SqrtreV

Ethical Hacker and Researching A.I with Keras ๐Ÿ˜ƒ

ํ•ดํ‚น ๋™์•„๋ฆฌ 3์ฃผ์ฐจ

Sandbox

๊ธฐ์›: ๋†€์ดํ„ฐ ๋ชจ๋ž˜ ์‚ฌ์žฅ์—์„œ ๋„˜์–ด์ ธ๋„ ๋‹ค์น˜์ง€ ์•Š๊ฒŒ ๋ณด์•ˆํ•ด์คŒ

๋ณด์•ˆ์—์„œ๋Š” ์•…์„ฑ์ฝ”๋“œ๊ฐ™์€ ๊ฒƒ์ด ์‹คํ–‰ ๋˜์ง€ ์•Š๊ฒŒ ๋ง‰๋Š”๊ฒƒ (๊ฐ€์ƒ์œผ๋กœ ๋Œ๋ ค์„œ ์•…์„ฑ ํ–‰์œ„๋ฅผ ํ•˜๋Š”์ง€ ํ™•์ธ)

IoT

Reversing(Malware) analysis

Browser (e.g Browser Exploitํ•ด์„œ ์‰˜ ๊ถŒํ•œ์„ ๋”ฐ๋„ ํ•  ์ˆ˜ ์žˆ๋Š”๊ฒƒ์ด ์—†์Œ -> ์ปค๋„๋กœ ํ•ด๊ฒฐ)

VM

Adobe Flash

Linux Sandbox

Sandbox

  • Cuckoo Sandbox

๊ณต๊ฒฉ ์–ด๋ ต๊ฒŒ

  • PIE

  • ASLR

  • DEP

  • RELRO

  • FORTIFY

  • CANARY

  • BPF(Seccomp)

๋ถ„์„์–ด๋ ต๊ฒŒ

  • Obfuscation

  • Packing

VM

VM: ์ฝ”๋“œ ๊ฐ€์ƒํ™”

์ƒˆ๋กœ์šด ์•„ํ‚คํ…์ณ(๋ฐ”์ด๋„ˆ๋ฆฌ ๋กœ๋”)

e.g) push rax; => push rax \x01

Codegate 2018

7 bit Architecture

DEFCON

9bit 3byte Architecture

Binary Loader

ELF Structure:

\x7fELF

Start Address

symbols

code base

data

...

loader๊ฐ€ kernel์ด ๋˜๊ณ , Code๊ฐ€ Binary.

binary loading -> header, memory alloc, memory useโ€ฆ

์šฐ๋ฆฌ๊ฐ€ Loader๋ฅผ ๋งŒ๋“ ๋‹ค๋ฉด Syscall ์–ด๋–ค์‹์œผ๋กœ ๊ตฌํ˜„?

์‹ค์ œ kernel syscall๋ฅผ ์‚ฌ์šฉ

๊ทธ๋Ÿฌ๋ฉด ๋ญ˜ ๋˜ ํ•ด์•ผํ• ๊นŒ?

  • Opcode์ •์˜๊ฐ€ ํ•„์š”ํ•˜๋‹ค!

e.g)

\x01 -> Opcode 1

\x02 -> Opcode 2

\x03 -> Opcode 3

push r0 ~ r8

\x01 \x00, \x01

Push r2 = \x01\x02

  • Turing Complete
  • ์‚ฐ์ˆ  ์—ฐ์‚ฐ
  • conditional jump
  • memory
  • store
  • Load
  • System call Definition (open, read, write, brk, mmap, munmap, ...)

์šฐ๋ฆฌ๊ฐ€ VM์„ ๋งŒ๋“ ๋‹ค๋ฉด ARM๊ณผ ๋น„์Šทํ•˜๊ฒŒ!

  • Store

  • Load

  • jump

  • compare

TIP

IDA: ๋‹จ์ถ•ํ‚ค o => ๋ณ€์ˆ˜ ๋งคํ•‘ํ•ด์คŒ


bbbigํ˜•์ด ์˜ˆ์ „์— ์ถœ์ œํ–ˆ๋˜ Vaaaam์ด๋ผ๋Š” ๋ฌธ์ œ๋ฅผ ๋ถ„์„ํ•ด ๋ณด๋ผ๊ณ  ๋˜์ ธ ์ฃผ์…จ๋‹ค.

๊ทธ๋ž˜์„œ VM์ฝ”๋“œ๋ฅผ ์–ด์…ˆ์ฒ˜๋Ÿผ ์ฝ์„ ์ˆ˜ ์žˆ๊ฒŒ ํŒŒ์ด์ฌ ์ฝ”๋“œ๋ฅผ ์งฐ๋‹ค.

from pwn import u32, p32

def ILLEGAL():
  print 'Illegal Instruction!'
  exit()

def VM(code):
  LEN = len(code)
  PC = 0

  while PC < LEN:
    code1 = u32(code[PC:PC+4])
    PC += 4
    t = (code1 >> 16)&0xff
    if t == 1 or t == 4:
      code2 = u32(code[PC:PC+4], sign="signed")
      a5 = code2
      PC += 4

    OP = code1 >> 24
    OP_TYPE = t
    a3 = (code1 >> 8) & 0xff
    a4 = code1 & 0xff

    print '[%3x] '%(PC - 4),     

    if OP == 0:
      if OP_TYPE:
        print 'ADD r%d, 0x%x'%(a3, code2)
      else:
        print 'ADD r%d, r%d'%(a3, a4)

    elif OP == 1:
      if OP_TYPE:
        print 'SUB r%d, 0x%x'%(a3, code2)
      else:
        print 'SUB r%d, r%d'%(a3, a4)

    elif OP == 2:
      if OP_TYPE:
        print 'XOR r%d, 0x%x'%(a3, code2)
      else:
        print 'XOR r%d, r%d'%(a3, a4)

    elif OP == 3:
      if OP_TYPE:
        print 'OR r%d, 0x%x'%(a3, code2)
      else:
        print 'OR r%d, r%d'%(a3, a4)

    elif OP == 4:
      if OP_TYPE:
        print 'AND r%d, 0x%x'%(a3, code2)
      else:
        print 'AND r%d, r%d'%(a3, a4)

    elif OP == 5:
      if OP_TYPE:
        print 'MUL r%d, 0x%x'%(a3, code2)
      else:
        print 'MUL r%d, r%d'%(a3, a4)

    elif OP == 6:
      if OP_TYPE:
        print 'DIV r%d, 0x%x'%(a3, code2)
      else:
        print 'DIV r%d, r%d'%(a3, a4)

    elif OP == 7:
      if not OP_TYPE:
        print 'INC r%d'%(a3)
      else:
        ILLEGAL()

    elif OP == 8:
      if not OP_TYPE:
        print 'DEC r%d'%(a3)
      else:
        ILLEGAL()

    elif OP == 9:
      if not OP_TYPE:
        print 'NOT r%d'%(a3)
      else:
        ILLEGAL()

    elif OP == 10:
      if OP_TYPE:
        print 'CMP r%d, 0x%x'%(a3, code2)
      else:
        print 'CMP r%d, r%d'%(a3, a4)

    elif OP == 11:
      if OP_TYPE:
        print 'JE 0x%x'%(PC-4 + a5)
      else:
        ILLEGAL()

    elif OP == 12:
      if OP_TYPE:
        print 'JNE 0x%x'%(PC-4+a5)
      else:
        ILLEGAL()

    elif OP == 13:
      if OP_TYPE:
        print 'JMP 0x%x'%(a5)
      else:
        ILLEGAL()

    elif OP == 14:
      if OP_TYPE:
        print 'CALL 0x%x'%(PC-4+a5)
      else:
        print 'CALL 0x%x'%(PC-4+a3)

    elif OP == 15:
      print 'RET'

    elif OP == 16:
      if OP_TYPE == 5:
        print 'PUSHB 0x%x'%(a3)
      elif OP_TYPE == 1:
        print 'PUSH 0x%x'%(a5)
      elif OP_TYPE == 0:
        print 'PUSH r%d'%(a3)
      else:
        ILLEGAL()

    elif OP == 17:
      if not OP_TYPE:
        print 'POP r%d'%(a3)
      else:
        ILLEGAL()

    elif OP == 18:
      if OP_TYPE:
        print 'SHR r%d, 0x%x'%(a3, code2)
      else:
        print 'SHR r%d, r%d'%(a3, a4)

    elif OP == 19:
      if OP_TYPE:
        print 'SHL r%d, 0x%x'%(a3, code2)
      else:
        print 'SHL r%d, r%d'%(a3, a4)

    elif OP == 20:
      if OP_TYPE == 1:
        print 'MOV r%d, 0x%x'%(a3, a5)
      elif OP_TYPE == 2:
        print 'MOV r%d, [stack+r%d]'%(a3, a4)
      elif OP_TYPE == 3:
        print 'MOV [stack+r%d], r%d'%(a3, a4)
      elif OP_TYPE == 4:
        print 'MOV [stack+r%d], 0x%x'%(a3, a5)
      elif OP_TYPE == 0:
        print 'MOV r%d, r%d'%(a3, a4)
      else:
        ILLEGAL()

    elif OP == 21:
      print 'SYSCALL r0'

    elif OP == 22:
      print 'NOP'
      PC -= 3
    else:
      ILLEGAL()

if __name__ == '__main__':
  VM(open("./bbbig.bin").read())