Reverse Engineering 101

Yasin SÜRERhttp://twitter.com/yasinsurer

Jargon

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application.

An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug

A shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability

A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.

Attacker Mindset

Vulnerability ResearchFind the vulnerability, and developing weaponized-exploits.

Exploit DevelopmentZero-day attack uses advanced-exploitation technique

Understanding undocumented system functions

malware authors; Rootkit, worm, keylogger, spyware etc.

Defensive Perspective

Patch and Vulnerability AnalysisDeveloping signatures against zero-day threats for IDS/IPS appliance

Binary Code AnalysisFinding new zero-day vulnerabilities to take advantage on defensive perspective

Advanced Exploit Development

Penetration Test and Vulnerability assesment.

Malware AnalysisAnti-Virus, Anti-Spyware and Digital Forensics companies

Real-World Crime Example

May 2008 in New York for the Dave & Busters case

May 2008 in Massachusetts for the TJ Maxx case

August 2009 in New Jersey in connection with the Heartland Payment case.

State-Sponsored Attack Example

The group obtained a sponsor who paid them 2000 RMB ($325) per month

Their sponsor is likely the People's Liberation Army (PLA)

Tan Dailin attacks on US Department of Defense in May and June 2006

GinWui Rootkit (Manipulate Service, Start and Kill Process etc.)

iDefense says,35 zero-day Microsoft Office Exploit

State-Sponsored Attack Example

Advanced Persistent Threat

‘’We do not call those types of threats as Advanced Persistent Threat since they use widely known, old-school tactics’’

Microsoft

US Department of DefenseOffensive Contractors

Reverse Engineering

What is Reverse Engineering ?

Static Analysis or ReversingStatic program analysis is the analysis of computer software that is

performed without actually executing programs

Dynamic Analysis or Reversing Dynamic program analysis is the analysis of computer software that is

performed by executing programs on a real or virtual processor.

x86 Architecture & Assembly

Arithmetic Instructions

mov eax, 5 ; eax=5

mov ebx, 3 ; ebx=3

add eax, ebx ; eax = eax + ebx

sub ebx, 2 ; ebx = ebx -2

Accessing Memory

cmp eax, 2 ; compare eax with 2

je label ; if(eax == 2)

ja label ; if(eax > 2)

jb label ; if(eax < 2)

jbe label ; if(eax <= 2)

jne label ; if(eax != 2)

jmp label ; jump label

Function Calls

call function ; store return addr on the stack

; and jump to function!

func:

push esi ; save esi

…

pop esi ; restore esi

ret ; read return addr from the stack

; and jump to it.

Modern CompilerNative Language

Intermediate Representation

Low-level Intermediate representation

x86 Assembly

Binary Reverse Engineering

How the compiler works and to translate it into machine code

Understanding operating system structures

Understanding executable (PE/ELF) file formats We need to think like the compiler, but in reverse!

Toolbag

Reverser Toolbag (1)

IDA Disassembler from Hex-Rays

IDA is a disassembler for computer software which generates assembly

language source code from machine-executable codeOllyDbg is Free Debugger

OllyDbg is an x86 debugger that emphasizes binary code analysis, which

is useful when source code is not availableWindbg from Microsoft

It can be used to debug user mode applications, drivers, and the

operating system itself in kernel mode.

Reverser Toolbag (2)

Virtual Machines (Virtualbox, VMWare, Hyper-V)

A virtual machine (VM) is a software implemented abstraction of the underlying hardware, which is presented to the application layer of the system.

Packet Sniffers (Wireshark, tcpdump)

The sniffer captures packets, if needed, decodes the packet's raw data, showing the values of various fields in the packet

Sysinternals Suite

technical resources and utilities to manage, diagnose, troubleshoot, and monitor

a Microsoft Windows environment.

PEiD

IDA Pro

IDA Pro (2)

IDA Pro (3)

IDA Pro (4)

OllyDbg

OllyDbg (2)

Windbg

Windbg (2)

Intro to Windbg

• r: display current register content

• t: trace-step (until call)

• pt: single-step (until-ret)

• g: process run (go!)

• .hh: help command. (for example .hh t)

• lm: list modules

Sysinternal: Process Explorer

Sysinternal: Process Monitor

Sysinternal: Autoruns

ImpREC

LordPE

Anti-Reverse Engineering

Anti-Debugging, the implementation of one or more techniques within

computer code that ‘’hinders attempts’’ at reverse engineering or debugging a target process

Anti-Dumping, describes the process of taking an executable that has been protected and after the executable has been decrypted into memory

Code obfuscation is the deliberate act of creating obfuscated code, i.e. source or

machine code that is difficult for humans to understand.

Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single

executable

Executable Compression(Packed Executables)

Packed Executable

Packed Executable

Packed Executable

Packed Executable

Packed Executable

Anti-Debugging

Anti-Debugging

Anti-Debugging

Anti-Debugging

Anti-Debugging

Anti-Debugging

FATMAL(Real-World Example)

FATMAL

Loader

Loader

Payload

InstallBot()

Payload

Payload

Payload

Payload

Payload

Who could be behind the FATMAL attack?

Memory Analysis- Sality -

Memory Analysis

Memory Analysis

Memory Analysis

Memory Analysis

Memory Analysis

Resources

Analysis of Mobile Threats

Mobile Market

49%

19%

13%

11%

5%3%

Android

iPhone

BlackBerry

Windows Phone

Symbian

Other

Mobile Threats

79

19

0.30.70.30.7

AndroidSymbian Windows MobileiPhoneBlackBerryJ2ME

Mobile Threats

66.10.71

2.70.3

5.6

7

11.2

3.7

TrojanDownloaderSpyAdwareBackdoorHacktoolMonitoringRiskwareSpywareApplication

Android

Android is a Linux-based operating system, runs on custom Linux.

Google I/O statshot, 900 million Android devices activated

Google play hits 600.000 application, 20 billion total installs.

Manufacturers; Samsung, HTC, Asus, Amazon, Sony, Toshiba, Acer…

Android AppsAndroid Market

APK/ZIP

Metadata (manifest, images)

Dex File (classes.dex)

Android Architecture

Geinimi

Geinimi

Geinimi

Geinimi

Geinimi

Geinimi

Geinimi

5 years of silence…

The ProGuard tool shrinks, optimizes, and obfuscates your code by removing

unused code and renaming classes, fields, and methods with semantically obscure names.

DexGuard is our specialized optimizer and obfuscator for Android. Create apps that

are faster, more compact, and more difficult to crack.

Obfuscation

Obfuscation

Obfuscation

Modifying The bytecode

Android Application

Modifying the byte-code

JNI

Native Code

Dalvik bytecode

Modified!

Processor

so what…

Malware writers is getting ready to implement x86 techniques for

Android.

Questions…