Professional Documents
Culture Documents
Analysis and Visualization of Common Packers
Analysis and Visualization of Common Packers
Analysis and Visualization of Common Packers
Common Packers
PowerOfCommunity, Seoul
Ero Carrera - ero.carrera@gmail.com
Reverse Engineer at zynamics GmbH
Chief Research Officer at VirusTotal
Introduction
An historical perspective
VM detection.
VMWare, VirtualPC, etc
Techniques aimed against specific tools
OllyDBG, IDA, Softice, etc
Breaking tools
Code obfuscation
Adding junk code, using opaque predicates
Code transformation
Virtual machines
Flow obfuscation (SEH, Nanomites)
Tools
Bochs
Provides with a high-level view
No need to worry about most of the anti-* techniques
Windbg
Can do kernel-mode debugging, hook syscalls, look
deeper that user-mode tools
Inspection of physical/virtual memory
Memoryze, for the real hardcore
Obfuscation & Anti-Analysis
Basic trickery against
analysis algorithms
Most tools will linearly disassemble a chunk of code
Introduce and non-terminal flow branching instruction
(not a ret or jmp)
Make it point later in the code, to the middle of what
would be an instruction if disassembling linearly
Result => confusion
(latest IDA, 5.3, has some workarounds against this)
Also: indirect obfuscation through heavy optimization
Example: ASPack (original)
C3________ ret
Example: Linear
Disassembly
0DFE000000 or eax, 0FEh
75________ db 0x75
C3________ ret
Example: Opaque Predicate
7401______ jz $+3
C3________ ret
Example: Opaque Predicate
7401______ jz $+3
75________ db 0x75
C3________ ret
Executable Image Function
address instruction (operand, ...)
address instruction (operand, ...)
address instruction (operand, ...)
Memory Page ...
Function Chunk
Function Chunk
Function Chunk
address instruction (operand, ...)
Function Chunk address instruction (operand, ...)
Function Chunk address instruction (operand, ...)
Memory Page ...
Memory Page
address instruction (operand, ...)
address instruction (operand, ...)
address instruction (operand, ...)
...
address instruction (operand, ...)
address instruction (operand, ...)
address instruction (operand, ...)
...
Executable Image Function
address instruction (operand, ...)
address instruction (operand, ...)
address instruction (operand, ...)
...
Memory Page
Function Chunk
address instruction (operand, ...)
address instruction (operand, ...)
Function Chunk address instruction (operand, ...)
address instruction (operand, ...) ...
address instruction (operand, ...)
Memory Page address instruction (operand, ...)
...
Function Chunk
address instruction (operand, ...)
address instruction (operand, ...)
Memory Page address instruction (operand, ...)
...
address instruction (operand, ...) address instruction (operand, ...) address instruction (operand, ...)
address instruction (operand, ...) address instruction (operand, ...) address instruction (operand, ...)
address instruction (operand, ...) address instruction (operand, ...) address instruction (operand, ...)
... ... ...
Shared Blocks
pusha
popa
Non-Standard Branching
Junk JMP insertion
Exmple: Junk Code I
(Themida)
018900CE 48________ dec eax
01890101 loc_1890101:
Runs
Virtual CPU
Standard Code
Runs Runs
4 Update registers
Real CPU opcodes Registers
Execute handler
handler for opA Virtual CPU
3
2 Decode
handler for opB Decoder
Child's code
Transfer control
Parent catches it INT 3 push ebp
mov ebp, esp
push 0
push 0
call XYZ
Look up address cmp eax, 0
INT 3
.
.
.
Find target .
mov [UWZ], 0xff
pop ebp
ret
Debug
Resume child Child process
WRITE WRITE
TIME
Virtual Address Range A
Physical Memory
MMU
WRITE
Physical Memory
MMU
EXECUTE
Countermeasures
Oreans Themida/CodeVirtualizer
http://www.oreans.com
VMProtect
http://www.vmprotect.ru/
Memoryze, Mandiant
http://www.mandiant.com/software/memoryze.htm
Thanks to Vangelis and the
PoC crew!
Q&A