SlideShare a Scribd company logo

Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease

A
Area41

This document discusses analyzing Visual Basic 6 programs. It begins by providing background on VB6 and transitions to discussing challenges with classical analysis approaches. It then outlines approaches for dynamic analysis using instrumentation of the VB6 virtual machine to monitor execution and APIs called. This includes patching jump tables and implementing custom instruction handlers. The goal is to generate tailored reporting and analyze obfuscation techniques in VB6 programs.

Technology
1 of 46
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
The Disease
Your Researchers Today Jurriaan Bremer Cuckoo Sandbox, Freelancer Marion Marschalek Cyphort Inc.
Back in time ...
Visual Basic 6.0 Microsoft, 1998 Object-based / event-driven Rapid Application Development Replaced by VB .NET in 2002 End of support in 2008
Google agrees.
2000: Pikachu Worm • pikachupokemon.exe – „Pikachu is your friend!“ • Modifies AUTOEXEC.BAT to remove C:WINDOWS and C:WINDOBadWSsystem32 • Bad coding...
2005: Kelvir Worm • Spreads through MSN Messenger by „lol! see it! u'll like it” message • Message points to omg.pif on home.earthlink.net • Spreads further & downloads and executes other malware
2009: Changeup Worm • Polymorphic • Spreads through removable media and shared folders by 'LNK/PIF' Files Automatic File Execution Vulnerability • Downloads other malware
So.. why are we here?
VB6 IS NOT DEAD
VB6 101 1991: Visual Basic born 1998: Visual Basic 5.0/6.0 p-code and native code 2002: VB.NET and MSIL byte code
NATIVE CODE
PSEUDO CODE
P-Code Translation P-code mnemonics interpreted by msvbvm60.dll handler13: ExitProcHresult ... handler14: ExitProc ... handler15: ExitProcI2 ... ... FC C8 13 76 ...
ProcCallEngine Jumptables
Instruction Handler pushes integer onto the stack
Instruction Handler pushes integer onto the stack
Instruction Handler pushes integer onto the stack
Hello World!
Hello World!
Hello World!
Ou lá lá... HELLOU WORLD ^^
Classical Analysis Approaches DONT WORK.
Existing VB Stuff •VB Decompiler •Tequila Debugger •IDA Scripts •Peter Ferrie, Masaki Suenaga
Most Advanced Sophisticated Private Cloud-based Big Data Intelligence Cyber Solution! (tm)
MASPCbBDICS FAIL COMPILATION Everything that didnt work...
DYNAMIC ANALYSIS
DECOMPILATION
ADVANCED STATIC ANALYSIS
DEBUGGING
DEBUGGING
DEBUGGING
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
V00D00 MAGIX
Most Advanced Sophisticated Private Cloud-based Big Data Intelligence Cyber Solution See which instructions are executed. Monitor interesting events as they happen. Inspect referenced strings, memory, and x86 code.
VB6 Instrumentation Patch the 6 jumptables! Generic Instrument everything Capture everything Create Statistics Specific Implementing specific instruction handlers “OpenFile” - filename
Patching A Function Handler Patch original address with our custom assembly stub 1. Store current register / stack state 2. Call custom instruction handler 3. Pass registers as parameters 4. Do STUFF 5. Restore original state Jump to original function handler. Life goes on.
Tailored Reporting For VB6 Custom printf() • BSTR unicode string with its size prepended • VARIANT generic wrapper around int, str, etc. Custom hexdump() to aid debugging
Slightly modified Cuckoo Sandbox Execute the sample with our custom DLL Cuckoofy It
VB6 ANALYSIS Obfuscation and garbage Anti-X features Three ways to call external functions The Somewhat Peculiar Results aka. Disease
Import Address Table (IAT) Only legitimate VB6 VM methods Dynamically Resolved Functions VB6 feature: DllFunctionCall Runtime decryption of API names WesumeThread, ZwWriteQirtualMemory, TetExitCodeThread Execute native x86
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
x86 to call CreateThread() other x86 code in a new thread
The Yet To Be Identified Infamous Anti-Cuckoo Feature (c)
Thank You! Project @ https://github.com/jbremer/vb6tracer

More Related Content

PDF
IzPack at Devoxx 2010
julien.ponge
 
PPTX
Microsoft & Open Source - a 'brave new world' - ProgSCon 2017
Matt Warren
 
PDF
Containers what are they, and why are they important v2.1
Derrick Wippler
 
PDF
Git Money
Tim N
 
PDF
Introduction to Docker
Emil Stenqvist
 
PPTX
Telehack: May the Command Line Live Forever
Gregory Hanis
 
PDF
Aide 2014 - Fundamentals of Linux Privilege Escalation
nullthreat
 
PDF
Device inspection to remote root
Tim N
 
IzPack at Devoxx 2010
julien.ponge
 
Microsoft & Open Source - a 'brave new world' - ProgSCon 2017
Matt Warren
 
Containers what are they, and why are they important v2.1
Derrick Wippler
 
Git Money
Tim N
 
Introduction to Docker
Emil Stenqvist
 
Telehack: May the Command Line Live Forever
Gregory Hanis
 
Aide 2014 - Fundamentals of Linux Privilege Escalation
nullthreat
 
Device inspection to remote root
Tim N
 

What's hot (14)

PDF
ifwt remote (sydney ruxmon edition)
Tim N
 
PDF
Practically DROWNing
Tim N
 
PPTX
My virtual firewall
Brian Drew
 
PPTX
Kali net hunter
Prashanth Sivarajan
 
PPTX
Kwort Linux 4.3 the new stable version is released
Linux Training Chennai
 
PPTX
Find the Hacker
Sysdig
 
PDF
Streamlining HPC Workloads with Containers
Dustin Kirkland
 
PPTX
BSides Algiers - Metasploit framework - Oussama Elhamer
Shellmates
 
PPTX
Metasploit for Web Workshop
Dennis Maldonado
 
PPTX
20160929 android taipei Sonatype nexus on amazon ec2
TSE-JU LIN(Louis)
 
PPTX
So Easy, A Ten Year Old Can Do It by Zeph Gardler
Docker, Inc.
 
PPTX
The internet of $h1t
Amit Serper
 
PPTX
Enemy at the gates: vulnerability research in embedded appliances
Chris Hernandez
 
PDF
Exploiting Llinux Environment
Enrico Scapin
 
ifwt remote (sydney ruxmon edition)
Tim N
 
Practically DROWNing
Tim N
 
My virtual firewall
Brian Drew
 
Kali net hunter
Prashanth Sivarajan
 
Kwort Linux 4.3 the new stable version is released
Linux Training Chennai
 
Find the Hacker
Sysdig
 
Streamlining HPC Workloads with Containers
Dustin Kirkland
 
BSides Algiers - Metasploit framework - Oussama Elhamer
Shellmates
 
Metasploit for Web Workshop
Dennis Maldonado
 
20160929 android taipei Sonatype nexus on amazon ec2
TSE-JU LIN(Louis)
 
So Easy, A Ten Year Old Can Do It by Zeph Gardler
Docker, Inc.
 
The internet of $h1t
Amit Serper
 
Enemy at the gates: vulnerability research in embedded appliances
Chris Hernandez
 
Exploiting Llinux Environment
Enrico Scapin
 
Ad

Similar to Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease (20)

PDF
EMBA Firmware analysis - TROOPERS22
EMBA Firmware Analyzer
 
PPT
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet
 
PDF
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
PDF
ITB 2023 Creating and managing a QA focused production-replicating environmen...
Ortus Solutions, Corp
 
PDF
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
CODE BLUE
 
PDF
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
PDF
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
PDF
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA Firmware Analyzer
 
PDF
Project Basecamp: News From Camp 4
Digital Bond
 
PPTX
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
PDF
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
Felipe Prado
 
PDF
PHP Backends for Real-Time User Interaction using Apache Storm.
DECK36
 
PPTX
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
PDF
Iot Bootcamp - abridged - part 1
Marcus Tarquinio
 
PDF
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
Felipe Prado
 
DOCX
Project Malware AnalysisCS 6262 Project 3Agenda.docx
briancrawford30935
 
PDF
Beefing Up AIR - FITC AMS 2012
Wouter Verweirder
 
PDF
IzPack - PoitouJUG
julien.ponge
 
PDF
Automating Security Response with Serverless
Michael Ducy
 
PDF
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware Analyzer
 
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
ITB 2023 Creating and managing a QA focused production-replicating environmen...
Ortus Solutions, Corp
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
CODE BLUE
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA Firmware Analyzer
 
Project Basecamp: News From Camp 4
Digital Bond
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
Felipe Prado
 
PHP Backends for Real-Time User Interaction using Apache Storm.
DECK36
 
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Iot Bootcamp - abridged - part 1
Marcus Tarquinio
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
Felipe Prado
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
briancrawford30935
 
Beefing Up AIR - FITC AMS 2012
Wouter Verweirder
 
IzPack - PoitouJUG
julien.ponge
 
Automating Security Response with Serverless
Michael Ducy
 
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
Ad

More from Area41 (11)

PDF
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Area41
 
PDF
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Area41
 
PDF
Rob "Mubix" Fuller: Attacker Ghost Stories
Area41
 
PPTX
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
PDF
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
PDF
hashdays 2011: Mikko Hypponen - Keynote
Area41
 
PDF
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
Area41
 
PDF
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
Area41
 
PDF
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
Area41
 
PDF
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
PDF
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
Area41
 
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Area41
 
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Area41
 
Rob "Mubix" Fuller: Attacker Ghost Stories
Area41
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
hashdays 2011: Mikko Hypponen - Keynote
Area41
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
Area41
 
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
Area41
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
Area41
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
Area41
 

Recently uploaded (20)

PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Encapsulation theory and applications.pdf
gurumoop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Teaching material agriculture food technology
LiaRayya
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease