Tag: Triton

Symbolic Deobfuscation: From Virtualized Code Back to the Original

~ hucktech ~ Leave a comment

This micro blog post introduces our research regarding symbolic deobfuscation of virtualized hash functions in collaboration with the CEA and VERIMAG. Since 2016 we have been playing around symbolic execution and binary deobfuscation in order to (1) test and improve our binary protector (Epona) (2) improve our DSE (Dynamic Symbolic Execution) framework (Triton). Last week we published at DIMVA 2018 a part of this research focusing on attacking virtualization based-software protections and specially when hash functions are virtualized in order to protect integrity checks, identifications etc. For this study we relied on an open-use source protector (Tigress) and provided scripts and results of our attack as well as some solutions of the Tigress challenge.[…]

https://blog.quarkslab.com/symbolic-deobfuscation-from-virtualized-code-back-to-the-original-dimva-2018.html

 

gdb-symbolic: symbolic execution for GDB

~ hucktech ~ Leave a comment

gdb-symbolic – symbolic execution extention for gdb

Commands
* symbolize argv Make symbolic
* memory [address][size]
* target address Set target address
* triton Run symbolic execution
* answer Print symbolic variables
* debug symbolic gdb Show debug message

https://github.com/SQLab/symgdb

Click to access d2_s1_r0.pdf

https://bananaappletw.github.io/2016/02/23/symbolic-exection-introduction.html

Triton 0.5 released

~ hucktech ~ Leave a comment

Triton is a Dynamic Binary Analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a Taint Engine, AST representations of the x86 and the x86-64 instructions set semantics, SMT simplification passes, an SMT Solver Interface and, the last but not least, Python bindings.

https://github.com/JonathanSalwan/Triton/milestone/8
https://github.com/JonathanSalwan/Triton
https://triton.quarkslab.com/
https://triton.quarkslab.com/documentation/doxygen/

Triton's architecture

Wikileaks: Vault 7: Dark Matter

~ hucktech ~ Leave a comment

Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware. Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter. “DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants. Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0. Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008. While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.

https://wikileaks.org/vault7/darkmatter/?cia

https://wikileaks.org/vault7/darkmatter/document/SonicScrewdriver_1p0/
https://wikileaks.org/vault7/darkmatter/document/DerStarke_v1_4_DOC/
https://wikileaks.org/vault7/darkmatter/document/DerStarke_v1_4_RC1_IVVRR_Checklist/
https://wikileaks.org/vault7/darkmatter/document/Triton_v1_3_DOC/
https://wikileaks.org/vault7/darkmatter/document/DarkSeaSkies_1_0_URD/

 

Triton

~ hucktech ~ Leave a comment

“Triton is a dynamic binary analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a Taint Engine, AST representations of the x86 and the x86-64 instructions set semantics, SMT simplification passes, a SMT Solver Interface and, the last but not least, Python bindings. Based on these components, you are able to build program analysis tools, automate reverse engineering and perform software verification”

http://triton.quarkslab.com/blog/What-kind-of-semantics-information-Triton-can-provide/
http://triton.quarkslab.com/