Most Popular Blogs

  1. Advanced Signature Writing via FuzzyHashing

    Hi there,

    In this period I'm working heavily on Signature Generation for big malware families. This means that there is a large amount of binaries to be checked for recurring Static Patterns; you should understand that this work can't be done by hand on families of 400k+ samples, and hashing would not help, because Hash Algorithms respect the Avalanche Effect via its most famous generalization, the SAC (Strict Avalanche Criterion). This property is satisfied if, whenever a single input bit is complemented, each of the output bits changes with a probability of one half.

    In other words, a minimal change will deeply change the hash result and we can't get back to similarities, so we need a technology that does not respect the SAC; also in this case the wonderful cryptography helps us.

    We have CTPH, which means Context Triggered Piecewise Hashes, also called Fuzzy Hashes; this will help us to match inputs that have homologies like sequences of identical bytes in the same order.

    Here is an interesting paper about CTPH: Identifying almost identical files using context triggered piecewise hashing

    http://dfrws.org/2006/proceedings/12-Kornblum.pdf

    and here is an open source implementation of fuzzy hashing called DeepToad

    http://code.google.com/p/deeptoad/

    Regards,
    Giuseppe 'Evilcry' Bonfa
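To make the contrast concrete, here is an added example (not part of the post above, and not DeepToad or ssdeep code): a toy context triggered piecewise hash in Python next to a SHA-256 bit-difference count that shows the avalanche effect the post describes. The window size, trigger rule, FNV-based piece hash and the LCG-generated "sample" bytes are constructed assumptions for illustration, not ssdeep's real parameters.

```python
import hashlib

WINDOW = 7            # bytes of context the trigger looks at
BLOCK_SIZE = 8        # a trigger fires about once per BLOCK_SIZE bytes (fixed here; ssdeep scales it)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def ctph(data: bytes) -> str:
    """Context triggered piecewise hash: a hash of the last WINDOW bytes decides where a
    piece ends, so an edit only moves the boundaries near it. Every piece contributes one
    character derived from an FNV-1a hash of its bytes (a toy stand-in for ssdeep's scheme)."""
    out, piece = [], 0x811C9DC5                               # FNV-1a offset basis
    for i, b in enumerate(data):
        piece = ((piece ^ b) * 0x01000193) & 0xFFFFFFFF
        context = sum(data[max(0, i - WINDOW + 1):i + 1])     # toy rolling hash of the window
        if context % BLOCK_SIZE == BLOCK_SIZE - 1:            # context trigger
            out.append(ALPHABET[piece & 63])
            piece = 0x811C9DC5
    out.append(ALPHABET[piece & 63])                          # flush the last piece
    return "".join(out)

def similarity(sig_a: str, sig_b: str) -> float:
    """Percentage of pieces shared, via longest common subsequence (ssdeep uses edit distance)."""
    prev = [0] * (len(sig_b) + 1)
    for ca in sig_a:
        cur = [0]
        for j, cb in enumerate(sig_b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return 100.0 * prev[-1] / max(len(sig_a), len(sig_b), 1)

def differing_bits(data_a: bytes, data_b: bytes) -> int:
    """Count differing bits between the two SHA-256 digests; the SAC puts this near 128 of 256."""
    digest_a = int.from_bytes(hashlib.sha256(data_a).digest(), "big")
    digest_b = int.from_bytes(hashlib.sha256(data_b).digest(), "big")
    return bin(digest_a ^ digest_b).count("1")

def sample(seed: int, length: int = 512) -> bytes:
    """Constructed stand-in for a malware sample: deterministic pseudo-random bytes from an LCG."""
    out = bytearray()
    for _ in range(length):
        seed = (seed * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((seed >> 16) & 0xFF)
    return bytes(out)

ORIGINAL = sample(1)
PATCHED = ORIGINAL[:200] + bytes([ORIGINAL[200] ^ 0x01]) + ORIGINAL[201:]   # one bit flipped
```

Comparing `similarity(ctph(ORIGINAL), ctph(PATCHED))` with `differing_bits(ORIGINAL, PATCHED)` shows the two behaviours side by side: most fuzzy-hash pieces survive the one-bit patch, while roughly half of the SHA-256 output bits flip.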
  2. Dynamic Binary Code and Data Flow Analysis Instrumentation.

    by , July 30th, 2010 at 15:23 (BanMe.From.Native_Development)
    So I've been integrating Boomerang into Sin32 and I am releasing all future code under BSD and GPL licenses references therein.

    In doing this I don't want to use the GC stuff or the weird LOG class provided to do the logging of all this important information that is gleaned out of this project, so a reimplementation of that is needed (all 367 or so calls that I commented out) as well as the reimplementation of the GUI.. removing QT was fun.. But reworking the controller GUI to also view output of the server.. is the primary goal. But as seen with my post in rekindled hope (maybe) I'm trying to probe for remote console allocation for output as well as input commands.

    For the most part I am done with getting it to compile correctly; now I have to make the code not examine 'Binary Files' and examine 'mapped Binary portions', which isn't anything 'really different' from what it does anyway; my method is just runtime based ...

    But I know the 'some' benefits from the inclusion of the marvelous little tool, but there is so much to be done.. But I will give you the source and the first 'complete compiling project'.. This update is only running what has been released in the past for the 'LPC Server portion of this, maybe with minor updates'; expect a BIG update in that regard soon.

    Here's a download link for the sources
    http://www.filefactory.com/file/b2ca04f/n/SIN32.zip

    Updated July 30th, 2010 at 15:37 by BanMe

    Categories
    BanMe.From.Native_Development , Lpc Server Development
  3. IDAQ: The result of 7 months at Hex-Rays

    It is not a mystery that Hex-Rays is preparing for the IDA 6.0 beta program. In this post I'll write a bit about my personal, behind the scenes, experience with the project.

    It took me 7 months to port/rewrite the old VCL GUI of IDA Pro. The new GUI, as had already been anticipated months ago on the official blog, is Qt based.

    The main difficulties I have faced were mostly not of a technical nature, although it was a complex task, but psychological ones. It took a lot of patience and it was very difficult every morning to go to work and have to see an unfinished product with the old GUI, reminding myself how much was still to do.

    What follows is a rough roadmap of my work; I'll mention only the milestones and not the hundreds of smaller parts. It has to be noted that, at least for what concerns the docking, I wrote most of it before joining Hex-Rays to accelerate the development of the actual GUI once in the company. While Qt has a docking system, it is not as advanced as the one used by the VCL GUI, which is a commercial control. So, I wrote a docking system myself in order to offer all the advanced features the old GUI had.

    January: first impact with the code. Took me a week to grasp the initial concepts to start. Basically at the end of the month I could display disassembly and graph mode of a file. Also, hints, graph overview and disassembly arrows were implemented.

    February: implemented chooser and forms (which I actually completely changed internally, that's why I had to improve them again later on to obtain better backwards compatibility).

    March: marathon month. Implemented every day one or more dialogs/views such as: hex view, cpu regs view, enum view, struct view, options, navigation band, colors, etc. etc. More than 30, some very easy, some advanced controls such as the hex view or the cpu regs view.

    April: two weeks to finish the docking and smaller things.

    May: two weeks to implement the desktop part (the ability to save/restore layouts and options) and smaller things.

    June: fixes, help system and improved the forms implementation.

    July: Hundreds of fixes for the beta.

    While there will be still bugs to fix, I consider the project as completed and I wrote this post to close a chapter for myself.
    Categories
    Uncategorized
  4. New face and new concept for the Reverse Code Engineering Video Portal

    As promised, the site has been improved greatly.
    http://video.reverse-engineering.net

    We are now using a multi-lingual Video Gallery interface with many useful features.

    Everybody can now publish their own RCE-related videos (not porn!) in their personal gallery by manual upload or direct URL download by the server.
    So many good videos disappear every day from RapidShare-like hosting.

    The most interesting ones will be moved to the main sections for more visibility.

    For those who don't like watching videos online or downloading many separate files, it is possible to create your own custom downloadable ZIP package (batch-download) by adding videos to your Favorites folder.

    We added more than 100 videos to the local database, including:

    40 videos from the Lena series
    43 conference videos from Recon 05 and 06 (including Woodmann, Fravia and Zero)
    7 buffer overflow videos, some using olly
    3 video solutions from crackmes.de
    and many more, all in one place.

    As if that wasn't enough, 3 new videos in my IDA series:

    6. TLS-CallBacks and preventing debugger detection with IDA
    7. Unwrapping a Flash Video Executable (exe2swf)
    8. Stop fishing and start keygenning.

    The last one is an analysis of a crackme using anti-debugging techniques with IDA.

    I hope we will receive some contributions soon.
    Categories
    Uncategorized
  5. x64 SEH & Explorer Suite Update

    Yesterday I took a bit of time and updated the Explorer Suite. One important new feature is the addition of the Exception Directory. I'm no longer working on the old CFF Explorer. However, I thought this feature was too important for people to wait for the new CFF Explorer. Here's a screenshot of the Exception Directory UI:



    If you have no idea how x64 Structured Exception Handling works, you can briefly read this article on osronline (http://www.osronline.com/article.cfm?id=469) or my article about Vista x64. There's also a pretty in-depth quantity of information in a series of posts on Ken Johnson's blog (http://www.nynaeve.net/?p=99). However, don't hope to find too much information on the web about the real physical layout of the Exception Directory. The MSDN information is incomplete if not wrong, and even the SDK doesn't help. This post isn't a complete guide to x64 exceptions; I just want to explain how to analyze them inside the CFF Explorer.

    In the screenshot above you can see two arrays of tables. The first one is an array of RUNTIME_FUNCTION structures. The last column isn't part of this structure though: it shows the five high bits of the first byte of the UNWIND_INFO structure referenced by the UnwindData member of RUNTIME_FUNCTION. This is the declaration of UNWIND_INFO:

    Code:
    typedef struct _UNWIND_INFO {
        UBYTE Version       : 3;
        UBYTE Flags         : 5;
        UBYTE SizeOfProlog;
        UBYTE CountOfCodes;
        UBYTE FrameRegister : 4;
        UBYTE FrameOffset   : 4;
        UNWIND_CODE UnwindCode[1];
    /*  UNWIND_CODE MoreUnwindCode[((CountOfCodes + 1) & ~1) - 1];
    *   union {
    *       OPTIONAL ULONG ExceptionHandler;
    *       OPTIONAL ULONG FunctionEntry;
    *   };
    *   OPTIONAL ULONG ExceptionData[]; */
    } UNWIND_INFO, *PUNWIND_INFO;
    The flags represent the type of handlers. An exception flag represents __try/__except blocks, while the termination flag represents __try/__finally blocks.

    The second is an array of scope records. An UNWIND_INFO can contain more than one scope record. Let's consider this little code sample:

    Code:
    __try
    {
    	__try
    	{
    		// code
    	}
    	__finally
    	{
    		// code
    	}
    	
    	__try
    	{
    		// code
    	}
    	__finally
    	{
    		// code
    	}
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
    	// code
    }
    As you can see from the screenshot, it results in 3 scope records. The HandlerAddress in a scope record structure can be an RVA to a C_exception_handler function, or it can be a simple value like EXCEPTION_EXECUTE_HANDLER (which is 1). The last scope record represents the __except statement. Don't confuse the exception handler (or filter) with its code.

    The JumpTarget member, if not 0, is an RVA to the exception code. It's possible to see if a particular address has an entry inside the Exception Directory by right clicking on the first table and then clicking 'Is Address Handled' in the pop-up menu. Nevertheless, remember that exception handlers can be added at runtime with APIs like RtlAddFunctionTable and RtlInstallFunctionTableCallback.

    I fixed some minor bugs in the CFF Explorer and one major bug in the Task Explorer. I noticed this bug years ago but never took the time to fix it. It showed only when trying to dump the region of an x86 process using the 64-bit version of the Task Explorer. However, x64 is becoming widely used and so the bug is now fixed. Also, I thought it a good idea on 64-bit platforms to install both a 32-bit version of the Task Explorer and a 64-bit one. Thus, the installer now behaves accordingly.

    Updated January 18th, 2009 at 19:16 by Daniel Pistelli

    Categories
    Uncategorized
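As an added illustration (not Daniel's code and not CFF Explorer's), this Python parser walks a RUNTIME_FUNCTION array, splits the first UNWIND_INFO byte into Version and Flags exactly as the struct above lays them out, and locates the ExceptionHandler RVA after the padded unwind codes, which is the value CFF Explorer's last column is derived from. The UNW_FLAG_* values are the winnt.h constants; the PE image is a constructed byte array where RVA equals file offset, so the directory RVA and handler RVA are made-up sample values.

```python
import struct

# Flag values from winnt.h; they sit in the five high bits of the first UNWIND_INFO byte
UNW_FLAG_EHANDLER = 0x1    # __try/__except: an ExceptionHandler RVA follows the unwind codes
UNW_FLAG_UHANDLER = 0x2    # __try/__finally: a termination handler RVA follows the unwind codes
UNW_FLAG_CHAININFO = 0x4   # a chained RUNTIME_FUNCTION follows instead of a handler

def parse_unwind_info(image: bytes, rva: int) -> dict:
    """Decode one UNWIND_INFO header plus the optional field after the unwind codes."""
    first, size_of_prolog, count_of_codes, frame = struct.unpack_from("<BBBB", image, rva)
    info = {"version": first & 0x7,       # MSVC puts the first bit field in the low bits
            "flags": first >> 3,           # ... so Flags are the five high bits
            "size_of_prolog": size_of_prolog, "count_of_codes": count_of_codes,
            "frame_register": frame & 0xF, "frame_offset": frame >> 4,
            "exception_handler": None, "chained_entry": None}
    # UNWIND_CODE slots are 2 bytes each, padded to an even count: the same arithmetic as
    # the commented-out MoreUnwindCode declaration in the struct above.
    after_codes = rva + 4 + ((count_of_codes + 1) & ~1) * 2
    if info["flags"] & UNW_FLAG_CHAININFO:
        info["chained_entry"] = struct.unpack_from("<III", image, after_codes)
    elif info["flags"] & (UNW_FLAG_EHANDLER | UNW_FLAG_UHANDLER):
        info["exception_handler"] = struct.unpack_from("<I", image, after_codes)[0]
    return info

def parse_exception_directory(image: bytes, dir_rva: int, dir_size: int) -> list:
    """Walk the RUNTIME_FUNCTION array: BeginAddress, EndAddress, UnwindData (12 bytes each)."""
    entries = []
    for off in range(dir_rva, dir_rva + dir_size, 12):
        begin, end, unwind = struct.unpack_from("<III", image, off)
        entries.append({"begin": begin, "end": end, "unwind": unwind,
                        "info": parse_unwind_info(image, unwind)})
    return entries

def is_address_handled(entries: list, rva: int):
    """The question CFF Explorer's 'Is Address Handled' answers: which entry covers rva, if any."""
    return next((e for e in entries if e["begin"] <= rva < e["end"]), None)

# Constructed image (RVA == offset): two functions, the first carrying an __except handler.
IMAGE = bytearray(0x200)
struct.pack_into("<III", IMAGE, 0x100, 0x1000, 0x1050, 0x140)   # RUNTIME_FUNCTION #1
struct.pack_into("<III", IMAGE, 0x10C, 0x1050, 0x1080, 0x160)   # RUNTIME_FUNCTION #2
IMAGE[0x140:0x148] = bytes([0x09, 0x04, 0x01, 0x00,             # Version 1 | EHANDLER << 3, prolog 4, 1 code
                            0x04, 0x32, 0x00, 0x00])            # UWOP_ALLOC_SMALL at offset 4, then padding
struct.pack_into("<I", IMAGE, 0x148, 0x2000)                    # ExceptionHandler RVA
IMAGE[0x160:0x164] = bytes([0x01, 0x00, 0x00, 0x00])            # Version 1, no flags, no codes
```

Handlers registered at runtime through RtlAddFunctionTable never appear in this directory, so an address the parser reports as unhandled may still be covered in the live process.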