Week 5

Agenda

• Traces
• Obfuscation
• Self-modification

Traces

Ltrace

Library Trace -

Allows us to see the libc calls in the order they are called, as well as arguments to each call

Strace

System trace -

Similar to ltrace, shows all system calls made by the process in the order they occur and arguments to them.

How does strace and ltrace work?

What can ptrace do?

And a lot more!

Obfuscation

Why Obfuscation?

• Hide intent
• Avoid detection
• Cause pain to Reverse Engineers
• Obfuscating is fun!

How can we obfuscate?

• Write compilers that do weird stuff
• Abuse Language Syntax
• Write VMs for esoteric languages (really fun actually)

• https://en.wikipedia.org/wiki/Obfuscation_(software)
• https://en.wikipedia.org/wiki/Esoteric_programming_language
• https://github.com/xoreaxeaxeax/movfuscator
• https://www.youtube.com/watch?v=2VF_wPkiBJY

Lets look through MOO

See Week_5/Lecture

Is Obfuscation effective?

Self Modification

Why Self-modification?

• Avoid detection
• Make static analysis much much harder

• Slower
• Hard to write
• Hard to read
• Better than Obfuscation when avoiding detection

What might a binary need to self modify?

• Write access to Executable segments/sections
• Stub code for modification
• Packers

Is Self-modification effective?