What Can Reverse Engineering Do For You?

  1. ShellCon 2017 | What Can RE Do For You?
     WHAT CAN REVERSE ENGINEERING DO FOR YOU? (Malware Unicorn)
  2. ABOUT ME: Amanda Rousseau (@malwareunicorn), Sr. Malware Researcher, Endgame Inc., securedorg.github.io
     WHAT I DO: Teach malware RE; look at malware; CFP reviewer (DEFCON, OPCDE); host meetups (meetup.com/Dead-Drop-SF, vanitysec.com); follow fashion trends; speak at cons (RSA, DEFCON, 44Con, CanSecWest, BSides SF, WiCyS, DC3Con, MirCon); occasionally shitpost.
  3. Why Reverse Engineering? It is the foundation for both the blue and red teams.
     Reverse engineering feeds: vuln research, malware analysis, exploit dev, detection sigs, forensics, pentesting kits, AV engine dev.
  4. Watch out for Rabbit Holes: it's easy to get lost debugging some random binary. This talk will help you identify specific patterns in assembly routines commonly found in malware.
  5. "YOU ONLY NEED A DISASSEMBLER, DEBUGGER, AND A HEX EDITOR TO DO RE" – ANONYMOUS DUDE
  6. The "RE" starter pack
  7. ALL TOOLS SUPPORT: HxD hex editor; Python (used for automating tasks)
     INFORMATION GATHERING: CFF Explorer (PE header parser); PE Explorer (PE inspection); BinText (extract strings); Sysinternals Suite
     DISASSEMBLERS: IDA Free / Pro (most popular); Radare; Capstone
     DEBUGGERS: x64dbg (my favorite); Immunity; OllyDbg (most popular); WinDbg; GDB
  8. Approach
     • Recognizing patterns comes with experience
     • Break down algorithms into basic steps
     • Information gathering is key: it helps define how the binary and its assembly are used for that specific language
     • Use Backward-Forward navigation and take notes!
  9. BACKWARD-FORWARD: Start somewhere in the middle and navigate backwards to the entry point function. Then go forwards to get back to the middle while taking notes.
     (diagram: call chain main() > Sub_1() > Sub_2() > Sub_3() > Sub_4(); Start in the middle at Sub_4(), step Next backwards to main(), then forward again to End)
 10. BACKWARD-FORWARD: My Notes (screenshot)
 11. Common Assembly Patterns: common techniques found in malware: PACKING, EVASION, CRYPTO, SHELLCODE
 12. PACKING: Things to look for
     1. Allocate a huge memory chunk
     2. Load referenced section, resource, or .data
     3. Some routine that loops
     4. Recreate the import table
     5. Convert to R-W-X
     6. Jump to start of newly copied bytes
 13. PACKING (diagram of the six steps above): HEADER / MAIN CODE / PACKED CODE; the packed code is copied into NEW MEMORY, which is made RWX, the import table is recreated in a LOOP, then JUMP into the new memory.
 14. PACKING: UPX (screenshot)
 15. PACKING: memory chunk == UPX0 section
 16. PACKING: Recreate the import table (screenshot)
 17. PACKING: Recreate the import table (screenshot, continued)
 18. PACKING: Import table in the debugger
 19. PACKING: Convert to R-W-X with VirtualProtect; some routine that loops; jump to start of newly copied bytes
 20. PACKING: How to get around it
     Static Analysis
     • Look for references to sections, resources, or .data
     • Look for the jump call
     Debugging
     • Save the address of the new memory section. Set an execution breakpoint on that memory location.
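The static-analysis side of slides 12 to 20 can be scripted: the section table alone already shows UPX-style names, an empty-on-disk section that is large in memory (the UPX0 "memory chunk" of slide 15), R-W-X characteristics and the high entropy of packed data. This is an added example (not from the talk); it parses the PE section headers with only the standard library and runs on a constructed toy header, not on a real sample.

```python
import math
import struct

RWX = 0x20000000 | 0x40000000 | 0x80000000   # IMAGE_SCN_MEM_EXECUTE | READ | WRITE

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def parse_sections(pe):
    """Yield (name, VirtualSize, SizeOfRawData, Characteristics, raw bytes) per section header."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Flags
    _m, nsec, _ts, _st, _ns, opt_size, _fl = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    off = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER (40 bytes each)
    for _ in range(nsec):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, chars, pe[rawptr:rawptr + rawsize]
        off += 40

def packing_indicators(pe):
    """Findings matching the slides' packing pattern: UPX names, R-W-X, empty-on-disk, high entropy."""
    findings = []
    for name, vsize, rawsize, chars, raw in parse_sections(pe):
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: UPX section name")
        if (chars & RWX) == RWX:
            findings.append(f"{name}: section is R-W-X")
        if rawsize == 0 and vsize:
            findings.append(f"{name}: empty on disk, {vsize:#x} bytes in memory (unpack target)")
        if entropy(raw) > 7.0:
            findings.append(f"{name}: high entropy {entropy(raw):.2f}")
    return findings

def build_sample_pe():
    """Constructed toy PE (not a real sample): UPX0 empty on disk, UPX1 R-W-X holding packed bytes."""
    pe = bytearray(0x40 + 24 + 2 * 40)                    # DOS header, PE sig + COFF, 2 section headers
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                # e_lfanew -> "PE\0\0"
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x40 + 6, 2)               # NumberOfSections; optional header omitted (size 0)
    payload = bytes(range(256)) * 4                       # stand-in for packed data, entropy 8.0
    sec = 0x40 + 24
    struct.pack_into("<8sIIII", pe, sec, b"UPX0", 0x20000, 0x1000, 0, 0)
    struct.pack_into("<I", pe, sec + 36, 0x40000000 | 0x80000000)                       # R-W
    struct.pack_into("<8sIIII", pe, sec + 40, b"UPX1", len(payload), 0x21000, len(payload), len(pe))
    struct.pack_into("<I", pe, sec + 76, RWX)
    return bytes(pe) + payload
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `packing_indicators`; a tool like CFF Explorer shows the same fields interactively.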
 21. EVASION: Things to look for
     • Lots of jumps where one jump terminates the program
     • Environment checking
     • Useless routines
 22. EVASION (diagram): a chain Sub_0() > Sub_1() > Sub_3() > Sub_4(), each followed by Some Check with a JZ to Exit()
 23. EVASION (screenshot)
 24. EVASION: Types of Evasion
     • VM Evasion – checking the environment for VM artifacts
     • Anti-analysis – useless jumps & functions
     • Anti-AV Detection – heavy obfuscation, environment checks
     • Anti Automation – requires UI activity
 25. EVASION: VM Evasion: Things to look for
     • Accessing registry keys for hardware & BIOS
     • Checking driver names for VM drivers
     • Any check in Paranoid Fish (https://github.com/a0rtega/pafish)
 26. EVASION: VM Evasion: accessing registry keys for hardware, BIOS, and/or Physical Drive (screenshot)
 27. EVASION: VM Evasion: accessing registry keys for hardware, BIOS, and/or Physical Drive (screenshot, continued)
 28. EVASION: Anti-Analysis: Things to look for
     • Useless jumps & functions
     • Debugger checks
     • Time bombs
     • Tick timer checks
 29. EVASION: Anti-Analysis: Things to look for (screenshot of the same checks)
 30. EVASION: Anti-AV Detection: Things to look for
     • Accessing registry keys for AV names
     • Checking program files, DLLs, driver names
     • Stack based strings and IOCs
 31. EVASION: Anti-AV Detection: stack based strings and IOCs (screenshot)
 32. EVASION: Anti Automation: Things to look for
     • Checking for user interaction
     • Mouse movement
     • Foreground window state change
     • Long sleep/wait calls
     • Internet connection tests
 33. EVASION: Anti Automation (screenshot): checking for user interaction; foreground window state change
 34. EVASION: How to get around it
     Static Analysis
     • Patch the CMP and JNZ jump calls so that the check always passes
     Debugging
     • Modify the Zero flag to bypass the check
 35. EVASION: How to get around it (screenshot of the same patch)
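The static-analysis bypass from slides 34 and 35, the jump patch, as a script rather than a hex-editor edit. This is an added example, not from the talk: it rewrites a conditional jump at a known offset (the analyst takes the offset from the disassembler) either into NOPs, so a "JZ Exit()" is never taken, or into an unconditional jump, keeping the instruction length so nothing after it shifts. The byte sequence it operates on is constructed to match the slide's "Some Check, JZ Exit()" shape.

```python
# Short (rel8) conditional jumps share opcodes 0x70..0x7F (0x74 = jz, 0x75 = jnz);
# the near (rel32) forms are 0F 80..0F 8F.
JCC_REL8 = range(0x70, 0x80)
NOP, JMP_REL8, JMP_REL32 = 0x90, 0xEB, 0xE9

def decode_jcc(code, off):
    """Return (length, relative_target) if a conditional jump starts at off, else None."""
    if code[off] in JCC_REL8:
        return 2, int.from_bytes(code[off + 1:off + 2], "little", signed=True)
    if code[off] == 0x0F and 0x80 <= code[off + 1] <= 0x8F:
        return 6, int.from_bytes(code[off + 2:off + 6], "little", signed=True)
    return None

def patch_jcc(code, off, always_take):
    """Rewrite the jcc at off so the check always passes, without changing instruction size.

    always_take=False: the jump is never taken (a JZ Exit() becomes dead), replaced by NOPs.
    always_take=True:  the jump becomes unconditional (jmp to the same target)."""
    dec = decode_jcc(code, off)
    if dec is None:
        raise ValueError(f"no conditional jump at offset {off:#x}")
    length, _rel = dec
    patched = bytearray(code)
    if not always_take:
        patched[off:off + length] = bytes([NOP]) * length
    elif length == 2:
        patched[off] = JMP_REL8                 # 7x rel8 -> EB rel8, rel8 byte unchanged
    else:
        # 0F 8x rel32 -> 90 E9 rel32: the leading nop keeps the next-instruction
        # address, and therefore the rel32, identical to the original 6-byte encoding.
        patched[off], patched[off + 1] = NOP, JMP_REL32
    return bytes(patched)

# Constructed snippet in the shape of the slide's "Some Check -> JZ Exit()" chain (not a real sample):
#   85 C0             test eax, eax      ; result of an environment check
#   75 06             jnz +6             ; artifact found -> jump to the exit call
#   B8 01 00 00 00    mov eax, 1         ; normal path continues
#   C3                ret
#   E8 00 00 00 00    call Exit          ; rel32 left as a placeholder
SAMPLE = bytes.fromhex("85c0 7506 b801000000 c3 e800000000")
JNZ_OFFSET = 2
```

In a debugger the same effect is the slide's other option: flip ZF at the jnz instead of touching the bytes on disk.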
 36. CRYPTO: STEP 1 Load a reference in .DATA; STEP 2 Call a function right after; STEP 3 Loop a lot; STEP 4 XOR something
 37. CRYPTO: STEP 1 Load a reference in .DATA; STEP 2 Call a function right after (screenshot)
 38. CRYPTO: STEP 3 Loop a lot (screenshot)
 39. CRYPTO: STEP 4 XOR something
     xor A, B
     xor A, A
     xor [esi], al   ; XOR the byte at esi with al, the lower byte of register eax
     xor eax, eax    ; clear the register eax
 40. CRYPTO: How to get around it
     Static Analysis
     • Look for frequent usages of the function after data loads
     • Identify the crypto algorithm and create a simple decryption script
     Debugging
     • Place a breakpoint before the return or after the function to see the decrypted string
     • Place a write hardware breakpoint in the newly allocated memory region
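The "simple decryption script" of slide 40 for the loop in slide 39: `xor [esi], al` with esi walking a buffer is repeating-key XOR, and the key is recovered either by brute force over a single byte (keep outputs that look like text) or, for longer keys, from a known plaintext such as the `MZ` header of an embedded PE. This is an added example, not from the talk; the encrypted blobs are constructed here and stand in for data loaded from .data.

```python
import string

# Bytes accepted in a decrypted C string: printable ASCII plus the NUL terminator.
TEXT_BYTES = set(string.printable.encode()) | {0}

def xor_decrypt(data, key):
    """Repeating-key XOR: the loop behind `xor [esi], al`, with esi walking the buffer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key_from_crib(data, crib, keylen):
    """Known-plaintext recovery: key = ciphertext XOR expected plaintext over one key length."""
    if len(crib) < keylen or len(data) < keylen:
        raise ValueError("crib and data must cover at least one full key length")
    return bytes(c ^ p for c, p in zip(data[:keylen], crib[:keylen]))

def brute_force_single_byte(data, min_text_ratio=0.95):
    """Try every single-byte key; keep the (key, plaintext) pairs that look like text."""
    hits = []
    for k in range(256):
        plain = xor_decrypt(data, bytes([k]))
        if sum(b in TEXT_BYTES for b in plain) / len(plain) >= min_text_ratio:
            hits.append((k, plain))
    return hits

# Constructed samples standing in for blobs loaded from .data (not from any real malware):
# a C2 URL under a single-byte key and an embedded PE header under a 4-byte key.
URL_KEY, PE_KEY = b"\x5a", b"\xde\xad\xbe\xef"
ENC_URL = xor_decrypt(b"http://example.com/gate.php\0", URL_KEY)
ENC_PE = xor_decrypt(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00", PE_KEY)
MZ_CRIB = b"MZ\x90\x00"   # first four bytes of a typical DOS header

def demo():
    """Recover both keys the way an analyst would: brute force first, then a known-plaintext crib."""
    single_byte_candidates = [k for k, _ in brute_force_single_byte(ENC_URL)]
    four_byte_key = recover_key_from_crib(ENC_PE, MZ_CRIB, 4)
    return single_byte_candidates, four_byte_key, xor_decrypt(ENC_PE, four_byte_key)[:2]
```

The brute force may return a few false candidates on short data; the real key is the one whose plaintext reads sensibly, which is why the debugger-side breakpoint on the decrypted string is a good cross-check.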
 41. SHELLCODE: Things to look for
     • Heap or VirtualAlloc with R-W-X permissions
     • Copy a large chunk of bytes to newly created memory
     • Jump to an offset in that new memory
     • Or spawn a new thread
 42. SHELLCODE: Things to note
     • Similar to unpacking
     • Shellcode is process independent code
     • May or may not need an import table creation
 43. SHELLCODE (diagram): HEADER / MAIN CODE / SHELLCODE; the shellcode is copied into NEW MEMORY (RWX) in a LOOP, then JUMP into it
 44. SHELLCODE: Things to note
     • The value Offset+0x42B7 is saved in register esi and then pushed onto the stack before the function returns.
     • Typically a function pops ebp off the stack to restore the previous stack frame of the calling function.
 45. SHELLCODE: How to get around it
     Static Analysis
     • Look for references to sections, resources, or .data
     • Look for the jump or push & ret call
     Debugging
     • Save the address of the new memory section. Set an execution breakpoint on that memory location.
     • Extract the shellcode from memory and convert it into an exe
 46. SHELLCODE: Converting Shellcode to an EXE
     1. Download Yasm (yasm-1.3.0-win32.exe)
     2. Extract yasm-1.3.0-win32.exe and rename it to yasm.exe
     3. Download the GoLink linker (Golink.zip)
     4. Extract golink.exe
     5. Create a shellcode.asm file with the following instructions:
          Global Start
          SECTION 'AyyLmao' write, execute, read
          Start:
            incbin "shellcode.bin"
     6. From a command line run the following command to assemble the code:
        • yasm.exe -f win32 -o shellcode.obj shellcode.asm
     7. Now run the linker:
        • golink /ni /entry Start shellcode.obj
     8. Change the AddressOfEntryPoint: add 0x42B7, the offset the malware was going to return to in function sub_45B794, to the current value. AddressOfEntryPoint should then be 000052B7. This ensures that IDA knows where to start the disassembly.
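Step 8 above as a script instead of a hex-editor edit: locate AddressOfEntryPoint in the optional header, add the offset the push & ret was going to land on, and refuse values outside SizeOfImage. This is an added example, not from the talk or from GoLink; the header it runs on is a constructed minimal PE32 whose starting entry point (0x1000) is chosen so the result matches the slide's 0x52B7.

```python
import struct

def _optional_header_offset(pe):
    """Offset of IMAGE_OPTIONAL_HEADER; AddressOfEntryPoint is at +16 and SizeOfImage at +56 for PE32 and PE32+."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                         # 4-byte signature + 20-byte COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):             # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return opt

def entry_point(pe):
    """Current AddressOfEntryPoint (an RVA)."""
    return struct.unpack_from("<I", pe, _optional_header_offset(pe) + 16)[0]

def adjust_entry_point(pe, delta):
    """Return a copy whose AddressOfEntryPoint is moved by delta (the slide adds 0x42B7)."""
    opt = _optional_header_offset(pe)
    new_ep = entry_point(pe) + delta
    size_of_image, = struct.unpack_from("<I", pe, opt + 56)
    if not 0 <= new_ep < size_of_image:
        raise ValueError(f"entry {new_ep:#x} falls outside SizeOfImage {size_of_image:#x}")
    patched = bytearray(pe)
    struct.pack_into("<I", patched, opt + 16, new_ep)
    return bytes(patched)

def build_sample_pe(entry=0x1000, size_of_image=0x7000):
    """Constructed minimal PE32 header (not GoLink output): just enough for the patcher to work on."""
    pe = bytearray(0x40 + 24 + 0xE0)            # DOS header, PE sig + COFF, PE32 optional header
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)      # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x40 + 20, 0xE0) # SizeOfOptionalHeader for PE32
    opt = 0x40 + 24
    struct.pack_into("<H", pe, opt, 0x10B)      # PE32 magic
    struct.pack_into("<I", pe, opt + 16, entry)
    struct.pack_into("<I", pe, opt + 56, size_of_image)
    return bytes(pe)
```

For the real linker output, read shellcode.exe as bytes, call `adjust_entry_point(data, 0x42B7)` and write the result back; the starting value comes from GoLink, so check it with CFF Explorer before and after.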
 47. Things to REmember
     • Take notes
     • PATCH, PATCH, PATCH – every evasion can be bypassed
     • Memory & hardware breakpoints are your friends
     • Loops are annoying but good for identification
     • Repeated functions are fishy indicators
 48. Thanks for coming! Questions? Twitter: @malwareunicorn
