Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course

Chapter 3 - Dealing With Protected Binaries

Introduction To Protected Binaries  Packers and protectors follow two different approaches to compressing executable files.  Packers compress executable files to make them smaller, the same thing WinZip does with all kinds of files.  Well-known packers are: UPX, PECompact, FSG, MeW.

 Protectors do not compress for the sake of shrinking the executable. They compress it in a special manner to protect its code against reversing and modification.  Protectors use many tricks such as anti-debugging, anti-dumping, anti-disassembling, etc. to make the unpacking process hard.  Most of the time, a protected file is much bigger than a packed file.

 Well-known protectors are: Asprotect, Armadillo, ExeCryptor, Themida, etc.

How packers/protectors work

 A program before packing (diagram): PE Header; Code Section, containing the Original Entry Point; Import Directory; Import Address Table (the IAT is filled by the Windows loader); Resources.

 The same program after packing (diagram): PE Header; Code Section (compressed; the unpacker stub decompresses it at run time); Import Directory; Import Address Table (the IAT is filled by the unpacker stub); Unpacker Stub, where the Entry Point now points; Resources.

Identifying The Packers/Protectors  There are a few tools that identify the name of the packer / protector based on a binary signature. They are called packer identifiers.  A packer identifier mostly reads a few bytes at the entry point of the executable and compares them with its database. If a match is found, it shows the name of the packer, protector, or compiler.

Sample signature of PEiD:

[Microsoft Visual C++ 8]
signature = E8 ?? ?? E9 ?? ?? FF FF
ep_only = true

 ?? means any byte, and ep_only means only search at the entry point.

 The entry point in Visual C usually is:
E8 7A CALL Original.00401F28
E9 36FDFFFF JMP Original E9
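The matching a packer identifier performs is simple enough to reproduce in a few dozen lines. The following is an added example, not code from the course or from PEiD: it walks the DOS, COFF, optional and section headers to find the file offset of AddressOfEntryPoint, then compares PEiD-style signatures (with `??` wildcards and an `ep_only` flag) at that offset. The signature database and the three "files" are constructed in memory. The Visual C++ 8 signature reuses the slide's sample with its wildcard count reconstructed to five bytes per CALL rel32 / JMP rel32 (my assumption, since the slide's text lost bytes), and the "UPX" entry is a constructed approximation of a UPX stub prologue (pushad / mov esi / lea edi / push edi / or ebp,-1), not a signature copied from any database.

```python
import struct

# ---- PEiD-style signature matching ---------------------------------------

def parse_signature(sig_text):
    """'E8 ?? ?? ?? ?? E9' -> [0xE8, None, None, None, None, 0xE9]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig_text.split()]

def match_at(data, offset, pattern):
    """True when every non-wildcard byte of the pattern equals data[offset + i]."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

# ---- minimal PE header walk to locate the entry point in the file ----------

def entry_point(data):
    """Return (entry point VA, file offset of the entry point) for a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = opt + size_of_opt                          # IMAGE_SECTION_HEADER[]
    for i in range(num_sections):
        hdr = sections + i * 40
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, raw_size):
            return image_base + ep_rva, ep_rva - vaddr + raw_ptr
    raise ValueError("entry point RVA 0x%x lies outside every section" % ep_rva)

def identify(data, database):
    """Try each (name, signature, ep_only) entry. ep_only=True compares only at the
    entry point; ep_only=False slides the pattern over the whole file."""
    _, ep_off = entry_point(data)
    for name, sig_text, ep_only in database:
        pattern = parse_signature(sig_text)
        offsets = [ep_off] if ep_only else range(len(data) - len(pattern) + 1)
        if any(match_at(data, off, pattern) for off in offsets):
            return name
    return None

# ---- constructed sample data (not real files or real database entries) ----

SIGNATURE_DB = [
    # slide's sample; wildcard count reconstructed (CALL rel32 / JMP rel32) - assumption
    ("Microsoft Visual C++ 8", "E8 ?? ?? ?? ?? E9 ?? ?? ?? ??", True),
    # constructed approximation of a UPX stub prologue:
    # pushad / mov esi,imm32 / lea edi,[esi+disp32] / push edi / or ebp,-1
    ("UPX (constructed)", "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF", True),
]

MSVC_ENTRY = bytes.fromhex("E8 7A 1B 00 00 E9 36 FD FF FF")  # constructed call; jmp
UPX_ENTRY = bytes.fromhex("60 BE 00 10 40 00 8D BE 00 00 FC FF 57 83 CD FF")

def build_sample_pe(entry_bytes):
    """Minimal PE32 image: headers in the first 0x200 bytes, one .text section mapped
    at RVA 0x1000 / file offset 0x200, entry point at the start of that section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    text = entry_bytes.ljust(0x200, b"\x00")
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\x00")
    return headers + text

def demo():
    """Identify constructed files; the last two hide the UPX bytes 16 bytes past the EP."""
    anywhere_db = [(n, s, False) for n, s, _ in SIGNATURE_DB]
    hidden = build_sample_pe(b"\x90" * 16 + UPX_ENTRY)
    return {
        "msvc": identify(build_sample_pe(MSVC_ENTRY), SIGNATURE_DB),
        "upx": identify(build_sample_pe(UPX_ENTRY), SIGNATURE_DB),
        "nops": identify(build_sample_pe(b"\x90" * 16), SIGNATURE_DB),
        "hidden_ep_only": identify(hidden, SIGNATURE_DB),
        "hidden_anywhere": identify(hidden, anywhere_db),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The `hidden_*` cases show why `ep_only` matters: with `ep_only = true` a stub that does not start exactly at the entry point is missed, while a whole-file scan finds it but is slower and more prone to false positives, since a ten-byte pattern with eight wildcards will eventually match random data in a large file.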

Packer Identifiers  PEiD is the most famous and fully featured tool; it supports an external database and plugins. It has a simple PE header viewer which shows useful information about the file, but it only supports x86 executables.  The last version was 0.95 and was released on . It's almost a dead project, but some people have created a large external database for new packers/protectors.

Packer Identifiers…  RDG Packer Detector is another famous tool with a strong heuristic analyzer, but it doesn't have a user-friendly GUI. It only supports the x86 architecture.  The last version is and was released on Jan . It's alive and being updated frequently.

Packer Identifiers…  ExEinfo PE is a tool with x86 and x64 support which tries to be similar to PEiD. It has most of the features of PEiD, but it's not very well known and has a messy GUI.  The last version is and was released at the end of . It's alive and being updated frequently.

Packer Identifiers…  Detect It Easy is a new tool which supports both x86 and x64 files. It has most of the features of PEiD, and a PE viewer which can also edit the PE.  The last version is and was released on Aug . It's alive and being updated frequently.

The art of unpacking  Unpacking a DLL has a few extra steps compared with an EXE.  A DLL needs its Relocation Table so that the Windows loader can move it to a different address space, so the table must be fixed during the unpacking procedure.  Relox is a tool for fixing relocations by comparing two dumps of the DLL taken at two different ImageBases.

Steps of unpacking an EXE
1. Use a packer identifier to find out the name of the packer/protector.
2. After identifying the packer/protector type, choose an unpacking strategy based on that type.
3. Next, run the program in a debugger and try to find the original entry point (OEP).

4. Then dump the process with a process dumper.
5. Then fix the import address table of the dump file with an import fixer such as Import Reconstructor.
6. The final step is re-attaching the overlay (if one exists) to the fixed dump.

Steps of unpacking a DLL  The procedure is the same as steps 1-5 for an EXE, but at step 4, after dumping, the ImageBase of the dump should be corrected with a PE editor.  The first additional step is loading the DLL into another address space to obtain a dump at a different ImageBase. The ImageBase of the new dump should be corrected, like the first dump.

 The second additional step is opening the two dumps in Relox to rebuild the Relocation Table; after that, the dump whose Import Table was fixed at step 5 should be fixed again by Relox.  The last step is the same as step 6 for an EXE; however, DLLs usually don't have an overlay.
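The two-dump comparison that the DLL steps hand to Relox rests on one observation: when the loader maps the same module at two different ImageBases, every dword that holds an absolute address changes by exactly the difference of the bases, and nothing else should. The following added example (my own illustration of that principle, not Relox's code) finds those dwords in two constructed dumps, serializes them into the `.reloc` block format (page RVA, block size, WORD entries of type IMAGE_REL_BASED_HIGHLOW = 3), and then replays the rebuilt table the way the loader would, to check that rebasing the first dump reproduces the second. The dumps, bases and pointer positions are constructed inline.

```python
import struct

IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address; the only type used here

def find_relocation_rvas(dump_a, base_a, dump_b, base_b):
    """Compare two dumps of one module taken at base_a and base_b. A dword that
    differs by exactly (base_b - base_a) is treated as a relocated absolute
    address and its RVA is recorded."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps must be the same size")
    delta = (base_b - base_a) & 0xFFFFFFFF
    rvas, rva = [], 0
    while rva <= len(dump_a) - 4:
        va = struct.unpack_from("<I", dump_a, rva)[0]
        vb = struct.unpack_from("<I", dump_b, rva)[0]
        if va != vb and (vb - va) & 0xFFFFFFFF == delta:
            rvas.append(rva)
            rva += 4           # a relocated dword cannot overlap the next one
        else:
            rva += 1
    return rvas

def build_reloc_section(rvas):
    """Serialize RVAs as .reloc blocks: per 4 KiB page, {VirtualAddress,
    SizeOfBlock, WORD entries (type << 12 | offset_in_page)}."""
    pages = {}
    for rva in rvas:
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    out = bytearray()
    for page in sorted(pages):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in pages[page]]
        if len(entries) % 2:
            entries.append(0)  # IMAGE_REL_BASED_ABSOLUTE padding keeps the block 4-byte aligned
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return bytes(out)

def apply_relocations(image, reloc, old_base, new_base):
    """What the Windows loader does with a .reloc section: add the base delta
    to every HIGHLOW target."""
    image = bytearray(image)
    delta = (new_base - old_base) & 0xFFFFFFFF
    pos = 0
    while pos + 8 <= len(reloc):
        page, size = struct.unpack_from("<II", reloc, pos)
        for off in range(pos + 8, pos + size, 2):
            entry = struct.unpack_from("<H", reloc, off)[0]
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                target = page + (entry & 0xFFF)
                value = struct.unpack_from("<I", image, target)[0]
                struct.pack_into("<I", image, target, (value + delta) & 0xFFFFFFFF)
        pos += size
    return bytes(image)

# ---- constructed sample: a two-page module dumped at two ImageBases --------

BASE_A, BASE_B = 0x00400000, 0x10000000
POINTER_RVAS = [0x10, 0x1004, 0x1FF0]   # locations that hold absolute addresses

def make_dump(base):
    """Constructed dump of the module as it would look when mapped at `base`."""
    img = bytearray(0x2000)
    struct.pack_into("<I", img, 0x100, 0x12345678)         # constant, same in both dumps
    for rva in POINTER_RVAS:
        struct.pack_into("<I", img, rva, base + 0x1234)    # pointer into the module
    return bytes(img)

def rebuild_and_verify():
    """Return (found RVAs, rebuilt .reloc bytes, whether rebasing dump A gives dump B)."""
    dump_a, dump_b = make_dump(BASE_A), make_dump(BASE_B)
    rvas = find_relocation_rvas(dump_a, BASE_A, dump_b, BASE_B)
    reloc = build_reloc_section(rvas)
    rebased = apply_relocations(dump_a, reloc, BASE_A, BASE_B)
    return rvas, reloc, rebased == dump_b

if __name__ == "__main__":
    rvas, reloc, ok = rebuild_and_verify()
    print([hex(r) for r in rvas], len(reloc), "bytes of .reloc, round-trip ok:", ok)
```

Two caveats follow from the method itself. A dword that differs by the base delta by coincidence is a false positive, and any runtime state the DLL modified between the two dumps (counters, heap pointers, decrypted buffers) will not differ by the delta and is simply ignored, so both dumps should be taken at the same point of execution, after the unpacker stub has finished. The two ImageBases should also be far enough apart that the delta does not collide with small integers that legitimately differ between runs.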