binary analysis

Upload: dexter-givens-ii

Post on 03-Jun-2018


TRANSCRIPT

  • 8/12/2019 Binary Analysis

    1/20


    Binary Analysis Defined

    The examination of a file to determine its authenticity (is it what it claims to be?) and its functionality (what does it actually do?)


    Why Binary Analysis

    In an intrusion investigation, the unknown binary could be the key to the case

    It could be malicious, or it could be a benign, legitimate file

    Either way, for a case going to prosecution it is necessary to ensure thoroughness: every conclusion about the file must be reproducible from the evidence


    Conducted in Addition to

    Operating System Analysis

    Registry Analysis

    Process Analysis

    Reverse Engineering

    BINARY ANALYSIS IS ONLY ONE STEP IN THE PROCESS


    Steps in Binary Analysis

    Header

    Libraries

    Body

    Footer

    Strings

    Metadata

    Packers/Compressors


    File Header

    Signature analysis: check that the first bytes of the file match the format its name and extension claim

    File headers of interest

    4D 5A (MZ): the DOS/PE executable signature found at offset 0 of every Windows executable and DLL

    00 00 00 4D 5A (MZ): the same signature after leading bytes, i.e. an executable that does not start at offset 0 of the file


    File Libraries

    Compare the Dynamic Link Library (DLL) files the binary imports against known-good copies (by hash, not by file name)

    Attackers usually give Trojan files the same names as legitimate files


    File Body

    Compare a known-good copy of the file to the unknown file

    We are looking at the raw hex: a byte-for-byte comparison shows exactly where the two copies differ


    File Footer

    Compare the known file to the unknown file

    A VeriSign signature block or a hotfix tag such as "Hotfix 1234" at the end of the file is normally a good sign, but verify the signature itself rather than trusting that the text is present


    File Strings

    Compare a known file to the unknown file

    Command line: strings filename

    Sample output (Sysinternals strings run on a Windows executable):

    Strings v2.3 Copyright (C) 1999-2006 Mark Russinovich Sysinternals - www.sysinternals.com
    - script block
    VBScript
    !This program cannot be run in DOS mode.
    $Rich
    .text
    `.data
    .rsrc
    @.reloc
    B{N
    ADVAPI32.dll
    GDI32.dll
    KERNEL32.dll
    NTDLL.DLL
    MFC42.DLL
    msvcrt.dll
    ole32.dll
    OLEAUT32.dll
    USER32.dll


    File Strings Continued

    Compare the two string lists using a program like diff on Linux or cfdiff on Windows
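The string comparison on this slide and the DLL-name check on the File Libraries slide can be scripted. The following is an added example, not part of the original slides: a small Python reimplementation of `strings` (printable ASCII runs plus UTF-16LE runs, minimum length 4) that diffs the string tables of a known-good file and an unknown file and lists the DLL names that appear only in the unknown one. KNOWN, UNKNOWN and everything inside them are constructed test buffers, not real executables.

```python
import re


def _layout(parts):
    # Constructed test layout: terminate every string with two zero bytes so that
    # adjacent ASCII and UTF-16LE runs never merge into one false string.
    return b"\x00\x00".join(parts) + b"\x00\x00"


# Known-good copy (constructed): DOS stub text, three imported DLLs, one wide string.
KNOWN = _layout([
    b"MZ\x90\x00" + b"\x00" * 8,
    b"!This program cannot be run in DOS mode.\r\n$",
    b"KERNEL32.dll", b"ADVAPI32.dll", b"USER32.dll",
    "Installer".encode("utf-16-le"),
])

# Unknown copy (constructed): same, plus a socket DLL, a shell command and a URL.
UNKNOWN = _layout([
    b"MZ\x90\x00" + b"\x00" * 8,
    b"!This program cannot be run in DOS mode.\r\n$",
    b"KERNEL32.dll", b"ADVAPI32.dll", b"WS2_32.dll", b"USER32.dll",
    b"cmd.exe /c",
    "Installer".encode("utf-16-le"),
    "http://example.invalid/cb".encode("utf-16-le"),
])


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs followed by UTF-16LE runs, like `strings -n 4` on Windows."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def compare_strings(known: bytes, unknown: bytes, min_len: int = 4) -> dict:
    """Strings the unknown file contains that the known-good copy does not, and vice versa."""
    k = set(extract_strings(known, min_len))
    u = set(extract_strings(unknown, min_len))
    return {"added": sorted(u - k), "removed": sorted(k - u)}


DLL_RE = re.compile(r"[\w.-]+\.dll", re.I)


def referenced_dlls(data: bytes) -> list:
    """DLL names visible in the string table: a cheap proxy for the import list."""
    return sorted({s.lower() for s in extract_strings(data) if DLL_RE.fullmatch(s)})


def new_dlls(known: bytes, unknown: bytes) -> list:
    """DLLs the unknown file references that the known-good copy never did."""
    return sorted(set(referenced_dlls(unknown)) - set(referenced_dlls(known)))


if __name__ == "__main__":
    delta = compare_strings(KNOWN, UNKNOWN)
    print("strings only in unknown:", delta["added"])
    print("strings only in known:  ", delta["removed"])
    print("DLLs only in unknown:   ", new_dlls(KNOWN, UNKNOWN))
```

Run against real files by reading them with `open(path, "rb").read()` in place of KNOWN and UNKNOWN; the wide-string pass matters on Windows, where version information, registry paths and URLs are frequently stored as UTF-16 and invisible to an ASCII-only `strings`.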


    Metadata

    Data that is used to describe other data (version information, original file name, compiler and linker stamps)

    Metadata is usually stored as readable text, so strings or a PE viewer will show it; treat it as a clue, not proof, because it is trivial to forge


    Packers/Compressors

    Binary packers/compressors offer the attacker numerous advantages:

    1. Masks the contents of the file from our eyes (strings, imports and code are only visible after unpacking)

    2. Smaller files = faster uploads

    3. Can trick signature-based IDS/AV, because the packed bytes no longer match known signatures


    Types of Packers

    The most common type is UPX. A file packed with unmodified UPX is easily unpacked with the UPX toolkit (upx -d filename); attackers sometimes tamper with the UPX headers so that upx -d fails

    upx.sourceforge.net

    WinRAR is a good tool for extracting self-extracting (SFX) archive executables, which are archives wrapped in a stub rather than packed code
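Added example (not from the slides) tying the signature check on the File Header slide to the packer indicators above, in Python: it validates the MZ signature and the e_lfanew pointer to "PE\0\0", walks the section table, computes per-section entropy, and flags known packer section names, very high entropy and sections that are both writable and executable. `build_sample_pe`, its two section layouts and the packer-name list are constructed for the demonstration; the parser itself reads real PE files too. `find_pe_offsets` scans for an MZ header at a non-zero offset, which is my reading of the second header pattern on the File Header slide.

```python
import math
import random
import struct
from collections import Counter

# Section names used by well-known packers (illustrative list, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", "MPRESS1", "MPRESS2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for compressed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes, base: int = 0) -> dict:
    """Check the MZ and PE signatures at `base` and read the section table."""
    if data[base:base + 2] != b"MZ":
        raise ValueError("no MZ signature at offset %#x" % base)
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe_off = base + e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[base + raw_ptr:base + raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw), "characteristics": chars})
    return {"machine": machine, "sections": sections}


def find_pe_offsets(data: bytes) -> list:
    """Every offset holding an MZ header whose e_lfanew leads to a real PE signature,
    so an executable hidden behind leading bytes is found as well as one at offset 0."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        try:
            parse_pe(data, pos)
            hits.append(pos)
        except (ValueError, struct.error):
            pass
        pos = data.find(b"MZ", pos + 1)
    return hits


def packer_indicators(pe: dict) -> list:
    """Human-readable reasons to suspect the file is packed."""
    hits = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append("section name %s belongs to a known packer" % s["name"])
        if s["raw_size"] and s["entropy"] > 7.0:
            hits.append("section %s has entropy %.2f (compressed or encrypted)" % (s["name"], s["entropy"]))
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append("section %s is writable and executable (unpacking target)" % s["name"])
    return hits


def is_likely_packed(pe: dict) -> bool:
    return bool(packer_indicators(pe))


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 image (headers plus three sections, no real code), laid
    out either like a UPX-packed file or like an ordinary compiler-produced one."""
    rng = random.Random(1)
    if packed:
        layout = [(b"UPX0", 0x1000, b"", 0xE0000080),
                  (b"UPX1", 0x11000, bytes(rng.getrandbits(8) for _ in range(4096)), 0xE0000040),
                  (b".rsrc", 0x13000, b"A" * 256 + b"\0" * 256, 0xC0000040)]
    else:
        layout = [(b".text", 0x1000, b"\x55\x8b\xec\x90" * 1024, 0x60000020),
                  (b".data", 0x2000, b"\0" * 512, 0xC0000040),
                  (b".rsrc", 0x3000, b"A" * 256 + b"\0" * 256, 0x40000040)]
    opt_size = 0xE0                                  # PE32 optional header size
    headers_len = 0x40 + 24 + opt_size + 40 * len(layout)
    raw_base = (headers_len + 511) // 512 * 512      # file offset of the first section's data
    sec_hdrs, raw_blob = b"", b""
    for name, vaddr, raw, chars in layout:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, max(len(raw), 0x1000), vaddr, len(raw),
                                raw_base + len(raw_blob) if raw else 0, 0, 0, 0, 0, chars)
        raw_blob += raw
    image = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    image += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2) + sec_hdrs
    return image + b"\0" * (raw_base - len(image)) + raw_blob


if __name__ == "__main__":
    for label, img in (("packed", build_sample_pe(True)), ("plain", build_sample_pe(False))):
        pe = parse_pe(img)
        print(label, [(s["name"], round(s["entropy"], 2)) for s in pe["sections"]])
        print("  indicators:", packer_indicators(pe) or "none")
```

Entropy above 7 bits per byte is the signal that matters most in practice: a packer can rename its sections to ".text", but compressed or encrypted data cannot hide its randomness.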


    Static vs Runtime Analysis

    Static analysis examines the code without executing it (headers, imports, strings, disassembly)

    Runtime analysis executes the binary in a controlled environment and observes what it does


    Runtime Analysis

    Many things may happen when a file is run:

    1. Direct access to system resources (RAM, HDDs, etc.)

    2. Network libraries may be loaded and connections made

    3. Registry changes may be made

    4. May affect or disable other programs (including security tools)

    5. May open the system up for further attacks


    Sandbox

    A system that is isolated and can be closely monitored

    The best sandbox is a virtual machine:

    1. Easy to configure as needed, and to snapshot and revert

    2. No risk of harming production machines/networks, provided the VM has no network path to them

    3. Easy to pull the plug if something goes horribly wrong

    Caveat: some malware checks whether it is running in a virtual machine and behaves differently when it is


    Sandbox Continued

    Two good Windows virtual machine products

    VMware

    Virtual PC by Microsoft


    Sandbox Continued

    Need to monitor ports, registry, and new files added to the system

    1. Hash the virtual machine disk file (vmdk) before and after the run to prove whether anything changed

    2. Regmon from www.sysinternals.com to watch registry access

    3. ZoneAlarm from www.zonelabs.com to watch outbound connections, or

    4. Use fport, pslist, netstat, and psservice to list open ports, processes, connections and services
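The file-system part of that monitoring can be scripted: hashing the whole .vmdk only says whether the disk changed, while a per-file baseline says what changed. The following is an added Python example, not from the slides: snapshot every file under a root before the run, snapshot again afterwards, and report added, removed and modified paths. The directory tree, file names and the simulated side effects in demo() are constructed for the demonstration; ports and the registry are out of scope for this script.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map every regular file under root (relative POSIX-style path) to its SHA-256."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.is_symlink() or not p.is_file():
                continue
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            result[p.relative_to(root).as_posix()] = h.hexdigest()
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files the run added, removed or rewrote, by relative path."""
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "modified": sorted(p for p in common if before[p] != after[p])}


def demo() -> dict:
    """Constructed scenario: baseline a fake system root, simulate the side effects a
    sample might have (no real sample is run), snapshot again and report the difference."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = Path(root) / "Windows" / "System32"
        (sys32 / "drivers" / "etc").mkdir(parents=True)
        hosts = sys32 / "drivers" / "etc" / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        (sys32 / "kernel32.dll").write_bytes(b"MZ" + b"\0" * 64)   # stand-in, not a real DLL
        before = snapshot(root)
        # Simulated effects of running the unknown binary (constructed):
        hosts.write_text("127.0.0.1 localhost\n0.0.0.0 update.example.invalid\n")
        (sys32 / "svchost32.dll").write_bytes(b"MZ" + b"\0" * 64)  # dropped file with a legitimate-sounding name
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Take the baseline from a clean snapshot of the VM and store it outside the VM, since a sample that can write to the disk can also rewrite a baseline kept on it.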

    Running the Binary

    Run the binary in the sandbox

    With IDA Pro (www.datarescue.com) attached in the background you can capture what the binary does as it runs

    A debugger allows you to step through the code

    A disassembler allows you to create maps of the code's execution paths

    This gets into reverse engineering