Week 4
Agenda
- GDB/EDB
- Packers
- Dynamic Analysis
- But first, QUIZ #1
GDB/EDB
GDB
Gnu Debugger -- Very powerful and is the most popular dynamic analysis tool!
What do we want from gdb?
- Disassembly
- Register contents
- Memory contents
- Step debug
I wish it could step backwards...
Emacs in GDB mode, Pretty cool, not good for RE.
EDB
gdb GUI makes life so much easier for us!
I love CLI, but here GUI is so much less struggle!
There are still quirks, but we get much more!
Lets look at an example!
Packers
Packers
What is a packer?
Why might a program be packed?
What about this makes our job hard?
Packers change/hide the original binary code by compressing or operating on the bytes
Company trying to hide their product, Malware trying to stay undetected,
Trying to make Reverse engineers hate life
No static analysis, need to learn how the packer works/tools to unpack.
Detecting packers?
Can we detect these nasty things?
/usr/bin/yes
upx yes
Yes, we can run it and see that is unpacking, but that can take time!
Visual Binary Analysis makes all the difference!!
Packers may try to fight back
It possible that the packers have some checks to stop us, maybe it knows its in a VM or a debugger, then it may change its execution path and fail.
UPX
UPX - Ultimate Packer for Executables
What does this packer do?
Relocates sections!
Removes section table
Packs all sections with UCL
All imports become statically linked
Adds stub code
Lets Step through yesupx and see what this looks like!
Dynamic Analysis
What issues did we have with Static Analysis?
Function detection was not complete
Useless against packers and Obfuscators (next week :D )
Difficult to reason about everything at the same time
Stripped binaries are difficult to work with
What does Dynamic Analysis have to offer?
On top of having a solution to the previous problems, we can reason about:
Code Coverage - testing various inputs to reveal paths and learn about the binary.
Symbolic Execution -
More powerful with the aid of dynamically executing the binaries and concrete values
Memory usage - valgrind is a dynamic tool that detects memory errors and much more!
How do we improve our Dynamic analysis?
Next time on RE...
INTERMEDIATE
Week 4
By Drake P
Week 4
GBD/EDB, Packers, Dynamic Analysis
- 172