unpacking for dummies
play

Unpacking for Dummies Aka de-enmailloter sans ta mre tabarnac ! - PowerPoint PPT Presentation

Aug 05, 2023 •23 likes •803 views

Unpacking for Dummies Aka de-enmailloter sans ta mre tabarnac ! About Us Paul Jung, Excellium Services @_ _thanat0s_ _ Rmi Chipaux, iTrust @futex90 X86 aware anyone ?? Are you ready ? VM available online :

  1. Unpacking for Dummies Aka “de-enmailloter sans ta mère” tabarnac !

  2. About Us Paul Jung, Excellium Services @_ _thanat0s_ _ Rémi Chipaux, iTrust @futex90

  3. X86 aware anyone ??

  4. Are you ready ? ● VM available online : ○ http://hacklu.local/Unpacking_WorkShop_VmWare.ova ○ http://hacklu.local/Unpacking_WorkShop_VirtualBox.ova ● VM (vmware) from USB keys: ○ In UnRar folder choose the unrar binary for your Os unrar.exe x UnPacking_WorkShop_VMWare.rar the password is : “reverse”

  5. Why Packers

  6. What is a Packer ● You may name it packer, cryptor or protector ● Convert a single executable into “army” of executable ● You may see it as a kind of matrioska Packing

  7. Why packers ● To avoid AV detection ● Get more time during the infection campaign ● Obfuscate globally the payload

  8. Why un-packing ● After unpacking: ○ Identification of the real threat might be possible ● If still unknown: ○ You can reverse the unpacked sample

  9. Why un-packing ● If successful: ○ Dynamic analysis of sample becomes possible

  10. What kind of tools people use to pack ● Known tools/packer (upx, petite) ● Known “pro” packer (themida, vmprotect, ...) ● Dirty things, Self Extracting tools ( SFX Cabs, Msi ) ● Mostly, unknown packer/cryptor (??) …

  11. Concepts Needed Mandatory to no leave the room in 10 minutes

  12. Things to Know ● Mapping File to Memory ● Entry Point ● Import table ● Process Environment Block ● Traversing module list

  13. Entry Point & File Mapping _IMAGE_SECTION_HEADER File.exe DOS Header PE Header .idata .data .text MZ PE

  14. Sections typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

  15. Entry Point _IMAGE_OPTIONAL_HEADER File.exe DOS Header PE Header .idata .data .text MZ PE

  16. Entry Point typedef struct _IMAGE_OPTIONAL_HEADER { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; . . . DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

  17. 0x00000000 File Mapping 0x00400000 MZ DOS Header PE PE Header 0x00401000 .text VIRTUAL MEMORY EIP 0x00402000 .data 0x00405000 .idata

  18. Import table Import table list required functions for the PE. A DLL is a PE

  19. 0x00000000 File Mapping 0x00400000 MZ DOS Header PE PE Header 0x00401000 mype.exe .text 0x00402000 VIRTUAL MEMORY .data 0x00405000 .idata 0x00410000 MZ DOS Header PE PE Header mydll.dll 0x00411000 .text 0x00412000 .data

  20. PEB (Process Environment Block) ● Memory structure with the process states ● Location ○ 32 Bits FS[0x30] ○ 64 Bits GS[0x60]

  21. PEB (Process Environment Block)

  22. Traversing module list LoaderData gives DLL memory offset in the current process 3 Chained lists; InLoadOrderModuleList ; DLL & PE at Start InMemoryOrderModuleList ; DLL & PE, current state InInitialisationOrderModuleList ; DLL loaded current state

  23. Traversing module list LoaderData gives DLL memory offset in the current process

  24. Traversing module list LoaderData gives DLL memory offset in the current process push 30h pop ecx mov esi, fs:[ecx] ; PEB (FS:[0x30]) mov esi, [esi+0Ch] ; ESI = LoaderData mov esi, [esi+1Ch] ; ESI = Flink InInitialisationOrderModuleList mov ebp, [esi+8] ; EBP = Base addresse de ntdll mov ds:ntdllbase, ebp

  25. Traversing module list LoaderData gives DLL memory offset in the current process ● First one is always: ntdll ● Second one is always: kernel32

  26. Traversing module list LoaderData gives DLL memory offset in the current process Parsing a PE ( DLL ) allows to find any function by hand. PEB LoaderData DLL mapping Offset DLL Dos Stub Function EAT DLL PE Stub Offset

  27. Packer families How does it work

  28. Mainly three kinds of techniques ● Unpack in the same process PE Differents “flavors” ○ ■ RWX native memory code segment in the PE: RWX Automodification of code, ● ● Fix IAT, Jump in it. ● ■ Allocate New RWX code segment: Fill with code, ● ● Fix IAT, Jump in it. ●

  29. Mainly three kinds of techniques PE PE Unpack in another process ● ○ Process hollowing aka RunPE Create new “suspended” process ■ ■ Unmap then replace all the segments Set origin EIP ■ ■ Release the Kraken ! exit ■

  30. RunPE D E D N E P Executable B S U S _ E T A E R C , s s e c o r P e t a e r C GetThreadContext : EBX -> PEB Packer A Malware B

  31. RunPE D E D N E P Executable B S U S _ E T A E R C , s s e c o r P e t a e r C GetThreadContext : EBX -> PEB NtUnmapViewOfSection Packer A Malware B

  32. RunPE D E D N E P Executable B S U S _ E T A E R C , s s e c o r P e t a e r C GetThreadContext : EBX -> PEB NtUnmapViewOfSection Packer A VirtualAllocEx Malware B

  33. RunPE D E D N E P Executable B S U S _ E T A E R C , s s e c o r P e t a e r C GetThreadContext : EBX -> PEB NtUnmapViewOfSection Packer A VirtualAllocEx Malware B WriteProcessMemory SetThreadContext ResumeThread

  34. RunPE • Running executable is « Legit » • No IAT fixing required Executable B • Artefact • No parents

  35. Mainly three kinds of techniques PE PE Unpack in another process ● ○ Create a new “thread” in another process Create a section in a running process ■ ■ Release the Kraken ! exit ■

  36. Malware analysis Injection Simple Executable B VirtualAllocEx WriteProcessMemory Packer A ResumeThread Malware B

  37. Malware analysis Injection simple • Running executable is « Legit ». Executable B • No IAT, direct function call required. • Ends when Executable B is stopped. • Multiple injections usually

  38. Malware analysis • They are other techniques Executable B • Using CreatefileMapping, etc … But it’s enought for today !

  39. On .NET, many kind of techniques .NET PE ● Load another module: Sort of loading a “.NET DLL” ○ ● Launch “Msil” code: Using “assembly.invoke” directive ○ ● Launch “Native” code: ○ Using “_ _asm {}” .NET based process hollowing: ● ○ Simple RunPE, launch another process

  40. RunPE Classical RUNPE In .NET code

  41. Where are the packed data ? .NET PE ● Wherever it’s possible ! In a Data segment ○ ○ In a code segment In a ressource ○ ● How ? Xor, Aes, Base64, Bzip… ○ ○ Or whatever it is possible to do Who cares ? ■

  42. Packer detection How to know if it’s packed

  43. Identifying that your sample is packed A bunch of clues: High section entropy (Above 6.5).. Maybe usual on ressources. ● ● Unusual small code segments. ● No clear strings in the whole PE. ● Few Import ( not relevant in .net ) Unusual segment names. ● ○ Home made scripts https://github.com/Th4nat0s/Chall_Tools ■

  44. Identify that your sample is packed ● A bunch of clues None or very few winnt API calls present in the IAT ○ $rabin2 -i mymalware.exe [Imports] ordinal=001 plt=0x00000000 bind=NONE type=FUNC name=kernel32.dll_GetModuleHandleA ordinal=002 plt=0x00000000 bind=NONE type=FUNC name=kernel32.dll_GetProcAddress ordinal=003 plt=0x00000000 bind=NONE type=FUNC name=kernel32.dll_ExitProcess ordinal=004 plt=0x00000000 bind=NONE type=FUNC name=kernel32.dll_LoadLibraryA ordinal=001 plt=0x00000000 bind=NONE type=FUNC name=user32.dll_MessageBoxA ordinal=001 plt=0x00000000 bind=NONE type=FUNC name=advapi32.dll_RegCloseKey ordinal=001 plt=0x00000000 bind=NONE type=FUNC name=oleaut32.dll_SysFreeString ordinal=001 plt=0x00000000 bind=NONE type=FUNC name=gdi32.dll_CreateFontA ordinal=001 plt=0x00000000 bind=NONE type=FUNC name=shell32.dll_ShellExecuteA ordinal=001 plt=0x00000000 bind=NONE type=FUNC name=version.dll_GetFileVersionInfoA ordinal=001 plt=0x00000000 bind=NONE type=FUNC name=mscoree.dll__CorExeMain 11 Imports

Recommend

Do dummies pay off? Limits of dummy traffic protection in anonymous communication systems Simon

Do dummies pay off? Limits of dummy traffic protection in anonymous communication systems Simon

Do dummies pay off? Limits of dummy traffic protection in anonymous communication systems Simon Oya , Carmela Troncoso and Fernando Prez-Gonzlez Introduction Anonymous channels hide correspondences (input/output). Dummies are a common

402 views • 18 slides
aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

Ein Blick in die Hexenkche der Exploit Entwickler aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 2 27/03/2018 // Exploit Development for Dummies

613 views • 48 slides
Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr

Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr

Unpacking tips and tricks Samuel Chevet Presentation Process Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr http://www.lse.epita.fr 12 February 2013 Why this talk ? Unpacking tips and tricks

439 views • 26 slides
Theres nothing really they can do with this information: Unpacking How Users Manage

Theres nothing really they can do with this information: Unpacking How Users Manage

Theres nothing really they can do with this information: Unpacking How Users Manage Privacy Boundaries for Personal Fitness Information Michael Zimmer 2 , Priya Kumar 1 , Jessica Vitak 1 , Yuting Liao 1 , and Katie Chamberlain Kritikos

183 views • 17 slides
PDCA for Dummies Fishingen EQuiP open conference

PDCA for Dummies Fishingen EQuiP open conference

PDCA for Dummies Fishingen EQuiP open conference 23-25.04.2015 FIVE PRINCIPLES OF QI 1. Quality improvement is the science of process management.

441 views • 28 slides
Nevada Day Parade OR Parade Floats for DUMMIES Youre in the Parade.. YAY !!! NOW WHAT

Nevada Day Parade OR Parade Floats for DUMMIES Youre in the Parade.. YAY !!! NOW WHAT

So you want to be in the Nevada Day Parade OR Parade Floats for DUMMIES Youre in the Parade.. YAY !!! NOW WHAT ?????????????? Our customers are the wonderful folks who suffer silently waiting and hoping for something to happen that

363 views • 25 slides
UNPACKING T HE SMART CIT Y SCHE ME WIT H T HE E CONOMIC DE VE L OPME NT BOARD (E

UNPACKING T HE SMART CIT Y SCHE ME WIT H T HE E CONOMIC DE VE L OPME NT BOARD (E

UNPACKING T HE SMART CIT Y SCHE ME WIT H T HE E CONOMIC DE VE L OPME NT BOARD (E DB) MAURIT IUS A pr e se ntation by: Mr . Sac hin Mohabe e r , He ad Re al E state & Hospitality E c onomic De ve lopme nt Boar d ,

529 views • 13 slides
Unpacking authen.c academic texts: Approaches to the noun

Unpacking authen.c academic texts: Approaches to the noun

Unpacking authen.c academic texts: Approaches to the noun phrases on pre-sessional English language courses BALEAP Conference, No:ngham,

316 views • 31 slides
YOUR INTELLIGENCE? Unpacking the Black Box Nigel Cannings, CTO @intelligentvox

YOUR INTELLIGENCE? Unpacking the Black Box Nigel Cannings, CTO @intelligentvox

HOW ARTIFICIAL IS YOUR INTELLIGENCE? Unpacking the Black Box Nigel Cannings, CTO @intelligentvox www.intelligentvoice.com FOR $100! Can you see what this means? Antenna 88.7% Tree 6.9% Car 2.7% Cabbage 1.2% Tank 0.5%

716 views • 36 slides
Markets Unpacking some of the Issues and Challenges 17 TH CBFP Meeting of the Parties

Markets Unpacking some of the Issues and Challenges 17 TH CBFP Meeting of the Parties

Monitoring Legality for Domestic and Regional Markets Unpacking some of the Issues and Challenges 17 TH CBFP Meeting of the Parties Douala, Cameroon 26 th October, 2017 Richard NYIRENDA et Aurelian MBZIBAIN Centre for International

302 views • 14 slides
Unpacking the Black-Box of Causality: Learning about Causal Mechanisms from Experimental and

Unpacking the Black-Box of Causality: Learning about Causal Mechanisms from Experimental and

Unpacking the Black-Box of Causality: Learning about Causal Mechanisms from Experimental and Observational Studies Kosuke Imai Princeton University November 2, 2011 Joint work with L. Keele (Penn State) D. Tingley (Harvard) T. Yamamoto

445 views • 27 slides
Unpacking the Differences: Unpacking the Differences: Unpacking the Differences: Unpacking the

Unpacking the Differences: Unpacking the Differences: Unpacking the Differences: Unpacking the

25-Jul-19 Unpacking the Differences: Unpacking the Differences: Unpacking the Differences: Unpacking the Differences: Audit Audit - Audit Audit - - - Independent Review Independent Review Independent Review - Independent Review - -

322 views • 10 slides
DEXCALIBUR AUTOMATE YOUR ANDROID APP REVERSE Or hooking for dummies

DEXCALIBUR AUTOMATE YOUR ANDROID APP REVERSE Or hooking for dummies

DEXCALIBUR AUTOMATE YOUR ANDROID APP REVERSE Or hooking for dummies https://github.com/FrenchYeti/dexcalibur.git WHO AM I ? GEORGES-B. MICHEL @FrenchYeti yeti@0xff.ninja Aka @FrenchYeti Software Security Evaluator at Thales Day

925 views • 77 slides
Category Theory For Dummies Slides Available assistants for it, the different libraries available

Category Theory For Dummies Slides Available assistants for it, the different libraries available

Category Theory For Dummies Slides Available assistants for it, the different libraries available (HoTT Coq, Unimath, HoTT-Agda) Lawvere- Tierney Sheafification in Homotopy Type Theory slides, Andreas Nuyts, Altenkirsh, Univalence for

719 views • 3 slides
Unpacking key livelihood challenges and opportunities in energy crop cultivation: village level

Unpacking key livelihood challenges and opportunities in energy crop cultivation: village level

School of Earth and Environment INSTITUTE FOR CLIMATE AND ATMOSPHERIC SCIENCE Sustainability Research Institute (SRI) CCCEP Lunchtime Seminar Series, November 14th, 2012 Unpacking key livelihood challenges and opportunities in energy crop

284 views • 24 slides
Frontal Dummies Frontal Dummies Latest Developments Latest Developments Page 1 Hybrid III

Frontal Dummies Frontal Dummies Latest Developments Latest Developments Page 1 Hybrid III

Frontal Dummies Frontal Dummies Latest Developments Latest Developments Page 1 Hybrid III Adult Models Hybrid III Adult Models th percentile female Hybrid III 5 th percentile female Hybrid III 5 Latest release: v4.0 Latest

431 views • 5 slides
Section 3.3: Dummies and Interactions Jared S. Murray The University of Texas at Austin McCombs

Section 3.3: Dummies and Interactions Jared S. Murray The University of Texas at Austin McCombs

Section 3.3: Dummies and Interactions Jared S. Murray The University of Texas at Austin McCombs School of Business 1 Example: Detecting Sex Discrimination Imagine you are a trial lawyer and you want to file a suit against a company for salary

697 views • 31 slides
Unpacking Science Prac.ces: Explana.on and Modeling NSTA Professional

Unpacking Science Prac.ces: Explana.on and Modeling NSTA Professional

Unpacking Science Prac.ces: Explana.on and Modeling NSTA Professional Development Institute Wednesday, March 11, 2015 What we will do Explore the meaning of

197 views • 18 slides
Elasticsearch for dummies Jakub Kluvnek jakub.kluvanek@biddingfox.com @kluvi, @biddingfox_devs

Elasticsearch for dummies Jakub Kluvnek jakub.kluvanek@biddingfox.com @kluvi, @biddingfox_devs

Elasticsearch for dummies Jakub Kluvnek jakub.kluvanek@biddingfox.com @kluvi, @biddingfox_devs WTF database RESTful search and analytics engine APIs Index API Bulk API Get API Reindex API Delete API Multi

648 views • 31 slides
Unpacking the Learner- Selection Suitcase : A Synthesis of Evaluation Findings from Learner

Unpacking the Learner- Selection Suitcase : A Synthesis of Evaluation Findings from Learner

Unpacking the Learner- Selection Suitcase : A Synthesis of Evaluation Findings from Learner Directed Educational Improvement Initiatives. Benita Williams Mobile: +27 82 772 9709 bwilliams@feedbackpm.com Case Study Questions 1) You

243 views • 23 slides
11/10/16 STRATEGIC INTERVENTION SERVICES ASSOCIATES UNPACKING CULTURE IN FAMILY AND CHILD

11/10/16 STRATEGIC INTERVENTION SERVICES ASSOCIATES UNPACKING CULTURE IN FAMILY AND CHILD

11/10/16 STRATEGIC INTERVENTION SERVICES ASSOCIATES UNPACKING CULTURE IN FAMILY AND CHILD PROTECTION CONFLICT RESOLUTION Regina Odofle Thompson LLM (ADR), C.MED., ACC.FM, CP.MED. Tel: +1 (416) 826-3623 E-mail: sisa@rogers.com PRESENTER

678 views • 9 slides
Investigating conflicts and freedoms in the higher education environment: Unpacking

Investigating conflicts and freedoms in the higher education environment: Unpacking

Investigating conflicts and freedoms in the higher education environment: Unpacking the capabilities and capitals of first-in- family learners HERDSA Conference : [RE]VALUING HIGHER EDUCATION A/Prof Sarah OShea University of

531 views • 49 slides
Finding Words for It: Unpacking the Language of Engagement in Higher Education Dr. Kira

Finding Words for It: Unpacking the Language of Engagement in Higher Education Dr. Kira

Finding Words for It: Unpacking the Language of Engagement in Higher Education Dr. Kira Pasquesi University of Colorado, Boulder Engagement Scholarship Consortium October 9, 2019 Session Agenda I. Opening poem II. Study purpose and

192 views • 17 slides
Newbie Programming for Dummies (Or highly inexperienced experts) Who are We? Clyde Bazile John

Newbie Programming for Dummies (Or highly inexperienced experts) Who are We? Clyde Bazile John

Newbie Programming for Dummies (Or highly inexperienced experts) Who are We? Clyde Bazile John Anukem Sebastien Siclait Braxton Gunter Terence Jacobs Why Newbie? What can a Newbie do? Comment # Im such a noob # enter code below

326 views • 11 slides

More recommend