Introduction to Reverse Engineering

Similar documents
INTRODUCTION TO MALWARE & MALWARE ANALYSIS

Bypassing Anti- Virus Scanners

Software Fingerprinting for Automated Malicious Code Analysis

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

Fighting malware on your own

Self Protection Techniques in Malware

esrever gnireenigne tfosorcim seiranib

REpsych. : psycholigical warfare in reverse engineering. def con 2015 // domas

Attacking Obfuscated Code with IDA Pro. Chris Eagle

Inside a killer IMBot. Wei Ming Khoo University of Cambridge 19 Nov 2010

Introduction. Figure 1 Schema of DarunGrim2

Mike Melanson

Harnessing Intelligence from Malware Repositories

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips

Software Reversing Engineering (a.k.a. Reversing) Spiros Mancoridis. What is Reverse Engineering? Software Reverse Engineering: Reversing

Identification and Removal of

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Spyware Analysis. Security Event - April 28, 2004 Page 1

Hydra. Advanced x86 polymorphic engine. Incorporates existing techniques and introduces new ones in one package. All but one feature OS-independent

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques

A Tiny Guide to Programming in 32-bit x86 Assembly Language

Removing Sentinel SuperPro dongle from Applications and details on dongle way of cracking Shub-Nigurrath of ARTeam Version 1.

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

1. General function and functionality of the malware

64-Bit NASM Notes. Invoking 64-Bit NASM

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Computer Virus Strategies and Detection Methods

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Efficient Program Exploration by Input Fuzzing

Custom Penetration Testing

Mission 1: The Bot Hunter

Off-by-One exploitation tutorial

Windows XP SP3 Registry Handling Buffer Overflow

Storm Worm & Botnet Analysis

PE Explorer. Heaventools. Malware Code Analysis Made Easy

CS61: Systems Programing and Machine Organization

Packers Models. simple. malware. advanced. allocation. decryption. decompression. engine loading. integrity check. DRM Management

Packers. (5th April 2010) Ange Albertini Creative Commons Attribution 3.0

Buffer Overflows. Security 2011

What Happens In Windows 7 Stays In Windows 7

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess

Detecting the One Percent: Advanced Targeted Malware Detection

Anti-Virus Evasion Techniques and Countermeasures

Hotpatching and the Rise of Third-Party Patches

Security Evaluation CLX.Sentinel

Fine-grained covert debugging using hypervisors and analysis via visualization

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

Using fuzzing to detect security vulnerabilities

Test Driven Development in Assembler a little story about growing software from nothing

So You Want To Analyze Malware? Tools, Techniques, and Mindset

Stack Overflows. Mitchell Adair

Title: Bugger The Debugger - Pre Interaction Debugger Code Execution

Operation Liberpy : Keyloggers and information theft in Latin America

AntiRE en Masse. Investigating Ferrie s Documented AntiUnpacking. Kurt Baumgartner, VP Behavioral Threat Research PCTools ThreatFire

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Reverse Engineering and Computer Security

Systems Design & Programming Data Movement Instructions. Intel Assembly

Software Vulnerabilities

Deep Dive into.net Malwares

Reversing C++ Paul Vincent Sabanal. Mark Vincent Yason

Violating Database - Enforced Security Mechanisms

High-speed image processing algorithms using MMX hardware

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov.

Game Design From Concepts To Implementation

Defending Behind The Device Mobile Application Risks

How To Hack The Steam Voip On Pc Orchesterian Moonstone 2.5 (Windows) On Pc/Robert Kruber (Windows 2) On Linux (Windows 3.5) On A Pc

Jakstab: A Static Analysis Platform for Binaries

Attacking x86 Windows Binaries by Jump Oriented Programming

CORPORATE AV / EPP COMPARATIVE ANALYSIS

Protection against viruses, spyware, rootkits, and network vulnerabilities. Productivity-oriented default configuration

Return-oriented programming without returns

Lecture 26: Obfuscation

NGBPA Next Generation BotNet Protocol Analysis

Obfuscatorreloaded. Pascal Junod HEIG-VD Julien Rinaldini HEIG-VD Marc Romanens- EIA-FR Jean-Roland Schuler EIA-FR

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

Chapter 3.2 C++, Java, and Scripting Languages. The major programming languages used in game development.

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

Learn the fundamentals of Software Development and Hacking of the iphone Operating System.

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt Secure Software Engineering Group Steven Arzt 1

File Disinfection Framework (FDF) Striking back at polymorphic viruses

Encryption Wrapper. on OSX

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

Binary Code Extraction and Interface Identification for Security Applications

Fighting Advanced Threats

Static detection of C++ vtable escape vulnerabilities in binary code

Chapter 12. Development Tools for Microcontroller Applications

Assembly Language: Function Calls" Jennifer Rexford!

McAfee DAT Reputation Implementation Guide. Version 1.0 for Enterprise

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Cloud App Security. Tiberio Molino Sales Engineer

Copyright Lenny Zeltser 1

Analysis and Diversion of Duqu s Driver

Peach Fuzzer Platform

OLD WIN32 CODE FOR A MODERN, SUPER-STEALTH TROJAN

Analysis of Win32.Scream

Transcription:

Introduction to Reverse Engineering Inbar Raz Malware Research Lab Manager December 2011

What is Reverse Engineering? Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation. aka: Reversing, RE, SRE 2

Why do it? Discover Trade Secrets Find Vulnerabilities Academic Research (Yeah, right ) Circumvent [Copy] Protection Patch Binary and Alter Behavior Pure Curiosity Analyse Protocols 3

Sounds awesome, right? 4

So where s the catch? Low-level is, well, low level 00401000 push ebp 00401001 mov ebp, esp 00401003 push ecx 00401004 push ecx 00401005 and dword ptr [ebp-4], 0 00401009 push esi 0040100A mov esi, [ebp+8] for (Serial = 0, i = 0; i < strlen(username); 0040100D i++) push { edi CurChar = (int) UserName[i]; 0040100E push esi Serial += CurChar; 0040100F call ds:[00402008h] Serial = (((Serial << 1) && 0xFFFFFFFE) 00401015 mov ((Serial edi, >> 31) eax && 1)); Serial = (((Serial * CurChar) + CurChar) 00401017 ^ xor CurChar); edx, edx } 00401019 test edi, edi UserSerial = ~((UserSerial ^ 0x1337C0DE) 0040101B - 0xBADC0DE5); jle 00401047h 0040101D movsx ecx, byte ptr [edx+esi] 00401021 add [ebp-4], ecx 00401024 mov [ebp-8], ecx 00401027 rol dword ptr [ebp-4], 1 0040102A mov eax, ecx 0040102C imul eax, [ebp-4] 00401030 mov [ebp-4], eax 00401033 mov eax, [ebp-8] 00401036 add [ebp-4], eax 00401039 xor [ebp-4], ecx 0040103C inc edx 0040103D cmp edx, edi 0040103F jl 0040101Dh 5

So where s the catch? Low-level is, well, low level Needle in a haystack Average opcode size: 3 bytes Average executable size: 500KB (on WinXP) There are executables, libraries, drivers. 6

So where s the catch? Low-level is, well, low level Needle in a haystack Sometimes, the code resists Packers and compressors Obfuscators 7

So where s the catch? Low-level is, well, low level Needle in a haystack Sometimes, the code resists Sometimes, the code fights back Detect reversing tools Detect VMs and emulators 8

A Battle of Wits Video clip: The Battle of Wits, The Princess Bride 9

A Battle of Wits Author writes code Reverser reverses it Author creates an anti-reversing technique Reverser bypasses it And so on 10

So what do you need in order to be a good reverser? 11

We ll come back to this 12

Tools of the Trade Debugger (Dynamic code analysis) Disassembler (Static code analysis) Hex Editor PE Analyzer Resource Editor and more 13

Debuggers באג בדיזיין זין בדיבאג 14

First, there was DEBUG 15

GUI and much more: Turbo Debugger 16

GUI and much more: Turbo Debugger 17

GUI and much more: Turbo Debugger 18

Next major step: Soft-ICE 19

And finally: OllyDbg 20

Disassemblers 21

The old world: Sourcer 22

The old world: Sourcer 23

Old ages: Sourcer 24

Old ages: Sourcer 25

Welcome to Windows: W32DASM 26

The Holy Grail: IDA-Pro Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler s decisions. Slowly evolved into an automatic RE tool: Built-in full-control script language Library recognition (including user-generated) Function prototype information Display Propagate throughout the code Support for plug-ins Support for Python scripting Multi-architecture, cross-platform support Full incorporation with built-in and external debuggers 27

Hex-Editor 28

PE Analyzer 29

Resource Editor 30

Let s play with them tools 31

60 seconds on x86 registers General purpose registers: 32bit/16bit/8bit Index registers: 32bit/16bit Segment registers: 16bit Flags: 32bit/16bit 32

Exercise 1: Static Reversing 33

Exercise 1: Static Reversing Target: a 2004 Crack-Me Tools: IDA-Pro 34

Exercise 2: Dynamic Reversing 35

Exercise 2: Dynamic Reversing Target: a 2004 Crack-Me Tools: OllyDbg, IDA-Pro 36

Exercise 3: Simple Anti-Debugging 37

Exercise 3: Simple Anti Debugging Target: a 2006 Crack-Me Tools: OllyDbg 38

Reversing Malware Malware is comprised of the following building blocks: Infection Vector Concealment Operation Communications Check Point s Anti-Malware Software Blade sits at the gateway Therefore, communications interest us the most 39

Introducing: Spy Eye A CrimeWare ToolKit, originating in Russia. Used mostly for stealing financial information, but will settle for any other identity information and key logging Like any serious trojan, Spy Eye compresses its traffic and encrypts it Compression is performed using a public library (LZO) Encryption algorithm is proprietary 40

Act 1: Encryption 41

Act 2: Configuration Download 42

Act 3: Another Encryption 43

So what do you need in order to be a good reverser? 44

What makes a good reverser? Qualities Patient Curious Persistent Outside-the-Box Thinking Knowledge Assembly Language Some High-Level programming Best: origin of binary Operating System Internals API Data Structures File Structures Good scripting skills Anti-Debugging Tricks Optional: Good lookin 45

Outside-the-Box Thinking 46

And remember, kids: Binary Reverse Engineer + =? 47

Which means 48

Questions? 49

Thank you! inbarr@checkpoint.com 50

Credits All images and videos have their origin URL in the Alt Text property. All rights belong to their respective owner. 51

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information