Reverse Engineering - agz.es/Reverse-Engineering/Basic/ (© 2008 Security Awareness Korea)


Post on 31-Jan-2018


http://www.securitya.kr  © 2008 Security Awareness Korea

Reverse Engineering

Table of Contents (page numbers refer to the original document)

Module 1  What is RCE? .... 1
  1-1. What is RCE? .... 2
  1-2. RCE .... 4
  1-3. RCE .... 6
Module 2  RCE .... 9
  2-1. CPU .... 10
  2-2. CPU .... 12
  2-3. Assembly .... 17
  2-4. STACK .... 21
  2-5. (Calling Convention) .... 23
  2-6. SEH (Structured Exception Handling) .... 26
  2-7. C .... 34
  2-8. API .... 40
Module 3  PE .... 43
  3-1. PE .... 44
  3-2. DOS Header / DOS Stub Code .... 49
  3-3. PE File Header .... 51
  3-4. Optional Header .... 54
  3-5. Section Table .... 59
  3-6. Import Table .... 62
  3-7. Export Table .... 69
Module 4 .... 75
  4-1. .... 76
  4-2. CrackMe .... 84
  4-3. KeygenMe .... 94
Module 5  MUP (Manual UnPack) .... 101
  5-1. Packing / Unpacking .... 102
  5-2. Packing .... 103
  5-3. MUP .... 105
  5-4. MUP Ollydbg script .... 114
Module 6  Anti-Reverse .... 121
  6-1. .... 122
  6-2. BreakPoint .... 133
  6-3. TLS Callback .... 145
  6-4. Process Attach .... 150
Module 7 .... 155
  7-1. .... 156
  7-2. - shadowbot .... 173

Module 1  What is RCE?
Objectives

1-1. What is RCE?
Student Notes
(EXE, DLL, SYS) C
RCE? Reverse Code Engineering
PC, HEX
C; VC, gcc ()
CPU
VC, VB, () C
VB ()

1-2. RCE
Student Notes
12 2 ()
1 1
1. 3
2.
[2001.1.16] [2001.7.17] RCE (Competition) (Copyright law)
The Digital Millennium Copyright Act (DMCA)
RIAA / Felten
ebook
SunnComm CD

2001.1.16, 2001.7.17; 2000; 2001
DMCA (The Digital Millennium Copyright Act)
DMCA: HTML, ...
DMCA / Sony-BMG: Sony-BMG CD "(root kit)"; Secure Digital Music Initiative (SDMI); SDMI
SunnComm CD: SunnComm; SunnComm
pdf; pdf

1-3. RCE
Student Notes
/ ; / ( )
exe PC; PC PC
RCE DRM RCE
DRM; DRM
API

Module 2  RCE
Objectives
  CPU
  CPU /
  STACK
  (Calling Convention)
  SEH (Structured Exception Handling)
  C
  API

2-1. CPU
Student Notes
CPU: (ALU: arithmetic logic unit), (control unit)
[Figure: CPU block diagram. CPU (Central Processing Unit) = BUS Interface, ALU (Arithmetic Logic Unit), Control Unit, Register Set; Memory and the I/O devices (Keyboard, Monitor, NIC, HDD) attach over the BUS.]
CPU Control Unit / ALU
ALU (): (,) (, ,)
Register: -

2-2. CPU
Student Notes
CPU registers: general-purpose, segment, EFLAGS, EIP
32-bit (4 bytes); 16-bit and 8-bit sub-registers
CPU Register
00000000 - FFFFFFFF
(General-Purpose Register)
General-purpose registers:
  EAX (Extended Accumulator Register)
  EBX (Extended Base Register): DS ( )
  ECX (Extended Counter Register)
  EDX (Extended Data Register)
  ESI (Extended Source Index)
  EDI (Extended Destination Index)
  ESP (Extended Stack Pointer): stack TOP
  EBP (Extended Base Pointer)

Segment registers (16-bit):
  CS : code -
  SS : stack -
  DS : data
  ES :
  FS/GS :
IA32 memory models: Flat, Segmented; Segmented

EFLAGS
EFLAGS: bits 1, 3, 5, 15 and 22 - 31 are reserved.
LAHF, SAHF, PUSHF, PUSHFD, POPF, POPFD (EAX / stack); bit instructions BT, BTS, BTR, BTC
Status Flags (set by ADD, SUB, MUL, DIV):
  CF (bit 0)  Carry flag    - 0: no carry/borrow  - 1: carry/borrow
  PF (bit 2)  Parity flag
  AF (bit 4)  Adjust flag
  ZF (bit 6)  Zero flag     - 0: result is not 0  - 1: result is 0
  SF (bit 7)  Sign flag
  OF (bit 11) Overflow flag - 0: no overflow  - 1: overflow ( )
Control Flags:
  DF (bit 10) Direction flag
System Flags:
  TF (bit 8)        Trap flag
  IF (bit 9)        Interrupt enable flag
  IOPL (bit 12, 13) I/O privilege level field
  NT (bit 14)       Nested task flag
  RF (bit 16)       Resume flag
  VM (bit 17)       Virtual-8086 mode flag
  AC (bit 18)       Alignment check flag
  VIF (bit 19)      Virtual interrupt flag
  VIP (bit 20)      Virtual interrupt pending flag
  ID (bit 21)       Identification flag
ZF, OF, CF are the ones used most in reversing.

EIP
16-bit mode: EIP (upper 16 bits 0); 32-bit mode: full EIP
EIP is changed by CALL, JMP, RET and the other control-transfer instructions.

2-3. Assembly
Student Notes
Assembly instruction groups:
  Arithmetic Instruction
  Data Transfer Instruction
  Logical Instruction
  String Instruction
  Control Transfer Instruction
  Processor Control Instruction

Arithmetic Instruction
  ADD, SUB, ADC, SBB, CMP
  INC (+1), DEC (-1), NEG (2's complement)
  AAA (AL, unpacked decimal), DAA (AL, packed decimal), AAS (AL, unpacked decimal), DAS (AL, packed decimal)
  MUL (AX -> AX / DX:AX), IMUL, AAM (AX, unpacked decimal)
  DIV (AX / DX:AX)
  (DIV: quotient in AL / AX, remainder in AH / DX)
  IDIV, AAD (AX, unpacked decimal)
  CBW (AL -> AX), CWD (AX -> DX:AX)

Data Transfer Instruction
  MOV, PUSH, POP, XCHG
  XLAT (BX:AL -> AL), LEA
  LDS (REG <- (MEM), DS <- (MEM+2)), LES (REG <- (MEM), ES <- (MEM+2))
  LAHF (flags -> AH), SAHF (AH -> flags), PUSHF, POPF

Logical Instruction
  NOT (1's complement)
  SHL/SAL (shift left, fill with 0), SHR (shift right, fill with 0), SAR (arithmetic shift right)
  ROL/ROR (rotate), RCL/RCR (rotate through carry)
  AND, TEST (AND without storing the result), OR, XOR

String Instruction
  REP (repeat while CX != 0)
  MOVS (DS:SI -> ES:DI), CMPS (DS:SI vs ES:DI), SCAS (AL/AX vs ES:DI), LODS (DS:SI -> AL/AX), STOS (AL/AX -> ES:DI)

Control Transfer Instruction
  CALL, JMP, RET (CALL pushes the return address, RET pops it)
  JE/JZ        ZF=1 (result 0)
  JL/JNGE      SF != OF (signed)
  JB/JNAE      CF=1 (unsigned)
  JLE/JNG      ZF=1 or SF != OF (signed)
  JBE/JNA      CF=1 or ZF=1 (unsigned)
  JP/JPE       PF=1
  JO           OF=1
  JS           SF=1
  JC           CF=1
  JNE/JNZ      ZF=0
  JNL/JGE      SF=OF (signed)
  JNB/JAE      CF=0 (unsigned)
  JNLE/JG      ZF=0 and SF=OF (signed)
  JNBE/JA      CF=0 and ZF=0 (unsigned)
  JNP/JPO      PF=0
  JNO          OF=0
  JNS          SF=0
  JNC          CF=0
  LOOP         CX -= 1, jump while CX != 0
  LOOPZ/LOOPE    CX != 0 and ZF=1
  LOOPNZ/LOOPNE  CX != 0 and ZF=0
  JCXZ         CX=0
  INT, INTO, IRET ()

Processor Control Instruction
  CLC, CMC, CLD, CLI, HLT, STC, NOP, STD, STI, WAIT, ESC

2-4. STACK
Student Notes
PUSH / POP; LIFO (Last In First Out)
  Full Stack: TOP points at the last PUSHed item
  Empty Stack: TOP points at the next free slot
  Ascending Stack
  Descending Stack
STACK
x86 uses a Full Descending Stack; ESP is the TOP.
EBP, ESP, EIP: EBP / ESP frame; ESP TOP; EIP
F1 func1; func1 func1; func1 func2

2-5. (Calling Convention)
Student Notes
(Stack Frame)
(Calling Convention)
  Argument passing   Stack: C, cdecl, stdcall, Pascal / Register: fastcall
  Argument order     Right to Left: cdecl, stdcall / Left to Right
  Stack Clearing     Caller: cdecl / Callee: stdcall
  Return Value
__stdcall, __cdecl, __fastcall
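The EFLAGS table in 2-2 and the conditional-jump table in 2-3 are easiest to internalize by computing them. The following is an added example (not code from the original course material): it derives CF, ZF, SF, OF and PF for a CMP/SUB exactly as the document defines them and then evaluates every Jcc condition from the Control Transfer table against those flags, so one can see why CMP 5, 7 takes both JB and JL while CMP 80000000h, 1 takes JL but not JB. The function names (flags_after_sub, jcc_taken, taken_after_cmp) are this example's own.

```python
"""x86 status flags after CMP/SUB and the conditional jumps they drive.

Constructed example modelling the CF/ZF/SF/OF/PF definitions and the Jcc
conditions listed in the course tables; not code from the original page.
"""


def flags_after_sub(a, b, bits=32):
    """Status flags x86 sets for SUB a, b (CMP is the same subtraction without storing the result)."""
    mask = (1 << bits) - 1
    sign = 1 << (bits - 1)
    a &= mask
    b &= mask
    result = (a - b) & mask
    cf = int(a < b)                                       # CF: unsigned borrow out of the top bit
    zf = int(result == 0)                                 # ZF: result is zero
    sf = int((result & sign) != 0)                        # SF: top bit of the result
    of = int(((a ^ b) & (a ^ result) & sign) != 0)        # OF: operands differ in sign and result sign != sign of a
    pf = int(bin(result & 0xFF).count("1") % 2 == 0)      # PF: low byte has an even number of 1 bits
    return {"CF": cf, "ZF": zf, "SF": sf, "OF": of, "PF": pf, "result": result}


# Jump conditions exactly as the Control Transfer Instruction table states them.
JCC = {
    "JE/JZ":       lambda f: f["ZF"] == 1,
    "JNE/JNZ":     lambda f: f["ZF"] == 0,
    "JL/JNGE":     lambda f: f["SF"] != f["OF"],
    "JNL/JGE":     lambda f: f["SF"] == f["OF"],
    "JLE/JNG":     lambda f: f["ZF"] == 1 or f["SF"] != f["OF"],
    "JNLE/JG":     lambda f: f["ZF"] == 0 and f["SF"] == f["OF"],
    "JB/JNAE/JC":  lambda f: f["CF"] == 1,
    "JNB/JAE/JNC": lambda f: f["CF"] == 0,
    "JBE/JNA":     lambda f: f["CF"] == 1 or f["ZF"] == 1,
    "JNBE/JA":     lambda f: f["CF"] == 0 and f["ZF"] == 0,
    "JP/JPE":      lambda f: f["PF"] == 1,
    "JNP/JPO":     lambda f: f["PF"] == 0,
    "JO":          lambda f: f["OF"] == 1,
    "JNO":         lambda f: f["OF"] == 0,
    "JS":          lambda f: f["SF"] == 1,
    "JNS":         lambda f: f["SF"] == 0,
}


def jcc_taken(mnemonic, flags):
    """True if the conditional jump `mnemonic` (e.g. "JB", "JGE") is taken for `flags`."""
    for names, cond in JCC.items():
        if mnemonic.upper() in names.split("/"):
            return bool(cond(flags))
    raise ValueError(f"unknown conditional jump {mnemonic}")


def taken_after_cmp(a, b, bits=32):
    """Sorted list of every Jcc group that would be taken after CMP a, b."""
    f = flags_after_sub(a, b, bits)
    return sorted(name for name, cond in JCC.items() if cond(f))


if __name__ == "__main__":
    # CMP 5, 7: below as unsigned (CF=1) and less as signed (SF != OF)
    print(flags_after_sub(5, 7), taken_after_cmp(5, 7))
    # CMP 80000000h, 1: large as unsigned (CF=0) but INT_MIN as signed (SF=0, OF=1)
    print(flags_after_sub(0x80000000, 1), taken_after_cmp(0x80000000, 1))
```

When a crackme's password check ends in CMP followed by JNZ or JB, the table lookup above is exactly the decision the debugger shows at the jump; reading the flags in OllyDbg's register pane and applying these rules tells you which branch will be taken before you step over it.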
Frame Pointer (Base Pointer): EBP
Five calling conventions (stdcall, cdecl, thiscall, fastcall, naked); stdcall and cdecl are the ones that matter most here.

__stdcall
stdcall is the convention of the Win32 API. The callee (Callee) removes the arguments from the stack; the return value is in eax.
    call ...
    ret n

__cdecl
cdecl is the default for C and C++. The caller (Caller) removes the arguments from the stack; the return value is in eax.
    call ...
    add esp, n

stdcall vs cdecl: with stdcall the callee (Callee) clears the arguments; with cdecl the caller (Caller) clears them.

2-6. SEH (Structured Exception Handling)
Student Notes
SEH (Structured Exception Handling)
FS:[0] points into the TIB; the TIB holds the pointer to the first ERR (Exception Registration Record). Each ERR holds the pointer to the next ERR and an Exception Handler.
  TIB (Thread Information Block): per thread
  ERR: Next ERR, Exception Handler
[Figure: SEH chain. FS:[0] -> TIB -> ERR -> ... -> ERR with NEXT = FFFFFFFF; each ERR = NEXT pointer + SEH handler address.]

Exception Handler prototype:
    EXCEPTION_DISPOSITION __cdecl _except_handler(
        struct _EXCEPTION_RECORD *ExceptionRecord,
        void *EstablisherFrame,
        struct _CONTEXT *ContextRecord,
        void *DispatcherContext);

_CONTEXT: if the handler returns 0 in EAX (ret), execution continues with the (possibly modified) context.
CONTEXT layout (offsets in hex):
  +0   ContextFlags (see the GetThreadContext API)
  +4   debug register #0
  +8   debug register #1
  +C   debug register #2
  +10  debug register #3
  +14  debug register #6
  +18  debug register #7
  FPU / MMX state:
  +1C  ControlWord
  +20  StatusWord
  +24  TagWord
  +28  ErrorOffset
  +2C  ErrorSelector
  +30  DataOffset
  +34  DataSelector
  +38  FP registers * 8 (10 bytes each)
  +88  Cr0NpxState
  +8C  gs register
  +90  fs register
  +94  es register
  +98  ds register
  +9C  edi register
  +A0  esi register
  +A4  ebx register
  +A8  edx register
  +AC  ecx register
  +B0  eax register
  +B4  ebp register
  +B8  eip register
  +BC  cs register
  +C0  eflags register
  +C4  esp register
  +C8  ss register
Winnt.h EXCEPTION_RECORD:
    typedef struct _EXCEPTION_RECORD {
        DWORD ExceptionCode;
        DWORD ExceptionFlags;
        struct _EXCEPTION_RECORD *ExceptionRecord;
        PVOID ExceptionAddress;
        DWORD NumberParameters;
        UINT_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
    } EXCEPTION_RECORD;

ExceptionCode:
  C0000005h : Read/Write access violation
  C0000094h : integer divide by 0
  C0000095h : DIV overflow
  C00000FDh : stack overflow
  80000001h : Guard Page violation
  C0000025h : noncontinuable Exception
  C0000026h : invalid disposition from the handler (bad ExceptionCode)
  80000003h : INT3 breakpoint
  80000004h : single-step Trap
ExceptionFlags:
  0 : continuable Exception
  1 : noncontinuable Exception
  2 : Unwinding
SEH in practice:

Ollydbg: View -> SEH chain, or look at the Stack window. The ERR shows Next SEH = 0007FFE0 and handler = 00B13313, so 00B13313 is the SEH handler.
Press Shift + F9 to pass the exception to the program; Shift + F9 again and execution reaches 00B13313. At that point the four handler arguments (ExceptionRecord, EstablisherFrame, Context, DispatchContext) are on the stack:
    0007FBC8  7C968752  RETURN to ntdll.7C968752   // Return address
    0007FBCC  0007FCA8                              // ExceptionRecord
    0007FBD0  0007FF90                              // EstablisherFrame (the ERR)
    0007FBD4  0007FCC4                              // Context
    0007FBD8  0007FC84                              // DispatchContext
At 00B13321 the code does JMP SHORT 00B13324; the bytes at 00B13324 are filled with NOP (0x90) (edit with CTRL + E) so that Ollydbg disassembles the target correctly.

The SEH handler itself:
    /*B13313*/ PUSH 0B1331C
    /*B13318*/ INC DWORD PTR SS:[ESP]
    /*B1331B*/ RETN
    /*B1331C*/ NOP
PUSH 0B1331C followed by INC [ESP] adds 1 to the pushed address, so RETN jumps to 0B1331D, not 0B1331C.
    /*B1331D*/ MOV EAX,DWORD PTR SS:[ESP+C]
ESP+C (0007FBD4) holds the Context pointer 0007FCC4, so EAX now points at the CONTEXT.
    /*B13321*/ JMP SHORT 00B13324
    /*B13324*/ ADD DWORD PTR DS:[EAX+B8],2
EAX+B8 is CONTEXT.Eip: the handler adds 2 to the EIP that will be resumed.
    /*B1332B*/ JMP SHORT 00B13347
The bytes between B1332D and B13347 are junk that is never executed:
    /*B1332D*/ MOV ESP,EBE817EB
    /*B13332*/ ADC AL,0E8
    /*B13334*/ JMP SHORT 00B13347
    /*B13336*/ CALL EC994226
    /*B1333B*/ OR EBP,EAX
    /*B1333D*/ JMP SHORT 00B13347
    /*B1333F*/ INT 20
    /*B13341*/ JMP SHORT 00B13347
    /*B13347*/ XOR EAX,EAX
    /*B13349*/ RETN
XOR EAX,EAX returns 0 from the SEH handler, so the system resumes the thread at the modified EIP. Press F9 to continue. SEH.
Summary: the SEH handler changes EIP. An SEH handler that adds 2 to EIP and then returns 0 (XOR EAX, EAX) makes execution resume two bytes past the faulting instruction.

2-7. C
Student Notes
C constructs and their assembly: for, while, if; String functions strcpy, strcmp, strlen.

Example #1. for
    #include <stdio.h>

    main(int argc, char *argv[])
    {
        int i = 0;
        int sum = 0;
        for (i = 0; i
Addresses in the disassembly: 0040103D, 00401048 (CMP), 00401059, 00401057, 0040103F.

Example #2. if, strcpy, strcmp, strlen
if combined with strcpy, strcmp and strlen:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char src[] = "ForEducationbydemantos";
        char *dst = (char *)malloc(30 * sizeof(char));
        int cnt = 0;

        printf("Input the password : ");
        fgets(dst, 30, stdin);
        dst[strlen(dst) - 1] = '\0';      /* drop the trailing newline */

        if (strlen(dst) != strlen(src)) {
            printf("Not match!!\n");
            exit(0);
        } else {
            if (!strcmp(dst, src)) {
                printf("Good\n");
                exit(0);
            } else {
                printf("Not match!!\n");
            }
            exit(0);
        }
    }

Four parts to look at. EAX after the first call (F8 over it): EAX holds the length. 0040109E and 004010B9: Not match!!. (004010B9) EAX and EDX are the strcmp arguments; step into strcmp with F7. 4.
Inside strcmp: SHR. 0x10 is 16 (decimal): 16-byte blocks, 2 / 4. 4 bytes compared at a time in ECX / EDX, 4 4. F8. RETN, CTRL+F8. 4.

Example #3. while
    #include <stdio.h>
    #include <conio.h>

    int main(void)
    {
        char ch;
        ch = getche();
        while (ch != 'q') {
            ch = getche();
        }
        printf("found the q");
        return 0;
    }
getche reads keys until q is typed, then prints "found the q". The while loop is the block 00401034 - 00401043. In the Hex dump, the arrows v ^ , > mark the jumps.

2-8. API
Student Notes
exe API: which API functions a program imports tells a lot about what it does. API, API. , , , , .
API functions worth recognizing:
  File:     CreateFile, ReadFile, WriteFile, SetFilePointer, CopyFile, GetFileAttribute, SetFileAttribute, FindFirstFile, FindNextFile, GetModuleFileName, GetSystemDirectory, GetWindowsDirectory, GetCommandLine, SetCurrentDirectory
  Registry: RegCreateKey, RegOpenKeyEx, RegSetValueEx, RegQueryValueEx
  Network:  WSAStartup, WSAAPI socket, recv, send, listen, accept, gethostbyname, ntohs, inet_addr, WNetOpenEnum, WNetEnumResource, InternetGetConnectedState, ioctlsocket
  Memory:   RtlZeroMemory, GlobalAlloc
  Other:    ShellExecute, GetProcAddress, CreateThread

  CreateFile : open / create a file
  ReadFile : read from a file
  WriteFile : write to a file
  SetFilePointer : move the file pointer
  CopyFile : copy a file
  GetFileAttribute : get file attributes
  SetFileAttribute : set file attributes
  FindFirstFile : start a directory search
  FindNextFile : continue a FindFirstFile search
  GetModuleFileName : path of the running module
  GetSystemDirectory : system directory
  GetWindowsDirectory : Windows directory
  GetCommandLine : commandline
  SetCurrentDirectory : change the current directory
  RegCreateKey : create a registry key
  RegOpenKeyEx : open a registry key
  RegSetValueEx : set a registry value
  RegQueryValueEx : read a registry value
  WSAStartup : initialize WS2_32.DLL
  socket : create a socket
  recv : receive
  send : send
  listen : listen
  accept : accept a connection
  gethostbyname : resolve a host name
  ntohs : network byte order -> host byte order
  inet_addr : string -> IN_ADDR
  WNetOpenEnum : enumerate network resources
  WNetEnumResource : continue a WNetOpenEnum enumeration
  InternetGetConnectedState : is the Internet reachable
  ioctlsocket : socket I/O control
  RtlZeroMemory : fill memory with 0
  GlobalAlloc : allocate from the Heap
  ShellExecute : run a program / open a document
  GetProcAddress : address of a function in a DLL
  CreateThread : create a thread
Details for each function: WIN32.HLP.

Module 3  PE
Objectives
  PE
  DOS Header / DOS Stub Code
  PE File Header
  Optional Header
  Section Tables
  Import Table
  Export Table

3-1. PE
Student Notes
PE (Portable Executable File Format): (File) (Portable) (Executable) (Format).
Win32 executables are PE files: EXE files are PE, DLL files are PE. PE is the Win32 executable format, and it is the same on every CPU Win32 runs on.
The Win32 Platform SDK header Winnt.h defines the PE structures.
[Figure: PE layout on DISK and in MEMORY. DOS Header, DOS Stub Code, PE Header (24 bytes + optional header 224 bytes = 248 bytes), Section Table (40 bytes x number of sections), Section #1, Section #2, ..., Section #n; in memory the image is loaded at ImageBase.]

(Image) PE. PE.
A PE file consists of: DOS Header, DOS Stub Code, PE Header, Section Table, Sections.
DOS Header: the PE file starts with a DOS header. ImageBase: DOS, ImageBase. Stud_PE. ImageBase 0x01000000.
The DOS header starts with 4D 5A (MZ). MZ stands for Mark Zbikowski, a DOS developer.

PE Header: PE, PE. The optional header holds ImageBase, , , , PE, . The PE header is found through the DOS header's e_lfanew field; e_lfanew is the 4-byte value at the end of the DOS header.
Section Table: , , , . PE, PE, PE. The PE header is 248 bytes; each section table entry is 40 bytes, so 4 sections take 40 bytes * 4 = 160 bytes. Section. VirtualAddress and PointerToRawData. offset.
.text: offset 0x400, so .text starts at file offset 0x400. Winhex 0x400. PointerToRawData.
.text VirtualAddress: VirtualAddress 0x1000 is the offset from ImageBase; this offset is the RVA (Relative Virtual Address). In memory .text is at ImageBase + VirtualAddress = 0x01001000. 0x01001000 HEX.
.text 493AD377; .text FAF4F377. PE. SectionAlignment and FileAlignment. Optional Header. FileAlignment / SectionAlignment.

3-2. DOS Header / DOS Stub Code
Student Notes
DOS Header: DOS. The PE file begins with the 64-byte DOS header. Its important fields are the 2-byte e_magic and the 4-byte e_lfanew. Winnt.h IMAGE_DOS_HEADER:
[Figure: DOS Header (IMAGE_DOS_HEADER, 64 bytes, starts with MZ) and DOS Stub Code; e_lfanew points at the PE signature, which is followed by PE File Header, Optional Header, Section Table, Section #1 ... Section #n.]

    typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
        WORD   e_magic;                     // Magic number
        WORD   e_cblp;                      // Bytes on last page of file
        WORD   e_cp;                        // Pages in file
        WORD   e_crlc;                      // Relocations
        WORD   e_cparhdr;                   // Size of header in paragraphs
        WORD   e_minalloc;                  // Minimum extra paragraphs needed
        WORD   e_maxalloc;                  // Maximum extra paragraphs needed
        WORD   e_ss;                        // Initial (relative) SS value
        WORD   e_sp;                        // Initial SP value
        WORD   e_csum;                      // Checksum
        WORD   e_ip;                        // Initial IP value
        WORD   e_cs;                        // Initial (relative) CS value
        WORD   e_lfarlc;                    // File address of relocation table
        WORD   e_ovno;                      // Overlay number
        WORD   e_res[4];                    // Reserved words
        WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
        WORD   e_oeminfo;                   // OEM information; e_oemid specific
        WORD   e_res2[10];                  // Reserved words
        LONG   e_lfanew;                    // File address of new exe header
    } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

e_magic is the DOS signature 4D 5A (MZ). e_lfanew is the file offset of the PE header.
DOS Stub Code: the small DOS program that prints "This program cannot be run in DOS mode". STUB.

3-3. PE File Header
Student Notes
Winnt.h IMAGE_NT_HEADERS:
    typedef struct _IMAGE_NT_HEADERS {
        DWORD Signature;
        IMAGE_FILE_HEADER FileHeader;
        IMAGE_OPTIONAL_HEADER32 OptionalHeader;
    } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
IMAGE_NT_HEADERS is the PE header: the signature, IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER.
The PE signature is 50 45 00 00. IMAGE_FILE_HEADER is 20 bytes. IMAGE_OPTIONAL_HEADER is 224 bytes.
[Figure: PE File Header. PE signature "PE\0\0" (4 bytes) followed by IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.]

Data Directory: the Data Directory is part of the Optional header.
Winnt.h IMAGE_FILE_HEADER:
    typedef struct _IMAGE_FILE_HEADER {
        WORD  Machine;
        WORD  NumberOfSections;
        DWORD TimeDateStamp;
        DWORD PointerToSymbolTable;
        DWORD NumberOfSymbols;
        WORD  SizeOfOptionalHeader;
        WORD  Characteristics;
    } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
Winhex: the PE header is found from the DOS header's e_lfanew; the File header starts 4 bytes after it (after the signature).
  Machine : CPU ID. IA32 is 0x14C, IA64 is 0x200.
  NumberOfSections : number of sections.
  SizeOfOptionalHeader : size of the optional header. 224 bytes, of which the data directory is 96 bytes.
  Characteristics : file attributes. 0x10F in the example. Defined in Winnt.h:
    #define IMAGE_FILE_RELOCS_STRIPPED           0x0001
    #define IMAGE_FILE_EXECUTABLE_IMAGE          0x0002
    #define IMAGE_FILE_LINE_NUMS_STRIPPED        0x0004
    #define IMAGE_FILE_LOCAL_SYMS_STRIPPED       0x0008
    #define IMAGE_FILE_AGGRESIVE_WS_TRIM         0x0010
    #define IMAGE_FILE_LARGE_ADDRESS_AWARE       0x0020
    #define IMAGE_FILE_BYTES_REVERSED_LO         0x0080
    #define IMAGE_FILE_32BIT_MACHINE             0x0100
    #define IMAGE_FILE_DEBUG_STRIPPED            0x0200
    #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP   0x0400
    #define IMAGE_FILE_NET_RUN_FROM_SWAP         0x0800
    #define IMAGE_FILE_SYSTEM                    0x1000
    #define IMAGE_FILE_DLL                       0x2000
    #define IMAGE_FILE_UP_SYSTEM_ONLY            0x4000
    #define IMAGE_FILE_BYTES_REVERSED_HI         0x8000
  0x10F = IMAGE_FILE_RELOCS_STRIPPED (0x0001) + IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) + IMAGE_FILE_LINE_NUMS_STRIPPED (0x0004) + IMAGE_FILE_LOCAL_SYMS_STRIPPED (0x0008) + IMAGE_FILE_32BIT_MACHINE (0x0100).

3-4. Optional Header
Student Notes
The Optional header is the most important part of the PE header: it has about 30 fields, only some of which matter for reversing. Winnt.h IMAGE_OPTIONAL_HEADER:
[Figure: Optional Header (IMAGE_OPTIONAL_HEADER, 224 bytes): Magic, ..., AddressOfEntryPoint, ImageBase, SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders, ..., NumberOfRvaAndSizes, then the Data Directory (128 bytes): IMAGE_DATA_DIRECTORY #0 ... #15.]

    typedef struct _IMAGE_OPTIONAL_HEADER {
        WORD  Magic;
        BYTE  MajorLinkerVersion;
        BYTE  MinorLinkerVersion;
        DWORD SizeOfCode;
        DWORD SizeOfInitializedData;
        DWORD SizeOfUninitializedData;
        DWORD AddressOfEntryPoint;
        DWORD BaseOfCode;
        DWORD BaseOfData;
        DWORD ImageBase;
        DWORD SectionAlignment;
        DWORD FileAlignment;
        WORD  MajorOperatingSystemVersion;
        WORD  MinorOperatingSystemVersion;
        WORD  MajorImageVersion;
        WORD  MinorImageVersion;
        WORD  MajorSubsystemVersion;
        WORD  MinorSubsystemVersion;
        DWORD Win32VersionValue;
        DWORD SizeOfImage;
        DWORD SizeOfHeaders;
        DWORD CheckSum;
        WORD  Subsystem;
        WORD  DllCharacteristics;
        DWORD SizeOfStackReserve;
        DWORD SizeOfStackCommit;
        DWORD SizeOfHeapReserve;
        DWORD SizeOfHeapCommit;
        DWORD LoaderFlags;
        DWORD NumberOfRvaAndSizes;
        IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
Winhex.
  Magic : identifies the optional header type. 0x10B for a 32-bit optional header.
  AddressOfEntryPoint : where execution of the PE starts. It is an RVA, i.e. relative to ImageBase.
  ImageBase : preferred load address of the PE. EXE ImageBase / DLL ImageBase; a DLL may be relocated. Default 0x00400000 for an EXE, 0x10000000 for a DLL.
  SectionAlignment : alignment of sections in memory. Usually 0x1000 (4096 bytes).
  FileAlignment : alignment of sections in the file. Usually 0x200 (512 bytes); must be a power of 2.
  SizeOfImage : size of the PE in memory, a multiple of SectionAlignment.
  SizeOfHeaders : size of all headers, a multiple of FileAlignment.

Data Directory
The last 128 bytes of the Optional header are the IMAGE_DATA_DIRECTORY array. Winnt.h:
    typedef struct _IMAGE_DATA_DIRECTORY {
        DWORD VirtualAddress;
        DWORD Size;
    } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

    #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16

NumberOfRvaAndSizes in the Optional header is 16. Each entry gives the location (VirtualAddress, an RVA) and the Size of one table in the PE, such as the Export table or Import table. Of the 16 entries the 16th is always 0x00, so 15 are usable.
  IMAGE_DIRECTORY_ENTRY_EXPORT : EXPORT table. Used by DLLs that export functions.
  IMAGE_DIRECTORY_ENTRY_IMPORT : IMPORT table.
  IMAGE_DIRECTORY_ENTRY_BASERELOC : base relocations.
  IMAGE_DIRECTORY_ENTRY_TLS : Thread Local Storage. Holds the TLS Callback.
  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT : bound DLL imports.
  IMAGE_DIRECTORY_ENTRY_IAT : the Import Address Table (IAT). The DLL function addresses are written into the IAT.
  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT : delay-load imports.

3-5. Section Table
Student Notes
The section table is an array of IMAGE_SECTION_HEADER. Each section has its own attributes (code, data, read/write); accessing a section contrary to its attributes raises an access violation. , , , .
[Figure: Section Table following the Optional Header. For each of Section #1, Section #2, ..., Section #n: Name, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics.]
Winnt.h IMAGE_SECTION_HEADER:
    typedef struct _IMAGE_SECTION_HEADER {
        BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
        union {
            DWORD PhysicalAddress;
            DWORD VirtualSize;
        } Misc;
        DWORD VirtualAddress;
        DWORD SizeOfRawData;
        DWORD PointerToRawData;
        DWORD PointerToRelocations;
        DWORD PointerToLinenumbers;
        WORD  NumberOfRelocations;
        WORD  NumberOfLinenumbers;
        DWORD Characteristics;
    } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
Winhex.
  Name : section name, 8 bytes. A name shorter than 8 bytes is NULL padded; a name of exactly 8 bytes has no terminator.
  VirtualAddress : address of the section in memory (an RVA).
  SizeOfRawData : size of the section in the file, a multiple of FileAlignment.
  PointerToRawData : offset of the section in the file.
  Characteristics : section attributes.
PointerToRawData / SizeOfRawData / VirtualAddress are the fields used to translate between file offsets and RVAs. Characteristics.
3-6. Import Table
Student Notes
The Import table lists the DLLs and functions a PE uses, e.g. USER32.DLL and KERNEL32.DLL. When a DLL is loaded for an EXE, the DLL's functions are resolved through the Import Table. It is usually in the PE's .idata section. It is an array of IMAGE_IMPORT_DESCRIPTOR, one per DLL, terminated by a NULL entry.
[Figure: IMAGE_DIRECTORY_ENTRY_IMPORT (VirtualAddress, Size) -> IMPORT TABLE of IMAGE_IMPORT_DESCRIPTOR entries (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk), NULL terminated. For each DLL (USER32.DLL, KERNEL32.DLL): OriginalFirstThunk -> ILT (IMAGE_THUNK_DATA array), FirstThunk -> IAT (IMAGE_THUNK_DATA array); each entry -> IMAGE_IMPORT_BY_NAME (hint, func1). Binding.]

Winnt.h IMAGE_IMPORT_DESCRIPTOR:
    typedef struct _IMAGE_IMPORT_DESCRIPTOR {
        union {
            DWORD Characteristics;
            DWORD OriginalFirstThunk;
        };
        DWORD TimeDateStamp;
        DWORD ForwarderChain;
        DWORD Name;
        DWORD FirstThunk;
    } IMAGE_IMPORT_DESCRIPTOR;
  OriginalFirstThunk : RVA of the ILT (Import Lookup Table). The ILT is an array of IMAGE_THUNK_DATA; each IMAGE_THUNK_DATA points at an IMAGE_IMPORT_BY_NAME.
  TimeDateStamp : 0, or -1 when bound.
  ForwarderChain : 0 or -1.
  Name : RVA of the DLL name.
  FirstThunk : RVA of the IAT (Import Address Table). The IAT is an array of IMAGE_THUNK_DATA like the ILT. After the PE is loaded and the DLL mapped, the IAT holds the function addresses.

IMAGE_THUNK_DATA:
    typedef struct _IMAGE_THUNK_DATA32 {
        union {
            PBYTE  ForwarderString;
            PDWORD Function;
            DWORD  Ordinal;
            PIMAGE_IMPORT_BY_NAME AddressOfData;
        } u1;
    } IMAGE_THUNK_DATA32;
IMAGE_THUNK_DATA is used for both the ILT and the IAT.
  ILT
    - pointed at by OriginalFirstThunk.
    - entries never change.
    - each entry is either an IMAGE_IMPORT_BY_NAME RVA or an Ordinal.
    - if the top bit is 1 it is an Ordinal, otherwise an RVA of IMAGE_IMPORT_BY_NAME.
  IAT
    - pointed at by FirstThunk.
    - in the file each entry is an AddressOfData or Ordinal just like the ILT.
    - once loaded, each IMAGE_THUNK_DATA holds the function address instead of the IMAGE_IMPORT_BY_NAME AddressOfData.
  IMAGE_IMPORT_BY_NAME
    - top bit 1: ordinal; top bit 0: AddressOfData.
    - hint followed by the function name.
IMAGE_THUNK_DATA AddressOfData; IMAGE_THUNK_DATA Ordinal.
Winhex: the descriptor array ends with a NULL entry; the example imports from 6 DLLs.
Import Table: IMAGE_DIRECTORY_ENTRY_IMPORT
VirtualAddress is an RVA, so it must be converted to a file offset to view it in a hex editor. Stud_PE shows the PE header; the Import Table is located through the data directory's VirtualAddress and Size. RVA 0x12FD4 lies in .text. .text has RawOffset 0x400, so the file offset is 0x123D4:
    file offset = (RVA - section VirtualOffset) + section RawOffset
calc.exe, .text. The PE's IAT (Import Address Table) is reached through IMAGE_DIRECTORY_ENTRY_IMPORT; each DLL has one IMAGE_IMPORT_DESCRIPTOR. RVA 0x12FD4 is inside .text, so (0x12FD4 - 0x1000) + 0x400 = 0x123D4. Winhex.
The first descriptor's Name RVA in calc.exe is 0x134D6. Stud_PE shows 0x134D6 is in .text, so Name is at 0x134D6 - 0x1000 + 0x400 = 0x128D6, where the string KERNEL32.dll is found.

3-7. Export Table
Student Notes
Export is the counterpart of Import. The Export table is data directory entry 0, IMAGE_DIRECTORY_ENTRY_EXPORT, with VirtualAddress and Size. Export is simpler than Import. Winnt.h:
[Figure: IMAGE_DIRECTORY_ENTRY_EXPORT (VirtualAddress, Size) -> EXPORT TABLE (IMAGE_EXPORT_DIRECTORY: Name -> "MYDLL.DLL", Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions -> RVAs of code (or a forwarder such as Kernel32.OpenProcess), AddressOfNames -> RVAs of "MyFunc1", "Myfunc2", AddressOfNameOrdinals -> ordinals).]

    typedef struct _IMAGE_EXPORT_DIRECTORY {
        DWORD Characteristics;
        DWORD TimeDateStamp;
        WORD  MajorVersion;
        WORD  MinorVersion;
        DWORD Name;
        DWORD Base;
        DWORD NumberOfFunctions;
        DWORD NumberOfNames;
        DWORD AddressOfFunctions;     // RVA from base of image
        DWORD AddressOfNames;         // RVA from base of image
        DWORD AddressOfNameOrdinals;  // RVA from base of image
    } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
  Name : RVA of the DLL name (ASCII)
  Base : starting ordinal
  NumberOfFunctions : number of entries in the AddressOfFunctions RVA array
  NumberOfNames : number of entries in the AddressOfNames RVA array
  AddressOfFunctions : array of function addresses (RVAs)
  AddressOfNames : array of function name pointers (RVAs)
  AddressOfNameOrdinals : array of ordinals, relative to Base.
DLL (RVA ), . Export Table .
1. IMAGE_DIRECTORY_ENTRY_EXPORT VirtualAddress VirtualAddress 0x00016A1C Size 0x00004B9A.
2. VirtualAddress RawOffset
   (RVA) - (VirtualOffset) + RawOffset
   0x00016A1C - 0x00001000 + 0x00000400 = 0x00015E1C

RVA 0x16A1C .text . .text RawOffset 0x400 0x15E1C . Winhex . .
Name : 0x000186D2
Base : 1
NumberOfFunctions : 0x000002DB
NumberOfNames : 0x000002DB
AddressOfFunctions : 0x00016A44
AddressOfNames : 0x000175B0
AddressOfNameOrdinals : 0x0001811C
offset RVA .

Name : 0x000186D2 - 0x1000 + 0x400 = 0x00017AD2 USER32.dll . NULL ( \0 ) . 1 (Base : 1), 731 (NumberOfFunctions : 0x2DB), 731 . (NumberOfNames : 0x2DB) AddressOfNames . AddressOfNames : 0x000175B0 - 0x1000 + 0x400 = 0x000169B0 0x000186DD RVA offset 0x00017ADD. ActivateKeyboardLayout . AddressOfFunctions 0x00016A44 - 0x1000 + 0x400 = 0x00015E44.

AddressOfNameOrdinals : 0x0001811C - 0x1000 + 0x400 = 0x0001751C 0x1751C NumberOfNameOrdinals . 1 Base . USER32.dll 731(0x2DB) AddressOfNameOrdinals 731(0x2DB) . .

Module 4

Objectives
CrackMe / KeygenMe

4-1.

Student Notes
, , , . . .
Debugger : Ollydbg
Disassembler : IDA, W32DASM
File Analyzer : Stud PE, PEiD, ImportREConstruction
HEX Editor : WinHex

Ollydbg
http://www.ollydbg.de/ , .
File : .
View : .
Debug : .
Plugins : .
Options : .
Window, Help : () .
restart, close, run . . .
E : Executable modules, M : Memory map, H : Handles, C : CPU main thread, / : Patches, K : Call stack of main thread, B : Breakpoints, R : References, ... : Run trace

. A OP . , OP , , . . B . A offset , . C . . D CPU . . E Stack . Ollydbg .

Option Appearance udd plugins . Option Debugging Option CPU : jump .

Exception . .

Stud PE
PE http://www.cgsoftlabs.ro/studpe.html .
PEiD
PE Stud PE . http://www.peid.info/ .

ImportREC
IAT . IAT IAT . ImportREC . http://vault.reversers.org/ImpRECDef . IAT . IAT . 0000 0000 IAT 0000 0000 ImportREC . IAT .

Winhex
HEX . .

4-2. CrackMe

Student Notes
Crackme . Crackme , . Keygen Keygen . .
CrackMe Key Keyfile

Crackme #1 . Invalid Password . Invalid Password . . Search for All reference text strings . The password is %s . The password is xxxxxxxxxx Invalid Password . Invalid Password .

Invalid Password 004010DA . 004010DA 0040109C The password is %s . JNB 004010DC The password is %s . , . . PUSH Crackme#.00407030 Please enter the password: CALL . CALL . . .

.
/*40102C*/ ADD ESP,4                          //
/*40102F*/ PUSH 10                            // 10
/*401031*/ PUSH 0                             // 0
/*401033*/ LEA EAX,DWORD PTR SS:[EBP-34]      // EBP-34 () EAX
/*401036*/ PUSH EAX                           // EAX
/*401037*/ CALL Crackme#.00401150             // 00401150
/*40103C*/ ADD ESP,0C                         //
/*40103F*/ MOV DWORD PTR SS:[EBP-1C],0        // EBP-1C 0
/*401046*/ MOV DWORD PTR SS:[EBP-20],0        // EBP-20 0
/*40104D*/ MOV DWORD PTR SS:[EBP-24],0        // EBP-24 0

. . . 00401054 00401140 . . EAX .

Disassembly . , 00401054 00401084 . .

/*401059*/ MOV BYTE PTR SS:[EBP-4],AL         // AL EBP-4 1
/*40105C*/ MOV ECX,DWORD PTR SS:[EBP-1C]      // EBP-1C ECX
/*40105F*/ MOV DL,BYTE PTR SS:[EBP-4]         // EBP-4 DL
/*401062*/ MOV BYTE PTR SS:[EBP+ECX-34],DL    // DL EBP+ECX-34
/*401066*/ MOV EAX,DWORD PTR SS:[EBP-1C]      // EBP-1C EAX
/*401069*/ ADD EAX,1                          // EAX 1
/*40106C*/ MOV DWORD PTR SS:[EBP-1C],EAX      // EAX EBP-1C
/*40106F*/ MOVSX ECX,BYTE PTR SS:[EBP-4]      // EBP-4 ECX
/*401073*/ CMP ECX,0A                         // ECX 0x0A
/*401076*/ JE SHORT Crackme#.00401086         // 00401086
/*401078*/ MOVSX EDX,BYTE PTR SS:[EBP-4]      // EBP-4 EDX
/*40107C*/ TEST EDX,EDX                       // EDX EDX AND
/*40107E*/ JE SHORT Crackme#.00401086         // 00401086
/*401080*/ CMP DWORD PTR SS:[EBP-1C],10       // EBP-1C 0x10
/*401084*/ JB SHORT Crackme#.00401054         // EBP-1C 0x10 00401054

. 4 . CALL 00401140 EAX . [EBP-1C] [EBP+ECX-34] . [EBP-4] . BYTE PTR SS (1 ) . ECX [EBP-4] 0x0A . [EBP-4] 0x72( r ) 0x0A . 0x0A LF(Line Feed) . [EBP-1C] 0x10 [EBP-1C] 16 (0x10) . 16 00401054 . , 16 . .

. EAX (0x0B) ESP . Crackme#1 16 EAX . EAX . EAX . . EBP-34 EAX EAX [EBP-8] . [EBP-20] [EBP-24] 0 3 . . [EBP-34] 0013FF4C . 004010AE . 004010AE . [EBP-20] 0x0D [EBP-20] 0x0D 004010DC . , [EBP-20] 0x0D .

[EBP-20] 0 . 004010B4 .
/*4010B4*/ MOV EAX,DWORD PTR SS:[EBP-20]          // EBP-20 EAX
/*4010B7*/ SHR EAX,2                              // EAX 2
/*4010BA*/ MOV ECX,DWORD PTR SS:[EBP-8]           // EBP-8 ECX
/*4010BD*/ MOV EDX,DWORD PTR SS:[EBP-24]          // EBP-24 EDX
/*4010C0*/ MOV EAX,DWORD PTR DS:[ECX+EAX*4]       // ECX+EAX*4 EAX
/*4010C3*/ CMP EAX,DWORD PTR SS:[EBP+EDX*4-18]    // EBP+EDX*4-18 EAX

4 . .

004010B4 004010C3 ECX EAX 0 .([EBP-20] 0 ) EDX [EBP-24] 3 . , EBP+EDX*4-18
0013FF80 + 3 * 4 - 18 = 0x0013FF80 + 0xC - 0x18 = 0x0013FF74
. , qwer powe . 004010DA 004010C9 . 004010C9 Invalid Password . 4 powe . . . 4 004010DA 0040109C .

/*40109C*/ MOV ECX,DWORD PTR SS:[EBP-20]    // EBP-20 ECX
/*40109F*/ ADD ECX,4                        // ECX 4
/*4010A2*/ MOV DWORD PTR SS:[EBP-20],ECX    // ECX EBP-20
/*4010A5*/ MOV EDX,DWORD PTR SS:[EBP-24]    // EBP-24 EDX
/*4010A8*/ SUB EDX,1                        // EDX 1
/*4010AB*/ MOV DWORD PTR SS:[EBP-24],EDX    // EDX EBP-24
/*4010AE*/ CMP DWORD PTR SS:[EBP-20],0D     // EBP-20 0x0D

[EBP-20] 0 ECX 0 4 [EBP-20] . [EBP-24] EDX 1 [EBP-24] . [EBP-20] ECX 4 [EBP-24] EDX 2 . [EBP-20] 4 0x0D 13 0x0D(13) 004010DC . 004010B4 004010C3 [EBP-20] 4 EAX SHR 1 . [EBP-8] ECX [EBP-24] EDX . .
ECX + EAX*4 = 0x0013FF4C + 1 * 4 = 0x0013FF50
EBP + EDX*4 - 18 = 0x0013FF80 + 2 * 4 - 0x18 = 0x0013FF80 + 0x08 - 0x18 = 0x0013FF70
. 4 4 . .

4-3. KeygenMe

Student Notes
Keygenme . keygenme C C++ . .
KeygenMe Key Key Key Keygen

keygenme#1 . . . . . Nope, thats not it! Try again . . . Search for All referenced text strings . (Good boy...) . .

0040128A OR EAX, EAX. lstrcmpA ( ) . . .

00401248 F9 . Check It 00401248 . F8 00401252 .
/*401252*/ PUSH keygenme.00406584
. . . . 00401285 lstrcmp 1234567890 JXCS-USIQ-XNUI-CPRU . OR EAX, EAX . 0040128E 004012A8 . . . ? Nope, thats not it! Try again . MessageBoxA 4 . API .

int MessageBox(
    HWND hWnd,          // handle of owner window
    LPCTSTR lpText,     // address of text in message box
    LPCTSTR lpCaption,  // address of title of message box
    UINT uType          // style of message box
);

. .
/*4012A8*/ PUSH 10
/*4012AA*/ PUSH keygenme.00406337
/*4012AF*/ PUSH keygenme.00406318
/*4012B4*/ PUSH DWORD PTR SS:[EBP+8]
/*4012B7*/ CALL
00406337 00406318 . 00406318 . lstrcmpA . 00406B84 . . .
/*4012AA*/ PUSH keygenme.00406337
/*4012AF*/ PUSH keygenme.00406318

/*4012AA*/ PUSH keygenme.0040630C
/*4012AF*/ PUSH keygenme.00406B84
Copy to executable All modifications

. Copy all . Save file . . . . C . URL . http://dual5651.hacktizen.com/new/87

Module 5 MUP(Manual UnPack)

Objectives
Packing / Unpacking
Packing MUP
MUP Ollydbg script

5-1. Packing / Unpacking

Student Notes
Pack , . . . . Entry Point Entry Point(OEP) .
[Figure: Packing / Unpacking. Packing (EXE, DLL), Unpacking ( ); PE Header, Code Section, Entry Point -> Unpack Stub, PE Header, ..., OEP, Entry Point]

5-2. Packing

Student Notes
( ) . . PEiD EXEInfo . 100% . . . Packing UPX, ASPack, FSG Packer Packer . () ()

EXEInfo SVK-Protector v1.32 demo PEiD yodas cryptor 1.x / modified . Stud_PE yodas cryptor 1.x / modified . yodas cryptor . A B A . B . () OEP .
5-3. MUP

Student Notes
MUP OEP IAT . . IAT . IAT . UPX .
MUP
1. Packing PEiD EXEInfo
2. OEP .
3. unpack
4. IAT

. Compressed code? . . PUSHAD . . . OEP POPAD . PUSHAD .

POPAD JMP . JMP F8 OEP .

. OEP . Dump debugged process . Olly Dump . . Entry Point 20C40 12475 . OEP . Rebuild Import . IAT . IAT IAT IAT ? . IAT ImportREConstructor .

ImportREC Attach to an Active Process MUP . calc_upx.exe IAT . IAT IAT . OEP 1 AutoSearch Get Imports .

Fix Dump IAT . calc_dump_.exe IAT . . calc_dump.exe IAT . IAT PE . NULL (00000000) . . ImportREC IAT 00000000 IAT 00000000 . ? .

IAT IAT . IAT read . IAT . ImportREC IAT RVA Size . RVA 00025190 00425190 . . . ImportREC 0xCC .

0xCC . 00000000 . . . IAT . ImportREC IAT . IAT 0x425190 0x4252C0 0x130 . OEP Get Import IAT .

Fix Dump IAT . (OEP) . IAT ImportREC . .
Before Packing / After Packing

5-4. MUP Ollydbg script

Student Notes
MUP . . MUP . MUP . Olly Script . . MUP .
MUP Ollydbg script
MUP Ollydbg script , 16 (10 . ex. 10=16.) [] ! # DWORD +, -, *, /, &, |, ^, >,

Olly Script
$result    EAX
$version   Ollyscript    ex) cmp, $version, 1.47 //1.47 ?
# INC filename    ex) # INC text.txt
# LOG    LOG OllyDbg Log
ADD dst, src    dst    ex) add y, Times
Alloc size    size $result    ex) alloc 1000, free $result 1000
AI / AO    Animate into / animate over
STI / STO    Step into / step over
ESTI / ESTO    Shift + F7 / Shift + F8
TI / TO    Trace into / trace over
TC    Close Run Trace
TICND / TOCND    Trace into / trace over    ex) TICND eip>40100A
BC Address / BP Address    Breakpoint Clear / BreakPoint
BPCND Address, Condition    BP    ex) bpcnd 40100A, EAX==1
BPHWC Address / BPHWCALL    BP HW Clear / BP HW Clear All
BPHWS Address, pattern    BP HW Set r() w() x() / BPHWS Address    ex) BPHWS 40100A, r
BPL Address, Expression    BP of Logging    ex) bpl 40100A, EAX
BPLCND Address, Expression, Condition    BP of Logging Condition    ex) bplcnd 40100A, EAX, ECX==0
BPMC    BP Memory Clear
BPRM Address, size / BPWM Address, size    BP on Read Memory / BP on Write Memory    ex) BPRM 40100A, FF    ex) BPWM 40100A, FF
AN Address    Ollydbg analyse
ASM Address, Instruction    Ollydbg assemble $result    ex) asm 40100A, xor eax, eax
CMT address, comment(string of character)    Ollydbg    ex) cmt eip,
OR dst, src / XOR dst, src    Or/xor
EOB Label / EOE Label    Execute On Breakpoint / Execute On Exception    ex) EOB Label / EOE Label1
FILL Address, Length, Value    ex) fill 40100A,10,90
Find Address, Content    $result , 0    ex) find eip, # 6A??E8 #
FINDOP Address, Content    $result    ex) findop 401000, #61# // find next POPAD    findop 401000, #6A??# // find next PUSH
FINDMEM what [, Start Address]    $result , 0    ex) findmem #6A00E8#    findmem #6A00E8#, 00400000
REPL Address, Find, Replace, Length    find ( )    ex) repl eip, #??00 #, #??01 #, 10
RET
REV val    Val $result    ex) rev 01020304 // $result == 04030201
EXEC/ENDE    EXECute / END
Execute, {}
ex)
  var x
  var y
  mov x, "eax"
  mov y, "0DEADBEEF"
  exec
    mov {x}, {y}
    mov ecx, {x}
  ende
ex)
  exec
    push 0
    call ExitProcess
  ende
  ret
JA LABEL / JAE LABEL    Cmp , ja / jae
JB LABEL / JNB LABEL    Cmp , ja / jae
JE LABEL / JNE LABEL    Cmp , ja / jae
JMP LABEL    JMP
LEN str    Str    ex) len NiceJump    msg $RESULT

MUP . UPX . PUSHAD POPAD OEP . OEP . OEP Step Over(F8) OEP . OEP ? ESP . OEP . .

STI            // Step into(F7), PUSHAD
BPHWS esp, r   // PUSHAD POPAD BP
RUN            // (F9)
BPHWC          // BP BP
STO            // Step over(F8), OEP
CMT eip,

Module 6 Anti-Reverse

Objectives
Breakpoint
TLS Callback
Process Attach

6-1.

Student Notes
. . . . . . .
kernel32!OutputDebugStringA
Ctrl-C
Rogue Int3
"Ice" Breakpoint
Interrupt 2Dh
Timestamp counters
Popf and the trap flag
Stack Segment register
Debug registers manipulation
Context modification
TLS-callback
CC scanning
EntryPoint RVA set to 0
kernel32!IsDebuggerPresent
PEB!IsDebugged
PEB!NtGlobalFlags
Heap flags
Vista anti-debug (no name)
NtQueryInformationProcess
kernel32!CheckRemoteDebuggerPresent
UnhandledExceptionFilter
NtSetInformationThread
kernel32!CloseHandle and NtClose
Self-debugging
Kernel-mode timers
User-mode timers
: http://www.securityfocus.com/infocus/1893

kernel32!IsDebuggerPresent
PEB(Process Environment Block) BeingDebugged . IsDebuggerPresent() . IsDebuggerPresent Debugger not found! . Debugger found! . . IsDebuggerPresent() EAX . IsDebuggerPresent() 1 0 . CMP . (IsDebugg.0040101F) .

call IsDebuggerPresent
test eax, eax
jne @DebuggerDetected

CALL F7 . TEB(Thread Environment Block) PEB PEB PEB + 2 BeingDebugged . BeingDebugged 0 IsDebuggerPresent . F9 Debugger not found! .
PEB!IsDebugged
PEB . IsDebuggerPresent . .

mov eax, fs:[30h]
mov eax, byte [eax+2]
test eax, eax
jne @DebuggerDetected

PEB!NtGlobalFlags
PEB 68 NtGlobalFlags . NtGlobalFlags 0x70 0x00 . ntdll . Heap .
FLG_HEAP_ENABLE_TAIL_CHECK (Heap Tail Checking) : 0x10
FLG_HEAP_ENABLE_FREE_CHECK (Heap Free Checking) : 0x20
FLG_HEAP_VALIDATE_PARAMETERS (Heap Parameter Checking) : 0x40
NtGlobalFlags . FS:[30] PEB . PEB 0x68 NtGlobalFlags .

PEB 0x68 70 . 70 .

NtQueryInformationProcess
.

NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength
);

ProcessDebugPort 7 ProcessInformationClass ProcessInformation -1 . , ProcessInformation 0 -1 . NtQueryInformationProcess .

NtQueryInformationProcess CALL DWORD PTR DS:[40306C] NtQueryInformationProcess . . eax . 0 TEST 0 . 0x00401035 Step into(F7) . . 0x7FFE0300 . 0x0013FFC0 ProcessInformation FFFFFFFF . ProcessInformation . . POP EAX FFFFFFFF .

NtQueryInformationProcess ProcessInformation 0 . 7 . 9 . RETN 14 . ESP+C ProcessInformation 0 . . 00000000 . TEST .

kernel32!CheckRemoteDebuggerPresent
CheckRemoteDebuggerPresent .

BOOL CheckDebugger(HANDLE hProcess)
{
    BOOL Retval = 0;
    CheckRemoteDebuggerPresent(hProcess, &Retval);
    return Retval;
}

NtQueryInformationProcess . . CALL EAX Step into(F7) . EBP+8 0 NtQueryInformationProcess NtQueryInformationProcess . NtQueryInformationProcess ProcessInformation 0 . NtQueryInformationProcess .
0, 4, 7 PUSH EAX EBP+8 PUSH NtQueryInformationProcess . ProcessInformation NtQueryInformationProcess .
/*7C85C09C*/ CMP DWORD PTR SS:[EBP+8],0
EBP+8 . F9 Debugger not found! . ProcessInformation NtQueryInformationProcess .

Timing Check
. . RDTSC(Read Time Stamp Counter) . .

. . GetTickCount . Olly Advanced . Olly Advanced .
1. 4 (CR4) TSD(Time Stamp Disable) bit 1 . TSD bit 1 Ring0 RDTSC GP(General Protection) .
2. GP GPF . GPF 0xD GPF IDT 0xD * 4byte .
3. Olly Advanced IDT GPF GPF RDTSC RDTSC timing check .

kernel32!OutputDebugStringA
ASCII OutputDebugStringA . . 1 . Ollydbg . 1.10 . . . Olly Advanced . HideDebugger Olly Invisible, IsDebuggerPresent .

6-2. BreakPoint

Student Notes
. . . . .
Break Point
- Hardware Breakpoint : DR0 ~ DR3 DR7
- Software Breakpoint : 0xCC (INT 3)
- Instruction Breakpoint
- Memory Breakpoint

Hardware Breakpoint
DR0 ~ DR3 DR7 . .
Software Breakpoint
. 0xCC(INT 3) .
Instruction Breakpoint
. / .
Memory Breakpoint
. /

Hardware Breakpoint
IA32 . DR0 ~ DR7 8 .
DR0 ~ DR3 :
DR4 ~ DR5 :
DR6 : , .
DR7 : , .
R/W0 ~ R/W3 . 00 01 11 . DR7 . . IA32 Ring0 . SEH Ring3 . 2-6 SEH ContextRecord . _CONTEXT . ,
Ring3 . .
1. SEH
2.
3. SEH
4. ContextRecord
. . SEH . . Debug Hardware breakpoints .

F9 . . Access violation . Shift + F7/F8/F9 . Shift + F9 Shift + F8 . Shift + F9 . . Shift + F9 Shift + F7 . . F7 .
Shift + F7 SEH Chain . View SEH chain SEH .

0x0040103E . . F9 . ! DR0 ~ DR3 . 0 0x0040109A . 0x0040109A . SEH DR0 ~ DR3 0 . .

CMP DWORD PTR DS:[EAX+4h],0
JNE @hardware_bpx_found
CMP DWORD PTR DS:[EAX+8h],0
JNE @hardware_bpx_found
CMP DWORD PTR DS:[EAX+0Ch],0
JNE @hardware_bpx_found
CMP DWORD PTR DS:[EAX+10h],0
JNE @hardware_bpx_found

MOV 0 .

MOV DWORD PTR DS:[EAX+4h],0
MOV DWORD PTR DS:[EAX+8h],0
MOV DWORD PTR DS:[EAX+0Ch],0
MOV DWORD PTR DS:[EAX+10h],0

? NOP . . NOP . . . SEH . EBP+0x10 ContextRecord . ContextRecord . ESP+0x0C ContextRecord . SEH chain .

Software Breakpoint
1 0xCC(INT 3) . . 1byte 0xCC . . . . good job . Step over(F8) . (CALL softbp.exit) (ADD ESP, 0C) . 00401005 . . ProtectedFunc F2

. 0xCC . 0xCC . code permutation . ECX . EAX 0x660 . SHR EAX 3 0xCC . 0x660 0110 0110 0000 3 000011001100 . 16 0xCC . (4 1100 10 12 . , 16 C ) , 0xCC(INT 3) . EDI EAX . 0xCC ECX 0 0 . TEST ECX, ECX
ECX 0 004010A4 . RETN . RETN . RETN POP EIP . POP EIP . B58C7BB6 . RETN . . . . ProtectedFunc .

ProtectedFunc F9 . . 0xCC F8 . Import . , . F9 .

.( CTRL+N) MessageBoxA . F9 .

6-3. TLS Callback

Student Notes
TLS Callback . TLS Callback . , . TLS Callback . TLS Callback , OEP .
TLS Callback
TLS (Thread Local Storage) Callback
TLS Callback . PE Data Directory 10 IMAGE_DIRECTORY_ENTRY_TLS .
. . . TLS TLS Callback . , TLS Callback . PE Data Directory TLS . TLS 10 . Stud_PE . Data Dir IMAGE_DIR_ENTRY_TLS TLS . RVA, Size, Raw . PE Raw Stud-PE PE . RVA . TLS RVA TLS
RVA - VirtualOffset + RawOffset = 3060 - 3000 + 800 = 860

TLS 0x860 . Winnt.h IMAGE_TLS_DIRECTORY .

typedef struct _IMAGE_TLS_DIRECTORY32 {
    DWORD StartAddressOfRawData;
    DWORD EndAddressOfRawData;
    PDWORD AddressOfIndex;
    PIMAGE_TLS_CALLBACK *AddressOfCallBacks;
    DWORD SizeOfZeroFill;
    DWORD Characteristics;
} IMAGE_TLS_DIRECTORY32;

AddressOfCallBacks TLS Callback . Winhex . TLS Callback 0x00403084 . RVA . TLS Callback . 0x00403084 RVA ImageBase 0x3084 . (3084 - 3000 + 800 = 884) TLS 884 . Winhex . TLS Callback 0040101B . Entry Point System breakpoint . .

System breakpoint . TLS Callback 0040101B . CTRL+G . 0040101B . 0040101B F9 . IsDebuggerPresent . TLS Callback , . TLS Callback IMAGE_DIRECTORY_ENTRY_TLS TLS AddressOfCallbacks 00000000 . TLS Callback IDA . IDA CTRL+E .

6-4. Process Attach

Student Notes
DLL OCX . DLL . DLL Injection dll DLL attach . .
Process Attach dll ocx

File Attach . Attach . explorer.exe . Pause . Start . . Executable modules . dll . dll dll View names .

. Conditional log breakpoint on import .

dll . View Log . Log . . ntdll.dll ZwContinue CALL . Anti-Attach ZwContinue (Anti-Debugging ) . Ollydbg AttachAnyway ZwContinue . ZwContinue .
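Enumerating TLS callbacks from the file on disk, before the sample is ever loaded in a debugger, as an added Python example; it is not part of the original course material. It reads IMAGE_TLS_DIRECTORY32 at the RVA found in the data directory, converts AddressOfCallBacks (a VA, so ImageBase is subtracted first) to a raw offset with the same formula as the walkthrough, and walks the zero-terminated callback array. The section table and the file bytes are constructed for the example; the offsets (TLS directory at RVA 0x3060 / raw 0x860, AddressOfCallBacks 0x00403084 / raw 0x884, callback 0x0040101B) are the values quoted above.

```python
import struct

IMAGE_BASE = 0x00400000
# IMAGE_TLS_DIRECTORY32: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
# AddressOfCallBacks, SizeOfZeroFill, Characteristics (all 32-bit fields)
TLS_DIRECTORY32 = struct.Struct("<IIIIII")

# Constructed section holding the TLS directory, with the VirtualOffset/RawOffset
# pair from the walkthrough (0x3000 / 0x800): (name, VirtualAddress, PointerToRawData, size)
SECTIONS = [(".rdata", 0x3000, 0x800, 0x1000)]


def rva_to_raw(rva, sections=SECTIONS):
    """(RVA - VirtualOffset) + RawOffset, as in the walkthrough."""
    for _name, va, raw, size in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def va_to_raw(va, image_base=IMAGE_BASE):
    """AddressOfCallBacks and the callback entries are VAs: subtract ImageBase first."""
    return rva_to_raw(va - image_base)


def tls_callbacks(buf, tls_dir_rva):
    """Return the callback VAs listed at AddressOfCallBacks (zero-terminated array):
    code that runs before the entry point and before a debugger's system breakpoint."""
    fields = TLS_DIRECTORY32.unpack_from(buf, rva_to_raw(tls_dir_rva))
    callbacks_va = fields[3]
    if callbacks_va == 0:
        return []
    callbacks, off = [], va_to_raw(callbacks_va)
    while True:
        (cb,) = struct.unpack_from("<I", buf, off)
        if cb == 0:
            return callbacks
        callbacks.append(cb)
        off += 4


def build_sample_image():
    """Constructed file: TLS directory at RVA 0x3060 (raw 0x860) whose AddressOfCallBacks is
    0x00403084 (raw 0x884), naming the single callback 0x0040101B from the walkthrough."""
    buf = bytearray(0x800 + 0x1000)
    buf[0x860:0x860 + TLS_DIRECTORY32.size] = TLS_DIRECTORY32.pack(
        0x00403000, 0x00403008, 0x00403080, 0x00403084, 0, 0)
    buf[0x884:0x884 + 8] = struct.pack("<II", 0x0040101B, 0)
    return bytes(buf)


if __name__ == "__main__":
    for cb in tls_callbacks(build_sample_image(), 0x3060):
        print(f"TLS callback at {cb:#010x}")   # 0x0040101b for the constructed image
```

A file whose AddressOfCallBacks is 0 (or whose TLS data directory is empty) yields no callbacks, which is the case the zeroing described above produces; an analyst would run this check first and set a breakpoint on each listed address before letting the loader run.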
Module 7

Objectives
- shadowbot

7-1.

Student Notes
KISA . 2007 4 8 . 8 8 : . . ID: stage8, PASSWORD: KISA 4 Unpacking Steganography

. . . . PEiD Nothing found . ? Hardcore Scan .

nSPack 2.2 North Star/Liu Xing Ping . PEiD userdb.txt nSPack . . . . !packed by nspack$@

nspack . . Memory map . View Memory ALT+M . PE 006E0000 ImageBase . . F9 .

ImageBase 00400000 . . . CTRL+F2 VirtualAlloc 00400000 . VirtualAlloc .

LPVOID VirtualAlloc(
    LPVOID lpAddress,        // address of region to reserve or commit
    DWORD dwSize,            // size of region
    DWORD flAllocationType,  // type of allocation
    DWORD flProtect          // type of access protection
);

. . Command bar . VirtualAlloc 7C8245A9 . F9 00400000 . F9 VirtualAlloc . Address NULL . Address 00400000 . F9 Address 00400000 .

F8 VirtualAlloc . . CTRL+A . . . . write . (write) .

F9 . 00400000 . write . RETN . ( ) F9 . RETN 0C F8 . F8 0045972C . PUSHAD POPAD .

POPAD POP JMP EAX 0045972C . OEP . OEP ImportREC IAT . IAT . IAT . Dump debugged process OEP .

IAT . 00459737 00406120 CALL 00406050 . . Follow in Dump Memory address . Long Address IAT . , IAT . 0000 0000 .
0000 0000 . ImportREC IAT 0000 0000 IAT .

IAT 0045D118 0045D6D0 . IAT OEP OEP 0045972C . IAT CTRL+F2 VirtualAlloc . . IAT . . IAT 0045D118 . (Breakpoint Hardware, on write DWORD) F9 . .

F8 IAT . IAT . IAT . 0045D118 0045D6D0 . 0045D6D0 0045D730 . IAT . 0045D730 . ( Binary Binary copy) . View Hardware breakpoint . IAT OEP . OEP IAT IAT .

. ( Binary Binary paste) IAT . . Dump . Backup Save data to file . RVA . PEvoyeur RVA .

PEvoyeur More Plugins Sections Fixer . FIX . fixed-sections.exe . . Borland Delphi 6.0 .

/ . . Resource Hacker RCData TFORM1 . TabVisible False . Picture.Data 16 . Picture.Data .

TabVisible True Compile Script . . . . Picture.Data 16 Winmerge . ( diff )
0101010101000000010100000000010101010001010100000101000001010101010100010100000001000000010100010101000101000001010000000100010001010100010001010101000000010000010100000101010001000000010001000101010001010001010100000000010101010000000100000101000001010101010100000101010101010001010000000101000000000101010100000001000001010000010100010101010100010001010101000000010101010101010000010101010100010001010101000100000001010100010001010101010101000001010101000101010101010001000100000100000001000101

2 Picture.Data 16 . Winhex . 0xF7(247) . 01 1 , 00 0 .
11111000 11000011 11011100 11001111 11011000 10001101 11011001 10001010 11101011 11000100 11001110 10001010 11101101 11000011 11000100 11001111 11001111 11011000 11000011 11000100 11001101 11110101 11100011 11111001 11110101 11101000 11101011 11111001 11101111 11010100 10001011

1 10 ASCII . 16 31 . 16 .

Rivers And Gineering_IS_BASE~! . .

7-2. - shadowbot

Student Notes
. . . . VMware VirtualPC . VMware shadowbot . shadowbot URL .
http://kr.ahnlab.com/info/smart2u/virus_detail_7404.html
http://kr.ahnlab.com/info/smart2u/virus_detail_7405.html
Filemon, Regmon, TDImon, TCPView, Wireshark
Process Explorer
Winalysis
PEiD, LordPE
Ollydbg, Windbg, IDA
ImportREC, Revival
Strings, BinText

shadowbot . VMware . , . , VMware . VMware VM Settings Ethernet Host-only . . VMware Host-only . shadowbot DNS .

shadowbot , , .
Wireshark :
Filemon : .
Regmon : .
TDImon : TCP/UDP .
TCPView : .
Process Explorer : DLL
Winalysis : .
BinText : .
Ollydbg, PEiD, ImportREC .
. Wireshark Ethereal . . . PEiD . IDA IDA . PEiD .

PEiD shadowbot UPX . . UPX upx . UPX . shadowbot_unpack.exe . .

BinText . BinText . . Browse Go . . Save . .
WriteProcessMemory        // Load DLL
CreateToolhelp32Snapshot  // snapshot .
CreateRemoteThread        // DLL Injection 4 LoadLibrary ?
RegSetValueExA            //
RegCreateKeyExA           //
CoInitialize              // com
CloseClipboard            //
OpenClipboard             //
CloseServiceHandle        //
. .
EnumServicesStatusA       //
OpenSCManagerA            //
InternetReadFile          //
InternetOpenUrlA          // http://~~, ftp://~~
InternetOpenA
CreateMutexA              //
Explorer.exe              //
PRIVMSG %s :pstore %s %s:%s \n   // private message
darkjester.xplosionirc.net       // irc server .
lol lol lol :shadowbot           //
PING, PONG, JOIN, PRIVMSG        // IRCBot .
rdshost.dll                      // dll ?
\\photo album.zip                // ?

shadowbot IRCBot DLL Injection . DLL Injection explorer.exe COM Object . rdshost.dll . . . shadowbot.exe shadowbot_unpack.exe . . . md5sum.exe . c . , .

Filemon Regmon Exclude Process . Filemon . Exclude Process . Regmon . Filemon Exclude Process .

Winalysis Snapshot .. Start File Service System . . . shadowbot shadowbot VMware Snapshot . VMware . .

. . . (shadowbot) . Wireshark . . shadowbot . Start . shadowbot . . . shadowbot explore.exe . . VMware . Process Explorer explorer.exe explorer.exe explorer.exe .

explorer.exe File Run explore.exe . explorer.exe procexp.exe explorer.exe . shadowbot . VMware . ( ) shadowbot . shadowbot.exe . Winalysis . shadowbot Test .

Start . File Registry . Filemon Regmon . . Filemon (CREATE) (WRITE) .
CREATE C:\WINDOWS\photo album.zip SUCCESS Options: OverwriteIf Access: All
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 0 Length: 30
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 30 Length: 19
READ C:\malware\shadowbot.exe SUCCESS Offset: 0 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 49 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 1024 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 1073 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 2048 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 2097 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 3072 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 3121 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 4096 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 4145 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 5120 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 5169 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 6144 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 6193 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 7168 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 7217 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 8192 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 8241 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 9216 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 9265 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 10240 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 10289 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 11264 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 11313 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 12288 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 12337 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 13312 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 13361 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 14336 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 14385 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 15360 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 15409 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 16384 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 16433 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 17408 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 17457 Length: 1024
READ C:\malware\shadowbot.exe SUCCESS Offset: 18432 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 18481 Length: 512
READ C:\malware\shadowbot.exe END OF FILE Offset: 18944 Length: 1024
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 18993 Length: 46
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 19039 Length: 19
WRITE C:\WINDOWS\photo album.zip SUCCESS Offset: 19058 Length: 22
CLOSE C:\WINDOWS\photo album.zip SUCCESS
CLOSE C:\malware\shadowbot.exe SUCCESS
CREATE C:\WINDOWS\system32\rdshost.dll SUCCESS Options: OverwriteIf Access: All
OPEN C:\WINDOWS\system32\SUCCESS Options: Open Directory Access: 00000000
WRITE C:\WINDOWS\system32\rdshost.dll SUCCESS Offset: 0 Length: 14848
CLOSE C:\WINDOWS\system32\rdshost.dll SUCCESS
QUERY INFORMATION C:\WINDOWS\system32\rdshost.dll SUCCESS Attributes: A
OPEN C:\WINDOWS\system32\rdshost.dll SUCCESS Options: Open Access: Execute
QUERY INFORMATION C:\WINDOWS\system32\rdshost.dll SUCCESS Length: 14848
CLOSE C:\WINDOWS\system32\rdshost.dll SUCCESS
QUERY INFORMATION C:\WINDOWS\system32\rdshost.dll SUCCESS Attributes: A
OPEN C:\WINDOWS\system32\rdshost.dll SUCCESS Options: Open Access: Execute
CLOSE C:\WINDOWS\system32\rdshost.dll SUCCESS

C:\WINDOWS photo album.zip shadowbot.exe photo album.zip . C:\WINDOWS\system32 rdshost.dll . .
Regmon Filemon rdshost.dll photo album.zip .
SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rdshost SUCCESS
rdshost.dll . Filemon Regmon shadowbot.exe C:\WINDOWS\photo album.zip C:\WINDOWS\system32\rdshost.dll . Wireshark . darkjester.xplosionirc.net . DNS IP . URL . DNS hosts . hosts Wireshark 8080 .
8080 8080 RST . 8080 . 8080 netcat . nc . IRC . shadowbot darkjester.xplosionirc.net IRC test . IRC . IRC UnrealIRCD . unrealircd.conf unrealIRCD . IRC .
shadowbot IRC . shadowbot IRC . Filemon Regmon rdshost.dll . rdshost.dll explorer.exe DLL Injection . . dll Process Explorer . Find Find Handle or DLL . rdshost.dll . rdshost.dll explorer.exe . explorer.exe rdshost.dll . explorer.exe rdshost.dll . , shadowbot rdshost.dll explorer.exe DLL Injection . DLL Injection . CreateRemoteThread WriteProcessMemory VirtualAllocEx OpenProcess LoadLibraryA DLL Injection . . .
shadowbot.exe rdshost.dll . IRCBot . shadowbot.exe . shadowbot.exe . DLL Injection CreateFileA . F9 . BP shadowbot.exe CreateFileA .
BP C:\WINDOWS photo album.zip CreateFileA . BP photo album.zip CreateFileA (WriteFile) .
rdshost.dll . rdshost.dll . F9 OpenProcess . OpenProcess rdshost.dll DLL Injection . (3 )
ProcessId 0x258 . 10 600 . explorer.exe . WriteProcessMemory DLL Injection DLL . DLL . 0012FA84 . C:\WINDOWS\system32\rdshost.dll . EAX . .
F9 CreateRemoteThread DLL Injection . rdshost.dll explorer.exe . . explorer.exe .( explorer.exe !) explorer.exe rdshost.dll . Process Explorer explorer.exe Threads . rdshost.dll DLL Injection explorer.exe rdshost.dll IRCBot .
IRCBot shadowbot.exe rdshost.dll . DLL rdshost.dll explorer.exe attach . File Attach explorer.exe . CPU Pause . View Executable modules . ( ALT+E) rdshost.dll View names ( CTRL+N) rdshost conditional log breakpoint . Conditional log breakpoint on import .
View Log ALT+L . . IRCBot . IRC . . IRC IRCBot . shadowbot imstart, pstore, msnfuck, dlexec . dlexec URL .
imstart shadowbot MSN photo album.zip . photo album.zip photo album2007.pif shadowbot.exe . shadowbot.exe . IAT shadowbot.exe .
CreateRemoteThread DLL Injection IRC-BOT . Kill . IRC DNS Query . %systemroot%\system32\rdshost.dll . MSN (photo album.zip) . photo album.zip photo album2007.pif shadowbot.exe . .
