Week 5

Agenda

  • Traces
  • Obfuscation
  • Self-modification

Traces

Ltrace

Library Trace -

Allows us to see the libc calls in the order they are called, as well as arguments to each call

Opening

Malloc

Output

Return values

Strace

System trace -

Similar to ltrace, shows all system calls made by the process in the order they occur and arguments to them.

What is all of this?

What about these?

Syscalls that set up the running process

Syscalls from our process

Ptrace

How does strace and ltrace work?

What can ptrace do?

And a lot more!

Obfuscation

Why Obfuscation?

  • Hide intent
  • Avoid detection
  • Cause pain to Reverse Engineers
  • Obfuscating is fun!

How can we obfuscate?

  • Write compilers that do weird stuff
  • Abuse Language Syntax
  • Write VMs for esoteric languages (really fun actually)

Lets look through MOO

See Week_5/Lecture

Is Obfuscation effective?

Self Modification

Why Self-modification?

  • Avoid detection
  • Make static analysis much much harder
  • Slower
  • Hard to write
  • Hard to read
  • Better than Obfuscation when avoiding detection

Pros/Cons

What might a binary need to self modify?

  • Write access to Executable segments/sections
  • Stub code for modification
  • Packers

 

Is Self-modification effective?

Week 5

By Drake P

Week 5

Obfuscation, Self-Modification, Traces

  • 156