Unicornを用いたDead Code除去

Transcript

1. UnicornΛ༻͍ͨDead Codeআڈ Security Camp Forum 2017 tkmruɹ

2. ࣗݾ঺հ • ໊લ: ͚ͨ·Δ • ηΩϡϦςΟɾΩϟϯϓ શࠃେձ 2015 ଔۀੜ •

   twitter ID: @tkmru • CTFνʔϜ: TomoriNao

3. Dead Codeͱ͸ • Dead Code͸࣮ߦͯ͠΋ҙຯ͕ͳ͍ίʔυ • ΞϯνσόοάͷͨΊʹϚϧ΢ΣΞʹ͸େྔʹDead Codeؚ͕·ΕΔ • ղੳͷো֐ͱͳΔ

4. ؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,

   0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800

5. ؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,

   0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 ੺จࣈҎ֎͸Dead Code

6. ྫ) Themida(Packer) A Generic Approach to Automatic Deobfuscation of Executable

   Code http://www.sysnet.ucsd.edu/~bjohanne/assets/papers/oakland2015.pdf

7. Nao(No-meaning Assembly Omiter) • Dead CodeআڈΛ͢ΔIDAϓϥάΠϯΛOSSͱͯ͠։ൃ • IDAPython • Unicorn(CPUΤϛϡϨʔλͷํ)

   • https://github.com/tkmru/nao • ࣮ࡍʹΤϛϡϨʔλ্Ͱ࣮ߦ͢ΔͷͰɺߴ͍ਫ਼౓Ͱআ ڈͰ͖Δ • ෳ਺ͷΞʔΩςΫνϟʔʹରԠՄೳ

8. Unicornͱ͸ • QEMU forkͷϚϧνϓϥοτϑΥʔϜɺϚϧνΞʔΩς ΫνϟͳCPUΤϛϡϨʔλ • όΠφϦղੳπʔϧ angrͰ༻͍ΒΕ͍ͯΔͷΛ͸͡ Ίɺ֤छπʔϧ։ൃͰ࢖ΘΕ͍ͯΔ •

   ηΩϡϦςΟք۾Ͱ஫໨ͷOSS

9. Unicorn

10. Unicornͷshowcaseʹܝࡌ

11. ΞϧΰϦζϜ • IDAͷάϥϑϏϡʔʹදࣔ͞Ε͍ͯΔόΠφϦΛऔΓग़ ͢ • NOP໋ྩʹҰߦͣͭมߋ͠ɺUnicornΛ༻͍࣮ͯߦ • ࠷ऴతͳϨδελͷ஋Λൺֱͯ͠൑அ • มߋ͞Ε͍ͯͨΒɺ݁ՌʹӨڹ͢ΔͷͰDead

    Code Ͱ͸ͳ͍ • มߋ͞Ε͍ͯͳ͚Ε͹ɺ݁ՌʹӨڹ͍ͯ͠ͳ͍ͷͰɹ Dead CodeͰ͋Δͱ൑அ

12. ؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,

    0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800

13. ؆୯ͳྫ x86 asm • mov eax, 0x100000 → nop •

    shr eax, 0x10 → nop • add eax, 0x913 → nop • and eax, 0x1fff → nop • mov ecx, eax → nop • mov eax, 0x1918632 • and ecx, 0x600 → nop • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800 ফڈͯ͠΋݁ՌʹӨڹ͕ͳ͍ͷͰDead Codeͱ൑அͰ͖Δ

14. σϞ

15. ͓ΘΓʹ • ಈ࡞ʹ೉͕͋ΔͷͰɺ·ͩमਖ਼͍ͯ͘͠ • Unicornͷ࡞ऀʹධՁͯ͠΋Β͑ͯΑ͔ͬͨ • ղੳऀͷิॿͱͳΔΑ͏ͳπʔϧΛOSSͱͯ͠ࠓޙ΋࡞ Γଓ͚͍͖͍ͯͨ