Pokas x86 Emulator for Generic Unpacking, by Amr Thabet (amr.thabet@student.alx.edu.eg)

Posted on 26-Mar-2015

Page 1: Pokas x86 Emulator for Generic Unpacking By Amr Thabet amr.thabet@student.alx.edu.eg

Pokas x86 Emulator for Generic Unpacking

By Amr Thabet

amr.thabet@student.alx.edu.eg

Page 2: The Problem

- Many packed worms: there is no time to reverse and step through each packer's code.
- Many polymorphic viruses change their decryptor code and algorithm.
- We need to write a detection algorithm for such viruses.

Page 3: The Solution Concept

We need an automatic unpacker.

- Static unpacker: very sensitive to any change in the packer; there is no time to keep up to date with every release of every packer.
- Dynamic unpacker: not sensitive to minor changes; it can unpack new packers.

We need a program that runs the packed application until it is unpacked and stops at the real OEP. So we need a debugger.

Page 4: Why not a Debugger?

- Easily detected.
- Dangerous.
- Can't monitor memory writes.
- Allows breakpoints only on a specific place in memory.

Page 5: Previous Solutions

- OllyBone: dangerous if the target is not a packer, and it could be fooled. It is not scriptable and only semi-automatic, and it could be easily detected.
- ida-x86emu: doesn't monitor memory writes and has no conditional breakpoints.
- Pandora's Bochs: hard to install, hard to customize and very slow: 200 secs for notepad.exe packed with PECompact 2 on a 3.14 GHz PC with 2.00 GB RAM.

Page 6: Pokas x86 Emulator

- It's a dynamic link library.
- Easily customized.
- Monitors all memory writes, logs up to 10 previous EIPs and saves the last accessed and the last modified place in memory.
- Supports a very powerful debugger with a parser that parses the condition you give and creates very fast native code that performs the check on this condition.
- Supports dumping the PE file with correct file alignment.
- Supports adding new APIs.
- Has an assembler and a disassembler, from and to mnemonics, for debugging.
- Supports SEH, and supports the TIB, TEB, PEB and PEB_LDR_DATA.
- Supports 6 APIs: GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
- It's FREE and open source.

Page 7: Reliability

It successfully unpacks:

1. UPX
2. FSG
3. MEW
4. PECompact
5. ASPack
6. Morphine

It surely still contains bugs.

Page 8: Getting the Emulator

Download it from www.sourceforge.net/projects/x86emu/

Files in x86emu-bin.zip:

- X86emu.dll: the emulator itself (~580 KB).
- X86emu.h: the header file; it should be included in any project that uses the emulator.
- Pe.h, tib.h: included by x86emu.h and should be placed beside it.

Page 9: Pokas x86 Emulator Design

Page 10: Usage Steps

1. Initialize your emulated OS and CPU.
2. Manage the DLLs and APIs.
3. Emulate the undefined APIs.
4. Add the stop condition.
5. Emulate your process.
6. Handle the unhandled exceptions.
7. Wait for your breakpoints to be triggered.
8. Dump your process to a file.

Page 11: Debugger Conditions

- Similar to C conditions.
- Not case-sensitive.
- Doesn't decrease the performance.
- Up to 10 supported functions inside the debugger.
- Allows adding new functions with different types of variables, including strings.
- You can add up to 100 breakpoints.

Page 12: Debugger Examples

- Int3 breakpoint, or hardware breakpoint on execution: "Eip==0x00401000"
- Memory breakpoint on access or on write: "__lastaccessed()==0x00401000", "__lastmodified()==0x00401000"
- Execution on modified data: "__isdirty(eip)"
- In the .text section only: "__isdirty(eip) && eip>=0x401000 && eip<=0x405000"
- Anti-unpacker trick (the packer writes a "ret" at the real OEP and calls it): "__isdirty(eip) && (__read(eip) & 0xff) != 0xC3"
- API hooking: "__isapi()", "__isapiequal('Getprocaddress')" // not case-sensitive in the API name

Page 13: Example: UPX

How easy this emulator is:

    #include <cstdlib>
    #include <cstring>
    #include "x86emu.h"   // from x86emu-bin.zip; pe.h and tib.h must sit beside it

    int main()
    {
        // Step 1: emulated environment; dllspath is where the emulator loads DLLs from
        EnviromentVariables* vars = (EnviromentVariables*)malloc(sizeof(EnviromentVariables));
        memset(vars, 0, sizeof(EnviromentVariables));
        vars->dllspath = "C:\\Windows\\System32\\";
        System* sys = new System(vars);
        // Load the packed executable as an emulated process
        Process* c = new Process(sys, "upx.exe");
        // Stop condition: execution reaches memory the process itself wrote (the OEP)
        c->debugger->AddBp("__isdirty(eip)");
        // Run until a breakpoint or an unhandled exception
        int x = c->emulate();
        if (x == EXP_BREAKPOINT) {
            // Dump the unpacked image with the current EIP as the new entry point
            PEDump(c->GetThread(0)->Eip, c, "test.exe");
        }
        return 0;
    }

Only 10 lines and very simple.

Page 14: Example: PECompact 1.33

- Multi-layer unpacker: if we know the number of layers, we can clear the dirty flag and continue.
- If not, we can add this breakpoint: "__isdirty(eip) && Eip<=0x406000" // the .text size
- Notepad.exe: takes less than 30 secs on a PC with an Intel Core 2 Duo 2.10 GHz and 2.00 GB RAM.
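As an added illustration, not code from the Pokas project, here is a small C++ model of the memory-write tracking behind "__isdirty(eip)" from the debugger examples, and of the two ways the PECompact slide gives for a multi-layer packer: clearing the dirty flags and continuing when the layer count is known, or bounding EIP to the .text range. The TrackedMemory type, the two-layer stub and its addresses are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added model (not the emulator's own code) of its memory-write tracking: every
// write marks the byte dirty and records the last accessed / last modified address,
// so a breakpoint such as "__isdirty(eip)" fires when execution reaches bytes the
// packer stub itself wrote.
struct TrackedMemory {
    uint32_t base;
    std::vector<uint8_t> bytes;
    std::vector<bool> dirty;
    uint32_t lastAccessed = 0, lastModified = 0;
    TrackedMemory(uint32_t b, size_t n) : base(b), bytes(n, 0), dirty(n, false) {}
    bool contains(uint32_t a) const { return a >= base && a - base < bytes.size(); }
    uint8_t peek(uint32_t a) const { return contains(a) ? bytes[a - base] : 0; }  // debugger's __read
    uint8_t read(uint32_t a) { lastAccessed = a; return peek(a); }                // program read
    void write(uint32_t a, uint8_t v) {                                           // program write
        if (!contains(a)) return;
        bytes[a - base] = v; dirty[a - base] = true; lastAccessed = lastModified = a;
    }
    bool isDirty(uint32_t a) const { return contains(a) && dirty[a - base]; }
    void clearDirty() { dirty.assign(dirty.size(), false); }  // "clear the dirty flag and continue"
};

// Plain "__isdirty(eip)" versus the bounded form, which also rejects the lone-"ret"
// decoy: "__isdirty(eip) && Eip<=0x406000 && (__read(eip) & 0xff) != 0xC3".
bool plainBreak(const TrackedMemory& m, uint32_t eip) { return m.isDirty(eip); }
bool boundedBreak(const TrackedMemory& m, uint32_t eip) {
    return m.isDirty(eip) && eip <= 0x406000 && (m.peek(eip) & 0xff) != 0xC3;
}

// Constructed two-layer stub (not a real packer): layer 1 writes layer 2 into a high
// section and jumps there; layer 2 writes a "ret" decoy into .text and calls it, then
// writes the real code at the OEP and jumps. Returns every EIP where the breakpoint
// fired; with the plain condition the caller clears the dirty flags after each hit.
std::vector<uint32_t> runTwoLayers(bool bounded) {
    TrackedMemory m(0x401000, 0x10000);
    std::vector<uint32_t> hits;
    auto step = [&](uint32_t dst, std::vector<uint8_t> code) {
        for (size_t i = 0; i < code.size(); ++i) m.write(dst + static_cast<uint32_t>(i), code[i]);
        bool hit = bounded ? boundedBreak(m, dst) : plainBreak(m, dst);
        if (hit) { hits.push_back(dst); if (!bounded) m.clearDirty(); }
    };
    step(0x410000, {0x60});              // layer 1 -> layer 2 stub (pushad), outside .text
    step(0x401100, {0xC3});              // anti-unpacker decoy: bare "ret" inside .text
    step(0x401200, {0x55, 0x8B, 0xEC});  // real OEP: push ebp; mov ebp, esp
    return hits;
}
```

With the plain condition the unpacker stops three times (layer 2 stub, decoy, OEP) and must be resumed after clearing the dirty flags; the bounded condition stops once, at the real OEP.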

Page 15: TODO

- Support reconstructing the import table.
- Fix the bugs.
- Create a Linux version.
- Add the cmovcc, setcc and bts instructions.
- Support multithreading.
- Support ELF file formats.
- Add new debugger functions.
- Allow saving the state.

Page 16: The End

By Amr Hassan Thabet

amr.thabet@student.alx.edu.eg

Any Questions?