0x3e9 ways to die
![Page 1: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/1.jpg)
0x3e9 Ways to DIE
![Page 2: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/2.jpg)
❖ Yaniv Balmas (@ynvb)
❖ Security Researcher @ Check Point Software Technologies
❖ Malware Research
❖ Vulnerability Research
❖ Spend most of my day staring at assembly code and binary files.
RECON 2015
Who am I?
ynvb
![Page 3: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/3.jpg)
❖ Static analysis tools contain a lot of useful data about binary files.
❖ Dynamic analysis tools (e.g. debuggers) contain all execution-flow-related data.
❖ It seems trivial to bridge those two approaches.
“Well I wish you’d just tell me rather than try to engage my enthusiasm.”
–Marvin
RECON 2015
What is the problem?
RE Problems
![Page 4: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/4.jpg)
Previous Solutions
![Page 5: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/5.jpg)
❖ 2014, Zach Riggle
❖ Uses Intel PIN framework
❖ Very extensive tracing
❖ Branch Statistics
❖ Data is stored as .IDB comments
❖ Only works on INTEL archs and is designed mainly for Windows.
RECON 2015
IDA-Splode
RE Solution I
![Page 6: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/6.jpg)
❖ 2013, Andrzej Dereszowski
❖ Uses IDA Debugging API
❖ Very intuitive solution
❖ Parses ASCII\Unicode string values
❖ New threads are not being followed
❖ Argument offsets are calculated “manually”
RECON 2015
Funcap
RE Solution II
![Page 7: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/7.jpg)
❖ The extracted dynamic data is not indexed and searching through it can be a *pain*.
❖ Entry level for adding custom functionality is relatively high.
NO Reference to value types!!
RECON 2015
What is missing?
Missing
![Page 8: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/8.jpg)
(And Prepare to DIE…)
![Page 9: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/9.jpg)
❖ DIE - “Dynamic IDA Enrichment”
❖ Collect context from function calls & returns only.
❖ Parse argument values and present them in a “Human Readable” format.
❖ Smart interaction between static & dynamic data.
❖ Use as much IDA-API Magic as possible.
RECON 2015
Howto DIE?
DIE
![Page 10: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/10.jpg)
❖ How can we query IDA for function argument types?
❖ Once we have the argument values, how do we parse them? Which values should we parse?
❖ How do we parse complex data types (structs, unions, pointers, etc.)?
RECON 2015
Implementation Challenges
DIE
![Page 11: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/11.jpg)
❖ After hours of fun reading the IDA API, it turns out there are some objects we can actually use.
❖ tinfo_t objects hold a ridiculous amount of information about data types.
❖ Digging even deeper into the tinfo_t object reveals the func_type_data_t, func_arg_t and argloc_t objects, which store everything we need to parse function arguments.
RECON 2015
Function Arguments
DIE Howto
![Page 12: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/12.jpg)
❖ Impossible to think of all parsing options!
❖ Makes more sense to create an open source plugin framework.
Value Parser Plugin

| Raw Argument Value | Argument Type | Human Readable Value | Score |
| --- | --- | --- | --- |
| 0x1 | bool | TRUE | 10 |
RECON 2015
Parsing Argument Values
DIE Howto
![Page 13: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/13.jpg)
❖ Impossible to think of all parsing options!
❖ Makes more sense to create an open source plugin framework.
Value Parser Plugin

| Raw Argument Value | Argument Type | Human Readable Value | Score |
| --- | --- | --- | --- |
| 0x1 | ? | TRUE | 4 |
RECON 2015
Parsing Argument Values
DIE Howto
![Page 14: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/14.jpg)
❖ What do we do when we encounter a complex data type?
❖ Simple. Break it up until we reach the simple types.
| Complex type | IDA API calls |
| --- | --- |
| structs \ unions | `udt = idaapi.udt_type_data_t()`; `type_info.get_udt_details(udt)` |
| arrays | `arr = idaapi.array_type_data_t()`; `type_info.get_array_details(arr)` |
| references (pointers) | `type_info.get_pointed_object()` |
RECON 2015
Complex Data Types
DIE Howto
![Page 15: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/15.jpg)
Disassembler Debugger
IDA API
IDA D.I.E
Value Parsers
Core
Die DB
__cdecl main(int argc, char **argv) proc near
push 1
lea eax, ds:string ; "Str1"
push eax
call func_1
add esp, 8
lea eax, ds:string ; "Str1"
push eax
call unknown
![Page 16: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/16.jpg)
Disassembler Debugger
IDA API
IDA D.I.E
Value Parsers
Core
Die DB
; bool __cdecl func_1(char *a, int b) proc near
push ebp
mov ebp, esp
sub esp, 0C0h
mov eax, [ebp+name]
push eax
call _strcmp
ret
CHAR *a → "Str1"
int b → 0x1
![Page 17: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/17.jpg)
Disassembler Debugger
IDA API
IDA D.I.E
Value Parsers
Core
Die DB
__cdecl main(int argc, char **argv) proc near
push 1
lea eax, ds:string ; "Str1"
push eax
call func_1
add esp, 8
lea eax, ds:string ; "Str1"
push eax
call unknown
bool → True
![Page 18: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/18.jpg)
Disassembler Debugger
IDA API
IDA D.I.E
Value Parsers
Core
Die DB
; int __cdecl unknown(int) proc near
push ebp
mov ebp, esp
sub esp, 0C0h
mov ebx, edx
mov [ebp+var_4], ecx
push esi
xor esi, esi
cmp ebx, esi
jle loc_XXXXXX
ret
int → 0x401234 → "Str1"
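The diagrams above show DIE collecting one record per call (main calling func_1 with "Str1" and 1, func_1 returning a bool, then unknown receiving the same pointer) and writing it to the DIE DB. The store below is an added example of how such a DB can answer the earlier complaint that extracted dynamic data is not indexed; it is not DIE's own DB code. Each record is indexed by callee, by raw argument value and by every human-readable leaf of a parsed value, so "which calls saw the string Str1" is a dictionary lookup rather than a scan. The record layout, the call-site addresses in build_demo_db and the reuse of the slides' 0x401234 as the raw pointer value are assumptions of the example.

```python
from collections import defaultdict


class CallRecord:
    """One call/return pair collected at a call site (layout is an assumption)."""
    def __init__(self, ea, func, args, ret=None):
        self.ea, self.func = ea, func      # call-site address, callee name
        self.args = args                   # [(name, type, raw, parsed)]
        self.ret = ret                     # (type, raw, parsed) or None


def leaves(value):
    """Yield every human-readable leaf of a parsed value.

    Parsed structs arrive as dicts and arrays as lists (the shape value
    parsers produce for complex types); scalars are the leaves we index.
    """
    if isinstance(value, dict):
        for v in value.values():
            yield from leaves(v)
    elif isinstance(value, list):
        for v in value:
            yield from leaves(v)
    else:
        yield value


class DieDB:
    """Call records plus three inverted indexes so searches are lookups, not scans."""
    def __init__(self):
        self.records = []
        self.by_func = defaultdict(list)   # callee name   -> record ids
        self.by_raw = defaultdict(set)     # raw arg value -> record ids
        self.by_value = defaultdict(set)   # parsed leaf   -> record ids

    def add(self, rec):
        rid = len(self.records)
        self.records.append(rec)
        self.by_func[rec.func].append(rid)
        for _, _, raw, parsed in rec.args:
            self.by_raw[raw].add(rid)
            for leaf in leaves(parsed):
                self.by_value[leaf].add(rid)
        if rec.ret is not None:
            for leaf in leaves(rec.ret[2]):
                self.by_value[leaf].add(rid)
        return rid

    def calls_with_value(self, text):
        """Callees that received or returned a value parsed as text."""
        return sorted(self.records[i].func for i in self.by_value.get(text, ()))

    def calls_with_raw(self, raw):
        """Callees that received raw as an argument, however it was parsed."""
        return sorted(self.records[i].func for i in self.by_raw.get(raw, ()))

    def returns_of(self, func):
        """Parsed return values recorded for func, in call order."""
        return [self.records[i].ret[2] for i in self.by_func.get(func, ())
                if self.records[i].ret is not None]


def build_demo_db():
    """The two calls made by main() in the slides; call-site addresses are made up."""
    db = DieDB()
    # func_1("Str1", 1) -> True; 0x401234 is the slides' raw value for the string pointer
    db.add(CallRecord(0x401010, "func_1",
                      [("a", "CHAR *", 0x401234, '"Str1"'), ("b", "int", 0x1, "0x1")],
                      ("bool", 0x1, "True")))
    # unknown(0x401234): declared int, but the value parsers recognise the string
    db.add(CallRecord(0x401025, "unknown",
                      [("arg0", "int", 0x401234, '"Str1"')]))
    return db
```

With the demo DB built, `calls_with_value('"Str1"')` returns both callees and `returns_of("func_1")` returns the parsed bool, which is the kind of question the slides' use cases (find the de-obfuscation routine, bypass a password check) boil down to.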
![Page 19: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/19.jpg)
Value Parsers: 0x486176 → “Have a Nice Day!”
![Page 20: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/20.jpg)
❖ String parser: uses idc.GetString to parse ASCII, Unicode, Pascal and other strings.
❖ bool parser: returns TRUE for 0x1 and FALSE for 0x0. (Duh!)
❖ function parser: returns the referenced function name.
❖ module parser: returns the referenced module name.
RECON 2015
Simple Value Parsers
Parsers
![Page 21: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/21.jpg)
❖ Works on Windows systems with a local debugger (currently).
❖ Uses DuplicateHandle() to duplicate the handle associated with the raw value from the currently running process.
❖ Uses NtQueryObject() on the local handle to retrieve the handle's details.
❖ Returns the handle name and type.
RECON 2015
Advanced Parser - Handles
Parsers
![Page 22: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/22.jpg)
❖ Great example of an ad-hoc parser.
❖ Check whether the value at offset 4 of the raw address is either a string or references a string.
❖ Also, make sure the raw value itself is not a string.
RECON 2015
Advanced Parser - STD String
Parsers
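The three "DIE Howto" slides (scored value-parser plugins, breaking complex types down to simple ones) and the ad-hoc STD String parser above can be shown together in one runnable model. The code below is an added example, not DIE's code: IDA's tinfo_t, udt_type_data_t and array_type_data_t are replaced by hand-rolled namedtuple descriptors, the debuggee's memory is a constructed 32-bit image, and the scores, the std::string layout (a header word, then either inline text or a heap pointer at offset 4) and all addresses are assumptions. The bool scores follow the slides' table: 10 when the declared type is bool, 4 when the type is unknown.

```python
import struct
from collections import namedtuple

WORD = 4  # the slides show 32-bit x86 listings, so every scalar is one word

# Constructed memory image standing in for the debuggee (all addresses made up).
BASE = 0x401000
MEM = bytearray(0x90)
MEM[0x00:0x05] = b"Str1\x00"                      # 0x401000: "Str1"
# struct Rec { char *name; bool ok; int counts[3]; } stored at 0x401010
MEM[0x10:0x14] = struct.pack("<I", BASE)          # name   -> "Str1"
MEM[0x14:0x18] = struct.pack("<I", 0)             # ok     -> FALSE (word-padded)
MEM[0x18:0x24] = struct.pack("<3I", 7, 8, 9)      # counts -> 7, 8, 9
# Two std::string-like objects (assumed layout: header word, then at offset 4 either
# the short text itself or a pointer to a heap buffer) and a plain char* decoy.
MEM[0x34:0x3A] = b"hello\x00"                     # object at 0x401030: inline text
MEM[0x44:0x48] = struct.pack("<I", BASE + 0x70)   # object at 0x401040: -> 0x401070
MEM[0x70:0x81] = b"Have a Nice Day!\x00"          # 0x401070: heap buffer
MEM[0x50:0x5C] = b"Hello world\x00"               # 0x401050: plain C string (decoy)

def read(addr, size):                              # None when addr is unmapped
    off = addr - BASE
    return bytes(MEM[off:off + size]) if 0 <= off < len(MEM) else None

def read_word(addr):
    data = read(addr, WORD)
    return struct.unpack("<I", data)[0] if data and len(data) == WORD else None

def read_cstring(addr, limit=64):
    """Printable NUL-terminated ASCII string at addr, else None."""
    data = read(addr, limit)
    if not data or b"\x00" not in data:
        return None
    s = data.split(b"\x00", 1)[0]
    return s.decode("ascii") if s and all(0x20 <= c <= 0x7E for c in s) else None

# Hand-rolled type descriptors (DIE reads these from IDA's tinfo_t objects instead).
Simple = namedtuple("Simple", "name size", defaults=[WORD])
Pointer = namedtuple("Pointer", "target")
Array = namedtuple("Array", "elem count")
Struct = namedtuple("Struct", "name fields")      # fields: [(name, offset, type)]

def size_of(typ):                                  # byte size of a type descriptor
    if isinstance(typ, Array):
        return size_of(typ.elem) * typ.count
    if isinstance(typ, Struct):
        return max(off + size_of(t) for _, off, t in typ.fields)
    return typ.size if isinstance(typ, Simple) else WORD   # pointers are one word

# Value-parser plugins: each returns (human readable text, score) or None.
# A higher score wins when several plugins claim the same raw value.
def bool_parser(raw, typ):
    return ("TRUE" if raw else "FALSE", 10 if typ.name == "bool" else 4) if raw in (0, 1) else None

def string_parser(raw, typ):
    s = read_cstring(raw)
    return ('"%s"' % s, 8 if typ.name == "char*" else 6) if s is not None else None

def std_string_parser(raw, typ):
    # Ad-hoc check from the slides: raw itself must not be a string (a plain char*
    # also has text at offset 4), and offset 4 must reference a string or be one.
    if read_cstring(raw) is not None:
        return None
    ptr = read_word(raw + 4)
    text = (read_cstring(ptr) or read_cstring(raw + 4)) if ptr is not None else None
    return ('std::string "%s"' % text, 7) if text else None

PARSERS = [("bool", bool_parser), ("string", string_parser), ("std::string", std_string_parser)]

def candidates(raw, typ):                          # every verdict, best score first
    out = [(name, res[0], res[1]) for name, p in PARSERS for res in [p(raw, typ)] if res]
    return sorted(out, key=lambda c: -c[2])

def parse_simple(raw, typ):
    best = candidates(raw, typ)
    return best[0][1] if best else "0x%x" % raw    # nothing matched: keep the raw value

def parse_value(raw, typ):
    """Break complex types up until only simple values are left."""
    if isinstance(typ, Struct):
        return {n: parse_at(raw + off, t) for n, off, t in typ.fields}
    if isinstance(typ, Array):
        return [parse_at(raw + i * size_of(typ.elem), typ.elem) for i in range(typ.count)]
    if isinstance(typ, Pointer):
        if isinstance(typ.target, Simple) and typ.target.name == "char":
            return parse_simple(raw, Simple("char*"))  # char* is just a string
        if read_word(raw) is None:
            return "0x%x" % raw                        # unmapped pointer
        return parse_at(raw, typ.target)               # dereference and recurse
    return parse_simple(raw, typ)

def parse_at(addr, typ):                           # value of type typ stored at addr
    if isinstance(typ, (Struct, Array)):
        return parse_value(addr, typ)              # aggregates are parsed in place
    raw = read_word(addr)
    return parse_value(raw, typ) if raw is not None else "<unmapped>"

CHAR, BOOL, INT, UNKNOWN = Simple("char", 1), Simple("bool"), Simple("int"), Simple("?")
REC = Struct("Rec", [("name", 0, Pointer(CHAR)), ("ok", 4, BOOL), ("counts", 8, Array(INT, 3))])
```

`candidates(1, BOOL)` reproduces the first table row (bool, TRUE, score 10) and `candidates(1, UNKNOWN)` the second (score 4); `parse_value(BASE + 0x10, Pointer(REC))` walks the struct down to its scalars, and `parse_simple` on the two object addresses yields the std::string text while the decoy at 0x401050 is reported as an ordinary string, because the "raw value is not a string" check rejects it.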
![Page 23: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/23.jpg)
DEMO TIME
“Demos, don't talk to me about demos…”
-Marvin
![Page 24: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/24.jpg)
Your Orders:
Assigned By:
Agent M
Target Application: ATEN Firmware Upgrade Utility
Mission:
Bypass password protection
Quickly!
RECON 2015
Bypass Password Protection
Use Case 1
Watch The DEMO
![Page 25: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/25.jpg)
Your Orders:
Assigned By:
Agent M
Target Application: 7zip cli (32-bit version)
Mission:
Get a complete code analysis
Quickly!
RECON 2015
Defeat C++ Code
Use Case 2
Watch The DEMO
![Page 26: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/26.jpg)
Your Orders:
Assigned By:
Agent M
Target Application: Explosive Trojan
Mission: Find the string de-obfuscation function
Quickly!
RECON 2015
String De-Obfuscation
Use Case 3
Watch The DEMO
![Page 27: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/27.jpg)
❖ Thunk Functions
❖ Complex function parsers
❖ Better GUI
❖ (Much) Better DB
❖ Solve (very) dramatic crashes
RECON 2015
#TODO
TODO
![Page 28: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/28.jpg)
❖ Yes.
❖ DIE is an open source tool.
❖ https://github.com/ynvb/DIE
❖ If you like it, contribute.
RECON 2015
Looks cool, Can I have it?
GITHUB
![Page 29: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/29.jpg)
SARK: IDA Python Made Easy
• Simple
• Intuitive
• Object Oriented API
• Docs: sark.rtfd.org
• Code: github.com/tmr232/sark
• Written by Tamir Bahar @tmr232
![Page 30: 0x3E9 Ways To DIE](https://reader034.vdocuments.site/reader034/viewer/2022042716/55ca7e4cbb61eb564e8b45c5/html5/thumbnails/30.jpg)
42
@ynvb Yaniv Balmas