Overview of Binary Reversing Tools

Reverse Engineering
Paul deGrandis
Applications
• Software Maintenance
• Source Code and Documentation Engineering
• Virus Analysis
Malware
• Virus
• Needs a vector for propagation
• Worm
• No vector needed
• Can spread by network shares, email, security holes
Malware
• Trojan Horse
• Performs unstated and undesirable functions
• Spyware, adware, logic bombs, backdoors, rootkits
Anti-Virus
• Integrity Checking
• Static AV Scanners
• Dynamic AV Scanners
Anti-Virus
• Integrity Checking
• Checksum comparison
• Static AV Scanners
• Program properties (registry, system calls)
• Malware byte sequence extraction
Anti-Virus
• Dynamic AV Scanners
• Intercepting system calls
• Analyzing audit trails
• Operation patterns
Procedures For Analysis
• Restrict Access
• Save only disassembled files
• Rename extensions (prevents accidental double-click execution)
• Password protect dangerous files and ZIPs
• NEVER SEND MALWARE
Procedures For Analysis
• Reset Lab Environment
• Static Analysis
• Set up network observation tools
• Set up process observation tools
• Run program
• Observe process actions
• Create/revise client on Linux
• Run client
• Observe network traffic
• Identify services requested
• Create DNS tables
• Run services on Linux
C?G&1$AIJ%.$#10;.#90J(06K
C?G&%-7H:/++$-(F6/%-7H:/++$-(
<://
I>J&AK/%L+57
Tools
• VMware
and restore snapshots
• Isolate
• BinText
• Extracts strings from binary files (code)
• IRC commands, SMTP, registry keys
• Reveals clues: IRC commands, SMTP commands, registry keys
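A BinText-style pass in code, added here as an illustration and not part of the original slides or of BinText itself: it pulls printable ASCII and UTF-16LE runs out of a byte blob and buckets them by the clue categories the slide lists (IRC commands, SMTP commands, registry keys). The sample bytes, the minimum string length and the clue patterns are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample "binary": junk bytes around ASCII and UTF-16LE strings,
# standing in for a Windows executable that a string extractor is run over.
SAMPLE = (
    b"\x00\x01\x02MZ\x90\x00\x03"
    + b"PRIVMSG #chan :hello\x00\x07\x08"
    + b"RCPT TO:<victim@example.invalid>\x00\x00"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\xff\xfe" + b"ab\x00"      # too short to count as a string
    + b"HKEY_LOCAL_MACHINE\x00"
)

MIN_LEN = 5  # assumed cut-off; BinText's default is configurable

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs and UTF-16LE (wide) runs of >= min_len chars."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    found = [r.decode("ascii") for r in ascii_runs]
    found += [r.decode("utf-16-le") for r in wide_runs]
    return found

# Clue patterns for the categories named on the slide (assumed, not exhaustive).
CLUES = {
    "irc": re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PART|QUIT)\b"),
    "smtp": re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA)\b"),
    "registry": re.compile(r"^(HKEY_[A-Z_]+|SOFTWARE\\Microsoft\\Windows\\)", re.I),
}

def classify_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings by the clue pattern they match; unmatched are dropped."""
    hits: Dict[str, List[str]] = {name: [] for name in CLUES}
    for s in strings:
        for name, pattern in CLUES.items():
            if pattern.search(s):
                hits[name].append(s)
    return hits

def triage(data: bytes) -> Dict[str, List[str]]:
    """Extract, then classify: the static first look the slide describes."""
    return classify_strings(extract_strings(data))

if __name__ == "__main__":
    for category, matches in triage(SAMPLE).items():
        print(category, matches)
```

Wide-string extraction matters on Windows binaries because registry paths and URLs are often stored as UTF-16 and an ASCII-only pass misses them.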
Tools
• IDA Pro
• Disassembles executables into assembly instructions
• Easy-to-use interface
• Separates subroutines, creates variable names, color-coded
Tools
• UPX Decompression
• Executable packer
• To unpack:
upx.exe -d -o dest.exe source.exe
Tools
• SysInternals.com
• FileMon - monitors file access
• Records all file accesses
• Freely available from www.sysinternals.com
• RegMon - monitors registry access
• Records all registry accesses
• Freely available from www.sysinternals.com
Tools
• RegShot
• Records modifications to the registry and filesystem, but not reads
• Does not detect read attempts
• Freely available from regshot.yeah.net
Tools
• ProcDump
• Dumps a process's code from memory
• Useful in detecting and analyzing polymorphic viruses
Tools
• OllyDbg
• Attaches to a process
• Breakpoints
• Can actively manipulate memory and registers during operation
• Swiss Army Knife
• Freely available at home.t-online.de/home/Ollydbg
Tools
• Network Activity
• TCPView - displays open network ports
• TDIMon - monitors network activity
• Ethereal/Wireshark - Packet Sniffer
• Snort - IDS / Packet Sniffer
• netcat - Network swiss army knife
Tools
• SysInternals.com
• TCPView - TCP and UDP endpoints and processes
• TDIMon - Logs all network activity, but not packet contents
Tools
• Wireshark (formerly Ethereal)
• Captures and displays all packet contents
• One of your best friends
Tools
• Netcat - reads and writes across data connections using TCP/IP
• Great for probing, listening, debugging, or exploring unknown network behavior
• The other one of your best friends
The Assignment
• Beagle.J (and its cousin Beagle.K)
• Static analysis (BinText, IDA)
• Dynamic Analysis
• Host Side (Registry, process, files)
• Networking (Ports, connections, traffic)
• Propagation, Backdoors