Changing How You Reverse Engineer

Angel M. Villegas
Outline
• Background
• FIRST
• System Overview
• Server Framework
• Client Components
• IDA Pro Integration
• Demo
The Problem
• Current reverse engineering process
  • Get a sample, analyze sample
  • Get next sample, analyze sample
  • Get next sample, analyze sample
  • Rinse and repeat…
• Analysis work can be duplicated
  • For the analyst and others
What is FIRST
• FIRST: Function Identification and Recovery Signature Tool
• Streamlines code research
  • Prevents duplicate effort
  • Improves analysis time
• Flexible
  • Modular framework made for expanding
System Overview
[System overview diagram; components shown: Server side (Framework, REST API, DB Manager, Authentication, Engine Manager, Engine, Web Site) and client side (API, ABI, Integrations)]
Engine Manager
[Engine Manager diagram: at initialization, the installed engines known to the DB Manager are added to the set of operational engines; on a scan, the REST API data is sent to each operational engine (∀x ∈ O)]
Engine Example
class ExampleEngine(AbstractEngine):
    _name = 'ExampleEngineName'
    _description = 'Example Engine Description'
    _required_db_names = []   # names of the DB classes this engine needs

    def _add(self, function): pass                       # record a newly added function
    def scan(self, opcodes, architecture, apis): pass    # look for matches to the given function
    def install(self): pass                              # one-time setup when the engine is installed
    def uninstall(self): pass                            # clean-up when the engine is removed
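The two slides above describe the Engine Manager (installed engines become operational at initialization, and a scan fans the REST API data out to every operational engine) and the engine interface (`_add`, `scan`, `install`, `uninstall`). The following is an added example, not code from FIRST-server: it defines a stand-in `AbstractEngine`, a hypothetical exact-match engine that keys on a hash of architecture plus opcode bytes, and a minimal `EngineManager` that follows the diagram. The `ExactMatchEngine` name, the in-memory dict standing in for a DB object, the `intel32` architecture string and the sample bytes are all assumptions made for this example.

```python
import hashlib
from abc import ABC, abstractmethod


class AbstractEngine(ABC):
    """Stand-in for the server's AbstractEngine, reduced to the four methods
    the slide shows; written for this example, not taken from FIRST-server."""
    _name = ''
    _description = ''
    _required_db_names = []

    @abstractmethod
    def _add(self, function):
        """Record a newly added function."""

    @abstractmethod
    def scan(self, opcodes, architecture, apis):
        """Return identifiers of known functions that match."""

    def install(self):
        pass

    def uninstall(self):
        pass


class ExactMatchEngine(AbstractEngine):
    """Hypothetical engine: a function matches only if its architecture and
    opcode bytes hash to those of a function added earlier. The dict below
    stands in for the DB objects a real engine would request by name."""
    _name = 'ExactMatchExample'
    _description = 'SHA-256 over (architecture, opcodes); exact byte match only'
    _required_db_names = []

    def __init__(self):
        self._index = {}  # digest -> [function id, ...]

    @staticmethod
    def _digest(opcodes, architecture):
        h = hashlib.sha256()
        h.update(architecture.encode('utf-8'))
        h.update(b'\x00')  # separator: keeps 'arm'+bytes distinct from 'ar'+'m'+bytes
        h.update(opcodes)
        return h.hexdigest()

    def _add(self, function):
        d = self._digest(function['opcodes'], function['architecture'])
        self._index.setdefault(d, []).append(function['id'])

    def scan(self, opcodes, architecture, apis):
        # The API list is accepted for interface compatibility; this engine
        # keys on bytes alone, so the APIs never influence the match.
        return list(self._index.get(self._digest(opcodes, architecture), []))


class EngineManager:
    """Follows the slide's diagram: at initialization every installed engine
    is made operational; Add and Scan then fan the REST API data out to each
    operational engine (the diagram's 'for all x in O')."""

    def __init__(self, installed_engines):
        self.operational = []
        for engine in installed_engines:
            engine.install()
            self.operational.append(engine)

    def add(self, function):
        for engine in self.operational:
            engine._add(function)

    def scan(self, opcodes, architecture, apis):
        results = {}
        for engine in self.operational:
            matches = engine.scan(opcodes, architecture, apis)
            if matches:
                results[engine._name] = matches
        return results


# Constructed sample: an x86 stub (push ebp; mov ebp, esp; sub esp, 0x10;
# leave; ret), not taken from any real binary. The architecture string is an
# assumed value, not FIRST's own naming.
SAMPLE_FUNCTION = {
    'id': 'f-0001',
    'opcodes': bytes.fromhex('5589e583ec10c9c3'),
    'architecture': 'intel32',
    'apis': ['CreateFileA'],
}


def demo():
    manager = EngineManager([ExactMatchEngine()])
    manager.add(SAMPLE_FUNCTION)
    hit = manager.scan(SAMPLE_FUNCTION['opcodes'], 'intel32', [])
    miss = manager.scan(SAMPLE_FUNCTION['opcodes'], 'arm', [])
    return hit, miss


if __name__ == '__main__':
    print(demo())
```

Exact byte matching is the most conservative rule an engine can apply: it never produces a false match, but a recompiled or relocated function with different immediates or addresses will miss. Because the manager simply collects every operational engine's result under that engine's name, a looser engine can be installed beside this one without either needing to know about the other.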
DB Manager
[DB Manager diagram; components shown: DB Manager, DB Object, FIRST DB, API]
Engine Example
class ExampleDB(AbstractDB):
    _name = 'ExampleDBName'

    def __init__(self):
        pass

    # Additional functions the class provides
    #----------------------------------------------------
    def func1(self):
        pass
Authentication
• Beta makes use of Google OAuth2
The Data
Client Components
• Application Programming Interface
• Application Binary Interface
• Integrations
Integration: IDA Pro: Plugin
[IDA Pro plug-in diagram; components shown: Plugin, Custom GUI, Built-in Windows, IDA Pro, IDB, Main Thread, Server]
Integration: IDA Pro: Installing
REQUIREMENTS
  Python Requests module: pip install requests
  https://pypi.python.org/pypi/requests
  Optional: requests-kerberos (if Kerberos authentication is required)
GET THE PLUG-IN
  Download the Python plug-in from https://github.com/vrtadmin/FIRST-plugin-ida
  Copy the plug-in to the IDA Pro plug-ins folder
  Run IDA Pro
Integration: IDA Pro: Installing
Windows:
  pip install first-plugin-ida
  C:\Python27\Scripts\first-plugin-ida
Mac:
  pip install first-plugin-ida
  /usr/local/bin/first-plugin-ida
Integration: IDA Pro: Configuration
OPTION 1
  Enter configuration at the Welcome Screen (appears only when FIRST is not configured)
OPTION 2
  • In the IDA Pro View window, press ‘1’
  • Or from IDA Pro’s menu: Edit > Plugins > FIRST
  • Select Configuration
Integration: IDA Pro: Operations
• Right Click Menu
  • Check [All]
  • Add [Multiple]
  • Update
  • View History
• Other Operations
  • View History
  • Currently Applied
  • Manage Added Annotations
Integration: IDA Pro: Check
Check for a single function or all at once
Plug-in sends the server the opcodes, architecture, and APIs called by function
Integration: IDA Pro: Add
Adding a function or many at once
Plug-in sends the server the opcodes, architecture, APIs called by function and metadata (function’s name, prototype, and repeatable comment)
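The Check and Add slides above describe the same client-to-server exchange with one difference: Check sends opcodes, architecture and called APIs, while Add also sends the function's name, prototype and repeatable comment. The following added example (not the plug-in's own code) shows how a client can package both requests. The endpoint paths, JSON field names, `intel32` architecture string and sample function are assumptions made for this example; `OfflineSession` is a constructed stand-in for `requests.Session` so the block runs without a server.

```python
import base64

# Endpoint paths and JSON field names are assumptions made for this example;
# the plug-in's real REST calls are documented at first-plugin-ida.readthedocs.io.
CHECK_PATH = '/api/scan'
ADD_PATH = '/api/add'
REQUIRED_METADATA = ('name', 'prototype', 'comment')


def build_function_record(opcodes, architecture, apis, metadata=None):
    """Package one function the way the plug-in sends it. Opcode bytes are
    base64-encoded to survive JSON; duplicate API names are collapsed;
    metadata (name, prototype, repeatable comment) is sent only on Add."""
    record = {
        'opcodes': base64.b64encode(opcodes).decode('ascii'),
        'architecture': architecture,
        'apis': sorted(set(apis)),
    }
    if metadata is not None:
        missing = [k for k in REQUIRED_METADATA if k not in metadata]
        if missing:
            raise ValueError('metadata missing %s' % ', '.join(missing))
        record.update({k: metadata[k] for k in REQUIRED_METADATA})
    return record


def check_function(session, base_url, opcodes, architecture, apis):
    """Check: ask the server which known functions match this one."""
    payload = build_function_record(opcodes, architecture, apis)
    resp = session.post(base_url + CHECK_PATH, json=payload, timeout=10)
    resp.raise_for_status()
    return resp.json().get('results', [])


def add_function(session, base_url, opcodes, architecture, apis, metadata):
    """Add: publish the function's bytes plus its annotations; returns the id."""
    payload = build_function_record(opcodes, architecture, apis, metadata)
    resp = session.post(base_url + ADD_PATH, json=payload, timeout=10)
    resp.raise_for_status()
    return resp.json().get('id')


class _Response:
    """Minimal shape of a requests.Response, enough for the calls above."""

    def __init__(self, body, status=200):
        self._body, self.status_code = body, status

    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError('HTTP %d' % self.status_code)

    def json(self):
        return self._body


class OfflineSession:
    """Constructed stand-in for requests.Session so the example runs with no
    server: answers Add and Check locally with an exact (architecture,
    opcodes) match, the simplest rule a FIRST engine could apply."""

    def __init__(self):
        self._store = {}

    def post(self, url, json=None, timeout=None):
        key = (json['architecture'], json['opcodes'])
        if url.endswith(ADD_PATH):
            fid = 'f-%04d' % (len(self._store) + 1)
            self._store[key] = dict(json, id=fid)
            return _Response({'id': fid})
        if url.endswith(CHECK_PATH):
            hit = self._store.get(key)
            return _Response({'results': [hit] if hit else []})
        return _Response({'error': 'unknown endpoint'}, status=404)


# Constructed sample function (push ebp; mov ebp, esp; leave; ret) and
# constructed annotations; none of this comes from a real analysis.
SAMPLE_OPCODES = bytes.fromhex('5589e5c9c3')
SAMPLE_METADATA = {
    'name': 'init_log_handle',
    'prototype': 'int __cdecl init_log_handle(void)',
    'comment': 'opens the log file once',
}


def demo(session=None, base_url='https://first.example'):
    """Add the sample, then Check it on the same and on another architecture."""
    session = session or OfflineSession()
    fid = add_function(session, base_url, SAMPLE_OPCODES, 'intel32',
                       ['CreateFileA', 'CreateFileA'], SAMPLE_METADATA)
    same = check_function(session, base_url, SAMPLE_OPCODES, 'intel32', [])
    other_arch = check_function(session, base_url, SAMPLE_OPCODES, 'arm', [])
    return fid, same, other_arch


if __name__ == '__main__':
    print(demo())
```

In real use the plug-in would pass a `requests.Session()` (with `requests-kerberos` attached where the server needs it) instead of `OfflineSession`, and the opcodes and API list would come from the IDB. Validating the three metadata fields before posting matters because an Add with an empty name or prototype is exactly the kind of annotation that later has to be cleaned up through Manage Added Annotations.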
Integration: IDA Pro: View History
Viewing Annotation History
Right click on a function with metadata from FIRST to see its history.
Tracks metadata changes over time for each function for each user.
Integration: IDA Pro: Managing
Deleting created annotations
Right click metadata and select delete, or select the metadata and hit the delete key.
Integration: IDA Pro: Currently Applied
Viewing annotations applied
Right click menu provides a way to view history or go to the function.
FIRST Demo
Integration: Hex Rays’ IDA Pro
Questions
Register to use FIRST:
  http://first-plugin.us
Get the code:
  https://github.com/vrtadmin/FIRST
  https://github.com/vrtadmin/FIRST-server
  https://github.com/vrtadmin/FIRST-plugin-ida
Read the docs:
  http://first-server.readthedocs.io/
  http://first-plugin-ida.readthedocs.io/
Submit issues:
  https://github.com/vrtadmin/FIRST/issues/new
talosintel.com
blogs.cisco.com/talos
@talossecurity