[2012 CodeEngn Conference 07] 퍼다우크 - Manual UnPack by Debugger
Source: codeengn.com/file/conference/07/2012_7th_CodeEngn...
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.
Manual Unpack By Debugger
2012-12-01, A-FIRST, 고흥환 (Principal Researcher)
www.CodeEngn.com, 7th CodeEngn Reverse Engineering Conference
Contents
Packer
Debugger Detection
Virtual Machine Detection
Anti Tracing
Manual Unpack UPX
Manual Unpack Themida 1.9.X
Manual Unpack Themida 2.1.8.0
Name                Latest stable                     Software license   x86-64 support
.netshrink          2.3      (March 29, 2012)         Proprietary        Yes
Armadillo Packer    8.60     (July 6, 2011)           Proprietary        Yes
ASPack              2.29     (August 3, 2011)         Proprietary        ?
ASPR (ASProtect)    1.64     (September 1, 2011)      Proprietary        ?
BoxedApp Packer     2.2      (June 16, 2009)          Proprietary        Yes
CExe                1.0b     (July 20, 2001)          GPL                No
Enigma Protector    3.80     (August 2, 2012)         Proprietary        Yes
EXE Bundle          3.11     (January 7, 2011)        Proprietary        ?
EXE Stealth         4.14     (June 29, 2011)          Proprietary        ?
eXPressor           1.8.0.1  (January 14, 2010)       Proprietary        ?
MPRESS              2.19     (January 2, 2012)        Freeware           Yes
Obsidium            1.4.6    (July 18, 2012)          Proprietary        Yes
PELock              1.0.694  (January 23, 2012)       Proprietary        No
PESpin              1.33     (May 3, 2011)            Freeware           Yes
RLPack Basic        1.21     (October 31, 2008)       GPL                No
Smart Packer Pro    1.7      (November 5, 2011)       Proprietary        Yes
Themida             2.2.1.0  (July 25, 2012)          Proprietary        ?
UPX                 3.08     (December 12, 2011)      GPL                No
VMProtect           2.1      (September 26, 2011)     Proprietary        Yes
XComp/XPack         0.98     (February 18, 2007)      Freeware           No
Executable compression = Runtime Packer = Packer
Any means of compressing an executable file and combining the compressed data with decompression code into a single executable.
I. Encryption
II. Compression
III. Redirection
IV. Substitution
V. Obfuscation
VI. Polymorphism
VII. Metamorphism
VIII. Protection
IX. Virtualization
2011 AhnLab statistics over 10,000,000 files: packer / compiler distribution
Microsoft C     22.2%
Invalid         21.1%
Nothing         14.2%
Delphi           8.0%
UPX              7.8%
PolyCryptor      6.4%
Visual Basic     4.4%
Nullsoft         2.1%
Not a Valid PE   1.6%
ASPack           1.5%
Anti007          1.3%
PeCompact        1.3%
FSG              0.87%
ASM              0.69%
MPRESS           0.45%
ASProtect        0.40%
Themida          0.38%
SFX              0.38%
nSPack           0.31%
Upack            0.21%
VMProtector      0.13%
Armadillo        0.12%
etc              3.5%
Themida & UPX
Debugger Detection: PEB fields
BeingDebugged (PEB+0x2)
NtGlobalFlag (PEB+0x68)
ProcessHeap (PEB+0x18)
  Flags (ProcessHeap+0x0C)
  ForceFlags (ProcessHeap+0x10)
  (these two are the Windows XP x86 offsets; on Vista and later Flags/ForceFlags sit at +0x40/+0x44)
PEB_LDR_DATA (PEB+0x0C)

IsDebuggerPresent()
TEB (Thread Environment Block, fs:[0]) -> PEB (Process Environment Block, TEB+0x30) -> BeingDebugged
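As an added example (not from the slides), the C routine below evaluates the four PEB and heap indicators listed above against raw 32-bit PEB and _HEAP images. On a live x86 process `peb` would be the pointer at fs:[0x30] and `heap` the pointer at PEB+0x18; here both are constructed byte buffers so the check compiles and runs on any host. The heap offsets on the slide are Windows XP's, so the example also takes the Vista+ layout. The "debugged" sample values (NtGlobalFlag 0x70, heap Flags 0x50000062, ForceFlags 0x40000060) are the ones commonly observed when a user-mode debugger creates the process; they, the function names and the buffer sizes are assumptions of this example, not content of the talk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PEB offsets (x86), as on the slide */
#define PEB_BEING_DEBUGGED   0x02u   /* BYTE, what IsDebuggerPresent() returns */
#define PEB_PROCESS_HEAP     0x18u   /* _HEAP*; on a live process heap = *(uint8_t **)(peb + 0x18) */
#define PEB_NT_GLOBAL_FLAG   0x68u   /* ULONG */

/* _HEAP.Flags / ForceFlags moved between Windows versions (x86) */
#define HEAP_FLAGS_XP          0x0Cu
#define HEAP_FORCEFLAGS_XP     0x10u
#define HEAP_FLAGS_VISTA       0x40u
#define HEAP_FORCEFLAGS_VISTA  0x44u

/* NtGlobalFlag bits a debugger turns on when it creates the process (sum 0x70) */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define FLG_DEBUGGER_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

#define HEAP_GROWABLE 0x00000002u   /* the only Flags bit a normally started process heap has */

enum { DBG_BEING_DEBUGGED = 0x1, DBG_NT_GLOBAL_FLAG = 0x2, DBG_HEAP_FLAGS = 0x4, DBG_HEAP_FORCEFLAGS = 0x8 };

#define PEB_IMAGE_SIZE  0x100   /* assumed sizes for the constructed images */
#define HEAP_IMAGE_SIZE 0x60

static uint32_t rd32(const uint8_t *base, size_t off) { uint32_t v; memcpy(&v, base + off, sizeof v); return v; }
static void     wr32(uint8_t *base, size_t off, uint32_t v) { memcpy(base + off, &v, sizeof v); }

static void heap_offsets(int vista_or_later, size_t *flags_off, size_t *force_off)
{
    *flags_off = vista_or_later ? HEAP_FLAGS_VISTA : HEAP_FLAGS_XP;
    *force_off = vista_or_later ? HEAP_FORCEFLAGS_VISTA : HEAP_FORCEFLAGS_XP;
}

/* Returns a bitmask of DBG_* indicators found in the given PEB / _HEAP images. */
unsigned peb_debug_indicators(const uint8_t *peb, const uint8_t *heap, int vista_or_later)
{
    size_t flags_off, force_off;
    unsigned hits = 0;
    heap_offsets(vista_or_later, &flags_off, &force_off);

    if (peb[PEB_BEING_DEBUGGED])                              hits |= DBG_BEING_DEBUGGED;
    if (rd32(peb, PEB_NT_GLOBAL_FLAG) & FLG_DEBUGGER_MASK)    hits |= DBG_NT_GLOBAL_FLAG;
    if (rd32(heap, flags_off) & ~HEAP_GROWABLE)               hits |= DBG_HEAP_FLAGS;    /* extra checking bits */
    if (rd32(heap, force_off) != 0)                           hits |= DBG_HEAP_FORCEFLAGS; /* 0 without a debugger */
    return hits;
}

/* Constructed PEB and _HEAP images (not dumps of a real process). */
void build_sample_images(uint8_t *peb, uint8_t *heap, int debugged, int vista_or_later)
{
    size_t flags_off, force_off;
    heap_offsets(vista_or_later, &flags_off, &force_off);
    memset(peb, 0, PEB_IMAGE_SIZE);
    memset(heap, 0, HEAP_IMAGE_SIZE);
    wr32(heap, flags_off, HEAP_GROWABLE);               /* clean process heap */
    if (debugged) {                                     /* typical values under a user-mode debugger */
        peb[PEB_BEING_DEBUGGED] = 1;
        wr32(peb, PEB_NT_GLOBAL_FLAG, 0x70u);
        wr32(heap, flags_off, 0x50000062u);
        wr32(heap, force_off, 0x40000060u);
    }
}

unsigned sample_indicators(int debugged, int vista_or_later)
{
    uint8_t peb[PEB_IMAGE_SIZE], heap[HEAP_IMAGE_SIZE];
    build_sample_images(peb, heap, debugged, vista_or_later);
    return peb_debug_indicators(peb, heap, vista_or_later);
}

int main(void)
{
    uint8_t peb[PEB_IMAGE_SIZE], heap[HEAP_IMAGE_SIZE];
    printf("clean process         : 0x%X\n", sample_indicators(0, 0));
    printf("under debugger (XP)   : 0x%X\n", sample_indicators(1, 0));
    printf("under debugger (Vista): 0x%X\n", sample_indicators(1, 1));
    build_sample_images(peb, heap, 1, 0);
    peb[PEB_BEING_DEBUGGED] = 0;   /* the naive hide: only IsDebuggerPresent() is fooled */
    printf("BeingDebugged patched : 0x%X\n", peb_debug_indicators(peb, heap, 0));
    return 0;
}
```

The last case in main is the practical point: zeroing BeingDebugged defeats IsDebuggerPresent() but NtGlobalFlag and both heap fields still report the debugger, which is why hide-debugger plugins clear all four, and why a packer that reads the heap fields with the wrong OS layout misses them.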
CheckRemoteDebuggerPresent(hProcess, &bPresent)  (takes a process handle, not a PID; internally NtQueryInformationProcess(ProcessDebugPort))
Anti Tracing: timing checks
timeGetTime(), GetTickCount(), NtQueryPerformanceCounter(), RDTSC
Pattern: timeGetTime() -> Garbage Codes -> timeGetTime(); a delta far larger than the garbage code needs means the block was single-stepped or stopped at a breakpoint.
SEH (Structured Exception Handler): a chain of Exception Handler records on the Stack. The packer raises exceptions on purpose and resumes inside its own handler; a debugger that intercepts the exception first leaves the intended path.
CreateFileA on SoftICE device names (a handle comes back only when the driver is loaded)
"\\.\SICE"
"\\.\SIWVID"
"\\.\NTICE"

HANDLE WINAPI CreateFile(
    __in      LPCTSTR lpFileName,
    __in      DWORD dwDesiredAccess,
    __in      DWORD dwShareMode,
    __in_opt  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    __in      DWORD dwCreationDisposition,
    __in      DWORD dwFlagsAndAttributes,
    __in_opt  HANDLE hTemplateFile
);
FindWindow on monitoring-tool window classes and titles
"FilemonClass"
"File Monitor – Sysinternals: www.sysinternals.com"
"Filem"
"DeepFrz"
"PROCMON_WINDOW_CLASS"
"Process Monitor – Sysinternals: www.sysinternals.com"
"PROCEXP"
"RegmonClass"
"Registry Monitor – Sysinternals: www.sysinternals.com"
"18467-41"
"REGMON"
"regsys"
"sysregm"
"PROCMON"
NtQuerySystemInformation (SystemModuleInformation) to look for debugger drivers in the loaded-module list
"iceext.sys"
"ntice.sys"
"Syser.sys"
"HanOlly.sys"
"extrem.sys"
"FRDTSC.sys"

NTSTATUS WINAPI NtQuerySystemInformation(
    _In_       SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _Inout_    PVOID SystemInformation,
    _In_       ULONG SystemInformationLength,
    _Out_opt_  PULONG ReturnLength
);
SoftICE detection through NuMega DriverStudio
RegOpenKeyA "SOFTWARE\NuMega\DriverStudio"
RegQueryValueEx "InstallDir"
LoadLibraryA "~\SoftIce\NMTRANS.DLL"  (~ = InstallDir)
GetProcAddress "NmSymIsSoftICELoaded"
Call NmSymIsSoftICELoaded
DbgUiRemoteBreakin Patch  (ntdll!DbgUiRemoteBreakin is the thread entry a debugger injects when attaching; patching it makes the attach terminate or skip the break)
DbgBreakPoint Patch  (ntdll!DbgBreakPoint is the INT 3 that thread executes; patched to RET, the debugger never gets its initial break)
Virtual Machine Detection
I. Virtual Machine Artifacts in Processes, File System, and Registry
II. Virtual Machine Artifacts in Memory
III. Virtual Machine Specific Virtual Hardware
IV. Virtual Machine Specific Processor Instructions and Capabilities
(see "On the Cutting Edge: Thwarting Virtual Machine Detection", Liston & Skoudis)
RegOpenKeyA "Software\Wine"                (Wine)
RegOpenKeyA "HARDWARE\ACPI\DSDT\VBOX__"    (VirtualBox)

LONG WINAPI RegOpenKey(
    __in      HKEY hKey,
    __in_opt  LPCTSTR lpSubKey,
    __out     PHKEY phkResult
);
RegOpenKeyA "HARDWARE\DESCRIPTION\System"
RegQueryValueEx "SystemBiosVersion"  (the BIOS vendor string names the hypervisor)
VMware backdoor check: IN from port 0x5658 with EAX = "VMXh"

010603FB  B8 68584D56     MOV EAX,564D5868    ; magic number "VMXh"
01060400  B9 14000000     MOV ECX,14          ; backdoor command 0x14 (BDOOR_CMD_GETMEMSIZE)
01060405  66:BA 5856      MOV DX,5658         ; backdoor port "VX"
01060409  ED              IN EAX,DX           ; handled by the hypervisor inside VMware; on bare metal a privileged-instruction exception the code must catch

Same check with the constants split so neither the magic nor the port appears as an immediate:

0105F878  B9 0A000000     MOV ECX,0A          ; command 0x0A (BDOOR_CMD_GETVERSION)
0105F87D  B8 04D75548     MOV EAX,4855D704
0105F882  05 6481F70D     ADD EAX,0DF78164    ; EAX = 0x564D5868 = "VMXh"
0105F887  BB 65D48586     MOV EBX,8685D465    ; filler; VMware overwrites EBX with the magic
0105F88C  BA 40B63400     MOV EDX,34B640
0105F891  81EA E85F3400   SUB EDX,345FE8      ; EDX = 0x5658
0105F897  ED              IN EAX,DX           ; I/O command
0105F898  81FB 68584D56   CMP EBX,564D5868    ; magic in EBX only under VMware
0105F89E  75 0A           JNZ SHORT 0105F8AA  ; not VMware
Manual Unpack UPX

[Figure: UPX packed-file layout: IMAGE DOS HEADER, IMAGE NT HEADER, section headers .UPX0 / .UPX1 / .rsrc; UPX0 receives the Extracted Data, UPX1 holds the Packed Data and the Unpack Code with the EntryPoint, .rsrc holds the resource data and the IAT Table]

UPX stub flow:
EntryPoint
-> Initialize Decompress
-> Extracting (UPX1 -> UPX0)
-> E8 09 or E9 09 Address Correction (the Yes/No branch in the chart: only bytes matching the pattern are corrected)
-> Retrieves the API Address (rebuilds the imports)
-> JUMP OEP

UPX0 – destination of the Decompressed Data (SizeOfRawData 0 on disk) / UPX1 – Compressed Data plus the stub
Extracting Algorithm
…
E8 09 (CALL) / E9 09 (JMP) Address Correction
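As an added example (not UPX's own code), the C program below models the E8/E9 address correction step. In UPX-filtered code each CALL/JMP rel32 has its relative displacement replaced by the absolute target offset, stored big-endian with a marker byte in the top position, which is the E8 09 / E9 09 pattern the slide shows; after decompression the stub walks the code and turns each tagged instruction back into a normal little-endian displacement. The marker 0x09, the helper names and the 16-byte x86 sample are mine; real UPX filter variants differ in the exact bias and marker choice, the shape of the transform is the same.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CTO_MARKER 0x09u   /* marker byte, as seen in "E8 09 / E9 09" on the slide (assumed here) */

static uint32_t get_le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t get_be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]; }
static void put_le32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static int  is_e8e9(uint8_t b) { return b == 0xE8 || b == 0xE9; }

/* Packer side: relative displacement -> absolute target, big-endian, tagged with cto.
 * Returns the number of converted instructions, or -1 if an unconverted E8/E9 is
 * followed by the marker byte (the stub could not tell it apart; pick another marker). */
int e8e9_filter(uint8_t *code, size_t n, uint8_t cto)
{
    int converted = 0;
    for (size_t i = 0; i < n; ) {
        if (!is_e8e9(code[i])) { i++; continue; }
        if (i + 5 <= n) {
            int32_t rel = (int32_t)get_le32(code + i + 1);
            int64_t target = (int64_t)(i + 5) + rel;        /* next instruction + displacement */
            if (target >= 0 && target < 0x01000000) {        /* must leave the top byte for the marker */
                put_be32(code + i + 1, (uint32_t)cto << 24 | (uint32_t)target);
                converted++;
                i += 5;                                      /* never rescan the operand bytes */
                continue;
            }
        }
        if (i + 1 < n && code[i + 1] == cto) return -1;     /* ambiguous for the stub */
        i++;
    }
    return converted;
}

/* Stub side: what runs after decompression, before the import rebuild and JUMP OEP. */
int e8e9_unfilter(uint8_t *code, size_t n, uint8_t cto)
{
    int restored = 0;
    for (size_t i = 0; i < n; ) {
        if (is_e8e9(code[i]) && i + 5 <= n && code[i + 1] == cto) {
            uint32_t target = get_be32(code + i + 1) & 0x00FFFFFFu;
            int32_t rel = (int32_t)target - (int32_t)(i + 5);
            put_le32(code + i + 1, (uint32_t)rel);
            restored++;
            i += 5;
        } else {
            i++;
        }
    }
    return restored;
}

/* Constructed 16-byte x86 fragment (not from a real binary):
 *   0: E8 03 00 00 00   call +3   -> target 8
 *   5: 90 90 90         nop nop nop
 *   8: E9 F3 FF FF FF   jmp -13   -> target 0
 *  13: C3               ret
 *  14: E8 41            data bytes that happen to start with E8 */
static const uint8_t sample_code[16] = {
    0xE8,0x03,0x00,0x00,0x00, 0x90,0x90,0x90,
    0xE9,0xF3,0xFF,0xFF,0xFF, 0xC3, 0xE8,0x41 };

/* Filter then unfilter the sample; 1 when the filtered form shows E8 09 / E9 09 and the round trip is exact. */
int e8e9_selftest(void)
{
    uint8_t buf[sizeof sample_code];
    memcpy(buf, sample_code, sizeof buf);
    if (e8e9_filter(buf, sizeof buf, CTO_MARKER) != 2) return 0;
    if (buf[1] != CTO_MARKER || buf[4] != 0x08) return 0;    /* E8 09 00 00 08 */
    if (buf[9] != CTO_MARKER || buf[12] != 0x00) return 0;   /* E9 09 00 00 00 */
    if (buf[14] != 0xE8 || buf[15] != 0x41) return 0;        /* data left alone */
    if (e8e9_unfilter(buf, sizeof buf, CTO_MARKER) != 2) return 0;
    return memcmp(buf, sample_code, sizeof buf) == 0;
}

int main(void)
{
    uint8_t buf[sizeof sample_code];
    memcpy(buf, sample_code, sizeof buf);
    e8e9_filter(buf, sizeof buf, CTO_MARKER);
    printf("filtered :");
    for (size_t i = 0; i < sizeof buf; i++) printf(" %02X", buf[i]);
    printf("\nselftest : %s\n", e8e9_selftest() ? "ok" : "FAIL");
    return 0;
}
```

When you dump a UPX-packed process you must break after this pass (or run it yourself over the dump): a dump taken after decompression but before the correction still carries big-endian targets behind every E8 09 / E9 09 and will not disassemble or run.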
Themida?
Themida: Advanced Windows Software Protection System
WinLicense: Professional Software Protection & Licensing Management
Code Virtualizer: Total Obfuscation against Reverse Engineering
Version 1.9.X
[Figure: Themida 1.9.X packed-file layout as drawn on the slide: IMAGE DOS HEADER, IMAGE NT HEADER, section headers (.UPX0, .UPX1, .rsrc), .idata Section with the IAT Table, .rsrc Section, SFX, Packed Data, EntryPoint]
Subsystem Virtualization
VirtualAlloc, CreateFile, ReadFile "KERNEL32.DLL"
VirtualAlloc, CreateFile, ReadFile "USER32.DLL"
VirtualAlloc, CreateFile, ReadFile "ADVAPI32.DLL"
(the system DLL files are read from disk into memory Themida allocates itself)
Decode & Re-encode
Themida SFX (Self-Extracting Archive) Algorithm
1st Decoding & Processing
2nd Decoding & Processing
3rd Decoding & Processing
4th Decoding & Processing
…
n-th Decoding & Processing
…
Unpacking
Version 2.1.8.0
[Figure: Themida 2.1.8.0 packed-file layout as drawn on the slide: IMAGE DOS HEADER, IMAGE NT HEADER, section headers (.UPX0, .UPX1, .rsrc), .idata Section, .rsrc Section, Decode Code, Encoded SFX, Extracted SFX, Packed Data, EntryPoint]
… it is hard.
www.CodeEngn.com, 7th CodeEngn Reverse Engineering Conference