the walking 0xdead

Inspecting and Manipulating binaries

Introduction.

x86 architecture. Assembler.

Binary inspection.

General sample (crackme)

Binary manipulation.

Python to the rescue!

Malware analysis

What we (you) are going to do 2

Welcome to the city of death 3

Braaaaiiinnnssss 4

$ whoami

Binary Reverse Engineering Malware Programming The walking dead

$ whoami

Binary Reverse Engineering

Yeah, but what is reversing ???

Kind of a reconstruction

Code Binary

int main(int argc, char **argv) push ebp

{ mov ebp, esp

int gv = 0; // global mov dword_403394, 0

[…] […]

Requisites

ASM knowledge

Binary format (PE32, etc.)

OS Knowledge

Patience ;)

so, i want to do some reversing

At the beginning, there was c0de

#include "stdafx.h"

#include <iostream> using namespace std;

int add(int x, int y)

{ return x + y; }

int main() {

int a = 0, b = 0; cout << "Enter a: ";

[…] return 0; }

The compiler fucks it all up

compiling is like...

… that scene of Apollo XIII

It may hurt a little bit… 11

Bytes :: opcodes

Opcodes :: basic blocks

Basic blocks :: functions

Cpu registers

„General purpose“ registers:

eax, ebx, ecx, edx, esi, edi, ebp, esp

32 bits (64 bits in x86_64)

Some of them have special uses.

„The rootkit arsenal“ Bill Blunden

Cpu registers

Not so „general purpose“ registers:

eax: Arithmetic and function return values

ecx: counter (loops, etc.)

esi, edi: src, dst in memcpy, strcpy, etc.

ebp, esp: stack operations :)

and more...

Some common instructions

mov eax, [ecx]

mov eax, [00401000]

mov ebx, 0x20

mov [ebx+0x1C], ecx

push 0x100

push dword_1377

pop ecx

pop 0x00c0ffee

inc, dec

mul, div Use your imagination :)

add, sub

add esp, 0x08

sub esp, 0x1c

lea dst, src

lea eax, [esi*2]

lea ecx, [esi+ecx]

shl, shr

shl eax, 2

jxx dst

jmp 0xbadc0de

jnz eax

ja 0xc0ffee

jl ebx

call 0x00412F1E

cmp dst, src

cmp eax, ebx

cmp ecx, 0xFF

test dst, src

test ecx, edx

Important segments

.data: statically allocated *initialized*

int g = 1; char str[] = „yomamma“;

.bss: statically allocated *UNinitialized*

int var; char *ptr;

.rdata: read-only data (const c = 0)

It‘s all about the .(r)data

Moar data

Imports and all that stuff…

The problem with imports

Problem: O(n2) vs. O(n)

„Thunks and dynamic resolution makes the binary *portable* between Windows versions.

XP and Win7 don‘t have the same addresses for all

kernel32 functions

thunks Regular call

Opcode: 0xE8 + offset

Memcpy = thunk (nur jmp)

Not resolved yet

“direct“ import calls call ds:xxx

Opcodes: 0xFF15 + absolut address

Not resolved yet

Page based (4 KB pages, arch dependent)

Pages (virtual mem.) -> page tables -> page frames

(physical mem.)

Pages have several attributes:

User / Supervisor (Kernel)

read-only, read-write, read-execute, etc.

Memory is not disk, dough! 31

Picture: CC Hameed, (http://blogs.technet.com) 32

Picture: Bill Blunden (The Rootkit Arsenal) 33

Application starts. Process is generated. Process = running instance of an application.

Processes are separated from each other.

Every process gets its own virtual address space (32-bit: 4 GB)

A process is a container (own VM, Handles, Threads (min.1)) Thread = context execution of a process.

Multithreading.

Shares system resources (Code, Data, Handles)

Own stack, though.

Thread Local Storage.

Threads (within a process) can share memory.

Processes and Threads 34

Important data structures in every process

PEB: Process Environment Block (1 pro Process) Location of executable (ImageBase)

Information about DLLs

Information regarding the heap

TEB: Thread Environment Block (1 pro Thread) Location of the PEB

Location of the stack

Pointer to first SEH Chain entry

PEB vs. TEB 35

Process memory segmentation:

Code (.text): like the segment on disk

Data (.data): like the segment on disk

Stack: function arguments, local variables

Grows towards lower addresses

Defined through top (ESP) and bottom (EBP)

PUSH vs POP (dword)

Heap: managed by Allocator/Deallocator algorithms

Two new segments 36

2GB Picture courtesy of CORELAN Copyright (c) Corelan GCV

Open cmd.exe in ImmunityDebugger

Time to take a peek 38

The stack . Push & pop.

Function prologue

function calls

Different types:

cdecl (C progs, variable arg number)

Caller* is responsible for adjusting the stack.

How many args were there? Unknown

stdcall (windows API, fixed arg number)

Function self adjusts the stack before return.

It's clear in advance how many arguments

_funcName@nrBytes

Argument passing

Argument passing ( by ref )

Argument passing ( by value )

Go home Compiler, you are drunk

#include <stdio.h> int main(void) { char x = 0xff; if(x == 0xff) puts("YES"); else puts("NO"); return 0; }

sign extensions from hell 49

There is NOT such thing as static reversing ONLY

Combine static (IDA) and dynamic (debugger).

The trick is to optimize the information transfer

between these two.

Best of both worlds 51

Examples:

IDA debugging capabilities

Dynamic Binary Instrumentation (PIN).

Import results in IDA to see code coverage

Trace with .py

Differential debugging

Best of both worlds 52

Not really scary… 54

Don't get distracted! 55

Look, it works! 56

Loooooong function 57

Don't really feel like doing this manually 58

We will solve this soon… intelligently 59

F*ck this shit I'm outta here!

Take the control! 60

Not elegant but effective… 61

I want more… finesse… 62

Tzzzzzz. Tttzzzz… 63

If it‘s in twitter it must be true 64

Keepass stalker

Example: utorrent readfile

Which ReadFile ?!?!

There are several references…

Manually inspecting all is a tedious job. 67

Reading from a File

CreateFile(...)

Returns handle

ReadFile(handle)

CloseHandle(handle)

Reading from a File

It's a long shot 70

And... found!

It's a long shot 71

Binary manipulation

Binaries can be easily modified Patched (on disk, live) Functions intercepted (hooking, live)

Usage:

Inspection (ex. Tracing) Change execution flow Whatever you can imagine

What you all have been waiting for… 73

Braaaaiiinnnsss… I mean, credeeeennttiiiaaalllssssss… 74

So many questions…

APIs used to send() and recv() data?

Sure? Think twice

Functions I don't see?

What happens with the data received?

How does the malware achieve persistency?

Braaaaiiinnnsss… I mean, credeeeennttiiiaaalllssssss… 75

Malware are deceiving bastards… 76

Are these the

ONLY APIs

used by this malware?

Braaaaiiinnnsss… I mean, CPU cycles… 77

I like it here. I think I‘m gonna stick for a while… 78

How does the malware

achieve

persistency?

Braaaaiiinnnsss… I mean, CPU cycles… 79

Getting in the enemy's mind 80

Hands on: STRINGS

Juicy info in two minutes 81

Hands on: imports

Very interesting imports… 82

Hands on: resources

The .rsrc section is perfect for hiding data 83

"Crypto" stuff

Takes less time and is less brain damaging 84

Hands on: sneaky bastards

I see what you did there… 85

There are so many! What Do i do?!?!?

Who are u gonna call? Sneakbuster!

Takes less time and is less brain damaging 87

Hands on: WTFTLS

NO ME GUSTA 88

Hands on: WTFTLS

Call, call, call … 89

Hands on: running it

Thanks for the info… 90

Hands on: running it

Here's (another?) candy for you… 91

Last chance! ;) 92

Twitter: @m0n0sapiens 93

the walking 0xdead

Technology

new on walking aids for the disabled : disability walking...

the walking dead

the walking dead_hq_01_pdf_pt_br

walking the labyrinthmay2010

the walking dead_hq_0001_pdf_pt_br

our feet were made for walking the benefits of walking

walking across the stage doesn’t mean walking away...

fear the walking

the walking dead_hq_0003_pdf_pt_br

walking the walk

walking the series

the walking dead_hq_0012_pdf_pt_br

walking information handbook - encounter walking … ·...

about the walking tour - llanpumsaint walkthe walking tour...

the walking dead_hq_0009_pdf_pt_br

review walking worthy of the calling (4:1) walking no longer...

the walking dead_hq_0002_pdf_pt_br

the walking dead.article

walking the imagination

walking on stones walking on stones walking on stones