Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Malicious Code Nicolas Brulez Ryan Russell Disassembly with a time constraint Recon 2005.

Published byJoel Mathews Modified over 9 years ago

Similar presentations

Presentation on theme: "Analyzing Malicious Code Nicolas Brulez Ryan Russell Disassembly with a time constraint Recon 2005."— Presentation transcript:

1 Analyzing Malicious Code Nicolas Brulez Ryan Russell Disassembly with a time constraint Recon 2005

2 Major Analysis Methods Sacrificial Lamb Resource Monitoring –Filemon, Regmon, Ethereal Disassembly –Including light debugging BinDiff

3 Focus on Disassembly Gives the most complete picture Allows reuse of code fragments Enables modification for research Unfortunately, can also be the slowest method

4 Purpose of Disassembly Understanding! You are trying to get the binary into your head Most of the time you are NOT trying to modify the binary, find a vulnerability, or fix and improve it

5 Contrast With Cracking Vulnerability research Debugging Borrowing algorithms and methods

6 Why MC Analysis is easy (Easier than porting Linux to a closed device) We don’t need to patch the binary We already know some of what it does We can make big sweeping assumptions We can skip big sections of code

7 Bottom-up Analysis Yes, we use IDA Pro Identify sections that give you the biggest impact Try to start with the most commonly-used pieces Stick to the program flow you need to know about

8 Priority Library Functions Imports Function Prototypes Entry Points Interesting calls –LoadLibrary, network, rand, registry, file, CreateThread Structure cleanup (SEH, fragments, etc…)

9 Unpacked Demo Hotworld Special thanks to Zone Labs for assistance with this trojan

10 My Conventions Bottom-up, identify RETNs first Mark loops Name vars Naming convention –TO meaning or FROM meaning Copious comments, manually trace register values

11 Barriers Packing/crypting Higher-level languages/Object Orientation P-Code Self-modification

12 Packed Demo - Intro Michael Jackson trojan

13 Unpacking - Nico

14 Unpacking PE Files Unpacking knowledge is very handy for a Reverse Engineer. A lot of files are packed nowadays. Especially malware. There are a LOT of different PE packers and PE protectors.

15 Is my file Packed/Protected? Is the last section executable ? Is the first section writeable ? Is the first section's rawsize null ? Is the Entry Point starting in the last section ?

16 Is my file Packed/Protected? Check the section names Check the Import Table : Very few imported functions ? Check the strings : no strings at all ? Is the Raw Size way smaller than the Virtual Size? Compressed!

17 Is my file Packed/Protected?

18

19 Basic Unpacking Methods Find the Original Entry Point Trace slowly until you jump to the real program code. Use Static Disassembly to find the jump to original entry point. Smart use of hardware breakpoints. Breakpoints on API Functions. Dump the Process to disk

20 Basic Unpacking Methods Reconstruct the Import Table ➔ Trace the packer and find where the IAT handling is, so you can grab information about the import table and reconstruct it manually, eventually. ➔ You can just use Import Reconstructor to reconstruct the import table and get ride of the boring work.

21 Unpacking Demo

22 Questions?

23 Thank you! Ryan Russell – ryan@thievco.com Nicolas Brulez - nico@recon.cx

Download ppt "Analyzing Malicious Code Nicolas Brulez Ryan Russell Disassembly with a time constraint Recon 2005."

Similar presentations

Pokas x86 Emulator for Generic Unpacking By Amr Thabet

Pokas x86 Emulator for Generic Unpacking By Amr Thabet
1/1/ / faculty of Electrical Engineering eindhoven university of technology Memory Management and Protection Part 3:Virtual memory, mode switching, 80286.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Memory Management and Protection Part 3:Virtual memory, mode switching,
Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
A look at interrupts What are interrupts and why are they needed.

A look at interrupts What are interrupts and why are they needed.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example.

Dean Carlson and Beth Anne Byrd CpSc 420.  What is reverse engineering?  Brief History  Usefulness  The process  Bagle Virus example.
Investigating Malicious Software Steve Romig The Ohio State University April 2002.

Investigating Malicious Software Steve Romig The Ohio State University April 2002.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.

Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.
Designing a Virtual Machine. Basic Approach Object-oriented design Try to model the hardware. Seek a level of detail that is appropriate for interpretation.

Designing a Virtual Machine. Basic Approach Object-oriented design Try to model the hardware. Seek a level of detail that is appropriate for interpretation.
Reverse Engineering Ian Kayne For School of Computer Science, University of Birmingham 2 nd February 2009.

Reverse Engineering Ian Kayne For School of Computer Science, University of Birmingham 2 nd February 2009.
OllyDbg Debuger.

OllyDbg Debuger.
SRE  Introduction 1 Software Reverse Engineering (SRE)

SRE  Introduction 1 Software Reverse Engineering (SRE)
MutantX-S: Scalable Malware Clustering Based on Static Features Xin Hu, IBM T.J. Watson Research Center; Sandeep Bhatkar and Kent Griffin, Symantec Research.

MutantX-S: Scalable Malware Clustering Based on Static Features Xin Hu, IBM T.J. Watson Research Center; Sandeep Bhatkar and Kent Griffin, Symantec Research.
Unit Testing & Defensive Programming. F-22 Raptor Fighter.

Unit Testing & Defensive Programming. F-22 Raptor Fighter.
Software Analysis & Deobfuscation Engine. Page  2  Project Name: SADE  Project Members: Faiza Khalid, Komal Babar and Abdul Wahab  Project Supervisor.

Software Analysis & Deobfuscation Engine. Page  2  Project Name: SADE  Project Members: Faiza Khalid, Komal Babar and Abdul Wahab  Project Supervisor.
Part 5: Anti-Reverse-Engineering Chapter 15: Anti-Disassembly Chapter 16: Anti-Debugging Chapter 17: Anti-Virtual Machine Techniques Chapter 18: Packing.

Part 5: Anti-Reverse-Engineering Chapter 15: Anti-Disassembly Chapter 16: Anti-Debugging Chapter 17: Anti-Virtual Machine Techniques Chapter 18: Packing.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Similar presentations

Ads by Google