OWASP Israel + Defcon Israel Joint Meetup

This is a past event

69 people went


Details

• What we'll do
Agenda:
18:30 - 18:45 Networking
18:45 - 19:00 Brief introductions and updates
19:00 - 19:45 Jumping into Heaven’s Gate - Yarden Shafir
19:45 - 20:30 Breaking obfuscations - Tomer Zait

Presentation abstracts:

Title: Jumping into Heaven’s Gate - Yarden Shafir
Abstract:
The days of 32-bit applications are long gone; most operating systems now run in a 64-bit environment and expect 64-bit applications.
So how can a 64-bit operating system run a legacy 32-bit application?
The native 64-bit environment cannot directly execute a 32-bit application.
A 32-bit application relies on several surrounding pillars (such as a 32-bit ntdll.dll and its system-call interface) that help it perform its work,
and those no longer exist in a 64-bit environment.
In practice, however, Windows holds many secrets, and one of them is the WoW64
subsystem.
WoW64 supplies a natural environment for legacy 32-bit applications and lets anyone run them on newer 64-bit operating systems without any trouble.
How the subsystem actually achieves this remains a mystery to many.
Every process, whatever its type, begins execution in 64-bit mode.
The operating system then steps into the 32-bit world by loading the WoW64 subsystem, which lets the 32-bit application execute freely.
In this talk we will dive into the WoW64 subsystem and explain how a 32-bit application performs 64-bit (native) system calls.
We will also see how this mechanism can be abused to build smarter malware that evades both next-generation and previous-generation AV products, and how it integrates with the Cuckoo Sandbox to “detonate” a user-supplied specimen in a controlled environment and observe active mutex objects and their effects on the malicious program.

Title: Breaking obfuscations - Tomer Zait
Abstract:
During my journey in de-obfuscating malicious scripts, such as JavaScript and PowerShell, I have realized that there is a lack of a good one-stop-shop solution. Researchers still perform this tedious task manually while encountering exploit kits, web injects, PowerShell and Python post-exploitation agents, as well as different legitimate JavaScript products.
During this session I will demonstrate working with de-obfuscation tools I created and with off-the-shelf tools, and how to create similar tools on your own. In addition, I will touch on Android de-obfuscation in practice and the obfuscation attack surface each language provides.
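Returning to the Heaven's Gate talk above: the mode switch a 32-bit WoW64 process uses to reach native 64-bit code is a far control transfer to the 64-bit code selector (0x33 on Windows x64; 0x23 is the 32-bit compatibility selector), and that transfer has only a handful of byte encodings. The following Python, an added example that is not part of the event page or either speaker's material, encodes the two classic 32-bit stubs (`jmp far 0x33:target` and `push 0x33 / push target / retf`) and scans a constructed byte buffer for them, the way an AV or sandbox signature would. The function names, the scan window, and the sample bytes are this example's own assumptions.

```python
"""Heaven's Gate stub encoding and a byte-pattern detector.

Added example (not from the page). Selector values are the well-known
Windows x64 user-mode code selectors; the opcode encodings are from the
Intel SDM for a 32-bit code stream.
"""
import struct
from typing import List, Tuple

CS_64 = 0x33   # native 64-bit code selector (the "gate" target)
CS_32 = 0x23   # 32-bit compatibility-mode code selector (WoW64 code)


def far_jump_stub(target: int, selector: int = CS_64) -> bytes:
    """jmp far ptr16:32 -> EA <imm32 target> <imm16 selector>.

    Valid only in 32-bit mode; the EA opcode is invalid in 64-bit mode,
    which is why the return trip to 0x23 uses a different encoding.
    """
    return b"\xEA" + struct.pack("<I", target) + struct.pack("<H", selector)


def retf_stub(target: int, selector: int = CS_64) -> bytes:
    """push selector ; push target ; retf.

    retf pops EIP first and CS second, so the selector is pushed first.
    6A ib  = push imm8 (sign-extended), 68 id = push imm32, CB = retf.
    """
    return (b"\x6A" + bytes([selector])
            + b"\x68" + struct.pack("<I", target)
            + b"\xCB")


def find_gates(code: bytes, window: int = 16) -> List[Tuple[int, str]]:
    """Return (offset, kind) for every candidate Heaven's Gate transition.

    Two signatures are checked:
      * EA / 9A (far jmp / far call) whose immediate selector is 0x33;
      * 6A 33 (push 0x33) followed by a retf (CB) within `window` bytes,
        which filters out an ordinary `push 0x33` used as a plain constant.
    A linear byte scan is used rather than a disassembler, so treat hits as
    leads to confirm, not proof.
    """
    hits: List[Tuple[int, str]] = []
    n = len(code)
    for i in range(n):
        op = code[i]
        if op in (0xEA, 0x9A) and i + 7 <= n:
            # ptr16:32 operand: 4-byte offset, then 2-byte selector
            sel = struct.unpack_from("<H", code, i + 5)[0]
            if sel == CS_64:
                hits.append((i, "far jmp" if op == 0xEA else "far call"))
        elif op == 0x6A and i + 1 < n and code[i + 1] == CS_64:
            tail = code[i + 2 : i + 2 + window]
            if b"\xCB" in tail:
                hits.append((i, "push/retf"))
    return hits


# Constructed sample: two NOPs, a far-jump gate, a ret, then a push/retf gate.
SAMPLE = b"\x90\x90" + far_jump_stub(0x401000) + b"\xC3" + retf_stub(0x402000)

if __name__ == "__main__":
    for off, kind in find_gates(SAMPLE):
        print(f"offset {off:#x}: {kind} to selector {CS_64:#x}")
```

In a real scan you would run `find_gates` over the executable sections of a 32-bit PE (and over memory dumps from the sandbox, since packed samples only reveal the stub after unpacking); the return-to-32-bit path, a far transfer to 0x23 issued from 64-bit mode, needs a separate signature because the 32-bit `EA` form does not exist there.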
