Week 4

Agenda

  • GDB/EDB
  • Packers
  • Dynamic Analysis
  • But first, QUIZ #1

GDB/EDB

GDB

GNU Debugger -- very powerful, and the most popular dynamic analysis tool!

What do we want from gdb?

  • Disassembly
  • Register contents
  • Memory contents
  • Step debug

I wish it could step backwards...

Emacs in GDB mode: pretty cool, but not good for RE.

EDB

A GUI for gdb makes life so much easier for us!

I love the CLI, but here a GUI is so much less of a struggle!

There are still quirks, but we get much more!

Let's look at an example!

Packers

Packers

What is a packer?

Why might a program be packed?

What about this makes our job hard?

Packers change/hide the original binary code by compressing or operating on the bytes.

  • A company trying to hide their product
  • Malware trying to stay undetected
  • Trying to make reverse engineers hate life

No static analysis: we need to learn how the packer works, or find tools to unpack it.

Detecting packers?

Can we detect these nasty things?

/usr/bin/yes

upx yes

Yes, we can run it and watch it unpack, but that can take time!

Visual Binary Analysis makes all the difference!

binvis.io

Chris Domas

Packers may try to fight back

It is possible that a packer has checks to stop us: if it detects that it is running in a VM or under a debugger, it may change its execution path and fail.

UPX

UPX - Ultimate Packer for Executables

What does this packer do?

  • Relocates sections!
  • Removes the section table
  • Packs all sections with UCL
  • All imports become statically linked
  • Adds stub code

Let's step through yesupx and see what this looks like!
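An added example, not from the slides: a Python sketch of the entropy view that binvis.io gives you, combined with a check for the "UPX!" marker that UPX writes into its packed output (a known signature, not something the slides mention). The two sample buffers are constructed here, with a seeded PRNG standing in for UCL-compressed bytes, so it runs without a real binary.

```python
import math
import random
from collections import Counter

# Constructed samples, not real binaries. PLAIN mimics code/data with low
# entropy; PACKED mimics a UPX output: a small header, then compressed
# bytes (stood in for by a seeded PRNG) and the "UPX!" marker UPX emits.
_rng = random.Random(4)
PLAIN_SAMPLE = (b"Hello, world! " * 64 + b"\x00" * 512) * 4          # 5632 bytes
PACKED_SAMPLE = (b"\x7fELF" + _rng.randbytes(252)
                 + b"UPX!" + _rng.randbytes(3836))                    # 4096 bytes

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())

def entropy_profile(data: bytes, window: int = 1024) -> list[float]:
    """Entropy per window: the numeric form of a binvis-style view, where
    packed/compressed regions show up as uniformly 'noisy' blocks."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def looks_packed(data: bytes, window: int = 1024, threshold: float = 7.0) -> dict:
    """Heuristic verdict: most windows near 8 bits/byte, or a known packer marker.
    High entropy alone is only a hint (encrypted or media data looks the same)."""
    profile = entropy_profile(data, window)
    high = sum(1 for e in profile if e >= threshold)
    ratio = high / len(profile) if profile else 0.0
    return {
        "high_entropy_ratio": round(ratio, 2),
        "upx_magic": b"UPX!" in data,
        "packed": ratio > 0.5 or b"UPX!" in data,
    }

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, looks_packed(buf))
```

A packer that strips or rewrites its marker defeats the string check, which is why the entropy profile is the more robust of the two signals.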

Dynamic Analysis

What issues did we have with Static Analysis?

  • Function detection was not complete
  • Useless against packers and obfuscators (next week :D )
  • Difficult to reason about everything at the same time
  • Stripped binaries are difficult to work with

What does Dynamic Analysis have to offer?

On top of having a solution to the previous problems, we can reason about:

  • Code coverage - testing various inputs to reveal paths and learn about the binary.
  • Symbolic execution - more powerful with the aid of dynamically executing the binary and concrete values.
  • Memory usage - valgrind is a dynamic tool that detects memory errors and much more!

How do we improve our dynamic analysis?

Next time on RE...

INTERMEDIATE
