Posted on 16-Mar-2020

12 views

Category:

Documents


0 download

TRANSCRIPT

UPX Lab-11 CEH

Lab 1: UPX Program Packer

Let's use the UPX program packer on Netcat and see what happens. First let's get the MD5 hash of Netcat and see what it looks like.

From what we see here, Netcat's MD5 is AB41B1E2DB77CEBD9E2779110EE3915D. Now we will use UPX to pack it and get the MD5 sum again. Navigate to where you unzipped your upx303w. Let's look at what we get when we start upx without any parameters set.

The help screen it prints ends with: for a more detailed help type “upx --help”

To do what we want we are going to use “upx --brute -o nc_packed.exe nc.exe”

Before we move on, let me explain the previous command a little. upx, of course, starts the program. The --brute flag tells upx that we want to try all available compression methods and filters. The -o flag names the file we want to output. Now that we have packed our original “nc.exe” to “nc_packed.exe”, let's compare the sizes.

Unpacked: 61,440 bytes
Packed: 30,720 bytes

Quite the difference, almost half. Now we will check the MD5 of the packed program.

The MD5 hash has changed: 81A9B88C87C39415E4C734965ECC7534.

nc.exe = AB41B1E2DB77CEBD9E2779110EE3915D
nc_packed.exe = 81A9B88C87C39415E4C734965ECC7534

Now we are going to edit nc.exe using Hex Workshop and get the MD5 hash. Once you've opened nc.exe in Hex Workshop, change the word “program” to “PROGRAM”.

Save this file as nc_mod1.exe. Because we edited only the header information, the program will work fine. Now get the MD5 hash.

nc_mod1.exe = 23575179C749575323868E5ADDCFE94C

Once again, we will pack the program and check the hash.

nc_mod1_packed.exe = 0B5C8E85CA30EBCC5C228BC29F43287C

So now we have 4 different files:

• nc.exe – original
• nc_packed.exe – original Netcat executable, packed
• nc_mod1.exe – edited header information
• nc_mod1_packed.exe – edited header information, packed

Let's compare sizes.

Just like we stated earlier, there is almost a 50% difference between the packed files and the originals. Next let's compare the MD5 hashes; this is where we start to see something interesting.

MD5 hashes:
nc.exe = AB41B1E2DB77CEBD9E2779110EE3915D
nc_packed.exe = 81A9B88C87C39415E4C734965ECC7534
nc_mod1.exe = 23575179C749575323868E5ADDCFE94C
nc_mod1_packed.exe = 0B5C8E85CA30EBCC5C228BC29F43287C

Why is this important? Because it shows that the program has been changed from the original. Does Netcat still work after it has been packed?

The answer is yes. Netcat still works fine. Why is this important to us? To explain this we have to use www.virustotal.com. This is a free service that we can use to check our files against many different antivirus programs. Let's start uploading our files and see what the results are.

nc.exe Result: 24/41 (58.54%)

Engine | Version | Last update | Result
a-squared | 4.5.0.24 | 2009.08.10 | -
AhnLab-V3 | 5.0.0.2 | 2009.08.10 | -
AntiVir | 7.9.0.248 | 2009.08.10 | SPR/Tool.NetCat.B
Antiy-AVL | 2.0.3.7 | 2009.08.10 | RemoteAdmin/Win32.NetCat.gen
Authentium | 5.1.2.4 | 2009.08.09 | W32/Netcat
Avast | 4.8.1335.0 | 2009.08.09 | -
AVG | 8.5.0.406 | 2009.08.10 | RemoteAdmin.BX
BitDefender | 7.2 | 2009.08.10 | -
CAT-QuickHeal | 10.00 | 2009.08.10 | Trojan.Agent.WC
ClamAV | 0.94.1 | 2009.08.10 | PUA.NetTool.Netcat-6
Comodo | 1931 | 2009.08.10 | ApplicUnsaf.Win32.RemoteAdmin.NetCat
DrWeb | 5.0.0.12182 | 2009.08.10 | Tool.Netcat
eSafe | 7.0.17.0 | 2009.08.09 | Win32.Banker
eTrust-Vet | 31.6.6667 | 2009.08.08 | -
F-Prot | 4.4.4.56 | 2009.08.09 | W32/Netcat
F-Secure | 8.0.14470.0 | 2009.08.10 | Riskware:W32/NetCat.C
Fortinet | 3.120.0.0 | 2009.08.10 | HackerTool/Nt110
GData | 19 | 2009.08.10 | -
Ikarus | T3.1.1.64.0 | 2009.08.10 | -
Jiangmin | 11.0.800 | 2009.08.10 | Trojan/VulnWatch.a
K7AntiVirus | 7.10.814 | 2009.08.08 | Non-Virus:RemoteAdmin.Win32.NetCat
Kaspersky | 7.0.0.125 | 2009.08.10 | not-a-virus:RemoteAdmin.Win32.NetCat.a
McAfee | 5704 | 2009.08.09 | -
McAfee+Artemis | 5704 | 2009.08.09 | -
McAfee-GW-Edition | 6.8.5 | 2009.08.10 | Heuristic.LooksLike.Win32.NetCat.L
Microsoft | 1.4903 | 2009.08.10 | -
NOD32 | 4321 | 2009.08.10 | Win32/RemoteAdmin.NetCat
Norman | 6.01.09 | 2009.08.07 | -
nProtect | 2009.1.8.0 | 2009.08.10 | -
Panda | 10.0.0.14 | 2009.08.09 | -
PCTools | 4.4.2.0 | 2009.08.09 | Backdoor.NetCat32.C
Prevx | 3.0 | 2009.08.10 | -
Rising | 21.42.03.00 | 2009.08.10 | Backdoor.Win32.Gpigeon.dkl
Sophos | 4.44.0 | 2009.08.10 | NetCat
Sunbelt | 3.2.1858.2 | 2009.08.09 | Trojan.Win32.Generic!BT
Symantec | 1.4.4.12 | 2009.08.10 | -
TheHacker | 6.3.4.3.378 | 2009.08.08 | Aplicacion/NetCat
TrendMicro | 8.950.0.1094 | 2009.08.10 | -
VBA32 | 3.12.10.9 | 2009.08.10 | -
ViRobot | 2009.8.10.1877 | 2009.08.10 | Not_a_virus:RemoteAdmin.NetCat.61440
VirusBuster | 4.6.5.0 | 2009.08.09 | Backdoor.NetCat32.C

Next up is nc_packed.exe.

nc_packed.exe Result: 18/36 (50.00%) (the version and update columns were blank in this capture)

Engine | Result
AhnLab-V3 | -
AntiVir | SPR/Tool.NetCat.B
Authentium | -
Avast | -
AVG | RemoteAdmin.BX
BitDefender | Application.Tool.Nt110.W
CAT-QuickHeal | -
ClamAV | PUA.NetTool.Netcat-27
DrWeb | -
eSafe | Suspicious File
eTrust-Vet | -
Ewido | Not-A-Virus.RemoteAdmin.Win32.NetCat
F-Prot | -
F-Secure | RemoteAdmin.Win32.NetCat
Fortinet | -
GData | -
Ikarus | not-a-virus:RemoteAdmin.Win32.NetCat
K7AntiVirus | not-a-virus:RemoteAdmin.Win32.NetCat.x
Kaspersky | not-a-virus:RemoteAdmin.Win32.NetCat
McAfee | -
Microsoft | -
NOD32v2 | Win32/RemoteAdmin.NetCat
Norman | -
Panda | HackTool/NetCat.A
PCTools | -
Prevx1 | Malicious Software
Rising | Backdoor.Shelop
Sophos | NetCat
Sunbelt | -
Symantec | NetCat
TheHacker | -
TrendMicro | PAK_Generic.001
VBA32 | -
ViRobot | -
VirusBuster | -
Webwasher-Gateway | Riskware.Tool.NetCat.B

There should have been several things that popped into your mind after comparing the 2 results. The original Netcat file was found by 24 of 41 antivirus programs, whereas the packed file was found by 18 of 36. That means that 5 of the antivirus programs from the original scan didn't even see it. Another thing to note is that many of the antivirus programs either found it, did not find it, or changed their result just by packing the application. You can see the differences pretty clearly by looking at the 2 examples.
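As an added example (not part of the original lab), here is a small Python triage script that reproduces what the lab shows, that packing and even a one-word edit of the header text change the MD5, and adds a check that survives the hash change: UPX names the sections it creates UPX0 and UPX1, which can be read straight from the PE section table. The PE it analyzes is a constructed header-only stub built by make_fake_pe, not a real Netcat binary.

```python
import hashlib
import struct

# Section names UPX gives the sections it creates (UPX0, UPX1; UPX2 in some builds).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return the section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    n_sections, opt_size = coff[1], coff[5]
    table = e_lfanew + 24 + opt_size                          # first 40-byte section header
    names = []
    for i in range(n_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break                                             # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any section carries a UPX name; a triage heuristic, not proof."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


def make_fake_pe(section_names) -> bytes:
    """Constructed header-only PE for testing; it is not an executable program."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + stub).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    original = make_fake_pe([b".text", b".data", b".rsrc"])
    packed = make_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    modified = original.replace(b"program", b"PROGRAM")      # the Hex Workshop edit
    for label, blob in (("original", original), ("packed", packed), ("modified", modified)):
        print(label, md5_hex(blob), pe_section_names(blob), looks_upx_packed(blob))
```

Run against the lab's real files, the MD5 of each copy differs while the section names of nc.exe and nc_mod1.exe stay the same, which is why hash matching alone is a weak way to recognize a known tool.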

Lab 2: Converting Hexadecimal to Decimal

Hexadecimal | Decimal | Octal
0 | 0 | 0
1 | 1 | 1
2 | 2 | 2
3 | 3 | 3
4 | 4 | 4
5 | 5 | 5
6 | 6 | 6
7 | 7 | 7
8 | 8 | 10
9 | 9 | 11
A | 10 | 12
B | 11 | 13
C | 12 | 14
D | 13 | 15
E | 14 | 16
F | 15 | 17

It seems a bit overwhelming at first, but with some practice it will become a bit easier to deal with. Or you could always use the scientific calculator that Windows includes. Let's do some quick exercises to get you started.

Steps:

1. Get the last digit of the hex number.
2. Make a variable and set its value to 0.
3. Multiply the current digit by (16^power).
4. Increment the power by 1.
5. Repeat for the next 3 digits.
6. Sum the results of step 3 to get the answer.

The steps will make a bit more sense after some exercises.

Example 1: let's convert 5386 to decimal.

Step 1: Take the last digit, which is 6.
Step 2: Make a variable and set its value to 0. We will use this number as the power.
Step 3: Multiply the current digit by (16^power). Our current digit is 6, so we multiply it by 16^0: 6 x (16^0) = 6. ** Here we must keep in mind that anything to the power of 0 is 1. **
Step 4: Increment the power by 1.
Step 5: Repeat steps 1 – 4 with the previous 3 digits:
8 x (16^1) = 128
3 x (16^2) = 768
5 x (16^3) = 20480
Step 6: Now we take the sum of all the results: 6 + 128 + 768 + 20480 = 21382

So if we expand that out it will look like this: 5 x (16^3) + 3 x (16^2) + 8 x (16^1) + 6 x (16^0) = 21382

Using Windows XP's scientific calculator we can confirm our result.

[Screenshots: Windows XP scientific calculator in Hexadecimal mode and in Decimal mode]

Example 2: let's try another one together. Convert B26F to decimal:

Step 1: Take the last digit, F.
Step 2: Set the variable power to 0.
Step 3: Multiply the digit by (16^power): F x (16^0) = 15. ** Referring to the table above, we see that F is equal to 15. **
Step 4: Increment the power by 1.
Step 5: Repeat steps 1 – 4 with the previous 3 digits:
6 x (16^1) = 96
2 x (16^2) = 512
B x (16^3) = 45056
Step 6: Now take the sum of the results: 15 + 96 + 512 + 45056 = 45679

Once again, if we expand it out, it will look like this: B x (16^3) + 2 x (16^2) + 6 x (16^1) + F x (16^0) = 45679

Again, Windows XP's scientific calculator confirms our result.

[Screenshots: Windows XP scientific calculator in Hexadecimal mode and in Decimal mode]

Give it a try on your own and check your results with the scientific calculator.

Lab 3: Converting Decimal to Hexadecimal

First, look at this list of powers of 16:

16^0 = 1
16^1 = 16
16^2 = 256
16^3 = 4096
16^4 = 65536
16^5 = 1048576
and so on.

Step 1: Divide the decimal number by 16. Treat the division as an integer division.
Step 2: Write down the remainder, in hexadecimal.
Step 3: Divide the result again by 16. Treat the division as an integer division.
Step 4: Repeat steps 2 and 3 until the result is 0.
Step 5: The hex value is the sequence of remainders read from last to first.

Convert 21382 to hexadecimal. **Note: this is easier seen in a table.**

Notes | Division | Result | Remainder (in hexadecimal)
Start by dividing the number by 16. In this case 21382 divided by 16 is 1336.375. Multiply the fractional part (.375) by 16, which gives 6. | 21382/16 | 1336 | 6
Then divide the result again by 16. In this case 1336/16 = 83.5. The fractional part (.5) multiplied by 16 is 8. | 1336/16 | 83 | 8
Again, divide the result by 16: 83/16 = 5.1875. The fractional part (.1875) multiplied by 16 is 3. | 83/16 | 5 | 3
Once again, divide the result by 16. Note that 5/16 = .3125, so the integer division gives 0. The result is 0, so we stop here. | 5/16 | 0 | 5

We now combine the numbers in the Remainder column, reading from last to first:

5386

Referring to the Hexadecimal to Decimal conversion lab above, this is confirmed by the screenshots. Let's try another one together. Convert 45679 to hexadecimal.

Notes | Division | Result | Remainder (in hexadecimal)
Start by dividing the number by 16: 45679/16 is 2854.9375. Multiply .9375 by 16, which gives 15, or F. | 45679/16 | 2854 | F
Divide the result again by 16: 2854/16 is 178.375. Multiply .375 by 16, which gives 6. | 2854/16 | 178 | 6
Again, divide the result by 16: 178/16 is 11.125. Multiply .125 by 16, which gives 2. | 178/16 | 11 | 2
Once again, divide the result by 16: 11/16 is .6875. Multiply .6875 by 16, which gives 11, or B. The result is 0, so we stop here. | 11/16 | 0 | B

We now combine the numbers in the Remainder column, reading from last to first:

B26F
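As an added example that is not part of the original lab, the following Python code implements the Lab 2 positional method and the Lab 3 repeated-division method exactly as the steps describe (no built-in base conversion), and also produces the rows of the division tables above. It is checked against the lab's own values, 5386 / 21382 and B26F / 45679.

```python
HEX_DIGITS = "0123456789ABCDEF"   # the Hexadecimal -> Decimal table, as a string index


def hex_to_decimal(hex_str: str) -> int:
    """Lab 2 method: take digits from the right, multiply each by 16^power, sum."""
    total = 0
    power = 0                                  # step 2: variable set to 0
    for ch in reversed(hex_str.upper()):       # steps 1 and 5: last digit, then the rest
        digit = HEX_DIGITS.index(ch)           # table lookup: A = 10 ... F = 15
        total += digit * (16 ** power)         # step 3 (16^0 is 1)
        power += 1                             # step 4
    return total                               # step 6: the sum is the answer


def expansion(hex_str: str) -> str:
    """The expanded form the lab writes out, e.g. '5 x (16^3) + ... + 6 x (16^0) = 21382'."""
    digits = hex_str.upper()
    top = len(digits) - 1
    terms = [f"{d} x (16^{top - i})" for i, d in enumerate(digits)]
    return " + ".join(terms) + f" = {hex_to_decimal(digits)}"


def division_table(n: int) -> list:
    """Lab 3 method as table rows: (dividend, integer result, remainder as a hex digit)."""
    rows = []
    while n > 0:                               # step 4: stop when the result is 0
        result, remainder = divmod(n, 16)      # steps 1 and 3: integer division by 16
        rows.append((n, result, HEX_DIGITS[remainder]))   # step 2: remainder in hex
        n = result
    return rows


def decimal_to_hex(n: int) -> str:
    """Step 5: read the Remainder column from last to first."""
    if n == 0:
        return "0"
    return "".join(row[2] for row in reversed(division_table(n)))


if __name__ == "__main__":
    print(expansion("5386"))                   # 5 x (16^3) + 3 x (16^2) + 8 x (16^1) + 6 x (16^0) = 21382
    print(expansion("B26F"))                   # B x (16^3) + 2 x (16^2) + 6 x (16^1) + F x (16^0) = 45679
    for dividend, result, remainder in division_table(21382):
        print(f"{dividend}/16 = {result}, remainder {remainder}")
    print(decimal_to_hex(21382), decimal_to_hex(45679))   # 5386 B26F
```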
