
Reverse Engineering
Paul deGrandis
Applications
• Software Maintenance
• Source Code and Documentation Engineering
• Virus Analysis
Malware
• Virus
  • Needs a vector for propagation
• Worm
  • No vector needed
  • Can spread by network shares, email, security holes
Malware
• Trojan Horse
  • Performs unstated and undesirable functions
  • Spyware, adware, logic bombs, backdoors, rootkits
Anti-Virus
• Integrity Checking
• Static AV Scanners
• Dynamic AV Scanners
Anti-Virus
• Integrity Checking
  • Checksum comparison
• Static AV Scanners
  • Program properties (registry, system calls)
  • Malware byte sequence extraction
Anti-Virus
• Dynamic AV Scanners
  • Intercepting system calls
  • Analyzing audit trails
  • Operation patterns
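The "analyzing audit trails" and "operation patterns" bullets describe a dynamic scanner that does not look at bytes but at what a process does. The following is an added example (not part of the slides) in Python: it parses a constructed audit trail in a hypothetical one-line-per-event format (not the real output of FileMon, RegMon or TDIMon), groups events by process, and matches each process against a few behaviour patterns that a dynamic scanner would flag: dropping an executable into the system directory, adding an autorun registry value, opening a listening port, and connecting to port 25 on several hosts. All paths, pids and addresses are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed audit trail in a simplified, hypothetical format:
#   "<time> pid=<n> <operation> <target> [<access>]"
# Not the real format of any SysInternals tool; sample lines only.
AUDIT_TRAIL = """\
12:00:01 pid=1234 CreateFile C:\\WINDOWS\\system32\\sample_dropped.exe WRITE
12:00:02 pid=1234 RegSetValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SampleDropped
12:00:03 pid=1234 Listen 0.0.0.0:6777
12:00:04 pid=1234 Connect 198.51.100.7:25
12:00:05 pid=1234 Connect 198.51.100.8:25
12:00:06 pid=1234 Connect 198.51.100.9:25
12:00:07 pid=4321 CreateFile C:\\Users\\alice\\notes.txt WRITE
12:00:08 pid=4321 Connect 198.51.100.20:443
"""

LINE_RE = re.compile(r"^(?P<time>\S+) pid=(?P<pid>\d+) (?P<op>\w+) (?P<rest>.+)$")

Event = Tuple[str, str, str]  # (operation, target, access)


def parse_trail(trail: str) -> Dict[int, List[Event]]:
    """Group parsed events by process id; lines that do not parse are skipped."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for line in trail.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m["rest"].split()
        target = parts[0]
        access = parts[1] if len(parts) > 1 else ""
        by_pid[int(m["pid"])].append((m["op"], target, access))
    return by_pid


def operation_patterns(events: List[Event]) -> List[str]:
    """Match one process's event sequence against behaviour patterns."""
    hits: List[str] = []
    # 1. Writes an executable somewhere under the Windows directory.
    if any(op == "CreateFile" and access == "WRITE"
           and t.upper().startswith("C:\\WINDOWS\\") and t.lower().endswith(".exe")
           for op, t, access in events):
        hits.append("drops an executable into the system directory")
    # 2. Adds a value under a Run key (persistence across reboots).
    if any(op == "RegSetValue" and "\\currentversion\\run\\" in t.lower()
           for op, t, _ in events):
        hits.append("installs an autorun registry entry")
    # 3. Opens a listening socket: a potential backdoor.
    if any(op == "Listen" for op, _, _ in events):
        hits.append("opens a listening port (possible backdoor)")
    # 4. Connects to port 25 on several distinct hosts: mass-mailer behaviour.
    smtp_hosts = {t.rsplit(":", 1)[0] for op, t, _ in events
                  if op == "Connect" and t.endswith(":25")}
    if len(smtp_hosts) >= 3:
        hits.append(f"SMTP connections to {len(smtp_hosts)} hosts (possible mass-mailer)")
    return hits


def analyze(trail: str) -> Dict[int, List[str]]:
    """Per process, the matched patterns; processes with no hits are omitted."""
    findings: Dict[int, List[str]] = {}
    for pid, events in parse_trail(trail).items():
        hits = operation_patterns(events)
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in analyze(AUDIT_TRAIL).items():
        print(pid, "->", "; ".join(hits))
```

The point of grouping by pid before matching is that none of these events is suspicious on its own (a legitimate installer writes to the system directory, a mail client connects to port 25); it is the combination within one process that forms the "operation pattern" the slide refers to.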
Procedures For Analysis
• Restrict Access
• Save only disassembled files
• Rename extensions, prevents double-click
• Password protect dangerous files and ZIPs
• NEVER SEND MALWARE
Tools
• VMware
  • Isolate and restore snapshots
• BinText
  • Extracts strings from binary files (code)
  • IRC commands, SMTP, registry keys
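What BinText does can be shown in a few lines. The following is an added example (not from the slides, and not BinText's own code) in Python: it pulls runs of printable ASCII and of UTF-16LE text out of a byte buffer, drops anything shorter than a minimum length, and sorts the results into the categories the slide mentions (IRC commands, SMTP verbs, registry keys) plus file paths. The "binary" is a constructed byte string with made-up strings, not a real sample, and the category regexes are this example's own heuristics.

```python
import re
from typing import Dict, List

# Constructed stand-in for a binary: printable strings surrounded by junk bytes.
# Not a real sample; every string in it is made up for this example.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"                 # "MZ": too short to report
    b"PRIVMSG #lab-channel :hello\x00\x01\x02"
    b"HELO mail.example.com\x00\xff\xfe"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    b"ab\x00"                                           # shorter than MIN_LEN: ignored
    b"MAIL FROM:<lab@example.com>\x00\xcc"
    + "C:\\lab_sample.exe".encode("utf-16-le") + b"\x00\x00"   # a UTF-16LE string
)

MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs, then UTF-16LE runs, of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.decode("ascii") for m in ascii_re.findall(data)]
    found += [m.decode("utf-16-le") for m in utf16_re.findall(data)]
    return found


# Heuristic buckets (this example's own, not BinText's): what an analyst looks for first.
CATEGORIES = {
    "irc": re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.I),
    "smtp": re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA)\b", re.I),
    "registry": re.compile(r"^(HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE\\|SYSTEM\\)", re.I),
    "path": re.compile(r"^[A-Za-z]:\\"),
}


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Put each string into the first matching category, or 'other'."""
    buckets: Dict[str, List[str]] = {name: [] for name in CATEGORIES}
    buckets["other"] = []
    for s in strings:
        for name, rx in CATEGORIES.items():
            if rx.search(s):
                buckets[name].append(s)
                break
        else:
            buckets["other"].append(s)
    return buckets


if __name__ == "__main__":
    for name, items in classify(extract_strings(SAMPLE_BINARY)).items():
        for s in items:
            print(f"{name:9} {s}")
```

The minimum length matters: with a cut-off of 1 or 2 the output is mostly noise from opcode bytes that happen to be printable, which is why the two-byte "MZ" header above is not reported.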
Tools
• IDA Pro
  • Disassembles executables into assembly
Tools
• UPX Decompression
  • Executable packer
  • To unpack:
    upx.exe -d -o dest.exe source.exe
Tools
• SysInternals.com
  • FileMon - monitors file access
  • RegMon - monitors registry access
Tools
• RegShot
  • Records modifications to the registry, but not reads
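Both the "checksum comparison" form of integrity checking on the Anti-Virus slide and RegShot's before/after snapshots are the same operation: record a map of key to value, let the sample run, record it again, and report what was added, removed or changed. The following is an added example (not from the slides, and not RegShot's code) in Python that does this for a directory tree using SHA-256 digests; the diff function is written against plain dictionaries, so the same comparison would apply to a registry snapshot of value name to data. The scenario in demo() is constructed in a temporary directory: a dropped file, a modified file, a deleted file, and a file that is only read.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def snapshot_tree(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    snap: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            snap[os.path.relpath(path, root)] = digest
    return snap


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two key->value snapshots (file hashes, registry values, ...)."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a directory, simulate a sample's side effects, diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system.ini", b"[boot]\n")
        _write(root, "notes.txt", b"hello\n")
        _write(root, "old.log", b"stale\n")
        before = snapshot_tree(root)

        # Simulated effects of running a sample (no real sample is involved):
        _write(root, "dropped.exe", b"MZ\x90\x00constructed-not-a-real-binary")  # new file
        _write(root, "system.ini", b"[boot]\nshell=dropped.exe\n")                # changed file
        os.remove(os.path.join(root, "old.log"))                                  # deleted file
        with open(os.path.join(root, "notes.txt"), "rb") as f:                   # read only
            f.read()

        after = snapshot_tree(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Note that notes.txt does not appear in the result: a snapshot diff only sees state, so a read leaves no trace. That is exactly the limitation the RegShot bullet states, and it is why a monitor such as RegMon or FileMon, which intercepts the operations as they happen, is used alongside the snapshot tools.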
Tools
• ProcDump
  • Dumps a process's code from memory
  • Useful in detecting and analyzing polymorphic viruses
Tools
• OllyDbg
  • Attaches to a process
  • Can actively manipulate memory and registers during operation
  • Swiss Army Knife
Tools
• Network Activity
  • TCPView - displays open network ports
  • TDIMon - monitors network activity
  • Ethereal/Wireshark - Packet Sniffer
  • Snort - IDS / Packet Sniffer
  • netcat - Network swiss army knife
Tools
• SysInternals.com
  • TCPView - TCP and UDP endpoints and processes
  • TDIMon - Logs all network activity, but not packet contents
Tools
• Wireshark (formerly Ethereal)
  • Captures and displays all packet contents
  • One of your best friends
Tools
• Netcat - reads and writes across data connections using TCP/IP
  • Great for probing, listening, debugging, or exploring unknown network behavior
  • The other one of your best friends
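The "listening" use of netcat in a lab is to stand in for a server the sample expects to reach, so that its first messages can be captured without letting it touch a real network. The following is an added example (not from the slides, and not netcat's code) in Python of that sink: it binds a listener on loopback, sends a constructed greeting to whatever connects, and records everything the peer sends until it closes or goes quiet. demo() plays both sides on 127.0.0.1 with a constructed client in place of the program under analysis; the greeting text and the client's message are made up.

```python
import socket
import threading
from typing import Dict, List, Tuple

BANNER = b"220 lab-sink ready\r\n"   # constructed greeting, sent to whatever connects


def serve_once(srv: socket.socket, captured: List[Tuple[str, bytes]]) -> None:
    """Accept one connection, send the banner, record everything the peer sends."""
    conn, peer = srv.accept()
    with conn:
        conn.sendall(BANNER)
        conn.settimeout(2.0)
        chunks: List[bytes] = []
        try:
            while True:
                data = conn.recv(4096)
                if not data:            # peer closed the connection
                    break
                chunks.append(data)
        except socket.timeout:          # peer went quiet: keep what we have
            pass
        captured.append((peer[0], b"".join(chunks)))


def start_sink(host: str = "127.0.0.1", port: int = 0):
    """Bind a listener (port 0 = pick a free port) and serve one connection in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    captured: List[Tuple[str, bytes]] = []
    worker = threading.Thread(target=serve_once, args=(srv, captured), daemon=True)
    worker.start()
    return srv, worker, captured


def demo() -> Dict[str, bytes]:
    """Constructed client standing in for the program under analysis."""
    srv, worker, captured = start_sink()
    port = srv.getsockname()[1]
    with socket.create_connection(("127.0.0.1", port)) as client:
        greeting = b""
        while not greeting.endswith(b"\r\n"):
            chunk = client.recv(1024)
            if not chunk:
                break
            greeting += chunk
        client.sendall(b"HELO victim.example\r\n")   # constructed first message
    worker.join(5.0)
    srv.close()
    return {"greeting": greeting, "captured": captured[0][1] if captured else b""}


if __name__ == "__main__":
    result = demo()
    print("sent greeting:", result["greeting"])
    print("peer sent:    ", result["captured"])
```

Sending a greeting first is deliberate: many clients (SMTP among them) wait for the server's banner before saying anything, so a silent listener would capture nothing and the observer would wrongly conclude the sample is idle. The two-second idle timeout is the other practical detail: a sample that holds the connection open would otherwise block the sink forever.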
The Assignment
• Beagle.J (and its cousin Beagle.K)
• Static analysis (BinText, IDA)
• Dynamic Analysis
  • Host Side (Registry, process, files)
  • Networking (Ports, connections, traffic)
  • Propagation, Backdoors