Re: [boost] Boost.Binaries Project
Good!
Now look, you need to write an official proposal. Here's a template:
https://svn.boost.org/trac/boost/wiki/SoCSubmissionTemplate
Send it to the boost@lists.boost.org.
After that I'll tell the list that you have the qualification, finished
test task and I'm willing to mentor you.
Hurry up! March 21 is the deadline for student applications.
A few thoughts about the Binary project:
Signing/encrypting a whole section is a good idea, I like it.
The very initial idea was to allow the user to specify a code block or variable
location to encrypt/checksum. That's what the task with
PUT_HELLO_THERE_IN_BINARY was meant for. By inserting markers into the binary
we'll be able to find code blocks later (find(binary, "Hello there!")). As
you've mentioned, the compiler eliminates dead code; however, there is a way to
bypass it: if we put the jmp instruction directly in an assembly block, the
compiler will not eliminate it (at least 3 years ago it was not
eliminating it).
The Binary library must consist of two parts:
- postprocessing: tools to find markers, modify marked variables, change
sections and the entry point...
- core: markers for code, markers for variables, functions to do something at
code block enter/leave.
2014-03-20 20:43 GMT+04:00 Flavius Condrea
Hi Antony,
I solved the task you gave me. I attached the source code, where you will find a comment, too.
I worked last summer at Bitdefender as a full-time Malware Researcher. I studied a lot of reverse engineering, the Windows API and basic Python. While working there, I did research on several malware samples, developing detection and cleaning algorithms.
Also, using the Pin library developed by Intel, I created a C++ application that reveals information while running a binary file, such as:
- For each call it obtains information about the call instruction address, the procedure address and the procedure parameters, including the parameter values.
- It shows if the function writes to memory and, if it does, the application obtains this information from memory.
- It reveals if a new process or thread is created.
Then I developed a plugin (written in Python) for the IDA disassembler. The plugin inserts strategically placed comments with the information mentioned above. This way, binary-file analysis can be done more easily. I attached a few screenshots to show clearly what my tool actually does.
At the same time, if a binary file has encrypted code (most malware does), the developed application dumps the image from memory (in memory the code is decrypted) and restores the PE header and imported functions for an easier IDA analysis of the malware.
Best regards,
Flavius Condrea
PS: About this task: should I include it in the application form?
2014-03-20 9:13 GMT+02:00 Antony Polukhin
: 2014-03-19 21:17 GMT+04:00 Flavius Condrea
: Hi Antony,
Hi and welcome!
I was thinking of applying for the Boost.Binaries project. Therefore lately I did some research on what this involves. I thought of a way to encrypt an executable file and have it decrypt itself at runtime. I have the following solution for this:
1. Create an encryption key and a decryption key (public or private).
2. Iterate over each section, see if it contains executable code and then encrypt that section with the key from point one.
3. Create a new section that will contain the Original Entry Point (OEP) and the decryption algorithm that will be executed at runtime. The decryption algorithm will contain (at the end) a jmp to the Original Entry Point. The decryption key will be delivered separately.
4. Change the executable header (PE header) so that it stays valid after the changes made (this involves modifying the entry point to point to the decryption algorithm, and other things).
Sounds pretty good. Looks like you've done some investigations and know what you are talking about.
Besides these things, I am willing to add other features according to your wishes.
I am waiting for your opinion.
You've got a good start, but there is a requirement in the community to give some small tasks to the student. If you are willing to start the Boost.Binary project, then you need to make a main.cpp file that contains the following:

    #include <iostream>

    int main() {
        std::cout << "Hello ";
        goto foo;
        PUT_HELLO_THERE_IN_BINARY
    foo:
        std::cout << "World";
    }

There you must define the PUT_HELLO_THERE_IN_BINARY macro to some code that will put the "Hello there!" string between the two calls to operator<< in the binary file. In the disassembly there must be something like this:

    ...
    call basic_ostream::operator<<
    jmp foo
    48 65 6c 6c 6f 20 74 68 65 72 65 21   ; 'Hello there!' in raw view
    foo:
    ...
    call basic_ostream::operator<<

If you'll make your solution portable between the MSVC and GCC compilers, you're almost certainly in :)
-- Best regards, Antony Polukhin
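The marker task above, together with the core/postprocessing split Antony describes in his latest reply, as an added example that is not code from this thread, from the student's submission or from any Boost library. embed_marker() stands in for PUT_HELLO_THERE_IN_BINARY: a jump in an asm block over the raw string bytes, which the optimizer cannot drop as dead code and the CPU never executes. find_marker() is the postprocessing side, the find(binary, "Hello there!") step, and marker_is_skipped_by_short_jmp() checks that the bytes before the marker are the 'jmp foo' the disassembly shows (on x86, a short jump over 12 bytes encodes as EB 0C). Assumptions: GCC/Clang extended asm on x86-64 or AArch64 (MSVC x64 has no inline assembler, so the MSVC half of the portability requirement is not shown here); kSampleImage is a hand-assembled byte string constructed for the example, with rel32 call targets zeroed.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// The marker the task asks to place between the two operator<< calls (12 bytes).
static const char kMarker[] = "Hello there!";

// Core side, a stand-in for PUT_HELLO_THERE_IN_BINARY: emit a jump over the raw
// string bytes in the middle of the function body and return their address. The
// jump keeps the bytes from ever executing, and because they sit inside an asm
// block the optimizer cannot remove them as dead code. Assumption: GCC/Clang
// extended asm on x86-64 or AArch64 (GNU assembler syntax).
static const char* embed_marker() {
    const char* p;
#if defined(__x86_64__)
    asm volatile(
        "jmp 1f\n\t"                       // skip the data bytes (the 'jmp foo')
        "2: .asciz \"Hello there!\"\n\t"   // 13 bytes incl. NUL, living inside .text
        "1: lea 2b(%%rip), %0\n\t"         // hand back the marker's address
        : "=r"(p));
#elif defined(__aarch64__)
    asm volatile(
        "b 1f\n\t"
        "2: .asciz \"Hello there!\"\n\t"
        ".balign 4\n\t"                    // code after the data must be 4-byte aligned
        "1: adr %0, 2b\n\t"
        : "=r"(p));
#else
    p = kMarker;                           // other targets: ordinary .rodata string, no jump trick
#endif
    return p;
}

// Postprocessing side: the find(binary, "Hello there!") step. Scans a raw image
// for the marker and returns its byte offset, or -1 if it is absent.
static long find_marker(const unsigned char* image, std::size_t size) {
    const std::size_t n = sizeof(kMarker) - 1;
    for (std::size_t i = 0; size >= n && i + n <= size; ++i)
        if (std::memcmp(image + i, kMarker, n) == 0) return static_cast<long>(i);
    return -1;
}

// Before patching anything at the marker, a tool should confirm the bytes really
// are skipped: on x86 a 'jmp foo' over 12 bytes encodes as EB 0C (jmp short +12).
static bool marker_is_skipped_by_short_jmp(const unsigned char* image, std::size_t size, long off) {
    if (off < 2 || static_cast<std::size_t>(off) > size) return false;
    return image[off - 2] == 0xEB &&
           image[off - 1] == static_cast<unsigned char>(sizeof(kMarker) - 1);
}

// Constructed sample image mirroring the disassembly in the thread (x86-64 opcodes,
// hand-assembled; rel32 call targets zeroed since only the shape matters here).
static const unsigned char kSampleImage[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,                      // call operator<<
    0xEB, 0x0C,                                        // jmp short +12  -> foo
    'H','e','l','l','o',' ','t','h','e','r','e','!',   // 48 65 6c ... 21
    0xE8, 0x00, 0x00, 0x00, 0x00                       // foo: call operator<<
};

static long sample_marker_offset() {
    return find_marker(kSampleImage, sizeof kSampleImage);
}
static bool sample_marker_skipped() {
    return marker_is_skipped_by_short_jmp(kSampleImage, sizeof kSampleImage, sample_marker_offset());
}

int main() {
    std::printf("embedded marker: %s\n", embed_marker());
    std::printf("marker at offset %ld, skipped by short jmp: %s\n",
                sample_marker_offset(), sample_marker_skipped() ? "yes" : "no");
    return 0;
}
```

The numeric labels (1f, 2b) are local to each asm block, so the function can be inlined or instantiated more than once without label clashes; on a real build the same scan that find_marker() performs on kSampleImage would be run over the produced executable, and the jump check is what protects a later patching step from overwriting bytes that are actually executed.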