DEF CON 26 - Alexei Bulazel - Reverse Engineering Windows Defenders Emulator

43,105 views

DEFCONConference


a day ago

Windows Defender Antivirus's mpengine.dll implements the core of Defender's functionality in an enormous ~11 MB, 30,000+ function DLL.
In this presentation, we'll look at Defender's emulator, which is used to analyze potentially malicious Windows binaries on the endpoint. To the best of my knowledge, there has never been a conference talk or publication on reverse engineering any antivirus binary emulator before.
We'll cover a range of topics, including emulator internals (machine code to intermediate language translation and execution; memory management; Windows API emulation; NT kernel emulation; file system and registry emulation; integration with Defender's antivirus features; the virtual environment; etc.), building custom tooling for instrumenting the emulator, tricks that binaries can use to evade or subvert analysis, and attack surface within the emulator.
Attendees will leave with an understanding of how modern antivirus software conducts emulation-based dynamic analysis on the endpoint, and how attackers might go about subverting or attacking these systems. I'll publish code for a binary for exploring the emulator from within, patches that I developed for instrumenting Defender built on top of Tavis Ormandy's loadlibrary project, and IDA scripts to help with analyzing mpengine.dll and Defender's "VDLLs".
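The following is an added example, not code from the talk or from the 0xAlexei/WindowsDefenderTools repository: the simplest form of the "tricks that binaries can use to evade analysis" the abstract lists, namely fingerprinting the emulator's fixed virtual environment. The artifact values used here (hostname HAL9TH, username JohnDoe, marker file C:\aaa_TouchMeNot_.txt) are taken from the comments on this page and are treated as assumptions; they are not verified against mpengine.dll. The scoring logic is kept separate from the Win32 calls so it compiles and runs on any platform, and on Windows the main() queries the live environment (link against advapi32 for GetUserNameA).

```c
/* Added example (not from the talk or the author's repo): environment
 * fingerprinting of an AV emulator's fixed virtual environment.
 * Artifact values are ASSUMPTIONS taken from the page's comments:
 *   hostname "HAL9TH", username "JohnDoe", file C:\aaa_TouchMeNot_.txt
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Case-insensitive ASCII string equality (avoids strcasecmp/_stricmp portability issues). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Counts how many assumed emulator artifacts are present (0..3).
 * Decoupled from Win32 so the logic can be exercised on any platform. */
int emulator_artifact_score(const char *hostname, const char *username, int marker_file_present)
{
    int score = 0;
    if (hostname && ieq(hostname, "HAL9TH")) score++;
    if (username && ieq(username, "JohnDoe")) score++;
    if (marker_file_present) score++;
    return score;
}

/* Requires two independent artifacts: a single match (say, a real user who
 * happens to be named JohnDoe) should not by itself change behaviour. This
 * is also why a defender can break the check by randomizing any one artifact. */
int looks_like_emulator(const char *hostname, const char *username, int marker_file_present)
{
    return emulator_artifact_score(hostname, username, marker_file_present) >= 2;
}

#ifdef _WIN32
/* Collect the live values. Buffers are owned by the caller. */
static int collect_facts(char *host, DWORD hostlen, char *user, DWORD userlen)
{
    if (!GetComputerNameA(host, &hostlen)) host[0] = '\0';
    if (!GetUserNameA(user, &userlen)) user[0] = '\0';
    return GetFileAttributesA("C:\\aaa_TouchMeNot_.txt") != INVALID_FILE_ATTRIBUTES;
}
#endif

int main(void)
{
    char host[256], user[256];
    int marker;
#ifdef _WIN32
    marker = collect_facts(host, (DWORD)sizeof host, user, (DWORD)sizeof user);
#else
    /* Constructed sample values so the example runs off-Windows. */
    strcpy(host, "HAL9TH");
    strcpy(user, "JohnDoe");
    marker = 1;
#endif
    printf("host=%s user=%s marker=%d -> artifact score %d, %s\n",
           host, user, marker,
           emulator_artifact_score(host, user, marker),
           looks_like_emulator(host, user, marker) ? "emulator suspected"
                                                   : "no emulator artifacts");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the check cuts both ways, as one commenter below notes: a real host configured with these values will make such a sample refuse to run, and a sample that branches on exactly these strings is itself a detectable signal. Second, the artifact values are whatever the emulator's author chose; the moment they are randomized or patched, a hard-coded check like this one is dead, which is why checks of this kind are usually combined with behavioural probes rather than relied on alone.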

Comments: 62
@jonashansen2512 5 years ago
So username JohnDoe & hostname hal9000 would be a pretty solid defense against most Windows malware that checks for Windows Defender. Nice.
@Encysted 5 years ago
and a text file C:\aaa_TouchMeNot_.txt with "GOATGOATGOATGOATGOATGOAT...." If you emulate the emulator, you find the safest place is, logically, inside Windows Defender itself.
@nrok113 5 years ago
but then your credentials are extremely likely to be in a rainbow table
@johnbecker3116 5 years ago
Rip inbox and free time... See y'all in a week
@DantalionNl 5 years ago
The process name should not be altered; this makes it trivial to detect that we are running in the Defender sandbox. M$ should really patch this.
@dp4kallday 5 years ago
This was pretty interesting and pretty hard to keep up with at the same time.
@alansolomon113 5 years ago
I think I wrote the first emulator for an antivirus, that was in 1992 or thereabouts. I called it the "Generic Decryption Engine", because I didn't want the bad guys to know it was an emulator. And I did it specifically to deal with polymorphic viruses. In particular, a thing called the "Nuke Encryption Device", which, when I looked at it, I guessed would take me a week to write a reliable detector that didn't false-alarm. With the GDE, it took half an hour.
@whamer100 3 years ago
Yo, is this true? If so, if you have a source/paper I'd love to read about this.
@inspiredbymichansenpai2393 5 years ago
Nice, all DEF CON videos should be made like this, where presentations are put in fullscreen, even if not all the time.
@Smorgan2010 5 years ago
This was just dense in terms of the amount of material that you covered.
@mikesum32 5 years ago
IMesh? Now that's a name I haven't heard in a long time.
@DrTune 5 years ago
Quality geekin'
@thomhughes4617 5 years ago
How was communicating to the internet handled within the emulator?
@CharlesVanNoland a year ago
Or using other APIs like GDI+ or WinMM, or even just looking for user input, or responses to a MessageBoxA call.
@AdamBast a year ago
Next time you install windows, make the host name hal9th, make your name johndoe, and you'll never get viruses
@GeorgeTsiros 2 years ago
... why is operating system security an afterthought, an extra service, instead of being integral to the operating system itself?
@AnonYmous-spyonmepls 2 years ago
$$$$
@abeer_nawaf_sul 5 years ago
Could someone please mention prerequisites to *watch and understand* a DEFCON presentation video like this?
@miniwarrior7 5 years ago
😂😂😂😂😂😂 You find those prerequisites as you need them; no one can define your prerequisites, which are different from everyone else's.
@MrGillb 5 years ago
As you go along, collect a set of questions; then search up those questions and do the same. Alternatively, take on an overly ambitious project; as you're flailing around directionless you'll end up reaching out and creating things to make your project float.
@Encysted 5 years ago
@@miniwarrior7 If different people have learned different things, they would understand different parts of this talk. To understand all of it, you'd necessarily need a familiarity with a minimum of topics. There's an enumerable base set of topics you'd need to be able to follow this talk.
@Encysted 5 years ago
My background is literally watching a lot of these talks, from different conferences, including things like PyCon, CppCon, BSDCan, etc. I've never compiled a program, but other people have, and will share the experience. My suggested prerequisites for this talk are listed by KZfaq search links in no particular order. The first video in each result is likely good, but everyone learns differently, and googling the phrase or asking it to a person should be just as effective:
- Basic computer use
- kzfaq.info?search_query=how+code+gets+compiled
- kzfaq.info?search_query=how+does+qemu+work
- kzfaq.info?search_query=how+to+read+assembly+code (most of this can be inferred from watching the others)
- en.wikipedia.org/wiki/C_(programming_language)#Syntax (click a lot of links in here)
- kzfaq.info/get/bejne/b7RjgdWByqmuoJ8.html (for fun!)
- Interest in computers
@shreyaslolage8963 5 years ago
Literally just google what you can't understand. Learn how to learn.
@illusion180976 5 years ago
The statement regarding sending an executable file through Gmail is false. One would think that Gmail Project Zero team members would know that for some years now Gmail blocks sending or receiving of executable (.exe) files as attachments, along with many other file types (see below, content pasted directly from Gmail help). There is, however, a workaround (sort of) involving sending the file as a Google Drive attachment; this, however, requires action by the intended recipient and therefore would not function as described @2:27.

Gmail help content:
Types you can't include as attachments
To protect your account, Gmail doesn't allow you to attach certain types of files. Gmail often updates the types of files not allowed to keep up with harmful software that is constantly changing. Some examples include: .ADE, .ADP, .APK, .BAT, .CHM, .CMD, .COM, .CPL, .DLL, .DMG, .EXE, .HTA, .INS, .ISP, .JAR, .JS, .JSE, .LIB, .LNK, .MDE, .MSC, .MSI, .MSP, .MST, .NSH, .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF, .WSH, .CAB
@illusion180976 a year ago
@@mew3385 You are just plain wrong, I made this comment years ago and it still stands, sorry :-(
@Marienkarpfen 5 years ago
5:20
@fudeiq 5 years ago
myapp.exe
@tech.plucero 5 years ago
This guy needs to do some cardio.
@CharlesVanNoland a year ago
Listening to his talk is giving me cardio.
@Kyusoath 5 years ago
How can someone so tech-savvy use .mov shit and, amazingly, VLC?
@BanditLeader 5 years ago
Forced to by defcon
@averagegeek3957 5 years ago
What's wrong with VLC?
@Reichstaubenminister a year ago
@@averagegeek3957 Use mpv for a day and you'll see.
@recklessroges 5 years ago
Yeah, this has never been done... except by Kyle Adams back in 2014 (Evading Code Emulation: Writing Ridiculously Obvious Malware That Bypasses AV) presented at BSides. (So you're only 4 years late to the party; but still some impressive work.) I'll dig into github.com/0xAlexei/WindowsDefenderTools and see if there is a wheel that you didn't re-invent.
@charliesmith874 5 years ago
I would've enjoyed this presentation MUCH more if he wasn't so close to the fucking mic! All I can hear is him gulping and making noises with his mouth and breathing every 0.00001 nanoseconds
@CharlesVanNoland a year ago
It's way preferable to someone saying "uhhhhh" and "ummmm" once or twice every sentence.
@charliesmith874 a year ago
@@CharlesVanNoland Hahaha bro, I commented this 4 years ago when I was 16, don't even remember it 😭😂 Valid point you make though. Hope you are having a good day homie.
@Hobypyrocom 5 years ago
WTF guys? WTF is with all this spam? Can't you just set each video to get published one week apart like any normal YouTube channel instead?
@VGScreens 5 years ago
But then you don't get to pick all the stuff you're most interested in and/or binge everything when it suits you. I'd agree with you for most other channels that do massive upload dumps, but they are normally product demos/ads and stuff, this is all proper content, enjoy it :D
@Hobypyrocom 5 years ago
VGScreens, either my English is bad or you didn't understand my comment... I don't mind the content from this channel, I love their videos, but at the moment I will watch one and then forget in a few days that they have more new videos that I never watched... It's better for their channel if they upload videos once a week (or even one video per day); it will draw more views and more subscribers and also will not get the subscribers mad because of the spamming... With the functionality of YouTube you can upload 100 videos at once and set them to get published, for example, every Friday one by one...
@VGScreens 5 years ago
Maybe... Or maybe the people that are interested in DEFCON won't forget about it for an entire year after viewing one video... Flag it as "watch later" or something if you fear you'll forget about it. I think the dump is great and I will gradually get through a lot of them at my own pace as time permits. I suspect many others are the same.
@Hobypyrocom 5 years ago
VGScreens, unfortunately older fans (like me) who are also interested in DEFCON have too much stuff on their mind, so they can't keep their mind on the videos they didn't watch, and they also have jobs and don't have time to watch all these videos at once... My watch later list is over 200 videos at the moment... Anyhow, spamming the feed of the subscribers is not the way to go...
@VGScreens 5 years ago
Wow, attempting to slip in a straw man implying I don't have a job? Haha, how wrong you are. Also, if they released one a week, and a couple didn't catch my attention for a few weeks I'd honestly be more likely to forget about checking for something I hadn't watched yet. Wow, I'm so impressed by your 200 watch queue! Thanks for sharing! Stop being ungrateful, just fucking set a phone reminder for like a month or something if you're that forgetful. Heck, I'll even manually reply to this comment chain to remind you in a few weeks if life is genuinely that difficult for you... However, you seem to have a lot of free time to type retarded comments on youtube. PSA: anybody else who sees this useless thread at any point in the future, please post something to give IamIJareU a notification just in case he has forgotten that DEFCON did a 2018 dump. I thank you in advance on his behalf.
@georgegonzalez2476 a year ago
Why go into this level of detail? Nobody really wants or needs to go this deep, and there's the downside of exposing so many loopholes and special exceptions that a malicious bit of code can exploit.
@Reichstaubenminister a year ago
It's very interesting to see, especially for those who want to get into AV development themselves. And obscurity shouldn't be of any concern; a serious attacker would easily be able to find these vulnerabilities by himself.