Post on 06-Jan-2016
Reverse Engineering
Paul deGrandis

Applications
• Software Maintenance
• Source Code and Documentation Engineering
• Virus Analysis
Malware
• Virus
  • Needs a vector for propagation
• Worm
  • No vector needed
  • Can spread by network shares, email, security holes
Malware
• Trojan Horse
  • Performs unstated and undesirable functions
  • Spyware, adware, logic bombs, backdoors, rootkits
Anti-Virus
• Integrity Checking
• Static AV Scanners
• Dynamic AV Scanners
Anti-Virus
• Integrity Checking
  • Checksum comparison
• Static AV Scanners
  • Program properties (registry, system calls)
  • Malware byte sequence extraction
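The "byte sequence" idea behind static scanning is easiest to see in working code. The scanner below is an added example (not from the slides): it compiles a few hex signatures with `??` single-byte wildcards into byte regexes and reports every offset at which a signature occurs. The signature names, patterns and the sample buffer are constructed for illustration and do not correspond to any real malware family. Note in passing why signature selection is hard: a sequence as short as the `55 8B EC` function prologue occurs in almost every compiled program, so real signatures must be long enough, or anchored to enough context, to avoid false positives.

```python
# Added example (not from the slides): a minimal static scanner that looks for
# byte-sequence signatures in a file image. "??" is a single-byte wildcard.
# Both the signatures and the sample buffer are constructed for illustration;
# they are not patterns from any real malware family.
import re
from typing import Dict, List, Tuple

# Constructed signatures: name -> space-separated hex bytes, "??" = any byte.
SIGNATURES: Dict[str, str] = {
    "Demo.Dropper": "6A 00 68 ?? ?? 40 00 E8",
    "Demo.Beacon":  "55 8B EC 83 EC ?? 53 56 57",
}


def compile_signature(pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex pattern with ?? wildcards into a compiled bytes regex."""
    parts: List[bytes] = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")          # any single byte (DOTALL below)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, byte offset) for every signature hit, sorted by offset."""
    hits: List[Tuple[str, int]] = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample image: NOP filler, a Demo.Dropper sequence at offset 16,
# more filler, a Demo.Beacon sequence at offset 32, then int3 padding.
SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("6A00681A204000E8")
    + b"\x90" * 8
    + bytes.fromhex("558BEC83EC10535657")
    + b"\xCC" * 4
)
CLEAN = b"\x90" * 64

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{name} at offset 0x{off:x}")
```

Run it directly to see the two hits; `scan(CLEAN)` returns an empty list.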
Anti-Virus
• Dynamic AV Scanners
  • Intercepting system calls
  • Analyzing audit trails
  • Operation patterns
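To make "analyzing audit trails" and "operation patterns" concrete, here is an added example (not from the slides) of a small behavioural detector. It replays a trail of intercepted system calls and flags any process whose events match a suspicious ordered pattern, such as writing an executable, registering it under the Run key and then opening a network connection. The log format, the rules and the trail itself are constructed for this example; real monitors (Procmon, ETW, Sysmon) produce richer records, but the matching works the same way.

```python
# Added example (not from the slides): a tiny behavioural detector that replays
# an audit trail of intercepted system calls and flags processes whose sequence
# of operations matches a suspicious pattern. Log format, rules and trail are
# constructed for illustration.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed audit trail: "<seq> pid=<n> <operation> <argument>"
AUDIT_TRAIL = r"""
1 pid=1204 CreateFile C:\Users\lab\AppData\Roaming\svc.exe
2 pid=1204 WriteFile C:\Users\lab\AppData\Roaming\svc.exe
3 pid=1204 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc
4 pid=1204 Connect 198.51.100.7:6667
5 pid=3310 CreateFile C:\Users\lab\Documents\notes.txt
6 pid=3310 WriteFile C:\Users\lab\Documents\notes.txt
7 pid=3310 Connect 203.0.113.9:443
8 pid=1204 Connect 198.51.100.7:25
"""

# Each rule is an ordered list of (operation, argument regex) stages. A process
# matches when its events satisfy the stages in order; unrelated events may
# occur in between.
RULES: Dict[str, List[Tuple[str, str]]] = {
    # drop an executable, register it under the Run key, then phone home
    "drop-persist-beacon": [
        ("WriteFile",   r"\.(exe|dll|scr)$"),
        ("RegSetValue", r"\\CurrentVersion\\Run\\"),
        ("Connect",     r":\d+$"),
    ],
    # direct outbound SMTP from an arbitrary process (mass-mailer behaviour)
    "smtp-out": [
        ("Connect", r":25$"),
    ],
}

LINE_RX = re.compile(r"^(?P<seq>\d+) pid=(?P<pid>\d+) (?P<op>\S+) (?P<arg>.*)$")


def parse_trail(text: str) -> List[Tuple[int, int, str, str]]:
    """Parse log lines into (seq, pid, op, arg); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RX.match(line.strip())
        if m:
            events.append((int(m["seq"]), int(m["pid"]), m["op"], m["arg"]))
    return events


def match_patterns(events) -> Dict[int, List[Tuple[str, int]]]:
    """Return {pid: [(rule name, seq of the event that completed it), ...]}."""
    # progress[pid][rule] = index of the next stage still to be matched
    progress = defaultdict(lambda: {name: 0 for name in RULES})
    hits: Dict[int, List[Tuple[str, int]]] = defaultdict(list)
    for seq, pid, op, arg in events:
        for name, stages in RULES.items():
            i = progress[pid][name]
            if i >= len(stages):
                continue                      # rule already fired for this pid
            want_op, arg_rx = stages[i]
            if op == want_op and re.search(arg_rx, arg):
                progress[pid][name] = i + 1
                if i + 1 == len(stages):
                    hits[pid].append((name, seq))
    return dict(hits)


def analyze(text: str) -> Dict[int, List[Tuple[str, int]]]:
    return match_patterns(parse_trail(text))


if __name__ == "__main__":
    for pid, found in analyze(AUDIT_TRAIL).items():
        for rule, seq in found:
            print(f"pid {pid}: {rule} (completed at event {seq})")
```

Only pid 1204 fires: the text editor process (pid 3310) writes a file and connects out too, but not an executable and not to port 25, which is exactly the discrimination an operation-pattern rule buys over single-event alerts.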
Procedures For Analysis
• Restrict access
• Save only disassembled files
• Rename extensions (prevents accidental execution by double-click)
• Password-protect dangerous files and ZIPs
• NEVER SEND MALWARE
Tools
• VMware
  • Isolate and restore snapshots
• BinText
  • Extracts strings from binary files (code)
  • IRC commands, SMTP, registry keys
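BinText's job is simple enough to reproduce, and doing so shows why the tool finds IRC commands, SMTP verbs and registry keys in the first place. The following is an added example (not from the slides and not BinText's own code): it extracts printable ASCII and UTF-16LE runs from a byte buffer (Windows binaries often store registry paths and URLs as UTF-16, which a plain ASCII `strings` misses) and tags the ones that look like protocol commands, registry keys or URLs. The sample buffer is constructed for this example, not taken from a real binary.

```python
# Added example (not from the slides): a BinText-style string extractor that
# finds ASCII and UTF-16LE runs and tags the interesting-looking ones.
# The sample buffer is constructed for illustration.
import re
from typing import List, Tuple

MIN_LEN = 5
ASCII_RX = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RX = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# (tag, regex) pairs checked in order; first match wins.
CLASSIFIERS = [
    ("registry", re.compile(r"^(HKLM|HKCU|HKCR|HKEY_[A-Z_]+)\\", re.I)),
    ("irc",      re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b")),
    ("smtp",     re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA)\b", re.I)),
    ("url",      re.compile(r"^https?://", re.I)),
]


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of >= MIN_LEN chars."""
    found = []
    for m in ASCII_RX.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RX.finditer(data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(text: str) -> str:
    for tag, rx in CLASSIFIERS:
        if rx.search(text):
            return tag
    return "other"


def interesting_strings(data: bytes) -> List[Tuple[str, str, str]]:
    """(tag, encoding, text) for the strings that matched a classifier."""
    out = []
    for _off, enc, text in extract_strings(data):
        tag = classify(text)
        if tag != "other":
            out.append((tag, enc, text))
    return out


# Constructed sample: a fake header, then a mix of ASCII and UTF-16LE strings
# of the kinds BinText would surface from a bot or mass-mailer.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"NICK lab-bot-1\r\n\x00"
    + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + b"RCPT TO:<victim@example.invalid>\x00"
    + b"ab\x00"                                    # too short to report
    + b"http://c2.example.invalid/gate.php\x00"
    + b"CloseHandle\x00"                           # ordinary import name, tagged "other"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:06x} {enc:5} {classify(text):8} {text}")
```

The registry key is only found because of the UTF-16 pass; an ASCII-only extractor would show nothing but isolated letters at that offset.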
Tools
• IDA Pro
  • Disassembles executables into assembly
Tools
• UPX Decompression
  • Executable packer
  • To unpack: upx.exe -d -o dest.exe source.exe
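Before running `upx -d` it helps to confirm that the sample is actually UPX-packed, and the PE section table is where to look. The code below is an added example (not from the slides and not part of UPX): a small PE section-table parser plus the usual tells for UPX, namely `UPX0`/`UPX1` section names, a first section with zero raw size but a large virtual size (the area the stub unpacks into), and the `UPX!` marker string. The two PE images it inspects are assembled inline for the example; they contain no code and cannot run.

```python
# Added example (not from the slides): parse a PE section table and apply the
# usual UPX tells. The fake PE images are constructed inline for illustration.
import struct
from typing import Dict, List, Tuple

Section = Tuple[str, int, int]          # (name, VirtualSize, SizeOfRawData)


def pe_sections(data: bytes) -> List[Section]:
    """Parse the section table of a PE image; the optional-header size is read, not assumed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # COFF file header is 20 bytes
    sections: List[Section] = []
    for i in range(num_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections


def assess_upx(data: bytes) -> Dict[str, object]:
    """Report the individual UPX indicators and an overall verdict."""
    secs = pe_sections(data)
    names = [s[0] for s in secs]
    upx_names = any(n.upper().startswith("UPX") for n in names)
    hollow_first = bool(secs) and secs[0][2] == 0 and secs[0][1] > 0
    marker = b"UPX!" in data
    return {
        "sections": names,
        "upx_section_names": upx_names,
        "empty_first_section": hollow_first,
        "upx_marker": marker,
        "likely_packed": upx_names or marker or hollow_first,
    }


def build_fake_pe(sections: List[Section], trailer: bytes = b"") -> bytes:
    """Assemble a minimal, non-runnable PE: DOS stub, COFF header, section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    # Machine=i386, NumberOfSections, stamp/symbols=0, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000 * (i + 1),
                    rsize, 0, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rsize) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + table + trailer


# Constructed images: one that mimics a UPX-packed layout, one that does not.
PACKED = build_fake_pe([("UPX0", 0x8000, 0), ("UPX1", 0x3000, 0x2E00), (".rsrc", 0x400, 0x400)],
                       trailer=b"\x00" * 16 + b"UPX!" + b"\x00" * 16)
CLEAN = build_fake_pe([(".text", 0x2000, 0x2000), (".data", 0x800, 0x400)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("clean", CLEAN)):
        print(label, assess_upx(img))
```

Section names are only a hint: a sample packed with a modified UPX, or a different packer, may rename them, which is why the empty-first-section check and the marker are reported separately rather than collapsed into the name test.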
Tools
• SysInternals.com
  • FileMon - monitors file access
  • RegMon - monitors registry access
Tools
• RegShot
  • Records modifications to the registry, but not reads
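RegShot and the integrity checking described under Anti-Virus are the same operation applied to different data: take a snapshot before, take one after, and diff them. For integrity checking the snapshot is path → checksum; for RegShot it is key → value. The helper below is an added example (not from the slides and not RegShot's code) that performs that comparison once for both cases and reports added, removed and changed entries. The before/after data are constructed inline; a real tool would walk the filesystem or the registry hives instead. The approach also explains the slide's caveat: a snapshot diff can only ever show writes, so registry reads still need a live monitor such as RegMon.

```python
# Added example (not from the slides): a snapshot diff that serves both
# checksum-based integrity checking and RegShot-style registry comparison.
# All before/after data are constructed for illustration.
import hashlib
from typing import Any, Dict, Mapping, NamedTuple, Tuple


class SnapshotDiff(NamedTuple):
    added: Dict[str, Any]
    removed: Dict[str, Any]
    changed: Dict[str, Tuple[Any, Any]]   # key -> (before, after)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def diff_snapshots(before: Mapping[str, Any], after: Mapping[str, Any]) -> SnapshotDiff:
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return SnapshotDiff(added, removed, changed)


def checksum_snapshot(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Integrity baseline: path -> SHA-256 of content (stand-in for hashing files on disk)."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


# Constructed file contents before and after running a sample.
FILES_BEFORE = {
    r"C:\Windows\notepad.exe": b"NOTEPAD-V1",
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n",
}
FILES_AFTER = {
    r"C:\Windows\notepad.exe": b"NOTEPAD-V1",
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n127.0.0.1 av-update.example.invalid\n",
    r"C:\Users\lab\AppData\Roaming\svc.exe": b"MZ...",
}

# Constructed registry snapshots. Only writes can show up here; reads never do.
REG_BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\lab\OneDrive.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start": 2,
}
REG_AFTER = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\lab\OneDrive.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc": r"C:\Users\lab\AppData\Roaming\svc.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start": 4,   # service start type changed
}


def file_changes() -> SnapshotDiff:
    return diff_snapshots(checksum_snapshot(FILES_BEFORE), checksum_snapshot(FILES_AFTER))


def registry_changes() -> SnapshotDiff:
    return diff_snapshots(REG_BEFORE, REG_AFTER)


if __name__ == "__main__":
    for label, d in (("files", file_changes()), ("registry", registry_changes())):
        print(label, "added:", sorted(d.added), "removed:", sorted(d.removed),
              "changed:", sorted(d.changed))
```

Hashing rather than comparing raw contents is what makes the file side practical: the baseline can be stored and shipped without the files themselves, and the comparison cost does not depend on file size at check time.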
Tools
• ProcDump
  • Dumps a process's code from memory
  • Useful in detecting and analyzing polymorphic viruses
Tools
• OllyDbg
  • Attaches to a process
  • Can actively manipulate memory and registers during operation
  • Swiss Army Knife
Tools
• Network Activity
  • TCPView - displays open network ports
  • TDIMon - monitors network activity
  • Ethereal/Wireshark - packet sniffer
  • Snort - IDS / packet sniffer
  • netcat - network Swiss Army Knife
Tools
• SysInternals.com
  • TCPView - TCP and UDP endpoints and processes
  • TDIMon - logs all network activity, but not packet contents
Tools
• Wireshark (formerly Ethereal)
  • Captures and displays all packet contents
  • One of your best friends
Tools
• Netcat - reads and writes across data connections using TCP/IP
  • Great for probing, listening, debugging, or exploring unknown network behavior
  • The other one of your best friends
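The "listening" use of netcat in a malware lab is to stand in for whatever server a sample tries to reach and log what it sends. The following is an added example (not from the slides and not netcat) that does the same job in Python: a throwaway listener that accepts a connection, optionally sends a fake service banner so the sample believes it reached, say, a mail server, and records the peer address and every byte received. `demo_capture()` plays both sides over loopback with a constructed client so the module runs offline; the banner text and the `HELO` line are invented for the demonstration. This only sees traffic aimed at the listener, so it complements Wireshark rather than replacing it.

```python
# Added example (not from the slides): a netcat-style sinkhole listener that
# records what a connecting peer sends. The demo client, banner and payload
# are constructed for illustration.
import socket
import threading
from typing import Dict, List, Optional


class Sinkhole:
    """Accept connections on a loopback port and record what each peer sends."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"", timeout: float = 5.0) -> None:
        self.banner = banner
        self.timeout = timeout
        self.records: List[Dict[str, object]] = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 = let the OS pick a free one
        self.sock.listen(5)
        self.sock.settimeout(timeout)
        self.port: int = self.sock.getsockname()[1]

    def accept_one(self) -> Optional[Dict[str, object]]:
        """Handle a single connection; returns its record, or None if nobody connected."""
        try:
            conn, peer = self.sock.accept()
        except socket.timeout:
            return None
        with conn:
            conn.settimeout(self.timeout)
            if self.banner:
                conn.sendall(self.banner)     # pretend to be the expected service
            chunks: List[bytes] = []
            try:
                while True:
                    data = conn.recv(4096)
                    if not data:              # peer closed or shut down its write side
                        break
                    chunks.append(data)
            except socket.timeout:
                pass                          # keep whatever arrived before the stall
        record = {"peer": peer, "data": b"".join(chunks)}
        self.records.append(record)
        return record

    def close(self) -> None:
        self.sock.close()


def demo_capture():
    """Run a sinkhole and a constructed client over loopback; return (banner seen, records)."""
    hole = Sinkhole(banner=b"220 mail.example.invalid ESMTP\r\n")
    worker = threading.Thread(target=hole.accept_one, daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", hole.port), timeout=5.0) as client:
        greeting = client.recv(1024)
        client.sendall(b"HELO lab-host\r\n")
        client.shutdown(socket.SHUT_WR)       # signal EOF so the sinkhole's read loop ends
        worker.join(5.0)
    hole.close()
    return greeting, hole.records


if __name__ == "__main__":
    banner, records = demo_capture()
    print("banner:", banner)
    for r in records:
        print(r["peer"], r["data"])
```

In a real lab the listener runs on the analysis network's gateway with the sample's DNS pointed at it, which is the setting in which the netcat one-liner is normally used.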
The Assignment
• Beagle.J (and its cousin Beagle.K)
• Static analysis (BinText, IDA)
• Dynamic analysis
  • Host side (registry, processes, files)
  • Networking (ports, connections, traffic)
  • Propagation, backdoors