engineering - All Articles - CISO Platform2024-03-28T22:15:36Zhttps://www.cisoplatform.com/profiles/blogs/feed/tag/engineeringReverse Engineering Windows Defender;Emulatorhttps://www.cisoplatform.com/profiles/blogs/windows-offender-reverse-engineering-windows-defender-s-antivirus2018-09-24T06:00:00.000Z2018-09-24T06:00:00.000ZAmit, CISO Platformhttps://www.cisoplatform.com/members/AmitCISOPlatform<div><p><span>Windows Defender Antivirus's mpengine.dll implements the core of Defender's functionality in an enormous ~11 MB, 30,000+ function DLL. <br /> <br /> In this presentation, we'll look at Defender's emulator for analysis of potentially malicious Windows binaries on the endpoint. To the best of my knowledge, there has never been a conference talk or publication on reverse engineering any antivirus binary emulator before. <br /> <br /> We'll cover a range of topics including emulator internals—machine code to intermediate language translation and execution; memory management; Windows API emulation; NT kernel emulation; file system and registry emulation; integration with Defender's antivirus features; the virtual environment; etc.—building custom tooling for instrumenting the emulator; tricks that binaries can use to evade or subvert analysis; and attack surface within the emulator. <br /> <br /> Attendees will leave with an understanding of how modern antivirus software conducts emulation-based dynamic analysis on the endpoint, and how attackers might go about subverting or attacking these systems. I'll publish code for a binary for exploring the emulator from within, patches that I developed for instrumenting Defender built on top of Tavis Ormandy's loadlibrary project, and IDA scripts to help with analyzing mpengine.dll and Defender's "VDLLs"</span></p><p></p><p><strong>Speakers: </strong></p><p><span>Alexei Bulazel, Hacker</span></p><p></p><p><span>Alexei Bulazel (@0xAlexei) is a security researcher at ForAllSecure. He also provides expertise on reverse engineering and cyber policy at River Loop Security. Alexei has previously presented his research at venues such as Black Hat, REcon, and ShmooCon, among many others, and has published scholarly work at USENIX WOOT and ROOTS. Alexei is a proud alumnus of RPISEC.<br /> <br /> @0xAlexei</span></p><p></p><p><strong>Detailed Presentation:</strong></p><p><iframe src="//www.slideshare.net/slideshow/embed_code/key/EC2DP82vTnQrPT" width="650" height="485" frameborder="0" allowfullscreen=""></iframe></p><div style="margin-bottom:5px;"></div><div style="margin-bottom:5px;"><strong><a href="//www.slideshare.net/cisoplatform7/windows-offender-reverse-engineering-windows-defenders-antivirus-emulator" title="Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator" target="_blank">Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator</a></strong> from <strong><a href="//www.slideshare.net/cisoplatform7" target="_blank">Priyanka Aash</a></strong></div><div style="margin-bottom:5px;"><strong>(Source: DEF CON 26)</strong></div><p> <br /> </p><div style="margin-bottom:5px;"><strong><a href="http://event.cisoplatform.com/quick-member-sign-up/" target="_blank"><img width="750" src="{{#staticFileLink}}8669803288,original{{/staticFileLink}}" class="align-full" alt="8669803288?profile=original" /></a></strong></div></div>Miasm: Reverse Engineering Framework (Black Hat Conference 2018)https://www.cisoplatform.com/profiles/blogs/miasm-reverse-engineering-framework-black-hat-conference-20182018-09-27T10:00:00.000Z2018-09-27T10:00:00.000ZShubham Guptahttps://www.cisoplatform.com/members/ShubhamGupta<div><p>Miasm is a reverse engineering framework created in 2006 and first published in 2011 (GPL). Since then, it has been continuously improved through a daily use. The framework is made of several parts, including an assembler/disassembler for several architectures (x86, aarch64, arm, etc.), an human readable intermediate language describing their instructions' semantic, or sandboxing capabilities of Windows/Linux environment. On top of these foundations, higher level analysis are provided to address more complex tasks, such as variable backtracking and dynamic symbolic execution.</p><p>In this talk, we will introduce some of these features. The journey will start with the basics of the framework, go through symbolic emulation and function divination (Sibyl), and end with various components useful for malware analysis.</p><p>We will also talk about some of the new features which will be released for Black Hat. For example, the freshly implemented SSA transformation will be illustrated by applications in code simplification. Then, we will demonstrate how this feature, jointly with new operators description, enables more accurate code analyses. Finally, we will highlight what a better environment simulations and a wider support of recent instructions provides.</p><p>Miasm being a practical tool, each topic will be covered with real life use-cases.</p><p></p><p></p><p><span class="font-size-5">Speakers</span></p><p></p><p><span><strong>Camille Mougey</strong><br /> <br /> Camille Mougey is a security researchers working at CEA. He is one the main Miasm's developers. He is also the creator and main developer of Sibyl ([<a href="https://github.com/cea-sec/sibyl">https://github.com/cea-sec/sibyl</a>]). He enjoys reverse engineering, math and looking under the hood at algorithms to understand how to tweak them. He used to work on DRM obfuscation using auxiliary attacks (REcon 2014).</span></p><p></p><p><span><strong>Fabrice Desclaux</strong><br /> <br /> Fabrice Desclaux works at the CEA in the SSI lab as a research engineer. He is the creator of Miasm, a reverse engineering framework (<a href="https://github.com/cea-sec/miasm">https://github.com/cea-sec/miasm</a>). He is also the author of rr0d, the Rasta Ring 0 Debugger, an OS independent ring 0 debugger. He also worked at EADS, where he did some reverse engineering analysis on Skype (REcon 2006).</span></p><p></p><p></p><p></p><p><span class="font-size-5">Detailed Presentation:</span></p><p><iframe src="//www.slideshare.net/slideshow/embed_code/key/1SSBct0R5ML1LF" width="595" height="485" frameborder="0" allowfullscreen=""></iframe></p><div style="margin-bottom:5px;"><strong><a href="//www.slideshare.net/cisoplatform7/miasm-reverse-engineering-framework" title="Miasm: Reverse Engineering Framework" target="_blank">Miasm: Reverse Engineering Framework</a></strong> from <strong><a href="https://www.slideshare.net/cisoplatform7" target="_blank">Priyanka Aash</a></strong></div><p></p><div><p><strong>(Source: Black Hat USA 2018, Las Vegas)</strong></p><p></p><p><strong><a href="http://www.cisoplatform.com/main/authorization/signUp?" target="_blank"><img src="{{#staticFileLink}}8669820464,original{{/staticFileLink}}" width="750" class="align-full" alt="8669820464?profile=original" /></a></strong></p></div><p></p><p></p><p></p><p><span> </span></p></div>Watch the recorded webinar "The Role of Cyber Culture in a Cyber Strategy"https://www.cisoplatform.com/profiles/blogs/watch-the-recorded-webinar-the-role-of-cyber-culture-in-a-cyber2020-11-05T04:50:05.000Z2020-11-05T04:50:05.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><iframe width="560" height="315" src="https://www.youtube.com/embed/1J5NPV-OZeo?wmode=opaque" frameborder="0" allowfullscreen=""></iframe></p><p>Jack Roehrig, CISO at Turnitin, and I shared insights on how to incorporate Cyber Culture as part of an organization's Cyber Strategy.</p></div>