Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017

Captions
So, like Ed said, I'm looking to, in 30 minutes, make you reverse engineering experts. No, but seriously, I want to try and demonstrate some of the benefits of why you should, if you don't already have the skills in reversing and even in exploit development, why you should head there, and I'm happy to hopefully answer some questions at the end. I will try to be as quick as possible. I am one of those individuals, as you can see, I brought my own laptop, because I'm hoping we're far enough down in the basement that the demo gods can't reach, like my cell phone can't really reach down here, because I'm one of those people that has to always show demos or it drives me crazy. But we're looking for a smooth, no-problems demo session today, so we'll see how that goes.

Now let me say a couple things here to kind of explain what I'm gonna be talking about and why. Here it says, "but I'm a pen tester, why should I care about coding, reversing and exploit dev?" Having taught for over ten years with SANS, especially in penetration testing type courses, that's a common attitude. I have a lot of people who say exploit dev is not pen testing, reversing is not pen testing, and that's why I put there on the bottom: exploit dev is in the GXPN, which is in the 660 course, and the OSCP from Offensive Security, which is another very popular certification. So if it's in those courses, and if things are just getting harder and harder as we go forward (I'll show you some examples), you absolutely should be at least scripting, at least understand how to do basic reversing, how to look at something like a Metasploit script and understand what's going on. So if you have to change something... I've seen it many times where if someone would have simply changed one little byte or one little offset in that script they could have gotten the exploit to work and they would have won the pen test or the capture the flag, but they didn't know how to do it.

So just a quick rant about the past and present. I sound like, you know, an
old person here saying, back when I was a kid I walked in the snow for 20 miles to get to school. Back when I started there were not many jobs in the field of exploit dev and reversing, malware, and that's early 2000s, and nowadays there's a ton. I live in Berkeley, California, and around the Bay Area there are a ton of jobs; recruiters can still find enough people with the skills in C, C++, Objective-C, assembler to be able to fill the positions that they need. C and C++ will never go away. Some people are, like, waiting like it's gonna go. No, it's not gonna go away, because it's a low-level language, it's extremely powerful, you've got direct control over registers and memory and hardware, and it's extremely fast. Just a simple example: there's a tool I use a lot called BinDiff, which is binary diff, and it allows you to take two versions of a file, like an unpatched application and a patched application, to identify the code changes inside. When I use BinDiff, which was acquired by Google (it used to be Zynamics), it's very, very fast. When I use another fantastic tool, but it was written in Python, called Diaphora, by Joxean Koret, brilliant tool, absolutely brilliant guy, he's donated and given so many things to the security community, but my point is it's 10 times slower sometimes. It's just a high-level language, it's just a lot slower as it goes through and tries to do these low-level operations. It's just an example there.

But the number of people who knew how to write exploits was very, very low. I think I just saw on Twitter a couple days ago it was the, I don't know, 50th anniversary of Aleph One's "Smashing the Stack for Fun and Profit." You know, that was back in the mid 90s, and I remember people saying memory corruption bugs are dead, they're going away, right? Those attacks are going away, they're gonna be gone. And here we are in 2017, they're still there. It's the exploit mitigations that are blocking the ability to successfully exploit them a lot. They're trying to mitigate
bug classes by preventing you from attacking them. And compared to today, I'll just say exploit writing back then was easy. If anyone misses that world, like Pearl Jam and Soundgarden and Nirvana, the IoT world is there for you, and it is like getting the 90s back, which is fantastic. But Windows 10 with the latest Fall Creators Update, man, it's hard. They've now put it into Windows Defender and it's absolutely powerful in terms of stopping attackers from being able to exploit a system. Not... it's not stopping everything, of course, I wouldn't be doing it, but it's a lot more challenging. And at the end of the day, I know that's a very overused meme, but you don't want to be that person, right? I feel like that every day still, no matter how far I think I get in my career. But you want to be, and that's why I love telling people in the courses I teach, you want to be that person who solves problems where other people are failing. You're that just clever person who comes up with these brilliant and creative solutions to solve hard problems. If you go and interview down at places like Google and VMware and Facebook and all these other companies out by where I live, you go into the interview room, there's gonna be a bunch of whiteboards around the room, and when you see that going into an interview, be afraid, because that means you're gonna be composing code on the walls. And they expect you... they'll even tell you (I'm making this up, because you know Google can listen to all things and they'll know if you gave away an interview question), but they'll say something like, "we want you to solve the binary hash table collision problem using this pseudo language with the following constraints, composing on the whiteboard for us." It's like, oh. And a lot of times the problem's not even solvable; they just want to see how you approach it, and if you at least try, and where your brain goes, and that really helps them determine whether or not you're a good fit for the organization.

So this, I'll just
put it up there. I don't know, I love that photo, I don't know why. It makes no sense if you first look at it, so look at my entire dog. But to me that's the attack surface of Windows XP: like it's all reachable, there's no protection on that dog. And Windows XP is still out there, sadly, in some places. I have a friend who works at Riot Games and he said that XP is still common in China with video game users, because they don't want to get away from XP, because they can do cheats on these games, and if they move off XP to camp they've been that way the company could upgrade XP. Also, of course, there are ATM machines out there and other environments. I heard about one big 8 see in Australia who's not getting off of Windows XP until 2018. So it's still out there, but we shouldn't, I mean, it shouldn't be, right? I just made this funny little thing: that's XP on the left compared to Windows 10 on the right. For someone who does exploit dev, it's hard, I will tell you. And a lot of people come to courses and they say, how come we're not starting with Windows 10 64-bit with the Fall Creators Update available and just going at it? And I always say you can't. If you're gonna teach math for the first time, you're not just gonna start with calculus, right? You're gonna learn the basics and algebra and those types of things and work your way up. You can't jump in and attack that dog.

So this is a quick note, low-level versus high-level languages. There's no specific formula here, specific classification, but, you know, easier languages, higher level, like PowerShell and Python, Lua and Perl, and then you work your way down, you get to medium-level languages like C# and Java, then you get up higher into the harder stuff like C and C++. Eventually, you know, you get those binary ninjas who can just pound out opcodes and write a whole program that way. The lower-level languages are typically what we refer to as unmanaged code, unmanaged meaning that you can get yourself into a lot more trouble,
you've got a lot more power, you've got the ability to do many, many things that you can't with the higher-level languages, but they're dangerous, potentially. I mean, now all of our kernels, our operating system kernels, our big applications like the Microsoft Office suite, Adobe, those are all C/C++ low-level applications.

So let's get into reversing a little bit. Disassembly is the practice: up on the left there we've got the machine code, right? Then you can look at it in binary or hexadecimal, but when we think of opcodes we're looking at hexadecimal opcodes that are specific to an instruction set tied to an architecture like MIPS or ARM or PowerPC or x64. So on the left you can see it says 90, and it's the infamous NOP instruction if you're on x86. So those are the opcodes on the left, and on the right over there those are the instructions and operands. So 90 maps to nop, no operation. EB is the opcode for the instruction jmp short, and then you can see we're saying jump short 16 bytes, and then 50 is the opcode for the instruction push, the accumulator register, onto the stack. So I'm just showing you what the process of disassembly is: you're taking machine code and you're disassembling it into its mnemonic instruction that's more human readable, and then we can go further than that, of course, and go all the way up to decompilation and get back to some sort of C-like pseudocode.

So, two flavors of disassembly syntax, Intel and AT&T. As you could see, I crossed out AT&T, but it does exist. For some reason Intel people think that AT&T people are insane, but really the big differences are the source and destination are swapped. So I have an example down there on the bottom, and you can see the top one says Intel, 89 04 24, those are the opcodes, and as you can see with Intel or AT&T they're the same. So this is disassembly syntax; it's the way you would like it shown to you. It's not changing the code at all, it's just how it displays it to
you. So in Intel we would read that top instruction as: move into the top of the stack whatever is stored in the accumulator register. So we're saying that the destination is first and the source is second. And then the bottom one in AT&T, we're looking at it where we say movl, which means move long, a 32-bit integer, or here, move long whatever is stored in that indirect operand (the percent sign means indirect), whatever is inside the accumulator register, into the top of the stack. How do we know top of the stack? Because there's parentheses around it, which indicates it's a pointer. If we didn't have the parentheses, or the square brackets above, we'd be saying copy the contents of one register into another register, but here, since we put the little pointer syntax, we're saying move it to that destination. So just one thing to keep in mind is, if you can read one you can read both. If you look at gdb, the GNU debugger, it defaults to AT&T typically, but you can change it. If you look at something like Immunity Debugger or IDA Pro or WinDbg (or "WinDBG," as this one Italian student I had a few months ago called it, which I think is way better), that's gonna be in Intel syntax by default.

So a quick recommended resource. If you're familiar with Chris Eagle, who's a brilliant reverse engineering expert at the Naval Postgraduate School in California, his team Sk3wl of r00t won a couple of years in a row at DEF CON, you get the black badge, in the CTF challenge, and then they ran the game for a couple of years. Brilliant reverse engineer. He wrote The IDA Pro Book, the unofficial book, and Ilfak, who is the lead architect and owner of Hex-Rays, who makes IDA, says we're not even gonna bother writing a manual because this one's better than we could ever do. So I highly recommend that. There's also resources like the Hex-Rays forum (you have to have an active license), there's plugins available, there's a plugin contest every year that Hex-Rays has. IDA 7 finally came out, which is great because it's now a true
64-bit application, but they did redesign the API, so all of your plugins don't work anymore, you have to port them over, which, you know, is not too big of a deal, but it's cleaned up, it's much, much nicer.

So what is IDA, real quickly? It's an Interactive Disassembler, is what it stands for. It allows you to do what I showed you a couple slides ago: take machine code opcodes and convert them into their mnemonic instruction. And there's a couple different types of disassemblers: there are recursive descent disassemblers and linear sweep, I'll explain both of those in a moment. They can disassemble many different processor architectures, many. It supports remote debugging, we'll talk about that for a second. It allows you to view cross-references. It just expedites your ability to reverse engineer exponentially, and, like I say at the bottom, a tool that makes you visually look and feel smarter, because you have that up on your screen when somebody walks by. But like we're keeping that guy... The first time I pulled up IDA, that's what I saw. It's complicated at first if you don't know where to start. And yeah, it's extreme Donkey Kong, I was bored one day on a conference call and made that. And what you see there, though, that's a graphical display, that's a graphical disassembly in what's called recursive descent mode, and it makes it much more easy to follow the paths because we can visualize it.

So the disassembly types: linear sweep means start at this entry point and go one instruction at a time, disassembling onward. So it's linear sweep, start here, just disassemble down; that's what most disassemblers do. IDA is a recursive descent disassembler, which means that you start at one block and it understands things like conditional branches, it understands things like switches, or how data can be commingled in, and what that looks like is here. If this were linear sweep you would not see what you see on the slide there; you would just see all the disassembly in a row with no separated blocks
like that. The advantage here is you can see up in the top, I know it's kind of small on the screen, but it says compare what EAX is pointing to to what's stored in ESI, and those are processor registers. So it's basically just a comparison, and if the comparison is a match, so if we're comparing two strings, for example, and the strings are equal, we're going to set something called the zero flag, and then you can see this conditional jump that says jump if zero, jump on zero. It's gonna check the result of that comparison to see if it was true or not, and it's gonna go one direction or the other. So again, it allows you to much more easily visualize what path your code is going to take, or the process is going to take.

Here's our primary dashboard. Let me just jump over to IDA here for a moment. So here's IDA, and again, if you've never used it before, it's a lot to just digest by looking at it on the screen. The big window in the middle is your disassembly window, and it's in recursive descent mode right now. If you hit the spacebar it switches it over to more of a linear sweep view. It's still recursive descent, because on the left it actually shows you where things are going, but this is more of a disassembly kind of linear sweep. And there again is your graphical view, your recursive descent. Over on the left, the big window here is your functions, so that's all the internal functions in the program. You have, of course, a graphical overview, you've got at the bottom there on the left your log window. And if you've taken a SANS course with me in the not-too-recent past you'd probably see me show you this, because this was a big deal to me. How many of you have used IDA before? Quite a few. So I've just done something horrible here, what did I do? I undocked a window in IDA. How dare me. You don't do that, because what I used to think was, once you did that you can't redock it, because you grab it and you start going around and it doesn't want to redock anywhere. You can
fullscreen it, but no redocking. And I took Chris Eagle's advanced IDA course at Black Hat many years ago just to see if I was missing anything for 768, it should be in there, and I was like, raised my hand, like, Chris, how do I redock? He's like, I've got this. He's like, see that little gray bar between the top and the main window? Just very gently hover over it and it expands, then you can pull that down and you can redock it anywhere you want. I was like, yeah, worth the price of the class, okay. So things like this, little things, right? I showed my wife when Jesus liked it. So we've also got a bunch of panes up here, like your tabs up here, like we can look at the import address table and the export address table. By the way, how much time do I have left? Someone help me. Sweet, that's perfect. All right, so we've got all that fun stuff to look at. Now if we want to zoom in, it's one problem with IDA, it's not really a problem, it's just like using vi or vim for the first time, right? No one lets you get stuck and you feel dumb, you're like, how do I get out of this? What do you mean you hit escape and then colon and then exclamation point in vi, how did you not know that? And then once you live in vi and vim for a while you're like, wow, this is an amazing tool, it's powerful, I love it. This is similar. It's like 1 and W, zoom in and zoom out, but if you didn't know that then you wouldn't know to hit those buttons. But there's, you know, a list of shortcuts you can pull up and you can modify it, and there's lots of templates out there and registry changes you can make to kind of design it the way you want. So if you want to zoom in we can just click on a block here and then hit 1 and we zoom into the disassembly there. Let me jump back out to the slides for a moment. We looked at that. There's our imports. Imports are important because if you have dynamically linked a program, so you're not statically compiling it where everything you need... I do the silly
analogy like, if I was gonna come over to your house and I was going to cook food, and I show up, I don't think... I'm good at cooking Thai food, and I'm gonna bring my stuff over to your house and cook it at your house. And I knock on the door and you're like, hey Steve, come on in, and I have a truck outside and I'm bringing my stove and tables and everything I could possibly need to make this meal. That would be static compilation. I wouldn't do that, right? I would bring over just the ingredients, because I assume that you have all the rest of the things that I need, my dependencies. So when I get to your house then I have to do what's called linking: I say, where is your stove, and you say it's over there, and now I've linked it. So all of those dependencies are stored in your import address table in Windows, or if you're on Linux it would be in your procedure linkage table and your global offset table, and again, those are dynamic dependencies that have to be linked at runtime. If we do statically compiled things then I bring things along, but you're really not supposed to do that for various reasons. One, it makes your program unnecessarily large, and also, if you statically compiled a dynamic link library into your program and then someone discovers a vulnerability in that DLL and Microsoft patches it, too bad, you've statically compiled the old version in, so the program's going to use the vulnerable version.

Another important thing is, if you can get them, debugging symbols. These will save you. If you've done malware reverse engineering then you're not lucky enough to get symbols, typically. One time, I was at Wells Fargo as a security architect for many years, and they asked me to look at some malware and the symbols came with it, a symbol file came with the malware. I'm like, that's odd, the developer must have made a mistake. And I open it up and link, put the symbols in, and it's all profanity, the names. So somebody was trolling. It's like, well played. So, but this over on the
left, you know, it says sub_ and then some hexadecimal address. If you don't have the symbols for those functions, that's what they're named, and that doesn't help you very much. Like if I say, I notice the laser pointer's not very bright, but if I say what's that function right there in the middle, who knows? But if we look to the right we can see it says load cursors and icons. So function names, or symbols, are very, very helpful when reverse engineering. So Microsoft is nice enough to give them to us. I don't think that they want to give them to us, but they have to give them to us, because developers need to be able to look at the symbols when they're debugging their applications to run on Windows. They don't give us the symbols for libraries associated with Microsoft Office, for example, because they don't have to. But symbols are immensely useful in speeding up your reversing.

Alternatives to IDA, because IDA does cost money. IDA 7 just came out, you know, I can't remember exactly how much, but like seven hundred dollars for the 32-bit version and double that for the 64-bit version. But you can use radare2; it's an open source, free disassembler and does many other things as well, and it's fantastic, lots of community support. And then Hopper is a commercial but much cheaper alternative to IDA as well. But at the end of the day most people will use IDA at some point if you're working in a big company and you're doing lots of reverse engineering. But these are fantastic tools.

Remote debugging is something you want with a disassembler. It's got support for WinDbg, it's got support for remote gdb servers, all kinds of different devices, you can see a list there in the middle, that's just a sample of them. What you're doing here is you're using IDA as your front end. Like one thing we cover in 760 on day one is how to set this up, because if you're inside gdb on Linux and you're using a command line debugger it's not very intuitive and you might want something
graphical. So you could use DDD or EDB or one of these other versions, or you can use IDA as your front end. So you run a little stub, a little application, it runs on Linux and it debugs locally, but it opens up a socket and it waits for IDA to connect, and then you're able to go and do your debugging with IDA as your front end. It makes life a lot more, you know, attractive visually.

Here, IDA SDK and automation. One thing that would greatly help you if you utilize it is scripting, IDA scripting. You can use the native IDC scripting language, but most people use IDAPython, which I'll show you some examples of here coming up. You can also write plugins in C++, and you're going to be very, very fast, of course, but then you have to compile them and it's a lot more difficult if you're not a programmer to write a plugin versus getting something working like IDAPython scripting. But if I had to manually do the things that I need to do when I'm reversing and doing exploit dev, I would not be effective, it would just take way, way too long. And a lot of what I do in my home life and my career is exploit development. I write exploits. I've sold over, probably I would say, fifty to sixty exploits now. Not too long ago I sold a Windows 10 kernel exploit, and those can be very lucrative. So anything you can do to cut corners, to automate bug hunting: the more you learn about bugs, the more you can write scripts to go and find instances of what are potential bugs. So IDAPython, I'll just show you some examples here in a moment, but it replaces the interactive box at the bottom of IDA, and by default on newer versions of IDA, IDAPython will be what's there. You can click on it and change it to IDC if you want.

This right here, let me show you a couple, because this is hard to explain. There's something called stack pivoting, and I drew this, I brought my little drawing pad here to see if I can get this working, to show you what this actually does. But so
let's say we've got... it's actually working, yes it is working, all right. Let's say we've got the stack over here, and the stack, if you're not familiar, is the procedure stack for the process. Every thread gets a stack and it's used by functions. So if a function gets called, that function gets its own little allocation on the stack called a stack frame, that's all it is. So again, to simplify, when a function gets called, every function gets a little stack frame which is able to store local variables and things like that, allocate buffer space. They're finite in lifetime though, because when the function is done, we just terminate, we just tear it down. So there's some powerful registers over here. One's called the stack pointer, I'll put ESP for 32-bit, extended stack pointer, and there's three, and I know a lot of you know this answer, what are three instructions that are extremely powerful associated with this pointer? Push, pop and return, yep. So push, pop and ret. Those only take action on this register here, and they're extremely powerful, because the push instruction will push whatever you tell it onto the stack where the stack pointer points, the pop instruction will pop off the stack into a designated register whatever you tell it to pop, and then the return redirects the instruction pointer to that address, where it continues execution of code. So if you can get control of the instruction pointer, that's the most powerful register, of course, but the stack pointer is what we rely on heavily for things like return oriented programming because of those three instructions.

So a lot of times what happens is, I'll draw really quickly, you've got like a C++ object out here, and you've got a virtual function table. So I'll put C++ object, and at the top of the object there's something called a virtual pointer, vptr, and it points to something called a virtual function table, and inside the virtual function table are a bunch of slots, and these slots have pointers to virtual functions. This is called indirection, and indirection
is typically seen as bad, and C++ loves indirection. My joke, my analogy, is if you call a pizza place and you order a pizza to be delivered to you, you have no... you just trust the pizza. What could happen to that pizza? We don't think about those things. Versus you go to Whole Foods, you know, you want to spend a lot of money, you make your own pizza at home, and you know it's safe because there's no indirection: you bought the ingredients, you cut them up, you cooked it, you ate it. That pizza coming from a delivery place could have gone on some Pulp Fiction style adventure on its way to your house and you're just trusting it. This is indirection. So we take advantage of this by exploiting this with type confusion bugs and use-after-free bugs, and the problem here that I'm trying to demonstrate with pivoting is, you've got the accumulator register, which points out to the virtual function table right now, and the stack pointer, that points to the stack, and what we want to do is pivot. We want to hit this instruction that says exchange EAX with ESP. I know my handwriting is atrocious, but by exchanging these, that means the stack pointer will point out to here after we've done some kind of use-after-free exploit, and then we can take advantage of those instructions there that we like so much.

So this silly drawing here I did, I found it from years ago, I made it. It's Sam and Frodo from Lord of the Rings, and remember the scene where he's like, I haven't been this far from the Shire, Sam, or something like that, and it's like, it'll be okay, it'll be an adventure. Like, that's stack pivoting. Sometimes my analogies are great, sometimes they're awful, but I'm okay with that. You should have seen the one I did at RSA a couple years ago. I explained use-after-free by a kid's hamster dying while she was at school, and then the parents go into a pet store, replacing the hamster so she wouldn't know, but it was a malicious hamster, and the audience is like, whoa. And then I had
James Lyne explain that part, because James Lyne has a very, you know, attractive British accent and can pull that stuff off way better than me.

So I'll just run an example script. So if we look at Notepad++ here, there's a few lines of code, and you could do it in fewer lines of code if you wanted to, and all we're doing here is a little bit of Python, but we're interacting with the APIs in IDA, and it's going through looking for C3 94. 94 is the opcode for a stack pivot and C3 is a return, and if it finds them in the code then it will tell us. So here I've got my guys up, so I double-click it, and you can see on the log window it's going through Sophos antivirus' main engine and it's looking for stack pivot instructions, at least it's supposed to be. Hey, there it goes. So you can see it found one, and it's going through and finding a bunch of them now. So by scripting we can go through an input file and we can find instances of code sequences we want to use in our exploits. Like if you've ever run a Metasploit script and it does what's called a jmp esp, which is a very common old stack technique, and it's broken. Like I used to do an interview where we did that... ten, thanks. I used to do an interview where we did that. I'm one of those interviewers, I have you come in and you sit down and I'm like, we can talk all day, but instead we're just gonna do stuff, I want to see you in action. So I would intentionally break a script like a Metasploit script and I would say it's broken, so you can have the debugger, you can have whatever you want, fix it. And all I did was change the address that was used to overwrite the return pointer to a bad one, and I was waiting to see if they could go in and find a new jmp esp or whatever opcode and plug that address in.

All right, so I have a little bit more time, let me see what I also wanted to cover here. So FLIRT and FLAIR, I'll just mention this, and I'll do a couple last-minute quick things and then take questions. FLIRT and FLAIR
are used primarily by, like, CTF teams, capture the flag teams, and also, like, malware, if you've done a lot of malware research these can help you, because when things are statically compiled into the program, wouldn't it be nice to know what is library code and what is not library code? Because we don't want to reverse engineer library code, and if we don't have the symbols we have no idea that it is library code. So wouldn't it be nice to have a way to go in and identify that so we can remove it? That's what FLIRT and FLAIR are for. FLAIR is the tool that you can use to write these signatures, like against glibc or whatever, and then FLIRT are the signatures that you apply. It's a quick demo, I'll show you what it looks like. I've got IDA up here and I'll bring up this FLAIR example. So it's just disassembling it, it should be pretty quick. Now look up top here, this color coding. It says that all this is regular functions and it doesn't see any library code. Well, in fact, actually, I statically compiled this and there's a ton of library code in there. So how do we do it? We would have had to generate a FLIRT signature; we can use strings or something to look and see what libraries we use, and then we generate FLIRT signatures using FLAIR, and then we apply the signature, and watch what happens. So let's say load file, FLIRT signature file, we'll scroll down and run the correct one. Now watch the top, I'll pull this up, what happens. Let me zoom out. No, it did see, look at the color over here, it's all like light blue now. I'm not sure why it didn't... there it goes, it's just a weird bug. But see how it's all light blue now, so it's all library code, almost the whole thing. If you zoom way in, up in the top corner, you can see there's a little bit of internal code, regular function code, in there. So if you were doing a CTF and you can rule that out, you just sped yourself up extremely fast, and places like DEF CON and all, of course, they're doing this.

One last script I'll show you real quickly
and then take questions this is Sophos antivirus I've shown us a couple of times is that Tim MIDI in here just doing here yeah hurry good I hope Tim actually helped me out a little bit with this when it's a band functions check it looks for the SDL violations and you can see in here that this particular instance of Sophos antivirus uses ster copy and ster cat and if we scroll up we can actually go to those locations in the code and it sets software breakpoints on them so you can debug and find out where potential 0 days are so my point of all this is to show you that by getting into reversing and using Ida and a little bit of exploit dev you can greatly speed up your time and remove the intimidation because a lot of people will say I don't have time to do this stuff during a pen test in my quest my question is why if you're good at it and you've got to spend your personal time 11 p.m. to 7:00 a.m. nobody bothers you and you use that time and you get better at it and then you can start applying it to pen test and you're and then you get that job that maybe you've always wanted to so hopefully I helped you remove any little fear or something or help you out with potentially getting into reversing happy to take questions but thank you very much for listening [Applause] any questions questions yep there we go question is if you have zero experience in reversing where do you start sans 660 right there's a lot of great tutorials out there if you go to coral and ve coral encoder so Co re le and that be e they have a lot of great introductory exploit development and reversing type tutorials open RC e has some good stuff I mean really any picked just grabbing a demo copy of Ida for free and loading hello world into it and then just start looking at the disassembly and googling googling googling stuff like that really helps any other questions no other questions alright thank oh we got one here yes how do we know it's library function to you so you talking about Li the flirt 
Flair example I just did yeah so what you could do is go in and see if I have Kali Linux up right now yeah yeah I changed it to root instead of Tor so if I say strings ping at the top here you can start if you go through the strings you can see what libraries and stuff for use and you can learn some of that information at least that's one way there's like a lot of tools like PE studio and different ones that show you kind of information about the compilation of that or ever decompilers and disassemblers can help you yep yep so when you're starting some exploit dev do you like on your main box you do all your disassembly is it in up-to-date Windows 10 version of this or do you have you ever taken a executable or software your debugging move it to an old version of Windows possibly without restrictions and debug it there um it's kind like do you start your exploit dev to find an exploit in the program itself without having to deal with SLR or things like that yeah that's a big question it's a good question but big questions there's obviously you want to see if it's whatever is the easiest possible that's that's gonna work like a good example would be patch tipping when I do pad sniffing if patches are still available on embedded XP I will get those because reversing patches on XP that also that same bug affects Windows 10 it's gonna be a lot easier than going in on Windows 10 so whatever you can do to get the bug working on the easiest operating system possible at first is usually very I like to start there if we can and then yeah you start adding things in like Emmett to see which Emmett controls are gonna stop your exploit or you might have to get like a memory leak to work with your type confusion bug to be able to because all the libraries are randomized so you've got to find a memory leak to be able to rebase and yeah it's a big question we should talk offline about that I heard there's beers later maybe we can either confirm nor deny that last one yep how do 
you still have a Windows XP is oh man the dark web and tor I've got Windows 95 and Windows 3-1 okay it's a good question to finish up with but thank you again Thank You ed for having me everything yes round of applause thank you Steve
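The opcode scan the speaker demonstrates in IDA, re-created here as an added standalone Python example (not the speaker's IDAPython script) that runs on raw code bytes outside IDA; the sample buffer, its base address and the pattern labels are constructed for illustration, and 32-bit x86 with a flat code section is assumed.

```python
# Added example: re-creation of the "find c3 / 94" scan from the talk, outside IDA.
# Assumptions (not from the talk): 32-bit x86 code, a flat code section, and a
# constructed sample buffer with a made-up base address.
from typing import Dict, List, Tuple

# Byte sequences of interest. 0x94 = xchg eax, esp (stack pivot); 0xc3 = ret.
PATTERNS: Dict[str, bytes] = {
    "xchg eax, esp ; ret": b"\x94\xc3",
    "jmp esp": b"\xff\xe4",
}


def scan_sequences(code: bytes, base: int = 0,
                   patterns: Dict[str, bytes] = PATTERNS) -> List[Tuple[int, str]]:
    """Return (address, description) for every occurrence of each pattern.

    This is a raw byte search, so it also reports bytes that sit inside another
    instruction (e.g. an immediate). The IDA script in the talk walks IDA's
    instruction list instead, so confirm each hit on an instruction boundary in
    the disassembler before trusting it.
    """
    hits: List[Tuple[int, str]] = []
    for desc, pat in patterns.items():
        start = 0
        while (idx := code.find(pat, start)) != -1:
            hits.append((base + idx, desc))
            start = idx + 1          # advance by one byte so overlapping hits are kept
    return sorted(hits)


# Constructed sample "code section" (not taken from any real binary).
SAMPLE_BASE = 0x10001000
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec "          # push ebp ; mov ebp, esp
    "b8 94 c3 00 00 "    # mov eax, 0xc394 -> 94 c3 inside an immediate (false positive)
    "94 c3 "             # xchg eax, esp ; ret  (real pivot sequence, offset 8)
    "ff e4 "             # jmp esp              (offset 10)
    "c9 c3 "             # leave ; ret
)


def sample_hits() -> List[Tuple[int, str]]:
    """Run the scan over the constructed buffer."""
    return scan_sequences(SAMPLE_CODE, SAMPLE_BASE)


if __name__ == "__main__":
    for addr, desc in sample_hits():
        print(f"0x{addr:08x}  {desc}")
```

The hit at offset 4 is the one inside the mov immediate; it shows why a byte-level scan needs the disassembler check that the instruction-walking IDA script gets for free.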
Info
Channel: SANS Institute
Views: 12,742
Rating: 4.9462366 out of 5
Keywords: sans institute, information security, cyber security, cybersecurity, information security training, cybersecurity training, cyber security training, Pen Test HackFest, SANS HackFest, Penetration Testing, malware analysis, ethical hacking, stephen sims
Id: fnYp2DN_XZc
Length: 35min 51sec (2151 seconds)
Published: Mon May 07 2018