Professional Documents
Culture Documents
Why
2
Reverse engineering vs malware analysis
• You can use a huge amount of utilities and enterprise solutions, but there will come a day when
they don't help you.
• A reverse engineer can add utilities to his toolkit and use automatic solutions.
• A malware analyst will never be able to understand the malicious capabilities without
a reverse engineering if the sample bypasses analyst's tools.
3
I hope you know
4
Programming cycle
linker
• Source • Executable
code • Object file • Running
code process
compiler OS loader
5
Reverse engineering cycle
decompiler
•55 8B EC •void func {
•Push ebp
•Mov ebp
esp
disassembler
6
The code does not differ from the data
Disassembled code
Disassembled data
7
Constant or offset?
8
Little endian
9
Code or data?
10
Assembler as an instrument for reverse engineering
11
Registers
12
General-Purpose Registers
• Accumulator register (EAX). Used in arithmetic operations, also stored return value.
• Counter register (ECX). Used in shift/rotate instructions and loops.
• Data register (EDX). Used in arithmetic operations and I/O operations.
• Base register (EBX). Used as a pointer to data.
• Stack Pointer register (ESP). Pointer to the top of the stack.
• Stack Base Pointer register (EBP). Used to point to the base of the stack.
• Source Index register (ESI). Used as a pointer to a source in stream operations.
• Destination Index register (EDI). Used as a pointer to a destination in stream operations.
13
Instruction Pointer
• EIP - The EIP register contains the address of the next instruction to be executed if
no branching is done.
14
Stack Pointers
• ESP is the current stack pointer. EBP is the base pointer for the current stack frame.
15
EFLAGS
EFLAGS register holds many single bit flags. You should remember the following:
• Sign Flag (SF) – Set equal to the most-significant bit of the result, which is the
sign bit of a single integer. (0 indicates a positive value and 1 indicates a negative value)
16
Instructions
operation
arguments
• Destination first
17
Operand types
18
Addressing Memory
• There is a difference between address of data and data (like pointers)
• Square brackets mean dereference
[0x00B8F416] = CharUpperW
Mov eax, 0x00B8F416 eax = 0x00B8F416
Mov eax, offset aCharupperw eax = 0x00B8F416
Mov eax, [0x00B8F416] eax = 0x43686172
ASCII
0x43 C
0x68 h
0x61 a
0x72 r
0x55 U
0x79 p
19
Basic instructions
• nop
• mov
• lea
• add, sub
• cmp
• test
• xor
• jmp, jz, jnz, je
• push/pop
• call
• ret
• leave
20
nop
21
mov
22
lea
23
add sub
• Add – add
• Sub – substraction
Add eax, 1
Sub ebx, eax
24
cmp
• This instruction basically subtracts one operand from the other for comparing
whether the operands are equal or not.
• It does not disturb the destination or source operands.
• It is used along with the conditional jump instruction for decision making.
25
test
26
xor
27
Jmp/jcc
Branching instructions
• jmp – unconditional jump
• jcc – conditional jumps
• jz – jump if zero
• je – jump if equal
• ja – jump if above
• jb – jump is below
• jnz – jump if not zero
28
Push/pop
Push eax
Push 0x10
Pop eax
29
Call & Ret
call ds:WriteFile
call sub_401887
ret
retn
30
Function prologue and epilogue
C++ ASM
void myfunc (void) push ebp
{ mov ebp, esp
31
Functions
C++ ASM
void myfunc (void) push ebp
{ mov ebp, esp
push ebp
void myfunc2 (void) mov ebp, esp
{ call myfunc
myfunc(); mov esp, ebp
} pop ebp
ret
32
Stack frame
33
Passing arguments
34
Stack frame
myfunc:
push ebp
mov ebp, esp 0x00000000
ESP
myfunc2:
push ebp
mov ebp, esp
call myfunc
mov esp, ebp
pop ebp
ret 0xFFFFFFFF
35
Stack frame
myfunc:
myfunc:
push ebp
ebp
mov ebp,
ebp, esp
esp 0x00000000
mov
mov esp,
esp, ebp
ebp
pop
pop ebp
ebp
ret
ret
ESP
EBP (func2)
myfunc2:
myfunc2:
push ebp
push ebp
mov ebp, esp
mov ebp, esp
call myfunc
call myfunc
mov esp, ebp
mov esp, ebp
pop ebp
pop
ret ebp
ret 0xFFFFFFFF
36
Stack frame
myfunc:
myfunc:
push ebp
ebp
mov ebp,
ebp, esp
esp 0x00000000
mov
mov esp,
esp, ebp
ebp
pop
pop ebp
ebp
ret
ret
EBP ESP
EBP (func2)
myfunc2:
myfunc2:
push ebp
push ebp
mov ebp, esp
mov ebp, esp
call myfunc
call myfunc
mov esp, ebp
mov esp, ebp
pop ebp
pop
ret ebp
ret 0xFFFFFFFF
37
Stack frame
myfunc:
myfunc:
push ebp
ebp
mov ebp,
ebp, esp
esp 0x00000000
mov
mov esp,
esp, ebp
ebp
pop
pop ebp
ebp ESP
ret Return addr
ret
EBP
EBP (func2)
myfunc2:
myfunc2:
push ebp
push ebp
mov ebp, esp
mov ebp, esp
call myfunc
call myfunc
mov esp, ebp
mov esp, ebp
pop ebp
pop
ret ebp
ret 0xFFFFFFFF
38
Stack frame
myfunc:
myfunc:
push ebp
ebp
mov ebp,
ebp, esp
esp 0x00000000
mov
mov esp,
esp, ebp
ebp
pop
pop ebp
ebp ESP
ret Return addr
ret
EBP
EBP (func2)
myfunc2:
myfunc2:
push ebp
push ebp
mov ebp, esp
mov ebp, esp
call myfunc
call myfunc
mov esp, ebp
mov esp, ebp
pop ebp
pop
ret ebp
ret 0xFFFFFFFF
42
Stack frame
myfunc:
myfunc:
push ebp
ebp
mov ebp,
ebp, esp
esp 0x00000000
mov
mov esp,
esp, ebp
ebp
pop
pop ebp
ebp
ret
ret
EBP ESP
EBP (func2)
myfunc2:
myfunc2:
push ebp
push ebp
mov ebp, esp
mov ebp, esp
call myfunc
call myfunc
mov esp, ebp
mov esp, ebp
pop ebp
pop
ret ebp
ret 0xFFFFFFFF
43
Stack frame
myfunc:
myfunc:
push ebp
ebp
mov ebp,
ebp, esp
esp 0x00000000
mov
mov esp,
esp, ebp
ebp
pop
pop ebp
ebp
ret
ret
EBP ESP
EBP (func2)
myfunc2:
myfunc2:
push ebp
push ebp
mov ebp, esp
mov ebp, esp
call myfunc
call myfunc
mov esp, ebp
mov esp, ebp
pop ebp
pop
ret ebp
ret 0xFFFFFFFF
44
Stack frame
myfunc:
myfunc:
push ebp
ebp
mov ebp,
ebp, esp
esp 0x00000000
mov
mov esp,
esp, ebp
ebp
pop
pop ebp
ebp
ret
ret
ESP
myfunc2:
myfunc2:
push ebp
push ebp
mov ebp, esp
mov ebp, esp
call myfunc
call myfunc
mov esp, ebp
mov esp, ebp
pop ebp
pop
ret ebp
ret 0xFFFFFFFF
45
Return value
C++ ASM
int myfunc (void) myfunc:
{ push ebp
int a=0x10; mov ebp, esp
return a; sub esp, 4
} mov [ebp-4],0x10
mov eax, [ebp-4]
pop ebp
ret
46
Return value
myfunc:
push ebp
mov ebp, esp 0x00000000
sub esp, 4
mov [ebp-4],0x10
mov eax, [ebp-4]
mov esp, ebp
pop ebp
ret EBP ESP
EBP v1.0
0xFFFFFFFF
47
Return value
myfunc:
push ebp
mov ebp, esp 0x00000000
sub esp, 4
mov [ebp-4],0x10
mov eax, [ebp-4]
mov esp, ebp
ESP
pop ebp
ret EBP
EBP v1.0
0xFFFFFFFF
48
Return value
myfunc:
push ebp
mov ebp, esp 0x00000000
sub esp, 4
mov [ebp-4],0x10
mov eax, [ebp-4]
mov esp, ebp ESP
pop ebp 0x00000010
ret EBP
EBP v1.0
0xFFFFFFFF
49
Return value
myfunc:
push ebp
mov ebp, esp 0x00000000
sub esp, 4
mov [ebp-4],0x10
mov eax, [ebp-4]
mov esp, ebp ESP
pop ebp 0x00000010
ret EBP
EBP v1.0
0xFFFFFFFF
50
Return value
myfunc:
push ebp
mov ebp, esp 0x00000000
sub esp, 4
mov [ebp-4],0x10
mov eax, [ebp-4]
mov esp, ebp
pop ebp
ret EBP ESP
EBP v1.0
0xFFFFFFFF
51
Return value
myfunc:
push ebp
mov ebp, esp 0x00000000
sub esp, 4
mov [ebp-4],0x10
mov eax, [ebp-4]
mov esp, ebp
pop ebp
ret
ESP
0xFFFFFFFF
52
Passing arguments
myfunc:
push ebp
int myfunc (int b) mov ebp, esp
{ sub esp, 4
int a=0x10; mov [ebp-4],0x10
return a+b; mov eax, [ebp-4]
} mov edx, [ebp+8]
add eax, edx
mov esp, ebp
pop ebp
ret
myfunc2:
push ebp
int myfunc2 (void) mov ebp, esp
{ push 8
myfunc(8); call myfunc
} mov esp, ebp
pop ebp
53
ret
Passing arguments
myfunc2:
push ebp
mov ebp, esp
push 8
call myfunc
mov esp, ebp
pop ebp
ret
EBP ESP
EBP v1.0
0xFFFFFFFF
54
Passing arguments
myfunc2:
push ebp
mov ebp, esp
push 8
call myfunc
mov esp, ebp
pop ebp ESP
ret 0x00000008
EBP
EBP v1.0
0xFFFFFFFF
55
Passing arguments
myfunc:
push ebp
mov ebp, esp
sub esp, 4
mov [ebp-4],0x10
mov eax, [ebp-4] ESP
Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp EBP
EBP v1.0
pop ebp
ret
0xFFFFFFFF
56
Passing arguments
myfunc:
push ebp
mov ebp, esp
sub esp, 4 ESP
mov [ebp-4],0x10 EBP v2.0
mov eax, [ebp-4] Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp EBP
EBP v1.0
pop ebp
ret
0xFFFFFFFF
57
Passing arguments
myfunc:
push ebp
mov ebp, esp
sub esp, 4 EBP ESP
mov [ebp-4],0x10 EBP v2.0
mov eax, [ebp-4] Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp
EBP v1.0
pop ebp
ret
0xFFFFFFFF
58
Passing arguments
myfunc:
push ebp
mov ebp, esp ESP
sub esp, 4 EBP
mov [ebp-4],0x10 EBP v2.0
mov eax, [ebp-4] Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp
EBP v1.0
pop ebp
ret
0xFFFFFFFF
59
Passing arguments
myfunc:
push ebp
mov ebp, esp ESP
0x00000010
sub esp, 4 EBP
mov [ebp-4],0x10 EBP v2.0
mov eax, [ebp-4] Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp
EBP v1.0
pop ebp
ret
0xFFFFFFFF
60
Passing arguments
myfunc:
push ebp
ESP
mov ebp, esp 0x00000010
sub esp, 4 EBP
mov [ebp-4],0x10 EBP v2.0
mov eax, [ebp-4] Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp
EBP v1.0
pop ebp
ret
0xFFFFFFFF
61
Passing arguments
myfunc:
push ebp
ESP
mov ebp, esp 0x00000010
sub esp, 4 EBP
mov [ebp-4],0x10 EBP v2.0
mov eax, [ebp-4] Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp
EBP v1.0
pop ebp
ret
0xFFFFFFFF
62
Passing arguments
myfunc:
push ebp
mov ebp, esp ESP
0x00000010
sub esp, 4 EBP
mov [ebp-4],0x10 EBP v2.0
mov eax, [ebp-4] Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp
EBP v1.0
pop ebp
ret
0xFFFFFFFF
63
Passing arguments
myfunc:
push ebp
mov ebp, esp
sub esp, 4 EBP ESP
mov [ebp-4],0x10 EBP v2.0
mov eax, [ebp-4] Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp
EBP v1.0
pop ebp
ret
0xFFFFFFFF
64
Passing arguments
myfunc:
push ebp
mov ebp, esp
sub esp, 4
mov [ebp-4],0x10
mov eax, [ebp-4] ESP
Return addr
mov edx, [ebp+8]
add eax, edx 0x00000008
mov esp, ebp EBP
EBP v1.0
pop ebp
ret
0xFFFFFFFF
65
Passing arguments
myfunc2:
push ebp
mov ebp, esp
push 8
call myfunc
mov esp, ebp
pop ebp ESP
ret 0x00000008
EBP
EBP v1.0
0xFFFFFFFF
66
Passing arguments
myfunc2:
push ebp
mov ebp, esp
push 8
call myfunc
mov esp, ebp
pop ebp
ret
EBP ESP
EBP v1.0
0xFFFFFFFF
67
Passing arguments
myfunc2:
push ebp
mov ebp, esp
push 8
call myfunc
mov esp, ebp
pop ebp
ret
ESP
0xFFFFFFFF
68
If then
C++ ASM
int ReturnMax(int a, int b)
{ mov eax, [ebp+arg_0]
if (a>b) cmp eax, [ebp+arg_4]
return a; jle short loc_4122DD
else mov eax, [ebp+arg_0]
return b; jmp short loc_4122E0
}
loc_4122DD:
mov eax, [ebp+arg_4]
loc_4122E0:
...
ret
69
Case switch
C++ ASM
char * DoSwitch(int MyNumber) mov ecx, [ebp+arg_0]
{ sub ecx, 1
char * result; cmp ecx, 4
switch (MyNumber) ja short loc_4132F7
{ jmp ds:off_413308[ecx*4]
case 1: loc_4132DC:
result="one"; mov [ebp+var_8], offset aOne
break; jmp short loc_4132FE
case 2: loc_4132E5:
result="two"; mov [ebp+var_8], offset aTwo
break; jmp short loc_4132FE
case 3: loc_4132EE:
case 4: mov [ebp+var_8], offset aMany
case 5: jmp short loc_4132FE
result="many"; loc_4132F7:
break; mov [ebp+var_8], offset aDonTKnow
default: loc_4132FE:
result="don't know"; mov eax, [ebp+var_8]
}
return result; off_413308 dd offset loc_4132DC
} dd offset loc_4132E5
dd offset loc_4132EE
dd offset loc_4132EE
dd offset loc_4132EE
70
Prologue
int main()
{
char buf[100];
printf("Input your string:\n");
scanf("%s", &buf);
if (strlen(buf) <= 5)
printf("Too short\n");
else
printf("%s\n", buf);
return 0
}
71
Assignment
int main()
{
char buf[100];
printf("Input your string:\n");
scanf("%s", &buf);
if (strlen(buf) <= 5)
printf("Too short\n");
else
printf("%s\n", buf);
return 0
}
72
Branching
int main()
{
char buf[100];
printf("Input your string:\n");
scanf("%s", &buf);
if (strlen(buf) <= 5)
printf("Too short\n");
else
printf("%s\n", buf);
return 0
}
73
Call
int main()
{
char buf[100];
printf("Input your string:\n");
scanf("%s", &buf);
if (strlen(buf) <= 5)
printf("Too short\n");
else
printf("%s\n", buf);
return 0
}
74
Epilogue
int main()
{
char buf[100];
printf("Input your string:\n");
scanf("%s", &buf);
if (strlen(buf) <= 5)
printf("Too short\n");
else
printf("%s\n", buf);
return 0
}
75
Call
Assigment Calls
78
v1
79
v1
Hex Rays
Source code
80
v2
v2
Hex Rays Source code
82
v3
83
v3
Hex Rays Source code
84
v4
85
v4
86
v5
87
v5
88
PE format
89
File Header
90
Optional Header
91
Section headers
92
Export directory
93
Import directory
94
Resource editor
95
Most important things in PE
PE signature
• MZ (4D 5A)
DOS STUB
• “This program cannot be run in MS-DOS mode.”
TimeDateStamp
• The time that the linker produced this file
ImageBase
• When the linker creates an executable, it assumes that the file will be memory-mapped to a specific location in memory. Default base address for Win32 executables is
0x400000
AddressOfEntryPoint
• the address where the loader will begin execution
Section headers
• they should be repaired for correct dumping
96
Import table
97
Malware functions
98
Using MSDN
99
Understanding WinApi
100
Understanding WinApi
101
Understanding WinApi
102
Handles
103
Handles
104
Return Value
105
Creating new threads
• StartAddress
• Sub_402530
• Sub_404030
106
Creating new threads
• SetThreadPriority - sets the priority value for the specified thread.
This value, together with the priority class of the thread's process,
determines the thread's base priority level.
107
Working with registry
• HKEY_CURRENT_USER\\Software\\0
108
Set registry value
109
Delete registry key
• RegDeleteKeyA - Deletes a subkey and its values. Note that key
names are not case sensitive.
110
Find Files
• FindFirstFile - Searches a directory for a file or
subdirectory with a name that matches a specific
name
• FindNextFile - Continues a file search from a
previous call to the FindFirstFile
• FindClose - Closes a file search handle opened by
the FindFirstFile
111
Reading Files
• CreateFileW - Creates or opens a file or I/O
device. The function returns a handle that can
be used to access the file or device for various
types.
112
Writing files
113
Get functions
114
Sleeping
115
Sockets
• Socket - creates a socket that is bound to a specific
transport service provider. Af = 2, so it is The Internet
Protocol version 4 (IPv4) address family.
116
Socket structure
117
Api hooks
Manipulate
Rootkits
application Self spreading
activities
data
Stealing
Persistence
credentials
118
Api hooking (splicing)
VirtualProtect() WriteProcessMemory()
• Get address of • Save first bytes • Restore original
function • Set memory of function • Overwrite first permissions
permissions to bytes to jmp
read/write <offset
handler>
GetProcAddress() ReadProcessMemory() VirtualProtect()
119
Api hooks
plaintext
Windows
Call CryptEncrypt
CryptEncrypt
ciphertext
120
Api hooks (splicing)
Store Data
(evil code)
plaintext
Call windows
CryptEncrypt CryptEncrypt
Jmp to evil
code
121
Find hooks
122
Hooks handlers
123
Inject techniques
Hide Get
malicious application
code data
Persistance
124
Classic injection
VirtualAllocEx CreateRemoteThread()
• Get handle to • Write payload
target process • Allocate a new into target • Start a new
chunk of process as thread
memory in separate RWE
target process
OpenProcess() WriteProcessMemory
125
DLL injection
VirtualAllocEx() GetProcAddress()
• Take handle to • Write DLL name • Instruct the target
target process of DLL path into process to
• Allocate a new allocated chunk • Find address of LoadLibraryA()
chunk of memory LoadLibraryA() malicious DLL
in target process
126
DLL hijacking
Place a malicious DLL into working directory with the same name as DLL used by the application
Make sure that the malicious DLL can run functions from the original to prevent the application
from crashing
127
Process Hollowing
128
Process Hollowing
WriteProcessMemory() ResumeThread()
• Create • Set up
suspended • Write payload execution • Resume process
process instead of with malicious
original process code
code
CreateProcessW() SetThreadContext()
129
Process Hollowing
130
Process Hollowing
131
Reflective DLL Injectoin
https://github.com/stephenfewer/ReflectiveDLLInjection
132
Reflective DLL Injectoin
Call ReflectiveLoader()
133
Reflective DLL Injection
134
Persistence via registry
HKLM\SOFTWARE\Microsoft\Windows
NT\Current Version\Windows\Appinit_Dlls
135
Process memory structure
136
RWE sections
137
RWE sections
138
Protected malware
139
Packers
140
Packers
Original executable before packing Unpacked executable in memory
PE Header PE Header
141
Protected malware
Packed EP Unpacked EP
142
Protected malware
Packed Unpacked
143
Protected malware
Packed
Unpacked
144
Self modified code
145
Encrypted strings
146
Anti-debug tricks
147
Anti-VM tricks
148
Anti-VM tricks
149
Anti-sandbox tricks
150
Api hash
151
Hidden configuration files
Read encrypted
Take C&C from
config from Decrypt config
config
registry
152
Encrypted payload
153
Сheck availability of the Internet
154
Сheck Internet history
155
Trifonov Vitalii
trifonov@group-ib.com