Native Code Crash Course

In this session we’re diving head-first into understanding and hacking native code. This is an extremely advanced topic, but by the time you are done with this video, you will have a great head start on the subject. You’ll learn about the fundamentals of how computers work, several types of memory corruption bugs, the protections in use by modern systems, and how to bypass some of these protections.

What you’ll learn

• Intro
  • What is native code?
  • Breadth not depth
• System Architecture Crash Course
  • Registers
  • Memory
    • Physical
    • Virtual
      • Page tables
  • Stack
  • Endianness
  • Instructions
  • Program Counter
  • Calls
  • Syscalls
  • Shared Libraries
• Tools
  • Debuggers
  • Disassemblers
  • Decompilers
  • Hex editors
  • Assemblers
• Bugs
  • Buffer overflows
  • Out of bounds writes
  • Use After Free
• Protections
  • Stack canaries
  • NX
  • W^X
  • ASLR
• Bypassing Protections
  • JS is an attacker’s best friend
  • Information leaks (ASLR)
  • ROP

Resources

• Computing Fundamentals
  • Assembly
    • x86 Guide
    • x86 Instruction Encoding References
    • ARM Guide
    • x86-64 Cheat Sheet
  • Kernel Resources
  • Memory Management
  • CPU Cache
  • Shared Library Loading Process
  • Binary File Formats
    • ELF
    • PE
    • Mach-O
  • Becoming a Full-Stack Reverse-Engineer
• Tools
  • Debuggers
    • GDB
    • LLDB
    • WinDbg
    • OllyDbg
  • Disassemblers/Decompilers
    • IDA Pro
    • Hopper
    • Binary Ninja
    • Ghidra
  • Hex Editors
    • 0xED
    • HxD
  • Assemblers
    • Online Assembler and Disassembler
    • GNU Assembler
    • Netwide Assembler (nasm)
  • ROP Gadget Hunters
    • ROPgadget
    • Ropper
  • Emulators
    • QEMU
    • Unicorn
  • Fuzzers
    • afl
    • libFuzzer
  • Instrumentation
    • Valgrind
    • Pin
  • Executable Lifters
    • McSema
• Bugs
  • Buffer Overflows
    • Smashing The Stack For Fun And Profit
  • Out of Bounds Writes
    • Analyzing and Reproducing the EOS Out-of-Bound Write Vulnerability in nodeos
  • Use After Free
    • An Introduction to Use After Free Vulnerabilities
    • What do Nintendo Switch and iOS 9.3 have in common? CVE-2016-4657 walk-through
  • Speculative Execution Bugs
    • Meltdown and Spectre, explained
• Protections
  • Canaries
  • NX bit
  • W^X
  • How do ASLR and DEP work?
  • Pointer Authentication on ARMv8.3
• Bypassing Protections
  • The info leak era on software exploitation
  • return-into-lib(c)
  • Introduction to return oriented programming (ROP)
  • Jump-Oriented Programming: A New Class of Code-Reuse Attacks
  • Examining Pointer Authentication on the iPhone XS
• JavaScript Engine Exploitation Resources
  • Attacking JavaScript Engines
  • Heap Feng Shui in JavaScript
  • JIT spraying and mitigations
  • SoK: Make JIT-Spray Great Again
• Reports
  • Controlled address leak due to type confusion - ASLR bypass ($100 bounty)
  • Adobe Flash Player Out-of-Bound Read/Write Vulnerability ($5000 bounty)
  • RCE on Steam Client via buffer overflow in Server Info ($18000 bounty)
  • heap-buffer-overflow in S_pack_rec ($1000 bounty)
  • Nintendo Switch nvservices Info Leak
  • Buffer overflow in HTTP parse_hostinfo(), parse_userinfo() and parse_scheme() ($1000 bounty)
  • Use After Free in Flash MessageChannel.send can cause arbitrary code execution ($7500 bounty)
  • Virtually Unlimited Memory: Escaping the Chrome Sandbox
  • Splitting atoms in XNU
  • voucher_swap: Exploiting MIG reference counting in iOS 12
  • Technical Analysis of the Pegasus Exploits on iOS

Video