such a weird processor: messing with opcodes (...and a little bit of pe) (hashdays 2011 : complete...
DESCRIPTION
After being trapped by a malware, I went back to the basics, studied ASM and PE from scratch, and failed all tools I tried in the process. This presentation introduces the complete details that are shared on Corkami.com, and highlights some of the most interesting cases.
TRANSCRIPT
1. Such a weird processor: messing with opcodes (...and a little bit of PE)
Ange Albertini, 28th October 2011
@ange4771, @corkami (news only)
Creative Commons BY
2. (if you read this without the presentation)
- introduce Corkami.com, an RCE site
3. why correct disassembly is important for analysis
- why undocumented opcodes are a dead end
- a few examples of undocumented opcodes and CPU weirdness
4. theory-only sucks, so I created CoST for practicing and testing
5. CoST also tests PE, but it's not enough by itself
6. so I documented PE separately, and give some examples
7. [version: release 1] HIDDEN SLIDE
8. presented by...
- a reverse-engineering enthusiast
- ...since dos 3.21
9. Corkami.com
10. Mame (the arcade emulator)
- a malware analyst
11. Corka-what ?
- RCE project, only technical stuff
12. free to:
- browse, download
13. test, modify, compile
- updated
14. useful daily
15. but.... only a hobby !
16. what is in Corkami ?
- wiki pages, cheat sheets
17. many PoCs
- hand-written (not generated), minimalist
18. binaries available on PDF, x86, PE...
19. 100% open
- BSD, CC BY
- sources, images, docs
20. Story
- CPUs are electronic, thus perfect
21. tricked by a malware
22. back to the basics
23. documented on Corkami
24. this presentation
25. Achievement unlocked: WinDbg 6.12.0002.633, Odbg 2.1a4, Hiew 8.15, IDA 6.1 (authors notified, and most bugs already fixed)
26. Agenda
- why does it matter ?
- (an easy introduction, for everybody)
- a bunch of tricks
- (technical stuff starts now, for technical people)
- CoST
27. a bit more of PE
28.
29. from C to binary
30. inside the binary
31. our code, 'translated'
32. opcodes, assembly
33.
34. Assembly
- generated by the compiler
35. executed directly by the CPU
36. the only code information in a standard binary
- what 'we' (analysts, hackers...) read
- disassembly is only for humans
- no text code in the final binary
37. let's mess a bit now...
38. let's insert 'something'
39.
40. What did we do?
- inserting an unrecognized byte
- directly in the binary
41. not even documented nor identified !! it could only crash...
42. the CPU doesn't care
43. what happened ?
- D6 = S[ET]ALC
- Set AL on Carry
44. AL = CF ? -1 : 0
- trivial, but not documented
- unreliable or shameful ?
45. Intel: 'do what I do...'
bytes                    Intel's XED                                  MS' WinDbg
F1                       int1                                         ??
D6                       salc                                         ??
F7 C8 90 90 90 90        test eax, 0x90909090                         ??
0F 1E 84 C0 90 90 90 90  nop dword ptr [eax+eax*8-0x6f6f6f70], eax    ??
0F 20 90                 mov eax, cr2                                 ??
66 0F C8                 bswap ax                                     bswap eax
46. the problem
- the CPU does its stuff
47. if we/our tools don't know what's next, we're blind.
48. no exhaustive or clean test set
- deep into malwares or packers
49. scattered
50. let's start the real stuff...
51. a multi-generation CPU: standard...
English: let's go! you win sandwich hello f*ck
Assembly: push mov call retn jmp
52. ...old-style...
English: thou porpentine enmity hither unkennel
Assembly: aaa xlat verr smsw lsl
53.
54. ...newest generation
English: tweet poke google pwn apps
Assembly: crc32 aesenc pcmpistrm vfmsubadd132ps rcpss
and MOVBE, the rejected offspring
55. registers
- Initial values (Windows)
- eax =
  version = (eax != 0) ? Vista_or_later : XP
- gs =
  bits = (gs == 0) ? 32 : 64
- Complex relations
- FPU changes FST, STx, Mmx (ST0 overlaps MM7)
- changes CR0, under XP
56. smsw
- CR0 access, from user-mode
- 286 opcode
- higher word of reg32 'undefined'
57. under XP
- influenced by FPU
58. eventually reverts
59. GS
- reset on thread switch (Windows 32b)
60. eventually reset
- debugger stepping
61. wait
62. timings
63. nop
- nop is xchg *ax, *ax
- but xchg *ax, *ax can do something, in 64b !
- 87 c0: xchg eax, eax
  .. .. .. .. 01 23 45 67 => 00 00 00 00 01 23 45 67
- hint nop: 0F 1E 84 C0 90 90 90 90 = nop dword ptr [eax+eax*8-0x6f6f6f70], eax
- partially undocumented, actually 0f 18-1f
64. can trigger exception
65. mov
- documented, but sometimes tricky
- mov [cr0], eax => mov cr0, eax
  (mod/RM is ignored)
- movsxd eax, ecx => mov eax, ecx
  (no REX prefix)
- mov eax, cs => movzx eax, cs
  ('undefined' upper word)
66. bswap
- rax: 12 34 56 78 90 ab cd ef => ef cd ab 90 78 56 34 12
- eax: .. .. .. .. 01 23 45 67 => 00 00 00 00 67 45 23 01
- ax:  .. .. .. .. .. .. 01 23 => .. .. .. .. .. .. 00 00
67. push + ret
68.
69. ...and so on...
- much more @http://x86.corkami.com
- also graphs, cheat sheet...
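The register effects shown on the salc, nop and bswap slides, as an added model (not code from the talk or from Corkami): it encodes the long-mode write rules that explain why 87 C0 clears the upper half of rax while 90 does not, why bswap eax zero-extends, and it models the 16-bit bswap result as the 0 the slides observed (Intel documents it as undefined). Register values below are constructed.

```python
"""Added example (not code from the talk): a small model of the x86-64
register write rules behind three slides' observations.  The rules
modelled are the architectural ones; the 16-bit bswap result (0) is the
observed value the slides report, which Intel documents as undefined."""
MASK64 = (1 << 64) - 1

def write_reg(rax: int, value: int, width: int) -> int:
    """Store `value` in the low `width` bits of rax: in long mode a 32-bit
    write zero-extends to 64 bits, while 8- and 16-bit writes merge."""
    if width == 32:
        return value & 0xFFFFFFFF            # upper 32 bits are cleared
    low = (1 << width) - 1
    return (rax & MASK64 & ~low) | (value & low)

def xchg_eax_eax(rax: int, encoding: bytes) -> int:
    """90 is the canonical nop and touches nothing; 87 C0 is a real 32-bit
    xchg, so in 64b its write clears the upper half of rax."""
    if encoding == b"\x90":
        return rax
    if encoding == b"\x87\xc0":
        return write_reg(rax, rax & 0xFFFFFFFF, 32)
    raise ValueError("unsupported encoding")

def bswap(rax: int, width: int) -> int:
    """bswap rax/eax reverse the operand's bytes; the 16-bit form (66 0F C8)
    is modelled as writing 0, the result the slides observed."""
    if width == 16:
        return write_reg(rax, 0, 16)
    n = width // 8
    swapped = int.from_bytes((rax & ((1 << width) - 1)).to_bytes(n, "little"), "big")
    return write_reg(rax, swapped, width)

def salc(rax: int, cf: bool) -> int:
    """D6 (salc): AL = CF ? 0xFF : 0x00, every other bit left alone."""
    return write_reg(rax, 0xFF if cf else 0x00, 8)

if __name__ == "__main__":
    r = 0xDEADBEEF01234567                    # constructed register value
    print(hex(xchg_eax_eax(r, b"\x90")), hex(xchg_eax_eax(r, b"\x87\xc0")))
    print(hex(bswap(0x1234567890ABCDEF, 64)), hex(bswap(r, 32)), hex(bswap(r, 16)))
    print(hex(salc(r, True)), hex(salc(r, False)))
```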
too much theory for now...
70. Corkami Standard Test
71. CoST
- http://cost.corkami.com
72. testing opcodes
73. in a hardened PE
- available in easy mode
74. more than 150 tests
- classic, rare
75. jumps (JMP to IP, IRET, )
76. undocumented (IceBP, SetALc...)
77. cpu-specific (MOVBE, POPCNT,...)
78. os-dependent, anti-VM/debugs
79. exception triggers, interrupts, OS bugs,...
80. ...
81. a documented binary
- exports + VEH = self-commented assembly
- a lot of DbgOutput
82. 32+64 = ...
83. same opcodes, different code
84. CoST vs WinDbg & Hiew
- WinDbg 6.12.0002.633, Hiew 8.15
85. a hardened PE
- Top PE 'footer'
86. CoST vs IDA
87. CoST vs Dumpbin
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.
Dump of file CoST.exe
File Type: EXECUTABLE IMAGE
LINK : fatal error LNK1248: image size (9B097F81) exceeds maximum allowable size (80000000)
HIDDEN SLIDE
88. a bit more of PE...
89. PE on corkami
- some graphs
90. a wiki page
- http://pe.corkami.com
91. not finished
92. more than 100 PoCs
93. good enough to break
94. virtual section table vs Hiew
95. Folded header
96. Weird export names
- exports = , 0
97. 65535 sections vs OllyDbg
98. one last...
- TLS AddressOfIndex is overwritten on loading
99. Imports are parsed until Name is 0
100. under XP, overwritten after imports
- imports are fully parsed
under W7, before
- truncated
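The loader-order dependency in slides 98-100, as an added toy model that is not the talk's or Corkami's code: the XP and W7 orders come from the slides; the image layout, DLL names, RVAs and a TLS index of 0 are constructed assumptions.

```python
"""Added example (not the talk's own code): a toy model of slides 98-100.
The loader stores the module's TLS index in the dword at TLS.AddressOfIndex,
and the import descriptor list ends at the first entry whose Name is 0.
If AddressOfIndex is aimed at an import descriptor's Name field, the loader
order decides the outcome.  XP/W7 orders are from the slides; RVAs, DLL
names and the TLS index value (0) are constructed for the model."""
from dataclasses import dataclass

DESC_SIZE = 20          # sizeof(IMAGE_IMPORT_DESCRIPTOR)
NAME_OFF = 12           # offset of the Name RVA inside a descriptor

@dataclass
class Image:
    mem: bytearray          # flat copy of the mapped image (index == RVA)
    import_table: int       # RVA of the first IMAGE_IMPORT_DESCRIPTOR
    address_of_index: int   # RVA that receives the TLS index on load

def apply_tls(img: Image, tls_index: int = 0) -> None:
    """Loader TLS step: write the (assumed) index into AddressOfIndex."""
    img.mem[img.address_of_index:img.address_of_index + 4] = tls_index.to_bytes(4, "little")

def parse_imports(img: Image) -> list:
    """Loader import step: walk descriptors until Name == 0."""
    names, rva = [], img.import_table
    while (name_rva := int.from_bytes(img.mem[rva + NAME_OFF:rva + NAME_OFF + 4], "little")) != 0:
        names.append(img.mem[name_rva:img.mem.index(b"\0", name_rva)].decode())
        rva += DESC_SIZE
    return names

def build_image(dll_names: list) -> Image:
    """Constructed image: descriptors at RVA 0x100, DLL name strings after
    them, and AddressOfIndex pointing at the second descriptor's Name."""
    mem, strings = bytearray(0x400), 0x100 + DESC_SIZE * (len(dll_names) + 1)
    for i, name in enumerate(dll_names):
        off = 0x100 + i * DESC_SIZE + NAME_OFF
        mem[off:off + 4] = strings.to_bytes(4, "little")
        mem[strings:strings + len(name) + 1] = name.encode() + b"\0"
        strings += len(name) + 1
    return Image(mem, 0x100, 0x100 + DESC_SIZE + NAME_OFF)

def load(dll_names: list, tls_first: bool) -> list:
    """tls_first=True is the W7 order from the slides, False the XP order."""
    img = build_image(dll_names)
    if tls_first:
        apply_tls(img)          # W7: TLS index lands on a Name before imports
    names = parse_imports(img)
    if not tls_first:
        apply_tls(img)          # XP: imports already resolved, nothing lost
    return names
```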
same PE, loaded differently under different Windows
101. conclusion
- x86 and PE are far from perfectly documented
102. still some gray areas of PE or x86
- but a bit less, every day
- official documentation leads to FAILURE
- visit Corkami.com
103. download the PoCs
104. fix the bugs ;)
105. Thanks
- Peter Ferrie
106. Candid West, Adam Baszczyk, BeatriX, Bruce Dang, Cathal Mullaney, Czerno, Daniel Reynaud, Elias Bachaalany, Ero Carrera, Eugeny Suslikov, Georg Wicherski, Gil Dabah, Guillaume Delugré, Gunther, Igor Skochinsky, Ilfak Guilfanov, Ivanlef0u, Jean-Baptiste Bédrune, Jim Leonard, Jon Larimer, Joshua J. Drake, Markus Hinderhofer, Mateusz Jurczyk, Matthieu Bonetti, Moritz Kroll, Oleh Yuschuk, Renaud Tabary, Rewolf, Sebastian Biallas, StalkR, Yoann Guillot,...
Questions ?
107. Such a weird processor: messing with opcodes (...and a little bit of PE)
Ange Albertini, 28th October 2011
@ange4771, @corkami (news only)
Creative Commons BY