Reverse Engineering 101
Reverse Engineering 101, Gazi University, May 20, 2013, Ankara/Turkey.
Yasin SÜRER, http://twitter.com/yasinsurer
Jargon
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application.
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug.
A shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.
A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
Attacker Mindset
Vulnerability Research: find the vulnerability and develop weaponized exploits.
Exploit Development: a zero-day attack uses advanced exploitation techniques.
Understanding undocumented system functions.
Malware authors: rootkits, worms, keyloggers, spyware, etc.
Defensive Perspective
Patch and Vulnerability Analysis: developing signatures against zero-day threats for IDS/IPS appliances.
Binary Code Analysis: finding new zero-day vulnerabilities to gain an advantage from the defensive perspective.
Advanced Exploit Development.
Penetration Testing and Vulnerability Assessment.
Malware Analysis: anti-virus, anti-spyware and digital forensics companies.
Real-World Crime Example
May 2008 in New York for the Dave & Busters case
May 2008 in Massachusetts for the TJ Maxx case
August 2009 in New Jersey in connection with the Heartland Payment case.
State-Sponsored Attack Example
The group obtained a sponsor who paid them 2000 RMB ($325) per month
Their sponsor is likely the People's Liberation Army (PLA)
Tan Dailin's attacks on the US Department of Defense in May and June 2006
GinWui Rootkit (manipulate services, start and kill processes, etc.)
iDefense says: 35 zero-day Microsoft Office exploits
Advanced Persistent Threat
“We do not call those types of threats Advanced Persistent Threats since they use widely known, old-school tactics”
Microsoft
US Department of Defense / Offensive Contractors
Reverse Engineering
What is Reverse Engineering?
Static Analysis or Reversing: static program analysis is the analysis of computer software that is performed without actually executing programs.
Dynamic Analysis or Reversing: dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor.
x86 Architecture & Assembly
Arithmetic Instructions
mov eax, 5 ; eax=5
mov ebx, 3 ; ebx=3
add eax, ebx ; eax = eax + ebx
sub ebx, 2 ; ebx = ebx - 2
Accessing Memory
cmp eax, 2 ; compare eax with 2
je label ; if(eax == 2)
ja label ; if(eax > 2)
jb label ; if(eax < 2)
jbe label ; if(eax <= 2)
jne label ; if(eax != 2)
jmp label ; jump label
Function Calls
call function ; store return addr on the stack
; and jump to function!
func:
push esi ; save esi
…
pop esi ; restore esi
ret ; read return addr from the stack
; and jump to it.
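The three instruction groups above (arithmetic, compare-and-jump, call/ret with a callee-saved register) can be seen working together in a tiny emulator. This is an added teaching example, not code from the talk: it models only the slide's instruction subset, with 32-bit unsigned registers and the two flags (ZF, CF) that je/jne/ja/jb/jbe read. The sample program, its labels and the register values are constructed for the demo.

```python
import re

MASK = 0xFFFFFFFF

# Condition codes from the slide, evaluated on ZF (equal) and CF (unsigned borrow).
# ja/jb/jbe are the *unsigned* compares; their signed cousins jg/jl/jle would read SF/OF.
JCC = {
    "je":  lambda zf, cf: zf,
    "jne": lambda zf, cf: not zf,
    "jb":  lambda zf, cf: cf,
    "jbe": lambda zf, cf: cf or zf,
    "ja":  lambda zf, cf: not cf and not zf,
    "jae": lambda zf, cf: not cf,
}


class CPU:
    """Emulator for the mov/add/sub/cmp/jcc/jmp/push/pop/call/ret subset on the slides."""

    def __init__(self, program: str):
        self.regs = {r: 0 for r in ("eax", "ebx", "ecx", "edx", "esi", "edi")}
        self.stack = []            # holds pushed values and the return address saved by call
        self.zf = self.cf = False
        self.labels = {}
        self.code = []
        for line in program.splitlines():
            line = line.split(";")[0].strip()      # strip the "; comment" part
            if not line:
                continue
            if line.endswith(":"):                  # "label:" marks the next instruction index
                self.labels[line[:-1]] = len(self.code)
            else:
                self.code.append(line)

    def value(self, operand: str) -> int:
        """Register name or immediate (decimal or 0x-hex), masked to 32 bits."""
        return self.regs[operand] if operand in self.regs else int(operand, 0) & MASK

    def run(self, max_steps: int = 10_000) -> dict:
        ip, steps = 0, 0
        while ip < len(self.code):
            steps += 1
            if steps > max_steps:
                raise RuntimeError("step limit hit (infinite loop?)")
            op, *args = re.split(r"[,\s]+", self.code[ip])
            ip += 1                                   # default: fall through to next instruction
            if op == "mov":
                self.regs[args[0]] = self.value(args[1])
            elif op == "add":
                self.regs[args[0]] = (self.regs[args[0]] + self.value(args[1])) & MASK
            elif op == "sub":
                self.regs[args[0]] = (self.regs[args[0]] - self.value(args[1])) & MASK
            elif op == "cmp":                         # cmp = sub without storing the result
                a, b = self.value(args[0]), self.value(args[1])
                self.zf = a == b
                self.cf = a < b                       # borrow: a < b as unsigned numbers
            elif op == "push":
                self.stack.append(self.value(args[0]))
            elif op == "pop":
                self.regs[args[0]] = self.stack.pop()
            elif op == "call":
                self.stack.append(ip)                 # store return addr on the stack ...
                ip = self.labels[args[0]]             # ... and jump to function
            elif op == "ret":
                ip = self.stack.pop()                 # read return addr and jump to it
            elif op == "jmp":
                ip = self.labels[args[0]]
            elif op in JCC:
                if JCC[op](self.zf, self.cf):
                    ip = self.labels[args[0]]
            else:
                raise ValueError(f"unsupported instruction: {op}")
        return dict(self.regs)


def run_program(asm: str) -> dict:
    return CPU(asm).run()


# Constructed sample: a countdown loop, then a call to a function that saves/restores esi.
PROGRAM = """
    mov eax, 5          ; eax = 5
    mov ebx, 3          ; ebx = 3
    add eax, ebx        ; eax = 8
    mov ecx, 0          ; ecx counts loop iterations
loop_top:
    sub eax, 2          ; eax = eax - 2
    add ecx, 1
    cmp eax, 2
    ja  loop_top        ; repeat while eax > 2 (unsigned)
    call func           ; push return address, jump to func
    jmp done
func:
    push esi            ; save esi
    mov esi, 0x1000
    add edx, esi        ; edx = edx + 0x1000
    pop esi             ; restore esi
    ret                 ; back to the instruction after the call
done:
"""

if __name__ == "__main__":
    for reg, val in run_program(PROGRAM).items():
        print(f"{reg} = {val:#x}")
```

Running it leaves eax = 2 and ecx = 3 (three trips through the loop), edx = 0x1000 from the call, and esi back at 0 because the callee restored it. Feeding `mov eax, 0xFFFFFFFF` / `cmp eax, 1` / `ja ...` shows why the slide's `ja` means "greater as unsigned": 0xFFFFFFFF takes the jump even though as a signed value it is -1.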
Modern Compiler: Native Language -> Intermediate Representation -> Low-level Intermediate Representation -> x86 Assembly
Binary Reverse Engineering
How the compiler works and how it translates source code into machine code
Understanding operating system structures
Understanding executable (PE/ELF) file formats
We need to think like the compiler, but in reverse!
Toolbag
Reverser Toolbag (1)
IDA Disassembler from Hex-Rays
IDA is a disassembler for computer software which generates assembly language source code from machine-executable code.
OllyDbg is a free debugger
OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available.
Windbg from Microsoft
It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode.
Reverser Toolbag (2)
Virtual Machines (Virtualbox, VMWare, Hyper-V)
A virtual machine (VM) is a software implemented abstraction of the underlying hardware, which is presented to the application layer of the system.
Packet Sniffers (Wireshark, tcpdump)
The sniffer captures packets and, if needed, decodes each packet's raw data, showing the values of the various fields in the packet.
Sysinternals Suite
Technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.
PEiD
IDA Pro
OllyDbg
Windbg
Intro to Windbg
• r: display current register content
• t: trace-step (until call)
• pt: single-step (until-ret)
• g: process run (go!)
• .hh: help command. (for example .hh t)
• lm: list modules
Sysinternal: Process Explorer
Sysinternal: Process Monitor
Sysinternal: Autoruns
ImpREC
LordPE
Anti-Reverse Engineering
Anti-Debugging: the implementation of one or more techniques within computer code that “hinders attempts” at reverse engineering or debugging a target process.
Anti-Dumping: describes the process of taking an executable that has been protected and, after the executable has been decrypted into memory,
Code obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.
Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable.
Executable Compression (Packed Executables)
Packed Executable
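What a packer-identification tool like PEiD or a PE editor like LordPE looks at can be reproduced with a few lines of parsing. The following is an added example, not code from the talk or from those tools: it walks the PE section table and applies three common packing heuristics (a known packer section name, section data that is near-random, and a section with no bytes on disk but a large virtual size for the unpacking stub to fill). The sample image is constructed in `build_sample_pe`, with a UPX-style layout for the packed case; the entropy threshold and the section-name list are the author's assumptions, not constants from any tool.

```python
import math
import struct

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # UPX defaults; other packers use their own
ENTROPY_THRESHOLD = 7.0                            # bits/byte; plain x86 code is usually well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for uniform data, 8.0 when all 256 values are equally common."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> IMAGE_FILE_HEADER -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(data),
        })
    return sections


def packer_indicators(pe: bytes) -> list:
    """Reasons the file looks packed; an empty list means none of the heuristics fired."""
    reasons = []
    for s in parse_sections(pe):
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"{s['name']}: known packer section name")
        if s["entropy"] >= ENTROPY_THRESHOLD:
            reasons.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed/encrypted data)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes reserved in memory")
    return reasons


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE image (headers + three sections) for the demo; not a real binary."""
    if packed:
        # UPX-style: UPX0 is empty on disk (unpack target), UPX1 carries the compressed bytes.
        blobs = [(b"UPX0", 0x10000, b""), (b"UPX1", 0x100, bytes(range(256))), (b".rsrc", 0x40, b"\0" * 64)]
    else:
        # Unpacked: code-like bytes in .text, ordinary data elsewhere.
        blobs = [(b".text", 0x110, b"\x55\x89\xe5\x90\xc3\xcc" * 43), (b".data", 0x40, b"A" * 64), (b".rsrc", 0x40, b"\0" * 64)]
    headers, body = b"", b""
    ptr, vaddr = 64 + 4 + 20 + 40 * len(blobs), 0x1000    # raw data begins right after the section table
    for name, vsize, data in blobs:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(data), ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
        vaddr += (vsize + 0xFFF) & ~0xFFF                  # 4 KiB section alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(blobs), 0, 0, 0, 0, 0)  # i386; SizeOfOptionalHeader=0 keeps the demo short
    return dos + b"PE\0\0" + coff + headers + body


if __name__ == "__main__":
    for label, sample in (("packed", build_sample_pe(True)), ("unpacked", build_sample_pe(False))):
        print(label, packer_indicators(sample) or ["no packer indicators"])
```

On a real file the same loop runs over `open(path, "rb").read()`; the entropy heuristic also catches packers that rename their sections, which is why PEiD-style signature matching and entropy are usually combined. A high-entropy `.rsrc` alone is normal (it often holds compressed images), so the section name is worth reading alongside the number.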
Anti-Debugging
FATMAL (Real-World Example)
Loader
Payload
InstallBot()
Who could be behind the FATMAL attack?
Memory Analysis - Sality -
Resources
Analysis of Mobile Threats
Mobile Market (chart): Android 49%, iPhone 19%, BlackBerry 13%, Windows Phone 11%, Symbian 5%, Other 3%
Mobile Threats by platform (chart): Android 79%, Symbian 19%, Windows Mobile 0.3%, iPhone 0.7%, BlackBerry 0.3%, J2ME 0.7%
Mobile Threats by category (chart): Trojan, Downloader, Spy, Adware, Backdoor, Hacktool, Monitoring, Riskware, Spyware, Application (values as extracted: 66.1, 0.7, 1, 2.7, 0.3, 5.6, 7, 11.2, 3.7)
Android
Android is a Linux-based operating system; it runs on a customized Linux.
Google I/O stat shot: 900 million Android devices activated.
Google Play hits 600,000 applications, 20 billion total installs.
Manufacturers: Samsung, HTC, Asus, Amazon, Sony, Toshiba, Acer…
Android Apps / Android Market
APK/ZIP
Metadata (manifest, images)
Dex File (classes.dex)
Android Architecture
Geinimi
5 years of silence…
The ProGuard tool shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names.
DexGuard is our specialized optimizer and obfuscator for Android. Create apps that are faster, more compact, and more difficult to crack.
Obfuscation
Modifying the Bytecode
Android Application
JNI
Native Code
Dalvik bytecode (modified!)
Processor
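The APK layout listed earlier (ZIP container, manifest and resources, classes.dex) and the JNI/native-code path just above are the first things a malware analyst inventories before choosing between Dalvik bytecode tools and a native disassembler. The following is an added triage example, not code from the talk: it opens an APK as a ZIP, checks every .dex member for the `dex\n0NN\0` magic, lists native libraries under lib/, and reports whether a v1 signature block (META-INF/*.RSA or *.DSA) is present. The sample APK is constructed in memory with placeholder contents; its file names and bytes are the author's assumptions, not a real app.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"   # a dex header opens with "dex\n", then a 3-digit version and a NUL


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: the members the slides list plus a native library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary-xml placeholder>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 100)   # header magic only
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\0" * 60)  # JNI native code
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")   # no CERT.RSA: unsigned
    return buf.getvalue()


def dex_magic_ok(head: bytes) -> bool:
    """True when the first 8 bytes look like a dex header ("dex\\n" + "0NN" + NUL)."""
    return head[:4] == DEX_MAGIC and head[4:7].isdigit() and head[7:8] == b"\0"


def inventory_apk(apk: bytes) -> dict:
    """Summarize what an analyst needs to know before picking tools for the sample."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        dex = {n: dex_magic_ok(z.read(n)[:8]) for n in names if n.endswith(".dex")}
        native = [n for n in names if n.startswith("lib/") and n.endswith(".so")]
        signed = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA")) for n in names)
    return {
        "has_manifest": "AndroidManifest.xml" in names,
        "dex": dex,                        # member -> magic looked valid
        "native_libs": native,             # non-empty: expect JNI, reverse with a native disassembler
        "has_native_code": bool(native),
        "signed_v1": signed,
        "member_count": len(names),
    }


if __name__ == "__main__":
    for key, value in inventory_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

A .dex member whose magic fails the check is worth a closer look (corrupted, encrypted by a custom loader, or mislabelled), and a lib/ directory means the "so what" on the next slide applies: part of the app's logic has moved out of Dalvik bytecode into native code that needs x86/ARM reversing.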
So what?
Malware writers are getting ready to implement x86 techniques for Android.
Questions…