Overview of Binary Reversing Tools
Reverse Engineering
Paul deGrandis

Applications
• Software Maintenance
• Source Code and Documentation Engineering
• Virus Analysis

Malware
• Virus
  • Needs a vector for propagation
• Worm
  • No vector needed
  • Can spread by network shares, email, security holes

Malware
• Trojan Horse
  • Performs unstated and undesirable functions
  • Spyware, adware, logic bombs, backdoors, rootkits

Anti-Virus
• Integrity Checking
• Static AV Scanners
• Dynamic AV Scanners

Anti-Virus
• Integrity Checking
  • Checksum comparison
• Static AV Scanners
  • Program properties (registry, system calls)
  • Malware byte sequence extraction

Anti-Virus
• Dynamic AV Scanners
  • Intercepting system calls
  • Analyzing audit trails
  • Operation patterns

Procedures For Analysis
• Restrict access
• Save only disassembled files
• Rename extensions (prevents double-click)
• Password protect dangerous files and ZIPs
• NEVER SEND MALWARE

Procedures For Analysis
Malware Analysis Process
• Reset lab environment
• Static analysis
• Set up network observation tools
• Set up process observation tools
• Run program
• Observe process actions
• Create/revise client on Linux
• Run client
• Observe network traffic
• Identify services requested
• Create DNS tables
• Run services on Linux

Tools
• VMware and restore snapshots
• Isolate
• UPX compression/decompression
• Free MD5 checksum

Tools
• BinText
  • Extracts strings from binary files (code)
  • Reveals clues: IRC commands, SMTP commands, registry keys

Tools
• IDA Pro
  • Disassembles executables into assembly instructions
  • Easy-to-use interface
  • Separates subroutines, creates variable names, color-coded

Tools
• UPX Decompression
  • Executable packer
  • To unpack: upx.exe -d -o dest.exe source.exe

Tools
SysInternals.com
• FileMon - monitors file access
  • Records all file accesses
  • Freely available from www.SysInternals.com
• RegMon - monitors registry access
  • Records all registry accesses
  • Freely available from www.SysInternals.com

Tools
• RegShot
  • Records modifications to the registry and filesystem, but does not detect reads
  • Freely available from regshot.yeah.net

Tools
• ProcDump
  • Dumps a process's code from memory
  • Useful in detecting and analyzing polymorphic viruses

Tools
• OllyDbg
  • Attaches to a process
  • Breakpoints
  • Can actively manipulate memory and registers during operation
  • Swiss Army Knife
  • Freely available at home.t-online.de/home/Ollydbg

Tools
• Network Activity
  • TCPView - displays open network ports
  • TDIMon - monitors network activity
  • Ethereal/Wireshark - packet sniffer
  • Snort - IDS / packet sniffer
  • netcat - network swiss army knife

Tools
• SysInternals.com
  • TCPView - TCP and UDP endpoints and processes
  • TDIMon - logs all network activity, but not packet contents

Tools
• Wireshark (formerly Ethereal)
  • Captures and displays all packet contents
  • One of your best friends

Tools
• Netcat - reads and writes across data connections using TCP/IP
  • Great for probing, listening, debugging, or exploring unknown network behavior
  • The other one of your best friends

The Assignment
• Beagle.J (and its cousin Beagle.K)
• Static analysis (BinText, IDA)
• Dynamic analysis
  • Host side (registry, process, files)
  • Networking (ports, connections, traffic)
  • Propagation, backdoors
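The BinText and static AV scanner slides describe a strings pass followed by looking for IRC, SMTP and registry clues; the Python below is an added example of that idea, not the slides' own code nor BinText itself, and its sample bytes and clue patterns are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample "binary" (not a real malware sample): junk bytes with a few
# embedded ASCII and UTF-16LE strings of the kinds the BinText slide says it reveals.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"NICK bot1234\x00\x01\x02\x03"
    + b"JOIN #channel\x00"
    + b"HELO mail.example.invalid\x00"
    + b"MAIL FROM:<x@example.invalid>\x00\x01"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00\x7f\x80ab\x00"
)

# Clue patterns, assumed for this example: the IRC, SMTP and registry markers the
# slide lists, anchored so that ordinary words do not trigger them.
CLUES: Dict[str, re.Pattern] = {
    "irc": re.compile(r"^(NICK|USER|JOIN|PRIVMSG) ", re.I),
    "smtp": re.compile(r"^(HELO|EHLO|MAIL FROM:|RCPT TO:)", re.I),
    "registry": re.compile(r"HKEY_|\\CurrentVersion\\Run", re.I),
}

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """BinText-style extraction: printable ASCII runs first, then UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found

def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings by the clue category they match."""
    hits: Dict[str, List[str]] = {name: [] for name in CLUES}
    for s in strings:
        for name, pat in CLUES.items():
            if pat.search(s):
                hits[name].append(s)
    return hits

def static_scan(data: bytes) -> Dict[str, List[str]]:
    """Strings pass followed by clue matching, the static scanner's first step."""
    return classify(extract_strings(data))

if __name__ == "__main__":
    for category, matches in static_scan(SAMPLE).items():
        print(f"{category}: {matches}")
```

Strings inside packed code are not visible this way, which is why the UPX slide's unpack step comes before a strings pass.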