DOCSLIB.ORG

Automated Malware Analysis Report For

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Automated Malware Analysis Report For ID: 195574 Sample Name: FileOpenInstaller64.msi Cookbook: default.jbs Time: 23:32:33 Date: 11/12/2019 Version: 28.0.0 Lapis Lazuli Table of Contents Table of Contents 2 Analysis Report FileOpenInstaller64.msi 5 Overview 5 General Information 5 Detection 5 Confidence 6 Classification 6 Analysis Advice 6 Mitre Att&ck Matrix 7 Signature Overview 7 Spreading: 7 Networking: 7 System Summary: 7 Hooking and other Techniques for Hiding and Protection: 8 Malware Analysis System Evasion: 8 Language, Device and Operating System Detection: 8 Malware Configuration 8 Behavior Graph 8 Simulations 9 Behavior and APIs 9 Antivirus, Machine Learning and Genetic Malware Detection 9 Initial Sample 9 Dropped Files 9 Unpacked PE Files 9 Domains 9 URLs 9 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 9 Memory Dumps 9 Unpacked PEs 9 Sigma Overview 9 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 JA3 Fingerprints 10 Dropped Files 10 Screenshots 10 Thumbnails 10 Startup 11 Created / dropped Files 11 Domains and IPs 11 Contacted Domains 11 URLs from Memory and Binaries 11 Contacted IPs 12 Static File Info 12 General 12 File Icon 12 Static OLE Info 12 General 12 Authenticode Signature 13 OLE File "FileOpenInstaller64.msi" 13 Indicators 13 Summary 13 Streams 13 Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 7246 13 General 13 Copyright Joe Security LLC 2019 Page 2 of 26 Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 32 14 General 14 Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 560 14 General 14 Stream Path: \x16786\x17522\x17022\x18418\x17583\x17578\x17214\x17574, File Type: MS Windows icon resource - 19 icons, 256x256, 32 bits/pixel, 128x128, 32 bits/pixel, Stream Size: 544750 14 General 14 Stream Path: \x17163\x16689\x18229\x15358\x15128\x17848\x17591\x15024\x17894\x17580\x17841\x15693\x18453, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 1735680 14 General 14 Stream Path: \x17163\x16689\x18229\x15358\x17388\x15912\x16947\x15793\x15516\x17886\x17388\x18486, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 90112 14 General 14 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x18485, File Type: PC bitmap, Windows 3.x format, 500 x 63 x 24, Stream Size: 94556 15 General 15 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15231\x16684\x17583\x18474, File Type: PC bitmap, Windows 3.x format, 503 x 314 x 24, Stream Size: 474824 15 General 15 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15871\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318 General 1515 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x16319\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318 General 1615 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15295\x16827\x16687\x18480, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766 16 General 16 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15551\x17009\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors, Stream Size: 1078 16 General 16 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x17184\x16827\x18468, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 107008 General 1616 Stream Path: \x17167\x16943\x17624\x17512\x17490\x17910\x17380\x16943\x18357\x14923\x14537\x16830\x16740, File Type: Microsoft Cabinet archive data, 1397022 bytes, 20 files, Stream Size: 1397022 17 General 17 Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1576 17 General 17 Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 204 17 General 17 Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ISO-8859 text, with very long lines, Stream Size: 36704 17 General 17 Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 3672 18 General 18 Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 78 18 General 18 Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 4776 18 General 18 Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 12 18 General 18 Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: data, Stream Size: 36 18 General 18 Stream Path: \x18496\x16786\x17522, File Type: data, Stream Size: 4 19 General 19 Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: x86 executable not stripped, Stream Size: 48 19 General 19 Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: x86 executable not stripped, Stream Size: 42 19 General 19 Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: x86 executable not stripped, Stream Size: 42 19 General 19 Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 80 19 General 19 Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 80 19 General 20 Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14 20 General 20 Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 30 20 General 20 Stream Path: \x18496\x16923\x17194\x17910\x18229, File Type: data, Stream Size: 12 20 General 20 Stream Path: \x18496\x16924\x18037\x16812\x15144\x17522\x17783\x17394, File Type: data, Stream Size: 12 20 General 20 Stream Path: \x18496\x16924\x18037\x16812\x15528\x17841\x16695\x17391, File Type: data, Stream Size: 32 20 General 20 Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 36 21 General 21 Stream Path: \x18496\x17100\x16808\x15086\x18162, File Type: data, Stream Size: 8 21 General 21 Stream Path: \x18496\x17163\x16689\x18229, File Type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.1, Stream Size: 36 21 General 21 Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 90 21 General 21 Stream Path: \x18496\x17165\x17380\x17074, File Type: data, Stream Size: 396 21 General 21 Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 400 21 General 22 Stream Path: \x18496\x17180\x17514\x17892\x17784\x18472, File Type: data, Stream Size: 52 22 General 22 Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 198 22 General 22 Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 102 22 General 22 Stream Path: \x18496\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 6 22 General 22 Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 240 23 Copyright Joe Security LLC 2019 Page 3 of 26 General 23 Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: iAPX 286 executable large model (COFF) not stripped, Stream Size: 536 23 General 23 Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: data, Stream Size: 1404 23 General 23 Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: data, Stream Size: 4628 23 General 23 Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 28 23 General 24 Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: data, Stream Size: 16 24 General 24 Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 4 24 General 24 Stream Path: \x18496\x17741\x17557\x16678\x17591\x18485, File Type: data, Stream Size: 32 24 General 24 Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 76 24 General 24 Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475, File Type: CLIPPER COFF executable (VAX #) not stripped - version 425, Stream Size: 280 24 General 24 Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 96 25 General 25 Stream Path: \x18496\x17933\x17395\x16812\x17892\x15336\x17388\x18472, File Type: data, Stream Size: 80 25 General 25 Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: data, Stream Size: 32 25 General 25 Network Behavior 25 Code Manipulations 25 Statistics 25 System Behavior 26 Analysis Process: msiexec.exe PID: 4400 Parent PID: 4220 26 General 26 File Activities 26 Disassembly 26 Code Analysis 26 Copyright Joe Security LLC 2019 Page 4 of 26 Analysis Report FileOpenInstaller64.msi Overview General Information Joe Sandbox Version: 28.0.0 Lapis Lazuli Analysis ID: 195574 Start date: 11.12.2019 Start time: 23:32:33 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 2m 10s Hypervisor based Inspection enabled: false Report type: light Sample file name: FileOpenInstaller64.msi Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 Number of analysed new started processes analysed: 2 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis stop reason: Timeout Detection: CLEAN Classification: clean1.winMSI@1/0@0/0 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Enable AMSI Found application associated with file extension: .msi Stop behavior analysis, all processes terminated Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found.
Load more

Recommended publications
  • The “Stabs” Debug Format
    The \stabs" debug format Julia Menapace, Jim Kingdon, David MacKenzie Cygnus Support Cygnus Support Revision TEXinfo 2017-08-23.19 Copyright c 1992{2021 Free Software Foundation, Inc. Contributed by Cygnus Support. Written by Julia Menapace, Jim Kingdon, and David MacKenzie. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled \GNU Free Documentation License". i Table of Contents 1 Overview of Stabs ::::::::::::::::::::::::::::::: 1 1.1 Overview of Debugging Information Flow ::::::::::::::::::::::: 1 1.2 Overview of Stab Format ::::::::::::::::::::::::::::::::::::::: 1 1.3 The String Field :::::::::::::::::::::::::::::::::::::::::::::::: 2 1.4 A Simple Example in C Source ::::::::::::::::::::::::::::::::: 3 1.5 The Simple Example at the Assembly Level ::::::::::::::::::::: 4 2 Encoding the Structure of the Program ::::::: 7 2.1 Main Program :::::::::::::::::::::::::::::::::::::::::::::::::: 7 2.2 Paths and Names of the Source Files :::::::::::::::::::::::::::: 7 2.3 Names of Include Files:::::::::::::::::::::::::::::::::::::::::: 8 2.4 Line Numbers :::::::::::::::::::::::::::::::::::::::::::::::::: 9 2.5 Procedures ::::::::::::::::::::::::::::::::::::::::::::::::::::: 9 2.6 Nested Procedures::::::::::::::::::::::::::::::::::::::::::::: 11 2.7 Block Structure
    [Show full text]
  • Portable Executable File Format
    Chapter 11 Portable Executable File Format IN THIS CHAPTER + Understanding the structure of a PE file + Talking in terms of RVAs + Detailing the PE format + The importance of indices in the data directory + How the loader interprets a PE file MICROSOFT INTRODUCED A NEW executable file format with Windows NT. This for- mat is called the Portable Executable (PE) format because it is supposed to be portable across all 32-bit operating systems by Microsoft. The same PE format exe- cutable can be executed on any version of Windows NT, Windows 95, and Win32s. Also, the same format is used for executables for Windows NT running on proces- sors other than Intel x86, such as MIPS, Alpha, and Power PC. The 32-bit DLLs and Windows NT device drivers also follow the same PE format. It is helpful to understand the PE file format because PE files are almost identi- cal on disk and in RAM. Learning about the PE format is also helpful for under- standing many operating system concepts. For example, how operating system loader works to support dynamic linking of DLL functions, the data structures in- volved in dynamic linking such as import table, export table, and so on. The PE format is not really undocumented. The WINNT.H file has several struc- ture definitions representing the PE format. The Microsoft Developer's Network (MSDN) CD-ROMs contain several descriptions of the PE format. However, these descriptions are in bits and pieces, and are by no means complete. In this chapter, we try to give you a comprehensive picture of the PE format.
    [Show full text]
  • Common Object File Format (COFF)
    Application Report SPRAAO8–April 2009 Common Object File Format ..................................................................................................................................................... ABSTRACT The assembler and link step create object files in common object file format (COFF). COFF is an implementation of an object file format of the same name that was developed by AT&T for use on UNIX-based systems. This format encourages modular programming and provides powerful and flexible methods for managing code segments and target system memory. This appendix contains technical details about the Texas Instruments COFF object file structure. Much of this information pertains to the symbolic debugging information that is produced by the C compiler. The purpose of this application note is to provide supplementary information on the internal format of COFF object files. Topic .................................................................................................. Page 1 COFF File Structure .................................................................... 2 2 File Header Structure .................................................................. 4 3 Optional File Header Format ........................................................ 5 4 Section Header Structure............................................................. 5 5 Structuring Relocation Information ............................................... 7 6 Symbol Table Structure and Content........................................... 11 SPRAAO8–April 2009
    [Show full text]
  • Linkers and Loaders Do?
    Linkers & Loaders by John R. Levine Table of Contents 1 Table of Contents Chapter 0: Front Matter ........................................................ 1 Dedication .............................................................................................. 1 Introduction ............................................................................................ 1 Who is this book for? ......................................................................... 2 Chapter summaries ............................................................................. 3 The project ......................................................................................... 4 Acknowledgements ............................................................................ 5 Contact us ........................................................................................... 6 Chapter 1: Linking and Loading ........................................... 7 What do linkers and loaders do? ............................................................ 7 Address binding: a historical perspective .............................................. 7 Linking vs. loading .............................................................................. 10 Tw o-pass linking .............................................................................. 12 Object code libraries ........................................................................ 15 Relocation and code modification .................................................... 17 Compiler Drivers .................................................................................
    [Show full text]
  • Mach-O Internals
    Mach-O Internals William Woodru February 10, 2016 1 / 31 General Agenda 1. Who are you? 2. What is Mach-O? 3. An Extremely Brief History of Mach and Mach-O 4. Structure of a Mach-O File 5. Quirks Encountered 6. Concluding Notes 2 / 31 Who are you? My name is William Woodru. I'm a Computer Science major and Philosophy minor at the University of Maryland, College Park. Outside of school, I'm a member of the Homebrew project and a regular contributor to several open source groups. My work for Homebrew is largely concerned with the underlying system interface and reconciling OS X's intricacies/irregularities with the package manager. 3 / 31 What is Mach-O? Mach-O is the Mach Object binary format. Mach-O is used primarily by Apple in OS X and iOS. Apps on both platforms are really just directory trees containing Mach-O binaries and resources (fonts, icons, congurations). Metadata is stored in a number of places, but mainly within bundled plists (XML) and the binaries themselves. Like its cousins on Linux (ELF) and Windows (PE), Mach-O supports multiple object types: I Executable I Core dump I Shared library/object I Prelinked object le I etc. 4 / 31 . and multiple architectures: I m68k/m88k (yes, it's still supported!*) I x86 I AMD64 I POWER I ARMv6/7/8 Unlike ELF or PE, Mach-O has been extended to allow multi-architecture fat binaries. This has resulted in some interesting properties not shared by the other two. More on that later.
    [Show full text]
  • Compiling, Linking
    Compiling, linking,... • Let’s see what happens when we compile a program using gcc • Some of this material is based on section 7 of Computer Systems, A Programmer’s Perspective, by Bryant O’Hallaron. 1 /* main.c */ /* swap.c */ void swap(); extern int buf[] int buf[2] = {1,2}; int *bufp0 = &buf[0]; int main() int *bufp1; { { swap(); int temp; return 0; bufp1 = &buf[1]; } temp = *bufp0; *bufp0 = *bufp1; *bufp1 = temp; } 2 Compiling, linking,... • What happens when you use the compiler driver gcc: gcc -O2 -g -o test main.c swap.c 3 Step1: Preprocessor (cpp) • The C preprocessor translates the C source file main.c into an ASCII intermediate file main.i • cpp [other args] main.c /tmp/main.i 4 Step2: C compiler (cc1) • Driver runs C compiler cc1 • translates main.i into an ASCII assembly language file main.s • cc1 /tmp/main.i main.c -O2 [other args] -o /tmp/main.s 5 Step3: assembler (as) • driver runs assembler as to translate main.s into relocatable object file main.o • as [other args] -o /tmp/main.o /tmp/main.s • Same 3 steps are executed for swap.c 6 Step4: Linker (ld) • driver runs linker ld to combine main.o and swap.o into the executable file test • ld -o test [sys obj files and args] /tmp/main.o / tmp/swap.o 7 Overview main.c swap.c Source files! Translators! Translators! (cpp, cc1, as)! (cpp, cc1, as)! Relocatable! main.o swap.o object files! Linker (ld)! Fully linked! p! executable object file! 8 Run executable test • unix> ./test • shell invokes function in OS called loader • copy code and data of executable test into memory • then transfers control to the beginning of the program 9 Static linking • What does the static linker all do? • takes as input a collection of relocatable object files and command-line arguments • generates fully linked executable object file that can be loaded and run 10 Static linking • Linker performs two tasks: • symbol resolution: associates each symbol reference with exactly one symbol definition • relocation: compiler and assembler generate code and data sections that start at address 0.
    [Show full text]
  • Outline Executable/Object File Formats Brief History of Binary File Formats
    Outline CSci 5980/8980 ELF basics Manual and Automated Binary Reverse Engineering Slides 5: The ELF Binary File Format Stephen McCamant Static and dynamic linking University of Minnesota Executable/object file formats Brief history of binary file formats (Unix) Modern systems usually use a common format for Early Unix had a simple a.out format relocatable object files during compilation and final Lasted until early days of free Linux/BSD, now obsolete executables AT&T’s second try was named COFF Mostly binary data representing code and data Still limited, but widely adopted with changes Plus metadata allowing the data to be linked and AT&T’s third try was ELF, now used in almost all Unix loaded systems Brief history of binary file formats (non-Unix) Compile-time and run-time Early DOS and Windows had several limited formats Some file features are used during compilation Since the 32-bit era, Windows uses the PE (Portable Typically first created by assembler, then used/modified Executable) format by the linker Partially derived from COFF Other features are used when the program runs OS X era Apple (including iOS, etc) uses a format By the OS when the program starts named Mach-O And now also by runtime linking First developed for the Mach microkernel used on the NeXT Static and dynamic/shared linking ELF Traditional “static” linking happens all at compile time Executable (or Extensible) and Linking (or Linkable) Libraries become indistinguishable from the rest of the Format program First appeared in System V Release 4 Unix, c. 1989 For efficiency and flexibility, it is now more common to postpone library linking until runtime Linux switched to ELF c.
    [Show full text]
  • Novel Framework for Hidden Data in the Image Page Within Executable File Using Computation Between Advanced Encryption Standard and Distortion Techniques
    (IJCSIS) International Journal of Computer Science and Information Security, Vol. 3, No. 1, 2009 Novel Framework for Hidden Data in the Image Page within Executable File Using Computation between Advanced Encryption Standard and Distortion Techniques A.W. Naji*, Shihab A. Hameed, , B.B.Zaidan**, Wajdi F. Al-Khateeb, Othman O. Khalifa, A.A.Zaidan and Teddy S. Gunawan, Department of Electrical and Computer Engineering, Faculty of Engineering, International Islamic University Malaysia, P.O. Box 10, 50728 Kuala Lumpur, Malaysia * [email protected], ** [email protected] message. In doing this, we make it far less likely that an ABSTRACT----- The hurried development of multimedia and encrypted message will be found [2],[3]. Also, if a message internet allows for wide distribution of digital media data. It concealed through Steganography is discovered, the becomes much easier to edit, modify and duplicate digital discoverer is still faced with the formidable task of information. In additional, digital document is also easy to copy and distribute, therefore it may face many threats. It deciphering it. Also the strength of the combination between became necessary to find an appropriate protection due to the hiding and encryption science is due to the non-existence of significance, accuracy and sensitivity of the information. standard algorithms to be used in (hiding and encryption) Furthermore, there is no formal method to be followed to secret messages. Also there is randomness in hiding discover a hidden data. In this paper, a new information hiding methods such as combining several media (covers) with framework is presented.The proposed framework aim is different methods to pass a secret message.
    [Show full text]
  • Effective File Format Fuzzing
    Effective file format fuzzing Thoughts, techniques and results Mateusz “j00ru” Jurczyk Black Hat Europe 2016, London PS> whoami • Project Zero @ Google • Part time developer and frequent user of the fuzzing infrastructure. • Dragon Sector CTF team vice captain. • Low-level security researcher with interest in all sorts of vulnerability research and software exploitation. • http://j00ru.vexillium.org/ • @j00ru Agenda • What constitutes real-life offensive fuzzing (techniques and mindset). • How each of the stages is typically implemented and how to improve them for maximized effectiveness. • Tips & tricks on the examples of software I’ve fuzzed during the past few years: Adobe Reader, Adobe Flash, Windows Kernel, Oracle Java, Hex-Rays IDA Pro, FreeType2, FFmpeg, pdfium, Wireshark, … Fuzzing Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. http://en.wikipedia.org/wiki/Fuzz_testing In my (and this talk’s) case • Software = commonly used programs and libraries, both open and closed-source, written in native languages (C/C++ etc.), which may be used as targets for memory corruption-style 0-day attacks. • Inputs = files of different (un)documented formats processed by the target software (e.g. websites, applets, images, videos, documents etc.). On a scheme START choose input mutate input feed to target yes no target save input crashed Easy to learn, hard to master. Key questions • How do we choose the fuzzing
    [Show full text]
  • Advanced Programming in the UNIX Environment – Dæmon Processes, Shared Libraries
    CS631-AdvancedProgrammingintheUNIXEnvironment Slide1 CS631 - Advanced Programming in the UNIX Environment – Dæmon Processes, Shared Libraries Department of Computer Science Stevens Institute of Technology Jan Schaumann [email protected] https://stevens.netmeister.org/631/ Lecture 11: Dæmon Processes, Shared Libraries November 11, 2019 CS631-AdvancedProgrammingintheUNIXEnvironment Slide2 Dæmon processes So... what’s a dæmon process anyway? Lecture 11: Dæmon Processes, Shared Libraries November 11, 2019 CS631-AdvancedProgrammingintheUNIXEnvironment Slide3 Dæmon characteristics Commonly, dæmon processes are created to offer a specific service. Dæmon processes usually live for a long time are started at boot time terminate only during shutdown have no controlling terminal Lecture 11: Dæmon Processes, Shared Libraries November 11, 2019 CS631-AdvancedProgrammingintheUNIXEnvironment Slide4 Dæmon characteristics The previously listed characteristics have certain implications: do one thing, and one thing only no (or only limited) user-interaction possible resource leaks eventually surface consider current working directory how to create (debugging) output Lecture 11: Dæmon Processes, Shared Libraries November 11, 2019 CS631-AdvancedProgrammingintheUNIXEnvironment Slide5 Writing a dæmon fork off the parent process change file mode mask (umask) create a unique Session ID (SID) change the current working directory to a safe place close (or redirect) standard file descriptors open any logs for writing enter actual dæmon code Lecture 11: Dæmon Processes,
    [Show full text]
  • CS 449 – Executables and Linking
    Executables and Linking CS449 Spring 2016 Remember External Linkage Scope? #include <stdio.h> >> gcc ./main.c ./foo.c int global = 0; >> ./a.out void foo(); global=10 int main() { foo(); printf(“global=%d\n”, global); • How did global in foo.c find global in main.c? return 0; • How did foo() in main.c find foo() in foo.c? } • Where is the code for printf() and how does the call to printf() find it? <main.c> • What does a.out look like in the file system? extern int global; How does it look like while executing in memory? void foo() { global += 10; } <foo.c> 2 Compiler gcc Preprocessed Object C source source files Executable .c cpp cc1 .o ld Preprocessor Compiler Linker Preprocessor gcc Preprocessed Object C source source files Executable .c cpp cc1 .o ld Preprocessor Compiler Linker Preprocessor • Input: A C source file with directives • Output: A C source file after directives have been processed and comments stripped off. • #include directive – #include <...> or #include “...” – Copies the contents of the file to source file – Contain function/variable declarations and type definitions – <...> searches for file under standard include path (usually /usr/include) – “....” searches for file under local directory or paths given as –I arguments (e.g. gcc –I ~/local/include main.c) Preprocessor • #define directive – Defines a macro (a symbol that is expanded to some other text) – #define PI 3.14 • All instances of PI gets replaced by 3.14 in source – #define AVG(a, b) (((a) + (b)) / 2) • AVG(2, 4) in source gets replaced by ((2 + 4) / 2) – No type checking • CPP is just a text translator; no concept of types • Will even work on AVG(“Hello”, “World”) Compiler gcc Preprocessed Object C source source files Executable .c cpp cc1 .o ld Preprocessor Compiler Linker Compiler • Input: A preprocessed C source file • Output: An object file in machine language • In the process it performs: – Syntax and type checking – Compiler optimizations to reduce execution time and memory footprint • E.g.
    [Show full text]
  • Using OFD Utility to Create a DSP Boot Image
    Application Report SPRAA64 − November 2004 Using OFD Utility to Create a DSP Boot Image Jelena Nikolic-Popovic DSP Field Applications ABSTRACT The object file display (OFD) utility processes common object file format (COFF) files and converts the information contained in such files into XML format. This application note describes how to create a DSP boot image using COFF and XML files, and a simple Perl script. The resulting image is a C source file, which can be included into the host processor’s application program and downloaded to the DSP via HPI or PCI interfaces. The OFD utility is available in Code Composer Studio Release 3.0 or greater. This application report contains project code that can be downloaded from this link. http://www−s.ti.com/sc/psheets/spraa64/spraa64.zip Contents 1 Motivation . 1 2 COFF Format . 3 3 OFD Text Output . 4 4 OFD XML Output . 6 5 Tools for Processing OFD Output. 9 6 Creating a Host Image. 10 7 Summary and Conclusion. 12 8 References . 13 List of Figures Figure 1. COFF File Structure. 4 Figure 2. OFD Output (Text Format). 5 Figure 3. Tree Representation of XML Tags Generated by OFD. 8 Figure 4. Sample OFD XML Output. 9 Figure 5. Boot image .h file . 10 Figure 6. Boot image .c file . 11 1 Motivation In a signal processing system consisting of one or more DSPs and a host processor where the DSP code initially resides in host’s memory space, the DSP code needs to be converted into a particular format; so that, it can be included into host’s application program, and then copied to the DSP memory space upon system startup.
    [Show full text]