00:00:01.168-->00:00:06.173 >> This is block fighting with a hooker. Block Fighter 2. So please join me in welcoming K2. 00:00:10.711-->00:00:15.716 [applause] >> Thank you. DefCon. Wooo! Thanks everyone for coming. Um, everyone watchin' on 00:00:22.356-->00:00:27.361 DefCon TV. I hope it's been a good time. Uh, the only problem I had so far was, uh, you 00:00:30.497-->00:00:35.502 couldn't get a beer this morning. From the cafe. Beer sales were closed. So. No, it 00:00:37.938-->00:00:42.943 was man in the little cafe over there. But, luckily, luckily, uh, I don't now but maybe sort 00:00:45.445-->00:00:50.450 of luckily, my ex-wife is on the way over to get me a beer. Pretty lucky, that um, kept it 00:00:53.220-->00:00:58.792 cool. Anyhow, enough of the drama and, uh, non-technical talk, I guess, but thanks again 00:00:58.792-->00:01:03.997 everyone. Um, you know so this talk is gonna kind of cover a bunch of different things in, 00:01:03.997-->00:01:09.002 uh, uh, sort of a exception based hooking technique. Um, it's using Capstone, under the 00:01:13.807-->00:01:20.714 cover in various places, but, um, I just committed code, um, oh I thought this slide had the 00:01:20.714-->00:01:25.719 GitHub on it. Let me see. The next one. So the neat thing about this, um, hooking 00:01:29.890-->00:01:35.762 technique, really is, in a nutshell, ya know, tracing's great. Ya know, performance 00:01:35.762-->00:01:40.233 tracing is great and, um, you know the kind of trace telemetry you get out of a binary when 00:01:40.233-->00:01:45.238 you're monitoring it, awesome, for performance testing and you know, the um, AFL dyes, ya know 00:01:47.874-->00:01:52.879 the fuzzy lop. Um, they use a lot of that kind of feedback to expand their algorithm based on 00:01:56.350-->00:02:01.888 that trace data. But there's a lot of, um, looking at trace data, modifying your inputs, 00:02:01.888-->00:02:06.226 re-running the binary from scratch. So you're gonna like constantly be re-executing this 00:02:06.226-->00:02:11.865 binary all the time. But, um, at least this method, um, you're only going to execute one time, 00:02:11.865-->00:02:16.603 so you have all your state with you and you're actually interrupting the execution and 00:02:16.603-->00:02:22.909 you're able to make a decision based on like, hey, do I wanna um, emulate these instructions. 00:02:22.909-->00:02:27.914 Do I want to, um, change what the program thinks it's doing. Do I want to, um, um, sniff 00:02:31.351-->00:02:37.057 other aspects of it. And in this particular talk, so when I, um, ya know, when I was um, thinking 00:02:37.057-->00:02:42.062 of what to do for these different block fighters, I call them, in a nutshell as well, uh. 00:02:44.664-->00:02:49.369 The block fighters are, I'm talking about basic blocks, so like assembly instructions. 00:02:49.369-->00:02:54.508 These blocks that kind of, um, you know are around the execution of your application 00:02:54.508-->00:02:59.980 that, uh, every time there's a conditional and a branch is taken, those are two new blocks 00:02:59.980-->00:03:06.119 that kind of fork off. So you've got these blocks and we're gonna fight those blocks. Some people 00:03:06.119-->00:03:11.825 call it binary steering or other things like that, um, ya know, I've seen, I've seen a lot of 00:03:11.825-->00:03:18.432 different trace or performance, um, you know, inclinations for, you know, um, getting coverage. 00:03:18.432-->00:03:25.172 And moving your coverage up. Static checkers do something similar in some cases for, um, 00:03:25.172-->00:03:29.609 insuring that they tested all the code and I'm not sure all the Darpus stuff earlier, 00:03:29.609-->00:03:35.182 whoever saw all that stuff. Um, this kind of fits in into some of those aspects, but, uh, you 00:03:35.182-->00:03:40.854 know, the more tools the better and I can't tell you how many times I've been working on, you 00:03:40.854-->00:03:45.926 know, a forensics thing or like an incident and you know, I'm trying to use like whatever tool 00:03:45.926-->00:03:50.931 and because whatever constraint of my environment and how this thing runs, the analysis method 00:03:54.034-->00:03:58.205 that I was previously, you know super successful with wasn't working all the time time. So, 00:03:58.205-->00:04:02.609 you know, it's always fun and and and and good to kind of learn new things and to be aware 00:04:02.609-->00:04:07.614 of, um, flexible or easy to use analysis primitives. So. In terms of this method, uh, I 00:04:10.650-->00:04:15.489 wrote three, what I call block fighters. One is this RoP defender thing. So anyone who 00:04:15.489-->00:04:19.759 doesn't know what a RoP is, a RoP is return-oriented programming. There's also JOPS. 00:04:19.759-->00:04:26.366 Jump-oriented or LOPS, loop-oriented. Um, I wanted to call it like DOP DROP Defender 00:04:26.366-->00:04:31.371 maybe. So no. Ok. There's a music reference in there somewhere, I just forget who the 00:04:34.474-->00:04:39.479 artist was who did that track. Um, in any case, it's super easy to do this RoP protection. So 00:04:41.715-->00:04:45.752 kind of ad hoc. You know may maybe if you're you're getting an exploit or you're doing 00:04:45.752-->00:04:49.656 whatever you're just tracing whatever you want to understand the execution of something, you 00:04:49.656-->00:04:54.961 can use something similar to this RoP Defender that I wrote to kind of understand um, where 00:04:54.961-->00:04:59.666 your RoP chain is breaking or you know, if you're defending something maybe you want to 00:04:59.666-->00:05:05.172 analyze an exploit and do what do whatever. I'll show you the code in a bit, but it's pretty 00:05:05.172-->00:05:11.878 fun and straight-forward kind of like, the RoP Defender itself is just like not even 20 30 lines 00:05:11.878-->00:05:17.684 of code. You get to drop that in. The other thing, um, I thought was kind of cool, it's 00:05:17.684-->00:05:22.022 just like a concept really, is, uh, you know, everyone's talking about Ransomeware, like 00:05:22.022-->00:05:27.060 Ransomeware is a big terrorizing thing and, ya know, and steal all our money and everything, ya 00:05:27.060-->00:05:32.065 know. So, I wrote this thing, um, this Ransom Escrow, so, it will enforce key escrow of the 00:05:36.303-->00:05:41.808 encryption going on in your computer so that, like, ya know, hey, if something's encrypting 00:05:41.808-->00:05:47.681 something on my box, I want that encryption key. Well, ya know, too late, if you weren't 00:05:47.681-->00:05:53.620 watching where the encryption key came from right? So, this is a super simple primitive, it's 00:05:53.620-->00:05:57.624 on GitHub right now. Um, I was going to expand it in a couple of ways, but I'll cover more of 00:05:57.624-->00:06:02.562 that later or I'll talk about it as a I do a little demo of it. Um, the hypervisor DoS thing, 00:06:04.631-->00:06:09.302 it's cross hypervisor, um this is just something that came out while I was writing this tool 00:06:09.302-->00:06:16.243 and I was like, hey, my friend like, um, actually Rich, uh, Rich in Seattle, um, he's doing 00:06:16.243-->00:06:20.146 another trace tool, it's very cool, um, Run Speed Tracer, I've got a reference to it in here. 00:06:20.146-->00:06:23.283 Um, he's doing this other thing and I'm like, hey man, why don't you do this in the cloud? I was 00:06:23.283-->00:06:27.787 like, yeah, ok, that's cool. Because the technique he was using couldn't work in the cloud 00:06:27.787-->00:06:32.892 because he was using these low level, um, performance tuning intel features that aren't 00:06:32.892-->00:06:37.764 exposed to the hypervisor or whatever, so anyhow, this stuff I'm, this this stuff in here in 00:06:37.764-->00:06:42.769 EhTrace, is uh not as new, right, it's not like super leading edge, so, there is kind 00:06:45.705-->00:06:52.579 of like, sort of support for it in the hypervisor. Unfortunately though, um, they all break. 00:06:52.579-->00:06:57.817 Well, except for actually, I gotta take that back. The only hypervisor that is not falling 00:06:57.817-->00:07:02.756 to its knees trying to execute this code, is, um, Virtual Box. So, thanks Virtual Box, uh, I 00:07:05.959-->00:07:10.964 tend to you know, there's kind of like a whipping boy sometimes, but hey. Forgot this 00:07:10.964-->00:07:14.668 one. Oh yeah and there's some graphing stuff I did, um, if anyone's interested in graphing. 00:07:14.668-->00:07:19.005 I saw a lot of cool graphing stuff with the, these Darpa computers. I wanted to do this 00:07:19.005-->00:07:25.245 like 3D thing in the future, if you're into graphing and like computer, uh, visualization and 00:07:25.245-->00:07:31.885 vex code execution, let me know, I got some ideas, I wanna shoot around. Um, ok, yeah, hey, oops, 00:07:31.885-->00:07:36.890 I must a, been just talking all over the place, but hooking tracing, so tracing again, 00:07:39.693-->00:07:45.231 what's executing. The hooking, I wanna modify it, right? Pretty simple, straight forward. We'll 00:07:45.231-->00:07:49.235 talk about some various frustrations and hurdles, like the hypervisor DoS, that was 00:07:49.235-->00:07:55.108 kind of a frustration I want us to go cloud scale. Ya know, but hey, maybe eventually when uh, 00:07:55.108-->00:08:00.046 when they get fixed, or who knows. Um, and then also, symbol support, I was gonna have that 00:08:02.882-->00:08:07.087 in, I kind of backed it out because symbol handling is kind of a pain. Talk about that 00:08:07.087-->00:08:12.459 later. Um, use some other tools. Oh yeah, here's the GitHub. If you want to check it out, that's 00:08:12.459-->00:08:17.464 my GitHub. K2, really short, GitHub username. Should be easy to remember. Um, EhTrace this 00:08:20.200-->00:08:25.171 other one is the one we're talking about today, uh, Invertero is the thing I did, uh 00:08:25.171-->00:08:31.511 started a couple years ago. DefCon, uh, 22. It's like, um, a nested virtualization memory, 00:08:31.511-->00:08:36.516 like, recursive physical to to virtual extraction thing. It's kind of neat. Oh, yeah, anyone 00:08:43.356-->00:08:45.358 want to drop the code, let me know if I forgot something. Um, the goo- the good thing about 00:08:45.358-->00:08:49.562 what we've got here is that it runs on Bare Metal really nice. Um, it can run your Improviser, 00:08:49.562-->00:08:54.534 probably VirtualBox is your best bet. Um, and we're trying to do this binary steering thing and 00:08:54.534-->00:09:00.040 what that means is, like, there's there's some things I have to do. Like, I have- we 00:09:00.040-->00:09:05.812 have to reset the flags, because the way this exception management works is the flags is 00:09:05.812-->00:09:10.216 reset every time in a different track handler, like, the kernel when it calls us, so we gotta 00:09:10.216-->00:09:15.221 like set that. So you know, if we see the binary looking for that flag set or unset, we need 00:09:18.124-->00:09:23.663 to either emulate that instruction or handle it in some way to neutralize it from 00:09:23.663-->00:09:28.034 detecting us. It's kind of like a classic sandbox problem. Um, this might be kind of like a 00:09:28.034-->00:09:33.406 loose end box. For all intents and purposes. Um, there's obviously a lot of issues, uh, 00:09:33.406-->00:09:38.778 fighting code in your own address space. However, we are guaranteed certain things being 00:09:38.778-->00:09:43.783 in the exception handling path. Um, you know in terms of state, um, being synchronous. So again, 00:09:47.320-->00:09:51.424 yeah, uh, there's some other DBI stuff that's pretty cool. Um, totally wanna check it out in 00:09:51.424-->00:09:56.329 the future. Some dreams for this stuff, you know, lots more block fighters, fun little ideas are 00:09:56.329-->00:10:00.967 pretty straight forward to bang out. I mean, I did the RoP one in like 20 lines. I did the key 00:10:00.967-->00:10:06.439 escrow thing in you know sup-. And the key escrow is generic hooker for any function pre-post 00:10:06.439-->00:10:11.444 condition. Um, which is great. Uh, the per- the performance is kind of ranging. Um, slicing is 00:10:13.613-->00:10:18.618 your friend and what that means is figuring out how to confine what you're looking and not 00:10:21.221-->00:10:24.657 executing a bunch of random other stuff which you don't care about, right? So discounting 00:10:24.657-->00:10:28.428 stuff that you don't want to look at, figuring out what you want to look at. More or less. 00:10:28.428-->00:10:33.433 Um, uh, anyway, uh, I do this on Windows X, Windows X64, Windows 10. Um, other version your 00:10:40.740-->00:10:45.745 mileage may vary. This guy, uh, um, Ferno, sorry if I'm bastardizing that thing on the 00:10:47.881-->00:10:52.886 x86asmnet board from years ago, kind of reversed this technique and found it. Um, and then, so 00:10:57.724-->00:11:03.997 you can check that out. And then this other guy, uh, LaughFool, um, showed me this other zip 00:11:03.997-->00:11:07.967 that you can do to patch and help make it work better on other versions of Windows. But, 00:11:07.967-->00:11:14.040 thanks to those guys. Um, back in DefCon 15, here's a paper, you know they're talking about 00:11:14.040-->00:11:19.712 covert debugging. Well, in a sense, this EhTrace stuff is sort of like an in PROC 00:11:19.712-->00:11:24.984 debugger, so all of our debugging happens in PROC in the same address space at what 00:11:24.984-->00:11:30.089 you're looking at. The the ease-, what makes it nice, is that you don't have to use base 00:11:30.089-->00:11:35.128 pointers all the time, so if like you're logging the, the, payload for the function call 00:11:35.128-->00:11:39.199 for this thing you want to look at, well, I don't have to rebase my pointer addresses because I'm 00:11:39.199-->00:11:43.770 in a different process and everything's mapped weirdly, you know and um, randomization 00:11:43.770-->00:11:48.775 addresses is all the rage now, easy and straightforward to um, code naturally. She brought the 00:11:59.786-->00:12:04.724 beer. Woo hoo. [applause] Wow. Cotton mouth. Um, oh yes, some modern stuff, this Triton 00:12:15.368-->00:12:20.173 library from Corks Lab. This thing is super cool. Um, if anyone's looked at it, you know, 00:12:20.173-->00:12:25.278 this is like, kind of like one of those ideal designs for DBI frameworks, it's got all these, 00:12:25.278-->00:12:31.517 um, components to it. Um, if you see in that example of tracers on the left hand, uh, side of 00:12:31.517-->00:12:37.323 that block diagram. Um, essentially we could fit in, or EhTrace could fit in, in place 00:12:37.323-->00:12:42.295 of any of those. So, this could, you could basically drop EhTrace in for pen or DynamoRio or 00:12:42.295-->00:12:47.300 something and in fact I started to do that with, um, uh, when if, winafl port, um to EhTrace 00:12:49.836-->00:12:54.741 instead of using DynamoRio. Um, but I just quite didn't get it all done, it's kind of in the 00:12:54.741-->00:12:59.278 GitHub a little bit, if you want to look at it. Um, I wanted to narrow down the slicing on it a 00:12:59.278-->00:13:04.817 bit more, because um, the, you know, obviously those are more mature tools and they have focus 00:13:04.817-->00:13:10.790 right in on the .dlls, like, uh, the gdiplus test case or whatever for DynamoRIO and win 00:13:10.790-->00:13:14.394 winafl, you know it's just that one module, but I don't want to trace like NTDL and all the 00:13:14.394-->00:13:21.034 other things. So, it is what it is, but hopefully eventually, um, we can get to decent, um, 00:13:21.034-->00:13:26.305 performance level that, um, it's not um, you know, too bad to just use this thing for fun as 00:13:26.305-->00:13:32.612 well um, if you need to. It is really great, um, as well EhTrace, in that, um, you don't 00:13:32.612-->00:13:38.084 need really to know much about the symbols, right? You're getting invoked by the system 00:13:38.084-->00:13:42.989 during execution and, um, all you really have to do is flip some flags and you'll maintain 00:13:42.989-->00:13:47.160 execution. You don't need to do any hooking. So you don't need to know the symbols, you don't 00:13:47.160-->00:13:50.797 need to know how many arguments there were, you really don't have to know very much at all. 00:13:50.797-->00:13:55.268 Um, Which is really great. And you, and you get a lot of invocations or you can you know, 00:13:55.268-->00:14:00.973 you can tune that down. Um, the disassembly again is, you know, right now it's CapStone based, 00:14:00.973-->00:14:04.777 which is a great tool, I really appreciate what those guys have done there and looking forward 00:14:04.777-->00:14:09.782 to their future releases, but, um, you know, I obviously you're not gonna wanna do too much of 00:14:12.085-->00:14:17.323 that. So I'm gonna wanna try and do some kind of caching and you know, it gets, things get overly 00:14:17.323-->00:14:20.526 complicated the more you start, you know, thinking about it, like ok, how am I going to 00:14:20.526-->00:14:27.200 defend against this, what am I gonna do? I'll hash that result. That'll be fine. Um, again this 00:14:27.200-->00:14:31.771 is just some background of hooking execution and you know, and instruction let decoders 00:14:31.771-->00:14:36.342 that go on. You know, hey, you know when there could be a new instruction set in that binary 00:14:36.342-->00:14:42.014 that you know, prevents it from being hooked with your favorite hooker, so you're unable to like 00:14:42.014-->00:14:47.053 hook the execution of something, whereas you know, with a model like this, you really don't have 00:14:47.053-->00:14:52.058 a problem. What's the problem? Oh yeah, debuggers are slow. And also, typically, when something 00:14:56.028-->00:15:00.233 wants to detect that it's being analyzed, like it will do checksums on itself, hashes, 00:15:00.233-->00:15:05.738 like, hey what's my textsum? Or maybe you're executing in like uh, um, secure environment, like 00:15:05.738-->00:15:11.677 Integrity Mode OS, that is like, hey this .dll can't be changed. Right? Well, then how do I trace 00:15:11.677-->00:15:16.682 execution of that thing with existing tools, right? What if I want to fuzz this thing you know 00:15:16.682-->00:15:20.586 in release mode? And I don't want to have to do a debug and I don't want to have to do this 00:15:20.586-->00:15:26.592 and you know, I want to just trace what's going on right now, because anytime I alter anything 00:15:26.592-->00:15:33.332 about my test case, it stopes reproing. So, this is nice in some circumstances, because you 00:15:33.332-->00:15:39.772 won't have to make as many changes to your test case or whatever you're doing to repro 00:15:39.772-->00:15:45.378 what you want, right? So, we're not changing the code, we're not altering execution, so, um, 00:15:45.378-->00:15:49.315 introducing some latency in the exception handler is not a big deal, I mean, what? People swap 00:15:49.315-->00:15:55.555 memory and this and that, right? It's not, um a huge impact to what a normal execution 00:15:55.555-->00:15:59.826 guarantee is for a binary. So they're just gonna kind of assume it's a slow box or 00:15:59.826-->00:16:04.263 whatever, you know, it's it's, it just reduces the amount of problems you gotta worry about. 00:16:04.263-->00:16:09.268 So these are the, some of the different things. Some of the micro benchmarking, um, we're 00:16:14.974-->00:16:19.979 total worst case scenario was 1000 percent. So, ehhh. Sounds slow. But, uh, the in in if you 00:16:24.150-->00:16:29.689 slice it up and um, you're able to um have good checkpoints of where you want to enable and 00:16:29.689-->00:16:35.428 disable tracing, um, it's as low as 25 percent. Right, it's just kind of, you know, it's 00:16:35.428-->00:16:41.434 impossible to have like the the one method that does everything all the time. But ya know hey 00:16:41.434-->00:16:46.272 and then you know if we do do some caching of inputs and we do understand the slicing of this 00:16:46.272-->00:16:51.277 binary and the you know, um, uh, you know, we we we can we can understand, ok this point, it's 00:16:53.946-->00:16:58.417 doing 'x' so you we can just time warp, you know or fast forward the state of execution 00:16:58.417-->00:17:04.891 to like, this other checkpoint and skip something that might have been um, you know, not 00:17:04.891-->00:17:09.896 really to worry about. EhTrace, so it's, I'm I'm partially Canadian. Eh. About. Something 00:17:15.034-->00:17:20.039 else Canadian. Let's take the canoe. Whoo who! Anyhow, uh, so just throw that in there. Some 00:17:23.643-->00:17:28.648 of the other stuff we tried on the way to write this, was um, kind of like stack hooking and, 00:17:28.648-->00:17:35.288 um, so one of the other concepts of, you know, so I said I had the RoP Fighter. So, with 00:17:35.288-->00:17:40.293 EhTrace, you can also, essentially hook, your tracing, your tracing code, your tracing 00:17:42.762-->00:17:49.068 code can be, just a set of RoP gadgets or LOPS or JOPS or whatever the heck. It's just a 00:17:49.068-->00:17:53.272 function pointer that gets called, since you're not making any changes to these binaries, 00:17:53.272-->00:17:57.443 you're actually just getting, like, inserted into the stack and you can manipulate the 00:17:57.443-->00:18:02.815 execution without worrying about introducing unsigned code in these kind of issues or un- you 00:18:02.815-->00:18:07.787 know, whatever else it might be. So, it's kind of fun from that aspect as well and if you want 00:18:07.787-->00:18:12.792 to go ahead and um, bang out, like um, you know, crazy, you know backdoor or whatever else, 00:18:15.561-->00:18:21.067 um, you know, hey, uh, there's some, there's some, RoP backdoors or RoP malwares I've 00:18:21.067-->00:18:26.372 seen floating around. Um, or if you want to trace those things, you can use this as well, it's 00:18:26.372-->00:18:31.644 kind of fun, it's very flexible. So um, I guess one of the ideas that anytime you make like an 00:18:31.644-->00:18:35.615 offensive thing, you just got to remember to pair it with, like, uh, a counter measure, so 00:18:35.615-->00:18:41.153 there's a lot of measures and counter measures in analyzing stuff. Like, ok, well, you know 00:18:41.153-->00:18:47.626 I'm gonna analyze it by, um, extracting the state uh, uh, you know whenever it crosses the 00:18:47.626-->00:18:53.132 kernel, but then, oh, ok, well, it repairs itself before it calls the kernel, make it look 00:18:53.132-->00:18:59.338 normal, right? So, it falls within these normanize- normalized, uh, uh assumptions. 00:18:59.338-->00:19:04.276 You know, who knows right? There could be a lot of different ways to, um, counteract or act, uh, 00:19:06.512-->00:19:10.649 you know, you know when you're, when you're talking about trying to understand, this like, huge 00:19:10.649-->00:19:16.589 amount of state and this huge amount of moving parts in, um, binary execution. Um, and I 00:19:16.589-->00:19:21.861 guess as we get to the demo, the hypervisor things, that's kind of like, um, an explanation of 00:19:21.861-->00:19:26.665 why all these hypervisors are DoSed from this thing. It's like, well, there's a lot of, 00:19:26.665-->00:19:33.172 uh, lot of, uh, state moving around and no one's um, hit this path before and it's really 00:19:33.172-->00:19:37.943 expensive and does, it doesn't matter how many CPU cores you have, it'll, you know, it'll 00:19:37.943-->00:19:42.948 just take you down if you're not, um, uh, efficient overall. So, um, anyhow, the stack 00:19:45.618-->00:19:50.322 hooking, in the end I might do some kind of hybrid technique, because if you're, if I'm 00:19:50.322-->00:19:56.962 hooking the stack directly by cho-, theoretically chopping in an exception, manipulating the 00:19:56.962-->00:20:02.968 stack and then executing, I'm kind of, I'm I'm thinking about using that as a a mechanism to 00:20:02.968-->00:20:08.407 turn this on and off dynamically. So, obviously that would be a lot faster to kind 00:20:08.407-->00:20:13.412 of, you know, trim down your exception handling. This is how it works, super easy. This DR7 00:20:16.115-->00:20:22.388 thing, this is like, um, I guess, um a backdoor that, uh Fenero found, um, so this is 00:20:22.388-->00:20:26.559 typically not a register that you can affect from user space, this is like a kernel only 00:20:26.559-->00:20:33.432 thing. The, uh, debug MSR. Right there. So this DR7 actually winds it, winds, weaves it's way 00:20:33.432-->00:20:38.437 about back into the debug MSR and, um, that's why in um, if you don't have Windows 10, so 00:20:41.140-->00:20:44.944 this works great in Windows 10. Other people have gotten varying reports. But if you're not using 00:20:44.944-->00:20:50.182 Windows 10, like, you know 2008 or whatever it is, you gotta go slash debug and then I do the 00:20:50.182-->00:20:55.821 MSR write for you, but you don't need to, right. So when I do the demo here, it will just be user 00:20:55.821-->00:21:01.694 space, you can see the warning, hey, this thing didn't work and it, obviously does. So the RoP 00:21:01.694-->00:21:06.699 hook idea, kind of fun. Um, what else is it good for. Um, basic block, coverage, back in the 00:21:12.738-->00:21:19.178 DBI. Um, try not to emulate too much. You know I'll be working on some new updates for caching 00:21:19.178-->00:21:25.651 or making it better based on what people thing and what they'd like to see. Um, you 00:21:25.651-->00:21:30.256 know, it infuriates me to no end, every time I go to get my favorite tracing tool, when it 00:21:30.256-->00:21:34.460 doesn't have the capability to trace the version of the OAS I'm using and I gotta do a symbol 00:21:34.460-->00:21:39.632 ping or manually edit, ya know, so a lot, a lot of times there's like so much rigmarole just to 00:21:39.632-->00:21:45.104 start doing what you want to do, with, um, certain types of hooking. Having, um, the 00:21:45.104-->00:21:50.109 flexibility to use this technique, um, has really helped me out in, um, uh, analyzing 00:21:53.546-->00:21:58.551 binaries in execution environments that, um, were really confined. So maintaining 00:22:02.621-->00:22:05.691 control, I mentioned it before, there's a flag register, but there's other things that you 00:22:05.691-->00:22:09.628 want to do, um you want to make sure no one's like taking over control of the DEH, like if 00:22:09.628-->00:22:14.266 you're gonna go ahead and build, like a whole sandbox around this, you know, hey, go for it. 00:22:14.266-->00:22:19.271 Um, you know, but, um, that's like a very long war you're gonna have to fight. Of course, 00:22:23.876-->00:22:28.881 a fight or two. Everybody. [noise and applause] Woo! I was really good with 10 myself, I 00:22:35.721-->00:22:41.827 like to, I like the uppercuts. Uh um. These are some comments on like other areas that I need 00:22:41.827-->00:22:46.432 to like flesh out or if you're going to do some kind of analyzing malware or whatever, 00:22:46.432-->00:22:52.204 like sandboxy stuff. Some things to think about. Where you would want to do the monitoring and 00:22:52.204-->00:22:57.209 make sure you're not being de-synchronized from the execution. Um, branch stepping 00:22:59.612-->00:23:04.550 is great. However, um, in the end if you do kind of, I mean there are all these like RoP 00:23:08.387-->00:23:14.059 jitters. Kind of also I've seen a lot of them like CapStone based as well. RoP jitters and 00:23:14.059-->00:23:19.064 different types of jitting. Um, if there was like a LOP L-loop OP, loop oriented programming, 00:23:22.901-->00:23:28.707 uh, jitter, uh, I think the performances thing would be like near native. So, would be great. 00:23:28.707-->00:23:33.712 Um, I mentioned some of this stuff. The Ransom Warrior. Here I'll I'll fire this guy up. You 00:23:38.284-->00:23:43.289 let me know what you think. Doo doo doo. Ok. Oh. My projector is not, hold on. We We kill Outlook 00:23:52.131-->00:23:57.136 here for a sec. Oops. Oops. Ok. I think I can see. Ok, so. So this thing here, um, the code 00:24:16.922-->00:24:22.895 for this is just gonna do standard crypto calls. I canned it. There's a static lib I use 00:24:22.895-->00:24:27.299 for test cases that so I don't have to like, erase the injection of the .dll and all 00:24:27.299-->00:24:32.304 this kind of stuff. Anyhow, when we execute this, um, this is like crypGenRandom being called. 00:24:36.408-->00:24:41.413 Um, that this is the data that was actually x filled, in in in EhTrace, through the exception 00:24:45.617-->00:24:52.257 monitoring of the execution, through the um, uh code analysis or block analysis rather. And 00:24:52.257-->00:24:57.429 then, you know this is like the return value from like the program. So like, you know the 00:24:57.429-->00:25:03.669 post condition on that hook, like hooked and logged data incoming random data before the 00:25:03.669-->00:25:08.040 return which is great. You know, so we know um we're at a really good place to egress this 00:25:08.040-->00:25:13.512 information to like a network server or if there was some kind of like hypervisor enclave 00:25:13.512-->00:25:18.350 protecting my secrets and stuff, I could, I could be like, oh, send this over there. This is 00:25:18.350-->00:25:23.856 some bits that I might care about in the future if I'm current, you know and then, you 00:25:23.856-->00:25:29.661 know if I'm going to get Ransomewared, I could uh, unwind that spool of bits and say, hey 00:25:29.661-->00:25:35.868 are any of these used in my crypto key? Luckily with, um, crypto functions, even if the 00:25:35.868-->00:25:41.373 Ransomware has got like this static lib of like open SSL built into the binary, um, I 00:25:41.373-->00:25:46.612 don't know if everybody knows, but a pretty good technique for finding encrypto functions is 00:25:46.612-->00:25:50.816 Constance, 'cause you know, everyone wants to use like standard cryptographic, you 00:25:50.816-->00:25:55.187 know, APIs and what not and functions that are approvabley secure in in one way or another 00:25:55.187-->00:26:00.893 by math people. Haha, so, even the bad guys want that, so they're not going to be shipping 00:26:00.893-->00:26:06.331 their own stuff, so ya know, if we're able to raise the bar in monitoring the crypto and 00:26:06.331-->00:26:12.037 monitoring the execution of, um, anything that's gonna try to do any kind of crypto op on your 00:26:12.037-->00:26:17.910 box, well, then hey, ya know, now they're gonna either have to roll their own, or you know, 00:26:17.910-->00:26:22.481 which will probably be something that will be crackable. Give us some lead time to get everybody, 00:26:22.481-->00:26:27.486 uh, ya know, just saving all the data in the cloud, right? So, haha, yeah, I mean the cloud's 00:26:29.988-->00:26:34.993 great, I'm sorry, but, I love cloud actually. Love hate relationship. Ok. So that was a 00:26:38.764-->00:26:43.769 key escrow. Now the RoP stuff, is super straight forward, um, I'm just gonna show, the code, 00:26:47.806-->00:26:52.811 so, it's in here. Doo doo doo. RoP Defender. So that RoP Defender was actually executing, 00:27:02.521-->00:27:06.358 so they're all like chained together. So that RoP, this RoP Defender is running in the same 00:27:06.358-->00:27:10.462 time as the key escrow guy as well, the perf overhead, once you're already done the 00:27:10.462-->00:27:15.701 exception pump, you can do a lot. You've already, you've already spent the cycles, so you 00:27:15.701-->00:27:20.105 can do a lot of stuff, right. You're not, you know, you've already taken the hit, you might 00:27:20.105-->00:27:25.911 as well do 10 things or 100, so it doesn't matter. Um, so, this kind of RoP Defense stuff, was 00:27:25.911-->00:27:30.115 like, uh a few years ago. People were talking about this like, uh, K Bouncer and these things. 00:27:30.115-->00:27:36.955 This is um, some code, um, ya know, lots of people had like, you know know, hey let's pair 00:27:36.955-->00:27:41.360 these things up, right, if you're doing a ret there better be a call instruction that's 00:27:41.360-->00:27:46.899 paired with that ret or else it's invalid, so let's reduce the gadget space. So that's when 00:27:46.899-->00:27:51.904 everyone started to talk about, oh, let's do LOPs and JOPs and dot drop. You know. So, uh, that 00:27:56.608-->00:27:59.478 one's pretty straight forward, all it is and it's cake you know, you just go, hey, what's 00:27:59.478-->00:28:04.950 the RSP, and what not and yeah, you know, you'll see things if anyone's like a major coder and 00:28:04.950-->00:28:10.122 wants to get involved you'll see like, hey, you know, the the stack pointer is really nice to 00:28:10.122-->00:28:15.127 have because you can understand the depth you are and everything else. Get my state here. Ahh. 00:28:19.331-->00:28:24.336 That was that one. Uh. Hold on. There we go. So yeah, enforce cryptographic key escrow. Good 00:28:34.980-->00:28:39.985 idea, I think. I want to know what's encrypted on my computer. Uh, coverage. Can you hear me 00:28:44.222-->00:28:50.095 now? Alright. I guess he switched networks. Um. FlameGraph. So I did a bunch of 00:28:50.095-->00:28:55.801 different graphs here, uh, here's one, one of the issues with this much data though, you 00:28:55.801-->00:29:00.606 can imagine, if I'm logging every basic block that's executed in this binary, there's 00:29:00.606-->00:29:07.312 so much data, like how are you going to visualize that. Um, turns out, really hard problem. 00:29:07.312-->00:29:11.783 Uh, that's why I got some, I got some 3D ideas coming up, but um, these are 3 different graphs 00:29:11.783-->00:29:18.056 that are already built in. I did it with like WPF and, um, Microsoft AGL. I actually got a 00:29:18.056-->00:29:22.961 bug on the MSAGL guys, um, as soon as that comes in, there's gonna be a much cooler graph, 00:29:22.961-->00:29:27.265 which is kind a graph map. And it's all navigatable and expandable and you click on, you 00:29:27.265-->00:29:31.503 click on this block and it'll be like "shhh" you know like a spider web kind of blowin' up. 00:29:31.503-->00:29:36.508 It's kind of nice, um, but they depend on this like, uh, janky, uh EDU, like university guy 00:29:38.644-->00:29:45.350 thing that's like, hasn't been updated in like 15 years and they're just like, just wait, 00:29:45.350-->00:29:51.823 just wait, it's almost fixed. I'm like, alright. Thanks for making it free. Oh, yeah here we 00:29:51.823-->00:29:57.496 go. So this is a flame graph. So all of these graphs actually generate with just the stock 00:29:57.496-->00:30:02.100 data that's logged in the logging function which is just, um, you know, it's a fairly 00:30:02.100-->00:30:07.105 limited amount of bits, it's about 64, you know 128 bits per block. But this is kind of like 00:30:10.308-->00:30:15.313 the stack depth overtime, um, and then, per block so there'd be like 3 or 4 blocks 00:30:20.652-->00:30:26.324 horizontally at the same stack depth. That means that that function had 3 blocks, right. 00:30:26.324-->00:30:30.328 And then you see the ones with just one that was like a leaf or just like a single call or 00:30:30.328-->00:30:36.401 something, but you know that's kind of how that thing looks. Um, unfortunately, like the 00:30:36.401-->00:30:42.941 pearl scripts, the pearl scripts that, um, uh are used to generate this stuff, were like, 00:30:42.941-->00:30:49.281 generating like gigabyte files and stuff so it was kind of, um, you know needed to like trim 00:30:49.281-->00:30:54.286 that down, so. Again the symbols are coming. I'm also kind of waiting on Microsoft, some PDB 00:30:58.490-->00:31:03.428 to be, uh, their GitHub to be fixed up a bit, it's almost, it looks almost ready too, so. It's 00:31:06.798-->00:31:13.438 coming, it's got a source code commits coming. Yeah know, some different stuff. Have fun, you 00:31:13.438-->00:31:18.176 know, try and do your own thing. Um, you know, there's a lot of kind of just hints on what to do 00:31:18.176-->00:31:23.181 and different ideas. Um, I'd love to like engage people on different concepts on like 00:31:23.181-->00:31:26.752 analysis and modeling and just kind of understanding comprehension of what's 00:31:26.752-->00:31:31.690 executing. Feel free to like, ah, shoot me an idea of something you want to do. Or 00:31:31.690-->00:31:36.695 think about. Ok, here I'm gonna do the hypervisor one. Ok, could I get, uh, the the thing reset? 00:31:54.179-->00:31:59.184 Um, hold on. Ok, cool. This a_prep here, this exe is like from the repro and I committed 00:32:19.938-->00:32:24.810 this stuff before I realized the effect of it or how, how far wide reaching it was. So, ya 00:32:24.810-->00:32:28.680 know, one thing, like if your code like you know, I, I, I've been kind of jumping back and 00:32:28.680-->00:32:32.984 forth between the good and the bad and the evil versus good a little bit here. Code versus 00:32:32.984-->00:32:37.989 code or you know whatever. Us against the robot or something. Um, the, this code here you 00:32:40.192-->00:32:45.297 know, so frequently if you're in a, in a, in a, in a hypervisor you're not gonna want to execute 00:32:45.297-->00:32:48.733 maybe or if you're being virtualized, or emulated, you don't want to execute 00:32:48.733-->00:32:54.906 necessarily. So, to have a neat little, you know, tiny amount of code like this that can tell you 00:32:54.906-->00:32:59.811 right away, hey, something, um, you know, you're being looked at, or you're you're not in a 00:32:59.811-->00:33:06.618 native execution context. Um, is nice. You know. Or you know, if you just wanna DoS an 00:33:06.618-->00:33:12.557 infrastructure, I guess that's possible. Um, some people like to do that. The um, the fun 00:33:12.557-->00:33:17.562 thing is here, so the CPU utilization in the user space, um, VM monitors goes up to like 00:33:20.999-->00:33:26.004 100 percent per thread unit, so I gave this 8 cores. Um, certain hypervisors have additional 00:33:28.707-->00:33:33.712 overheard behind that on the kernel side, roughly 10 percent. So you can imagine if a cloud 00:33:36.381-->00:33:41.419 vendor hasn't necessarily planned for that excess capacity, they may be negatively 00:33:41.419-->00:33:44.856 impacted if this is going on like crazy on their box right, if they, if they've over 00:33:44.856-->00:33:49.794 committed resources. Um, I was really tempted to run this, I saw a couple times the CPU 00:33:49.794-->00:33:56.301 utilization like up over like even just one CPU is like, it's say like 350 percent. And I was 00:33:56.301-->00:34:01.907 like oh man, did I overflow something in the percentage, are they gonna pay me now? To like 00:34:01.907-->00:34:06.912 DoS their infrastructure? That's be kind of cool. So. So the CPU there is at 12. Ah. I'm really 00:34:31.803-->00:34:36.808 bad at my swipes. I think my mouse. There we go. So I don't know if you can see that, I 00:34:41.046-->00:34:46.051 think it says 760 percent. And oh you can see the graph at least, the graphs up uh pegged. 00:34:49.621-->00:34:56.027 So, it's kind of neat, it's kind of easy. So with just one thread doing this, it's like, killed 00:34:56.027-->00:35:00.966 the box. Cool. So it doesn't matter how many CPUs you give this thing, with just one 00:35:03.068-->00:35:08.773 thread, we're gonna, kill it. So that's kind of fun. Um, feel free to figure out what's going 00:35:08.773-->00:35:13.778 on, 'cause, it's kind of like um, affecting different things, but um, ya know, emulation of a 00:35:17.349-->00:35:21.953 CPR, uh, is kind of a complex thing and and and and with this tracing stuff is what we're 00:35:21.953-->00:35:26.958 talking about as well is that um, you know, uh, either emulating or fighting the block 00:35:28.994-->00:35:34.532 to maintain control or maintain your understanding of what's going on, is not the easiest 00:35:34.532-->00:35:40.605 thing in the world, so as stuff gets more complex, you're always going to see this, um, ya know, 00:35:40.605-->00:35:45.610 these sort of things kind of creep in. Um, basically if anyone has any questions, 00:35:49.214-->00:35:54.219 probably wrap up pretty quick here and talk about or see me the other artifacts we're doing. 00:35:57.122-->00:36:02.060 Um, thanks again for coming, uh, let me know if, uh, anyone has any questions. Give you a couple 00:36:04.562-->00:36:09.567 minutes. Think about it. Perfectly explained. I love it. Every time. Oh yeah, hey! Sure, 00:36:22.914-->00:36:27.919 dude. >> So, uh, for crypto identification, um, a part from constants... >> Yes >> Uh, have 00:36:31.923-->00:36:38.496 you looked at identifying box code, so say like, if I look at the disassembly of an RC4 00:36:38.496-->00:36:45.203 function, or well, leading up to RC4 to uh key stream generation stuff, like, have you looked at 00:36:45.203-->00:36:50.608 how you'd be able to identify those in line? >> Um, you know, well the cool thing is, if 00:36:50.608-->00:36:54.379 you're doing the logging, you have this like block level telemetry coming from the app, 00:36:54.379-->00:36:58.783 so you could do some post processing, like some of the perf guys do with feeding the, 00:36:58.783-->00:37:04.055 you know, an understanding, but you know, that might slow it down a lot at run time, 'cause I 00:37:04.055-->00:37:07.092 mean know with like RC4 it's kind of like a simple set of operations, right, like it's 00:37:07.092-->00:37:13.465 not, like overly complex. You like, mask those pretty easily. Um, but in terms of like what 00:37:13.465-->00:37:18.470 the RC4 is using for its you know basis. You know, Visa V, what is the key that it's using, 00:37:20.972-->00:37:25.977 the input um, you know, if it's not able to access random you know, if it's, if we, if we 00:37:28.213-->00:37:33.218 remove it's entropy sources, then it's maybe not as important to know that per say, because 00:37:37.021-->00:37:42.026 then we can understand hey, this thing has a limited set of keys now. Right, it's it's possible, 00:37:44.028-->00:37:49.033 um, uh, outputs is 'x' you know. So, yeah, something like RC4 would be a little bit tough, 00:37:51.102-->00:37:56.508 but, um, you know, maybe you could do it with some of the graph detection, but, um, in the 00:37:56.508-->00:38:02.514 end, hopefully, um, by understanding the inputs and reducing the entropy, I hope to 00:38:02.514-->00:38:09.287 be um, sufficient in some ways. You know. >> Cool thanks. >> Cool. Thanks. Good question. 00:38:09.287-->00:38:14.292 Thanks. Awesome. Anyone else? Jump around. Well, hope hopefully, uh, we won't have any 00:38:23.034-->00:38:28.206 more Ransomemware next year, so we'll all have backup keys, right, ya know I'd really 00:38:28.206-->00:38:33.211 appreciate that, um, or insurance I guess. Cool. Thanks again guys. [applause]