
How "abnormal" is Ali Security's automated reverse-engineering robot TimePlayer?

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

By Hunter, Ali Security Orion Laboratory

"If the automation level and ability of antivirus software manufacturers is equivalent to a satellite in the sky that can see the antelope running on the ground, then to what extent can we do it? We can see every cell in the antelope."

This is how Hunter, a senior Ali Security expert and head of the Ali Security Orion Lab, describes the lab's automated reverse-engineering robot TimePlayer. Although the tool is already formidable, Hunter says calmly that this is just the beginning.

What is reverse engineering?

Xxx (or white hats) are a mysterious tribe in the eyes of many people, as if they can do anything: crack devices, * systems, and find all kinds of impressive vulnerabilities. Reverse engineering is the basic skill behind all of this. In fact, every trade has its own basic skills: to learn martial arts you must first practise the horse stance, otherwise your footing is unstable and a small push will knock you over; in surgery the hands must be steady and nimble, otherwise a tremor puts the cut in the wrong place, and then... Of course, basic skills taken to the top can produce miraculous results, like the martial-arts novel master whose deep internal energy lets him use a branch as a sword and leaves as darts.

So when is this basic skill needed? Whenever you need to figure out what a program is actually doing. A few more examples: what did early domestic car makers do when they wanted to build cars but had no accumulated know-how? Buy a Japanese car, take it apart, strip down the engine and gearbox, study it piece by piece, and then copy their own model from the template. When a patient sees a doctor, the doctor looks, listens, asks and palpates, and orders all kinds of advanced tests plus CT and MRI, all to find out what is wrong with the patient. Biological and medical research needs a variety of microscopes to observe how cells operate. And so on.

Through reverse engineering you can understand: when you click the mouse, how your picture is displayed on the screen step by step and how the acne on your face is removed step by step; when you enter a payment password, how the CAPTCHA is verified step by step and how your transfer records are generated step by step; and when you run a game like "Is a Man Down a Hundred Layers" downloaded from the Internet, how it secretly steals your chat records and online game accounts behind the scenes...

How is reverse engineering done today?

Unfortunately, most of it is still in a fairly primitive state. Apart from a few general-purpose tools (IDA, OllyDbg, etc.), most of the work has to be done by people. For beginners, grinding through manual reverse engineering still brings some sense of achievement: "it reads these files", "it sends this data", "oh, so that's what happened", "damn, it dares to do this", "ha, finally bypassed these restrictions". But as time passes and skills improve, reverse engineering becomes pure manual labour: running programs, setting breakpoints, grabbing interface data, modifying data and writing analysis notes, over and over, every day. A great deal of time is spent on this red tape.

At present the main contradiction is that the number of objects to be analysed keeps growing and they keep getting larger and more complex, while the number of analysts is limited, and there are recurring problems (for example, the skills of senior analysts cannot be passed down to junior analysts, staff turnover leaves capability accumulation lacking, and the accuracy of manual analysis cannot be guaranteed). Can repetitive manual analysis tasks be handed entirely to automated tools? The answer is yes.

Some professionals will surely object: there is a thing called a "script". It is not hard to write a script for common operations, or to build an analysis platform.

Here is an analogy:

Driving, a basic skill of modern people, is not hard; it takes one or two months of study and an exam at a driving school. If manual driving is replaced by autonomous driving, is it harder? At present, few companies dare to claim they have reached Level 4 or Level 5 autonomy. The rules of Go can be learned by an ordinary person in about a day. But letting a supercomputer play by those rules against humans and beat the human champion is extremely hard, even with enormous computing power. Otherwise, why is AlphaGo so famous?

Some professionals will retort: nonsense, the antivirus vendors that scan and kill hundreds of millions of samples every day must be automated. I can only say that this rebuttal has some professional basis, but it only shows the surface. Every antivirus vendor has a large operations team (usually hundreds to thousands of people) for the manual analysis of samples that automated screening has flagged. Their level of automation is like a satellite in the sky: it can see the antelope running on the ground, and that is all. To what extent can we do it? We can see every cell in the antelope.

We have fully automated most of the reverse-engineering capabilities of security practitioners and built an automated reverse-engineering robot, TimePlayer. Anyone who doubts that it leads the field, perhaps even worldwide, is welcome to come and compete.

The techniques TimePlayer relies on are very arcane and will not be expanded on here. Here is an intuitive description of the robot's capabilities:

Camera: to analyse a program, you only need to run it once in TimePlayer. TimePlayer faithfully records every action of the program and misses no detail.

Player: the recorded content can be played forward, backward, fast or slow; you can zoom in on details anywhere and track any target. Note that the replay must reproduce exactly what the camera recorded, which is very hard to achieve.

Microscope: the program's behaviour is observed at instruction-level granularity, including what each instruction is, the state of the registers, the contents of memory accessed, and so on. Opening an App usually executes billions of instructions, and none of the above may be left out.

You can compare this robot to the da Vinci surgical robot in medicine: in the hands of highly skilled doctors it achieves many things that even experts could not do before:

Some time ago everyone heard about the WannaCry ransomware, which encrypted a great deal of important user data. To recover the data you need something called a "private key" from the extortionist; it is small and is in fact generated on the victim's machine. Because the ransomware deliberately deletes the "private key" from the machine, in theory it can only be obtained from the extortionist. Although many security vendors published all kinds of seemingly thorough analysis, only we found that this "private key" actually leaves residues in both user mode and kernel mode, and compared with brute-force searching of user-mode memory, precise extraction of the kernel-mode residue is more stable.

Security staff often need to reverse network protocols or file formats. For example, WPS can only open and process doc documents by reversing the extremely complex doc file format and Word's parsing process. Now you just need to open the doc document in TimePlayer and the doc file format is analysed automatically. Analysis work that used to take several people many years can now be done in a few days without human involvement.

* is a process of confrontation. To counter manual reverse engineering, protectors have developed many tools and products that raise the difficulty of reversing, the most famous of which is the "virtual shell" (virtual-machine packer). This kind of shell is essentially a super complex labyrinth that keeps the reverse engineer going in circles, wasting time and energy. Generally only very senior professionals can deal with such complex objects, and only after a certain amount of time. TimePlayer uses unique technology to dissolve these labyrinths with ease, so that even the most junior analyst can quickly understand the program's algorithm details without even needing to know the shell is there.

The "virtual shell" is a purely engineering cover; unless it is combined with some theoretical problems, its ceiling will be very low in the future.
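The camera/player/microscope description above and the WannaCry "key residue" point both come down to one idea: if every instruction, every register state and every memory access is logged once, an analyst can later step to any point in the run and ask where a value came from, even after the program has wiped it. The following is an added example written for this article, not TimePlayer code and not anything Ali Security has published: a toy four-opcode machine (LOAD/STORE/XOR/HALT, all constructed here) whose recorder produces an instruction-level trace, plus player functions that rebuild memory at any step, track every access to an address, and pull a value back out of the trace after the program has overwritten it in memory. The program, memory layout and key address are constructed for the demo.

```python
# Added example (not TimePlayer code): a toy instruction-level record/replay tracer.
# The ISA, program, memory layout and key address below are all constructed for the demo.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Instr = Tuple  # e.g. ("LOAD", "r1", 0x10)


@dataclass
class Step:
    """One recorded instruction: what ran, the register file afterwards, and every memory access."""
    index: int
    pc: int
    instr: Instr
    regs: Dict[str, int]
    mem_reads: List[Tuple[int, int]]   # (address, value read)
    mem_writes: List[Tuple[int, int]]  # (address, value written)


def record(program: List[Instr], memory: Dict[int, int], max_steps: int = 10_000) -> List[Step]:
    """The "camera": run the toy program once and log every instruction, register state and memory access."""
    mem = dict(memory)
    regs = {"r0": 0, "r1": 0, "r2": 0}
    pc, trace = 0, []
    while pc < len(program) and len(trace) < max_steps:
        op, *args = program[pc]
        reads, writes = [], []
        if op == "LOAD":                      # LOAD r, addr  : r = mem[addr]  (unmapped memory reads as 0)
            r, addr = args
            val = mem.get(addr, 0)
            reads.append((addr, val))
            regs[r] = val
        elif op == "STORE":                   # STORE r, addr : mem[addr] = r
            r, addr = args
            mem[addr] = regs[r]
            writes.append((addr, regs[r]))
        elif op == "XOR":                     # XOR r1, r2    : r1 ^= r2
            r1, r2 = args
            regs[r1] ^= regs[r2]
        elif op != "HALT":
            raise ValueError(f"unknown opcode {op!r}")
        trace.append(Step(len(trace), pc, program[pc], dict(regs), reads, writes))
        if op == "HALT":
            break
        pc += 1
    return trace


def registers_at(trace: List[Step], n: int) -> Dict[str, int]:
    """The "player", register view: register file right after step n."""
    return dict(trace[n].regs)


def memory_at(trace: List[Step], initial_memory: Dict[int, int], n: int) -> Dict[int, int]:
    """The "player", memory view: rebuild memory after step n by replaying the logged writes.
    Going "backward" is just choosing a smaller n; nothing is re-executed."""
    mem = dict(initial_memory)
    for step in trace[: n + 1]:
        for addr, val in step.mem_writes:
            mem[addr] = val
    return mem


def track(trace: List[Step], addr: int) -> List[Tuple[int, str, int]]:
    """The "microscope" on one target: every (step, kind, value) that touched addr, oldest first."""
    events = []
    for s in trace:
        events += [(s.index, "read", v) for a, v in s.mem_reads if a == addr]
        events += [(s.index, "write", v) for a, v in s.mem_writes if a == addr]
    return events


def recover_wiped_value(trace: List[Step], addr: int):
    """Last value the program ever read from addr. Stays available in the trace even after the
    program overwrites addr, which is the "residue" idea: the secret survives in the recording."""
    reads = [v for _, kind, v in track(trace, addr) if kind == "read"]
    return reads[-1] if reads else None


def replay_is_faithful(program: List[Instr], memory: Dict[int, int]) -> bool:
    """Recording the same deterministic program twice must yield identical traces."""
    return record(program, memory) == record(program, memory)


# Constructed demo: XOR three bytes at 0x10..0x12 with a one-byte key at KEY_ADDR, then wipe the key.
KEY_ADDR = 0x20
PROGRAM: List[Instr] = [
    ("LOAD", "r2", KEY_ADDR),                                   # step 0: r2 = key
    ("LOAD", "r1", 0x10), ("XOR", "r1", "r2"), ("STORE", "r1", 0x10),  # steps 1-3
    ("LOAD", "r1", 0x11), ("XOR", "r1", "r2"), ("STORE", "r1", 0x11),  # steps 4-6
    ("LOAD", "r1", 0x12), ("XOR", "r1", "r2"), ("STORE", "r1", 0x12),  # steps 7-9
    ("STORE", "r0", KEY_ADDR),                                  # step 10: r0 is 0, key wiped from memory
    ("HALT",),                                                  # step 11
]
MEMORY = {0x10: 0x41, 0x11: 0x42, 0x12: 0x43, KEY_ADDR: 0x5A}

if __name__ == "__main__":
    trace = record(PROGRAM, MEMORY)
    print("steps recorded:", len(trace))
    print("memory after wipe:", memory_at(trace, MEMORY, len(trace) - 1))
    print("accesses to key address:", track(trace, KEY_ADDR))
    print("key recovered from trace:", hex(recover_wiped_value(trace, KEY_ADDR)))
```

The point of `memory_at` is that the player never re-executes anything: every position in the run is reconstructed from the log, which is why the log must be complete and the recording deterministic (`replay_is_faithful` is the cheapest possible check of that). Real tools face the hard version of this problem, since the logged state per instruction is tiny here but real programs execute billions of instructions with non-deterministic inputs.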

The above is only a first look at TimePlayer's capabilities; more advanced features cannot be shared for confidentiality reasons. We will release them at an appropriate time.

Finally, a word on future trends. With the Internet and even the Internet of Things pervading social life, the objects that need analysis are growing explosively in both type and number. Expecting a limited number of analysts to cover them is unrealistic, and human-wave tactics will not meet the requirement. Automation and scale are the general trend, and also the only way to consolidate capability.
