reverse engineering with hardware debuggers
DESCRIPTION
Reverse Engineering with Hardware Debuggers. 11 Mar 10. JASON RABER and JASON CHEATHAM ATSPI Assessment Science Team RYTA Air Force Research Laboratory. Public release authorization 88 ABW-10-1497. Outline. Architecture Breakpoints Macros Hypervisors. The Hard Way. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/1.jpg)
Reverse Engineeringwith Hardware Debuggers
JASON RABER and JASON CHEATHAMATSPI Assessment Science Team
RYTAAir Force Research Laboratory
11 Mar 10
Public release authorization 88 ABW-10-1497
![Page 2: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/2.jpg)
2
Outline
• Architecture• Breakpoints• Macros• Hypervisors
![Page 3: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/3.jpg)
3
Socket
The Hard Way
Hardware debugger / in-target probe (ITP) / in-circuit emulator (ICE)
CPU
![Page 4: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/4.jpg)
4
Friends with Benefits
• Hardware debuggers can see almost everything
• They live outside the OS, so even kernel mode rootkits can’t hide
• Rewriting firmware
• They’re OS independent– Just needs a compatible x86 processor
![Page 5: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/5.jpg)
5
The Softer Side
![Page 6: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/6.jpg)
6
Outline
• Architecture• Breakpoints• Macros• Hypervisors
![Page 7: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/7.jpg)
7
Ways to Break Things
• Hardware Breakpoints– DR registers
• Software Breakpoints– ICEBP (0xF1) instruction + DR7 bit 12
• Infinite loops– Steal a couple bytes and replace with 0xEBFE
![Page 8: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/8.jpg)
8
Infinite Breakpoints
• EB FE is a jump to the same address (jmp $)– Inject the infinite loop (0xEBFE) into the application or
driver– Halt the CPU when the system freezes, and there you
are
• They’re very easy to use with an ICE– No worries about freezing the system– Don’t have to deal with virtual memory
• Checksums can detect these, so place them carefully
![Page 9: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/9.jpg)
9
Outline
• Architecture• Breakpoints• Macros• Hypervisors
![Page 10: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/10.jpg)
10
define proc pcrange(startaddr, endaddr)
define ord4 startaddr define ord4 endaddr{ while (1) { if (EIP >= startaddr && EIP <= endaddr) { break } else { step 4 } }}
More Power…
• Macros can make an emulator very powerful– Implement complex or repetitive
tasks– Detailed control of ICE
• SourcePoint uses a C like scripting language– Variables, functions, control
flow– Types have well-defined widths
• ord1, int4, real8, …
– Control statements for ICE
![Page 11: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/11.jpg)
11
Range Breakpoint
![Page 12: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/12.jpg)
12
Run Traceflist (“tracelog.txt”, 1)
define ord4 lasteip = EIP
softremove
while (1) {
if (EIP >= 0xC0000000 && lasteip < 0xC0000000) {
softbreak = location=lasteip+2
softbreak = location=lasteip+3
softbreak = location=lasteip+4
softbreak = location=lasteip+5
softbreak = location=lasteip+6
lasteip = EIP
go
}
if (EIP != endaddr) {
asm eip
printf("eax: “); eval eax virtual
printf("ebx: “); eval ebx virtual
printf("ecx: "); eval ecx virtual
printf("edx: "); eval edx virtual
printf("esi: "); eval esi virtual
printf("edi: "); eval edi virtual
printf("esp: "); eval esp virtual
lasteip = EIP
step
} else {
nolog
stop
}
}
![Page 13: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/13.jpg)
13
From the Outside In
• Emulator access is pretty raw, so we wrote some simple forensic macros– list_procs()– get_ssdt()– get_syscall_addr(name)– hook_syscall(name)– list_mods()
![Page 14: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/14.jpg)
14
get_syscall_addr
define proc pointer get_syscall_addr(syscall_name) define nstring syscall_name{ if (syscall_name == "NtCreateProcessEx") { return ssdt_index_to_addr(0x30, 0) } else if (syscall_name == "NtCreateSection") { return ssdt_index_to_addr(0x32, 0) } else { printf("Unknown system call\n"); return 0 }}
define proc pointer ssdt_index_to_addr(index, table) define ord4 index{ define pointer ssdt = get_ssdt() define pointer service_table_base = ord4 ssdt return ssdt_service(service_table_base, index)}
define proc pointer get_ssdt(){ define pointer gdi_addr = find_gdi_proc() define pointer tlh_flink = proc_thread_list_head(gdi_addr) define pointer thread_list_head = flink_to_thread_addr(tlh_flink) define pointer ssdt = thread_ssdt(thread_list_head) return ssdt}
define proc pointer find_gdi_proc() { define pointer PsActiveProcessHead = get_head_proc()
define pointer first_proc = flink_to_proc_addr(PsActiveProcessHead)
define pointer current_flink = next_proc_flink(first_proc) define pointer current_proc = flink_to_proc_addr(current_flink)
while (current_flink != PsActiveProcessHead) { define ord1 type = proc_type(current_proc) if (type != 0x03) { printf("Non-process type: %x\n", type); break; }
define ord4 w32proc = proc_win32process(current_proc)
if (w32proc != 0x0) return current_proc
current_flink = next_proc_flink(current_proc) current_proc = flink_to_proc_addr(current_flink) }}
![Page 15: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/15.jpg)
15
Outline
• Architecture• Breakpoints• Macros• Hypervisors
![Page 16: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/16.jpg)
16
Blue…Something
• ICE runs below hypervisors
• You can go far with a few simple macros– vmx_is_enabled– vmx_goto_resume– vmx_guest_eip– vmx_exit_reason
![Page 17: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/17.jpg)
17
Down We Go…
![Page 18: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/18.jpg)
18
Nobody’s Perfect
• You can’t single step or trace across the ring -1/0 boundary
• Finding the hypervisor is tricky
• Newer VM instructions can cause problems
![Page 19: Reverse Engineering with Hardware Debuggers](https://reader036.vdocuments.net/reader036/viewer/2022062323/56815b1f550346895dc8d424/html5/thumbnails/19.jpg)
19
Summary
The Debuginator