Slide 2: APPLICATION PROTECTION METHODS
Packing / encrypting the whole file
Obfuscating individual strings / machine code
Code virtualization
Detecting debuggers / emulators / sandboxes / virtual machines
Slide 4: DROPPER – STAGE 1
https://upx.github.io/
upx -d packed.exe_ -o unpacked.exe_
Slide 6: DROPPER – STAGE 2
OllyDbg + Cmdbar / x64dbg / Immunity Debugger
bp VirtualAlloc
bp VirtualProtect
bp VirtualFree
bp WriteProcessMemory
Slide 12: DROPPER – STAGE 3
data_0x00410e24 - relocs?
data_0x004718b4 - some strings + archive
data_0x00471c33 - hashed import table
Slide 14: UNPACKING ARCHIVE
6 files !!!
BIOS IMAGE
16-bit shellcode (3x)
Driver x32
Driver x64
Slide 15: DRIVER
Search for hash1 and exe_search_16bytes_by_hash functions
Slide 17: STRINGS ENCRYPTED WITH 4-BYTE KEYS
For some encrypted strings, neither XREFs nor decryption keys could be found!
MAYBE they are decrypted from virtual code?
Slide 18: INTERPRETER CODE OBFUSCATED AND SPLIT INTO MANY CHUNKS
Slide 19: VIRTUAL INSTRUCTIONS
4-byte arguments XORed with 0x69B00B7A
2-byte arguments XORed with 0x13F1
1-byte arguments XORed with 0x57
Slide 20: SEARCHING FOR XREFS IN VIRTUAL CODE
Preparing a disassembler module for IDA – too long and complex
XOR the string address with 0x69B00B7A, search for the result in the virtual code, and try nearby XORed 4-byte blocks as decryption keys => easy profit
FINALLY DECRYPTED C&C server address and PORT
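The slide 19/20 trick in script form, as an added example that is not the speaker's code: un-XOR the virtual instruction arguments with the three masks from slide 19, locate the operand that references a string's address, and try the decoded 4-byte operands near it as keys. It assumes the string cipher is a repeating 4-byte XOR (the slides only say "4-byte keys") and uses a constructed virtual-code blob, key and string address rather than anything from the analysed dropper.

```python
import struct

# Argument masks for the virtual instruction set, as given on slide 19.
ARG_MASKS = {4: 0x69B00B7A, 2: 0x13F1, 1: 0x57}

def decode_arg(raw: int, size: int) -> int:
    """Un-XOR a 1-, 2- or 4-byte virtual instruction argument."""
    return raw ^ ARG_MASKS[size]

def find_vm_xrefs(vcode: bytes, addr: int) -> list:
    """Offsets in the virtual code where a 4-byte argument decodes to addr
    (slide 20: XOR the string address and search for the result)."""
    needle = struct.pack("<I", addr ^ ARG_MASKS[4])
    hits, pos = [], vcode.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = vcode.find(needle, pos + 1)
    return hits

def xor4(data: bytes, key: int) -> bytes:
    """Repeating 4-byte XOR (assumed cipher; the slides only say '4-byte keys')."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))

def recover_strings(vcode: bytes, addr: int, enc: bytes, window: int = 16) -> list:
    """Try every 4-byte block near each xref as a decoded key; keep printable results."""
    found = []
    for off in find_vm_xrefs(vcode, addr):
        lo, hi = max(0, off - window), min(len(vcode) - 4, off + window)
        for p in range(lo, hi + 1):  # every alignment: operands are not aligned
            if p == off:
                continue
            key = decode_arg(struct.unpack_from("<I", vcode, p)[0], 4)
            plain = xor4(enc, key)
            if plain and all(0x20 <= c < 0x7F for c in plain):
                found.append({"xref": off, "key": key, "plain": plain.decode("ascii")})
    return found

# Constructed sample (not from the analysed dropper): a fake server string, its
# 4-byte key, and a tiny virtual-code blob with the key operand placed a few
# bytes before the operand that references the string's address.
KEY = 0xDEADBEEF
ADDR = 0x004718C0
PLAIN = b"example.invalid:443"
ENC = xor4(PLAIN, KEY)
VCODE = (b"\x10\x02\x7F" + struct.pack("<I", KEY ^ ARG_MASKS[4])
         + b"\x21" + struct.pack("<I", ADDR ^ ARG_MASKS[4])
         + b"\x33\x00\xC4\x11\x5E\x00\x33")

if __name__ == "__main__":
    for hit in recover_strings(VCODE, ADDR, ENC):
        print(f"xref @ {hit['xref']:#x}  key {hit['key']:#010x}  -> {hit['plain']}")
```

On real input the printable filter will also let a few false keys through, so review every candidate rather than taking the first one.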
Slide 21: DGA ALGORITHM
SEEMS A DGA ALGORITHM ALSO EXISTS
NO XREFS FROM NATIVE CODE TO DGA strings
TODO – time to make an IDA PRO processor module