Dean Carlson and Beth Anne Byrd, CpSc 420

 What is reverse engineering?
 Brief History
 Usefulness
 The process
 Bagle Virus example

 “[T]he process of analyzing a subject system to create representations of the system at a higher level of abstraction” (Chikofsky, 1990)
 Going through the software development cycle backwards

 Started as analyzing hardware in an attempt to gain an advantage
 The first time this was applied to a piece of malware was in 1987, when Bernt Fix disassembled and neutralized the Charlie virus

 Analysis of a product
 Recreating lost or nonexistent documentation
 Academic use
 Curiosity
 With malware:
▪ Contain it
▪ Remove it
▪ Prevent it

 Defuse “time bombs”
 Conficker virus
▪ The Y2K of today

1. Set up a controlled, isolated laboratory.
2. Perform behavioral analysis to examine the specimen’s interactions with its environment.
3. Perform static code analysis to further understand the specimen’s inner workings.
4. Perform dynamic code analysis to understand the more difficult aspects of the code.
5. If necessary, unpack the specimen.
6. Repeat steps 2, 3, and 4 (order may vary) until sufficient analysis objectives are met.
7. Document findings and clean up the laboratory for future analysis.

 HOST: Windows XP in a virtual machine
 DataRescue IDA Pro
 Microsoft Visual C++
▪ Dumpbin
 UltraEdit
 SERVER: Solaris 9 (SPARC)
 Snoop
 BIND (DNS)
 GCC
 GDB

 The and DNS programs on the server were set up to log all of their activity and network traffic, so that the virus could be observed interacting with the server.

 Open in IDA Pro
 Breaks it down into assembly and hex

 Open in dumpbin to determine the file type
 PE (Portable Executable)
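The file-type check that dumpbin performs can be reproduced by reading the DOS and COFF headers directly. This is an added example, not code from the slides; the sample image it builds is constructed inline and is only a header, not a runnable program.

```python
import struct

# IMAGE_FILE_HEADER.Machine values and the DLL characteristic bit, per the PE/COFF spec.
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000

def identify_pe(data: bytes) -> dict:
    """Return basic header facts for a PE image; raise ValueError for anything else."""
    # Step 1: the DOS stub starts with "MZ" and stores e_lfanew at offset 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Step 2: e_lfanew must point inside the file at "PE\0\0" followed by the
    # 20-byte COFF file header (bounds-checked so a bad offset cannot be read past).
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad e_lfanew or PE signature")
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_hdr_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, f"unknown(0x{machine:X})"),
        "sections": n_sections,
        "timestamp": timestamp,
        "optional_header_size": opt_hdr_size,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }

def is_pe(data: bytes) -> bool:
    """Boolean wrapper: True only if the data carries a well-formed PE header."""
    try:
        identify_pe(data)
        return True
    except ValueError:
        return False

def build_sample_image() -> bytes:
    """Constructed sample: just enough header bytes to exercise identify_pe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the stub
    # Machine=i386, 3 sections, arbitrary timestamp, no symbols, 0xE0 optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE (not a DLL).
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x3FE00000, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    print(identify_pe(build_sample_image()))
    print(is_pe(b"\x7fELF" + b"\0" * 60))   # an ELF header is rejected: False
```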

 Walk through the virus step by step with a debugger and look at register values, especially EAX, EIP and the ZF bit of EFLAGS
 EAX = return values from functions
 ZF = flag used for comparisons and decisions
 EIP = useful for thread usage

 Use IDA to chart subroutines

 Use IDA to identify function parameters and variables
 arg_8 can be accessed by adding “10h” to the EBP register (i.e. [ebp+10h])

 Multiple threads
 The Extended Instruction Pointer (EIP) doesn’t follow new threads unless specified

 The Bagle virus was not packed (compressed or encrypted)
 It also was not polymorphic
▪ Polymorphic code changes its assembly, usually by inserting NOP (“no-op”) instructions, which changes the virus signature without changing its effectiveness
 The Bagle virus has many removal tools
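The detection side of the polymorphism point above: a signature over raw bytes breaks as soon as NOPs are inserted, while a signature computed after NOP normalization still matches. This is an added example, not from the slides; the two byte strings are constructed (a generic prologue plus a call), not bytes from Bagle.

```python
import hashlib

# Constructed x86 bytes: "push ebp; mov ebp,esp; sub esp,10h; call rel32".
ORIGINAL = bytes.fromhex("55 89e5 83ec10 e800000000")
# The same instructions with NOPs (0x90 and the two-byte 66 90 form) inserted at
# instruction boundaries, as the slide describes for polymorphic variants.
VARIANT = bytes.fromhex("55 90 89e5 6690 83ec10 9090 e800000000")

NOP_FORMS = (b"\x66\x90", b"\x90")   # longest form first so "66 90" is not split

def strip_nops(code: bytes) -> bytes:
    """Byte-level NOP normalization. Caveat: a 0x90 that is an operand byte (e.g. part
    of an immediate) would be dropped too; a real scanner normalizes after disassembly."""
    out, i = bytearray(), 0
    while i < len(code):
        for nop in NOP_FORMS:
            if code.startswith(nop, i):
                i += len(nop)
                break
        else:
            out.append(code[i])
            i += 1
    return bytes(out)

def exact_signature(code: bytes) -> str:
    """Signature of the raw bytes: defeated by any inserted NOP."""
    return hashlib.sha256(code).hexdigest()

def normalized_signature(code: bytes) -> str:
    """Signature of the NOP-stripped bytes: survives NOP-insertion variants."""
    return hashlib.sha256(strip_nops(code)).hexdigest()

def detect(sample: bytes, known: bytes) -> dict:
    """Report whether a sample matches a known specimen under each signature scheme."""
    return {
        "exact": exact_signature(sample) == exact_signature(known),
        "normalized": normalized_signature(sample) == normalized_signature(known),
    }

if __name__ == "__main__":
    print(detect(ORIGINAL, ORIGINAL))   # {'exact': True, 'normalized': True}
    print(detect(VARIANT, ORIGINAL))    # {'exact': False, 'normalized': True}
```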

 Reverse engineering malware started in 1987
 It is good to contain, remove, and prevent malware
 7 steps:
1. Set up lab
2. Behavioral analysis
3. Static code analysis
4. Dynamic code analysis
5. Unpack
6. Repeat steps 2, 3, and 4
7. Document and clean up