Reverse Engineering Paul deGrandis Applications Software - - PowerPoint PPT Presentation



SLIDE 1

Reverse Engineering

Paul deGrandis

SLIDE 2

Applications

  • Software Maintenance
  • Source Code and Documentation Engineering
  • Virus Analysis
SLIDE 3

Malware

  • Virus
    • Needs a vector for propagation: it rides on a host file and on something that carries or runs that file
  • Worm
    • No vector needed: it propagates on its own
    • Can spread by network shares, email, security holes

SLIDE 4

Malware

  • Trojan Horse
    • Performs unstated and undesirable functions
  • Spyware, adware, logic bombs, backdoors, rootkits

SLIDE 5

Anti-Virus

  • Integrity Checking
  • Static AV Scanners
  • Dynamic AV Scanners
SLIDE 6

Anti-Virus

  • Integrity Checking
    • Checksum comparison against a known-good baseline
  • Static AV Scanners
    • Program properties (registry, system calls)
    • Malware byte sequence extraction (signatures)
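The two static techniques on this slide in working form, as an added example that is not part of the original slides: a checksum baseline compared against the current state of a set of files (integrity checking), and a scan of the same files for known byte sequences (a static signature scanner). The file contents and the two signatures are constructed for illustration and are not real malware patterns.

```python
"""Added example (not from the slides): integrity checking by checksum
comparison, plus a byte-sequence signature scan over the same files."""
import hashlib

# Constructed "filesystem" snapshots: path -> file bytes. A real checker
# reads these from disk; the bytes here only stand in for PE images.
BASELINE_FILES = {
    "C:/Windows/notepad.exe": b"MZ\x90\x00 notepad image bytes",
    "C:/Windows/calc.exe": b"MZ\x90\x00 calc image bytes",
    "C:/Windows/hh.exe": b"MZ\x90\x00 hh image bytes",
}
CURRENT_FILES = {
    "C:/Windows/notepad.exe": b"MZ\x90\x00 notepad image bytes",            # unchanged
    "C:/Windows/calc.exe": b"MZ\x90\x00 calc image bytes PRIVMSG #bots :",  # modified
    "C:/Windows/svhost32.exe": b"MZ\x90\x00 dropped file CurrentVersion\\Run",  # new
}

# Constructed signatures: name -> byte sequence the static scanner looks for.
SIGNATURES = {
    "irc-bot-string": b"PRIVMSG #bots",
    "run-key-autostart": b"CurrentVersion\\Run",
}


def build_baseline(files):
    """Checksum every file once, while the system is known to be clean."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_check(baseline, files):
    """Compare current checksums with the baseline; report every difference."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def scan_signatures(data, signatures):
    """Return the names of all signatures whose byte sequence occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_files(files, signatures):
    """Run the signature scan over every file; keep only files with hits."""
    hits = {}
    for path, data in files.items():
        matched = scan_signatures(data, signatures)
        if matched:
            hits[path] = matched
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)
    print(integrity_check(baseline, CURRENT_FILES))
    print(scan_files(CURRENT_FILES, SIGNATURES))
```

The two checks fail in different ways: the integrity check only notices files that were in the baseline or appeared since, and says nothing about what changed; the signature scan names the threat but only for byte sequences already known, so packed or polymorphic code (slides 12 and 15) passes it untouched.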
SLIDE 7

Anti-Virus

  • Dynamic AV Scanners
    • Intercepting system calls
    • Analyzing audit trails
    • Operation patterns
SLIDE 8

Procedures For Analysis

  • Restrict access to the samples
  • Save only disassembled files
  • Rename extensions so an accidental double-click cannot run the sample
  • Password-protect dangerous files and ZIP archives
  • NEVER SEND MALWARE
SLIDE 9

Procedures For Analysis

(Flowchart on the slide; node labels in reading order)

  • Reset Lab Environment
  • Set up network observation tools
  • Run program
  • Observe network traffic
  • Identify services requested
  • Create DNS tables
  • Run services on Linux
  • Observe process actions
  • Create/revise client on Linux
  • Set up process observation tools
  • Run client
  • Static Analysis

SLIDE 10

Tools

  • VMware
    • Isolate and restore snapshots
  • BinText
    • Extracts strings from binary files (code)
    • IRC commands, SMTP, registry keys
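What BinText does, as an added example that is not part of the original slides: pull printable ASCII and UTF-16LE strings out of a binary and tag the ones that look like IRC commands, SMTP verbs or registry keys. The sample bytes are constructed for illustration, and the indicator patterns are this example's own choice of keywords, not a list from the slides.

```python
"""Added example (not from the slides): a minimal BinText-style string
extractor with indicator tagging for IRC, SMTP and registry strings."""
import re

MIN_LEN = 5

# Runs of printable ASCII, and runs of printable ASCII encoded as UTF-16LE
# (each character followed by a NUL byte), as Windows binaries store them.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicator patterns chosen for this example.
INDICATORS = {
    "irc": re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PASS|MODE)\b"),
    "smtp": re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA)\b"),
    "registry": re.compile(r"(HKEY_|HKLM|HKCU|Software\\Microsoft\\Windows\\CurrentVersion)"),
}


def extract_strings(data):
    """Return (offset, encoding, text) for every string found, by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(strings):
    """Group the extracted strings by the indicator pattern they match."""
    tagged = {}
    for _, _, text in strings:
        for tag, rx in INDICATORS.items():
            if rx.search(text):
                tagged.setdefault(tag, []).append(text)
    return tagged


# Constructed sample: header noise, a few ASCII strings, a UTF-16LE registry
# path and an import name. Not taken from any real binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"NICK botnick123\x00"
    b"\x01\x02\x03"
    b"JOIN #control\x00"
    b"HELO mail.example.test\x00"
    b"\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00kernel32.dll\x00"
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for offset, enc, text in strings:
        print(f"{offset:08x} {enc:5} {text}")
    print(classify(strings))
```

Strings tell you where to look, not what the code does: the registry path above is only a hint that the sample may set an autostart key, to be confirmed in IDA or by watching RegMon while it runs.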

SLIDE 11

Tools

  • IDA Pro
    • Disassembles executables into assembly

SLIDE 12

Tools

  • UPX Decompression
    • UPX is an executable packer
    • To unpack (-d decompresses, -o names the output file):

upx.exe -d -o dest.exe source.exe
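Before running upx -d you have to recognise a packed sample. As an added example that is not part of the original slides, this script reads the PE section table and flags UPX-style section names and near-random (high-entropy) section contents. The PE images are constructed in memory by build_pe(), a helper written for this example; a real analysis reads the sample file from disk.

```python
"""Added example (not from the slides): detect UPX-style packing from the
PE section table and per-section entropy."""
import math
import random
import struct
from collections import Counter

PE_SIGNATURE = b"PE\x00\x00"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def parse_sections(image):
    """Return [(name, raw_bytes)] for each section of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, (12 bytes), SizeOfOptionalHeader, Characteristics
    num_sections, size_opt = struct.unpack_from("<xxH12xH2x", image, coff)
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        sections.append((name.rstrip(b"\x00"), image[raw_ptr:raw_ptr + raw_size]))
    return sections


def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data is near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_verdict(image):
    sections = parse_sections(image)
    names = [n for n, _ in sections]
    upx_named = any(n in UPX_SECTION_NAMES for n in names)
    high_entropy = any(entropy(d) > 7.0 for _, d in sections if len(d) >= 256)
    return {
        "sections": [n.decode("latin-1") for n in names],
        "upx_names": upx_named,
        "high_entropy": high_entropy,
        "likely_packed": upx_named or high_entropy,
    }


def build_pe(section_specs):
    """Construct a minimal PE32 image with the given [(name, raw_bytes)] sections (test fixture)."""
    num, size_opt, e_lfanew = len(section_specs), 0xE0, 0x40
    raw_ptr = e_lfanew + 4 + 20 + size_opt + 40 * num
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)
    table, body = b"", b""
    for name, raw in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(raw), 0x1000,
                             len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
    return dos + PE_SIGNATURE + coff + opt + table + body


# Constructed samples: random bytes stand in for a compressed UPX1 body.
_rng = random.Random(1)
PACKED_BODY = bytes(_rng.getrandbits(8) for _ in range(4096))
UPX_IMAGE = build_pe([(b"UPX0", b""), (b"UPX1", PACKED_BODY), (b".rsrc", b"\x00" * 512)])
PLAIN_IMAGE = build_pe([(b".text", b"\x55\x8b\xec" * 400 + b"\xc3"), (b".data", b"Hello\x00" * 100)])

if __name__ == "__main__":
    print(packer_verdict(UPX_IMAGE))
    print(packer_verdict(PLAIN_IMAGE))
```

Section names are trivial to rename, so the entropy heuristic is the one that survives a modified packer; conversely a legitimate installer with a compressed resource section will also score high, which is why the verdict is "likely packed" and the confirmation is still to unpack it and look.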

SLIDE 13

Tools

  • SysInternals.com
    • FileMon - monitors file access
    • RegMon - monitors registry access
SLIDE 14

Tools

  • RegShot
    • Records modifications to the registry, but not reads

SLIDE 15

Tools

  • ProcDump
    • Dumps a process's code from memory
    • Useful for detecting and analyzing polymorphic viruses, whose decoded code exists only in memory

SLIDE 16

Tools

  • OllyDbg
    • Attaches to a process
    • Can actively manipulate memory and registers during operation
    • Swiss Army Knife
SLIDE 17

Tools

  • Network Activity
    • TCPView - displays open network ports
    • TDIMon - monitors network activity
    • Ethereal/Wireshark - packet sniffer
    • Snort - IDS / packet sniffer
    • netcat - network Swiss Army Knife
SLIDE 18

Tools

  • SysInternals.com
    • TCPView - TCP and UDP endpoints and the processes that own them
    • TDIMon - logs all network activity, but not packet contents

SLIDE 19

Tools

  • Wireshark (formerly Ethereal)
    • Captures and displays all packet contents
    • One of your best friends
SLIDE 20

Tools

  • Netcat
    • Reads and writes across data connections using TCP/IP
    • Great for probing, listening, debugging, or exploring unknown network behavior
    • The other one of your best friends
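The listening use of netcat from this slide, and the "run services on Linux, observe, create a client" loop from the analysis flowchart, as an added example that is not part of the original slides: a sinkhole listener on localhost plays the service the sample tries to reach, sends a banner and records the first line the connecting program says, which is how an unknown protocol gets learned when the real server is out of reach. Both sides run in this one script so it works offline; the banner and the client payload are constructed and are not real malware traffic.

```python
"""Added example (not from the slides): a netcat-style sinkhole listener and
the probe that talks to it, both on 127.0.0.1."""
import socket
import threading


def sinkhole_listener(banner, results, ready, stop_after=1, timeout=5.0):
    """Listen on an ephemeral localhost port, greet each client with banner,
    and record the first line each client sends into results["requests"]."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(timeout)
    results["port"] = srv.getsockname()[1]
    results["requests"] = []
    ready.set()                        # tell the caller which port to hit
    try:
        for _ in range(stop_after):
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(timeout)
                conn.sendall(banner)   # fake service banner, e.g. an SMTP 220 line
                data = b""
                while not data.endswith(b"\r\n"):   # read one protocol line
                    chunk = conn.recv(4096)
                    if not chunk:      # client closed without finishing a line
                        break
                    data += chunk
                results["requests"].append((peer[0], data))
    finally:
        srv.close()


def probe_service(port, payload, timeout=5.0):
    """Client side (the role the sample plays): connect, read the banner,
    send payload, return the banner that was received."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
        banner = c.recv(4096)
        c.sendall(payload)
        return banner


def run_exchange(banner, payload):
    """Run listener and probe together; return (banner seen by client, requests seen by listener)."""
    results, ready = {}, threading.Event()
    t = threading.Thread(target=sinkhole_listener, args=(banner, results, ready), daemon=True)
    t.start()
    ready.wait(5.0)
    seen_banner = probe_service(results["port"], payload)
    t.join(5.0)
    return seen_banner, results["requests"]


# Constructed traffic for the demonstration.
FAKE_SMTP_BANNER = b"220 mail.lab.test ESMTP ready\r\n"
CONSTRUCTED_CLIENT_HELLO = b"EHLO infected-host\r\n"

if __name__ == "__main__":
    banner, requests = run_exchange(FAKE_SMTP_BANNER, CONSTRUCTED_CLIENT_HELLO)
    print("client saw banner:", banner)
    for peer, line in requests:
        print(f"listener got from {peer}: {line!r}")
```

In the lab the listener is a netcat process (nc -l plus the port; flag syntax differs between netcat implementations) on the Linux box, and the sample is steered to it by DNS or hosts-file entries for the names it resolves, which is the "Create DNS tables" step of the flowchart. Reading one line at a time matters: many samples send nothing until they get a banner, and a listener that stays silent looks, to the sample, like a dead server.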
SLIDE 21

The Assignment

  • Beagle.J (and its cousin Beagle.K)
  • Static analysis (BinText, IDA)
  • Dynamic analysis
    • Host side (registry, processes, files)
    • Networking (ports, connections, traffic)
  • Propagation, backdoors