Friday, October 16, 2020

Malware Dev 101: Reverse Engineering

Hello reader, today we learn about malware!! yEY, s00n we will be on APT (advanced persistent threat) level. Not yet....

Malware

How does one define malware? 

Wikipedia defines it as: "Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network (by contrast, software that causes unintentional harm due to some deficiency is typically described as a software bug). A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware." Now, generally, malware is developed by Red Teams in a pentest engagement or by some other hacker with bad intent.

Reverse Engineering

Now we as defenders or Blue Teamers are supposed to be able to unpack, decrypt and analyse the code of malware for incident response. But what even is reverse engineering? Again Wikipedia helps us: "Reverse engineering, also called backwards engineering or back engineering, is the process by which an artificial object is deconstructed to reveal its designs, architecture, code or to extract knowledge from the object."

So, basically, reverse engineering is the analysis process that lets us develop signatures for our IDS/IPS or firewall.

Now, for a malware analyst to do reverse engineering, he must know how to program or have a computer science background.

Reverse Engineering 101

Generally, for us analysts to be able to understand malware code, we need special tools in order to unpack its functionality. One of the newest and most commonly used such tools is Ghidra. Ghidra is the NSA's tool for reverse engineering.

When using Ghidra it looks like this:


Generally, in CTFs and in industry, a reverse engineer has to decrypt some encryption routine or create an interpreter/emulator for bypassing some sort of obfuscation. This skill is developed by practicing crackmes. Crackmes are cryptographic puzzles whose sole purpose is to make you recover a password in order to get to the next level.


Simple crackme:

Before finishing this blog post I will solve, as an introduction, a crackme for the reader:

Here is the source code which I have prepared:

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    /* Without an argument argv[1] is NULL and strcmp would crash. */
    if (argc < 2) {
        printf("usage: %s <password>\n", argv[0]);
        return 1;
    }
    /* The expected password is stored in the clear, so it is visible
       in the decompiler (and even in the output of `strings`). */
    if (!strcmp("mama", argv[1]))
    {
        printf("level bypassed, congrats!\n");
    }
    return 0;
}

Compile it using gcc like this: gcc name_of_source_code.c -o name_of_binary
Now drag & drop the binary into Ghidra and it looks like this:

On the left we have the assembly instructions and on the right we have the decompiled source code.
On simple analysis we can see there is a string comparison: if we provide the argument "mama" on the command line we bypass the level. Awesome, let's try!
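As an added example (not part of the post), here is the next step up from that crackme: the same password "mama" is stored XORed with a constructed key instead of in the clear, so `strings` shows nothing useful and the analyst has to read the transform out of the decompiler and invert it. The key bytes and both functions are my own construction, not from the post.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: the password "mama" is not stored in the clear.
   The binary holds ENCODED = password XOR KEY, so the decompiler shows
   only opaque bytes plus the transform in check_password(). */
static const unsigned char KEY[] = {0x5a, 0x13, 0x77, 0x2e};
static const unsigned char ENCODED[] = {
    'm' ^ 0x5a, 'a' ^ 0x13, 'm' ^ 0x77, 'a' ^ 0x2e };
#define PW_LEN (sizeof ENCODED)

/* The check the crackme performs: encode the input and compare. */
int check_password(const char *input)
{
    if (strlen(input) != PW_LEN)
        return 0;
    for (size_t i = 0; i < PW_LEN; i++)
        if ((unsigned char)(input[i] ^ KEY[i]) != ENCODED[i])
            return 0;
    return 1;
}

/* The analyst's step: XOR is its own inverse, so once the key and the
   encoded bytes are read out of the decompiled binary, the password is
   recovered without guessing. `out` must hold PW_LEN + 1 bytes. */
void recover_password(char *out)
{
    for (size_t i = 0; i < PW_LEN; i++)
        out[i] = (char)(ENCODED[i] ^ KEY[i]);
    out[PW_LEN] = '\0';
}

int main(int argc, char *argv[])
{
    char recovered[PW_LEN + 1];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 1;
    }
    if (check_password(argv[1]))
        printf("level bypassed, congrats!\n");
    else
        printf("wrong password\n");
    recover_password(recovered);
    printf("analyst recovery: %s\n", recovered);
    return 0;
}
```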


End 

That's a wrap up

1 comment:

  1. Hi

    It seems that you have not worked upon the comments provided the previous week at some of the posts.
    Please focus on the topics and tasks on hand (as we have been discussing during the class) and utilise academic writing skills to score more in assessments.

    Many thanks
    Chirag

