Presentation is loading. Please wait.

Presentation is loading. Please wait.

Semi-Automatic Unpacking on IA-32 Using OllyBonE Joe Stewart.

Published byGladys Davis Modified over 8 years ago

Similar presentations

Presentation on theme: "Semi-Automatic Unpacking on IA-32 Using OllyBonE Joe Stewart."— Presentation transcript:

1 Semi-Automatic Unpacking on IA-32 Using OllyBonE Joe Stewart

2 Introduction Packers – so many to reverse-engineer, so little time! We've got a lot of malware to analyze, we need to spend our time looking at the malicious code, not the packer Let's take a look at how it's being done now...

3 The Hard Way Painstakingly reverse-engineer the packer code Write an unpacking engine to handle the specific algorithms/tricks of the code Who has time for this? Even AV companies have a hard time keeping up with every version of every packer Even if they could, the scanner engine gets increasingly bloated

4 The Expensive Way Buy (or write) an emulation engine which can pretend to execute the code and unpack it along the way Then you only have to deal with minor variations/tricks in the code A lot of time to write, and even more time to maintain (therefore usually not free)

5 Cheating Just run the code on a goat system and dump it from memory after it's unpacked Doesn't give us a clean starting image – variables in memory which have changed since the start of execution are now dumped at their current value Where is the OEP?

6 Simplifying it all Most (not all) unpacking code works the same way from a high-level view Code is packed/encrypted, and a stub section is added to the end The EntryPoint in the PE header now points to the stub Unpacking code runs, unpacks the other sections, then jumps to the code section

7 Most common packing method

8 Your wishlist How many times have you wished for a way to set a breakpoint in OllyDbg on an entire section of code? Well, of course you can already do this – but this is break-on-access The stub code has to write to the section you're going to execute So you'd be breaking thousands of times before it executed Might as well trace it if you're going to do that

9 Tracing What's wrong with tracing? Oldest trick in the book Trivially detected Can be sloooowwwww... So, you say, “I wish I had a simple way to just break on execution of a memory section, without all that tracing...”

10 OllyBonE OllyBonE = Break on Execute for Olly! How is this possible? X86 architecture at least doesn't allow for NX without a special CPU But wait, this problem was already solved for stack/heap overflows, by the PaX project So, we adapt the idea of protecting stack/heap to protecting arbitrary pages of memory

11 PaX Review We all know how PaX works, right? VA translation lookaside buffers x86 architecture uses separate TLBs DTLB for read/write ITLB for execution We can cache one and not the other – let the OS read the stack, but kill process if it tries to execute it Marks pages by overloading the meaning of the user/supervisor PTE bit

12 Making it work as an unpacker Instead of protecting the stack/heap from execution, we protect all pages of a target PE section in memory Instead of killing the process on execution attempt, we jump from the page fault handler to the INT1 handler This raises a single-step exception inside OllyDbg – returning control to us

13 OllyBonE Architecture OllyBonE.dll - OllyDbg plugin ollybone.sys – kernel driver, implements arbitrary PaX-like page protection OllyBonE interfaces with ollybone.sys via IOCTL, tells it what page of virtual memory to protect or un-protect

14 Internals Data access Unpacking program attempts to write to target section VA translation is not already cached; page table walk generates page fault Our page fault handler checks to see if page fault is our fault If so, check to see if this is a data access (faulting address != EIP) If so, toggle the PTE bit, then read from the page in order to cache the DTLB entry Toggle the PTE entry back to original state

15 Internals 2 Instruction (execute) access Unpacking program attempts to execute code in target section VA translation is not already cached; page table walk generates page fault Our page fault handler checks to see if page fault is our fault If so, check to see if execute access (faulting address == EIP) If so, pop extra argument off the stack and jump to INT1 handler

16 Virtual Machines Virtual machines don't always correctly implement the IA-32 TLBs VMs that can run OllyBone: Known to work: VMWare Doesn't work: Bochs Qemu Unknown: Microsoft Virtual PC

17 Using OllyBonE Usage is straightforward Load target EXE in OllyDbg Locate potential final code segment Toggle break-on-execute flag Run Program encounters INT1 (single-step break) when trying to execute protected page Control is passed back to OllyDbg We are at the OEP, unpacked (hopefully)

18 Demonstration Video demo Brought to you by xvidcap & Cinelerra-CV Cinelerra-CV needs more developers! Help out at http://cvs.cinelerra.org/http://cvs.cinelerra.org/ Special thanks go to Piotr Bania for providing a copy of his packed sample library to demonstrate on http://www.piotrbania.com/

19 Pitfalls Problems with running code under debugger are not solved So packers with anti-debugging code will have to be thwarted in other ways Packers which dynamically unpack code as the program is run will not fall prey to this type of attack But there aren't many of those

20 Evasion Once the packer author knows what we are doing, they can change the code to work differently For example, appending the stub code as part of the code section, instead of a whole new section But, we could still get finer-grained with our page protection

21 Evasion 2 Packer could detect ollybone.sys in the loaded drivers list or even send its own IOCTL to un-protect the code section Use the source, Luke! Change the naming convention and IOCTL numbers and recompile Affecting memory permissions via VirtualProtect? May need to maintain marker bit during execution, or hook VirtualProtect

22 Code You can download OllyBonE right now: http://www.joestewart.org/ollybone/ Code is released under the GNU GPL TODO: Implement break-on-execute for heap/stack locations Implement break-on-execute for shared DLL memory sections Force Copy-on-Write, then set BoE?

23 Q & A Joe Stewart Senior Security Researcher LURHQ

Download ppt "Semi-Automatic Unpacking on IA-32 Using OllyBonE Joe Stewart."

Similar presentations

Pokas x86 Emulator for Generic Unpacking By Amr Thabet

Pokas x86 Emulator for Generic Unpacking By Amr Thabet
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
May 7, 20151 A Real Problem  What if you wanted to run a program that needs more memory than you have?

May 7, A Real Problem  What if you wanted to run a program that needs more memory than you have?
1 A Real Problem  What if you wanted to run a program that needs more memory than you have?

1 A Real Problem  What if you wanted to run a program that needs more memory than you have?
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
Memory Management (II)

Memory Management (II)
Operating System Support Focus on Architecture

Operating System Support Focus on Architecture
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.

CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.

Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
Translation Buffers (TLB’s)

Translation Buffers (TLB’s)
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
Review of Memory Management, Virtual Memory CS448.

Review of Memory Management, Virtual Memory CS448.
CS 153 Design of Operating Systems Spring 2015 Lecture 17: Paging.

CS 153 Design of Operating Systems Spring 2015 Lecture 17: Paging.
Memory Management – Page 1 of 49CSCI 4717 – Computer Architecture Memory Management Uni-program – memory split into two parts –One for Operating System.

Memory Management – Page 1 of 49CSCI 4717 – Computer Architecture Memory Management Uni-program – memory split into two parts –One for Operating System.
Executable Unpacking using Dynamic Binary Instrumentation Shubham Bansal (iN3O) Feb 2015 UndoPack 1.

Executable Unpacking using Dynamic Binary Instrumentation Shubham Bansal (iN3O) Feb 2015 UndoPack 1.
Operating Systems Lecture 7 OS Potpourri Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software.

Operating Systems Lecture 7 OS Potpourri Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software.
Virtual Memory Expanding Memory Multiple Concurrent Processes.

Virtual Memory Expanding Memory Multiple Concurrent Processes.

Similar presentations

Ads by Google