Slides and text of this online presentation
Slide 1
REVERSE-ENGINEERING METHODS FOR AN OBFUSCATED AND VIRTUALIZED APPLICATION
Viktor Alyushin (Алюшин Виктор)
Slide 2
APPLICATION PROTECTION METHODS
- Packing / encryption of the whole file
- Obfuscation of individual strings / machine code
- Code virtualization
- Detection of debuggers / emulators / sandboxes / virtual machines
Slide 3
DROPPER – STAGE 1
Slide 4
DROPPER – STAGE 1
https://upx.github.io/
upx -d packed.exe -o unpacked.exe
Slide 6
DROPPER – STAGE 2
OllyDbg + CmdBar / x64dbg / Immunity Debugger
- bp VirtualAlloc
- bp VirtualProtect
- bp VirtualFree
- bp WriteProcessMemory
Slide 12
DROPPER – STAGE 3
- data 0x00410e24 - relocs ?
- data 0x004718b4 - some strings archive
- data 0x00471c33 - hashed import table
Slide 13
DROPPER – STAGE 3 - ARCHIVE
Slide 14
UNPACKING ARCHIVE
6 files !!!
- BIOS IMAGE
- 16-bit shellcode (3x)
- Driver x32
- Driver x64
Slide 15
DRIVER
Search for hash1 and exe: search 16 bytes by hash functions
Slide 16
DRIVER – VIRTUAL CODE
Slide 17
STRINGS ENCRYPTED WITH 4-BYTE KEYS
For some encrypted strings, neither XREFs nor decryption keys could be found!
MAYBE they are decrypted from virtual code?
Slide 18
INTERPRETER CODE OBFUSCATED AND SPLIT INTO MANY CHUNKS
Slide 19
VIRTUAL INSTRUCTIONS
- 4-byte arguments XORed with 0x69B00B7A
- 2-byte arguments XORed with 0x13F1
- 1-byte arguments XORed with 0x57
Slide 20
SEARCHING FOR XREFS IN VIRTUAL CODE
- Writing a disassembler (processor) module for IDA – too long and complex
- XOR the string address with 0x69B00B7A, search for the result in the virtual code, then try the nearby XORed 4-byte blocks as decryption keys – easy profit
FINALLY DECRYPTED: C&C server address and PORT
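The shortcut from slides 17, 19 and 20 (find the XOR-encoded string address in the virtual code, then try the 4-byte blocks around it as string keys), written out as an added Python example. This is not code from the talk: the three XOR masks are the ones on the slides, but the virtual-code blob, its opcode bytes, the string address, the key, the plaintext and the assumption that strings are XORed with a repeating little-endian 4-byte key are all constructed for illustration.

```python
import struct

# XOR masks for virtual-instruction arguments, as given on slide 19.
ARG32_XOR = 0x69B00B7A
ARG16_XOR = 0x13F1
ARG8_XOR = 0x57
ARG_XOR = {4: ARG32_XOR, 2: ARG16_XOR, 1: ARG8_XOR}


def decode_arg(raw: int, size: int) -> int:
    """Undo the per-size XOR applied to a virtual-instruction argument."""
    return raw ^ ARG_XOR[size]


def xor_with_key(data: bytes, key: int) -> bytes:
    """String cipher ASSUMED for this example: repeating little-endian 4-byte XOR key."""
    k = struct.pack("<I", key)
    return bytes(b ^ k[i % 4] for i, b in enumerate(data))


def find_string_xrefs(vcode: bytes, string_addr: int) -> list:
    """Offsets in the virtual code where the XOR-encoded string address occurs.

    This is the slide-20 trick: instead of disassembling the VM, look for
    (address ^ ARG32_XOR) as a raw little-endian 4-byte pattern.
    """
    needle = struct.pack("<I", string_addr ^ ARG32_XOR)
    offsets, start = [], 0
    while (idx := vcode.find(needle, start)) >= 0:
        offsets.append(idx)
        start = idx + 1
    return offsets


def looks_like_string(plain: bytes) -> bool:
    """Accept printable ASCII, optionally NUL-terminated, at least 4 chars long."""
    body = plain.rstrip(b"\x00")
    return len(body) >= 4 and all(0x20 <= b < 0x7F for b in body)


def candidate_keys(vcode: bytes, xref_off: int, window: int = 16):
    """Yield (offset, key) for every 4-byte block within `window` bytes of the xref.

    Every byte offset is tried because the VM's instruction lengths are not
    assumed to be known; the printable-text check filters the wrong ones.
    """
    lo = max(0, xref_off - window)
    hi = min(len(vcode) - 4, xref_off + 4 + window)
    for off in range(lo, hi + 1):
        raw = struct.unpack_from("<I", vcode, off)[0]
        yield off, decode_arg(raw, 4)


def recover_string(vcode: bytes, encrypted: bytes, string_addr: int):
    """Try nearby decoded 4-byte blocks as keys; return (key, text) on the first hit."""
    for xref in find_string_xrefs(vcode, string_addr):
        for _, key in candidate_keys(vcode, xref):
            plain = xor_with_key(encrypted, key)
            if looks_like_string(plain):
                return key, plain.rstrip(b"\x00").decode("ascii")
    return None


# --- Constructed sample data (NOT from the analysed sample) ---------------
STRING_ADDR = 0x004718C4                  # hypothetical address of the encrypted string
STRING_KEY = 0xDEADBEEF                   # hypothetical 4-byte key
PLAINTEXT = b"192.0.2.10:4444\x00"        # documentation-range IP, made up for the example
ENCRYPTED = xor_with_key(PLAINTEXT, STRING_KEY)

# A made-up virtual-code blob: unknown filler instructions, then an opcode that
# takes the string pointer, then one that takes the key, then 2- and 1-byte args.
VCODE = (
    b"\x10\x22\x33\x44\x55"                                  # filler
    + b"\x1A" + struct.pack("<I", STRING_ADDR ^ ARG32_XOR)  # hypothetical "push ptr"
    + b"\x2B" + struct.pack("<I", STRING_KEY ^ ARG32_XOR)   # hypothetical "push key"
    + b"\x3C" + struct.pack("<H", 0x1234 ^ ARG16_XOR)       # 2-byte argument
    + b"\x4D" + struct.pack("<B", 0x05 ^ ARG8_XOR)          # 1-byte argument
    + b"\x66\x77\x88\x99"                                   # filler
)

if __name__ == "__main__":
    print("xrefs:", find_string_xrefs(VCODE, STRING_ADDR))
    print("recovered:", recover_string(VCODE, ENCRYPTED, STRING_ADDR))
```

On real samples the same loop runs over every encrypted string without a native XREF, with `window` widened until the decoder stops finding hits; a short key can produce a false positive on very short strings, which is why the printable-text check requires a minimum length.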
Slide 21
DGA ALGORITHM
- A DGA algorithm also SEEMS to exist
- NO XREFS FROM NATIVE CODE TO THE DGA strings
- TODO – time to write an IDA Pro processor module
Slide 22
Thanks! QUESTIONS?