Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AnalyzeCON 2016 Slides

Aaron Shelmire
March 04, 2016
Research
0
220

AnalyzeCON 2016 Slides

Aaron Shelmire

March 04, 2016
Tweet

More Decks by Aaron Shelmire

See All by Aaron Shelmire
Effective Threat Intel - SANS CTI Summit 2017
ashelmire
0
120
Decreasing Dwell Time
ashelmire
1
99

Other Decks in Research

See All in Research
第14回対話システムシンポジウム EMNLP 2023 参加報告
atsumoto
0
160
Ground Metric Learning with applications in genomics
gpeyre
0
370
自己教師あり学習による事前学習(CVIMチュートリアル)
naok615
2
1.4k
リサーチに組織を巻き込むための「準備8割」の話
terasho
0
470
Equivalence of Geodesics and Importance Weighting from the Perspective of Information Geometry
mkimura
0
140
時系列解析と疫学
kingqwert
2
940
Embodied AIについて / About Embodied AI
nttcom
1
580
媒介分析と疫学
kingqwert
0
110
第12回全日本コンピュータビジョン勉強会:画像の自己教師あり学習における大規模データセット
naok615
0
530
Introduction of NII S. Koyama's Lab (AY2024)
skoyamalab
0
130
脳卒中患者・家族からみた循環器病対策推進基本計画の進捗に関する調査
japanstrokeassociation
0
540
オープンな日本語埋め込みモデルの選択肢 / Exploring Publicly Available Japanese Embedding Models
nttcom
14
5.6k

Featured

See All Featured
How to name files
jennybc
65
93k
The Invisible Side of Design
smashingmag
294
49k
Web Components: a chance to create the future
zenorocha
306
41k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
117
18k
A Philosophy of Restraint
colly
197
16k
[RailsConf 2023] Rails as a piece of cake
palkan
28
4k
The Cult of Friendly URLs
andyhume
74
5.7k
Agile that works and the tools we love
rasmusluckow
325
20k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
Building Adaptive Systems
keathley
32
1.9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
660
120k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
20
1.6k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None

  10. • • •

  11. 1512 Samples

  12. • •

  13. • • ◦

  14. None
  15. None

  16. Count Useful __PAGEZERO ALL X NULL __TEXT 1832 √ Code

    and RO Data __OBJC 347* √ info often found in __TEXT sections __DATA 1825 √ Writable data __LINKEDIT 1830 X info __IMPORT 0 X Only IA32 Signature √ Code Signature
  17. None

  18. • ◦ •

  19. __TEXT Count Unique Useful __text 1830 950 √ __text sections

    show code __cstring 1709 918 √ most __cstring sections are different __stub_helper 1602 696 √ most stub sections __unwind_info 1592 715 √ __const 1300 446 X __eh_frame 1119 577 X __stubs 915 416 √ __objc_classname 670 165 √ __objc_methname 653 260 √ __objc_methtype 645 182 __symbol_stub 633 215 __gcc_except_tab 601 350 __ustring 130 57 __symbol_stub1 105 75

  20. __TEXT Count __text 1830 __cstring 1709 __stub_helper 1602 __unwind_info 1592

    715 √ __const 1300 446 X __eh_frame 1119 577 X __stubs 915 416 √ __objc_classname 670 165 __objc_methname 653 260 __objc_methtype 645 182 __symbol_stub 633 215 __gcc_except_tab 601 350 __ustring 130 57 __symbol_stub1 105 75
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None

  29. Long Tail Distribution few adware families many other “families” -

    few samples

  30. Approach Time Labeled Blind 1.5 day 316 files ML-Clustering 1

    day 304 files Exact Clustering .5 day 628 files ??

  31. • ◦ ◦ ◦ ◦

  32. Approach Time Labeled Blind 1.5 day 316 files ML-Clustering 1

    day 304 files Exact Clustering .5 day 628 files Mixed Approach ? ? and teamwork!
  33. None

  34. • 64a130000000 • 8b400c • 8b401c • 8b00 • 8b4820

    • 81790c33003200 • 75f2 • 8b4008 • c3

  35. • 64a130000000 • 8b400c • 8b401c • 8b00 • 8b4820

    • 81790c33003200 • 75f2 • 8b4008 • c3

  36. 64a130000000 ffff00000000 8b400c ffff00 8b401c ffff00 8b00 ffff 8b4820 ffff00

    81790c00000000 ffff0000000000 75f2 ff00 8b4008 ffff00 c3 ff

  37. • Operands ◦ Operand.type == Mnem == 0 == missing

    Operand ◦ up to idapi.UA_MAXOP Operands (6) ▪ workaround - just nulling out rest of instruction
  38. None

  39. • Library Functions - already in PAT (is this really

    a problem??) • Small Functions ◦ Jmp. ◦ retn 0 ◦ retn 1 ◦ Only hash functions that are greater than 3 instructions

  40. • • •

  41. None
  42. None
  43. None
  44. None
  45. None
  46. None

  47. • • ◦ • • • … • • •

  48. • • •

  49. None