Debugging for Attack and Defence
Debugging for Attack and Defence: Learning to Attack, a brownbag in the 2018 series.
This is lightly formatted raw slide text. PDF of slides: http://dfirfiles.net/myslides/
set SeDebugPrivilege
- Debuggers
- Disasm, Decompile?
- Interactive
- Applications
- Powers
- Pause, Break
- Edit, Patch
- Examples
- ReverseMe
- Javascript
- Pinning EIP
- Links
No Disassemble?
- Disassembler
- Machine code (binary) => Assembly language code (text)
- Decompiler
- Binary => C-like pseudocode (or Java source, for bytecode)
- Interactive Debugger
- Disassemble and decompile running code, and inspect its live data structures
Disassemble
- capstone
- radare2 rasm2
- objdump, otool
- IDA Pro =>
- FileInsight
- CyberChef …
Decompile
- Snowman
- (in x32dbg) =>
- Hex-Rays
- (in IDA Pro)
- JADx & Procyon
- Java, Dalvik =>
Interactive!
- x64dbg =>
- Olly, Immunity
- IDA Pro
- radare2 =>
- Cutter
- gdb, windbg, …
Applications: attack, defence, CTFs
- Vulnerability research
- Exploit development
- and testing, and testing
- Deobfuscation/decoding
- Dynamic malware analysis
- Restart, try again
- CTFs and puzzles
Debugging Superpowers
- Stop time =>
- Some can rewind!
- See through walls =>
- Everything in memory is yours to command
- Change data and program flow
- Scriptable =>
- Extensible =>
- Pause & Run
- On Breakpoints
- Inspect
- Watch, Follow
- Single Stepping
- Edit memory!
- Commands
- Plugins
Live Demo?!?
- Exe sample
- Nag screen ?
Dev Tools : F12 , Ctrl-Shift-C
- Firefox, Chrome, IE and Edge all have 'em
- F12 on IE and Edge; Ctrl-Shift-C (Cmd-Shift-C on a Mac) for Firefox/Chrome
- Similar features, different details
- Friendly competition has made them all pretty great
- Honourable mentions:
- Firebug: now subsumed by Firefox dev tools
- Browser plugins: Cookie Editor, Tamper Data
debugger;
- Add this statement to your script: with the Web Debugger open (F12) it acts as a breakpoint
- and pauses execution at that line (with dev tools closed it is a no-op)
- Then Step, Watch, Pause … Debug!
Towards sploits!
- Learning to crash software … deliberately
- Manipulate program memory and registers
- Take control of execution …
mov EIP, 0x4141414141414141
- Run your code!
- First in a debugger … then on the target!
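Added example, not from the slides: a small C program that generates the cyclic "Aa0Aa1Aa2…" pattern used to pin EIP, maps the value a crashed process reports in EIP back to the offset of the saved return address, and carries a deliberately vulnerable strcpy() target to practise on. The function names, the buffer size and the sample crash value 0x37634136 are my own choices. One caveat the slide's `mov EIP, 0x4141414141414141` glosses over: on x86-64 a non-canonical return address faults at the `ret` instruction instead of landing in RIP, so on a 64-bit target read the overwriting bytes from the top of the stack (RSP) rather than from the instruction pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATTERN_MAX 20280 /* 26 * 26 * 10 triples of 3 bytes */

/* Fill buf with the "Aa0Aa1Aa2..." cyclic pattern (same layout as Metasploit's
 * pattern_create). Every 4-byte window in the 20280-byte pattern is unique, so
 * the bytes that land in EIP after a crash identify the exact offset at which
 * our input overwrote the saved return address. Returns the number of bytes
 * written; no NUL is appended. */
size_t cyclic_pattern(char *buf, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z'; u++)
        for (char l = 'a'; l <= 'z'; l++)
            for (char d = '0'; d <= '9'; d++) {
                const char triple[3] = { u, l, d };
                for (int i = 0; i < 3; i++) {
                    if (n >= len)
                        return n;
                    buf[n++] = triple[i];
                }
            }
    return n;
}

/* Map a register value read from the crashed process back to an offset in the
 * pattern. width is 4 for a 32-bit EIP, 8 for a 64-bit value read off the
 * stack. x86 is little-endian, so the low byte of the register is the first
 * byte that was written. Returns -1 when the value is not from the pattern
 * (e.g. 0x41414141 from a plain run of 'A's). */
long pattern_offset(uint64_t value, int width)
{
    static char pat[PATTERN_MAX];
    size_t n = cyclic_pattern(pat, sizeof pat);
    unsigned char needle[8];
    if (width < 1 || width > 8)
        return -1;
    for (int i = 0; i < width; i++)
        needle[i] = (unsigned char)((value >> (8 * i)) & 0xff);
    for (size_t i = 0; i + (size_t)width <= n; i++)
        if (memcmp(pat + i, needle, (size_t)width) == 0)
            return (long)i;
    return -1;
}

/* Deliberately vulnerable target: strcpy() into a fixed 64-byte stack buffer.
 * Build it 32-bit with -fno-stack-protector and run it under gdb or x64dbg to
 * watch the pattern march over the saved return address. */
void vuln(const char *input)
{
    char buf[64];
    strcpy(buf, input); /* no length check: this is the overflow we are hunting */
    printf("copied %zu bytes\n", strlen(buf));
}

int main(int argc, char **argv)
{
    char pat[PATTERN_MAX + 1];
    size_t n = cyclic_pattern(pat, PATTERN_MAX);
    pat[n] = '\0';

    if (argc > 1) {
        /* With an argument, act as the crash target: ./pin "$(./pin | head -c 200)" */
        vuln(argv[1]);
        return 0;
    }
    /* Without arguments, emit the pattern on stdout (feed it to the target)
     * and demonstrate two lookups on stderr. */
    puts(pat);
    fprintf(stderr, "EIP=0x37634136 -> offset %ld\n", pattern_offset(0x37634136, 4));
    fprintf(stderr, "EIP=0x41414141 -> offset %ld\n", pattern_offset(0x41414141, 4));
    return 0;
}
```

Typical workflow (flags assumed for a 32-bit Linux build): `gcc -m32 -fno-stack-protector -no-pie -o pin pin.c`, then in gdb `run "$(./pin | head -c 200)"`; the SIGSEGV report shows EIP holding four pattern bytes, and `pattern_offset()` turns that value into the byte offset where your own address must go. The constructed value 0x37634136 ("6Ac7" in memory order) resolves to offset 80, which is what a 64-byte buffer plus saved EBP and padding looks like on a typical frame.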
Links
- https://github.com/zerosum0x0/winrepl
- https://github.com/gchq/CyberChef/
- https://microcorruption.com/about
- https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide/debugger
- https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/
- https://www.malwaretech.com/beginner-malware-reversing-challenges
- https://chocolatey.org/packages/x64dbg.portable/20180719.1655
- https://github.com/ashishb/android-malware/tree/master/towelroot
- https://securedorg.github.io/RE101/
- https://www.packtpub.com/networking-and-servers/learning-malware-analysis
- https://github.com/mattgodbolt/compiler-explorer/
- https://nostarch.com/bughunter and forthcoming https://nostarch.com/bughunting
- https://nostarch.com/malware and forthcoming https://nostarch.com/malwaredatascience
- https://www.sans.org/ondemand/course/reverse-engineering-malware-malware-analysis-tools-techniques
Written on August 2, 2018