Methods of reverse engineering an obfuscated and virtualized application (presentation)

Slide 2

APPLICATION PROTECTION METHODS

Packing / encryption of the whole file
Obfuscation of individual strings / machine code
Code virtualization
Detection of debuggers / emulators / sandboxes / virtual machines
Slide 3

DROPPER – STAGE 1

Slide 4

DROPPER – STAGE 1

https://upx.github.io/
upx -d packed.exe_ -o unpacked.exe_

Slide 5

DROPPER – STAGE 2

Slide 6

DROPPER – STAGE 2

OllyDbg + Cmdbar / x64dbg / Immunity Debugger
bp VirtualAlloc
bp VirtualProtect
bp VirtualFree
bp WriteProcessMemory
Slide 7

DROPPER – STAGE 2

Slide 8

DROPPER – STAGE 3

Slide 9

DROPPER – STAGE 3

Slide 10

DROPPER – STAGE 3

Slide 11

DROPPER – STAGE 3

Slide 12

DROPPER – STAGE 3

data_0x00410e24 - relocs?
data_0x004718b4 - some strings + archive
data_0x00471c33 - hashed import table
Slide 13

DROPPER – STAGE 3 - ARCHIVE

Slide 14

UNPACKING ARCHIVE

6 files!!!
BIOS IMAGE
16-bit shellcode (3x)
Driver x32
Driver x64

Slide 15

DRIVER

Search for the hash1 and exe_search_16bytes_by_hash functions

Slide 16

DRIVER – VIRTUAL CODE

Slide 17

STRINGS ENCRYPTED WITH 4-BYTE KEYS

For some encrypted strings, no XREFs and no decryption keys could be found!
MAYBE they are decrypted from virtual code?
Slide 18

INTERPRETER CODE OBFUSCATED AND SPLIT INTO MANY CHUNKS

Slide 19

VIRTUAL INSTRUCTIONS

4-byte arguments XORed with 0x69B00B7A
2-byte arguments XORed with 0x13F1
1-byte arguments XORed with 0x57
Slide 20

SEARCHING FOR XREFS IN VIRTUAL CODE

Preparing a disassembler module for IDA – too long and complex
XOR the string address with 0x69B00B7A, search for the result in the virtual code, and try nearby XORed 4-byte blocks as decryption keys => easy profit
FINALLY DECRYPTED the CC server address and PORT
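The xref trick from this slide as an added Python example (not code from the presentation): the string address is masked with the 4-byte argument XOR constant from slide 19, located in the virtual code, and the 4-byte arguments around the hit are unmasked and tried as keys. It assumes the strings use a repeating 4-byte XOR cipher and that the key is pushed as a 4-byte virtual argument near the address; the address, key, plaintext and virtual-code bytes are constructed for the example.

```python
import string
import struct
from typing import Optional

ARG4_XOR = 0x69B00B7A                    # mask on 4-byte virtual-instruction arguments (slide 19)
MASK_BYTES = struct.pack("<I", ARG4_XOR)
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def find_xrefs(vcode: bytes, addr: int) -> list:
    """Offsets in the virtual code where `addr` appears masked with ARG4_XOR."""
    needle = struct.pack("<I", addr ^ ARG4_XOR)
    hits, pos = [], vcode.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = vcode.find(needle, pos + 1)
    return hits
def xor4(data: bytes, key: bytes) -> bytes:
    """Repeating 4-byte XOR: the cipher the strings are assumed to use."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))
def looks_like_string(data: bytes) -> bool:
    return len(data) >= 4 and all(b in PRINTABLE for b in data)

def recover_key(vcode: bytes, addr: int, enc: bytes, window: int = 16) -> Optional[bytes]:
    """Unmask every 4-byte block near an xref and keep the first that decrypts `enc` to text."""
    for hit in find_xrefs(vcode, addr):
        lo, hi = max(0, hit - window), min(len(vcode) - 4, hit + window)
        for off in range(lo, hi + 1):
            if off == hit:            # the address itself is not a key candidate
                continue
            key = bytes(b ^ m for b, m in zip(vcode[off:off + 4], MASK_BYTES))
            if looks_like_string(xor4(enc, key)):
                return key
    return None
# Constructed sample (not taken from the analysed malware): a string address, a key and a
# virtual-code fragment in which both are pushed as masked 4-byte arguments.
STRING_ADDR = 0x004718C0
KEY = b"\xde\xad\xbe\xef"
PLAINTEXT = b"cc.example.invalid:8443"
ENCRYPTED = xor4(PLAINTEXT, KEY)
SAMPLE_VCODE = (
    b"\x10" + struct.pack("<I", 0x11223344 ^ ARG4_XOR)             # unrelated argument
    + b"\x21" + struct.pack("<I", STRING_ADDR ^ ARG4_XOR)          # push string address
    + b"\x21" + bytes(k ^ m for k, m in zip(KEY, MASK_BYTES))      # push decryption key
    + b"\x30\x05\x00"                                              # 2-byte argument, not used here
)

if __name__ == "__main__":
    key = recover_key(SAMPLE_VCODE, STRING_ADDR, ENCRYPTED)
    print(find_xrefs(SAMPLE_VCODE, STRING_ADDR), key.hex(), xor4(ENCRYPTED, key))
```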
Slide 21

DGA ALGORITHM

SEEMS A DGA ALGORITHM ALSO EXISTS
NO XREFS FROM NATIVE CODE TO the DGA strings
TODO – time to write an IDA PRO processor module
File name: Методы-реверс-инжиниринга-обфусцированного-и-виртуализированного-приложения.pptx