Object Oriented Code RE with HexRaysCodeXplorer
Eugene Rodionov (@vxradius)
Alex Matrosov (@matrosov)
Agenda
* Object Oriented Code Reversing Challenges
  -- virtual methods
  -- templates
* Reversing Object Oriented Malware
  -- Flamer
  -- Sednit
* HexRaysCodeXplorer in use
Modern C++ Malware for Targeted Attacks
Timeline 2010 to 2015: Stuxnet, Duqu, Flamer, Gauss, Dino, Sednit, Bunny, Casper, Babar
Why is reversing C++ code a hard problem?
Virtual Methods & Templates
Virtual Methods

Non-virtual method: the call target is fixed at compile time and visible in the disassembly.

```cpp
class Cat {
private:  int _weight;
public:   Cat(int weight) : _weight(weight) {}
          int eat(int food) { return _weight += food; }
};

int _tmain(int argc, _TCHAR* argv[]) { Cat* cat = new Cat(130); int newWeight = cat->eat(20); }
```

vs

Virtual method: the call goes through the object's vftable, so the target depends on which constructor ran.

```cpp
class Animal {
protected: int _weight;
public:    Animal(int weight) : _weight(weight) {}
           virtual int eat(int food) = 0;
};

class Cat : public Animal {   // public inheritance, so Animal* may point at a Cat
public:    Cat(int weight) : Animal(weight) {}
           virtual int eat(int food) { return _weight += food; }
};

int _tmain(int argc, _TCHAR* argv[]) { Animal* cat = new Cat(130); int newWeight = cat->eat(20); }
```
Virtual Function Tables
Class A object layout: vfPtr | attr_1 | attr_2
A::vfTable (pointed to by vfPtr): A::a1() | A::a2() | A::a3()
RTTI Object Locator (referenced from the vftable's meta slot): signature | pTypeDescriptor | pClassDescriptor
Virtual Function Tables
* lead to indirect method calls -- difficult to analyze statically
* initialized in constructors -- need to track back object creation
C++ Templates
* extra code to analyze -- another way to create polymorphic types
* problematic to recognize standard library code (FLIRT) -- playing with compiler optimization options
* every instantiation is a separate copy of the code: std::vector<int>, std::vector<char>, std::vector<std::string>, std::vector<custom_type>
C++ Code Reconstruction Problems
* Object identification
  -- type reconstruction
* Class layout reconstruction
  -- identify constructors/destructors
  -- identify class members
  -- local/global type reconstruction
  -- associate object with exact method calls
* RTTI reconstruction
  -- vftable reconstruction
  -- associate vftable with exact object
  -- class hierarchy reconstruction
Reversing Object Oriented Malware
Practical Approaches: REconstructing Flamer Framework
REconstructing Flamer Framework
Framework diagram, containers: Vector<Command Executor>, Vector<Task>, Vector<DelayedTasks>, Vector<Consumer>
Framework diagram, components: DB_Query, ClanCmd, IDLER, CmdExec, EuphoriaShare, Supplier, MobileConsumer, CmdConsumer, MunchSniffer, FileFinder, FileCollect, Driller, GetConfig, LSSSender, Frog, Beetlejuice, LuaConsumer, MediaConsumer
Source: http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
Identifying Used Types
* Smart pointers
* Strings
* Vectors to maintain objects
* Custom data types:
  -- tasks
  -- triggers
  -- etc.
Data Types Being Used: Smart pointers

```c
struct SMART_PTR {
    void *pObject;   // pointer to the object
    int  *RefNo;     // reference counter
};
```
Data Types Being Used: Vectors

```c
struct VECTOR {
    void *vTable;          // pointer to the virtual table
    int   NumberOfItems;   // self-explanatory
    int   MaxSize;         // self-explanatory
    void *vector;          // pointer to buffer with elements
};
```

* Used for handling objects:
  -- tasks
  -- triggers
Data Types Being Used: Strings

```c
struct USTRING_STRUCT {
    void    *vTable;          // pointer to the table
    int      RefNo;           // reference counter
    int      Initialized;
    wchar_t *UnicodeBuffer;   // pointer to unicode string
    char    *AsciiBuffer;     // pointer to ASCII string
    int      AsciiLength;     // length of the ASCII string
    int      Reserved;
    int      Length;          // length of unicode string
    int      LengthMax;       // size of UnicodeBuffer
};
```
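As an added example (not code from the talk or from Flamer), this Python walks the VECTOR and USTRING_STRUCT layouts above in a constructed 32-bit little-endian memory dump: it reads a VECTOR of pointers to USTRING_STRUCT objects, applies the sanity checks that separate a real object from garbage (NumberOfItems within MaxSize, Initialized set, Length within LengthMax, pointers inside the dump) and decodes each UnicodeBuffer. BASE, all addresses and the string contents are made up, and Length is assumed to count wchar_t characters.

```python
import struct

# Constructed little-endian 32-bit dump holding a Flamer-style Vector of USTRING_STRUCT pointers.
# Field layouts follow the slides; BASE, addresses and string contents are sample data made up here.
BASE = 0x10000000
VECTOR_FMT = '<IiiI'          # vTable, NumberOfItems, MaxSize, vector (pointer to element buffer)
USTRING_FMT = '<IiiIIiiii'    # vTable, RefNo, Initialized, UnicodeBuffer, AsciiBuffer,
                              # AsciiLength, Reserved, Length, LengthMax
USTRING_SIZE = struct.calcsize(USTRING_FMT)   # 36 bytes

def build_sample_dump():
    img, va = bytearray(0x200), (lambda off: BASE + off)
    ptrs, off = [], 0x40
    for i, text in enumerate(['MunchSniffer', 'FileFinder']):
        buf = 0x180 + i * 0x40                       # UnicodeBuffer of this string
        data = text.encode('utf-16-le') + b'\0\0'
        img[buf:buf + len(data)] = data
        # Assumption: Length counts wchar_t characters and LengthMax the buffer capacity in them
        struct.pack_into(USTRING_FMT, img, off, va(0x1F0), 1, 1, va(buf), 0, 0, 0, len(text), 32)
        ptrs.append(va(off)); off += USTRING_SIZE
    struct.pack_into('<%dI' % len(ptrs), img, 0x100, *ptrs)          # element buffer
    struct.pack_into(VECTOR_FMT, img, 0x00, va(0x1F0), len(ptrs), 4, va(0x100))
    return img

def rd(img, va, fmt):
    """Unpack fmt at virtual address va, refusing pointers that leave the dump."""
    off = va - BASE
    if not 0 <= off <= len(img) - struct.calcsize(fmt):
        raise ValueError('pointer %#x points outside the dump' % va)
    return struct.unpack_from(fmt, img, off)

def read_ustring(img, va):
    _, refno, init, ubuf, _, _, _, length, length_max = rd(img, va, USTRING_FMT)
    if not init or refno <= 0 or not 0 <= length <= length_max:
        raise ValueError('USTRING_STRUCT at %#x fails sanity checks' % va)
    return rd(img, ubuf, '<%ds' % (2 * length))[0].decode('utf-16-le')

def read_vector_of_ustrings(img, va):
    _, n, max_size, elems = rd(img, va, VECTOR_FMT)
    if not 0 <= n <= max_size:
        raise ValueError('VECTOR at %#x: NumberOfItems %d exceeds MaxSize %d' % (va, n, max_size))
    return [read_ustring(img, p) for p in rd(img, elems, '<%dI' % n)]

if __name__ == '__main__':
    print(read_vector_of_ustrings(build_sample_dump(), BASE))
```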
Approaching Flamer
* Identify Object Constructors
* Reconstruct Object Attributes
* Reconstruct Object Methods
Two tracks: Type reconstruction; Control Flow Graph Reconstruction
Identifying Object Constructors
REconstructing Object’s Attributes
REconstructing Object’s Methods
Reversing Object Oriented Malware
Practical Approaches: REconstructing XAgent Framework
XAgent Framework
Communication Channels: Vector<IAgentChannel>
Agent Modules: Vector<IAgentModule>
Framework diagram, components: AgentKernel, Local Storage, Cryptor, Channel Controller, ModuleFileSystem, ModuleRemoteKeyLogger, ProcessRetranslatorModule, DNameNode, WinHttp
Source: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
Object Interconnection: IAgentModule

```c
struct IAgentModule {
    LPVOID receiveMessage;
    LPVOID sendMessage;
    LPVOID getModuleId;
    LPVOID setModuleId;
    LPVOID executeModule;
};
```

Classes implementing IAgentModule: AgentKernel, ModuleFileSystem, ModuleRemoteKeyLogger, ProcessRetranslatorModule
Exploring RTTI
* recover type names
* reconstruct class hierarchy
* identify object virtual function tables
* IDA ClassInformer plugin
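As an added example (not code from the talk, ClassInformer or HexRaysCodeXplorer), this Python follows the MSVC x86 RTTI chain that the Virtual Function Tables slide draws and that the bullets above rely on: vfPtr, the vftable's meta slot, the RTTI Complete Object Locator, then the TypeDescriptor for the type name and the ClassHierarchyDescriptor for the base-class list. The 32-bit memory image, its BASE address and every offset are constructed sample data for `class Cat : public Animal`.

```python
import struct

# Constructed 32-bit MSVC-style memory image for `class Cat : public Animal`
# (built here as sample data; not dumped from any real binary). BASE is arbitrary.
BASE = 0x00400000

def build_sample_image():
    img, va = bytearray(0x100), (lambda off: BASE + off)
    # TypeDescriptor: pVFTable (type_info vftable), spare, then the mangled name
    struct.pack_into('<II', img, 0x00, va(0xF0), 0); img[0x08:0x15] = b'.?AVAnimal@@\0'
    struct.pack_into('<II', img, 0x20, va(0xF0), 0); img[0x28:0x32] = b'.?AVCat@@\0'
    # RTTIBaseClassDescriptor: pTypeDescriptor, numContainedBases, PMD {mdisp, pdisp, vdisp}, attributes
    struct.pack_into('<IIiiiI', img, 0x40, va(0x20), 1, 0, -1, 0, 0)   # Cat itself
    struct.pack_into('<IIiiiI', img, 0x60, va(0x00), 0, 0, -1, 0, 0)   # Animal
    struct.pack_into('<II', img, 0x80, va(0x40), va(0x60))             # BaseClassArray
    # RTTIClassHierarchyDescriptor: signature, attributes, numBaseClasses, pBaseClassArray
    struct.pack_into('<IIII', img, 0x90, 0, 0, 2, va(0x80))
    # RTTICompleteObjectLocator: signature, offset, cdOffset, pTypeDescriptor, pClassDescriptor
    struct.pack_into('<IIIII', img, 0xA0, 0, 0, 0, va(0x20), va(0x90))
    # Cat::vfTable: the "meta" slot holds the locator pointer; the method pointers follow it
    struct.pack_into('<II', img, 0xC0, va(0xA0), 0x00401000)           # [meta][Cat::eat]
    # Object instance: vfPtr, then the attributes (_weight)
    struct.pack_into('<II', img, 0xD0, va(0xC4), 130)
    return img

def rd32(img, va):
    return struct.unpack_from('<I', img, va - BASE)[0]

def rd_cstr(img, va):
    off = va - BASE
    return img[off:img.index(b'\0', off)].decode('ascii')

def demangle_type_name(mangled):
    """'.?AVCat@@' -> 'Cat'; '.?AUInner@Outer@@' -> 'Outer::Inner' (AV = class, AU = struct)."""
    if not mangled.startswith(('.?AV', '.?AU')) or not mangled.endswith('@@'):
        raise ValueError('not an MSVC RTTI type name: %r' % mangled)
    return '::'.join(reversed(mangled[4:-2].split('@')))

def type_name_at(img, p_td):
    return demangle_type_name(rd_cstr(img, p_td + 8))   # name follows pVFTable and spare

def recover_object_type(img, obj_va):
    """vfPtr -> vftable[-1] (meta) -> COL -> TypeDescriptor + ClassHierarchyDescriptor."""
    vft = rd32(img, obj_va)                   # first DWORD of a polymorphic object
    col = rd32(img, vft - 4)
    sig, offset, _cd_off, p_td, p_chd = struct.unpack_from('<IIIII', img, col - BASE)
    if sig != 0:                              # x86 COL signature; 1 marks the x64 image-relative form
        raise ValueError('unexpected COL signature %d' % sig)
    _, _, n_bases, p_chd_array = struct.unpack_from('<IIII', img, p_chd - BASE)
    # BaseClassArray entry 0 is the class itself, followed by its bases
    hierarchy = [type_name_at(img, rd32(img, rd32(img, p_chd_array + 4 * i))) for i in range(n_bases)]
    return {'name': type_name_at(img, p_td), 'vftable': vft,
            'object_base': obj_va - offset, 'hierarchy': hierarchy}

if __name__ == '__main__':
    print(recover_object_type(build_sample_image(), BASE + 0xD0))
```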
XAgent: LocalDataStorage
LocalDataStorage: registry reader/writer, file reader/writer
XAgent: Cryptor
Diagram labels: encrypted message, salt (4 bytes), RC4 key, plain text
XAgent: IReservedApi
XAgent: Identifying Used Types
* Strings: std::string
* Containers to maintain objects:
  -- std::vector
  -- std::list
HexRaysCodeXplorer
HexRaysCodeXplorer since 2013
* CodeXplorer v1.0 released at REcon 2013
* First third-party plugin for the Hex-Rays Decompiler
* v1.0 supports IDA v6.4 and Decompiler for x86 v1.8
HexRaysCodeXplorer Features
* Hex-Rays decompiler plugin for x86/x64
* The plugin was designed to facilitate static analysis of:
  -- object oriented code
  -- position independent code
* The plugin allows the analyst to:
  -- partially reconstruct object types
  -- navigate through decompiled virtual methods
Hex-Rays Decompiler Plugin SDK
* At the heart of the decompiler lies the ctree structure:
  -- syntax tree structure
  -- consists of citem_t objects
  -- there are 9 maturity levels of the ctree structure
Hex-Rays Decompiler Plugin SDK
* Type citem_t is a base class for:
  -- cexpr_t – expression type
  -- cinsn_t – statement type
* Expressions have attached type information
* Statements include: block, if, for, while, do, switch, return, goto, asm
* Hex-Rays provides iterators for traversing the citem_t objects within the ctree structure: ctree_visitor_t, ctree_parentee_t
Class diagram: citem_t is the parent of cexpr_t and cinsn_t
DEMO time :)
HexRaysCodeXplorer: Gapz Position Independent Code
HexRaysCodeXplorer: Virtual Methods
* IDA’s ‘Local Types’ is used to represent the object type
HexRaysCodeXplorer: Virtual Methods
* The Hex-Rays decompiler plugin is used to navigate through the virtual methods
HexRaysCodeXplorer: Object Type REconstruction
* Hex-Rays’s ctree structure may be used to partially reconstruct the object type
* Input:
  -- pointer to the object instance
  -- object initialization routine entry point
* Output:
  -- C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction
* citem_t objects examined:
  -- memptr, idx, memref
  -- call, ptr, asg
HexRaysCodeXplorer: Object Type REconstruction

```c
// reference of DWORD at offset 12 in buffer a1
*(DWORD *)(a1 + 12) = 0xEFCDAB89;
```
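As an added example (not HexRaysCodeXplorer's code, which works on ctree items rather than text), this Python shows the same reconstruction step on the pseudocode level: it collects every typed dereference of the object pointer from an initialization routine, the slide's `*(DWORD *)(a1 + 12) = 0xEFCDAB89;` among them, recognises the vftable store at offset 0, and emits a C structure with gap padding for bytes never touched. The pseudocode lines, the names `Cat::vftable` and `sub_401000`, and the type name are constructed for the example.

```python
import re

# Byte sizes of the Hex-Rays/Windows scalar types that appear in casts such as *(DWORD *)(a1 + 12)
TYPE_SIZE = {'BYTE': 1, 'WORD': 2, 'DWORD': 4, 'QWORD': 8}

# One dereference of an object pointer: `*(DWORD *)(a1 + 12)` or `*(DWORD *)a1` (offset 0)
ACCESS_RE = re.compile(
    r'\*\((?P<type>BYTE|WORD|DWORD|QWORD) \*\)\(?(?P<var>\w+)(?: \+ (?P<off>\d+))?\)?')
# A constructor storing the vftable pointer into the first slot of the object (x86: one DWORD)
VFTABLE_RE = re.compile(r'\*\(DWORD \*\)(?P<var>\w+) = &?\S*vftable')

# Constructed Hex-Rays-style pseudocode of an object initialization routine (not from any real
# sample); the slide's own line `*(DWORD *)(a1 + 12) = 0xEFCDAB89;` is one of the accesses.
SAMPLE_PSEUDOCODE = [
    '*(DWORD *)a1 = &Cat::vftable;',            # vfPtr is written first
    '*(DWORD *)(a1 + 4) = 130;',
    '*(BYTE *)(a1 + 8) = 1;',
    '// reference of DWORD at offset 12 in buffer a1',
    '*(DWORD *)(a1 + 12) = 0xEFCDAB89;',
    'sub_401000(*(DWORD *)(a1 + 16), a2);',     # a read passed to a call still reveals a field
    '*(DWORD *)(a2 + 4) = 0;',                  # another object: must not leak into a1's layout
]

def collect_accesses(lines, obj_var):
    """Map offset -> widest scalar type dereferenced at that offset of obj_var."""
    fields = {}
    for line in lines:
        for m in ACCESS_RE.finditer(line):
            if m.group('var') != obj_var:
                continue
            off, ty = int(m.group('off') or 0), m.group('type')
            if off not in fields or TYPE_SIZE[ty] > TYPE_SIZE[fields[off]]:
                fields[off] = ty
    return fields

def emit_struct(fields, name, vftable_offsets=()):
    """Lay the recovered fields out as a C struct; unknown bytes become gap_N padding."""
    out, cursor = ['struct %s {' % name], 0
    for off in sorted(fields):
        if off < cursor:                        # overlapping access, e.g. a BYTE inside a DWORD
            out.append('    // %s access at offset %d overlaps the previous field' % (fields[off], off))
            continue
        if off > cursor:
            out.append('    BYTE gap_%X[%d];' % (cursor, off - cursor))
        if off in vftable_offsets:
            out.append('    void **vfptr;  // offset %d' % off)
        else:
            out.append('    %-5s field_%X;  // offset %d' % (fields[off], off, off))
        cursor = off + TYPE_SIZE[fields[off]]
    out.append('};')
    return '\n'.join(out)

def reconstruct_type(lines, obj_var='a1', name='ReconstructedObject'):
    fields = collect_accesses(lines, obj_var)
    has_vft = any(m and m.group('var') == obj_var for m in map(VFTABLE_RE.match, lines))
    return emit_struct(fields, name, {0} if has_vft else set())

if __name__ == '__main__':
    print(reconstruct_type(SAMPLE_PSEUDOCODE))
```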
HexRaysCodeXplorer: v1.7 [NSEC Edition]
* Automatic virtual table identification + type reconstruction
* Support for IDA Pro x64
* Bugfixes
DEMO time :)
HexRaysCodeXplorer: Next plans
* Switch to IDAPython
Why Python?
* Further research & development:
  -- find cross-references to object attributes
  -- handling nested structures
  -- code similarity based on data flow analysis
Thank you for your attention!
http://REhints.com
@Rehints
https://github.com/REhints/HexRaysCodeXplorer