Skip to content

Instantly share code, notes, and snippets.

@Brae

Brae/Reverse Engineering Techniques.md

Last active July 7, 2016 15:02
Show Gist options
  • Save Brae/5ce17bb0f6bb29bc3e696a4f7b64e205 to your computer and use it in GitHub Desktop.
Save Brae/5ce17bb0f6bb29bc3e696a4f7b64e205 to your computer and use it in GitHub Desktop.
Download ZIP
Summary of tools and approaches for RE purposes
Raw
Reverse Engineering Techniques.md

##Packers:

  • PEiD - Packer detection, runs on Windows (can't find a Linux version)
  • UPX - Common packer software

##Section Analysis:

  • PEView - Show info from the PE header
  • PE Explorer - Similar to PE View
  • Resource Hacker - Browser the .rsrc section
    • Icon section lists image shown when the executable is in a file listing
    • Menu section stores all menus that appear in various windows, suh as the File, Edit and View menus. This section contains the names of all the menus, as well as the text shown for each. The names should give you a good idea of their functionality.
    • Dialog section contains the program's dialog menus. Popups show what the user will see when running the executable. If we knew nothing else about the executable, we could identify it sinly by looking at this dialog menu.
    • String table section stores strings
    • Version Info section contains a version number and often the company name and a copyright statement

##Linking:

  • Dependency Walker - Scans Windows module and outputs a list of all dependencies required by the binary

##Function Suffixes:

  • W/A - Implies the function take a wide string or an ASCII string as input
  • Ex - Function which has had a new version which isn't backwards compatible. Can be chained if this has happened multiple times

##PE File Sections

  • .text - Contains the executable code
  • .rdata - Holds read-only data that is globally accessible within the program
  • .data - Stores global data acccessed throughout the program
  • .idata - Sometimes present and stores the import function information; if this section is not present, the export function information is stored in the .rdata section
  • .pdata - Present only in 64 bit executables and stores exception-handling information
  • .rsrc - Stores resources needed by the executable
  • .reloc - Contains information for relocation of library files

##Compiler Indicators:

  • Delphi - always uses a compile time of June 19th 1992

##Static Analysis on Linux:

  • objdump - tool for examining binary files. Also capable of basic disassembly to Assembly code.
    • -f : Shows file header
    • -x : Shows all headers
    • -p : Shows section headers
    • objdump -p [file] | grep "Time/Date" - returns the compile time from the header
  • strings - returns list of string values found within the file
    • Encoding will affect what is returned. This can be set with the '-e' option. The various types are:
      • 's' - 7 bit
      • 'S'- 8 bit
      • 'b' - 16 bit big-endian
      • 'l' - 16 bit little-endian
      • 'B' - 32 bit big-endian
      • 'L' - 32 bit little endian
    • To detect all strings a variety of these should be chained to find all possiblities

##Common DLL Imports:

  • Kernel32.dll - This is a very common DLL that contains core functionality, such as access and manipulation of memory, file, and hardware.
  • Advapi32.dll - This DLL provides access to advanced core Windows components such as the Service Manager and Registry
  • User32.dll - This DLL contains all the user-interface components, such as buttons, scroll bars, and components for controlling and reponding to user actions
  • Gdi32.dll - This DLL contains functions for displaying and manipulating graphics
  • Ntdll.dll - This DLL is the interface to the Windows kernel. Executables generally do not import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable imports this file, it means that the author intended to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.
  • WSock32.dll/Ws2_32.dll - These are networking DLLs. A program that accesses either of these most likely connects to a network or perfoms network related tasks.
  • Wininet.dll - This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP and NTP.
  • Shell32.dll - Helps to keep track of objects such as files and folders, as well as virtual objects like network printers, network shares etc. Does not handle accesses to and from these, but maintains structures to track and organise them to present a consistent interface to software.
  • Msvcrt.dll - Static library import for the native C Runtime Library startup.

##Dynamic Analysis Tools:

  • Procmon- Process monitor is an advanced monitoring tool for Windows. Provides a way to monitor registry, file system, network, process and thread activity. Shouldn't be used for network monitoring.
  • Filtering can be done within procmon to reduce the number of events displayed. This includes restricting to a single executable or specific system calls.
  • Process Explorer - Lists active processes, DLLs loaded by a process, various properties of a process and overall system information. Can also kill processes, log out users and launch/validate processes.
    • Verify allows the comparing of an image on disk to the Microsoft signature for the binary. Useful to check if malware has attached to a legitimate Microsoft program.
  • Regshot - Allows the capture and comparison of two snapshots of the registry to show up any changes made during the execution of a piece of malware.

##Spoofing a Network:

  • ApateDNS - Free tool from Mandiant. Captures DNS queries sent by a machine and redirects them to an IP address defined in te program. Can be used to mirror them back to the locahost or to another VM/host under the analyst's control.
  • Netcat - Used to pick up packets sent by malware. Good endpoint for the redirection from ApateDNS.
  • FakeNet - Fairly comprehensive set of functionality to redirect packets, spoof DNS, log traffic etc. Quite useful to trick malware into thinking it has network connectivity (presumably not likely to work against more advanced stuff though). It also stores it's own pcap files relating to traffic it handles. Edit: OK I've been using this for a while now and it's fucking boss, though it can make it tricky to set up traffic filters in capture files since everything shows as going from the locahost to the localhost. Difficult to filter out noise when a file is using a hard coded IP rather than a domain name. If it's using a domain though it's awesome.
  • INetSim - More established alternative to FakeNet. Linux based, and is capable of spoofing most protocols (FTP, SMTP, IRC, finger, TIME etc.). Best to run it on a remote host and use DNS redirection or other tricks to make the malware talk to this instead of the server it wants.
  • Microsoft Message Analyzer - Basically Microsoft's version of Wireshark, but it can pick up pretty much any kind of traffic (Network, Loopback interfaces, USB comms, OS events etc.). Useful for sorting stuff by PID or all sorts of other info.

##x86 Assembly:

  • lea destination source - Load Effective Address. Puts memory address into the destination rather than the contents of the address (like mov)
  • move destination source - Loads data into the destination. A source of [register] fetches the data from that address.
  • sub/add destination value - Subtracts/adds the value to/from the destination
  • inc/dec register - Increment/decrement the register by one
  • mul/div value - Multiple/divide the contents of the EAX register by the value defined
  • or/and/xor destination source - Perform logic operation on the values and store the result in destination
  • shl/shr register count - Shift left/right by the number of bits specified
  • ror/rol register count - Rotates the register left or right by the number of bits specified. Same as shl/shr except that bits which overflow are added to the opposite end of the value instead of being lost
  • push/pop/call/leave/enter/ret - Stack manipulation
  • repe cmpsb- Used to compare two data buffers. EDI and ESI must be set to the two buffer locations, and ECX must be set to the buffer length. The comparison wil continue until ECX = 0 or the buffers are not equal.
  • re stosb - Used to initialize all bytes of a buffer to a certain value. EDI will contain the buffer location, and AL must contain the initialization value. This instruction is often seen used with xor eax, eax.
  • rep movsb - Typically used to copy a buffer of bytes. ESI must be set to the source buffer address, EDI must be set to the destination buffer address, and ECX must contain the length to copy. Byte-by-byte copy will continue until ECX = 0
  • repne scasb - Used for searching a data buffer for a single byte. EDI must contain the address of the buffer, AL must contain the byte you are looking for, and ECX must be set to the buffer length. The comparison will continue until ECX = 0 or the byte is found.
  • and esp, 0xfffffff0 - Often used to align the stack pointer. Basically has the effect of rounding down to the nearest 16.

##Calling Conventions

  • cdecl -
    • Parameters are pushed onto the stack from right to left
    • Caller cleans up the stack when the function is complete
    • Return value is stored in EAX
  • stdcall -
    • Parameters pushed into the stack from left to right
    • Callee cleans up the stack when the function is complete
    • Return value is stored in EAX
    • Standard calling convention for the Windows API
  • fastcall -
    • First few arguments (normally 2) are passed in registers, most commonly EDX and ECX. Additional arguments passed from right to left
    • Calling function normally responsible for cleaning up the stack (if needed)
    • Often more efficient due to less use of the stack
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment