
Subject: Re: [boost] Boost.Binaries Project
From: Antony Polukhin (antoshkka_at_[hidden])
Date: 2014-03-21 03:40:06


Good!

Now look, you need to write an official proposal. Here's the template:
https://svn.boost.org/trac/boost/wiki/SoCSubmissionTemplate

Send it to the boost_at_lists.boost.org.

After that I'll tell the list that you have the qualifications, have finished
the test task, and that I'm willing to mentor you.

Hurry up! March 21 is the deadline for student applications.

A few thoughts about the Binary project:

Signing/encrypting a whole section is a good idea, I like it.

The very initial idea was to allow the user to specify a code block or variable
location to encrypt/checksum. That's what the task with
PUT_HELLO_THERE_IN_BINARY was meant for. By inserting markers into the binary
we'll be able to find the code blocks later (find(binary, "Hello there!")). As
you've mentioned, the compiler eliminates dead code; however, there is a way to
bypass it: if we put the jmp instruction directly in the assembly block, the
compiler will not eliminate it (at least 3 years ago it was not
eliminating it).

The Binary library must consist of two parts:
postprocessing: tools to find markers, modify marked variables, change
sections and entry point...
core: markers for code, markers for variables, functions to do something at
code block enter/leave.

2014-03-20 20:43 GMT+04:00 Flavius Condrea <flavius.condrea_at_[hidden]>:

> Hi Antony,
>
>
> I solved the task you gave me. I attached the source code, where you will
> find a comment, too.
>
> I worked last summer at Bitdefender as a full-time Malware Researcher. I
> studied a lot of reverse engineering, Windows API and basic Python. While
> working there, I did research on several malware samples, developing detection
> and cleaning algorithms.
>
> Also, using the Pin library, developed by Intel, I created a C++
> application that reveals information while running a binary file, such as:
>
> - For each call it obtains information about the instruction: the
> call address, the procedure address, the procedure parameters including
> the parameter values.
>
> - It shows if the function writes to memory and, in case it does,
> the application obtains this information from memory
>
> - It reveals if a new process or thread is created
>
> Then I developed a plugin (written in Python) for the IDA Disassembler
> application. The plugin inserts strategically-placed comments with the
> information mentioned above. This way, binary-file analysis can be done
> more easily. I attached a few screenshots to show clearly
> what my tool actually does.
>
> At the same time, if a binary file has encrypted code (most
> malware has this), the developed application dumps the image from memory
> (in memory the code is decrypted) and restores the PE header and
> imported functions for an easier IDA analysis of the malware.
>
>
> Best regards,
>
> Flavius Condrea
>
>
> PS: About this task: should I include it in the application form?
>
>
> 2014-03-20 9:13 GMT+02:00 Antony Polukhin <antoshkka_at_[hidden]>:
>
> 2014-03-19 21:17 GMT+04:00 Flavius Condrea <flavius.condrea_at_[hidden]>:
>>
>>> Hi Antony,
>>>
>>
>> Hi and welcome!
>>
>>
>>> I was thinking of applying for the Boost.Binaries project. Therefore lately
>>> I have been researching what this involves. I thought of a way to
>>> encrypt an executable file so that it decrypts itself at runtime. I have the
>>> following solution for this:
>>>
>>> 1. Create an encryption key and a decryption key (public or
>>> private)
>>>
>>> 2. Iterate over each section and see if it contains executable code, and
>>> then encrypt that section with the key from point one.
>>>
>>> 3. Create a new section that will contain the Original Entry
>>> Point (OEP) and the decryption algorithm that will be executed at runtime. The
>>> decryption algorithm will contain (at the end) a jmp to the Original Entry
>>> Point. The decryption key will be delivered separately.
>>>
>>> 4. Change the executable header (PE header) so that it is valid
>>> after the changes made (this involves modifying the entry point to
>>> point to the decryption algorithm and other things)
>>>
>> Sounds pretty good. Looks like you've done some investigations and know
>> what you are talking about.
>>
>>
>>
>>> Besides these things I am willing to add other features according to
>>> your wishes.
>>>
>>> I am waiting for your opinion.
>>>
>>
>> You've got a good start, but there is a requirement in the community to give
>> some small tasks to the student.
>> If you are willing to start the Boost.Binary project, then you need to make
>> a main.cpp file that contains the following
>>
>> #include <iostream>
>>
>> int main() {
>>     std::cout << "Hello ";
>>     goto foo;
>>     PUT_HELLO_THERE_IN_BINARY
>> foo:
>>     std::cout << "World";
>> }
>>
>> There you must define the PUT_HELLO_THERE_IN_BINARY macro to some code that
>> will put the "Hello there!" string between the two calls to operator<< in the
>> binary file. In the disassembly there must be something like this:
>>
>> ...
>> call basic_ostream::operator<<
>> jmp foo
>> 48 65 6c 6c 6f 20 74 68 65 72 65 21 ; 'Hello there!' in raw view
>> foo:
>> ...
>> call basic_ostream::operator<<
>>
>> If you make your solution portable between the MSVC and GCC compilers,
>> you're almost certainly in :)
>>
>>
>> --
>> Best regards,
>> Antony Polukhin
>>
>
>

-- 
Best regards,
Antony Polukhin
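
The packer outline in Flavius's first message (iterate the sections, pick the executable ones, encrypt them, add a stub section, retarget the entry point) as an added example. This is not Boost code and not code from this thread: it walks the section table of a small PE image constructed in memory, transforms the executable sections and swaps the entry point, returning the OEP the stub would need. The field offsets follow the PE/COFF specification; repeating-key XOR is only a placeholder for a real cipher, the synthetic image is not loadable, the stub RVA 0x3000 is hypothetical, and every function name here is my own.

```cpp
// Added example, not code from Boost or from this thread. Walks the section
// table of a PE image built in memory, transforms the executable sections
// (XOR stands in for the real cipher) and retargets the entry point.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<std::uint8_t>;
constexpr std::uint32_t IMAGE_SCN_CNT_CODE    = 0x00000020;
constexpr std::uint32_t IMAGE_SCN_MEM_EXECUTE = 0x20000000;

// Little-endian field access with bounds checks: a malformed header must not
// turn into an out-of-bounds read in the tool.
std::uint16_t rd16(const Bytes& b, std::size_t o) {
    if (o + 2 > b.size()) throw std::out_of_range("rd16");
    return static_cast<std::uint16_t>(b[o] | (b[o + 1] << 8));
}
std::uint32_t rd32(const Bytes& b, std::size_t o) {
    if (o + 4 > b.size()) throw std::out_of_range("rd32");
    return std::uint32_t(b[o]) | (std::uint32_t(b[o + 1]) << 8) |
           (std::uint32_t(b[o + 2]) << 16) | (std::uint32_t(b[o + 3]) << 24);
}
void wr32(Bytes& b, std::size_t o, std::uint32_t v) {
    if (o + 4 > b.size()) throw std::out_of_range("wr32");
    for (int i = 0; i < 4; ++i) b[o + i] = static_cast<std::uint8_t>(v >> (8 * i));
}

struct Section {
    std::string name;
    std::uint32_t virtual_address = 0, raw_size = 0, raw_offset = 0, characteristics = 0;
    bool executable() const {
        return (characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)) != 0;
    }
};

// e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER (20 bytes) -> optional header.
// AddressOfEntryPoint sits 16 bytes into the optional header (PE32 and PE32+).
std::size_t optional_header_offset(const Bytes& img) {
    if (img.size() < 0x40 || img[0] != 'M' || img[1] != 'Z') throw std::runtime_error("no MZ header");
    std::size_t pe = rd32(img, 0x3C);
    if (rd32(img, pe) != 0x00004550) throw std::runtime_error("no PE signature");
    return pe + 4 + 20;
}

std::vector<Section> parse_sections(const Bytes& img) {
    std::size_t opt = optional_header_offset(img);
    std::uint16_t nsec = rd16(img, opt - 20 + 2);       // NumberOfSections
    std::uint16_t opt_size = rd16(img, opt - 20 + 16);  // SizeOfOptionalHeader
    std::size_t hdr = opt + opt_size;                   // IMAGE_SECTION_HEADER[0], 40 bytes each
    std::vector<Section> out;
    for (std::uint16_t i = 0; i < nsec; ++i, hdr += 40) {
        Section s;
        for (std::size_t k = 0; k < 8 && img.at(hdr + k) != 0; ++k) s.name += static_cast<char>(img[hdr + k]);
        s.virtual_address = rd32(img, hdr + 12);
        s.raw_size = rd32(img, hdr + 16);
        s.raw_offset = rd32(img, hdr + 20);
        s.characteristics = rd32(img, hdr + 36);
        out.push_back(s);
    }
    return out;
}

// Step 2: transform the raw bytes of every executable section in place.
// Repeating-key XOR is self-inverse (the same call "decrypts"); it is a
// placeholder for a real cipher, not a recommendation.
std::vector<std::string> xor_executable_sections(Bytes& img, const Bytes& key) {
    std::vector<std::string> done;
    for (const Section& s : parse_sections(img)) {
        if (!s.executable() || s.raw_size == 0) continue;
        if (std::size_t(s.raw_offset) + s.raw_size > img.size()) throw std::runtime_error("section outside file");
        for (std::uint32_t i = 0; i < s.raw_size; ++i) img[s.raw_offset + i] ^= key[i % key.size()];
        done.push_back(s.name);
    }
    return done;
}

// Step 4: point the header's entry at the stub and return the original entry
// point (OEP), which the stub must jmp to once decryption is done.
std::uint32_t retarget_entry_point(Bytes& img, std::uint32_t stub_rva) {
    std::size_t ep = optional_header_offset(img) + 16;
    std::uint32_t oep = rd32(img, ep);
    wr32(img, ep, stub_rva);
    return oep;
}

// Constructed input: a minimal, non-loadable PE32 layout with a .text section
// of NOPs and a .data section, just enough to drive the functions above.
Bytes make_synthetic_pe() {
    const std::size_t pe = 0x40, opt_size = 96;
    Bytes img(0x400, 0);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3C, static_cast<std::uint32_t>(pe));
    wr32(img, pe, 0x00004550);
    img[pe + 4 + 2] = 2;                                     // NumberOfSections
    img[pe + 4 + 16] = static_cast<std::uint8_t>(opt_size);  // SizeOfOptionalHeader
    wr32(img, pe + 4 + 20 + 16, 0x1000);                     // AddressOfEntryPoint -> .text
    struct { const char* name; std::uint32_t va, off, flags; } secs[] = {
        {".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000},
        {".data", 0x2000, 0x300, 0x00000040 | 0x40000000 | 0x80000000},
    };
    std::size_t h = pe + 4 + 20 + opt_size;
    for (const auto& s : secs) {
        for (int k = 0; s.name[k]; ++k) img[h + k] = static_cast<std::uint8_t>(s.name[k]);
        wr32(img, h + 8, 0x100);  wr32(img, h + 12, s.va);
        wr32(img, h + 16, 0x100); wr32(img, h + 20, s.off);
        wr32(img, h + 36, s.flags);
        h += 40;
    }
    for (std::size_t i = 0; i < 0x100; ++i) img[0x200 + i] = 0x90;
    return img;
}

int main() {
    Bytes img = make_synthetic_pe();
    const Bytes key = {0x5A, 0xA5, 0x3C};  // toy key for the XOR placeholder
    for (const std::string& n : xor_executable_sections(img, key)) std::cout << "transformed " << n << '\n';
    std::uint32_t oep = retarget_entry_point(img, 0x3000);  // hypothetical stub section RVA
    std::cout << "entry now 0x3000, OEP 0x" << std::hex << oep << " saved for the stub\n";
}
```

The section filter accepts either IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE, since linkers do not set both consistently; a tool that keys only on one flag will miss sections. The bounds checks in rd16/rd32/wr32 and on PointerToRawData are what keep a hostile or truncated input from crashing the tool, which matters for anything that later runs over untrusted binaries.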

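The PUT_HELLO_THERE_IN_BINARY task and Antony's remark about putting the jmp inside the assembly block, as an added example that is not Boost code and not Flavius's submission. It assumes GCC or Clang on x86-64 (with an AArch64 variant); MSVC x64 has no inline asm, so the MSVC half of the task is not covered here. The macro emits the jump and the string bytes as one volatile asm statement, so no C++ goto is needed and the compiler has no unreachable block to delete. The second half is the postprocessing side Antony describes, find(binary, "Hello there!"), plus a check that uses the x86 short-jmp encoding (EB followed by a one-byte displacement) to separate a code marker from a stray copy of the same text in .rodata. BINARY_MARKER, find_markers, is_x86_code_marker and read_self_image are my names, not the library's.

```cpp
// Added example, not code from Boost or from this thread. Assumes GCC/Clang
// on x86-64 (or AArch64); MSVC x64 has no inline asm, so it is not covered.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <string_view>
#include <vector>

// Core half: emit a marker string into .text at the point of use. The jump
// is part of the asm statement, so the compiler sees one volatile statement
// rather than unreachable C++ after a goto, and keeps the bytes even at -O2.
// "1:" is a local numeric label, so the macro may be used many times.
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#  define BINARY_MARKER(lit) \
     __asm__ __volatile__("jmp 1f\n\t.ascii " #lit "\n1:" ::: "memory")
#elif defined(__GNUC__) && defined(__aarch64__)
   // AArch64 code must stay 4-byte aligned after the string.
#  define BINARY_MARKER(lit) \
     __asm__ __volatile__("b 1f\n\t.ascii " #lit "\n\t.balign 4\n1:" ::: "memory")
#else
#  define BINARY_MARKER(lit) ((void)0)  // no marker emitted on other toolchains
#endif

// The task's main(), with the marker between the two operator<< calls.
void hello_world() {
    std::cout << "Hello ";
    BINARY_MARKER("Hello there!");
    std::cout << "World\n";
}

// Postprocessing half: every file offset at which `marker` occurs in `image`.
std::vector<std::size_t> find_markers(const std::vector<std::uint8_t>& image,
                                      std::string_view marker) {
    std::vector<std::size_t> hits;
    auto it = image.begin();
    for (;;) {
        it = std::search(it, image.end(), marker.begin(), marker.end());
        if (it == image.end()) break;
        hits.push_back(static_cast<std::size_t>(it - image.begin()));
        ++it;
    }
    return hits;
}

// A substring hit may simply be a copy of the text in .rodata. On x86 the
// macro above assembles to a two-byte short jump (EB <len>) right before the
// marker, so a tool can insist on that encoding to tell a code marker from
// ordinary data. Markers longer than 127 bytes would not get a short jump.
bool is_x86_code_marker(const std::vector<std::uint8_t>& image,
                        std::size_t off, std::size_t marker_len) {
    if (off < 2 || marker_len > 127) return false;
    return image[off - 2] == 0xEB &&
           image[off - 1] == static_cast<std::uint8_t>(marker_len);
}

// Read the running executable so the scan can be tried on this program
// itself (Linux only; empty elsewhere).
std::vector<std::uint8_t> read_self_image() {
#if defined(__linux__)
    std::ifstream in("/proc/self/exe", std::ios::binary);
    return std::vector<std::uint8_t>(std::istreambuf_iterator<char>(in), {});
#else
    return {};
#endif
}

int main() {
    hello_world();
    const std::string marker = "Hello there!";  // this literal lands in .rodata: a data hit
    const auto image = read_self_image();
    for (std::size_t off : find_markers(image, marker))
        std::cout << "marker at file offset 0x" << std::hex << off
                  << (is_x86_code_marker(image, off, marker.size())
                          ? "  (code: preceded by short jmp)\n"
                          : "  (data)\n");
}
```

Run on Linux/x86-64 the self-scan reports two hits: the one emitted by BINARY_MARKER inside hello_world, flagged as code because the bytes before it are EB 0C, and the std::string literal in main, flagged as data. That second hit is exactly why a real postprocessing tool should not rely on the bare string: use a magic prefix that no ordinary data will contain, or verify the surrounding instruction bytes as done here.
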
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk