Unlocking the Researcher's Toolbox: Insights for Security Projects
Explore the essential steps and considerations for embarking on a security research project, from setting clear goals to choosing between static and dynamic analysis. Learn valuable strategies for efficient project initiation and successful outcome determination.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
THE THE RESEARCHER S RESEARCHER S TOOLBOX TOOLBOX Yarden Shafir
ABOUT ME ABOUT ME Senior Security Researcher at Train of Bits Windows Internals instructor at Winsider Researching Windows Internals, exploitation, security mitigations Circus artist @yarden_shafir
APPROACHING A APPROACHING A NEW PROJECT NEW PROJECT What is the goal? Where do we start? What should we focus on? What do we already know? How can we find out what we don t know?
BEFORE YOU BEFORE YOU RESEARCH RESEARCH Context information about the research target Public information Read the docs! Previous research on the topic Blog posts, papers, books Public code on GitHub
STARTING THE STARTING THE PROJECT PROJECT What is the goal? Finding vulnerabilities/bypasses? Understanding a mechanism? Detecting malicious activity? What areas are not important? External libraries compiled into a binary Known uninteresting protocols Areas not relevant to the project purpose Filter out unneeded components and focus on the relevant ones
STATIC OR DYNAMIC STATIC OR DYNAMIC ANALYSIS? ANALYSIS? Most projects can be done with static analysis, dynamic analysis or a combination of both Things to consider when choosing: How easy/hard is it to run the target? Does it try to avoid analysis at runtime? Can I debug the target or analyze it at runtime? How easy/hard is it to statically analyze the target? Is it packed? Obfuscated? Are any parts only generated at runtime? Is there a lot of unnecessary code? Is it hard to statically find the interesting parts?
STATIC BINARY STATIC BINARY ANALYSIS ANALYSIS Headers and Sections Imports Might be partial if app does a lot of dynamic resolving Exports Mitigation options Strings Symbols (if available) Reverse engineering
STATIC ANALYSIS STATIC ANALYSIS TOOLS TOOLS CFF Explorer SysInternals strings.exe Hex viewer/editor I use 010 editor + templates Reverse engineering tools: IDA Ghidra Binary Ninja Radare
DYNAMIC BINARY DYNAMIC BINARY ANALYSIS ANALYSIS What resources the application is using What APIs are called and how How does the application interact with other applications and with the system How does the application run on different systems or in different situations Much easier to research inter-process or inter- systems relationships dynamically
DYNAMIC ANALYSIS DYNAMIC ANALYSIS TOOLS TOOLS Process Monitoring tools Process Explorer System Informer Process Monitor Debuggers + debugger extensions WinDbg X64dbg GDB Network monitoring WireShark Custom scripts
CONCLUSION CONCLUSION Start by focusing your research topic and goals Start small can always expand later Gather as much public information as possible And keep collecting more as you get more information through your own research Decide what analysis method works best Keep track of everything you learn
