reversing java malware with radare
play

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About - PowerPoint PPT Presentation

Feb 06, 2023 •206 likes •868 views

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

  1. Reversing Java (Malware) with Radare Adam Pridgen April 2014

  2. About me • Rice SecLab, a PhD Student • Independent InfoSec Consultant/Contractor

  3. Overview • Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win? • Java Malware: Fail!

  4. Overview Has this happened to you?

  5. Overview • IDA Pro 6.4 does not include meta-data

  6. Overview ● Malicious code analysis is hard ● Relevant information is key ● Tools assume code is complete or correct

  7. Overview ● Reversing JVM Bytecode viewed as a “simple” problem ○ Until you need to actually do it ○ Or you need to extract some type of information ● Too Long Didn’t Listen (tldl;) ○ Radare now supports basic class file manipulations ○ Hooking by rewriting class and method names ○ Manipulation of Access Flags ○ Inserting values in constant pool ○ More detailed inspection of files

  8. Extendible Multi-Language Multiple Command Components w/ Ctypes Architectures Based Open Source IL in progress Cross 2048 Platform Supports IO GDB Interface Hex Editor Web UI Layers

  9. Agenda • Discuss Java Class File and Format • Discuss Java Malware and Obfuscation • Introduce Java Reversing with Radare • Discuss Some Techniques • Conclude with Future Work

  10. Java Overview

  11. JVM Bytecode • ~203 Operations • Fairly easy to disassemble o Except for the built in “switch-tables” • JVM is Stack Based • Local Variables are stored in a local variable position

  12. JVM Bytecode • Caller copy the entire thread stack to caller • JVM resolves Class Name, Method Name, and argument types • Types are not important until they are important

  13. Java Malware Obfuscation • Static Obfuscation Techniques • Dynamic Techniques

  14. Java Malware via Static Obfuscation • Flatten Classes and Package Hierarchy • Homogenous type signatures • Make class names uninterpretable • Exploit compiler features • Dead code • Local variable Type overloading • Hiding strings or files in strange places

  15. Java Malware via Dynamic Obfuscation • Reflection or Custom Class loaders • Starting a new process • Scripting Engine • String Manipulation • Encryptions

  16. Java Malware Reversing • Not easily decompilable (if at all) • No standard tools for inspections • Modification is tedious to do by hand

  17. What Radare can do with Java? • Basic hooking of class methods • Change constant pool Values • Modify method and field access flags • Disassemble code • Load classes from strings • Open the JAR and view all the files • Yank a file to disk or insert it in the JAR

  18. Class File Organization

  19. Class File Organization

  20. Class File Organization ● Magic Bytes ● Version Information

  21. Class File Organization ● Constant Values ○ Long, Integers ○ Float, Doubles ○ Strings ● Class Definitions ● Field Definitions ● Method Definitions

  22. Class File Organization ● Omitted, but worth Mentioning ● Class Definition ● Super Class Info

  23. Class File Organization ● Interface Information

  24. Class File Organization ● Access Flags ● Name and Description ● Attributes ○ Runtime Annotations ○ Constant Value

  25. Class File Organization ● Access Flags ● Name and Description ● Attributes ○ Runtime Annotations ○ Code & Exceptions ○ Stack Map Table ○ Local Variable Tables ○ Inner Classes ○ ...

  26. Class File Organization ● Class File Attributes ○ Runtime Annotations ○ Source File ○ User defined ○ ...

  27. Hooking Java Methods • Easiest all references to a class o Write an implementation that wraps the target class o Rewrite all of the strings o Modify access flags o Put the class in the class path o Run the JAR File

  28. Hooking the Easy Way Swap StringBuilder with sb class

  29. Hooking the Easy Way Swap StringBuilder with sb class

  30. Hooking the Easy Way Swap StringBuilder with sb class

  31. Hooking the Easy Way ClassNotFound exception: 1

  32. Hooking the Easy Way ClassNotFound exception: 2.

  33. Hooking the Easy Way Copy classes to path and it works.

  34. Hooking the Easy Way Wrapper classes

  35. Hooking Java Methods +1 Complexity • Insert CP Objects o Append the CP Objects to define the new class o Class Info, Method Info, and Descriptor Info o Update the CP Object Counts o Modify code section and update the reference o Put the class in the class path o Run the JAR File

  36. Primer Constant Pool Definition class FooClass { String getItMethod (); }

  37. Primer Constant Pool Definition Assume tag idx = 2

  38. Constant Pool Definition Resolving the Class Name: FooClass

  39. Constant Pool Definition Resolving the Method Name: getItMethod

  40. Constant Pool Definition Resolving the Method Type: ()Ljava/lang/String;

  41. Constant Pool Definition class FooClass { String getItMethod (); }

  42. Hooking Java Methods ++1 Complexity • Direct code insertion o Extend the code section attribute o Update attribute size o Modify code section and insert the code o Update the exception handling table

  43. Changing Access Flags Target Java Function: exploitAnnotations

  44. Changing Access Flags Insight is good, note the flag values.

  45. Changing Access Flags Apply some Radare Magic Sauce

  46. Changing Access Flags Here is what JD-Gui shows.

  47. Changing Access Flags

  48. Extracting jCrypt Classloader Key List Files: zip://zip_file.whatevs Access Files with: ::[index] or //path/

  49. Extracting jCrypt Classloader Key List Files: zip://zip_file.whatevs Access Files with: ::[index] or //path/

  50. Extracting jCrypt Classloader Key Loading /c.dat from the archive, whats that?

  51. Extracting jCrypt Classloader Key Loading /c.dat from the archive, whats that?

  52. Extracting jCrypt Classloader Key

  53. Extracting the Encrypted JAR File

  54. Using Prototypes

  55. Using Prototypes

  56. Using Prototypes

  57. Using Prototypes a type is an Enum, created from the string this.a.z

  58. Using CFR Decompiler CFR Decompiler to extract Java code Problems with the Exception table? [=] Lets dump it

  59. CFR Decompiler Augmentation Use prototypes: ‘java prototypes a’ Use exc: ‘java exc 0x937’

  60. Future Work • Enable some more static conveniences • Tie into a JVM for run-time information • Enable code instrumentation via Code Attribute • Look at reversing native code with JVM code • Move on to other managed code implementations

  61. Conclusion • Discussed some basic constructs in Java classfile • Introduced improvements to Radare • Talked about how an analyst could use them

  62. Questions and Contact Info Thanks For Your Time. email: adam.pridgen@thecoverofnight.com twitter: @apridgen github/bitbucket: deeso

  63. Java Reversing Tools

  65. Radare Architecture

  66. Recent Additions to Radare • Testing Framework • Gameboy Reversing and Emulation • Java Support • Loading/reloading binaries from buffer • Extending (inserting bytes in the middle) • Opening multiple files • Zip URI support

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reversing on the Edge Jason Jones Jasiel Spelman Arbor ASERT HPSR ZDI 1 Jason Jones Sr Sec

Reversing on the Edge Jason Jones Jasiel Spelman Arbor ASERT HPSR ZDI 1 Jason Jones Sr Sec

Reversing on the Edge Jason Jones Jasiel Spelman Arbor ASERT HPSR ZDI 1 Jason Jones Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug hunting

759 views • 32 slides
FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant with focus on incident handling, forensics and malware analysis Not a dedicated reverser RE is just part of my job => I avoid RE as much as

670 views • 15 slides
Git Your YARA For Nothing and Your Malware for Free Automating Scanning with thousands of YARA

Git Your YARA For Nothing and Your Malware for Free Automating Scanning with thousands of YARA

<location, date> < Location , date> Reversing Labs // June 2020 Git Your YARA For Nothing and Your Malware for Free Automating Scanning with thousands of YARA rules Cooper Quintin - Senior Security Researcher - EFF Threat Lab

1.01k views • 22 slides
radare Easing binary analysis for fun and profit Overview IO with plugins Basic file

radare Easing binary analysis for fun and profit Overview IO with plugins Basic file

radare Easing binary analysis for fun and profit Overview IO with plugins Basic file input/output access wrapped with plugins: Posix IO W32 IO Remote TCP IO EWF (Encase disk images) Debugger Haret ... Hexadecimal

695 views • 12 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Introduction to IR Systems: Supporting Boolean Text Search Chapter 27, Part A Database

Introduction to IR Systems: Supporting Boolean Text Search Chapter 27, Part A Database

Introduction to IR Systems: Supporting Boolean Text Search Chapter 27, Part A Database Management Systems, R. Ramakrishnan 1 Information Retrieval A research field traditionally separate from Databases Goes back to IBM, Rand and

386 views • 6 slides
SPU gameplay Joe Valenzuela joe@insomniacgames.com GDC 2009 glossary mobys class

SPU gameplay Joe Valenzuela joe@insomniacgames.com GDC 2009 glossary mobys class

SPU gameplay Joe Valenzuela joe@insomniacgames.com GDC 2009 glossary mobys class instances update classes AsyncMobyUpdate Guppys Async aggregateupdate spu gameplay difficulties multiprocessor NUMA

1.19k views • 79 slides
AND, OR and NOT Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College

AND, OR and NOT Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College

Introduction Truth Tables Switch Diagrams Actual Circuits Arbitrary Connectives Algebraic Rules AND, OR and NOT Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science AND, OR and NOT

2.49k views • 200 slides
1 Common Features in NPs NP Architectural Challenges Application-specific architecture

1 Common Features in NPs NP Architectural Challenges Application-specific architecture

Outline Introduction Application Partitioning Generic Networking Equipment Introduction to Network Processors Network Processor Focus Network Processor Challenges Fitting the Architecture to the Problem Space

385 views • 13 slides
Enterprise Storage Architecture Fall 2019 Storage devices Tyler Bletsch Duke University Slides

Enterprise Storage Architecture Fall 2019 Storage devices Tyler Bletsch Duke University Slides

ECE566 Enterprise Storage Architecture Fall 2019 Storage devices Tyler Bletsch Duke University Slides include material from Vince Freeh (NCSU) Basic storage device history From

665 views • 41 slides
4x High Performance for Drupal Presented by Fabian Franz Step by Step Your BOSS is calling! It

4x High Performance for Drupal Presented by Fabian Franz Step by Step Your BOSS is calling! It

4x High Performance for Drupal Presented by Fabian Franz Step by Step Your BOSS is calling! It happens to the best of us Especially during DrupalCon or during elections. The site goes down, the site is slow, grab a tut,

1.88k views • 152 slides
Refining the Contrastivist Hypothesis Daniel Currie Hall Saint Marys University &

Refining the Contrastivist Hypothesis Daniel Currie Hall Saint Marys University &

Refining the Contrastivist Hypothesis Daniel Currie Hall Saint Marys University & University of Toronto CRC-Sponsored Summer Phonetics/Phonology Workshop, University of Toronto, 16 June 2011 D. C. Hall (SMU & U of T) Refining the

1.05k views • 65 slides
with www.MichelleBrubaker.com Michelle Brubaker Cash ash i in on n on Craz azy C Coo

with www.MichelleBrubaker.com Michelle Brubaker Cash ash i in on n on Craz azy C Coo

How to Create and Publish Unique Cookbooks that Sell! with www.MichelleBrubaker.com Michelle Brubaker Cash ash i in on n on Craz azy C Coo ookbooks www.MichelleBrubaker.com About out M Michel chelle 11x Amazon Best-Seller

927 views • 60 slides

More recommend