the walking 0xdead

Inspecting and Manipulating binaries

Introduction.

x86 architecture. Assembler.

Binary inspection.

General sample (crackme)

Binary manipulation.

Python to the rescue!

Malware analysis

What we (you) are going to do 2

Welcome to the city of death 3

Braaaaiiinnnssss 4

$ whoami

4

Binary Reverse Engineering Malware Programming The walking dead

5

$ whoami

Binary Reverse Engineering

5

Yeah, but what is reversing ???

6

Kind of a reconstruction

Code Binary

int main(int argc, char **argv) push ebp

{ mov ebp, esp

int gv = 0; // global mov dword_403394, 0

[…] […]

Requisites

ASM knowledge

Binary format (PE32, etc.)

OS Knowledge

Patience ;)

so, i want to do some reversing

7

At the beginning, there was c0de

#include "stdafx.h"

#include <iostream> using namespace std;

int add(int x, int y)

{ return x + y; }

int main() {

int a = 0, b = 0; cout << "Enter a: ";

[…] return 0; }

8

The compiler fucks it all up

9

compiling is like...

… that scene of Apollo XIII

10

It may hurt a little bit… 11

Bytes :: opcodes

12

Opcodes :: basic blocks

13

Basic blocks :: functions

14

Cpu registers

„General purpose“ registers:

eax, ebx, ecx, edx, esi, edi, ebp, esp

32 bits (64 bits in x86_64)

Some of them have special uses.

„The rootkit arsenal“ Bill Blunden


Cpu registers

Not so „general purpose“ registers:

eax: Arithmetic and function return values

ecx: counter (loops, etc.)

esi, edi: src, dst in memcpy, strcpy, etc.

ebp, esp: stack operations :)

and more...


Some common instructions

Read

mov eax, [ecx]

mov eax, [00401000]

Write

mov ebx, 0x20

mov [ebx+0x1C], ecx



push

push 0x100

push dword_1377

pop

pop ecx

pop 0x00c0ffee



inc, dec

mul, div Use your imagination :)

add, sub

add esp, 0x08

sub esp, 0x1c



lea dst, src

lea eax, [esi*2]

lea ecx, [esi+ecx]

shl, shr

shl eax, 2



jxx dst

jmp 0xbadc0de

jnz eax

ja 0xc0ffee

jl ebx

t

call 0x00412F1E



cmp dst, src

cmp eax, ebx

cmp ecx, 0xFF

test dst, src

test ecx, edx


Important segments

.data: statically allocated *initialized*

int g = 1; char str[] = „yomamma“;

.bss: statically allocated *UNinitialized*

int var; char *ptr;

.rdata: read-only data (const c = 0)


It‘s all about the .(r)data


Moar data


Imports and all that stuff…


The problem with imports

Problem: O(n2) vs. O(n)

„Thunks and dynamic resolution makes the binary *portable* between Windows versions.

XP and Win7 don‘t have the same addresses for all

kernel32 functions


thunks Regular call

Opcode: 0xE8 + offset

Memcpy = thunk (nur jmp)

Not resolved yet


“direct“ import calls call ds:xxx

Opcodes: 0xFF15 + absolut address

Not resolved yet


Page based (4 KB pages, arch dependent)

Pages (virtual mem.) -> page tables -> page frames

(physical mem.)

Pages have several attributes:

User / Supervisor (Kernel)

read-only, read-write, read-execute, etc.

Memory is not disk, dough! 31

Picture: CC Hameed, (http://blogs.technet.com) 32

Picture: Bill Blunden (The Rootkit Arsenal) 33

Application starts. Process is generated. Process = running instance of an application.

Processes are separated from each other.

Every process gets its own virtual address space (32-bit: 4 GB)

A process is a container (own VM, Handles, Threads (min.1)) Thread = context execution of a process.

Multithreading.

Shares system resources (Code, Data, Handles)

Own stack, though.

Thread Local Storage.

Threads (within a process) can share memory.

Processes and Threads 34

Important data structures in every process

PEB: Process Environment Block (1 pro Process) Location of executable (ImageBase)

Information about DLLs

Information regarding the heap

TEB: Thread Environment Block (1 pro Thread) Location of the PEB

Location of the stack

Pointer to first SEH Chain entry

PEB vs. TEB 35

Process memory segmentation:

Code (.text): like the segment on disk

Data (.data): like the segment on disk

Stack: function arguments, local variables

Grows towards lower addresses

Defined through top (ESP) and bottom (EBP)

PUSH vs POP (dword)

Heap: managed by Allocator/Deallocator algorithms

Two new segments 36

4GB

2GB Picture courtesy of CORELAN Copyright (c) Corelan GCV

37

Use

r la

nd

K

ern

el l

and

Open cmd.exe in ImmunityDebugger

Time to take a peek 38

The stack . Push & pop.


Function prologue


function calls

Different types:

cdecl (C progs, variable arg number)

Caller* is responsible for adjusting the stack.

How many args were there? Unknown

stdcall (windows API, fixed arg number)

Function self adjusts the stack before return.

It's clear in advance how many arguments

_funcName@nrBytes


Argument passing


Argument passing ( by ref )


Argument passing ( by value )


Go home Compiler, you are drunk

#include <stdio.h> int main(void) { char x = 0xff; if(x == 0xff) puts("YES"); else puts("NO"); return 0; }

sign extensions from hell 49

There is NOT such thing as static reversing ONLY

Combine static (IDA) and dynamic (debugger).

The trick is to optimize the information transfer

between these two.

Best of both worlds 51

Examples:

IDA debugging capabilities

Dynamic Binary Instrumentation (PIN).

Import results in IDA to see code coverage

Trace with .py

Differential debugging

Best of both worlds 52

Not really scary… 54

Don't get distracted! 55

Look, it works! 56

Loooooong function 57

Don't really feel like doing this manually 58

We will solve this soon… intelligently 59

F*ck this shit I'm outta here!

Take the control! 60

Not elegant but effective… 61

I want more… finesse… 62


Tzzzzzz. Tttzzzz… 63


If it‘s in twitter it must be true 64

Keepass stalker

Materials/keepass_live_debugging_640x480.mp4

Example: utorrent readfile

Which ReadFile ?!?!

There are several references…

Manually inspecting all is a tedious job. 67

Reading from a File

CreateFile(...)

Returns handle

ReadFile(handle)

CloseHandle(handle)

Reading from a File

It's a long shot 70

And... found!

It's a long shot 71

Binary manipulation

Binaries can be easily modified Patched (on disk, live) Functions intercepted (hooking, live)

Usage:

Inspection (ex. Tracing) Change execution flow Whatever you can imagine

What you all have been waiting for… 73

Braaaaiiinnnsss… I mean, credeeeennttiiiaaalllssssss… 74

So many questions…

APIs used to send() and recv() data?

Sure? Think twice

Functions I don't see?

What happens with the data received?

How does the malware achieve persistency?

Braaaaiiinnnsss… I mean, credeeeennttiiiaaalllssssss… 75

Malware are deceiving bastards… 76

Are these the

ONLY APIs

used by this malware?

Braaaaiiinnnsss… I mean, CPU cycles… 77

I like it here. I think I‘m gonna stick for a while… 78

How does the malware

achieve

persistency?

Braaaaiiinnnsss… I mean, CPU cycles… 79

Getting in the enemy's mind 80

Hands on: STRINGS

Juicy info in two minutes 81

Hands on: imports

Very interesting imports… 82

Hands on: resources

The .rsrc section is perfect for hiding data 83

"Crypto" stuff

Takes less time and is less brain damaging 84

Hands on: sneaky bastards

I see what you did there… 85

86

There are so many! What Do i do?!?!?

Who are u gonna call? Sneakbuster!

Takes less time and is less brain damaging 87

Hands on: WTFTLS

NO ME GUSTA 88

Hands on: WTFTLS

Call, call, call … 89

Hands on: running it

Thanks for the info… 90

Hands on: running it

Here's (another?) candy for you… 91

Last chance! ;) 92

Twitter: @m0n0sapiens 93

the walking 0xdead

Technology