Reverse Engineering Machine Code 3

Uploaded by Dave Wright

Code Visualization

Code Visualization
- PaiMei and uDraw(Graph)

Code Visualization
- OllyFlow Plugin: Function graphs

Code Visualization
- OllyFlow Plugin: Flow graphs

Microsoft Symbols
- Debug Symbols
  - Windows kernel symbols available
    - For most MS executables
  - Windows debug symbols available at:
    - http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx#f

Configuring OllyDbg to Use Symbols

Symbols in IDA

Windows Kernel Debugging
- Install Windows Symbols
  - Specifically, for the target kernel
- Install Windows SDK
  - Make sure to install “Debugging Tools”
    - This includes WinDBG

Windows Kernel Debugging
- Crash Dump Analysis
  - Windows “.dmp” file
    - Snapshot of the kernel state and physical memory
    - Windows can be configured to create a crash dump upon blue screening
    - WinDBG handles crash dump analysis

Remote Debugging
- Remote Debugging
  - Most good debuggers have a remote monitor that they can connect to
  - Some virtual machine programs incorporate remote debugging for kernel debugging

Decoding Structures
- Structures
  - Good debuggers/disassemblers will allow the user to define structures
    - Structure decoding is implemented in OllyDbg 2.0
    - Currently, user-defined structures are not

Decoding Structures

Decoding Structures

Decoding Structures

IDA Structures
- Assembler Structures
  - Structures window
- C Structures
  - Local types window

Function Hooking
- Hooking
  - Create user-defined events upon:
    - Function calls
    - System messages
    - IO events
    - …
  - SetWindowsHookEx()
    - Install a hook
  - UnhookWindowsHookEx()
    - Uninstall a hook
    - Example: http://msdn.microsoft.com/en-us/library/windows/desktop/ms632589(v=vs.85).aspx

Differential Reverse Engineering
- Binary Diffing
- Code Coverage Diffing
- Others
  - Memory diffing

Binary Diffing
- Binary Diffing
  - Compare two similar binary executables
  - Useful for reverse engineering updates and version changes
  - Implemented in PaiMei
    - PAIMEIdiff

Code Coverage Diffing
- Code Coverage Diffing
  - Typically, a reverse engineer is interested in only a few functions
  - Run 1: Profile program by running it and activating all features you aren’t interested in
  - Run 2: Profile program by running just the functionality you wish to locate
  - Perform a diff on which functions were called between the two runs
  - Great for reverse engineering large or GUI programs

Code Coverage Diffing
- Demo!
  - Let’s find the function in Notepad++ that invokes the “About” information
    - 3251 functions / 28827 basic blocks
    - 1 or 2 functions are dedicated to the “About” window

Code Coverage Diffing
- PaiMei’s pida_dump.py in idapython

Code Coverage Diffing
- Generate a .pida file after auto-analysis

Code Coverage Diffing
- Create Two Tags
  - “Filter”
    - We will run everything we don’t want
  - “About”
    - We will run just what we want
    - Of course, other GUI functions will be run but those should have occurred in our “Filter” tag

Code Coverage Diffing
- Use “Filter” for stalking

Code Coverage Diffing
- Set “Filter” as a filter tag, stalk “About”

Code Coverage Diffing
- Check the function flow graph in UDraw
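The “Filter”/“About” procedure above, as an added example that is not PaiMei's code: two constructed stalker-style hit lists (the tags follow the slides, the function and basic-block addresses are invented) are diffed first at function level, then at basic-block level, which also surfaces an About-only branch inside a menu dispatcher that the filter run already touched.

```python
from collections import defaultdict

# Constructed hit records (tag, function_start, basic_block); not PaiMei's format.
# "Filter": everything except the About dialog. "About": only the About dialog,
# which unavoidably re-runs shared GUI code (message loop, menu dispatcher).
TRACE = [
    ("Filter", 0x401000, 0x401000), ("Filter", 0x401000, 0x401015),  # message loop
    ("Filter", 0x402200, 0x402200), ("Filter", 0x402200, 0x402230),  # menu dispatch
    ("Filter", 0x405000, 0x405000), ("Filter", 0x405000, 0x405020),  # File > Open
    ("Filter", 0x406100, 0x406100),                                  # Edit > Find
    ("About",  0x401000, 0x401000), ("About",  0x401000, 0x401015),  # message loop
    ("About",  0x402200, 0x402200), ("About",  0x402200, 0x402260),  # dispatch: About case
    ("About",  0x40a300, 0x40a300), ("About",  0x40a300, 0x40a31c),  # About dialog proc
    ("About",  0x40a300, 0x40a340),
    ("About",  0x40a900, 0x40a900),                                  # version-string helper
]

def blocks_by_function(trace, tag):
    """Map function start -> set of basic blocks hit while stalking under `tag`."""
    hits = defaultdict(set)
    for t, func, bb in trace:
        if t == tag:
            hits[func].add(bb)
    return hits

def coverage_stats(trace, tag):
    """(functions hit, basic blocks hit) for one tag, like the counts on the slide."""
    hits = blocks_by_function(trace, tag)
    return len(hits), sum(len(bbs) for bbs in hits.values())

def function_diff(trace, filter_tag, target_tag):
    """Functions hit under target_tag and never under filter_tag, ranked by
    distinct basic blocks so the dialog procedure outranks a tiny helper."""
    filt = blocks_by_function(trace, filter_tag)
    targ = blocks_by_function(trace, target_tag)
    only = {f: bbs for f, bbs in targ.items() if f not in filt}
    return sorted(only, key=lambda f: (-len(only[f]), f))

def block_diff(trace, filter_tag, target_tag):
    """Finer diff: basic blocks new to target_tag, grouped by function. This
    also catches the About branch inside a dispatcher the filter run already hit."""
    filt = blocks_by_function(trace, filter_tag)
    targ = blocks_by_function(trace, target_tag)
    return {f: sorted(bbs - filt.get(f, set()))
            for f, bbs in targ.items() if bbs - filt.get(f, set())}

if __name__ == "__main__":
    for tag in ("Filter", "About"):
        print("%s: %d functions / %d basic blocks" % ((tag,) + coverage_stats(TRACE, tag)))
    print("candidate About functions:", [hex(f) for f in function_diff(TRACE, "Filter", "About")])
    print("new blocks per function:", {hex(f): [hex(b) for b in bs] for f, bs in block_diff(TRACE, "Filter", "About").items()})
```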

Code Coverage Diffing
- Let’s patch the “About” function

Code Coverage Diffing

Questions/Comments?
