Object Oriented Code RE with HexraysCodeXplorer
Download as PPTX, PDF2 likes2,879 views
The document discusses challenges in reversing object-oriented C++ code and malware. It presents approaches used by the HexRaysCodeXplorer plugin for IDA to assist with reconstructing object types and navigating virtual methods in decompiled code. The plugin allows partially reconstructing object types from initialization routines and traversing related virtual methods. It has features for position independent code and supports IDA x64.
![Virtual Methods
class Cat {
private:
int _weight;
public:
Cat(int weight) : _weight(weight) {};
int eat(int food) {
return _weight += food;
};
};
int _tmain(int argc, _TCHAR* argv[])
{
Cat* cat = new Cat(130);
int newWeigth = cat->eat(20);
}
class Animal {
protected:
int _weight;
public:
Animal(int weight) : _weight(weight) {};
virtual int eat(int food) = 0;
};
class Cat : Animal {
public:
Cat(int weight) : Animal(weight) {};
virtual int eat(int food) {
return _weight += food;
};
};
int _tmain(int argc, _TCHAR* argv[])
{
Animal* cat = new Cat(130);
int newWeight = cat->eat(20);
}
vs](https://image.slidesharecdn.com/nsec2015pdf-150528071252-lva1-app6891/85/Object-Oriented-Code-RE-with-HexraysCodeXplorer-5-320.jpg)
![Virtual Methods
class Cat {
private:
int _weight;
public:
Cat(int weight) : _weight(weight) {};
int eat(int food) {
return _weight += food;
};
};
int _tmain(int argc, _TCHAR* argv[])
{
Cat* cat = new Cat(130);
int newWeigth = cat->eat(20);
}
class Animal {
protected:
int _weight;
public:
Animal(int weight) : _weight(weight) {};
virtual int eat(int food) = 0;
};
class Cat : Animal {
public:
Cat(int weight) : Animal(weight) {};
virtual int eat(int food) {
return _weight += food;
};
};
int _tmain(int argc, _TCHAR* argv[])
{
Animal* cat = new Cat(130);
int newWeight = cat->eat(20);
}
vs](https://image.slidesharecdn.com/nsec2015pdf-150528071252-lva1-app6891/85/Object-Oriented-Code-RE-with-HexraysCodeXplorer-6-320.jpg)
![HexRaysCodeXplorer: v1.7 [NSEC Edition]
Automatic virtual table identification
+
Type reconstruction](https://image.slidesharecdn.com/nsec2015pdf-150528071252-lva1-app6891/85/Object-Oriented-Code-RE-with-HexraysCodeXplorer-53-320.jpg)
![HexRaysCodeXplorer: v1.7 [NSEC Edition]
* Automatic virtual table identification](https://image.slidesharecdn.com/nsec2015pdf-150528071252-lva1-app6891/85/Object-Oriented-Code-RE-with-HexraysCodeXplorer-54-320.jpg)
![HexRaysCodeXplorer: v1.7 [NSEC Edition]
* Automatic virtual table identification](https://image.slidesharecdn.com/nsec2015pdf-150528071252-lva1-app6891/85/Object-Oriented-Code-RE-with-HexraysCodeXplorer-55-320.jpg)
![HexRaysCodeXplorer: v1.7 [NSEC Edition]
* Automatic virtual table identification
* Support for IDA Pro x64
* Bugfixes](https://image.slidesharecdn.com/nsec2015pdf-150528071252-lva1-app6891/85/Object-Oriented-Code-RE-with-HexraysCodeXplorer-56-320.jpg)
Object Oriented Code RE with HexraysCodeXplorer
- 1. Object Oriented Code RE with HexRaysCodeXplorer Eugene Rodionov @vxradius Alex Matrosov @matrosov
- 2. Agenda * Object Oriented Code Reversing Challenges -- virtual methods -- templates * Reversing Object Oriented Malware -- Flamer -- Sednit * HexRaysCodeXplorer in use
- 3. Modern C++ Malware for Targeted Attacks
- 4. Why reversing C++ code is a hard problem? Virtual Methods & Templates
- 5. Virtual Methods class Cat { private: int _weight; public: Cat(int weight) : _weight(weight) {}; int eat(int food) { return _weight += food; }; }; int _tmain(int argc, _TCHAR* argv[]) { Cat* cat = new Cat(130); int newWeigth = cat->eat(20); } class Animal { protected: int _weight; public: Animal(int weight) : _weight(weight) {}; virtual int eat(int food) = 0; }; class Cat : Animal { public: Cat(int weight) : Animal(weight) {}; virtual int eat(int food) { return _weight += food; }; }; int _tmain(int argc, _TCHAR* argv[]) { Animal* cat = new Cat(130); int newWeight = cat->eat(20); } vs
- 6. Virtual Methods class Cat { private: int _weight; public: Cat(int weight) : _weight(weight) {}; int eat(int food) { return _weight += food; }; }; int _tmain(int argc, _TCHAR* argv[]) { Cat* cat = new Cat(130); int newWeigth = cat->eat(20); } class Animal { protected: int _weight; public: Animal(int weight) : _weight(weight) {}; virtual int eat(int food) = 0; }; class Cat : Animal { public: Cat(int weight) : Animal(weight) {}; virtual int eat(int food) { return _weight += food; }; }; int _tmain(int argc, _TCHAR* argv[]) { Animal* cat = new Cat(130); int newWeight = cat->eat(20); } vs
- 7. Virtual Function Tables Class A vfPtr attr_1 attr_2 A::vfTable A::a1() A::a2() A::a3() RTTI Object Locator signature pTypeDescriptor pClassDescriptor meta
- 8. Virtual Function Tables Class A vfPtr attr_1 attr_2 A::vfTable A::a1() A::a2() A::a3() RTTI Object Locator signature pTypeDescriptor pClassDescriptor meta
- 9. Virtual Function Tables * lead to indirect method calls -- difficult to analyze statically * initialized in constructors -- need to track back object creation
- 10. C++ Templates * extra code to analyze -- another way to create polymorphic types * problematic to recognize standard library code (FLIRT) -- playing with compiler optimization options std::vector<int> std::vector<char> std::vector<std::string> std::vector<custom_type>
- 11. C++ Code Reconstruction Problems * Object identification -- type reconstruction * Class layout reconstruction -- Identify constructors/destructors -- Identify class members -- Local/global type reconstruction -- Associate object with exact method calls * RTTI reconstruction -- vftable reconstruction -- Associate vftable object with exact object -- class hierarchy reconstruction
- 12. Reversing Object Oriented Malware Practical Approaches: REconstructing Flamer Framework
- 13. REconstructing Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer MunchSniffer FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
- 14. REconstructing Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer MunchSniffer FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
- 15. Identifying Used Types * Smart pointers * Strings * Vectors to maintain objects * Custom data types: -- tasks -- triggers -- and etc.
- 16. Data Types Being Used: Smart pointers struct SMART_PTR { void *pObject; // pointer to the object int *RefNo; // reference counter };
- 17. Data Types Being Used: Smart pointers
- 18. Data Types Being Used: Vectors struct VECTOR { void *vTable; // pointer to the virtual table int NumberOfItems; // self-explanatory int MaxSize; // self-explanatory void *vector; // pointer to buffer with elements }; * Used for handling objects: -- tasks -- triggers
- 19. Data Types Being Used: Strings struct USTRING_STRUCT { void *vTable; // pointer to the table int RefNo; // reference counter int Initialized; wchar_t *UnicodeBuffer; // pointer to unicode string char *AsciiBuffer; // pointer to ASCII string int AsciiLength; // length of the ASCII string int Reserved; int Length; // Length of unicode string int LengthMax; // Size of UnicodeBuffer };
- 20. Approaching Flamer * Identify Object Constructors * Reconstruct Object Attributes * Reconstruct Object Methods Type reconstruction Control Flow Graph Reconstruction
- 27. Reversing Object Oriented Malware Practical Approaches: REconstructing XAgent Framework
- 28. XAgent Framework Communication Channels Vector<IAgentChannel> AgentKernel Local Storage Cryptor Agent Modules Vector<IAgentModule> AgentKernel Module FileSystem Channel Controller DNameNode Module Remote KeyLogger Process Retranslator Module WinHttp http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
- 29. Object Interconnection: IAgentModule struct IAgentModule { LPVOID receiveMessage; LPVOID sendMessage; LPVOID getModuleId; LPVOID setModuleId; LPVOID executeModule; }; AgentKernel Module FileSystem Module Remote Keylogger Process Retranslator Module IAgentModule
- 30. Exploring RTTI* * recover type names * reconstruct class hierarchy * identify object virtual function tables * IDA ClassInformer plugin
- 31. Exploring RTTI* * recover type names * reconstruct class hierarchy * identify object virtual function tables * IDA ClassInformer plugin
- 33. XAgent: Cryptor
- 34. XAgent: Cryptor encrypted message salt (4 bytes) RC4key plain text
- 36. XAgent: Identifying Used Types * Strings: std::string * Containers to maintain objects: -- std::vector -- std::list
- 37. XAgent: Identifying Used Types * Strings: std::string * Containers to maintain objects: -- std::vector -- std::list
- 39. HexRaysCodeXplorer since 2013 * CodeXplorer V1.0 released on REcon’2013 * First third-party plugin for Hex-Rays Decompiler * v1.0 supports IDA v6.4 and Decompiler for x86 v1.8
- 40. HexRaysCodeXplorer Features * Hex-Rays decompiler plugin x86/x64 * The plugin was designed to facilitate static analysis of: -- object oriented code -- position independent code * The plugin allows to: -- partially reconstruct object type -- navigate through decompiled virtual methods
- 41. Hex-Rays Decompiler Plugin SDK * At the heart of the decompiler lies ctree structure: -- syntax tree structure -- consists of citem_t objects -- there are 9 maturity levels of the ctree structure
- 42. * Type citem_t is a base class for: -- cexpr_t – expression type -- cinsn_t – statement type * Expressions have attached type information * Statements include: -- block, if, for, while, do, switch, return, goto, asm * Hex-Rays provides iterators for traversing the citem_t objects within ctree structure: -- ctree_visitor_t, ctree_parentee_t Hex-Rays Decompiler Plugin SDK citem_t cexpr_t cinsn_t
- 43. * Type citem_t is a base class for: -- cexpr_t – expression type -- cinsn_t – statement type * Expressions have attached type information * Statements include: -- block, if, for, while, do, switch, return, goto, asm * Hex-Rays provides iterators for traversing the citem_t objects within ctree structure: -- ctree_visitor_t, ctree_parentee_t Hex-Rays Decompiler Plugin SDK citem_t cexpr_t cinsn_t
- 44. DEMO time :)
- 45. HexRaysCodeXplorer: Gapz Position Independent Code
- 46. HexRaysCodeXplorer: Virtual Methods IDA’s ‘Local Types’ is used to represent object type
- 47. HexRaysCodeXplorer: Virtual Methods IDA’s ‘Local Types’ is used to represent object type
- 48. HexRaysCodeXplorer: Virtual Methods * Hex-Rays decompiler plugin is used to navigate through the virtual methods
- 49. HexRaysCodeXplorer: Object Type REconstruction * Hex-Rays’s ctree structure may be used to partially reconstruct object type * Input: -- pointer to the object instance -- object initialization routine entry point * Output: -- C structure-like object representation
- 50. HexRaysCodeXplorer: Object Type REconstruction * citem_t objects: -- memptr, idx, memref -- call, ptr, asg
- 51. HexRaysCodeXplorer: Object Type REconstruction * citem_t objects: -- memptr, idx, memref -- call, ptr, asg
- 52. HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
- 53. HexRaysCodeXplorer: v1.7 [NSEC Edition] Automatic virtual table identification + Type reconstruction
- 54. HexRaysCodeXplorer: v1.7 [NSEC Edition] * Automatic virtual table identification
- 55. HexRaysCodeXplorer: v1.7 [NSEC Edition] * Automatic virtual table identification
- 56. HexRaysCodeXplorer: v1.7 [NSEC Edition] * Automatic virtual table identification * Support for IDA Pro x64 * Bugfixes
- 57. DEMO time :)
- 58. HexRaysCodeXplorer: Next plans * Switch to IdaPython
- 59. Why python?
- 60. HexRaysCodeXplorer: Next plans * Switch to IdaPython * Further research & development: -- find cross-references to object attributes -- handling nested structures -- code similarity based on data flow analysis
- 61. Thank you for your attention! http://REhints.com @Rehints https://github.com/REhints/HexRaysCodeXplorer