What Can Reverse Engineering Do For You?

ShellCon 2017 | What Can RE Do For You?
1
WHAT CAN
REVERSE
ENGINEERING
DO FOR YOU?
MALWARE UNICORN

2
ABOUT ME
WHAT I DO
securedorg.github.io
Teach Malware RE
Look at malware
DEFCON
OPCDE
CFP Reviewer
Amanda Rousseau
Host Meetups
Follow Fashion Trends
meetup.com/Dead-Drop-SF
vanitysec.com
RSA, DEFCON
44Con, CanSecWest
Bsides SF, WiCys
DC3Con, MirCon
Speak at ConsSr.
Malware
Researcher
Endgame
Inc.
Occasionally Shitpost
@malwareunicorn

3
Why
Reverse Engineering?
It is the foundation for both the blue and red teams
Vuln Research
Malware Analysis
Exploit Dev
Detection Sigs
Forensics
Pentesting Kits
Reverse Engineering
AV Engine Dev

4
Watch out for
Rabbit Holes
It’s easy to get lost debugging
some random binary.
This talk will help you identify
specific patterns in assembly
routines commonly found in
malware.

5
“YOU ONLY NEED A DISASSEMBLER,
DEBUGGER, AND A HEX EDITOR TO DO RE”
– ANONYMOUS DUDE

6
The “RE” starter pack

7
ALL TOOLS
SUPPORT
HxD Hex Editor
Python - used for automating tasks
INFORMATION GATHERING
CFF Explorer - PE header parser
PE Explorer - PE inspection
BinText - Extract strings
Sysinternals Suite
DISASSEMBLERS
Ida
Free
Pro (Most Popular)
Radare
Capstone
DEBUGGERS
x64dbg (My Favorite)
Immunity
OllyDbg (Most Popular)
WinDbg
GDB

8
Approach
• Recognizing patterns comes with experience
• Break down algorithms into basic steps
• Information gathering is key, it helps define
how the binary and assembly is used for that
specific language
• Use Backward-Forward navigation and take
notes!

9
BACKWARD-FORWARD
Start somewhere in the middle
and navigate backwards to the
entry point function.
Then go forwards to get back to
the middle while taking notes.
main()
Sub_1()
Sub_2()
Sub_4()Start
Sub_3()Next
Next
End
Sub_4()
Sub_2()
main()
Sub_1()

10
BACKWARD-FORWARD
My Notes

11
Common Assembly Patterns
Common techniques found in malware
PACKING EVASION CRYPTO SHELLCODE

12
PACKING
1. Allocate a huge memory chunk
2. Load referenced section, resource, or
.data
3. Some routine that loops
4. Recreate the import table
5. Convert to R-W-X
6. Jump to start of newly copied bytes
Things to look for

13
PACKING
HEADER
MAIN CODE
PACKED CODE
NEW MEMORY
RWX
RECREATE IMPORT TABLE
LOOP
1
2
5
4
3
6
JUMP

14
PACKING
UPX

15
PACKING
memory chuck == UPX0 section

16
PACKING
Recreate the import table

17
PACKING
Recreate the import table

18
PACKING
Import table in the debugger

19
PACKING
Convert to R-W-X with VirtualProtect
Some routine that loops
Jump to start of newly copied bytes

20
PACKING
• Look for references to sections, resources, or .data
• Look for the jump call
Debugging
• Save the address to the new memory section. Set
an execution breakpoint on that memory location.
Static Analysis
How to get around it

21
EVASION
• Lots of jumps where one jump
terminates the program
• Environment checking
• Useless routines
Things to look for

22
EVASION
Sub_0()
Sub_1()
Sub_4()
Sub_3()
Exit()
Some Check
JZ Exit()
JZ Exit()
JZ Exit()
Some Check
Some Check

23
EVASION

24
EVASION
• VM Evasion – Checking the environment for VM artifacts
• Anti-analysis – useless jumps & functions
• Anti-AV Detection – Heavy obfuscation, environment checks
• Anti Automation – requires UI activity
Types of Evasion

25
EVASION
VM Evasion
• Accessing registry keys for hardware & Bios
• Checking driver names for VM drivers
• Any check in Paranoid Fish
(https://github.com/a0rtega/pafish)
Things to look for

26
EVASION
VM Evasion
• Accessing registry keys
for hardware, Bios,
and/or Physical Drive

27
EVASION
VM Evasion
• Accessing registry keys
for hardware, Bios,
and/or Physical Drive

28
EVASION
• useless jumps & functions
• Debugger checks
• Time bombs
• Tick timer checks
Things to look for
Anti-Analysis

29
EVASION
• useless jumps & functions
• Debugger checks
• Time bombs
• Tick timer checks
Things to look for
Anti-Analysis

30
EVASION
Anti-AV Detection
• Accessing registry keys for AV names
• Checking program files, DLLs, Driver names
• Stack based strings and IOCs
Things to look for

31
EVASION
Anti-AV Detection
Stack based strings and IOCs

32
EVASION
Anti Automation
• Checking for User Interaction
• Mouse movement
• Foreground window state change
• Long sleep/wait calls
• Internet connection tests
Things to look for

33
• Checking for User Interaction
• Foreground window state
change
EVASION
Anti Automation

34
EVASION
• Patch the CMP and JNZ jump calls so that it
always passes the check
Debugging
• Modify the Zero flag to bypass the check
Static Analysis

35
EVASION
• Patch the CMP and JNZ jump calls so that it
always passes the check
Debugging
• Modify the Zero flag to bypass the check
Static Analysis

36
CRYPTO
Call a function right after
STEP 2
Loop a lot
STEP 3
Load a reference in .DATA
STEP 1
XOR something
STEP 4

37
CRYPTO
Call a function right after
STEP 2
Load a reference in .DATA
STEP 1

38
CRYPTO
Loop a lot
STEP 3

39
CRYPTO
xor A, B
xor A, A
xor [esi], al
xor eax, eax
XOR the lower byte of register eax
with the value at esi
Clear the register eax
XOR something
STEP 4

40
CRYPTO
• Look for frequent usages of the function after data
loads
• Identify the crypto algorithm and create a simple
decryption script
Debugging
• Place a breakpoint before the return or after the
function to see the decrypted string
• Place a write hardware breakpoint in the newly
allocated memory region
Static Analysis

41
SHELLCODE
• Heap or VirtualAlloc with R-W-X
permissions
• Copy a large chunk of bytes to
newly created memory
• Jump to an offset in that new
memory
• Or spawn a new thread
Things to look for

42
SHELLCODE
• Similar to unpacking
• Shellcode is process independent code
• May or may not need an import table creation
Things to note

43
SHELLCODE
HEADER
MAIN CODE
SHELLCODE
NEW MEMORY
RWX
LOOP
1
2
4
3
5
JUMP

44
SHELLCODE
• value Offset+0x42B7 is being
saved in register esi and then
pushed onto the stack before
the function returns.
• Typically functions will pop the
ebp on the stack to restore
the previous stack frame of
the calling function.
Things to note

45
SHELLCODE
• Look for references to sections, resources, or .data
• Look for the jump or push & ret call
Debugging
• Save the address to the new memory section. Set
an execution breakpoint on that memory location.
• Extract the shellcode from memory and convert it
into an exe
Static Analysis

46
SHELLCODE
Converting Shellcode to an EXE
1. Download Yasm yasm-1.3.0-win32.exe
2. Extract yasm-1.3.0-win32.exe and rename it to yasm.exe
3. Download GoLink linker Golink.zip
4. Extract golink.exe
5. Create a shellcode.asm file with the following instructions
6. From a command line run the following command to assemble the code:
• yasm.exe -f win32 -o shellcode.obj shellcode.asm
7. Now run the linker
• golink /ni /entry Start shellcode.obj
8. Change the AddressOfEntryPoint. Add the current value to 0x42B7 which was the offset of where the
malware was going to return to in function sub_45B794. AddressOfEntryPoint should be 000052B7.
This will ensure that IDA knows where to start the disassembly.
Global Start
SECTION 'AyyLmao' write, execute,read
Start: incbin "shellcode.bin"

47
Things to REmember
• Take notes
• PATCH, PATCH, PATCH - every evasion can be bypassed
• Memory & Hardware breakpoints are your friends
• Loops are annoying but good for identification
• Repeated functions are fishy indicators

48
Thanks for coming!
Questions?
Twitter: @malwareunicorn

What Can Reverse Engineering Do For You?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to What Can Reverse Engineering Do For You?

Similar to What Can Reverse Engineering Do For You? (20)

Recently uploaded

Recently uploaded (20)

What Can Reverse Engineering Do For You?