2013 Day2P16 Life of Binaries: Code Signing Security
by Xeno Kovah
The class materials are available at http://www.OpenSecurityTraining.info/LifeOfBinaries.html [1]
Follow us on Twitter for class news @OpenSecTraining [2].
Have you ever wondered what happens when a C program is compiled and executed on a system? This three-day class by Xeno Kovah investigates the life of a binary from its birth as C source code to its death as a process running in memory and being terminated.
Topics will include but are not limited to:
*Scanning and tokenizing source code.
*Parsing a grammar and outputting assembly code.
*Different targets for x86 assembly object file generation (e.g. relocatable vs. position-independent code).
*Linking object files together to create a well-formed binary.
*Detailed description of the Windows PE binary format.
*How Windows loads a binary into memory and links it on the fly before executing it.
*Detailed description of the Unix/Linux/BSD ELF binary format.
Along the way we will discuss the relevance of security at different stages of a binary's life: how viruses *really* work, the way in which malware "packers" duplicate the OS's process-execution functionality, and the benefit of a security-enhanced OS loader that implements address space layout randomization (ASLR).
Lab work will include:
*Using the new "Binary Scavenger Hunt" [3] tool, which creates randomized PE binaries and asks randomized questions about the material you just learned.
*Manipulating compiler options to change the type of assembly that is output.
*Manipulating linker options to change the structure of the binary formats.
*Reading and understanding PE files with PEView.
*Using WinDbg to watch the loader resolve imports in an executable.
*Using Thread Local Storage (TLS) callbacks to obfuscate control flow and serve as a basic anti-debug mechanism.
*Creating a simple example virus for PE.
*Analyzing the changes made to the binary format when a file is packed with UPX.
*Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program's calls to external libraries, allowing processes to be hidden.
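Several of the labs above (reading PE files in PEView, watching the loader resolve imports, IAT hooking) come down to walking the same on-disk structures: DOS header, PE signature, FILE and OPTIONAL headers, the data directories, the section table, and the import directory with its name table and IAT. The following is an added example, not code from the class or from OpenSecurityTraining: a small PE parser that resolves RVAs through the section table, lists each imported function together with the RVA of its IAT slot (the slot an IAT hook overwrites once the loader has filled it), and reads the DllCharacteristics bits that govern ASLR and DEP. It also checks data directory 4, the Authenticode certificate table, which is how a parser tells a signed file from an unsigned one. Because a real PE cannot be shipped inline, the block builds a constructed minimal PE32 image (one `.idata` section importing two KERNEL32 functions) and parses that; `build_sample_pe`, `parse_pe` and `rva_to_offset` are names chosen here, not APIs of any tool the page mentions. The parser handles PE32+ field offsets and ordinal imports as well, which the constructed sample does not exercise.

```python
import struct

def build_sample_pe():
    """Constructed test data: a minimal PE32 image with one .idata section importing
    two functions from KERNEL32.dll. Not the output of any real compiler or linker."""
    sec_rva, sec_raw = 0x1000, 0x200                  # .idata section RVA and file offset
    dll, funcs = b"KERNEL32.dll\0", [b"ExitProcess\0", b"IsDebuggerPresent\0"]
    n = len(funcs)
    int_off = 20 * 2                                  # after one IMAGE_IMPORT_DESCRIPTOR + null terminator
    iat_off = int_off + 4 * (n + 1)                   # Import Name Table, then Import Address Table
    name_off = iat_off + 4 * (n + 1)
    hn_off = name_off + len(dll) + (len(dll) & 1)     # hint/name entries are 2-byte aligned
    hints, hn_rvas = bytearray(), []
    for f in funcs:
        hn_rvas.append(sec_rva + hn_off + len(hints))
        hints += struct.pack("<H", 0) + f + (b"\0" if len(f) & 1 else b"")
    thunks = b"".join(struct.pack("<I", r) for r in hn_rvas) + b"\0" * 4
    idata = struct.pack("<IIIII", sec_rva + int_off, 0, 0, sec_rva + name_off, sec_rva + iat_off)
    idata += b"\0" * 20 + thunks + thunks + dll + b"\0" * (len(dll) & 1) + hints
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0,                   # PE32 magic, linker version
                      0, 0x200, 0,                    # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1000, 0x1000, 0x1000,         # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,        # ImageBase, SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0,               # OS / image / subsystem versions
                      0, 0x2000, 0x200, 0,            # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8140,                      # Subsystem CUI; DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, 40)                           # IMAGE_DIRECTORY_ENTRY_IMPORT
    dirs[12] = (sec_rva + iat_off, 4 * (n + 1))       # IMAGE_DIRECTORY_ENTRY_IAT; entry 4 (SECURITY) left empty: unsigned
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)   # i386, 1 section, EXECUTABLE|32BIT
    sect = struct.pack("<8sIIIIIIHHI", b".idata", 0x200, sec_rva, 0x200, sec_raw, 0, 0, 0, 0, 0xC0000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C -> PE header at 0x40
    headers = dos + b"PE\0\0" + file_hdr + opt + sect
    return headers.ljust(sec_raw, b"\0") + idata.ljust(0x200, b"\0")

def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset via the section table (header RVAs map 1:1)."""
    for _, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    return rva

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_pe(data):
    """Walk DOS header -> PE signature -> FILE/OPTIONAL headers -> sections -> imports."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B             # PE32+ widens ImageBase and the size fields
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0] if plus else struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]            # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    dir_off = opt + (112 if plus else 96)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), vaddr, vsize, raw_ptr, raw_size))
    psize, ptr_fmt = (8, "<Q") if plus else (4, "<I")
    ordinal_flag = 1 << (8 * psize - 1)
    imports = {}
    desc = rva_to_offset(sections, dirs[1][0]) if ndirs > 1 and dirs[1][0] else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):
            break                                                      # all-zero descriptor ends the table
        entries, i = [], 0
        thunk_off = rva_to_offset(sections, oft or ft)                 # INT, or the IAT if the INT RVA is 0
        while True:
            thunk = struct.unpack_from(ptr_fmt, data, thunk_off + i * psize)[0]
            if thunk == 0:
                break
            if thunk & ordinal_flag:
                fname = "#%d" % (thunk & 0xFFFF)
            else:
                fname = cstr(data, rva_to_offset(sections, thunk & 0x7FFFFFFF) + 2)   # skip the 2-byte hint
            # ft + i*psize is the IAT slot the loader overwrites with the resolved address;
            # an IAT hook swaps exactly this slot in memory for its own function pointer.
            entries.append((fname, ft + i * psize))
            i += 1
        imports[cstr(data, rva_to_offset(sections, name_rva))] = entries
        desc += 20
    # Directory 4 (SECURITY) describes the Authenticode certificate table. Its first field
    # is a raw file offset rather than an RVA, because the certificates are never mapped.
    signed = ndirs > 4 and dirs[4][1] != 0
    return {"machine": machine, "pe32plus": plus, "image_base": image_base, "entry_point": entry,
            "aslr": bool(dll_chars & 0x0040), "nx": bool(dll_chars & 0x0100),
            "signed": signed, "sections": sections, "imports": imports}

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("ASLR=%s DEP=%s signed=%s" % (info["aslr"], info["nx"], info["signed"]))
    for dll, funcs in info["imports"].items():
        for fname, slot in funcs:
            print("%s!%s  IAT slot RVA 0x%x" % (dll, fname, slot))
```

To apply it to a real file, replace `build_sample_pe()` with `open(path, "rb").read()`. The IAT slot RVAs it reports are the addresses (relative to ImageBase, which ASLR rebases) that a debugger such as WinDbg shows being written during import resolution, and that an IAT-hooking rootkit patches afterwards; comparing the in-memory slot against the export the name resolves to is the basic IAT-hook detection check.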
The prerequisites for this class are a basic understanding of C programming and compilation. This class is recommended before the later class on Rootkits [4] (playlist: http://bit.ly/HLkPVG [5]), since we cover IAT hooking here, and is required for the later class on malware analysis.
References
1. http://www.opensecuritytraining.info/LifeOfBinaries.html
2. http://twitter.com/OpenSecTraining
3. https://code.google.com/p/roxor-arcade/wiki/BinaryScavengerHunt
4. http://opensecuritytraining.info/Rootkits.html
5. http://bit.ly/HLkPVG
Date Published: 2014-06-28 12:06:29
Identifier: LoB2013D2P16
Item Size: 109192265
Media Type: movies
# Topics
OpenSecurityTraining.info
Computer security class
security
Computer Security
Cyber Security
Host Security
binaries
binary executable format
Windows executable
Windows PE
PE
PE/COFF
Portable Executable
parsing
lexing
tokenizing
concrete syntax tree
parse tree
abstract syntax tree
abstract assembly tree
context free grammars
compiling
linking
x86 assembly
IAT
IAT hooking
EAT
TLS
DEP
ASLR
SEH
computer virus
packers
UPX
debugging
WinDbg
ELF binary format
Executable and Linkable Format
ELF
# Collections
opensecuritytraining
computersandtechvideos
# Uploaded by
@opensecuritytraining_info
# Similar Items
PHAROS