Presentation is loading. Please wait.

Presentation is loading. Please wait.

R4H Reversing for Humans

Published byJanis Greene Modified over 6 years ago

Similar presentations

Presentation on theme: "R4H Reversing for Humans"— Presentation transcript:

1 R4H Reversing for Humans
Juan C. Cortes @kongo_86

2 Outline About me Intro Why we reverse things? Purpose
Malware Intro x 10 Tools Reversing Time

3 About Me Malware Researcher & Reverser @ <3‘s
redbull, chocolate covered expresso beans, assembly, learning

4 Intro Reversing is hard… There is a load of malware
We all want to save the world

5 Why RE all the things?

6 Why do we RE things? Reverse engineering:
disassemble and examine or analyze in detail (as a product or device) to discover the concepts involved in manufacture usually in order to produce something similar JCC Dictionary: Figure out what thing is doing what thing Should be part of some component of YOUR Incident Response Plan

7 Why do we RE things? For me: At the end:
I love the challenge and puzzles. Want to know the What,Why,How of an attacker’s code Slow || Stop their badness At the end:

8 Goal for today

9 What is the goal for today?
Help you reverse faster Help your reversers help you

10 What is the goal for today?
Get better at all things!

11 What is the goal for today?
Help your reversers help you Known what to ask your reversers for Provide CONTEXT. More is better. Offsets, offsets, offsets

12 What is the goal for today?

13 What is this Malware you speak of?

14 What is this Malware you speak of?
Malware is short of malicious software. A general term to describe all forms of malicious software Worms Virus Backdoors||Trojans (ransom|spy|ad|scare)ware

15 What is this Malware you speak of?
Malware doesn’t play favorites: Windows OSX Android iOS Linux

16 What is this Malware you speak of?

17 T00ls

18 T00ls Static Dynamic FakeNet InetSim ByteCodeViewer dnSpy

19 Reversing Methodology & Goal

20 Reversing Methodology
Security Event/Alert AV/FW/Webfilter Notifications Basic Static Analysis Inspect PE file Public Resources Dynamic/Behavioral Analysis Sandbox Execution in VM Advanced Analysis Debugging Disassembling Code Analysis

21 Reversing with a Goal Why are you reversing it? What do you want?
-no meme fail.sorry

22 Reversing Time

23 Sample #1 Hi friend, I've got a DLL with export 'CI' which beacons to google. c00lguy1 c00lguy2 Hi back friend, Ok! Much excite! It looks like it's decoding strings with function

24 Sample #1 2d22bd6df33d18d366686c5b8338dad653dfcb20863a546718f11b17b6a60035

25 Sample #2 Yo friend, fo sho! c00lguy1 c00lguy2
Yo friend, interested in helping me again? Yo friend, fo sho! c00lguy1 c00lguy2 Here's the scenario: PotPlayerMini.exe loads PotPlayer.dll. calls export PreprocessCmdLineExW. That export does 2 things 1) persistence 2) loads update.dat, shellcode Delivered in a self extracting archive so they are all in the same directory when executed Shellcode decodes two buffers. I can’t figure out the second routine. Cool. Give me those Offset & Files

26 Sample #2 cont… c00lguy1 c00lguy2
PotPlayerMini.exe calls PotPlayer.dll code around 4011BB PotPlayer.dll opens update.dat around PotPlayer.dll does the incremental xor at C8 PotPlayer.dll calls the shellcode at DD The shellcode should be at offset 3b0000 in memory The decoding routing I'm curious about begins at 3b1bb3 c00lguy1 c00lguy2

27 Sample #2 76da9d0046fe76fc28b80c4c1062b fd873b7dd781f39491f911e0 71dc3d e0a885d388d54d30770e06664d5cf52a9b5e1c0620d039f29f0

28 Sample #3 I have a case with a cust that did not provide a lot of information. Not even a hash. They gave me a screenshot of a google search Can you help? guy1 c00lguy2 Um... No hash? Um... No sample?

29 Sample #3 c00lguyA c00lguy2 Hey! I seen this!
It is suppose to do the following... But according to cuckoo is not doing anything. Here is an analysis of someone in Chinese. c00lguyA c00lguy2 Thank the InternetGods for Google Translate.

30 Sample #3

31 Sample #3

Download ppt "R4H Reversing for Humans"

Similar presentations

Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.

.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.

Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.

2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Automated Malware Analysis

Automated Malware Analysis
© 2004 Cisco Systems, Inc. All rights reserved. Managing Your Network Environment Managing Router Startup and Configuration INTRO v2.0—9-1.

© 2004 Cisco Systems, Inc. All rights reserved. Managing Your Network Environment Managing Router Startup and Configuration INTRO v2.0—9-1.
Presentation By Deepak Katta

Presentation By Deepak Katta
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.

Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Lecture 14: Operating Systems Intro to IT COSC1078 Introduction to Information Technology Lecture 14 Operating Systems James Harland

Lecture 14: Operating Systems Intro to IT COSC1078 Introduction to Information Technology Lecture 14 Operating Systems James Harland
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.

Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Binary Auditing Geller Bedoya Michael Wozniak. Background  Binary auditing is a technique used to test the security and discover the inner workings of.

Binary Auditing Geller Bedoya Michael Wozniak. Background  Binary auditing is a technique used to test the security and discover the inner workings of.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.
Malware Dynamic Analysis Veronica Kovah vkovah.ost at gmail See notes for citation1

Malware Dynamic Analysis Veronica Kovah vkovah.ost at gmail See notes for citation1
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.

Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.

Similar presentations

Ads by Google