Redback: Advanced Static Binary Injection

Presented at Black Hat Asia 2020 Virtual, Oct. 2, 2020, 1:30 p.m. (30 minutes).

Static binary injection is a technique for permanently inserting external code into an executable file in order to observe or modify the target's behavior at run-time. From an attacker's perspective, this helps enable persistent infection. For the defense side, it is a crucial step in binary instrumentation. Unfortunately, good injection tools are seriously lacking: firstly, existing tools support only a limited set of platforms or CPU architectures. Secondly, they all require the injected code to be written in low-level assembly, which significantly raises the cost of development and maintenance.

Implementing a good static injection tool is highly complicated: in essence, it requires building an advanced static linker that properly links the target binary with external code, so that the output executable can be legitimately executed on modern systems with many mitigation techniques enabled by default. Since we wish to inject code built from high-level languages such as C/C++, the task is much more challenging.

This work provides a comprehensive overview of how static code injection is done on all platforms (Windows, MacOS, Linux, BSD). We will present all the technical issues we had to overcome, including understanding different executable file formats, how to expand the original binary to accommodate new code, data and metadata coming from an external binary, and how our static linker leverages the OS dynamic linker to do the heavy lifting for us.

We implemented all the ideas in a new solution named Redback. Our tool can inject code built from high-level languages like C/C++ into target executables on all platforms (Windows, MacOS, Linux, BSD are confirmed). Redback also works cross-architecture (with support for ARM, ARM64, Mips, PPC, X86), and can handle multiple executable formats (PE/PE+, MachO & ELF).

This talk will conclude with some exciting demos. Redback will be released after our talk, with full source code.

Presenters:

  • Anh Quynh Nguyen - Dr, NTU
    Dr. Nguyen Anh Quynh is a regular speaker at numerous industrial cybersecurity conferences such as Black Hat USA/Europe/Asia, DEF CON, Recon, Eusecwest, Syscan, HackInTheBox, Hack.lu, Deepsec, XCon, Confidence, Hitcon, Opcde, Shakacon, Brucon, Zeronights, Tensec, H2HC, T2, etc. He has also presented his research in academic venues such as Usenix, IEEE, ACM, LNCS. His contribution to the field lays a foundation for various innovative works in the cybersecurity industry and academia. As a passionate coder, Dr. Nguyen is the founder and maintainer of several open source reversing projects: Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) & Keystone (http://keystone-engine.org).
  • Minh Tuan Do - Security Researcher, CyStack
    Do Minh Tuan is a security researcher at CyStack, Vietnam. He will soon finish his university studies and already has four years of working experience. A passionate member of the BabyPhD CTF team, Tuan also enjoys exploring fuzzing and software exploitation techniques in depth. He has also given some talks about his research at Xcon Beijing and T2 Helsinki.
