Reverse Engineering 101

Reversing 101 - Gazi Üniversitesi

Published in: Education, Technology

Notes
  • Native Language: C/C++ etc. Intermediate Rep.: machine- and language-independent object code. Low Level Int. Rep.: allocating memory (offsets etc.)
  • Run process: running the processes.
  • Information about the disk.
  • How the bot runs.
  • How the modules run.
  • Function names are called as hashes.
  • Reverse Engineering 101
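The note that function names are called as hashes describes API hashing: the sample never carries the import name as a string, only a 32-bit constant, and resolves the export at run time by hashing every name in a DLL's export table until one matches. For the analyst the work runs in reverse: hash the candidate names ahead of time and look the constants up. The following is an added example, not code from the deck or from the FATMAL sample it analyses; the rotate-right-13-and-add hash is an assumed, commonly seen shape (the deck does not say which algorithm the sample used), and the candidate list and the "recovered" constants are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed hash scheme: rotate the accumulator right by 13 and add each byte of
 * the export name. Stands in for whatever the real sample used. */
static uint32_t ror13_hash(const char *name) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);   /* ror h, 13 */
        h += *p;
    }
    return h;
}

/* Constructed candidate table: in practice this is the export list of every
 * DLL the sample is seen to load (kernel32.dll, ntdll.dll, ...). */
static const char *const candidates[] = {
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA",
    "WriteFile", "ReadFile", "CreateProcessA", "ExitProcess",
    "GetDiskFreeSpaceExA", "GetVolumeInformationA",
};
#define NCANDIDATES (sizeof candidates / sizeof candidates[0])

/* Map one constant back to a name; NULL when no candidate hashes to it. */
static const char *resolve_hash(uint32_t h) {
    for (size_t i = 0; i < NCANDIDATES; i++)
        if (ror13_hash(candidates[i]) == h)
            return candidates[i];
    return NULL;
}

/* Resolve every constant in hashes[], writing a name (or NULL) per entry
 * into names[]; returns how many were resolved. */
static size_t resolve_all(const uint32_t *hashes, size_t n, const char **names) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        names[i] = resolve_hash(hashes[i]);
        if (names[i]) hits++;
    }
    return hits;
}

/* Constructed stand-in for constants pulled out of a sample's resolver loop:
 * three names from the table plus one value that matches nothing. Fills up to
 * cap entries of names[] and returns the number resolved. */
static size_t demo_sample(const char **names, size_t cap) {
    uint32_t found[4];
    found[0] = ror13_hash("LoadLibraryA");
    found[1] = ror13_hash("GetProcAddress");
    found[2] = ror13_hash("GetVolumeInformationA");
    found[3] = ror13_hash("NotAnExportedName");   /* unknown: resolves to NULL */
    size_t n = cap < 4 ? cap : 4;
    return resolve_all(found, n, names);
}

int main(void) {
    const char *names[4];
    size_t hits = demo_sample(names, 4);
    printf("%zu of 4 constants resolved\n", hits);       /* 3 of 4 */
    for (size_t i = 0; i < 4; i++)
        printf("  [%zu] %s\n", i, names[i] ? names[i] : "<unknown>");
    return 0;
}
```

The same table doubles as a detection aid: a binary that contains several of these constants but no corresponding import entries is resolving its APIs by hash, which is itself worth flagging.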

    1. Reverse Engineering 101 Yasin SÜRER http://twitter.com/yasinsurer
    2. Jargon A zero-day (or zero-hour or day-zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application. An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug. A shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to a computer.
    3. Attacker Mindset Vulnerability Research: find the vulnerability and develop weaponized exploits. Exploit Development: a zero-day attack uses advanced exploitation techniques. Understanding undocumented system functions: malware authors; rootkits, worms, keyloggers, spyware etc.
    4. Defensive Perspective Patch and Vulnerability Analysis: developing signatures against zero-day threats for IDS/IPS appliances. Binary Code Analysis: finding new zero-day vulnerabilities to take advantage of them from the defensive perspective. Advanced Exploit Development: penetration testing and vulnerability assessment. Malware Analysis: anti-virus, anti-spyware and digital forensics companies.
    5. Real-World Crime Example May 2008 in New York for the Dave & Buster's case; May 2008 in Massachusetts for the TJ Maxx case; August 2009 in New Jersey in connection with the Heartland Payment case.
    6. State-Sponsored Attack Example The group obtained a sponsor who paid them 2000 RMB ($325) per month. Their sponsor is likely the People's Liberation Army (PLA). Tan Dailin: attacks on the US Department of Defense in May and June 2006. GinWui rootkit (manipulate services, start and kill processes etc.). iDefense says: 35 zero-day Microsoft Office exploits.
    7. State-Sponsored Attack Example
    8. Advanced Persistent Threat
    9. "We do not call those types of threats Advanced Persistent Threat since they use widely known, old-school tactics" (Microsoft)
    10. US Department of Defense Offensive Contractors
    11. Reverse Engineering
    12. What is Reverse Engineering? Static Analysis or Reversing: static program analysis is the analysis of computer software that is performed without actually executing programs. Dynamic Analysis or Reversing: dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor.
    13. x86 Architecture & Assembly
    14. Arithmetic Instructions
        mov eax, 5       ; eax = 5
        mov ebx, 3       ; ebx = 3
        add eax, ebx     ; eax = eax + ebx
        sub ebx, 2       ; ebx = ebx - 2
    15. Accessing Memory
        cmp eax, 2       ; compare eax with 2
        je  label        ; if (eax == 2)
        ja  label        ; if (eax > 2)
        jb  label        ; if (eax < 2)
        jbe label        ; if (eax <= 2)
        jne label        ; if (eax != 2)
        jmp label        ; jump to label
    16. Function Calls
        call function    ; store return addr on the stack
                         ; and jump to function!
        func:
        push esi         ; save esi
        …
        pop esi          ; restore esi
        ret              ; read return addr from the stack
                         ; and jump to it.
    17. Modern Compiler Native Language → Intermediate Representation → Low-level Intermediate Representation → x86 Assembly
    18. Binary Reverse Engineering How the compiler works and how it translates source into machine code. Understanding operating system structures. Understanding executable (PE/ELF) file formats. We need to think like the compiler, but in reverse!
    19. Toolbag
    20. Reverser Toolbag (1) IDA Disassembler from Hex-Rays: IDA is a disassembler for computer software which generates assembly language source code from machine-executable code. OllyDbg is a free debugger: OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. WinDbg from Microsoft: it can be used to debug user-mode applications, drivers, and the operating system itself in kernel mode.
    21. Reverser Toolbag (2) Virtual Machines (VirtualBox, VMware, Hyper-V): a virtual machine (VM) is a software-implemented abstraction of the underlying hardware, which is presented to the application layer of the system. Packet Sniffers (Wireshark, tcpdump): the sniffer captures packets and, if needed, decodes the packet's raw data, showing the values of various fields in the packet. Sysinternals Suite: technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.
    22. PEiD
    23. IDA Pro
    24. IDA Pro (2)
    25. IDA Pro (3)
    26. IDA Pro (4)
    27. OllyDbg
    28. OllyDbg (2)
    29. WinDbg
    30. WinDbg (2)
    31. Intro to WinDbg
        • r: display current register content
        • t: trace-step (until call)
        • pt: single-step (until ret)
        • g: process run (go!)
        • .hh: help command (for example .hh t)
        • lm: list modules
    32. Sysinternals: Process Explorer
    33. Sysinternals: Process Monitor
    34. Sysinternals: Autoruns
    35. ImpREC
    36. LordPE
    37. Anti-Reverse Engineering Anti-Debugging: the implementation of one or more techniques within computer code that "hinders attempts" at reverse engineering or debugging a target process. Anti-Dumping: counters dumping, the process of taking a protected executable out of memory after it has been decrypted there. Code obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand. Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable.
    38. Executable Compression (Packed Executables)
    39. Packed Executable
    40. Packed Executable
    41. Packed Executable
    42. Packed Executable
    43. Packed Executable
    44. Anti-Debugging
    45. Anti-Debugging
    46. Anti-Debugging
    47. Anti-Debugging
    48. Anti-Debugging
    49. Anti-Debugging
    50. FATMAL (Real-World Example)
    51. FATMAL
    52. Loader
    53. Loader
    54. Payload InstallBot()
    55. Payload
    56. Payload
    57. Payload
    58. Payload
    59. Payload
    60. Who could be behind the FATMAL attack?
    61. Memory Analysis - Sality -
    62. Memory Analysis
    63. Memory Analysis
    64. Memory Analysis
    65. Memory Analysis
    66. Memory Analysis
    67. Resources
    68. Analysis of Mobile Threats
    69. Mobile Market (chart data): Android 49%, iPhone 19%, BlackBerry 13%, Windows Phone 11%, Symbian 5%, Other 3%
    70. Mobile Threats (chart data, values paired with labels in slide order): Android 79, Symbian 19, Windows Mobile 0.3, iPhone 0.7, BlackBerry 0.3, J2ME 0.7
    71. Mobile Threats (chart data): values 66.1, 0.71, 2.7, 0.3, 5.6, 7, 11.2, 3.7, 0; categories Trojan, Downloader, Spy, Adware, Backdoor, Hacktool, Monitoring, Riskware, Spyware Application (value-to-category pairing not recoverable from the transcript)
    72. Android Android is a Linux-based operating system and runs on a custom Linux. Google I/O statshot: 900 million Android devices activated. Google Play hits 600,000 applications, 20 billion total installs. Manufacturers: Samsung, HTC, Asus, Amazon, Sony, Toshiba, Acer…
    73. Android Apps Android Market → APK/ZIP: Metadata (manifest, images), Dex File (classes.dex)
    74. Android Architecture
    75. Geinimi
    76. Geinimi
    77. Geinimi
    78. Geinimi
    79. Geinimi
    80. Geinimi
    81. Geinimi
    82. 5 years of silence…
    83. The ProGuard tool shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names. DexGuard is our specialized optimizer and obfuscator for Android. Create apps that are faster, more compact, and more difficult to crack.
    84. Obfuscation
    85. Obfuscation
    86. Obfuscation
    87. Modifying the Bytecode
    88. Android Application: Dalvik VM! Activity Thread, Zygote, Activity Manager, Launcher
    89. Modifying the byte-code: JNI Native Code, Dalvik bytecode: Modified!
    90. Processor
    91. so what…
    92. Malware writers are getting ready to implement x86 techniques for Android.
    93. Questions…
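Slides 14 to 16 give the instruction subset a reverser meets first (mov/add/sub, cmp followed by a conditional jump, call/ret). The point that is easy to miss from the slide's `ja label ; if (eax > 2)` annotation is that cmp sets the flags for an unsigned comparison and ja/jb/jbe read exactly those flags, so a value a C programmer would call -1 is "above 2" to `ja`. The tiny register machine below is an added example, not code from the deck: it models the slide's instructions with 32-bit registers, ZF/CF flag semantics and a return-address stack for call/ret, and runs the slide 14 arithmetic followed by a call into a routine built from the slide 15 compare-and-branch idioms. Everything in it (the instruction encoding, the program table, the `classify` routine) is constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Register machine for the x86 subset on slides 14-16. cmp sets ZF/CF as the
 * real CPU does for an unsigned compare; je/jne/ja/jb/jbe consult those flags. */
enum Reg { EAX, EBX, ECX, EDX, NREGS };
enum Op  { MOV, ADD, SUB, CMP, JE, JNE, JA, JB, JBE, JMP, CALL, RET, HALT };

typedef struct {
    enum Op  op;
    enum Reg dst;        /* destination / left operand for mov, add, sub, cmp */
    bool     src_is_imm; /* true: operand is imm; false: operand is reg[src]  */
    enum Reg src;
    int32_t  imm;        /* immediate, or instruction index for jumps and call */
} Insn;

typedef struct {
    uint32_t reg[NREGS];
    bool zf, cf;         /* zero flag; carry flag = unsigned borrow from cmp */
    uint32_t stack[32];  /* return addresses pushed by call */
    int sp, eip, steps;  /* stack depth, next instruction, step budget guard */
} Cpu;

/* Run until HALT, a RET on an empty stack, or a bad/overlong execution.
 * Returns 0 on a clean stop, -1 otherwise. */
static int run(Cpu *c, const Insn *prog, int len) {
    while (c->eip >= 0 && c->eip < len && c->steps++ < 10000) {
        const Insn *i = &prog[c->eip];
        uint32_t a = c->reg[i->dst];
        uint32_t b = i->src_is_imm ? (uint32_t)i->imm : c->reg[i->src];
        int next = c->eip + 1;
        switch (i->op) {
        case MOV:  c->reg[i->dst] = b;     break;
        case ADD:  c->reg[i->dst] = a + b; break;
        case SUB:  c->reg[i->dst] = a - b; break;
        case CMP:  c->zf = (a == b); c->cf = (a < b); break; /* unsigned compare */
        case JE:   if (c->zf)            next = i->imm; break;
        case JNE:  if (!c->zf)           next = i->imm; break;
        case JA:   if (!c->cf && !c->zf) next = i->imm; break;
        case JB:   if (c->cf)            next = i->imm; break;
        case JBE:  if (c->cf || c->zf)   next = i->imm; break;
        case JMP:  next = i->imm; break;
        case CALL: /* push the return address, then jump to the target */
            if (c->sp >= 32) return -1;
            c->stack[c->sp++] = (uint32_t)next;
            next = i->imm;
            break;
        case RET:  /* pop the return address; an empty stack means we are done */
            if (c->sp == 0) return 0;
            next = (int)c->stack[--c->sp];
            break;
        case HALT: return 0;
        }
        c->eip = next;
    }
    return -1;
}

#define R(op, d, s) { op, d, false, s, 0 }    /* register operand */
#define I(op, d, v) { op, d, true, EAX, v }   /* immediate operand */
#define J(op, t)    { op, EAX, true, EAX, t } /* jump / call target */

/* Slide 14 arithmetic, then a call into classify: ecx = 1 if eax > 2,
 * 2 if eax == 2, 3 if eax < 2, all compared unsigned as on slide 15. */
static const Insn program[] = {
    /*  0 */ I(MOV, EAX, 5),
    /*  1 */ I(MOV, EBX, 3),
    /*  2 */ R(ADD, EAX, EBX),   /* eax = 8 */
    /*  3 */ I(SUB, EBX, 2),     /* ebx = 1 */
    /*  4 */ J(CALL, 6),         /* classify(eax) */
    /*  5 */ J(HALT, 0),
    /*  6 */ I(CMP, EAX, 2),     /* classify: */
    /*  7 */ J(JE, 11),
    /*  8 */ J(JA, 13),
    /*  9 */ I(MOV, ECX, 3),     /* eax < 2 */
    /* 10 */ J(RET, 0),
    /* 11 */ I(MOV, ECX, 2),     /* eax == 2 */
    /* 12 */ J(RET, 0),
    /* 13 */ I(MOV, ECX, 1),     /* eax > 2 */
    /* 14 */ J(RET, 0),
};
#define PROGRAM_LEN ((int)(sizeof program / sizeof program[0]))

/* Run the whole program; returns the final eax and reports ecx via *ecx_out. */
static uint32_t run_program(uint32_t *ecx_out) {
    Cpu c = {0};
    run(&c, program, PROGRAM_LEN);
    if (ecx_out) *ecx_out = c.reg[ECX];
    return c.reg[EAX];
}

/* Enter classify directly with a chosen eax and return the ecx it produces. */
static uint32_t classify(uint32_t eax) {
    Cpu c = {0};
    c.reg[EAX] = eax;
    c.eip = 6;
    run(&c, program, PROGRAM_LEN);
    return c.reg[ECX];
}

int main(void) {
    uint32_t ecx, eax = run_program(&ecx);
    printf("eax=%u ecx=%u\n", eax, ecx);                          /* eax=8 ecx=1 */
    printf("classify(0xFFFFFFFF)=%u\n", classify(0xFFFFFFFFu));    /* 1: ja is unsigned */
    return 0;
}
```

When reading disassembly, the signed/unsigned distinction is recovered from the jump mnemonic alone: ja/jb/jbe/jae come from an unsigned compare, jg/jl/jle/jge from a signed one, and a decompiler's `unsigned int` vs `int` typing usually traces back to exactly this choice.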

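Slides 37 to 43 cover executable compression: the original code is stored compressed or encrypted and a small stub unpacks it at run time, which is why a tool like PEiD (slide 22) can flag a packed binary before anyone opens it in IDA. The most common signal is byte entropy, since compressed or encrypted data is close to 8 bits per byte while ordinary x86 code and strings are well below that. The following is an added example, not code from the deck or any tool it shows: it computes Shannon entropy over a buffer and applies a packed/not-packed threshold. The 7.0 bits/byte threshold, the section size and the two sample "sections" (a repeated text pattern and xorshift32 pseudo-random bytes) are constructed for the demo; a real checker would run the same function over each PE section. The log2 helper is written out so the example links without -lm.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* log2 for x in (0, 1], without libm: scale x into [0.5, 1] and evaluate
 * ln(x) = 2 * atanh((x-1)/(x+1)) by its series, then divide by ln 2. */
static double log2_unit(double x) {
    int e = 0;
    while (x < 0.5) { x *= 2.0; e--; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 41; k += 2) { sum += term / k; term *= y2; }
    return e + (2.0 * sum) / 0.6931471805599453;
}

/* Shannon entropy of a buffer in bits per byte, 0.0 .. 8.0. */
static double shannon_entropy(const uint8_t *buf, size_t len) {
    if (len == 0) return 0.0;
    size_t counts[256] = {0};
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_unit(p);
    }
    return h;
}

/* Threshold (assumption): compressed or encrypted sections sit near 8 bits/byte,
 * plain code and text usually stay below 7. */
#define PACKED_THRESHOLD 7.0
static int looks_packed(const uint8_t *buf, size_t len) {
    return shannon_entropy(buf, len) >= PACKED_THRESHOLD;
}

#define SECTION_LEN 4096   /* constructed section size for the demo */

/* Text-like bytes: a small alphabet repeated, like a listing or a strings table. */
static size_t fill_textlike(uint8_t *buf, size_t len) {
    static const char pattern[] = "mov eax, 5 ; add eax, ebx ; sub ebx, 2 ; ret\n";
    size_t plen = sizeof pattern - 1;
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)pattern[i % plen];
    return len;
}

/* xorshift32 pseudo-random bytes standing in for a compressed/encrypted section. */
static size_t fill_randomlike(uint8_t *buf, size_t len, uint32_t seed) {
    uint32_t s = seed ? seed : 0x9E3779B9u;
    for (size_t i = 0; i < len; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        buf[i] = (uint8_t)(s & 0xFFu);
    }
    return len;
}

static double textlike_entropy(void) {
    uint8_t buf[SECTION_LEN];
    fill_textlike(buf, sizeof buf);
    return shannon_entropy(buf, sizeof buf);
}

static double randomlike_entropy(void) {
    uint8_t buf[SECTION_LEN];
    fill_randomlike(buf, sizeof buf, 12345u);
    return shannon_entropy(buf, sizeof buf);
}

int main(void) {
    uint8_t buf[SECTION_LEN];
    fill_textlike(buf, sizeof buf);
    printf("text-like section:   %.2f bits/byte, packed? %s\n",
           shannon_entropy(buf, sizeof buf), looks_packed(buf, sizeof buf) ? "yes" : "no");
    fill_randomlike(buf, sizeof buf, 12345u);
    printf("random-like section: %.2f bits/byte, packed? %s\n",
           shannon_entropy(buf, sizeof buf), looks_packed(buf, sizeof buf) ? "yes" : "no");
    return 0;
}
```

Entropy alone is a heuristic, not a verdict: a resource section holding a JPEG scores high without being packed, and a packer that pads its output with low-entropy filler scores low. The usual practice is to combine it with the other signals the deck's tools rely on, such as a tiny import table, section names that belong to a known packer, and an entry point outside the first code section.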