Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AnalyzeCON 2016 Slides

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Aaron Shelmire Aaron Shelmire
March 04, 2016
Research
0
250

AnalyzeCON 2016 Slides

Avatar for Aaron Shelmire

Aaron Shelmire

March 04, 2016
Tweet

More Decks by Aaron Shelmire

See All by Aaron Shelmire
Effective Threat Intel - SANS CTI Summit 2017
Avatar for Aaron Shelmire ashelmire
0
130
Decreasing Dwell Time
Avatar for Aaron Shelmire ashelmire
1
120

Other Decks in Research

See All in Research
病院向け生成AIプロダクト開発の実践と課題
Avatar for Takashi Nishibayashi hagino3000
0
530
空間音響処理における物理法則に基づく機械学習
Avatar for NII S. Koyama's Lab skoyamalab
0
190
ウェブ・ソーシャルメディア論文読み会 第36回: The Stepwise Deception: Simulating the Evolution from True News to Fake News with LLM Agents (EMNLP, 2025)
Avatar for taichi_murayama hkefka385
0
150
OWASP KansaiDAY 2025.09_文系OSINTハンズオン
Avatar for OWASP Kansai owaspkansai
0
110
Proposal of an Information Delivery Method for Electronic Paper Signage Using Human Mobility as the Communication Medium / ICCE-Asia 2025
Avatar for yumulab yumulab
0
160
Aurora Serverless からAurora Serverless v2への課題と知見を論文から読み解く/Understanding the challenges and insights of moving from Aurora Serverless to Aurora Serverless v2 from a paper
Avatar for bootjp / ぶーと bootjp
6
1.5k
Stealing LUKS Keys via TPM and UUID Spoofing in 10 Minutes - BSides 2025
Avatar for AnyKeyShik anykeyshik
0
180
世界モデルにおける分布外データ対応の方法論
Avatar for Hidehisa Arai koukyo1994
6
1.3k
AIスパコン「さくらONE」の
オブザーバビリティ / Observability for AI Supercomputer SAKURAONE
Avatar for Yuuki Tsubouchi (yuuk1) yuukit
2
1.2k
ペットのかわいい瞬間を撮影する オートシャッターAIアプリへの スマートラベリングの適用
Avatar for Convergence Lab. mssmkmr
0
260
第66回コンピュータビジョン勉強会@関東 Epona: Autoregressive Diffusion World Model for Autonomous Driving
Avatar for Kento Sasaki kentosasaki
0
330
Combining Deep Learning and Street View Imagery to Map Smallholder Crop Types
Avatar for SatAI.challenge satai
3
570

Featured

See All Featured
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
900
Lightning Talk: Beautiful Slides for Beginners
Avatar for Ines Montani inesmontani
PRO
1
440
Getting science done with accelerated Python computing platforms
Avatar for Jacob Tomlinson jacobtomlinson
2
110
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
187
22k
The AI Search Optimization Roadmap by Aleyda Solis
Avatar for Aleyda Solis aleyda
1
5.2k
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
Avatar for Tech SEO Connect techseoconnect
PRO
0
57
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
463
34k
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
48
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
Avatar for Aleyda Solis aleyda
1
1.1k
Mind Mapping
Avatar for Hélio Medeiros helmedeiros
PRO
0
81
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None

  10. • • •

  11. 1512 Samples

  12. • •

  13. • • ◦

  14. None
  15. None

  16. Count Useful __PAGEZERO ALL X NULL __TEXT 1832 √ Code

    and RO Data __OBJC 347* √ info often found in __TEXT sections __DATA 1825 √ Writable data __LINKEDIT 1830 X info __IMPORT 0 X Only IA32 Signature √ Code Signature
  17. None

  18. • ◦ •

  19. __TEXT Count Unique Useful __text 1830 950 √ __text sections

    show code __cstring 1709 918 √ most __cstring sections are different __stub_helper 1602 696 √ most stub sections __unwind_info 1592 715 √ __const 1300 446 X __eh_frame 1119 577 X __stubs 915 416 √ __objc_classname 670 165 √ __objc_methname 653 260 √ __objc_methtype 645 182 __symbol_stub 633 215 __gcc_except_tab 601 350 __ustring 130 57 __symbol_stub1 105 75

  20. __TEXT Count __text 1830 __cstring 1709 __stub_helper 1602 __unwind_info 1592

    715 √ __const 1300 446 X __eh_frame 1119 577 X __stubs 915 416 √ __objc_classname 670 165 __objc_methname 653 260 __objc_methtype 645 182 __symbol_stub 633 215 __gcc_except_tab 601 350 __ustring 130 57 __symbol_stub1 105 75
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None

  29. Long Tail Distribution few adware families many other “families” -

    few samples

  30. Approach Time Labeled Blind 1.5 day 316 files ML-Clustering 1

    day 304 files Exact Clustering .5 day 628 files ??

  31. • ◦ ◦ ◦ ◦

  32. Approach Time Labeled Blind 1.5 day 316 files ML-Clustering 1

    day 304 files Exact Clustering .5 day 628 files Mixed Approach ? ? and teamwork!
  33. None

  34. • 64a130000000 • 8b400c • 8b401c • 8b00 • 8b4820

    • 81790c33003200 • 75f2 • 8b4008 • c3

  35. • 64a130000000 • 8b400c • 8b401c • 8b00 • 8b4820

    • 81790c33003200 • 75f2 • 8b4008 • c3

  36. 64a130000000 ffff00000000 8b400c ffff00 8b401c ffff00 8b00 ffff 8b4820 ffff00

    81790c00000000 ffff0000000000 75f2 ff00 8b4008 ffff00 c3 ff

  37. • Operands ◦ Operand.type == Mnem == 0 == missing

    Operand ◦ up to idapi.UA_MAXOP Operands (6) ▪ workaround - just nulling out rest of instruction
  38. None

  39. • Library Functions - already in PAT (is this really

    a problem??) • Small Functions ◦ Jmp. ◦ retn 0 ◦ retn 1 ◦ Only hash functions that are greater than 3 instructions

  40. • • •

  41. None
  42. None
  43. None
  44. None
  45. None
  46. None

  47. • • ◦ • • • … • • •

  48. • • •

  49. None