yet…
  • 18. Userland structures, TIB/PEB/kshareduser We need a TIB and PEB with some reasonable values Generally, these are configurable. Many just need some NOP like value, e.g. NOP function pointer for approximate malware emulation.
  • 19. All address resolution and mappings are built outside of the emulator type ThreadInformationBlock32 struct { CurentSEH uint32 //0x00 StackBaseHigh uint32 //0x04 StackLimit uint32 //0x08 SubSystemTib uint32 //0x0c FiberData uint32 //0x10 ArbitraryDataSlock uint32 //0x14 LinearAddressOfTEB uint32 //0x18 EnvPtr uint32 //0x1c ProcessId uint32 //0x20 CurrentThreadId uint32 //0x24 … }
  • 20. PEs are parsed and loaded. Basic structures like the segment registers and TIB/PEB are mapped with minimum functionality. We’re defining the entire environment outside of the emulator...
  • 21. Almost Everything in Windows needs HANDLEs type Handle struct { Path string Access int32 File *os.File Info os.FileInfo RegKey *RegKey Thread *Thread } type WinEmulator struct { ... Handles map[uint64]*Handle ... } What is the minimum we need for a HANDLE in Binee? 1. An abstraction over subsystem data types 2. Helper methods for reading/writing/etc... to and from subsystems.
  • 22. HANDLEs get allocated directly from the Heap The Heap plays a central role in Binee The Heap is what enables and ultimately distributes HANDLEs for all other emulation layers, including file IO and the registry. kernel32:* ntdll:* Binee MM Basically, anything not in the stack after execution has started goes into Binee’s Heap Manager.
  • 23. Now we have a decent core, at least with respect to the user land process. Now it is time to build out the Mock OS subsystems
  • 24. Starting with the Mock File System What are the requirements for CreateFileA? Returns a valid HANDLE into EAX register
  • 25. Creating Files in the Mock File Subsystem CreateFile Emulator Full Hook Handler HANDLE Lookup Table Full hook captures HANDLE from parameters to CreateFile If file exists in Mock File System or permissions are for “write”. Create a new Handle object and get unique ID from Heap Manager Write HANDLE back to EAX
  • 26. Writing Files in the Mock File Subsystem WriteFile Emulator Full Hook Handler HANDLE Lookup Table Temp Real File System (Sandboxed) Full hook captures HANDLE from parameters to WriteFile HANDLE is used as key to lookup actual Handle object outside of emulator All writes are written to sandboxed file system for later analysis. Malware thinks file was written to proper location and continues as if everything is successful
  • 27. [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'ERROR_SUCCESS = 0x%xn', p0 = 0x0) = 0x403380 [1] 0x21970b80: F CreateFileA(lpFileName = 'malfile.exe', dwDesiredAccess = 0xc0000000, dwShareMode = 0x0, lpSecurityAttributes = 0x0, dwCreationDisposition = 0x2, dwFlagsAndAttributes = 0x80, hTemplateFile = 0x0) = 0xa00007b6 [1] 0x219c8fbe: F VerSetConditionMask() = 0xa00007b6 [1] 0x20af60a0: P __acrt_iob_func() = 0xa00007b6 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0xa00007b6) = 0x403380 [1] 0x219c8fbe: F VerSetConditionMask() = 0x403380 [1] 0x20af60a0: P __acrt_iob_func() = 0x403380 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0x403380) = 0x403380 [1] 0x219c8fbe: F VerSetConditionMask() = 0x403380 [1] 0x20af60a0: P __acrt_iob_func() = 0x403380 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0x403380) = 0x403380 [1] 0x218f5780: P memset(dest = 0xb7feff1c, char = 0x0, count = 0x58) = 0xb7feff1c [1] 0x21971000: F WriteFile(hFile = 0xa00007b6, lpBuffer = 0xb7feff10, nNumberOfBytesToWrite = 0xb, lpNumberOfBytesWritten = 0xb7feff0c, lpOverlapped = 0x0) = 0xb [1] 0x21969500: F IsProcessorFeaturePresent(ProcessorFeature = 0x17) = 0x1 [1] 0x2196cef0: F SetUnhandledExceptionFilter(lpTopLevelExceptionFilter = 0x0) = 0x4
  • 28. And in the console > ls temp malfile.exe > cat temp/malfile.exe hello world Now you can see the file contents. Obviously trivial… more to come….
  • 29. At this point, the user space is largely mocked. We also have the ability to hook functions, dump parameters and modify the call execution. Additionally, we have some mock HANDLEs. Can we emulate more?!
  • 30. Mock Registry Subsystem RegOpenKeyA Mock Registry EmulatorFull Hook on Registry functions Our hook interacts with the Mock Registry subsystem that lives outside of the emulation Mock Registry has helper functions to automatically convert data to proper types and copy raw bytes back into emulation memory
  • 31. Configuration files defines OS environment quickly ● Yaml definitions to describe as much of the OS context as possible ○ Usernames, machine name, time, CodePage, OS version, etc… ● All data gets loaded into the emulated userland memory root: "os/win10_32/" code_page_identifier: 0x4e4 registry: HKEY_CURRENT_USERSoftwareAutoIt v3AutoItInclude: "yep" HKEY_LOCAL_MACHINESYSTEMControlSet001ControlArbitersInaccessibleRangePsi: "PhysicalAddress" HKEY_LOCAL_MACHINESYSTEMControlSet001ControlArbitersInaccessibleRangeRoot: "PhysicalAddress" HKEY_LOCAL_MACHINESYSTEMControlSet001ControlArbitersInaccessibleRangePhysicalAddress: "hex(a):48,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,0 0,00,00,01,00,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,ff,ff,ff,ff,ff,f f,ff,ff"
  • 32. [1] 0x2230c420: F RegOpenKeyExA(hKey = 'HKEY_LOCAL_MACHINE', lpSubKey = 'SYSTEMControlSet001ControlWindows', ulOptions = 0x0, samDesired = 0x20019, phkResult = 0xb7feff40) = 0x0 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'successfully opened key %sn', p0 = 'SYSTEMControlSet001ControlWindows') = 0x403378 [1] 0x2230c3e0: F RegQueryValueExA(key = 0xa000099c, lpValueName = 'ComponentizedBuild', lpReserved = 0x0, lpType = 0xb7feff44, lpData = 0xb7feff4c, lpcbData = 0xb7feff48) = 0x0 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'status code = 0x%xn', p0 = 0x0) = 0x403378 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'ComponentizedBuild = %dn', p0 = 0x1) = 0x403378 [1] 0x2230c3e0: F RegQueryValueExA(key = 0xa000099c, lpValueName = 'CSDBuildNumber', lpReserved = 0x0, lpType = 0xb7feff44, lpData = 0xb7feff4c, lpcbData = 0xb7feff48) = 0x0 [1] 0x20af60a0: P __acrt_iob_func() = 0x0 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'CSDBuildNumber = %dn', p0 = 0x194) = 0x403378 [1] 0x2230c1d0: F RegCloseKey(key = 0xa000099c) = 0x0 [1] 0x22336bd0: F RegCreateKeyA(hKey = 'HKEY_CURRENT_USER', lpSubKey = 'SoftwareBinee', phkResult = 0xb7feff40) = 0x0 [1] 0x20b05710: F __stdio_common_vfprintf(stream = 0x0, format = 'successfully opened key %sn', p0 = 'SoftwareBinee') = 0x403378 [1] 0x22337640: F RegSetValueA(hKey = '', lpSubKey = 'Testing', dwType = 0x1, lpDate = 0xb7feff80, cbData = 0x0) = 0x57
  • 33. Configuration files can be used to make subtle modifications to the mock environment which allows you to rapidly test malware in diverse environments Let’s do more...
  • 34. Mocked Threading Round robin scheduler approximately simulates a multi-thread environment. Time slices are configurable but equal for each “thread” of execution. Thread manager handles all the context switching and saving of registers. Allows us to hand wave (punt for later) most multithreading issues. Thread 1 Thread 2 Thread 3 Thread 4 Thread Manager Threads inside the emulator
  • 35. [1] 0x20ae3f80: F CreateThread(lpThreadAttributes = 0x0, dwStackSize = 0x0, lpStartAddress = 0x401040, lpParameter = 0xa01007ee, dwCreationFlags = 0x0, lpThreadId = 0x0) = 0x3 [1] 0x20ae06d0: F GetProcessHeap() = 0x123456 [2] 0x20dd0710: F __stdio_common_vfprintf(stream = 0x0, format = 'tid %d, count %dn', p0 = 0x0, p1 = 0x0) = 0x403378 [3] 0x20dc10a0: P __acrt_iob_func() = 0xa01007ee [1] 0x20b3f05a: F HeapAlloc(hHeap = 0x123456, dwFlags = 0x8, dwBytes = 0x4) = 0xa0200826 [1] 0x20ae3f80: F CreateThread(lpThreadAttributes = 0x0, dwStackSize = 0x0, lpStartAddress = 0x401040, lpParameter = 0xa0200826, dwCreationFlags = 0x0, lpThreadId = 0x0) = 0x4 [2] 0x20dc10a0: P __acrt_iob_func() = 0x403378 [3] 0x20dd0710: F __stdio_common_vfprintf(stream = 0x0, format = 'tid %d, count %dn', p0 = 0x1, p1 = 0x0) = 0x403378 [1] 0x20aeaaf0: **WaitForMultipleObjects**() = 0xb7feffa4 [1] 0x2011e5a0: **WaitForMultipleObjects**() = 0xb7feffa4 [2] 0x20dc10a0: P __acrt_iob_func() = 0x403378 [4] 0x20dc10a0: P __acrt_iob_func() = 0xa0200826 [1] 0x2011e5d0: **WaitForMultipleObjectsEx**() = 0xb7feffa4 [3] 0x20dc10a0: P __acrt_iob_func() = 0x403378 [2] 0x20dd0710: F __stdio_common_vfprintf(stream = 0x0, format = 'tid %d, count %dn', p0 = 0x0, p1 = 0x1) = 0x403378
  • 36. Increasing fidelity with proper DllMain execution Need to setup stack for DllMain call, set up proper values for DLLs loaded by the PE. Call this for every DLL loaded by the PE. But how to do this in the emulator? Start emulation at each DllMain and stop at ??? BOOL WINAPI DllMain( _In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved );
  • 37. ROP Gadgets — an easy shortcut to loading DLLs A simpler approach is to only start the emulator once when the entire process space is layed out. However, the start point is no longer the PE entry point. Instead, entry point is now the start of our ROP chain that calls each loaded DllMain in order and ending with the PE’s entry point address lpvReserved fdwReason hinstDll ret lpvReserved fdwReason hinstDll ret lpvReserved fdwReason hinstDll ret envp argv argc dll_1 dll_2 dll_3 malware
  • 38. Demos ● ea6<sha256> shows unpacking and service starting ● ecc<sha256> shows unpacking and wrote malicious dll to disk, loaded dll and executed it
  • 39. We’ve open-sourced this — What’s next ● Increase fidelity with high quality hooks ● Single step mode, debugger style ● Networking stack and implementation, including hooks ● Add ELF (*nix) and Mach-O (macOS) support ● Anti-Emulation
  • 40. Thank you and come hack with us https://github.com/carbonblack/binee