Professional Documents
Culture Documents
(For Dummies)
Dynamic Analysis of Windows Binaries
Johnny Long
johnny@
johnny@ihackstuff.com
ihackstuff.com
The Problem
Requirements
The Process
Virtual Windows XP
Windows
Windows XP
XP
running
running inside
inside
VirtualPC
VirtualPC for
for
Mac
Mac
Write-Protect
Both
Both products
products allow
allow us
us to
to
write-protect
write-protect our
our
environment,
environment, preventing
preventing
permanent
permanent changes.
changes.
Write-Protect
Changes
Changes can
can be
be
discarded
discarded when
when the
the
VirtualPC
VirtualPC is
is powered
powered
down.
down. Vmware
Vmware calls
calls this
this
nonpersistent
nonpersistent mode.
mode.
Write-Protect
The Cast
Our
Our evil
evil code
code
consists
consists of
of
three
three files.
files.
Notice
Notice there
there isis
no
no EXE
EXE file.
file.
The Cast
The
The INI
INI file
file
isnt
isnt much
much to
to
write
write home
home
about,
about, yet
yet
Strings
Running
Running strings
strings -8
-8
on
on our
our DLL
DLL file
file
reveals
reveals possible
possible
functions.
functions.
Remember:
Remember: text
text
could
could be
be faked.
faked. File
File
this
this away
away for
for later
later
Strings
Certain
Certain strings
strings can
can
lead
lead to
to aa wild
wild
goose
goose chase.
chase. Be
Be
careful
careful what
what you
you
connect
connect to.
to.
Strings
Usage
Usage
information
information about
about
the
the tool
tool is
is often
often
found
found with
with
strings.
strings.
Dependency Walker
Dependency Walker
Simply
Simply loading
loading the
the DLL
DLL
file
file reveals
reveals available
available
functions
functions and
and external
external
DLLs
DLLs that
that are
are loaded.
loaded.
These
These function
function
names
names are
are
important.
important. Well
Well need
need
these
these when
when itit comes
comes
time
time to
to run
run the
the
hacker
hacker tool
tool
The monitors
Filemon
Filemon,
Filemon, available
available from
from
www.sysinternals.com
www.sysinternals.com
shows
shows all
all file
file activity
activity
on
on aa Windows
Windows system.
system.
Filemon
Filemon
Entry
Entry
Number.
Number.
Sequential.
Sequential.
Time
Time
captured
captured
(or
(or delta)
delta)
Request:
Request: Open,
Open,
Close,
Close, Directory,
Directory,
Write,
Write, etc
etc
Path
Path of
of file
file
accessed
accessed
Process
Process
name
name and
and
ID
ID
Details
Details of
of file
file
access
access result
result (if
(if
available)
available)
Result
Result of
of file
file or
or
directory
directory
access
access or
or error
error
description
description
Filemon
Scroll
Scroll
Results
Results
Toggle
Toggle
Capture
Capture
(start
(start // stop)
stop)
Toggle
Toggle time
time //
delta
delta
Apply
Apply
Filter
Filter
Clear
Clear
Results
Results
Jump
Jump to
to
Explorer
Explorer
Search
Search
Results
Results
Number
Number of
of result
result lines
lines
to
to keep
keep (history)
(history)
Filemon
Filemon
Filemon and
and regmon
regmon allow
allow
filters
filters to
to narrow
narrow the
the signal
signal
from
from the
the noise.
noise.
Regmon
Regmon,
Regmon, from
from
www.sysinternals.com,
www.sysinternals.com,
monitors
monitors registry
registry access
access
Sniffing
TCPView
Tcpview
Tcpview from
from
www.sysinternals.com
www.sysinternals.com
shows
shows network
network
connections
connections to
to and
and from
from
your
your machine
machine
TCPView
Toggle
Toggle resolve
resolve
addresses
addresses
Save
Save
capture
Toggle
capture
Toggle show
show
connected
connected endpoints
endpoints
refresh
refresh
process
process
protocol
protocol
Our
Our address
address
Their
Their address
address
Connection
Connection
state
state
TCPView
Rundll32
Warning!!!
Rundll32
Rundll32
Rundll32 expects
expects the
the
name
name of
of aa DLL.
DLL.
However,
However, we
we dont
dont
get
get much
much response
response
running
running itit this
this way.
way.
Were
Were missing
missing
something
something
Brute Force
Lets
Lets try
try
some
some
random
random
option
option to
to the
the
program.
program.
Hey!
Hey! ItIt didnt
didnt do
do
much,
much, but
but the
the
program
program spoke
spoke
to
to us
us with
with this
this
dialog
dialog box!
box! =)
=)
rundll32
Instead
Instead of
of brute
brute forcing
forcing options
options
to
to the
the program,
program, think
think back
back to
to
Dependency
Dependency Walker.
Walker. Lets
Lets try
try
these
these function
function names
names as
as
parameters
parameters to
to our
our tool
tool run
run
through
through rundll32
rundll32
Rundll32
AA simple
simple directory
directory
listing
listing
Lets
Lets run
run the
the
program
program with
with Inj
Inj
(the
(the first
first
function)
function) What
What
happens?
happens?
Files
Files Disappear!
Disappear!
Rundll32 / TCPView
That
That last
last function
function also
also
caused
caused aa packet
packet to
to be
be
sent
sent to
to aa POP
POP email
email
port
port
TCPView
TCPView let
let us
us down
down
and
and didnt
didnt capture
capture more
more
data
data
Rundll32
Files
Files are
are hidden
hidden
Run
Run with
with clean
clean option
option
Files
Files Re-Appear.
Re-Appear. This
This
isis the
the opposite
opposite of
of the
the
hiding
hiding function
function
Were
Were getting
getting
somewhere
somewhere
Option test
This
This option
option
creates
creates
some
some
interesting
interesting
results.
results.
Our
Our first
first real
real
usage
usage statement,
statement,
and
and aa cool
cool pop-up
pop-up
window!
window! Lots
Lots of
of
options
options to
to
explore
explore
Server run
This
This run
run
Creates
Creates another
another pop-up
pop-up
window,
window, and
and launches
launches aa
listening
listening server
server on
on our
our
machine!
machine!
Client run
This
This run
run
Creates
Creates another
another
pop-up
pop-up window,
window, and
and
launches
launches aa client
client
that
that connects
connects to
to our
our
listening
listening server!
server!
Client to Server
Typing
Typing in
in our
our client
client window
window
echoes
echoes in
in the
the server
server window!
window!
What next?
Tool Capabilities
General Features
Backdoor Functions
Network Features
Rootkit Capabilities
Basic File, Registry, and Process Hiding
Conclusion
Analysis Tips
References
VMWare: www.vmware.com
Tons of tools: www.sysinternals.com
Virtual PC: Google "virtual PC"
Fport: Google Fport
Ethereal: Google Ethereal
Tcpdump: Google... You get the idea =)
My site: http://johnny.ihackstuff.com