
2020 NCTU Program Security: Reverse Engineering Lecture Slides, Week 2 (Part 2)

terrynini
November 27, 2020


(There is a file size limit, so the deck is uploaded in two parts...)
This is an information security course offered jointly by three universities. This year I had the honour of being responsible for the reverse engineering part. Reverse engineering spans three weeks in total; since the third week is the homework walkthrough, it has no slides.

The course is listed under the following names in the three schools' course registration systems:
NTU: Computer Security
NTUST: Information Security Practice
NCTU: Program Security


Transcript

  1. ANTI ANALYZE: TIB (Thread Information Block), slide 6. NT_TIB NtTib ... PPEB PEB ... TEB ... PEB ExceptionList ... PNT_TIB Self ... ProcessEnvironmentBlock ... member
  2. ANTI ANALYZE: How To Get TEB, slide 8. NT_TIB NtTib ... PPEB PEB ... TEB; FS, Segment Descriptor Table, ... entry ... bit
  3. ANTI ANALYZE: TIB (Thread Information Block), slide 9. ExceptionList ... PNT_TIB Self ... PPEB PEB ... TEB; FS:[0x18] ... PEB (offsets 0x18, 0x30, 0x0); dereference "Self" in TEB
  4. ANTI ANALYZE: TIB (Thread Information Block), slide 10. ExceptionList ... PNT_TIB Self ... PPEB PEB ... TEB; FS:[0x30] ... PEB (offsets 0x18, 0x30, 0x0); dereference "PEB" in TEB
  5. ANTI ANALYZE: TIB (Thread Information Block), slide 11. ExceptionList ... PNT_TIB Self ... PPEB PEB ... TEB; FS:[0] ... PEB (offsets 0x18, 0x30, 0x0); dereference "ExceptionList" in TEB
  6. ANTI ANALYZE: TEB, slide 12. Offsets of the TEB fields by architecture:
     field          32-bit      64-bit
     ExceptionList  FS:[0]      GS:[0]
     TIB Self       FS:[0x18]   GS:[0x30]
     PEB            FS:[0x30]   GS:[0x60]
  7. ANTI ANALYZE: PEB (Process Environment Block, ... bit), slide 14. ExceptionList ... PNT_TIB Self ... PPEB PEB ... TEB (offsets 0x18, 0x30, 0x0); PEB: BeingDebugged (0x02) ... ImageBaseAddress (0x08), Ldr (0x0c) ... ProcessHeap (0x18) ... NtGlobalFlag (0x68)
  8. ANTI ANALYZE: PEB (Process Environment Block, ... bit), slide 15. PEB: BeingDebugged (0x02) ... ImageBaseAddress (0x08), Ldr (0x0c) ... ProcessHeap (0x18) ... NtGlobalFlag (0x68); _PEB_LDR_DATA: LIST_ENTRY InLoadOrderModuleList (0x0c), LIST_ENTRY InMemoryOrderModuleList (0x14), LIST_ENTRY InInitializationOrderModuleList (0x1c)
  9. ANTI ANALYZE: PEB (Process Environment Block, ... bit), slide 16. PEB: BeingDebugged (0x02) ... ImageBaseAddress (0x08), Ldr (0x0c) ... ProcessHeap (0x18) ... NtGlobalFlag (0x68); _PEB_LDR_DATA: InLoadOrderModuleList (0x0c), InMemoryOrderModuleList (0x14), InInitializationOrderModuleList (0x1c); LDR_DATA_TABLE_ENTRY { PVOID Reserved1[2]; LIST_ENTRY InMemoryOrderLinks; PVOID Reserved2[2]; PVOID DllBase; PVOID EntryPoint; PVOID Reserved3; UNICODE_STRING FullDllName; ... }
  10. ANTI ANALYZE: PEB (Process Environment Block, ... bit), slide 17. InMemoryOrderModuleList (0x14) Flink/Blink in _PEB_LDR_DATA; two LDR_DATA_TABLE_ENTRY records { PVOID Reserved1[2]; Flink; Blink; PVOID Reserved2[2]; PVOID DllBase; PVOID EntryPoint; PVOID Reserved3; UNICODE_STRING FullDllName; ... } chained through the Flink/Blink (InMemoryOrderLinks) at offset 0x8 of each record
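The walk the slides above describe (PEB+0x0c Ldr, _PEB_LDR_DATA+0x14 InMemoryOrderModuleList, then each LDR_DATA_TABLE_ENTRY through the LIST_ENTRY at its offset 0x8) together with the PEB+0x02 BeingDebugged byte, applied to a constructed 32-bit memory snapshot the way a memory-forensics tool would; this is an added example, not part of the deck. The base address, the module bases and the DllBase offset 0x18 (derived from the LDR_DATA_TABLE_ENTRY layout on the slides) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit "memory image": PEB at BASE, _PEB_LDR_DATA at BASE+0x80,
   two LDR_DATA_TABLE_ENTRY records at BASE+0x100 and BASE+0x140 (all assumed). */
#define BASE 0x7ffd0000u
static uint8_t mem[0x200];

/* Bounds-checked reads: a pointer outside the image yields 0 instead of a crash. */
static uint32_t rd32(uint32_t va) {
  uint32_t v = 0;
  if (va >= BASE && va - BASE + 4 <= sizeof mem) memcpy(&v, mem + (va - BASE), 4);
  return v;
}
static uint8_t rd8(uint32_t va) { return (va >= BASE && va - BASE < sizeof mem) ? mem[va - BASE] : 0; }
static void wr32(uint32_t va, uint32_t v) { memcpy(mem + (va - BASE), &v, 4); }
static void build_snapshot(void) {
  uint32_t peb = BASE, ldr = BASE + 0x80, e1 = BASE + 0x100, e2 = BASE + 0x140;
  memset(mem, 0, sizeof mem);
  mem[0x02] = 1;                        /* PEB+0x02 BeingDebugged (constructed: set) */
  wr32(peb + 0x08, 0x00400000u);        /* PEB+0x08 ImageBaseAddress */
  wr32(peb + 0x0c, ldr);                /* PEB+0x0c Ldr */
  /* List head InMemoryOrderModuleList at Ldr+0x14 (Flink, Blink); each record's
     InMemoryOrderLinks sit at record+0x8 (after Reserved1[2]), DllBase at record+0x18. */
  wr32(ldr + 0x14, e1 + 0x8); wr32(ldr + 0x18, e2 + 0x8);
  wr32(e1 + 0x8, e2 + 0x8);   wr32(e1 + 0xc, ldr + 0x14); wr32(e1 + 0x18, 0x00400000u);
  wr32(e2 + 0x8, ldr + 0x14); wr32(e2 + 0xc, e1 + 0x8);   wr32(e2 + 0x18, 0x77000000u);
}
/* BeingDebugged is the byte IsDebuggerPresent() reads; here it is read from the image. */
static int being_debugged(uint32_t peb) { return rd8(peb + 0x02) != 0; }
/* Walk InMemoryOrderModuleList. Flink points at the LIST_ENTRY embedded in the
   next record, so the record starts at link - 0x8 (CONTAINING_RECORD). Stop at the
   head, on a null link, or after max entries so a corrupted or cyclic list cannot hang. */
static int list_modules(uint32_t peb, uint32_t *bases, int max) {
  uint32_t head = rd32(peb + 0x0c) + 0x14, link = rd32(head);
  int n = 0;
  while (link != head && link != 0 && n < max) {
    bases[n++] = rd32(link - 0x8 + 0x18);
    link = rd32(link);
  }
  return n;
}
/* DllBase of the i-th module in memory order, 0 when there is no such module. */
static uint32_t module_base(int i) { uint32_t b[8]; return i < list_modules(BASE, b, 8) ? b[i] : 0; }
int main(void) {
  build_snapshot();
  printf("BeingDebugged=%d\n", being_debugged(BASE));
  for (int i = 0; module_base(i); i++) printf("  DllBase 0x%08x\n", module_base(i));
  return 0;
}
```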
  11. DIY

  12. ANTI ANALYZE: Anti Analyze, slide 20. ▸ garbage code ▸ code alignment ▸ encryption/decryption ▸ reflective binary ▸ api redirection ▸ polymorphic code ▸ debug blocker (self debugging, nanomite)
  13. ANTI ANALYZE: Debugger Detection, slide 23. ▸ NtQueryInformationProcess() ▸ CheckRemoteDebuggerPresent() ▸ NtQueryInformationProcess() ▸ NtQuerySystemInformation() ▸ NtSetInformationThread() ▸ NtQueryObject()
  14. ANTI ANALYZE: Debugger Detection, slide 24. ▸ FindWindow() ▸ Parent Process Check ▸ GetComputerName() ▸ GetCommandLine()
  15. END