Patching Windows Executables with the Backdoor Factory is a presentation about binary patching techniques. It discusses the history of patching, how key generators and Metasploit patch binaries, and how the author learned to manually patch binaries. The presentation then introduces the Backdoor Factory tool, which can automatically patch Windows binaries by injecting shellcode into code caves. It demonstrates patching via code cave insertion, single cave jumps, and cave jumping. Mitigations like self-validation and antivirus are discussed.
Analog modulation involves representing analog information as an analog signal. It is needed when the transmission medium is bandpass in nature or only a bandpass channel is available. There are three main types of analog modulation: amplitude modulation (AM), which changes the amplitude of the carrier signal; frequency modulation (FM), which changes the frequency; and phase modulation (PM), which changes the phase. AM encodes the modulating signal as variations in the envelope of the carrier signal. This results in a spectrum with the carrier frequency flanked by upper and lower sidebands. The bandwidth required is twice that of the modulating signal.
A brief introduction to Differential Pulse Code Modulation.
It covers the basics of Pulse Code Modulation and why we are all switching to Differential Pulse Code Modulation.
Everything about Differential Pulse Code Modulation is presented in a clear, understandable way.
Phase-shift keying (PSK) is a digital modulation technique that conveys data by changing the phase of a carrier wave. There are several types of PSK including binary PSK (BPSK) and quadrature PSK (QPSK). BPSK uses two phases separated by 180 degrees to transmit 1 bit per symbol, while QPSK uses four phases separated by 90 degrees to transmit 2 bits per symbol for higher data rates. PSK has advantages like more efficient data transmission compared to frequency-shift keying. However, it is non-coherent and more prone to incorrect demodulations. PSK finds applications in optical communications, local oscillators, and delay-and-add demodulation.
Design and Realization of 2.4GHz Branch-line Coupler - Quang Binh Pham
This project report describes the design and measurement of a 2.4GHz branch-line coupler. Binh Pham Quang designed the coupler using ADS software, simulating both the schematic and electromagnetic models. Key steps included calculating transmission line impedances from design specifications, synthesizing physical dimensions, and tuning for optimal performance. The coupler was then fabricated on an RO4350B substrate and measured using a vector network analyzer. Results showed good agreement with simulations, achieving high reflection coefficient, coupling, and directivity near the target frequency.
WDM (wavelength-division multiplexing) allows multiple optical signals at different wavelengths to be transmitted simultaneously over the same optical fiber. Key components of WDM systems include multiplexers that combine signals and demultiplexers that separate them. Passive components like fiber couplers split and combine light streams without converting to electrical signals. 2x2 fiber couplers fuse two fibers together, allowing a portion of light from one fiber to couple to the other based on length and properties of the fused region. Waveguide couplers also combine light between neighboring waveguides based on their properties and length.
1) The document discusses various topics related to digital communication including sampling theory, analog to digital conversion, pulse code modulation, quantization, coding, and time division multiplexing.
2) In analog to digital conversion, an analog signal is sampled, quantized by assigning it to discrete amplitude levels, and coded by mapping each level to a binary sequence.
3) The Nyquist sampling theorem states that a signal must be sampled at a rate at least twice its highest frequency to avoid aliasing when reconstructing the original signal.
Digital: Operating by the use of discrete signals to represent data in the form of numbers.
Signal: A parameter (Electrical quantity or effect) that can be varied in such a way as to convey information.
Processing: A series of operations performed according to programmed instructions.
CST STUDIO SUITE 2011 is a software that provides electromagnetic and circuit simulation tools. It includes solvers for microwave, static electric and magnetic, particle, cable, printed circuit board, thermal, and mechanical analysis. The suite has a common interface that facilitates multi-physics simulations and co-simulation of electromagnetic and circuit models.
This document discusses solving RLC series parallel circuits using Simulink. It introduces Kirchhoff's voltage law and differentiating the voltage equations to express the RLC response in general form. It provides a Simulink model for a series RLC circuit and instructs the reader to change component values and make a parallel RLC model. It also introduces the SimPowerSystems library for modeling electrical systems in Simulink and lists some commonly used blocks with an example circuit.
This document discusses various digital modulation techniques. It begins by defining modulation as adding information to a carrier signal. It then distinguishes between analog and digital modulation. Digital modulation modulates an analog carrier signal with a discrete signal, and can be considered as converting digital-to-analog and vice versa. Some key digital modulation techniques discussed include amplitude shift keying (ASK), frequency shift keying (FSK), phase shift keying (PSK), quadrature amplitude modulation (QAM), and differential phase shift keying (DPSK). Metrics for comparing digital modulation techniques include power efficiency, bandwidth efficiency, and implementation cost-effectiveness.
1. The document provides instructions for laboratory experiments involving operational amplifiers. It includes procedures for measuring op-amp parameters, designing basic circuits like inverting and non-inverting amplifiers, and setting up more advanced circuits like integrators, differentiators, and instrumentation amplifiers.
2. Key circuits and components are explained theoretically before providing diagrams and step-by-step procedures to build and test each circuit. Characteristics like gain, frequency response, and output waveforms are analyzed.
3. The goal is to design and set up basic and advanced op-amp circuits, make voltage and waveform measurements, and analyze frequency responses to understand circuit behavior.
1. The document discusses different types of waveguides including parallel plate, rectangular, and circular waveguides. It provides information on their modes of propagation, field components, cutoff frequencies, and other related parameters.
2. Formulas are presented for calculating propagation constants, cutoff frequencies, wavelengths, velocities, and impedances for TE and TM waves in various waveguide structures.
3. Examples are worked out demonstrating the application of the formulas to determine parameters for given waveguide geometries and operating frequencies.
PCM is an important method of analog-to-digital conversion where an analog signal is converted into an electrical waveform of two or more levels. The essential operations in a PCM transmitter are sampling, quantizing, and coding the analog signal. In the receiver, the operations are regeneration, decoding, and demodulation of the quantized samples. Regenerative repeaters are used to reconstruct the transmitted sequence of coded pulses and perform equalization, timing, and decision making functions. While PCM systems allow for regeneration and multiplexing, they are more complex than analog methods and increase channel bandwidth requirements.
This document provides an introduction to root locus analysis. It defines a root locus as a graphical representation of how closed-loop poles move in the s-plane as a system parameter, such as gain, is varied. The objectives are to learn how to sketch a root locus using five rules, including starting and ending points, symmetry, real axis behavior, and asymptotes. An example problem sketches the root locus for a system and calculates the gain value where the locus intersects a radial line representing a specific percent overshoot value. Calculating this intersection point accurately calibrates the root locus sketch.
This document provides an overview and table of contents for a textbook on control systems by Dr. N.C. Jagan. The textbook covers various topics related to modeling, analysis, and design of control systems, including mathematical modeling of physical systems, time response analysis, stability analysis using Routh-Hurwitz and root locus methods, frequency response analysis using Bode and Nyquist plots, and closed loop control design. It contains 7 chapters and provides problems at the end of each chapter. The textbook is copyrighted and published by BSP BS Publications in Hyderabad, India.
FellowBuddy.com is an innovative platform that brings students together to share notes, exam papers, study guides, project reports and presentations for upcoming exams.
We connect Students who have an understanding of course material with Students who need help.
Benefits:
# Students can catch up on notes they missed because of an absence.
# Underachievers can find peer developed notes that break down lecture and study material in a way that they can understand
# Students can earn better grades, save time and study effectively
Our Vision & Mission – Simplifying Students' Lives
Our Belief – “The great breakthrough in your life comes when you realize it, that you can learn anything you need to learn; to accomplish any goal that you have set for yourself. This means there are no limits on what you can be, have or do.”
Here are the key steps for how SPI works:
1. The master device initiates the data transfer by selecting a slave device using the chip select (CS) line. This brings the slave device online.
2. The master outputs the clock signal (SCLK) which is used by both the master and slave devices to synchronize the data transfer.
3. The master sends data on the MOSI (master out, slave in) line which the slave receives on its SDI pin in sync with the clock.
4. In parallel, the slave sends data on the MISO (master in, slave out) line which the master receives on its SDO pin, also in sync with the clock.
The document discusses waveguides, which are hollow metallic tubes that transmit electromagnetic waves through successive reflections off the inner walls. There are two main types of waveguides: rectangular and circular. Rectangular waveguides support TE and TM modes of propagation, with the dominant TE10 mode determining the cutoff frequency below which waves do not propagate. Circular waveguides have advantages like greater power handling capacity but are larger in size. Common applications of waveguides include radar systems and long-distance high-frequency signal transmission.
Linear Integrated Circuits (LIC), based on the Anna University BE syllabus, from the basics up to graduate level, with reference to two textbooks.
Visit insmartworld.blogspot.in if you are a geek and interested in new technologies.
This document summarizes a talk given by Joshua Pitts about techniques for evading detection of malware. It discusses two main topics:
1. Recomposer, a Python tool that can modify PE files to change signatures and evade detection. It randomly changes file/section names, inserts NOPs into code caves. This created 11,200 variants from one binary with no collisions.
2. Uploading malware to online sandboxes like VirusTotal to test detection. However, the talk shows the sandboxes are not truly anonymous - a web server was able to detect uploads and saw responses from known security vendors' IP addresses. This demonstrates risks of attribution when using online sandboxes.
The document discusses different types of shellcodes and their uses. It provides examples of x86 and x86_64 shellcode code to execute a Linux system call. It also lists resources for further information on shellcode design and exploitation techniques.
The document discusses bypassing address space layout randomization (ASLR) on Linux. It begins with a refresher on buffer overflows and modern protections like ASLR and DEP. It then explores finding fixed addresses in the .text section that are not subject to ASLR to redirect execution, such as calls and jumps to registers. The document shows searching binaries for these instruction sequences and checking register values to leverage them for exploiting a vulnerable program while ASLR is enabled.
The document discusses efficient techniques for detecting shellcode inline. It describes the structure of shellcode and challenges in detecting it. It introduces libscizzle, which uses efficient emulation to identify possible shellcode execution sequences and verifies candidates using sandboxed hardware execution. Libscizzle scans data at gigabit speeds with no false positives and no known false negatives, representing about a 1000x speed improvement over previous tools like libemu.
The document provides a basic guide to reverse engineering Linux x86 shellcode. It summarizes reversing two sample shellcodes: 1) A simple program that reads the /etc/passwd file by executing the cat command. By examining registers, it is determined the shellcode executes execve to read the file. 2) An XOR encrypted shellcode that decrypts itself before launching a ksh shell with root privileges using the setreuid system call. Breakpoints are used to stop and disassemble the shellcode at key points to understand its functionality.
This document discusses bypassing address space layout randomization (ASLR) protections to execute shellcode on the stack. It begins with an overview of stack-based buffer overflows and modern protections like non-executable stacks. It then describes using return-oriented programming (ROP) techniques like ret2libc to hijack control flow and call library functions like system() to spawn a shell. Specifically, it outlines overwriting a return address to call mprotect() to make the stack executable, then jumping to shellcode on the stack. The document provides example exploit code and steps to find needed addresses in memory.
Shellcode and heapspray detection in phoneyc - Z Chen
The document discusses using the libemu library to detect shellcode and heapspray in the Python honeyclient phoneyc. Libemu allows for shellcode detection using x86 instruction emulation and GetPC heuristics. The document outlines integrating libemu into phoneyc to defend browsers against drive-by downloads and heap-spraying code injection attacks in web-based malware.
This document discusses running shellcode from Java by overwriting the pointer to a Java method with a pointer to shellcode. It explains that Java is cross-platform, has an extensive library, and is widely deployed. It then provides an example of NOP shellcode in C to call the shellcode. It links to resources on injecting shellcode from Java without JNI. The document shows a Java method with volatile variables that is overwritten by the shellcode and demonstrates calling the shellcode from Java.
Exploit Research and Development Megaprimer: Unicode Based Exploit Development - Ajin Abraham
Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF - Michele Orru
This document discusses using the Browser Exploitation Framework (BeEF) and inter-protocol exploitation techniques to gain control of victim browsers. It begins with an overview of traditional browser attack vectors and their limitations. It then introduces BeEF and how it can be used to hook victim browsers through XSS and control them remotely with JavaScript. The document proposes revitalizing inter-protocol exploitation techniques to bypass cross-domain restrictions and allow executing commands on the victim's machine. It presents the design of a new BeEF Bind shellcode that sets up a web server to accept commands and control a process like cmd.exe on the victim internally without needing an outbound connection.
This document provides an overview of shellcode mastering techniques. It discusses the basics of shellcode including features, types, and development tasks. It covers basic shellcode techniques like call/ret algorithms and delta offset approaches. Optimization techniques are analyzed like instruction format optimizations, register value reusing, and avoiding the stack. An example analysis is given of the evolution of smaller shellcodes over time in a shellcode size competition. Hands-on labs are described to practice skills like addressing variables, using strings, and finding Windows API entry points. Required tools are listed for the labs including debuggers and assemblers.
Hacking school computers for fun, profit and better grades (short) - Vincent Ohprecio
The document discusses various topics related to hacking including motivations, methodologies, and tools. It describes how hackers conduct reconnaissance on targets, develop exploits, execute exploits, and maintain access. Specific hacking methods like fuzzing, malware kits, and shellcode are explained. Potential targets mentioned include students, faculty computers, wireless networks, and websites. The document also provides biographical information about the author and recommends books and resources for hacking.
The document discusses analyzing malicious PDF files. It describes decompressing PDFs using PDFTK to extract JavaScript. JavaScript is analyzed using a JavaScript emulator like SpiderMonkey to deobfuscate code. Any shellcode is reformed from Unicode and analyzed using Sctest for its behavior. The document provides examples of analyzing sample PDFs, extracting JavaScript, decompressing streams, and inspecting shellcode payloads. Analysis steps and tools used are explained to help understand how malicious PDF files work and discover embedded exploits.
Exploit Research and Development Megaprimer: Win32 Egghunter - Ajin Abraham
Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
One Shellcode to Rule Them All: Cross-Platform Exploitation - Quinn Wilton
As the internet of things becomes less a buzzword and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures, whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going to transition from being a merely neat trick to a viable tool for attackers.
Writing cross-platform shellcode is tough, but there are a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year.
Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul.
https://www.tinfoilsecurity.com/blog/cross-platform-exploitation
This is a presentation I put together and presented for my colleagues at IBM back in 2006. I started on the section featuring heap exploits and never finished it. I want to finish it someday.
Ice Age melting down: Intel features considered useful! - Peter Hlavaty
Kernel exploitation has decades of history, yet the most used techniques are still ones such as ROP. Software-based approaches have finally come to challenge this technique, one more successfully than the others. Those approaches usually try to solve far more than the ROP problem alone, and need to handle not only security but, almost more importantly, performance issues. Another common attack vector for redirecting control flow is the stack, which comes from the design of today's architectures, and once again some software approaches have lately been tackling this as well. Although these software-based methods are nice pieces of work and effective to a large extent, a new game-changing approach seems to be coming to light: a methodology closing this attack vector that comes right from the hardware, from Intel. We will compare this approach to its software alternatives, how one interleaves with another and how they can benefit from each other to challenge the attacker by breaking his most fundamental technologies. At the same time, however, we go further, to challenge those approaches and show that even with those technologies in place the attacker is not yet in the corner.
The document discusses retooling offensive techniques in .NET for red teams. It proposes building modular code blocks and dynamic payloads that can be retooled on live systems to avoid detection. This involves leveraging existing system facilities and compiling code dynamically and in-memory using techniques like CodeDOM. The goals are to recon under the radar for longer, deliver payloads without being detected, and quickly retool for unknown systems. It explores options for live retooling like PowerShell, WMI, managed code, and COM/unmanaged code. The document also discusses building a managed execution toolkit called Typhoon CSaw that uses these techniques to achieve dynamic compilation, a REPL environment, removal of artifacts, and improved inter
The document appears to be a block of random letters with no discernible meaning or purpose. It consists of a series of letters without any punctuation, formatting, or other signs of structure that would indicate it is meant to convey any information. The document does not provide any essential information that could be summarized.
The document summarizes post-exploitation techniques on OSX and iPhone. It describes a technique called "userland-exec" that allows executing applications on OSX without using the kernel. This technique was adapted to work on jailbroken iPhones by injecting a non-signed library and hijacking the dynamic linker (dlopen) to map and link the library. With some additional patches, the authors were able to load an arbitrary non-signed library into the address space of a process on factory iPhones, representing the first reliable way to execute payloads on these devices despite code signing protections.
Common technique in Bypassing Stuff in Python - Shahriman
This document discusses bypassing antivirus detection in Python by using its ability to call functions in DLLs and shared libraries via ctypes. It provides examples of using ctypes to call Windows API functions like MessageBoxA, WinExec to launch calc.exe, and chaining VirtualAlloc, WriteProcessMemory, CreateThread and WaitForSingleObject to execute shellcode in-memory and bypass antivirus. The document suggests this technique can be used for post-exploitation and antivirus bypass. It also mentions freezing the Python code into an executable and provides references on Windows shellcoding.
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for... - Alexandre Moneger
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even for those that are protocol aware, fuzzer writers typically model the protocol specification and implement packet-awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions until it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
When Node.js Goes Wrong: Debugging Node in Production
The event-oriented approach underlying Node.js enables significant concurrency using a deceptively simple programming model, which has been an important factor in Node's growing popularity for building large scale web services. But what happens when these programs go sideways? Even in the best cases, when such issues are fatal, developers have historically been left with just a stack trace. Subtler issues, including latency spikes (which are just as bad as correctness bugs in the real-time domain where Node is especially popular) and other buggy behavior often leave even fewer clues to aid understanding. In this talk, we will discuss the issues we encountered in debugging Node.js in production, focusing upon the seemingly intractable challenge of extracting runtime state from the black hole that is a modern JIT'd VM.
We will describe the tools we've developed for examining this state, which operate on running programs (via DTrace), as well as VM core dumps (via a postmortem debugger). Finally, we will describe several nasty bugs we encountered in our own production environment: we were unable to understand these using existing tools, but we successfully root-caused them using these newfound abilities to introspect the JavaScript VM.
One-Byte Modification for Breaking Memory Forensic Analysis - Takahiro Haruyama
The document proposes a one-byte modification method to potentially abort memory forensic analysis tools without impacting the running system or hiding specific objects. It identifies three sensitive operations in memory analysis: 1) virtual address translation in kernel space, 2) guessing the OS version and architecture, and 3) getting kernel objects like processes. For each operation, it outlines how top tools like Volatility and Memoryze perform the operation and identifies specific "abort factors", or one-byte values that could be modified to abort the analysis without direct detection. Modifying these factors could stop analysis tools from functioning properly without blue screening the system or hiding specific objects.
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific... - EC-Council
Over the past year, Tripwire Security Researchers Tyler Reguly and Andrew Swoboda have invested numerous hours into understanding the Microsoft Remote Desktop Protocol, specifically the pre-authentication portions of RDP. The Microsoft Open Protocol Specifications were heavily utilized for this project and, while both researchers had used the specifications before, neither had fully realized their usefulness to security researchers. This session will be a discussion of the Microsoft Open Protocol Specifications with RDP as the example. The culmination of the session will be the release of a new RDP Fuzzer and a discussion around the vulnerabilities it has already discovered.
Attendees can expect to walk away with a strong understanding of the Microsoft Open Protocol Specifications and how they can leverage them to build protocol implementations and fuzzers, as well as investigate inherent flaws and discover new vulnerabilities. Attendees will have a better understanding of the pre-authentication RDP connection sequence and exactly what data is exchanged and what an attacker can deduce from this communication. Finally, attendees will gain insight into new RDP vulnerabilities.
Security research over Windows #defcon china - Peter Hlavaty
Over the past several years Microsoft Windows has undergone a lot of fundamental security changes. While one can argue it is still imperfect and bound to tons of legacy issues, on the other hand those changes have made important shifts in the attacker's perspective: from tightened sandboxing, restricting the attack surface, introducing mitigations and applying virtualization, up to a stronger focus even on win32k. In our talk we will go through those changes, how they affect us and how we tackle them, from choosing targets and finding bugs up to the exploitation primitives we are using, while also emphasizing that Windows research is not only about the sandbox, and there are many more interesting targets to look for.
Reverse Engineering the TomTom Runner pt. 1 - Luis Grangeia
A hacker likes computers for the same reason that a child likes Legos: both allow the creation of something new. However, the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TVs and, more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg - Sam Bowne
This document discusses using WinDbg for kernel debugging and analyzing rootkits. It explains that WinDbg can debug in both user-mode and kernel-mode, unlike OllyDbg which is only for user-mode. Device drivers run code in the Windows kernel and are difficult to analyze. The DriverEntry routine is called when a driver is loaded and it registers callback functions. Malware often imports functions from Ntoskrnl.exe and Hal.dll to manipulate the kernel. WinDbg commands like bp, lm, and dt are demonstrated for setting breakpoints, listing modules, and viewing structures. Symbol files from Microsoft provide function and structure names to make debugging easier.
You didn't see it coming? "Dawn of hardened Windows Kernel" - Peter Hlavaty
Over the past few years our team has been focusing on different operating systems, including the Microsoft Windows kernel. Honestly, our first pwn of the Windows kernel was not that challenging: a number of available targets with a friendly environment for a straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose the ideal attack surface from the various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose from: e.g. choose an "unknown" one which hasn't been researched before; select a well-fuzzed or well-audited one; or research kernel module internals to find "hidden" attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, along with the cost of the tricks used to choose seemingly banned targets, illustrated by notable examples.
After getting hands on a potential bug available from the targeted sandbox, it is time for Microsoft Windows' hardening efforts to put the attacker into a corner. Strong mitigations are being introduced more frequently than ever, with a promising direction which cuts lots of attack surface off, and several exploitation techniques are being killed. We will show the difficulties of developing universal exploitation techniques, and demonstrate the technical level needed depending on the code quality of the target. We will examine how different it becomes in the era of Redstone and the following versions, even with those techniques and a good vulnerability in hand: how it changed the attacker landscape and how it will (and will not) kill those techniques and applications. However, will it really change the game or not?
Vulnerability Inheritance in ICS (English)Digital Bond
This document discusses vulnerability inheritance in programmable logic controllers (PLCs) from third-party libraries and software. It provides a specific example of vulnerabilities found in the CoDeSys runtime and engineering software used by hundreds of industrial control system vendors. The document outlines how two major Japanese PLC vendors were found to be affected by these vulnerabilities due to their use of CoDeSys, and concludes that vendors need to implement secure development practices like security testing to prevent inheriting vulnerabilities from third-party components.
VB2013 - Security Research and Development FrameworkAmr Thabet
That's my presentation in VB2013 in Berlin, Germany ... talking about a new development framework for security
it's created for writing security tools, malware analysis tools and network tools
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
This document discusses techniques for exploiting DLL hijacking vulnerabilities remotely through user interaction. It argues that DLL hijacking is still a viable attack vector despite protections like DEP and ASLR. It proposes manipulating the current directory to execute exploits and hiding DLLs in archives, email attachments, and browser redressing to trigger exploits without appearing suspicious. While not suitable for mass attacks, it concludes DLL hijacking enables rapid targeted attacks by abusing existing vulnerabilities.
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
This document provides an introduction to exploiting vulnerabilities in Windows kernel drivers for privilege escalation. It discusses the differences between user mode and kernel mode, how drivers communicate with user programs through I/O requests, techniques for analyzing and fuzzing drivers, potential privilege escalation methods like overwriting function pointers and token stealing, and how to set up a kernel debugging environment. The overall goal is to find bugs in kernel drivers that could allow gaining kernel-level code execution and full system access.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
Similar to Patching Windows Executables with the Backdoor Factory | DerbyCon 2013 (20)
How CXAI Toolkit uses RAG for Intelligent Q&AZilliz
Manasi will be talking about RAG and how CXAI Toolkit uses RAG for Intelligent Q&A. She will go over what sets CXAI Toolkit's Intelligent Q&A apart from other Q&A systems, and how our trusted AI layer keeps customer data safe. She will also share some current challenges being faced by the team.
Flame emission spectroscopy is an instrument used to determine concentration of metal ions in sample. Flame provide energy for excitation atoms introduced into flame. It involve components like sample delivery system, burner, sample, mirror, slits, monochromator, filter, detector (photomultiplier tube and photo tube detector). There are many interference involved during analysis of sample like spectral interference, ionisation interference, chemical interference ect. It can be used for both quantitative and qualitative study, determine lead in petrol, determine alkali and alkaline earth metal, determine fertilizer requirement for soil.
Multimodal Embeddings (continued) - South Bay Meetup SlidesZilliz
Frank Liu will walk through the history of embeddings and how we got to the cool embedding models used today. He'll end with a demo on how multimodal RAG is used.
Understanding the NFT marketplace ecosystem involves exploring platforms for creating, buying, selling, and trading digital assets. These platforms use blockchain technology for security and smart contracts for automated transactions. Key components include digital wallets, NFT standards, and marketplaces like OpenSea and Rarible. This ecosystem is shaped by the roles of creators, collectors, and developers, offering insights into the dynamics and trends of the digital asset economy.
IT market in Israel, economic background, forecasts of 160 categories and the infrastructure and software products in those categories, professional services also. 710 vendors are ranked in 160 categories.
The Challenge of Interpretability in Generative AI Models.pdfSara Kroft
Navigating the intricacies of generative AI models reveals a pressing challenge: interpretability. Our blog delves into the complexities of understanding how these advanced models make decisions, shedding light on the mechanisms behind their outputs. Explore the latest research, practical implications, and ethical considerations, as we unravel the opaque processes that drive generative AI. Join us in this insightful journey to demystify the black box of artificial intelligence.
Dive into the complexities of generative AI with our blog on interpretability. Find out why making AI models understandable is key to trust and ethical use and discover current efforts to tackle this big challenge.
Ensuring Secure and Permission-Aware RAG DeploymentsZilliz
In this talk, we will explore the critical aspects of securing Retrieval-Augmented Generation (RAG) deployments. The focus will be on implementing robust secured data retrieval mechanisms and establishing permission-aware RAG frameworks. Attendees will learn how to ensure that access control is rigorously maintained within the model when ingesting documents, ensuring that only authorized personnel can retrieve data. We will also discuss strategies to mitigate risks of data leakage, unauthorized access, and insider threats in RAG deployments. By the end of this session, participants will have a clearer understanding of the best practices and tools necessary to secure their RAG deployments effectively.
Generative AI technology is a fascinating field that focuses on creating comp...Nohoax Kanont
Generative AI technology is a fascinating field that focuses on creating computer models capable of generating new, original content. It leverages the power of large language models, neural networks, and machine learning to produce content that can mimic human creativity. This technology has seen a surge in innovation and adoption since the introduction of ChatGPT in 2022, leading to significant productivity benefits across various industries. With its ability to generate text, images, video, and audio, generative AI is transforming how we interact with technology and the types of tasks that can be automated.
Planetek Italia is an Italian Benefit Company established in 1994, which employs 120+ women and men, passionate and skilled in Geoinformatics, Space solutions, and Earth science.
We provide solutions to exploit the value of geospatial data through all phases of data life cycle. We operate in many application areas ranging from environmental and land monitoring to open-government and smart cities, and including defence and security, as well as Space exploration and EO satellite missions.
Project Delivery Methodology on a page with activities, deliverablesCLIVE MINCHIN
I've not found a 1 pager like this anywhere so I created it based on my experiences. This 1 pager details a waterfall style project methodology with defined phases, activities, deliverables, assumptions. There's nothing in here that conflicts with commonsense.
2. Other Potential Titles
• I’M DOWN WITH APT (yeah you know me)
• Lassie, did Timmy fall in a Code Cave again??
• Why I Cyber and How You Can Cyber too
• When ET met EMET (A Love Story)
• Hugging Your Way to the Top, One Hug at a Time
• How I Owned Your Mother
3. About Me
• US Marine, Pre-911: SIGINT
• Past: IT and Physical Security Auditor, Operational Security Lead, Malware and Forensic Analyst
• Current: Reverse Engineer, Pentester
• Python, C/C++, ASM (INTEL)
• I have certs.. Serious inquiries only :P
• Currently work at Leviathan Security Group
5. Overview
• History of Patching
• How I learned to patch binaries
• The Backdoor Factory
– Features
– Capabilities
• Demos (Live and Video)
• Mitigations
• Going forward
6. What is Patching
Definition (Wikipedia):
A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.
7. For This Presentation
My Definition:
Adding or taking away content or functionality to a compiled binary.
8. Security Pros and Patching
• Red Teaming
– persistence in plain sight
• Pentesting/Social Engineering
– Salt all the parking lots!
• Research
– Just because :D
• Malware/Code analysis
– Break the anti-analysis code
10. The MS Method
• MSP – Windows install patch file.
• Contains at least two data transforms
– One updates the install database
– One has info that the installer uses for ‘patching files’
• The installer will then use this info to apply the patch from the cabinet file
• Yada Yada Yada…
11. What does this mean?
MS definition of patching is replacing old registry entries, dlls, and exes with new items
Not the patching that we’re talking about today
12. How Key Gens/Crackers do it
• Find code branch(es) that validate(s) the software’s protection mechanism(s)
• Make it return to a value that meets a valid condition for approved/continued operation
• Sometimes it’s a function that returns a True/False (0/1) value after the check.
13. How Metasploit Patches
• msfvenom -p windows/shell_reverse_tcp -x psexec.exe … The overwrite program entry method
• msfvenom -p windows/shell_reverse_tcp -x psexec.exe -k … The allocate and create thread and return to original program entry method (Keep)
18. MSF Create Thread Method (Keep)
Immunity is telling the truth, memory sections:
Original memory sections:
19. Msfvenom x32 Keep Method Explained
• Two separate functions or stubs
• Part Two: The shellcode payloads that we all know
• Part One: Is not new, not so well known, but is awesome
• Looks like an un-named section of code that has RWE attributes (very suspicious)
• Very important for stager payloads
21. Pros And Cons of the Msfvenom Keep Method
• PRO: Attacker receives shell and the binary works ‘normally’ for the user
– That’s a WIN-WIN
• CON: Should be easy for AV to catch
• CON: Size of binary has increased
22. MSFVenom Win64 Patching Support
Only supports x32
– Submitted a bug post on security street
– A feature request was submitted (#8383):
24. The Portable Executable Format
[Diagram: PE file layout, top to bottom: MS-DOS 2.0 header and unused space; OEM ID/INFO; offset to PE header; MS-DOS 2.0 stub and reloc table, and unused space; PE header; section headers; import pages (import/export info, base reloc info, resource info)]
• Not much has changed in the last 20 or so years
• Must be backwards compatible (win8 must read the header)
• Easy to automatically manipulate
• http://msdn.microsoft.com/library/windows/hardware/gg463125
25. The Common Object File Format (COFF) Format
[Diagram: Microsoft COFF header (machine type, number of sections, etc.); section headers; raw data: code, data, debug info, relocations]
• This is included in the PE File Format
• The most important section for RE
• Includes:
- Machine Type
- Number of Sections
- Size and Access (RWE) of Sections
• Typically includes the rest of the file: Code, Data, Debug, Reloc (the actual sections)
27. How I learned to Backdoor Windows Binaries
• Through the Offensive Security Cracking the Perimeter course
– Duh
• Manual Labor
• Time Consuming
– At first hours
– Now about 10-15 minutes
• Missing some important concepts:
– Working with the import table
– Working with staged payloads (stagers)
– Multi cave jumping
– win32 only (slight differences in x64 asm)
28. CTP Methods
• Append a new section of code
– Similar to the Metasploit msfvenom keep
– Named RWX section (e.g. .sdata, .moo, .what, etc…)
• Use existing code caves for encoding/decoding shellcode in the appended section
– We looked at XOR encoding
– XOR encoding is no longer effective against AV
31. Code Caves?
A code cave is an area of bytes in a binary that contain a null byte pattern (x00) greater than two bytes.
32. How are code caves created?
• Not sure, so I did some research…
• Or went on a quest…
33. How are code caves created?
• Starting out, I assumed that a unicorn would know everything.
• So I went to defcon.
• And what’s better than a unicorn at DEFCON!!!
34. How are code caves created?
Hi Unicorn!
Hi.. err, human!
How are code caves made?
I don’t know.
Aww. Want a beer?
Pssst… Check compilers…
o/
35. How are code caves created?
Tested the following x32 compilers:
• G++ - GNU C++
• Cl.exe – MS compiler linker.
• Lcc-win32
• Mingw32-c++
36. How are code caves created?
Against this code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>
int array[600] = {0};   /* zero-initialised global: the compiler/linker decides where these null bytes land */
int main(int argc, char **argv)
{
    printf("hello world");
    return 0;
}
This Code is FREE as in BEER.
38. How Are Code Caves Created?
Results for code caves greater than 200 bytes in named sections (e.g. .text, .data, .idata, etc…):
• Cl.exe : 7
• G++: 4
• Mingw32-c++: 3
• Lcc-win32: 0
39. How Are Code Caves Created?
• Remember this line of code:
– int array[600] = {0};
• Not one had a cave of at least 600 bytes.
40. How Are Code Caves Created?
Lesson:
If you want to minimize code caves in your code, carefully pick your compiler.**
**More research could be done in this area.***
***I don’t write compilers****
****Nor do I want to…
…yet :P
42. Some Ideas
• Automation
• Split shellcode into smaller sections
• Use multiple code caves
• Non-sequential cave jumping
• Use user provided shellcode
• Combine the Metasploit Stager solution with the CTP code cave use
43. Solution: BDF
• x32 version released in March 2013
– Supported only single cave jumping
– No x32 stagers support
• Python27 - Single Script
• Supports win32/64
– Supports x32 stagers
– No stagers payloads for x64 yet. (Remember that bug feature request?)
• Code Cave injection (single and multiple)
• Support user-provided shellcode
• Some Randomization (different hash every time an EXE is created)
– Through random one’s complement in the code
– And different types of nops
• Injector Module
44. How BDF works
• Enumerates PE/COFF Header format
• Determines if binary is supported (win32/64 intel)
• Locates code caves that correspond to size of shellcode
• Patches executable in an attempt to return registers/flags to the original state for continued execution
– Patches entry location with a JMP to the first selected code cave/appended section
– Patches each user selected code cave
45. How BDF works
• Very primitive disassembler to do just what we need
• Reworked the x32 msfvenom stager ‘keep’ stub to work in code caves and with user provided shellcode
– x64 stager support is in the works
• Reworked a handful of useful metasploit payloads to allow for multiple code cave jumping
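The script below is an added example, not BDF's code and not from the slides: a small Python PE header walker that finds null-byte caves per section as slide 31 defines them (with a length threshold, so it can also count the 200-byte caves of the compiler test), then checks from the defender's side for the two symptoms slides 19 and 44 describe, a writable-and-executable section and an entry point whose first instruction is a JMP into a different section. The image it audits is constructed inline (section names, RVAs and the '.moo' name are assumptions), not a real compiled binary.

```python
import struct

SCN_EXEC, SCN_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def parse_pe(data):
    """MZ header -> e_lfanew -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew: file offset of the PE header
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    magic = struct.unpack_from("<H", data, pe + 24)[0]            # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, pe + 40)[0]            # AddressOfEntryPoint (RVA)
    secs = []
    for i in range(nsect):                                        # 40-byte IMAGE_SECTION_HEADERs
        f = struct.unpack_from("<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        secs.append(dict(name=f[0].rstrip(b"\0").decode(), vsize=f[1], va=f[2], rawsize=f[3], raw=f[4], chars=f[9]))
    return dict(machine=machine, pe32plus=magic == 0x20B, entry=entry, sections=secs)

def find_caves(data, secs, min_len=3):   # null runs of >= min_len bytes per section -> (name, file offset, length)
    caves = []
    for s in secs:
        blob, i = data[s["raw"]:s["raw"] + s["rawsize"]], 0
        while i < len(blob):
            j = i
            while j < len(blob) and blob[j] == 0:
                j += 1
            if j - i >= min_len:
                caves.append((s["name"], s["raw"] + i, j - i))
            i = j + 1
    return caves

def section_of(secs, rva):
    return next((s for s in secs if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])), None)

def audit(data):
    """Defender-side heuristics: writable+executable sections, and an entry point that starts with a JMP elsewhere."""
    pe = parse_pe(data)
    secs, findings = pe["sections"], []
    findings += ["RWX section %s" % (s["name"] or "<unnamed>") for s in secs
                 if s["chars"] & SCN_EXEC and s["chars"] & SCN_WRITE]
    ep = section_of(secs, pe["entry"])
    if ep is None or not ep["chars"] & SCN_EXEC:
        findings.append("entry point 0x%x is not in an executable section" % pe["entry"])
    else:
        off = ep["raw"] + pe["entry"] - ep["va"]                     # file offset of the first instruction
        if data[off] == 0xE9:                                         # JMP rel32; target = next RVA + rel32
            tgt = section_of(secs, pe["entry"] + 5 + struct.unpack_from("<i", data, off + 1)[0])
            if tgt is not ep:
                findings.append("entry JMP leaves %s for %s" % (ep["name"], tgt["name"] if tgt else "no section"))
    return findings

def build_sample(patched):
    """Constructed toy PE32 (not compiler output): .text at RVA 0x1000 / file 0x200 with a 16-byte cave;
    when patched, an appended RWX '.moo' section at RVA 0x2000 and a JMP to it as the first entry instruction."""
    entry = b"\xE9" + struct.pack("<i", 0x2000 - 0x1005) if patched else b"\x55\x89\xE5\x5D\xC3"
    text = (entry + b"\x90" + b"\0" * 16 + b"\x31\xC0\xC3").ljust(0x200, b"\xCC")   # int3 padding, no stray nulls
    secs = [(b".text", 0x1000, 0x200, 0x60000020)] + ([(b".moo", 0x2000, 0x400, 0xE0000020)] if patched else [])
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", 0x1000)).ljust(224, b"\0")  # magic, entry
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)  # IMAGE_FILE_MACHINE_I386
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, raw, 0, 0, 0, 0, ch) for n, va, raw, ch in secs)
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    return hdr + text + ((b"\x90" * 8 + b"\0\0\xC3").ljust(0x200, b"\xCC") if patched else b"")
```

A JMP at the entry point is only a lead, since some legitimate toolchains emit one; confirm it against a known-good hash of the binary, as slide 69 recommends, before calling it a patch.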
50. Demos
• Support Check (Live)
• Backdooring win32/64 binaries (Live)
– Append code cave
– Single code caving
– Code Cave jumping
• Mass backdooring (directory) - Live
• Provide your own shellcode - Live
• Prototyping shellcode (video)
• The injector module (video)
51. DEMO – Support Check
• If not supported, then what?
• Email me with the disassembly of the entry function (from a legitimate email)
• I’ll send you the opcode update
52. DEMO - Patch a file with shellcode win32/64
• Append
• Pick a single Cave
• Multi-Jumps
• Note – Non-stager payloads will ‘hang’ if C2 is not available
– Payloads are patched ‘in-line’ and not run in a separate thread
55. DEMO – Injector Module
• Injector is the hunt and backdoor binary of doom.
• Use responsibly
56. DEMO - Provide your own shellcode
• Can be anything, just make sure it matches the process type (x32 for x32)
• Make sure you use ExitFunction=Thread or you will kill the parent process (not good)
57. Attack Scenarios or Methods
• Salting Parking Lots with USBs
• Hosting Rogue Exes
• Attacking system services
• Linux Setuid Attack for Windows
– Patching binaries that require elevated perms but might be in non-admin directories
• Sysinternal tools
• Setup files
59. Mitigations - UPX Encoding
• Not supported by BDF
• Unpack – Patch – Pack
• UPX is not protection against patching
• Could open up your Exe to potential weaknesses
– Are you unpacking to unprotected memory space?
60. Mitigations - Self Validation
• Team Viewer
• Round Robin Checking
• Find the check, patch it
61. Mitigations – Anti-Virus’
• I broke the “rule” and uploaded my samples to
Virustotal for this presentation
• It really doesn’t matter
• AV is dead
62. MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping
MSFVENOM -k -t exe
Hash: 6d0cb53a4fa983287310260f5c8659ab6c3a761ef8dbd147cf2cfd9e971f4295
63. MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping
MSFVENOM -t exe
Hash: 6d0cb53a4fa983287310260f5c8659ab6c3a761ef8dbd147cf2cfd9e971f4295
64. MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping
BDF Cave jumping
Hash: 5620ba8c64ff0d9cde65eda4156fbb85186f2bd0f16636cded5c9a0d8024d4e9
65. win32 BDF vs win64 BDF
ZoomIt.exe vs ZoomIt64.exe
66. EMET 4.0+ FTW?
• If you use position-independent shellcode (metasploit)
• And the target binary is protected by EMET…
• And the Caller protection setting is enabled…
• And the application is running as win32…
• EMET will stop this type of attack!
67. EMET 4.0+ FTW?
• If the binary executes as a win64 process
• EMET will not stop this type of attack!
From the EMET 4.0 User Guide:
68. Mitigations - Whitelisting
• Based on what you’ve seen today, why would you trust AV?
• There are whitelisting vendors, I’m not endorsing any of them
• I did not test it, but they “should” work – if based on hashing verification and not name
• Not the end game solution (e.g. powershell memory injection)
69. Enterprise Mitigations
• Don’t let end users download binaries
• Verify Your Binaries before Deploying
– Verify hashes
– Conduct forensic analysis and testing
– Look at network traffic
– Etc…
70. Road Map
• x64 stub to support staged payloads
• Support Mach-O and ELF formats
• Patch the IAT and api pointers to shorten required shellcode and eliminate ROP-like calls
• MITM patching of binaries during download