This is Block Fighting with a Hooker, Block Fighter 2. So please join me in welcoming K2.
What's up everyone? Thank you. DEF CON! Woo! Thanks everyone for coming. Um, everyone
watching on DEF CON TV. I hope it's been a good time. Uh, the only problem I had so far was uh,
you couldn't get a beer this morning in the cafe. Beer sales were closed. So. No it was man,
in the little cafe over there. But luckily, luckily uh, I don't know, I mean maybe sort of
luckily my ex-wife is on the way over to give me a beer. Pretty lucky that um, kept it cool.
Anyhow, enough of the drama and uh, non-technical talk I guess but thanks again everyone. Uh,
you know, so this talk is gonna kind of cover a bunch of different things in uh, uh, sort of a
exception based hooking technique. Um, it's using capstone under the covers in various places.
But um, I just committed the code, um, oh I thought this slide had the like GitHub on it. Let
me see, go to the next one. So the neat thing about this um, hooking technique is that you can, um,
you can play around with like with
looking at trace data, modifying your inputs, rerunning the binary from scratch. So you're
kind of like constantly re-executing this binary all the time. But um at least with this
method um you're only going to execute one time so you have all your state with you and
you're actually interrupting the execution and you're able to make a decision based on like
hey do I want to um uh emulate these instructions? Do I want to um change what the program
thinks it's doing? Do I want to um um sniff other aspects of it? And in this particular
talk so when I um you know when I was uh thinking about what to do for these different block
fighters I call them, in a nutshell as well uh the block fighters are I'm talking about basic
blocks. So like assembly instructions, these blocks that kind of um you know are around the
execution of your application that uh every time the
there's a conditional and a branch is taken those are two new blocks that kind of fork off. So
you've got these blocks and we're going to fight those blocks. Some people call it binary
steering or other things like that. Um you know I've seen I've seen a lot of different trace or
performance um you know explanations for you know um getting coverage you know moving your
coverage up. Static checkers do something similar in some cases for um ensuring that they can
test all the code and I'm sure all the DARPA stuff earlier whoever saw all that stuff um this
kind of fits in in in some of those aspects but uh you know the more tools the better and I can't
tell you how many times I've been working on you know like a forensics thing or like an incident
and you know I'm trying to use like whatever tool and because whatever constraint of my
environment and how this thing runs the analysis method that I was previously you know super
successful with wasn't working all the time. So you know it's always fun and and and and good to
kind of learn new things and to be aware of um flexible or easy to use analysis primitives. So
in terms of this method uh I wrote three what I call block fighters. One is this ROP defender
thing. So everyone who doesn't know what a ROP is, a ROP is return oriented programming.
There's also JOPS, jump oriented or LOPS, loop oriented. Um I wanted to call it like DOP
drop defender maybe? joke no? okay. There's a music reference in there somewhere I
forget who the artist was who did that track. Um in any case it's super easy um to to do this ROP
protection. So kinda ad hoc, you know maybe if you're you're debbing an exploit or you're doing
whatever you're just tracing whatever you want to understand the execution of something you can
use something similar to this ROP defender that I wrote to kind of understand um where your ROP chain is being oriented.
breaking or you know if you're defending something maybe you want to like analyze an exploit
and and do do whatever I'll show you the code in a bit but um it's pretty fun and uh
straightforward kind of like the ROP defender itself is just like not even 20, 30 lines of
code you know to drop that in. The other thing um I thought was kind of cool it's just like a
concept really is uh you know everyone's talking about ransomware like ransomware is a big
terrorizing thing and you're gonna you know and steal all our money and everything so I wrote
this thing um this ransom escrow so it will enforce key escrow of the encryption going on in
your computer so that like you know hey if something's encrypting something on my box I want
that encryption key well you know too late if you weren't watching where the encryption key
came from right? So this is a super simple
primitive it's on github right now um I was gonna expand it in a couple of ways but I'll cover
more of that later or I'll talk about it uh as I do a little demo of it. Um there's a
hypervisor DOS thing it's cross hypervisor um this is just something that came up while I was
writing this tool and I was like hey my friend was like um actually Rich uh Rich in
Seattle um he's doing another trace tool it's very cool a run speed tracer I've got a
reference to it in here um he's doing this other tool and he's like hey man why don't you do this in the cloud?
I was like yeah okay that's cool because the technique he was using couldn't work in the
cloud because he was using these low level um performance tuning intel features that aren't
exposed to the hypervisor or whatever um so anyhow the stuff I'm the the stuff in here in
Atrace is uh not as new right it's not like super bleeding edge so there is kind of like sort of
support for it in the hypervisors unfortunately though um they all break. Well except for the
actually I gotta take that back the only hypervisor that does not fall into its knees trying to
execute this code is um VirtualBox so thanks VirtualBox uh I tend to you know they're kinda
like a whipping boy sometimes but you know hey got this one oh yeah and there's some graphing
stuff I did um if anyone's interested in graphing I saw a lot of cool graphing stuff with
the these DARPA computers I wanted to do this like 3D thing in the future if you're into graphing and
like computer uh visualization of code execution let me know I got some ideas I wanna shoot
around um okay yeah hey oops I must have been just talking all over the place but hooking
tracing so tracing again what's executing the hooking I wanna modify it right pretty simple
straightforward I'm gonna talk about some various frustrations and hurdles like the hypervisor
DOS that was kind of a frustration I really wanted this to go cloud scale. I'm gonna talk about some
other things you know but hey maybe eventually when uh when they get fixed or who knows um and
then also symbol support I was gonna have that in I kinda backed it out because symbol
handling is kind of a pain talk about that later um use some other tools oh yeah here's the
GitHub if you wanna check it out that's my GitHub K2 really short GitHub username should be
easy to remember um Atrace this other one is the one we're talking about today I'm gonna talk about
today uh inverter row was the thing I did uh started a couple years ago Defcon on 22 it's like
a nested virtualization memory like recursive physical to virtual extraction thing it's kinda
neat oh yeah anyone wanna drop the code let me know if I forgot something um the the good thing
about what we've got here is it runs on bare metal really nice um it can run on an hypervisor
probably VirtualBox is your best bet um and we're trying to make sure that it runs on a virtual box so we're trying to make sure that it runs on a virtual box so we're trying to make sure that it runs on a virtual box so we're trying to make sure that it runs on a virtual box so we're
trying to make sure that it runs on a virtual box so we're trying to make sure that it runs on a virtual box so we're trying to make sure that it runs on a virtual box so we're trying to do this binary steering
thing and what that means is like... there's some there's some things I have to do I had we
have to reset the flags because the way this exception management works is the flags is reset
every time in a different trap handler from the kernel when it calls us so we gotta like set that so
you know if we see the binary looking for that flag set or unset we need to either emulate that
instruction or handle it in some way to
neutralize it from detecting us. It's kind of like a classic sandbox problem. Um this might
be kind of like a loose sandbox for all intents and purposes. Um there's obviously a lot of
issues uh fighting code in your own address space. However we are guaranteed certain things
being in the exception handling path. Um you know in terms of state um being synchronous. Um
so again yeah um there's some other DBI stuff it's pretty cool. Um totally want to check it
out in the future. Um some dreams for this stuff. You know lots more block fighters, fun
little ideas. They're pretty straight forward to bang out. I mean I did the ROP one in like
20 lines. I did the key escrow thing and you know super and the key escrow is a generic hooker
for any function pre post condition. Um which is great. Uh the the performance is kind of
ranging. Um slicing is your friend and what that means is figuring out how to confine what
you're looking at and not.
Executing a bunch of random other stuff which you don't care about right. So discounting stuff
that you don't want to look at and figuring out what you want to look at. More or less. Um
water up here. Uh anyway uh I do this on Windows X, Windows X 64, Windows 10. Um other
versions your mileage may vary. This guy uh um fair no. Sorry if I'm bastardizing that thing
on the x86 esm net board for me. Um I don't know. Um I don't know. Um I don't know. Um I don't
know its good for me. My family in California, um you know I do this at work. Um maybe two
years ago kind of reversed this technique and found it. Um and then so you can check that out
and then this other guy uh Laughfool um showed me this other zip that you can do to patch and
and uh help make it work better on other versions of Windows. But thanks to those guys. Um
back in DEF CON 15. Here's a paper you know they're talking about covert debugging. Well in a
sense this A-Trace stuff is sort of like an in-proc debugger. So all of our debugging happens
in-proc in the same address space as what you're looking at. The, the, the easy, what makes it
nice is that you don't have to use base pointers all the time. So like if you're logging the,
the payload for the function call to this thing you want to look at, well I don't have to
rebase my pointer addresses because I'm in a different process and everything's mapped
weirdly, you know, and um, randomization of addresses is all the rage now so um, by being in
the address space of that process you don't have to do like a lot of, I mean it's not that
hard but um, in a sense it just makes it super easy and straight forward to um, code naturally.
Oh, thanks, thanks Allison, I like that. Thank you. She brought the beer. Woohoo!
Wow.
Cottonmouth. Um, oh yeah, some modern stuff. This Triton library from Quark's lab, this thing
is super cool. Um, if anyone's looked at it, you know, this is like, kind of like one of those
ideal designs for DBI frameworks. It's got all these um, components to it. Um, if you see in
that example of tracers on the left hand uh, side of that block diagram, um, essentially we
could fit in, or A-Trace could fit in, in, in place of any of those. So this can, you can
basically drop A-Trace in for free. Um, you can, you can basically drop A-Trace in for free.
For pin or DynamoRio or something. And in fact, I started to do that with um, uh, an Winif, WinAFL
port, um, to A-Trace instead of using DynamoRio. Um, but I just quite didn't get it all done.
It's kind of in the GitHub a little bit if you want to look at it. Um, I wanted to narrow down
the slicing on it a bit more because um, the, you know, obviously those are more mature tools
and they have like focused right in on the DLLs like uh, the GDI plus test case or whatever for
DynamoRio and, and WinAFL. You know, it's just that one module but I don't want to trace like
NTDLL and all these other things. So, it is what it is but hopefully eventually um, we could
get to decent um, performance level that um, it's not um, you know, too bad to just use this
thing for fun as well um, if you need to. It is really great um, as well A-Trace in that um, you
don't need really to know much about the symbols, right? You're getting invoked by the system during
execution and um, all you really have to do is flip some flags and you'll maintain execution.
Um, you don't need to do any hooking so you don't need to know the symbols, you don't need to know
how many arguments there were. You really don't have to know very much at all um, which is
really great. And you, and you get a lot of invocations or you can, you know, you can tune
that down. Um, the disassembly again is, you know, right now it's capstone based which is a
great tool. I really appreciate what those guys have done there and uh, I'm looking forward to
their future releases but um, you know, it's, it's, it's, it's, it's, it's, it's, it's, it's, it's, it's
great. Um, I, obviously you're not going to want to do too much of that so I'm going to want to
try and do some kind of caching and you know, it, things get overly complicated the more you
start, you know, thinking about it. Like okay, how am I going to defend against this? What
am I going to do? I'll cache that result and I'll be fine. Um, again this is just some
background on hooking execution and you know, instruction-led decoders that go on and you
know, hey, you know, when uh, there, there could be a new instruction set in that binary that
you know, prevents it from being, you know, uh, uh, uh, uh, uh, uh, uh, uh, uh, uh, uh, uh, uh,
being hooked with your favorite hooker. So you're unable to like scook the execution of
something whereas you know, with a model like this, you really don't have a problem.
What's the problem? Oh, yeah the buggers are slow. And also typically
when something wants to detect that it's being analyzed like it will be checksums on
itself, hashes like hey what's my checksum? Or maybe you're executing in like uh, uh, uh,
secure environment like uh, integrity mode, OS that, that sort of thing.
is like hey this DLL can't be changed, right? Well then how do I trace the execution of that
thing with these existing tools, right? What if I want to fuzz this thing you know in release
mode and I don't want to have to do a debug and I don't want to have to do this and you know I
want to just trace what's going on right now because anytime I alter anything about my test
case it stops reproing. So this is nice in some circumstances because you won't have to make as
many changes to your test case or whatever you're doing to repro what you want, right? So
we're not changing the code, we're not altering execution so um introducing some latency in the
exception handler is not a big deal I mean what people swap memory and this and that, right?
It's not um a huge impact to what a normal execution guarantee is for a binary so they're
just going to kind of assume it's a slow box or whatever you know it's it's it just
reduces the amount of problems you've got to worry about.
So these are the some of the different things, some of the micro benchmarking. Um we're
total worst case scenario was a thousand percent. So mmm sounds slow. But uh and and if
if you slice it up and um you're able to um have good checkpoints of where you want to enable
and disable tracing um it's as low as 25 percent, right? It's just kind of you know
it's it's impossible to have like the the one method that does everything all the time but you
know hey and then you know if we do do some caching of inputs and we do understand the
slicing of of this binary and the you know um uh you know we we we can we can understand like
okay at this point it's doing x so we could just time warp you know or fast forward the state of
execution to like this other checkpoint and skip something that might have been um you know not
really to worry about. A trace. So it's I'm I'm I'm partially Canadian. A. A boot. Something
else Canadian. Let's go. Let's take the canoe. Woo! Anyhow uh you know I'll just throw that in
there. Some of the other stuff we tried on the way to write this was um kind of like stack
hooking and um the so one of the other concepts of you know so I said I had the rock fighter. So I
had the a trace. So with a trace you can also essentially hook your tracing your tracing code
your tracing code can be just a set of rock gadgets or lops or dops or whatever the heck. It's
just a function pointer that gets called since you're not making any changes to these binaries
you're actually just getting like inserted into the stack and you can manipulate the execution
without worrying about introducing unsigned code and these kind of issues or un you know whatever
else it might be so it's kind of fun from that aspect as well and if you want to go ahead and um
bang out like um you know crazy you know back door or whatever else um you know hey uh there's
some there's some rock back doors or rock malware I've seen floating around um or if you want
to trace those things you can use this as well it's kind of fun. It's very flexible so um I guess
one of the ideas is any time you make like a offensive thing you've always gotta remember to pair it
it with like a countermeasure. So there's a lot of like measures and countermeasures in
analyzing stuff right? Like okay well you know I'm going to analyze it by um extracting the
state um uh you know whenever it crosses the kernel but then oh okay well it repairs itself
before it calls the kernel and make it look normal right? So it falls within these
normalized uh uh assumptions you know who knows right? There could be a lot of different
ways to um counteract or act uh you know when you're when you're talking about trying to
understand this like huge amount of state and this huge amount of moving parts in uh binary
execution. Um and I guess as we get to the demo the hypervisor thing that's kind of like um an
explanation of why all these hypervisors are DOSed from this thing. It's like well uh there's
a lot of uh a lot of uh state moving around and no one's um hit this path before and so
it's really expensive and there's it doesn't matter how many CPU cores you have it'll you
know it'll just take you down if you're not um uh efficient overall. So um anyhow yeah the
stack hooking in in the end I might do some kind of hybrid technique because if you're if if
I'm hooking the stack directly by chop like theoretically chopping in an exception manipulating
the stack and then executing I'm kind of I'm I'm thinking about using that as a a
mechanistic way to do it. So I'm thinking about using that as a mechanism to kind of like
turn this on and off dynamically. So obviously that'd be a lot faster to kind of you know trim
down your exception handling. This is how it works super easy. This DR7 thing this is like um
I guess um a back door that uh Fenro found um so this is typically not a register that you can
effect from user space this is like a kernel only thing. The uh debug MSR right there. So this DR7
actually winds its winds weaves its way back into the debug MSR and um that's why in um if you
don't have Windows 10 so this works great in Windows 10 other people have gotten varying
reports but if you're not using Windows 10 like you know 2008 or whatever it is you gotta go to
slash debug and then I do the MSR write for you but you don't need to right so when when I do the
demo here it'll just be user space you'll even see the warning hey this thing didn't work and it
obviously does.
So the ROPH hook idea kind of fun. Um what else is it good for? Um basic block coverage back
into DVI. Um try not to emulate too much. You know I'll be working on some new updates for
caching or making it better based on uh what people think and uh what they'd like to see. Um
you know it infuriates me to no end every time I go to get my favorite tracing tool when it doesn't
have the capability to trace the version of the OS I'm using and I gotta do this symbol thing or
manually edit you know there's a lot a lot of times there's like so much rigmarole just to start
doing what you want to do with um certain types of hooking. Having um the flexibility to use
this technique um has really helped me out in um uh analyzing binaries in execution environments
that um were really confined.
So maintaining control I mentioned it before. There's a flag register but there's other
things that you want to do. Um you want to make sure no one's like taking over control of the
EH. Like if you're gonna go ahead and build like a whole sandbox around this you know hey go for
it. Um you know but um that's like a really long war you're gonna have to fight. Of course
Street Fighter 2 everybody.
Yaaaaaaaaaaaahh!
Ohhhh!
I was really good with Ken myself. I like the, I like the uppercuts. Um, these are some
comments on like other areas that I need to like flesh out or if you're going to do some kind
of like analyzing malware or whatever like sandboxy stuff. Some, some things to think
about. Where you would want to do some monitoring to make sure you're not being
desynchronized from the execution. Um, branch 3, branch 4, branch 5, branch 6, branch
7. Um, the re-stepping is great. However, um, in the end if we do kind of, I mean, there are
these like ROP jitters. Kind of also I've seen a lot of them like Capstone based as well. Like
ROP jitters and different k-types of jitting. Um, if there was like a LOP eh, EL- loop? Uh, OP.
Ha- loop oriented programming, uh jitter. Uh, I think the performance of this thing would be
like near native, so, would be great. Um, line 6, um, I think this one is great because
mention some of this stuff. The ransom warrior. Here I'll I'll fire this guy up. You let me
know what you think. Do do do. Okay. Oh my projector is not. Hold on. Let me kill Outlook here
for a second. Whoops. Whoops. Okay. I think I can see. Okay. So. So this thing here um the
code for this is just gonna do standard crypto calls. I canned it. There's a static
lib I use for test cases that so I don't have to like race the injection of the DLL and all
this kind of stuff. Anyhow. When we execute this um this is like crypt gen random being
called um that this is the data that was actually exfilled in the in in A-trace through the
exception monitoring of the execution through the um uh code analysis or block analysis rather and
then you know this is like the return value from the program so like you know the post condition
on that hook like hooked and logged the incoming random data before the return which is great.
You know so we know um we're at a really good place to egress this information to like a network
server or if there was some kind of like hypervisor enclave like protecting my secrets and
stuff I could I could be like oh send this over there this is some bits that I might care about in
the future if I'm current you know and I'm you know if I'm gonna get ransomwared I could uh
unwind that spool of bits and say hey are any of these used in my crypto key? Luckily with um
crypto functions even if the ransomware is like got this static lib of like open SSL built into
the binary um I don't know if everybody knows but a pretty good technique for finding in crypto
functions is uh constants cause you know everyone wants to use like standard cryptographic
you know APIs and what not and functions that are provably secure in in one way or another by
math people. So even the bad guys want that so they're not gonna be shipping their own stuff so
you know if we're able to raise the bar in monitoring the crypto and monitoring the execution
of um anything that's gonna try to do any kind of crypto op on your box well then hey you know
now they're gonna have to either roll their own or you know which will probably be something that'll be crackable
uh give us some lead time to get everybody uh you know just saving all their data in the cloud
right? So yeah I mean the cloud's great I'm sorry but I love the cloud actually. Love hate
relationship. Okay so that was a key escrow now the raw stuff is super straight forward um
I'm just gonna show the code it's so it's in here I'm just gonna show the code it's in here
rop defender so that rop defender is actually executing so they're all like chained together so
that rop this rop defender is running at the same time as the key escrow guy as well the perf
overhead once you're already done the exception pump you can do a lot you've already you've
already spent the cycles so you can do a lot of stuff right you know you know you've already taken
the hit you might as well do ten things or a hundred it don't matter um so this kind of
rop defense stuff was like uh few years ago people were talking about this like uh K-bouncer and
these things this is um some code um you know lots of people had like you know hey let's pair
these things up right if you're doing a ret there better be a call instruction that's paired with
that ret or else it's invalid so let's reduce the gadget space so that's when everyone started to talk
about oh let's do lops and jops and dot drop. You know? So uh so that was pretty
straightforward all you and it's cake you know you just go hey what's the RSP and what not and
yeah and you know you'll see things if anyone's like a major coder and wants to get involved
you'll see things like hey you know the the stack pointer is really nice to have because you
can understand the depth you are and everything else. Okay let me get my state here. Ah
there we go. So yeah enforce cryptographic key escrow. Good idea I think. I want to know
what's encrypted on my computer. Uh coverage! Can you hear me now? I guess he switched
networks.
Um flame graph. So I did a bunch of different graphs here. Uh here's one. One of the issues
with this much data though you can imagine if I'm logging every basic block that's executed in
this binary there's so much data like how are you gonna visualize that? Um turns out really
hard problem. Uh that's why I got some I got some 3D ideas coming up but um these are
three different graphs that are already built in. I did it with like WPF and um Microsoft AGL.
I actually got a bug on the MSAGL guys. Um as soon as that comes in there's gonna be a much
cooler graph which is called a graph map and it's all navigatable and expandable and you click on
you click on this block and it'll be like psh you know like a spider web kind of blowing up.
It's kind of nice. Um but they depend on this like uh janky uh edu like university guy thing
that's like hasn't been updated in like 15 years and they're just like just wait just wait it's
almost fixed. I'm like okay thanks for making it free. Oh yeah here we go. So this is a flame
graph. So all of these graphs are actually generated with just the stock data that's logged
in the logging function which is just um you know it's a fairly limited amount of bits it's
about 64 no 128 bits per block. But this is kind of like the stack depth over time. Um
and then per block so there'd be like 3 or 4 blocks horizontally at the same stack depth. That
means that that function had 3 blocks right? And then you see the ones with just 1 that was like a
leaf or just like a single call or something. But you know that's kind of how that thing
looks. Um unfortunately like the Perl scripts the Perl scripts that um uh are used to generate
this stuff were like generating like gigabyte files and stuff so that was kind of uh a little bit of a
um you know needed to really trim that down. So again the symbols are coming. I'm also
kind of waiting on Microsoft's um PDB to be uh their Github to be uh fixed up a little bit.
It's almost it looks almost ready too so. It's coming it's coming source code commit's coming.
You know some different stuff. Have fun you know try and do your own thing. Um I'm going to
um you know there's a lot of kind of just hints at what to do and like different ideas. Um I'd
love to like engage people on different concepts of like analysis and modeling and just kind of
understanding and comprehension of what's executing. Feel free to like uh shoot me an idea
of something you want me to do or think about. Okay here I'm going to do the uh hypervisor one.
Okay I get the the thing reset. Um hold on. Okay cool. This A prep here. This is a
this exe is like from the repro and I committed this stuff before I realized the effect of it or
how far wide reaching it was. So you know one thing like if your code like you know I I've been
kind of jumping back and forth between the good and the bad and the evil versus good. A little
bit here. Code versus code or you know whatever us against the robots or something. Um the this
code here you know so frequently if you're in a in a in a in a hypervisor you're not going to want
to execute maybe.
If you're being virtualized or or emulated you don't want to execute necessarily. So to have a
neat little you know tiny amount of code like this that can tell you right away hey something
um you know you're being looked at or you're you're not in a native execution context um is
nice. You know or you know if you just want to DOS an infrastructure I guess that's possible.
Uh some people like to do that. The um the fun thing is here so the CPU utilization in the
user space um VM monitors goes up to like 100% per thread you give it. So I gave this 8 cores.
Um certain hypervisors have additional overhead behind that on the kernel side roughly 10% so you
can imagine if a cloud vendor hasn't necessarily planned for that excess capacity they may be
negatively impacted if this is going on like crazy on their box right if they if they've over
committed resources. Um I was really tempted to run this I saw a couple times a CPU utilization
like up over like even just one CPU is like say it'd say like 350% and I was like oh man did I
overflow something in the percentage? Are they going to pay me now to like DOS their
infrastructure? That'd be kind of cool. So. Oops. So the CPU there is at 12 and it's like
uh and I can't see math card here right? So like a local manufacturer should never just run out and
they pull out the scripts in mourning of what happens but like only if there's something that
sort of like uh they get away with it than they'll like make the cut of that computer. Okay.
Sorry.
And oh you can see the graph at least, the graph's up uh pegged. So it's kinda neat, it's
kinda easy. So with just one thread doing this it's like killed the box. Cool. So it doesn't
matter how many CPUs you give this thing with just one thread we're gonna kill it. So that's
kinda fun. Um feel free to figure out what's going on cause uh it's kinda like um affecting
different things but um you know emulation of a CPU uh is kind of a complex thing and and
and with this tracing stuff is what we're talking about as well is that um you know uh either
emulating or fighting the block to maintain control or maintain your understanding of what's
going on is not the easiest thing in the world. So as stuff gets more complex you're always
gonna see these um you know these sort of things kinda creep in.
Um basically if anyone has any questions uh probably wrap up pretty quick here and talk
about it or see any of the other artifacts we're doing. Um thanks again for coming uh let me
know if uh anyone has any questions. Give you a couple minutes to think about it. Perfectly
explained. I love it. Every time. Oh yeah hey. Sure dude. So uh for crypto identification
um apart from constants. Yes. Uh have you looked at identifying blocks of code so say like if I
look at the disassembly of an RC4 function or well leading up to an RC4 you see the key stream
generation stuff like have you looked at how you'd be able to identify those in line? Um you
know well the cool thing is if you're doing the logging you have this like block level
telemetry coming from the app so you could do some post processing like some of the perf guys do
with feeding the you know an understanding but you know that's that might slow it down a lot at
runtime cause I mean you know with like RC4 it's kind of like a simple set of
operations right like it's not like overly complex you can like mask those pretty easily um
but in terms of like what the RC4 is using for its you know basis you know vis-a-vis what is
the key that it's using the input um you know if it's not able to access random you know if
it's if we if we remove its entropy sources then it's maybe not as important to know that per
day because then we can understand hey this thing it has a limited set of of keys now right
it's it's possible um uh outputs is x you know so yeah something like RC4 will be a little bit
tough but um you know maybe you could do it with some of the graph detection um but um in the
end hopefully um by understanding the inputs and reducing the entropy I hope to be um sufficient in
some ways you know.
Cool thanks.
Cool thanks good question thanks.
Awesome.
Anyone else?
Jump around.
Well hope hopefully uh we won't have any more ransomware next year so we'll all have backup keys
right you know I'd really appreciate that um or insurance I guess cool thanks again guys.
Thank you.