Week 5
Agenda
- Traces
- Obfuscation
- Self-modification
Traces
Ltrace
Library Trace -
Allows us to see the libc calls in the order they are called, as well as arguments to each call
Opening
Malloc
Output
Return values
Strace
System trace -
Similar to ltrace, shows all system calls made by the process in the order they occur and arguments to them.
What is all of this?
What about these?
Syscalls that set up the running process
Syscalls from our process
Ptrace
How does strace and ltrace work?
What can ptrace do?
And a lot more!
Obfuscation
Why Obfuscation?
- Hide intent
- Avoid detection
- Cause pain to Reverse Engineers
- Obfuscating is fun!
How can we obfuscate?
- Write compilers that do weird stuff
- Abuse Language Syntax
- Write VMs for esoteric languages (really fun actually)
Lets look through MOO
See Week_5/Lecture
Is Obfuscation effective?
Self Modification
Why Self-modification?
- Avoid detection
- Make static analysis much much harder
- Slower
- Hard to write
- Hard to read
- Better than Obfuscation when avoiding detection
Pros/Cons
What might a binary need to self modify?
- Write access to Executable segments/sections
- Stub code for modification
- Packers
Is Self-modification effective?
Week 5
By Drake P
Week 5
Obfuscation, Self-Modification, Traces
- 156