Upload
others
View
54
Download
0
Embed Size (px)
Citation preview
Temporal Reverse EngineeringTemporal Reverse Engineering
Danny QuistColin AmesColin Ames
Bl kh t USA 20081
Blackhat USA 2008
Danny QuistDanny Quist
• Co-founder Offensive Computing LLCCo-founder Offensive Computing, LLC
• Ph D Candidate at New Mexico Tech• Ph.D. Candidate at New Mexico Tech
R E i i I• Reverse Engineering InstructorInfosec Institute
2
Colin AmesColin Ames
• Security Researcher Offensive ComputingSecurity Researcher, Offensive Computing• Steganography Research
i i• Penetration Testing• Reverse Engineering• Malware Analysis• amesc@offensivecomputing [email protected]
3
Overview of TalkOverview of Talk
• Current TechniquesCurrent Techniques– Where they work
Where they fail– Where they fail• What is Temporal Reverse Engineering?• Process pausing techniques• Visualization Methods• Applications and Demos
4
Reverse EngineeringReverse Engineering
• RE is hardRE is hard• Goal: Figure out how program works in
minimal amount of timeminimal amount of time• Expensive (We don’t work cheap)• Time consuming
5
Dominant StrategiesDominant Strategies
• Static AnalysisStatic Analysis
IDA Pro dumpbin– IDA Pro, dumpbin– Figure out program flow
Search for strings– Search for strings– API Call graphing
6
Dominant StrategiesDominant Strategies
• Dynamic AnalysisDynamic Analysis
W t h f h th t– Watch for changes on the system• Registry, files, network
M it S t ll– Monitor System calls– Tools more accessible to unskilled people
S i l Wi l i– Sysinternals, Winanalysis, etc.
7
ProsPros
Static Analysis Dynamic AnalysisStatic Analysis• Details• Precision, full code reversal
Dynamic Analysis• Fast• Lower barrier to entryPrecision, full code reversal
possible• Good tools available
Lower barrier to entry• High level overview• Good tools
• Lots of source level static analysis programs
• Antivirus
– Sysinternals– Winanalysis– CWSandbox• Antivirus
– It’s profitable
CWSandbox
8
ConsCons
Static Analysis Dynamic AnalysisStatic Analysis• Too much detail• Full code reversing not
Dynamic Analysis• Misses details
Full code reversing not necessary
• Tools cumbersome, take hil l
• Encourages “next->next->next” analysis
awhile to learn• Source level analysis full of
false positives• Tools easily subverted
false positives• Antivirus
– Doesn’t scale
9
Bridging the GapBridging the Gap
• Fundamental problem:Fundamental problem:– Know when to analyze, not what
Data changes need to track and respond to– Data changes, need to track and respond to those changes
• Techniques• Techniques– Debuggers
P f l i d d b i (S ff )– Pagefault assisted debugging (Saffron)– Dynamic Translation
10
– Sandboxing
Monitoring Program ExecutionMonitoring Program Execution
• Intel PINIntel PIN– Dynamic instrumentation library
Extensible– Extensible– Awesome API
S ff• Saffron– Covert monitoring– Limited back tracking
11
VisualizationVisualization
• Monitor program execution withMonitor program execution with visualization techniques
• Valuable insight into process monitoring• Valuable insight into process monitoring• Integration with IDA and Olly
12
What about program flow tracing?What about program flow tracing?
• Visualization should be able to answer aVisualization should be able to answer a question quickly
• How can we apply this to reverse• How can we apply this to reverse engineering?Fi d i kl i f i• Find a way to quickly represent information
13
Find the Unpacking LoopsFind the Unpacking Loops
• Simple hello world programSimple hello world program
int main(int argc, char **argv)( g g ){
printf(“Hello, world\n”);return 0;;
}
P k d• Packers used– ASPack, FSG, PECompact, UPX
14
Adding PackersAdding Packers
• Should be able to find the following:Should be able to find the following:
Packing loop– Packing loop– Main program
• Minimize extraneous information• Reducing analyst time is the key
17
Temporal Control of ExecutionTemporal Control of Execution
• Previous methodsPrevious methods– Virtual machines
Debuggers– Debuggers– Simple restart
P bl• Problems– Time intensive– Algorithmic analysis does not need full system
restore
26
SnapshottingSnapshotting
• Determine when to snapshotDetermine when to snapshot
Instruction– Instruction
– Basic blockBasic block
– Page accessPage access
27
SnapshottingSnapshotting
• Preservation of statePreservation of state
Register contents– Register contents– Stack contents
CPU State– CPU State– Memory
28
Existing Snapshot ToolsExisting Snapshot Tools
• OS SuspendOS Suspend
• Cryopid• Cryopid
M P i• Memory Paging
• OS Scheduler
29
Isolating Important DataIsolating Important Data
• Memory mapsMemory maps
• Memory hotspots• Memory hotspots
C l i i li i• Colometric memory visualization
• Data motion with silhouette hulls
30
Rebuilding PE files for IDARebuilding PE files for IDAHow IDA creates its import section .idata and
populates subviews Imports Namespopulates subviews Imports, Names
IMAGE DIRECTORY ENTRY IMPORT– IMAGE_DIRECTORY_ENTRY_IMPORT• RVA (Relative Virtual Address) to Import Directory
– IMAGE IMPORT DESCRIPTOR’sIMAGE_IMPORT_DESCRIPTOR s• OriginalFirstThunk
– RVA to INT (Import Names Table)Fi Th k• FirstThunk
– RVA to IAT (Import Address Table)
– Scan’s Code for call’s in INT31
Scan s Code for call s in INT• Prepends internal functions to .idata section
Rebuilding PE files for IDARebuilding PE files for IDA
Recovering INT from packed or encrypted PERecovering INT from packed or encrypted PE
– Unpack using SaffronUnpack using Saffron• Discover OEP
– Enumerate Loaded Modules• CreateToolhelp32Snapshot, Module32First
– Scan Process heaps for Module Address • Translate Virtual Address into RVA
– Rebuild INT and IATD P
32
• Dump Process memory
ConclusionConclusion
• Quick way to check memory changesQuick way to check memory changes
• Shortens analyst time• Shortens analyst time
I i h i i• Integrate with existing apps
• Visualization adds clarity
35
ReferencesReferences• Visualization Grand Challenges: Illuminating the Path
http://nvac.pnl.gov/docs/RD Agenda NVAC chapter1.pdfp p g _ g _ _ p p• Dynamic Data Visualization of Meteorological Data
ASA-JSM Data Exposition, 2006• Visual Signatures in Video Visualization
IEEE Transactions on Visualization and Computer Graphics, Vol.12, No. 5, September/October 2006• Static Visualization of Dynamic Data Flow Visual Program Executiony g
Proceedings of the Sixth International Conference on Information Visualization, IV 2002• Hoglound, G., McGraw, G., Exploiting Software: How to Break Code, Chapter 3, Addison Wesley,
2004• Amini, P., Process Stalker, OpenRCE, http://pedram.redhive.com/code/process_stalker/• Amini, P., PaiMei, OpenRCE http://www.openrce.org/downloads/details/208/PaiMei, , , p p p g• Eagle, C., x86emu, http://ida-x86emu.sourceforge.net/• P. Ferrie, Attacks on Virtual Machines, Symantec Advanced Threat Research, 2007• C. Luck, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V.J. Reddi, K. Hazelwood,
Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation, Proceedings of the 2005 Conference on Programming and Language Design and Implementation, 2005f g g g g g p ,
• Oreas GDE, http://www.oreas.com/index_en.php
Latest slides and code can be found on ff i ti t
36
offensivecomputing.net