Vitali Kremez

Reverse engineering Malware

Manual Malware Unpacking

5/30/2016

Unpacker Tail Transitions
  • Often (not always) found at the end of the unpacking code
  • Usually comes in one of the following forms:
    • Jump immediate (jmp 0401234)
      • Short jumps take a 1-byte operand, while transitions from unpacker to application code require a larger operand (e.g. 4 bytes), because the OEP lies well beyond the 127-byte range of a short jump
    • push / ret
      • A push followed by a return is fishy, as the pushed value becomes the return address
      • The unpacker may push a constant or set a register that it then jumps through
    • pusha / popa
      • Not a transition technique itself, but usually used to restore the registers to their entry-point state before the jump
      • A hardware breakpoint on one of the saved register values may halt the debugger just before the transition to the OEP
        • View ESP in the dump window, select one of the 4-byte-aligned values, and set a breakpoint (F2)
When a tail jump cannot be identified, attempt to locate the OEP via a section hop:
  • Generally code resides in a single section of the PE file.
  • Hops between sections are unusual and often occur in the transition from the unpacker stub to application code
  • OllyDump automates the search for such a hop and attempts to break when one is found
Beware of self-modifying code
  • How software breakpoints work
    • The debugger stores a copy of the byte at the breakpoint address
    • That byte is replaced with 0xCC (INT 3)
    • When the address is reached, the debugger swaps the original byte back in
  • How self-modifying code works
    • A byte or block is read from memory
    • Optional transformations are applied
    • The byte is written back (to the original location or elsewhere)
  • Self-modifying reads may read the wrong (0xCC) byte
  • Self-modifying writes may overwrite breakpoints
  • Use hardware breakpoints when possible (only 4 are available on 32-bit x86)
Breaking on common events
  • Debuggers often allow breaking on library load/unload
    • Packers often end with a series of LoadLibrary / GetProcAddress calls
  • Could set a breakpoint on common start-up functions
    • GetCommandLineA, GetVersion
    • The catch is that they have to be loaded and available for brea

String Obfuscation via MOV Instructions

5/30/2016

mov ecx, 0x400000            ; destination buffer
mov byte ptr [ecx], 0x53     ; 'S'
inc ecx
mov byte ptr [ecx], 0x54     ; 'T'
inc ecx
mov byte ptr [ecx], 0x52     ; 'R'
inc ecx
mov byte ptr [ecx], 0x00     ; NUL terminator

This sequence would put the ASCII string “STR” at the memory location 0x400000.

A variant of this is to construct the string via one or more PUSH instructions:
  • PUSH 0x00525453
    • Stored little-endian, this immediate lays out the bytes 53 54 52 00 on the stack, i.e. "STR" followed by a NUL terminator; longer strings are built by pushing their dwords in reverse order so that the first characters end up at the lowest address (ESP)
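As an added example (my own code, not from the post), a small Python decoder that recovers strings assembled in either of these ways from a text disassembly listing: it replays byte-wise MOV stores through a register (including INC and [reg+disp] forms) and reassembles runs of PUSH imm32 in stack order. The listing it parses is constructed for the example.

```python
import re
import struct

# Constructed sample listing (mine, not from the post): a MOV-built "STR",
# a one-dword PUSH-built "STR", then a three-dword PUSH-built "kernel32".
SAMPLE_LISTING = """
mov ecx, 0x400000
mov byte ptr [ecx], 0x53
inc ecx
mov byte ptr [ecx], 0x54
inc ecx
mov byte ptr [ecx], 0x52
inc ecx
mov byte ptr [ecx], 0x00
push 0x00525453
lea eax, [esp]
push 0x00000000
push 0x32336c65
push 0x6e72656b
push esp
"""
STORE_RE = re.compile(r"mov\s+(?:byte\s+ptr\s+)?\[(\w+)(?:\+(\w+))?\]\s*,\s*(\w+)", re.I)
INC_RE = re.compile(r"inc\s+(\w+)$", re.I)
PUSH_RE = re.compile(r"push\s+(0x[0-9a-f]+|\d+)$", re.I)
def _cstring(raw):
    return raw.split(b"\0", 1)[0].decode("latin-1")
def recover_strings(listing):
    """Return [(technique, string)] for each NUL-terminated string built by MOV stores or PUSH imm32 runs."""
    found, bufs, pushes = [], {}, []  # bufs: reg -> [bytes written, write offset]
    def flush_pushes():  # the last push is lowest on the stack, so the string starts there
        if pushes:
            found.append(("push", _cstring(b"".join(struct.pack("<I", v) for v in reversed(pushes)))))
            pushes.clear()
    for line in (l.strip() for l in listing.splitlines()):
        if (m := PUSH_RE.match(line)):
            pushes.append(int(m.group(1), 0) & 0xFFFFFFFF)
            continue
        flush_pushes()  # any non-push instruction ends a push run
        if (m := STORE_RE.match(line)):  # mov byte ptr [reg(+disp)], imm8
            reg, disp, imm = m.group(1).lower(), m.group(2), int(m.group(3), 0) & 0xFF
            buf, off = bufs.setdefault(reg, [bytearray(), 0])
            pos = off + (int(disp, 0) if disp else 0)
            buf.extend(b"\0" * (pos + 1 - len(buf)))  # grow the buffer if the store lands past its end
            buf[pos] = imm
            if imm == 0:  # a NUL store terminates the string
                found.append(("mov", _cstring(bytes(bufs.pop(reg)[0]))))
        elif (m := INC_RE.match(line)) and m.group(1).lower() in bufs:
            bufs[m.group(1).lower()][1] += 1  # INC advances the write pointer
    flush_pushes()
    return found
```

Running recover_strings(SAMPLE_LISTING) yields the MOV-built "STR", the PUSH-built "STR" and "kernel32"; the same routine can be pointed at any disassembler text export.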

Generic RE Algorithm

5/30/2016

Source: OpenSecurityTraining
  1. Gather information
    • IAT (Import Address Table)
    • Strings
    • Dynamic analysis
  2. Identify function of interest
  3. Identify CALLs
  4. Identify algorithms and data structures
  5. Pseudo-code it!
    • If you are having trouble, draw the memory and CPU state and map what happens at each instruction
  6. Rename function(s), argument(s), variable(s)
  7. Add comments
  8. GOTO 2

IDC Script: Coloring Unusual Instructions: Anti-Analysis

5/30/2016

#include <idc.idc>

static main() {
    auto start, end, addr, mnem, count, opnd, opnd1, opnd2;

    // Walk every instruction in the segment under the cursor
    start = SegStart( ScreenEA() );
    end = SegEnd( ScreenEA() );
    addr = start; count = 0;
    while( addr < end ) {
        mnem = GetMnem( addr );

        // Common VM detect instructions (descriptor/task register reads)
        if( mnem == "sidt" || mnem == "sgdt" || mnem == "sldt" || mnem == "smsw" || mnem == "str" ) {
            Message( "%08x: Found %s\n", addr, mnem );
            SetColor( addr, CIC_ITEM, 0x0088ff ); // orange (IDA colors are 0xBBGGRR)
        }
        // Read Time Stamp Counter (timing-based debugger detection)
        if( mnem == "rdtsc" ) {
            Message( "%08x: Found %s\n", addr, mnem );
            SetColor( addr, CIC_ITEM, 0xff8800 ); // blue
        }
        // Exception handling (SEH chain) or other PEB/TEB access through fs:
        opnd = "";
        opnd1 = GetOpnd( addr, 0 );
        opnd2 = GetOpnd( addr, 1 );
        if( strstr( opnd1, "fs:" ) > -1 ) {
            opnd = opnd1;
        }
        else {
            if( strstr( opnd2, "fs:" ) > -1 ) opnd = opnd2;
        }
        if( opnd != "" ) {
            Message( "%08x: Found %s\n", addr, opnd );
            SetColor( addr, CIC_ITEM, 0xff8888 ); // purple
        }
        addr = NextHead( addr, BADADDR );
        count = count + 1;
    }
    Message( "Processed %d instructions from %08x to %08x\n", count, start, end );
}