DC9723/OWASPIL January 2018 Meeting
When: 28 of January, 2018 from 18:30 to 22:00
Where: SafeBreach Offices in Tel-Aviv (Yosef Karo 18, 4th floor, Tel Aviv.)
This month we are doing a joint meeting with OWASP IL.
Agenda:
Brief Introduction
OWASP IL updates
Jumping into Heaven’s Gate – Yarden Shafir
Breaking obfuscations – Tomer Zait
As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org
*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org
Title:
Jumping into Heaven’s Gate – Yarden Shafir
Abstract:
The old days of 32bit applications are long bygone, nowadays most Operating Systems are running in a 64bit environment, requiring 64bit applications.
So how can a 64bit Operating System run a 32bit legacy Application?
The native 64bit environment cannot directly support the execution of a 32bit Application.
32bit Applications expect several surrounding pillars which help it perform necessary actions,
and those no longer exist in a 64bit environment.
However, in practice Windows contains many secrets, and one of those secrets is the WoW64
subsystem.
The Wow64 Subsystem supplies a natural environment for the legacy 32bit Application and enables anyone to run them on newer 64bit Operating Systems without any trouble.
How the subsystem actually does this remains a question to many.
Any Application, whatever its type, begins its execution in 64bit mode.
The Operating System then relentlessly moves forward to the 32bit world by loading the WoW64 Subsystem, in order to let the 32bit Application execute freely.
In this talk we will dive into the WoW64 Subsystem and explain how a 32bit Application performs 64bit (native) system calls.
We will also see how it is possible to exploit this mechanism in order to create smarter malware that evade Next-Generation and Previous-Generation AV products.
Title:
Breaking obfuscations – Tomer Zait
Abstract:
During my journey in deobfuscating malicious scripts, such as JavaScript and PowerShell, I have realized that there is a lack of good one-stop-shop solution. Researchers still perform this tedious task manually while encountering exploit kits, web injects, PowerShell and python post exploitation agents as well as different legitimate JavaScript products.
During this Session I will demonstrate working with deobfuscation tools I created, of-the-shelf tools and how to create similar tools on your own . In addition, I will touch Android deobfuscation in practice and the obfuscation attack surface each language provides.