Virus Researcher
Agenda
§ Introduction
§ First Steps
– File Format Analysis: Is my file packed?
– Unpacking
– Disassembly
§ Unpacking Demo
§ Finding interesting code in Malware (Basic, but works most of the time)
– WinMain
– Imports
– Threads
– Strings
§ R.E Example:
– Malware Protocol Reverse Engineering
2
Introduction
§ Reverse engineering malcode is, most of the time, a fairly
easy task (easier than porting Linux to a closed device).
3
First Steps: Is my file Packed?
§ What is packing anyway?
4
First Steps: Is my file Packed?
§ Is the last section executable?
6
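The "is the last section executable?" check from this slide, written out as a small triage script. This is an added example, not code from the presentation: it walks the DOS header, PE signature, COFF header and section table by hand (no third-party PE library), reports whether the last section is executable and writable, and builds a constructed header-only sample PE to run against offline.

```python
import struct

# PE section characteristic flags (values from the PE/COFF specification)
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

def parse_sections(data: bytes):
    """DOS header -> PE signature -> COFF header -> section table; returns [(name, characteristics)]."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional          # COFF header is 20 bytes
    sections = []
    for i in range(num_sections):
        off = table + i * 40                       # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics field
        sections.append((name, chars))
    return sections

def triage_last_section(data: bytes) -> dict:
    """The slide's heuristic: an executable (worse: also writable) last section
    hints that a packer/protector appended its stub. A hint, not proof."""
    sections = parse_sections(data)
    if not sections:
        raise ValueError("PE has no sections")
    name, chars = sections[-1]
    return {"name": name,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE)}

def build_sample_pe(last_name: bytes, last_flags: int) -> bytes:
    """Constructed sample: minimal PE headers only (no real code), for offline testing."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = b"\0" * 0xE0                                           # PE32 optional header size
    sections = [(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                (last_name, last_flags)]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdrs = b"".join(n.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", f)
                    for n, f in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs
```

On a real file, `triage_last_section(open(path, "rb").read())` gives the verdict; treat an executable and writable last section as a reason to look closer, not as a conviction.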
First Steps: Unpacking
• Unpacking knowledge is very handy for reverse engineers.
7
First Steps: Unpacking
8
First Steps: Unpacking
§ Reconstruct the Import Table
– Trace the packer’s code and find where the IAT handling
is, so you can grab information about the import table
and eventually reconstruct it manually (or patch the
protector so it will not destroy the imports at all :) )
9
Disassembly
§ Once our file has been unpacked, we can start
disassembling it, looking for malicious code.
10
Finding interesting code in Malware
§ WinMain
For malware written in C/C++, you will quite often find interesting
information right at the WinMain function.
12
Finding interesting code in Malware
§ Imports
You can use imports to find interesting parts of
malcode, e.g.:
13
Finding interesting code in Malware
§ Threads
14
Finding interesting code in Malware
§ Strings
15
Example: A Proxy Trojan Protocol R.E
§ Don’t forget that most malcode authors are naive (or
stupid).
16
Example: A Proxy Trojan Protocol R.E
§ I saw many interesting strings inside the binary:
17
Example: A Proxy Trojan Protocol R.E
§ The malcode author is so nice to us
18
Example: A Proxy Trojan Protocol R.E
§ When we run this malcode, we will never see those strings
on our screen.
§ I assumed they were lazy or naive, and made their
application a GUI one, so we actually don’t see anything.
§ Fire up your favorite PE editor and make it a console
application.
19
Example: A Proxy Trojan Protocol R.E
20
Example: A Proxy Trojan Protocol R.E
§ Let’s try to reverse engineer the remote command feature.
21
Example: A Proxy Trojan Protocol R.E
§ The code looks for « CTL » inside a buffer, and if we
scroll up a little we find that it is actually a socket
buffer (the recv function is a good hint).
22
Example: A Proxy Trojan Protocol R.E
§ We learn that we need to send « CTL findme something »
here.
23
Example: A Proxy Trojan Protocol R.E
§ The third parameter is used as an index to select the command
to execute.
24
Example: A Proxy Trojan Protocol R.E
§ Switch Jump Table
25
Example: A Proxy Trojan Protocol R.E
§ All the other commands work the same way, so we can
reverse engineer the whole proxy protocol.
§ We could easily « flood » the collector with bogus
information by changing the interval to something very
small. The author most likely uses some sort of logging to know
which computers are infected.
§ This one was easy, but most malware is THAT
easy.
26
Questions?
§ If you have any questions, please talk SLOOOWLY, or just
come and talk to me after the presentation. (Better :p)
§ Thanks :)
nbrulez@websense.com
http://WebsenseSecurityLabs.com
27