Professional Documents
Culture Documents
(For Dummies)
Dynamic Analysis of Windows Binaries
Johnny Long
johnny@
johnny@ihackstuff.com
ihackstuff.com
The Problem
Windows
Windows XPXP
running
running inside
inside
VirtualPC
VirtualPC for
for
Mac
Mac
Write-Protect
Both
Both products
products allow
allow us
us to
to
write-protect
write-protect our
our
environment,
environment, preventing
preventing
permanent
permanent changes.
changes.
Write-Protect
Changes
Changes cancan be
be
discarded
discarded when
when thethe
VirtualPC
VirtualPC is
is powered
powered
down.
down. Vmware
Vmware calls
calls this
this
nonpersistent
nonpersistent mode.
mode.
Write-Protect
Our
Our evil
evil code
code
consists
consists of of
three
three files.
files.
Notice
Notice there
there isis
no
no EXE
EXE file.
file.
The Cast
The
The INI
INI file
file
isn’t
isn’t much
much to to
write
write home
home
about,
about, yet…
yet…
A note on the strings command
Running
Running strings
strings -8 -8
on
on our
our DLL
DLL file
file
reveals
reveals possible
possible
functions.
functions.
Remember:
Remember: text text
could
could bebe faked.
faked. File
File
this
this away
away forfor later…
later…
Strings
Certain
Certain strings
strings can
can
lead
lead to
to aa wild
wild
goose
goose chase.
chase. Be Be
careful
careful what
what you
you
connect
connect to.…
to.…
Strings
Usage
Usage
information
information aboutabout
the
the tool
tool is
is often
often
found
found with
with
strings….
strings….
Dependency Walker
These
These function
function
names
names are are
important.
important. We’ll
We’ll need
need
these
these when
when itit comes
comes
time
time to
to run
run the
the
hacker
hacker tool…
tool…
Google
Filemon,
Filemon, available
available fromfrom
www.sysinternals.com
www.sysinternals.com
shows
shows all
all file
file activity
activity
on
on aa Windows
Windows system.
system.
Filemon
Entry
Entry Request:
Request: Open,
Open, Details
Details of
of file
file
Number.
Number. Close,
Close, Directory,
Directory, access
access result
result (if
(if
Sequential.
Sequential. Write,
Write, etc
etc available)
available)
Time
Time Path
Path of
of file
file
captured
captured accessed
accessed
Result
Result of
of file
file or
or
(or
(or delta)
delta) directory
Process
Process directory
name
name andand access
access or
or error
error
ID
ID description
description
Filemon
Toggle
Toggle Apply
Apply Search
Search
Capture
Capture Filter
Filter Results
Results
(start
(start // stop)
stop)
Clear
Clear Number
Number ofof result
result lines
lines
Results
Results to
to keep
keep (history)
(history)
Filemon
Filemon
Filemon and and regmon
regmon allow
allow
filters
filters to
to narrow
narrow the
the ‘signal’
‘signal’
from
from the
the ‘noise’.
‘noise’.
Regmon
Regmon,
Regmon, from
from
www.sysinternals.com,
www.sysinternals.com,
monitors
monitors registry
registry access
access
Sniffing
Tcpview
Tcpview from
from
www.sysinternals.com
www.sysinternals.com
shows
shows network
network
connections
connections to
to and
and from
from
your
your machine
machine
TCPView
Toggle
Toggle resolve
resolve
Save
Save addresses
addresses
capture
capture Toggle
Toggle ‘show
‘show
connected
connected endpoints’
endpoints’
refresh
refresh
Our
Our address
address Connection
Connection
process
process protocol
protocol state
state
Their
Their address
address
TCPView
Rundll32
Rundll32 expects
expects thethe
name
name of
of aa DLL.
DLL.
However,
However, we we don’t
don’t
get
get much
much response
response
running
running itit this
this way.
way.
We’re
We’re missing
missing
something…
something…
Brute Force
Let’s
Let’s try
try
some
some
random
random
option
option to
to the
the
program….
program….
Hey!
Hey! ItIt didn’t
didn’t do
do
much,
much, but but the
the
program
program “spoke”
“spoke”
to
to us
us with
with this
this
dialog
dialog box!
box! =)
=)
rundll32
Instead
Instead of of brute
brute forcing
forcing options
options
to
to the
the program,
program, think
think back
back toto
Dependency
Dependency Walker.
Walker. Let’s
Let’s try
try
these
these function
function names
names as as
parameters
parameters to to our
our tool
tool run
run
through
through rundll32…
rundll32…
Rundll32
AA simple
simple directory
directory
listing…
listing…
Let’s
Let’s run
run the
the
program
program withwith Inj
Inj
(the
(the first
first
function)…
function)… What What
happens?
happens?
Files
Files Disappear!
Disappear!
Rundll32 / TCPView
That
That last
last function
function also
also
caused
caused aa packet
packet toto be
be
sent
sent to
to aa POP
POP email
email
port…
port…
TCPView
TCPView let let us
us down
down
and
and didn’t
didn’t capture
capture more
more
data…
data…
Rundll32
Files
Files are
are hidden…
hidden…
Run
Run with
with “clean”
“clean” option…
option…
Files
Files Re-Appear.
Re-Appear. This
This
isis the
the opposite
opposite ofof the
the
hiding
hiding function…
function…
We’re
We’re getting
getting
somewhere…
somewhere…
Option test
This
This option
option
creates
creates
some
some
interesting
interesting
results….
results….
Our
Our first
first real
real
usage
usage statement,
statement,
and
and aa cool
cool pop-up
pop-up
window!
window! Lots
Lots ofof
options
options to to
explore…
explore…
Server run…
This
This run…
run…
Creates
Creates another
another pop-up
pop-up
window,
window, and
and launches
launches aa
listening
listening server
server on
on our
our
machine!
machine!
Client run
This
This run…
run…
Creates
Creates another
another
pop-up
pop-up window,
window, and
and
launches
launches aa client
client
that
that connects
connects to
to our
our
listening
listening server!
server!
Client to Server
Typing
Typing in
in our
our client
client window…
window…
…echoes
…echoes in
in the
the server
server window!
window!
What next?
• General Features
– Windows 2000 and XP capable (at least)
– One file could be used as a client or server
– Not an exploit, a backdoor only (where’s the exploit?)
• Backdoor Functions
– Remote command shell
– File transfer
– Process control
• Network Features
– IP-based or Key-based authentication
– Encoded network communication
– Phone-home capability
• Rootkit Capabilities
– Basic File, Registry, and Process Hiding
Conclusion
• VMWare: www.vmware.com
• Tons of tools: www.sysinternals.com
• Virtual PC: Google "virtual PC"
• Fport: Google “Fport”
• Ethereal: Google “Ethereal”
• Tcpdump: Google... You get the idea =)
• My site: http://johnny.ihackstuff.com