Analyzing Malicious Code Nicolas Brulez Ryan Russell Disassembly with a time constraint Recon 2005.
Major Analysis Methods
- Sacrificial lamb
- Resource monitoring
  – Filemon, Regmon, Ethereal
- Disassembly
  – Including light debugging
- BinDiff

Focus on Disassembly
- Gives the most complete picture
- Allows reuse of code fragments
- Enables modification for research
- Unfortunately, can also be the slowest method

Purpose of Disassembly
- Understanding! You are trying to get the binary into your head
- Most of the time you are NOT trying to modify the binary, find a vulnerability, or fix and improve it

Contrast With
- Cracking
- Vulnerability research
- Debugging
- Borrowing algorithms and methods

Why MC (Malicious Code) Analysis is easy (easier than porting Linux to a closed device)
- We don't need to patch the binary
- We already know some of what it does
- We can make big sweeping assumptions
- We can skip big sections of code

Bottom-up Analysis
- Yes, we use IDA Pro
- Identify sections that give you the biggest impact
- Try to start with the most commonly-used pieces
- Stick to the program flow you need to know about

Priority
- Library functions
- Imports
- Function prototypes
- Entry points
- Interesting calls
  – LoadLibrary, network, rand, registry, file, CreateThread
- Structure cleanup (SEH, fragments, etc.)

Unpacked Demo
- Hotworld
- Special thanks to Zone Labs for assistance with this trojan

My Conventions
- Bottom-up, identify RETNs first
- Mark loops
- Name vars
- Naming convention
  – TO meaning or FROM meaning
- Copious comments, manually trace register values

Barriers
- Packing/crypting
- Higher-level languages/object orientation
- P-Code
- Self-modification

Packed Demo - Intro
- Michael Jackson trojan

Unpacking - Nico

Unpacking PE Files
- Unpacking knowledge is very handy for a reverse engineer.
- A lot of files are packed nowadays, especially malware.
- There are a LOT of different PE packers and PE protectors.

Is my file Packed/Protected?
- Is the last section executable?
- Is the first section writable?
- Is the first section's raw size zero?
- Is the Entry Point located in the last section?

Is my file Packed/Protected?
- Check the section names
- Check the Import Table: very few imported functions?
- Check the strings: no strings at all?
- Is the Raw Size way smaller than the Virtual Size? Compressed!

Is my file Packed/Protected?
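The section-header and size heuristics from the two slides above, as an added example that is not part of the talk: a small Python script that reads the PE headers directly (no pefile dependency) and reports which indicators fire. The two sample headers (a UPX-style layout and a plain compiler layout) are constructed inline for the demonstration, not taken from the demos in the talk.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section dicts) from raw PE32/PE32+ bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):                                # 40-byte IMAGE_SECTION_HEADERs
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": hdr[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": hdr[1], "va": hdr[2], "rawsize": hdr[3], "chars": hdr[9]})
    return entry, sections

def packing_indicators(data):
    """Apply the slides' packer heuristics; returns the list of indicators that fire."""
    entry, secs = parse_pe(data)
    first, last = secs[0], secs[-1]
    hits = [msg for cond, msg in (
        (last["chars"] & IMAGE_SCN_MEM_EXECUTE, "last section is executable"),
        (first["chars"] & IMAGE_SCN_MEM_WRITE, "first section is writable"),
        (first["rawsize"] == 0, "first section has zero raw size"),
        (last["va"] <= entry < last["va"] + max(last["vsize"], last["rawsize"]),
         "entry point lies in the last section")) if cond]
    for s in secs:  # zero raw size is reported above; here: data on disk far smaller than mapped
        if s["rawsize"] and s["vsize"] > 4 * s["rawsize"]:
            hits.append(f"{s['name']}: virtual size {s['vsize']:#x} >> raw size {s['rawsize']:#x}")
    return hits

def build_sample(sections, entry):
    """Constructed PE32 header (headers only, no code) so the checks can run offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)    # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(224, b"\0")  # PE32 magic, entry at +16
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, ch)
                        for n, vs, va, rs, ch in sections)
    return dos + b"PE\0\0" + file_hdr + opt + sec_hdrs

# Constructed samples, fields are (name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics)
PACKED = build_sample([("UPX0", 0x10000, 0x1000, 0, 0xE0000080),
                       ("UPX1", 0x4000, 0x11000, 0x3000, 0xE0000040)], entry=0x14000)
CLEAN = build_sample([(".text", 0x2000, 0x1000, 0x2000, 0x60000020),
                      (".data", 0x1000, 0x3000, 0x1000, 0xC0000040)], entry=0x1100)
```

Run `packing_indicators(open("sample.exe", "rb").read())` on a real file; the indicators are hints to weigh together, not proof of packing, since .NET, installers and some compilers trip individual checks.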

Basic Unpacking Methods
- Find the Original Entry Point
  – Trace slowly until you jump to the real program code.
  – Use static disassembly to find the jump to the original entry point.
  – Smart use of hardware breakpoints.
  – Breakpoints on API functions.
- Dump the process to disk

Basic Unpacking Methods
- Reconstruct the Import Table
  ➔ Trace the packer and find where the IAT handling is, so you can grab information about the import table and, eventually, reconstruct it manually.
  ➔ Or just use Import Reconstructor to rebuild the import table and get rid of the boring work.

Unpacking Demo

Questions?

Thank you! Ryan Russell – Nicolas Brulez -