![ShellCon 2017 | What Can RE Do For You?
39
CRYPTO
xor A, B
xor A, A
xor [esi], al
xor eax, eax
XOR the lower byte of register eax
with the value at esi
Clear the register eax
XOR something
STEP 4](https://image.slidesharecdn.com/whatcanredoforyoushellc0n-171019213656/85/What-Can-Reverse-Engineering-Do-For-You-39-320.jpg)
What Can Reverse Engineering Do For You?
- 1. ShellCon 2017 | What Can RE Do For You? 1 WHAT CAN REVERSE ENGINEERING DO FOR YOU? MALWARE UNICORN
- 2. ShellCon 2017 | What Can RE Do For You? 2 ABOUT ME WHAT I DO securedorg.github.io Teach Malware RE Look at malware DEFCON OPCDE CFP Reviewer Amanda Rousseau Host Meetups Follow Fashion Trends meetup.com/Dead-Drop-SF vanitysec.com RSA, DEFCON 44Con, CanSecWest Bsides SF, WiCys DC3Con, MirCon Speak at ConsSr. Malware Researcher Endgame Inc. Occasionally Shitpost @malwareunicorn
- 3. ShellCon 2017 | What Can RE Do For You? 3 Why Reverse Engineering? It is the foundation for both the blue and red teams Vuln Research Malware Analysis Exploit Dev Detection Sigs Forensics Pentesting Kits Reverse Engineering AV Engine Dev
- 4. ShellCon 2017 | What Can RE Do For You? 4 Watch out for Rabbit Holes It’s easy to get lost debugging some random binary. This talk will help you identify specific patterns in assembly routines commonly found in malware.
- 5. ShellCon 2017 | What Can RE Do For You? 5 “YOU ONLY NEED A DISASSEMBLER, DEBUGGER, AND A HEX EDITOR TO DO RE” – ANONYMOUS DUDE
- 6. ShellCon 2017 | What Can RE Do For You? 6 The “RE” starter pack
- 7. ShellCon 2017 | What Can RE Do For You? 7 ALL TOOLS SUPPORT HxD Hex Editor Python - used for automating tasks INFORMATION GATHERING CFF Explorer - PE header parser PE Explorer - PE inspection BinText - Extract strings Sysinternals Suite DISASSEMBLERS Ida Free Pro (Most Popular) Radare Capstone DEBUGGERS x64dbg (My Favorite) Immunity OllyDbg (Most Popular) WinDbg GDB
- 8. ShellCon 2017 | What Can RE Do For You? 8 Approach • Recognizing patterns comes with experience • Break down algorithms into basic steps • Information gathering is key, it helps define how the binary and assembly is used for that specific language • Use Backward-Forward navigation and take notes!
- 9. ShellCon 2017 | What Can RE Do For You? 9 BACKWARD-FORWARD Start somewhere in the middle and navigate backwards to the entry point function. Then go forwards to get back to the middle while taking notes. main() Sub_1() Sub_2() Sub_4()Start Sub_3()Next Next End Sub_4() Sub_2() main() Sub_1()
- 10. ShellCon 2017 | What Can RE Do For You? 10 BACKWARD-FORWARD My Notes
- 11. ShellCon 2017 | What Can RE Do For You? 11 Common Assembly Patterns Common techniques found in malware PACKING EVASION CRYPTO SHELLCODE
- 12. ShellCon 2017 | What Can RE Do For You? 12 PACKING 1. Allocate a huge memory chunk 2. Load referenced section, resource, or .data 3. Some routine that loops 4. Recreate the import table 5. Convert to R-W-X 6. Jump to start of newly copied bytes Things to look for
- 13. ShellCon 2017 | What Can RE Do For You? 13 PACKING HEADER MAIN CODE PACKED CODE NEW MEMORY RWX RECREATE IMPORT TABLE LOOP 1 2 5 4 3 6 JUMP
- 14. ShellCon 2017 | What Can RE Do For You? 14 PACKING UPX
- 15. ShellCon 2017 | What Can RE Do For You? 15 PACKING memory chuck == UPX0 section
- 16. ShellCon 2017 | What Can RE Do For You? 16 PACKING Recreate the import table
- 17. ShellCon 2017 | What Can RE Do For You? 17 PACKING Recreate the import table
- 18. ShellCon 2017 | What Can RE Do For You? 18 PACKING Import table in the debugger
- 19. ShellCon 2017 | What Can RE Do For You? 19 PACKING Convert to R-W-X with VirtualProtect Some routine that loops Jump to start of newly copied bytes
- 20. ShellCon 2017 | What Can RE Do For You? 20 PACKING • Look for references to sections, resources, or .data • Look for the jump call Debugging • Save the address to the new memory section. Set an execution breakpoint on that memory location. Static Analysis How to get around it
- 21. ShellCon 2017 | What Can RE Do For You? 21 EVASION • Lots of jumps where one jump terminates the program • Environment checking • Useless routines Things to look for
- 22. ShellCon 2017 | What Can RE Do For You? 22 EVASION Sub_0() Sub_1() Sub_4() Sub_3() Exit() Some Check JZ Exit() JZ Exit() JZ Exit() Some Check Some Check
- 23. ShellCon 2017 | What Can RE Do For You? 23 EVASION
- 24. ShellCon 2017 | What Can RE Do For You? 24 EVASION • VM Evasion – Checking the environment for VM artifacts • Anti-analysis – useless jumps & functions • Anti-AV Detection – Heavy obfuscation, environment checks • Anti Automation – requires UI activity Types of Evasion
- 25. ShellCon 2017 | What Can RE Do For You? 25 EVASION VM Evasion • Accessing registry keys for hardware & Bios • Checking driver names for VM drivers • Any check in Paranoid Fish (https://github.com/a0rtega/pafish) Things to look for
- 26. ShellCon 2017 | What Can RE Do For You? 26 EVASION VM Evasion • Accessing registry keys for hardware, Bios, and/or Physical Drive
- 27. ShellCon 2017 | What Can RE Do For You? 27 EVASION VM Evasion • Accessing registry keys for hardware, Bios, and/or Physical Drive
- 28. ShellCon 2017 | What Can RE Do For You? 28 EVASION • useless jumps & functions • Debugger checks • Time bombs • Tick timer checks Things to look for Anti-Analysis
- 29. ShellCon 2017 | What Can RE Do For You? 29 EVASION • useless jumps & functions • Debugger checks • Time bombs • Tick timer checks Things to look for Anti-Analysis
- 30. ShellCon 2017 | What Can RE Do For You? 30 EVASION Anti-AV Detection • Accessing registry keys for AV names • Checking program files, DLLs, Driver names • Stack based strings and IOCs Things to look for
- 31. ShellCon 2017 | What Can RE Do For You? 31 EVASION Anti-AV Detection Stack based strings and IOCs
- 32. ShellCon 2017 | What Can RE Do For You? 32 EVASION Anti Automation • Checking for User Interaction • Mouse movement • Foreground window state change • Long sleep/wait calls • Internet connection tests Things to look for
- 33. ShellCon 2017 | What Can RE Do For You? 33 • Checking for User Interaction • Foreground window state change EVASION Anti Automation
- 34. ShellCon 2017 | What Can RE Do For You? 34 EVASION • Patch the CMP and JNZ jump calls so that it always passes the check Debugging • Modify the Zero flag to bypass the check Static Analysis How to get around it
- 35. ShellCon 2017 | What Can RE Do For You? 35 EVASION • Patch the CMP and JNZ jump calls so that it always passes the check Debugging • Modify the Zero flag to bypass the check Static Analysis How to get around it
- 36. ShellCon 2017 | What Can RE Do For You? 36 CRYPTO Call a function right after STEP 2 Loop a lot STEP 3 Load a reference in .DATA STEP 1 XOR something STEP 4
- 37. ShellCon 2017 | What Can RE Do For You? 37 CRYPTO Call a function right after STEP 2 Load a reference in .DATA STEP 1
- 38. ShellCon 2017 | What Can RE Do For You? 38 CRYPTO Loop a lot STEP 3
- 39. ShellCon 2017 | What Can RE Do For You? 39 CRYPTO xor A, B xor A, A xor [esi], al xor eax, eax XOR the lower byte of register eax with the value at esi Clear the register eax XOR something STEP 4
- 40. ShellCon 2017 | What Can RE Do For You? 40 CRYPTO • Look for frequent usages of the function after data loads • Identify the crypto algorithm and create a simple decryption script Debugging • Place a breakpoint before the return or after the function to see the decrypted string • Place a write hardware breakpoint in the newly allocated memory region Static Analysis How to get around it
- 41. ShellCon 2017 | What Can RE Do For You? 41 SHELLCODE • Heap or VirtualAlloc with R-W-X permissions • Copy a large chunk of bytes to newly created memory • Jump to an offset in that new memory • Or spawn a new thread Things to look for
- 42. ShellCon 2017 | What Can RE Do For You? 42 SHELLCODE • Similar to unpacking • Shellcode is process independent code • May or may not need an import table creation Things to note
- 43. ShellCon 2017 | What Can RE Do For You? 43 SHELLCODE HEADER MAIN CODE SHELLCODE NEW MEMORY RWX LOOP 1 2 4 3 5 JUMP
- 44. ShellCon 2017 | What Can RE Do For You? 44 SHELLCODE • value Offset+0x42B7 is being saved in register esi and then pushed onto the stack before the function returns. • Typically functions will pop the ebp on the stack to restore the previous stack frame of the calling function. Things to note
- 45. ShellCon 2017 | What Can RE Do For You? 45 SHELLCODE • Look for references to sections, resources, or .data • Look for the jump or push & ret call Debugging • Save the address to the new memory section. Set an execution breakpoint on that memory location. • Extract the shellcode from memory and convert it into an exe Static Analysis How to get around it
- 46. ShellCon 2017 | What Can RE Do For You? 46 SHELLCODE Converting Shellcode to an EXE 1. Download Yasm yasm-1.3.0-win32.exe 2. Extract yasm-1.3.0-win32.exe and rename it to yasm.exe 3. Download GoLink linker Golink.zip 4. Extract golink.exe 5. Create a shellcode.asm file with the following instructions 6. From a command line run the following command to assemble the code: • yasm.exe -f win32 -o shellcode.obj shellcode.asm 7. Now run the linker • golink /ni /entry Start shellcode.obj 8. Change the AddressOfEntryPoint. Add the current value to 0x42B7 which was the offset of where the malware was going to return to in function sub_45B794. AddressOfEntryPoint should be 000052B7. This will ensure that IDA knows where to start the disassembly. Global Start SECTION 'AyyLmao' write, execute,read Start: incbin "shellcode.bin"
- 47. ShellCon 2017 | What Can RE Do For You? 47 Things to REmember • Take notes • PATCH, PATCH, PATCH - every evasion can be bypassed • Memory & Hardware breakpoints are your friends • Loops are annoying but good for identification • Repeated functions are fishy indicators
- 48. ShellCon 2017 | What Can RE Do For You? 48 Thanks for coming! Questions? Twitter: @malwareunicorn