
Binary Analysis

John Davison

Binary Analysis Defined

The examination of a file to determine the authenticity and functionality of the file

Why Binary Analysis

In an intrusion investigation, the unknown binary could be the key to the case. It could be a benign file. It could be a legitimate file. Either way, for a case going to prosecution it is necessary to ensure thoroughness.

Conducted In Addition
Operating System Analysis
Registry Analysis
Processes Analysis
Reverse Engineering


Steps in Binary Analysis

Header
Libraries
Body
Footer
Strings
Metadata
Packers/Compressors

File Header
Signature Analysis
File headers of interest:
4D 5A (MZ)
00 00 00 4D 5A (MZ)

File Libraries
Compare the Dynamic Link Library files (DLLs) the binary uses to known files. Hackers usually give Trojan files the names of legitimate files.

File Body
Compare a known file to the unknown file. We are looking at the hex (byte-level) contents.

File Footer
Compare the known file to the unknown file. Verisign and Hotfix 1234 are normally a good sign.

File Strings

Compare a known file to the unknown file.
Command line: >strings filename

Strings v2.3
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals - script block
VBScript
!This program cannot be run in DOS mode.
$Rich
.text
`.data
.rsrc
@.reloc
B{N
ADVAPI32.dll
GDI32.dll
KERNEL32.dll
NTDLL.DLL
MFC42.DLL
msvcrt.dll
ole32.dll
OLEAUT32.dll
USER32.dll

File Strings Continued

Compare two files using a program like diff for Linux or cfdiff for Windows.
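The header signature check, the DLL name comparison and the strings listing described above, carried out in code. This is an added example written for this page, not code from the original deck; the sample bytes are constructed to mimic the deck's strings output and are not a real executable.

```python
import re
import struct
from typing import List, Optional

MZ_MAGIC = b"MZ"          # 4D 5A, the DOS header signature from the slide
PE_MAGIC = b"PE\x00\x00"  # 50 45 00 00, the NT header signature e_lfanew points to


def check_pe_signature(data: bytes) -> Optional[int]:
    """Return the offset of the PE signature if both signatures check out, else None."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    # e_lfanew lives at offset 0x3C of the DOS header (little-endian DWORD)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return None
    return e_lfanew


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def imported_dll_names(strings: List[str]) -> List[str]:
    """Strings that look like DLL names: the candidates to compare against known-good lists."""
    return sorted({s for s in strings if s.lower().endswith(".dll")})


# Constructed sample: a minimal DOS header, e_lfanew pointing at 0x40, the PE
# signature, then a few strings similar to the deck's listing.
SAMPLE = bytearray(b"MZ" + b"\x00" * 0x3A)
SAMPLE += struct.pack("<I", 0x40)          # e_lfanew -> 0x40
SAMPLE += PE_MAGIC
SAMPLE += b"\x00" * 8
SAMPLE += b"!This program cannot be run in DOS mode.\x00"
SAMPLE += b".text\x00.data\x00KERNEL32.dll\x00ADVAPI32.dll\x00ab\x00"
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    print("PE signature at:", check_pe_signature(SAMPLE))
    found = extract_strings(SAMPLE)
    print("strings:", found)
    print("DLL names to compare against known files:", imported_dll_names(found))
```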

File Metadata
Data that is used to describe other data. Metadata is stored in plain text.

Binary packers/compressors offer the hacker numerous advantages:
1. Masks the contents of the file from our eyes
2. Smaller files = faster uploads
3. Can trick an IDS due to signature differences

Types of Packers
The most common type is UPX. This is easily unpacked with the UPX toolkit. WinRAR is a great tool to unpack exe files.

Static vs Runtime Analysis

Use static analysis for object code (pre-linking). Use runtime analysis for executable code (post-linking).

Runtime Analysis
Many things may happen when a file is run:
1. Direct access to system resources (RAM, HDDs, etc.)
2. Net libraries may execute
3. Registry changes may be made
4. May affect or disable other programs
5. May open the system up for further attacks

Sandbox
A system that is closed and can be closely monitored. The best sandbox is a virtual machine:
1. Easy to configure as needed
2. No risk of harming production machines/networks
3. Easy to pull the plug if something goes horribly wrong

Sandbox Continued
Two good Windows Virtual Machine Products
VMware
Virtual PC by Microsoft

Sandbox Continued
Need to monitor ports, registry, and new files added to system
1. System hash of the Virtual PC file (vmdk files)
2. Regmon from
3. ZoneAlarm from
4. Or use fport, pslist, netstat, and psservice

Running the Binary

Run the binary. IDA Pro running in the background will capture (
A debugger allows you to step through code. A disassembler allows you to create maps of its execution. This gets into reverse engineering.