Intro to Binary Analysis

Reversing techniques for Portable Executables

This talk is meant for an audience familiar with the Linux command line and Windows internals

Benjamin Scott

July 25, 2013
Transcript

  1. Why Learn This?
     • Learn how computers work at a low level
     • Understand closed-source code
     • Forensically examine malicious software
  2. Basic Terms
     • Executable = file with instructions
       ◦ Specified in an operating-system-specific format
         ▪ e.g. ELF for Linux, PE for Windows
     • Assembly = binary instructions
       ◦ Generated for a particular CPU architecture
       ◦ Common mnemonics
         ▪ MV, ADD, MUL, STO, LD
     • Storage locations
       ◦ Random access memory = large but slow
         ▪ Addressed using pointers
       ◦ CPU registers = small but fast
         ▪ 32-bit processors use 8 general-purpose registers
  3. Windows Portable Executable (PE)
     • .exe - Executable file
     • .dll - Dynamic Link Library
     • .sys - System driver
     • .ocx - ActiveX control
     • .scr - Screensaver
     • All begin with the PE header
       ◦ Denotes target architecture and compiler
       ◦ Instructions and data needed to run the program
  4. Executable Sections
     • Logical groupings for different types of data
       ◦ Viewable with tools like PEiD
     • .text = Code that will load into memory
     • .data = Data that is writable (global variables)
     • .rdata = Data that is read-only (static strings)
     • .bss = Data that is statically allocated (zeroed out initially)
  5. Types of Instructions
     English: "Take 5, add it to 8, and save the result"
     Pseudocode:
       total = add(5, 8)
     C-style:
       int total = 5 + 8;
     Assembly:
       MOV EAX, 0x5
       ADD EAX, 0x8                  ; result is left in the EAX register
       MOV DWORD PTR [total], EAX    ; store the 32-bit value of EAX in memory
  6. Basics of the Stack
     • Data structure that stores data and pointers
     • Values are handled on a "Last-In, First-Out" basis
       ◦ Pushed onto the stack
       ◦ Popped off the stack
     • Think of a Pez dispenser (figure: stack diagram, with the top of the stack labelled)
  7. About Compilation
     • Compiler transforms source code into machine code
       ◦ Result is built for the target processor architecture
       ◦ Output can be optimized for various performance needs
     (figure, simplified representation: Source Code -> Compiler -> Machine Code -> Linker -> Executable)
  8. Common Assembly Constructs
     Calling a function:
       // C-style:
       function1(first, 5);
       ; Assembly (cdecl: arguments pushed right to left, caller removes them afterwards):
       PUSH 5
       PUSH [first]
       CALL _function1
       ADD ESP, 8
     IF statement:
       // C-style:
       if (variable == 9) { /* inside_block */ }
       ; Assembly:
       MOV EDX, DWORD PTR [variable]
       CMP EDX, 9
       JE <inside_block>
  9. Common Assembly Constructs
     While loop:
       // C-style:
       while (boolean != false) { /* inside_loop */ }
       ; Assembly:
       CMP DWORD PTR [boolean], 0
       JNE <inside_loop>
     Switch statement:
       // C-style:
       switch (option) {
         case 7:  count++; break;
         case 13: count--; break;
       }
       ; Assembly:
       MOV EAX, DWORD PTR [option]
       CMP EAX, 7
       JE <increment_count>
       CMP EAX, 13
       JE <decrement_count>
  10. Compilation Example
     $ echo "int main() { int c = 37; return c; }" > prog.c
     $ gcc prog.c -o myprogram
     $ file myprogram
     ELF 64-bit LSB executable, x86-64, dynamically linked, for GNU/Linux 2.6.24, not stripped
     • Break it down
       ◦ ELF = Executable and Linkable Format, the executable format used on Linux
       ◦ x86-64 = built for a 64-bit CPU of the Intel x86 family
       ◦ dynamically linked = libraries are included at runtime
       ◦ for GNU/Linux 2.6.24 = using the C library for this kernel
       ◦ not stripped = debug symbols are present
  11. Embedded Data
     • Executables contain metadata about the author and compilation suite
     • Static strings
       ◦ .data section
     • Compile time
       ◦ TimeDateStamp
     • File paths
       ◦ Project path
     In Stuxnet:
       Debug path: \myrtus\src\objfre_w2k_x86\i386\guava.pdb
       String: www.mypremierfutbol.com
       Compile time: Wed Apr 14 10:56:22 2010
     Source: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
  12. Tool: PEiD
     • Displays information about the binary
       ◦ Entrypoint, sections, section sizes, compiler, packer
     • Custom signatures
       ◦ https://code.google.com/p/reverse-engineering-scripts/downloads/deta
     Results from Aurora malware (HydraQ):
       Sections: .text, .rdata, .data
       Compiler: Visual C++ 6.0
     Sample source: contagiodump.blogspot.com
  13. Tool: Strings
     • Locate ASCII and Unicode data in a binary
       ◦ Included on *nix systems by default
       ◦ Sysinternals program on Windows
         ▪ http://technet.microsoft.com/en-us/sysinternals/bb897439
     Results from Aurora malware (HydraQ):
       Imports: SetKeyboardFilter (keylog)
       Project path: 'AuroraVNC\..\VedioDriver.pdb'
     Sample source: contagiodump.blogspot.com
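As an added example (not code from the talk), a small Python reimplementation of what this slide describes: scanning a binary for both ASCII runs and UTF-16LE runs, the latter being what the Sysinternals tool reports as "Unicode" and what a plain ASCII scan misses. The sample blob, the import names and the PDB path in it are constructed for the demonstration.

```python
import re

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, encoding, text) for printable runs of at least min_len characters.

    ASCII runs are matched directly. UTF-16LE runs are printable ASCII characters
    each followed by a NUL byte; an ASCII-only scan never sees them as a run
    because every other byte is zero.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)

# Constructed sample blob (not a real binary): a few header bytes, two ASCII
# import names, a UTF-16LE PDB path behind its byte-order mark, and noise that
# is too short to report.
SAMPLE = (b"MZ\x90\x00\x03\x00"
          + b"GetProcAddress\x00kernel32.dll\x00"
          + b"\xff\xfe" + "C:\\proj\\src\\sample.pdb".encode("utf-16-le") + b"\x00\x00"
          + b"ab\x00\x13\x37")

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"0x{off:04x} {enc:<8} {text}")
```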
  14. Tool: CFF Explorer
     • Edit and view executable file internals
       ◦ Modify the PE header
       ◦ Disassemble instructions
       ◦ www.ntcore.com/exsuite.php
     Results from Aurora malware (HydraQ):
       TimeDateStamp: Thu, 16 Nov 2006 02:11:33 GMT
       Machine type: 386 (Intel x86 architecture)
     Sample source: contagiodump.blogspot.com
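To show what CFF Explorer and PEiD are reading on slides 3, 4, 11 and this one, here is an added Python example (not code from the talk or from either tool) that walks the PE header by hand: DOS header, PE signature, COFF file header (Machine and TimeDateStamp) and the section table, then flags sections an analyst would look at twice. The input is a constructed minimal PE image, with the TimeDateStamp chosen to match the date on the slide; it is not a real sample.

```python
import struct
from datetime import datetime, timezone

# Machine values from the COFF file header; the "386" CFF Explorer shows is 0x014C.
MACHINE_NAMES = {0x014C: "386 (Intel x86 architecture)", 0x8664: "x86-64", 0x01C0: "ARM"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size                         # section table follows the optional header
    sections = []
    for i in range(nsec):                                      # each section header is 40 bytes
        name, vsize, va, raw_size, raw_ptr, *_, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    when = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "timestamp": when, "sections": sections}

def section_warnings(data: bytes, info: dict) -> list:
    """Writable+executable sections and raw data past end of file are common packer/tamper signs."""
    out = []
    for s in info["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            out.append(f"{s['name']}: writable and executable")
        if s["raw_ptr"] + s["raw_size"] > len(data):
            out.append(f"{s['name']}: raw data extends past end of file")
    return out

def build_sample_pe() -> bytes:
    """Constructed minimal PE: headers and two section entries only, no section bodies."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    # Machine i386, 2 sections, TimeDateStamp, no symbols, no optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 1163643093, 0, 0, 0, 0x0102)
    def sec(name, vsize, va, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
    return (dos + b"PE\0\0" + coff
            + sec(b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020)   # CODE | EXECUTE | READ
            + sec(b".data", 0x100, 0x2000, 0x200, 0x600, 0xE0000040))   # DATA | EXECUTE | READ | WRITE

if __name__ == "__main__":
    blob = build_sample_pe()
    info = parse_pe(blob)
    print(info["machine"], info["timestamp"], [s["name"] for s in info["sections"]])
    print(section_warnings(blob, info))
```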
  15. Other Talks
     • Intro to Malware Analysis: tinyurl.com/coolmalwarebro
     • Reversing Tetris: tinyurl.com/eviltetris
     • Life of Binaries: http://opensecuritytraining.info/LifeOfBinaries.html
  16. Referenced Tools
     Executable examination:
       • CFF Explorer: http://www.ntcore.com/exsuite.php
       • PEiD: http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml
     Disassemblers:
       • IDA Pro Free Edition (5.0) [GUI]: http://www.hex-rays.com/products/ida/support/download_freeware.shtml
     Process debugging:
       • OllyDbg: http://www.ollydbg.de/odbg110.zip
       • Immunity Debugger: http://www.immunitysec.com/products-immdbg.shtml
     Executable modification:
       • Hex Editor Neo: http://www.hhdsoftware.com/free-hex-editor
       • 010 Editor
  17. References
     • Introduction to malware analysis from Lenny Zeltser
       ◦ http://zeltser.com/reverse-malware/malware-analysis-webcast.html
       ◦ http://zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html
     • Highly technical open-source classes
       ◦ http://www.opensecuritytraining.info/Training.html
     • Crimeware and targeted malware samples
       ◦ http://contagiodump.blogspot.com/2010/11/links-and-resources-for-malware-samples.html
     • Challenges
       ◦ http://www.phreedom.org/blog/2010/csaw-reversing-challenge/
       ◦ http://old.honeynet.org/scans/scan22/
       ◦ http://www.woodmann.com/fravia/what_new.htm
       ◦ https://csawctf.poly.edu/writeups/