Pokas x86 Emulator for Generic Unpacking By Amr Thabet

2  The Problem
- Many packed worms: no time to reverse and step through the packers' code
- Many polymorphic viruses change their decryptor code and algorithm
- Need to write a detection algorithm for such viruses

3  The Solution Concept
- We need an automatic unpacker
- Static unpacker: very sensitive to any change in the packer; no time to keep up to date with every release of every packer
- Dynamic unpacker: not sensitive to minor changes; it can unpack new packers
- We need a program that runs the packed application until it is unpacked and stops at the real OEP
- So we need a debugger

4  Why not a Debugger?
- Easily detected
- Dangerous
- Can't monitor memory writes
- Allows breakpoints only at a specific place in memory

5  Previous Solutions
- OllyBone: dangerous if the sample is not a packer, and could be fooled; not scriptable and only semi-automatic; easily detected
- IDA x86emu: doesn't monitor memory writes and has no conditional breakpoints
- Pandora's Bochs: hard to install, hard to customize, very slow: 200 secs for notepad.exe packed with PECompact 2 on a 3.14 GHz PC with 2.00 GB RAM

6  Pokas x86 Emulator
- It's a dynamic link library
- Easily customized
- Monitors all memory writes, logs up to 10 previous EIPs and saves the last accessed and the last modified place in memory
- Supports a very powerful debugger with a parser that parses the condition you give and creates very fast native code that performs the check on that condition
- Supports dumping the PE file with correct file alignment
- Supports adding new APIs
- Has an assembler and a disassembler from and to mnemonics for debugging
- Supports SEH, and supports TIB, TEB, PEB and PEB_LDR_DATA
- Supports 6 APIs: GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect
- It's FREE and open source

7  Reliability
It successfully unpacks:
1. UPX
2. FSG
3. MEW
4. PECompact
5. Aspack
6. Morphine
It surely still contains bugs

8  Getting The Emulator
Download it from files:
- X86emu.dll: the emulator itself (~580 KB)
- X86emu.h: the header file (should be included in any project that uses the emulator)
- Pe.h, tib.h: included by x86emu.h and should be beside it

9  Pokas x86 Emulator Design

10  Usage Steps
1. Initialize your emulated OS and CPU
2. Manage the DLLs and APIs
3. Emulate the undefined APIs
4. Add the stop condition
5. Emulate your process
6. Handle the unhandled exceptions
7. Wait for your breakpoints to be triggered
8. Dump your process to a file

11  Debugger Conditions
- Similar to C conditions
- Not case-sensitive
- Doesn't decrease the performance
- Up to 10 supported functions inside the debugger
- Allows adding new functions with different types of variables, including strings
- You can add up to 100 breakpoints

12  Debugger Examples
- Int3 breakpoint or hardware breakpoint on execution:
      Eip==0x00401000
- Memory breakpoint on access or on write:
      __lastaccessed()==0x00401000
      __lastmodified()==0x00401000
- Execution of modified data:
      __isdirty(eip)
- In the .text section only:
      __isdirty(eip) && eip>=0x401000 && eip<=0x405000
- Anti-unpacker trick (the packer writes a ret at the real OEP and calls it):
      __isdirty(eip) && ((__read(eip) & 0xff) != 0xC3)
- API hooking:
      __isapi()
      __isapiequal(Getprocaddress)   // not case sensitive in the API name

13  Example: UPX
How easy this emulator is:

    #include <cstdlib>
    #include <cstring>
    #include "x86emu.h"

    int main() {
        // Environment for the emulated OS: where the real system DLLs are found
        EnviromentVariables* vars = (EnviromentVariables*)malloc(sizeof(EnviromentVariables));
        memset(vars, 0, sizeof(EnviromentVariables));
        vars->dllspath = "C:\\Windows\\System32\\";
        System* sys = new System(vars);
        // Load the packed file as a process inside the emulated system
        Process* c = new Process(sys, "upx.exe");
        // Break the first time eip lands on memory the program itself has written
        c->debugger->AddBp("__isdirty(eip)");
        int x = c->emulate();
        if (x == EXP_BREAKPOINT) {
            // eip is now at the real OEP: dump the unpacked image to disk
            PEDump(c->GetThread(0)->Eip, c, "test.exe");
        }
        return 0;
    }

Only 10 lines and very simple

14  Multi-Layer Unpacker
- If we know the number of layers, we can clear the dirty flag and continue
- If not, we can add this breakpoint:
      __isdirty(eip) && Eip<=0x406000   // the .text size
- Notepad.exe: takes less than 30 secs on a PC with an Intel Core 2 Duo 2.10 GHz and 2.00 GB RAM
- Example: PECompact 1.33
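As an added illustration of the dirty-flag conditions on slides 12 and 14 (example code written here, not part of the Pokas emulator), a toy model in C: every memory write sets a per-byte dirty flag and updates the last-accessed and last-modified addresses, and a constructed unpacker trace shows why the plain `__isdirty(eip)` breakpoint stops on the decoy `ret` while the `!= 0xC3` variant stops on the real OEP. All addresses, bytes and the trace itself are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed layout: one .text section at 0x401000..0x406000, as on the slides. */
#define TEXT_BASE 0x401000u
#define TEXT_SIZE 0x5000u
typedef struct {
    uint8_t  mem[TEXT_SIZE];
    uint8_t  dirty[TEXT_SIZE];   /* one flag per byte, set on every write */
    uint32_t last_accessed, last_modified, eip;
} Emu;
static bool in_text(uint32_t a) { return a >= TEXT_BASE && a < TEXT_BASE + TEXT_SIZE; }
static uint8_t emu_read(Emu *e, uint32_t a) {          /* __read(), updates __lastaccessed() */
    if (!in_text(a)) return 0;
    e->last_accessed = a;
    return e->mem[a - TEXT_BASE];
}
static void emu_write(Emu *e, uint32_t a, uint8_t v) { /* updates __lastmodified() and dirty */
    if (!in_text(a)) return;
    e->last_accessed = e->last_modified = a;
    e->mem[a - TEXT_BASE] = v;
    e->dirty[a - TEXT_BASE] = 1;
}
static bool is_dirty(const Emu *e, uint32_t a) { return in_text(a) && e->dirty[a - TEXT_BASE]; }

/* The two slide conditions as C predicates instead of parsed condition strings. */
static bool bp_dirty(Emu *e) { return is_dirty(e, e->eip); }
static bool bp_dirty_not_ret(Emu *e) { return is_dirty(e, e->eip) && (emu_read(e, e->eip) & 0xff) != 0xC3; }

/* One trace step: the instruction at eip, optionally writing one byte of memory. */
typedef struct { uint32_t eip; bool writes; uint32_t addr; uint8_t val; } Step;
/* Constructed trace of a stub at the end of .text: it writes a decoy 'ret' (0xC3) to
 * 0x401000 and real code to 0x401001.., calls the decoy, then jumps to the real OEP. */
static const Step trace[] = {
    {0x405000, true, 0x401000, 0xC3}, {0x405005, true, 0x401001, 0x55},
    {0x40500A, true, 0x401002, 0x8B}, {0x40500F, true, 0x401003, 0xEC},
    {0x401000, false, 0, 0},   /* call into the decoy ret: __isdirty(eip) fires here */
    {0x405014, false, 0, 0},   /* back in the stub */
    {0x401001, false, 0, 0},   /* jmp to the real OEP: the 0xC3 filter fires here */
};

/* Evaluate the breakpoint before each instruction; return the eip where it first fires, or 0. */
static uint32_t find_oep(bool (*bp)(Emu *)) {
    Emu e = {0};
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        e.eip = trace[i].eip;
        if (bp(&e)) return e.eip;
        if (trace[i].writes) emu_write(&e, trace[i].addr, trace[i].val);
    }
    return 0;
}
```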

15  TODO
- Support reconstructing the import table
- Fix the bugs
- Create a Linux version
- Add cmovcc, setcc, bts instructions
- Support multithreading
- Support ELF file formats
- Add new debugger functions
- Allow saving the state

16  The End
By Amr Hassan Thabet
Any Questions?

