After being trapped by malware, I went back to the basics, studied ASM and PE from scratch, and failed all the tools I tried in the process. This presentation introduces the complete details that are shared on Corkami.com, and highlights some of the most interesting cases.
2. (if you read this without the presentation)
3. why correct disassembly is important for analysis; a few examples of undocumented opcodes and CPU weirdness
4. theory-only sucks, so I created CoST for practicing and testing.
5. CoST also tests PE, but it's not enough by itself
6. So I documented PE separately, and give some examples.
7. [version: release 1] (hidden slide)
8. presented by...
9. Corkami.com
10. Mame (the arcade emulator); a malware analyst
11. Corka-what?
12. free to: test, modify, compile
13. updated
14. useful daily
15. but.... only a hobby!
16. what is in Corkami?
17. many PoCs
18. binaries available on PDF, x86, PE...
19. 100% open
20. Story
21. tricked by a malware
22. back to the basics
23. documented on Corkami
24. this presentation
25. Achievement unlocked: WinDbg 6.12.0002.633, OllyDbg 2.1a4, Hiew 8.15, IDA 6.1 (authors notified, and most bugs already fixed)
26. Agenda: a bunch of tricks
27. a bit more of PE
28. (image only)
29. from C to binary
30. inside the binary
31. our code, 'translated'
32. opcodes / assembly
33. (image only)
34. Assembly
35. executed directly by the CPU
36. the only code information in a standard binary; disassembly is only for humans
37. let's mess a bit now...
38. let's insert 'something'
39. (image only)
40. What did we do?
41. not even documented nor identified!! it could only crash...
42. the CPU doesn't care
43. what happened?
44. AL = CF ? -1 : 0
    trivial, but not documented (this is SALC, opcode D6, listed in the table on the next slide)
45. Intel: 'do what I do...'
    bytes                     Intel's XED                                  MS' WinDbg
    F1                        int1                                         ??
    D6                        salc                                         ??
    F7 C8 90 90 90 90         test eax, 0x90909090                         ??
    0F 1E 84 C0 90 90 90 90   nop dword ptr [eax+eax*8-0x6f6f6f70], eax    ??
    0F 20 90                  mov eax, cr2                                 ??
    66 0F C8                  bswap ax                                     bswap eax
46. the problem
47. if we/our tools don't know what's next, we're blind.
48. no exhaustive or clean test set
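The table and the "we're blind" point above, as an added example (this is not code from Corkami or from the slides): a tiny linear-sweep x86-32 decoder that implements the six encodings of the XED/WinDbg table plus nop, push ds and test r/m8,r8, run once with every encoding enabled and once as a "partial" decoder that lacks the undocumented or unusual ones (int1, salc, the F7 /1 TEST alias, the 0F 1E reserved nop, 16-bit bswap). The partial decoder is an assumed stand-in for a tool with a gap in its table, not a model of WinDbg's real logic; the feature names (`ALL`, `f7_alias`, ...) and the per-byte `??` recovery are mine. The byte stream is the slide's own six encodings concatenated.

```python
"""Added example, not code from Corkami or the slides: a linear-sweep x86-32
decoder for the six encodings of the XED/WinDbg table plus nop, push ds and
test r/m8,r8.  A 'partial' decoder that lacks the undocumented or unusual
encodings is run over the same bytes to show how it loses sync."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# Encodings a decoder may leave out; the partial decoder knows none of them (assumed names).
ALL = {"int1", "salc", "f7_alias", "nop_0f1e", "bswap16"}
# The exact byte stream of the slide's table (constructed here by concatenation).
SLIDE_BYTES = bytes.fromhex("F1" "D6" "F7C890909090" "0F1E84C090909090" "0F2090" "660FC8")


def decode_modrm(code, i, regs):
    """Decode ModRM (+SIB, +disp) with 32-bit addressing at code[i].
    Returns (reg_field, operand_text, bytes_consumed)."""
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    n, terms, disp_only = 1, [], False
    if mod == 3:                                   # register-direct form
        return reg, regs[rm], n
    if rm == 4:                                    # SIB byte follows
        sib = code[i + 1]
        n += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if base == 5 and mod == 0:
            disp_only = True                       # no base register, disp32 follows
        else:
            terms.append(REG32[base])
        if index != 4:
            terms.append(f"{REG32[index]}*{scale}")
    elif mod == 0 and rm == 5:
        disp_only = True                           # [disp32]
    else:
        terms.append(REG32[rm])
    disp = 0
    if mod == 1:
        disp, n = struct.unpack_from("<b", code, i + n)[0], n + 1
    elif mod == 2 or disp_only:
        disp, n = struct.unpack_from("<i", code, i + n)[0], n + 4
    if not terms:
        text = f"0x{disp & 0xFFFFFFFF:x}"
    else:
        text = "+".join(terms) + (f"-0x{-disp:x}" if disp < 0 else f"+0x{disp:x}" if disp else "")
    return reg, f"[{text}]", n


def decode_one(code, i, known):
    """Decode the instruction at code[i]; returns (length, text).  An encoding the
    decoder lacks is reported as one '??' byte and the sweep just goes on."""
    start = i
    opsize16 = code[i] == 0x66                     # operand-size prefix
    if opsize16:
        i += 1
    b = code[i]
    if b == 0xF1 and "int1" in known:
        return i + 1 - start, "int1"               # ICEBP
    if b == 0xD6 and "salc" in known:
        return i + 1 - start, "salc"               # AL = CF ? 0xFF : 0, absent from Intel's manual
    if b == 0x90:
        return i + 1 - start, "nop"
    if b == 0x1E:
        return i + 1 - start, "push ds"
    if b == 0x84:                                  # TEST r/m8, r8
        reg, rm, n = decode_modrm(code, i + 1, REG8)
        return i + 1 + n - start, f"test {rm}, {REG8[reg]}"
    if b == 0xF7:                                  # group 3; only TEST is handled here
        reg, rm, n = decode_modrm(code, i + 1, REG32)
        if reg > 1 or (reg == 1 and "f7_alias" not in known):
            return 1, "??"                         # /1 is an undocumented alias of /0 (TEST)
        imm = struct.unpack_from("<I", code, i + 1 + n)[0]
        return i + 1 + n + 4 - start, f"test {rm}, 0x{imm:x}"
    if b == 0x0F and i + 1 < len(code):
        b2 = code[i + 1]
        if b2 == 0x1E and "nop_0f1e" in known:    # reserved NOP r/m32, r32
            reg, rm, n = decode_modrm(code, i + 2, REG32)
            size = "dword ptr " if rm.startswith("[") else ""
            return i + 2 + n - start, f"nop {size}{rm}, {REG32[reg]}"
        if b2 == 0x20 and i + 2 < len(code):       # MOV r32, CRn; the mod bits are ignored
            m = code[i + 2]
            return i + 3 - start, f"mov {REG32[m & 7]}, cr{(m >> 3) & 7}"
        if 0xC8 <= b2 <= 0xCF:                     # BSWAP; with 66 it is the 'undefined' 16-bit form
            r = b2 - 0xC8
            if opsize16 and "bswap16" in known:
                return i + 2 - start, f"bswap {REG16[r]}"
            return i + 2 - start, f"bswap {REG32[r]}"  # a tool ignoring the prefix prints this
    return 1, "??"


def disassemble(code, known=ALL):
    """Linear sweep over `code`; returns a list of (hex_bytes, text)."""
    out, i = [], 0
    while i < len(code):
        n, text = decode_one(code, i, known)
        out.append((code[i:i + n].hex().upper(), text))
        i += n
    return out
```

`disassemble(SLIDE_BYTES)` reproduces the XED column exactly. `disassemble(SLIDE_BYTES, set())` turns the same 22 bytes into 17 "instructions": after the unknown `0F` of the reserved nop it reports a `push ds` and a `test al, al` that the CPU never executes, and it prints `bswap eax` for `66 0F C8`. That is the practical meaning of "if our tools don't know what's next, we're blind": one missing entry in the opcode table, and every following line of the listing is fiction until the sweep happens to resynchronise.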
49. scattered
50. let's start the real stuff...
51. a multi-generation CPU: standard...
    English: let's go! / you win / sandwich / hello / f*ck
    Assembly: push / mov / call / retn / jmp
52. ...old-style...
    English: thou / porpentine / enmity / hither / unkennel
    Assembly: aaa / xlat / verr / smsw / lsl
53. (image only)
54. ...newest generation
    English: tweet / poke / google / pwn / apps
    Assembly: crc32 / aesenc / pcmpistrm / vfmsubadd132ps / rcpss
    and MOVBE, the rejected offspring
55. registers
    gs = (diagram)
    complex relations
56. smsw
    higher word of reg32 'undefined'
57. under XP
58. eventually reverts
59. GS
60. eventually reset
61. wait
62. timings
63. nop
    .. .. .. .. 01 23 45 67 => 00 00 00 00 01 23 45 67
64. can trigger exception
65. mov
    movsxd eax, ecx
    mov eax, ecx
    mov eax, cs
    movzx eax, cs
66. bswap
    rax  12 34 56 78 90 ab cd ef => ef cd ab 90 78 56 34 12
    eax  .. .. .. .. 01 23 45 67 => 00 00 00 00 67 45 23 01
    ax   .. .. .. .. .. .. 01 23 => .. .. .. .. .. .. 00 00
67. push + ret
68. (image only)
69. ...and so on... too much theory for now...
70. Corkami Standard Test
71. CoST
72. testing opcodes
73. in a hardened PE
74. more than 150 tests
75. jumps (JMP to IP, IRET, ...)
76. undocumented (IceBP, SetALc, ...)
77. CPU-specific (MOVBE, POPCNT, ...)
78. OS-dependent, anti-VM/debug
79. exception triggers, interrupts, OS bugs, ...
80. ...
81. a documented binary: exports + VEH = self-commented assembly; a lot of DbgOutput
82. 32+64 = ...
83. same opcodes, different code
84. CoST vs WinDbg & Hiew (WinDbg 6.12.0002.633, Hiew 8.15)
85. a hardened PE: Top / PE 'footer'
86. CoST vs IDA
87. CoST vs Dumpbin (hidden slide)
    Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
    Copyright (C) Microsoft Corporation.  All rights reserved.
    Dump of file CoST.exe
    File Type: EXECUTABLE IMAGE
    LINK : fatal error LNK1248: image size (9B097F81) exceeds maximum allowable size (80000000)
88. a bit more of PE...
89. PE on corkami
90. a wiki page
91. not finished
92. more than 100 PoCs
93. good enough to break
94. virtual section table vs Hiew
95. folded header
96. weird export names
97. 65535 sections vs OllyDbg
98. one last...
99. imports are parsed until Name is 0
100. under XP, overwritten after imports; under W7, before
     same PE, loaded differently under different Windows
101. conclusion
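The import-descriptor walk of the two slides just above, as an added example (not a Corkami PoC and not code from the deck): it parses an IMAGE_IMPORT_DESCRIPTOR table with the termination rule the slide attributes to the loader (stop at the first descriptor whose Name is 0) and, for contrast, with an assumed "stop only at an all-zero entry" rule that a parsing tool might use instead. The table, the DLL names and the single-section layout in which RVA equals file offset are all constructed for the example; the XP/W7 difference in when the descriptors get overwritten is not modelled.

```python
"""Added example, not a Corkami PoC: walk an IMAGE_IMPORT_DESCRIPTOR table with
the loader's 'stop at Name == 0' rule (as stated on the slide) and with an assumed
'stop only at an all-zero entry' rule, on a constructed table where they disagree."""
import struct

# OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk (all 32-bit)
DESCRIPTOR = struct.Struct("<IIIII")


def read_cstring(data, offset):
    """Read a NUL-terminated ASCII string at `offset`."""
    return data[offset:data.index(b"\0", offset)].decode("ascii")


def build_sample_import_directory():
    """Constructed sample (assumption: one section, so RVA == file offset).
    Four descriptors at offset 0, followed by the DLL name strings."""
    strings = DESCRIPTOR.size * 4
    k32, u32 = strings, strings + len(b"kernel32.dll\0")
    descriptors = [
        (0x100, 0, 0, k32, 0x200),   # kernel32.dll: a normal entry
        (0x110, 0, 0, 0, 0x210),     # Name == 0 but thunks set: where the loader stops
        (0x120, 0, 0, u32, 0x220),   # user32.dll: never processed by the loader
        (0, 0, 0, 0, 0),             # conventional all-zero terminator
    ]
    return b"".join(DESCRIPTOR.pack(*d) for d in descriptors) + b"kernel32.dll\0user32.dll\0"


def parse_imports(data, offset=0, stop_rule="name"):
    """Return [(dll_name_or_None, FirstThunk), ...] for every descriptor seen.
    stop_rule="name": stop at the first descriptor whose Name is 0 (loader rule per the slide).
    stop_rule="zero": stop only at an all-zero descriptor (assumed naive tool behaviour)."""
    seen = []
    while offset + DESCRIPTOR.size <= len(data):
        fields = DESCRIPTOR.unpack_from(data, offset)
        name_rva, first_thunk = fields[3], fields[4]
        if stop_rule == "name" and name_rva == 0:
            break
        if stop_rule == "zero" and not any(fields):
            break
        seen.append((read_cstring(data, name_rva) if name_rva else None, first_thunk))
        offset += DESCRIPTOR.size
    return seen
```

With the loader's rule the sample imports only kernel32.dll; with the all-zero rule a tool reports a nameless entry and user32.dll as well. Whenever a tool's termination rule differs from the loader's, the tool analyses a different import table from the one that actually gets bound, which is the same tool-versus-CPU gap the opcode slides show, moved into the PE loader.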
102. still some gray areas of PE or x86
     official documentation leads to FAILURE
104. fix the bugs ;)
105. Thanks
106. Candid Wüest, Adam Błaszczyk, BeatriX, Bruce Dang, Cathal Mullaney, Czerno, Daniel Reynaud, Elias Bachaalany, Ero Carrera, Eugeny Suslikov, Georg Wicherski, Gil Dabah, Guillaume Delugré, Gunther, Igor Skochinsky, Ilfak Guilfanov, Ivanlef0u, Jean-Baptiste Bédrune, Jim Leonard, Jon Larimer, Joshua J. Drake, Markus Hinderhofer, Mateusz Jurczyk, Matthieu Bonetti, Moritz Kroll, Oleh Yuschuk, Renaud Tabary, Rewolf, Sebastian Biallas, StalkR, Yoann Guillot, ...
     Questions?
107. Such a weird processor: messing with opcodes (...and a little bit of PE)
     Ange Albertini, 28th October 2011
     @ange4771, @corkami (news only)
     Creative Commons BY