Executable Unpacking using Dynamic Binary Instrumentation Shubham Bansal (iN3O) Feb 2015 UndoPack 1.
Executable Unpacking using Dynamic Binary Instrumentation
Shubham Bansal (iN3O)
Feb 2015
UndoPack 1
Who am I?
Undergraduate student at IIIT-Hyderabad
Security Researcher
Currently pursuing B.Tech with honors in Computer Science
Regular CTF (Capture the Flag) player
Currently part of SegFault CTF team
Fields of interest: reverse engineering, malware analysis and exploit development
What I did?
Wrote a small CLI tool named UndoPack that extracts the packed code
Motivation behind the tool
Code packing is one of the most widely used techniques for hindering code analysis, and its usage is still growing...
Original Binary
Packed Binary
Motivation behind the tool
Automated unpacking normally requires knowing the packing algorithm
Common technique: signature matching and heuristics
What if we don't know the internal workings of the packer?
What if we find an executable packed with an unknown packer?
The fallback is manual unpacking
UndoPack
Uses Intel's Pin dynamic binary instrumentation framework
Extracts multiple layers of packed code
Reports the original entry point (OEP)
Requires no prior knowledge of the packer
Different packers, same extraction method
Why Pin?
Best framework for dynamic binary analysis
Works with both the IA-32 and x86-64 ISAs
Easy and well-documented API
Works on both Windows and *nix systems
Key Assumptions
At some point the original, hidden code must be present in memory and get executed
The instruction pointer jumps to the OEP of the restored code at each layer of unpacking
Approach
Instrument memory write instructions
Catch the transition point from the restoration (unpacking) code to the OEP of the hidden code
Hidden code and data live at the newly written memory addresses
Written memory addresses are tracked using a very simple shadow memory implementation
Extract each layer of unpacked code for further analysis of the packer
System Design
Emulated Environment
Shadow Memory
Extraction Engine
Emulated Environment
Provided by Intel's Pin framework
Instrument memory write instructions and build Shadow memory
Instrument execution-flow-changing instructions to catch the transition point
Provides isolation between the extraction engine and the malicious program under analysis. Note that a Pin tool shares the address space of the process it instruments, so this isolation is logical rather than a security boundary; run the analysis inside a disposable VM.
Pin's implementation for instrumenting memory write instructions
Pin's implementation for instrumenting execution-flow-changing instructions
Shadow Memory
Technique used to track and store information about the memory a program reads or writes during its execution.
Shadow memory consists of shadow bits/bytes that map to individual bits, or to one or more bytes, of main memory.
Newly written memory addresses are marked dirty (1) and all others clean (0) in shadow memory.
Extraction Engine
Initializes the whole shadow memory to clean (0)
Every write to an address in program memory sets the corresponding bit in shadow memory to dirty (1)
Each time a dynamically linked library is loaded into program memory, the corresponding shadow memory is reset to clean (0)
At the end of each basic block, check whether any dirty memory location lies within the region covering the basic block.
If so, dump the whole dirty memory address range, which represents the next layer of packing, and reinitialise the shadow memory to clean (0).
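The following is an added, stand-alone model of the approach described on the "Approach", "Shadow Memory" and "Extraction Engine" slides; it is not UndoPack's own code. The three handlers on_write, on_image_load and on_basic_block are the points where a Pin tool would call in from its instrumentation callbacks (INS_InsertPredicatedCall with IARG_MEMORYWRITE_EA/IARG_MEMORYWRITE_SIZE, IMG_AddInstrumentFunction, and a BBL-level call with BBL_Address/BBL_Size). Here they are driven by a hand-constructed two-layer trace, so the engine runs without Pin; the addresses, sizes and the 1 MiB modelled address space are assumptions made for the demo.

```cpp
// Added example (not UndoPack's code): shadow-memory based layer extraction.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

namespace undopack_model {

// One shadow bit per byte of a small simulated address space (assumption: 1 MiB).
class ShadowMemory {
public:
    static constexpr uint64_t kSpace = 1u << 20;
    ShadowMemory() : bits_(kSpace / 8, 0) {}
    void set(uint64_t addr, size_t len, bool dirty) {
        for (uint64_t a = addr; a < addr + len && a < kSpace; ++a) {
            uint8_t mask = static_cast<uint8_t>(1u << (a & 7));
            if (dirty) bits_[a >> 3] |= mask;
            else       bits_[a >> 3] &= static_cast<uint8_t>(~mask);
        }
    }
    bool is_dirty(uint64_t a) const {
        return a < kSpace && ((bits_[a >> 3] >> (a & 7)) & 1);
    }
    bool any_dirty(uint64_t lo, uint64_t hi) const {          // [lo, hi)
        for (uint64_t a = lo; a < hi; ++a) if (is_dirty(a)) return true;
        return false;
    }
    // Whole dirty extent as [lo, hi); false if nothing is dirty.
    bool extent(uint64_t& lo, uint64_t& hi) const {
        bool found = false;
        for (uint64_t a = 0; a < kSpace; ++a) {
            if (!is_dirty(a)) continue;
            if (!found) { lo = a; found = true; }
            hi = a + 1;
        }
        return found;
    }
    void clear() { std::fill(bits_.begin(), bits_.end(), 0); }
private:
    std::vector<uint8_t> bits_;
};

struct Layer {
    uint64_t lo, hi;   // dumped dirty range [lo, hi)
    uint64_t oep;      // first executed address inside it
};

class Extractor {
public:
    // Memory write instrumentation: mark the written bytes dirty.
    void on_write(uint64_t ea, size_t size) { shadow_.set(ea, size, true); }
    // Image load: bytes the loader touches in a mapped DLL are not unpacked code.
    void on_image_load(uint64_t lo, uint64_t hi) { shadow_.set(lo, hi - lo, false); }
    // Basic block about to run: executing dirty bytes means a new layer was reached.
    bool on_basic_block(uint64_t start, size_t size) {
        if (!shadow_.any_dirty(start, start + size)) return false;
        uint64_t lo = 0, hi = 0;
        shadow_.extent(lo, hi);
        layers_.push_back(Layer{lo, hi, start});
        shadow_.clear();   // next layer starts from a clean slate
        return true;
    }
    const std::vector<Layer>& layers() const { return layers_; }
private:
    ShadowMemory shadow_;
    std::vector<Layer> layers_;
};

// Constructed trace (assumption): stub 1 at 0x1000 restores stub 2 into
// 0x3000..0x3100; stub 2 restores the original code into 0x5000..0x5400.
std::vector<Layer> run_demo() {
    Extractor x;
    x.on_basic_block(0x1000, 0x20);                               // stub 1 runs, nothing dirty
    for (uint64_t a = 0x3000; a < 0x3100; a += 4) x.on_write(a, 4);
    x.on_basic_block(0x1020, 0x10);                               // still stub 1: no transition
    x.on_basic_block(0x3000, 0x18);                               // jump into written code: layer 1
    x.on_write(0x90000, 0x100);                                   // loader fixes up a mapped DLL...
    x.on_image_load(0x90000, 0x92000);                            // ...which is reset to clean
    for (uint64_t a = 0x5000; a < 0x5400; a += 16) x.on_write(a, 16);
    x.on_basic_block(0x3018, 0x8);                                // stub 2 tail: no transition
    x.on_basic_block(0x5000, 0x40);                               // OEP reached: layer 2
    return x.layers();
}

} // namespace undopack_model

int main() {
    for (const auto& l : undopack_model::run_demo())
        std::printf("layer: dump [0x%llx, 0x%llx) oep=0x%llx\n",
                    (unsigned long long)l.lo, (unsigned long long)l.hi,
                    (unsigned long long)l.oep);
    return 0;
}
```

Two caveats follow directly from the design. Every write the stub makes, including stack and heap traffic, is dirty, so the min..max extent can be much wider than the unpacked section; a production tool would dump per contiguous dirty run or restrict to the image's sections. And a stub that patches its own code in place triggers an extra "layer" dump, which is harmless but worth recognising in the output.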
Undopack on GitHub
https://github.com/3SLabs/undopack
Credits
● Special thanks to Abhisek Datta, 3S Labs
● Thanks to Intel's Pin framework
Questions?
Thank you!!!