Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Unicornを用いたDead Code除去

@tkmru
March 20, 2017
0
220

Unicornを用いたDead Code除去

セキュリティ・キャンプ フォーラム 2017

@tkmru

March 20, 2017
Tweet

More Decks by @tkmru

See All by @tkmru
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
2
1.2k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
310
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
tkmru
0
160
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
5.3k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
4.4k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
870
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
200
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
4.1k
めんどうくさいゲームセキュリティ
tkmru
20
11k

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
69
4.7k
Java REST API Framework Comparison - PWX 2021
mraible
29
8.5k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7.1k
Code Review Best Practice
trishagee
67
18k
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.6k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Done Done
chrislema
183
16k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
The Cult of Friendly URLs
andyhume
78
6.3k
Become a Pro
speakerdeck
PRO
27
5.2k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
227
22k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.3k

Transcript

  1. UnicornΛ༻͍ͨDead Codeআڈ Security Camp Forum 2017 tkmruɹ

  2. ࣗݾ঺հ • ໊લ: ͚ͨ·Δ • ηΩϡϦςΟɾΩϟϯϓ શࠃେձ 2015 ଔۀੜ •

    twitter ID: @tkmru • CTFνʔϜ: TomoriNao

  3. Dead Codeͱ͸ • Dead Code͸࣮ߦͯ͠΋ҙຯ͕ͳ͍ίʔυ • ΞϯνσόοάͷͨΊʹϚϧ΢ΣΞʹ͸େྔʹDead Codeؚ͕·ΕΔ • ղੳͷো֐ͱͳΔ

  4. ؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,

    0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800

  5. ؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,

    0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 ੺จࣈҎ֎͸Dead Code

  6. ྫ) Themida(Packer) A Generic Approach to Automatic Deobfuscation of Executable

    Code http://www.sysnet.ucsd.edu/~bjohanne/assets/papers/oakland2015.pdf

  7. Nao(No-meaning Assembly Omiter) • Dead CodeআڈΛ͢ΔIDAϓϥάΠϯΛOSSͱͯ͠։ൃ • IDAPython • Unicorn(CPUΤϛϡϨʔλͷํ)

    • https://github.com/tkmru/nao • ࣮ࡍʹΤϛϡϨʔλ্Ͱ࣮ߦ͢ΔͷͰɺߴ͍ਫ਼౓Ͱআ ڈͰ͖Δ • ෳ਺ͷΞʔΩςΫνϟʔʹରԠՄೳ

  8. Unicornͱ͸ • QEMU forkͷϚϧνϓϥοτϑΥʔϜɺϚϧνΞʔΩς ΫνϟͳCPUΤϛϡϨʔλ • όΠφϦղੳπʔϧ angrͰ༻͍ΒΕ͍ͯΔͷΛ͸͡ Ίɺ֤छπʔϧ։ൃͰ࢖ΘΕ͍ͯΔ •

    ηΩϡϦςΟք۾Ͱ஫໨ͷOSS

  9. Unicorn

  10. Unicornͷshowcaseʹܝࡌ

  11. ΞϧΰϦζϜ • IDAͷάϥϑϏϡʔʹදࣔ͞Ε͍ͯΔόΠφϦΛऔΓग़ ͢ • NOP໋ྩʹҰߦͣͭมߋ͠ɺUnicornΛ༻͍࣮ͯߦ • ࠷ऴతͳϨδελͷ஋Λൺֱͯ͠൑அ • มߋ͞Ε͍ͯͨΒɺ݁ՌʹӨڹ͢ΔͷͰDead

    Code Ͱ͸ͳ͍ • มߋ͞Ε͍ͯͳ͚Ε͹ɺ݁ՌʹӨڹ͍ͯ͠ͳ͍ͷͰɹ Dead CodeͰ͋Δͱ൑அ

  12. ؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,

    0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800

  13. ؆୯ͳྫ x86 asm • mov eax, 0x100000 → nop •

    shr eax, 0x10 → nop • add eax, 0x913 → nop • and eax, 0x1fff → nop • mov ecx, eax → nop • mov eax, 0x1918632 • and ecx, 0x600 → nop • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800 ফڈͯ͠΋݁ՌʹӨڹ͕ͳ͍ͷͰDead Codeͱ൑அͰ͖Δ

  14. σϞ

  15. ͓ΘΓʹ • ಈ࡞ʹ೉͕͋ΔͷͰɺ·ͩमਖ਼͍ͯ͘͠ • Unicornͷ࡞ऀʹධՁͯ͠΋Β͑ͯΑ͔ͬͨ • ղੳऀͷิॿͱͳΔΑ͏ͳπʔϧΛOSSͱͯ͠ࠓޙ΋࡞ Γଓ͚͍͖͍ͯͨ