Matthew Stephen csg.utdallas.edu

Transcription

1 Matthew Stephen csg.utdallas.edu

2 Portable Executables (PEs) Java Apps/Applets Documents (PDF, DOC, etc) JavaScript Shellcode Flash (SWF)

3

4 Executables, object code, and DLLs Used in 32- and 64-bit Windows OS Several headers and sections.text,.data,.reloc, etc. Many file extensions.exe,.dll,.sys,.scr,.cpl,.ocx,.drv

5 Check against AV signatures VirusTotal.com Can upload file or search by hash Determine packing (if any) PEiD Detects several types of packing UPX One of the most common packers Strings/Look at Resources (Resource Hacker) Readable strings within a binary Program icons, menu bars, dialog windows, etc.

6 VirusTotal results

7

8 PE Viewers display header and section info PEview, PEBrowse, PE Explorer, PEframe, CFF Explorer Dependencies modules/libraries Dependency Walker shows which functions are actually being used from external modules

9

10

11 Registry view changes made in the Registry Regshot compare Registry snapshots Autoruns view startup applications Process PMDump, ProcDump create a dump for an active process Process Monitor shows file system, Registry, and process activity Process Explorer, Process Hacker shows trees of running processes

12 Registry changes recorded from RegShot

13 Process Monitor captures network, file, and Registry activity

14

15 Network Madiant ApateDNS control DNS responses WireShark capture/browse network traffic McAfee Attacker TCP/UDP port listener FakeNet simulates a network, fakes files CurrPorts lists open ports and processes TCPview Shows newly opened/closed endpoints SmartSniff, SocketSniff, Network Monitor, SuperScan, NetworkMiner, etc.

16

17 FakeNet captures network traffic

18

19 Memory Mandiant Memoryze create and analyze memory images Volatility shows open network sockets and connections, open files for each process, DLLs loaded for each process, etc. CaptureBAT behavioral analysis tool that monitors file, Registry, network, and process activity

20 CaptureBAT detects activity

21 Desktop Applications and Applets File extensions.jar,.class

22 Mostly the same as PE file analysis Differences: Obfuscation string building, bad variable names Decompilation JAD, JD-GUI

23 Both s and t are set to os.name

24 Differences with PE analysis: Process is java.exe or javaw.exe rather than something like SomeProgram.exe Use jps and jconsole to differentiate multiple java processes

25

26 Adobe files.pdf Microsoft files.doc,.ppt, etc. Embedded files or code

27 pdfid.py identify tags contained in file pdf-parser.py - can extract embedded objects Pyew.py search URLs, shellcode, etc swf_mastah.py flash file extraction JSunpack pdf.py JavaScript detection Peepdf.py encryption detection PDF Stream Dumper checks for known vulnerabilities

28 Using Pyew.py

29 OfficeMalScanner Scan for malicious traces (shellcode heuristics, PE files, or embedded OLE streams) Bruteforce detects encrypted files OffVis only looks for patched vulnerabilities pyolescanner.py Looks for shellcode, embedded executables, and API precence Can use bruteforce

30

31 Used in most web pages.js file extension if externally referenced Can be embedded in PDF documents

32 Deobfuscate - replace hexadecimal and escaped characters to a readable format Beautification insert white space Evaluate the evil eval() function

33 Malzilla Attempts to decode/deobfuscate and evaluate eval() calls without running code JSunpack JSBeautifier

34

35 Beautified JavaScript

36 Shellcode2exe embeds given shellcode into an executable file ConvertShellcode disassembles shellcode into x86 code

37

38 Used on most web pages.swf file extension Can be embedded in PDF files

39 Flare extract scripts from SWF file RABCDAsm (Robust ActionScript ByteCode Disassembler) extract and disassemble scripts SWFDump extract images, fonts, sounds, etc SWFStrings scans SWF for text data

40

41 Many Free Tools: Mandiant.com McAfee.com Sysinternals.com NirSoft.net Also check out the tools listed in presentation