Difference between revisions of "Reverse-Engineering"

From YobiWiki
Jump to navigation Jump to search
m
m
Line 10: Line 10:
 
* [http://www.hexblog.com/ Hex Blog]
 
* [http://www.hexblog.com/ Hex Blog]
 
* http://www.reverse-engineering.info
 
* http://www.reverse-engineering.info
=Tools=
+
=Static Analysis Tools=
 
==IDA Pro==
 
==IDA Pro==
 
''IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.''
 
''IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.''
Line 36: Line 36:
 
*functions having an argument that is passed partially on registers and partially on the stack are not supported (e.g. int64 passed in R3 and on the stack)
 
*functions having an argument that is passed partially on registers and partially on the stack are not supported (e.g. int64 passed in R3 and on the stack)
   
==Intel PIN tools==
+
==Packers==
* [http://software.intel.com/en-us/articles/pintool Official page]
+
* [http://upx.sourceforge.net/ UPX]
  +
upx -d myfile
** [http://software.intel.com/sites/landingpage/pintool/docs/61206/Pin/html/ User guide]
 
  +
==Poor man's tools==
* Windows, Linux, Mac OS X, Android
 
  +
File, -z to uncompress, -s to inspect non-files, e.g. /dev/sda1
* x86-32, x86-64 (only Intel platforms obviously)
 
  +
file -k [-z] [-s] mybin
* binary instrumentation
 
  +
Strings
''The best way to think about Pin is as a "just in time" (JIT) compiler. The input to this compiler is not bytecode, however, but a regular executable. Pin intercepts the execution of the first instruction of the executable and generates ("compiles") new code for the straight line code sequence starting at this instruction. It then transfers control to the generated sequence. The generated code sequence is almost identical to the original one, but Pin ensures that it regains control when a branch exits the sequence. After regaining control, Pin generates more code for the branch target and continues execution. Pin makes this efficient by keeping all of the generated code in memory so it can be reused and directly branching from one sequence to another.''
 
  +
strings [-n min_length] -a -e [s|S|b|l|B|L] mybin
''In JIT mode, the only code ever executed is the generated code. The original code is only used for reference. When generating code, Pin gives the user an opportunity to inject their own code (instrumentation).''
 
  +
==ELF==
==[http://visi.kenshoto.com/viki/Vdb Vdb/Vtrace] / [http://visi.kenshoto.com/viki/Vivisect Vivisect]==
 
  +
man elf
* debugger, static analysis
 
  +
===readelf===
* Windows, Linux, Android
 
  +
readelf -a -g -t --dyn-syms -W mybin
* Intel, ARM
 
  +
===elfedit===
''vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it''
 
  +
===objdump===
<br>''vivisect is a Python based static analysis and emulation framework''
 
  +
objdump -C -g -F -x -T --special-syms mybin
==[http://www.cuckoosandbox.org/ Cuckoo Sandboxing]==
 
  +
objdump -d -l -r -R -S mybin
Currently only supporting Windows binaries.
 
  +
objdump -D -l -r -R -S mybin
<br>''Cuckoo Sandbox is a malware analysis system. You can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.''
 
  +
===nm===
''Cuckoo generates a handful of different raw data which include:''
 
  +
nm -a -C -S -s --special-syms mybin
* ''Native functions and Windows API calls traces''
 
  +
===ldd===
* ''Copies of files created and deleted from the filesystem''
 
  +
Shared library dependencies:
* ''Dump of the memory of the selected process''
 
  +
ldd -v mybin
* ''Full memory dump of the analysis machine''
 
* ''Screenshots of the desktop during the execution of the malware analysis''
 
* ''Network dump generated by the machine used for the analysis''
 
   
==Lib preloading==
+
==PE==
  +
===[https://code.google.com/p/pefile/ Pefile]===
  +
A Python module to read and work with PE (Portable Executable) files, see [https://code.google.com/p/pefile/wiki/UsageExamples usage examples]
  +
<source lang=python>
  +
#!/usr/bin/env python
  +
import sys, pefile
  +
pe = pefile.PE(sys.argv[1])
  +
pe.dump_info()
  +
open('out.txt', 'w').write(pe.dump_info())
  +
</source>
  +
Can run under Linux
  +
===PEiD===
  +
Can run with Wine
  +
===[http://pe-tools.sourceforge.net/ PETools]===
  +
Can run with Wine
  +
===[http://www.angusj.com/resourcehacker/ Resource Hacker]===
  +
Can run with Wine
  +
===[http://www.dependencywalker.com Dependency Walker]===
  +
Can run with Wine
  +
===[http://wjradburn.com/software/ PEview]===
  +
Can run with Wine
  +
===[http://www.nirsoft.net DLL Export Viewer]===
  +
Can run with Wine
  +
<br>Under Wine, require absolute path to DLL so: click on gears, "load functions from the following DLL file", Browse
  +
===[http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html PEBrowse Pro]===
  +
Can run with Wine
  +
=Dynamic Analysis Tools=
  +
==ELF==
  +
===ltrace/strace===
  +
Tracing library calls and system calls.
  +
<br>Getting a summary:
  +
ltrace -f -S mybin 2>&1|grep '(.*)'|sed 's/(.*//'|sort|uniq -c
  +
Getting more:
  +
ltrace -f -i -S -n 4 -s 1024 mybin
  +
===Lib preloading===
 
<source lang=c>
 
<source lang=c>
 
#define _GNU_SOURCE
 
#define _GNU_SOURCE
Line 120: Line 152:
 
export LD_PRELOAD=patch.so
 
export LD_PRELOAD=patch.so
 
export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH
 
export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH
==Packers==
+
==Intel PIN tools==
* [http://upx.sourceforge.net/ UPX]
+
* [http://software.intel.com/en-us/articles/pintool Official page]
  +
** [http://software.intel.com/sites/landingpage/pintool/docs/61206/Pin/html/ User guide]
upx -d myfile
 
  +
* Windows, Linux, Mac OS X, Android
==Poor man's tools==
 
  +
* x86-32, x86-64 (only Intel platforms obviously)
File, -z to uncompress, -s to inspect non-files, e.g. /dev/sda1
 
  +
* binary instrumentation
file -k [-z] [-s] mybin
 
  +
''The best way to think about Pin is as a "just in time" (JIT) compiler. The input to this compiler is not bytecode, however, but a regular executable. Pin intercepts the execution of the first instruction of the executable and generates ("compiles") new code for the straight line code sequence starting at this instruction. It then transfers control to the generated sequence. The generated code sequence is almost identical to the original one, but Pin ensures that it regains control when a branch exits the sequence. After regaining control, Pin generates more code for the branch target and continues execution. Pin makes this efficient by keeping all of the generated code in memory so it can be reused and directly branching from one sequence to another.''
Strings
 
  +
''In JIT mode, the only code ever executed is the generated code. The original code is only used for reference. When generating code, Pin gives the user an opportunity to inject their own code (instrumentation).''
strings [-n min_length] -a -e [s|S|b|l|B|L] mybin
 
  +
==[http://visi.kenshoto.com/viki/Vdb Vdb/Vtrace] / [http://visi.kenshoto.com/viki/Vivisect Vivisect]==
==ELF==
 
  +
* debugger, static analysis
man elf
 
  +
* Windows, Linux, Android
===readelf===
 
  +
* Intel, ARM
readelf -a -g -t --dyn-syms -W mybin
 
  +
''vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it''
===elfedit===
 
  +
<br>''vivisect is a Python based static analysis and emulation framework''
===objdump===
 
  +
==[http://www.cuckoosandbox.org/ Cuckoo Sandboxing]==
objdump -C -g -F -x -T --special-syms mybin
 
  +
Currently only supporting Windows binaries.
objdump -d -l -r -R -S mybin
 
  +
<br>''Cuckoo Sandbox is a malware analysis system. You can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.''
objdump -D -l -r -R -S mybin
 
  +
''Cuckoo generates a handful of different raw data which include:''
===nm===
 
  +
* ''Native functions and Windows API calls traces''
nm -a -C -S -s --special-syms mybin
 
  +
* ''Copies of files created and deleted from the filesystem''
===ldd===
 
  +
* ''Dump of the memory of the selected process''
Shared library dependencies:
 
  +
* ''Full memory dump of the analysis machine''
ldd -v mybin
 
  +
* ''Screenshots of the desktop during the execution of the malware analysis''
===ltrace/strace===
 
  +
* ''Network dump generated by the machine used for the analysis''
Tracing library calls and system calls.
 
<br>Getting a summary:
 
ltrace -f -S mybin 2>&1|grep '(.*)'|sed 's/(.*//'|sort|uniq -c
 
Getting more:
 
ltrace -f -i -S -n 4 -s 1024 mybin
 
 
==PE==
 
===[https://code.google.com/p/pefile/ Pefile]===
 
A Python module to read and work with PE (Portable Executable) files, see [https://code.google.com/p/pefile/wiki/UsageExamples usage examples]
 
<source lang=python>
 
#!/usr/bin/env python
 
import sys, pefile
 
pe = pefile.PE(sys.argv[1])
 
pe.dump_info()
 
open('out.txt', 'w').write(pe.dump_info())
 
</source>
 
Can run under Linux
 
===PEiD===
 
Can run with Wine
 
===[http://pe-tools.sourceforge.net/ PETools]===
 
Can run with Wine
 
===[http://www.angusj.com/resourcehacker/ Resource Hacker]===
 
Can run with Wine
 
===[http://www.dependencywalker.com Dependency Walker]===
 
Can run with Wine
 
===[http://wjradburn.com/software/ PEview]===
 
Can run with Wine
 
===[http://www.nirsoft.net DLL Export Viewer]===
 
Can run with Wine
 
<br>Under Wine, require absolute path to DLL so: click on gears, "load functions from the following DLL file", Browse
 
===[http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html PEBrowse Pro]===
 
Can run with Wine
 

Revision as of 15:06, 5 October 2013

Books

Resources

Static Analysis Tools

IDA Pro

IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.

Hex-Rays

The most expensivepowerful IDA Pro plugin is the Hex-Rays decompiler

  • x86 and ARM
  • decompiler

Limitations specific to ARM:

  • floating point instructions are not supported
  • VFP/SIMD/Neon/... instructions are not supported
  • functions having an argument that is passed partially on registers and partially on the stack are not supported (e.g. int64 passed in R3 and on the stack)

Packers

upx -d myfile

Poor man's tools

File, -z to uncompress, -s to inspect non-files, e.g. /dev/sda1

file -k [-z] [-s] mybin 

Strings

strings [-n min_length] -a -e [s|S|b|l|B|L] mybin

ELF

man elf

readelf

readelf -a -g -t --dyn-syms -W mybin

elfedit

objdump

objdump -C -g -F -x -T --special-syms mybin
objdump -d -l -r -R -S mybin
objdump -D -l -r -R -S mybin

nm

nm -a -C -S -s --special-syms mybin

ldd

Shared library dependencies:

ldd -v mybin

PE

Pefile

A Python module to read and work with PE (Portable Executable) files, see usage examples

#!/usr/bin/env python
import sys, pefile
pe = pefile.PE(sys.argv[1])
pe.dump_info()
open('out.txt', 'w').write(pe.dump_info())

Can run under Linux

PEiD

Can run with Wine

PETools

Can run with Wine

Resource Hacker

Can run with Wine

Dependency Walker

Can run with Wine

PEview

Can run with Wine

DLL Export Viewer

Can run with Wine
Under Wine, require absolute path to DLL so: click on gears, "load functions from the following DLL file", Browse

PEBrowse Pro

Can run with Wine

Dynamic Analysis Tools

ELF

ltrace/strace

Tracing library calls and system calls.
Getting a summary:

ltrace -f -S mybin 2>&1|grep '(.*)'|sed 's/(.*//'|sort|uniq -c

Getting more:

ltrace -f -i -S -n 4 -s 1024 mybin

Lib preloading

#define _GNU_SOURCE

#include <dlfcn.h>
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <time.h>


// Kill nanosleep()
int nanosleep(const struct timespec *req, struct timespec *rem){
    printf("\n==== In our own nanosleep(), I dunnah want sleep\n");
    return 0;
}

// Kill usleep()
int usleep(useconds_t usec){
    printf("\n==== In our own usleep(), I dunnah want sleep\n");
    return 0;
}

// Fix time()
time_t time(time_t *t){
    printf("\n==== In our own time(), will return 1380120175\n");
    return 1380120175;
}

// Fix srand()
void srand(unsigned int seed){
    printf("\n==== In our own srand(), will do srand(0)\n");
    void (*original_srand)(unsigned int seed);
    original_srand = dlsym(RTLD_NEXT, "srand");
    unsigned int myseed = 0;
    return (*original_srand)(myseed);
}

#if 0
// Kill rand()
int rand(void){
    printf("\n==== In our own rand(), will return 0\n");
    return 0;
}
#else
// Intercept rand()
int rand(void){
    int (*original_rand)(void);
    original_rand = dlsym(RTLD_NEXT, "rand");
    int r = (*original_rand)();
    printf("\n==== In our own rand(), will return %04X\n", r);
    return r;
}
#endif
gcc -fPIC -shared -Wl,-soname,patch -o patch.so patch.c -ldl
export LD_PRELOAD=patch.so
export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH

Intel PIN tools

  • Official page
  • Windows, Linux, Mac OS X, Android
  • x86-32, x86-64 (only Intel platforms obviously)
  • binary instrumentation

The best way to think about Pin is as a "just in time" (JIT) compiler. The input to this compiler is not bytecode, however, but a regular executable. Pin intercepts the execution of the first instruction of the executable and generates ("compiles") new code for the straight line code sequence starting at this instruction. It then transfers control to the generated sequence. The generated code sequence is almost identical to the original one, but Pin ensures that it regains control when a branch exits the sequence. After regaining control, Pin generates more code for the branch target and continues execution. Pin makes this efficient by keeping all of the generated code in memory so it can be reused and directly branching from one sequence to another. In JIT mode, the only code ever executed is the generated code. The original code is only used for reference. When generating code, Pin gives the user an opportunity to inject their own code (instrumentation).

Vdb/Vtrace / Vivisect

  • debugger, static analysis
  • Windows, Linux, Android
  • Intel, ARM

vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it
vivisect is a Python based static analysis and emulation framework

Cuckoo Sandboxing

Currently only supporting Windows binaries.
Cuckoo Sandbox is a malware analysis system. You can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment. Cuckoo generates a handful of different raw data which include:

  • Native functions and Windows API calls traces
  • Copies of files created and deleted from the filesystem
  • Dump of the memory of the selected process
  • Full memory dump of the analysis machine
  • Screenshots of the desktop during the execution of the malware analysis
  • Network dump generated by the machine used for the analysis