Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacking Obfuscated Code with IDA Pro

Published byRosa Azenha Covalski Modified over 5 years ago

Similar presentations

Presentation on theme: "Attacking Obfuscated Code with IDA Pro"— Presentation transcript:

1 Attacking Obfuscated Code with IDA Pro
Chris Eagle

2 11/11/2018 Outline Introduction Operation Demos Summary

3 First Order Of Business
11/11/2018 First Order Of Business MOVE UP AND IN! There is plenty of room up front I can't increase the font size in IdaPro

4 Background IDA Pro Premier disassembly tool for reverse engineers
11/11/2018 Background IDA Pro Interactive Disassembler Professional Premier disassembly tool for reverse engineers Handles many families of assembly language Runs on Windows Linux console version newly available.

5 11/11/2018 What? ida-x86emu is a plugin for IDA Pro that allows for emulated execution of x86 instruction set Written in C++ Currently packaged as VC project Available here:

6 11/11/2018 Why? Hand tracing assembly language is difficult to do in large or complex programs Anti-reverse engineering techniques attempt to obfuscate code paths Allows automated unpacking/decrypting of "protected" binaries UPX, burneye, shiva, tElock, ASPack, …

7 Primary Motivation Getting at protected executables
11/11/2018 Primary Motivation Getting at protected executables Most viruses/worms are protected in some way Often UPX, tElock, ASPack Challenge for static reverse engineering is getting past the protection ida-x86emu allows you to "run" through the decryption routine within IDA Pro

8 11/11/2018 Outline Introduction Operation Demos Summary

9 IDA Pro Load the binary of interest
11/11/2018 IDA Pro Load the binary of interest IDA builds a database to characterize each byte of the binary Performs detailed analysis of code Recognizes function boundaries and library calls Recognizes data types for known library calls

10 Obfuscated Code Challenging for IDA
11/11/2018 Obfuscated Code Challenging for IDA Usually only get sensible output for entry point function Protected program appears as data rather than code because it is obfuscated/encrypted Jumps into middle of instructions confuse flow analysis

11 The Plugin Two pieces User interface x86 emulator
11/11/2018 The Plugin Two pieces User interface Windows-specific gui code Handles dialog boxes x86 emulator Platform independent (mostly!) Executes a single instruction at a time Reads from IDA database or user-supplied memory block

12 11/11/2018 Console

13 Using It Alt-F8 launches control console
11/11/2018 Using It Alt-F8 launches control console eip initialized to cursor location (1st time only) Step and go The plugin tells IDA to reorganize its code display based on ACTUAL code paths Defeats jump into the middle of an instruction type obfuscation

14 Features Run to Cursor Plugin supplies its own stack
11/11/2018 Features Run to Cursor No breakpoints yet Plugin supplies its own stack Stack push places arguments on the stack Useful if you want to setup a function call Plugin supplies its own heap Redirect library functions to plugin provided equivalents

15 Limitations Slow Can't follow calls into dynamically linked functions
11/11/2018 Limitations Slow Because of emulated execution and IDA interactions Can't follow calls into dynamically linked functions Can't follow system calls in statically linked functions

16 Emulator Memory Code and static data must be fetched from IDA database
11/11/2018 Emulator Memory Code and static data must be fetched from IDA database Other references must be directed to either stack or heap Every memory reference checked Could easily add Valgrind type memory analysis

17 Memory Layout Emulation options allow you to specify memory layout
11/11/2018 Memory Layout Emulation options allow you to specify memory layout

18 Emulated Stack Used by all stack operations in the program
11/11/2018 Emulated Stack Used by all stack operations in the program Stack contents displayed in main emulation window Auto scrolls to most recent reference Allows pushing data onto stack outside of program control Useful to setup and run individual functions

19 Emulated Stack Pushed right to left per C calling conventions
11/11/2018 Emulated Stack Pushed right to left per C calling conventions

20 Emulated Heap Simple linked list memory allocator
11/11/2018 Emulated Heap Simple linked list memory allocator Does not emulate any specific allocation algorithm Specifically, no in-band control info Won't mimic heap overflow problems Can detect access outside allocated blocks

21 Function Hooking Two methods
11/11/2018 Function Hooking Two methods Manual invocation of emulator equivalent function Result in eax, actual call statement in code must be "skipped" Automatic, hooked invocation of emulator equivalent function call statement redirected to emulated library function

22 Manual Function Hooking
11/11/2018 Manual Function Hooking Required parameters, if any, taken from stack Result into eax No change to eip

23 Automatic Function Hooking
11/11/2018 Automatic Function Hooking Step through hooked call statement causes emulator equivalent to be executed instead

24 Automatic Function Hooking
11/11/2018 Automatic Function Hooking Functions available for hooking Windows VirtualAlloc, VirtualFree GetProcAddress GetModuleHandle, LoadLibrary Standard library malloc, calloc, realloc, free

25 Windows Structured Exception Handling (SEH)
11/11/2018 Windows Structured Exception Handling (SEH) Work in progress tElock for example uses SEH as an anti-RE technique Point FS register at dummy Thread Environment Block (TEB) Only a few recognized exceptions Divide by zero, INT3, single step, Debug registers

26 SEH (continued) Emulated program must setup an exception handler
11/11/2018 SEH (continued) Emulated program must setup an exception handler Emulator does not offer a default exception handler Emulator creates SEH data structures, pushes them on the stack and jumps to user defined exception handler

27 11/11/2018 Outline Introduction Operation Demos Summary

28 UPX Demo One of the most common obfuscators
11/11/2018 UPX Demo One of the most common obfuscators Reversible using UPX itself UPX corruptors exist that break UPX's reversing capability Simple unpacking loop, no tricks No problem for the plugin Doesn't rebuild import table yet

29 ASPack Demo ASPack requires
11/11/2018 ASPack Demo ASPack requires LoadLibrary, GetProcAddress Used to retrieve VirtualAlloc and VirtualFree Currently emulator mimics VirtualAlloc and VirtualFree Hook LoadLibrary and GetProcAddress calls

30 ASPack Demo Hooked LoadLibrary reports to message window
11/11/2018 ASPack Demo Hooked LoadLibrary reports to message window Hooked GetProcAddress returns unique id for each function lookup Automatic hooking by GetProcAddress will create hooks for VirtualAlloc and VirtualFree Could use returned id to hook VirtualAlloc and VirtualFree calls

31 11/11/2018 tElock Demo Sets up Windows exception handlers, then generates exceptions to jump into handlers Grab some memory for TEB and point FS register at it Execute a malloc or manually push a bunch of data SEH only enabled when a Windows PE is loaded

32 Burneye Demo Early ELF protector by Team TESO
11/11/2018 Burneye Demo Early ELF protector by Team TESO Embeds the entire protected ELF binary within a protective unwrapper Offers layers of obfuscation/encryption Once decrypted, the protected binary can be dumped out of the IDA database Plugin provides a "dump block to file" capability

33 Shiva Demo Shiva is a binary protector
11/11/2018 Shiva Demo Shiva is a binary protector Similar goals to Burneye Multilevel encryption protects binary Polymorphic stage 1 decryptor Embedded key generation functions for last stage decryption

34 11/11/2018

35 11/11/2018 Shiva Key Recovery Shiva contains 5 different types of encrypted blocks Each block gets its own key Blocks of same type share the same key In this case we need to generate 5 keys in order to decrypt all of the types of blocks

36 11/11/2018 Key Obfuscation Shiva contains a key generation function for each type of crypt block Block decryption sequence Identify block type (0-IV) Call appropriate key generation function Decrypt block Clear the key

37 Key Generation Functions are obfuscated But Similar to layer 1 decrypt
11/11/2018 Key Generation Functions are obfuscated Similar to layer 1 decrypt Differ from one binary to the next Resistant to script-based recovery But They are easy to locate A table points to the start of each function

38 11/11/2018 Key Recovery The plugin can be used to run the functions and collect the keys! Setup desired parameters on the stack Pointer parameters need to point to valid memory blocks Grab memory on stack Manually invoke malloc Point eip at the function and step

39 11/11/2018 Using the Keys With 5 keys in hand it is possible to decrypt all of the crypt blocks The plugin can be used to invoke Shiva's decryption function Setup the stack Pointer to the block Pointer to the key Step through the decryption function

40 11/11/2018 Outline Introduction Operation Demos Summary

41 To Do Breakpoints More library calls Better memory displays
11/11/2018 To Do Breakpoints More library calls Better memory displays Memory use reporting Improved exception handling

42 11/11/2018 Summary Acts as something of a "universal" decryption script for protected binaries Dramatically reduces time to reverse protected binaries Emulator code can be used independently of gui code to create automated unwrappers Combine with ELF or PE parser Suggestions welcome

43 Questions? Thanks for coming
11/11/2018 Questions? Thanks for coming Contact info: Chris Eagle

44 11/11/2018 References Armouring the ELF: Binary encryption on the UNIX platform, grugq & scut, Shiva: Advances in ELF Runtime Binary Encryption, Clowes & Mehta, Black Hat USA 2003, Strike/Counter Strike: Reverse Engineering Shiva, Eagle, Black Hat Federal 2003,

45 11/11/2018 References Shiva-0.96, Clowes & Mehta, Burneye-1.0.1, scut, IDA Pro, Data Rescue, The Ultimate Packer for eXecutables

Download ppt "Attacking Obfuscated Code with IDA Pro"

Similar presentations

Pokas x86 Emulator for Generic Unpacking By Amr Thabet

Pokas x86 Emulator for Generic Unpacking By Amr Thabet
Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.

Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Shiva Advances in ELF Binary Encryption Shaun Clowes Neel Mehta

Shiva Advances in ELF Binary Encryption Shaun Clowes Neel Mehta
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Run time vs. Compile time

Run time vs. Compile time
OllyDbg Debuger.

OllyDbg Debuger.
1 Introduction to Tool chains. 2 Tool chain for the Sitara Family (but it is true for other ARM based devices as well) A tool chain is a collection of.

1 Introduction to Tool chains. 2 Tool chain for the Sitara Family (but it is true for other ARM based devices as well) A tool chain is a collection of.
F13 Forensic tool analysis Dr. John P. Abraham Professor UTPA.

F13 Forensic tool analysis Dr. John P. Abraham Professor UTPA.
System Calls 1.

System Calls 1.
Application Security Tom Chothia Computer Security, Lecture 14.

Application Security Tom Chothia Computer Security, Lecture 14.
Practical Malware Analysis Ch 8: Debugging Rev. 10-13-14.

Practical Malware Analysis Ch 8: Debugging Rev
1 Chapter 9 Writing, Testing, and Debugging Access Applications.

1 Chapter 9 Writing, Testing, and Debugging Access Applications.
Microsoft Visual Basic 2008 CHAPTER 8 Using Procedures and Exception Handling.

Microsoft Visual Basic 2008 CHAPTER 8 Using Procedures and Exception Handling.
Python: An Introduction

Python: An Introduction
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
CS 390- Unix Programming Environment CS 390 Unix Programming Environment Topics to be covered: Distributed Computing Fundamentals.

CS 390- Unix Programming Environment CS 390 Unix Programming Environment Topics to be covered: Distributed Computing Fundamentals.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.

Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable.

EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable.
Unit-1 Introduction Prepared by: Prof. Harish I Rathod

Unit-1 Introduction Prepared by: Prof. Harish I Rathod

Similar presentations

Ads by Google