malware packers for dummies
play

Malware Packers For Dummies Joan Calvet j04n.calvet@gmail.com - PowerPoint PPT Presentation

Jun 29, 2023 •5 likes •435 views

Tripoux: Reverse-Engineering Of Malware Packers For Dummies Joan Calvet j04n.calvet@gmail.com Deepsec 2010 The Context (1) A lot of malware families use home-made packers to protect their binaries, following a standard model: EP OEP

  1. Tripoux: Reverse-Engineering Of Malware Packers For Dummies Joan Calvet – j04n.calvet@gmail.com Deepsec 2010

  2. The Context (1) • A lot of malware families use home-made packers to protect their binaries, following a standard model: EP OEP Original Unpacking code binary • The unpacking code is automatically modified for each new distributed binary. Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 2

  3. The Context (2) • Usually people are only interested into the original binary : 1. It’s where the “real” malware behaviour is. 2. It’s hard to understand packers. Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 3

  4. The Context (3) • But developing an understanding of the unpacking code helps to: – Get an easy access to the original binary (sometimes “generic unpacking algorithm” fails..!) – Build signatures (malware writers are lazy and there are often common algorithms into the different packer’s instances) – Find interesting pieces of code: checks against the environment, obfuscation techniques,... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 4

  5. The Question Why the human analysis of such packers is difficult, especially for beginners ? Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 5

  6. When trying to understand a packer, we can not just sit and observe the API calls made by the binary: • This is only a small part of the packer code • There can be useless API calls (to trick emulators,sandboxes...) We have to dig into the assembly code, that brings the first problem... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 6

  7. Problem 1: x86 Semantic • The x86 assembly language is pretty hard to learn and manipulate. • Mainly because of inexplicit side-effects and different operation semantics depending on the machine state (operands, flags): MOVSB Read ESI, Read EDI, Read [ESI], Write [EDI] If the DF flag is 0 , the ESI and EDI register are incremented If the DF flag is 1 , the ESI and EDI register are decremented Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 7

  8. Problem 1: x86 Semantic • When playing with standard code coming from a compiler, you only have to be familiar with a small subset of the x86 instruction set. • But we are in a different world... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 8

  9. Problem 1: x86 Semantic Example : Win32.Waledac’s packer Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 9

  10. Problem 2: Amount Of Information • Common packed binaries have several million instructions executed into the protection layers. • Unlike standard code, we can not say that each of these line has a purpose. • It’s often very hard to choose the right abstraction level when looking at the packed binary: “Should I really understand all these lines of code ?” Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 10

  11. Problem 2: Amount Of Information Example : Win32.Swizzor’s packer Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 11

  12. Problem 3: Absence Of (easily seen) High-Level Abstractions • We like to “divide and conquer” complicated problems. • In a standard binary: ... This is a function! We can thus consider the code inside it as a “block” that shares a common purpose Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 12

  13. Problem 3: Absence Of (easily seen) High-Level Abstractions • But in our world, we can have: Win32.Swizzor’s packer Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 13

  14. Problem 3: Absence Of (easily seen) High-Level Abstractions • No easy way left to detect functions and thus divide our analysis in sub-parts. • Also true for data: no more high-level structures , only a big array called memory. Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 14

  15. The Good News • Most of the time there is only one “interesting” path inside the protection layers (the one that actually unpacks the original binary). • It’s pretty easy to detect that we have taken the “good” path : suspicious behaviour (network packets, registry modifications...) that indicate a successful unpacking. Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 15

  16. Proposed Solution • Let’s use this fact and adopt a pure dynamic analysis approach : – Trace the packed binary and collect the x86 side- effects (address problem 1) – Define an intermediate representation with some high level abstractions (address problem 3) – Build some visualization tools to easily navigate through the collected information (address problem 2) Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 16

  17. Project Architecture Static instructions High level Timeline view Dynamic instructions TRACER CORE ENGINE Execution details IDA Pro Program environment Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 17

  18. How to collect a maximum of information about the malware execution ? STEP 1: THE TRACER 18

  19. Tracing Engine (1) • Pin : dynamic binary instrumentation framework: – Insert arbitrary code (C++) in the executable (JIT compiler) – Rich library to manipulate assembly instructions, basic blocks, library functions … – Deals with self-modifying code • Check it at http://www.pintool.org/ • But what information do we want to gather at run- time ? Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 19

  20. Tracing Engine (2) 1. Detailed description of the executed x86 instructions – Binary code, address, size – Instruction “type”: • (Un)Conditional branch • (In)Direct branch • Stack related Make post-analysis easier • Throws an exception • API call • ... – Data-flow information : • Memory access (@ + size) • Register access Make side-effects explicit (Problem 1!) – Flags access: read and possibly modified 20

  21. Tracing Engine (3) 2. Interactions with the operating system: – The “official” way: API function calls • We only trace the malware code thanks to API calls detection (dynamically and statically linked libraries). • We dump the IN and OUT arguments of each API call , plus the return value, thanks to the knowledge of the API functions prototypes. – The “unofficial” way: direct access to user land Windows structures like the PEB and the TEB : • We gather their base address at runtime (randomization!) 21

  22. Tracing Engine (4) 3. Output: 1: Dynamic instructions file Time Address Hash Effects RR_ebx_eax 1 0x40100a 0x397cb40 WR_ebx RM_419c51_1 2 0x40100b 0x455e010 RR_ebx ... 2: Static instructions file Binary Hash Length Type W Flags R Flags code 0x397cb40 1 0 0 8D4 43 0x455e010 1 60 0 0 5E ... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 22

  23. Tracing Engine (5) 3. Output: 3: Program environment Type Module name Address DOSH ADVAPI32.DLL 77da0000 PE32H ADVAPI32.DLL 77da00f0 PE32H msvcrt.dll 77be00e8 DOSH DNSAPI.dll 76ed0000 PEB 0 7ffdc000 TEB 0 7ffdf000 ... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 23

  24. STEP 2: THE CORE ENGINE 24

  25. The Core Engine (1) • Translate the tracer output into something usable. • Set up some high-level abstractions onto the trace (Problem 3): – Waves – Loops 25

  26. The Core Engine (2) 1. Waves: • Represent a subset of the trace where there is no self-modification code : Two instructions i and j are in the same wave if i doesn’t modify j and j doesn’t modify i . • Easy to detect in the trace: – Store the written memory by each instruction. – If we execute a written instruction: end of the current wave and start of a new wave. 26

  27. The Core Engine (3) 2. Loops: • Instructions inside a loop have a common goal : memory decryption, research of some specific information, anti-emulation... • Thus they are good candidate for abstraction! • But how to detect loops ? 27

  28. The Core Engine (4) 2. Loops: TRACE POINT OF VIEW (SIMPLIFIED) STATIC POINT OF VIEW EXECUTED TIME INSTRUCTION1 1 INSTRUCTION2 2 INSTRUCTION3 3 INSTRUCTION1 4 INSTRUCTION2 5 … … When tracing a binary, can we just define a loop as the repetition of an instruction ? 28

  29. The Core Engine (5) 2. Loops: TRACE POINT OF VIEW (SIMPLIFIED) STATIC POINT OF VIEW EXECUTED TIME INSTRUCTION1 1 INSTRUCTION5 2 INSTRUCTION6 3 INSTRUCTION2 4 … … INSTRUCTION3 5 INSTRUCTION5 6 INSTRUCTION6 7 This is not a loop ! So what’s a loop ? 29

  30. The Core Engine (6) 2. Loops: (SIMPLIFIED) STATIC POINT OF VIEW TRACE POINT OF VIEW EXECUTED TIME INSTRUCTION1 1 INSTRUCTION2 2 INSTRUCTION3 3 INSTRUCTION1 4 INSTRUCTION2 5 INSTRUCTION3 6 INSTRUCTION1 7 … … What actually define the loop, is the back edge between instructions 3 and 1. 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%) 80% of new malware are packed with various packers Malware Obfuscation Techniques: Packing 2 Malware and packing Not packed (20%) 80%

985 views • 51 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
Do dummies pay off? Limits of dummy traffic protection in anonymous communication systems Simon

Do dummies pay off? Limits of dummy traffic protection in anonymous communication systems Simon

Do dummies pay off? Limits of dummy traffic protection in anonymous communication systems Simon Oya , Carmela Troncoso and Fernando Prez-Gonzlez Introduction Anonymous channels hide correspondences (input/output). Dummies are a common

402 views • 18 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Qualitative and Quantitative Evaluation of Software Packers Mar a Baz guez , Jos us,

Qualitative and Quantitative Evaluation of Software Packers Mar a Baz guez , Jos us,

Qualitative and Quantitative Evaluation of Software Packers Mar a Baz guez , Jos us, Ricardo J. Rodr e Merseguer All wrongs reversed rjrodriguez@unizar.es @RicardoJRdez www.ricardojrodriguez.es Department of Computer

505 views • 47 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

Ein Blick in die Hexenkche der Exploit Entwickler aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 2 27/03/2018 // Exploit Development for Dummies

613 views • 48 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
Local Council Finance and Public Perceptions of Spending in Local Areas Mo Baines Head of

Local Council Finance and Public Perceptions of Spending in Local Areas Mo Baines Head of

Local Council Finance and Public Perceptions of Spending in Local Areas Mo Baines Head of Communication and Coordination www.apse.org.uk The big picture on finance www.apse.org.uk Reductions in spending Headline on core spending 0.5%

560 views • 24 slides
Community Service Grant 101 Kate Arno Director, TV CSG Policy & Review Andrew Charnik

Community Service Grant 101 Kate Arno Director, TV CSG Policy & Review Andrew Charnik

Community Service Grant 101 Kate Arno Director, TV CSG Policy & Review Andrew Charnik Director, Radio CSG Policy & Administration 576 CSG radio and TV grantees operating 1,488 stations Photos courtesy The Nebraska Network 2 170 TV

984 views • 45 slides
Revenue Estimates 2017-2022 Lorraine Gore Executive Director Finance Services Cllr Nick

Revenue Estimates 2017-2022 Lorraine Gore Executive Director Finance Services Cllr Nick

Revenue Estimates 2017-2022 Lorraine Gore Executive Director Finance Services Cllr Nick Daubney, Leader and Cabinet (Section 151 Officer) Member for Resources www.west-norfolk.gov.uk The Budget 2018-2022 will be considered by Cabinet in

523 views • 35 slides
FINANCIAL POLICY PANEL 2 FEBRUARY 2017 2017/18 BUDGET AND COUNCIL TAX REPORT PRESENTATION Report

FINANCIAL POLICY PANEL 2 FEBRUARY 2017 2017/18 BUDGET AND COUNCIL TAX REPORT PRESENTATION Report

FINANCIAL POLICY PANEL 2 FEBRUARY 2017 2017/18 BUDGET AND COUNCIL TAX REPORT PRESENTATION Report of the: Head of Financial Services Contact: Lee Duffy Annexes/Appendices (attached): Annexe 1: Overview of 2017/18 Estimates Annexe 2:

191 views • 15 slides
Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for .NET are easy to reverse engineer. This is not in any way a fault in the design of .NET; it is simply a reality of modern, intermediate-compiled

132 views • 10 slides
Reverse-engineering CAN bus messages using OBD-II and correlation coefficients Bram

Reverse-engineering CAN bus messages using OBD-II and correlation coefficients Bram

Reverse-engineering CAN bus messages using OBD-II and correlation coefficients Bram Blaauwendraad & Vincent Kieberl Supervisors: Ruben Koeze & Sander Ubink, KPMG What is OBD-II? On-Board Diagnostics II High level protocol that

419 views • 23 slides
Approximate Congruence Detection of Model Features for Reverse Engineering C. H. Gao, F. C.

Approximate Congruence Detection of Model Features for Reverse Engineering C. H. Gao, F. C.

Approximate Congruence Detection of Model Features for Reverse Engineering C. H. Gao, F. C. Langbein, A. D. Marshall and R. R. Martin ralph@cs.cf.ac.uk Department of Computer Science, Cardiff University, Wales, UK Congruence Detection

388 views • 28 slides
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland National Cybersecurity and Communications Integration Center Security whoami Cyber Threat Analyst at Northrop Grumman Performed wide range of

550 views • 20 slides

More recommend