nosymbols - defcon russia 20
TRANSCRIPT
No symbols =(
19/11/2014
DCG #7812
Saint Petersburg by @IntR0Py @evdokimovds
© 2002—2014, Digital Security
#whoami
- Dmitriy 'D1g1' Evdokimov
  - Head of DSecRG
  - Author of Python Arsenal for RE
  - Section editor in the Xakep magazine
  - Co-organizer of ZeroNights
- George Nosenko
  - Security researcher at Digital Security
  - Nominated at Pwnie awards
Agenda
- Symbols?!
- Approaches & ideas
Defcon Russia (DCG #7812) 3
Symbols
- Debug symbols
- Variable names
- Function names
With and without symbols
* ntdll.dll
Problems *
- We have much more code
- Need a starting point for RE
* in normal, non-obfuscated code
At first
- IDA can’t always define all functions
Fix functions
- Code template (PowerPC)
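The "code template" idea from the previous slide, as an added example that is not part of the original talk: scan a raw code blob for the 32-bit PowerPC prologue pair `stwu r1,-N(r1)` / `mflr r0` and report the addresses where a function should be created. The instruction encodings are the standard ones (0x9421xxxx and 0x7C0802A6); the byte blob is constructed for the example, and the `add_func` hint in the comment is what an IDAPython port would call.

```python
import struct

# Known 32-bit PowerPC encodings (big-endian):
#   mflr r0            = 0x7C0802A6
#   stwu r1, d(r1)     = 0x9421dddd  (primary opcode 37, rS = rA = r1, d = signed 16-bit)
MFLR_R0 = 0x7C0802A6
STWU_R1_R1 = 0x94210000

def insn_kind(word):
    """Classify one instruction word as 'mflr', 'stwu' (frame allocation with a
    negative displacement) or None."""
    if word == MFLR_R0:
        return "mflr"
    if word & 0xFFFF0000 == STWU_R1_R1:
        disp = struct.unpack(">h", struct.pack(">H", word & 0xFFFF))[0]
        if disp < 0:
            return "stwu"
    return None

def find_prologues(blob, base=0, window=3):
    """Return addresses of likely function starts: a word that is one half of
    the prologue template (mflr r0 / stwu r1,-N(r1)) whose other half appears
    within `window` following words. A lone mflr or stwu is ignored to keep
    false positives down, as is a stwu with a positive displacement."""
    words = [struct.unpack(">I", blob[i:i + 4])[0] for i in range(0, len(blob) - 3, 4)]
    starts = []
    i = 0
    while i < len(words):
        kind = insn_kind(words[i])
        if kind is None:
            i += 1
            continue
        partner = "stwu" if kind == "mflr" else "mflr"
        hit = next((j for j in range(i + 1, min(i + 1 + window, len(words)))
                    if insn_kind(words[j]) == partner), None)
        if hit is None:
            i += 1
            continue
        starts.append(base + 4 * i)
        i = hit + 1          # both halves consumed; do not report the partner again
    return starts

# Constructed code blob (not a real binary): two plausible prologues, one lone
# mflr r0 and one stwu with a positive displacement that must not be reported.
WORDS = [
    0x60000000,  # nop
    0x4E800020,  # blr
    0x9421FFE0,  # stwu r1,-0x20(r1)   <- function at base+0x08
    0x7C0802A6,  # mflr r0
    0x90010024,  # stw  r0,0x24(r1)
    0x38600001,  # li   r3,1
    0x4E800020,  # blr
    0x7C0802A6,  # mflr r0             <- function at base+0x1C
    0x90010004,  # stw  r0,4(r1)
    0x9421FFF0,  # stwu r1,-0x10(r1)
    0x38600002,  # li   r3,2
    0x4E800020,  # blr
    0x7C0802A6,  # mflr r0 (no stwu nearby: not reported)
    0x4E800020,  # blr
    0x94210010,  # stwu r1,0x10(r1) (positive displacement: not a frame setup)
]
BLOB = struct.pack(">%dI" % len(WORDS), *WORDS)

if __name__ == "__main__":
    for ea in find_prologues(BLOB, base=0x1000):
        print("candidate function at 0x%08X" % ea)   # in IDA: idaapi.add_func(ea)
```

Requiring both halves of the template within a short window is what keeps the scan from turning every `mflr r0` in the middle of a function into a bogus function start; leaf functions without a frame are still missed, so a second template for the target's other prologue shapes is usually needed.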
Approaches
- Logging functions
- Specific strings
- Meta information
- Context
- Function
- Relationship of functions
- Program
- …
A1: logging functions
- Need to find a logging function
- Backtrace
- Decompile (hex-rays)
[Figure: Function / String / Code template]
Example: WindowsPhone8
- Tip: restore information from Event Tracing for Windows (ETW)
* InstallerWorker.exe
Example: Objective-C
- Idea: restore xrefs from decompilation
- The decompiler backtraces parameters for you
Example: Objective-C
Need Hex-Rays…
Example: Objective-C
Patch binary!
Example: Objective-C
A1: logging functions
(+) good results
(-) the log function has to be identified first
(-) need backtrace
(-) platform dependent
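The A1 code template worked through on text, as an added example that is not part of the original talk: find each call to the logging routine, backtrace the pushed arguments to the one carrying the function name, and propose that name for the enclosing function. The listing is a constructed IDA-style x86 fragment and `_LogTrace(func, level, fmt)` is a hypothetical cdecl logger; in real IDAPython the string would be read from the xref target rather than from the repeatable comment.

```python
import re

# Constructed IDA-style listing (not from a real binary). The hypothetical
# logging routine is _LogTrace(const char *func, int level, const char *fmt),
# cdecl, so arguments are pushed right to left and the function name is the
# last push before the call.
LISTING = """\
sub_401000 proc near
    push    offset aFailedToOpenS ; "failed to open %s"
    push    2
    push    offset aHttpparseheade ; "HttpParseHeaders"
    call    _LogTrace
    add     esp, 0Ch
    retn
sub_401000 endp
sub_401020 proc near
    push    offset aGotDBytes ; "got %d bytes"
    push    1
    push    offset aSocketrecvloop ; "SocketRecvLoop"
    call    _LogTrace
    add     esp, 0Ch
    push    offset aUnused ; "unused"
    call    _OtherFn
    retn
sub_401020 endp
sub_401040 proc near
    push    eax             ; name lives in a register: not resolvable statically
    push    0
    push    ecx
    call    _LogTrace
    retn
sub_401040 endp
"""

FUNC_RE = re.compile(r"^(\w+)\s+proc\b.*?\n(.*?)^\1\s+endp", re.S | re.M)
CALL_RE = re.compile(r"^\s+call\s+(\S+)")
PUSH_RE = re.compile(r"^\s+push\b")
# In real IDA the string comes from the xref target (idc.get_strlit_contents);
# here the listing's repeatable comment carries it.
STR_RE = re.compile(r';\s*"([^"]*)"')

def functions(listing):
    return {m.group(1): m.group(2).splitlines() for m in FUNC_RE.finditer(listing)}

def backtrace_arg(body, call_idx, arg_index):
    """Walk backwards from the call counting pushes until the wanted argument
    (0 = first parameter = the push closest to the call). Stop at an earlier
    call, because pushes before it belong to that call, not this one."""
    seen = 0
    for line in reversed(body[:call_idx]):
        if CALL_RE.match(line):
            return None
        if PUSH_RE.match(line):
            if seen == arg_index:
                m = STR_RE.search(line)
                return m.group(1) if m else None
            seen += 1
    return None

def names_from_log_calls(listing, log_fn="_LogTrace", name_arg=0):
    """Map each function to the name its own log call passes to log_fn."""
    result = {}
    for fname, body in functions(listing).items():
        for idx, line in enumerate(body):
            m = CALL_RE.match(line)
            if not (m and m.group(1) == log_fn):
                continue
            name = backtrace_arg(body, idx, name_arg)
            # accept only identifier-like strings, so format strings never become names
            if name and re.fullmatch(r"[A-Za-z_]\w*", name):
                result[fname] = name
                break
    return result

if __name__ == "__main__":
    for old, new in names_from_log_calls(LISTING).items():
        print("%s -> %s" % (old, new))   # in IDA: idc.set_name(ea, new)
```

`sub_401040` shows the limit of the static backtrace: the name is passed in a register, so either the decompiler (as on the Objective-C slides) or a patched binary is needed to recover it.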
A2: strings
- Main idea
A2: strings
- Code template
A2: strings
(+) platform independent
(+) forget about the log function
(+) general approach (relatively)
(+) small, simple, flexible
(-) need regexp (I hate them)
(-) may need to customize
(-) false positives
A2: strings
- It works!
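The A2 approach in working form, as an added example that is not part of the original talk: given the strings each function references, run a few regexps over them, count the name candidates, drop the generic words that cause false positives, and make the proposed names unique so the renames can actually be applied. The function-to-strings map is constructed for the example (an IDAPython script would build it from xrefs to string items), and the patterns and stopword list are the kind of customization the slide says you should expect.

```python
import re
from collections import Counter

# Constructed map of function -> strings referenced from its body (what an
# IDAPython script would gather from xrefs to string items); not real data.
FUNC_STRINGS = {
    "sub_4010A0": ["HttpParseHeaders: bad status line",
                   "HttpParseHeaders: header too long",
                   "Content-Length"],
    "sub_4010F0": ["Error in SocketRecvLoop()", "recv failed: %d"],
    "sub_401140": ["[TlsHandshake] cipher %s", "TLSv1.2"],
    "sub_401180": ["Error: out of memory"],                      # generic: no name in here
    "sub_4011C0": ["HttpParseHeaders: called from dispatcher"],  # same name, fewer votes
    "main":       ["usage: prog <file>"],                        # already named: leave alone
}

# The common ways a function name leaks into its strings; group 1 is the name.
NAME_PATTERNS = [
    re.compile(r"^([A-Za-z_]\w{3,}):\s"),          # "Name: message"
    re.compile(r"\bin\s+([A-Za-z_]\w{3,})\(\)"),   # "Error in Name()"
    re.compile(r"^\[([A-Za-z_]\w{3,})\]"),         # "[Name] message"
]
# Words that fit the patterns but are never function names (the false-positive
# list the slide warns about; extend it per target).
STOPWORDS = {"error", "warning", "usage", "debug", "info", "fatal"}

def candidates(strings):
    """Count every name candidate the patterns extract from a function's strings."""
    votes = Counter()
    for s in strings:
        for pat in NAME_PATTERNS:
            m = pat.search(s)
            if m and m.group(1).lower() not in STOPWORDS:
                votes[m.group(1)] += 1
    return votes

def propose_names(func_strings, min_votes=1):
    """Pick the best-supported candidate per unnamed function, then make the
    result unique so every proposed rename can actually be applied."""
    best = {}
    for func, strings in func_strings.items():
        if not func.startswith("sub_"):
            continue                       # keep names IDA or the analyst already set
        votes = candidates(strings)
        if votes and votes.most_common(1)[0][1] >= min_votes:
            best[func] = votes.most_common(1)[0]
    proposals, used = {}, Counter()
    # strongest evidence keeps the plain name; weaker duplicates get a suffix
    for func, (name, _) in sorted(best.items(), key=lambda kv: -kv[1][1]):
        proposals[func] = name if used[name] == 0 else "%s_%d" % (name, used[name])
        used[name] += 1
    return proposals

if __name__ == "__main__":
    for func, name in propose_names(FUNC_STRINGS).items():
        print("%s -> %s" % (func, name))   # in IDA: idc.set_name(ea, name, idc.SN_NOWARN)
```

Counting votes instead of taking the first match is what makes the approach tolerate a stray string: `sub_4011C0` mentions `HttpParseHeaders` once, but the function with two matching strings keeps the plain name and the other gets a suffix that flags it for a manual look.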
A3: Meta information
- RTTI (Run-Time Type Identification)
- RTCI (Run Time Class Information)
A3: IDA Plugins
- http://sourceforge.net/projects/classinformer
- Only PE32, C++ RTTI
A3: Class Informer
A4.1: context of functions
- API wrappers
- special function
  - DriverEntry
  - RpcServerRegister
  - CoRegisterClassObject (DllGetObject)
  - …
- special instruction
  - in/out
  - vmcall, vmwrite…
  - rdmsr, wrmsr
  - sc, bcctrl
- switch
- crypto
A4.1: IDAScope
- fix function
- spot 'wrapper' functions
  - tagging
- spot blocks of code that look like cryptography
  - colorizing
- crypto signatures
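The two A4.1 heuristics that are easiest to automate, as an added example that is not part of the original talk or of IDAScope: tag functions that contain the special instructions listed above (port I/O, MSR access, VMX) and spot thin wrappers around a single imported API, naming them after that API. The listing is a constructed IDA-style x86 fragment; the tag names, the `w_` prefix and the "at most six glue instructions" rule for a wrapper are choices made for this example.

```python
import re

# Constructed IDA-style x86 listing (not from a real binary).
LISTING = """\
sub_10000 proc near
    mov     ecx, 0C0000080h
    rdmsr
    retn
sub_10000 endp
sub_10010 proc near
    jmp     ds:__imp_RpcServerRegisterIf
sub_10010 endp
sub_10020 proc near
    push    ebp
    mov     ebp, esp
    push    [ebp+8]
    call    ds:__imp_CreateFileW
    pop     ebp
    retn    4
sub_10020 endp
sub_10030 proc near
    in      al, dx
    out     dx, al
    retn
sub_10030 endp
sub_10040 proc near
    vmcall
    retn
sub_10040 endp
sub_10050 proc near
    push    ebp
    mov     ebp, esp
    call    ds:__imp_CreateFileW
    call    ds:__imp_CloseHandle
    pop     ebp
    retn
sub_10050 endp
"""

FUNC_RE = re.compile(r"^(\w+)\s+proc\b.*?\n(.*?)^\1\s+endp", re.S | re.M)
MNEMONIC_RE = re.compile(r"^\s+([a-z]+)")
IMPORT_RE = re.compile(r"^\s+(?:call|jmp)\s+(?:ds:)?__imp_(\w+)")

# Privileged or unusual instructions from the slide, and the tag each implies.
SPECIAL = {
    "in": "port_io", "out": "port_io",
    "rdmsr": "msr", "wrmsr": "msr",
    "vmcall": "vmx", "vmwrite": "vmx",
    "sc": "syscall", "bcctrl": "indirect_call",   # the PowerPC entries from the slide
}
# Instructions a thin API wrapper is allowed to consist of.
GLUE = {"push", "mov", "pop", "retn", "ret", "jmp", "call", "lea"}

def functions(listing):
    return {m.group(1): m.group(2).splitlines() for m in FUNC_RE.finditer(listing)}

def analyze(listing, max_wrapper_insns=6):
    """Tag every function by the context its body gives away, and propose a
    name for thin wrappers around a single imported API."""
    report = {}
    for fname, body in functions(listing).items():
        mnemonics = [MNEMONIC_RE.match(l).group(1) for l in body if MNEMONIC_RE.match(l)]
        imports = [IMPORT_RE.match(l).group(1) for l in body if IMPORT_RE.match(l)]
        tags = {SPECIAL[m] for m in mnemonics if m in SPECIAL}
        proposed = None
        is_wrapper = (len(imports) == 1 and len(mnemonics) <= max_wrapper_insns
                      and all(m in GLUE for m in mnemonics))
        if is_wrapper:
            tags.add("wrapper")
            proposed = "w_" + imports[0]
        elif imports:
            tags.add("api")   # calls imports, but does real work of its own
        report[fname] = {"tags": sorted(tags), "imports": imports, "name": proposed}
    return report

if __name__ == "__main__":
    for fname, info in analyze(LISTING).items():
        print(fname, info["tags"], info["name"] or "")
```

Tags rather than names are the right output for the instruction heuristic: `rdmsr` tells you a function touches privileged state, which is a starting point, not a name. Wrappers are the exception, since the API name really is the function's name.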
A4.2: Relationship of functions
- Renaming subroutine blocks
http://hooked-on-mnemonics.blogspot.ru/2012/07/renaming-subroutine-blocks-and.html
A3.3: context of program
- the N most complex functions
  - CC: cyclomatic complexity
- the N largest functions
  - parsers, etc.
- the four most frequently called functions, etc.
- runtime identification
- …
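The program-level rankings from the slide above, computed over a small model of a binary, as an added example that is not part of the original talk: cyclomatic complexity per function from its CFG, size by instruction count, call frequency from the call graph, and functions nobody calls, folded into one worklist of places to start. The per-function block, edge and instruction counts and the call graph are constructed; in IDA they would come from the flow chart and code cross-references.

```python
from collections import Counter

# Constructed program model (not a real binary): per-function basic-block count,
# control-flow edge count and instruction count, plus the call graph. In IDA these
# come from idaapi.FlowChart, the function's instruction list and CodeRefsTo.
FUNCS = {
    "sub_1000": {"blocks": 1,  "edges": 0,  "insns": 12},
    "sub_1100": {"blocks": 9,  "edges": 13, "insns": 140},
    "sub_1200": {"blocks": 24, "edges": 41, "insns": 610},
    "sub_1300": {"blocks": 3,  "edges": 3,  "insns": 30},
    "sub_1400": {"blocks": 6,  "edges": 7,  "insns": 900},
}
CALLS = [  # (caller, callee)
    ("sub_1200", "sub_1000"), ("sub_1200", "sub_1300"), ("sub_1100", "sub_1000"),
    ("sub_1400", "sub_1000"), ("sub_1400", "sub_1300"), ("sub_1300", "sub_1000"),
]

def cyclomatic(blocks, edges):
    """McCabe complexity of one function's CFG: E - N + 2 (one connected component)."""
    return edges - blocks + 2

def ranked(scores, n):
    """Top n (name, score) pairs, highest first; ties broken by name for determinism."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def top_complex(funcs, n=3):
    return ranked({f: cyclomatic(d["blocks"], d["edges"]) for f, d in funcs.items()}, n)

def top_largest(funcs, n=3):
    return ranked({f: d["insns"] for f, d in funcs.items()}, n)

def top_called(calls, n=3):
    return ranked(Counter(callee for _, callee in calls), n)

def never_called(funcs, calls):
    """Functions with no caller: entry points, callbacks or dead code; all worth a look."""
    callees = {callee for _, callee in calls}
    return sorted(f for f in funcs if f not in callees)

def starting_points(funcs, calls, n=2):
    """Combine the rankings into one worklist: each function with the reasons it
    deserves attention when there are no symbols to guide you."""
    reasons = {}
    for f, cc in top_complex(funcs, n):
        reasons.setdefault(f, []).append("complex (CC=%d)" % cc)
    for f, size in top_largest(funcs, n):
        reasons.setdefault(f, []).append("large (%d insns)" % size)
    for f, count in top_called(calls, n):
        reasons.setdefault(f, []).append("hot (%d call sites)" % count)
    for f in never_called(funcs, calls):
        reasons.setdefault(f, []).append("no callers")
    return reasons

if __name__ == "__main__":
    for f, why in starting_points(FUNCS, CALLS).items():
        print(f, ";", ", ".join(why))
```

A function that shows up in several lists at once (here `sub_1200`: most complex, second largest, no callers) is the parser-or-dispatcher candidate the slide has in mind; the most-called tiny function (`sub_1000`) is more likely a helper such as an allocator or a logging routine, which feeds straight back into approach A1.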
Extra
- Binaries that share the same codebase: (pdb) -> idb -> pat -> sig -> idb
- IDA plugin ida2pat.py
http://www.idapro.ru/description/flirt
Plan
- Take all techniques
- Prioritize
- Launch
- Profit!
Conclusions
- All borders are in your head
- Invent your own heuristics depending on the program traits and functions