unpacking malware using ida pro extensions

Upload: torontogoat

Post on 04-Jun-2018

222 views

Category:

Documents


0 download

TRANSCRIPT

  • 8/13/2019 Unpacking Malware Using IDA Pro Extensions

    1/4

    Unpacking malicious software using IDA Pro extensions

    A paper by Dennis Elser

    In almost all cases of today's malicious software, executable packers or -crypters are used in order to obfuscate code and data. In some cases unpackers and dumpers area ailable. In ery few cases t!ey actually work on packed malware executables dueto modifications of internal structures suc! as t!e P" !eader.

    In t!e following example an unknown binary is loaded into IDA Pro #. $!e code at t!e entry point of t!e executable looks like t!is%

    &ig. #

    A segment named UP(#), an in alid import address table and an empty list of strings are an indicator for a packed file. UP( * !owe er, can not unpack t!e file

    because internal structures !a e been modified. $!is tec!ni+ue often is used by malware aut!ors to make unpacking and re erse engineering !arder.

    $!e first step now is to obtain a readable representation of t!e packed executable. A good and +uick start in ac!ie ing t!is is to run t!e executable and dump t!e pre iously packed segment s , once t!ey !a e been unpacked. Preferably, t!e dumps!ould be made rig!t after t!e executable !as been completely unpacked in

    memory. $!is often is t!e case after t!e original entry point "P !as been reac!ed. &inding t!e "P isn't always tri ial and can be a time consuming process because you need to single step t!roug! t!e code. Using t!e IDA Pro /D0, a plugin named "P& 1 "ntry Point &inder !as been created, aimed towardsautomating t!e process of finding t!e original entry point.

    An isolated en ironment a irtual mac!ine for example is used to carefully

    &ig. *

    run t!e executable in IDA Pro's debugger. &igure * s!ows t!e extended instruction

  • 8/13/2019 Unpacking Malware Using IDA Pro Extensions

    2/4

    pointer "IP pointing to a pus!a) mnemonic. $!is statement is used as t!e first instruction to back up) t!e content of all standard registers. 2any executablecompressors use a popa) instruction at t!e end of t!eir code to restore t!e

    pre iously sa ed state. $!is be!a ior can be exploited by t!e "P& plugin3 t!e pluginoffers an option to let t!e IDA Pro debugger trace code until a specific mnemonic

    is reac!ed.

    &ig. 1

    After t!e "P& plugin !as been started and configured, t!e process can be resumedbe careful, don't run malware on your !ost system4 . After a few seconds, t!e process is paused and "P& turned off. $!e following message appears%

    &ig. 5

    $!e code at "IP points to a popa) mnemonic followed by a 6ump and t!e end of

    &ig. 7

  • 8/13/2019 Unpacking Malware Using IDA Pro Extensions

    3/4

    t!e start) procedure. /ingle stepping o er t!e 6ump leads to t!e following message box%

    &ig. 8

    9!oosing :es) creates an instruction at "IP and IDA Pro begins to analy;e controlflow.

    &ig.