binary analysis
TRANSCRIPT
-
8/12/2019 Binary Analysis
Binary Analysis Defined
The examination of a file to determine the authenticity and functionality of the file.
-
Why Binary Analysis
In an intrusion investigation, the unknown binary could be the key to the case.
It could be a benign file. It could be a legitimate file.
Either way, for a case going to prosecution it is necessary to ensure thoroughness.
-
Conducted In Addition
Operating System Analysis
Registry Analysis
Processes Analysis
Reverse Engineering
BINARY ANALYSIS IS ONLY ONE STEP IN THE PROCESS
-
Steps in Binary Analysis
Header
Libraries
Body
Footer
Strings
Metadata
Packers/Compressors
-
File Header
Signature Analysis
File headers of interest:
4D 5A (MZ)
00 00 00 4D 5A (MZ)
-
File Libraries
Compare Dynamic Link Library (DLL) files to known files.
Hackers usually give Trojan files the names of legitimate files.
-
File Body
Compare a Known File to the Unknown File
We are looking for HEX
-
File Footer
Compare the known file to the unknown file.
Verisign and Hotfix 1234 are normally a good sign
-
File Strings
Compare a known file to the unknown file.
Command line: >strings filename
Strings v2.3 Copyright (C) 1999-2006 Mark Russinovich Sysinternals - www.sysinternals.com
- script block VBScript !This program cannot be run in DOS mode. $Rich .text `.data .rsrc @.reloc B{N ADVAPI32.dll GDI32.dll KERNEL32.dll NTDLL.DLL MFC42.DLL msvcrt.dll ole32.dll OLEAUT32.dll USER32.dll
-
File Strings Continued
Compare two files using a program like diff for Linux or cfdiff for Windows.
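As an added example (not part of the original slides), the header-signature check and the known-vs-unknown strings comparison described above, done in Python instead of with the strings and diff tools. KNOWN and UNKNOWN are constructed sample byte blobs standing in for a legitimate file and a look-alike, not real binaries.

```python
"""Added example: MZ header check plus strings comparison of two binaries.
The sample blobs below are constructed for illustration, not real files."""
import re

MZ = b"MZ"  # 4D 5A, the executable header signature the slides look for


def has_mz_header(data: bytes, max_leading_nulls: int = 3) -> bool:
    """True if the file starts with 'MZ', optionally after a few 00 bytes.
    The slides list both 4D 5A and 00 00 00 4D 5A as headers of interest."""
    stripped = data.lstrip(b"\x00")
    leading_nulls = len(data) - len(stripped)
    return leading_nulls <= max_leading_nulls and stripped.startswith(MZ)


def extract_strings(data: bytes, min_len: int = 4) -> set:
    """Printable ASCII runs of at least min_len chars, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def compare_strings(known: bytes, unknown: bytes) -> dict:
    """Split strings into common / only-in-known / only-in-unknown sets.
    Strings present only in the unknown file are what an examiner reads first
    (unexpected libraries, URLs, commands) when a Trojan borrows a legitimate
    file's name."""
    k, u = extract_strings(known), extract_strings(unknown)
    return {"only_in_unknown": u - k, "only_in_known": k - u, "common": k & u}


# Constructed sample data: a "legitimate" file and a same-named look-alike
# that carries a leading-null MZ header and imports a networking library.
KNOWN = (b"MZ\x90\x00" + b"\x00" * 8
         + b"This program cannot be run in DOS mode.\x00"
         + b"KERNEL32.dll\x00USER32.dll\x00")
UNKNOWN = (b"\x00\x00\x00MZ\x90\x00"
           + b"This program cannot be run in DOS mode.\x00"
           + b"KERNEL32.dll\x00WS2_32.dll\x00")

if __name__ == "__main__":
    for name, blob in (("known", KNOWN), ("unknown", UNKNOWN)):
        print(f"{name}: MZ header = {has_mz_header(blob)}")
    for key, values in compare_strings(KNOWN, UNKNOWN).items():
        print(f"{key}: {sorted(values)}")
```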
-
Metadata
Data that is used to describe other data
Metadata is stored in plain text
-
Packers/Compressors
Binary packers/compressors offer the hacker numerous advantages:
1. Masks contents of file from our eyes
2. Smaller files = faster uploads
3. Can trick IDS due to signature differences
-
Types of Packers
The most common type is UPX. This is easily unpacked with the UPX toolkit:
upx.sourceforge.net
WinRAR is a great tool to unpack exe files.
-
Static vs Runtime Analysis
Use Static analysis for object code (pre-linking)
Use Runtime analysis for executable code (post-linking)
-
Runtime Analysis
Many things may happen when a file is run:
1. Direct access to system resources (RAM, HDDs, etc.)
2. Net Libraries may execute
3. Registry Changes may be made
4. May affect or disable other programs
5. May open system up for further attacks
-
Sandbox
A system that is closed and can be closely monitored.
The best sandbox is a virtual machine:
1. Easy to configure as needed
2. No risk of harming production machines/networks
3. Easy to pull the plug if something goes horribly wrong
-
Sandbox Continued
Two good Windows virtual machine products:
VMware
Virtual PC by Microsoft
-
Sandbox Continued
Need to monitor ports, registry, and new files added to the system:
1. System Hash of Virtual PC file (vmdk files)
2. Regmon from www.sysinternals.com
3. ZoneAlarm from www.zonelabs.com
4. Use fport, pslist, netstat, and psservice
-
Running the Binary
Run the Binary
IDA Pro running in the background will capture (www.datarescue.com)
A debugger allows you to step through code
A disassembler allows you to create maps of their execution
Gets into reverse engineering