From Null Space Labs
Malware Friday is an event open to anyone who wishes to learn more about reverse-engineering as well as dissecting, understanding and de-fanging malware. It occurs on the last Friday of every month unless otherwise noted.
To participate in the malware analysis part of Malware Fridays, you need to meet the following pre-requisites:
- Knowledge of assembly.
- A majority of the samples will be for Windows, so knowledge of x86 is preferred.
- Navigating a binary through a debugger such as OllyDBG, WinDBG or IDA.
- Basic knowledge of the Windows PE file format.
- The PE format gets super-complicated (especially with packers), but basic understanding should be sufficient to navigate most situations.
- Basic understanding of the concepts behind reverse-engineering.
Optional things to know:
- Anti-debug techniques.
- Anti-reversing techniques.
- Compiler theory.
- Knowledge of compiler theory is EXTREMELY useful for reverse-engineering. If you at least meet this requirement, you can probably wing it.
To meet these pre-requisites, it's recommended you check out the links provided at the end of this article..
To participate in the learning half of Malware Friday, all you need is to bring yourself and a brain. Preferably you're going to want to bring something to take notes with, but other than that all you need is to take a seat and listen.
The first hour is dedicated to the basics of reverse-engineering and assembly. This is for those who wish to participate in the actual reverse-engineering and dissection of a given piece of nastiness but don't quite have the skills and knowledge. Since this event attracts such a wide audience with an immense interest in learning, this is necessary to bring everyone up to speed. During this hour, the following topics will be covered in an interactive lecture format:
- Assembly basics (x86, ARM, etc.)
- Deriving higher-level code from blocks of assembly
- Anti-debug techniques
- Anti-reversing techniques
- Unpacking binaries
- Patching binaries (colloquially: cracking)
After this hour, the real fun begins with the sample of the month, provided by Vyrus, frank^2, or anyone else who has a sample they wish to share for analysis. Once everyone has the sample, an open forum for discussion begins as people take apart the binary and learn what it does, most likely with KiLLeR TuNeZ playing in the background. We don't stop until we either get bored of reversing for the night or until the botnet gets taken over.
There are a plethora of tools at your disposal to dissect and understand what's going on in a given binary. This is a rudimentary list of the basics you may need when going about your business.
VMware Player is a free virtual machine host from VMware. For some reason, even though it's free, it requires you to register and enter a product key. I think they're just trying to give crackers something to do.
VirtualBox is another free virtual machine host made by Sun Microsystems. Even though it's tainted by this fact, the benefit of VirtualBox is that it's free and multi-platform.
Parallels Desktop is a virtual machine for OS X, but it unfortunately costs money. It's a dang good virtual machine, though-- it comes with snapshot management and has support for a surprisingly plentiful set of operating systems.
In this context, a "debugger" is any program that allows you to look at a compiled binary at the assembly level and step through it. Debuggers are literally intended to do what they're named to do-- find bugs-- but they're very useful for reverse-engineering in general.
- OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is a shareware, but you can download and use it for free.
OllyDBG is considered the de-facto debugger in almost everyone's toolkit. It's got a whole lot of information to give you-- information on threads, data sections and more are all available to you as soon as you run the binary. Plus, with a robust plugin framework, OllyDBG is extended by the reverse-engineering community with features such as PE-header manipulation and anti-anti-debugging.
- IDA Pro is a Windows or Linux hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.
IDA Pro is considered the non-free analog to OllyDBG. It costs a shitload of money. And you can't buy it by yourself-- they're really, really strict about who can buy from them. Many suspect that Hex-Rays truly hates money. IDA is quite possibly the best static code analysis tool there is, though, with a robust graph view and the ability to directly annotate the assembly you're trying to understand. There's so much more to IDA than just that-- ask around the space for someone who knows the tool to get a good understanding of just how powerful this thing is.
Previous Malware Fridays
August 27, 2010
- First Malware Friday ever!
- Found out that not many people even knew assembly... whoops!
- Walk-thru of Israel Torres's simple crackme. (C-source: File:ITwin32LevelA-unpacked.c) (C++ source w/ shout out to DC949: ITwin32LevelA-unpacked.cpp)
- All you really care about here is the main() loop-- that's where all the content of the crackme is.
September 24, 2010
- Came prepared to give a lecture on assembly... no one here to lecture to! Well that makes things fast.
- Analyzed a malicious PDF which dropped an EXE. (Sample password: infected)
- Fuckin' electricity, how does it work?
- Unpacked it! (Sample password: infected)
- On top of being packed with UPX, this also uses a custom protector that eventually dumps a bunch of unpacking code to a randomly allocated space in memory via VirtualAllocEx. You can see this in action by setting a breakpoint on 0x00405860 after UPX has done its thing will allow you to figure out where it's going.
- Once in the memory section called by VirtualAllocEx, the first unpack loop ends at base+0x857. I can't remember where the rest of the unpack loop happens, though. Step over all the CALLs (optimizing and ignoring the various obfuscated loops you encounter) and wait until you reach a RETN call. This RETN call is actually an obfuscated CALL to something like ZwClearSystemMemory or some shit like that. When that function ends, you reach the OEP of 0x0040200D.
January 28, 2011
- Malware Friday has survived the holiday slaughter.
- STORM WORM 5000 BROUGHT TO YOU BY THE NUMBER ONE MALWARE TEAM IN THE GREATER LOS ANGELES AREA: *NULL SPACE LABS* (Sample password: infected)
- VM image now up on boobies: \\boobies\Malware Friday\Reversing Image.rar