[2013 CodeEngn Conference 09] BlueH4G - hooking and visualization
DESCRIPTION
2013 CodeEngn Conference 09. For reverse engineers and application analysts, hooking is something they cannot do without. Many libraries such as Detours exist for hooking, but when analysing a large number of applications, or when you simply want to look at the internal flow, it takes more manual work than expected. This talk implements hooking in an easier and simpler way, and introduces visualization so that the analysis becomes more intuitive.
http://codeengn.com/conference/09
http://codeengn.com/conference/archive
TRANSCRIPT
Page 1
hooking & visualization
Jaeyong Kim (BlueH4G at gmail dot com)
2013 CodeEngn Conference 09
www.CodeEngn.com
Page 2
AGENDA
1. Introduce
2. about this presentation
3. why did i do it?
4. what is hooking?
5. what to do with hooking?
6. Demo
7. QnA
Page 3
who is me?
Jaeyong Kim, 26 (xx chromosome)
IGLOO Security & B10S & Hackerschool WG
http://wargame.kr
blueh4g at gmail dotcom
Page 4
about this presentation
Page 5
why did i do it?
Page 6
why did i do it?
Custom fuzzer using pydbg
Carnegie Mellon's FOE
and so on...
Page 7
why did i do it?
Page 8
why did i do it?
EIP
41414141
?????
did you dream about dragon?
Page 9
why did i do it?
vtable!
OLE Structure!
Page 10
why did i do it?
Page 11
what is hooking?
I want to know the application flow!
Basic block?
or... other?
Page 12
what is hooking?
WinAPI - Windows Application Programming Interface
Every application running on Windows uses the WinAPI.
What if we put a hook on every WinAPI function and trace the flow?
Page 13
what to do with hooking?
What is hooking?
Page 14
what to do with hooking?
Before hooking: APPLICATION -> WinAPI
After hooking: APPLICATION -> Custom Func -> WinAPI
Page 15
so, what?
1. Application Flow Analysis
2. WinAPI Parameter, return value monitoring
3. Crash & Original sample diffing (in App)
4. Call Stack log of WinAPI
5. memcpy, heapalloc etc.. API tagging
6. invalid param & invalid ret tagging
7. basic rule is readability
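The following is an added example, not code from the talk or from any of the tools it names. It shows the "Application -> Custom Func -> WinAPI" layering from page 14 and the uses listed on page 15 (parameter and return-value monitoring, call-stack logging, API tagging, invalid-param / invalid-ret tagging, and diffing the flow of an original sample against a crashing one) as a small in-process hook layer. It is written in Python so it runs anywhere; on Windows the same wrapper sits behind a Detours- or WinAPIOverride-style trampoline instead of a `setattr`. The `winapi` namespace, the `HeapAlloc`/`memcpy` behaviour, the `application` function, the sample sizes and the tagging rules are all constructed for the demonstration.

```python
"""Added example: an in-process hook layer that intercepts every exported
function of a module, logs parameters, return value and call stack, tags
calls, and diffs the API flow of two runs. Everything below is constructed
for illustration; it is not the presenter's tool."""
import functools
import traceback
from types import SimpleNamespace


# --- constructed stand-in for a DLL export table (not the real Win32 API) --
def HeapAlloc(heap, flags, size):
    # constructed behaviour: allocation fails for oversized requests
    return 0 if size > 0x10000 else 0x00A00000 + size


def memcpy(dst, src, n):
    return dst


winapi = SimpleNamespace(HeapAlloc=HeapAlloc, memcpy=memcpy)

# --- hook layer ("Custom Func" between the application and the API) -------
TRACE = []        # one dict per intercepted call, in call order
ORIGINALS = {}    # name -> original callable, kept so we can unhook
TAGGED_APIS = {"HeapAlloc", "memcpy"}   # page 15 item 5: memory APIs to tag


def _tags(name, args, ret):
    """Page 15 items 5 and 6: tag interesting APIs and invalid params/returns."""
    tags = set()
    if name in TAGGED_APIS:
        tags.add("mem-api")
    if name == "HeapAlloc" and ret == 0:          # NULL allocation result
        tags.add("invalid-ret")
    if name == "memcpy" and (args[2] <= 0 or args[2] > 0x10000):
        tags.add("invalid-param")
    return tags


def make_hook(name, original):
    @functools.wraps(original)
    def custom_func(*args, **kwargs):
        ret = original(*args, **kwargs)   # pass through to the real function
        # call stack of the caller, innermost frame (this wrapper) dropped
        stack = [f.name for f in traceback.extract_stack()[:-1]]
        TRACE.append({"api": name, "args": args, "ret": ret,
                      "stack": stack, "tags": _tags(name, args, ret)})
        return ret
    return custom_func


def hook_all(module):
    """Page 12: put a hook on every exported function of the module."""
    for name, fn in list(vars(module).items()):
        if callable(fn) and not name.startswith("_"):
            ORIGINALS[name] = fn
            setattr(module, name, make_hook(name, fn))


def unhook_all(module):
    for name, fn in ORIGINALS.items():
        setattr(module, name, fn)
    ORIGINALS.clear()


# --- constructed target application ---------------------------------------
def application(sample_size):
    """Parses a 'sample' by allocating a buffer and copying into it."""
    buf = winapi.HeapAlloc(0x1000, 0, sample_size)
    if buf:
        winapi.memcpy(buf, 0xDEAD0000, sample_size)
    return buf


def run_traced(sample_size):
    """Run the application under hooks and return a copy of the trace."""
    TRACE.clear()
    hook_all(winapi)
    try:
        application(sample_size)
    finally:
        unhook_all(winapi)
    return list(TRACE)


def diff_traces(original, crash):
    """Page 15 item 3: find where the crash sample's API flow first diverges
    from the original sample's. Returns (index, original_record, crash_record)
    or None when the flows match."""
    for i, (a, b) in enumerate(zip(original, crash)):
        if a["api"] != b["api"] or a["tags"] != b["tags"]:
            return i, a, b
    if len(original) != len(crash):
        i = min(len(original), len(crash))
        return (i, original[i] if i < len(original) else None,
                crash[i] if i < len(crash) else None)
    return None


if __name__ == "__main__":
    good, bad = run_traced(0x100), run_traced(0x20000)
    for rec in good + bad:
        print(rec["api"], [hex(a) for a in rec["args"]], hex(rec["ret"]),
              sorted(rec["tags"]), " <- ".join(reversed(rec["stack"][-3:])))
    print("first divergence:", diff_traces(good, bad))
```

Running the module prints one line per intercepted call, with the call stack reversed so the innermost caller comes first (page 15 item 7: readability), and then the index of the first call at which the oversized "crash" sample's flow diverges from the original: the `HeapAlloc` that returns NULL and is tagged `invalid-ret`, after which the `memcpy` never happens.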
Page 16
hooking tools
Page 17
hooking tools
WinAPIOverride32/64
- Opensource (Thx!)
- jacquelin.potier.free.fr/winapioverride32/
API Monitor v2 32/64
- not opensource (but free)
- www.rohitab.com
Page 18
Demo
Page 19
another episode..
1. RtlWriteDecodedUcsDataIntoSmartLBlobUcsWritingContext
2. full GUI interface?
Page 20
QnA
Question
&
Answer
...?
Let's say there are no questions...
Page 21
thx
If you have any further questions, please send me an email :D
blueh4g [at] gmail {dot} com