YobiWiki - User contributions [en]

Reverse-Engineering

2013-10-10T14:48:42Z

Haxelion: /* Packers */

=Books=
* [http://shop.oreilly.com/product/9781593272890.do The IDA Pro Book, 2nd Edition by Chris Eagle]
* [http://shop.oreilly.com/product/9781597492379.do Reverse Engineering Code with IDA Pro by Dan Kaminsky et al]
* [http://shop.oreilly.com/product/9781593272906.do Practical Malware Analysis by Michael Sikorski]
* [http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817 Reversing: Secrets of Reverse Engineering by Eldad Eilam]
* [http://shop.oreilly.com/product/9781886411791.do Crackproof Your Software by Pavol Cerven]
* [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection]
* Wikibooks [https://en.wikibooks.org/wiki/Subject:Software_reverse_engineering Subject:Software_reverse_engineering]
** [https://en.wikibooks.org/wiki/X86_Disassembly X86 Disassembly]
** [https://en.wikibooks.org/wiki/Reverse_Engineering Reverse Engineering]

=Resources=
* [http://reverseengineering.stackexchange.com/ Reverse-Engineering on StackExchange]
* [http://www.openrce.org/ OpenRCE]
* [http://www.hexblog.com/ Hex Blog]
* http://www.reverse-engineering.info
* [http://brundlelab.files.wordpress.com/2013/09/automating-re-with-python.pdf Automating RE with Python (slides)] by Carlos Prado
* [http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html Intel® 64 and IA-32 Architectures Software Developer Manuals]

=Static Analysis Tools=
==IDA Pro==
''IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.''
* [https://www.hex-rays.com/products/ida/index.shtml Official page]
* Windows, Linux, Mac OS X
* x86-32, x86-64, ARM and many others
* ELF, Java bytecode, Dalvik, ARM,...
* disassembler, some debugger
* extensible through plugins & python (anti-debugger, findcrypt,...)
** [http://thunkers.net/~deft/code/toolbag/docs.html#Installation IDA toolbag]
** [https://bitbucket.org/daniel_plohmann/simplifire.idascope/ IDAscope]
** [https://code.google.com/p/patchdiff2/ patchdiff2]
** [http://www.zynamics.com/bindiff.html Zynamics bindiff]
** [http://www.darungrim.org/ DarunGrim], another binary diff tool, opensource but discontinued?
** [http://www.idabook.com/x86emu/ x86emu], x86 Emulator plugin. Windows, Linux, OS X
** Plugin contests [https://www.hex-rays.com/contests/2012/index.shtml 2012], [https://www.hex-rays.com/contests/2011/index.shtml 2011], [https://www.hex-rays.com/contests/2010/index.shtml 2010], [https://www.hex-rays.com/contests/2009/index.shtml 2009]

==Hex-Rays==
The most <strike>expensive</strike>powerful IDA Pro plugin is the [https://www.hex-rays.com/products/decompiler/index.shtml Hex-Rays decompiler]
* x86 and ARM
* decompiler
Limitations specific to ARM:
*floating point instructions are not supported
*VFP/SIMD/Neon/... instructions are not supported
*functions having an argument that is passed partially on registers and partially on the stack are not supported (e.g. int64 passed in R3 and on the stack)
==[http://www.backerstreet.com/rec/rec.htm REC Studio]==
* x86, x64
* Windows, Linux, Mac OS X
* HLA disassembler
Useful commands:
help
strings
calltree
showprocs
decompile /tmp/myprog.c
click on a function in the "Project" function list to HLA disass it

==[http://radare.nopcode.org/y/ Radare]==
The reverse engineering framework

==Misc==
===[https://code.google.com/p/distorm/ Distorm]===
diStorm3 is really a decomposer, which means it takes an instruction and returns a binary structure which describes it rather than static text, this is great for advanced binary code analysis
===[http://sourceforge.net/apps/trac/pypeelf PyPEELF]===
PyPEELF is a multi-platform binary editor written in Python, wxPython and BOA Constructor. It allows you to manage binary data in PE32, PE32+ (x64) and ELF binary files.

PyPEELF uses pefile to manage PE32 and PE32+ files and pyelf to manage ELF files. Besides, it uses winappdbg and pydasm in some others features like Task Running Viewer and Disassembling files.

PyPEELF was designed for Reverse Engineers who want to edit or visualize binary file data in multi-platforms. That is why PyPEELF runs under Windows and Unix/BSD operating systems

==Poor man's tools==
File, -z to uncompress, -s to inspect non-files, e.g. /dev/sda1
file -k [-z] [-s] mybin
Strings
strings [-n min_length] -a -e [s|S|b|l|B|L] mybin
==ELF==
man elf
===readelf===
readelf -a -g -t --dyn-syms -W mybin
===elfedit===
===objdump===
objdump -C -g -F -x -T --special-syms mybin
objdump -d -l -r -R -S mybin
objdump -D -l -r -R -S mybin
===nm===
nm -a -C -S -s --special-syms mybin
===ldd===
Shared library dependencies:
ldd -v mybin

==PE==
===[https://code.google.com/p/pefile/ Pefile]===
A Python module to read and work with PE (Portable Executable) files, see [https://code.google.com/p/pefile/wiki/UsageExamples usage examples]
<source lang=python>
#!/usr/bin/env python
import sys, pefile
pe = pefile.PE(sys.argv[1])
pe.dump_info()
open('out.txt', 'w').write(pe.dump_info())
</source>
Can run under Linux
===PEiD===
Can run with Wine
===[http://pe-tools.sourceforge.net/ PETools]===
Can run with Wine
===[http://www.angusj.com/resourcehacker/ Resource Hacker]===
Can run with Wine
===[http://www.dependencywalker.com Dependency Walker]===
Can run with Wine
===[http://wjradburn.com/software/ PEview]===
Can run with Wine
===[http://www.nirsoft.net DLL Export Viewer]===
Can run with Wine
 Under Wine, require absolute path to DLL so: click on gears, "load functions from the following DLL file", Browse
===[http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html PEBrowse Pro]===
Can run with Wine
===[http://www.ntcore.com/exsuite.php Explorer Suite]===
* CFF Explorer: Allows also to modify a PE
* Signature Explorer
* PE Detective
* Task Explorer (32 & 64)

===[http://icerbero.com/peinsider/ PE Insider]===
==Static protections==
===Packers===
* http://www.openrce.org/reference_library/packer_database
* [http://upx.sourceforge.net/ UPX]
upx -d myfile
* [http://www.crinkler.net/ Crinkler]: some insane PE packing tool coming from the demoscene world.

=Dynamic Analysis Tools=
==IDA Pro==
IDA Pro has some debugging capabilities too.
 Local debugging: win32, windbg
Remote debugging:
gdbserver --multi <client_ip>:<port> # default IDA port: 23946
Then on IDA: select Remote GDB debugger, paths should be paths on the gdbserver host.
 Tuning:
* Debugger / options / Stop on process entry point
* Compatible with lib preloading, cf below
* from 6.4, can make use of Intel PIN tools for diff debugging, see [https://www.hex-rays.com/products/ida/support/tutorials/pin/pin_tutorial.pdf tutorial (pdf)]

== OllyDBG ==

PE32 only dynamic disassembler and debugger: http://ollydbg.de/.

Support sofwtare and hardware breakpoint, binary patching and repacking, symbol analysis, advanced instruction pattern search, trace with conditional breaking, etc.

There is also a patched version with advanced python scripting ability called Immunity Debugger: http://www.immunityinc.com/products-immdbg.shtml

==Intel PIN tools==
* [http://software.intel.com/en-us/articles/pintool Official page]
** [http://software.intel.com/sites/landingpage/pintool/docs/61206/Pin/html/ User guide]
* Windows, Linux, Mac OS X, Android
* x86-32, x86-64 (only Intel platforms obviously)
* binary instrumentation
''The best way to think about Pin is as a "just in time" (JIT) compiler. The input to this compiler is not bytecode, however, but a regular executable. Pin intercepts the execution of the first instruction of the executable and generates ("compiles") new code for the straight line code sequence starting at this instruction. It then transfers control to the generated sequence. The generated code sequence is almost identical to the original one, but Pin ensures that it regains control when a branch exits the sequence. After regaining control, Pin generates more code for the branch target and continues execution. Pin makes this efficient by keeping all of the generated code in memory so it can be reused and directly branching from one sequence to another.''
''In JIT mode, the only code ever executed is the generated code. The original code is only used for reference. When generating code, Pin gives the user an opportunity to inject their own code (instrumentation).''
==Binary Instrumentation Framework for Android==
From http://mulliner.org/android/
 Slides [http://mulliner.org/android/feed/android_dbi_mulliner_breakpoint2012.pdf here]
* ARM
==DroidScope==
From https://code.google.com/p/decaf-platform/
 Slides [https://www.usenix.org/sites/default/files/conference/protected-files/yan_usenixsecurity12_slides.pdf here] and article [https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf here]
* ARM

==injectso==
From http://stealth.openwall.net/local/
* x86-32, x86-64, ARM (since v0.52)
==Soot==
From http://www.sable.mcgill.ca/soot/
* Java, Dalvik (see [http://www.bodden.de/2013/01/08/soot-android-instrumentation/ here] and [http://www.abartel.net/dexpler/ here])

==[http://visi.kenshoto.com/viki/Vdb Vdb/Vtrace] / [http://visi.kenshoto.com/viki/Vivisect Vivisect]==
* debugger, static analysis
* Windows, Linux, Android
* Intel, ARM
''vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it''
 ''vivisect is a Python based static analysis and emulation framework''
* [https://github.com/pdasilva/vtrace_scripts vtrace script examples]

==[http://www.cuckoosandbox.org/ Cuckoo Sandboxing]==
Currently only supporting Windows binaries.
 ''Cuckoo Sandbox is a malware analysis system. You can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.''
''Cuckoo generates a handful of different raw data which include:''
* ''Native functions and Windows API calls traces''
* ''Copies of files created and deleted from the filesystem''
* ''Dump of the memory of the selected process''
* ''Full memory dump of the analysis machine''
* ''Screenshots of the desktop during the execution of the malware analysis''
* ''Network dump generated by the machine used for the analysis''
==ELF==
===ltrace/strace===
Tracing library calls and system calls.
 Getting a summary:
ltrace -f -S mybin 2>&1|grep '(.*)'|sed 's/(.*//'|sort|uniq -c
Getting more:
ltrace -f -i -S -n 4 -s 1024 mybin
===Lib preloading===
<source lang=c>
#define _GNU_SOURCE

#include <dlfcn.h>
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <time.h>

// Kill nanosleep()
int nanosleep(const struct timespec *req, struct timespec *rem){
printf("\n==== In our own nanosleep(), I dunnah want sleep\n");
return 0;
}

// Kill usleep()
int usleep(useconds_t usec){
printf("\n==== In our own usleep(), I dunnah want sleep\n");
return 0;
}

// Fix time()
time_t time(time_t *t){
printf("\n==== In our own time(), will return 1380120175\n");
return 1380120175;
}

// Fix srand()
void srand(unsigned int seed){
printf("\n==== In our own srand(), will do srand(0)\n");
void (*original_srand)(unsigned int seed);
original_srand = dlsym(RTLD_NEXT, "srand");
unsigned int myseed = 0;
return (*original_srand)(myseed);
}

#if 0
// Kill rand()
int rand(void){
printf("\n==== In our own rand(), will return 0\n");
return 0;
}
#else
// Intercept rand()
int rand(void){
int (*original_rand)(void);
original_rand = dlsym(RTLD_NEXT, "rand");
int r = (*original_rand)();
printf("\n==== In our own rand(), will return %04X\n", r);
return r;
}
#endif
</source>
gcc -fPIC -shared -Wl,-soname,patch -o patch.so patch.c -ldl
export LD_PRELOAD=patch.so
export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH
==PE==
===[http://technet.microsoft.com/en-us/sysinternals/bb896645 Process Monitor]===
===[http://technet.microsoft.com/en-us/sysinternals/bb896653 Process Explorer]===
===[http://sourceforge.net/projects/regshot/ RegShot]===
Computes diff between two registry snapshots
===[http://www.nirsoft.net HeapMemView]===
===[http://winappdbg.sourceforge.net/ WinAppDbg]===
The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.
====[https://brundlelab.wordpress.com/2012/08/19/small-and-cute-execution-tracer/ Tracer.py]====
Based on WinAppDbg, finds interesting bits in trace by dichotomy signal/noise
* run first time and try everything but not the interesting stuff -> use noise option
* then run again and try interesting stuff -> use signal option

====[https://github.com/carlosgprado/Python-to-the-rescue/blob/master/WTFDLL.py WTFDLL.py]====
Find libraries loaded at runtime and the functions called
==Dynamic protections==
* http://www.openrce.org/reference_library/anti_reversing

Reverse-Engineering

2013-10-10T14:46:44Z

Haxelion: /* OllyDBG */

=Books=
* [http://shop.oreilly.com/product/9781593272890.do The IDA Pro Book, 2nd Edition by Chris Eagle]
* [http://shop.oreilly.com/product/9781597492379.do Reverse Engineering Code with IDA Pro by Dan Kaminsky et al]
* [http://shop.oreilly.com/product/9781593272906.do Practical Malware Analysis by Michael Sikorski]
* [http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817 Reversing: Secrets of Reverse Engineering by Eldad Eilam]
* [http://shop.oreilly.com/product/9781886411791.do Crackproof Your Software by Pavol Cerven]
* [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection]
* Wikibooks [https://en.wikibooks.org/wiki/Subject:Software_reverse_engineering Subject:Software_reverse_engineering]
** [https://en.wikibooks.org/wiki/X86_Disassembly X86 Disassembly]
** [https://en.wikibooks.org/wiki/Reverse_Engineering Reverse Engineering]

=Resources=
* [http://reverseengineering.stackexchange.com/ Reverse-Engineering on StackExchange]
* [http://www.openrce.org/ OpenRCE]
* [http://www.hexblog.com/ Hex Blog]
* http://www.reverse-engineering.info
* [http://brundlelab.files.wordpress.com/2013/09/automating-re-with-python.pdf Automating RE with Python (slides)] by Carlos Prado
* [http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html Intel® 64 and IA-32 Architectures Software Developer Manuals]

=Static Analysis Tools=
==IDA Pro==
''IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.''
* [https://www.hex-rays.com/products/ida/index.shtml Official page]
* Windows, Linux, Mac OS X
* x86-32, x86-64, ARM and many others
* ELF, Java bytecode, Dalvik, ARM,...
* disassembler, some debugger
* extensible through plugins & python (anti-debugger, findcrypt,...)
** [http://thunkers.net/~deft/code/toolbag/docs.html#Installation IDA toolbag]
** [https://bitbucket.org/daniel_plohmann/simplifire.idascope/ IDAscope]
** [https://code.google.com/p/patchdiff2/ patchdiff2]
** [http://www.zynamics.com/bindiff.html Zynamics bindiff]
** [http://www.darungrim.org/ DarunGrim], another binary diff tool, opensource but discontinued?
** [http://www.idabook.com/x86emu/ x86emu], x86 Emulator plugin. Windows, Linux, OS X
** Plugin contests [https://www.hex-rays.com/contests/2012/index.shtml 2012], [https://www.hex-rays.com/contests/2011/index.shtml 2011], [https://www.hex-rays.com/contests/2010/index.shtml 2010], [https://www.hex-rays.com/contests/2009/index.shtml 2009]

==Hex-Rays==
The most <strike>expensive</strike>powerful IDA Pro plugin is the [https://www.hex-rays.com/products/decompiler/index.shtml Hex-Rays decompiler]
* x86 and ARM
* decompiler
Limitations specific to ARM:
*floating point instructions are not supported
*VFP/SIMD/Neon/... instructions are not supported
*functions having an argument that is passed partially on registers and partially on the stack are not supported (e.g. int64 passed in R3 and on the stack)
==[http://www.backerstreet.com/rec/rec.htm REC Studio]==
* x86, x64
* Windows, Linux, Mac OS X
* HLA disassembler
Useful commands:
help
strings
calltree
showprocs
decompile /tmp/myprog.c
click on a function in the "Project" function list to HLA disass it

==[http://radare.nopcode.org/y/ Radare]==
The reverse engineering framework

==Misc==
===[https://code.google.com/p/distorm/ Distorm]===
diStorm3 is really a decomposer, which means it takes an instruction and returns a binary structure which describes it rather than static text, this is great for advanced binary code analysis
===[http://sourceforge.net/apps/trac/pypeelf PyPEELF]===
PyPEELF is a multi-platform binary editor written in Python, wxPython and BOA Constructor. It allows you to manage binary data in PE32, PE32+ (x64) and ELF binary files.

PyPEELF uses pefile to manage PE32 and PE32+ files and pyelf to manage ELF files. Besides, it uses winappdbg and pydasm in some others features like Task Running Viewer and Disassembling files.

PyPEELF was designed for Reverse Engineers who want to edit or visualize binary file data in multi-platforms. That is why PyPEELF runs under Windows and Unix/BSD operating systems

==Poor man's tools==
File, -z to uncompress, -s to inspect non-files, e.g. /dev/sda1
file -k [-z] [-s] mybin
Strings
strings [-n min_length] -a -e [s|S|b|l|B|L] mybin
==ELF==
man elf
===readelf===
readelf -a -g -t --dyn-syms -W mybin
===elfedit===
===objdump===
objdump -C -g -F -x -T --special-syms mybin
objdump -d -l -r -R -S mybin
objdump -D -l -r -R -S mybin
===nm===
nm -a -C -S -s --special-syms mybin
===ldd===
Shared library dependencies:
ldd -v mybin

==PE==
===[https://code.google.com/p/pefile/ Pefile]===
A Python module to read and work with PE (Portable Executable) files, see [https://code.google.com/p/pefile/wiki/UsageExamples usage examples]
<source lang=python>
#!/usr/bin/env python
import sys, pefile
pe = pefile.PE(sys.argv[1])
pe.dump_info()
open('out.txt', 'w').write(pe.dump_info())
</source>
Can run under Linux
===PEiD===
Can run with Wine
===[http://pe-tools.sourceforge.net/ PETools]===
Can run with Wine
===[http://www.angusj.com/resourcehacker/ Resource Hacker]===
Can run with Wine
===[http://www.dependencywalker.com Dependency Walker]===
Can run with Wine
===[http://wjradburn.com/software/ PEview]===
Can run with Wine
===[http://www.nirsoft.net DLL Export Viewer]===
Can run with Wine
 Under Wine, require absolute path to DLL so: click on gears, "load functions from the following DLL file", Browse
===[http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html PEBrowse Pro]===
Can run with Wine
===[http://www.ntcore.com/exsuite.php Explorer Suite]===
* CFF Explorer: Allows also to modify a PE
* Signature Explorer
* PE Detective
* Task Explorer (32 & 64)

===[http://icerbero.com/peinsider/ PE Insider]===
==Static protections==
===Packers===
* http://www.openrce.org/reference_library/packer_database
* [http://upx.sourceforge.net/ UPX]
upx -d myfile

=Dynamic Analysis Tools=
==IDA Pro==
IDA Pro has some debugging capabilities too.
 Local debugging: win32, windbg
Remote debugging:
gdbserver --multi <client_ip>:<port> # default IDA port: 23946
Then on IDA: select Remote GDB debugger, paths should be paths on the gdbserver host.
 Tuning:
* Debugger / options / Stop on process entry point
* Compatible with lib preloading, cf below
* from 6.4, can make use of Intel PIN tools for diff debugging, see [https://www.hex-rays.com/products/ida/support/tutorials/pin/pin_tutorial.pdf tutorial (pdf)]

== OllyDBG ==

PE32 only dynamic disassembler and debugger: http://ollydbg.de/.

Support sofwtare and hardware breakpoint, binary patching and repacking, symbol analysis, advanced instruction pattern search, trace with conditional breaking, etc.

There is also a patched version with advanced python scripting ability called Immunity Debugger: http://www.immunityinc.com/products-immdbg.shtml

==Intel PIN tools==
* [http://software.intel.com/en-us/articles/pintool Official page]
** [http://software.intel.com/sites/landingpage/pintool/docs/61206/Pin/html/ User guide]
* Windows, Linux, Mac OS X, Android
* x86-32, x86-64 (only Intel platforms obviously)
* binary instrumentation
''The best way to think about Pin is as a "just in time" (JIT) compiler. The input to this compiler is not bytecode, however, but a regular executable. Pin intercepts the execution of the first instruction of the executable and generates ("compiles") new code for the straight line code sequence starting at this instruction. It then transfers control to the generated sequence. The generated code sequence is almost identical to the original one, but Pin ensures that it regains control when a branch exits the sequence. After regaining control, Pin generates more code for the branch target and continues execution. Pin makes this efficient by keeping all of the generated code in memory so it can be reused and directly branching from one sequence to another.''
''In JIT mode, the only code ever executed is the generated code. The original code is only used for reference. When generating code, Pin gives the user an opportunity to inject their own code (instrumentation).''
==Binary Instrumentation Framework for Android==
From http://mulliner.org/android/
 Slides [http://mulliner.org/android/feed/android_dbi_mulliner_breakpoint2012.pdf here]
* ARM
==DroidScope==
From https://code.google.com/p/decaf-platform/
 Slides [https://www.usenix.org/sites/default/files/conference/protected-files/yan_usenixsecurity12_slides.pdf here] and article [https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf here]
* ARM

==injectso==
From http://stealth.openwall.net/local/
* x86-32, x86-64, ARM (since v0.52)
==Soot==
From http://www.sable.mcgill.ca/soot/
* Java, Dalvik (see [http://www.bodden.de/2013/01/08/soot-android-instrumentation/ here] and [http://www.abartel.net/dexpler/ here])

==[http://visi.kenshoto.com/viki/Vdb Vdb/Vtrace] / [http://visi.kenshoto.com/viki/Vivisect Vivisect]==
* debugger, static analysis
* Windows, Linux, Android
* Intel, ARM
''vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it''
 ''vivisect is a Python based static analysis and emulation framework''
* [https://github.com/pdasilva/vtrace_scripts vtrace script examples]

==[http://www.cuckoosandbox.org/ Cuckoo Sandboxing]==
Currently only supporting Windows binaries.
 ''Cuckoo Sandbox is a malware analysis system. You can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.''
''Cuckoo generates a handful of different raw data which include:''
* ''Native functions and Windows API calls traces''
* ''Copies of files created and deleted from the filesystem''
* ''Dump of the memory of the selected process''
* ''Full memory dump of the analysis machine''
* ''Screenshots of the desktop during the execution of the malware analysis''
* ''Network dump generated by the machine used for the analysis''
==ELF==
===ltrace/strace===
Tracing library calls and system calls.
 Getting a summary:
ltrace -f -S mybin 2>&1|grep '(.*)'|sed 's/(.*//'|sort|uniq -c
Getting more:
ltrace -f -i -S -n 4 -s 1024 mybin
===Lib preloading===
<source lang=c>
#define _GNU_SOURCE

#include <dlfcn.h>
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <time.h>

// Kill nanosleep()
int nanosleep(const struct timespec *req, struct timespec *rem){
printf("\n==== In our own nanosleep(), I dunnah want sleep\n");
return 0;
}

// Kill usleep()
int usleep(useconds_t usec){
printf("\n==== In our own usleep(), I dunnah want sleep\n");
return 0;
}

// Fix time()
time_t time(time_t *t){
printf("\n==== In our own time(), will return 1380120175\n");
return 1380120175;
}

// Fix srand()
void srand(unsigned int seed){
printf("\n==== In our own srand(), will do srand(0)\n");
void (*original_srand)(unsigned int seed);
original_srand = dlsym(RTLD_NEXT, "srand");
unsigned int myseed = 0;
return (*original_srand)(myseed);
}

#if 0
// Kill rand()
int rand(void){
printf("\n==== In our own rand(), will return 0\n");
return 0;
}
#else
// Intercept rand()
int rand(void){
int (*original_rand)(void);
original_rand = dlsym(RTLD_NEXT, "rand");
int r = (*original_rand)();
printf("\n==== In our own rand(), will return %04X\n", r);
return r;
}
#endif
</source>
gcc -fPIC -shared -Wl,-soname,patch -o patch.so patch.c -ldl
export LD_PRELOAD=patch.so
export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH
==PE==
===[http://technet.microsoft.com/en-us/sysinternals/bb896645 Process Monitor]===
===[http://technet.microsoft.com/en-us/sysinternals/bb896653 Process Explorer]===
===[http://sourceforge.net/projects/regshot/ RegShot]===
Computes diff between two registry snapshots
===[http://www.nirsoft.net HeapMemView]===
===[http://winappdbg.sourceforge.net/ WinAppDbg]===
The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.
====[https://brundlelab.wordpress.com/2012/08/19/small-and-cute-execution-tracer/ Tracer.py]====
Based on WinAppDbg, finds interesting bits in trace by dichotomy signal/noise
* run first time and try everything but not the interesting stuff -> use noise option
* then run again and try interesting stuff -> use signal option

====[https://github.com/carlosgprado/Python-to-the-rescue/blob/master/WTFDLL.py WTFDLL.py]====
Find libraries loaded at runtime and the functions called
==Dynamic protections==
* http://www.openrce.org/reference_library/anti_reversing

Reverse-Engineering

2013-10-10T14:45:53Z

Haxelion: /* Dynamic Analysis Tools */

=Books=
* [http://shop.oreilly.com/product/9781593272890.do The IDA Pro Book, 2nd Edition by Chris Eagle]
* [http://shop.oreilly.com/product/9781597492379.do Reverse Engineering Code with IDA Pro by Dan Kaminsky et al]
* [http://shop.oreilly.com/product/9781593272906.do Practical Malware Analysis by Michael Sikorski]
* [http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817 Reversing: Secrets of Reverse Engineering by Eldad Eilam]
* [http://shop.oreilly.com/product/9781886411791.do Crackproof Your Software by Pavol Cerven]
* [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection]
* Wikibooks [https://en.wikibooks.org/wiki/Subject:Software_reverse_engineering Subject:Software_reverse_engineering]
** [https://en.wikibooks.org/wiki/X86_Disassembly X86 Disassembly]
** [https://en.wikibooks.org/wiki/Reverse_Engineering Reverse Engineering]

=Resources=
* [http://reverseengineering.stackexchange.com/ Reverse-Engineering on StackExchange]
* [http://www.openrce.org/ OpenRCE]
* [http://www.hexblog.com/ Hex Blog]
* http://www.reverse-engineering.info
* [http://brundlelab.files.wordpress.com/2013/09/automating-re-with-python.pdf Automating RE with Python (slides)] by Carlos Prado
* [http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html Intel® 64 and IA-32 Architectures Software Developer Manuals]

=Static Analysis Tools=
==IDA Pro==
''IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.''
* [https://www.hex-rays.com/products/ida/index.shtml Official page]
* Windows, Linux, Mac OS X
* x86-32, x86-64, ARM and many others
* ELF, Java bytecode, Dalvik, ARM,...
* disassembler, some debugger
* extensible through plugins & python (anti-debugger, findcrypt,...)
** [http://thunkers.net/~deft/code/toolbag/docs.html#Installation IDA toolbag]
** [https://bitbucket.org/daniel_plohmann/simplifire.idascope/ IDAscope]
** [https://code.google.com/p/patchdiff2/ patchdiff2]
** [http://www.zynamics.com/bindiff.html Zynamics bindiff]
** [http://www.darungrim.org/ DarunGrim], another binary diff tool, opensource but discontinued?
** [http://www.idabook.com/x86emu/ x86emu], x86 Emulator plugin. Windows, Linux, OS X
** Plugin contests [https://www.hex-rays.com/contests/2012/index.shtml 2012], [https://www.hex-rays.com/contests/2011/index.shtml 2011], [https://www.hex-rays.com/contests/2010/index.shtml 2010], [https://www.hex-rays.com/contests/2009/index.shtml 2009]

==Hex-Rays==
The most <strike>expensive</strike>powerful IDA Pro plugin is the [https://www.hex-rays.com/products/decompiler/index.shtml Hex-Rays decompiler]
* x86 and ARM
* decompiler
Limitations specific to ARM:
*floating point instructions are not supported
*VFP/SIMD/Neon/... instructions are not supported
*functions having an argument that is passed partially on registers and partially on the stack are not supported (e.g. int64 passed in R3 and on the stack)
==[http://www.backerstreet.com/rec/rec.htm REC Studio]==
* x86, x64
* Windows, Linux, Mac OS X
* HLA disassembler
Useful commands:
help
strings
calltree
showprocs
decompile /tmp/myprog.c
click on a function in the "Project" function list to HLA disass it

==[http://radare.nopcode.org/y/ Radare]==
The reverse engineering framework

==Misc==
===[https://code.google.com/p/distorm/ Distorm]===
diStorm3 is really a decomposer, which means it takes an instruction and returns a binary structure which describes it rather than static text, this is great for advanced binary code analysis
===[http://sourceforge.net/apps/trac/pypeelf PyPEELF]===
PyPEELF is a multi-platform binary editor written in Python, wxPython and BOA Constructor. It allows you to manage binary data in PE32, PE32+ (x64) and ELF binary files.

PyPEELF uses pefile to manage PE32 and PE32+ files and pyelf to manage ELF files. Besides, it uses winappdbg and pydasm in some others features like Task Running Viewer and Disassembling files.

PyPEELF was designed for Reverse Engineers who want to edit or visualize binary file data in multi-platforms. That is why PyPEELF runs under Windows and Unix/BSD operating systems

==Poor man's tools==
File, -z to uncompress, -s to inspect non-files, e.g. /dev/sda1
file -k [-z] [-s] mybin
Strings
strings [-n min_length] -a -e [s|S|b|l|B|L] mybin
==ELF==
man elf
===readelf===
readelf -a -g -t --dyn-syms -W mybin
===elfedit===
===objdump===
objdump -C -g -F -x -T --special-syms mybin
objdump -d -l -r -R -S mybin
objdump -D -l -r -R -S mybin
===nm===
nm -a -C -S -s --special-syms mybin
===ldd===
Shared library dependencies:
ldd -v mybin

==PE==
===[https://code.google.com/p/pefile/ Pefile]===
A Python module to read and work with PE (Portable Executable) files, see [https://code.google.com/p/pefile/wiki/UsageExamples usage examples]
<source lang=python>
#!/usr/bin/env python
import sys, pefile
pe = pefile.PE(sys.argv[1])
pe.dump_info()
open('out.txt', 'w').write(pe.dump_info())
</source>
Can run under Linux
===PEiD===
Can run with Wine
===[http://pe-tools.sourceforge.net/ PETools]===
Can run with Wine
===[http://www.angusj.com/resourcehacker/ Resource Hacker]===
Can run with Wine
===[http://www.dependencywalker.com Dependency Walker]===
Can run with Wine
===[http://wjradburn.com/software/ PEview]===
Can run with Wine
===[http://www.nirsoft.net DLL Export Viewer]===
Can run with Wine
 Under Wine, require absolute path to DLL so: click on gears, "load functions from the following DLL file", Browse
===[http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html PEBrowse Pro]===
Can run with Wine
===[http://www.ntcore.com/exsuite.php Explorer Suite]===
* CFF Explorer: Allows also to modify a PE
* Signature Explorer
* PE Detective
* Task Explorer (32 & 64)

===[http://icerbero.com/peinsider/ PE Insider]===
==Static protections==
===Packers===
* http://www.openrce.org/reference_library/packer_database
* [http://upx.sourceforge.net/ UPX]
upx -d myfile

=Dynamic Analysis Tools=
==IDA Pro==
IDA Pro has some debugging capabilities too.
 Local debugging: win32, windbg
Remote debugging:
gdbserver --multi <client_ip>:<port> # default IDA port: 23946
Then on IDA: select Remote GDB debugger, paths should be paths on the gdbserver host.
 Tuning:
* Debugger / options / Stop on process entry point
* Compatible with lib preloading, cf below
* from 6.4, can make use of Intel PIN tools for diff debugging, see [https://www.hex-rays.com/products/ida/support/tutorials/pin/pin_tutorial.pdf tutorial (pdf)]

== OllyDBG ==

PE32 only dynamic disassembler and debugger: [http://ollydbg.de/].

Support sofwtare and hardware breakpoint, binary patching and repacking, symbol analysis, advanced instruction pattern search, trace with conditional breaking, etc.

There is also a patched version with advanced python scripting ability called Immunity Debugger: [http://www.immunityinc.com/products-immdbg.shtml]

==Intel PIN tools==
* [http://software.intel.com/en-us/articles/pintool Official page]
** [http://software.intel.com/sites/landingpage/pintool/docs/61206/Pin/html/ User guide]
* Windows, Linux, Mac OS X, Android
* x86-32, x86-64 (only Intel platforms obviously)
* binary instrumentation
''The best way to think about Pin is as a "just in time" (JIT) compiler. The input to this compiler is not bytecode, however, but a regular executable. Pin intercepts the execution of the first instruction of the executable and generates ("compiles") new code for the straight line code sequence starting at this instruction. It then transfers control to the generated sequence. The generated code sequence is almost identical to the original one, but Pin ensures that it regains control when a branch exits the sequence. After regaining control, Pin generates more code for the branch target and continues execution. Pin makes this efficient by keeping all of the generated code in memory so it can be reused and directly branching from one sequence to another.''
''In JIT mode, the only code ever executed is the generated code. The original code is only used for reference. When generating code, Pin gives the user an opportunity to inject their own code (instrumentation).''
==Binary Instrumentation Framework for Android==
From http://mulliner.org/android/
 Slides [http://mulliner.org/android/feed/android_dbi_mulliner_breakpoint2012.pdf here]
* ARM
==DroidScope==
From https://code.google.com/p/decaf-platform/
 Slides [https://www.usenix.org/sites/default/files/conference/protected-files/yan_usenixsecurity12_slides.pdf here] and article [https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf here]
* ARM

==injectso==
From http://stealth.openwall.net/local/
* x86-32, x86-64, ARM (since v0.52)
==Soot==
From http://www.sable.mcgill.ca/soot/
* Java, Dalvik (see [http://www.bodden.de/2013/01/08/soot-android-instrumentation/ here] and [http://www.abartel.net/dexpler/ here])

==[http://visi.kenshoto.com/viki/Vdb Vdb/Vtrace] / [http://visi.kenshoto.com/viki/Vivisect Vivisect]==
* debugger, static analysis
* Windows, Linux, Android
* Intel, ARM
''vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it''
 ''vivisect is a Python based static analysis and emulation framework''
* [https://github.com/pdasilva/vtrace_scripts vtrace script examples]

==[http://www.cuckoosandbox.org/ Cuckoo Sandboxing]==
Currently only supporting Windows binaries.
 ''Cuckoo Sandbox is a malware analysis system. You can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.''
''Cuckoo generates a handful of different raw data which include:''
* ''Native functions and Windows API calls traces''
* ''Copies of files created and deleted from the filesystem''
* ''Dump of the memory of the selected process''
* ''Full memory dump of the analysis machine''
* ''Screenshots of the desktop during the execution of the malware analysis''
* ''Network dump generated by the machine used for the analysis''
==ELF==
===ltrace/strace===
Tracing library calls and system calls.
 Getting a summary:
ltrace -f -S mybin 2>&1|grep '(.*)'|sed 's/(.*//'|sort|uniq -c
Getting more:
ltrace -f -i -S -n 4 -s 1024 mybin
===Lib preloading===
<source lang=c>
#define _GNU_SOURCE

#include <dlfcn.h>
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <time.h>

// Kill nanosleep()
int nanosleep(const struct timespec *req, struct timespec *rem){
printf("\n==== In our own nanosleep(), I dunnah want sleep\n");
return 0;
}

// Kill usleep()
int usleep(useconds_t usec){
printf("\n==== In our own usleep(), I dunnah want sleep\n");
return 0;
}

// Fix time()
time_t time(time_t *t){
printf("\n==== In our own time(), will return 1380120175\n");
return 1380120175;
}

// Fix srand()
void srand(unsigned int seed){
printf("\n==== In our own srand(), will do srand(0)\n");
void (*original_srand)(unsigned int seed);
original_srand = dlsym(RTLD_NEXT, "srand");
unsigned int myseed = 0;
return (*original_srand)(myseed);
}

#if 0
// Kill rand()
int rand(void){
printf("\n==== In our own rand(), will return 0\n");
return 0;
}
#else
// Intercept rand()
int rand(void){
int (*original_rand)(void);
original_rand = dlsym(RTLD_NEXT, "rand");
int r = (*original_rand)();
printf("\n==== In our own rand(), will return %04X\n", r);
return r;
}
#endif
</source>
gcc -fPIC -shared -Wl,-soname,patch -o patch.so patch.c -ldl
export LD_PRELOAD=patch.so
export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH
==PE==
===[http://technet.microsoft.com/en-us/sysinternals/bb896645 Process Monitor]===
===[http://technet.microsoft.com/en-us/sysinternals/bb896653 Process Explorer]===
===[http://sourceforge.net/projects/regshot/ RegShot]===
Computes diff between two registry snapshots
===[http://www.nirsoft.net HeapMemView]===
===[http://winappdbg.sourceforge.net/ WinAppDbg]===
The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.
====[https://brundlelab.wordpress.com/2012/08/19/small-and-cute-execution-tracer/ Tracer.py]====
Based on WinAppDbg, finds interesting bits in trace by dichotomy signal/noise
* run first time and try everything but not the interesting stuff -> use noise option
* then run again and try interesting stuff -> use signal option

====[https://github.com/carlosgprado/Python-to-the-rescue/blob/master/WTFDLL.py WTFDLL.py]====
Find libraries loaded at runtime and the functions called
==Dynamic protections==
* http://www.openrce.org/reference_library/anti_reversing