Reverse Engineering 101

Yasin SRER http://twitter.com/yasinsurer

Jargon
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application. An exploit is a piece of software, a chunk of data, or sequence of commands that takes

advantage of a bug

A shellcode is a small piece of code used as the payload in the exploitation of a software

vulnerability

A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.

Attacker Mindset
Vulnerability Research
Find the vulnerability, and developing weaponized-exploits.

Exploit Development

Zero-day attack uses advanced-exploitation technique

Understanding undocumented system functions malware authors; Rootkit, worm, keylogger, spyware etc.

Defensive Perspective
Patch and Vulnerability Analysis
Developing signatures against zero-day

threats for IDS/IPS appliance

Binary Code Analysis

Finding new zero-day

vulnerabilities to take advantage on defensive

perspective

Advanced Exploit Development

Penetration Test and Vulnerability assesment.

Malware Analysis
Anti-Virus, Anti-Spyware and Digital

Forensics

companies

Real-World Crime Example

May 2008 in New York for the Dave & Busters case May 2008 in Massachusetts for the TJ

Maxx case

August 2009 in New Jersey in connection with the Heartland

Payment case.

State-Sponsored Attack Example

The group obtained a sponsor who paid them 2000 RMB ($325) per month Their sponsor is likely the People's Liberation Army (PLA)

Tan Dailin attacks on US Department of Defense in May and

June 2006

GinWui Rootkit (Manipulate Service, Start and Kill Process etc.) iDefense says,35 zero-day Microsoft Office Exploit

State-Sponsored Attack Example

Advanced Persistent Threat

We do not call those types of threats as Advanced Persistent Threat since they use widely known, old-school tactics Microsoft

US Department of Defense Offensive Contractors

Reverse Engineering

What is Reverse Engineering ?

Static Analysis or Reversing
Static program analysis is the analysis of computer software that is
performed without

actually executing programs

Dynamic Analysis or Reversing

Dynamic program analysis is

the analysis of computer software that is

performed by executing programs on a real or virtual processor.

x86 Architecture & Assembly

Arithmetic Instructions

mov eax, 5 mov ebx, 3 add eax, ebx sub ebx, 2

; eax=5 ; ebx=3 ; eax = eax + ebx ; ebx = ebx -2

Accessing Memory
cmp eax, 2
je label ja label jb label jbe label jne label jmp label

; compare eax with 2

; if(eax == 2) ; if(eax > 2) ; if(eax < 2) ; if(eax <= 2) ; if(eax != 2) ; jump label

Function Calls
call function ; store return addr on the stack ; and jump to function!

func: push esi pop esi ret ; save esi ; restore esi ; read return addr from the stack ; and jump to it.

Modern Compiler
Native Language Intermediate Representation

Low-level Intermediate representation

x86 Assembly

Binary Reverse Engineering

How the compiler

works and to translate it into machine code

Understanding operating

system structures

Understanding executable (PE/ELF) file

We need to think

formats

like the compiler, but in reverse!

Toolbag

Reverser Toolbag (1)

IDA Disassembler from Hex-Rays
IDA is a disassembler for computer software which generates assembly language source code from machine-executable code OllyDbg is Free Debugger OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available Windbg from Microsoft

It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode.

Reverser Toolbag (2)

Virtual Machines (Virtualbox, VMWare, Hyper-V) A virtual machine (VM) is a software implemented abstraction of the underlying hardware, which is presented to the application layer of the system.

Packet Sniffers (Wireshark, tcpdump)

The sniffer captures packets, if needed, decodes the packet's raw data, showing the values of various fields in the packet Sysinternals Suite

technical resources and utilities to manage, diagnose, troubleshoot, and monitor

a Microsoft

Windows environment.

PEiD

IDA Pro

IDA Pro (2)

IDA Pro (3)

IDA Pro (4)

OllyDbg

OllyDbg (2)

Windbg

Windbg (2)

Intro to Windbg
r: display current register content t: trace-step (until call) pt: single-step (until-ret) g: process run (go!) .hh: help command. (for example .hh t) lm: list modules

Sysinternal: Process Explorer

Sysinternal: Process Monitor

Sysinternal: Autoruns

ImpREC

LordPE

Anti-Reverse Engineering
Anti-Debugging, the implementation of one or more techniques within
computer code that hinders attempts at reverse engineering or debugging

target process
Anti-Dumping, describes the process of taking an executable that has been

protected and after the executable has been decrypted into memory Code obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand. Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable

Executable Compression (Packed Executables)

Packed Executable

Packed Executable

Packed Executable

Packed Executable

Packed Executable

Anti-Debugging

Anti-Debugging

Anti-Debugging

Anti-Debugging

Anti-Debugging

Anti-Debugging

FATMAL (Real-World Example)

FATMAL

Loader

Loader

Payload

InstallBot()

Payload

Payload

Payload

Payload

Payload

Who could be behind the FATMAL attack?

Memory Analysis - Sality -

Memory Analysis

Memory Analysis

Memory Analysis

Memory Analysis

Memory Analysis

Resources

Analysis of Mobile Threats

Mobile Market
5%

3%
Android

11% iPhone BlackBerry Windows Phone Symbian Other

13%

49%

19%

Mobile Threats
0.7 0.3 0.7 0.3 19

Android Symbian Windows Mobile iPhone BlackBerry J2ME

79

Mobile Threats
3.7 11.2 Trojan

Downloader
7 Spy Adware 5.6 0.3 2.7 1 0.7 Backdoor Hacktool Monitoring Riskware 66.1 Spyware Application

Android

Android is a Linux-based operating system, runs on custom Linux.

Google I/O statshot, 900 million Android devices activated
Google play hits 600.000 application,

20 billion total installs.

Manufacturers; Samsung, HTC, Asus, Amazon, Sony, Toshiba, Acer

Android Apps
Android Market

APK/ZIP
Metadata (manifest, images) Dex File (classes.dex)

Android Architecture

Geinimi

Geinimi

Geinimi

Geinimi

Geinimi

Geinimi

Geinimi

5 years of silence

The ProGuard tool shrinks, optimizes, and obfuscates

your code by removing

obscure

unused code and renaming classes, fields, and methods with semantically

names.

DexGuard is our specialized optimizer and obfuscator for Android. Create apps that are faster, more compact, and more difficult to crack.

Obfuscation

Obfuscation

Obfuscation

Modifying The bytecode

Android Application
Launcher

Activity Manager

Zygote

Activity Thread
Dalvik VM!

Modifying the byte-code

JNI

Native Code

Dalvik bytecode

Modified!

Processor

so what

Malware writers is getting ready to implement x86 techniques for Android.

Questions