Saturday, June 13, 2009

Generic unpacking paper revision

I have made some small updates to the "Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs" paper. Basically the Testimonials section was extended. The tests are now performed on bigger and more "typical" Windows applications. Additionally, MmmBop was tested with other packers as well; the list now includes: UPX ver. 3.03w, Yoda's Crypter ver. 1.3, tElock ver. 0.98, PESpin ver. 1.32, FSG ver. 2.0, MEW ver. 11SE, ASPack ver. 2.2, nSpack ver. 3.4, PECompact ver. 2.98.6.

You can download the paper here:
http://piotrbania.com/all/articles/pbania-dbi-unpacking2009.pdf


Besides, some time ago I obtained my BSc degree in Electrical Engineering, which makes me wonder whether I should do the MSc or not. Well, I have three months to find the answer...

Wednesday, June 10, 2009

PAPER: Evading network-level emulation

ABSTRACT

Recently more and more attention has been paid to intrusion detection systems (IDS) which don't rely on a signature-based detection approach. Such solutions try to increase their defense level by using heuristic detection methods like network-level emulation. This technique allows intrusion detection systems to stop unknown threats which normally couldn't be stopped by standard signature detection techniques.

In this article the author describes the general concepts of the network-level emulation technique, including its advantages and disadvantages (weak sides), and provides potential countermeasures against this type of detection method.

Paper can be found at:
http://piotrbania.com/all/articles/pbania-evading-nemu2009.pdf


Besides the new article:
The number of Kon-Boot downloads has exceeded 100,000 copies (still increasing) just from my website, and this includes only downloads of the version published on 16.04.2009, so barely two months ago. This really exceeded my expectations. A lot of people nuked me with a huge number of e-mail messages demanding features, help and additional things. I am afraid I am unable to answer all of them. Not to mention that e-mails like "how to burn this to CD" or "this iso image is empty" are simply ignored by default. Additionally I was forced to ban all the mass-downloaders, spam-bots and other nasty things from my website. If you were accidentally banned as well, feel free to let me know. On this occasion I would like to send some kudos to Rafal Lesniak, who still hosts me :-)

P.S. I'm currently moving to another city, so sorry for the answering delays.

Wednesday, May 27, 2009

Some graphs

While playing with MmmBop I was sometimes recording the transfers between basic blocks. I tried to produce some graphs from it to make a nice visualization; however, it appears that in various cases, i.e. tElock, PESpin, I recorded so many edges that GraphViz was unable to produce a correct graph. I tried a few other things like Tulip, but they haven't really worked either. One thing that actually worked was Walrus3D, but the graphs are not really a good visualization for this example, IMHO. Anyway, maybe you will like the following ones:


MmmBop tracing the unpacking process of UPX packed binary:

[image: MmmBop vs UPX]

MmmBop tracing the unpacking process of tElock packed binary (Walrus as renderer here):

[image: MmmBop vs tElock - RENDER1]
[image: MmmBop vs tElock - RENDER2]
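
As an added example (not part of the original post and not MmmBop's own code), here is one way to turn a recorded basic-block transfer trace into a GraphViz DOT graph; the "src -> dst" trace format and the addresses are constructed assumptions. Collapsing repeated transfers into one weighted edge is what keeps the edge count manageable when an unpacking stub loops many times.

```python
# Added example: aggregate a basic-block transfer trace into a DOT graph.
# Repeated transfers (decryption loops in an unpacking stub) collapse into
# one weighted edge instead of one edge per executed jump.
from collections import Counter

# Constructed sample trace; "src -> dst" per line is an assumed format,
# the addresses are hypothetical and not taken from any real binary.
SAMPLE_TRACE = """\
0x00401000 -> 0x00401020
0x00401020 -> 0x00401035
0x00401035 -> 0x00401020
0x00401020 -> 0x00401035
0x00401035 -> 0x00401020
0x00401020 -> 0x00401035
0x00401035 -> 0x00401050
0x00401050 -> 0x00410000
"""

def parse_trace(text):
    """Yield (src, dst) integer pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("->")
        if len(parts) != 2:
            continue
        try:
            yield int(parts[0], 16), int(parts[1], 16)
        except ValueError:
            continue

def count_edges(text):
    """Collapse the transfer trace into {(src, dst): number of transfers}."""
    return Counter(parse_trace(text))

def to_dot(edges, min_count=1):
    """Render weighted edges as DOT text; edges below min_count are dropped."""
    lines = ["digraph trace {", "  node [shape=box fontname=monospace];"]
    for (src, dst), n in sorted(edges.items()):
        if n < min_count:
            continue
        # Thicker edge = executed more often, so hot loops stand out.
        lines.append('  "%08x" -> "%08x" [label="%d" penwidth=%d];'
                     % (src, dst, n, min(n, 6)))
    lines.append("}")
    return "\n".join(lines)

def find_loops(edges):
    """Return basic-block pairs that jump to each other (2-node cycles)."""
    return sorted((a, b) for (a, b) in edges if a < b and (b, a) in edges)

DOT = to_dot(count_edges(SAMPLE_TRACE))  # feed this to: dot -Tpng
```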

Monday, May 25, 2009

PAPER: Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs

ABSTRACT

Nowadays most of the malware applications are either packed or protected. These techniques are applied especially to evade signature-based detectors and also to complicate the job of reverse engineers or security analysts. The time one must spend on unpacking or decrypting malware layers is often very long and in fact remains the most complicated task in the overall process of malware analysis. In this report the author proposes MmmBop as a relatively new concept of using dynamic binary instrumentation techniques for unpacking and bypassing detection by self-modifying and highly aggressive packed binary code. MmmBop is able to deal with most of the known and unknown packing algorithms and it is also suitable for successfully bypassing most of the currently used anti-reversing tricks. [...]


Paper can be found at:
http://piotrbania.com/all/articles/pbania-dbi-unpacking2009.pdf

Monday, May 18, 2009

Dynamic Data Flow Analysis via Virtual Code Integration (aka The SpiderPig case)

SpiderPig is a project created for performing and visualizing data flow analysis of a selected binary program. SpiderPig was created for the purpose of providing a tool which would be able to help vulnerability and security researchers with tracing and analyzing any necessary data and its further propagation. Such tasks are very often crucial in the vulnerability discovering/identifying process and typically require a lot of time-consuming manual work. The following paper discusses methods and techniques implemented in SpiderPig in order to perform semi-automatic data flow analysis.

Paper is available here:
http://piotrbania.com/all/spiderpig/pbania-spiderpig2008.pdf

Simple video demo and some other things available on project website:
http://piotrbania.com/all/spiderpig/

Big thanks to Matt "skape" Miller and Julien Vanegue!

Thursday, April 16, 2009

If I had a nickel for every time I had a nickel, I'd have TWO NICKELS

It has been quite a while since I put the last post here. Summing up, here is some of the news I may now reveal:

1) Microsoft Windows DirectX MJPEG Decoder Remote Heap Corruption

Advisory available here: http://www.piotrbania.com/all/adv/ms-directx-mjpeg-adv.txt

2) VMware Workstation IO Port Request Virtualized Machine Denial Of Service

Advisory available here: http://www.piotrbania.com/all/adv/vmware-io-adv.txt

3) Kon-Boot for Windows

As one of my past projects for KryptosLogic, Kon-Boot was moved to Windows platforms. Kon-Boot now supports Microsoft Windows systems and allows logging in to any password-protected profile without any knowledge of the password. Currently the following Windows systems have been tested:

+ Windows Server 2008 Standard SP2 (v.275)
+ Windows Vista Business SP0
+ Windows Vista Ultimate SP1
+ Windows Vista Ultimate SP0
+ Windows Server 2003 Enterprise
+ Windows XP
+ Windows XP SP1
+ Windows XP SP2
+ Windows XP SP3
+ Windows 7

You can download Kon-Boot from the project page:
http://piotrbania.com/all/kon-boot/

The rest of the stuff I'm currently working on may be announced sometime around 2015. okthxbye.


P.S. I found a fantastic anthem for #nomorefreebugs, check this out.


"A wonderful nation, it's only the people who are pricks" - Józef Piłsudski

Saturday, October 18, 2008

The FALL

Yesterday I saw a movie called "The FALL" and after seeing it I still wonder how come I hadn't found it before (since it appears it was already released(?) in 2006). It seems I liked it so much that I actually decided to drop a short note about it here. To be honest, it is still haunting me :)

The Fall is one of those movies that you can't compare to any other. The movie was filmed in 28 different countries across the world over about 4 years, and from what I have read the director spent his own money to finally realize it. The imagery, photos, paintings and music are really gorgeous; I can't even find the proper words to describe it. I have no idea if the landscapes were real or just generated by computers. I should speak about the plot here but I don't want to spoil your potential fun.

It is surely not a movie for everyone, but why not give it a try?

Links:
1) Official trailer
2) Official movie website