Map and projects (the most frequently updated page of this blog)

Map

PoC binaries and sources are included whenever it's possible.
Entries without link are not blogged on yet, but are planned and may already be in the source.


Libraries
  • kabopan: a python module of various algorithms, written in a readable way (performance is not a priority)
    • compression: Aplib, BriefLZ, JCALG1,...
    • hash: MD2/4/5, SHA0/1/2, Tiger, HAS, RIPEMD,...
    • cipher: streams (RC4), block (TEA),...
    • encoding: Base16/32/64, Ascii85, uu/xxencode
    • and other categories of algorithms (unary encoding, etc...)
  • libdasm: a C (with python bindings) disassembly library, with support for undocumented opcodes
  • PyUDD: a python module to manage OllyDbg .UDD files

PE file format schema
  • rules : description of the true limitations of the PE format
  • Header:
    • minimal : a working PE file with only 16 defined elements in the header
    • compiled : a complete reproduction of a masm-generated executable, for complete understanding.
    • tinier: a 97 bytes working PE file, like TinyPE, but with even less defined elements
  • EntryPoint
    • none: a working executable with no entry point
    • remote: a working PE file with the entry point outside of the PE
    • rounded: EP is in the slackspace due to section alignment
  • Sections
    • none : a working PE file with no section table and a null SizeOfOptionalHeader
    • duplicate, full pe: 2 examples of PE files that map twice the same sections, or the entire PE
  • TLS:
    • TLS : different examples of use of TLS callbacks
      • normal use
      • fake entry in the callback list, to fool tools
      • the callbacks points to external code that is correctly executed
      • a callback updates the list on the fly, to add another (aka, the real one) callback
      • a callback that doesn't run because only kernel32 is loaded, then is executed after another DLL is loaded.
    • in imports: a callback pointing to an import entry will not only look corrupted, but can also be used to execute an external file
  • SubSystems : minimalist driver and console PE executables, manually generated
  • Drivers in user mode: how to debug (to unpack, for example) simple drivers, in user-mode
  • Imports:
    • forwarding
    • collapsed: a working file where all the imports are scattered in gaps of the header
    • kernel31: a trampoline dll to bring backward compatibility to binaries compiled under XP SP3
    • unicode
  • Exports
    • none
    • self: the file uses its own exports to transfer execution
  • Resources:
    • shuffled structure: except the root directories, all the other can be in any order. and Data can be anywhere, outside the resource directory
    • loop: 1-level and 2-level recursive references in the resources, putting various PE tools in infinite loops.
    • fail7: a specific resource structure that fails on loading under windows 7.
  • Structure
    • slack space
    • stealth appended data: adding a fake empty section turns appended data into slack space
  • Infographics 

Countermeasures (anti-debuggers, etc...) cheat sheet PDF
  • Opcodes
    • smsw : anti-emulation/stepping, based on the SMSW opcode
    • gs : example of use of the GS register as a timer/anti-emulation/analysis
    • undocumented opcodes : a working PE file relying on undocumented opcodes or opcode behaviors (which can be used as anti-emulation).
    • sysenter: anti stepping/emulation, using SYSENTER
    • Int2A : a delay-loop based around the use of Int 2A
  • exceptions
    • triggers: enumerating the various ways to triggers exceptions (Lock, Violation, Ints, IceBp, Apis)
    • trap flag stepping
    • fake return
    • hardware breakpoints
    • handler overwriting
    • flow: (conditional) jumps are overwritten, and the flow of execution is controlled by an exception handler
  • tools-specific:
    • vmware
    • ollydbg
  • misc
  • self-debugging

Opcodes infographics
  • all: source and binaries using all opcodes, including SSE5 XOP, AVX, Padlock
  • all working user-mode: a working executable using every user-mode opcode with tests
  • get IP: enumerating all the ways to get the current EIP.(Call/pop, FPU, Exceptions, Int)
  • mem copy: use of specific opcodes to copy large blocks of memory
  • strings obfuscation
    • inline: strings are put in the code and called over
    • stack: strings are pushed dword by dword on the stack before use
    • crypted: each string is encrypted individually

    Infographic: one-byte overview, two-byte perspective, description

Obfuscation
  • Junk
    • common
      • gaps: big gaps of junks are inserted, making readability lower
      • junk: simple junk opcodes between meaningful ones.
      • fake start: fake common code is added to fool tools
      • fake code: real code is put in the middle of non-used 'real' code, so this junk doesn't look unnatural.
      • overlapping: execution jumps in the middle of the next instruction to prevent an overview of disassembly.
      • spaghetti: jumps are inserted between each instruction, making things harder to follow
      • poly+spaghetti: spaghetti code, but each jump is different, making things even harder
    • artistic
      • block: a funny form of obfuscation where all the lines look the same
  • relocator: if all functions are supposed to execute from the same address, you can't dump them.
  • virtualization: various forms of code virtualization, using different architectures: standard, stack, TTA, SubLEQ (the last 2 only use a single opcode)
  • self-generating: polymorphic code is generated on the fly before execution
  • jumps (part 2): enumerating all the ways to change EIP - to jump: opcodes, exceptions, APIs (SetLdtEntries, Enum*)...
  • loops: unusual forms of looping
    • no conditional jump
    • too many conditional jumps
    • exceptions
    • hidden counter and exit
  • API loops: looping by using specific apis
  • Blank section, Overlapping instruction, imports interference, exports interference

Executable formats
  • Com
  • Exe
    • HelloWorld
    • ZM
    • tiny
Packers infographics
  • categories
    • extension
      • patcher: simple redirection to OEP
      • faker: fake code from known packer is inserted before redirection
      • protecter: an anti-debugger is used before OEP jump
      • crypter: original code is encrypted
      • compresser: original code is compressed
    • transformation:
      • mutater: original code is transformed to synonyms
      • virtualizer: original code is rewritten into bytecode. engine is included.
        • x86
        • stack
        • subleq
        • tta
        • binary
  • droppers
    • resource
    • appended data
    • thread injection
    • spawn itself suspended, modifies thread then resume
  • api hooking: hooking APIs when external files are bundled inside the executable
  • imports loading
    • manual: imports are loaded manually before each use
    • structured: imports are loaded once for all according to a specific structure
    • packer (like FSG)
    • hash-based
  • imports obfuscation
    • junk: junk is inserted between the import trampoline and the call
    • stolen: the first bytes of the API are stolen in the program memory space.
    • ip-dispatched: all imports are going through a dispatcher that relies on the EIP of the call
    • param-dispatched: all imports are going through a dispatcher that relies on a specific parameter
    • hooks: hooks are placed, either between the trampoline and the call, either at the start of the API
    • trampolines on external buffer: trampolines are generated in a standalone buffer, usually ignored by dumping tools.
  • crypters' algorithms
    • xor
    • prng
    • rc4
  • techniques
    • free on leaving
    • lower APIs: use of lower level APIs to prevent hooking/debugging
    • unmapping
Infographics: landscape, categories, detailed features, common entrypoints, models

PDF

  • javascript a 60 bytes PDF that triggers Javascript on closing. reports error, though (the 'tiny pdf' reference, from FireEye)
  • empty displays a blank page, and no error from Acrobat, in 43 bytes - possibly the smallest working PDF. this one actually implements a real page (correct zoom level, etc...), in 73 bytes.
  • helloworld a page showing Hello World as standard text. no error, straightforward to modify (Acrobat 8,199 bytes) (Acrobat 9-X version, 204 bytes)
  • helloworld_js a 111 byte PDF that displays Hello World via javascript on opening.(Acrobat 8 only). (Acrobat 9-X version, 139 bytes).
  • global variables a PDF that implements the global variable trick in Adobe Javascript (presented by Sebastian Porst)
Archives:
Subscribe to: Posts (Atom)