Jurriaan Bremer and Marion Marschalek: Curing A 15 Year Old Disease
Visual Basic P-code executables have been a pain for a digital eternity, and even today reverse engineers have not come up with a helpful painkiller. So, 15 years after the era of VB6, we present a tool that fully subverts the VB6 virtual machine, intercepting and instrumenting the VB P-code in real time. Through dynamic analysis, our tool aims to intercept relevant information at runtime, such as plaintext strings in memory and which APIs were called. Even more, with our tool an analyst can instrument the execution of byte code on the fly, allowing modification of the virtual machine state during execution.
With this fancy gadget it is possible to ease an analyst's life significantly. Having described all the ins and outs of our tool, we will demonstrate various possible use cases, concluding our talk with the profit for researchers, what we got from it, and possible future use cases.

Jurriaan is a freelance security researcher and software developer from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. Jurriaan occasionally plays so-called Capture The Flag games as a member of Eindbazen CTF Team; he is a member of The Honeynet Project and one of the Core Developers of Cuckoo Sandbox.

Marion Marschalek is a malware researcher at Cyphort Inc., based in Santa Clara. Marion works as a malware analyst and in incident response, but has also done research in the area of automated malware analysis and vulnerability search. Besides that, she teaches the basics of malware analysis at the University of Applied Sciences St. Pölten. Marion has spoken at international hacker conferences such as Defcon Las Vegas and POC Seoul. In March 2013 she won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.

  1. The Disease
  2. Your Researchers Today: Jurriaan Bremer (Cuckoo Sandbox, Freelancer), Marion Marschalek (Cyphort Inc.)
  3. Back in time ...
  4. Visual Basic 6.0: Microsoft, 1998. Object-based / event-driven. Rapid Application Development. Replaced by VB .NET in 2002. End of support in 2008.
  5. Google agrees.
  6. 2000: Pikachu Worm • pikachupokemon.exe – „Pikachu is your friend!“ • Modifies AUTOEXEC.BAT to remove C:\WINDOWS and C:\WINDOWS\system32 • Bad coding...
  7. 2005: Kelvir Worm • Spreads through MSN Messenger by a „lol! see it! u'll like it” message • Message points to omg.pif on home.earthlink.net • Spreads further & downloads and executes other malware
  8. 2009: Changeup Worm • Polymorphic • Spreads through removable media and shared folders by the 'LNK/PIF' Files Automatic File Execution Vulnerability • Downloads other malware
  9. So... why are we here?
  10. VB6 IS NOT DEAD
  11. VB6 101: 1991: Visual Basic born. 1998: Visual Basic 5.0/6.0, p-code and native code. 2002: VB.NET and MSIL byte code.
  12. NATIVE CODE
  13. PSEUDO CODE
  14. P-Code Translation: P-code mnemonics interpreted by msvbvm60.dll. handler13: ExitProcHresult ... handler14: ExitProc ... handler15: ExitProcI2 ... ... FC C8 13 76 ...
  15. ProcCallEngine Jumptables
  16. Instruction Handler: pushes integer onto the stack
  17. Instruction Handler: pushes integer onto the stack
  18. Instruction Handler: pushes integer onto the stack
  19. Hello World!
  20. Hello World!
  21. Hello World!
  22. Ou lá lá... HELLOU WORLD ^^
  23. Classical Analysis Approaches DON'T WORK.
  24. Existing VB Stuff: • VB Decompiler • Tequila Debugger • IDA Scripts • Peter Ferrie, Masaki Suenaga
  25. Most Advanced Sophisticated Private Cloud-based Big Data Intelligence Cyber Solution! (tm)
  26. MASPCbBDICS: FAIL COMPILATION. Everything that didn't work...
  27. DYNAMIC ANALYSIS
  28. DECOMPILATION
  29. ADVANCED STATIC ANALYSIS
  30. DEBUGGING
  31. DEBUGGING
  32. DEBUGGING
  33. V00D00 MAGIX
  34. Most Advanced Sophisticated Private Cloud-based Big Data Intelligence Cyber Solution: See which instructions are executed. Monitor interesting events as they happen. Inspect referenced strings, memory, and x86 code.
  35. VB6 Instrumentation: Patch the 6 jumptables! Generic: instrument everything, capture everything, create statistics. Specific: implement specific instruction handlers (“OpenFile”: filename).
  36. Patching A Function Handler: patch the original address with our custom assembly stub. 1. Store current register / stack state. 2. Call custom instruction handler. 3. Pass registers as parameters. 4. Do STUFF. 5. Restore original state. Jump to the original function handler. Life goes on.
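The dispatch-table idea of slides 14-16 and the patching sequence of slides 35-36, as an added example in C that is not vb6tracer's code: a toy p-code VM whose jumptable entries are swapped for stubs that save the VM state, run a generic hook (statistics) and one specific hook (the "OpenFile" filename), restore the state, and then jump to the original handler. The opcodes, mnemonics, VM layout and sample p-code are all constructed for this example; the slide's stub is assembly because the real msvbvm60.dll handlers keep their state in registers, whereas here the state is a struct, so a C function can play the stub.

```c
/* Added example, not vb6tracer code: a toy p-code VM whose opcode dispatch
 * table is patched the way slides 35-36 describe. Every entry is swapped for
 * a stub that saves state, runs a custom handler, restores state and jumps
 * to the original handler. Opcodes, mnemonics, the VM layout and the sample
 * p-code are all constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOPS 4
enum { OP_PUSHINT = 0, OP_ADD = 1, OP_OPENFILE = 2, OP_EXITPROC = 3 };

typedef struct {
    const uint8_t *pc;   /* next p-code byte */
    int32_t stack[16];
    int sp;
    int running;
} vm_t;

typedef void (*handler_t)(vm_t *);

/* Original handlers: stand-ins for the ones inside msvbvm60.dll. */
static void h_pushint(vm_t *vm) {          /* operand: 4-byte little-endian int */
    int32_t v; memcpy(&v, vm->pc, 4); vm->pc += 4;
    vm->stack[vm->sp++] = v;
}
static void h_add(vm_t *vm) {
    int32_t b = vm->stack[--vm->sp], a = vm->stack[--vm->sp];
    vm->stack[vm->sp++] = a + b;
}
static void h_openfile(vm_t *vm) {         /* operand: inline NUL-terminated name */
    vm->pc += strlen((const char *)vm->pc) + 1;
    vm->stack[vm->sp++] = 7;               /* constructed "file handle" */
}
static void h_exitproc(vm_t *vm) { vm->running = 0; }

/* The jumptable the VM dispatches through; this is what gets patched. */
static handler_t jumptable[NOPS] = { h_pushint, h_add, h_openfile, h_exitproc };
static const char *mnemonic[NOPS] = { "PushInt", "Add", "OpenFile", "ExitProc" };

/* Instrumentation state. */
static handler_t original[NOPS];
static unsigned exec_count[NOPS];
static char captured_file[64];
static int patched;

/* Generic hook: "instrument everything, create statistics". */
static void generic_hook(const vm_t *vm, int op) { (void)vm; exec_count[op]++; }

/* Specific hook: OpenFile's operand is its filename, so record it. */
static void openfile_hook(const vm_t *vm) {
    snprintf(captured_file, sizeof captured_file, "%s", (const char *)vm->pc);
}

/* One stub per slot: the C stand-in for the assembly stub of slide 36. */
#define STUB(i) static void stub_##i(vm_t *vm) {                              \
    vm_t saved = *vm;                        /* 1. store register/stack state */ \
    generic_hook(vm, (i));                   /* 2./3. custom handler, state as args */ \
    if ((i) == OP_OPENFILE) openfile_hook(vm);  /* 4. do stuff */              \
    *vm = saved;                             /* 5. restore original state */    \
    original[i](vm);                         /* jump to original handler */     \
}
STUB(0) STUB(1) STUB(2) STUB(3)
static const handler_t stubs[NOPS] = { stub_0, stub_1, stub_2, stub_3 };

/* "Patch the jumptables": swap each entry for its stub, keeping the original. */
static void patch_jumptable(void) {
    if (patched) return;
    for (int i = 0; i < NOPS; i++) { original[i] = jumptable[i]; jumptable[i] = stubs[i]; }
    patched = 1;
}

/* Run p-code until ExitProc; returns the value left on top of the stack. */
static int32_t run(const uint8_t *code) {
    vm_t vm = { code, {0}, 0, 1 };
    memset(exec_count, 0, sizeof exec_count);
    captured_file[0] = '\0';
    while (vm.running) { uint8_t op = *vm.pc++; jumptable[op](&vm); }
    return vm.sp ? vm.stack[vm.sp - 1] : 0;
}

/* Constructed sample: PushInt 2; PushInt 3; Add; OpenFile "x.txt"; ExitProc. */
static const uint8_t sample[] = {
    OP_PUSHINT, 2, 0, 0, 0, OP_PUSHINT, 3, 0, 0, 0, OP_ADD,
    OP_OPENFILE, 'x', '.', 't', 'x', 't', 0, OP_EXITPROC
};

static int32_t run_sample(void) { patch_jumptable(); return run(sample); }
static unsigned count_for(int op) { return exec_count[op]; }
static const char *captured_filename(void) { return captured_file; }

int main(void) {
    int32_t top = run_sample();
    for (int i = 0; i < NOPS; i++)
        printf("%-9s executed %u times\n", mnemonic[i], exec_count[i]);
    printf("OpenFile operand: %s, top of stack: %d\n", captured_filename(), top);
    return 0;
}
```

Because each stub tail-calls through `original[]`, the patched table is transparent to the program being traced: the only side effects are the per-opcode counters (the "create statistics" part) and the captured operand (the "specific handler" part). Restoring the saved state before the original handler runs is what keeps a hook from perturbing execution; a hook that wants to modify VM state on the fly, as the abstract describes, would deliberately skip that restore.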
  37. Tailored Reporting For VB6: Custom printf() • BSTR: unicode string with its size prepended • VARIANT: generic wrapper around int, str, etc. Custom hexdump() to aid debugging.
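The BSTR and VARIANT handling of slide 37, as an added example in C that is not vb6tracer's code. It relies on two documented COM layouts: a BSTR is a pointer to UTF-16 code units preceded by a 4-byte length prefix counted in bytes (which is why a BSTR may contain embedded NULs and why `strlen`-style reporting gets it wrong), and a VARIANT starts with a 16-bit VARTYPE that says which union member is live. The allocator, the sample values and the output format are constructed here so the code runs without Windows; the slide's hexdump() helper is not reproduced.

```c
/* Added example, not vb6tracer code: a reporting helper in the spirit of
 * slide 37 that renders a BSTR and a VARIANT as printable text. BSTR and
 * VARIANT layouts are the documented COM ones; allocator, samples and output
 * format are constructed here. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t *BSTR;
enum { VT_EMPTY = 0, VT_I4 = 3, VT_BSTR = 8, VT_BOOL = 11 };  /* VARTYPE values */

typedef struct {
    uint16_t vt;                 /* which union member is live */
    uint16_t reserved[3];
    union { int32_t lVal; BSTR bstrVal; int16_t boolVal; } u;  /* anonymous in the real header */
} VARIANT;

/* Bounded append into out; returns the new write position, never past cap. */
static size_t app(char *out, size_t cap, size_t w, const char *fmt, ...) {
    if (w >= cap) return cap;
    va_list ap; va_start(ap, fmt);
    int k = vsnprintf(out + w, cap - w, fmt, ap);
    va_end(ap);
    if (k < 0) return w;
    return w + (size_t)k < cap ? w + (size_t)k : cap;
}

/* Stand-in for SysAllocString: length prefix, then chars, then a trailing NUL. */
static BSTR make_bstr(const char *ascii, uint32_t nchars) {
    uint32_t bytes = nchars * 2;
    uint8_t *raw = calloc(1, 4 + bytes + 2);
    memcpy(raw, &bytes, 4);                      /* little-endian host assumed */
    uint16_t *chars = (uint16_t *)(raw + 4);
    for (uint32_t i = 0; i < nchars; i++) chars[i] = (uint8_t)ascii[i];
    return chars;
}
static void free_bstr(BSTR s) { if (s) free((uint8_t *)s - 4); }

/* Character count from the prefix; a NULL BSTR means the empty string. */
static uint32_t bstr_len(BSTR s) {
    uint32_t bytes = 0;
    if (s) memcpy(&bytes, (uint8_t *)s - 4, 4);
    return bytes / 2;
}

/* "len:text"; code units outside printable ASCII are shown as \uXXXX. */
static size_t format_bstr(char *out, size_t cap, size_t w, BSTR s) {
    uint32_t n = bstr_len(s);
    w = app(out, cap, w, "%u:", n);
    for (uint32_t i = 0; i < n; i++)
        w = (s[i] >= 0x20 && s[i] < 0x7f) ? app(out, cap, w, "%c", (char)s[i])
                                           : app(out, cap, w, "\\u%04x", (unsigned)s[i]);
    return w;
}

/* Dispatch on VARTYPE the way a VB6-aware printf() would. */
static size_t format_variant(char *out, size_t cap, size_t w, const VARIANT *v) {
    switch (v->vt) {
    case VT_EMPTY: return app(out, cap, w, "Empty");
    case VT_I4:    return app(out, cap, w, "Long(%d)", v->u.lVal);
    case VT_BOOL:  return app(out, cap, w, "Boolean(%s)", v->u.boolVal ? "True" : "False");
    case VT_BSTR:  w = format_bstr(out, cap, app(out, cap, w, "String("), v->u.bstrVal);
                   return app(out, cap, w, ")");
    default:       return app(out, cap, w, "vt=0x%04x", v->vt);
    }
}

/* Constructed samples, each rendered into a static buffer. */
static const char *report_bstr(void) {
    static char buf[128];
    BSTR s = make_bstr("Hi\0!", 4);               /* the embedded NUL survives */
    format_bstr(buf, sizeof buf, 0, s);
    free_bstr(s);
    return buf;
}
static const char *report_variant(uint16_t vt) {
    static char buf[128];
    VARIANT v; memset(&v, 0, sizeof v); v.vt = vt;
    if (vt == VT_I4) v.u.lVal = -5;
    if (vt == VT_BOOL) v.u.boolVal = -1;           /* VARIANT_TRUE */
    if (vt == VT_BSTR) v.u.bstrVal = make_bstr("x.txt", 5);
    format_variant(buf, sizeof buf, 0, &v);
    if (vt == VT_BSTR) free_bstr(v.u.bstrVal);
    return buf;
}

int main(void) {
    printf("BSTR    : %s\n", report_bstr());
    printf("VARIANT : %s\n", report_variant(VT_I4));
    printf("VARIANT : %s\n", report_variant(VT_BOOL));
    printf("VARIANT : %s\n", report_variant(VT_BSTR));
    return 0;
}
```

The length is always taken from the prefix, never by scanning for a terminator, so a string such as "Hi\0!" reports four characters with the NUL made visible as `\u0000`; a reporting routine that printed the BSTR with `%ls` would have stopped at "Hi" and hidden the rest of the buffer from the analyst.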
  38. Slightly modified Cuckoo Sandbox: execute the sample with our custom DLL. Cuckoofy It.
  39. VB6 ANALYSIS: Obfuscation and garbage. Anti-X features. Three ways to call external functions. The Somewhat Peculiar Results, a.k.a. Disease.
  40. Import Address Table (IAT): only legitimate VB6 VM methods. Dynamically Resolved Functions: VB6 feature DllFunctionCall; runtime decryption of API names (WesumeThread, ZwWriteQirtualMemory, TetExitCodeThread). Execute native x86.
  41. x86 to call CreateThread(): other x86 code in a new thread.
  42. The Yet To Be Identified Infamous Anti-Cuckoo Feature (c)
  43. Thank You! Project @ https://github.com/jbremer/vb6tracer
