tag:blogger.com,1999:blog-55866180975989133452024-03-14T02:36:09.996+00:00Finding VulnerabilitiesThis my personal blog where I share my learnings and hope to contribute to the community.Unknownnoreply@blogger.comBlogger23125tag:blogger.com,1999:blog-5586618097598913345.post-30769753434338393952019-02-27T07:39:00.000+00:002019-02-27T07:57:43.273+00:00Reversing C++ codes tutorial series: Virtual Functions and PolymorphismIn this post, I will be sharing how a key concept in OOP; Polymorphism. I will also share how to identify Virtual functions.<br />
<br />
Key takeaways:<br />
1. Identify the differences between static and virtual functions.<br />
<br />
<b>Assumptions</b><br />
The example code only has a single class and one child class. Both parent and child classes has one virtual function on top of the static ones.<br />
<br />
Let me begin with this C++ code:<br />
<script src="https://gist.github.com/peta909/fac507699397126069085863b8c66a52.js"></script><br />
<br />
<b>Explanation on what the above code does<br />
</b>The above code first define a "Animal" class. The "Animal" class contains 3 public variables "name", "food" and "legs". It also has 4 member functions. "Animal()" is the constructor while "~Animal()" is the destructor function. "Naming" is a member function implemented to interact with the "name" variable in the object of "Animal" class. "Eating" is also a member function but its a Virtual function that interact with variable "food".<br />
<br />
Next, is the definition of a "Cats" class which is a child class of "Animal".The "Cats" class contains variable "toys" and 4 member functions. "Cats()" is the constructor while "~Cats()" is the destructor function. "Playing" is a member function implemented to interact with the "toys" variable in the object of "Cats" class. "Eating" is also a member function but its a Virtual function that interact with variable "food".<br />
<br />
Use of virtual function allows the correct virtual function to be called based on the object type. In this example, the object of class "Animal" would use a different "Eating" function comparing to the one in "Cats". The following shows the output when the above C++ code is executed. Note the output string from "Eating" function for "Animal" object is different from the one for "Cats".<br />
<a href="https://2.bp.blogspot.com/-XtyjVCjG4jg/XHY3o0bP4II/AAAAAAAAA2U/FR6pod-b8Nsb15yeTF3oNFcjgPSgp2-aACLcBGAs/s1600/Code_output.PNG" imageanchor="1" ><img border="0" src="https://2.bp.blogspot.com/-XtyjVCjG4jg/XHY3o0bP4II/AAAAAAAAA2U/FR6pod-b8Nsb15yeTF3oNFcjgPSgp2-aACLcBGAs/s320/Code_output.PNG" width="320" height="221" data-original-width="291" data-original-height="201" /></a><br />
This demonstrate a key concept in OOP, Polymorphism.<br />
<br />
Next is the "Cats" class with 1 public variable "toys". It also have constructor and destructor functions. "Playing" is a member function implemented to interact with the "toys" variable in the object of "Cats" class.<br />
<br />
Inside the main function, an object "Generic_Animal" of type class "Animal" is created. And its member functions "Naming" and "Eating" are called. Then an object pointed by "pCat1" of type class "Cats" is created. The variables "name" and "food" are overwritten with different strings for the object. Finally, the member functions "Playing" and "Eating" are called.<br />
<br />
<b>Analysing the compiled version of the above C++ code<br />
</b>Let's begin by looking into the constructor of the "Animal" class<br />
<a href="https://3.bp.blogspot.com/-3eOLmsAsUd8/XHYjs6RhYPI/AAAAAAAAA14/X4NAAgU8qvAUb_QvT4eAsfMSu_OzsylNwCLcBGAs/s1600/Animal_Constructor.PNG" imageanchor="1" ><img border="0" src="https://3.bp.blogspot.com/-3eOLmsAsUd8/XHYjs6RhYPI/AAAAAAAAA14/X4NAAgU8qvAUb_QvT4eAsfMSu_OzsylNwCLcBGAs/s320/Animal_Constructor.PNG" width="320" height="225" data-original-width="645" data-original-height="453" /></a><br />
<br />
EBX contained the address of the object of type "Animal" class. The first value being initialized is the 'Vftable' or Virtual Function Table. This table contained the address of the virtual functions in the object. In this case its the "Eating" virtual function.<br />
<a href="https://1.bp.blogspot.com/-A2xuO2lxRRQ/XHYklqLqrUI/AAAAAAAAA2A/5dYh1zZej-MsMUwITNLks6aVGoqNGxcvgCLcBGAs/s1600/Animal_Vftable.PNG" imageanchor="1" ><img border="0" src="https://1.bp.blogspot.com/-A2xuO2lxRRQ/XHYklqLqrUI/AAAAAAAAA2A/5dYh1zZej-MsMUwITNLks6aVGoqNGxcvgCLcBGAs/s320/Animal_Vftable.PNG" width="320" height="32" data-original-width="676" data-original-height="67" /></a><br />
<br />
Now we will construct a struct to represent the members in "Animal" class. Take note how the start of the object will be pointer to the Virtual Function table (Vftable) if a virtual function is present.<br />
<a href="https://1.bp.blogspot.com/-AJwr2phT0Mc/XHY5oTVVTPI/AAAAAAAAA2g/zUOOYa_rmgAmAtxC0t85pbGOVII-tVTIwCLcBGAs/s1600/Animal_struct_Vftable.PNG" imageanchor="1" ><img border="0" src="https://1.bp.blogspot.com/-AJwr2phT0Mc/XHY5oTVVTPI/AAAAAAAAA2g/zUOOYa_rmgAmAtxC0t85pbGOVII-tVTIwCLcBGAs/s320/Animal_struct_Vftable.PNG" width="320" height="51" data-original-width="599" data-original-height="95" /></a><br />
<br />
I will skip over the constructor and struct for "Cats" class. However, if you need help just leave a comment below.<br />
<br />
<b>1. Identify the differences between static and virtual functions.<br />
</b>Now, I will go over the difference between static and virtual functions. The following code snipped at the late part of Main().<br />
<a href="https://3.bp.blogspot.com/-F9PLd8xW2ns/XHY9zQj4LlI/AAAAAAAAA3I/pt0QVE2VifEQw9M55KS9_NGVnOm0NbyQQCLcBGAs/s1600/Virtual_vs_Static_Func.PNG" imageanchor="1" ><img border="0" src="https://3.bp.blogspot.com/-F9PLd8xW2ns/XHY9zQj4LlI/AAAAAAAAA3I/pt0QVE2VifEQw9M55KS9_NGVnOm0NbyQQCLcBGAs/s320/Virtual_vs_Static_Func.PNG" width="320" height="49" data-original-width="415" data-original-height="63" /></a><br />
The first call is made to "FN_Cats_Playing" which is the "Playing" function in "Cats" class. Next, the Virtual Function table of "Cats" class is retrieve and the "Call" instruction is made to the first function in the Vftable. The first function is "Eating" in the object of type "Cats".<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-10712037575567547072019-02-25T05:56:00.001+00:002019-02-27T07:55:15.098+00:00Reversing C++ codes tutorial series: Inheritance and Dynamic memoryIn this post, I will be sharing a key concept in OOP; Inheritance. I will also make use of dynamic memory to store the new objects.<br />
<br />
Key takeaways:<br />
1. Identify the differences between object creation of parent from child class.<br />
2. Track the creation of objects using dynamic memory (Heap).<br />
<br />
<b>Assumptions</b><br />
The example code only has a single class and 1 child class. The member functions in class are all static.<br />
<br />
Let me begin with this C++ code:<br />
<script src="https://gist.github.com/peta909/93f701380c4d50df0309102b7b77e334.js"></script><br />
<br />
<b>Explanation on what the above code does</b><br />
Please ignore the commented out codes they will be un-commented for next blog post.<br />
<br />
<b>Explanation on what the above code does<br />
</b>The above code first define a "Animal" class. The "Animal" class contains 3 public variables "name", "food" and "legs". It also has 3 member functions. "Animal()" is the constructor while "~Animal()" is the destructor function. "Naming" is a member function implemented to interact with the "name" variable in the object of "Animal" class.<br />
<br />
Next is the "Cats" class with 1 public variable "toys". It also have constructor and destructor functions. "Playing" is a member function implemented to interact with the "toys" variable in the object of "Cats" class.<br />
<br />
Inside the main function, an object "Generic_Animal" of type class "Animal" is created. And its member function "Naming" is called. Then an object pointed by "pCat1" of type class "Cats" is created. Note that this object is created using the "new" keyword. Finally, the member functions "Naming" and "Playing" are called.<br />
<br />
<br />
<b>Analysing the compiled version of the above C++ code<br />
</b>Let's look at the main() of the binary.<br />
<a href="https://3.bp.blogspot.com/-2qS0SUNCfgI/XHNlY4DAcBI/AAAAAAAAA0A/-8KdokTJLmkIhGczXga5Px0Eool1rzzxQCLcBGAs/s1600/Main.PNG" imageanchor="1" ><img border="0" src="https://3.bp.blogspot.com/-2qS0SUNCfgI/XHNlY4DAcBI/AAAAAAAAA0A/-8KdokTJLmkIhGczXga5Px0Eool1rzzxQCLcBGAs/s320/Main.PNG" width="320" height="314" data-original-width="863" data-original-height="846" /></a><br />
<br />
I have gone ahead to label the constructor of Animal class as "FN_Constructor_Animal", functions related to using of std:string as "FN_String_stuff_XX", function related to use of "New" keyword as "FN_New" and mem copy as FN_MemCopy". If you have trouble understanding how/why I labeled these functions please leave a comment I will explain with more details.<br />
<br />
<b>1. Identify the differences between object creation of parent from child class.<br />
</b>For the object of type class "Animal", it is created in the "FN_Constructor_Animal" function. <br />
<br />
Next is the creation object of type class "Cats". Very soon after the "FN_New" the "FN_Constructor_Animal" is called. This is because "Cats" is the child class of "Animal". So the object of type "Cats" will first be populated with the members of class "Animal". This is the OOP concept, <i>Inheritance</i>.<br />
<br />
Following the "FN_Constructor_Animal" you will see the constructor of "Cats" where the member variables "name" and "food" are overwritten those in "Cats". An additional member variable, "toys" is appended to the object of type "Cats".<br />
This is where you can create the struct for "Animal" and "Cats".<br />
<a href="https://4.bp.blogspot.com/-7KnNSGbk084/XHNtobIqaqI/AAAAAAAAA0k/3_-vK5Deog8_vfQm5UuyrlZvZ2TKnLrLACLcBGAs/s1600/Animal_cats_struct.PNG" imageanchor="1" ><img border="0" src="https://4.bp.blogspot.com/-7KnNSGbk084/XHNtobIqaqI/AAAAAAAAA0k/3_-vK5Deog8_vfQm5UuyrlZvZ2TKnLrLACLcBGAs/s320/Animal_cats_struct.PNG" width="320" height="121" data-original-width="612" data-original-height="231" /></a><br />
<br />
<b>2. Track the creation of objects using dynamic memory (Heap).</b><br />
Zooming into the construction of object type "Cats"<br />
<a href="https://3.bp.blogspot.com/-uRYEWYiMr8k/XHNmDuqlk0I/AAAAAAAAA0Q/86Al7RZdZ6UPAJgq1M4e30yBVIIRkdwUwCLcBGAs/s1600/Cats_Construct.PNG" imageanchor="1" ><img border="0" src="https://3.bp.blogspot.com/-uRYEWYiMr8k/XHNmDuqlk0I/AAAAAAAAA0Q/86Al7RZdZ6UPAJgq1M4e30yBVIIRkdwUwCLcBGAs/s320/Cats_Construct.PNG" width="320" height="201" data-original-width="826" data-original-height="518" /></a><br />
We notice the use of "FN_New". Inside this function contains a call to malloc(), the key is to note the return address of "FN_New" is in the Heap memory which is used to store dynamically allocated memory. The other thing to note is the value 0x38 at 0x0040127C. This is the size of the object created. So we know the size and address of the object type "Cats".<br />
<br />
The following picture show the contents of object type "Cats" in the Heap memory. At 0x00401287 the value of EAX contained the address of the object created in Heap memory.<br />
<a href="https://2.bp.blogspot.com/-OA05OXtR02Q/XHOBAT8SFtI/AAAAAAAAA04/vu-z01WVeac5-6qzFBHeKLJtREHp721yQCLcBGAs/s1600/cats_heap1.PNG" imageanchor="1" ><img border="0" src="https://2.bp.blogspot.com/-OA05OXtR02Q/XHOBAT8SFtI/AAAAAAAAA04/vu-z01WVeac5-6qzFBHeKLJtREHp721yQCLcBGAs/s320/cats_heap1.PNG" width="320" height="43" data-original-width="677" data-original-height="92" /></a><br />
<br />
Next, the constructor of the "Animal" class is called and the member variables and functions are populated. The following happened at 0x00401295 after "FN_Constructor_Animal" is called.<br />
<a href="https://3.bp.blogspot.com/-Tr8FALBV-uA/XHOBYbgdEqI/AAAAAAAAA1A/3GwQ6YpT2RcmLNVj17Dw4Q59eTyOLxnkACLcBGAs/s1600/cats_heap2.PNG" imageanchor="1" ><img border="0" src="https://3.bp.blogspot.com/-Tr8FALBV-uA/XHOBYbgdEqI/AAAAAAAAA1A/3GwQ6YpT2RcmLNVj17Dw4Q59eTyOLxnkACLcBGAs/s320/cats_heap2.PNG" width="320" height="31" data-original-width="659" data-original-height="63" /></a><br />
<br />
Inside the constructor of the "Cats" class the "name" and "food" member variables are overwritten.(0x004012C4 and 0x004012D3). Do note the member variable "legs" remained unchanged but a new member variable "toys" is appended! (0x04012E1)<br />
<a href="https://4.bp.blogspot.com/-_JaZDM1tzgs/XHOCChKeXCI/AAAAAAAAA1g/axaq5YA_EEUgTMbPM1S0B9ku2lH1UKEHQCLcBGAs/s1600/cats_heap5_002812ec.PNG" imageanchor="1" ><img border="0" src="https://4.bp.blogspot.com/-_JaZDM1tzgs/XHOCChKeXCI/AAAAAAAAA1g/axaq5YA_EEUgTMbPM1S0B9ku2lH1UKEHQCLcBGAs/s320/cats_heap5_002812ec.PNG" width="320" height="45" data-original-width="666" data-original-height="93" /></a><br />
<br />
Knowing where the object of type "Cats" is created allowed us to trace the changes taken place inside it.<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-68858520485268444462019-02-25T02:01:00.000+00:002019-02-27T07:50:24.009+00:00Reversing C++ codes tutorial series: Classes and its membersIn this post, I will be sharing how C++ classes are constructed and its members are accessed.<br />
<br />
Key takeaways:<br />
1. Identifying functions written using C++<br />
2. Identifying constructor functions<br />
3. Rebuilding the Class structures using Struct in IDA<br />
4. Understanding how the member variables are accessed in an object.<br />
<br />
<b>Assumptions</b><br />
The example code has a single class. Member functions in the class are all static. All the objects created from the class are stored in local variable and not in the dynamic memory (Heap).<br />
<br />
Let me begin with this C++ code:<br />
<script src="https://gist.github.com/peta909/be3d7045255a77007c957023255e54d8.js"></script><br />
<br />
<b>Explanations on what the above code does<br />
</b>The above code first define a "Fighters" class. The "Fighters" class contains private variable "Stealth" which is only accessible by functions inside the "Fighters" class. The public variable "model","Health" and "Strength" are accessible from outside the "Fighters" class. There are two public member functions "add_steath" and "printinfo" that can be used to interact with the variables in the objects of the "Fighters" class. Finally is the constructor function that was used to initialize the variables in the objects of the "Fighters" class with default values.<br />
<br />
Inside the main function, a object class of type "Fighters" is created and its information is displayed via "printinfo". Next, a "F16" class is created and the "Health" variable is updated to 100. Finally, a "F35" class is created with the variables "Health" and "Strength" updated. The "Stealth" variable can only be updated indirectly via the "add_stealth" function. As the "Stealth" variable is private.<br />
<br />
<b>Analysing the compiled version of the above C++ code<br />
</b>Let's look at the main() of the binary.<br />
<a href="https://2.bp.blogspot.com/-zBFiePVjUao/XG4-CI0U01I/AAAAAAAAAyg/tokXTlymvwwOgVLT06Ybx1tUhaXHPw8OwCLcBGAs/s1600/unlabeled_main.PNG" imageanchor="1" ><img border="0" src="https://2.bp.blogspot.com/-zBFiePVjUao/XG4-CI0U01I/AAAAAAAAAyg/tokXTlymvwwOgVLT06Ybx1tUhaXHPw8OwCLcBGAs/s320/unlabeled_main.PNG" width="260" height="320" data-original-width="1090" data-original-height="1342" /></a><br />
<br />
<b>1. Identifying functions written using C++</b><br />
Let begin by locating those functions written with C++. These functions that have an argument passed into them via register ECX. This argument is the "This" pointer. The "This" pointer is used to referenced the instance of the object and its contents (member functions and variables).<br />
<br />
<b>2. Identifying constructor functions</b><br />
Among these C++ functions, we have to locate the constructor. This function is called whenever an instance of an object is created. Therefore, this function is called before the member functions of the class. The function that contained code that initializes the member variables would likely be the constructor.<br />
<br />
This is the constructor of the "Fighters" class.<br />
<a href="https://3.bp.blogspot.com/-zzyeeW3og0I/XG5ttl5M59I/AAAAAAAAAy8/l5gtVd3YJkIEHEDwlylfcMO1yyX75dodwCLcBGAs/s1600/before_label_construct.PNG" imageanchor="1" ><img border="0" src="https://3.bp.blogspot.com/-zzyeeW3og0I/XG5ttl5M59I/AAAAAAAAAy8/l5gtVd3YJkIEHEDwlylfcMO1yyX75dodwCLcBGAs/s320/before_label_construct.PNG" width="320" height="287" data-original-width="1298" data-original-height="1165" /></a><br />
<br />
<b>3. Rebuilding the Class structures using Struct in IDA</b><br />
The ECX register is passed into the constructor function from the caller. ECX contained the "This" pointer. The "This" pointer value is then stored in the local variable "var_10". Next you will observe how values are stored into offsets from "var_10". At this point it would be useful to re-create the struct of the objects of the "Fighters" class. <br />
To do so we can go to View->Open subviews->Structures or Shift+F9<br />
<br />
Given the offset values and the types of data being initialized at the various offsets. <br />
We will then create the structure of the "Fighers" class as shown below.<br />
<a href="https://4.bp.blogspot.com/-ZSjxPOWrimo/XG5u6j5b4TI/AAAAAAAAAzE/0rY8rykVZgcqebb-Xq-HQY2h8pYgnpPZQCLcBGAs/s1600/Struct_Created.PNG" imageanchor="1" ><img border="0" src="https://4.bp.blogspot.com/-ZSjxPOWrimo/XG5u6j5b4TI/AAAAAAAAAzE/0rY8rykVZgcqebb-Xq-HQY2h8pYgnpPZQCLcBGAs/s320/Struct_Created.PNG" width="320" height="53" data-original-width="1173" data-original-height="194" /></a><br />
<br />
We can compare the struct to the "Fighters" class definition code as shown below.<br />
<!-- HTML generated using hilite.me --><div style="background: #ffffff; overflow:auto;width:auto;border:solid gray;border-width:.1em .1em .1em .8em;padding:.2em .6em;"><table><tr><td><pre style="margin: 0; line-height: 125%">1
2
3
4
5
6</pre></td><td><pre style="margin: 0; line-height: 125%">Fighters() {
model <span style="color: #333333">=</span> <span style="background-color: #fff0f0">"Default Model"</span>;
Health <span style="color: #333333">=</span> <span style="color: #0000DD; font-weight: bold">50</span>;
Strength <span style="color: #333333">=</span> <span style="color: #0000DD; font-weight: bold">50</span>;
Stealth <span style="color: #333333">=</span> <span style="color: #0000DD; font-weight: bold">0</span>;
}
</pre></td></tr>
</table></div><br />
4. Understanding how the member variables are accessed in an object.<br />
We will apply the struct offsets to the constructor by Right clicking on the offset and choose "Structure offset".<br />
<a href="https://4.bp.blogspot.com/-6pJnvSj0OIk/XG5viEQLfBI/AAAAAAAAAzM/ah65zObPhDMY32G6AYHB-354Qi7qi2d1ACLcBGAs/s1600/After_label_struct.PNG" imageanchor="1" ><img border="0" src="https://4.bp.blogspot.com/-6pJnvSj0OIk/XG5viEQLfBI/AAAAAAAAAzM/ah65zObPhDMY32G6AYHB-354Qi7qi2d1ACLcBGAs/s320/After_label_struct.PNG" width="320" height="65" data-original-width="1292" data-original-height="263" /></a><br />
<br />
Next we can go on to label the offsets in main and other member functions of "Fighters" class.<br />
<a href="https://1.bp.blogspot.com/-qCrOeqV3l7M/XG5wAopolnI/AAAAAAAAAzU/p1aTIM_9xDQyzdQHDbBgEqJvQhcmf_wegCLcBGAs/s1600/labelled_main.PNG" imageanchor="1" ><img border="0" src="https://1.bp.blogspot.com/-qCrOeqV3l7M/XG5wAopolnI/AAAAAAAAAzU/p1aTIM_9xDQyzdQHDbBgEqJvQhcmf_wegCLcBGAs/s320/labelled_main.PNG" width="274" height="320" data-original-width="1107" data-original-height="1294" /></a><br />
<br />
After labeling the offsets and member functions we can have a better understanding of how the members of the class are accessed.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-4892881288517825742019-02-21T09:41:00.001+00:002019-03-02T00:53:20.482+00:00Reversing C++ codes tutorial series: IntroductionI realised reversing binaries written using C++ with OOP is pretty challenging to some (including myself). I hope to write a series of posts to explain the steps of reversing these binaries. I will make use of both the C++ source and compiled codes in my explanations. I will also include some of the OO concepts in my posts as they impact the behaviors of the binaries.<br />
<br />
I have no idea how many posts i will write for this series but I will try to keep each post short and focus on the key points.<br />
<br />
I am by no means and OOP expert but by writing these posts, I hope to strengthen my learning and share what I learned to the community. As always I welcome all comments and questions to my post. :)<br />
<br />
Tools I used:<br />
1. MS Visual Studio 2017 Professional<br />
2. IDA Pro<br />
<br />
Thanks to a tip from @ronindey to remind me to add urls to individual posts in this series.<br />
<br />
<a href="https://findingvulns.blogspot.com/2019/02/reversing-c-codes-tutorial-series_25.html"></a><a href="https://findingvulns.blogspot.com/2019/02/reversing-c-codes-tutorial-series_25.html" target="_blank">1. Classes and its members</a><br />
<a href="https://findingvulns.blogspot.com/2019/02/reversing-c-codes-tutorial-series_8.html" target="_blank">2. Inheritance and Dynamic memory</a><br />
<a href="https://findingvulns.blogspot.com/2019/02/reversing-c-codes-tutorial-series_27.html" target="_blank">3. Virtual Functions and Polymorphism</a><br />
<br />
<a href="https://findingvulns.blogspot.com/2019/02/reversing-c-codes-tutorial-series_25.html"></a><br />
<br />
<a href="https://findingvulns.blogspot.com/2019/02/reversing-c-codes-tutorial-series_8.html"></a> <br />
<br />
<a href="https://findingvulns.blogspot.com/2019/02/reversing-c-codes-tutorial-series_27.html"></a><br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-12181810194573344302019-01-18T03:10:00.001+00:002019-01-18T03:10:12.997+00:00Windows Internals: Windows process and their handlesIn this post, I will document a behavior of the Windows kernel structure, EProcess. EProcess is created whenever, a process is created in Windows. However, when a process terminate, we may assume EProcess just get cleaned up. However, this may not always be the case.<br />
<br />
I will show what happens if a process is terminated but handles to the process is still held (or opened) by another process.<br />
<br />
The following is a code that I will be using to explain this scenario:<br />
<br />
<script src="https://gist.github.com/peta909/2879f05b0e2074e5440c0ad5f032e397.js"></script><br />
<br />
The code is pretty simple. It used CreateProcessW() to launch a notepad process. Then, it calls WaitForSingleObject() to wait forever(infinite) till the notepad process is closed before the execution continues.<br />
<br />
Using Process Explorer, we can observe a parent process that was created after the code is executed and then a child process (notepad.exe) will be created.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-QjtPCtYHOC4/XEFB3YGW54I/AAAAAAAAAx0/JD8FZtYGCqATiLvzt_NHWvMhEY79KEU8QCLcBGAs/s1600/PPID_CPID.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="58" data-original-width="304" height="61" src="https://2.bp.blogspot.com/-QjtPCtYHOC4/XEFB3YGW54I/AAAAAAAAAx0/JD8FZtYGCqATiLvzt_NHWvMhEY79KEU8QCLcBGAs/s320/PPID_CPID.PNG" width="320" /></a></div>
<br />
To demonstrate what happened to the EProcess structure of the notepad process, I will use local kernel debugging with Windbg.<br />
<br />
First I will set a breakpoint at the following line.<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #ffffff; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2</pre>
</td><td><pre style="line-height: 125%; margin: 0;"> CloseHandle(pi.hProcess);<span style="color: #008800; font-style: italic;">//Handles must be explicitly closed if not parent process will hold on to it even if child process is terminated.</span>
CloseHandle(pi.hThread);
</pre>
</td></tr>
</tbody></table>
</div>
<br />
<br />
I will let the code compile and start debugging (F5 in VS2017).<br />
<br />
A new EProcess structure for the notepad process will be created and let's see it in Windbg.<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #111111; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2
3
4
5</pre>
</td><td><pre style="line-height: 125%; margin: 0;"><span style="color: white;">lkd> !process 0 0 notepad.exe</span>
<span style="color: white;">PROCESS fffffa800cdfab30</span>
<span style="color: white;"> SessionId: 1 Cid: 0e40 Peb: 7efdf000 ParentCid: 0ee4</span>
<span style="color: white;"> DirBase: 1510a000 ObjectTable: fffff8a003fd9dc0 HandleCount: 91.</span>
<span style="color: white;"> Image: notepad.exe</span>
</pre>
</td></tr>
</tbody></table>
</div>
<br />
We can see this the only EProcess structure created for notepad.exe. At this point the code is waiting indefinitely till the notepad process is terminated (or signaled)<br />
<br />
Using Process Explorer, we can observed 2 handles inside the process that was generated by the code. These 2 handles were generated when the child process (notepad.exe) was created.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-zud4mRJIko8/XEE31U6U4eI/AAAAAAAAAxc/_Msy3ap9KuM3HtB798GrV6tANhc3CI7QQCLcBGAs/s1600/ProcessHandles.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="37" data-original-width="543" height="27" src="https://3.bp.blogspot.com/-zud4mRJIko8/XEE31U6U4eI/AAAAAAAAAxc/_Msy3ap9KuM3HtB798GrV6tANhc3CI7QQCLcBGAs/s400/ProcessHandles.PNG" width="400" /></a></div>
<br />
Now let's close the notepad.exe application. The notepad process will now be terminated and the code will execute till the breakpoint is hit. <br />
<br />
What we observed in Process Explorer:<br />
1. The notepad process is no longer present.<br />
2. The 2 handles to the notepad process is still present in the parent process.<br />
<br />
However, when we go to windbg the EProcess structure for the notepad process is also still present.<br />
<br />
Let's step over both lines of the following code in VS2017.<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #ffffff; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2</pre>
</td><td><pre style="line-height: 125%; margin: 0;"> CloseHandle(pi.hProcess);<span style="color: #008800; font-style: italic;">//Handles must be explicitly closed if not parent process will hold on to it even if child process is terminated.</span>
CloseHandle(pi.hThread);
</pre>
</td></tr>
</tbody></table>
</div>
<br />
The EProcess structure for the notepad process is GONE!<br />
<br />
In summary,<br />
The EProcess structure for a Windows process will only be removed after all the handles to the process is closed.<br />
<br />
Please leave me any comments or questions below if you have any. :)<br />
<br />
Additional notes:<br />
The demo is done using Windows 7 x64, visual studio 2017 (VS2017), Windbg and Process Explorer.<br />
Windbg is running as a local kernel debugging. (Able to only READ the kernel memory.)<br />
Detail type information of the EProcess structure can be retrieved via this windbg command, dt nt!_EPROCESS<br />
In Windows, processes and threads, signaled means that they are terminated.<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-92097515276906084252018-05-04T08:32:00.000+01:002018-05-04T08:44:35.028+01:00Enabling Powershell 5 LOGGING for Windows 7<span style="font-family: inherit; font-size: large;">Powershell is a very common 'tool' used by attackers these days. Therefore, we need to monitor the use of it or be able to log it's activities during malware analysis. I found this <a href="https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" target="_blank">blog</a> from Fireeye that showed how to turn it on for Windows 7. However, its missing a few steps. After installing the necessary updates according to the </span><a href="https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" style="font-size: x-large;" target="_blank">blog</a>,<span style="font-family: inherit; font-size: large;"> I wasn't able to see the logging configurations in the GP editor. </span><br />
<span style="font-family: inherit; font-size: large;"><br /></span>
<span style="font-family: inherit; font-size: large;">Here I will document the steps needed to reveal the configurations in </span><span style="background-color: white; font-size: large;">GP editor in Windows 7.</span><span style="font-family: inherit; font-size: large;">.</span><br />
<span style="font-family: inherit; font-size: large;"><br /></span>
<span style="font-size: large;"><span style="font-family: inherit;">First you will need to download the </span>necessary<span style="font-family: inherit;"> administrative templates </span><a href="https://www.blogger.com/Administrative%20Templates%20(.admx)%20for%20Windows%208.1%20and%20Windows%20Server%202012%20R2:%20http://www.microsoft.com/en-us/download/details.aspx?id=41193" style="font-family: inherit;" target="_blank">here</a><span style="font-family: inherit;">.</span></span><br />
<span style="font-family: inherit; font-size: large;"><br /></span>
<span style="font-family: inherit; font-size: large;">After installing the templates, you will need to <span style="background-color: white;">locate the files “PowerShellExecutionPolicy.admx”, and the “PowerShellExecutionPolicy.adml”. They are copied to </span><span style="background-color: white;">“\Program Files (x86)\Microsoft Group Policy” by the installer</span><span style="background-color: white;"> . </span></span><br />
<span style="font-family: inherit; font-size: large;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: inherit; font-size: large;"><span style="background-color: white;">Then copy them </span><span style="background-color: white;"><i>into </i></span><span style="background-color: white;">%systemroot%\PolicyDefinitions.</span></span><br />
<span style="font-family: inherit; font-size: large;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: inherit; font-size: large;"><span style="background-color: white;">After the above steps finally, you will see this in the GP editor in Windows 7.</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-EWmLDXbPBqY/WuwL9ShtbWI/AAAAAAAAAtw/O01rTb68JbsfUx_ix4g2NZ47yZpNWyMeQCLcBGAs/s1600/Screen%2BShot%2B2018-05-04%2Bat%2B15.28.42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1503" data-original-width="1600" height="375" src="https://1.bp.blogspot.com/-EWmLDXbPBqY/WuwL9ShtbWI/AAAAAAAAAtw/O01rTb68JbsfUx_ix4g2NZ47yZpNWyMeQCLcBGAs/s400/Screen%2BShot%2B2018-05-04%2Bat%2B15.28.42.png" width="400" /></a></div>
<span style="font-family: inherit; font-size: large;"><span style="background-color: white;"><br /></span></span>
<span style="background-color: white; color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif; font-size: 14px;"><br /></span>
<span style="background-color: white;"><span style="color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif;"><span style="font-size: 14px;">Just to clarify here, I found the above steps from these blogs and forums.</span></span></span><br />
<span style="background-color: white;"><span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="color: #2a2a2a; font-family: segoe ui, lucida grande, verdana, arial, helvetica, sans-serif; font-size: 14px;">https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html</span></span></span><br />
<span style="background-color: white; font-size: 14px;"><span style="color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif;">https://www.blackhillsinfosec.com/powershell-logging-blue-team/</span></span><br />
<span style="background-color: white; font-size: 14px;"><span style="color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif;">https://social.technet.microsoft.com/Forums/ie/en-US/2f3c75ed-97e6-4b62-9157-2f7ef6766e19/powershell-gpo-settings-not-available-download-admx-file?forum=winserverGP</span></span><br />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-54600321951209422222018-04-29T17:41:00.001+01:002018-05-01T09:49:48.201+01:00Using IDA Pro debugger and IDApython script to label indirect functions calls.One of the ways malware authors want to hide the intend of the malware he/she is writing is by keeping the Import Address Table small or filled with useless functions. To do so an IAT would be created during the execution of the malware. There would be many indirection function calls similar to the one below. (The boxes filled with <span style="background-color: yellow;">Yellow</span> are CALL instructions.)<br />
<br />
Without executing the malware, its hard to determine which function would be called by these indirect function calls.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-_dVM4KMp46Q/WuXtnKtO7gI/AAAAAAAAAsQ/2gm6dolZfQQDegAh72t1ZXkHHZl3KK2fQCLcBGAs/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="790" data-original-width="882" height="357" src="https://4.bp.blogspot.com/-_dVM4KMp46Q/WuXtnKtO7gI/AAAAAAAAAsQ/2gm6dolZfQQDegAh72t1ZXkHHZl3KK2fQCLcBGAs/s400/Capture.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
After executing the malware using the IDA debugger, we can see the in-direct function calls are pointing to addresses in a list of function pointers. The address of the function pointer is stored in the ESI register. E.g. Call [esi+3c]<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-UydL3Xe2tLg/WuXtmxR-OSI/AAAAAAAAAsk/WJxINV9IfIoEQ4ZlvT2AGoWV3kUZDaVMQCEwYBhgL/s1600/Func_ptrs.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="572" data-original-width="674" height="337" src="https://1.bp.blogspot.com/-UydL3Xe2tLg/WuXtmxR-OSI/AAAAAAAAAsk/WJxINV9IfIoEQ4ZlvT2AGoWV3kUZDaVMQCEwYBhgL/s400/Func_ptrs.PNG" width="400" /></a></div>
<br />
To speed up our analysis we could now find a means to help us label the addresses of the in-direct function calls with the function names that it is referencing.<br />
To do so we could use the following python script:<br />
<br />
<script src="https://gist.github.com/peta909/b19a84b6b33fd5f04b5b87e8f623259f.js"></script><br />
After running the script, we could see the address of the function pointers being renamed.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-lCFyemdVw0o/WuXtnWwkAII/AAAAAAAAAsk/JouoShKO5UkOZap6JnzpLFP9-77lYuDIQCEwYBhgL/s1600/Func_ptrs_renamed.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="574" data-original-width="1083" height="211" src="https://3.bp.blogspot.com/-lCFyemdVw0o/WuXtnWwkAII/AAAAAAAAAsk/JouoShKO5UkOZap6JnzpLFP9-77lYuDIQCEwYBhgL/s400/Func_ptrs_renamed.PNG" width="400" /></a></div>
<br />
We will need to create a struct from the function pointers.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-U6GJ2rWj0Pk/WuXtn9vqxFI/AAAAAAAAAsg/Z-45Yz8gmug5rIlGJ_l3Ja6GiRta5_tEACEwYBhgL/s1600/IAT_struct.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="628" data-original-width="752" height="333" src="https://4.bp.blogspot.com/-U6GJ2rWj0Pk/WuXtn9vqxFI/AAAAAAAAAsg/Z-45Yz8gmug5rIlGJ_l3Ja6GiRta5_tEACEwYBhgL/s400/IAT_struct.PNG" width="400" /></a></div>
<br />
Finally, we could right click and label the in-direct function calls with the function that it is going to call.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-tHRuraO4rmU/WuXtn2oi1lI/AAAAAAAAAsk/WKfau-Ie7ok502_uJbP9pGcnnrnmSpGwgCEwYBhgL/s1600/Labelled_Indirect_Func_Calls.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="668" data-original-width="676" height="395" src="https://2.bp.blogspot.com/-tHRuraO4rmU/WuXtn2oi1lI/AAAAAAAAAsk/WKfau-Ie7ok502_uJbP9pGcnnrnmSpGwgCEwYBhgL/s400/Labelled_Indirect_Func_Calls.PNG" width="400" /></a></div>
<br />
<br />
<br />
I know I have left out a few steps like how to use IDAPro debugger, create a struct and details of the functions used in the script. Just leave me a comment or question if you need more details. :)<br />
<br />
Thanks to @nullandnull's tweet reply, I have updated my script to support the following:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-QO9KkRlinkQ/Wugaxi4U5EI/AAAAAAAAAtA/4eJG3_i_gtIH7AB7ghmxnWhkgzOsSdpeACLcBGAs/s1600/Screen%2BShot%2B2018-05-01%2Bat%2B15.43.06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="294" data-original-width="1248" height="93" src="https://1.bp.blogspot.com/-QO9KkRlinkQ/Wugaxi4U5EI/AAAAAAAAAtA/4eJG3_i_gtIH7AB7ghmxnWhkgzOsSdpeACLcBGAs/s400/Screen%2BShot%2B2018-05-01%2Bat%2B15.43.06.png" width="400" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-rih8dOEuIKE/WugqIKtPQYI/AAAAAAAAAtY/z542VPBuaDMNlWaU4f08AAv9yaBeR5v7QCLcBGAs/s1600/Function_prototypes.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="858" data-original-width="1600" height="213" src="https://2.bp.blogspot.com/-rih8dOEuIKE/WugqIKtPQYI/AAAAAAAAAtY/z542VPBuaDMNlWaU4f08AAv9yaBeR5v7QCLcBGAs/s400/Function_prototypes.PNG" width="400" /></a></div>
<br />
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; text-align: right; font: 12.0px Helvetica}
p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica}
table.t1 {border-collapse: collapse}
td.td1 {border-style: solid; border-width: 1.0px 1.0px 1.0px 1.0px; border-color: #cbcbcb #cbcbcb #cbcbcb #cbcbcb; padding: 0.0px 5.0px 0.0px 5.0px}
</style>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-29061324591704025772017-02-23T16:49:00.004+00:002017-02-23T16:49:44.430+00:00Analysis of Rovnix Dropper 5/5 - Driver and Bootkit InstallationIn the final post on the my analysis of the Rovnix dropper, I will document how the sample install drivers and bootkits.<br />
<br />
After achieving HIGH integrity as documented in the previous <a href="https://findingvulns.blogspot.sg/2017/02/analysis-of-rovnix-dropper-bypassing.html" target="_blank">post</a>, the sample will first terminate its parent process which is likely to be the sysprep.exe process.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-ESddfk7cc9Q/WK8OK0G1vgI/AAAAAAAAAk4/xmO8BuW8foIAdL_zb3IrQxcMvz6fU3hywCEw/s1600/KillPPID.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="139" src="https://4.bp.blogspot.com/-ESddfk7cc9Q/WK8OK0G1vgI/AAAAAAAAAk4/xmO8BuW8foIAdL_zb3IrQxcMvz6fU3hywCEw/s640/KillPPID.png" width="640" /></a></div>
<br />
Next, the sample check for the use of volume encryption application such as Bitlocker and Truecrypt.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-5qcVeyh2jyc/WK8OK27OTiI/AAAAAAAAAk8/RlnCYvSXJ-8mwxKaXulaAwL8m80J0RxVwCEw/s1600/locateCrypt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="347" src="https://3.bp.blogspot.com/-5qcVeyh2jyc/WK8OK27OTiI/AAAAAAAAAk8/RlnCYvSXJ-8mwxKaXulaAwL8m80J0RxVwCEw/s640/locateCrypt.png" width="640" /></a></div>
<br />
Then the sample checks if it has sufficient privileges (SeLoadDriverPrivilege and SeShutdownPrevilege)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-CtVCALwNhcQ/WK8OK-3xXxI/AAAAAAAAAlA/TAAccgysmKAzR3BUIJMUxmDMcRdjS7REACEw/s1600/ChkPriv.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://4.bp.blogspot.com/-CtVCALwNhcQ/WK8OK-3xXxI/AAAAAAAAAlA/TAAccgysmKAzR3BUIJMUxmDMcRdjS7REACEw/s640/ChkPriv.png" width="513" /></a></div>
<br />
With sufficient previleges, the sample will now load and install the driver as a service. The service name is created with the string "BS" concat with the volume ID of the HDD of the victim machine.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-ypgJ54ZpJnA/WK8PiFU5YgI/AAAAAAAAAlU/AV8F0EJmwSgxmPszAeqZ6PYZBjK2bHFmACLcB/s1600/loadNTFS.sys.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="584" src="https://2.bp.blogspot.com/-ypgJ54ZpJnA/WK8PiFU5YgI/AAAAAAAAAlU/AV8F0EJmwSgxmPszAeqZ6PYZBjK2bHFmACLcB/s640/loadNTFS.sys.png" width="640" /></a></div>
<br />
After installing the NotMyFault driver, the bootkit will be injected next.<br />
<br />
A x64 driver payload would be decrypted first.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-vUyTzh_LqEg/WK8Qh_aFHlI/AAAAAAAAAlk/zMw0LZOpbpkZTePQVOEX-X7my4mwp9cBACLcB/s1600/DecyrptDrivPayload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="457" src="https://4.bp.blogspot.com/-vUyTzh_LqEg/WK8Qh_aFHlI/AAAAAAAAAlk/zMw0LZOpbpkZTePQVOEX-X7my4mwp9cBACLcB/s640/DecyrptDrivPayload.png" width="640" /></a></div>
Next, the modified Initial Program Loader (IPL) in the Volume Boot Record (VBR) would be decrypted<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/--41xNw5jEbE/WK8Qh2VoBNI/AAAAAAAAAlg/a0FpdNXS5nkcxWos5YRmJXzSSiwqZ617QCEw/s1600/DecryptVBR.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="632" src="https://1.bp.blogspot.com/--41xNw5jEbE/WK8Qh2VoBNI/AAAAAAAAAlg/a0FpdNXS5nkcxWos5YRmJXzSSiwqZ617QCEw/s640/DecryptVBR.png" width="640" /></a></div>
Then both these payloads would be injected into the HDD sectors<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-uYpjv3YGvBc/WK8QhwgIplI/AAAAAAAAAlc/e1I0_niEYwcYa5QF9Hd_lk5j_bic0-I6ACEw/s1600/WriteintoHDDsectors.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://2.bp.blogspot.com/-uYpjv3YGvBc/WK8QhwgIplI/AAAAAAAAAlc/e1I0_niEYwcYa5QF9Hd_lk5j_bic0-I6ACEw/s640/WriteintoHDDsectors.png" width="640" /></a></div>
<br />
The driver payload would be written into sector 0x1600 (5632)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-p2rpIGztBMo/WK8RlqJ6bUI/AAAAAAAAAls/IQzP8kixfUcY8DgNQtufPFfxAjouxt5fgCLcB/s1600/DrvPayloadHDDsector.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://3.bp.blogspot.com/-p2rpIGztBMo/WK8RlqJ6bUI/AAAAAAAAAls/IQzP8kixfUcY8DgNQtufPFfxAjouxt5fgCLcB/s640/DrvPayloadHDDsector.png" width="640" /></a></div>
<br />
The IPL of the VBR is overwritten.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-ZHFdYnC-QpY/WK8RlnekVPI/AAAAAAAAAlw/vuCtsx62TEga5K7mrLQpLVUaYAeChky0gCEw/s1600/VBR.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://2.bp.blogspot.com/-ZHFdYnC-QpY/WK8RlnekVPI/AAAAAAAAAlw/vuCtsx62TEga5K7mrLQpLVUaYAeChky0gCEw/s640/VBR.png" width="640" /></a></div>
<br />
The driver payload and the IPL modification is now completed! The Rovnix dropped will cause a BSOD via the <a href="https://technet.microsoft.com/en-us/sysinternals/notmyfault.aspx" target="_blank">NotMyFault</a> driver.<br />
<br />
This concludes the long over due blog posts on my analysis of the Rovix dropper. I hope to document how the dynamic analysis from the execution of the modified IPL to the loading of the driver payload.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-89894125610148925612017-02-23T16:15:00.002+00:002017-02-23T16:24:40.215+00:00 Analysis of Rovnix Dropper 4/5- Bypassing UACIn the <a href="https://findingvulns.blogspot.sg/2017/02/analysis-of-rovnix-dropper-information.html" target="_blank">first</a> post, I mentioned that the sample always caused a BSOD after execution. The BSOD was due the execution of the <a href="https://technet.microsoft.com/en-us/sysinternals" target="_blank">Sysinternals</a> tool, <a href="https://technet.microsoft.com/en-us/sysinternals/notmyfault.aspx" target="_blank">NotMyFault</a>. In this post, I will cover how <a href="https://technet.microsoft.com/en-us/sysinternals/notmyfault.aspx" target="_blank">NotMyFault</a> was installed and executed by the sample.<br />
<br />
The sample works for both x86 and x64 Windows environments. In x64 Windows, drivers had to be signed before they could be loaded and executed. <a href="https://technet.microsoft.com/en-us/sysinternals/notmyfault.aspx" target="_blank">NotMyFault</a> was actually signed a driver that was signed by Sysinternals. This driver was considered legit and would be loaded by Windows x64.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-wU5p0wu0-Yc/WK77okx6PFI/AAAAAAAAAi0/8A2Yr73N-AsxyyFy5G-S1CiRmee2bsYFgCLcB/s1600/NotMyFaultsignature.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="143" src="https://4.bp.blogspot.com/-wU5p0wu0-Yc/WK77okx6PFI/AAAAAAAAAi0/8A2Yr73N-AsxyyFy5G-S1CiRmee2bsYFgCLcB/s400/NotMyFaultsignature.png" width="400" /></a></div>
<br />
However, the sample could not load drivers directly as it had only MEDIUM integrity. The User Access Control (UAC) would prompt users to ask for permission to load and install the driver. To bypass UAC the sample executed the following 4 steps.<br />
<br />
<ol>
<li>Write a modified cryptbase.dll into the temp directory.</li>
<li>Pack the modified cryptbase.dll into cryptbase.msu using makecab.exe</li>
<li>Extract cryptbase.msu into C:\Windows\system32\sysprep using wusa.exe</li>
<li>Execute C:\Windows\systems32\sysprep\sysprep.exe using command promp</li>
</ol>
<div>
As a result of the UAC bypass technique, the modified cryptbase.dll was used to execute the sample again with HIGH integrity to load and install the <a href="https://technet.microsoft.com/en-us/sysinternals/notmyfault.aspx" target="_blank">NotMyFault</a> driver.</div>
<div>
<br /></div>
<div>
Details on the UAC bypass technique could be found in this <a href="https://www.greyhathacker.net/?p=796" target="_blank">blog post</a> by <a href="https://twitter.com/ParvezGHH" target="_blank">Parvez Anwar</a>.</div>
<div>
<br /></div>
<div>
Next, I would document how cryptbase.dll was modified and then trace the modified code to execute the sample with HIGH integrity.</div>
<div>
<br /></div>
<div>
The sample would have to decode a blob of codes required to overwrite into cryptbase.dll</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-CG-3KpGxJnQ/WK8DXkRM0DI/AAAAAAAAAjQ/Dvk_3W5wBB40QVcf8663-J7G1kqSYFxdgCLcB/s1600/DecodeCryptbasedll.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="305" src="https://4.bp.blogspot.com/-CG-3KpGxJnQ/WK8DXkRM0DI/AAAAAAAAAjQ/Dvk_3W5wBB40QVcf8663-J7G1kqSYFxdgCLcB/s640/DecodeCryptbasedll.png" width="640" /></a></div>
<div>
<br /></div>
<div>
A loop to locate the .rsrc section in the cryptbase.dll was executed.</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Q1ffWhIebSg/WK8DoBU3ZAI/AAAAAAAAAjc/TgDO-3sFSZwU2m95q5YV76ZbLjDGEchQACLcB/s1600/LocateRsRc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="https://1.bp.blogspot.com/-Q1ffWhIebSg/WK8DoBU3ZAI/AAAAAAAAAjc/TgDO-3sFSZwU2m95q5YV76ZbLjDGEchQACLcB/s640/LocateRsRc.png" width="640" /></a></div>
<div>
<br /></div>
<div>
The strings and function addresses required were also written into cryptbase.dll.</div>
<div>
The Address of Entry Point (AOE) was also updated to point to the start of the .rsrc section.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Rt_I27jk4CA/WK8D83SIFuI/AAAAAAAAAjg/Qn_RUMxxJfAUFNKGIfYT75IZwUoNJUQmgCLcB/s1600/UpdateStringAddr.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="610" src="https://3.bp.blogspot.com/-Rt_I27jk4CA/WK8D83SIFuI/AAAAAAAAAjg/Qn_RUMxxJfAUFNKGIfYT75IZwUoNJUQmgCLcB/s640/UpdateStringAddr.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Finally the checksum was also calculated and updated into the PE header of cryptbase.dll</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-XCwLHgaKvH0/WK8ENQidF0I/AAAAAAAAAjo/IKzjpywabd0PLu7sBc5VcZjyNiSArevoACLcB/s1600/CalChkSum.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://3.bp.blogspot.com/-XCwLHgaKvH0/WK8ENQidF0I/AAAAAAAAAjo/IKzjpywabd0PLu7sBc5VcZjyNiSArevoACLcB/s640/CalChkSum.png" width="611" /></a></div>
<div>
<br /></div>
<div>
The following is the PE header of the original cryptbase.dll note its AOE.</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-If4GRKKNkFw/WK8FVbGM8DI/AAAAAAAAAj0/L3wOsKcuYXcNG2cg4etTGCE7UiCcA1uwwCLcB/s1600/OriCryptbase.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://4.bp.blogspot.com/-If4GRKKNkFw/WK8FVbGM8DI/AAAAAAAAAj0/L3wOsKcuYXcNG2cg4etTGCE7UiCcA1uwwCLcB/s640/OriCryptbase.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Next is the modified cryptbase.dll with a different AOE.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-PUlR1dKTQmY/WK8FQ-FVWhI/AAAAAAAAAjw/Z4jWGamRQGUGzOxd9dvK6zj_yXtnj2dgACEw/s1600/ModCryptbase.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://4.bp.blogspot.com/-PUlR1dKTQmY/WK8FQ-FVWhI/AAAAAAAAAjw/Z4jWGamRQGUGzOxd9dvK6zj_yXtnj2dgACEw/s640/ModCryptbase.png" width="640" /></a></div>
<div>
<br /></div>
<div>
After looking at how cryptbase.dll was modified. Let us trace how the modified cryptbase.dll was used to load and install the <a href="https://technet.microsoft.com/en-us/sysinternals/notmyfault.aspx" target="_blank">NotMyFault</a> driver. Do note that the cryptbase.dll was loaded by sysprep.exe. I used the <a href="http://x64dbg.com/" target="_blank">x64dbg</a> debugger to debug sysprep.exe in Windows x64.</div>
<div>
<br /></div>
<div>
Inside the DLL entry point of cryptbase.dll is a loop to locate the virtual address of the .rsrc section.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-DsFPGEFSLBc/WK8HDa7ureI/AAAAAAAAAkI/BnGj_RFQFmwA3YKJvnZ5V5MCtpu53fxygCLcB/s1600/LocateRSRCVA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://3.bp.blogspot.com/-DsFPGEFSLBc/WK8HDa7ureI/AAAAAAAAAkI/BnGj_RFQFmwA3YKJvnZ5V5MCtpu53fxygCLcB/s640/LocateRSRCVA.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Next a indirect call was made to the CreateThread function to start a new thread.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-uBS7ziAIsfw/WK8HDQCpzfI/AAAAAAAAAkM/9POYhd93mzEPEfuPb5VXOg_MWDdejt-DgCEw/s1600/CryptbaseCreatethread.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://1.bp.blogspot.com/-uBS7ziAIsfw/WK8HDQCpzfI/AAAAAAAAAkM/9POYhd93mzEPEfuPb5VXOg_MWDdejt-DgCEw/s640/CryptbaseCreatethread.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Finally, inside the new thread the CreateProcess function was called. The function created a new process using the sample path and an argument of "2"</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-6rpCWfqrjRQ/WK8HDQ-OVCI/AAAAAAAAAkM/11fObx-7wjYUIQc6Zny5vpX5x2-uAloowCEw/s1600/CreateProc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="32" src="https://4.bp.blogspot.com/-6rpCWfqrjRQ/WK8HDQ-OVCI/AAAAAAAAAkM/11fObx-7wjYUIQc6Zny5vpX5x2-uAloowCEw/s640/CreateProc.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Now the sample runs at HIGH integrity and it is ready to do some really nasty stuff!</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-CsXotLOC6LQ/WK8JtOhBNMI/AAAAAAAAAkg/PBgWdWzrt_kXnJCQ9TiUpM6WpkVjbBi-wCLcB/s1600/superramHIGH.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="45" src="https://4.bp.blogspot.com/-CsXotLOC6LQ/WK8JtOhBNMI/AAAAAAAAAkg/PBgWdWzrt_kXnJCQ9TiUpM6WpkVjbBi-wCLcB/s400/superramHIGH.png" width="400" /></a></div>
<div>
<br /></div>
<div>
In the next and final post of the series on analysing Rovnix dropper. I will copy how the <a href="https://technet.microsoft.com/en-us/sysinternals/notmyfault.aspx" target="_blank">NotMyFault</a> driver was load and executed. I will also document how the Bootkit is inserted.</div>
<br />
<ol class="ol1">
</ol>
<style type="text/css">
p.p2 {margin: 0.0px 0.0px 0.0px 18.0px; font: 11.0px Calibri; color: #000000; -webkit-text-stroke: #000000}
p.p3 {margin: 0.0px 0.0px 0.0px 18.0px; font: 11.0px Calibri; color: #000000; -webkit-text-stroke: #000000; min-height: 13.0px}
p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 18.0px; font: 11.0px Calibri; color: #000000; -webkit-text-stroke: #000000}
p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 18.0px; font: 11.0px Calibri; color: #000000; -webkit-text-stroke: #000000; min-height: 13.0px}
li.li1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Calibri; color: #000000; -webkit-text-stroke: #000000}
span.s1 {font: 12.0px Helvetica; color: #000000; -webkit-text-stroke: 0px #000000}
span.s2 {font-kerning: none}
span.s3 {font: 12.0px Helvetica; color: #000000}
ol.ol1 {list-style-type: decimal}
</style>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-80983926794254135382017-02-23T14:50:00.002+00:002017-02-23T16:19:17.255+00:00Analysis of Rovnix Dropper 3/5 - Anti Analysis (Static & Dynamic)In the previous <a href="https://findingvulns.blogspot.sg/2017/02/analysis-of-rovnix-dropper-unpacking.html" target="_blank">post</a>, I described how I unpacked the sample. In this post, I will focused on the anti analysis techniques used by the sample. I will first touch on the anti static analysis then the anti dynamic analysis.<br />
<br />
After the sample was unpacked, I noticed a number of strings were still obfuscated.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-76JsCREtmLM/WK7rnh6MyfI/AAAAAAAAAhc/CVpX59eBbgERljRnA0SwLT7AbmeOAOqwwCLcB/s1600/AVnamesEnc.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="435" src="https://1.bp.blogspot.com/-76JsCREtmLM/WK7rnh6MyfI/AAAAAAAAAhc/CVpX59eBbgERljRnA0SwLT7AbmeOAOqwwCLcB/s640/AVnamesEnc.JPG" width="640" /></a></div>
<br />
The strings were de-obfuscated into strings containing names of various security products during runtime:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-baJF6-DwAj4/WK7sic7reLI/AAAAAAAAAhk/mzCmSw5zIvkMmdZuJa2josm-STjcri9BACLcB/s1600/AVnamesDeEnc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="438" src="https://3.bp.blogspot.com/-baJF6-DwAj4/WK7sic7reLI/AAAAAAAAAhk/mzCmSw5zIvkMmdZuJa2josm-STjcri9BACLcB/s640/AVnamesDeEnc.png" width="640" /></a></div>
<br />
I did not found other anti static analysis techniques such as anti-disassembly. However, I notice quite a few anti dynamic analysis techniques.<br />
<br />
First, was a common anti VM technique to detect the use of VMware. The sample sent the VMware magic value of "VMXh" into the "VX" port using the 'IN' instruction. By reading and comparing the reply from the port the sample could detect the use of VMware.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-abL9Gr5CKZk/WK7w5ZRBGII/AAAAAAAAAh8/KJgGTmt8mYYVBBnxm3FgIZWjMU-ajW5IwCLcB/s1600/AntiVMware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://1.bp.blogspot.com/-abL9Gr5CKZk/WK7w5ZRBGII/AAAAAAAAAh8/KJgGTmt8mYYVBBnxm3FgIZWjMU-ajW5IwCLcB/s400/AntiVMware.png" width="400" /></a></div>
<br />
Next, was a less common anti VM technique to detect the use of VirtualBox. The less common "VPCEXT" instruction was executed to detect the use of VirtualBox.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-nBHC3dIcQs8/WK7ziLMXMzI/AAAAAAAAAiQ/cFJ1vQJqSIEU-D_KnNiHcg4zQSj34WyFQCLcB/s1600/AntiVMVbox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-nBHC3dIcQs8/WK7ziLMXMzI/AAAAAAAAAiQ/cFJ1vQJqSIEU-D_KnNiHcg4zQSj34WyFQCLcB/s1600/AntiVMVbox.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Then to detect the use of debuggers the "BeingDebugged" flag is checked in the PE.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-ittV2HTF7cc/WK7w527OSnI/AAAAAAAAAiI/jD4skwnzxXALQ2vS1MIvULl7uV3PMkNoACEw/s1600/BeingDebugged.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="https://3.bp.blogspot.com/-ittV2HTF7cc/WK7w527OSnI/AAAAAAAAAiI/jD4skwnzxXALQ2vS1MIvULl7uV3PMkNoACEw/s640/BeingDebugged.png" width="640" /></a></div>
<br />
Next to check for the use of various tools for instrumentation. The name of the parent process of the sample is compared against a fix list of strings.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-mWuQQtHZ4Sk/WK7w5eiENwI/AAAAAAAAAiI/QvEODd9mncgdffjYAC-ZeAXUjSw2EATwQCEw/s1600/AntiInstru.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-mWuQQtHZ4Sk/WK7w5eiENwI/AAAAAAAAAiI/QvEODd9mncgdffjYAC-ZeAXUjSw2EATwQCEw/s1600/AntiInstru.png" /></a></div>
<br />
The sample also created multiple threads to carried out its activities. The use of multi threading brought a little hurdle to overcome when debugging the sample.<br />
<br />
All in all the sample did not make use of many anti analysis techniques. In the next post, I will cover how the sample escalated its privilege to install a driver in x64 Windows.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-62259493685659929952017-02-12T22:51:00.001+00:002017-02-23T16:18:26.372+00:00Analysis of Rovnix Dropper 2/5 - UnpackingIn the previous <a href="https://findingvulns.blogspot.sg/2017/02/analysis-of-rovnix-dropper-information.html" target="_blank">post</a>, I documented how I begin with the analysis of the Rovnix dropper and I concluded with the guess that I am dealing with a packed binary. In this post I showed how I unpacked the sample.<br />
<br />
I begin by setting a breakpoint at 0x402038 which was contained a dynamic call.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-twDP8G-sGTk/WKDbbU-nGdI/AAAAAAAAAfs/pBtCtXg0hjwnRuvZuX3i8N-g0g1ybuAXQCLcB/s1600/Screen%2BShot%2B2017-02-13%2Bat%2B6.00.21%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="https://3.bp.blogspot.com/-twDP8G-sGTk/WKDbbU-nGdI/AAAAAAAAAfs/pBtCtXg0hjwnRuvZuX3i8N-g0g1ybuAXQCLcB/s640/Screen%2BShot%2B2017-02-13%2Bat%2B6.00.21%2BAM.png" width="640" /></a></div>
From Ollydbg, I observed the address 0x3AEE590 is located in the heap and the access rights was set to RWX. At this point, the sample is unpacked yeah \o/.<br />
<br />
After I dumped out the 'unpacked' heap memory segment and fixed the IAT. I import the 'unpacked' memory segment into IDA Pro. I noticed no strings pointing the URL that I obtained from FakeNet and no APIs were imported for accessing the internet. I guessed the sample is not unpack completely. :(<br />
<br />
I tried to let the execution of the sample continue hoping to see the RWE memory segments created by the unpacker codes but I end up with BSOD.<br />
I tried to hook the VirtualAlloc and HeapAlloc APIs to catch the sample dumping the unpacked binary.<br />
<br />
Both options failed :( I guess I can only TRY HARDER!<br />
<br />
At this point I knew, there was no short cut. I try to figure out what are the code in the heap memory segment doing. Then I noticed this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-sDhSTsZIHMA/WKDgfQjU0II/AAAAAAAAAgQ/0UaoOOzrumUrt8RqhSHGGnsWlD1eA_wVQCLcB/s1600/Screen%2BShot%2B2017-02-13%2Bat%2B6.21.53%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://2.bp.blogspot.com/-sDhSTsZIHMA/WKDgfQjU0II/AAAAAAAAAgQ/0UaoOOzrumUrt8RqhSHGGnsWlD1eA_wVQCLcB/s640/Screen%2BShot%2B2017-02-13%2Bat%2B6.21.53%2BAM.png" width="640" /></a></div>
Both the .text and .rdata sections of the binary(SUPERRAM) were set to RWE. The original memory access to these two sections were R_E not RWE. Now I understand how my hook attempts failed. The unpack was making using of SELF Modifying code. Next I set a hook at VirtualProtect and run the binary again. I noticed how the .text and rdata sections were changed from R_E to RWE.<br />
<br />
Now, I went back to IDA Pro to look at the CFG of the heap memory segments there was no import function of VirtualProtect. WHY ? This was due to a 'trick' used by the author of the binary. It used an indirect call access to VirtualProtect API via a function table that was pre-populated with function addresses.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-9Mopywo-tDE/WKDjIa7GbqI/AAAAAAAAAgk/TI3HI0hyVOMqHBioUTOnk4nYfT2LlUkHwCLcB/s1600/Screen%2BShot%2B2017-02-13%2Bat%2B6.34.25%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="372" src="https://2.bp.blogspot.com/-9Mopywo-tDE/WKDjIa7GbqI/AAAAAAAAAgk/TI3HI0hyVOMqHBioUTOnk4nYfT2LlUkHwCLcB/s640/Screen%2BShot%2B2017-02-13%2Bat%2B6.34.25%2BAM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Finally, I located an indirect call that goes to the unpacked code!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-dsH0Ccs_i8I/WKDkVIStgaI/AAAAAAAAAgw/Bu5sFsvgtnkPbeN53bjmyqFa6yVkjBGyACLcB/s1600/Screen%2BShot%2B2017-02-13%2Bat%2B6.38.12%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="https://3.bp.blogspot.com/-dsH0Ccs_i8I/WKDkVIStgaI/AAAAAAAAAgw/Bu5sFsvgtnkPbeN53bjmyqFa6yVkjBGyACLcB/s640/Screen%2BShot%2B2017-02-13%2Bat%2B6.38.12%2BAM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
Finally after fixing the IATs and executing a few functions to decode the strings, I could now dump the unpacked binary. I can now see the URL being accessed and the APIs used to access Internet.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-KaRvJtr2n64/WKDliUpXQGI/AAAAAAAAAg8/FRPTwwvxzXM55__jgG4t9vCt6Z1ygK1NwCEw/s1600/Screen%2BShot%2B2017-02-13%2Bat%2B6.44.25%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="https://3.bp.blogspot.com/-KaRvJtr2n64/WKDliUpXQGI/AAAAAAAAAg8/FRPTwwvxzXM55__jgG4t9vCt6Z1ygK1NwCEw/s640/Screen%2BShot%2B2017-02-13%2Bat%2B6.44.25%2BAM.png" width="640" /></a></div>
<br />
YES finally the binary is unpacked! \o/<br />
<br />
Next, I will cover some of the anti analysis techniques used by the sample.<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-50095792503505632782017-02-12T21:56:00.003+00:002017-02-26T06:29:12.361+00:00Analysis of the Rovnix Dropper 1/5 - Information GatheringThis post is the first of the 5 post series on how I analysed the Rovnix <a href="https://www.virustotal.com/en/file/d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae/analysis/" target="_blank">dropper</a>.<br />
<br />
<h3 class="post-title entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 22px; font-stretch: normal; font-weight: normal; line-height: normal; margin: 0.75em 0px 0px; position: relative;">
<a href="https://findingvulns.blogspot.sg/2017/02/analysis-of-rovnix-dropper-information.html" target="_blank">Analysis of the Rovnix Dropper 1/5 - Information Gathering</a></h3>
<h3 class="post-title entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 22px; font-stretch: normal; font-weight: normal; line-height: normal; margin: 0.75em 0px 0px; position: relative;">
<a href="http://findingvulns.blogspot.sg/2017/02/analysis-of-rovnix-dropper-unpacking.html" target="_blank">Analysis of Rovnix Dropper 2/5 - Unpacking</a></h3>
<div>
<h3 class="post-title entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 22px; font-stretch: normal; font-weight: normal; line-height: normal; margin: 0.75em 0px 0px; position: relative;">
<a href="https://findingvulns.blogspot.sg/2017/02/analysis-of-rovnix-dropper-anti.html" target="_blank">Analysis of Rovnix Dropper 3/5 - Anti Analysis (Static & Dynamic)</a></h3>
</div>
<div>
<h3 class="post-title entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 22px; font-stretch: normal; font-weight: normal; line-height: normal; margin: 0.75em 0px 0px; position: relative;">
<a href="https://findingvulns.blogspot.sg/2017/02/analysis-of-rovnix-dropper-bypassing.html" target="_blank">Analysis of Rovnix Dropper 4/5- Bypassing UAC</a></h3>
</div>
<div>
<h3 class="post-title entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 22px; font-stretch: normal; font-weight: normal; line-height: normal; margin: 0.75em 0px 0px; position: relative;">
<a href="https://findingvulns.blogspot.sg/2017/02/analysis-of-rovnix-dropper-55-driver.html" target="_blank">Analysis of Rovnix Dropper 5/5 - Driver and Bootkit Installation</a></h3>
</div>
<div>
<br /></div>
I always begin with static analysis of the binary sample. I would acquire information such MD5 and SHA1 hash of the sample. I would also need to know what sort of binary am I dealing with, for example, PE,ELF,.dot NET, or office documents. For this I would use CFF Explorer.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-52NwSf0MdeA/WKDJDP4PsRI/AAAAAAAAAdQ/TtHCmlWmstYMJXurAIJ_5rICykI_MX44QCLcB/s1600/BasicInfo.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="https://3.bp.blogspot.com/-52NwSf0MdeA/WKDJDP4PsRI/AAAAAAAAAdQ/TtHCmlWmstYMJXurAIJ_5rICykI_MX44QCLcB/s320/BasicInfo.JPG" width="320" /></a></div>
Usually at this point, if possible I would do a Google search using the hash values to check if the sample had been analysed. As this sample is pretty old (2015), there were much information related to the sample. From CFF Explorer, I knew I am likely dealing with a PE binary written using C++.<br />
<br />
Knowing that I am dealing with a PE binary, I would use PE Studio to determine what the sample does, for example does it connect to internet, download/upload files or collect information from the victim machine. I would also like to know if the binary is packed.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-ONYWfXVm1Tk/WKDOjs_8QlI/AAAAAAAAAd0/9XB8VkJpHTQ_S3Vgz00R-wMcp57S43zVQCLcB/s1600/Dlls.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://4.bp.blogspot.com/-ONYWfXVm1Tk/WKDOjs_8QlI/AAAAAAAAAd0/9XB8VkJpHTQ_S3Vgz00R-wMcp57S43zVQCLcB/s400/Dlls.PNG" width="400" /></a></div>
From PE Studio, I could not tell much information about the sample. There are only a few dlls being imported by the sample. There was a large number of strings but I could not see any URLs.<br />
<br />
Next, is the dynamic analysis phase. I will try to execute the sample in a VM with Sysmon and FakeNet running in the background. I could see some URLs being accessed by the binary via FakeNet. However, before I could take a closer look at the URLs the infamous BSOD happened.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-ZWA42Q9DlfU/WKDT-5FnXyI/AAAAAAAAAeU/dRpaLzacX-g41PAEalFUWPuWsOvt22elwCLcB/s1600/Screen%2BShot%2B2017-02-13%2Bat%2B5.30.08%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://4.bp.blogspot.com/-ZWA42Q9DlfU/WKDT-5FnXyI/AAAAAAAAAeU/dRpaLzacX-g41PAEalFUWPuWsOvt22elwCLcB/s320/Screen%2BShot%2B2017-02-13%2Bat%2B5.30.08%2BAM.png" width="320" /></a></div>
BSOD happened every time after running the sample I also tried to run it in a different VM and also Virtualbox.<br />
<br />
From FakeNet, it show a URL being accessed after the binary was executed. Some information related to the victim machine was also being uploaded to the URL.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-F8fsXBAWsAE/WKDWh6MAwRI/AAAAAAAAAew/-D3a_YKYAW4RUBzXKi5mjOwlx2ff3j5GACLcB/s1600/Screen%2BShot%2B2017-02-13%2Bat%2B5.38.03%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://2.bp.blogspot.com/-F8fsXBAWsAE/WKDWh6MAwRI/AAAAAAAAAew/-D3a_YKYAW4RUBzXKi5mjOwlx2ff3j5GACLcB/s320/Screen%2BShot%2B2017-02-13%2Bat%2B5.38.03%2BAM.png" width="320" /></a></div>
At this point, I am certain the sample will upload information gathered from the victim machine to a fixed URL. However, from the strings dumped using PE Studio, there was nothing related to the URL. In addition, PE Studio also did not showed any APIs that could be used to access internet.<br />
I guess the sample is packed. I opened up the sample in IDA Pro and I am greeted with this long WinMain() that seemed to be drawing dialog boxes.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-rAS91ya63Pc/WKDYUb1AwII/AAAAAAAAAfA/tiLROkXd_XUWsNB9_yWtpM_OiVp2vCspwCLcB/s1600/Screen%2BShot%2B2017-02-13%2Bat%2B5.47.02%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://4.bp.blogspot.com/-rAS91ya63Pc/WKDYUb1AwII/AAAAAAAAAfA/tiLROkXd_XUWsNB9_yWtpM_OiVp2vCspwCLcB/s320/Screen%2BShot%2B2017-02-13%2Bat%2B5.47.02%2BAM.png" width="199" /></a></div>
<br />
I scrolled through WinMain() and it ended this interesting dynamic call instruction.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-gJsYOg5xTdk/WKDZNog8BVI/AAAAAAAAAfU/QOt_8mZjT88irQjMqcXLI7C4STMcKfg6QCLcB/s1600/Screen%2BShot%2B2017-02-13%2Bat%2B5.50.47%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://4.bp.blogspot.com/-gJsYOg5xTdk/WKDZNog8BVI/AAAAAAAAAfU/QOt_8mZjT88irQjMqcXLI7C4STMcKfg6QCLcB/s640/Screen%2BShot%2B2017-02-13%2Bat%2B5.50.47%2BAM.png" width="640" /></a></div>
<br />
In the next post, I would document how I unpacked the sample using Ollydbg. :)<br />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-3958737786376615972016-09-08T09:46:00.005+01:002016-09-08T20:21:42.011+01:00Labyrenth CTF 2016 Documents track challenge 1This post was written to document some of my things I learned from analysing the word documents from the Labyrenth CTF 2016. Please leave me comments or questions if you have any. :)<br />
<div>
<br /></div>
<div>
This post has two sections, the first section focused on an interest observation on the challenge document. The second focused on solving the challenge.</div>
<div>
<br /></div>
<div>
<u><b>Anti Forensic Trick</b></u></div>
<div>
While solving the challenge, I noticed the document could only be executed once. After a single execution, the document failed to work. I also noticed the file size reduced after a single execution.</div>
<div>
<a href="http://4.bp.blogspot.com/-aqCgkKjMKfA/V9EhcM_wc0I/AAAAAAAAAaQ/QVuYmqaQqAMdFQk9l-0JG49vwMS6C3u8wCK4B/s1600/File_Size.JPG" imageanchor="1"><img border="0" height="50" src="https://4.bp.blogspot.com/-aqCgkKjMKfA/V9EhcM_wc0I/AAAAAAAAAaQ/QVuYmqaQqAMdFQk9l-0JG49vwMS6C3u8wCK4B/s400/File_Size.JPG" width="400" /></a></div>
<div>
<br /></div>
<div>
I went on to investigate why. I noticed the following lines of code.</div>
<div>
<a href="http://4.bp.blogspot.com/-r_jsAZp0_K0/V9Eh54IJZqI/AAAAAAAAAaY/shb5G2zXSSQiJPkhnfXDER04faZIdr1YQCK4B/s1600/Macro.JPG" imageanchor="1"><img border="0" height="75" src="https://4.bp.blogspot.com/-r_jsAZp0_K0/V9Eh54IJZqI/AAAAAAAAAaY/shb5G2zXSSQiJPkhnfXDER04faZIdr1YQCK4B/s400/Macro.JPG" width="400" /></a><br />
<div>
<br /></div>
<div>
The above macro is executed when the document is open. However, it only proceed to execute the function "BkAIuNwQNDkohBY" only if the variable "ppKzr" is NOT "toto". "BkAIuNwQNDkohBY" contained the key functions of the code. If "BkAIuNwQNDkohBY" is executed, the variable "ppKzr" is overwritten with "toto".</div>
<div>
<br /></div>
<div>
I compared the hexdump of the documents before and after execution.</div>
<div>
<a href="http://4.bp.blogspot.com/-7zHIULFHv8Q/V9Eiz6_ZNrI/AAAAAAAAAak/WZrID_MXv4Yr5dcdUfVIlfvCMmm22sj1wCK4B/s1600/ppkzr_before_run.JPG" imageanchor="1"><img border="0" height="208" src="https://4.bp.blogspot.com/-7zHIULFHv8Q/V9Eiz6_ZNrI/AAAAAAAAAak/WZrID_MXv4Yr5dcdUfVIlfvCMmm22sj1wCK4B/s400/ppkzr_before_run.JPG" width="400" /></a></div>
<div>
<br /></div>
<div>
<a href="http://2.bp.blogspot.com/-NCt4V9ldKHk/V9Ei4D9eZ-I/AAAAAAAAAas/mMkIQXrJ3i04TOTeNpzotQcw4OQKNjuCgCK4B/s1600/ppkzr_after_run.JPG" imageanchor="1"><img border="0" height="156" src="https://2.bp.blogspot.com/-NCt4V9ldKHk/V9Ei4D9eZ-I/AAAAAAAAAas/mMkIQXrJ3i04TOTeNpzotQcw4OQKNjuCgCK4B/s400/ppkzr_after_run.JPG" width="400" /></a></div>
<div>
<br /></div>
<div>
The long string stored in "ppKzr" was overwritten with "toto" which resulted in the document reducing in size.</div>
<div>
<br /></div>
<div>
With the long string overwritten the document could not be executed. Not only that we would not be able to de-obfuscate the strings in VB code. The long string is used as a dictionary in the de-obfuscation function "QklkhFEQNB". This 'trick' could be used by malware writer to prevent analysis from being done on the document after it is executed.</div>
<div>
<br /></div>
<div>
<u><b>Solving the challenge</b></u></div>
<div>
First, I choose to dump the macro using various tools. This <a href="https://zeltser.com/malicious-code-inside-office-documents/" target="_blank">blog post</a> by Lenny Zeltster contained a number of the tools. The following diagram showed how I used <a href="https://bitbucket.org/decalage/oletools/wiki/olevba" target="_blank">olevba</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-XoydWaFlxqc/V9G59oCbDmI/AAAAAAAAAbI/_ScL5iSXItUGQzJw8XYZG7FGsJscetnBACLcB/s1600/dumping_Macro.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://2.bp.blogspot.com/-XoydWaFlxqc/V9G59oCbDmI/AAAAAAAAAbI/_ScL5iSXItUGQzJw8XYZG7FGsJscetnBACLcB/s400/dumping_Macro.JPG" width="377" /></a></div>
<br />
<br />
After reading the code I realised many of the strings are obfuscated. Then I made use of the debugging function in Visual Basic for Applications (VBA) in Word 2010. The short cut to activate it is Alt+F11.</div>
<div>
<a href="http://4.bp.blogspot.com/-X_jbRPv6ZBw/V9Ecocbf15I/AAAAAAAAAZs/s-dO40QHqikpunzeifBx75XjP9k_yi4kwCK4B/s1600/VBA_debug.JPG" imageanchor="1"><img border="0" height="379" src="https://4.bp.blogspot.com/-X_jbRPv6ZBw/V9Ecocbf15I/AAAAAAAAAZs/s-dO40QHqikpunzeifBx75XjP9k_yi4kwCK4B/s640/VBA_debug.JPG" width="640" /></a></div>
<div>
<br /></div>
<div>
From the code, the function "QklkhFEQNB" was called many times to de-obfuscate strings. Without going into the details of how the function worked. I used added "MsgBox" to dump out the strings after de-obfuscation was done.</div>
<div>
<a href="http://2.bp.blogspot.com/-ZBtIy2hQYos/V9Eeq5p7BYI/AAAAAAAAAZ0/lnQd1HgjzRYCrNcSp7Lwx6dHB0SYOPlbQCK4B/s1600/Mod_VBS.JPG" imageanchor="1"><img border="0" height="96" src="https://2.bp.blogspot.com/-ZBtIy2hQYos/V9Eeq5p7BYI/AAAAAAAAAZ0/lnQd1HgjzRYCrNcSp7Lwx6dHB0SYOPlbQCK4B/s640/Mod_VBS.JPG" width="640" /></a></div>
<div>
After executing the document, the MsgBox would dump the de-obfuscated strings.</div>
<div>
<a href="http://3.bp.blogspot.com/-JHobPJZEy1E/V9Ef4noxu5I/AAAAAAAAAaE/tp26mJdwa4QXzlF4FZyocFrokFMiexnigCK4B/s1600/MsgBox_URL.JPG" imageanchor="1"><img border="0" height="150" src="https://3.bp.blogspot.com/-JHobPJZEy1E/V9Ef4noxu5I/AAAAAAAAAaE/tp26mJdwa4QXzlF4FZyocFrokFMiexnigCK4B/s400/MsgBox_URL.JPG" width="400" /></a></div>
<div>
From this URL, we can notice its going to "10.1.33.7". The long string seems to be base64 encoded. Given a clue "b64" from the URL. After decoding the string, it seems like a long string of hex values. Using the next clue "x58". XOR was performed on the string and it decoded into the flag.</div>
<div>
<br /></div>
</div>
Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-5586618097598913345.post-33334433063247070462016-08-15T15:43:00.001+01:002016-08-16T03:50:40.508+01:00Labyrenth CTF 2016 Windows track challenge 1For this CTF, I had a goal other than completing as many of the Windows challenges as possible. I wanted to explore different ways to solve the challenges other than using usual dynamic analysis with debuggers and state analysis with disassemblers.<br />
<br />
Do feel free to leave comments and questions, I would try my best to address them. Do point out any errors you noticed. Thanks!<br />
<br />
For Labyrenth CTF 2016 Windows track challenge 1, I used a binary analysis tool called <a href="http://angr.io/" target="_blank">Angr</a>. Yes its spelled A-n-g-r, anger without the 'e'. I will walk through how I solved the challenge and focused on how Angr was used. The key takeaway for this challenge for me was on learning how to use <a href="http://angr.io/" target="_blank">Angr</a>. For readers who just want to know how I used <a href="http://angr.io/" target="_blank">Angr</a>, just skip to <b>step six</b>.<br />
<br />
<b>The first step </b>was to find out as much as possible about the challenge binary provided. I used the Detect It Easy (DIE) tool and noticed the binary was packed using UPX.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<a href="http://1.bp.blogspot.com/-uOfqC_vo53M/V7G6dT_czgI/AAAAAAAAAWc/v3lE8-3YitcthHbCZ_1Dvo4Q9d9iTgU_QCK4B/s1600/DIE.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://1.bp.blogspot.com/-uOfqC_vo53M/V7G6dT_czgI/AAAAAAAAAWc/v3lE8-3YitcthHbCZ_1Dvo4Q9d9iTgU_QCK4B/s400/DIE.PNG" width="400" /></a><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>The second step </b>was to unpack the binary and locate the Original Entry Point (OEP) of the unpacked codes. The OEP in the PE header of the binary belonged to the packing codes. Using the Ollydbg debugger I located the 'ar jmp; at the end of the packing code. After executing the far jmp instruction the EIP would point to the OEP of the unpacked code.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Before debugging the binary in a debugger, a little trick I learnt was to remove the ASLR flag in the binary. This allowed the binary to be loaded in the same base address during every execution. This eases the references made to static analysis tool such as IDA Pro. Do note some malware may not execute if they detected modifications to PE header.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I used CFF explorer to modify the "DLL can move" or ASLR flag under Optional Headers-> Dll Characteristics. Remove the tick next to "DLL can move" to disable ASLR for this binary.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<a href="http://1.bp.blogspot.com/-VGdGcGDiVQQ/V7G-9RIIPOI/AAAAAAAAAW0/opfZb6fYYdEBwHnWbFukqJkKWqHo_jfmQCK4B/s1600/ASLR.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://1.bp.blogspot.com/-VGdGcGDiVQQ/V7G-9RIIPOI/AAAAAAAAAW0/opfZb6fYYdEBwHnWbFukqJkKWqHo_jfmQCK4B/s320/ASLR.JPG" width="320" /></a><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After removing the ASLR flag I debugged the binary in Ollydbg debugger and located the "Far Jmp" instruction.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<a href="http://2.bp.blogspot.com/-VgqRoVI9zE0/V7G74EHeXPI/AAAAAAAAAWk/GZVfZWAatfkPyZVpRd-KcsRuWKV2avBpACK4B/s1600/UnpackFarJmp.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="339" src="https://2.bp.blogspot.com/-VgqRoVI9zE0/V7G74EHeXPI/AAAAAAAAAWk/GZVfZWAatfkPyZVpRd-KcsRuWKV2avBpACK4B/s640/UnpackFarJmp.JPG" width="640" /></a><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
The reason I know to look for this far jmp was due to DIE detecting the use of the UPX packer. This packer typically consisted of a far jmp instruction at the end of the packing code. Do note this may not always be the case. Malware writer can write codes to fool tools like DIE. I placed a breakpoint at the far jmp instruction and let the packer code unpack the packed codes. I would step one instruction after the far jmp instruction to locate the OEP of the unpacked code.<br />
<br />
<b>In the third step</b>, after locating the OEP of the unpacked code, now I would dump the unpacked code for static analysis. I used the Scylla tool for this step. I would need to set the OEP as starting address of the unpacked code. Then locate the Import Address Table (IAT) of the unpacked code. Due to packing, the IAT was 'destroyed'. Using the "IAT Autosearch" function, Scylla could locate the IAT and rebuild it for ease of analysis in IDA Pro. Next was to Dump the unpacked binary and then Fix the dump with the IAT found by Scylla.<br />
<br />
<a href="http://4.bp.blogspot.com/-Fbu_CQ2VQys/V7HAyLVMW0I/AAAAAAAAAXA/CQW1wcWDSCkXCgVKcgU0NfUGfjE20PI-QCK4B/s1600/Scylla.JPG" imageanchor="1"><img border="0" height="640" src="https://4.bp.blogspot.com/-Fbu_CQ2VQys/V7HAyLVMW0I/AAAAAAAAAXA/CQW1wcWDSCkXCgVKcgU0NfUGfjE20PI-QCK4B/s640/Scylla.JPG" width="608" /></a><br />
<br />
<b>The fourth step </b>involved static analysis using IDA Pro. Now using IDA Pro we could understand the code flow of the unpacked code. To quickly zoom into interesting functions to analysis in malware analysis is very important. We do want want to analysis the code from the start to the end. We could using strings in IDA Pro to locate strings that could point to interesting functions. Error messages in binaries 'might' provide clues to these strings. We executed the binary and it displayed the following messages.<br />
<a href="http://3.bp.blogspot.com/-Ssh8SkLjvfc/V7HDG63E06I/AAAAAAAAAXM/6pCk5ikbwP8GqfRjBzRLgz_m3GeaUgl8gCK4B/s1600/ErrorMsg.JPG" imageanchor="1"><img border="0" height="82" src="https://3.bp.blogspot.com/-Ssh8SkLjvfc/V7HDG63E06I/AAAAAAAAAXM/6pCk5ikbwP8GqfRjBzRLgz_m3GeaUgl8gCK4B/s400/ErrorMsg.JPG" width="400" /></a><br />
<br />
We also located the same messages in the strings of the binary. These strings were original obfuscated due to the packer.<br />
<a href="http://2.bp.blogspot.com/--d38t07xYeI/V7HDaEdqk8I/AAAAAAAAAXU/NZcHd8cCq68hcsxSvyrjrUdWKk3RzA9lQCK4B/s1600/strings.JPG" imageanchor="1"><img border="0" height="144" src="https://2.bp.blogspot.com/--d38t07xYeI/V7HDaEdqk8I/AAAAAAAAAXU/NZcHd8cCq68hcsxSvyrjrUdWKk3RzA9lQCK4B/s640/strings.JPG" width="640" /></a><br />
<br />
Using the strings of error message we discovered interesting functions to analyse.<a href="http://4.bp.blogspot.com/-vn9zDxNNOP8/V7HD1BN4KHI/AAAAAAAAAXg/Kx_ca3-1ki4vRyCPSWbjdg_U788i82KrwCK4B/s1600/interestingFunc.JPG" imageanchor="1"><img border="0" height="128" src="https://4.bp.blogspot.com/-vn9zDxNNOP8/V7HD1BN4KHI/AAAAAAAAAXg/Kx_ca3-1ki4vRyCPSWbjdg_U788i82KrwCK4B/s640/interestingFunc.JPG" width="640" /></a><br />
<br />
All the strings pointed to a single interesting function!<br />
<a href="http://1.bp.blogspot.com/-_zmw1pTxFOY/V7HEOTvYv2I/AAAAAAAAAXw/B-zTvpWiqaQiQJTU0RbZ_v-7oa-lQBApwCK4B/s1600/TheFunc.JPG" imageanchor="1"><img border="0" height="336" src="https://1.bp.blogspot.com/-_zmw1pTxFOY/V7HEOTvYv2I/AAAAAAAAAXw/B-zTvpWiqaQiQJTU0RbZ_v-7oa-lQBApwCK4B/s640/TheFunc.JPG" width="640" /></a><br />
<br />
From the call graph, I observed user input that was stored into a 0x100 bytes local variable being passed as argument into the Sub_109110B function. The Sub_109110B function would likely be the validation function to decide if the user input is correct. This is where we would focus our effort on for the next steps.<br />
<br />
<b>The fifth step </b>would focus on the analysis of Sub_109110B function. The call graph showed the beginning of the function when it load local variables with lots of data. This a common trick by malware writer to use local variable to hide data from tools such as strings.<br />
<a href="http://3.bp.blogspot.com/-SrpGji2kTuI/V7HGHNt_UlI/AAAAAAAAAX8/LGcrNpTkys8JOC_qRp6MMJGdNGlu0ibIQCK4B/s1600/CipherText.JPG" imageanchor="1"><img border="0" height="400" src="https://3.bp.blogspot.com/-SrpGji2kTuI/V7HGHNt_UlI/AAAAAAAAAX8/LGcrNpTkys8JOC_qRp6MMJGdNGlu0ibIQCK4B/s400/CipherText.JPG" width="305" /></a><br />
<br />
Next we try to understand what the function was trying to do. We notice a check of the length of user input using Strlen function against 0x10. Next was a loop that would be executed 40 times. Inside the loop was 4 functions that was called. The return value of all 4 functions were used to determine the code flow. If the return value of any of the 4 functions was not zero, the loop would exit before executing 40 times.<br />
Diving into the 4 functions, I discovered the anti debugging checks.<br />
1. CheckRemoteDebuggerPresent function<br />
2. Find "Olldbg" window<br />
3. IsDebuggerPresent function<br />
4. RDTSC instruction<br />
An easy way to defeat the debugging checks was to patch the return value of the 4 functions containing the checks. The patch to AL register value to zero during run time using debugger would allow the loop to be fully executed (40 times).<br />
<br />
A check after the Strlen function seems to indicate the user input string had to be at most 16 bytes long. However, the loop executed 40 times. The return value of the Strlen had to be patched to allow the loop to finish execution.<br />
<div>
<br /></div>
From the code flow, I observe each character of the user input was manipulated before being validated. It seemed the user input was encrypted using a stream cipher before comparing with the encrypted data store in the local variables.<br />
<br />
<b>The sixth step</b> was to figure out the correct user input to display the message "Well done! A+! You get a gold star!" I considered several options:<br />
1. Brute force the user input using Winappdbg to inject user input string and patch anti debug checks<br />
2. Brute force the user input against an implementation of the validation function Sub_109110B using python<br />
3. Brute force the user input against a revered implementation of the validation function using python.<br />
4. Using Angr !<br />
<br />
I am not an expert on using Angr, I had help from my friend Ronald who spent a lot of time on reading the code in Angr and he even fixed some of its bugs.<br />
<br />
A few key considerations before using Angr.<br />
1. Angr's Windows loader could be buggy.<br />
2. Angr made us of the VEX simulation engine which had limited abilities in simulating Windows APIs.<br />
3. Need to determine the state of memory before the start point of analysis<br />
3. Need to determine the start point of the analysis<br />
4. Need to determine the constrains to the user input<br />
5.Need to determine the patches to the anti debug checks<br />
<div>
6. Need to determine the address of paths to avoid</div>
6. Need to determine the target address of the analysis<br />
<br />
1. Angr's Windows loader could be buggy.<br />
Angr might not work for all windows binaries I guess this comes with practice and experience to determine which binaries works. For this challange, Angr worked and now I am doing this write-up.<br />
<br />
2. Angr made us of the VEX simulation engine which had limited abilities in simulating Windows APIs.<br />
<div>
Angr works best in analyzing codes without Windows APIs. I inserted hooks to 'remove' Windows APIs and patched the return value.</div>
<div>
<br /></div>
<div>
Patch the Strlen function to always return 16 to pass the check:</div>
<div>
<a href="http://3.bp.blogspot.com/-qS0n39UTEvY/V7HPZlTBtNI/AAAAAAAAAYM/MnjTwtPLxhE_iE2oC_83_PMHWw1A8InqgCK4B/s1600/StrlenPatch.JPG" imageanchor="1"><img border="0" height="107" src="https://3.bp.blogspot.com/-qS0n39UTEvY/V7HPZlTBtNI/AAAAAAAAAYM/MnjTwtPLxhE_iE2oC_83_PMHWw1A8InqgCK4B/s400/StrlenPatch.JPG" width="400" /></a></div>
<br />
Patch the security cookie check function:<br />
<a href="http://1.bp.blogspot.com/-4odQRdWUsFE/V7HP84KKInI/AAAAAAAAAYU/S41IxfKW4WMLGFbj2oO0U5-mh5XS4ebQgCK4B/s1600/secCookie.JPG" imageanchor="1"><img border="0" height="72" src="https://1.bp.blogspot.com/-4odQRdWUsFE/V7HP84KKInI/AAAAAAAAAYU/S41IxfKW4WMLGFbj2oO0U5-mh5XS4ebQgCK4B/s400/secCookie.JPG" width="400" /></a><br />
<br />
3. Need to determine the state of memory before the start point of analysis<br />
3. Need to determine the start point of the analysis<br />
<a href="http://3.bp.blogspot.com/-Er2AJUEGhe4/V7HQbjfpnZI/AAAAAAAAAYg/-hjW3sCBApk18lgk-Y_6X2jFBZ8iUxjUwCK4B/s1600/start.JPG" imageanchor="1"><img border="0" height="135" src="https://3.bp.blogspot.com/-Er2AJUEGhe4/V7HQbjfpnZI/AAAAAAAAAYg/-hjW3sCBApk18lgk-Y_6X2jFBZ8iUxjUwCK4B/s400/start.JPG" width="400" /></a><br />
The start point of the analysis would be the address when the user input string would be passed into the Sub_109110B function. The user input would be setup as an symbol value of 40 bytes (loop 40 times) ending with a null byte. The pointer to the user input would have to be pre-loaded into register ecx due to instruction "Push ECX" which load the pointer to user input as argument to Sub_1099110B.<br />
<br />
4. Need to determine the constrains to the user input<br />
<a href="http://1.bp.blogspot.com/-aE7HpqqwTHk/V7HRjvQHDBI/AAAAAAAAAYo/2kNIPTEZnto-f0eo-Z3IvjbuMsKiFyjBwCK4B/s1600/constrains.JPG" imageanchor="1"><img border="0" height="108" src="https://1.bp.blogspot.com/-aE7HpqqwTHk/V7HRjvQHDBI/AAAAAAAAAYo/2kNIPTEZnto-f0eo-Z3IvjbuMsKiFyjBwCK4B/s400/constrains.JPG" width="400" /></a><br />
User input print was determined to be printable ASCII ending with a null byte which was set as an constrain.<br />
<br />
5.Need to determine the patches to the anti debug checks<br />
<a href="http://3.bp.blogspot.com/-_MwXUp87mY8/V7HSI_sAWVI/AAAAAAAAAYw/aM2wP2cveOYVFYHqaT4R1MzLLb8XcnzbwCK4B/s1600/antiD.JPG" imageanchor="1"><img border="0" height="183" src="https://3.bp.blogspot.com/-_MwXUp87mY8/V7HSI_sAWVI/AAAAAAAAAYw/aM2wP2cveOYVFYHqaT4R1MzLLb8XcnzbwCK4B/s400/antiD.JPG" width="400" /></a><br />
Hooks were placed to return zero for the 4 functions of anti debugging<br />
<br />
<div>
6. Need to determine the address of paths to avoid</div>
6. Need to determine the target address of the analysis<br />
<a href="http://4.bp.blogspot.com/-hNTbRMZ8Qto/V7HSkMQcu6I/AAAAAAAAAY8/w7iWYZRy970GcLAPWhxDMTkWRYR6pFwvACK4B/s1600/end.JPG" imageanchor="1"><img border="0" height="38" src="https://4.bp.blogspot.com/-hNTbRMZ8Qto/V7HSkMQcu6I/AAAAAAAAAY8/w7iWYZRy970GcLAPWhxDMTkWRYR6pFwvACK4B/s640/end.JPG" width="640" /></a><br />
Finally, set the address of code when the validation is correct and address when validation is wrong.<br />
<br />
After correcting the bugs in my python script, I used Angr to solve the correct user input for challenge 1.<br />
<a href="http://3.bp.blogspot.com/-egshm_G914I/V7HTle8GWwI/AAAAAAAAAZM/U9kjx8e7MM4poFN0IKlOBmTN2kTBlgrrQCK4B/s1600/Kali-Linux-2016.1-vm-amd64-2016-08-07-15-07-32.png" imageanchor="1"><img border="0" height="140" src="https://3.bp.blogspot.com/-egshm_G914I/V7HTle8GWwI/AAAAAAAAAZM/U9kjx8e7MM4poFN0IKlOBmTN2kTBlgrrQCK4B/s640/Kali-Linux-2016.1-vm-amd64-2016-08-07-15-07-32.png" width="640" /></a><br />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-47217297372588709812015-10-27T05:44:00.001+00:002015-10-27T05:44:21.957+00:00Unbricking Onda V975w tabletI got this bricked <a href="http://www.onda-tablet.com/onda-v975w-quad-core-win-8-tablet-9-7-inch-retina-screen-ram-2gb-wifi-32gb.html" target="_blank">tablet</a> from my friend @Sirpoot. The tablet was bricked because he tried to flash it from Windows 8.1 to Android. The tablet refused to boot up and no sign of life when you press the power button.<br />
<br />
I Googled on how to unbrick the tablet. I found this <a href="http://www.ondaforum.com/topic/2663-flash-bios-on-a-dead-tablet/" target="_blank">URL</a>. The guy used a used a <a href="http://www.ebay.co.uk/itm/24-25-Series-EEPROM-Flash-BIOS-USB-Programmer-CH341A-Module-Software-Driver-/400841941718?pt=LH_DefaultDomain_3&hash=item5d540aa2d6" target="_blank">EEPROM programmer</a> to reflash the BIOS chip in the dead tablet. I was thinking I could either buy the same <a href="http://www.ebay.co.uk/itm/24-25-Series-EEPROM-Flash-BIOS-USB-Programmer-CH341A-Module-Software-Driver-/400841941718?pt=LH_DefaultDomain_3&hash=item5d540aa2d6" target="_blank">EEPROM programmer</a> to reflash the BIOS chip or I could use something else. I Googled and I discovered this <a href="http://ao2.it/en/blog/2014/12/30/teclast-x98-air-3g-unbricking-bay-trail-tablet" target="_blank">blog post</a>. In this blog <span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;">Antonio, used a Beagle Board Black to reflash the BIOS chip. The key idea is to have a device that speaks the <a href="http://en.wikipedia.org/wiki/Serial_Peripheral_Interface_Bus" target="_blank">SPI</a> protocol. </span><br />
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;"><br /></span>
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;">I thought why not use a Raspberry Pi. So I borrowed a Raspberry Pi from @Sirpoot. The following would be the steps required to unbrick Onda V975w tablet using Raspberry Pi.</span><br />
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;"><br /></span>
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;">Equipment required:</span><br />
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;">1. Raspberry Pi installed with <a href="http://www.raspberrypi-spy.co.uk/2014/08/enabling-the-spi-interface-on-the-raspberry-pi/" target="_blank">flashrom</a></span><br />
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;">2. SOIC 8 Pin test clip (Either <a href="http://www.ebay.co.uk/itm/281530905193?_trksid=p2057872.m2749.l2649&var=580555524154&ssPageName=STRK%3AMEBIDX%3AIT" target="_blank">this</a> or <a href="http://www.amazon.com/Pomona-5250-SOIC-Adapter-8-Pin/dp/B00SDTJBNM" target="_blank">this</a>)</span><br />
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;">3 <a href="https://www.adafruit.com/products/266" target="_blank">Female - Female Jumper cables</a> to connect Raspberry Pi to SOIC test clip</span><br />
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;"><br /></span>
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;">First step is to gain access to Raspberry Pi via ssh. You can refer to this <a href="http://www.interlockroc.org/2012/12/06/raspberry-pi-macgyver/" target="_blank">excellent blog post</a> on how to do so.</span><br />
<br />
<span style="background-color: white; line-height: 22.4px;"><span style="font-family: Georgia, Cambria, serif;"><br /></span></span>
<span style="background-color: white; line-height: 22.4px;"><span style="font-family: Georgia, Cambria, serif;">Second step is to <a href="https://www.youtube.com/watch?v=242HcvYRwqI" target="_blank">open</a> up the tablet and gain access to the flash chip. You would have to pry open the metal shielding after opening the back cover of the tablet. Once you do that you could <a href="http://imgur.com/a/GVrAT#Rp6HUF7" target="_blank">see</a> the Intel CPU and the flash chip next to it. </span></span><br />
<span style="background-color: white; line-height: 22.4px;"><span style="font-family: Georgia, Cambria, serif;"><br /></span></span>
<span style="background-color: white;"><span style="font-family: Georgia, Cambria, serif;"><span style="line-height: 22.4px;">Third step is to connect the SOIC test clip to the raspberry Pi. For this I referred to this <a href="https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi" target="_blank">blog post.</a></span></span></span><br />
<br />
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;">However, this <a href="https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi" target="_blank">blog post</a> is about flashing a laptop. To flash the BIOS chip in the tablet we have to leave Pin 3 and Pin 7 unconnected. The blog post mentioned the need to build a 'bridge' connection for Pin 3,7 and 8. For our case we can leave Pin 3 and 7 unconnected.</span><br />
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;"><br /></span>
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;">Fourth step is to identify the flash chip using flashrom.</span><br />
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Rqr7HHjnwfI/Vi8Kutd8C7I/AAAAAAAAAS4/DnBVsWp90Mw/s1600/CheckingChipName.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="153" src="http://1.bp.blogspot.com/-Rqr7HHjnwfI/Vi8Kutd8C7I/AAAAAAAAAS4/DnBVsWp90Mw/s640/CheckingChipName.png" width="640" /></a></div>
<span style="background-color: white; font-family: Georgia, Cambria, serif; line-height: 22.4px;"><br /></span>
<span style="background-color: white;"><span style="font-family: Georgia, Cambria, serif;"><span style="line-height: 22.4px;">This is necessary to confirm the previous steps are done correctly.</span></span></span><br />
<span style="background-color: white;"><span style="font-family: Georgia, Cambria, serif;"><span style="line-height: 22.4px;"><br /></span></span></span>
<span style="background-color: white;"><span style="font-family: Georgia, Cambria, serif;"><span style="line-height: 22.4px;">Fifth step is to read out the contents in the flash chip. You may want to skip this step if you just want to unbrick the tablet and not keep the existing contents of the flash chip.</span></span></span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Y3ORy7O_hIg/Vi8KvjZvSgI/AAAAAAAAATc/31V50qu7wBk/s1600/ReadingFrmFlash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="http://2.bp.blogspot.com/-Y3ORy7O_hIg/Vi8KvjZvSgI/AAAAAAAAATc/31V50qu7wBk/s640/ReadingFrmFlash.png" width="640" /></a></div>
<br />
Sixth step is to upload the correct BIOS in the flash chip. For Onda V97w I used this <a href="http://onda.cn/Tablet/ProductInfo.aspx?ProductId=276&d=down" target="_blank">v975w_v3_WinBios-0926.rar</a> to unbrick the tablet successfully. Just replace the "X98_Air_II.bin" file with the firmware you downloaded.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/--ZRUDsGK3SM/Vi8KutZcqII/AAAAAAAAAS8/jMhL-bTDCZA/s1600/Cmd2Write2Flash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="http://3.bp.blogspot.com/--ZRUDsGK3SM/Vi8KutZcqII/AAAAAAAAAS8/jMhL-bTDCZA/s640/Cmd2Write2Flash.png" width="640" /></a></div>
<br />
Finally, after a few minutes you will see this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-5MioUX2xXYY/Vi8KvojGuHI/AAAAAAAAATU/KpYxio9MThU/s1600/FlashDone.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="408" src="http://3.bp.blogspot.com/-5MioUX2xXYY/Vi8KvojGuHI/AAAAAAAAATU/KpYxio9MThU/s640/FlashDone.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: Georgia, Cambria, serif;"><span style="background-color: white; line-height: 22.4px;">You can power up the tablet and see if it is unbricked :)</span></span><br />
I have left out details like how to install flashrom in Raspberry Pi and Flashrom cant detect the chip.<br />
Just post a question if any I will try to help.<br />
<br />
Do leave any comments or questions.Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-5586618097598913345.post-91820268685424367872014-04-12T09:49:00.000+01:002014-04-13T08:46:52.324+01:00Practical Reverse Engineering Chapter 1 Page 69 Exercise 41. Explain two methods to get the instruction pointer on x64. At least one of the methods must use RIP addressing.<br />
lea rax,[rip]<br />
<br />
call NextLine<br />
NextLine:<br />
pop eax <br />
<br />
<br />
<br />
2. Perform a virtual-to-physical address translation on x64. Were there any major differences compared to x86?<br />
<br />
There are many differences when performing virtual-to-physical address translation between x64 and x86. E.g. x86 has 4 sub sections which x64 have 5.<br />
<br />
<a href="http://blogs.microsoft.co.il/sasha/2013/09/23/an-exercise-in-virtual-to-physical-memory-translation/" target="_blank">This</a> blogpost that showed the differences.<br />
<br />
Do note that you need to have kernel debugging setup using Windbg. Let me via comments if you have trouble with this step. I have tried kernel debugging via Windows host and VMware and OS X host and VM fusion. There are slight differences in configuring the vmx file.<br />
<br />
<br />
Feel free to leave me comments for the answers above. :)Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-60424395419961854032014-04-12T09:45:00.000+01:002014-04-13T08:46:40.611+01:00Practical Reverse Engineering Chapter 1 Page 64 Exercise 3All the samples used in the book can be downloaded <a href="https://grsecurity.net/malware_research/" target="_blank">here</a>.<br />
<br />
1. Repeat the walk-through by yourself. Draw the stack layout, including parameters and local variables.<br />
<br />
An interesting instruction @07: sidt fword ptr [ebp-8] save 6-byte IDT register [ebp-8]<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-YrQ4rGeqLDM/U0j8f_kLXEI/AAAAAAAAAQo/iuK8DEI6HUk/s1600/Slide1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-YrQ4rGeqLDM/U0j8f_kLXEI/AAAAAAAAAQo/iuK8DEI6HUk/s1600/Slide1.jpg" height="270" width="320" /></a></div>
<br />
<br />
2. In the example walk-through, we did a nearly one-to-one translation of the assembly code to C. As an exercise, re-decompile this whole function so that it looks more natural. What can you say about the developer's skill level/experience? Explain your reasons. Can you do a better job?<br />
<br />
The codes did not include any anti-debug or anti disassemble features. It only has one anti virtualisation feature. The developer does not have very high skill. I would include obstruction tricks to increase difficulty of disassembling the codes.<br />
<br />
3. In some of the assembly listings, the function name has a @ prefix followed by a number. Explain when and why this decoration exists.<br />
<br />
<span style="color: #2a2a2a; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18px;">The function is making use of FastCall convention. At sign (@) is prefixed to names; an at sign followed by the number of bytes (in decimal) in the parameter list is suffixed to names.</span><br />
<br />
4. Implement the following functions in x86 assembly: strlen, strchr, memcpy, memset, strcmp, strset.<br />
<br />
<u>Answer to this question is Work In Process</u><br />
<br />
5. Decompile the following kernel routines in Windows:<br />
KeInitializeDpc<br />
KeInitializeApc<br />
ObFastDereferenceObject (and explain its calling convention)<br />
KeInitializeQueue<br />
KxWaitForLockChainValid<br />
KeReadyThread<br />
KiInitializeTSS<br />
RtlValidateUnicodeString<br />
<br />
All of them make use of _stdcall calling convention where the callee clear the stack before exiting the routines.<br />
<br />
6. Sample H. The function sub_13846 references several structures whose types are not entirely clear. Your task is to first recover the function prototype and then try to reconstruct the structure fields. After reading Chapter 3, return to this exercise to see if your understanding has changed. (Note: This sample is targeting Windows XP x86.)<br />
<br />
<u>Answer to this question is Work In Process</u><br />
<u><br /></u>
Note: The hash value for sample H in the book has error and the right sample H can be downloaded <a href="https://grsecurity.net/malware_research/" target="_blank">here</a>. I loaded the sample H in IDA Pro 6 and the function names are -4 bytes from the ones mentioned in the book.<br />
<div>
<u><br /></u></div>
<br />
7. Sample H. The function sub_10BB6 has a loop searching for something. First recover the function prototype and then infer the types based on the context. Hint: You should probably have a copy of the PE specification nearby.<br />
<br />
sub_10BB6 (int1,int2)<br />
<br />
Note: The hash value for sample H in the book has error and the right sample H can be downloaded <a href="https://grsecurity.net/malware_research/" target="_blank">here</a>. I loaded the sample H in IDA Pro 6 and the function names are -4 bytes from the ones mentioned in the book.<br />
<br />
8. Sample H. Decompile sub_11732 and explain the most likely programming construct used in the original code.<br />
<br />
Switch Cases.<br />
<br />
Note: The hash value for sample H in the book has error and the right sample H can be downloaded <a href="https://grsecurity.net/malware_research/" target="_blank">here</a>. I loaded the sample H in IDA Pro 6 and the function names are -4 bytes from the ones mentioned in the book.<br />
<br />
9. Sample L. Explain what function sub_1000CEA0 does and then decompile it back to C.<br />
<br />
Sub_1000CEA0 has 2 parameters ,an address of a string and a character.<br />
Sub_1000CEA0 begin with search the location of the null character at the string with the first "scasb" instruction. Then I look 'backward' to locate a character with the second "scasb" instruction.<br />
<br />
<br />
10. If the current privilege level is encoded in CS, which is modifiable by user-mode code, why can't user-mode code modify CS to change CPL?<br />
<br />
The CS register cannot be modified using load instructions. Only instructions that affect the flow of the routine can change it. To increase CPL one can use the IRET instructions but to decrease the CPL one need to make use of call gates or SYSENTER instructions to enter Ring 0.<br />
<br />
<br />
11. Read the Virtual Memory chapter in Intel Software Developer Manual, Volume 3 and AMD64 Architecture Programmer's Manual, Volume 2: System Programming. Perform a few virtual address to physical address translations yourself and verify the result with a kernel debugger. Explain how data execution prevention (DEP) works.<br />
<br />
DEP is implemented using XD bit in the Extended Feature Enable Register of the Intel CPU.<br />
Instructions cannot be fetch from PAE pages with XD bit set.<br />
<br />
Do note Windows kernel debugging using Windbg is needed before embarking on this question.<br />
<br />
12. Bruce's favorite x86/x64 disassembly library is BeaEngine by BeatriX (www.beaengine.org). Experiment with it by writing a program to disassemble a binary at its entry point.”<br />
<br />
<u>Answer to this question is Work In Process</u><br />
<div>
<u><br /></u></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-21418185163233293602014-04-12T09:40:00.001+01:002014-04-12T09:47:01.549+01:00Practical Reverse Engineering Page 33 Chapter 1 Exercises 21. Given what you learned about CALL and RET, explain how you would read the value of EIP? Why can't you just do MOV EAX, EIP?<br />
<br />
call next<br />
next: pop eax<br />
<br />
EIP is a special register that can't be accessed directly for x86 CPU. For x64 RIP can be read directly.<br />
<br />
<br />
2. Come up with at least two code sequences to set EIP to 0xAABBCCDD.<br />
<br />
JMP 0xAABBCCDD<br />
<br />
PUSH 0xAABBCCDD<br />
RET<br />
<br />
<br />
3. In the example function, addme, what would happen if the stack pointer were not properly restored before executing RET?<br />
<br />
Nothing will happen as ESP is not changed during the function flow.<br />
There is no instructions in the function that cause changes to the stack.<br />
<br />
4. In all of the calling conventions explained, the return value is stored in a 32-bit register (EAX). What happens when the return value does not fit in a 32-bit register? Write a program to experiment and evaluate your answer. Does the mechanism change from compiler to compiler?”<br />
<br />
“int<br />
__cdecl addme(short a, short b)<br />
{<br />
return a*b;<br />
}”<br />
<div>
<br /></div>
<div>
Answer to this question is not complete yet.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Feel free to leave me comments for my answers. :)</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-35114353760501893562014-04-12T09:34:00.000+01:002014-04-12T09:47:26.083+01:00Practical Reverse Engineering Page 22 Chapter 1 Exercise 11. This function uses a combination SCAS and STOS to do its work. First, explain what is the type of the [EBP+8] and [EBP+C] in line 1 and 8, respectively. Next, explain what this snippet does.<br />
01: 8B 7D 08 mov edi, [ebp+8]<br />
02: 8B D7 mov edx, edi<br />
03: 33 C0 xor eax, eax<br />
04: 83 C9 FF or ecx, 0FFFFFFFFh<br />
05: F2 AE repne scasb<br />
06: 83 C1 02 add ecx, 2<br />
07: F7 D9 neg ecx<br />
08: 8A 45 0C mov al, [ebp+0Ch]<br />
09: 8B FA mov edi, edx<br />
10: F3 AA rep stosb<br />
11: 8B C2 mov eax, edx”<br />
<br />
[EBP+8] is pointing to a string.<br />
[ebp+0Ch] is pointing to a character.<br />
The above pointers are likely to be arguments passed into the function. <br />
<br />
Line 1-5 is check length of the string before it is NULL terminated. Count will be in ECX.<br />
Line 6-7 Prepare the count in ECX for use in the 2nd part of the function.<br />
Line 8-10 over write the string pointed by [ebp+8] with character pointed by [ebp+0Ch].<br />
Line 11 the pointer to the overwritten string is returned by Eax.<br />
<div>
<br /></div>
<div>
Feel free to leave comments on my answers. :)</div>
Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-5586618097598913345.post-78700846012415824122014-04-12T09:28:00.001+01:002014-04-12T09:29:22.696+01:00Practical Reverse EngineeringI finally received this long awaited <a href="http://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315" target="_blank">book</a> by some of the best people in the business of reverse engineering codes. I am going to take this book like a intermediate level text book for reverse engineering. I will also post my answers to the exercises from the book.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-_B2A9Sp_CsI/U0j5JFhasaI/AAAAAAAAAQc/vajNcMxfALo/s1600/Practical.Reverse.Engineering.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-_B2A9Sp_CsI/U0j5JFhasaI/AAAAAAAAAQc/vajNcMxfALo/s1600/Practical.Reverse.Engineering.jpg" height="320" width="255" /></a></div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-62145571429010546302012-04-18T06:39:00.003+01:002021-01-10T00:50:44.351+00:00How to find a vuln?Ok maybe before trying to write an exploit maybe I need to find a vuln first ? There are a few ways to go about doing this depending on your skill level.<br />
<br />
1. Use vulns that are found by others and published. Search the target application in the vulnerability database.<br />
<a href="http://www.cvedetails.com/">An collection of vulns from various sources</a><br />
<a href="http://cve.mitre.org/">A official source of vulns.</a><br />
<br />
2. Use a vulnerability scanner to scan the target application. Do note that no product is the best, all of them have their pros and cons, the more you know about the topic of vulnerability assessment the more you realise how limited they are.<br />
<a href="http://www.tenable.com/products/nessus">Nessus</a><br />
<a href="http://www.iss.net/">Internet Security Scanner</a><br />
<a href="http://www.rapid7.com/products/nexpose-community-edition.jsp">Nexpose</a><br />
<br />
3. Fuzzing the target application to find the vuln(s). Fuzzing is a complex topic and there are various books and papers published on this topic. Lets just say its easy to do fuzzing but its not easy to fuzz and find vulns.<br />
<a href="http://grey-corner.blogspot.com/2010_12_01_archive.html">A blog post on fuzzing by LUPIN</a><br />
<br />
4. Reverse Engineering(RE) the target application to find the vuln(s). Reverse Engineering is a very very complex topic. There are many sites and book on this topic. However, my short experince on RE tell me one thing, JUST DO IT. The more RE you do the better you get.<br />
<a href="http://www.openrce.org/articles/">Excellent site to find info on RE</a><br />
<br />
5. Source Code review. This method only work if you have access to the source code and you are able to understand the code very well. This method can take alot of time and its a challenge to be comprehensive.<br />
I have no experience in this but I know someone who is good at this. I will put a link to this blog on his thoughts for code review when he start blogging.Unknownnoreply@blogger.com7tag:blogger.com,1999:blog-5586618097598913345.post-5712242231028093042012-04-18T06:18:00.001+01:002012-04-18T06:40:56.850+01:00How to write an exploit ?I personally has heard many people asked "How to write an exploit ?" including myself. I begin my journey of answering this question. I can recommend the following sites which I rely on to guide me on this journey.<br />
<br />
<br />
<a href="http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html">A list to help people in process of learning exploit </a><br />
This an excellent place to start if you are a complete noob.<br />
<br />
<a href="http://www.corelan.be/index.php/category/security/exploit-writing-tutorials/">Corelan Exploit Writing Tutorials</a><br />
This site contains step by step guide to write exploits. Corelan provides additional theory and explanations needed to write exploits.<br />
<br />
<a href="http://grey-corner.blogspot.com/search/label/tutorial">Exploit writing tutorials by LUPIN</a><br />
This site contains step by step guide to write exploits. Another great source to go to learn how to write exploits<br />
<br />
<br />
<a href="https://code.google.com/p/it-sec-catalog/wiki/Exploitation">Wiki on writing exploits</a><br />
This wiki contains a lot of references on articles related to exploit writing. I don't recommend to start here if you are a complete noob.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5586618097598913345.post-58161921403499346612012-04-18T05:53:00.000+01:002012-04-18T05:53:34.040+01:00The road ahead....<div class="separator" style="clear: both; text-align: center;"><a href="http://ashleysclay.files.wordpress.com/2011/06/road-ahead.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://ashleysclay.files.wordpress.com/2011/06/road-ahead.jpg" width="320" /></a></div>This is the first blog post to document all my personal learnings on how to find vulns. My work is focused on vulns in Windows OS. I hope my blog can be contribute to the security community, whether you are a newbie wondering how to start or an expert who need a tip or two. I pray that my blog will be of help to you. God BlessUnknownnoreply@blogger.com0