Pokas x86 Emulator for Generic Unpacking By Amr Thabet
The Problem: Many packed worms : no time to reverse and step through the packers code Many polymorphic viruses around change their decryptor code and algorithm Need to write a detection algorithm for such viruses
The Solution Concept: We need an automatic unpacker Static Unpacker : very sensitive of any changes of the packer No Time for keeping up-to-date of every release of any Unpacker Dynamic Unpacker: not sensitive of the minor changes. It can unpack new packers. We need a Program runs the packed application until it unpacked and stop in the real OEP So we need a Debugger
Why not a Debugger? Easily to be detected Dangerous Cant monitor the memory Writes Allows only breakpoints on a specific place in memory
Previous Solutions: OllyBone: dangerous if its not a packer and could be fooled Its not scriptable and semi-automatic It could be easy detected Ida-x86emu: doesnt monitor memory writes and no conditional Breakpoints Pandoras Bochs: hard to be installed, hard to be customized very slow 200 secs for notepad.exe packed with PECompact 2 with a PC 3.14 GHz and 2.00 GB ram
Pokas x86 Emulator Its a Dynamic link library Easily to be customized Monitor all memory writes and log up to 10 previous Eips and saves the last accessed and the last modified place in memory. Support a very powerful debugger that has a parser that parses the condition you give and create a very fast native code that perform the check on this condition. Support Dumping the PE File with correct File Alignment Support adding new APIs Has an assembler and a disassembler from and to mnemonics for debugging. Support seh and support tib, teb, peb and peb_ldr_data it support 6 APIs:GetModuleHandleA, LoadLibrayA, GetProcAddress,VirtualAlloc, VirtualFree and VirtualProtect it's FREE and open source
Reliability: It successfully unpack: 1. UPX 2. FSG 3. MEW 4. PECompact 5. Aspack 6. Morphine It surely still contains bugs
Getting The Emulator Download it from x86emu-bin.zip files: X86emu.dll : The Emulator itself ~ 580 kb X86emu.h : The header file (should be included in any project uses the emulator Pe.h, tib.h : included by x86emu.h and should be beside it.
Pokas x86 Emulator Design
Usage Steps 1.Initialize your Emulated OS and Cpu 2.Manage the dlls and Apis 3.Emulate the undefined Apis 4.Adding the Stop Condition 5.Emulate your Process 6.Handle the Unhandled Exceptions 7.Waiting for your Breakpoints to be triggered 8.Dump your Process to a File
Debugger Conditions: Similar to C conditions Not case-sensitive Doesnt decrease the performance Up to 10 Supported Functions inside the Debugger Allow adding new Functions with different types of variables including string You can Add up to 100 Breakpoint
Debugger Examples Int3 Breakpoint or Hardware on Execution: Eip==0x Memory on Access or Write: __lastaccessed()==0x __lastmodified()==0x Execution on Modified Data: __isdirty(eip) In.text section only: __isdirty(eip) && eip>=0x && eip<=0x Anti-unpackers trick: write ret on the real OEP and calls to it: __isdirty(eip) && (__read(eip) & 0xff) !=0xC3) API Hooking: __isapi() __isapiequal(Getprocaddress) //not case sensitive in the api name
Example : UPX How Easy this Emulator is : int main() { EnviromentVariables* vars= (EnviromentVariables*)malloc(sizeof(EnviromentVariables)); memset( vars,0,sizeof(EnviromentVariables)); vars->dllspath="C:\\Windows\\System32\\"; System* sys=new System(vars); Process* c=new Process(sys,upx.exe"); c->debugger->AddBp(__isdirty(eip)"); int x=c->emulate(); if (x==EXP_BREAKPOINT){ PEDump(c->GetThread(0)->Eip,c,"test.exe"); } Only 10 lines and very simple
Multi-Layer unpacker if we know the number of layers we can clear the dirty flag and continue If not we can add this breakpoint: __isdirty(eip) && Eip<=0x // the.text size Notepad.exe : take less than 30 secs in a PC Intel Core 2 Duo 2.10 GHz with 2.00 GB ram Example : PECompact 1.33
TODO Support reconstructing the Import Table Fixing the bugs Create a Linux version Add cmovcc,setcc,bts instructions Support multithreading Support ELF File Formats Adding new Debugger Functions Allow saving the state
The End By Amr Hassan Thabet Any Questions?