Page 1: Temporal Reverse Engineering

Temporal Reverse Engineering

Danny Quist, Colin Ames

Blackhat USA 2008

Page 2: Danny Quist

• Co-founder, Offensive Computing, LLC
• Ph.D. Candidate at New Mexico Tech
• Reverse Engineering Instructor, Infosec Institute
• [email protected]

Page 3: Colin Ames

• Security Researcher, Offensive Computing
• Steganography Research
• Penetration Testing
• Reverse Engineering
• Malware Analysis
• [email protected]

Page 4: Overview of Talk

• Current Techniques
  – Where they work
  – Where they fail
• What is Temporal Reverse Engineering?
• Process pausing techniques
• Visualization Methods
• Applications and Demos

Page 5: Reverse Engineering

• RE is hard
• Goal: Figure out how a program works in a minimal amount of time
• Expensive (We don’t work cheap)
• Time consuming

Page 6: Dominant Strategies

• Static Analysis
  – IDA Pro, dumpbin
  – Figure out program flow
  – Search for strings
  – API Call graphing

Page 7: Dominant Strategies

• Dynamic Analysis
  – Watch for changes on the system
    • Registry, files, network
  – Monitor System calls
  – Tools more accessible to unskilled people
    • Sysinternals, Winanalysis, etc.

Page 8: Pros

Static Analysis
• Details
• Precision, full code reversal possible
• Good tools available
• Lots of source level static analysis programs
• Antivirus
  – It’s profitable

Dynamic Analysis
• Fast
• Lower barrier to entry
• High level overview
• Good tools
  – Sysinternals
  – Winanalysis
  – CWSandbox
• Antivirus

Page 9: Cons

Static Analysis
• Too much detail
• Full code reversing not necessary
• Tools cumbersome, take awhile to learn
• Source level analysis full of false positives
• Antivirus
  – Doesn’t scale

Dynamic Analysis
• Misses details
• Encourages “next->next->next” analysis
• Tools easily subverted

Page 10: Bridging the Gap

• Fundamental problem:
  – Know when to analyze, not what
  – Data changes, need to track and respond to those changes
• Techniques
  – Debuggers
  – Pagefault assisted debugging (Saffron)
  – Dynamic Translation
  – Sandboxing

Page 11: Monitoring Program Execution

• Intel PIN
  – Dynamic instrumentation library
  – Extensible
  – Awesome API
• Saffron
  – Covert monitoring
  – Limited back tracking

Page 12: Visualization

• Monitor program execution with visualization techniques
• Valuable insight into process monitoring
• Integration with IDA and Olly

Page 13: What about program flow tracing?

• Visualization should be able to answer a question quickly
• How can we apply this to reverse engineering?
• Find a way to quickly represent information

Page 14: Find the Unpacking Loops

• Simple hello world program

    #include <stdio.h>

    int main(int argc, char **argv)
    {
        printf("Hello, world\n");
        return 0;
    }

• Packers used
  – ASPack, FSG, PECompact, UPX

Page 15: Hello World, Inst., No Packing (figure)

Page 16: Hello World, Basic Block, No Packing (figure)

Page 17: Adding Packers

• Should be able to find the following:
  – Packing loop
  – Main program
• Minimize extraneous information
• Reducing analyst time is the key
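
The kind of trace analysis these slides illustrate, as an added example that is not part of the original deck: a constructed instruction trace (hypothetical addresses) in which a packer stub writes the program body in a loop and then jumps to it. find_oep applies the write-then-execute heuristic (the first execution of an address the program itself wrote earlier), which is the principle a page-fault-assisted unpacker uses to locate the original entry point; this is a simplified, trace-based stand-in, not Saffron's implementation. page_hotspots counts executions per 4 KiB page, which is what the instruction-level and basic-block views make visible: the packing loop dominates the counts and the main program is the small region executed afterwards.

```python
from collections import Counter

PAGE = 0x1000  # 4 KiB pages, the granularity a page-access snapshot would see

# Constructed sample trace: a list of (eip, address written by that instruction or None).
# All addresses are hypothetical. A packer stub at 0x00405000 decompresses the
# program body at 0x00401000..0x0040103F one byte per loop iteration, then jumps to it.
def build_sample_trace():
    trace = []
    stub = 0x00405000
    for i in range(0x40):
        trace.append((stub + 0x00, None))             # load next packed byte
        trace.append((stub + 0x05, 0x00401000 + i))   # store decoded byte into the body
        trace.append((stub + 0x0A, None))             # loop back-edge
    trace.append((stub + 0x10, None))                 # jump to the unpacked entry point
    for addr in range(0x00401000, 0x00401020, 4):     # the unpacked main program runs
        trace.append((addr, None))
    return trace


def find_oep(trace):
    """Return the first EIP that executes from an address the program wrote
    earlier in the same trace (write-then-execute), or None if that never happens."""
    written = set()
    for eip, write in trace:
        if eip in written:
            return eip
        if write is not None:
            written.add(write)
    return None


def page_hotspots(trace):
    """Executed-instruction count per 4 KiB page, most executed first.
    The packing loop shows up as the hottest page; the main program is cold."""
    counts = Counter(eip & ~(PAGE - 1) for eip, _ in trace)
    return counts.most_common()


def split_phases(trace, oep):
    """Index of the first trace entry at the OEP, i.e. where the packing loop
    ends and the main program begins; None if the OEP never executes."""
    for i, (eip, _) in enumerate(trace):
        if eip == oep:
            return i
    return None


if __name__ == "__main__":
    trace = build_sample_trace()
    oep = find_oep(trace)
    print("OEP candidate: 0x%08X" % oep)
    print("packing loop occupies trace[0:%d]" % split_phases(trace, oep))
    for page, count in page_hotspots(trace):
        print("page 0x%08X executed %d instructions" % (page, count))
```

On real traces the write set should be kept at page or byte granularity depending on what the instrumentation provides; a page-fault-based monitor only learns that a page was written, so the heuristic fires on the first execution from a dirtied page rather than a specific byte.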

Page 18: Hello World, ASPack 2.12 (figure)

Page 19: Hello World, ASPack 2.12 (figure)

Page 20: Hello World, PECompact 1.68 (figure)

Page 21: Hello World, PECompact 1.68 (figure)

Page 22: Hello World, UPX 1.20 (figure)

Page 23: Hello World, UPX 1.20 (figure)

Page 24: Hello World, FSG 1.0 (figure)

Page 25: Hello World, FSG 1.0 (figure)

Page 26: Temporal Control of Execution

• Previous methods
  – Virtual machines
  – Debuggers
  – Simple restart
• Problems
  – Time intensive
  – Algorithmic analysis does not need full system restore

Page 27: Snapshotting

• Determine when to snapshot
  – Instruction
  – Basic block
  – Page access

Page 28: Snapshotting

• Preservation of state
  – Register contents
  – Stack contents
  – CPU State
  – Memory

Page 29: Existing Snapshot Tools

• OS Suspend
• Cryopid
• Memory Paging
• OS Scheduler

Page 30: Isolating Important Data

• Memory maps
• Memory hotspots
• Colorimetric memory visualization
• Data motion with silhouette hulls

Page 31: Rebuilding PE files for IDA

How IDA creates its import section .idata and populates subviews Imports, Names

• IMAGE_DIRECTORY_ENTRY_IMPORT
  – RVA (Relative Virtual Address) to Import Directory
• IMAGE_IMPORT_DESCRIPTORs
  – OriginalFirstThunk
    • RVA to INT (Import Names Table)
  – FirstThunk
    • RVA to IAT (Import Address Table)
• Scans code for calls into the INT
• Prepends internal functions to .idata section

Page 32: Rebuilding PE files for IDA

Recovering INT from packed or encrypted PE

– Unpack using Saffron
  • Discover OEP
– Enumerate Loaded Modules
  • CreateToolhelp32Snapshot, Module32First
– Scan Process heaps for Module Address
  • Translate Virtual Address into RVA
– Rebuild INT and IAT
– Dump Process memory
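
A worked example for the two slides above, added here and not code from the deck: a small Python parser over a constructed PE32 image (hypothetical addresses, module bases and export map) laid out as a process-memory dump, so every RVA equals its offset in the buffer, as it is after dumping the unpacked process. parse_imports walks IMAGE_DIRECTORY_ENTRY_IMPORT, reads each IMAGE_IMPORT_DESCRIPTOR and follows OriginalFirstThunk to the INT for names and ordinals. Where a packer has zeroed OriginalFirstThunk, the names are recovered from the resolved FirstThunk (IAT) slots by looking each address up in a module list and export map; the module list stands in for what CreateToolhelp32Snapshot/Module32First would enumerate and the export map for a walk of each module's export table, which is not shown. module_for_va and va_to_rva do the virtual-address-to-RVA translation the slide names.

```python
import struct

# Constructed example: addresses, module bases and the export map are hypothetical.
IMAGE_BASE = 0x00400000            # hypothetical base of the dumped image
IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit of a thunk marks an import by ordinal
IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index of the import directory in the data directory

# Hypothetical loaded-module list (name, base, size) as Module32First/Next would report it,
# and a hypothetical VA -> export-name map built from those modules' export tables.
MODULES = [("KERNEL32.dll", 0x7C800000, 0xF6000), ("msvcrt.dll", 0x77C10000, 0x58000)]
EXPORTS_BY_VA = {0x7C81CAFA: "ExitProcess", 0x7C80AE30: "GetProcAddress",
                 0x7C809A00: "#23", 0x77C1186A: "printf", 0x77C11A7F: "malloc"}


def build_sample_image():
    """Minimal PE32 image as it would look in a process-memory dump: RVA == offset,
    the IAT already holds resolved addresses, and the second descriptor's INT has
    been zeroed (the situation the slide's INT recovery addresses)."""
    img = bytearray(0x500)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x98                                                    # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)             # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                     # NumberOfRvaAndSizes
    dd = opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    struct.pack_into("<II", img, dd, 0x200, 3 * 20)               # import directory RVA, size
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, 0x200, 0x300, 0, 0, 0x400, 0x340)  # KERNEL32: INT intact
    struct.pack_into("<IIIII", img, 0x214, 0x000, 0, 0, 0x440, 0x3A0)  # msvcrt: INT destroyed
    # KERNEL32 INT: two IMAGE_IMPORT_BY_NAME RVAs, one ordinal, zero terminator
    struct.pack_into("<IIII", img, 0x300, 0x410, 0x420, IMAGE_ORDINAL_FLAG32 | 23, 0)
    struct.pack_into("<IIII", img, 0x340, 0x7C81CAFA, 0x7C80AE30, 0x7C809A00, 0)  # KERNEL32 IAT
    struct.pack_into("<III", img, 0x3A0, 0x77C1186A, 0x77C11A7F, 0)                # msvcrt IAT
    img[0x400:0x40D] = b"KERNEL32.dll\0"
    img[0x410:0x41E] = b"\0\0ExitProcess\0"          # IMAGE_IMPORT_BY_NAME: hint + name
    img[0x420:0x431] = b"\0\0GetProcAddress\0"
    img[0x440:0x44B] = b"msvcrt.dll\0"
    return bytes(img)


def read_cstring(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def walk_thunks(img, rva):
    """Yield 32-bit thunk values starting at rva until the zero terminator."""
    while True:
        value = struct.unpack_from("<I", img, rva)[0]
        if value == 0:
            return
        yield value
        rva += 4


def va_to_rva(va, image_base):
    return va - image_base


def module_for_va(va, modules):
    """Which loaded module a resolved IAT value points into: (name, RVA within
    that module), or None when the address lies in no enumerated module."""
    for name, base, size in modules:
        if base <= va < base + size:
            return name, va_to_rva(va, base)
    return None


def parse_imports(img, exports_by_va):
    """Walk IMAGE_DIRECTORY_ENTRY_IMPORT of an RVA-laid-out PE32 image and return
    {dll: [import names]}; where the INT is gone, recover names from the IAT."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                                       # skip signature + file header
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    imp_rva, _size = struct.unpack_from("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    imports, off = {}, imp_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, off)
        if name_rva == 0 and ft == 0:          # all-zero descriptor ends the list
            break
        dll = read_cstring(img, name_rva)
        if oft:                                # INT intact: names/ordinals are in the thunks
            names = ["#%d" % (t & 0xFFFF) if t & IMAGE_ORDINAL_FLAG32
                     else read_cstring(img, t + 2) for t in walk_thunks(img, oft)]
        else:                                  # INT destroyed: resolve each IAT slot by address
            names = [exports_by_va.get(va, "unresolved_%08X" % va) for va in walk_thunks(img, ft)]
        imports[dll] = names
        off += 20
    return imports


if __name__ == "__main__":
    for dll, names in parse_imports(build_sample_image(), EXPORTS_BY_VA).items():
        print(dll, names)
```

A slot whose address falls in no enumerated module (the "unresolved_" case) is the signal to look closer: packers that redirect imports through their own stubs produce exactly that, and those entries need the stub resolved before a rebuilt .idata will be complete.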

Page 33: Malware Demo

Page 34: Information Protection Demo

Page 35: Conclusion

• Quick way to check memory changes
• Shortens analyst time
• Integrate with existing apps
• Visualization adds clarity

Page 36: References

• Visualization Grand Challenges: Illuminating the Path, http://nvac.pnl.gov/docs/RD_Agenda_NVAC_chapter1.pdf
• Dynamic Data Visualization of Meteorological Data, ASA-JSM Data Exposition, 2006
• Visual Signatures in Video Visualization, IEEE Transactions on Visualization and Computer Graphics, Vol. 12, No. 5, September/October 2006
• Static Visualization of Dynamic Data Flow Visual Program Execution, Proceedings of the Sixth International Conference on Information Visualization, IV 2002
• Hoglund, G., McGraw, G., Exploiting Software: How to Break Code, Chapter 3, Addison Wesley, 2004
• Amini, P., Process Stalker, OpenRCE, http://pedram.redhive.com/code/process_stalker/
• Amini, P., PaiMei, OpenRCE, http://www.openrce.org/downloads/details/208/PaiMei
• Eagle, C., x86emu, http://ida-x86emu.sourceforge.net/
• P. Ferrie, Attacks on Virtual Machines, Symantec Advanced Threat Research, 2007
• C. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V.J. Reddi, K. Hazelwood, Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation, Proceedings of the 2005 Conference on Programming Language Design and Implementation, 2005
• Oreas GDE, http://www.oreas.com/index_en.php

Latest slides and code can be found on offensivecomputing.net