Reverse Engineering. Kwonyoup Kim. Digital Forensic Research Center Korea University

Size: px

Start display at page:

Download "Reverse Engineering. Kwonyoup Kim. Digital Forensic Research Center Korea University"

Roger Armstrong
5 years ago
Views:

Reverse Engineering Kwonyoup Kim kkyoup@gmail.

1 Reverse Engineering Kwonyoup Kim Digital Forensic Research Center Korea University

2 Software Reversing - Day 1: Background -

3 Day 1 Background From source to x86 Execution 3/110

4 Day 1 Background From source to x86 Execution 4/110

5 Day 1 Background From source to x86 Execution Registers 32-bit General-Purpose Registers EAX EBX ECX EDX EBP ESP ESI EDI EFLAGS 16-bit Segment Registers CS ES EIP SS DS FS GS 5/110

6 Day 1 Background From source to x86 Execution 6/110

7 Day 1 Background From source to x86 Execution 7/110

8 Day 1 Background From source to x86 Execution EFLAGS Register Bit Flag Description 0 CF Carry flag Carry flag 2 PF Parity flag Jump if (unsigned) above or equal 4 AF Adjust flag Carry of BCD numbers arithmetic operations 6 ZF Zero flag Set if the result of an operation is Zero (0) 7 SF Sign flag Set if the result of an operation is negative 8 TF Trap flag Set if step by step debugging 9 IF Interruption flag Set if interrupts are enabled 10 DF Direction flag 11 OF Overflow flag If set, string operations will decrement their point rather than incrementing it, reading memory backwards Set if signed arithmetic operations result in value too large for the register to contain 12,13 IOPL I/O Privilege field I/O Privilege level of the current process 14 NT Nested Task flag Set if the current process is linked to the next process 16 RF Resume flag Response to debug exceptions 17 VM Virtual-8086 Mode Set if in 8086 compatibility mode 18 AC Alignment Check Set if alignment checking in of memory references are done 19 VIF Virtual Interrupt flag 20 VIP Virtual Interrupt Pending flag Set if an interrupt is pending 21 ID Identification flag Support for CPUID instruction if can be set 8/110

9 Day 1 Background From source to x86 Execution 16-bit Segment Registers CS (Code Segment) SS (Stack Segment) DS (Data Segment) ES (Extra Segment) FS (Data Segment) SEH (Structured Exception Handling) TEB (Thread Environment Block) PEB (Process Environment Block) GS (Data Segment) 9/110

10 Day 1 Background From source to x86 Execution Caller-saved vs. Callee-saved Registers Platform Caller-Saved Registers (Volatile) Callee-saved Registers (Non-volatile) 16-bit Dos, Windows AX, BX, CX, DX, ES ST(0)~ST(7) SI, DI, BP, DS 32-bit Windows 64-bit Windows EAX, ECX, EDX, ST(0)~ST(7), XMM0~XMM7 RAX, RCX, RDX, R8~R11, ST(0)~ST(7), XMM0~XMM5, High half of XMM6~XMM15 EBX, ESI, EDI, EBP RBX, RSI,RDI, RBP, R12~R15, XMM6~XMM15 10/110

11 Day 1 Background From source to x86 Execution Other Registers FPU (Floating Pointer Unit) Registers MMX (Matrix Math extension) Registers 3DNow! Registers Control Registers Debug Registers (Hardware Breakpoints) DR0 ~ DR3 : Address DR4 ~ DR5 : Non-used DR6 : Debug state DR7 : Debug control 11/110

12 Day 1 Background From source to x86 Execution Control Registers CR0 : Enable paging, Monitor stack, Select protection mode CR1 : Reserved CR2 : Save page fault linear address CR3: PDBR (Page-Directory Base Register) CR4 : Extensible flags 12/110

13 Day 1 Background From source to x86 Execution Understanding Stack Definition The stack is an abstract data structure supported by a combination of hardware and software features. Stack operations are Last In First Out (LIFO) The PUSH instruction places a 32-bit value on the stack. The POP instruction removes a 32-bit value on the stack. The stack is used to pass parameters to functions The stack is used to maintain call chain state The Call instruction places a 32-bit value on the stack. In Windows, the stack is used to store the SEH (Structured Exception Handling) chain 13/110

14 Day 1 Background From source to x86 Execution Understanding Stack (1/21) 14/110

15 Day 1 Background From source to x86 Execution Understanding Stack (2/21) 15/110

16 Day 1 Background From source to x86 Execution Understanding Stack (3/21) 16/110

17 Day 1 Background From source to x86 Execution Understanding Stack (4/21) 17/110

18 Day 1 Background From source to x86 Execution Understanding Stack (5/21) 18/110

19 Day 1 Background From source to x86 Execution Understanding Stack (6/21) 19/110

20 Day 1 Background From source to x86 Execution Understanding Stack (7/21) push %next_address 20/110

21 Day 1 Background From source to x86 Execution Understanding Stack (8/21) 21/110

22 Day 1 Background From source to x86 Execution Understanding Stack (9/21) 22/110

23 Day 1 Background From source to x86 Execution Understanding Stack (10/21) 23/110

24 Day 1 Background From source to x86 Execution Understanding Stack (11/21) 24/110

25 Day 1 Background From source to x86 Execution Understanding Stack (12/21) 25/110

26 Day 1 Background From source to x86 Execution Understanding Stack (13/21) 26/110

27 Day 1 Background From source to x86 Execution Understanding Stack (14/21) 27/110

28 Day 1 Background From source to x86 Execution Understanding Stack (15/21) 28/110

29 Day 1 Background From source to x86 Execution Understanding Stack (16/21) 29/110

30 Day 1 Background From source to x86 Execution Understanding Stack (17/21) 30/110

31 Day 1 Background From source to x86 Execution Understanding Stack (18/21) 31/110

32 Day 1 Background From source to x86 Execution Understanding Stack (19/21) 32/110

33 Day 1 Background From source to x86 Execution Understanding Stack (20/21) 33/110

34 Day 1 Background From source to x86 Execution Understanding Stack (21/21) 34/110

35 Day 1 Background From source to x86 Execution Stack Frame Low address Stack int Func2(a, b) { return a*b; } Func2() int Func1(a, b) { return b + Func2(a, b); } main() {... int a, b, c; c = Func1(a, b);... } Func2() EBP Func1() EBP Func1() main() main() EBP High address 35/110

36 Day 1 Background From source to x86 Execution Calling Conventions (1/3) 32-bit Function calling conventions Calling convention Parameters in registers Parameter order on stack Stack cleanup by Comments cdecl X Right Left Caller default stdcall X Right Left Callee pascal X Left Right Callee fastcall (MS) fastcall (Gnu) fastcall (Borland) thiscall (MS) ecx, edx Right Left Callee ecx, edx Right Left Callee eax,edx, ecx Left Right Callee ecx Right Left Callee Return point on stack if not member function Default for member functions 36/110

37 Day 1 Background From source to x86 Execution Calling Conventions (2/3) cdecl #include stdio.h int add(int a, int b) { return (a + b); } int main(int argc, char* argv[]) { return add(1, 2); } add: PUSH EBP MOV EBP, ESP MOV EAX, DWORD PTR SS:[EBP+8] ADD EAX, DWORD PTR SS:[EBP+C] POP EBP RETN main: PUSH EBP MOV EBP, ESP PUSH 2 PUSH 1 CALL add ADD ESP, 8 POP EBP RETN?? 37/110

38 Day 1 Background From source to x86 Execution Calling Conventions (3/3) stdcall #include stdio.h int _stdcall add(int a, int b) { return (a + b); } int main(int argc, char* argv[]) { return add(1, 2); } add: PUSH EBP MOV EBP, ESP MOV EAX, DWORD PTR SS:[EBP+8] ADD EAX, DWORD PTR SS:[EBP+C] POP EBP RETN 8 main: PUSH EBP MOV EBP, ESP PUSH 2 PUSH 1 CALL add ADD ESP, 8 POP EBP RETN 38/110

39 Software Reversing - Day 1: Background (Assembly Patterns) -

40 Day 1 Background (Assembly Language) Intel vs. AT&T Style Intel AT&T Operator dest, src Operator src, dest mov eax, 1 movl $1, %eax Prefix mov ebx, 0ffh movl $0xff, %ebx int 80h int $0x80 Direction mov eax, [ecx] movl (%ecx),%eax Memory Operand mov eax, [ebx+3] movl 3(%ebx), %eax segreg:[base+index*scale+disp] %segreg:disp(base,index,scale) mov al, bl movb bl, al Suffix mov mov ax, bx eax, ebx movw movl bx, ax ebx, eax mov eax, dword ptr [ebx] movl (ebx), eax 40/110

41 Day 1 Background (Assembly Language) Instruction Format Operator vs. Operand Operator 1 Operand 2 Operand MOV EBP, ESP OP-code (Operation code) 41/110

42 Day 1 Background (Assembly Language) Instruction Format Addressing mode Instruction Prefixes Opcode Mod R/M SIB Displacement Immediate Addressing mode Conditions Immediate Register Displacement Base Register Base Register + Displacement Scale Index + Displacement Base + Index + Displacement Base + Scale + Displacement Constant value Register [Register + Displacement] [Register + Base] [Register + Base + Displacement] [Register + Index * Scale + Displacement] [Register + Base + Index + Displacement] [Register + Index * Scale + Base + Displacement] 42/110

43 Day 1 Background (Assembly Language) Memory Addressing Modes Register addressing Immediate addressing Direct addressing Register indirect addressing Base-Index addressing Base-Index with displacement addressing 43/110

44 Day 1 Background (Assembly Language) Memory Addressing Modes Register addressing Only using register Example INC MOV MOV AX CX, DX CH, CL Immediate addressing Using immediate value Example MOV MOV BL, 0x44 EAX, 0x72091BAC EBX EAX 0x12091E44 0x12091EF1 0x x72091BAC 44/110

45 Day 1 Background (Assembly Language) Memory Addressing Modes Direct addressing Using immediate address Example MOV AL, [0x12091EF4] EAX 0x ? 0x12091EF1 0x12091EF2 0x12091EF3 0x12091EF4 0x01 0x02 0x03 0x04 45/110

46 Day 1 Background (Assembly Language) Memory Addressing Modes Register indirect addressing Using address in register Example MOV AX, [EBX] EAX EBX 0x ? 0x12091EF3 0x12091EF1 0x12091EF2 0x12091EF3 0x12091EF4 0x01 0x02 0x03 0x04 46/110

47 Day 1 Background (Assembly Language) Memory Addressing Modes Based-Index addressing Simply combinations of the register indirect addressing mode Example MOV MOV AL, [ECX] AX, [ECX AL] EAX 0x EBX 0x12091EF0 ECX 0x12091FF4 0x12091EF0 0x12091EF1 0x12091EF2 0x12091EF3 0x12091EF4 0x00 0x01 0x02 0x03 0x x12091F56 0x12091F57 0x12091F58 0x12091F59 0x12091F5A 0x12091F5B 0x01 0x23 0x45 0x67 0x89 0xAB... 0x12091FF4 0x9B 47/110

48 Day 1 Background (Assembly Language) Memory Addressing Modes Based-Index with displacement addressing Using based-index addressing with 2 bytes immediate values Example MOV AL, [ECX 0x9B] EAX EBX ECX 0x x12091EF1 0x12091FF4 48/110 0x12091EF1 0x12091EF2 0x12091EF3 0x12091EF4 0x12091F56 0x12091F57 0x12091F58 0x12091F59 0x12091F5A 0x12091F5B 0x12091FF4 0x01 0x02 0x03 0x x01 0x23 0x45 0x67 0x89 0xAB... 0x9B

49 Day 1 Background (Assembly Language) Basic Instructions Arithmetic operation instructions INC, DEC, ADD, SUB, MUL, DIV Logical operation instructions AND, OR, XOR, NOT, NEG, SHL, SHR, Data move instructions MOV, LEA, XCHG, LDS Comparison operations instructions CMP, TEST Flow control instructions JMP, JZ, JNZ, JG, JL, JGE, 49/110

50 Day 1 Background (Assembly Language) Basic Instructions Data move instructions MOV (move) vs. LEA (Load effective address) Example EAX EBX ECX 0x x12091EF1 0x12091FF4 MOV EAX, EBX MOV EAX, [EBX] MOV AX, [EBX + 2] LEA EAX, EBX LEA EAX, [EBX] LEA EAX, [ECX + EBX] 0x12091EF1 0x12091EF2 0x12091EF3 0x12091EF4 0x12091F56 0x12091F57 0x12091F58 0x12091F59 0x12091F5A 0x12091F5B 0x12091FF4 0x01 0x02 0x03 0x x01 0x23 0x45 0x67 0x89 0xAB... 0x9B 50/110

51 Day 1 Background (Assembly Language) Basic Instructions Flow control instructions (1/2) Instruction Description Flag set JA Jump if (unsigned) above CF == 0 and ZF == 0 JAE Jump if (unsigned) above or equal CF == 0 JB Jump if (unsigned) below CF == 1 JBE Jump if (unsigned) below or equal CF == 1 or ZF == 1 JC Jump if carry flag set CF == 1 JCXZ Jump if CX is 0 CX == 0 JE Jump if equal ZF == 1 JECXZ Jump if ECX is 0 ECX == 0 JG Jump if (signed) greater ZF == 0 and SF == 0 JGE Jump if (signed) greater or equal SF == OF JL Jump if (signed) less SF!= OF JLE Jump if (signed) less or equal ZF == 1 and SF!= OF JNA Jump if (unsigned) not above CF == 1 or ZF == 1 JNAE Jump if (unsigned) not above or equal CF == 1 JNB Jump if (unsigned) not below CF == 0 JNBE Jump if (unsigned) not below or equal CF == 0 and ZF == 0 51/110

52 Day 1 Background (Assembly Language) Basic Instructions Flow control instructions (2/2) Instruction Description Flag set JNC Jump if carry flag not set CF == 0 JNE Jump if not equal ZF == 0 JNG Jump if (signed) not greater ZF == 1 or SF!= OF JNGE Jump if (signed) not greater or equal SF!= OF JNL Jump if (signed) not less SF == OF JNLE Jump if (signed) not less or equal ZF == 0 and SF == OF JNO Jump if overflow flag not set OF == 0 JNP Jump if parity flag not set PF == 0 JNS Jump if sign flag not set SF == 0 JNZ Jump if zero flag not set ZF == 0 JO Jump if overflow flag is set OF == 1 JP Jump if parity flag set PF == 1 JPE Jump if parity is equal PF == 1 JS Jump if sign flag is set SF == 1 JZ Jump if zero flag is set ZF == 1 52/110

53 Day 1 Background (Assembly Language) Basic Instructions Comparison Instructions CMP dest, src Modifies flags : AF, CF, OF, PF, SF, ZF dest src = result # not save result if (result == 0) ZF = 1 # equal if (result!= 0) ZF = 0 # not equal if (result < 0) CF = 1 # dest < src if (result > 0) CF = 0 # dest > src result ZF CF dest < src 0 1 dest > src 0 0 dest == src /110

54 Day 1 Background (Assembly Language) Basic Instructions Comparison Instructions TEST dest, src Modifies flags : CF, OF, PF, SF, ZF dest!= src bit pattern? dest == src true? false? dest & src = result # not save result if (result == 0) ZF = 1 # TRUE if (result!= 0) ZF = 0 # FALSE Example TURE? or FALSE? if (ZF == 1) exit FILE *fp; fp = fopen(path, r ); if (!fp) exit();... push eax; call fopen test eax, eax jz exit... 54/110

55 Day 1 Background (Assembly Language) EBP-Based Framing Traditional Recent OS DLLs push ebp mov ebp, esp sub esp, 0x100 mov edi, edi push ebp mov ebp, esp Optimized compiles may omit the frame pointer In which case, local variable are referenced from ESP mov edi, edi Effectively a 2-byte NOP Why didn t they just use NOP, NOP? Ref URL 55/110

56 Day 1 Background (Assembly Language) Return values Sample code push esi push edi push ecx call sub_ mov esi, eax add esp, 8 Value type Address type : Pointer, Array, Structure, 56/110

57 Day 1 Background (Assembly Language) Variable and Parameters of Procedure Local variable vs. Parameters, and Global variables [EBP + values] are typically arguments on the stack [EBP values] are typically local variables Really? Example C:\Reversing\Demos\Variable_Parameters_O2.exe C:\Reversing\Demos\Variable_Parameters_Od.exe C:\Reversing\Docs\Compiler Options in VS.pdf 57/110

58 Day 1 Background (Assembly Language) Variable and Parameters of Procedure Structure access Sample code push ebp mov ebp, esp mov eax, off_deadbeef push ebx mov ebx, [ebp + arg_0] push esi cmp ebx, [eax + 14h] push edi ja short loc_ cmp [eax + 8], ebx sbb esi, esi EAX is loaded from a global variable Also, [ ] is used with EAX, which means this global variable is a pointer 58/110

59 Day 1 Background (Assembly Language) Inline memcpy ( ) / strcpy ( ) Inline code memcpy ( ) / strcpy ( ) mov esi, source mov edi, [ebp-64] mov ebx, ecx shr ecx, 2 rep movsd mov ecx, ebx and ecx, 3 rep movsb rep movsd copies ECX dwords from ESI to EDI rep movsd copies the remainder of the bytes 59/110

60 Software Reversing - Day 1: Basic Analysis (PE Format) -

61 Day 1 Basic Analysis (PE File Format) PE (Portable Executable) History Microsoft based the PE file format on the Unix COFF file format As such it is sometimes referred to as PE / COFF Portable in PE means Supports both 32bit and 64bit Supports MIPS, DEC Alpha, PowerPC, and ARM File Extension EXE, DLL, OCX, SYS, LIB, 61/110

62 Day 1 Basic Analysis (PE File Format) PE (Portable Executable) PE Layout C:\Reversing\Docs\PE_Format_Layout.pdf 62/110

63 Day 1 Basic Analysis (PE File Format) PE (Portable Executable) Basic structure (notepad.exe) 63/110

64 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (1/30) DOS and NT Headers Overview Contain the very basic information to process PE files DOS stub This program cannot be run in DOS mode Contain the bulk of the information about the PE file Different set for headers will be present depending on the type of data the PE file represents 64/110

65 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (2/30) IMAGE_DOS_HEADER (size : 0x40) DOS reference : Mark Zbikowski ( 65/110

66 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (3/30) MyTiny_PE.exe DOS header & DOS stub DOS header e_magic : 0x00005A4D e_lfanew : 0x DOS stub ellipsis 66/110

67 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (4/30) PE (NT) headers : File header It s the first of the NT Headers and File Header follows immediately after the PE signature Contain some interesting fields Machine indicates the target architecture for this file NumberOfSections, the number of sections in the PE file. This value is needed when exploring the section headers TimeDataStamp is not of a critical importance, but some malware actually seems not to zero it so it might give some insight on the approximate release time but easily faked SizeofOptionalHeader is an important element. Provides the exact size of the Optional Header which is needed in order to properly parse the PE file 67/110

68 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (5/30) IMAGE_NT_HEADERS (size: 0xE0) 68/110

69 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (6/30) IMAGE_FILE_HEADER Machine Type 69/110

70 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (7/30) MyTiny_PE.exe NT Header (1/4) IMAGE_NT_HEADER signature : 0x IMAGE_FILE_HEADER Machine : 0x014C NumberOfSections : 0x0003 TimeDataStamp, PointerToSymbolTable, NumberOfSymbols : 0x00 SizeOfOptionalHeader : 0x00E0 Characteristics : 0x010F 70/110

71 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (8/30) PE (NT) headers : Optional header view (1/2) Magic : 0x10B AddressOfEntryPoint is where execution of the executable code will begin (it s possible for other code within the executable to gain control before the entry point) ImageBase. All relative address based on this one. It s also usually possible to find the PE header of the executable at this address in memory (unless it has been intentionally deleted) SectionAlignment is the alignment of the sections in memory FileAlignment is the alignment on disk 71/110

72 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (9/30) PE (NT) headers : Optional header view (2/2) Operating system related fields containing version specific information NumberofRvaAndSize is the number of directory entries in the following array. Depending on how many there are the size of the Option Header will vary, something that some tools sometimes forget (assuming a constant default size) RVA (Relative Virtual Address) DataDirectory is an array of structures pointing to additional information such as the Imports and Exports tables 72/110

73 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (10/30) IMAGE_OPTIONAL_HEADER32 (size : 0xE0) 73/110

74 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (11/30) MyTiny_PE.exe PE (NT) Header (1/2) DWORD Magic; 0x010B BYTE MajorLinkerVersion, MinorLinkerVersion; 0x00 DWORD SizeOfCode; 0x DWORD SizeOfInitialzedData, SizeOfUnintializedData; 0x DWORD AddressOfEntryPoint; 0x DWORD BaseOfCode; 0x DWORD BaseOfData; 0x DWORD ImageBase; 0x DWORD SectionAlignment; 0x DWORD FileAlignment; 0x WORD MajorOperatingSystemVersion ~ MinorSubsystemVersion; 0x0000 DWORD Win32VersionValue; 0x DWORD SizeOfImage; 0x DWORD SizeOfHeaders; 0x DWORD Checksum; 0x WORD Subsystem; 0x0002 WORD DllCharacteristics; 0x0000 DWORD SizeOfStackReserve, SizeOfHeapReserve; 0x DWORD SizeOfStackCommit, SizeOfHeapCommit; 0x DWORD LoaderFlags; 0x DWORD NumberOfRvaAndSizes; 0x /110

75 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (12/30) MyTiny_PE.exe PE (NT) Header (2/2) 75/110

76 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (13/30) IMAGE_DATA_DIRECTORY 0x00 IMAGE_DIRECTORY_ENTRY_EXPORT 0x01 IMAGE_DIRECTORY_ENTRY_IMPORT 0x02 IMAGE_DIRECTORY_ENTRY_RESOURCE 0x03 IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x04 IMAGE_DIRECTORY_ENTRY_SECURITY 0x05 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x06 IMAGE_DIRECTORY_ENTRY_DEBUG 0x07 IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x08 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x09 IMAGE_DIRECTORY_ENTRY_TLS 0x0A IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0B IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0C IMAGE_DIRECTORY_ENTRY_IAT 0x0D IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0E IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0F RESERVED 76/110

77 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (14/30) MyTiny_PE.exe PE (NT) Header IMAGE_DATA_DIRECTORY 8 bytes ⅹ 16 entry = 128 (0x80) bytes Fill with 0x00 77/110

78 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (15/30) Section Header view VirtualSize is the size of the section once loaded in memory (can be bigger than SizeofRawData, in that case it s zero padded) VirtualAddress is the address of the section in memory, relative to the ImageBase SizeofRawData is the size of the section on disk (can be bigger than VirtualSize due that it s size is rounded at a FileAlignment multiple) PointerToRawData is the offset within the file to contents to be loaded in memory (should be a multiple of VirtualSize) Characteristics contains flags with information such as whether the section can be executed, read, written into, etc 78/110

79 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (16/30) IMAGE_SECTION_HEADER (size : 0x28) 79/110

80 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (17/30) MyTiny_PE.exe Section Header (1/3) tinytext section BYTE Name[8]; tinytext DWORD VirtualSize; 0x DWORD VirtualAddress; 0x DWORD SizeOfRawData; 0x DWORD PointerToRawData; 0x DWORD Characteristics; 0x /110

81 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (18/30) MyTiny_PE.exe Section Header (2/3) tinydata section BYTE Name[8]; tinydata DWORD VirtualSize; 0x DWORD VirtualAddress; 0x DWORD SizeOfRawData; 0x DWORD PointerToRawData; 0x DWORD Characteristics; 0xC /110

82 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (19/30) MyTiny_PE.exe Section Header (3/3) tinyrdat section BYTE Name[8]; tinyrdat DWORD VirtualSize; 0x DWORD VirtualAddress; 0x DWORD SizeOfRawData; 0x DWORD PointerToRawData; 0x DWORD Characteristics; 0x /110

83 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (20/30) MyTiny_PE.exe tinytext section tinytext section 55 PUSH EBP 8B EC MOV EBP, ESP 6A 30 PUSH 0x30 // Style PUSH 0x // Caption PUSH 0x // Text 6A 00 PUSH 0x00 // hwnd E CALL 0x A // User32.MessageBox 8B E5 MOV ESP, EBP 5D POP EBP C3 RETN FF JMP DWORD PTR DS:[0x403030] 83/110

84 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (21/30) MyTiny_PE.exe tinydata section tinydata section 0x Reverse Engineering 0x My First PE!!! 84/110

85 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (22/30) Overview of the Import Address Table (IAT) The primary function of the Import Table is provide enough information to the loader the API function and other symbols needed by the executable It also provides us with a summary of the range of actions used by the executable Therefore hiding / obfuscating the IAT is a common technique in order to deprive analysts of a quick outlook The IAT can be rebuilt by different packers / obfuscators with varying degrees of complexity 85/110

86 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (23/30) Dynamic Linked Library (DLL) Not DLL in 16bit DOS Explicit linking declspec (dllimport) declspec (dllexport) Implicit linking LoadLibrary ( ) GetProcAddress ( ) FreeLibrary ( ) 86/110

87 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (24/30) IMAGE_IMPORT_DESCRIPTOR typedef struct _IMAGE_IMPORT_DESCRIPTOR { union { DWORD Characteristics; DWORD OriginalFirstThunk; }; // RVA to original unbound IAT (IMAGE_THUNK_DATA) DWORD TimeDataStamp; DWORD ForwarderChain; DWORD Name; // library name string address (RVA) DWORD FirstThunk; // IAT (Import Address Table) address (RVA) } IMAGE_IMPORT_DESCRIPTOR; typedef struct _IMAGE_THUNK_DATA { union { DWORD ForwarderString; DWORD Function; DWORD Ordinal; DWORD AddressOfData; }; // IMAGE_IMPORT_BY_NAME } IMAGE_THUNK_DATA; typedef struct _IMAGE_IMPORT_BY_NAME { WORD Hint; // ordinal BYTE Name[1]; // function name string } IMAGE_IMPORT_BY_NAME; 87/110

88 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (25/30) IMAGE_IMPORT_DESCRIPTOR Before binding After binding 88/110

89 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (26/30) Example (notepad.exe) (1/2) IMAGE_OPTIONAL_HEADER DataDirectory[1] VirtualAddress Where is import table on file (notepad.exe)? RVA (Relative Virtual Address) RAW (File Offset) RVA (0x7604) VOffset(0x1000) = RAW(?) ROffset(0x400) RAW = RVA(0x7604) VOffset(0x1000) + ROffset(0x400) RAW = 0x6A04 89/110

90 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (27/30) Example (notepad.exe) (2/2) Structure IMAGE_OPTIONAL_HEADER IMAGE_IMPORT_DESCRIPTOR RVA RAW OriginalFirstThunk (INT) 0x7990 0x6D90 TimeDataStamp 0xFFFF FFFF ForwarderChain 0xFFFF FFFF Name 0x7AAC 0x6EAC FirstThunk (IAT) 0x12C4 0x06C4 90/110

91 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (28/30) MyTiny_PE.exe IAT (Import Address Table) tinyrdat section RAW (0x600) = RVA (0x3000) VOffset (0x3000) + ROffset (0x600) In memory A B C D E F 0x x x x OriginalFirstChunk (0x ) FirstChunk (0x ) IAT (0x ) ILT (0x ) Name (0x ) 0x x u s e r 3 2. d l l M e s s a g e B o x A 91/110

92 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (29/30) MyTiny_PE.exe IMAGE_DATA_DIRECTORY IMAGE_DIRECTORY_IMPORT_ENTRY RVA 0x Size 0x /110

93 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (30/30) MyTiny_PE.exe 93/110

94 Software Reversing - Day 2: Basic Analysis (Packing/Unpacking) -

95 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Encoding of code in section Compressed, Encrypt, Inserting decode code in section Uncompressed, Decrypt, Modifying entry-point in optional header Addressing decode in section Modifying characteristics in section header Writable in section 95/110

96 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Encoding of code in section (1/2) XOR encoding (with 0x4E) 96/110

97 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Encoding of code in section (2/2) XOR encoding (with 0x4E) 97/110

98 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Inserting decode code in section XOR decoding (with 0x4E) 98/110

99 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Modifying entry-point in optional header (1/2) 99/110

100 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Modifying entry-point in optional header (2/2) Editor Tools LoadPE 100/110

101 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Modifying characteristics in section header 101/110

102 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking notepad.exe vs. notepad_upx.exe 102/110

103 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking notepad.exe vs. notepad_upx.exe on file offset 0x x x000000E0 0x000001D8 0x x notepad.exe DOS Header DOS Stub NT Header Section Header (.text) Section Header (.data) Section Header (.rsrc) notepad_upx.exe DOS Header DOS Stub NT Header Section Header (UPX0) Section Header (UPX1) Section Header (.rsrc) offset 0x x x000000E0 0x000001D8 0x x x x00007C00 0x NULL Section (.text) 0x7800 NULL Section (.data) 0x800 NULL Section (.rsrc) 0x8400 NULL Section (UPX0) 0x0000 Section Header (UPX1) 0x4600 NULL Section (.rsrc) 0x7200 NULL 0x x x00004A00 0x0000BC00 0x NULL 103/110

104 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking notepad.exe vs. notepad_upx.exe on memory address 0x x x010000E0 0x010001D8 0x x Memory DOS Header DOS Stub NT Header Section Header (.text) Section Header (.data) Section Header (.rsrc) notepad_upx.exe DOS Header DOS Stub NT Header Section Header (UPX0) Section Header (UPX1) Section Header (.rsrc) address 0x x x010000E0 0x010001D8 0x x x NULL NULL 0x Entry Point 0x D 0x x0100B000 0x Section (.text) 0x7748 NULL Section (.data) 0x1B48 NULL Section (.rsrc) 0x8314 NULL Section (UPX0) 0x10000 Section Header (UPX1) 0x4600 NULL Section (.rsrc) 0x7200 NULL 0x x x Entry Point 0x /110

105 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking Tracing of decompressed code 105/110

106 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking IAT Table Recovery kernel32 GetProcAddress() 106/110

107 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking Finding OEP (Original Entry-Point) in notepad_upx.exe Step-Over (F8) 107/110

108 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking Process Dump (plugin ollydump) OllyDump Disable 108/110

$Unpacking Recovery of IAT (C:\Reversing\Tools\ImportREC) 1 2 3 4$

109 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking Recovery of IAT (C:\Reversing\Tools\ImportREC) /110

110 Reverse Engineering kkyoup (A) gmail.com 110/110

Reverse Engineering III: PE Format

Reverse Engineering III: PE Format Gergely Erdélyi Senior Manager, Anti-malware Research Protecting the irreplaceable f-secure.com Introduction to PE PE stands for Portable Executable Microsoft introduced