Slide 2
![APPLICATION PROTECTION METHODS](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-1.jpg)
APPLICATION PROTECTION METHODS
Packing / encrypting the whole file
Obfuscating individual strings / machine code
Code virtualization
Detecting debuggers / emulators / sandboxes / virtual machines
Slide 3
![DROPPER – STAGE 1](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-2.jpg)
Slide 4
![DROPPER – STAGE 1 https://upx.github.io/ upx -d packed.exe_ -o unpacked.exe_](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-3.jpg)
DROPPER – STAGE 1
https://upx.github.io/
upx -d packed.exe_ -o unpacked.exe_
Slide 5
![DROPPER – STAGE 2](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-4.jpg)
Slide 6
![DROPPER – STAGE2 OllyDbg + Cmdbar / x64dbg / Immunity](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-5.jpg)
DROPPER – STAGE2
OllyDbg + Cmdbar / x64dbg / Immunity Debugger
bp VirtualAlloc
bp VirtualProtect
bp VirtualFree
bp WriteProcessMemory
Slide 7
![DROPPER – STAGE2](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-6.jpg)
Slide 8
![DROPPER – STAGE3](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-7.jpg)
Slide 9
![DROPPER – STAGE3](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-8.jpg)
Slide 10
![DROPPER – STAGE3](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-9.jpg)
Slide 11
![DROPPER – STAGE3](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-10.jpg)
Slide 12
![DROPPER – STAGE3 data_0x00410e24 - relocs ? data_0x004718b4 - some](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-11.jpg)
DROPPER – STAGE3
data_0x00410e24 - relocs ?
data_0x004718b4 - some strings + archive
data_0x00471c33 - hashed import table
Slide 13
![DROPPER – STAGE3 - ARCHIVE](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-12.jpg)
DROPPER – STAGE3 - ARCHIVE
Slide 14
![UNPACKING ARCHIVE 6 files !!! BIOS IMAGE 16-bit shellcode (3x) Driver x32 Driver x64](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-13.jpg)
UNPACKING ARCHIVE
6 files !!!
BIOS IMAGE
16-bit shellcode (3x)
Driver x32
Driver x64
Slide 15
![DRIVER Search for hash1 and exe_search_16bytes_by_hash functions](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-14.jpg)
DRIVER
Search for hash1 and exe_search_16bytes_by_hash functions
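Slides 12 and 15 mention a hashed import table and the driver's `hash1` lookup routine. The talk does not show the hash algorithm, so the following is an added example (not the speaker's tooling) of how an analyst resolves such a table: precompute the hash of every export name of the library, then map each 32-bit hash in the malware's table back to an API name. The ROR-13 additive hash, the export list and the sample table are all assumptions constructed for the example; substitute the real `hash1` once it has been reverse engineered.

```python
# Added example: resolving a hashed import table back to API names.
# The malware's real hash routine ("hash1" in the slides) is not on the page;
# a ROR-13 additive hash over the ASCII name is ASSUMED here as a stand-in.
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def hash1(name: str) -> int:
    """ASSUMED stand-in for the malware's hash routine: ROR-13 additive hash."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & MASK32
    return h


def build_hash_table(export_names: List[str]) -> Dict[int, str]:
    """Precompute hash -> API name so hashed imports can be looked up."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = hash1(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve_hashed_imports(blob: bytes, table: Dict[int, str]) -> List[Optional[str]]:
    """Walk a little-endian array of 32-bit hashes and name each one (None = unknown)."""
    out: List[Optional[str]] = []
    for off in range(0, len(blob) - len(blob) % 4, 4):
        h = int.from_bytes(blob[off:off + 4], "little")
        out.append(table.get(h))
    return out


# Constructed sample: a few kernel32 export names stand in for the export
# directory, and a hashed import table built from three of them plus one
# hash that is deliberately not in the table.
SAMPLE_EXPORTS = ["VirtualAlloc", "VirtualProtect", "VirtualFree",
                  "WriteProcessMemory", "LoadLibraryA", "GetProcAddress"]
SAMPLE_TABLE = b"".join(
    hash1(n).to_bytes(4, "little")
    for n in ["VirtualAlloc", "WriteProcessMemory", "VirtualProtect"]
) + (0xDEADBEEF).to_bytes(4, "little")

if __name__ == "__main__":
    names = resolve_hashed_imports(SAMPLE_TABLE, build_hash_table(SAMPLE_EXPORTS))
    for i, n in enumerate(names):
        print(f"import[{i}] -> {n or 'UNKNOWN'}")
```

In practice the export list comes from the real DLL's export directory (every name, not a hand-picked few), and an unresolved hash is the signal that either the hash routine was reconstructed wrongly or the sample targets a different library.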
Slide 16
![DRIVER – VIRTUAL CODE](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-15.jpg)
Slide 17
![STRINGS ENCRYPTED WITH 4-BYTE KEYS For some encrypted strings could](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-16.jpg)
STRINGS ENCRYPTED WITH 4-BYTE KEYS
For some encrypted strings could not find XREFs and decryption keys!
MAYBE they are decrypted from virtual code?
Slide 18
![INTERPRETER CODE OBFUSCATED AND SPLIT INTO MANY CHUNKS](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-17.jpg)
INTERPRETER CODE OBFUSCATED AND SPLIT INTO MANY CHUNKS
Slide 19
![VIRTUAL INSTRUCTIONS 4-byte arguments xored with 0x69B00B7A 2-byte arguments xored](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-18.jpg)
VIRTUAL INSTRUCTIONS
4-byte arguments xored with 0x69B00B7A
2-byte arguments xored with 0x13F1
1-byte arguments xored with 0x57
Slide 20
![SEARCHING FOR XREFS IN VIRTUAL CODE Prepare disassembler module for](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-19.jpg)
SEARCHING FOR XREFS IN VIRTUAL CODE
Prepare disassembler module for IDA – too long and complex
XOR string address with 0x69B00B7A, search this in virtual code, and try nearby XORED 4-bytes blocks as decryption keys => easy profit
FINALLY DECRYPTED CC-server address and PORT
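Slides 19 and 20 describe the trick: virtual-instruction arguments are XORed with fixed constants, so the XOR-encoded address of an encrypted string can be searched for directly in the virtual code, and the 4-byte argument blocks next to that hit are candidate decryption keys. The block below is an added example (not the speaker's script) that carries this out end to end. Only the three XOR constants are from the slides; the virtual-code layout, the string cipher (a repeating 4-byte XOR), the string address and all sample bytes are constructed assumptions.

```python
# Added example: locating xrefs to an encrypted string inside virtualized code
# and recovering its key from the neighbouring encoded arguments.
# ARG*_KEY constants are from slide 19; everything else is ASSUMED/constructed.
import struct
from typing import List, Optional, Tuple

ARG32_KEY = 0x69B00B7A   # 4-byte arguments (slide 19)
ARG16_KEY = 0x13F1       # 2-byte arguments
ARG8_KEY = 0x57          # 1-byte arguments


def decode_arg(raw: bytes) -> int:
    """Decode one virtual-instruction argument by its width."""
    if len(raw) == 4:
        return struct.unpack("<I", raw)[0] ^ ARG32_KEY
    if len(raw) == 2:
        return struct.unpack("<H", raw)[0] ^ ARG16_KEY
    if len(raw) == 1:
        return raw[0] ^ ARG8_KEY
    raise ValueError("argument width must be 1, 2 or 4")


def find_virtual_xrefs(vcode: bytes, address: int) -> List[int]:
    """Offsets in vcode where the XOR-encoded 4-byte address occurs (slide 20)."""
    needle = struct.pack("<I", address ^ ARG32_KEY)
    hits, start = [], 0
    while (i := vcode.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def xor_decrypt(data: bytes, key: int) -> bytes:
    """ASSUMED string cipher: XOR with a repeating little-endian 4-byte key."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def looks_printable(s: bytes) -> bool:
    """Plausibility check for a decrypted C2 string (trailing NULs allowed)."""
    s = s.rstrip(b"\x00")
    return len(s) > 0 and all(0x20 <= b < 0x7F for b in s)


def recover_key(vcode: bytes, enc: bytes, xref: int,
                window: int = 16) -> Optional[Tuple[int, int, bytes]]:
    """Try each 4-byte block near the xref as the key; return (offset, key, plaintext)."""
    lo = max(0, xref - window)
    hi = min(len(vcode) - 4, xref + 4 + window)
    for off in range(lo, hi + 1):
        if off == xref:            # the address itself is not a key
            continue
        key = decode_arg(vcode[off:off + 4])
        pt = xor_decrypt(enc, key)
        if looks_printable(pt):
            return off, key, pt
    return None


def decrypt_via_virtual_xref(vcode: bytes, string_addr: int,
                             enc: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Full procedure from slide 20: xref search, then nearby-key trial."""
    for xref in find_virtual_xrefs(vcode, string_addr):
        hit = recover_key(vcode, enc, xref)
        if hit:
            return hit
    return None


# ---- constructed sample data (not from the analysed sample) ----
STRING_ADDR = 0x00471900                       # assumed address of the encrypted string
SAMPLE_KEY = 0x5A17C3E9                        # assumed 4-byte decryption key
SAMPLE_PLAINTEXT = b"cc.example.invalid:8443"  # constructed C2 host:port
SAMPLE_ENCRYPTED = xor_decrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)  # XOR is symmetric


def _enc32(v: int) -> bytes:
    return struct.pack("<I", v ^ ARG32_KEY)


# Assumed virtual code: 1-byte opcodes followed by encoded 4-byte arguments.
SAMPLE_VCODE = (
    bytes([0x11 ^ ARG8_KEY]) + _enc32(0x11223344)   # unrelated instruction
    + bytes([0x22 ^ ARG8_KEY]) + _enc32(STRING_ADDR)  # push string address
    + bytes([0x22 ^ ARG8_KEY]) + _enc32(SAMPLE_KEY)   # push decryption key
    + bytes([0x33 ^ ARG8_KEY])                        # call decrypt
)

if __name__ == "__main__":
    print(decrypt_via_virtual_xref(SAMPLE_VCODE, STRING_ADDR, SAMPLE_ENCRYPTED))
```

The printable-text check is the weak point: widen the window or add a stricter plausibility test (expected charset, a `host:port` pattern) when the real interpreter places the key further from the address argument than assumed here.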
Slide 21
![DGA ALGORITHM SEEMS DGA ALGORITHM ALSO EXISTS NO XREFS FROM](/_ipx/f_webp&q_80&fit_contain&s_1440x1080/imagesDir/jpg/351310/slide-20.jpg)
DGA ALGORITHM
SEEMS DGA ALGORITHM ALSO EXISTS
NO XREFS FROM NATIVE CODE TO DGA strings
TODO – time to make IDA PRO processor module