Intro. to static analysis
•
2 likes•979 views
This document provides an introduction to static analysis techniques for malware analysis. It begins with an overview of static analysis and the information that can be gleaned without executing code, such as file structure, binary code, related modules, and suspicious strings. Common Linux tools for static analysis like strings, file, hexdump, and objdump are introduced. Disassembly, the process of converting binary machine code to assembly code, is explained. Reverse engineering disassembled code back into C code involves understanding variables, data movement, arithmetic, control flow, functions, and calling conventions. The document concludes by introducing IDA Pro as a popular disassembler and decompiler tool for static analysis.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (11)
Similar to Intro. to static analysis
Similar to Intro. to static analysis (20)
Recently uploaded
Recently uploaded (20)
Intro. to static analysis
- 1. Intro. To Sta+c Analysis C.K. Chen 2014.09.27
- 2. Who am I • C.K Chen (陳仲寬) – P.H.D Student in DSNS Lab, NCTU – BambooFox CTF – Research in • Reverse Engineering • Malware Analysis • Virtual Machine • About this work – CHI-‐WEI WANG, CHIA-‐WEI WANG, CHONG-‐KUAN CHEN 2
- 3. About DSNS • 謝續平教授 • 實驗室研究方向 – 惡意程式分析 – 虛擬機器 – 數位鑑識 – 網路安全 3
- 4. Outline • Intro. To Sta+c Analysis • Common Tools inLinux for Sta+c Analysis • Disassemble • Reverse Assambly to C – Fundamental ASM • IDA Pro – Prace+ce • Tips for Sta+c Analtsis
- 5. Intr. to Sta+c Analysis • Sta+c analysis – Analysis malware without execu+on • Dynamic analysis – Execute malware inside controllable environment and monitor it’s behavior
- 6. Informa+on from Sta+c Analysis • What informa+on we can get from sta+c analysis
- 7. Informa+on from Sta+c Analysis • What informa+on we can get from sta+c analysis – File Structure – Binary Code – Related Module – Suspicious String
- 8. Informa+on from Sta+c Analysis • What we cannot get? – Register Value – Memory Value – Packed Code – Encrypted Message
- 9. Usage of sta+c analysis • In normal case, there are some problems that sta+c analysis is involved – Reverse: Windows, Linux – Pwned(Exploit): Linux, Windows(rare) • Complement to the dynamic analysis
- 10. First step to Sta+c Analysis • There are some Linux commands that can give useful informa+on of file – Strings – Objdump – Hexdump – File
- 11. Linux Command • Strings – For each file given, GNU strings prints the printable character sequences that are at least 4 characters long and are followed by an unprintable character. – Get clues of file
- 12. Linux Command • File – File tests each argument in an a`empt to classify it. There are three sets of tests, performed in this order: filesystem tests, magic number tests, and language tests. The first test that succeeds causes the file type to be printed.
- 13. Linux Command • Hexdump – The hexdump u+lity is a filter which displays the specified files, or the standard input, if no files are specified, in a user specified format. – Hex, Oct, Char, …..
- 14. Linux Command • ldd -‐ print shared library dependencies – Loading library – Loca+on of library file – Loading address of library
- 15. Linux Command • Objdump – Dump informa+on of ELF file – Rich informa+on can be dumped – Can used to build simplest malware analysis system
- 16. Objdump
- 17. Disassemble • objdump -‐D
- 18. Global Offset Table • objdump –R – Key of sharing library in linux – GOT Hijack
- 19. Disassemble • Disassemble is a procedure to convert binary machine code into assembly code
- 20. Code Discovery Problem • In the binary file, instruc+ons and data may hybrid in the sec+on. – It is not easy to discover instruc+ons in the binary – Especial for variable-‐length instruc+on set like x86
- 21. Linear sweep • Starts usually to disassemble from the first byte of the code sec+on in a linear fashion • Disassembles one instruc+on afer another un+l the end of the sec+on is reached • Do not understand program flow • objdump
- 22. Recursive traversal • instruc+on classified as – Sequen+al flow: pass execu+on to the next instruc+on that immediately follows – Condi+onal branching: if the condi+on is true the branch is taken and the instruc+on pointer must change to reflect the target of the branch, otherwise it con+nues in a linear fashion (jnz, jne, . . . ). In sta+c context this algorithm disassemble both paths – Uncondi+onal branching: the branch is taken without any condi+on; the algorithm follows the (execu+on) flow (jmp) – Func+on call: are like uncondi+onal jumps but they return to the instruc+on immediately following the call – Return: every instruc+ons which may modify the flow of the program add the target address to a list of deferred disassembly. When a return instruc+on is reached an address is popped from the list and the algorithm con+nues from there (recursive algorithm). • Some issue – Indirect code invoca+ons – Does returning from a call always allow for a faithful disassembly
- 23. Problem of Disassembly • Remember that disassembler may not always true • Linear sweep • Recursive jmp .des+na+on db 0x6a ; garbage byte technique .des+na+on: pop eax traversal eb 01 jmp 0x401003 6a 58 push 0x58 push DWORD .des+na+on jmp DWORD [esp] db 0x6a ; garbage byte technique .des+na+on: pop eax push DWORD .des+na+on jmp DWORD [esp] push 0x58
- 24. Reverse Assambly to C • Registers Architecture • The EIP register contains the address of the next instruc+on to be executed if no branching is done.
- 25. Memory Layout • Stack – Not maintain in Executable – Local Variable • Heap – Not maintain in Executable – Dynamic Allocate Memory • BSS Sec+on – Unini+alized Data – Global variables and sta+c variables that are ini+alized to zero or do not have explicit ini+aliza+on in source code • Data Sec+on – Ini+alized Data – Global variables and sta+c variables
- 26. Variables • Disassembled code for local and global variables
- 27. Local Variables/Arguments • Caller push argument into stack • Caller push eip by call instruc+on • Callee save/push the caller’s ebp • Callee reserve space for local variables – sub Stack Growing Direc+on
- 28. Data Movement • MOV dst, src – Src <= dst • LEA dst, src – Load effec+ve address of operand into specified register – To calculate the address of a variable which doesn't have a fixed address • Example – mov eax, [ebp -‐ 4] <= get content in [ebp -‐ 4] – mov eax, ebp – 4 <= wrong, no such instruc+on – lea eax, [ebp -‐ 4] <= get address of [ebp -‐ 4]
- 29. Arithme+c Operator • add dest, src • sub dest, src • mul arg • div – DIV r/m8 – DIV r/m16 – DIV r/m32 • inc • dec
- 30. Control Instruc+ons • Flag, each instruc+on updates some field of flag for future branch • test – Performs a bit-‐wise logical AND – sets the ZF(zero), SF(sign) and PF(parity) flags • cmp – Performs a comparison opera+on between arg1 and arg2 – Set SF, ZF, PF, CF, OF and AF
- 31. Branch Instruc+on • JE Jump if Equal ZF=1 • JNE Jump if Not Equal ZF=0 • JG Jump if Greater (ZF=0) AND (SF=OF) • JGE Jump if Greater or Equal SF=OF • JL Jump if Less SF≠OF • JLE Jump if Less or Equal (ZF=1) OR (SF≠OF)
- 32. Stack Opera+on • Stack is the LIFO data structure – PUSH: put data into top of stack – POP: get data from top of stack
- 33. Func+on Call • Call – Similar to jmp, but a CALL stores the current EIP on the stack • RET – Load the address in esp, and jump to that address • RET num – Increase esp by num – Load the address in esp, and jump to that address
- 34. Func+on Pro • Func+on Prologue – Store current EBP – Save ESP to current EBP – Leave space for local variables • Func+on Epilogue – Set ESP to EBP – Restore EBP
- 35. Calling Conven+on • The transi+on of func+on arguments must be maintain by assembly programmer, but most case maintain by compiler • Stdcall – func+on arguments are passed from right to lef – the calleé is in charge of cleaning up the stack. – Return values are stored in EAX. • cdecl – The cdecl (short for c declara+on) is a calling conven+on that originates from the C programming language and is used by many C compilers for the x86 architecture. – The main difference of cdecl and stdcall is that in a cdecl, the caller, not the calleé, is responsible for cleaning up the stack. • pascal – The pascal calling conven+on origins from the Pascal programming language – The main difference between it and stdcall is that the parameters are pushed to the stack from lef to right. • fastcall – The fastcall is a non-‐standardized calling conven+on. – the fastcall conven+on tends to load them into registers. This results in less memory interac+on and increases the performance of a call.
- 36. Func+on Call Structure • Func+on Call Structure •
- 37. Branch Structure • Branch Structure
- 38. Do-‐For loop • Do-‐For loop
- 39. IDA Pro • IDA Pro is the most well-‐known dissemble/ decompile tool for reversing – Disassemble – Friendly GUI – Decopiler – Debugger
- 40. Overview Assembly and Control Flow View Message View Control Flow View
- 41. Func+onality(1) Convert Current Loca+on • DATA • Instruc+on • String • Self-‐defined Data Structure • Array Convert Oprand • Offset • Hex/Oct/Dec/Bin • Constant Char • Segment-‐based Var • Stack-‐based Var • …. Fun Call Window Xref Table Graph Once The disassemble make mistake, you can fix it yourself
- 42. Func+onality(2) Export Func+on • List func+ons export to other Binary • DLL, entry point Import Func+on • Func+ons included from other files • Import func+on can help you to guess the behavior of program Names • Func+on Name • Variable Names • Strings • For problem with debugger informa+on inside, names can be useful Strings • All strings use • For some easy problem, this can help you to get flag • For other problem, it s+ll give you quick look to program
- 43. Useful Hotkeys Func,on Hotkey 1 Strings Shif+F12 2 Jump to operand Enter 3 Jump to previous posi+on ESC 4 Jump to next posi+on Ctrl+Enter 5 Jump to address G 6 Jump to entry point Ctrl+E 7 Sequence of bytes Alt+B • List of useful hotkeys
- 44. Prac+ce • Reverse encryp+on algo in bot.exe – sub_418f50 – h`p://140.113.216.151/bot.exe
- 45. Decompiler • Decompiler can help you to transfer assembly into C code – More easy to read
- 46. But • Decompiler result is not perfect – Most of +me is buggy – Lack of source code level informa+on • May not support All playorm – Arm – X86 – X64 – …..
- 47. Reversing Concept • Iden+fy important part of program • Backward tracking user data • Forward tracking interes+ng API func+on • Convert back to C code
- 48. Iden+fy important part of program • Iden+fy what you interes+ng – Strings: ‘flag’, ‘key’, …. – Func+on to read input: scanf(), gets(),… – Func+on for network communica+on: recv(), send() – Read/Write file – …..
- 49. Backward tracking user data • Most program vulns must be trigger by user input – You can not(or difficult) a`ack a func+on independent to your input • Keep track about variables affected by your input – Data Propagate • Data Dependency
- 50. Forward tracking interes+ng API func+on • Most vulns are cause by some certain func+ons – strcpy() – memcpy() – scanf() – priny() – strcat() – ….. • Try to trigger these func+ons • Analysis control flow and make strategy to enforce program goto these func+ons
- 51. Convert back to C code 1. Gather informa+on – IAT – Strings – Dynamic analysis 2. Iden+fy func+on of interest 3. Iden+fy CALLs 4. Iden+fy algorithms and data structures 5. Pseudo-‐code it! 6. Rename func+on(s), argument(s), variable(s)
- 52. Problem of sta+c analysis • Encryp+on/Self Modified Code • Lack of run+me informa+on • Take a lot of +me to understand program L
- 53. Advantage • Why we s+ll needed sta+c analysis? – Give you very first concept of program – Overview of program flow – Hybrid with dynamic analysis
- 54. Summary • This course brings the basic idea of sta+c analysis • Intro. some tool for sta+c analysis • Basic ASM • How to reverse asm to c – Func+on call – Memory • Some +ps for sta+c analysis
- 55. Q&A