Dynamic Binary Instrumentation

Nov 21, 20160 likes820 views

This document discusses dynamic binary instrumentation using Intel's PIN tool. It provides an overview of instrumentation, why dynamic binary instrumentation (DBI) is useful, and examples of using PIN for instrumentation and analysis. Key points include that instrumentation inserts extra code into a process's memory, PIN is useful for reverse engineering and malware analysis, and examples demonstrate using PIN to count instructions and detect heap bugs.

What is Instrumentation
● Inserting extra lines of code into the processes memory.
● Intel’s PIN, Google’s Address Sanitizer, DynamoRIO, Valgrind, GDB.
● Useful for reverse engineering and malware analysis.

$Why DBI …... if (size < sizeof(min_buf)) { iov_to_buf(iov, iovcnt, 0, min_buf, size); memset(&min_buf[size], 0, sizeof(min_buf) - size); } else if (iov->iov_len < MAXIMUM_ETHERNET_HDR_LEN) { /* This is very unlikely, but may happen. */ iov_to_buf(iov, iovcnt, 0, min_buf, MAXIMUM_ETHERNET_HDR_LEN); filter_buf = min_buf; } …...$

$…. if (size < sizeof(min_buf)) { printf(“Good size branchn”); iov_to_buf(iov, iovcnt, 0, min_buf, size); memset(&min_buf[size], 0, sizeof(min_buf) - size); } else if (iov->iov_len < MAXIMUM_ETHERNET_HDR_LEN) { /* This is very unlikely, but may happen. */ printf(“Got a rare casen”); iov_to_buf(iov, iovcnt, 0, min_buf, MAXIMUM_ETHERNET_HDR_LEN); filter_buf = min_buf; } ….$

Installation guidelines
● https://labs.portcullis.co.uk/blog/an-introduction-to-binary-dynamic-
analysis/
● https://software.intel.
com/sites/landingpage/pintool/docs/76991/Pin/html/

Where’s the code?
● Comes with pre-existing scripts.
● Feature to add custom scripts.
● Written in C or C++.
● Examples in ~/pin/source/tools/SimpleExamples/

$#include <iostream> #include "pin.H" UINT64 icount = 0; VOID IncCounter() { icount++;} VOID Instruction(INS ins, VOID *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)IncCounter, IARG_END);} VOID Fini(INT32 code, VOID *v) { std::cerr << "Count " << icount << endl;} int main(int argc, char * argv[]) { PIN_Init(argc, argv); INS_AddInstrumentFunction(Instruction, 0); PIN_AddFiniFunction(Fini, 0); PIN_StartProgram(); return 0;} Analysis Instrumentation$

Execution
$ pin -t inscount.so -- /bin/ls
inscount.cpp inscount.so inscount.o
Count 422838 Output of inscount
$

Detecting Heap bugs
● Keep list of used and free chunks.
● If input is read to any of these chunks, check sizes and number of bytes
being read.
● In case of structure objects, check for input being read to an address
inside a chunk.
● If input is read to free chunk => UAF.
● If number of bytes read > size of chunk => heap overflow.
● If chunk_start + size - address < number of bytes => heap overflow.

The code
● Heap_trace.cpp
● Need to check for other functions like scanf(), strncpy(), memcpy() etc.
● Alerts:
○ When the same chunk is returned by malloc more than once.
○ When the same chunk is going to be freed more than once.
○ When input crosses chunk boundaries.
○ When input is copied to free chunks.
● Around 200 lines of code (excluding the nice comments).
● Let’s have a look.
● Demo1

C or C++ ? That’s it?
● Kudos to the owners.
● Blankwall - Python Pin.
● A python wrapper to PIN.
● Not yet complete.

import sys, pin
total = 0
info = file("inscount.out", "w")
def counter(trace_addr):
global total
x = pin.TRACE_BblHead(trace_addr)
y = pin.BBL_Address(x)
instrucs = pin.BBL_NumIns(x)
total += instrucs
info.write("Basic Block @ %x SIZE: %x NUM INS= IN BLOCK: %x TOTAL: %xn" % (y, pin.BBL_Size
(x), instrucs, total ))
pin.TRACE_AddInstrumentFunction(counter)

$ pin -t obj-intel64/Python_Pin.so -m ins_count.py -- /bin/ls
$ cat inscount.out|head
Basic Block @ 7ffff7ddb2d0 SIZE: 8 NUM INS= IN BLOCK: 2 TOTAL: 2
Basic Block @ 7ffff7ddea40 SIZE: 55 NUM INS= IN BLOCK: 16 TOTAL: 18
Basic Block @ 7ffff7ddeaef SIZE: 6 NUM INS= IN BLOCK: 2 TOTAL: 1a
Basic Block @ 7ffff7ddead8 SIZE: 17 NUM INS= IN BLOCK: 6 TOTAL: 20

Heap_Tracer.py ?
● 90 lines of code. ( Hurray! )
● Let’s take a look.
● Demo2

The document discusses binary instrumentation using the Pin tool. It introduces instrumentation as a technique to insert code into programs to collect runtime information. It describes Pin as a dynamic binary instrumentation engine that can instrument binaries just before execution without recompilation. An example Pin tool is provided that instruments each instruction to count the total number of instructions executed.

Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)securityxploded

The document is a disclaimer and overview of a reversing and malware analysis training program offered by SecurityXploded, emphasizing that the information is provided 'as is' without warranties. It outlines basic concepts related to breakpoints, flags, and reversing techniques, highlighting specific methods for debugging and analyzing software behavior. The document also includes acknowledgments to community contributions and a brief example of a crackme program.

nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationn|u - The Open Security Community

The document discusses automatic program analysis using dynamic binary instrumentation with PIN. It provides a high-level overview of dynamic binary instrumentation and the PIN framework. It also describes a custom PinTool called Puncture that was developed to monitor registry, file system and network activity by applications. Puncture instruments Windows API functions to log their arguments and return values.

Reversing malware analysis training part4 assembly programming basicsCysinfo Cyber Security Community

The document provides information about a reversing and malware analysis training program. It begins with a disclaimer stating that the views expressed are solely of the trainer and not the company. It then acknowledges those who supported the training program. It states that the presentation is part of a reversing and malware analysis training program currently only offered locally for free. It introduces the two trainers and provides their backgrounds and contact information. It outlines topics that will be covered including x86 assembly, instructions, stack operations, and calling conventions. It notes that a demonstration will be included.

Buffer overflow attacksKapil Nagrale

This document discusses buffer overflow attacks. It begins with an introduction that defines a buffer overflow and examples like the Morris worm. It then explains how buffer overflows work by corrupting the stack and overwriting return addresses. Methods for implementing buffer overflows using Metasploit and injecting shellcode are provided. Countermeasures like stack canaries and bounds checking are described. The document concludes that while defenses have improved, legacy systems remain vulnerable and buffer overflows remain a problem.

Buffer overflowEvgeni Tsonev

Buffer overflows occur when a program writes more data to a buffer than it is configured to hold. This can overwrite adjacent memory and compromise the program. Common types of buffer overflows include stack overflows, heap overflows, and format string vulnerabilities. Buffer overflows have been exploited by major computer worms to spread, including the Morris worm in 1988 and the SQL Slammer worm in 2003. Techniques like canaries can help detect buffer overflows by placing check values between buffers and control data. Programming best practices like bounds checking and safe string functions can prevent buffer overflows.

Presentation buffer overflow attacks and theircountermeasurestharindunew

Buffer overflow attacks take advantage of vulnerabilities in C and C++ programs that do not perform bounds checking on buffers. An attacker can exploit this by writing past the end of a buffer to corrupt memory and hijack the program flow. Common countermeasures include writing secure code with bounds checking, enabling stack protection features of compilers, and using runtime protections like Address Space Layout Randomization. However, none can prevent all possible attacks.

Buffer Overflow Demo by Saurabh Sharman|u - The Open Security Community

The document discusses buffer overflows, which occur when user input exceeds the maximum size of a buffer and overwrites other areas of memory. This can allow malicious users to execute arbitrary code by injecting machine code into the overflowed buffer. The document provides examples of stack layout, shellcode payloads, and prevention techniques like bounds checking functions and security mechanisms like ASLR.

Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded

The document presents a disclaimer stating that the content is provided 'as is' without any warranties, and neither the trainer nor the organization is liable for any damages from using the information. It covers a training program on reverse engineering and malware analysis, detailing assembly language and x86-32 architecture, including registers, instructions, calling conventions, and stack operations. The document concludes with a demonstration of a simple C program demonstrating function calls.

Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community

This document provides information about an advanced malware analysis training program. It begins with disclaimers about the content being provided as-is without warranty. It then acknowledges those who supported the training program. The document introduces the trainer, Harsimran Walia, and their background and areas of expertise. It outlines that the training will discuss automation techniques using Python scripts and modules like PEfile for portable executable file analysis, PyDbg for debugging, and IDAPython for integrating Python scripts with IDA Pro.

Buffer OverflowsSumit Kumar

Buffer overflows occur when more data is written to a buffer than it was designed to hold, corrupting the call stack. This can allow arbitrary code execution or modification of return addresses. Developers should use safe string functions, validate user input, grant least privileges, and use compiler tools to help prevent buffer overflows. Reporting vulnerabilities and keeping up to date on security bulletins is also important.

Control hijackingPrachi Gulihar

This document discusses control hijacking attacks that aim to take control of a victim's machine by exploiting vulnerabilities in programs. It covers different types of attacks like buffer overflow attacks, integer overflow attacks, and format string vulnerabilities. These attacks work by injecting attack code or parameters to abuse vulnerabilities and modify memory to redirect the control flow. The document also discusses defenses like choosing programming languages with strong typing and automatic checks, auditing software, and adding runtime checks using techniques like stack canaries to detect exploits and prevent code execution.

Buffer overflow attacksJapneet Singh

This document discusses buffer overflow attacks. It begins with an overview of the topics that will be covered, including vulnerabilities, exploits, and buffer overflows. It then provides definitions for key terms and describes different types of memory corruption vulnerabilities. The bulk of the document focuses on stack-based buffer overflows, explaining how they work by overwriting the return address on the stack to point to injected shellcode. It includes diagrams of stack layout and function prologue and epilogue. The document concludes with a demonstration of a buffer overflow and discusses some mitigations like stack cookies and ASLR.

Anatomy of a Buffer Overflow AttackRob Gillen

The presentation by Rob Gillen details the anatomy of a buffer overflow attack, focusing on its technical aspects and the responsibilities associated with knowledge in cybersecurity. It covers scenarios involving vulnerabilities, fuzzing, shellcode, and the exploitation process, emphasizing the importance of bounds checking and responsible testing. The session aims to educate attendees about real attack methods on systems they have explicit permission to test.

Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community

The document provides information about an advanced malware analysis training program. It begins with disclaimers about the content being provided "as is" and acknowledges those who supported the training. It then introduces the trainer, Amit Malik, and provides an overview of topics to be covered including bots and botnets, important reverse engineering techniques, case studies on the Waledac botnet, and a summary. The trainer's goal is to help attendees understand malware through code analysis and tracing methods.

Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields

The document discusses anti-debugging techniques, defining terms like debugging, anti-debugging, and dumping. It covers why anti-debugging is useful, references past work, and categorizes anti-debugging methods into classes like API based detection, process/thread blocking, hardware/register based detection, exception based detection, modified code based detection, and timing based detection. The goal is to make reversing applications more difficult by implementing multiple layers of defense.

6 buffer overflowsdrewz lin

Buffer overflows occur when a program allows user input that exceeds the maximum buffer size, overflowing into adjacent memory and potentially altering the program flow. This is a common security issue that has been exploited in many worms. Proper bounds checking on all buffers and techniques like StackGuard and static analysis can help prevent buffer overflows. Other memory corruption issues also exist, such as format string vulnerabilities and integer overflows.

CodeChecker summary 21062021Olivera Milenkovic

CodeChecker is a static analysis tool that finds bugs in code by performing interprocedural analysis across files and functions. It uses the Clang compiler infrastructure to run checks from tools like the Clang Static Analyzer and Clang Tidy. CodeChecker provides features like cross-translation unit analysis, suppressing and tagging issues, and integration with version control systems. It outputs analysis results that are easy for developers to understand and fix issues.

Buffer Overflow Attacksharshal kshatriya

Buffer overflow attacks can exploit vulnerabilities in C library functions like strcpy() that do not perform bounds checking on buffers. By passing in a string longer than the buffer size, an attacker can overwrite adjacent memory, such as the return address on the stack, allowing them to execute arbitrary code. Defenses include using type-safe languages, marking the stack as non-executable, static source code analysis, and runtime checks.

Reversing malware analysis training part3 windows pefile formatbasicsCysinfo Cyber Security Community

This document provides a disclaimer and overview of a reversing and malware analysis training program. It consists of 3 parts: 1. The disclaimer states that the content is provided "as is" and the views expressed are solely of the trainer and not their employer. Neither the trainer nor the organization are responsible for any damage caused by the information. 2. An acknowledgement section thanks various communities and trainers for their support in making the training program possible. 3. An introduction announces that the presentation is part of a reversing and malware analysis training program currently only offered locally for free. It provides contact information for two of the trainers.

Dynamic PHP web-application analysisax330d

This document discusses dynamic analysis of PHP web applications. It begins by explaining what dynamic analysis is and its benefits and limitations. It then surveys the current state of tools for PHP dynamic analysis, including code instrumentation tools, patches and extensions for PHP interpreters, and external profiling tools. A key focus is on developing a PHP extension for dynamic analysis, as it allows full control and transparency. The document outlines the capabilities of a PHP extension, such as handling function entry and exit, working with opcodes, and hooking dynamically evaluated strings. It introduces PVT, a new PHP dynamic analysis tool implemented as a PHP extension, covering its features and providing statistics on its performance. It concludes with plans for further improving PVT and references.

Reversing malware analysis training part6 practical reversingCysinfo Cyber Security Community

This document provides a disclaimer and acknowledgements for a training on reversing and malware analysis. The disclaimer states that the content is provided as-is without warranty. It also notes that the views expressed are solely those of the trainer. The acknowledgements thank various communities and trainers for their support in making the training possible. The document concludes by introducing the trainer and providing an outline of topics that will be covered in the reversing and malware analysis training.

08 - Return Oriented Programming, the chosen oneAlexandre Moneger

Return oriented programming (ROP) allows an attacker to bypass address space layout randomization (ASLR) and data execution prevention (DEP). It works by identifying small "gadgets" in a program's code that end with a return instruction. These gadgets can be stitched together to perform operations or redirect execution flow. First, gadgets are found in the program using tools like ROPeMe or objdump. Useful gadgets include those that load registers from memory or call functions indirectly. The gadgets can then be chained to build ROP payloads that copy shellcode into memory and pivot the stack to execute it.

Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan

This document provides an introduction and overview of Return Oriented Programming (ROP). It discusses classical stack overflow attacks and the mitigations put in place like Address Space Layout Randomization (ASLR) and No eXecute (NX) bit. It then introduces ROP as a technique to bypass these mitigations by chaining small snippets of existing code, called gadgets, to perform malicious tasks without injecting code. Several tools for finding gadgets are presented, and an example exploitation of the CVE-2011-1938 vulnerability is discussed to demonstrate ROP in practice. The document concludes with discussing mitigations against ROP and some related research topics.

CodeChecker Overview Nov 2019Olivera Milenkovic

The document provides an overview of CodeChecker, a static code analysis tool developed by Ericsson to find bugs and improve code reliability in C/C++ and Objective-C. It highlights the tool's features, such as full path coverage, integration with other analyzers, and its ability to comply with coding standards, while also discussing its limitations and deployment strategies. The document concludes with a demo and references for further exploration of CodeChecker's capabilities and open-source contributions.

Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community

The document provides information about an advanced malware analysis training program. It begins with disclaimers about the content being provided as-is without warranty. It then acknowledges those who supported and contributed to the training. It states that the presentation is part of an advanced malware analysis training program currently only delivered locally for free. It introduces the speaker, Swapnil Pathak, and provides an outline of the topics to be covered, including anti-reversing techniques, anti-debugging, anti-VM, and anti-anti-reversing, followed by a question and answer section.

Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai

Step-Oriented Programming (SOP) allows executing arbitrary code on embedded systems by repeating step execution and changing the program counter value. A debugger communicates with a target system's stub using the Remote Serial Protocol to read/write memory and registers, enabling full control via simple commands if the connection is compromised. SOP constructs code by combining pieces of existing machine code and executes it without needing to directly inject new code. Therefore attacks are possible even if execution from data areas is prevented. The presentation will demonstrate this attack principle and results from actual experimentation.

Return oriented programming (ROP)Pipat Methavanitpong

This document discusses Return Oriented Programming (ROP), which is a technique for exploiting software vulnerabilities to execute malicious code without injecting new code. It can be done by manipulating return addresses on the program stack to divert execution flow to existing code snippets ("gadgets") that perform the desired task when executed in sequence. The document covers the anatomy of the x86 stack, common ROP attack approaches like stack smashing and return-to-libc, how gadgets work by chaining neutral instructions, and various defenses such as stack canaries, non-executable memory, address space layout randomization, and position-independent executables.

Format string vunerabilityCysinfo Cyber Security Community

This document discusses format string vulnerabilities, how they work, and how they differ from buffer overflows. It introduces common format string functions like printf and sprintf, and explains how format specifiers like %s and %d are passed to these functions. It notes that exploiting format strings was discovered later than buffer overflows and has resulted in fewer exploits due to being easier for programmers to detect and fix.

Buffer overflow AttacksCysinfo Cyber Security Community

This document provides an introduction to buffer overflow attacks. It discusses buffer overflows, stack smashing, and controlling the execution flow by manipulating the EIP. It demonstrates how user input can make its way onto the stack and be used to control the call and return instructions. The document shows an example of writing exit shellcode and using it in a proof of concept attack. It notes that real attacks are illegal and this presentation is for demonstration purposes only.

More Related Content

What's hot (20)

Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded

Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community

Buffer OverflowsSumit Kumar

Control hijackingPrachi Gulihar

Buffer overflow attacksJapneet Singh

Anatomy of a Buffer Overflow AttackRob Gillen

Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community

Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields

6 buffer overflowsdrewz lin

CodeChecker summary 21062021Olivera Milenkovic

Buffer Overflow Attacksharshal kshatriya

Reversing malware analysis training part3 windows pefile formatbasicsCysinfo Cyber Security Community

Dynamic PHP web-application analysisax330d

Reversing malware analysis training part6 practical reversingCysinfo Cyber Security Community

08 - Return Oriented Programming, the chosen oneAlexandre Moneger

Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan

CodeChecker Overview Nov 2019Olivera Milenkovic

Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community

Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai

Return oriented programming (ROP)Pipat Methavanitpong

Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded

Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community

Buffer OverflowsSumit Kumar

Control hijackingPrachi Gulihar

Buffer overflow attacksJapneet Singh

Anatomy of a Buffer Overflow AttackRob Gillen

Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community

Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields

6 buffer overflowsdrewz lin

CodeChecker summary 21062021Olivera Milenkovic

Buffer Overflow Attacksharshal kshatriya

Reversing malware analysis training part3 windows pefile formatbasicsCysinfo Cyber Security Community

Dynamic PHP web-application analysisax330d

Reversing malware analysis training part6 practical reversingCysinfo Cyber Security Community

08 - Return Oriented Programming, the chosen oneAlexandre Moneger

Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan

CodeChecker Overview Nov 2019Olivera Milenkovic

Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community

Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai

Return oriented programming (ROP)Pipat Methavanitpong

Viewers also liked (20)

Format string vunerabilityCysinfo Cyber Security Community

Buffer overflow AttacksCysinfo Cyber Security Community

Dll preloading-attackCysinfo Cyber Security Community

This document summarizes a presentation about DLL loading vulnerabilities. It will cover the history of these issues, types like hijacking and preloading, how Windows searches for DLLs and factors that can affect the search order like directory permissions, and recommendations such as using fully qualified paths or SafeDllSearchMode to prevent exploitation. A demo will also be included along with references for further information.

Watering hole attacks case study analysisCysinfo Cyber Security Community

The document describes a watering hole attack campaign that targeted military websites. It used a zero-day exploit in Internet Explorer 10 along with a malicious Flash file to download an image file containing hidden payload data. This payload contained two malware files - a DLL and a ZxShell backdoor executable. The backdoor made DNS queries to malicious domains and attempted to connect on port 443. The content is provided without warranty and solely represents the author's views.

Dissecting Android APKCysinfo Cyber Security Community

This document provides an overview of reversing Android applications. It discusses the Android security model including permissions and ARM TrustZone. It describes real world Android malware like ransomware and data stealing malware. The structure of an Android APK file is explained including the dex, resources, libraries and manifest. Tools for analyzing APKs are introduced, like APKTool for decompiling and Dex2Jar for extracting dex files. The document demonstrates decompiling an APK and analyzing the smali code. It provides a glossary of related terms and references for further reading.

Homomorphic encryptionCysinfo Cyber Security Community

This document provides an overview of homomorphic encryption. It begins by defining homomorphic encryption as a form of encryption that allows specific types of computations to be performed on ciphertext and generate an encrypted result that matches the operations performed on the plaintext when decrypted. It then discusses different types of homomorphic encryption including partially homomorphic (additive or multiplicative), fully homomorphic encryption, and provides examples like RSA, ElGamal, and Paillier. The document concludes by listing some applications of homomorphic encryption such as e-voting, biometric verification, and discusses Paillier encryption specifically.

Return addressCysinfo Cyber Security Community

Amit Malik presents research on using return addresses to analyze and detect malicious code. He discusses how return addresses point to the next instruction after a function call. By tracking return addresses during execution, his approach traces program flow and detects deviations, such as calls originating from non-code regions like the stack or heap. This technique can help analyze execution hijacking by exploits and spot system manipulation by unpacked or injected code. While challenging for malware, return address tracing provides a way to better understand and potentially detect some malicious behaviors.

Reversing malware analysis training part11 exploit development advancedCysinfo Cyber Security Community

The document provides information about a reversing and malware analysis training program. It begins with disclaimers stating that the content is provided as-is without warranty. It then acknowledges those who supported and contributed to the training. It describes that the presentation is part of a local training program delivered for free. It introduces the trainer, Amit Malik, and provides their background and areas of expertise, which include reverse engineering, exploit development, and malware analysis.

Advanced malware analysis training session11 part2 dissecting the heart beat ...Cysinfo Cyber Security Community

This document provides an overview and demonstration of the functionalities of the HeartBeat RAT (Remote Access Trojan). It discusses how the RAT encrypts communications with the command and control server, and demonstrates various capabilities including process enumeration, process termination, creating and writing files, launching new processes, establishing a reverse shell, and restarting the system. The presentation is intended to be part of an advanced malware analysis training program.

Investigating Malware using Memory ForensicsCysinfo Cyber Security Community

This document discusses memory forensics, which involves acquiring volatile memory from a system as a non-volatile image that can then be analyzed. It lists Monnappa K A's background and expertise in security investigations and memory forensics. The key steps in memory forensics are outlined as acquiring the memory dump, analyzing it to find forensic artifacts that can help reveal processes, network activity, registry changes and assist with unpacking malware and detecting rootkits. Several tools for acquiring memory on physical and virtual machines are also listed. An example scenario of using memory forensics to investigate a potentially infected system is provided.

Advanced malware analysis training session3 botnet analysis part2Cysinfo Cyber Security Community

This document provides an overview and introduction to advanced malware analysis techniques, specifically dynamic taint analysis (DTA). It begins with recapping previous discussions on botnets and analysis techniques. It then introduces the concept of using DTA to generate data flow graphs to track how untrusted data propagates through a program. This allows identifying suspicious behavior that deviates from expected normal data flows. Examples of how DTA can be used for exploit detection, malware analysis, and developing detection policies are provided. Challenges and examples of DTA tools and graphs are also summarized. The document aims to illustrate how DTA provides a more fine-grained approach than traditional analysis for understanding a program's behavior.

Reversing malware analysis training part10 exploit development basicsCysinfo Cyber Security Community

This document provides information about an upcoming training on reversing engineering and malware analysis. It contains disclaimers about the content being provided "as is" without warranty. It also includes acknowledgements and introduces the trainers, Harsimran Walia and Amit Malik, along with their backgrounds and areas of expertise. An overview of some of the topics to be covered is then given, including exploits, vulnerabilities, and exploitation techniques like buffer overflows and structured exception handling overwrites.

Introduction to Binary Exploitation Cysinfo Cyber Security Community

This document provides an introduction to binary exploitation. It outlines the course, which will cover basic stack overflows, shellcode injection, and exploit mitigation technologies. It explains how buffer overflows can be used to overwrite the return address and change the flow of execution. By injecting shellcode into the buffer and overwriting the return address to point to it, arbitrary code can be executed to gain unauthorized access. Modern defenses like ASLR and NX are discussed, as well as future topics like return-oriented programming and format string vulnerabilities. The overall goal is to understand software exploitation and how to identify vulnerabilities in programs.

Exploits & Mitigations - Memory Corruption TechniquesCysinfo Cyber Security Community

The document discusses various memory corruption techniques like stack buffer overflows, return-oriented programming (ROP) attacks, heap spraying, and use-after-free vulnerabilities. It covers mitigations for these issues like data execution prevention (DEP), address space layout randomization (ASRL), stack canaries, and isolated heaps. The document also examines heap memory management and references additional resources on topics like exploiting vulnerabilities in Adobe Flash and bypassing exploit mitigation technologies.

POS Malware: Is your Debit/Credit Transcations Secure?Cysinfo Cyber Security Community

This document discusses point-of-sale (POS) malware and credit card transaction security. It begins by explaining how POS terminals and the credit card transaction ecosystem work. It then introduces POS malware, noting how early breaches captured card data during transmission but modern malware extracts it from RAM. The document outlines the evolution of POS malware from 2011-2015 and common infection methods. It provides a case study on the BlackPOS malware and discusses new technologies like EMV chips, NFC payments, and their impacts on security.

Introduction to ICS/SCADA securityCysinfo Cyber Security Community

Understanding APT1 malware techniques using malware analysis and reverse engi...Cysinfo Cyber Security Community

Hunting rootkit from dark corners of memoryCysinfo Cyber Security Community

XXE - XML External Entity Attack Cysinfo Cyber Security Community

This document discusses XML External Entity (XXE) attacks. It begins with an introduction to XML and DTDs. It then explains how XML entities work and how parsers handle XML. The document outlines several attack vectors for XXE, including local file inclusion, internal port scanning, denial of service, and in rare cases, remote code execution. It provides examples of XXE in different contexts like Microsoft Office documents and JSON payloads. Finally, it recommends solutions like disabling external DTD fetching and entity parsing to prevent XXE vulnerabilities.

Linux Malware Analysis Cysinfo Cyber Security Community

Format string vunerabilityCysinfo Cyber Security Community

Buffer overflow AttacksCysinfo Cyber Security Community

Dll preloading-attackCysinfo Cyber Security Community

Watering hole attacks case study analysisCysinfo Cyber Security Community

Dissecting Android APKCysinfo Cyber Security Community

Homomorphic encryptionCysinfo Cyber Security Community

Return addressCysinfo Cyber Security Community

Reversing malware analysis training part11 exploit development advancedCysinfo Cyber Security Community

Advanced malware analysis training session11 part2 dissecting the heart beat ...Cysinfo Cyber Security Community

Investigating Malware using Memory ForensicsCysinfo Cyber Security Community

Advanced malware analysis training session3 botnet analysis part2Cysinfo Cyber Security Community

Reversing malware analysis training part10 exploit development basicsCysinfo Cyber Security Community

Introduction to Binary Exploitation Cysinfo Cyber Security Community

Exploits & Mitigations - Memory Corruption TechniquesCysinfo Cyber Security Community

POS Malware: Is your Debit/Credit Transcations Secure?Cysinfo Cyber Security Community

Introduction to ICS/SCADA securityCysinfo Cyber Security Community

Understanding APT1 malware techniques using malware analysis and reverse engi...Cysinfo Cyber Security Community

Hunting rootkit from dark corners of memoryCysinfo Cyber Security Community

XXE - XML External Entity Attack Cysinfo Cyber Security Community

Linux Malware Analysis Cysinfo Cyber Security Community

Similar to Dynamic Binary Instrumentation (20)

Using Pin++ to Author Highly Configurable Pintools for PinJames Hill

The document is a tutorial on using pin++ to create configurable pintools for the Pin dynamic binary instrumentation tool, outlining its goals to simplify development and promote code reuse through an object-oriented framework. It details the structure and components involved in creating a pintool, including examples of code and discussions on developer challenges. The tutorial emphasizes that pin++ aims to alleviate common complexities and improve software engineering practices in pintool development.

Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...Positive Hack Days

This document discusses dynamic binary instrumentation (DBI) and provides two examples of DBI tools. DBI allows analyzing a program's behavior at runtime by injecting instrumentation code. Two open-source DBI tools are described: WinHeap Explorer detects heap-based bugs with low overhead, while DrLtrace transparently traces malware library calls. DBI provides a powerful method for software security analysis, malware analysis, and reverse engineering. Traditional data structures in DBI can introduce significant overhead, so lightweight approaches are discussed.

Exploring billion states of a program like a pro. How to cook your own fast a...Maksim Shudrak

The document discusses dynamic binary instrumentation (DBI) as a technique for analyzing binary applications at runtime, comparing the Dynamorio and Intel Pin frameworks. It highlights applications in software security, malware analysis, and reverse-engineering, along with the introduction of two specific tools: Winheap Explorer for detecting heap-based bugs and DRLTrace for tracing API calls. The conclusion emphasizes DBI's potential and the challenges posed by traditional data structures regarding performance overhead.

HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHackito Ergo Sum

This document summarizes a lightning talk presentation about binary instrumentation using Intel's Pin tool. It introduces Pin as a dynamic binary instrumentation tool that can insert code into programs at runtime. It then discusses several applications of Pin like performance profiling, security tools for sandboxing and reversing, and academic uses. The document provides examples of using Pin APIs and also lists some alternative dynamic instrumentation engines. It encourages the audience to start using Pin and sharing tools they create with the community.

Dmitriy D1g1 Evdokimov - DBI IntroDefconRussia

Dynamic binary instrumentation (DBI) frameworks make it easy to build dynamic binary analysis (DBA) tools by injecting instrumentation code into running processes. Popular DBI frameworks include PIN, Valgrind, DynamoRIO, and DynInst. Each framework uses different techniques like dynamic binary compilation, caching, and patching to instrument binaries at runtime. DBI frameworks are useful for tasks like performance analysis, correctness checking, security monitoring, and vulnerability detection.

WCTF 2018 binja EditorialCharo_IT

The document describes a .NET reversing challenge that appears simple but has a deception. Through static analysis, it seems the challenge involves decrypting a resource to obtain matrices A, B, C and vectors d, y, then calculating the flag as A^-1B^-1C^-1(y - d). However, running this approach yields an incorrect flag. The truth is that the binary modifies the just-in-time compiled code and method descriptor table to alter the real behavior of functions 3, 4, and 5, decrypting the real code from the resource.

Effective Memory Protection Using Dynamic Tainting (ASE 2007)James Clause

The document describes an approach for detecting illegal memory accesses using dynamic taint analysis. It assigns taint marks to track data from untrusted sources as it propagates through a program. It propagates taint marks at runtime and checks for illegal accesses when data with taint reaches sensitive program points like memory references. The approach operates at the binary level with minimal modifications, avoiding limitations of prior static and dynamic techniques. It outlines assigning taint marks, propagating them, and checking them to detect illegal accesses with an empirical evaluation and conclusions.

printf tricksShaun Colley

The document discusses techniques for exploiting format string vulnerabilities in C programs despite defenses like FORTIFY_SOURCE. It describes how the GLIBC vfprin't.c source code allows arbitrary writes to memory locations by overflowing alloca-allocated buffers. This can be used to disable FORTIFY_SOURCE protections or shift the stack pointer into controlled memory like the heap. Further techniques are presented for exploiting the arbitrary writes without needing a %n specifier, such as corrupting data used by signal handlers or overwriting areas modified by other threads.

Appsec obfuscator reloadedCyber Security Alliance

Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)James Clause

This document discusses a technique for detecting memory leaks by tainting pointers returned from allocation functions. It involves three main steps: 1) tainting pointers with metadata, 2) propagating taint marks to track pointer flow, and 3) identifying leaks by checking taint mark metadata. The metadata tracks information like last use location, allocation size, and whether a pointer was deallocated. Tracking pointer flow updates metadata like pointer counts. Leaks are identified by checking if a taint mark's pointer count is zero but it was not deallocated, or if it was not deallocated at program end.

DConf 2016: Bitpacking Like a Madman by Amaury SechetAndrei Alexandrescu

The document discusses techniques for optimizing memory usage through bit packing and value type polymorphism. It describes: 1. Bit packing techniques like storing multiple values in a single integer using bitwise operations to reduce memory usage. This includes examples of packing booleans and enums. 2. Using a "tagged union" approach to represent different value types polymorphically by storing a type tag and common data in a single value. 3. The concept of "value type polymorphism" where subtypes all fit within a size budget by using a tag to differentiate them while presenting a common API. This allows efficiently representing types in a compiler.

The walking 0xDEADCarlos Garcia Prado

The document covers topics related to binary inspection and manipulation, specifically focusing on malware analysis and reverse engineering in x86 architecture. It discusses key concepts such as assembly language, CPU registers, common instructions, and the structure of processes and memory. The presentation highlights the evolution from static to dynamic analysis and emphasizes the use of Python for binary manipulation and analysis.

Given below is the completed code along with comments. Output of the.pdfaparnacollection

Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON

Radare2 is a comprehensive framework for reverse engineering and binary analysis, focusing on better API design, portability across various operating systems, and modularity with about 40 modules. The 0.4 release aims for compatibility with the older version, offering significantly improved performance and a range of scripting and language bindings. Key features include a debugging API, a relocatable code compiler, and enhanced data/code analysis capabilities with a focus on supporting multiple binary formats.

Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas

The document discusses Gustavo A. R. Silva's experiences in identifying and fixing bugs in the Linux kernel, emphasizing the use of Coverity for static code analysis to address both high and medium impact issues. It also highlights challenges, such as the significant number of warnings generated by the '-wimplicit-fallthrough' compiler flag, and describes efforts to eliminate ancient bugs and improve kernel self-protection mechanisms. Additionally, it touches on the balance between fixing bugs and maintaining the integrity of the codebase amidst community responses to proposed changes.

CNIT 127: Ch 8: Windows overflows (Part 2)Sam Bowne

Chapter 8 of CNIT 127 covers Windows overflow vulnerabilities, focusing on stack protections like security cookies, heap-based buffer overflows, and how to manipulate them. It explains various heap operations, potential exploitation techniques, including overwriting exception handler pointers, and discusses the use of COM objects on the heap. Additionally, it addresses other overflow vulnerabilities in the .data section and TEB/PEB, indicating a lack of public examples for such exploits.

Security Applications For EmulationSilvio Cesare

The document discusses using emulation for security applications like reverse engineering Cisco IOS's heap management, tracing program execution to evaluate binaries, implementing dynamic taint analysis, and developing automated unpacking tools. It describes how emulation allows intercepting program execution at the instruction level and adding instrumentation to perform these dynamic analyses, avoiding detection by anti-debugging techniques. Specific tools mentioned include Dynamips, TTAnalyze, Argos, Pandora's Bochs, and the author's own unpacker and emulator.

Heap Base ExploitationUTD Computer Security Group

The document covers heap-based exploitation techniques and the structure of heaps in memory management, primarily focusing on the dlmalloc algorithm used in Linux. It outlines several exercises from a training environment called Protostar, which include challenges like basic heap overflow, code flow hijacking, and issues related to stale pointers. Each challenge provides insights into how heap vulnerabilities can be exploited to manipulate memory and execute arbitrary code.

Buffer OverFlowRambabu Duddukuri

Buffer overruns occur when a program allows writing more data to a buffer than it was allocated to hold. This can lead to code injection attacks by overwriting memory addresses like return addresses on the stack. Common types of buffer overruns include stack overruns, heap overruns, array indexing errors, and format string bugs. Developers can prevent buffer overruns by carefully handling untrusted user input, using bounds-checked functions, and compiling with protections like GS flags.

Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf

The document discusses Linux hardening techniques and mitigations against memory corruption vulnerabilities, highlighting specific CVEs related to memory safety bugs that could be exploited. It covers various mitigation strategies such as Non-Executable Stack, Address Space Layout Randomization (ASLR), and Stack Canaries, and introduces advanced concepts like Return-Oriented Programming (ROP) and Side Channels (Spectre). The presentation concludes with discussions on modern mitigation techniques and the importance of kernel self-protection projects.

Using Pin++ to Author Highly Configurable Pintools for PinJames Hill

Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...Positive Hack Days

Exploring billion states of a program like a pro. How to cook your own fast a...Maksim Shudrak

HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHackito Ergo Sum

Dmitriy D1g1 Evdokimov - DBI IntroDefconRussia

WCTF 2018 binja EditorialCharo_IT

Effective Memory Protection Using Dynamic Tainting (ASE 2007)James Clause

printf tricksShaun Colley

Appsec obfuscator reloadedCyber Security Alliance

Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)James Clause

DConf 2016: Bitpacking Like a Madman by Amaury SechetAndrei Alexandrescu

The walking 0xDEADCarlos Garcia Prado

Given below is the completed code along with comments. Output of the.pdfaparnacollection

Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON

Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas

CNIT 127: Ch 8: Windows overflows (Part 2)Sam Bowne

Security Applications For EmulationSilvio Cesare

Heap Base ExploitationUTD Computer Security Group

Buffer OverFlowRambabu Duddukuri

Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf

More from Cysinfo Cyber Security Community (20)

Understanding Malware Persistence Techniques by Monnappa K ACysinfo Cyber Security Community

Understanding & analyzing obfuscated malicious web scripts by Vikram KharviCysinfo Cyber Security Community

This document discusses techniques for analyzing obfuscated malicious web scripts. It begins by noting some limitations and objectives of the analysis. It then covers common obfuscation techniques used such as minification, visual noise, character encoding, and multiple layers of obfuscation. Methods for deobfuscation without wasting time are presented, such as using beautification tools and writing custom scripts. Specific tools are also highlighted that can aid in deobfuscation, like Didier Stevens tools and JavaScript analysis tools. Lastly, it discusses prevention best practices like keeping systems updated and avoiding unknown links/emails.

Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKCysinfo Cyber Security Community

This document provides an introduction to getting started with security training through Capture the Flag (CTF) competitions. It discusses two common styles of CTF - Jeopardy and Attack/Defense - and gives examples of categories and tools used in each. The document advocates that CTFs provide a hands-on learning experience compared to traditional institution-based cybersecurity education. Resources for practicing skills and information on upcoming CTF events are provided.

Emerging Trends in Cybersecurity by Amar PrustyCysinfo Cyber Security Community

The document summarizes emerging security trends related to the Internet of Things. It discusses how IoT devices present many new vulnerabilities and risks if not properly secured. Recommendations include strengthening security practices to accommodate IoT, planning for increased network traffic and complexity from IoT growth, and strengthening partnerships between security researchers, vendors, and procurement to help address IoT security challenges. While IoT poses risks if misconfigured, it also provides opportunities if the right security measures are put in place.

A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community

The document provides an overview of sanitizers, which are dynamic testing tools that detect bugs like buffer overflows and uninitialized memory reads. It focuses on Address Sanitizer (ASan), which detects invalid address usage bugs, and Undefined Behavior Sanitizer (UBSan), which finds unspecified code semantic bugs. ASan works by dividing memory into main and shadow spaces and instruments code to check shadow values for poisoning. UBSan detects issues like integer overflow and out-of-bounds memory access. Both tools are compiler-instrumented to add checks and generate detailed reports of encountered bugs.

Closer look at PHP Unserialization by Ashwin ShenoiCysinfo Cyber Security Community

This document discusses PHP unserialization vulnerabilities. It begins with an introduction to PHP classes, objects, serialization and unserialization. It explains that unserialization can be exploited if an attacker can influence the input and trigger malicious code through PHP magic methods like __destruct or __wakeup. Two examples of exploits are shown using the __destruct and __wakeup methods. The document concludes with mitigation strategies like using the options parameter in PHP7's unserialize function and avoiding unserialization of user input.

Unicorn: The Ultimate CPU Emulator by Akshay AjayanCysinfo Cyber Security Community

This document discusses the Unicorn CPU emulator engine. It provides an overview of CPU emulation and the challenges involved. Unicorn is presented as an open source, lightweight alternative to Qemu that supports multiple architectures. Its features like clean APIs, JIT compilation, and instrumentation capabilities are highlighted. Demos are shown of Unicorn being used in tools like Radare2 and Cuckoo. The document concludes with references for learning more about Unicorn.

The Art of Executing JavaScript by Akhil MahendraCysinfo Cyber Security Community

This document outlines a presentation on executing JavaScript and preventing cross-site scripting (XSS) attacks. It discusses the types of XSS, including reflected, stored, and DOM-based XSS. It also covers same origin policy, content security policy (CSP) directives and keywords, common CSP mistakes like unsafe-inline, and bypassing CSP. It provides examples of XSS in different contexts like HTML, attributes, scripts, styles, and URLs. Finally, it mentions escaping the expression sandbox in Angular JS and demonstrates XSS and CSP bypass techniques.

Reversing and Decrypting Malware Communications by MonnappaCysinfo Cyber Security Community

DeViL - Detect Virtual Machine in Linux by SreelakshmiCysinfo Cyber Security Community

Sreelakshmi Panangatt graduated from Vrije University and Amrita Vishwa Vidyapeetham. She focuses on reverse engineering. Her tool DeViL (Detect Virtual Machine in Linux) demonstrates techniques malware uses to detect virtual machines. It determines how the current Linux configuration exposes itself. DeViL checks files, CPU instructions, network settings and timing to detect signs the system is running in a VM like VMWare or VirtualBox rather than physical hardware. It aims to help analysts understand how malware detects analysis environments.

Analysis of android apk using adhrit by Abhishek J.MCysinfo Cyber Security Community

This document introduces Adhrit, an open source Android APK analysis tool created by Team bi0s at the Amrita Center for Cybersecurity. Adhrit allows for extracting details from Android APKs like source code, manifest details, and checking for malware. It aims to simplify the reversing and analysis process. The tool is designed for security researchers, CTF enthusiasts, and beginners in APK reversing. Future updates will add dynamic analysis capabilities and other features.

Understanding evasive hollow process injection techniques monnappa k aCysinfo Cyber Security Community

Security challenges in d2d communication by ajithkumar vyasaraoCysinfo Cyber Security Community

The document discusses the security challenges in device-to-device (D2D) communications, highlighting vulnerabilities such as eavesdropping and the need for enhanced safety alongside the fast communication provided by technologies like Bluetooth and Wi-Fi. It presents a network-based anomaly detection approach and defines various outcomes of security controls, while introducing two models: the Cyber Kill Chain and the Diamond Model for analyzing attacks. The Cyber Kill Chain outlines stages of an attack, emphasizing that attackers may not follow a strict sequence.

S2 e (selective symbolic execution) -shivkrishna aCysinfo Cyber Security Community

Dynamic binary analysis using angr siddharth muraleeCysinfo Cyber Security Community

The document presents a talk by Siddharth M on dynamic binary analysis using the angr framework, which automates analyzing executables to identify vulnerabilities efficiently. It covers the basics of binary analysis, the uses of angr including symbolic execution and hooking, and demonstrates its application with examples. Additionally, it highlights the benefits of using angr for reverse engineering tasks, emphasizing its open-source nature and various analytical capabilities.

Bit flipping attack on aes cbc - ashutosh ahelleyaCysinfo Cyber Security Community

This document discusses CBC (Cipher Block Chaining) mode of encryption, explaining its vulnerabilities and the specifics of a bit-flipping attack. The bit-flipping attack is demonstrated with an example that circumvents HTTP session tokens, allowing unauthorized access. Preventive measures against such attacks include verifying that a random string prepended during encryption remains consistent after decryption.

Security Analytics using ELK stack Cysinfo Cyber Security Community

The document discusses using the ELKB stack for security analytics. It describes the roles of Elasticsearch for data storage and querying, Logstash for data ingestion and processing, Beats for data collection, and Kibana for visualization. It notes that the session will demonstrate using these tools to turn log and event data into insights through analytics by asking the right questions and modeling the data needed to answer them.

ATM Malware: Understanding the threat Cysinfo Cyber Security Community

This document provides an overview of ATM malware threats. It describes the XFS subsystem that is commonly used in ATMs to interface with devices from different vendors. The XFS architecture and important APIs are explained. The evolution of ATM malware from skimmers to more advanced malware like RIPPER is documented. RIPPER is able to read magnetic stripe and EMV chip data as well as control the cash dispenser. The document concludes with a reference to analyze the RIPPER malware code.

Image (PNG) Forensic Analysis Cysinfo Cyber Security Community

This document discusses PNG image forensic analysis and describes how the speaker analyzed a corrupted PNG file from the Plaid CTF 2015 competition. It provides an overview of PNG structure including chunks containing image data and metadata, and describes how the speaker repaired the header and IDAT chunks by adjusting offsets and replacing carriage returns to recover half the image before the competition ended.

Malware Detection using Machine Learning Cysinfo Cyber Security Community

This document discusses using machine learning for malware detection. It begins with an introduction to machine learning and feature selection for classification problems. Popular supervised learning algorithms that can be used for malware detection are discussed, including K-Nearest Neighbors (KNN), K-Means clustering, Support Vector Machines (SVM), Decision Trees, and Random Forests. Features that could be used for malware detection, such as file size, entropy, and behavioral patterns, are also outlined. The document concludes with brief mentions of neural networks, deep learning, and Python libraries that can be used like Scikit-Learn.

Understanding Malware Persistence Techniques by Monnappa K ACysinfo Cyber Security Community

Understanding & analyzing obfuscated malicious web scripts by Vikram KharviCysinfo Cyber Security Community

Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKCysinfo Cyber Security Community

Emerging Trends in Cybersecurity by Amar PrustyCysinfo Cyber Security Community

A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community

Closer look at PHP Unserialization by Ashwin ShenoiCysinfo Cyber Security Community

Unicorn: The Ultimate CPU Emulator by Akshay AjayanCysinfo Cyber Security Community

The Art of Executing JavaScript by Akhil MahendraCysinfo Cyber Security Community

Reversing and Decrypting Malware Communications by MonnappaCysinfo Cyber Security Community

DeViL - Detect Virtual Machine in Linux by SreelakshmiCysinfo Cyber Security Community

Analysis of android apk using adhrit by Abhishek J.MCysinfo Cyber Security Community

Understanding evasive hollow process injection techniques monnappa k aCysinfo Cyber Security Community

Security challenges in d2d communication by ajithkumar vyasaraoCysinfo Cyber Security Community

S2 e (selective symbolic execution) -shivkrishna aCysinfo Cyber Security Community

Dynamic binary analysis using angr siddharth muraleeCysinfo Cyber Security Community

Bit flipping attack on aes cbc - ashutosh ahelleyaCysinfo Cyber Security Community

Security Analytics using ELK stack Cysinfo Cyber Security Community

ATM Malware: Understanding the threat Cysinfo Cyber Security Community

Image (PNG) Forensic Analysis Cysinfo Cyber Security Community

Malware Detection using Machine Learning Cysinfo Cyber Security Community

Recently uploaded (20)

“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2025/06/key-requirements-to-successfully-implement-generative-ai-in-edge-devices-optimized-mapping-to-the-enhanced-npx6-neural-processing-unit-ip-a-presentation-from-synopsys/ Gordon Cooper, Principal Product Manager at Synopsys, presents the “Key Requirements to Successfully Implement Generative AI in Edge Devices—Optimized Mapping to the Enhanced NPX6 Neural Processing Unit IP” tutorial at the May 2025 Embedded Vision Summit. In this talk, Cooper discusses emerging trends in generative AI for edge devices and the key role of transformer-based neural networks. He reviews the distinct attributes of transformers, their advantages over conventional convolutional neural networks and how they enable generative AI. Cooper then covers key requirements that must be met for neural processing units (NPU) to support transformers and generative AI in edge device applications. He uses transformer-based generative AI examples to illustrate the efficient mapping of these workloads onto the enhanced Synopsys ARC NPX NPU IP family.

Bridging the divide: A conversation on tariffs today in the book industry - T...BookNet Canada

A collaboration-focused conversation on the recently imposed US and Canadian tariffs where speakers shared insights into the current legislative landscape, ongoing advocacy efforts, and recommended next steps. This event was presented in partnership with the Book Industry Study Group. Link to accompanying resource: https://bnctechforum.ca/sessions/bridging-the-divide-a-conversation-on-tariffs-today-in-the-book-industry/ Presented by BookNet Canada and the Book Industry Study Group on May 29, 2025 with support from the Department of Canadian Heritage.

No-Code Workflows for CAD & 3D Data: Scaling AI-Driven InfrastructureSafe Software

When projects depend on fast, reliable spatial data, every minute counts. AI Clearing needed a faster way to handle complex spatial data from drone surveys, CAD designs and 3D project models across construction sites. With FME Form, they built no-code workflows to clean, convert, integrate, and validate dozens of data formats – cutting analysis time from 5 hours to just 30 minutes. Join us, our partner Globema, and customer AI Clearing to see how they: -Automate processing of 2D, 3D, drone, spatial, and non-spatial data -Analyze construction progress 10x faster and with fewer errors -Handle diverse formats like DWG, KML, SHP, and PDF with ease -Scale their workflows for international projects in solar, roads, and pipelines If you work with complex data, join us to learn how to optimize your own processes and transform your results with FME.

Murdledescargadarkweb.pdfvolumen1 100 elementaryJorgeSemperteguiMont

High Availability On-Premises FME Flow.pdfSafe Software

FME Flow is a highly robust tool for transforming data both automatically and by user-initiated workflows. At the Finnish telecommunications company Elisa, FME Flow serves processes and internal stakeholders that require 24/7 availability from underlying systems, while imposing limitations on the use of cloud based systems. In response to these business requirements, Elisa has implemented a high-availability on-premises setup of FME Flow, where all components of the system have been duplicated or clustered. The goal of the presentation is to provide insights into the architecture behind the high-availability functionality. The presentation will show in basic technical terms how the different parts of the system work together. Basic level understanding of IT technologies is required to understand the technical portion of the presentation, namely understanding the purpose of the following components: load balancer, FME Flow host nodes, FME Flow worker nodes, network file storage drives, databases, and external authentication services. The presentation will also outline our lessons learned from the high-availability project, both benefits and challenges to consider.

Raman Bhaumik - Passionate Tech EnthusiastRaman Bhaumik

vertical-cnc-processing-centers-drillteq-v-200-en.pdfAmirStern2

FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptxFIDO Alliance

ENERGY CONSUMPTION CALCULATION IN ENERGY-EFFICIENT AIR CONDITIONER.pdfMuhammad Rizwan Akram

DC Inverter Air Conditioners are revolutionizing the cooling industry by delivering affordable, energy-efficient, and environmentally sustainable climate control solutions. Unlike conventional fixed-speed air conditioners, DC inverter systems operate with variable-speed compressors that modulate cooling output based on demand, significantly reducing energy consumption and extending the lifespan of the appliance. These systems are critical in reducing electricity usage, lowering greenhouse gas emissions, and promoting eco-friendly technologies in residential and commercial sectors. With advancements in compressor control, refrigerant efficiency, and smart energy management, DC inverter air conditioners have become a benchmark in sustainable climate control solutions

Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...Safe Software

Jacobs has developed a 3D utility solids modelling workflow to improve the integration of utility data into 3D Building Information Modeling (BIM) environments. This workflow, a collaborative effort between the New Zealand Geospatial Team and the Australian Data Capture Team, employs FME to convert 2D utility data into detailed 3D representations, supporting enhanced spatial analysis and clash detection. To enable the automation of this process, Jacobs has also developed a survey data standard that standardizes the capture of existing utilities. This standard ensures consistency in data collection, forming the foundation for the subsequent automated validation and modelling steps. The workflow begins with the acquisition of utility survey data, including attributes such as location, depth, diameter, and material of utility assets like pipes and manholes. This data is validated through a custom-built tool that ensures completeness and logical consistency, including checks for proper connectivity between network components. Following validation, the data is processed using an automated modelling tool to generate 3D solids from 2D geometric representations. These solids are then integrated into BIM models to facilitate compatibility with 3D workflows and enable detailed spatial analyses. The workflow contributes to improved spatial understanding by visualizing the relationships between utilities and other infrastructure elements. The automation of validation and modeling processes ensures consistent and accurate outputs, minimizing errors and increasing workflow efficiency. This methodology highlights the application of FME in addressing challenges associated with geospatial data transformation and demonstrates its utility in enhancing data integration within BIM frameworks. By enabling accurate 3D representation of utility networks, the workflow supports improved design collaboration and decision-making in complex infrastructure projects

MuleSoft for AgentForce : Topic Center and API Catalogshyamraj55

This presentation dives into how MuleSoft empowers AgentForce with organized API discovery and streamlined integration using Topic Center and the API Catalog. Learn how these tools help structure APIs around business needs, improve reusability, and simplify collaboration across teams. Ideal for developers, architects, and business stakeholders looking to build a connected and scalable API ecosystem within AgentForce.

Data Validation and System InteroperabilitySafe Software

Edge-banding-machines-edgeteq-s-200-en-.pdfAmirStern2

AI vs Human Writing: Can You Tell the Difference?Shashi Sathyanarayana, Ph.D

Securing Account Lifecycles in the Age of Deepfakes.pptxFIDO Alliance

Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdfcaoyixuan2019

Security Tips for Enterprise Azure SolutionsMichele Leroux Bustamante

Delivering solutions to Azure may involve a variety of architecture patterns involving your applications, APIs data and associated Azure resources that comprise the solution. This session will use reference architectures to illustrate the security considerations to protect your Azure resources and data, how to achieve Zero Trust, and why it matters. Topics covered will include specific security recommendations for types Azure resources and related network security practices. The goal is to give you a breadth of understanding as to typical security requirements to meet compliance and security controls in an enterprise solution.

AI VIDEO MAGAZINE - June 2025 - r/aivideo1pcity Studios, Inc

AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...SOFTTECHHUB

Providing an OGC API Processes REST Interface for FME FlowSafe Software

This presentation will showcase an adapter for FME Flow that provides REST endpoints for FME Workspaces following the OGC API Processes specification. The implementation delivers robust, user-friendly API endpoints, including standardized methods for parameter provision. Additionally, it enhances security and user management by supporting OAuth2 authentication. Join us to discover how these advancements can elevate your enterprise integration workflows and ensure seamless, secure interactions with FME Flow.

“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...Edge AI and Vision Alliance

Bridging the divide: A conversation on tariffs today in the book industry - T...BookNet Canada

No-Code Workflows for CAD & 3D Data: Scaling AI-Driven InfrastructureSafe Software

Murdledescargadarkweb.pdfvolumen1 100 elementaryJorgeSemperteguiMont

High Availability On-Premises FME Flow.pdfSafe Software

Raman Bhaumik - Passionate Tech EnthusiastRaman Bhaumik

vertical-cnc-processing-centers-drillteq-v-200-en.pdfAmirStern2

FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptxFIDO Alliance

ENERGY CONSUMPTION CALCULATION IN ENERGY-EFFICIENT AIR CONDITIONER.pdfMuhammad Rizwan Akram

Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...Safe Software

MuleSoft for AgentForce : Topic Center and API Catalogshyamraj55

Data Validation and System InteroperabilitySafe Software

Edge-banding-machines-edgeteq-s-200-en-.pdfAmirStern2

AI vs Human Writing: Can You Tell the Difference?Shashi Sathyanarayana, Ph.D

Securing Account Lifecycles in the Age of Deepfakes.pptxFIDO Alliance

Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdfcaoyixuan2019

Security Tips for Enterprise Azure SolutionsMichele Leroux Bustamante

AI VIDEO MAGAZINE - June 2025 - r/aivideo1pcity Studios, Inc

AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...SOFTTECHHUB

Providing an OGC API Processes REST Interface for FME FlowSafe Software

Dynamic Binary Instrumentation

1. Dynamic Binary Instrumentation Using Intel’s PIN

2. What is Instrumentation ● Inserting extra lines of code into the processes memory. ● Intel’s PIN, Google’s Address Sanitizer, DynamoRIO, Valgrind, GDB. ● Useful for reverse engineering and malware analysis.

3. Why DBI …... if (size < sizeof(min_buf)) { iov_to_buf(iov, iovcnt, 0, min_buf, size); memset(&min_buf[size], 0, sizeof(min_buf) - size); } else if (iov->iov_len < MAXIMUM_ETHERNET_HDR_LEN) { /* This is very unlikely, but may happen. */ iov_to_buf(iov, iovcnt, 0, min_buf, MAXIMUM_ETHERNET_HDR_LEN); filter_buf = min_buf; } …...

4. …. if (size < sizeof(min_buf)) { printf(“Good size branchn”); iov_to_buf(iov, iovcnt, 0, min_buf, size); memset(&min_buf[size], 0, sizeof(min_buf) - size); } else if (iov->iov_len < MAXIMUM_ETHERNET_HDR_LEN) { /* This is very unlikely, but may happen. */ printf(“Got a rare casen”); iov_to_buf(iov, iovcnt, 0, min_buf, MAXIMUM_ETHERNET_HDR_LEN); filter_buf = min_buf; } ….

5. Installation guidelines ● https://labs.portcullis.co.uk/blog/an-introduction-to-binary-dynamic- analysis/ ● https://software.intel. com/sites/landingpage/pintool/docs/76991/Pin/html/

6. Where’s the code? ● Comes with pre-existing scripts. ● Feature to add custom scripts. ● Written in C or C++. ● Examples in ~/pin/source/tools/SimpleExamples/

7. #include <iostream> #include "pin.H" UINT64 icount = 0; VOID IncCounter() { icount++;} VOID Instruction(INS ins, VOID *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)IncCounter, IARG_END);} VOID Fini(INT32 code, VOID *v) { std::cerr << "Count " << icount << endl;} int main(int argc, char * argv[]) { PIN_Init(argc, argv); INS_AddInstrumentFunction(Instruction, 0); PIN_AddFiniFunction(Fini, 0); PIN_StartProgram(); return 0;} Analysis Instrumentation

8. Execution $ pin -t inscount.so -- /bin/ls inscount.cpp inscount.so inscount.o Count 422838 Output of inscount $

9. Detecting Heap bugs ● Keep list of used and free chunks. ● If input is read to any of these chunks, check sizes and number of bytes being read. ● In case of structure objects, check for input being read to an address inside a chunk. ● If input is read to free chunk => UAF. ● If number of bytes read > size of chunk => heap overflow. ● If chunk_start + size - address < number of bytes => heap overflow.

10. The code ● Heap_trace.cpp ● Need to check for other functions like scanf(), strncpy(), memcpy() etc. ● Alerts: ○ When the same chunk is returned by malloc more than once. ○ When the same chunk is going to be freed more than once. ○ When input crosses chunk boundaries. ○ When input is copied to free chunks. ● Around 200 lines of code (excluding the nice comments). ● Let’s have a look. ● Demo1

11. C or C++ ? That’s it? ● Kudos to the owners. ● Blankwall - Python Pin. ● A python wrapper to PIN. ● Not yet complete.

12. import sys, pin total = 0 info = file("inscount.out", "w") def counter(trace_addr): global total x = pin.TRACE_BblHead(trace_addr) y = pin.BBL_Address(x) instrucs = pin.BBL_NumIns(x) total += instrucs info.write("Basic Block @ %x SIZE: %x NUM INS= IN BLOCK: %x TOTAL: %xn" % (y, pin.BBL_Size (x), instrucs, total )) pin.TRACE_AddInstrumentFunction(counter)

13. $ pin -t obj-intel64/Python_Pin.so -m ins_count.py -- /bin/ls $ cat inscount.out|head Basic Block @ 7ffff7ddb2d0 SIZE: 8 NUM INS= IN BLOCK: 2 TOTAL: 2 Basic Block @ 7ffff7ddea40 SIZE: 55 NUM INS= IN BLOCK: 16 TOTAL: 18 Basic Block @ 7ffff7ddeaef SIZE: 6 NUM INS= IN BLOCK: 2 TOTAL: 1a Basic Block @ 7ffff7ddead8 SIZE: 17 NUM INS= IN BLOCK: 6 TOTAL: 20

14. Heap_Tracer.py ? ● 90 lines of code. ( Hurray! ) ● Let’s take a look. ● Demo2

Dynamic Binary Instrumentation

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Dynamic Binary Instrumentation (20)

More from Cysinfo Cyber Security Community (20)

Recently uploaded (20)

Dynamic Binary Instrumentation