Changing How You Reverse Engineer Angel M. Villegas

Outline Background FIRST System Overview Server Framework Client Components IDA Pro Integration Demo

The Problem Current reverse engineering process Get a sample, analyze sample Get next sample, analyze sample Rinse and repeat… Analysis work can be duplicated For the analyst and others

What is FIRST FIRST: Function Identification and Recovery Signature Tool Streamlines code research prevents duplicate effort improves analysis time Flexible Modular framework made for expanding

System Overview ABI API IDA Plugin DB Manager REST API Framework Server Plugin IDA Integrations Authentication REST API Engine Manager Web Site Engine Manager

Engine Manager Installed Engines Initialization DB Manager Operational Engines DB Manager Initialization Scan ∀𝑥∈𝑂 Add ⋱ Send Data to Each Engine Add Scan REST API Data Engine Manager

Engine Example class ExampleEngine(AbstractEngine): _name = 'ExampleEngineName' _description = 'Example Engine Description' _required_db_names = [] def _add(self, function): pass def scan(self, opcodes, architecture, apis): pass def intall(self): pass def uninstall(self): pass

DB Manager API FIRST DB DB Manager API DB Object API DB Object

Engine Example class ExampleDB(AbstractDB): _name = 'ExampleDBName’ def __init__(self): pass # Additional functions the class provides #----------------------------------------------------- def func1(self):

Authentication Beta makes use of Google OAuth2

The Data OpenSSL 7zip aPLib ucl LibreSSL 2.3.1 Mimikatz aPackage UPX ClamWin Alina Spark Dexter Grum Pony Zeus HackingTeam RCS …

Client Components Application Programming Interface Application Binary Interface Integrations

Integration: IDA Pro: Plugin Custom GUI Built-in Windows IDA Pro Main Thread Server IDB

Integration: IDA Pro: Installing REQUIREMENTS pip install requests Python Requests Module https://pypi.python.org/pypi/requests OPTIONAL: Requests-kerberos (if kerberos authentication is required) GET THE PLUG-IN Download Python Plug-in from https://github.com/vrtadmin/FIRST-plugin-ida Copy plug-in to IDA Pro plug-ins folder Run IDA Pro

Integration: IDA Pro: Installing Windows: Mac: pip install first-plugin-ida C:\Python27\Scripts\first-plugin-ida pip install first-plugin-ida /usr/local/bin/first-plugin-ida

Integration: IDA Pro: Configuration OPTION 1 Enter configuration at the Welcome Screen (appears only when FIRST is not configured) OPTION 2 IDA Pro View Window Press ‘1’ IDA Pro’s menu Edit > Plugins > FIRST Select Configuration

Integration: IDA Pro: Operations Right Click Menu Check [All] Add [Multiple] Update View History Other Operations Currently Applied Manage Added Annotations

Integration: IDA Pro: Check Check for a single function or all at once Plug-in sends the server the opcodes, architecture, and APIs called by function

Integration: IDA Pro: Add Adding a function or many at once Plug-in sends the server the opcodes, architecture, APIs called by function and metadata (function’s name, prototype, and repeatable comment)

Integration: IDA Pro: View History Viewing Annotation History Right Click on function with metadata from FIRST to see its history Tracks metadata changes over time for each function for each user

Integration: IDA Pro: Managing Deleting created annotations Right click metadata and select delete, or select the metadata and hit the delete key.

Integration: IDA Pro: Currently Applied Viewing annotations applied Right click menu provides a way to view history or go to the function.

Integration: Hex Rays’ IDA Pro FIRST Demo Integration: Hex Rays’ IDA Pro

Questions Register to use FIRST Get the code Read the docs https://github.com/vrtadmin/FIRST Submit issues: https://github.com/vrtadmin/FIRST/issues/new Register to use FIRST http://first-plugin.us Read the docs http://first-server.readthedocs.io/ http://first-plugin-ida.readthedocs.io/ https://github.com/vrtadmin/FIRST-server https://github.com/vrtadmin/FIRST-plugin-ida

talosintel.com blogs.cisco.com/talos @talossecurity