
This talk will present a critical design flaw in the Windows KD (Kernel Debugger) protocol that is implemented in all Windows versions, as well as the Xbox and Xbox 360, Windows CE, Singularity and some EFI/EXDI hardware. This flaw enables an attacker running in the target system to attack any host running a KD-compatible debugger, crossing machine isolation boundaries as well as VM boundaries, regardless of the virtualization product in use, be it VMware or VirtualBox. This design flaw allows the...

Topics: recon_2010_alex_ionesco, Recon 2010, Reverse Engineering, Debugger, Windows, Cross-system Attacks,...



Unpacking automation has been attacked in many different ways. In this paper we propose a new method based on the detection of unique characteristics in unpacked code. With proper monitoring of the process it is possible to determine when unpacking is done, even if multiple chained packers have been used.

Bio
Ero Carrera is currently Chief Research Officer of Collaborative Security at VirusTotal and a reverse engineering automation researcher at zynamics GmbH (was SABRE Security GmbH),...

Topics: recon_2010_ero_carrera_and_jose_duart, Recon 2010, Reverse Engineering, Packers, Unpacking,...
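The abstract above only states that unpacked code has recognisable characteristics and that monitoring the process reveals when unpacking is finished. The following is an added illustration of that idea and not the authors' method or code: it scores memory snapshots of a process by Shannon entropy and by the density of common x86 function prologue/epilogue byte sequences, and reports the first snapshot that looks like compiled code rather than a packed blob. Chained packers appear as several high-entropy stages before the real code. The snapshots, byte patterns and thresholds are all constructed for the example.

```python
import math
import random
import re

# Byte sequences typical of compiler-generated x86 code. This is a constructed,
# illustrative list, not a reproduction of the paper's "unique characteristics".
PROLOGUE_PATTERNS = [
    rb"\x55\x8b\xec",  # push ebp; mov ebp, esp (MSVC encoding)
    rb"\x55\x89\xe5",  # push ebp; mov ebp, esp (GCC encoding)
    rb"\xc9\xc3",      # leave; ret
]


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; packed/encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def prologue_density(buf: bytes) -> float:
    """Recognised prologue/epilogue hits per KiB of the buffer."""
    if not buf:
        return 0.0
    hits = sum(len(re.findall(p, buf)) for p in PROLOGUE_PATTERNS)
    return hits * 1024 / len(buf)


def looks_unpacked(buf: bytes, max_entropy: float = 6.8, min_density: float = 4.0) -> bool:
    """Heuristic: real code has moderate entropy and many function prologues.
    Thresholds are assumptions chosen for this example, not calibrated values."""
    return shannon_entropy(buf) < max_entropy and prologue_density(buf) >= min_density


def first_unpacked_snapshot(snapshots):
    """Index of the first snapshot that looks like unpacked code, or None."""
    for i, snap in enumerate(snapshots):
        if looks_unpacked(snap):
            return i
    return None


# --- Constructed sample data standing in for memory snapshots of a process ---

def packed_stage(seed: int, size: int = 4096) -> bytes:
    """Pseudo-random bytes modelling a compressed/encrypted packer layer."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def unpacked_image() -> bytes:
    """A blob resembling a small compiled binary: many tiny functions, a
    zero-filled data area and an ASCII string table."""
    # push ebp; mov ebp,esp; mov eax,[ebp+8]; add eax,[ebp+0xc]; pop ebp; ret; int3 padding
    func = b"\x55\x8b\xec\x8b\x45\x08\x03\x45\x0c\x5d\xc3" + b"\xcc" * 5
    text = func * 128
    data = b"\x00" * 1024
    strings = b"\x00".join([b"kernel32.dll", b"GetProcAddress", b"LoadLibraryA", b"ExitProcess"])
    return text + data + strings


# Two chained packer layers followed by the original code.
SNAPSHOTS = [packed_stage(1), packed_stage(2), unpacked_image()]

if __name__ == "__main__":
    for i, snap in enumerate(SNAPSHOTS):
        print(f"snapshot {i}: entropy={shannon_entropy(snap):.2f} "
              f"prologues/KiB={prologue_density(snap):.1f} unpacked={looks_unpacked(snap)}")
    print("unpacking finished at snapshot", first_unpacked_snapshot(SNAPSHOTS))
```

In a real tracer the snapshots would come from a debugger or instrumentation framework after each suspicious write-then-execute transition; the point of the heuristic is that it does not need to know anything about the packer, only what ordinary compiled code looks like, which is what lets it survive chained packers.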



As reverse engineers and exploit writers we spend much of our time trying to illuminate the relationships between input data, executed paths and the values we see in memory/registers at a later point. This work can often be tedious, especially in the presence of extensive arithmetic/logical modification of input data and complex conditions. Using recent (and not so recent) advances in run-time instrumentation we can go a long way towards automating the process of tracking input data and its...

Topics: recon_2010_sean_heelan, Reverse Engineering, Recon 2010, Security, Taint Analysis, Theorem Proving,...



I find the stories that surround how lockpickers and researchers have been able to exploit weaknesses in some of the world's most secure and trusted locks to be fascinating. This talk will present, in detail, the tales of how three major physical security products were attacked: The Mul-T-Lock, Medeco, and Kwikset Smart Series. What to look for in locks and possible routes of attack against other popular high security products will then be discussed.

Bio
While paying the bills as a security...

Topics: recon_2010_deviant_ollam, Recon 2010, Reverse Engineering, Locks, Lock Picking



In a nutshell: 5ESS (including VCDX under emulation), demonstrated using the simulator and/or the 3B20/21 emulator. Demonstration of MCC pages and pokes, as well as useful CRAFT commands. RC/V (Recent Change/Verify). Talk about GRASP (the 5E/DMERT/UNIX-RTR debugger). Will talk about the DMS SuperNode series of switches, from the basics (how to log in and get to the Command Interpreter, CI), as well as MAPCI, the Table Editor, which tables are useful, adding to tables, as well as SERVORD (RC/V...

Topics: recon_2010_jonathan_stuart, Recon 2010, DMS, 5ESS, Datakit VCS II



Swizzor is a malware family that was first seen on the Internet in 2002 and, since then, researchers have collected millions of different binary samples. The reason so many different files exist is that Swizzor uses strong server-side binary obfuscation to evade antivirus detection and slow down manual reverse engineering. In this talk, we will present a set of tools and techniques we have developed to understand and defeat Swizzor's binary protection. Upon execution, the custom packer goes...

Topics: recon_2010_pierre-marc_bureau_and_joan_calvet, Recon 2010, Reverse Engineering, Swizzor, Obfuscation



The latest advances in exploitation of memory corruption vulnerabilities revolve around applying return-oriented exploitation techniques to evade non-executable memory protections such as Microsoft's Data Execution Prevention (DEP), CPU-supported non-executable memory (NX/XD), and mandatory code-signing such as on iPhone OS. Although the ideas behind these exploitation techniques can be traced quite far back, they are receiving more attention as non-executable memory protections become more...

Topics: recon_2010_dino_dai_zovi, Recon 2010, Mac OS X, exploitation, return-oriented exploitation

