added deobfuscation overview as a wish from Sven
This commit is contained in:
parent
683a130664
commit
70712ef6ce
Binary file not shown.
After Width: | Height: | Size: 785 KiB |
Binary file not shown.
After Width: | Height: | Size: 85 KiB |
|
@ -28,6 +28,70 @@
|
||||||
margin: 0 0.8em 0.2em -1.6em;
|
margin: 0 0.8em 0.2em -1.6em;
|
||||||
vertical-align: middle;
|
vertical-align: middle;
|
||||||
}
|
}
|
||||||
|
/* CSS for syntax highlighting */
|
||||||
|
pre > code.sourceCode { white-space: pre; position: relative; }
|
||||||
|
pre > code.sourceCode > span { line-height: 1.25; }
|
||||||
|
pre > code.sourceCode > span:empty { height: 1.2em; }
|
||||||
|
.sourceCode { overflow: visible; }
|
||||||
|
code.sourceCode > span { color: inherit; text-decoration: inherit; }
|
||||||
|
div.sourceCode { margin: 1em 0; }
|
||||||
|
pre.sourceCode { margin: 0; }
|
||||||
|
@media screen {
|
||||||
|
div.sourceCode { overflow: auto; }
|
||||||
|
}
|
||||||
|
@media print {
|
||||||
|
pre > code.sourceCode { white-space: pre-wrap; }
|
||||||
|
pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; }
|
||||||
|
}
|
||||||
|
pre.numberSource code
|
||||||
|
{ counter-reset: source-line 0; }
|
||||||
|
pre.numberSource code > span
|
||||||
|
{ position: relative; left: -4em; counter-increment: source-line; }
|
||||||
|
pre.numberSource code > span > a:first-child::before
|
||||||
|
{ content: counter(source-line);
|
||||||
|
position: relative; left: -1em; text-align: right; vertical-align: baseline;
|
||||||
|
border: none; display: inline-block;
|
||||||
|
-webkit-touch-callout: none; -webkit-user-select: none;
|
||||||
|
-khtml-user-select: none; -moz-user-select: none;
|
||||||
|
-ms-user-select: none; user-select: none;
|
||||||
|
padding: 0 4px; width: 4em;
|
||||||
|
color: #aaaaaa;
|
||||||
|
}
|
||||||
|
pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; }
|
||||||
|
div.sourceCode
|
||||||
|
{ }
|
||||||
|
@media screen {
|
||||||
|
pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
|
||||||
|
}
|
||||||
|
code span.al { color: #ff0000; font-weight: bold; } /* Alert */
|
||||||
|
code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
|
||||||
|
code span.at { color: #7d9029; } /* Attribute */
|
||||||
|
code span.bn { color: #40a070; } /* BaseN */
|
||||||
|
code span.bu { color: #008000; } /* BuiltIn */
|
||||||
|
code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
|
||||||
|
code span.ch { color: #4070a0; } /* Char */
|
||||||
|
code span.cn { color: #880000; } /* Constant */
|
||||||
|
code span.co { color: #60a0b0; font-style: italic; } /* Comment */
|
||||||
|
code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
|
||||||
|
code span.do { color: #ba2121; font-style: italic; } /* Documentation */
|
||||||
|
code span.dt { color: #902000; } /* DataType */
|
||||||
|
code span.dv { color: #40a070; } /* DecVal */
|
||||||
|
code span.er { color: #ff0000; font-weight: bold; } /* Error */
|
||||||
|
code span.ex { } /* Extension */
|
||||||
|
code span.fl { color: #40a070; } /* Float */
|
||||||
|
code span.fu { color: #06287e; } /* Function */
|
||||||
|
code span.im { color: #008000; font-weight: bold; } /* Import */
|
||||||
|
code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
|
||||||
|
code span.kw { color: #007020; font-weight: bold; } /* Keyword */
|
||||||
|
code span.op { color: #666666; } /* Operator */
|
||||||
|
code span.ot { color: #007020; } /* Other */
|
||||||
|
code span.pp { color: #bc7a00; } /* Preprocessor */
|
||||||
|
code span.sc { color: #4070a0; } /* SpecialChar */
|
||||||
|
code span.ss { color: #bb6688; } /* SpecialString */
|
||||||
|
code span.st { color: #4070a0; } /* String */
|
||||||
|
code span.va { color: #19177c; } /* Variable */
|
||||||
|
code span.vs { color: #4070a0; } /* VerbatimString */
|
||||||
|
code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
|
||||||
</style>
|
</style>
|
||||||
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/theme/dracula.css" id="theme">
|
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/theme/dracula.css" id="theme">
|
||||||
</head>
|
</head>
|
||||||
|
@ -153,7 +217,7 @@ Symbol Tree</figcaption>
|
||||||
<section class="slide level1">
|
<section class="slide level1">
|
||||||
|
|
||||||
<h3 id="strings">Strings</h3>
|
<h3 id="strings">Strings</h3>
|
||||||
<p><img src="./defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto"></p>
|
<p><img src="./images/defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto"></p>
|
||||||
<p>Strings can not only be located in data but also in other code
|
<p>Strings can not only be located in data but also in other code
|
||||||
segments, sometimes obfuscated</p>
|
segments, sometimes obfuscated</p>
|
||||||
</section>
|
</section>
|
||||||
|
@ -180,6 +244,118 @@ on tryhackme</a></li>
|
||||||
<li class="fragment">Download firmware of your favorite IoT
|
<li class="fragment">Download firmware of your favorite IoT
|
||||||
appliances</li>
|
appliances</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
</section>
|
||||||
|
<section class="slide level1">
|
||||||
|
|
||||||
|
<h2 id="a-word-on-binary-obfuscation">A Word On Binary Obfuscation</h2>
|
||||||
|
<p>Software Obfuscation was born in 1984 at the <a
|
||||||
|
href="https://ioccc.org/">International Obfuscated C Code
|
||||||
|
Contest</a></p>
|
||||||
|
<p><img src="./images/donut.gif" alt="A donut as code compiles to a spinning donut by Jim Hague" width="50%" height="auto"></p>
|
||||||
|
</section>
|
||||||
|
<section class="slide level1">
|
||||||
|
|
||||||
|
<h3 id="what-exactly-might-be-obfuscated-in-your-code">What Exactly
|
||||||
|
might be Obfuscated in Your Code?</h3>
|
||||||
|
<section>
|
||||||
|
<a
|
||||||
|
href="https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf">Layered
|
||||||
|
obfuscation: a taxonomy of software obfuscation techniques for layered
|
||||||
|
security by Hui Xu et. al</a>
|
||||||
|
</section>
|
||||||
|
<section>
|
||||||
|
<ul>
|
||||||
|
<li class="fragment">Code Element Layers
|
||||||
|
<ul>
|
||||||
|
<li class="fragment">Layout</li>
|
||||||
|
<li class="fragment">Controls</li>
|
||||||
|
<li class="fragment">Data</li>
|
||||||
|
<li class="fragment">Methods</li>
|
||||||
|
<li class="fragment">Classes</li>
|
||||||
|
</ul></li>
|
||||||
|
</ul>
|
||||||
|
</section>
|
||||||
|
<section>
|
||||||
|
<ul>
|
||||||
|
<li class="fragment">Component
|
||||||
|
<ul>
|
||||||
|
<li class="fragment">Library Calls</li>
|
||||||
|
<li class="fragment">Used Resources</li>
|
||||||
|
</ul></li>
|
||||||
|
<li class="fragment">Application Layer
|
||||||
|
<ul>
|
||||||
|
<li class="fragment">DRM System</li>
|
||||||
|
<li class="fragment">Neural Networks</li>
|
||||||
|
</ul></li>
|
||||||
|
</ul>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<section class="slide level1">
|
||||||
|
|
||||||
|
<h2 id="techniques-of-obfuscation">Techniques of Obfuscation</h2>
|
||||||
|
</section>
|
||||||
|
<section class="slide level1">
|
||||||
|
|
||||||
|
<h3 id="splitting-merging-of-strings">Splitting & Merging of
|
||||||
|
Strings</h3>
|
||||||
|
<div class="sourceCode" id="cb1"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="ex">a</span> = <span class="st">"BABE"</span></span>
|
||||||
|
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a><span class="ex">b</span> = <span class="st">"CAFFEE"</span></span>
|
||||||
|
<span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a><span class="ex">f</span><span class="st">"{b}{a}"</span></span></code></pre></div>
|
||||||
|
<p><a href="https://github.com/mandiant/flare-floss/">String
|
||||||
|
Deobfuscation with FLOSS</a></p>
|
||||||
|
</section>
|
||||||
|
<section class="slide level1">
|
||||||
|
|
||||||
|
<h2 id="packing">Packing</h2>
|
||||||
|
<div class="sourceCode" id="cb2"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a> <span class="ex">ooooo</span> ooo ooooooooo. ooooooo ooooo</span>
|
||||||
|
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a> <span class="kw">`</span><span class="ex">888</span><span class="st">' `8'</span> <span class="kw">`</span>888 <span class="kw">`</span><span class="ex">Y88.</span> <span class="kw">`</span>8888 d8<span class="st">'</span></span>
|
||||||
|
<span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a><span class="st"> 888 8 888 .d88'</span> Y888..8P</span>
|
||||||
|
<span id="cb2-4"><a href="#cb2-4" aria-hidden="true" tabindex="-1"></a> <span class="ex">888</span> 8 888ooo88P<span class="st">' `8888'</span></span>
|
||||||
|
<span id="cb2-5"><a href="#cb2-5" aria-hidden="true" tabindex="-1"></a> <span class="ex">888</span> 8 888 .8PY888.</span>
|
||||||
|
<span id="cb2-6"><a href="#cb2-6" aria-hidden="true" tabindex="-1"></a> <span class="kw">`</span><span class="ex">88.</span> .8<span class="st">' 888 d8'</span> <span class="kw">`</span>888b</span>
|
||||||
|
<span id="cb2-7"><a href="#cb2-7" aria-hidden="true" tabindex="-1"></a> <span class="kw">`</span><span class="ex">YbodP</span><span class="st">' o888o o888o o88888o</span></span></code></pre></div>
|
||||||
|
<p><a href="https://upx.github.io/">UPX Packer/Unpacker</a></p>
|
||||||
|
</section>
|
||||||
|
<section class="slide level1">
|
||||||
|
|
||||||
|
<h3 id="mangling">Mangling</h3>
|
||||||
|
<section>
|
||||||
|
<pre><code data-trim data-noescape>
|
||||||
|
c++filt
|
||||||
|
_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
|
||||||
|
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char,
|
||||||
|
std::char_traits<char>, std::allocator<char> > const&, unsigned long)
|
||||||
|
</code></pre>
|
||||||
|
</section>
|
||||||
|
<section>
|
||||||
|
<a href="https://demangler.io/" alt="demangler">Online Demangler</a>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<section class="slide level1">
|
||||||
|
|
||||||
|
<h3 id="code-elements">Code Elements</h3>
|
||||||
|
<ul>
|
||||||
|
<li class="fragment">Adding Unnecessary Instructions</li>
|
||||||
|
<li class="fragment">Changing Control Flows</li>
|
||||||
|
<li class="fragment">Protecting Data</li>
|
||||||
|
</ul>
|
||||||
|
<p><img src="./images/spaghetti.jpg" alt="Convoluted Code" width="30%" height="30%"></p>
|
||||||
|
</section>
|
||||||
|
<section class="slide level1">
|
||||||
|
|
||||||
|
<h3 id="deobfuscation-tools">Deobfuscation Tools</h3>
|
||||||
|
<ul>
|
||||||
|
<li class="fragment">DotNet
|
||||||
|
<ul>
|
||||||
|
<li class="fragment"><a href="https://github.com/de4dot/de4dot">de4dot
|
||||||
|
Deobfuscator and Unpacker</a></li>
|
||||||
|
<li class="fragment"><a href="https://github.com/dnSpy/dnSpy">dnSpy
|
||||||
|
Debugger and Assembly Editor</a></li>
|
||||||
|
<li class="fragment"><a
|
||||||
|
href="https://github.com/icsharpcode/ILSpy">ILSpy Decompiler instead of
|
||||||
|
Ghidra</a></li>
|
||||||
|
</ul></li>
|
||||||
|
</ul>
|
||||||
</section>
|
</section>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
|
@ -129,3 +129,107 @@ Strings can not only be located in data but also in other code segments, sometim
|
||||||
* [Find more binaries on hackthebox](https://hackthebox.eu)
|
* [Find more binaries on hackthebox](https://hackthebox.eu)
|
||||||
* [Or Find even more on tryhackme](https://tryhackme.com)
|
* [Or Find even more on tryhackme](https://tryhackme.com)
|
||||||
* Download firmware of your favorite IoT appliances
|
* Download firmware of your favorite IoT appliances
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## A Word On Binary Obfuscation
|
||||||
|
|
||||||
|
Software Obfuscation was born in 1984 at the [International Obfuscated C Code Contest](https://ioccc.org/)
|
||||||
|
|
||||||
|
<img src="./images/donut.gif" alt="A donut as code compiles to a spinning donut by Jim Hague" width="50%" height="auto">
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
### What Exactly might be Obfuscated in Your Code?
|
||||||
|
|
||||||
|
<section>
|
||||||
|
[Layered obfuscation: a taxonomy of software obfuscation techniques for layered security by Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
|
||||||
|
* Code Element Layers
|
||||||
|
* Layout
|
||||||
|
* Controls
|
||||||
|
* Data
|
||||||
|
* Methods
|
||||||
|
* Classes
|
||||||
|
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
* Component
|
||||||
|
* Library Calls
|
||||||
|
* Used Resources
|
||||||
|
|
||||||
|
* Application Layer
|
||||||
|
* DRM System
|
||||||
|
* Neural Networks
|
||||||
|
|
||||||
|
</section>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Techniques of Obfuscation
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
### Splitting & Merging of Strings
|
||||||
|
|
||||||
|
```sh
|
||||||
|
a = "BABE"
|
||||||
|
b = "CAFFEE"
|
||||||
|
f"{b}{a}"
|
||||||
|
```
|
||||||
|
|
||||||
|
[String Deobfuscation with FLOSS](https://github.com/mandiant/flare-floss/)
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Packing
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ooooo ooo ooooooooo. ooooooo ooooo
|
||||||
|
`888' `8' `888 `Y88. `8888 d8'
|
||||||
|
888 8 888 .d88' Y888..8P
|
||||||
|
888 8 888ooo88P' `8888'
|
||||||
|
888 8 888 .8PY888.
|
||||||
|
`88. .8' 888 d8' `888b
|
||||||
|
`YbodP' o888o o888o o88888o
|
||||||
|
```
|
||||||
|
|
||||||
|
[UPX Packer/Unpacker](https://upx.github.io/)
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
### Mangling
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<pre><code data-trim data-noescape>
|
||||||
|
c++filt
|
||||||
|
_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
|
||||||
|
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char,
|
||||||
|
std::char_traits<char>, std::allocator<char> > const&, unsigned long)
|
||||||
|
</code></pre></section>
|
||||||
|
|
||||||
|
<section><a href="https://demangler.io/" alt="demangler">Online Demangler</a></section>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
### Code Elements
|
||||||
|
|
||||||
|
* Adding Unnecessary Instructions
|
||||||
|
* Changing Control Flows
|
||||||
|
* Protecting Data
|
||||||
|
|
||||||
|
<img src="./images/spaghetti.jpg" alt="Convoluted Code" width="30%" height="30%">
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
### Deobfuscation Tools
|
||||||
|
|
||||||
|
|
||||||
|
* DotNet
|
||||||
|
* [de4dot Deobfuscator and Unpacker](https://github.com/de4dot/de4dot)
|
||||||
|
* [dnSpy Debugger and Assembly Editor](https://github.com/dnSpy/dnSpy)
|
||||||
|
* [ILSpy Decompiler instead of Ghidra](https://github.com/icsharpcode/ILSpy)
|
||||||
|
|
Loading…
Reference in New Issue