HACKER SUMMER CAMP 2024 GUIDES — Part Nine: TRICON & REcon 2024

DCG 201
45 min read · Jul 29, 2024


Welcome to the DCG 201 Guides for Hacker Summer Camp 2024! This is part of a series where we are going to cover all the various hacker conventions and shenanigans both In-Person & Digital! This year in 2024 we have completely lost our minds and thus we will have a total of 18 guides spanning 3 months of Hacker Insanity!

As more blog posts are uploaded, you will be able to jump through the guide via these links:

HACKER SUMMER CAMP 2024 — Part One: Surviving Las Vegas & Virtually Anywhere 2024

HACKER SUMMER CAMP 2024 — Part Two: Capture The Flags & Hackathons

HACKER SUMMER CAMP 2024 — Part Three: Design Automation Conference #61

HACKER SUMMER CAMP 2024 — Part Four: ToorCamp 2024

HACKER SUMMER CAMP 2024 — Part Five: LeHack 20th

HACKER SUMMER CAMP 2024 — Part Six: HOPE XV

HACKER SUMMER CAMP 2024 — Part Seven: SummerCon 2024

HACKER SUMMER CAMP 2024 — Part Eight: DOUBLEDOWN24 by RingZer0

HACKER SUMMER CAMP 2024 — Part Nine: TRICON & REcon 2024

HACKER SUMMER CAMP 2024 — Part Ten: The Diana Initiative 2024

HACKER SUMMER CAMP 2024 — Part Eleven: Wikimania Katowice

HACKER SUMMER CAMP 2024 — Part Twelve: SquadCon 2024

HACKER SUMMER CAMP 2024 — Part Thirteen: BSides Las Vegas 2024

HACKER SUMMER CAMP 2024 — Part Fourteen: Black Hat USA 2024

HACKER SUMMER CAMP 2024 — Part Fifteen: DEFCON 32

HACKER SUMMER CAMP 2024 — Part Sixteen: USENIX Security Trifecta 2024

HACKER SUMMER CAMP 2024 — Part Seventeen: HackCon 2024

HACKER SUMMER CAMP 2024 — Part Eighteen: SIGS, EVENTS & PARTIES

TRICON by Trimarc

Date & Time: July 28th ~ 9:00 AM ET to 7:00 PM ET

Location: Virtual

Website: https://www.trimarcsecurity.com/tricon

Tickets: http://bit.ly/TRICONReg

Virtual Platform(s): Zoom, YouTube

Schedule: https://www.trimarcsecurity.com/tricon

Live Streams:

YouTube: https://www.youtube.com/watch?v=UGM-RCo0qjk

Virtual Chat: Zoom (Only For Ticket Holders)

Affordability: FREE

Code Of Conduct: TBA

TRICON is a one-day, remote conference showcasing talks and panels from industry experts in Active Directory, Microsoft Cloud, and Identity Security.

Trimarc: the name comes from Trimarcisia, “feat of three horsemen,” an ancient Celtic cavalry tactic in which a rider was always ready to mount the horse of a fallen soldier.

Trimarc was named for this approach: even if the initial mitigation fails, there are additional defensive layers to back it up.

Trimarc is a professional services company based out of Washington, DC that helps organizations secure their Microsoft platform, both on-premises and in the cloud. Founded by Sean Metcalf, a Microsoft Certified Master in Active Directory, Trimarc’s mission is to help organizations better secure their critical IT infrastructure.

Two new additions for a double whammy, one virtual and one physical! We love to include as many remote and virtual options as we can for accessibility in terms of disability, resources and the international audience. We are also highly curious not only about niche-specific topics but also about how individual companies and vendors view security. If you want to learn new security methods and mistakes for virtualized services from an admin perspective, you can run this in the background while you work on your projects or while stuck in linecon!

ZOOM

PUTTING THE YOU BACK IN YOUTUBE

Desktop

Android

iOS

  1. Tap 2 gear icons on the top left of the screen to go to Settings
  2. Tap Locations
  3. Paste the link under Locations Manifest https://r.yattee.stream/manifest-invidious-piped.json
  4. Tap Reload manifest
  5. Select the Country under Public Locations
  6. Tap Switch to other public location (some locations, e.g. watchapi.whatever.social, do not support the Popular category; inv.riverside.rocks or vid.puffyan.us do support it)

You can now add Custom Locations, also called Instances:

  1. Tap + Add Location…
  2. Paste the link to Address field https://pipedapi.kavin.rocks
  3. Optional: If you created an account on either Invidious or Piped, you can tap the Instance you just added, tap + Add Account and enter your Username and Password.

You can get Instances from:

ClearNet

Tor

http://invidious.g4c3eya4clenolymqbpgwz3q3tawoxw56yhzk4vugqrl6dtu3ejvhjid.onion/watch?v=UGM-RCo0qjk

i2p

http://pjsfhqamc7k6htnumrvn4cwqqdoggeepj7u5viyimgnxg3gar72q.b32.i2p/watch?v=UGM-RCo0qjk

DCG 201 TALK HIGHLIGHTS FOR TRICON (ET)

9:30–10:15 am ET | The (almost) complete LDAP guide

Sapir Federovsky

Many blue teams avoid using LDAP for detections and sometimes do not understand the significant detection capabilities that can only be achieved using LDAP. There is very little information about decrypting encrypted LDAP (for example with NTLM GSS-API) and therefore many teams simply do not check encrypted queries and miss significant attacks. Attacks and information on Kerberos and NTLM are very common, and sometimes LDAP is pushed into a corner. It’s time to put it in the spotlight! In this talk, I will cover the following:

  • Implementation with winAPI
  • Authentication types
  • Encryption and decryption of LDAP sessions
  • Signature of attack tools based on the LDAP queries they create (this will be the main part)
  • LDAP attacks such as injection and obfuscation and various identification methods (this will be the main part)
  • Using LDAP to identify a dangerous configuration in the environment
  • LDAP in Active Directory Web Services
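
As an added example (not from the talk or its speaker), here is the shape of the “signature of attack tools based on the LDAP queries they create” idea from the list above: a small matcher that normalizes LDAP search filters and flags filter shapes commonly associated with AD enumeration tooling (Kerberoast and AS-REP roast candidate hunting, RBCD target discovery, full subtree dumps), then aggregates hits per client. The events, client addresses and field names are constructed and not tied to a specific log source, and the signatures are illustrative rather than any vendor’s published ruleset; in practice the filters come from DC LDAP query logging or a network tap, and encrypted sessions need the decryption step the talk describes before any of this is possible.

```python
"""Flag LDAP search filters whose shape is typical of AD enumeration tooling.

Added example: the signatures below are illustrative filter shapes, not a
vendor ruleset, and the events are constructed rather than captured.
"""
import re
from collections import Counter, defaultdict

# LDAP_MATCHING_RULE_BIT_AND, used to test individual userAccountControl flags
BIT_AND = r"useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:="

# name -> (regex over a normalized filter, required search scope or None)
SIGNATURES = {
    # accounts with an SPN: Kerberoast candidates
    "kerberoast_candidates": (re.compile(r"\(serviceprincipalname=\*\)"), None),
    # DONT_REQ_PREAUTH (0x400000): AS-REP roast candidates
    "asrep_roast_candidates": (re.compile(BIT_AND + r"4194304"), None),
    # TRUSTED_FOR_DELEGATION (0x80000): unconstrained delegation hosts
    "unconstrained_delegation": (re.compile(BIT_AND + r"524288"), None),
    # objects with an RBCD security descriptor set
    "rbcd_targets": (re.compile(r"msds-allowedtoactonbehalfofotheridentity=\*"), None),
    # a bare (objectClass=*) is only interesting as a subtree search;
    # base-scope RootDSE reads with the same filter are routine
    "full_subtree_dump": (re.compile(r"^\(objectclass=\*\)$"), "subtree"),
}


def normalize_filter(filter_text: str) -> str:
    """Lower-case and strip whitespace so trivial reformatting does not dodge a match."""
    return re.sub(r"\s+", "", filter_text).lower()


def match_filter(filter_text: str, scope: str = "subtree") -> list[str]:
    """Return the names of every signature the filter triggers."""
    normalized = normalize_filter(filter_text)
    return [
        name for name, (pattern, required_scope) in SIGNATURES.items()
        if pattern.search(normalized) and (required_scope is None or scope == required_scope)
    ]


def triage(events: list[dict]) -> dict[str, dict]:
    """Aggregate signature hits per client so one noisy host stands out."""
    per_client = defaultdict(lambda: {"queries": 0, "hits": Counter()})
    for event in events:
        summary = per_client[event["client"]]
        summary["queries"] += 1
        for name in match_filter(event["filter"], event.get("scope", "subtree")):
            summary["hits"][name] += 1
    return {client: {"queries": s["queries"], "hits": dict(s["hits"])}
            for client, s in per_client.items()}


def suspicious_clients(summary: dict[str, dict], min_distinct_hits: int = 2) -> list[str]:
    """Clients that triggered at least `min_distinct_hits` different signatures."""
    return sorted(c for c, s in summary.items() if len(s["hits"]) >= min_distinct_hits)


# Constructed events: client address, search scope and the filter as sent.
SAMPLE_EVENTS = [
    {"client": "10.0.0.5", "scope": "subtree",
     "filter": "(&(objectCategory=person)(sAMAccountName=jdoe))"},
    {"client": "10.0.0.5", "scope": "base", "filter": "(objectClass=*)"},
    {"client": "10.0.0.77", "scope": "subtree",
     "filter": "(&(samAccountType=805306368)(servicePrincipalName=*))"},
    {"client": "10.0.0.77", "scope": "subtree",
     "filter": "(&(samAccountType=805306368)"
               "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"},
    {"client": "10.0.0.77", "scope": "subtree",
     "filter": "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)"},
    {"client": "10.0.0.77", "scope": "subtree", "filter": "( objectClass = * )"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for client, s in result.items():
        print(client, s)
    print("suspicious:", suspicious_clients(result))
```

The scope condition on the last signature is the caveat that matters most in practice: every domain-joined machine issues base-scope `(objectClass=*)` reads against RootDSE, so matching on the filter text alone would drown the signal.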

10:30–10:50 am ET | DFIR on Azure Cloud

Kiran Kumar

In this talk, I’m going to cover some of the top attacks within Azure AD and methods you can use to detect those attacks. I’ll cover attacks such as:

  • Password spraying
  • Session cookie theft using Evilginx2
  • Token theft and replay using PTR and hunting for this attack in Azure Graph logs.

I’ll also discuss the kinds of logs and policies useful in DFIR in Azure AD. When facing an incident, would you know what type of logs you need to look into? Are you taking your storage policies for granted? For instance, depending upon licensing for things like E3 and E5, not all logs are stored more than 30 days. What’s more, do you know where to look for specific types of attacks such as initial access?
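
To make the first attack on that list concrete, here is an added example (not from the talk) of the triage a responder runs over Entra ID sign-in records when password spraying is suspected: group failed sign-ins by source IP, look for many distinct accounts with only one or two attempts each inside a short window, then check whether any of those accounts later succeeded from the same address. The records are constructed; their field names follow the Microsoft Graph signIns resource (createdDateTime, userPrincipalName, ipAddress, status.errorCode), with 50126 being Entra’s invalid-credential code, but the addresses and accounts are invented and the thresholds are starting points to tune, not published guidance.

```python
"""Password-spray triage over Entra ID sign-in records.

Added example with constructed records; the field names follow the Graph
signIns resource, the addresses and accounts are invented.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIAL = 50126   # Entra error code: invalid username or password
SUCCESS = 0


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(records, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """One finding per source IP that hit >= min_users distinct accounts,
    each at most max_per_user times, inside any `window`-long span."""
    failures = defaultdict(list)
    for rec in records:
        if rec["status"]["errorCode"] == INVALID_CREDENTIAL:
            failures[rec["ipAddress"]].append(
                (parse_time(rec["createdDateTime"]), rec["userPrincipalName"]))
    findings = []
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            attempts = Counter(user for ts, user in events[i:] if ts - start <= window)
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                findings.append({"ip": ip, "start": start,
                                 "distinct_users": len(attempts),
                                 "users": sorted(attempts)})
                break   # one finding per source is enough to pivot on
    return findings


def compromised_after_spray(records, findings):
    """Accounts that signed in successfully from a spraying IP after it started."""
    hits = set()
    for f in findings:
        for rec in records:
            if (rec["ipAddress"] == f["ip"]
                    and rec["status"]["errorCode"] == SUCCESS
                    and parse_time(rec["createdDateTime"]) >= f["start"]):
                hits.add(rec["userPrincipalName"])
    return sorted(hits)


def _rec(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sign-in log: one low-and-slow spray from 203.0.113.10 that
# lands on dave, and one user at 198.51.100.7 mistyping a password.
SAMPLE_SIGNINS = [
    _rec("2024-07-28T13:00:01Z", "alice@contoso.com", "203.0.113.10", INVALID_CREDENTIAL),
    _rec("2024-07-28T13:00:40Z", "bob@contoso.com",   "203.0.113.10", INVALID_CREDENTIAL),
    _rec("2024-07-28T13:01:05Z", "frank@contoso.com", "198.51.100.7", INVALID_CREDENTIAL),
    _rec("2024-07-28T13:01:20Z", "carol@contoso.com", "203.0.113.10", INVALID_CREDENTIAL),
    _rec("2024-07-28T13:01:25Z", "frank@contoso.com", "198.51.100.7", INVALID_CREDENTIAL),
    _rec("2024-07-28T13:01:45Z", "frank@contoso.com", "198.51.100.7", SUCCESS),
    _rec("2024-07-28T13:02:00Z", "dave@contoso.com",  "203.0.113.10", INVALID_CREDENTIAL),
    _rec("2024-07-28T13:02:30Z", "erin@contoso.com",  "203.0.113.10", INVALID_CREDENTIAL),
    _rec("2024-07-28T13:05:00Z", "dave@contoso.com",  "203.0.113.10", SUCCESS),
]

if __name__ == "__main__":
    found = detect_spray(SAMPLE_SIGNINS)
    for f in found:
        print(f"{f['ip']} sprayed {f['distinct_users']} accounts from {f['start']}")
    print("follow-up successes:", compromised_after_spray(SAMPLE_SIGNINS, found))
```

The per-user cap is what separates a spray from a brute force against one account, and the follow-up success check is the question the abstract’s retention warning is really about: if the sign-in logs have already aged out, you cannot answer “which account did they get?”.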

11:30–11:50 am ET | FAST Times at Contoso High

John Askew

It’s a classic coming-of-age tale… free-wheeling plans predictably go sideways in an awkward, humorous manner, as we gain wisdom and become more resilient to the demands of the “real world”. At least, for the more fortunate characters in the story. In this fast-paced session, you will learn how inherent weaknesses of 1980s cryptographic design still exist in most modern Active Directory environments, and how you can potentially fix them. FAST is a Kerberos extension for armoring and protecting your Active Directory authentication traffic that you may not have even realized was vulnerable. Isn’t it nice when the solution is right there in front of you before you even recognize there is a problem? Of course, the hard part — the part that takes the latter half of the movie to actualize — is the work of putting it into action. In the flash-forward epilogue, will you end up as a hopeful protagonist that overcomes their weakness to move forward, or a tragic side character that remains stuck in the past?

12:00–12:20 pm ET | Mitigating the identity attack surface: honeytokens to deflect identity threats

Suril Desai

Mitigating the Active Directory security findings is challenging for administrators. Service accounts are tied to critical services and applications, so reducing the attack surface can impact the business. For the identity attack surface that cannot be mitigated, honeytokens serve as an effective countermeasure. Honeytokens provide the benefit of detecting, and more importantly, diverting/deflecting the attacker away from the real service accounts and privileged admin accounts. While this has been known to be a mitigation measure, organizations need assistance on a strategy for the optimal count, placement, and types of honeytokens. This talk discusses the evolution in identity threats, the need for reducing the identity attack surface, and the countermeasures based on honeytokens as a detection and diversion approach. Recommendations and best practices for an effective strategy for honeytokens will be shared with the community.

12:30–1:15 pm ET | Oops! I can read your Conditional Access Policies without being an admin?

Viktor Hedberg

During my work to make a PowerShell module to perform Entra ID Healthchecks, I stumbled onto something worrying. Regular user access is the bare necessity to dump Conditional Access Policies from any tenant using AAD Graph API. Now, those APIs are going out of business, but this way of exfiltrating the CA Policies allows an attacker today to identify any gaps in your policy structure. This session will look at how this is possible, and of course how to mitigate this in your tenant.

2:30–3:15 pm ET | Nightmare misconfigurations of Active Directory

Crystal Wake

Nightmare misconfigurations of Active Directory will focus on how certain configurations of AD have granted far more access than appropriate to the wrong entities. This talk will cover stories of incidents, how they were corrected, the mitigation process and how they could have been prevented in the first place.

4:30–5:15 pm ET | Identity crisis: Combating Microsoft 365 account takeovers at scale

Matt Kiely

Every day in the United States, about $8 million is siphoned from individuals, small businesses, large corporations, and non-profit organizations as a result of business email compromise attacks. These attacks are the symptom of a new rising tide of cloud attack tradecraft. In the cloud, proof of identity is all that you need to access private resources, even if that proof is stolen. Welcome to the identity crisis! How wide is the attack surface for these identity attacks? In the case of Microsoft 365, it is about 345 million identities and counting! M365 remains a tantalizing target for cybercriminals who want to cash in on the relative simplicity of these attacks. This talk focuses on how we can cut off attackers during one of the most critical phases of their attacks: initial access. Through technical demonstration of three common initial access attacks, this presentation will cover how we can better approach detection, response, and deterrence of account takeovers. First, we will explore the problem statement when it comes to defending M365 from account takeovers. We will cover the high-level landscape of attacks and how they differ from their on-premise analogs. We will also cover some of the differences in our strategic approach to identity attacks compared to their predecessors. Then, we will step into the attack lab and learn three common M365 attacks that grant initial access when successful. For each attack, we cover the technical steps required to execute it. Then, we cover detections and mitigations for the attack, paying special attention to the best telemetry sources that allow effective threat hunting against the attack. By the end of this presentation, attendees will have a better understanding of the specifics of some of the most common and dangerous identity attacks that result in account takeover. But more importantly, they will see the clear shift in philosophy between how we should approach legacy threats and identity threats.

REcon 2024

Date & Time: Monday, June 24th to Sunday, June 30th (training June 24th to 27th, conference June 28th to 30th)

Location: DoubleTree by Hilton (1255 Rue Jeanne-Mance, Montréal, QC H5B 1E5, Canada)

Website: https://recon.cx/2024/index.html

Tickets: https://tickets.recon.cx/recon/recon2024/

Virtual Platform(s): TBA

Schedule: https://cfp.recon.cx/recon2024/schedule/

Live Streams:

TBA

YouTube: TBA

Virtual Chat: TBA

Affordability:

  • January: $1000 CAD
  • February: $1200 CAD
  • March: $1400 CAD
  • April: $1600 CAD
  • May: $1700 CAD
  • June: $1800 CAD
  • Student before March 30: $500 CAD*
  • Student between April and June: $700 CAD*
  • *: Student ID required

The registration fee includes an access pass to the conference as well as lunch and coffee breaks for all three days of the conference, a welcome cocktail on the Thursday, and parties on Friday and Saturday. Provincial and federal sales taxes will be applied to all registration fees. All registration fees are payable in Canadian dollars (CAD).

Training does not include a conference pass. Breakfast is also included during training.

A total of 600 tickets will be sold for this year’s conference.

Code Of Conduct: https://recon.cx/2024/policies.html

REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. It has been held annually in Montreal, Canada since 2005.

The conference offers a single track of presentations over the span of three days along with 4 days of technical training sessions held before the presentation dates.

Those who were at SummerCon this year in New York City may have run into some of the fine Canucks that operate this convention. Reverse engineering is a major part of computer security, yet we feel it is very underrepresented in conventions and trainings. If you want to specialize in 1337 hax and have a love of maple syrup, consider flying to America’s hat this year!

HOW TO HACK CANADA

TRAVELLING TO CANADA

No proof of vaccination or COVID test is required to enter Canada (with some exceptions). See the link below for details:

As of last year many foreign travelers to Canada will require an Electronic Travel Authorization (eTA) prior to entering the country. Please check the following website to find out if this applies to you:

FLYING LIKE A GOOSE

Arriving at YUL airport, you can take the bus or a taxi to get to the hotel. A taxi will cost you a flat $41 (+tip) fee to the Montreal downtown area, where the DoubleTree by Hilton is located. A pass for the 747 Airport Shuttle Bus will cost you $10 and should be bought at one of the STM stands nearby before boarding if you don’t have exact change in coins; this pass is also valid for unlimited metro-area public transport for 24 hours. The shuttle bus stop closest to the DoubleTree by Hilton is on the corner of Jeanne-Mance and is referred to as stop number 7. It is about a one-minute walk to the hotel from there.

TAXYS AKA CANADAN SPELLING IS WERID

In General

Montreal taxis are usually clean with fast response times — a car usually arrives in 10 minutes or less after you make a call. Cabs can be any color; the way you know they’re a cab is their sign on the roof, which is lit at night when the cab is available. You can hail Montreal cabs, call them, or get the help of hotel and restaurant staff.

About Fares

Before even calling a taxi, figure out how much the cab ride will cost with this Montreal Taxi Fare Finder. Don’t forget to tip, because the fare finder won’t have included this. The initial charge (the charge you see on the meter when your ride begins) is $3.15, with every additional kilometer (2/3 mile) adding $1.45. Each minute of waiting adds 55¢. A typical fare (say, a ride from one downtown location to another) costs about $6.

Quirks

Montreal cab drivers are generally courteous, but it’s a big city with big city temperaments and frustrations, so don’t be surprised if your driver is, um, a little eccentric! And try to have a sense of where you’re going in case French/English language barriers get interesting.

Most Montreal taxi companies will pick up customers only in central Montreal neighborhoods such as the ones listed in section A-11 of this Montreal map. But there are a few companies that send cabs to the far east and west of the island of Montreal.

If You Need to Rant

If you get terrible service file a complaint with the city of Montreal right here.

More Bars: https://www.mtl.org/en/experience/montreal-award-winning-bars

Halal: https://www.restomontreal.ca/s/?restaurants=halal-greater-montreal&c=308&lang=en

DCG 201 RECON 2024 WORKSHOPS & TRAINING HIGHLIGHTS

GameBoy ROM Extraction

06–28, 15:30–17:30 (US/Eastern), Soprano A

The Game Boy has a mask ROM bootloader that validates the Nintendo logo in the cartridge, then disables itself before executing the cartridge memory, making it difficult to extract. In this workshop, we’ll begin with a die photograph of the console’s CPU, then use Mask ROM Tool to annotate and decode bits. By the end of the workshop, you will have made a ROM image suitable for emulation or disassembly.

A laptop with a modern version of Linux, Windows or macOS is required. A mouse or second monitor is nice to have, but not required. Please install the software from http://maskromtool.com/ before the workshop begins.
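
Added example (not part of the workshop or of maskromtool): what the mask ROM bootloader described above actually enforces before it unmaps itself. It reproduces the two cartridge-header checks the DMG boot ROM performs, the byte-for-byte Nintendo logo compare at $0104-$0133 and the header checksum over $0134-$014C against the byte at $014D, using the layout and logo bytes documented in Pan Docs, and builds a header-only 32 KiB image to run them against. A boot ROM image recovered from the die is exactly what you would disassemble to confirm this logic.

```python
"""The two cartridge-header checks the DMG boot ROM performs before it
disables itself and jumps to $0100. Added example; the layout and logo
bytes are the ones documented in Pan Docs, the sample image is constructed.
"""

# 48-byte Nintendo logo bitmap the boot ROM compares against $0104-$0133
NINTENDO_LOGO = bytes.fromhex(
    "CEED6666CC0D000B03730083000C000D"
    "0008111F8889000EDCCC6EE6DDDDD999"
    "BBBB67636E0EECCCDDDC999FBBB9333E"
)
LOGO_RANGE = slice(0x104, 0x134)
CHECKSUM_RANGE = range(0x134, 0x14D)   # title, licensee, type, sizes, version
CHECKSUM_ADDR = 0x14D


def header_checksum(rom: bytes) -> int:
    """x = x - rom[addr] - 1 for addr in $0134..$014C, truncated to 8 bits."""
    x = 0
    for addr in CHECKSUM_RANGE:
        x = (x - rom[addr] - 1) & 0xFF
    return x


def boot_rom_check(rom: bytes) -> tuple[bool, bool]:
    """(logo_ok, checksum_ok); the real boot ROM locks up if either fails."""
    logo_ok = rom[LOGO_RANGE] == NINTENDO_LOGO
    checksum_ok = header_checksum(rom) == rom[CHECKSUM_ADDR]
    return logo_ok, checksum_ok


def build_header_only_rom(title: bytes = b"MASKROMTOOL", logo: bytes = NINTENDO_LOGO) -> bytes:
    """Construct a 32 KiB ROM-only image with a valid header and no code."""
    rom = bytearray(0x8000)
    rom[0x100:0x104] = b"\x00\xC3\x50\x01"    # entry point: NOP ; JP $0150
    rom[LOGO_RANGE] = logo
    rom[0x134:0x144] = title.ljust(16, b"\x00")[:16]
    rom[0x147] = 0x00                          # cartridge type: ROM only
    rom[0x148] = 0x00                          # ROM size code: 32 KiB
    rom[0x149] = 0x00                          # RAM size: none
    rom[CHECKSUM_ADDR] = header_checksum(rom)
    return bytes(rom)


if __name__ == "__main__":
    good = build_header_only_rom()
    print("valid image:", boot_rom_check(good))
    bad_logo = bytearray(good)
    bad_logo[0x104] ^= 0x01
    print("flipped logo bit:", boot_rom_check(bytes(bad_logo)))
```

Note what the checksum does not cover: the logo, the entry point and all of the code. The boot ROM only proves that the header is internally consistent and that the cartridge carries the logo; it is a licensing gate, not an integrity check on the program.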

Travis Goodspeed

Travis Goodspeed is a reverse engineer of embedded systems from East Tennessee, where he has recently written a book on Microcontroller Exploits. His 1964 Studebaker has nine transistors and no firmware in the drive train, but there are always books on semiconductors in the back seat.

Bare Metal Firmware Dev: Forwards and Backwards

06–29, 13:00–14:00 (US/Eastern), Soprano A

Developing firmware is an essential skill that cyber security professionals should be familiar with to gain a deeper understanding of the foundation of most systems that are being relied on. Additionally, a fundamental understanding of firmware development is a valuable asset in the realm of firmware reverse engineering. This presentation aims to tackle both directions of firmware (development/reversing) to give the audience a better understanding of the intricacies with each process. The firmware development portion of the presentation will walk the audience through the basic steps to deploy a firmware application on an embedded microcontroller (STM32). The application will be developed in such a way that it is intended to be reversed. The second half of the presentation deals with the firmware binary and the steps necessary to fully recover the firmware as much as possible. An important note is that these tools and firmware will be open-source and therefore the audience can attempt this work on their own. Takeaways from this talk include an understanding of bare metal development environments, embedded C code, memory mapping and peripherals, as well as an intermediate understanding of Ghidra.

The workshop will review the following code: https://github.com/So11Deo6loria/basicFirmwareExample

The talk will also include a tool we released to enable manufacturer-based HAL driver type loading directly into Ghidra via the API: https://github.com/So11Deo6loria/typeLoader

Caleb Davis

Caleb Davis is a founding member of the Cybersecurity organization, SolaSec. Caleb operates out of the Dallas/Fort Worth area and has a degree in Electrical Engineering from the University of Texas at Tyler. He is an inventor/patent holder and has a background in embedded hardware/software development. He leads a team of experts that regularly perform penetration testing across a wide variety of products including medical devices, ATMs, chemical control systems, security solutions, and other commercial products. Additionally, Caleb has a passion for integrating security into the product development life cycle and has helped several organizations in their approach to shifting left.

Kyle Shockley

Kyle Shockley is one of the founding members of SolaSec. He received a B.S. in Finance and International Business, as well as an M.S. in Information Systems from Indiana University. Kyle has delivered high-value information technology solutions for over 12 years to clients in multiple industries. With experience in a variety of projects, Kyle has developed vulnerability management programs, executed advanced adversarial attack simulations, and built IT strategic roadmaps for clients around the world.

.NET Exploitation WorkShop

06–29, 13:00–15:00 (US/Eastern), Soprano B

.NET Reverse engineering for vulnerability researchers, how to map the attack surface, interesting areas of focus, tools of the trade for .NET Exploitation.

  • A Windows 10 VM
  • Visual Studio 2022 installed
  • .NET Framework 4.0 to 4.8
  • A copy of https://github.com/pwntester/ysoserial.net

During the workshop, participants will delve into the intricacies of .NET reverse engineering and gain a comprehensive understanding of the techniques involved. Starting with an overview of the .NET framework, the workshop will gradually progress towards advanced topics such as deserializations, bypassing mitigations, and a lot more, empowering attendees with the necessary skills to identify and exploit vulnerabilities.

Students will be provided with lab files before the workshop which contain tools and exercises for the workshop.

Sina Kheirkhah

@SinSinology is a full time vulnerability researcher, pwn2own 202{2,3,4} contestant, Microsoft MVR 2022/2023

Guerilla Reversing: SMALI steps towards Android reversing

06–29, 15:30–18:30 (US/Eastern), Soprano B

As consumers move to using their phones as their primary device, the financial opportunity for threat actors to deploy mobile malware becomes more appealing. People store their money, memories and digital identities in their pockets, making their phones a ripe avenue for attackers. From the high level threat landscape, down to the nitty gritty of the implementation of mobile malware TTPs, understanding the basics of Android reverse engineering can give an analyst the necessary cutting edge. This workshop will take people from zero to hero in order to give them a more thorough understanding of the Android malware landscape through hands-on labs using Android malware.

This will be a 3 hour version of our Android reverse engineering training covering some of the basics that will allow attendees to gain some initial experience. During the workshop, the topics we will cover will include: the structure of APK and DEX files and how to use them to gain initial RE insight, performing static analysis on Java and native code, overcoming obfuscation and writing a basic decryptor for a piece of Android malware, basics of dynamic analysis using FRIDA and a brief introduction to Android native code and how to approach it.
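
The “structure of APK and DEX files” part of that list is the easiest to show in code. The following is an added example (not the workshop’s material): it parses the 0x70-byte DEX header per the Dalvik Executable format specification, verifies the Adler-32 checksum and SHA-1 signature that cover the file, and walks string_ids, which is the first thing an analyst reads for initial RE insight. The DEX image it runs on is constructed inline (header plus a string table, no classes, so nothing ART would load) and the keyword list used to flag interesting strings is illustrative.

```python
"""Parse a DEX header, verify its checksum and signature, walk string_ids.

Added example; layout follows the Dalvik Executable format specification.
The DEX built by build_sample_dex() is constructed for the demo and has no
classes, so it is not something ART would load.
"""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
# Illustrative strings worth a second look in a sample's string table.
INTERESTING = ("DexClassLoader", "loadClass", "Runtime", "exec", "SEND_SMS")


def read_uleb128(buf: bytes, off: int) -> tuple[int, int]:
    """Decode one ULEB128 value; returns (value, offset after it)."""
    value, shift = 0, 0
    while True:
        byte = buf[off]
        off += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, off
        shift += 7


def encode_uleb128(value: int) -> bytes:
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def parse_header(dex: bytes) -> dict:
    if dex[:4] != b"dex\n" or len(dex) < HEADER_SIZE or dex[7] != 0:
        raise ValueError("not a DEX file")
    checksum, signature, *rest = struct.unpack_from("<I20s20I", dex, 8)
    hdr = dict(zip(HEADER_FIELDS, rest))
    hdr["version"] = dex[4:7].decode("ascii")
    # the checksum covers everything after itself, the signature everything after itself
    hdr["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(dex[32:]).digest() == signature
    hdr["endian_ok"] = hdr["endian_tag"] == ENDIAN_CONSTANT
    hdr["size_ok"] = hdr["file_size"] == len(dex) and hdr["header_size"] == HEADER_SIZE
    return hdr


def read_strings(dex: bytes, hdr: dict) -> list[str]:
    """Follow string_ids -> string_data_item (ULEB128 utf16 length, MUTF-8, NUL)."""
    strings = []
    for i in range(hdr["string_ids_size"]):
        (data_off,) = struct.unpack_from("<I", dex, hdr["string_ids_off"] + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        # MUTF-8 differs from UTF-8 only for NUL and supplementary code points
        strings.append(dex[start:end].decode("utf-8", errors="replace"))
    return strings


def interesting_strings(strings: list[str]) -> list[str]:
    return [s for s in strings if any(k in s for k in INTERESTING)]


def build_sample_dex(strings: list[str]) -> bytes:
    """Construct header + string_ids + string_data with a valid checksum/signature."""
    string_ids_off = HEADER_SIZE
    data_off = HEADER_SIZE + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    body = b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)
    counts = [0] * 12                       # no types/protos/fields/methods/classes
    counts[0:2] = [len(strings), string_ids_off]
    tail = struct.pack("<20I", HEADER_SIZE + len(body), HEADER_SIZE, ENDIAN_CONSTANT,
                       0, 0, 0, *counts, len(data), data_off)
    dex = bytearray(b"dex\n035\x00" + bytes(4) + bytes(20) + tail + body)
    dex[12:32] = hashlib.sha1(dex[32:]).digest()                        # signature first
    struct.pack_into("<I", dex, 8, zlib.adler32(dex[12:]) & 0xFFFFFFFF)  # then checksum
    return bytes(dex)


if __name__ == "__main__":
    sample = build_sample_dex(["Ldalvik/system/DexClassLoader;", "loadClass", "onCreate"])
    hdr = parse_header(sample)
    print({k: hdr[k] for k in ("version", "file_size", "string_ids_size",
                               "checksum_ok", "signature_ok")})
    print("interesting:", interesting_strings(read_strings(sample, hdr)))
```

A mismatched checksum or signature on a DEX pulled out of an APK usually means you are looking at something that was edited after packaging or carved incorrectly, which is worth knowing before you spend time decompiling it.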

Lindsay Kaye

Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty spans the fields of malware analysis and reverse engineering, with a keen interest in dissecting custom cryptographic systems. Lindsay is an internationally-recognized cybersecurity speaker and author. Lindsay holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.

Gabi Cirlig

Gabriel Cirlig is Principal Security Researcher at HUMAN Security. A software developer-turned-rogue, Gabriel is the go-to expert for any mobile reverse engineering within HUMAN’s Satori Threat Intelligence and Research team. He went from developing apps for small businesses to 2M+ DAU Facebook games while keeping an eye open for new opportunities. In the past few years, Gabriel has shifted gears and started his career as a security researcher while speaking at various conferences showcasing what he’s hacked. With a background in electronics engineering and various programming languages, he likes to dismantle and (hopefully) put back whatever he gets his hands on.

Automating Malware Deobfuscation with Binary Ninja

06–30, 14:00–15:00 (US/Eastern), Soprano B

With the ever-increasing complexity of malware comes the need to automate tasks related to its analysis. Binary Ninja is a robust reverse engineering platform that provides a plethora of useful functionality when analyzing malware. This functionality includes a powerful Python API that can be used to automate a number of common malware reverse engineering tasks.

Throughout this workshop we will automate the deobfuscation of a real-world malware sample using Binary Ninja and freely available open-source tools.

[15 min] Introducing Workshop Resources and Content

The workshop will begin by familiarizing participants with the tools used in the workshop, including:

  • Binary Ninja (https://binary.ninja/) and Binary Ninja’s user-interface (UI) components that we will be using throughout the workshop (mainly the disassembler, decompiler, Python REPL, and scripting interfaces)
  • Binary Ninja’s Decompiler, which uses Binary Ninja Intermediate Languages (BNILs — https://docs.binary.ninja/dev/bnil-overview.html). These BNILs will be used to assist with understanding disassembled instructions during our reverse engineering process
  • Binary Ninja’s Python interface, which will be used for interacting with these BNILs

Participants will then be provided with a brief overview of the malware we will be analyzing (Qakbot) and the steps that we will take to get there.

[45 min] Writing a Static Unpacker

This section will teach participants how to automate unpacking and decryption of malware samples. This will be accomplished using the Qakbot sample as an example. The Qakbot sample is packed (obfuscated using an external program that “unpacks itself”) and therefore we will perform multiple hands-on exercises to automate the extraction of Qakbot from its packed form using Binary Ninja, PEFile and Binary Refinery.

  • The first exercise will teach attendees how to use Binary Ninja to identify the encryption algorithm used by the first stage of the packer and how to extract key information to decrypt the second stage
  • The next exercise will teach attendees how to use PEFile (https://github.com/erocarrera/pefile) to extract an embedded resource from the packed binary. Once extracted, the resource will then be decrypted using the key information from the first exercise
  • The next exercise will teach attendees how to use Binary Refinery (https://github.com/binref/refinery) to carve binary files from the decrypted resource
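
The last exercise, carving the binaries that fall out of the decrypted resource, is the step that can be shown stand-alone without the sample. Below is an added example in plain Python (not Binary Refinery’s code and not the workshop’s material, which uses Binary Refinery for this): it scans a blob for MZ headers, validates the PE signature behind e_lfanew, and sizes each image from its section table so that one carve does not swallow the next or stop at a decoy “MZ”. The blob and the two minimal PE images inside it are constructed; they have coherent headers but no runnable code.

```python
"""Carve embedded PE images out of a decrypted blob by sizing each one from
its section table. Added example; the images and the blob are constructed.
"""
import struct

SECTION_HEADER_SIZE = 40


def pe_image_size(buf: bytes, base: int):
    """On-disk size of the PE starting at `base`, or None if there is none."""
    if buf[base:base + 2] != b"MZ" or base + 0x40 > len(buf):
        return None
    try:
        (e_lfanew,) = struct.unpack_from("<I", buf, base + 0x3C)
        pe = base + e_lfanew
        if buf[pe:pe + 4] != b"PE\0\0":
            return None
        (num_sections,) = struct.unpack_from("<H", buf, pe + 6)    # COFF NumberOfSections
        (opt_size,) = struct.unpack_from("<H", buf, pe + 20)       # SizeOfOptionalHeader
        sections = pe + 24 + opt_size
        end = sections + SECTION_HEADER_SIZE * num_sections - base  # at least the headers
        for i in range(num_sections):
            # SizeOfRawData, PointerToRawData at +16 and +20 of each section header
            raw_size, raw_ptr = struct.unpack_from(
                "<II", buf, sections + SECTION_HEADER_SIZE * i + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:
        return None
    if base + end > len(buf):
        return None                                   # truncated image
    return end


def carve_pe(buf: bytes) -> list[tuple[int, bytes]]:
    """(offset, image) for every well-formed PE found; skips over each carve."""
    found, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) >= 0:
        size = pe_image_size(buf, pos)
        if size:
            found.append((pos, buf[pos:pos + size]))
            pos += size
        else:
            pos += 1
    return found


def build_tiny_pe(payload: bytes = b"\xC3", machine: int = 0x8664) -> bytes:
    """Construct a one-section PE with coherent headers (not runnable)."""
    pe32plus = machine == 0x8664
    opt_size = 0xF0 if pe32plus else 0xE0
    e_lfanew = 0x40
    sec_off = e_lfanew + 24 + opt_size
    raw_ptr = (sec_off + SECTION_HEADER_SIZE + 0x1FF) & ~0x1FF   # FileAlignment 0x200
    raw_size = (len(payload) + 0x1FF) & ~0x1FF
    img = bytearray(raw_ptr + raw_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, machine, 1, 0, 0, 0, opt_size, 0x22)
    struct.pack_into("<H", img, e_lfanew + 24, 0x20B if pe32plus else 0x10B)  # optional magic
    # section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", img, sec_off, b".text", len(payload), 0x1000, raw_size, raw_ptr)
    img[raw_ptr:raw_ptr + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    blob = (b"junk" * 7 + build_tiny_pe() + b"\x00" * 16 + b"MZ-not-a-pe"
            + build_tiny_pe(b"\x90" * 600, machine=0x14C) + b"tail")
    for offset, image in carve_pe(blob):
        print(f"PE at {offset:#x}, {len(image)} bytes")
```

Sizing from the section table rather than stopping at the next “MZ” is what keeps a carve correct when the packer appends overlay data or when an inner binary itself contains the two magic bytes; a truncated image returns None here so the caller knows the decryption step, not the carve, is what went wrong.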

Joshua Reynolds

Joshua Reynolds is the founder of Invoke RE. Joshua has over ten years of reverse engineering, malware analysis and security experience working for industry leading companies. He has spoken at major conferences such as RSA, DEF CON and Virus Bulletin on topics including ransomware and malicious document analysis. He is also the co-author of a malware analysis course that is taught annually at an academic institution.

AUTOMATING REVERSE ENGINEERING PROCESSES WITH AI/ML, NLP, AND LLMS

  • Instructor: Malachi Jones
  • Dates: June 24 to 27 2024
  • Capacity: 25 Seats
  • Price: $5000 CAD before May 1, $5600 CAD after.

This course enhances reverse engineering (RE) processes through automation, focusing on efficiency and scalability in malware and firmware analysis by integrating Neural Networks (NN), Natural Language Processing (NLP), and Large Language Models (LLMs). It introduces Blackfyre, an open-source system combining a Ghidra plugin and Python library, essential for binary analysis and applying NN/NLP/LLM techniques in RE. The curriculum covers NN and NLP in malware analysis for threat classification and anomaly detection, and in firmware analysis for predicting function/binary names and detecting similarities. It also introduces BinaryRank, inspired by PageRank but more efficient with linear complexity, for static analysis, improving NLP’s effectiveness on binary data representations. Advanced topics include LLMs for function and binary summarization, and malware analysis for signature and report generation. Designed for those with a foundational understanding of RE, Python object-oriented programming skills, and basic mathematical knowledge, the course aims to bolster NN/NLP/LLM capabilities in automating RE processes.

MODERN WINDOWS MALWARE OPSEC & ANTI-REVERSE TECHNIQUES IMPLEMENTATION AND REVERSING

This course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AV, IPS, IDS, EDR), and how attackers design and operate their implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors.

  • Instructor: Silvio La Porta and Antonio Villani
  • Dates: June 24 to 27 2024
  • Capacity: 25 Seats
  • Price: $5000 CAD before May 1, $5600 CAD after.

MASTERING ADVANCED FUZZ TESTING TECHNIQUES ON UNIX

This comprehensive four-day training course is meticulously designed for professionals seeking in-depth knowledge and practical skills in advanced fuzz testing techniques on UNIX (Linux, MacOS, …). The course encompasses a thorough exploration of leading fuzzing tools such as AFL++, libafl, honggfuzz, and libFuzzer, providing an end-to-end perspective on the full fuzz testing workflow. We will look at targets with source code but also binary-only targets.

  • Instructor: Marc ‘vanHauser’ Heuse
  • Dates: June 24 to 27 2024
  • Capacity: 20 Seats
  • Price: $5000 CAD before May 1, $5600 CAD after.

SOFTWARE DEOBFUSCATION TECHNIQUES

  • Instructor: Tim Blazytko
  • Dates: June 24 to 27 2024
  • Capacity: 20 Seats
  • Price: $5000 CAD before May 1, $5600 CAD after.

Code obfuscation has become a vital tool to protect, for example, intellectual property against competitors. In general, it attempts to impede program understanding by making the to-be-protected program more complex. As a consequence, a human analyst reasoning about the obfuscated code has to overcome this barrier by transforming it into a representation that is easier to understand.

In this training, we get to know state-of-the-art code obfuscation techniques and look at how these complicate reverse engineering. Afterwards, we gradually familiarize ourselves with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.

SYMBOLIC EXECUTION WITH ANGR

  • Instructor: Jeremy Blackthorne
  • Dates: June 24 to 27 2024
  • Capacity: 30 Seats
  • Price: $5000 CAD before May 1, $5600 CAD after.

This is an 80% hands-on course with many demos, examples, exercises, and solutions. Exercises will be mostly x64 and ARM binaries for Linux, but we will also apply it to other architectures, such as MIPS and PowerPC. Although the theory behind symbolic execution is fascinating, we will only minimally cover it and will instead focus on the practical applications of angr.

Students are provided a preconfigured VM with all necessary tools and exercises. The instructor’s computer screen and voice will also be recorded during each day and provided for reference. Students can then review the recordings during the course and retain them for use afterwards.

WINDOWS INTERNALS FOR REVERSE ENGINEERS

  • Instructor: Yarden Shafir
  • Dates: June 24 to 27 2024
  • Capacity: 25 Seats
  • Price: $5600 CAD before May 1, $6000 CAD after.

Join the esteemed senior security researcher and endpoint security engineer, as she takes you along a deep dive into the internals of the Windows 11 Operating System.

Covering Windows 11 “23H2”, the upcoming “24H2”, and Server 2022, you’ll unravel the secrets of how GRU bootkits, PLA software supply chain implants, NSA backdoors, and other kernel and firmware malware work. You’ll learn how they, and others, abuse various system functionality, obscure mechanisms, and data structures in order to do their dirty work, and how you too can defend against it!

You’ll observe and experiment with how kernel-mode code operates and how it can be subject to compromise by user-mode attackers wishing to elevate their privileges, as well as how to detect, both live and forensically, such attempts. Finally, you’ll learn about how CPU architecture deeply ties into OS design, and how Intel’s and AMD’s mistakes can lead to more pwnage. This course is only taught twice a year, and this is your one and only chance to attend it in America!

We’ll cover the new Windows 11 kernel changes, including Kernel Data Protection (KDP), Kernel Address Sanitizer (KASAN) and Kernel Control-flow Enforcement Technology (KCET), and explain how the Trusted Platform Module (TPM) is used for Measured Boot. We’ll go inside the Octagon and learn about System Guard Runtime Assertions and the rewritten Secure Launch framework that leverages Intel TXT and AMD SKINIT for new DRTM-based attestation.

ADVANCED IC REVERSE ENGINEERING & DATA EXTRACTION

  • Instructor: Olivier Thomas
  • Dates: June 24 to 27 2024
  • Capacity: 24 Seats
  • Price: 5000$ CAD before May 1, 5600$ CAD after.

When it comes to encrypted devices, one person may want to gather embedded evidence, while another wants to check whether a hardware backdoor is present, or whether the component and/or its embedded firmware (boot ROM / user code) contains intrinsic weaknesses that an attacker could exploit. The primary goal of this training is to give digital forensics and security professionals, as well as government services, the skills, mindset and background information necessary to successfully:

  • Recover ICs’ internal architectures
  • Evaluate the efficiency of existing countermeasures
  • Extract NVM contents (ROM & Flash), in order to analyze and evaluate the security of the embedded firmware and extract secret information

Students will be shown how such information can be used to define easier methods to find and exploit firmware and hardware weaknesses, both for vulnerability analysis and for embedded evidence extraction. Concretely, students who complete this course will:

  • Find out how to perform low-level hardware reverse engineering
  • Develop analysis strategies for the target devices and apply these strategies to recover their embedded data

ATTACKING INSTANT MESSAGING APPLICATIONS

  • Instructors: Iddo Eldor and Jacob Bech
  • Dates: June 24 to 27 2024
  • Capacity: 25 Seats
  • Price: 5000$ CAD before May 1, 5600$ CAD after.

Few publicly-known hacks have inspired the imagination of security researchers as much as exploits against IM (instant messaging) applications. 0-click attacks aimed against applications such as WhatsApp, iMessage, and Telegram have raised unprecedented interest and have often caused political turmoil. Yet, in sharp contrast with the curiosity that IM exploitation generates, public information about this surface remains scant. This training is our bid to bridge the gap.

This course will provide students with the knowledge and hands-on experience in reverse engineering, vulnerability research, and exploitation of real-world IM applications. The target audience is advanced security professionals.

MACOS SONOMA AND IOS 17 KERNEL INTERNALS FOR SECURITY RESEARCHERS

  • Instructor: Stefan Esser
  • Dates: June 24 to 27 2024
  • Capacity: 25 Seats
  • Price: 5000$ CAD before May 1, 5600$ CAD after.

This course introduces you to the low level internals of the iOS and macOS kernels from the perspective of a security researcher interested in vulnerability analysis, kernel rootkit/malware analysis/detection or kernel exploit development. While this course concentrates on macOS Sonoma on the ARM64 CPU architecture, the latest security enhancements of iOS 17 and some differences from the x86_64 architecture will also be discussed. The course material has been updated from the previous runs of the training.

RISC-V SECURITY TRAINING

  • Instructor: Don A. Bailey
  • Dates: June 24 to 27 2024
  • Capacity: 20 Seats
  • Price: 5000$ CAD before May 1, 5600$ CAD after.

This Recon training program has been redesigned to suit Recon students looking for tactical exploit development skills when targeting RISC-V platforms. This training previously focused on the RISC-V architecture, CPU architecture security, and exploiting CPU design flaws. However, due to popular demand, this training has been augmented with guided laboratory examples for the exploitation of both CPU design flaws and software vulnerabilities at the firmware, kernel, and userland layers.

PRACTICAL BASEBAND EXPLOITATION

  • Instructors: Pedro Ribeiro and Seamus Burke
  • Dates: June 24 to 27 2024
  • Capacity: 24 Seats
  • Price: 5000$ CAD before May 1, 5600$ CAD after.

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim’s device by emulating a GSM or LTE base station as a difficult objective.

In reality, baseband exploitation is not as challenging! By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research — from setting up a fake base station using SDR and open-source BTS software, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them.

DCG 201 TALK HIGHLIGHTS FOR RECON 2024 (EST)

This is the section where we have combed through the entire list of talks on all three days and list our highlights: the talks that stand out to us. Note that this does not invalidate any talks we didn’t list; in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlight list. These are just the talks that, for us, had something stand out, either by being informative, unique or bizarre. (Sometimes, all three!)

Friday, June 28th

From Student of Compilation to Mother of Decompilation — 30 Years Edition

10:00–11:00 (US/Eastern), Grand Salon

Cristina Cifuentes
VP, Oracle Software Assurance

Having worked on a machine code interpreter for the Modula-2 language for my Compilers project in 1990 and later integrating it into a mixed GPM Modula-2 compiler/interpreter for the 8086 during the summer of 1990–91 meant that I was familiar with assembly language and had a notion of transforming an intermediate representation into executable assembly code. Enjoying compilers and hearing about the latest viruses that were becoming popular in DOS binaries raised my interest in looking into binaries/executable programs to determine how to reverse compile them back into a high-level language representation, to be able to aid with an automated tool in understanding what the virus code was doing. And hence I enrolled in a PhD in April 1991.

30 years ago, on 4th July 1994, I submitted my PhD thesis on “Reverse Compilation Techniques”. Little did I know that such a fun project, looking into 80286 DOS binaries and reading assembly, drawing graphs of groups of assembly instructions, understanding how parameters were passed in assembly language, determining what optimising compilers would do to optimised parameters and code, following variables through a function and the whole program to understand data flows and how variables were stored on the stack or memory; would result in techniques that would be picked up in the 2000s with the growing interest in application security.

In this keynote I give a retrospective on the decompilation PhD work, the growing interest on this technology throughout the past three decades, examples of commercial uses of decompilation, and conclude with an application of decompilation to develop a malware analysis tool.

To learn more about Cristina:

LinkedIn: https://www.linkedin.com/in/drcristinacifuentes
Twitter: @criscifuentes
Oracle: https://labs.oracle.com/pls/apex/f?p=94065:11:10856631025365:21

Cristina Cifuentes

As Vice President of Oracle’s Software Assurance organisation, I lead a team of world-class security researchers and engineers whose passion lies in solving the big issues in Software Assurance. Our mission is to make application security and software assurance, at scale, a reality. We enjoy working with today’s complex enterprise systems composed of millions of lines of code, variety of languages, established and new technologies, to detect vulnerabilities and attack vectors before others do. Automation is important, and so are security assessments.

Cristina was the founding Director of Oracle Labs Australia in 2010, a team she led for close to 12 years. As Director of Oracle Labs Australia, I led a team of world-class Researchers and Engineers whose passion lies in solving the big issues in Program Analysis. Our team specialises in software vulnerability detection and developer productivity enhancement — in the context of real-world, commercial applications that contain millions of lines of code. My team successfully released Oracle Parfait, a static analysis tool used by thousands of C/C++/Java developers each day. Our inventions have resulted in dozens of US patents at Oracle and Sun Microsystems, and our impact on program analysis is well known through our active participation and publication record.

Cristina’s passion for tackling the big issues in the field of Program Analysis began with her doctoral work in binary decompilation at the Queensland University of Technology, which led to her being named the Mother of Decompilation for her contributions to this domain. In an interview with Richard Morris for Geek of the Week, Cristina talks about Parfait, Walkabout and her career journey in this field.

Before she joined Oracle and Sun Microsystems, Cristina held academic posts at major Australian Universities, co-edited Going Digital, a landmark book on Cybersecurity, and served on the executive committees of ACM SIGPLAN and IEEE Reverse Engineering.

Cristina continues to play an active role in the international programming language and software security communities. Where possible, she channels her interests into mentoring young programmers through the CoderDojo network and mentoring women in STEM.

Breaking Z-Waves: How we use Symbolic Execution to find Critical RF Vulnerabilities

11:00–12:00 (US/Eastern), Grand Salon

New IoT Radio Frequency protocols like ZigBee, Z-Wave, OpenThread, and Amazon Sidewalk are becoming ubiquitous. While these protocols make our lives easier in many ways, they also represent an interesting cyber-security challenge: as an industry we’re adding all kinds of complex and novel RF attack surface to IoT devices within our homes and neighborhoods.

In this talk we’ll explore how we’re securing that new attack surface at Amazon Element55. We’ll bring you along on our journey from initial experiments with bug hunting in the Amazon Sidewalk protocol stack using symbolic execution tools like CBMC and Klee, explore some of the challenges we faced along the way with symbolic tools, and finally walk you through the discovery of a group of new critical vulnerabilities in the implementation of SiLabs Z-Wave protocol.

Oliver Lavery

Oliver Lavery’s interest in security was born in the Montreal BBS scene, and came of age when he discovered anyone could dial into DATAPAC…

Today he’s a Sr. Security Engineer at Element55, Amazon Devices and Services’ vulnerability research team. He has a few decades of experience in defensive and offensive software security, reverse engineering, and vulnerability research for clients in hi-tech, finance, and critical infrastructure.

Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code

13:00–14:00 (US/Eastern), Grand Salon

This is a hands-on talk about what you can do with the rev.ng decompiler, a FLOSS decompiler based on LLVM and QEMU.

We will guide the audience step-by-step through how to go from the raw bytes of a file (think, a firmware) to decompiled C code.

Then we’ll dig into rev.ng intermediate representation, based on LLVM IR, and show what tools can be used on it (e.g., KLEE for symbolic execution).

Finally, we’ll show how you can use standard tools such as CodeQL and clang-static-analyzer to find bugs in the decompiled C code emitted by rev.ng, which is always syntactically valid.

Everything that will be shown will be 100% reproducible by the audience in real-time using rev.ng.

Tales From The Crypt: Bug Hunting in the Windows CryptoAPI

15:30–16:00 (US/Eastern), Grand Salon

The Microsoft CryptoAPI provides functionality to perform digital certificate authentication, management and storage, encryption and decryption of data, and encoding and decoding of structured data. These are critical pieces of secure communications and present a rich attack surface, much of which is accessible via network protocols. This presentation will look at a vulnerability research effort into this area of the Windows operating system.

The road to finding remote code execution vulnerabilities is often paved with tears. Bugs may appear obvious in hindsight but in practice finding a weakness in the code and then actually triggering it can be anything but simple. Several RCE vulnerabilities were discovered during the research, the techniques used to find them and the journey to reaching them via a remote code path will be presented.

Erik Egsgard

Erik is a Principal Security Developer with Field Effect. With almost 20 years’ experience in the computer security field, he has found vulnerabilities across a wide range of software and operating systems including Windows, macOS, iOS and Android.

The Art of Malware C2 Scanning — How to Reverse and Emulate Protocol Obfuscated by Compiler

16:00–16:30 (US/Eastern), Grand Salon

Internet-wide malware command-and-control (C2) server scanning based on protocol emulation is a game-changing technique and one of the most proactive threat detection approaches. It allows real time blocking of malicious communications of a variety of known malware families. On the other hand, protocol reversing is a challenging task, especially when the code is obfuscated at compiler level.

In this presentation, I will detail how to reverse the C2 protocol of the malware used by one of the PRC-linked cyberespionage threat actors. The malware was obfuscated with multiple methods likely applied at compile time. In order to identify the protocol format and its encryption algorithm, I not only extended an existing tool to defeat more control flow flattening (CFF) and mixed boolean arithmetic (MBA) expression cases but also implemented another one to decode strings constructed polymorphically in stack area under the CFF conditions.

I will also explain how to emulate the C2 protocol. I validated the request/response data by implementing a fake C2 server and catching a real one. Then I developed a PoC scanner to narrow down true positives based on multiple clues such as TLS handshake errors, JARM fingerprints and HTTP header values authenticated by C2. I will demonstrate the scanner in the presentation.

The presented research techniques and findings will be beneficial to those who need deep malware RE.

Takahiro Haruyama

Takahiro Haruyama is a reverse engineer with over 15 years of extensive experience and knowledge in malware/vulnerability research and digital forensics. He has spoken at several notable conferences including REcon, Virus Bulletin, HITB, DFRWS, SANS DFIR Summit, and BlackHat Briefings USA/Europe/Asia.
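The control flow flattening and mixed boolean-arithmetic (MBA) rewrites that this talk has to defeat are compiler-level obfuscations. The block below is an added example written for this guide; it is not the speaker’s tooling and the obfuscated expressions in it are constructed. It shows the signature trick behind linear-MBA simplification: because a linear MBA expression is an integer-weighted sum of bitwise terms, two such expressions over w-bit words agree everywhere iff they agree on the inputs where each variable is 0 or 1, so that handful of values identifies the hidden operation and can be expanded into a canonical sum of minterms. Expressions are plain Python callables here (an assumption made for brevity; a real deobfuscator lifts them from IR), and the exhaustive 8-bit check at the end shows why the trick must not be applied to non-linear expressions.

```python
"""Recognising linear mixed boolean-arithmetic (MBA) rewrites by signature.

Added example for this guide, not the speaker's tooling. A linear MBA
expression is an integer-weighted sum of bitwise terms, e.g. (x | y) - (x & y),
which an obfuscating compiler may emit in place of x ^ y. Over w-bit words two
linear MBA expressions agree on every input iff they agree on the 2**n inputs
whose n variables are each 0 or 1, so that tuple of values is a usable
"signature". Expressions are plain Python callables (assumption for brevity).
"""
from itertools import product
from typing import Callable, Dict, Optional, Sequence, Tuple

Expr = Callable[..., int]


def signature(expr: Expr, nvars: int, width: int) -> Tuple[int, ...]:
    """Evaluate expr at full width on every assignment of 0/1 to its variables."""
    mask = (1 << width) - 1
    return tuple(expr(*bits) & mask for bits in product((0, 1), repeat=nvars))


def boolean_coefficients(expr: Expr, nvars: int, width: int) -> Tuple[int, ...]:
    """Recover F(b): the expression's value when each bitwise term is read as a
    single Boolean rather than a w-bit word.

    Full-width evaluation S(b) on 0/1 inputs is not F(b): a term such as ~x
    still sets the upper w-1 bits, so S(b) = F(b) + (2**w - 2) * F(0) mod 2**w,
    which solves to F(b) = S(b) - 2 * S(0). Results are returned as signed ints.
    """
    mask = (1 << width) - 1
    sig = signature(expr, nvars, width)
    out = []
    for s in sig:
        c = (s - 2 * sig[0]) & mask
        out.append(c - (1 << width) if c >> (width - 1) else c)
    return tuple(out)


def minterm_form(expr: Expr, names: Sequence[str], width: int) -> str:
    """Canonical rewrite sum_b F(b) * (literals selecting assignment b).

    Each product of literals is 1 exactly in the bit positions where the
    variables take pattern b, so the sum reproduces expr for every w-bit input.
    """
    coeffs = boolean_coefficients(expr, len(names), width)
    terms = []
    for bits, c in zip(product((0, 1), repeat=len(names)), coeffs):
        if c:
            lits = " & ".join(n if b else "~" + n for n, b in zip(names, bits))
            terms.append(f"{c}*({lits})")
    return " + ".join(terms) if terms else "0"


# Plain two-variable operations an MBA pass typically hides.
PLAIN_FORMS: Dict[str, Expr] = {
    "x ^ y": lambda x, y: x ^ y,
    "x | y": lambda x, y: x | y,
    "x & y": lambda x, y: x & y,
    "x + y": lambda x, y: x + y,
    "x - y": lambda x, y: x - y,
    "~(x ^ y)": lambda x, y: ~(x ^ y),
    "~(x & y)": lambda x, y: ~(x & y),
}


def recognise(expr: Expr, width: int) -> Optional[str]:
    """Name the plain operation with the same signature, if any."""
    sig = signature(expr, 2, width)
    for name, plain in PLAIN_FORMS.items():
        if signature(plain, 2, width) == sig:
            return name
    return None


def exhaustive_equal(f: Expr, g: Expr, nvars: int, width: int = 8) -> bool:
    """Brute-force ground truth at a small width; this is what catches an
    expression that is not linear MBA and only coincides on 0/1 inputs."""
    mask = (1 << width) - 1
    return all((f(*v) - g(*v)) & mask == 0
               for v in product(range(1 << width), repeat=nvars))


# Constructed obfuscated forms of the kind a compiler-level MBA pass emits.
OBF_XOR: Expr = lambda x, y: (x | y) - (x & y)
OBF_ADD: Expr = lambda x, y: (x ^ y) + 2 * (x & y)
OBF_SUB: Expr = lambda x, y: (x ^ ~y) + 2 * (x & ~y) + 1
NONLINEAR: Expr = lambda x, y: x * y  # same 0/1 signature as x & y, but not MBA


if __name__ == "__main__":
    for label, obf in (("OBF_XOR", OBF_XOR), ("OBF_ADD", OBF_ADD), ("OBF_SUB", OBF_SUB)):
        print(f"{label}: {recognise(obf, 32)}  ==  {minterm_form(obf, ('x', 'y'), 32)}")
    print("NONLINEAR looks like", recognise(NONLINEAR, 32),
          "but exhaustive 8-bit check:", exhaustive_equal(NONLINEAR, PLAIN_FORMS["x & y"], 2))
```

The signature lookup is what makes pattern-based simplifiers fast: a handful of evaluations replaces a symbolic proof. The minterm expansion is the fallback when no dictionary entry matches, and it is always correct for linear MBA. The 0/1 shortcut is only valid because every term is bitwise and the combination is linear; x * y has the same 0/1 signature as x & y, which is why a deobfuscator must classify the expression (or confirm with sampling, as exhaustive_equal does at 8 bits) before trusting a match.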

Decompilation Panel

17:30–18:30 (US/Eastern), Grand Salon

Saturday, June 29th

Seeing Through Themida’s Code Mutation

09:30–10:00 (US/Eastern), Grand Salon

Themida is a popular commercial software obfuscator which provides code virtualization and code mutation features.

While Themida’s code mutation is unanimously considered a weaker obfuscation scheme than code virtualization, there’s little to no public information on the feature’s implementation. As a result, it’s difficult to estimate the code mutation’s impact on an attacker’s reverse engineering flow.

In this talk we fill a bit of that gap by studying Themida’s code mutation in detail and looking for potential shortcomings.

We’ll use Binary Ninja and Python to understand how the code mutation works for x86–64 executables, ultimately automating its deobfuscation using Miasm and symbolic execution.

Erwan Grelet

Erwan Grelet is a security researcher currently working at Ubisoft in the Game Security team. He spent several years working as a low-level software engineer before that.
He is particularly interested in software reverse engineering, vulnerability research and software obfuscation.

Manipulating Malware: Forcing Android Malware to Self-Unpack

10:00–10:30 (US/Eastern), Grand Salon

Malicious Android applications use packing as the core technique to conceal payloads from manual and automated analysis. But what if we could force malicious Android applications to drop their payloads by unpacking themselves?

This presentation will introduce an automated and platform-independent method to autonomously unpack Android APKs. Java-based Android packers generate a unique stub per app whose sole purpose is to decrypt and load the malicious payload from inside Android’s Application subclass. I will describe the process for extracting and translating the Dalvik Bytecode, resources, and native code from these stubs into self-unpacking entities. Because the Android Framework is built on top of Java, the automation process must strip all Android-specific API calls and replace them with equivalent Java invocations. The new app can then be produced in one of two forms: a purely Java application that avoids Android emulator requirements, or a defanged version of the original APK after bytecode manipulation. This technique eradicates the need to write custom decryptors for packed Android applications while remaining entirely packer-agnostic.

I will demonstrate and equip attendees with BadUnboxing, a new open-source tool that automatically generates benign versions of Android malware to dump malicious payloads. I will also share my methodology for repackaging defanged APKs.

Laurie Kirk

Laurie Kirk is a Reverse Engineer specializing in cross-platform malware analysis with a focus on mobile threats. She also runs a YouTube channel (@LaurieWired) that covers all sorts of in-depth Malware Analysis, Reverse-Engineering, Exploitation, and security topics. She has spoken at multiple conferences including DEFCON, TROOPERS23, Objective by the Sea, KernelCon, BlueHat, and BSides Seattle.

A Tale of Reverse Engineering 1001 GPTs: The Good, the Bad, and the Ugly

10:30–11:00 (US/Eastern), Grand Salon

Back on November 6th, 2023, OpenAI unveiled “GPTs”, which are a custom version of ChatGPT that one can create for a specific purpose.
A week later, I started releasing a series of GPTs (ask_ida IDAPython GPT, ask_ida C++, etc.), and I was curious whether there’s a way to protect my GPT instructions (source code) and their knowledge files. Unfortunately, it did not take me too long to realize that protecting GPTs is a futile process for the time being.
Shortly after, I embarked on a journey in which I reverse engineered and studied more than 1000 GPTs (see TheBigPromptLibrary on GitHub) and learned a lot about their internals. I will be sharing my reverse engineering insights in this talk as well as 35+ GPT anti-reverse engineering techniques.

You would be surprised what you can find when researching and reversing hundreds of GPTs:
- Taunting messages trying to scare you away from reversing GPTs
- Creative LLM anti GPT-jailbreak techniques
- Pirated ebooks and rare documents
- Secrets and API keys
- The list goes on

Please note that this research was conducted with a strong commitment to ethics and education. All insights and techniques shared are for educational purposes, aiming to strengthen AI security and transparency. I advocate for responsible exploration and the ethical use of our findings to advance the field, not to exploit it.

Elias Bachaalany

Elias is a programmer at heart and a passionate reverse engineer with focus on Windows OS and the x86 architecture. Elias loves writing and teaching and is a big fan of IDA Pro and loves sharing his knowledge about that product (he runs the AllThingsIDA YouTube channel).

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and DCI/EXDI

14:00–15:00 (US/Eastern), Grand Salon

For the first time, JTAG debugging tools for x64 are available to the general public. Using EXDI to connect WinDbg with the SourcePoint debugger, and Intel Direct Connect Interface (DCI) on the AAEON UP Xtreme i11, Windows Hyper-V and Secure Kernel can be debugged as never before. This presentation and demonstration will cover run-control, VMM breakpoints, Intel Processor Trace, Architectural Event Trace and other new technologies on an off-the-shelf HV/SK/VBS enabled target.

Alan Sguigna

Although he does have a day job, Alan Sguigna has been moonlighting for 10+ years doing JTAG debug of UEFI targets. Having tired of that, he convinced a bunch of developers to enhance their existing UEFI tools to debug the Windows kernel as well, including Hyper-V and VBS-enabled targets.
Author of The MinnowBoard Chronicles and a prolific blogger on technical topics, Alan enjoys simplifying complex topics, and making knowledge accessible to all.

Ivan Rouzanov

Ivan Rouzanov is a seasoned software engineer with over three decades of experience, focusing on debugging software within the Windows environment. Throughout his career, he has had the privilege of contributing his expertise to esteemed tech companies such as Microsoft, CrowdStrike, and Intel. With a genuine passion for untangling the intricate web of software bugs, Ivan has debugged and resolved numerous issues, amassing a wealth of experience along the way. He is dedicated to continuous learning and improvement, and firmly believes in sharing knowledge!

DaBootZone: Breaking the DA1469x BootROM

16:00–17:00 (US/Eastern), Grand Salon

The Renesas DA1469x family of chips are used in various industrial and IoT applications due to their low power consumption, high integration capabilities, and advanced security features, including SecureBoot and firmware encryption. In this presentation, we will present a novel BootROM vulnerability allowing the bypass of secure boot and recovery of encrypted firmware images, as well as walk through the process of discovering and exploiting these vulnerabilities.

This talk provides a detailed overview of the process of analyzing and attacking the DA1469x bootrom’s security features, detailing the path from 0x0 to 0x24242424.

Attendees will gain a deeper understanding of the process of reverse engineering bootroms for security assessments and vulnerability identification, as well as insights into the techniques and tools used in this process. The presentation is intended for researchers, security professionals, and those interested in embedded systems security.

Chris Bellows

Chris is a Research Science Director at Atredis Partners leading and executing highly technical embedded, network, application, and red team assessments, as well as complex reverse engineering and exploit development projects.

Binary Golfing UEFI Applications

17:00–18:00 (US/Eastern), Grand Salon

Have you ever wondered how UEFI applications are loaded? Have you ever wondered what the smallest possible UEFI application could be? Let’s make an ultra tiny self-replicating UEFI application and answer both of these questions!

The smallest self-replicating UEFI application was developed as a submission to the 4th Annual Binary Golf Grand Prix. This talk will cover UEFI, the UEFI x64 ABI, writing UEFI applications in x86_64 assembly, Tianocore EDK2 image loader internals, QEMU automation, and binary golf strategies for UEFI PEs.

The purpose of this talk is to peel back the layers of abstraction that UEFI provides, reveal how applications actually work, and explore what can be accomplished with tiny payloads. It will also touch on techniques to obfuscate hand crafted binaries to reduce chances of detection.

netspooky

Netspooky is a security researcher. He is the founder and organizer of the Binary Golf Grand Prix, cofounder/editor/art director of Linux VX zine tmp.0ut, and was the art director for ThugCrowd. His research background includes protocol reverse engineering, file format hacking, industrial control systems, firmware dev, and embedded device security. His work has appeared in tmp.0ut, BGGP, PoC||GTFO, VX Underground, Defcon and others.

Sunday, June 30th

Cryptography is hard: Breaking the DoNex ransomware

09:30–10:00 (US/Eastern), Grand Salon

In recent years, ransomware has been one of the most prolific forms of cybercrime, with financial gain as the primary motive. The problem keeps getting bigger, with a new operation seeing the light almost every month. While reverse engineering ransomware is fun, it also serves a greater purpose: can we find a vulnerability that allows us to decrypt a victim’s files without interacting with the criminals?

Enter the DoNex ransomware, a new operation that has entered the scene very recently. They have a leak website on the dark web where some victims have been named and shamed. Reverse engineering of a DoNex sample revealed a vulnerability that allowed us to decrypt every encrypted file for victims under a trivial condition. To help victims recover from a ransomware attack, we published a decryption tool on the NoMoreRansom platform, an initiative from a number of parties including the Dutch National Police to keep ransomware operators from extorting victims.

In this talk, we will dive into the technical details of DoNex and how we exploited a vulnerability to decrypt files affected by DoNex without the need to negotiate with the cybercriminals.

Gijs Rijnders

Gijs is a cyber threat intelligence analyst and malware reverse engineer at the Dutch National Police where he defends the Police organization from cyber attacks. He previously worked at the CERT of Tesorion, a Dutch cyber security company where he reverse engineered various ransomware families and published decryption tools to the NoMoreRansom initiative to help victims recover from attacks.

Architecture Analysis of VMProtect 3.8: Demystifying the Complexity

11:00–12:00 (US/Eastern), Grand Salon

VMProtect stands as one of the most sophisticated software protection systems employed in obfuscating malware. Increasingly utilized by malware authors, it is crucial for reverse engineers to understand potential attack vectors and key functionalities. This presentation delves into the latest architectural changes of VMProtect 3.8, sharing insights from our extensive research.

The focus will be on the new architecture for the latest VMProtect and techniques for attacking or reversing protected binaries. I will demonstrate how reverse engineering techniques — such as symbolic execution and binary instrumentation — can facilitate the de-virtualization or de-obfuscation of the protected code. Tools like Dynamic Data Resolver (https://blog.talosintelligence.com/dynamic-data-resolver-1-0/), which I wrote earlier, will also assist the reversing process. The research will extend and update former research done on VMProtect like Jonathan Salwan’s work (https://github.com/JonathanSalwan/VMProtect-devirtualization) or projects like https://blog.back.engineering/17/05/2021/.

Attendees will gain a comprehensive understanding of VMProtect’s inner workings and the ability to develop their tools for analysis, tailored to keep pace with VMProtect’s continual evolution.

Importantly, I will discuss whether malware authors deploy VMProtect effectively or make configuration errors. While sometimes daunting, these protections can often be reversed within hours; however, there are instances where the complexity significantly escalates. The talk aims to help attendees identify these variations and will highlight the historical improvements and usage statistics of VMProtect in malware, underscoring the importance of focusing on this technology.

Structure of the Talk:

  • Introduction to VMProtect
  • Operational Mechanics
  • Feature Set Overview
  • Architectural Changes in Version 3.8
  • Exploring Attack Vectors (Reverse Engineering Techniques, Symbolic Execution, Binary Instrumentation)
  • Analysis of Efficacy (Making a Judgment, Exploiting Configuration Errors)
  • Successful Attack Examples
  • Tool Development Strategies

This talk is designed to empower researchers to better understand and combat the challenges posed by VMProtect, fostering a more profound knowledge base and enhancing custom tool development capabilities.

Holger Unterbrink

Holger is a longtime security enthusiast, with more than 25 years of experience in the information security industry. He started his career as a penetration tester and is now working for Cisco Talos as technical leader in the malware and threat hunting sector. He finds new, cutting-edge security threats and analyzes their components. Holger gave talks at international security conferences such as Recon, BlackHat, HackInTheBox, ISC, NorthSec, CiscoLive and others. He is also the author of several offensive and defensive security tools and won the IDA plugin contest with his Dynamic Data Resolver (DDR) IDA plugin in 2020. Recently, he did extensive research on reversing Nim binaries (Recon talk 2023).

WatchWitch — The Apple Watch Protocol Stack from Scratch

14:00–15:00 (US/Eastern), Grand Salon

We take a deep dive into the wireless protocols that power the Apple Watch and its deep integration into the Apple ecosystem, reversing and re-implementing them as we go — starting from foundational transport protocols all the way up to synchronization of sensitive sensor data. Along the way, we will encounter many a proprietary protocol, flawed implementations of standards, and homebrew cryptography endangering Apple’s famously strong security.

Nils Rollshausen

Somehow — and without ever having owned more than an iPod — Nils fell down the Apple rabbit hole and now spends their days reverse-engineering Apple’s devices and uncovering the bits of magic hiding inside the machines that surround us every day. After a long day of breaking things with Frida in new and interesting ways, they also enjoy building new stuff once in a while. Currently, they are pursuing a PhD in computer science at the Secure Mobile Networking Lab (SEEMOO) of TU Darmstadt.

GOP Complex: Image parsing bugs, EBC polymorphic engines and the Deus ex machina of UEFI exploit dev

16:30–17:30 (US/Eastern), Grand Salon

BIOS Hacking is back and it’s badder than ever.
Legacy BIOS is old news and UEFI is the new reigning queen bee of Platform Firmware implementations. This changing of the guard brings new challenges and mitigations for bootkit writers to thwart and bypass, as well as the opportunity for creative exploits and groundbreaking techniques in UEFI exploit development.

This talk is a deep-dive on UEFI reverse engineering and exploit development, with a focus on new and creative UEFI exploit dev techniques. It will also cover strategies for finding new exploit targets within UEFI. Applicable both to seasoned veterans of UEFI/BIOS exploit dev, and those looking to break into the space, I’ll cover both UEFI RE and exploit dev essentials and new techniques to take your UEFI PoCs to the next level. This talk combines hardware hacking and platform firmware reverse engineering and exploit development and will cover the following:

  • UEFI software testing/debugging techniques with emulators
  • UEFI hardware debugging and testing techniques
  • UEFI reverse engineering
  • Assembly programming techniques for developing UEFI shellcode on different architectures (x86–64, aarch64 and EBC)
  • PCI Option ROM hacking

What happens when you combine the exploit primitives in a vulnerable image parsing driver impacted by LogoFAIL, PCI Option ROM hacking, the oft-forgotten and neglected EBC (EFI Byte code) architecture and a dash of low-level graphics programming?
GOP Complex.

Nika Korchok Wakulich

Nika Korchok Wakulich (aka ic3qu33n) is a hacker/reverse engineer/artist based in Brooklyn, NY. She is a Security Consultant at Leviathan Security Group where she works on a range of penetration testing engagements, with a focus on hardware, firmware and embedded security. Outside of work, she combines her artistic practice (woodcut prints, painting, drawing, etc.) with her independent security research on passion projects in different areas of security.

She has presented her security research at a number of InfoSec conferences including REcon, OffensiveCon, Hushcon, and BSides SF. She is a contributing writer for a number of hacker zines, including tmp.0ut and VX-Underground Black Mass.

When she isn’t making art, reverse engineering or making art as a part of her reverse engineering process, she enjoys learning languages, skateboarding, and taking long walks (à la Paul Erdös).
You can find her online, in a few of the various corners of the internet she frequents at:
- Twitter: @nikaroxanne
- GitHub: @ic3qu33n and @nikaroxanne
- Website/Portfolio: https://ic3qu33n.fyi
- Mastodon: ic3qu33n@infosec.exchange
- Keybase: @ic3qu33n

Written by DCG 201

North East New Jersey DEFCON Group Chapter. Dirty Jersey Represent! We meet at Sub Culture once a month to hack on technology projects! www.defcon201.org
