What Can Reverse Engineering Do For You?
1. ShellCon 2017 | What Can RE Do For You?
1
WHAT CAN REVERSE ENGINEERING DO FOR YOU?
MALWARE UNICORN
ABOUT ME
Amanda Rousseau, Sr. Malware Researcher, Endgame Inc.
WHAT I DO
• Teach Malware RE: securedorg.github.io
• Look at malware
• Speak at cons: RSA, DEFCON, 44Con, CanSecWest, Bsides SF, WiCys, DC3Con, MirCon
• CFP Reviewer: DEFCON, OPCDE
• Host Meetups: meetup.com/Dead-Drop-SF
• Follow Fashion Trends: vanitysec.com
• Occasionally Shitpost: @malwareunicorn
Why Reverse Engineering?
It is the foundation for both the blue and red teams
Reverse Engineering sits at the center of: Vuln Research, Malware Analysis, Exploit Dev, Detection Sigs, Forensics, Pentesting Kits, AV Engine Dev
Watch out for Rabbit Holes
It’s easy to get lost debugging some random binary.
This talk will help you identify specific patterns in assembly routines commonly found in malware.
“YOU ONLY NEED A DISASSEMBLER, DEBUGGER, AND A HEX EDITOR TO DO RE”
– ANONYMOUS DUDE
The “RE” starter pack
ALL TOOLS
SUPPORT
• HxD Hex Editor
• Python - used for automating tasks
INFORMATION GATHERING
• CFF Explorer - PE header parser
• PE Explorer - PE inspection
• BinText - Extract strings
• Sysinternals Suite
DISASSEMBLERS
• IDA (Free, or Pro - Most Popular)
• Radare
• Capstone
DEBUGGERS
• x64dbg (My Favorite)
• Immunity
• OllyDbg (Most Popular)
• WinDbg
• GDB
Approach
• Recognizing patterns comes with experience
• Break down algorithms into basic steps
• Information gathering is key: it helps define how the binary and its assembly are laid out for the specific language it was written in
• Use Backward-Forward navigation and take notes!
BACKWARD-FORWARD
Start somewhere in the middle and navigate backwards to the entry point function.
Then go forwards to get back to the middle while taking notes.
[Diagram: call tree of main(), Sub_1(), Sub_2(), Sub_3(), Sub_4(); the walk is labelled Start, Next, Next, End over Sub_4(), Sub_2(), main(), Sub_1()]
BACKWARD-FORWARD
My Notes
Common Assembly Patterns
Common techniques found in malware
PACKING EVASION CRYPTO SHELLCODE
PACKING
Things to look for
1. Allocate a huge memory chunk
2. Load referenced section, resource, or .data
3. Some routine that loops
4. Recreate the import table
5. Convert to R-W-X
6. Jump to start of newly copied bytes
PACKING
[Diagram: HEADER, MAIN CODE, PACKED CODE, NEW MEMORY, RWX, RECREATE IMPORT TABLE, LOOP, JUMP, numbered 1-6 to match the steps above]
PACKING
memory chunk == UPX0 section
PACKING
Recreate the import table
PACKING
Import table in the debugger
PACKING
Convert to R-W-X with VirtualProtect
Some routine that loops
Jump to start of newly copied bytes
PACKING
How to get around it
Static Analysis
• Look for references to sections, resources, or .data
• Look for the jump call
Debugging
• Save the address to the new memory section. Set an execution breakpoint on that memory location.
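A static triage check for steps 1 and 5 of the packing pattern, added here as an example and not code from the talk: it walks the PE section table with Python's struct module and flags RWX sections and sections that have no bytes on disk but reserve a large memory chunk (the UPX0 layout shown above). The sample header is constructed inline; names such as packer_hints are the example's own.

```python
import struct

# Section characteristics from the PE spec (IMAGE_SCN_* in winnt.h).
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

def parse_sections(pe: bytes):
    """Walk the section table -> [(name, VirtualSize, SizeOfRawData, Characteristics)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)      # IMAGE_FILE_HEADER
    num_sections, opt_size = coff[1], coff[5]
    table = e_lfanew + 4 + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, hdr[1], hdr[3], hdr[9]))               # VirtualSize, SizeOfRawData, Characteristics
    return out

def packer_hints(pe: bytes):
    """Flag what the slide points at: RWX sections, and sections with no bytes on disk
    (SizeOfRawData == 0) that still reserve a large memory chunk for the unpacked code."""
    hints = []
    for name, vsize, rsize, chars in parse_sections(pe):
        if chars & RWX == RWX:
            hints.append(f"{name}: RWX section")
        if rsize == 0 and vsize > 0:
            hints.append(f"{name}: no raw data, {vsize:#x} bytes reserved (unpacking target)")
    return hints

def build_sample_pe(sections):
    """Constructed minimal header: DOS stub, PE signature, COFF header (no optional header),
    then one 40-byte section header per (name, vsize, va, rsize, praw, chars) tuple."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, pr, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, pr, ch in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed sample laid out like a UPX-packed file: UPX0 is empty on disk but large in
# memory, UPX1 holds the packed bytes and the unpacking loop; both are RWX.
SAMPLE_PE = build_sample_pe([
    (b"UPX0", 0x10000, 0x1000, 0, 0, RWX),
    (b"UPX1", 0x4000, 0x11000, 0x4000, 0x400, RWX),
    (b".rsrc", 0x200, 0x15000, 0x200, 0x4400, IMAGE_SCN_MEM_READ),
])
```

Run packer_hints on a real sample after the header parser has confirmed it is a PE; an empty list only means these two heuristics did not fire, not that the file is unpacked.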
EVASION
Things to look for
• Lots of jumps where one jump terminates the program
• Environment checking
• Useless routines
EVASION
[Diagram: chain of Sub_0(), Sub_1(), Sub_3(), Sub_4() with three "Some Check" / JZ Exit() gates; one failed check jumps to Exit()]
EVASION
Types of Evasion
• VM Evasion – Checking the environment for VM artifacts
• Anti-analysis – useless jumps & functions
• Anti-AV Detection – Heavy obfuscation, environment checks
• Anti Automation – requires UI activity
EVASION
VM Evasion
Things to look for
• Accessing registry keys for hardware & BIOS
• Checking driver names for VM drivers
• Any check in Paranoid Fish (https://github.com/a0rtega/pafish)
EVASION
VM Evasion
• Accessing registry keys for hardware, BIOS, and/or Physical Drive
EVASION
Anti-Analysis
Things to look for
• Useless jumps & functions
• Debugger checks
• Time bombs
• Tick timer checks
EVASION
Anti-AV Detection
Things to look for
• Accessing registry keys for AV names
• Checking program files, DLLs, driver names
• Stack based strings and IOCs
EVASION
Anti-AV Detection
Stack based strings and IOCs
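An added Python helper for the "stack based strings" item above, not from the talk: it rebuilds strings that malware writes onto the stack as immediates (so they never appear in a strings dump) from an Intel-syntax listing. The disassembly and the name sub_401000 are constructed for the example; it assumes numeric [ebp-0x..] offsets rather than IDA's var_ names.

```python
import re

# Sizes of the operand-size keywords x86 disassemblers print for immediate stores.
SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
# Intel-syntax store of an immediate into a frame/stack slot, e.g.
#   mov dword ptr [ebp-0x14], 0x6F746D76
STORE_RE = re.compile(
    r"mov\s+(byte|word|dword|qword)\s+ptr\s+\[(?:ebp|esp|rbp|rsp)([+-]0x[0-9a-f]+)\]\s*,\s*(0x[0-9a-f]+|\d+)",
    re.IGNORECASE)

# Constructed sample: IDA-style listing that builds "vmtoolsd.exe" four bytes at a time
# on the stack before calling a lookup routine (sub_401000 is a placeholder name).
SAMPLE_DISASM = """\
push    ebp
mov     ebp, esp
sub     esp, 0x20
mov     dword ptr [ebp-0x14], 0x6F746D76
mov     dword ptr [ebp-0x10], 0x64736C6F
mov     dword ptr [ebp-0xC], 0x6578652E
mov     byte ptr [ebp-0x8], 0
lea     eax, [ebp-0x14]
push    eax
call    sub_401000
"""

def _printable_runs(buf: bytes, min_len: int):
    """Split a reassembled buffer on non-printable bytes (the NUL terminators) and keep real strings."""
    return [run.decode("ascii") for run in re.split(rb"[^\x20-\x7e]+", buf) if len(run) >= min_len]

def extract_stack_strings(disasm: str, min_len: int = 4):
    """Reassemble strings written to the stack as immediates. Stores are ordered by
    address and concatenated while contiguous; a gap flushes the current buffer."""
    stores = []
    for line in disasm.splitlines():
        m = STORE_RE.search(line)
        if not m:
            continue
        size = SIZES[m.group(1).lower()]
        offset = int(m.group(2), 16)                        # e.g. "-0x14" -> -20
        value = int(m.group(3), 0) & ((1 << (8 * size)) - 1)  # mask sign-extended immediates
        stores.append((offset, value.to_bytes(size, "little")))
    stores.sort(key=lambda s: s[0])                         # lowest address first == memory order
    found, buf, expect = [], b"", None
    for offset, chunk in stores:
        if expect is not None and offset != expect:         # non-contiguous store: new string
            found += _printable_runs(buf, min_len)
            buf = b""
        buf += chunk
        expect = offset + len(chunk)
    return found + _printable_runs(buf, min_len)
```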
EVASION
Anti Automation
Things to look for
• Checking for User Interaction
• Mouse movement
• Foreground window state change
• Long sleep/wait calls
• Internet connection tests
EVASION
Anti Automation
• Checking for User Interaction
• Foreground window state change
EVASION
How to get around it
Static Analysis
• Patch the CMP and JNZ jump calls so that it always passes the check
Debugging
• Modify the Zero flag to bypass the check
CRYPTO
STEP 1: Load a reference in .DATA
STEP 2: Call a function right after
STEP 3: Loop a lot
STEP 4: XOR something
CRYPTO
STEP 4: XOR something
xor A, B - general form: A = A XOR B
xor A, A - clears A (anything XORed with itself is zero)
xor [esi], al - XOR the byte at esi with the lower byte of register eax, storing the result back at esi
xor eax, eax - Clear the register eax
CRYPTO
How to get around it
Static Analysis
• Look for frequent usages of the function after data loads
• Identify the crypto algorithm and create a simple decryption script
Debugging
• Place a breakpoint before the return or after the function to see the decrypted string
• Place a write hardware breakpoint in the newly allocated memory region
SHELLCODE
Things to look for
• Heap or VirtualAlloc with R-W-X permissions
• Copy a large chunk of bytes to newly created memory
• Jump to an offset in that new memory
• Or spawn a new thread
SHELLCODE
Things to note
• Similar to unpacking
• Shellcode is process independent code
• May or may not need an import table creation
SHELLCODE
[Diagram: HEADER, MAIN CODE, SHELLCODE, NEW MEMORY, RWX, LOOP, JUMP, numbered 1-5 to match the steps above]
SHELLCODE
Things to note
• The value Offset+0x42B7 is being saved in register esi and then pushed onto the stack before the function returns, so the ret transfers control into the copied bytes.
• Typically functions will pop ebp off the stack to restore the previous stack frame of the calling function.
SHELLCODE
How to get around it
Static Analysis
• Look for references to sections, resources, or .data
• Look for the jump or push & ret call
Debugging
• Save the address to the new memory section. Set an execution breakpoint on that memory location.
• Extract the shellcode from memory and convert it into an exe
SHELLCODE
Converting Shellcode to an EXE
1. Download Yasm yasm-1.3.0-win32.exe
2. Extract yasm-1.3.0-win32.exe and rename it to yasm.exe
3. Download the GoLink linker Golink.zip
4. Extract golink.exe
5. Create a shellcode.asm file with the following instructions (shellcode.bin is the blob extracted from memory):
   Global Start
   SECTION 'AyyLmao' write, execute, read
   Start: incbin "shellcode.bin"
6. From a command line run the following command to assemble the code:
   • yasm.exe -f win32 -o shellcode.obj shellcode.asm
7. Now run the linker:
   • golink /ni /entry Start shellcode.obj
8. Change the AddressOfEntryPoint: add 0x42B7 to the current value, since 0x42B7 was the offset the malware was going to return to in function sub_45B794. AddressOfEntryPoint should be 000052B7. This will ensure that IDA knows where to start the disassembly.
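Step 8 automated, as an added example that is not part of the talk: it reads and rewrites AddressOfEntryPoint in the linked wrapper and refuses an entry point outside SizeOfImage. The sample header is constructed inline and assumes the blob's section starts at RVA 0x1000, which is what the slide's arithmetic implies (0x1000 + 0x42B7 = 0x52B7).

```python
import struct

OPT_HDR_AEP = 16            # AddressOfEntryPoint offset inside IMAGE_OPTIONAL_HEADER
OPT_HDR_SIZE_OF_IMAGE = 56  # SizeOfImage offset inside IMAGE_OPTIONAL_HEADER

def optional_header_offset(pe: bytes) -> int:
    """The optional header follows the PE signature (4) and IMAGE_FILE_HEADER (20) at e_lfanew."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20

def read_entry_point(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, optional_header_offset(pe) + OPT_HDR_AEP)[0]

def patch_entry_point(pe: bytes, delta: int) -> bytes:
    """Return a copy of `pe` whose AddressOfEntryPoint is moved forward by `delta`,
    the offset inside the blob that the malware was going to return into."""
    opt = optional_header_offset(pe)
    old = struct.unpack_from("<I", pe, opt + OPT_HDR_AEP)[0]
    size_of_image = struct.unpack_from("<I", pe, opt + OPT_HDR_SIZE_OF_IMAGE)[0]
    new = old + delta
    if not 0 <= new < size_of_image:       # the loader would refuse to run it anyway
        raise ValueError(f"new entry point {new:#x} lies outside the image ({size_of_image:#x})")
    out = bytearray(pe)
    struct.pack_into("<I", out, opt + OPT_HDR_AEP, new)
    return bytes(out)

def build_sample_pe(entry_point: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32 header: DOS stub, signature, COFF header, 0xE0-byte optional header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 1, 0, 0x5000, 0, 0, entry_point)
    struct.pack_into("<I", opt, OPT_HDR_SIZE_OF_IMAGE, size_of_image)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed sample: a freshly linked wrapper whose entry point is the start of the
# blob at RVA 0x1000; SLIDE_OFFSET is the offset quoted in the walkthrough above.
SAMPLE_PE = build_sample_pe(entry_point=0x1000, size_of_image=0x6000)
SLIDE_OFFSET = 0x42B7

if __name__ == "__main__":
    patched = patch_entry_point(SAMPLE_PE, SLIDE_OFFSET)
    print(f"AddressOfEntryPoint {read_entry_point(SAMPLE_PE):#010x} -> {read_entry_point(patched):#010x}")
```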
Things to REmember
• Take notes
• PATCH, PATCH, PATCH - every evasion can be bypassed
• Memory & Hardware breakpoints are your friends
• Loops are annoying but good for identification
• Repeated functions are fishy indicators
Thanks for coming!
Questions?
Twitter: @malwareunicorn