64-bit Imports Rebuilding and Unpacking - Sébastien Doucet

Slideshow transcript

Slide 1: www.IITAC.org 64-bit Imports Rebuilding and Unpacking Sébastien Doucet [doucet@iitac.org] SHOW YOUR PROVEN EXCELLENCE WITH A CERTIFICATE ACCORDING TO ISO 17024! …MORE EFFICIENCY WITH “ACTION BASED TRAINING” ®

Slide 2: Who am I?
- Trainer and Binary Auditor for IITAC
- Moderator at the reverse-engineering.net forum
- Co-founder of video.reverse-engineering.net
- Evil moderator at crackmes.de
- Member of ARTeam

Slide 3: What is CHimpREC?
- 32 and 64-bit imports rebuilder
- Improved version of ImpREC
- Fixes many existing bugs
- Introduces new features
- Made especially for WoW64 compatibility
- Allows for an all-in-one version

Slide 4: What is CHimpREC?

Slide 5: Why do this project?
- ImpREC is getting older.
- There is no public 64-bit imports rebuilder freely available on the internet right now.
- I was curious. I am a reverser. It's what I do.
- Somebody had to do it. That person happened to be me.

Slide 6: Why do this now? (cartoon: "6 months later...", "1 month later...", "1 year later..."; speech bubbles: "Geez... Somebody should really be cutting the grass..." and a mumbled reply)

Slide 7: Overview
- Part 1: Basics of unpacking
- Part 2: Making a 32-bit imports rebuilder
- Part 3: Evolution to 64-bit
- Part 4: 2 live 64-bit unpacking sessions

Slide 8: Part 1: Basics of unpacking
- How simple packers work
- General unpacking theory
- Limitations of ImpREC:
  - Bugs with Vista ASLR
  - Bugs with Vista x64 SP1 (WoW64)

Slide 9: How simple packers work (diagram labels: Entry Point, Program, IAT, Import Directory; Unpacker Stub, Unpacker IAT, Import Directory)

Slide 10: General unpacking theory (diagram labels: Program, IAT, Import Directory, Entry Point; Unpacker Stub, Unpacker IAT, Import Directory; a second Import Directory)

Slide 11: Limitations of ImpREC: XP or Vista w/o ASLR

Slide 12: Limitations of ImpREC: Vista ASLR

Slide 13: Limitations of ImpREC: Vista ASLR

Slide 14: Limitations of ImpREC: Vista ASLR (diagram labels: GDI32, KERNEL32, USER32)

Slide 15: Limitations of ImpREC: Vista x64 SP1 (WoW64)

Slide 16: Limitations of ImpREC: Vista x64 SP1 (WoW64)

Slide 17: Limitations of ImpREC: Vista x64 SP1 (WoW64). Normal Method: XP or Vista

Slide 18: Limitations of ImpREC: Vista x64 SP1 (WoW64). Normal Method: Vista x64

Slide 19: Limitations of ImpREC: Vista x64 SP1 (WoW64). Microsoft Drunk-on-the-Job Method: Vista x64 SP1

Slide 20: Limitations of ImpREC: Vista x64 SP1 (WoW64)

Slide 21: Part 2: Making a 32-bit imports rebuilder
- Toolhelp32 vs. PSAPI
- Planning efficiently to save time
- 5-step program:
  - Dump
  - IAT AutoSearch
  - Get Imports (Unforwarding)
  - Show Invalid
  - Fix Dump

Slide 22: Toolhelp32 vs. PSAPI
- General purpose APIs (needed by both approaches):
  - OpenProcess
  - ReadProcessMemory
  - VirtualAlloc
  - VirtualProtectEx

Slide 23: Toolhelp32 vs. PSAPI
- Toolhelp32 APIs:
  - CreateToolhelp32Snapshot
  - Process32First
  - Process32Next
  - Module32First
  - Module32Next
  - Toolhelp32ReadProcessMemory

Slides 24-29: Toolhelp32 (screenshot slides; no transcript text)

Slide 30: Toolhelp32 vs. PSAPI
- PSAPI APIs:
  - EnumProcesses
  - EnumProcessModules
  - EnumProcessModulesEx
  - GetModuleInformation
  - GetModuleBaseName
  - GetModuleFileNameEx

Slides 31-36: PSAPI (screenshot slides; no transcript text)

Slide 37: Toolhelp32 vs. PSAPI: Cross-Architecture Compatibility (X = the calling process architecture can enumerate the target process architecture)

API                      | x86 -> x86 | x64 -> x64 | x86 -> x64 | x64 -> x86
-------------------------|------------|------------|------------|-----------
CreateToolhelp32Snapshot | X          | X          | (the slide marks the two cross-architecture cases "><")
EnumProcessModules       | X          | X          |            |
EnumProcessModulesEx     | X          | X          |            | X

Slide 38: Toolhelp32 vs. PSAPI: Windows Version Compatibility

API                      | 95 | 98 | Me | NT4 | 2000 | 2003 | XP | Vista
-------------------------|----|----|----|-----|------|------|----|------
CreateToolhelp32Snapshot | X  | X  | X  |     | X    | X    | X  | X
EnumProcessModules       |    |    |    | X   | X    | X    | X  | X
EnumProcessModulesEx     |    |    |    |     |      |      |    | X

Slide 39: Planning efficiently to save time
- 2 single-architecture versions (x86 OR x64): to each his own
  - API: CreateToolhelp32Snapshot
  - Best OS compatibility range
  - Allows for common project source and headers
- Cross-architecture all-in-one version (x86 AND x64)
  - Made from a different x64 project
  - Requires a 64-bit OS
  - APIs: EnumProcessModules & EnumProcessModulesEx
  - Runs on Vista x64 only

Slide 40: Step 1: Dump
- Copy the memory area of the process to a file
- Done once the process has reached its Original Entry Point (OEP)
- Each section is dumped individually
- Each section's SizeOfRawData is realigned from FileAlignment to SectionAlignment
- PointerToRawData is set equal to VirtualAddress (file offset == RVA)
- All sections are made writable by adding the flag IMAGE_SCN_MEM_WRITE
- VirtualProtectEx is used to set the process memory to PAGE_EXECUTE_READWRITE

Slide 41: Step 1: Dump
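The realignment rules of Step 1, as an added example (not code from CHimpREC or from the slides): it rewrites a section table the way a dumper must, copies each section out of a constructed in-memory image so that file offset equals RVA, and reads the table back to check the result. Section names, RVAs, the section-table offset and the marker bytes are invented; a real dumper fills the memory buffer with ReadProcessMemory after VirtualProtectEx has made every page readable.

```python
import struct

# Constructed example layout (not from the slides): FileAlignment 0x200,
# SectionAlignment 0x1000, three sections.
FILE_ALIGNMENT = 0x200
SECTION_ALIGNMENT = 0x1000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def realign_section(name, virtual_size, virtual_address, characteristics):
    """Header fields for a section that is being dumped from memory.

    The packed file's SizeOfRawData/PointerToRawData described the packed
    data, which is gone once the stub has run, so both are derived from the
    in-memory layout: SizeOfRawData becomes VirtualSize rounded up to
    SectionAlignment (not FileAlignment), PointerToRawData becomes the RVA,
    and IMAGE_SCN_MEM_WRITE is added because the dumper cannot tell which
    pages the stub wrote before reaching the OEP.
    """
    raw_size = align_up(virtual_size, SECTION_ALIGNMENT)
    return struct.pack(
        SECTION_HEADER_FMT,
        name.ljust(8, b"\0")[:8],
        virtual_size,
        virtual_address,
        raw_size,
        virtual_address,            # PointerToRawData == VirtualAddress
        0, 0, 0, 0,
        characteristics | IMAGE_SCN_MEM_WRITE,
    )


def dump_image(memory, section_table_offset, sections):
    """Build a dump file from an in-memory image.

    memory: the loaded image starting at ImageBase (a constructed blob here;
            a real dumper reads it out of the process at the OEP).
    section_table_offset: where the section headers sit inside the headers.
    sections: [(name, VirtualSize, VirtualAddress, Characteristics), ...]
              in ascending RVA order.
    The headers are copied as they are in memory, the section table is
    rewritten, then every section is copied so that file offset == RVA.
    """
    first_rva = min(va for _, _, va, _ in sections)
    dump = bytearray(memory[:first_rva])
    table = b"".join(realign_section(*sec) for sec in sections)
    dump[section_table_offset:section_table_offset + len(table)] = table
    for _, vsize, va, _ in sections:
        end = va + align_up(vsize, SECTION_ALIGNMENT)
        dump += b"\0" * max(0, end - len(dump))
        dump[va:end] = memory[va:end].ljust(end - va, b"\0")
    return bytes(dump)


def parse_section_table(dump, section_table_offset, count):
    """Read the section table back so the dump can be checked."""
    out = []
    for i in range(count):
        off = section_table_offset + 40 * i
        f = struct.unpack(SECTION_HEADER_FMT, dump[off:off + 40])
        out.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                    "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return out


# Constructed sample: hypothetical section layout and a few marker bytes.
SAMPLE_SECTIONS = [
    (b".text", 0x0A40, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x0310, 0x2000, IMAGE_SCN_MEM_READ),
    (b".data", 0x1234, 0x3000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
SECTION_TABLE_OFFSET = 0x1A8      # hypothetical; a real tool reads it from the PE headers
_mem = bytearray(0x5000)
_mem[:2] = b"MZ"
_mem[0x1000:0x1005] = b"\x55\x8B\xEC\x33\xC0"   # fake code at the start of .text
_mem[0x3000:0x3004] = b"DATA"
SAMPLE_MEMORY = bytes(_mem)


def sample_dump():
    return dump_image(SAMPLE_MEMORY, SECTION_TABLE_OFFSET, SAMPLE_SECTIONS)


if __name__ == "__main__":
    for s in parse_section_table(sample_dump(), SECTION_TABLE_OFFSET, len(SAMPLE_SECTIONS)):
        print(s)
```

Because PointerToRawData equals VirtualAddress, the dump is simply the memory image written out linearly; the only work is the header rewrite. Leaving SizeOfRawData at the packed file's value, or aligned to FileAlignment, makes the loader map a truncated section and is the usual cause of a dump that crashes before reaching the OEP.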

Slide 42: Step 2: IAT AutoSearch
- Byte-pattern search (a linear scan of the code bytes, not a disassembly) for indirect call opcodes, i.e. loads of an IAT slot into a register:
  - 8B0D MOV ECX,[ADDRESS]
  - 8B15 MOV EDX,[ADDRESS]
  - 8B1D MOV EBX,[ADDRESS]
  - 8B25 MOV ESP,[ADDRESS]
  - 8B2D MOV EBP,[ADDRESS]
  - 8B35 MOV ESI,[ADDRESS]
  - 8B3D MOV EDI,[ADDRESS]
  - A1 MOV EAX,[ADDRESS]

Slide 43: Step 2: IAT AutoSearch
- Byte-pattern search for direct call opcodes:
  - FF15 CALL [ADDRESS]
  - FF25 JMP [ADDRESS]
  - FF35 PUSH [ADDRESS]
- The search ignores relative calls (E8 rel32), which carry no IAT address
- Starting from ImageBase or EntryPoint
- A found call must lead to a valid import: the slot it references must hold the address of an exported function in a loaded module
- Search up for the beginning of the IAT
- Search down for the end of the IAT
- Just like trying to identify a weird object in the dark

Slide 44: Step 2: IAT AutoSearch

Slide 45: Step 2: IAT AutoSearch

Slide 46: Step 3: Get Imports
- Identify the elements of the IAT in the specified range
- Exactly the contrary of GetProcAddress: from an address, find the module and the export name or ordinal
- Using custom-made reusable functions:
  - GetProcModuleName
  - GetProcName
  - GetProcOrdinal
  - GetProcNameAndOrdinal
  - GetProcInfo
  - Unforward

Slide 47: Step 3: Get Imports (Unforwarding)
- A forwarded export's entry point is not code but a string ("MODULE.Name" or "MODULE.#ordinal") naming the export that really implements it
- Imports are forwarded for compatibility between all the different versions of Windows
- If an import can be unforwarded, it doesn't mean that it really was forwarded: the address in the IAT belongs to the target module either way
- There are many false-positives
- The context must be analysed with some fuzzy logic
- Could be called guessing too

Slide 48: Step 3: Get Imports (Unforwarding)

Slide 49: Step 3: Get Imports (Unforwarding)

Slide 50: Step 3: Get Imports (Unforwarding): False-positives

Slide 51: Step 3: Get Imports (Unforwarding): Forwarding by ordinal
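The reverse GetProcAddress of Step 3 and the unforwarding false-positive of slides 47 to 51, as an added example (not CHimpREC's GetProcInfo or Unforward): constructed export tables for two modules in which some KERNEL32 exports forward to NTDLL by name or by ordinal, a resolver that follows forwarders the way the loader does, a reverse map from address to every (module, name) that reaches it, and the context rule that picks one of them. All RVAs, ordinals and module bases are invented.

```python
# Constructed export tables (not from the slides): RVAs and ordinals are
# invented, but the forwarder strings use the real "MODULE.Name" and
# "MODULE.#ordinal" syntax found in export directories.
MODULE_BASE = {"KERNEL32.dll": 0x7C800000, "NTDLL.dll": 0x7C900000}
EXPORTS = {   # module -> [(ordinal, name, RVA or forwarder string)]
    "NTDLL.dll": [
        (1, "NtClose", 0x0510),
        (2, "RtlAllocateHeap", 0x0C3A),
        (3, "RtlEnterCriticalSection", 0x0F00),
        (4, "RtlFreeHeap", 0x0C80),
    ],
    "KERNEL32.dll": [
        (1, "CreateFileA", 0x1A24),
        (2, "EnterCriticalSection", "NTDLL.RtlEnterCriticalSection"),
        (3, "GetTickCount", 0x2B10),
        (4, "HeapAlloc", "NTDLL.RtlAllocateHeap"),
        (5, "HeapFree", "NTDLL.#4"),          # forwarded by ordinal
    ],
}


def parse_forwarder(text):
    """'NTDLL.RtlAllocateHeap' -> ('NTDLL.dll', 'RtlAllocateHeap', None);
    'NTDLL.#4' -> ('NTDLL.dll', None, 4).  The .dll extension is implied."""
    module, _, target = text.partition(".")
    key = next(k for k in EXPORTS if k.upper() == module.upper() + ".DLL")
    if target.startswith("#"):
        return key, None, int(target[1:])
    return key, target, None


def resolve_export(module, name=None, ordinal=None, depth=0):
    """GetProcAddress as the loader does it: follow forwarders to the module
    that really owns the code and return that virtual address."""
    if depth > 8:
        raise ValueError("forwarder loop")
    for ordn, nm, value in EXPORTS[module]:
        if (name is not None and nm == name) or (ordinal is not None and ordn == ordinal):
            if isinstance(value, str):
                return resolve_export(*parse_forwarder(value), depth=depth + 1)
            return MODULE_BASE[module] + value
    raise KeyError((module, name, ordinal))


def build_reverse_map():
    """The contrary of GetProcAddress: address -> every (module, name, forwarded)
    whose export resolves there, the owning module first."""
    rmap = {}
    for module, entries in EXPORTS.items():
        for _, name, value in entries:
            rmap.setdefault(resolve_export(module, name=name), []).append(
                (module, name, isinstance(value, str)))
    for candidates in rmap.values():
        candidates.sort(key=lambda e: e[2])      # direct owner before forwarders
    return rmap


def identify(addr, context, rmap):
    """Name one IAT slot.  One candidate: done.  Several: the address is the
    target of a forwarder and unforwarding it is a guess, so use the context:
    prefer a module the rest of the IAT already imports from, else the module
    that owns the code.  Returns (module, name) or None."""
    candidates = rmap.get(addr)
    if not candidates:
        return None
    for module, name, _ in candidates:
        if module in context:
            return module, name
    return candidates[0][:2]


def rebuild_imports(iat_values, rmap=None):
    """Two passes over an IAT: unambiguous slots establish which modules the
    program uses, then the ambiguous (forwarded) slots are resolved against
    that context."""
    rmap = rmap or build_reverse_map()
    context = {rmap[v][0][0] for v in iat_values if v in rmap and len(rmap[v]) == 1}
    return [identify(v, context, rmap) for v in iat_values]
```

With the tables above, the slot value 0x7C900C3A is reported as KERNEL32.HeapAlloc when the neighbouring slots are KERNEL32 imports and as NTDLL.RtlAllocateHeap when they are NTDLL imports; the bytes in the IAT are identical in both cases, which is the false-positive the slides warn about. Both answers produce a loadable file, since the loader resolves the forwarder again, so the wrong guess only shows up when someone reads the rebuilt import table.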

Slide 52: Step 4: Show Invalid
- Display unidentified IAT entries
- Text search through the interface
- Check all imports one by one for validity
- Simplest step to implement

Slide 53: Step 5: Fix dump
- Recreate the Import Directory to satisfy the loader
- Restore the original IAT
- Assemble structures that point to each other:
  - IMAGE_IMPORT_DESCRIPTOR
  - IMAGE_IMPORT_BY_NAME
- Like gears in a clock

Slide 54: Step 5: Fix dump (diagram labels: HINT/NAME ARRAY, IMAGE_IMPORT_BY_NAME, IMAGE_IMPORT_DESCRIPTOR)

Slide 55: Part 3: Evolution to 64-bit
- Changes from PE to PE32+ format
- Changes in the imports rebuilding process
- Planned improvements in the near future

Slide 56: Changes from PE to PE32+ format
- All general-purpose registers extended to QWORDs
  - EAX -> RAX
  - ESP -> RSP
- New registers: R8-R15
- All DLLs used must be 64-bit
- BaseOfData has disappeared from the optional header
- New calling convention for APIs

Slide 57: Changes in the imports rebuilding process
- IAT elements are QWORDs
- The thunks that OriginalFirstThunk points to are QWORDs (IMAGE_THUNK_DATA64, ordinal flag in bit 63); the OriginalFirstThunk field itself stays a DWORD RVA
- ImageBase is a QWORD
- Exception handlers are now stored as structures in the PE32+ Exception Directory (.pdata) rather than in stack-linked frames
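Step 5 (slides 53 and 54) carried through for both PE32 and PE32+ (slide 57), as an added example that is not CHimpREC's code: it lays out the IMAGE_IMPORT_DESCRIPTOR array, one OriginalFirstThunk array per DLL and the IMAGE_IMPORT_BY_NAME records, rewrites the program's IAT with the same thunk values, and parses the result back the way the loader walks it. The DLL and function names, the ordinal 2000 and the RVAs 0x2000 (IAT) and 0x4000 (new directory) are invented.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 0x8000000000000000
# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain,
# Name, FirstThunk.  Identical in PE32 and PE32+; only the thunks it points to
# change size.
DESCRIPTOR_FMT = "<IIIII"
DESCRIPTOR_SIZE = struct.calcsize(DESCRIPTOR_FMT)


def read_thunk(image, rva, is64):
    return struct.unpack_from("<Q" if is64 else "<I", image, rva)[0]


def build_import_directory(groups, iat_rva, dir_rva, is64):
    """Lay out a new import directory at dir_rva and a restored IAT at iat_rva.

    groups: [(dll, [name_or_ordinal, ...]), ...] in the order the DLL blocks
            appear in the IAT (each block NULL-terminated, as the IAT search
            found them).
    Layout: descriptors + NULL descriptor, then one INT (OriginalFirstThunk
    array) per DLL, then DLL name strings and IMAGE_IMPORT_BY_NAME records.
    Each descriptor's FirstThunk points into the program's own IAT, whose
    slots get the same thunk values so the loader overwrites them at load.
    Returns (directory_bytes, iat_bytes).
    """
    psize, fmt = (8, "<Q") if is64 else (4, "<I")
    ordinal_flag = IMAGE_ORDINAL_FLAG64 if is64 else IMAGE_ORDINAL_FLAG32
    int_rva = dir_rva + DESCRIPTOR_SIZE * (len(groups) + 1)
    str_rva = int_rva + sum((len(funcs) + 1) * psize for _, funcs in groups)
    descriptors, ints, strings = bytearray(), bytearray(), bytearray()
    cur_int, cur_iat = int_rva, iat_rva
    for dll, funcs in groups:
        name_rva = str_rva + len(strings)
        strings += dll.encode() + b"\0"
        thunks = []
        for f in funcs:
            if isinstance(f, int):
                thunks.append(ordinal_flag | f)          # import by ordinal: top bit set
            else:
                if len(strings) % 2:
                    strings += b"\0"                     # IMAGE_IMPORT_BY_NAME is WORD-aligned
                thunks.append(str_rva + len(strings))    # RVA of the Hint/Name record
                strings += struct.pack("<H", 0) + f.encode() + b"\0"  # Hint 0: loader falls back to name lookup
        thunks.append(0)                                 # block terminator
        block = b"".join(struct.pack(fmt, t) for t in thunks)
        descriptors += struct.pack(DESCRIPTOR_FMT, cur_int, 0, 0, name_rva, cur_iat)
        ints += block
        cur_int += len(block)
        cur_iat += len(block)
    descriptors += struct.pack(DESCRIPTOR_FMT, 0, 0, 0, 0, 0)
    return bytes(descriptors + ints + strings), bytes(ints)


def parse_import_directory(image, dir_rva, is64):
    """Walk the directory the way the loader does, to check the rebuild.
    image is a flat buffer in which offset == RVA (as in a dump)."""
    psize = 8 if is64 else 4
    flag = IMAGE_ORDINAL_FLAG64 if is64 else IMAGE_ORDINAL_FLAG32
    result, off = [], dir_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from(DESCRIPTOR_FMT, image, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        dll = image[name_rva:image.index(b"\0", name_rva)].decode()
        funcs, p = [], (oft or ft)           # the loader prefers the INT when present
        while True:
            t = read_thunk(image, p, is64)
            if t == 0:
                break
            funcs.append(t & 0xFFFF if t & flag else image[t + 2:image.index(b"\0", t + 2)].decode())
            p += psize
        result.append((dll, funcs))
        off += DESCRIPTOR_SIZE
    return result


# Constructed input (hypothetical names; 2000 stands for an import by ordinal).
SAMPLE_GROUPS = [
    ("KERNEL32.dll", ["CreateFileA", "HeapAlloc", "HeapFree"]),
    ("USER32.dll", ["MessageBoxA", 2000]),
]


def rebuild_into_image(is64, iat_rva=0x2000, dir_rva=0x4000, image_size=0x5000):
    """Simulate Step 5 on a blank dump: write the restored IAT and the new
    directory into a flat image and return (image, directory_size)."""
    directory, iat = build_import_directory(SAMPLE_GROUPS, iat_rva, dir_rva, is64)
    image = bytearray(image_size)
    image[iat_rva:iat_rva + len(iat)] = iat
    image[dir_rva:dir_rva + len(directory)] = directory
    return bytes(image), len(directory)


if __name__ == "__main__":
    for is64 in (False, True):
        image, size = rebuild_into_image(is64)
        print("PE32+" if is64 else "PE32", size, parse_import_directory(image, 0x4000, is64))
```

Writing the two blobs is not the whole fix: the optional header's DataDirectory[1] (IMAGE_DIRECTORY_ENTRY_IMPORT) must be pointed at dir_rva with the directory's size, DataDirectory[12] (IAT) should cover the restored IAT or be zeroed, and DataDirectory[11] (bound imports) must be cleared so the loader does not trust stale bindings. The directory is usually appended in a new section, because the packed file's own import directory is too small and the unpacked program's original one has been destroyed. Hint values of 0 are valid: the loader uses the hint only as a first guess into the export name table and falls back to a name search.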

Slide 58: Planned improvements in the near future
- Resizable window
- DLL support
- Integrated disassembler
- AutoTrace support
- Custom tracing plugins support

Slide 59: Part 4: Live 64-bit unpacking sessions
- Tools used:
  - IDA Pro Advanced 64
  - CHimpREC-64
- Example #1: MPRESS 1.07
  - Simple UPX-like packer
- Example #2: Armadillo x64
  - Standard protection, only a level beyond minimal
  - Imports relocation and emulation

Slide 60: Thanks and Greetz
- Thanks to my beta testers from ARTeam and Team SnD
- Even bigger thanks to the audience, the ReCon staff and the speakers
- CHimpREC will shortly be available from:
  - IITAC website (http://www.iitac.org)
  - Woodmann's Collaborative RCE Tool Library (CRCETL)

Slide 61: Do you have any questions?