The walking 0xDEAD

Inspecting and Manipulating binaries

Introduction.
x86 architecture. Assembler.
Binary inspection.
General sample (crackme)
Binary manipulation.
Python to the rescue!
Malware analysis

What we (you) are going to do 2

Welcome to the city of death 3

$ whoami

Braaaaiiinnnssss 4
4

$ whoami
Binary Reverse Engineering
Malware
Programming
The walking dead

5
5

Yeah, but what is reversing ???

Kind of a reconstruction
Code Binary

int main(int argc, char **argv) push ebp
{ mov ebp, esp
int gv = 0; // global mov dword_403394, 0
[…] […]

6

so, i want to do some reversing

Requisites
ASM knowledge
Binary format (PE32, etc.)
OS Knowledge
Patience ;)

7

At the beginning, there was c0de
#include "stdafx.h"
#include <iostream>

using namespace std;

int add(int x, int y)
{
return x + y;
}

int main()
{
int a = 0, b = 0;
cout << "Enter a: ";
[…]
return 0;
}

8

The compiler fucks it all up

9

compiling is like...
… that scene of Apollo XIII

10

It may hurt a little bit… 11

Bytes :: opcodes

12

Opcodes :: basic blocks

13

Basic blocks :: functions

14

Cpu registers
„General purpose“ registers:
eax, ebx, ecx, edx, esi, edi, ebp, esp
32 bits (64 bits in x86_64)
Some of them have special uses.

„The rootkit arsenal“ Bill Blunden


Cpu registers
Not so „general purpose“ registers:
eax: Arithmetic and function return values
ecx: counter (loops, etc.)
esi, edi: src, dst in memcpy, strcpy, etc.
ebp, esp: stack operations :)
and more...


Some common instructions
Read
mov eax, [ecx]
mov eax, [00401000]
Write
mov ebx, 0x20
mov [ebx+0x1C], ecx


push
push 0x100
push dword_1377
pop
pop ecx
pop 0x00c0ffee


inc, dec
mul, div
Use your imagination :)

add, sub
add esp, 0x08
sub esp, 0x1c


lea dst, src
lea eax, [esi*2]
lea ecx, [esi+ecx]

shl, shr
shl eax, 2


jxx dst
jmp 0xbadc0de
jnz eax
ja 0xc0ffee
jl ebx
t
call 0x00412F1E


cmp dst, src
cmp eax, ebx
cmp ecx, 0xFF

test dst, src
test ecx, edx


Important segments
.data: statically allocated *initialized*
int g = 1; char str[] = „yomamma“;
.bss: statically allocated *UNinitialized*
int var; char *ptr;
.rdata: read-only data (const c = 0)


It‘s all about the .(r)data


Moar data


Imports and all that stuff…


The problem with imports

Problem: O(n2) vs. O(n)

„Thunks and dynamic resolution makes the binary
*portable* between Windows versions.
XP and Win7 don‘t have the same addresses for all
kernel32 functions


Regular call thunks Opcode:
0xE8 + offset

Memcpy = thunk Not resolved yet
(nur jmp)


call ds:xxx “direct“ import calls
Opcodes:
0xFF15 + absolut address

Not resolved yet


Page based (4 KB pages, arch dependent)

Pages (virtual mem.) -> page tables -> page frames
(physical mem.)

Pages have several attributes:
User / Supervisor (Kernel)
read-only, read-write, read-execute, etc.
Memory is not disk, dough! 31

Picture: CC Hameed, (http://blogs.technet.com) 32

Picture: Bill Blunden (The Rootkit Arsenal) 33

Application starts. Process is generated.
Process = running instance of an application.
Processes are separated from each other.
Every process gets its own virtual address space (32-bit: 4 GB)

A process is a container (own VM, Handles, Threads (min.1))
Thread = context execution of a process.
Multithreading.
Shares system resources (Code, Data, Handles)
Own stack, though.
Thread Local Storage.
Threads (within a process) can share memory.

Processes and Threads 34

Important data structures in every process

PEB: Process Environment Block (1 pro Process)
Location of executable (ImageBase)
Information about DLLs
Information regarding the heap

TEB: Thread Environment Block (1 pro Thread)
Location of the PEB
Location of the stack
Pointer to first SEH Chain entry

PEB vs. TEB 35

Process memory segmentation:

Code (.text): like the segment on disk

Data (.data): like the segment on disk

Stack: function arguments, local variables
Grows towards lower addresses
Defined through top (ESP) and bottom (EBP)
PUSH vs POP (dword)

Heap: managed by Allocator/Deallocator algorithms

Two new segments 36

User land

Picture courtesy of CORELAN
2GB
Kernel land

Copyright (c) Corelan GCV

4GB 37

Open cmd.exe in ImmunityDebugger

Time to take a peek 38

The stack . Push & pop.


Function prologue


function calls
Different types:
cdecl (C progs, variable arg number)
Caller* is responsible for adjusting the stack.
How many args were there? Unknown
stdcall (windows API, fixed arg number)
Function self adjusts the stack before return.
It's clear in advance how many arguments
_funcName@nrBytes

Argument passing


Argument passing ( by ref )


Argument passing ( by value )


Go home Compiler, you are drunk
#include <stdio.h>
int main(void) {
char x = 0xff;

if(x == 0xff)
puts("YES");
else
puts("NO");

return 0;
}
sign extensions from hell 49

There is NOT such thing as static reversing ONLY

Combine static (IDA) and dynamic (debugger).
The trick is to optimize the information transfer
between these two.

Best of both worlds 51

Examples:
IDA debugging capabilities
Dynamic Binary Instrumentation (PIN).
Import results in IDA to see code coverage

Trace with .py
Differential debugging

Best of both worlds 52

Don't really feel like doing this manually 58

F*ck this shit
I'm outta here!

We will solve this soon… intelligently 59

Not elegant but effective… 61

I want more… finesse… 62


Tzzzzzz. Tttzzzz… 63


If it‘s in twitter it must be true 64

Which ReadFile ?!?!

There are several references…
Manually inspecting all is a tedious job. 67

Reading from a File
CreateFile(...)
Returns handle
ReadFile(handle)
CloseHandle(handle)

Reading from a File

It's a long shot 70

And... found!

It's a long shot 71

Binary manipulation

Binaries can be easily modified
Patched (on disk, live)
Functions intercepted (hooking, live)

Usage:
Inspection (ex. Tracing)
Change execution flow
Whatever you can imagine

What you all have been waiting for… 73

So many questions…

APIs used to send() and recv() data?
Sure? Think twice
Functions I don't see?
What happens with the data received?
How does the malware achieve persistency?

Braaaaiiinnnsss… I mean, credeeeennttiiiaaalllssssss… 74

Braaaaiiinnnsss… I mean, credeeeennttiiiaaalllssssss… 75

Are these the
ONLY APIs
used by this malware?

Malware are deceiving bastards… 76

Braaaaiiinnnsss… I mean, CPU cycles… 77

How does the malware
achieve
persistency?

I like it here. I think I‘m gonna stick for a while… 78

Braaaaiiinnnsss… I mean, CPU cycles… 79

Getting in the enemy's mind 80

Hands on: STRINGS

Juicy info in two minutes 81

Hands on: imports

Very interesting imports… 82

Hands on: resources

The .rsrc section is perfect for hiding data 83

"Crypto" stuff

Takes less time and is less brain damaging 84

Hands on: sneaky bastards

I see what you did there… 85

There are so many!
What Do i do?!?!?

86

Who are u gonna call? Sneakbuster!

Takes less time and is less brain damaging 87

Hands on: WTFTLS

NO ME GUSTA 88

Hands on: WTFTLS

Call, call, call … 89

Hands on: running it

Thanks for the info… 90

Hands on: running it

Here's (another?) candy for you… 91

The walking 0xDEAD

More Related Content

What's hot (20)

Similar to The walking 0xDEAD (20)

Recently uploaded (20)

The walking 0xDEAD