manual unpack by debuggercodeengn.com/file/conference/07/2012_7th_codeengn...title...

Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

Manual UnpackBy Debugger

2012-12-01A-FIRST고흥환책임연구원

www.CodeEngn.com7th CodeEngn ReverseEngineering Conference

http://www.CodeEngn.com

Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

Packer

Debugger Detection

Virtual Machine Detection

Anti Tracing

Manual Unpack UPX

Manual Unpack Themida 1.9.X

Manual Unpack Themida 2.1.8.0

Contents

Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 2

Packer


Name Latest stable Software license x86-64 support

.netshrink 2.3 (March 29, 2012 (2012-03-29))[1] Proprietary Yes

Armadillo Packer 8.60 (July 6, 2011 (2011-07-06)) Proprietary Yes

ASPack 2.29 (August 3, 2011 (2011-08-03)) Proprietary ?

ASPR (ASProtect) 1.64 (September 1, 2011 (2011-09-01)) Proprietary ?

BoxedApp Packer 2.2 (June 16, 2009 (2009-06-16))[2] Proprietary Yes

CExe 1.0b (July 20, 2001 (2001-07-20)) GPL No

Enigma Protector 3.80 (August 2, 2012 (2012-08-02))[3] Proprietary Yes

EXE Bundle 3.11 (January 7, 2011 (2011-01-07))[4] Proprietary ?

EXE Stealth 4.14 (June 29, 2011 (2011-06-29))[5] Proprietary ?

eXPressor 1.8.0.1 (January 14, 2010 (2010-01-14)) Proprietary ?

MPRESS 2.19 (January 2, 2012 (2012-01-02)) Freeware Yes

Obsidium 1.4.6 (July 18, 2012 (2012-07-18))[6] Proprietary Yes

PELock 1.0.694 (January 23, 2012 (2012-01-23))[7] Proprietary No

PESpin 1.33 (May 3, 2011 (2011-05-03)) Freeware Yes

RLPack Basic 1.21 (October 31, 2008 (2008-10-31)) GPL No

Smart Packer Pro 1.7 (November 5, 2011 (2011-11-05)) Proprietary Yes

Themida 2.2.1.0 (July 25, 2012 (2012-07-25)) Proprietary ?

UPX 3.08 (December 12, 2011 (2011-12-12)) GPL No

VMProtect 2.1 (September 26, 2011 (2011-09-26)) Proprietary Yes

XComp/XPack 0.98 (February 18, 2007 (2007-02-18)) Freeware No

Executable compression= Runtime Packer= Packer

is any means of compressing an executable file and combining the compressed data with decompression code into a single executable.

I. EncryptionII. CompressionIII. RedirectionIV. SubstitutionV. ObfuscationVI. PolymorphismVII. MetamorphismVIII.ProtectionIX. Virtualization


2011 AhnLab 10,000,000 파일 대상

Invalid(21.1%)

Microsoft C(22.2%)

Nothing(14.2%)

UPX(7.8%)

PolyCryptor(6.4%)

Visual Basic(4.4%)

Nullsoft(2.1%)

Not a Valid PE(1.6%)

ASPack(1.5%)

Anti007(1.3%)

PeCompact(1.3%)

FSG(0.87%)

ASM(0.69%) MPRESS (0.45%)

ASProtect (0.40%)

Themida (0.38%)SFX (0.38%)nSPack (0.31%)Upack (0.21%)VMProtector(0.13%)Armadillo (0.12%)

etc(3.5%)

Delphi(8.0%)

Themida & UPX


Debugger Detection


BeingDebugged (PEB+0x2)

NtGlobalFlag (PEB+0x68)

ProcessHeap (PEB+0x18)

Flags(ProcessHeap+0x0C)

ForceFlags (ProcessHeap+0x10)

PEB_LDR_DATA(PEB+0x0C)


IsDebuggerPresent()

TEB (Thread Environment Block)

PEB (Process Environment Block)


CheckRemoteDebuggerPresent(ProcessId, &bPresent)


timeGetTime(), GetTickCount(), NtQueryPerformanceCounter(), RDTSC

Garbage Codes

Garbage Codes

timeGetTime()


SEH (Structured Exception Handler)

Stack

Exception Handler

Exception Handler


CreateFileA “\\.\SICE”

HANDLE WINAPI CreateFile(__in LPCTSTR lpFileName,__in DWORD dwDesiredAccess,__in DWORD dwShareMode,__in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes,__in DWORD dwCreationDisposition,__in DWORD dwFlagsAndAttributes,__in_opt HANDLE hTemplateFile

);

“\\.\SIWVID”

“\\.\NTICE”


FindWindow “FilemonClass”

“File Monitor – Sysinternals: www.sysinternals.com”

“Filem”

“DeepFrz”

“PROCMON_WINDOW_CLASS”

“Process Monitor – Sysinternals: www.sysinternals.com”

“PROCEXP”

“RegmonClass”

“Registry Monitor – Sysinternals: www.sysinternals.com”

“18467-41”

“REGMON”

“regsys”

“sysregm”

“PROCMON”

http://www.sysinternals.com




NtQuerySystemInformation “iceext.sys”

“ntice.sys”

“Syser.sys”

“HanOlly.sys”

“extrem.sys”

“FRDTSC.sys”

NTSTATUS WINAPI NtQuerySystemInformation( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,_Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength

);


LoadLibraryA "~\SoftIce\NMTRANS.DLL“

RegOpenKeyA "SOFTWARE\NuMega\DriverStudio"

RegQueryValueEx “InstallDir"

GetProcAddress “NmSymIsSoftICELoaded“

Call NmSymIsSoftICELoaded


Anti Tracing


STI, INT 1

SetEvent, DelayExecution


Garbage Code - Linear Sweep Disassembly


DbgUiRemoteBreakin Patch

DbgBreakPoint Patch


Virtual Machine Detection


I. Virtual Machine Artifacts in Processes, File System, and Registry

II. Virtual Machine Artifacts in Memory

III.Virtual Machine Specific Virtual Hardware

IV.Virtual Machine Specific Processor Instructions and Capabilities

< On the Cutting Edge : Thwarting Virtual Machine Detection 참조 >


RegOpenKeyA “Software\Wine”

LONG WINAPI RegOpenKey(__in HKEY hKey,__in_opt LPCTSTR lpSubKey,__out PHKEY phkResult

);

"HARDWARE\ACPI\DSDT\VBOX__"


RegOpenKeyA “HARDWARE\DESCRIPTION\System”

RegQueryValueEx “SystemBiosVersion"


010603FB B8 68584D56 MOV EAX,564D5868 // Magic Number "VMXh"01060400 B9 14000000 MOV ECX,14 // BACKDOOR_COMMAND_NUMBER01060405 66:BA 5856 MOV DX,5658 // Port Number01060409 ED IN EAX,DX // I/O command

0105F878 B9 0A000000 MOV ECX,0A0105F87D B8 04D75548 MOV EAX,4855D7040105F882 05 6481F70D ADD EAX,0DF781640105F887 BB 65D48586 MOV EBX,8685D4650105F88C BA 40B63400 MOV EDX,34B6400105F891 81EA E85F3400 SUB EDX,345FE80105F897 ED IN EAX,DX // I/O command0105F898 81FB 68584D56 CMP EBX,564D58680105F89E 75 0A JNZ SHORT 0105F8AA

Vmware


Manual Unpack UPX 1.9.3


IAT Table

resource

Unpack Code

Packed Data

Extracted Data

.rsrc HEADER.UPX1 HEADER.UPX0 HEADER

IMAGE NT HEADERIMAGE DOS HEADER

EntryPoint


EntryPoint

Extracting

Initialize Decompress

E8 09 or E9 09Address Correction

Retrieves the API Address

JUMP OEP

Yes

No


UPX0 – Compressed Data / UPX1 – Decompressed Data

Extracting Algorithm

…


E8 09 (CALL) / E9 09 (JMP) Address Correction


Retrieves the address

UPX->IAT


Manual Unpack Themida 1.9.X


Themida ?

l ThemidaAdvanced Windows SoftwareProtection System

l WinLicenseProfessional Software Protection & Licensing Management

l Code VirtualizerTotal Obfuscation against Reverse Engineering


IAT Table

SFX

.idata Section

.rsrc Section

Packed Data



EntryPoint

Version 1.9.X


VirtualAlloc, CreateFile, ReadFile “ADVAPI32.DLL”

VirtualAlloc, CreateFile, ReadFile “USER32.DLL”

VirtualAlloc, CreateFile, ReadFile “KERNEL32.DLL”

Subsystem Virtualization


Multi-Thread


Decode & ReEncode

Themida SFX

SFX (Self-Extracting Archive) Algorism

1’st Decoding & Processing




…

n’st Decoding & Processing

…

UnPacking


Manual Unpack Themida 2.1.8.0


New Version 2.1.8.0


Decode Code

Encoded SFX

Extracted SFX

.idata Section

EntryPoint

.rsrc Section

Packed Data



Version 2.1.8.0


… 어렵다

www.CodeEngn.com7th CodeEngn ReverseEngineering Conference

http://www.CodeEngn.com

manual unpack by debuggercodeengn.com/file/conference/07/2012_7th_codeengn...title...

Documents