CreateMutex
Dig into it and it all comes out~

Python 2.7 Unicode notes

>>> import sys

# check the terminal encoding
>>> sys.stdin.encoding
'utf-8'

>>> han = '한글'
>>> uhan = u'한글'

>>> type(han)
<type 'str'>
>>> type(uhan)
<type 'unicode'>

# these are the bytes under a utf-8 terminal; a cp949 terminal gives a different value for han
>>> han
'\xed\x95\x9c\xea\xb8\x80'
>>> uhan
u'\ud55c\uae00'

# if the terminal is 'cp949', han.decode('utf-8') raises an error
# if the terminal is 'utf-8', han.decode('cp949') raises an error
>>> han.decode('utf-8')
u'\ud55c\uae00'
>>> uhan.encode('utf-8')
'\xed\x95\x9c\xea\xb8\x80'
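The session above shows the two failure directions but not how to cope with input whose terminal codec you do not control. The following is an added example, not part of the original post: it reproduces the str/unicode split in code that runs unchanged on Python 2.7 and Python 3 (where str/unicode became bytes/str), shows that decoding with the wrong multi-byte codec fails loudly while a single-byte codec fails silently with mojibake, and sketches a codec-guessing step. The cp949 byte values are what Python's own codec produces for the same two characters; everything else (function names, the candidate order) is the example's own choice.

```python
# -*- coding: utf-8 -*-
# Added example, not from the original post: the same str/unicode split, written to run
# unchanged on Python 2.7 and Python 3 (where str/unicode became bytes/str).

HANGUL = u'\ud55c\uae00'   # u'한글' as escapes, so the file's own encoding does not matter

# What the terminal hands a script for the same two characters depends on the terminal codec:
UTF8_BYTES = HANGUL.encode('utf-8')    # b'\xed\x95\x9c\xea\xb8\x80', the 'utf-8' terminal above
CP949_BYTES = HANGUL.encode('cp949')   # b'\xc7\xd1\xb1\xdb', a Korean Windows console (cp949)


def decode_with(raw, codec):
    """Decode raw bytes with one codec. Returns (text, None) on success or
    (None, reason) when the codec rejects the bytes (the error cases in the post)."""
    try:
        return raw.decode(codec), None
    except UnicodeDecodeError as exc:
        return None, '%s: %s' % (codec, exc.reason)


def guess_codec(raw, candidates=('utf-8', 'cp949')):
    """First candidate that decodes the bytes without error, or None.
    UTF-8 goes first: its continuation-byte rules reject cp949 text almost always,
    while cp949 accepts many byte pairs, so trying it first would mis-detect."""
    for codec in candidates:
        if decode_with(raw, codec)[1] is None:
            return codec
    return None


def roundtrip(raw):
    """Decode with the guessed codec and re-encode as UTF-8: the normalisation step
    a script needs when its input can come from either kind of terminal."""
    codec = guess_codec(raw)
    if codec is None:
        raise ValueError('undecodable input: %r' % (raw,))
    return raw.decode(codec).encode('utf-8')


# Caution: single-byte codecs never fail. Decoding cp949 bytes as latin-1 silently
# yields mojibake (u'\xc7\xd1\xb1\xdb') instead of an error.
MOJIBAKE = decode_with(CP949_BYTES, 'latin-1')[0]
```

The practical point is the last line: a UnicodeDecodeError is the good outcome, because the alternative is text that looks decoded but carries the wrong characters into whatever you do next (file names, database rows, log matching).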




x64dbg has added a graph feature.



The IDA integration plugin seems decent too...

Looks good. :)


Reversing tools collection

https://www.pelock.com/articles/reverse-engineering-tools-review#x64dbg


KEEP


----------------------------


Tools

A review of reverse engineering (i.e. software reversing) tools: advantages and disadvantages, alternative solutions.

Reverse engineering, or software reversing, is a set of techniques used to analyze closed-source software in order to extract seemingly unavailable information, e.g. algorithms, hidden access passwords (e.g. to databases), information on how certain files are encrypted, and so on.

Reverse engineering is used, for example, in analyzing software for potential security vulnerabilities (exploitation), in malware analysis (antivirus developers), and in software and game localization.

Advanced software analysis requires knowledge of the structure of the examined files, so most often a knowledge of executable file formats is required: Portable Executable (PE) for Windows or ELF for Linux-type systems. It is also necessary to know the basics of assembly for 32- and 64-bit platforms in order to properly understand the compiled code of closed-source software, its structure, and the widely used concepts and software constructs as they appear once transformed into binary data.

Even with the appropriate knowledge, we will not be able to use it without proper tools. In this article I'd like to present dedicated tools used in reverse engineering, divided into categories. Most of the tools presented here would qualify for a separate article on their own, but my idea was to present as many types of software as possible, to show the variety of uses.

The complicated nature of reverse engineering software, and of the process of creating it, often means that those programs are also expensive, but I have tried to present alternative solutions and free equivalents of the presented examples.

Identifiers

There is a wide variety of both programming languages and compilers. Apart from applications created in scripting languages, there are applications compiled to the processor's native code. On top of that there are numerous methods of protecting applications and their resources, and all of this affects the final form of the binary file image on disk.

If we are not sure what the software we are looking at was created with, because we lack the expertise to distinguish the characteristic features of compiled files (section names, imported libraries, etc.), it is worth trying an identifier (or detector): a tool with a signature base of popular compilers, program and cryptographic libraries, and application protection systems. A quick analysis will let us decide what our next step should be (e.g. unpacking the application).
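As an added example (not from the article or from any of the detectors reviewed below), here is the smallest version of what such a detector does with the "characteristic features" just mentioned: it walks the PE headers to the section table and matches section names against the default names that common packers leave behind. Because a renamed section defeats a name match, the example also shows the structural heuristic a detector falls back on: a writable and executable section that has a VirtualSize but no bytes on disk is the area a packer's stub decompresses into. The packer names are the well-known defaults; the two PE images are constructed inline from header fields only, so the script runs offline on any platform.

```python
# Added example, not part of the original article: a minimal PE section-table reader used
# the way an identifier/detector uses it. Section names are the well-known packer defaults.
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PACKER_SECTION_NAMES = {
    'UPX0': 'UPX', 'UPX1': 'UPX', 'UPX2': 'UPX',
    '.aspack': 'ASPack', '.adata': 'ASPack',
    '.vmp0': 'VMProtect', '.vmp1': 'VMProtect', '.vmp2': 'VMProtect',
    '.themida': 'Themida',
    '.MPRESS1': 'MPRESS', '.MPRESS2': 'MPRESS',
    '.petite': 'Petite',
}


def parse_sections(image):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Returns (machine, [section dicts])."""
    if image[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, flags) = struct.unpack_from('<8sIIIIIIHHI', image, table + 40 * i)
        sections.append({'name': name.rstrip(b'\0').decode('latin-1'),
                         'vsize': vsize, 'vaddr': vaddr,
                         'raw_size': raw_size, 'raw_ptr': raw_ptr, 'flags': flags})
    return machine, sections


def identify_packer(sections):
    """Signature-style match on section names; None when nothing is recognised."""
    for sec in sections:
        if sec['name'] in PACKER_SECTION_NAMES:
            return PACKER_SECTION_NAMES[sec['name']]
    return None


def unpacking_stubs(sections):
    """Name-independent heuristic: writable+executable, occupies memory (VirtualSize > 0)
    but has no file bytes (SizeOfRawData == 0). That is where a packer's stub writes the
    decompressed code; UPX0 is the classic case."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s['name'] for s in sections
            if s['flags'] & wx == wx and s['raw_size'] == 0 and s['vsize'] > 0]


def build_image(sections):
    """Constructed test input: a bare PE32 header with the given section table, no section data."""
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)                  # e_lfanew = 0x40
    opt = struct.pack('<H', 0x10B) + b'\0' * (0xE0 - 2)                  # PE32 magic, rest zeroed
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b''.join(
        struct.pack('<8sIIIIIIHHI', name.encode('ascii'), vsize, vaddr, raw_size, raw_ptr,
                    0, 0, 0, 0, flags)
        for name, vsize, vaddr, raw_size, raw_ptr, flags in sections)
    return dos + b'PE\0\0' + coff + opt + table


# Constructed samples: section tables as UPX and a plain MSVC build typically lay them out.
UPX_SAMPLE = build_image([
    ('UPX0', 0x10000, 0x1000, 0, 0x400, 0xE0000080),
    ('UPX1', 0x5000, 0x11000, 0x4A00, 0x400, 0xE0000040),
    ('.rsrc', 0x1000, 0x16000, 0x600, 0x4E00, 0xC0000040),
])
PLAIN_SAMPLE = build_image([
    ('.text', 0x3000, 0x1000, 0x3000, 0x400, 0x60000020),
    ('.rdata', 0x1000, 0x4000, 0x1000, 0x3400, 0x40000040),
    ('.data', 0x800, 0x5000, 0x200, 0x4400, 0xC0000040),
])


def report(image):
    machine, sections = parse_sections(image)
    return {'machine': machine, 'sections': [s['name'] for s in sections],
            'packer': identify_packer(sections), 'unpacking_stubs': unpacking_stubs(sections)}


if __name__ == '__main__':
    for label, img in (('upx', UPX_SAMPLE), ('plain', PLAIN_SAMPLE)):
        print(label, report(img))
```

Real detectors add byte-pattern signatures at the entry point and import-table checks on top of this, but the two questions asked here (is a known packer's section layout present, and is there an empty-on-disk executable region) are the ones that usually decide whether the next step is "unpack" or "open in the disassembler".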

Detect It Easy

The DIE detector has a database of the most popular protection systems, including exe-packers and exe-protectors, as well as signatures of popular compilers and linkers. Additionally it has a simple built-in scripting language that allows us to add new signature definitions quickly. A PE executable file structure viewer is also available.

Image 1. File detector Detect It Easy
Website: http://ntinfo.biz
Licence: Freeware
Advantages
  • Built-in script language
  • PE file structure viewer
  • Plug-ins system
  • Updated regularly
  • Plug-ins for the HIEW and CFF Explorer editors
  • Windows, Mac OS X and Linux versions
Disadvantages
  • Small signature base

ProtectionID

The ProtectionID detector was created to detect game protection systems; it has a vast base of signatures for all kinds of protection systems, compilers and linkers. Although the user interface may not be the best looking, it does the job perfectly and is updated very often.

Image 2. ProtectionID file detector
Website: http://pid.gamecopyworld.com
Licence: Freeware
Advantages
  • Large signature base
  • Updated very often
Disadvantages
  • Hardly intuitive interface

Disassemblers and decompilers

Knowing what we are dealing with, or to be precise which programming language and compiler the application was created with, we begin the analysis in a disassembler or decompiler. Their task is to analyze the compiled binary file and display its code and structure in a way that is easy for a human to understand.

Thanks to disassembling and decompiling we learn all the functions of the application, which text strings are inside it and which fragments of code reference them, which external operating system functions the application uses, and which functions it exports (e.g. in the case of DLL dynamic libraries).

A disassembler's job is to depict the application's code in the form of low-level assembly, so if the analyzed software was written in C++, Delphi, Visual Basic or any other high-level language compiled to native code, the disassembler will show us its object code as x86 or x64 assembly.

Decompilers are able to, or at least try very hard to, recreate the original high-level code from the compiled application. As you can guess, recreating high-level code, e.g. C++ with recognition of data structures, types and language constructs, from compiled assembly is a very complicated process, so the number of tools that can do it is very small, and the good ones are at the same time very expensive.

Decompilers can be divided by the category of software they are able to analyze. Compilers for languages like C# (the .NET Framework family), Visual Basic or Java generate object code in an intermediate form, meaning the code is not executed directly by the processor like x86 code; it is a pseudo-code (so-called P-Code) executed by the virtual machine of those programming systems (to run it we need e.g. the .NET Framework or a JVM installed).

Because of its simplicity, and because most information is stored as pseudo-instructions and metadata, decompiling such output code is much simpler than decompiling x86 or x64 code. This led to the creation of many dedicated decompilers that became a nightmare for programmers writing in those languages, as it was very easy for anyone to take a peek at unprotected software: practically a version with the source code wide open.

That was a short introduction; now it is time for a list of the most popular disassemblers and decompilers and their usage examples.

IDA and Hex-Rays

IDA, the Interactive DisAssembler, is the undisputed king among tools used in reverse engineering. IDA is a disassembler and debugger with built-in code analysis for over 60 types of processors. It has its own scripting language, a large base of signatures of the most popular programming libraries, and support for plug-ins that further enhance its functionality, e.g. by adding support for Python scripts.

Image 3. IDA's disassembler and decompiler windows

The best-known and most valued plugin for IDA is the Hex-Rays decompiler, which supports decompilation of x86, x64 and ARM code and is an invaluable analysis tool.

IDA also has built-in debuggers for many hardware platforms, which makes it a perfect multitool for analyzing various executable files.

Website: https://www.hex-rays.com
Licence: Commercial from 449 EUR, and a free demo version.
Advantages
  • Supports large numbers of processor types
  • Built-in signatures of popular programming libraries
  • Large configuration possibilities
  • Built-in debuggers
  • Plugins system
  • Script language
  • Windows, Mac OS X and Linux versions
Disadvantages
  • Price
  • Lack of good, free alternative solutions

.NET Reflector

When you must face the analysis of software created in a .NET Framework language, e.g. C# or VB.NET, the .NET Reflector decompiler will prove an invaluable help. With it you will be able to quickly and efficiently take a peek at the application's structure and code.

Reflector's big advantage is its small but very useful plugin base, which includes, for example, a plugin that recreates a whole Visual Studio project from the decompiled application. In addition, integration with Microsoft Visual Studio allows simultaneous debugging of your own code and the code of closed libraries.

Because decompiling programs created for the .NET Framework is so simple, many protection tools were created; we are of course talking about obfuscators that remove metadata from compiled programs, modify the IL code, encrypt text strings, etc. If we come across such a program, we should familiarize ourselves with the de4dot deobfuscator, which can automatically remove the protections applied by dozens of obfuscator types.

Image 4. .NET Reflector decompiler window
Website: http://www.red-gate.com/products/dotnet-development/reflector/
Licence: Commercial from 99 USD, and a free time-limited trial
Advantages
  • Excellent presentation and navigation over decompiled code
  • Decompiling to many output languages: C#, VB.NET, IL
  • Decompiling and debugging straight from Microsoft Visual Studio
  • Many useful plugins, e.g. Reflexil patcher
Disadvantages
  • No support for protected applications (no deobfuscator)
  • Slow start (online licence check)

dnSpy (new)

A real workhorse for .NET decompilation, with a built-in IL code editor and debugger. On top of that, it's free, with an intuitive and modern interface design.

Image 25. dnSpy decompiler and debugger window
Website: https://github.com/0xd4d/dnSpy
Licence: GNU GPL v3
Advantages
  • Excellent work speed
  • Simple IL code editor
  • Built-in debugger
  • Modern look
Disadvantages
  • None

Java Decompiler

JD-GUI, or Java Decompiler, is a decompiler for Java applications, hence its name. It allows viewing the code of compiled *.class units or whole *.jar bundles.

It contains a very useful search engine with filters that allow searching by names, types, constructors, fields, methods and text strings.

Apart from the stand-alone application there are also plugins for the Eclipse and IntelliJ IDEA programming environments that allow viewing the code of compiled modules.

If you've ever used, or still use, the well-known decompiler JAD (discontinued in 2001), then it's about time for an update: not only does JD-GUI support newer elements of the Java language, but navigating the decompiled project is also very easy and fun.

It also needs to be mentioned that, just as with .NET applications protected with obfuscators, Java applications can be protected too, and then the decompiler's functionality is limited or it fails entirely.

Image 5. Java Decompiler (aka JD-GUI)
Website: http://jd.benow.ca
Licence: Freeware
Advantages
  • Intuitive navigation over decompiled code
  • Plugins for the Eclipse and IntelliJ IDEA environments
Disadvantages
  • No support for protected applications (no deobfuscator)
  • No fallback to bytecode disassembly when decompilation hits errors

JustDecompile

A free alternative to the commercial .NET Reflector, developed by Telerik, known for its UI components. Free doesn't mean worse: it has a built-in reference search engine, the ability to generate projects from decompiled sources, and support for plugins, including a de4dot deobfuscator plugin.

Image 6. JustDecompile decompiler
Website: http://www.telerik.com/download/justdecompile
Licence: Freeware
Advantages
  • Support for own plugins
  • Generating output code in C#, VB.NET and IL
  • Visual Studio plugin
Disadvantages
  • It is a bit clunky compared to .NET Reflector

ReFox

A decompiler for applications created with Microsoft's Visual FoxPro database programming environment. This is a very niche solution for an equally niche environment, but there are no alternatives that would allow analysis of those applications; those that did exist have been discontinued and don't support the latest versions of VFP applications. ReFox allows decompiling classes, viewing forms and built-in data.

Image 7. ReFox decompiler
Website: http://www.refox.net
Licence: Commercial from 290 EUR, and a demo version.
Advantages
  • Decompiling of classes
  • Form viewer
  • Restoration of Visual FoxPro projects
Disadvantages
  • A bit outdated interface
  • Sometimes can't handle decompiling of code

VB Decompiler

Applications created with Visual Basic 5 and 6 are all in the past now; however, the internal structure of their P-Code based code was a cradle for the .NET technology, and from the very beginning it caused problems with code analysis, as there were no dedicated tools for it. We can say that VB Decompiler was created a bit too late for the market's needs, but it is irreplaceable when analyzing Visual Basic applications (EXE, DLL as well as OCX controls) compiled to P-Code (Visual Basic also allowed compiling to x86 code).

Image 8. VB Decompiler
Website: https://www.vb-decompiler.org
Licence: Commercial from 99 EUR, plus a lite version.
Advantages
  • View of form code and events
  • Plugins system
  • Disassembly of native x86 code
Disadvantages
  • Limited navigation in decompiled code

IDR

IDR, the Interactive Delphi Reconstructor, is a disassembler and decompiler meant only for analyzing applications built in the popular Delphi environment. It is a very useful tool compared to e.g. IDA because it can analyze the internal structures of a Delphi application; it has a built-in form viewer that allows quickly and easily finding the events assigned to controls on a form (e.g. button1.OnClick). IDR has vast signature databases of the standard Delphi libraries in all available versions, so in the output deadlisting we will see friendly function names.

Image 9. Disassembler and decompiler for Delphi - IDR
Website: http://kpnc.org/idr32/en/
Licence: Freeware, with an optional paid current copy (unknown terms and conditions; the author couldn't be contacted).
Advantages
  • Delphi form viewer with controls events browser
  • Export of a map with function and variable names (e.g. for IDA or a debugger)
  • Built-in signatures of all versions of Delphi environment
Disadvantages
  • Irregular updates
  • Unclear terms of access to latest versions

Debuggers

Every programmer sooner or later gets to know the debugger of their favourite programming environment. Thanks to a debugger we can track an application running in real time, see how instructions affect the contents of memory or variables, and detect potential errors. However, debugging our own software, when we have the source code and usually debug high-level code straight from the programming environment, is a piece of cake compared to debugging an application without access to its source code. This is where dedicated debuggers with advanced analysis of binary application structures come in handy, but using them requires knowledge of low-level languages as well as the basics of how the processor the application was compiled for works.

OllyDbg

This is the de facto standard debugger for Windows in the world of reverse engineering (alongside the built-in debugger of the IDA disassembler). It can analyze application code and allows interfering with almost every aspect of a running application.

Other interesting functions of OllyDbg include conditional code tracing and a vast plugin base, including plugins hiding its presence from anti-debugging methods (the Phant0m plugin) and plugins that allow controlling the debugger from the script level (the ODbgScript plugin); such scripts, most often used for unpacking protected applications, come in hundreds.

The popularity of OllyDbg is evident from the fact that no other debugger, including the legendary SoftICE system debugger, has had as many plugins and modified versions. Interestingly, a special version of OllyDbg was created under the name Immunity Debugger, with built-in Python script support, meant for analyzing malware and creating exploits.

There are currently two versions of OllyDbg: the old 1.10, which has the most extensions, and the new 2.01, which is becoming more and more popular. It is good news that a new 64-bit version is being developed, given the popularity of 64-bit operating systems.

Image 10. OllyDbg v1.10 debugger
Image 11. The same code in the OllyDbg 2.01 debugger
Website: http://www.ollydbg.de
Licence: Shareware, free of charge according to the website (upcoming freeware?)
Advantages
  • Outstanding analysis of application code
  • Many configuration options
  • Vast database of plugins and scripts
Disadvantages
  • 64 bit version is still being developed

x64dbg (new)

x64dbg is basically two debuggers, one dedicated to debugging 64-bit software and the other to 32-bit applications. It features a modern interface, plenty of configuration options, and an internal engine based on modern programming libraries such as TitanEngine, Capstone Engine and Keystone Engine.

The number of supported features is really impressive: plugins, a built-in scripting language, Yara signature scanning, a built-in decompiler and much more. And its development is very active. Given that the 64-bit OllyDbg never left the development stage, x64dbg has become the de facto standard debugger for 64-bit applications.

Image 26. x64dbg debugger
Website: http://x64dbg.com
Sources: https://github.com/x64dbg/x64dbg
Licence: GNU GPL v3
Advantages
  • Modern interface
  • Modern programming libraries used
  • Configuration flexibility
  • Plugins
  • Built-in scripting language
  • Built-in decompiler (Snowman)
Disadvantages
  • It doesn't have as many plugins as OllyDbg
  • The popular ODbgScript scripting language, with thousands of scripts, is not supported

DILE

A debugger for .NET Framework applications. It is quite a clunky tool, but sometimes invaluable. It looks a bit like the Visual Studio built-in debugger; I'm mentioning it only because it is one of very few debuggers for .NET applications without access to source code (there are also .NET Reflector plugins for debugging, e.g. the Deblector plugin).

Image 12. .NET – DILE application debugger
Website: http://sourceforge.net/projects/dile/
Licence: GNU GPL
Advantages
  • It exists
Disadvantages
  • Many
  • Complicated user interface

Hex editors

Once you have analyzed your application in a disassembler and traced its execution in a debugger, there may be a need to interfere with the program code in order to apply corrections, or to change some text strings, fix values or other information included in the application's binary file.

For that purpose hex editors are used. Back when I used to read the games magazine Top Secret, I associated hex editors only with modifying saved games, as readers sent in numerous offsets (addresses in a file) and the values that needed to be changed in save files, e.g. to get a certain amount of cash or other resources in the game.

There are many hex editors on the market with numerous different functions and applications, such as a built-in view of data structures (meaning the hex editor can visually display, for example, bitmap elements or the internal structure of an exe file). An example of such an editor is the well-known WinHex, used in data recovery (it has built-in support for many file system structures); however, in my opinion it is not very good for 'digging' in application binaries, even though it has the appropriate functions.

HIEW

This is my number one among hex editors; I cannot imagine my work without it. It seems to be an old console application, but in reality it is a true beast. HIEW (Hacker's View) is a hex editor and disassembler that supports the x86, x64 and ARM v6 architectures; it also supports NE, LE, PE/PE32+ and ELF/ELF64 files. The program has a vast user base, has been developed since 1991, and is updated regularly.

Thanks to HIEW we can edit not only binary file data but, if the file is an application, also its code. The built-in disassembler allows navigating the code and its functions and easily modifying existing instructions with the help of the built-in assembler, which means you don't have to know opcodes by heart: it is enough to type e.g. mov eax,edx and HIEW will assemble that instruction and insert it into the binary file.

HIEW is also able to replace tools like IDA time and again if we have a simple task to do; its greatest advantages are its speed and its built-in code analysis and direct modification options.

Image 13. HIEW hex editor and disassembler
Website: http://www.hiew.ru
Licence: Commercial from 19 USD, and a demo version.
Advantages
  • Built-in disassembler and assembler for many types of processor architectures
  • Support for many formats of exe files
  • Plugins system
Disadvantages
  • No overlaps

Hex Workshop

A Windows hex editor with many useful options: file comparison, bit operations on code blocks, checksum generation, and structure views for the most popular file types.

Image 14. Hex Workshop hex editor
Website: http://www.bpsoft.com
Licence: Commercial from 89.95 USD, and a time-limited version.
Advantages
  • Advanced bit operations on data blocks
  • Possibility of disc editing
  • Built-in checksum and cryptographic hash calculator
  • Automatic search for all text strings
Disadvantages
  • Messed up graphic interface
  • Expensive, compared to alternatives

HxD

A free hex editor with basic functions and options like editing, search and file comparison. It allows working with multiple files simultaneously; it is also possible to open the memory of other processes and to gain direct access to disks.

Image 15. HxD hex editor
Website: http://mh-nexus.de/en/hxd/
Licence: Freeware
Advantages
  • Simplicity
  • Simultaneous editing of multiple files
  • Ability to edit process memory and disk data
  • Data export to source-code formats for programming languages
  • Built-in checksum and cryptographic hash calculator
Disadvantages
  • No advanced modification options (like e.g. XOR operations on data blocks)
  • Minimalistic interface

Resource editors

A characteristic feature of Windows applications is that all resources such as icons, images, forms, localized texts and other information can be stored in the PE file structure, in a special area called resources. This data is written at link time. Since all application files are stored in one EXE or DLL output file, if we need to change this information and its size stays the same, we can modify it with a hex editor; however, if we need to add new data or replace it with something larger (e.g. a longer text or another image), then because of the structure of this data we will have to use a proper resource editor.

Apart from modifying an application's resources, resource editors are also used just to take a peek at what additional data is stored in the application's file.

Resource Hacker FX

Resource Hacker used to be one of the most popular resource editors, but it was discontinued for a long time; because of its popularity, new patches were created that gave this editor a new life.

Image 15. Resource Hacker FX resource editor
Website: http://rammichael.com/resource-hacker-fx
Licence: Freeware
Advantages
  • Processing speed
  • Ability to manipulate data at the resource script level
Disadvantages
  • The patches don't update outdated functions
  • No preview of Delphi forms
  • No syntax coloring for XML elements (e.g. manifests)

Resource Tuner

An excellent resource editor from the creators of PE Explorer. It contains built-in unpackers, e.g. for the UPX or FSG compressors, and resource editing can also be done with the help of friendly wizards. Resource Tuner also has a built-in scanner that can scan any given directory for resources of a specific type.

Image 16. Resource Tuner resource editor
Website: http://www.heaventools.com/resource-tuner.htm
Licence: Commercial from 49.95 USD, and a 30-day trial version.
Advantages
  • Friendly user interface
  • Support in the form of wizards
  • Built-in unpacker
Disadvantages
  • No low-level (script) editing of resource structures

Editors and support tools

Reverse engineering requires specialized tools for specific purposes beyond the standard ones like disassemblers, decompilers and debuggers; there are many dedicated tools that help in analyzing applications, as well as editors, some of which you will find below.

PE-Bear

An excellent browser and editor of file structure, with a simple built-in disassembler, PE file comparison based on the values of all structures (a solution unique on a world scale), detection of popular exe-packers / exe-protectors, a hex editor, and a graphical visualization of the section layout.

This tool, created by a Polish programmer (yes, you read that right), is perfect for low-level analysis of PE/PE32+ files and was created mostly for the purpose of malware analysis.

Image 18. PE-Bear editor
Website: https://hshrzd.wordpress.com/pe-bear/
Licence: Freeware
Advantages
  • Unique functions
  • Simple editing of the PE/PE32+ file structure
  • Detection of popular exe-packers and exe-protectors based on signatures
  • Windows and Linux versions
Disadvantages
  • Simple disassembler (too simple)
  • No configuration options

PeStudio

An interesting tool that, apart from displaying basic information about an exe file, also has a set of rules that can detect incorrect elements in the structure of the exe file (all sorts of anomalies) as well as elements that can potentially indicate the file is malicious. A very useful tool for those who work with PE files every day.

Image 19. PeStudio executable file analyzer
Website: https://www.winitor.com
Licence: Free for non-commercial use.
Advantages
  • Detection of anomalies in exe files
  • Convenient PE file structure viewer
Disadvantages
  • Some rules are too strict

dirtyJOE

An advanced editor for compiled Java files. A unique tool, developed by a Polish author, for code modification, with a built-in disassembler and assembler; this editor also allows modifying all structures within compiled *.class files. dirtyJOE is useful when we want to modify protected files (after a Java obfuscator has been applied), when the traditional method of decompiling, modifying and recompiling fails; here dirtyJOE proves irreplaceable.

Image 20. dirtyJOE Java file editor
Website: http://dirty-joe.com
Licence: Free for non-commercial use.
Advantages
  • JVM instruction disassembler and assembler
  • Adding and editing fields like e.g. text strings
  • 32 and 64 bit versions
  • Plugin for Total Commander
Disadvantages
  • Raw interface
  • Uncomfortable code editor

Extractors and rippers

Application files, just like application bundles, can contain additional data, e.g. hidden icons, sound files, libraries, etc. If we want a quick check of what's inside an application, or e.g. inside a whole software installation package, we need an appropriate extractor or ripper.

Universal Extractor

This software allows extracting files from archives, self-extracting archives and installers. This is very useful when we want to learn what's inside an installer package, where we can often find additional installation scripts or auxiliary libraries, without actually running the installation process.

Image 21. Universal Extractor
Website: http://legroom.net/software/uniextract
Licence: Freeware
Advantages
  • Support for archives (including unpacking)
  • File extraction from popular installer systems
Disadvantages
  • Hasn't been updated for a long time
  • Sometimes alternative solutions are needed for newer versions of installer systems

MultiExtractor

An extractor of all kinds of multimedia files: graphics, icons, sounds, movies, 3D models, Flash animations. Dynamic data unpacking from process memory and a simple viewer make this a very interesting tool when we want to take a quick peek at what's inside application files.

Image 22. MultiExtractor
Website: http://www.multiextractor.com
Licence: Commercial from 19 USD, and a demo version.
Advantages
  • Extraction of numerous graphic file formats
  • Extraction from process memory
  • Recognition of popular file formats
Disadvantages
  • No new file formats added for quite a long time
  • Can sometimes freeze, especially with a large number of files.




IDA Plugin list

https://github.com/onethawt/idaplugins-list




Anti-VM malware - it also checks the disk size

A malware sample I analyzed recently.


Checks for VMware, VirtualBox, and the VM's HDD size


1. VMware magic number ('VMXh') check (image omitted)


2. VirtualBox check

- \\.\VBoxMiniRdrDn

- VboxHook.dll


3. HDD capacity check

It finds the drives with GetLogicalDrives and

gets the capacity information with GetDiskFreeSpaceExW.

Oddly, it loops 5 times, from 2 to 7, adding up each drive's capacity in the G_bytes variable (in the figure above..) and compares the sum with 20 GB.

Less than 20 GB is judged to be a VM.


First time I've seen this part, so I'm writing it down.
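The three checks described above, re-implemented as an added example (this is not the sample's code and not from the post): the disk check is separated into a data-gathering step (GetLogicalDrives / GetDiskFreeSpaceExW, Windows only) and a decision step that can be exercised with constructed drive tables on any OS, so the threshold behaviour can be tested without a Windows box. The 20 GB threshold, the drive range (bit indices 2 to 6, i.e. C: to G:) and the VirtualBox artifact names come from the post; the System32 location assumed for VboxHook.dll, and all function names, are the example's own. The VMware 'VMXh' port check is omitted because it needs an IN instruction, which Python cannot issue.

```python
# Added example, not from the post or the sample: the VirtualBox artifact check and the
# disk-capacity check, with the decision logic separated from the Windows API calls.
import ctypes
import os
import sys

GB = 1024 ** 3
VM_THRESHOLD = 20 * GB         # from the post: total capacity below this => "VM"
DRIVE_INDICES = range(2, 7)    # the sample's loop: 5 iterations, bit 2 (C:) to bit 6 (G:)
VBOX_ARTIFACTS = (
    r'\\.\VBoxMiniRdrDN',                     # guest-additions device object named in the post
    r'C:\Windows\System32\VBoxHook.dll',      # DLL named in the post; the directory is an assumption
)


def vbox_artifacts_present(exists=os.path.exists):
    """Check 2: which VirtualBox artifacts exist. `exists` is injectable for testing."""
    return [p for p in VBOX_ARTIFACTS if exists(p)]


def drive_root(index):
    """Bit index in the GetLogicalDrives mask -> root path ('C:\\' for 2)."""
    return chr(ord('A') + index) + ':\\'


def enumerate_drive_sizes_windows(indices=DRIVE_INDICES):
    """Data gathering for check 3 (Windows only): GetLogicalDrives gives one bit per mounted
    drive, GetDiskFreeSpaceExW gives the total size of each root. Mirrors the sample's C:..G: range."""
    k32 = ctypes.windll.kernel32
    mask = k32.GetLogicalDrives()
    sizes = {}
    for i in indices:
        if not mask & (1 << i):
            continue
        total = ctypes.c_ulonglong(0)
        ok = k32.GetDiskFreeSpaceExW(ctypes.c_wchar_p(drive_root(i)), None,
                                     ctypes.byref(total), None)
        sizes[drive_root(i)] = total.value if ok else None   # None: e.g. removable drive, no media
    return sizes


def total_capacity(drive_sizes):
    """The G_bytes accumulator from the post: sum of every drive the sample could query."""
    return sum(size for size in drive_sizes.values() if size)


def disk_looks_virtual(drive_sizes, threshold=VM_THRESHOLD):
    """Check 3: less than 20 GB of total capacity is treated as 'running in a VM'."""
    return total_capacity(drive_sizes) < threshold


def evade_analysis(drive_sizes, exists=os.path.exists):
    """The decision the sample reaches from checks 2 and 3; empty list means 'looks like real hardware'."""
    reasons = []
    if vbox_artifacts_present(exists):
        reasons.append('virtualbox-artifact')
    if disk_looks_virtual(drive_sizes):
        reasons.append('small-disk')
    return reasons


# Constructed drive tables (not measured on any machine)
SMALL_VM = {'C:\\': 15 * GB}
TYPICAL_HOST = {'C:\\': 240 * GB, 'D:\\': 1000 * GB, 'E:\\': None}

if __name__ == '__main__':
    sizes = enumerate_drive_sizes_windows() if sys.platform == 'win32' else TYPICAL_HOST
    print(sizes, evade_analysis(sizes))
```

For the analysis side the takeaway is the threshold: an analysis VM with a single small virtual disk trips this sample, while a sparse virtual disk declared at, say, 100 GB costs almost nothing and passes the check; the guest-additions artifacts are the other thing to strip from a sandbox image.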


tag - e77d2f10a34


Cracks in Corning Gorilla Glass

I searched and found nothing posted about the downsides of Gorilla Glass, so I'm posting this.


After seeing Google search results saying Gorilla Glass is good (version 4 or so, thin and strong too..),

I bought one, but it had a problem of cracking on its own.

I don't know the exact cause. But what is clear is that there was no major impact.

The first crack is the one in the middle-left of the photo. It cracked after about a month of use, but the screen was still visible and the glass dust didn't seem dangerous, so I kept using it.


Then after about two months of use.. two more small cracks had appeared at the bottom. This time too, the phone had been lying on the bed and when I woke up it was cracked like that. The touch feel was better than a plain film, so I'd even bragged to people around me that it was worth the money.. but when I looked it up, there were many reviews saying it cracks by itself.


Wondering if the strength was poor, I hit it with metal before peeling it off, but it didn't crack.

If it doesn't crack no matter how much impact I apply, yet it cracks, my guess is that it cracks by itself..-_-



After peeling it off and bending it, it shattered into small pieces as in the first photo on the right, with what seems to be an anti-shatter function kicking in.

And the cracked part was glass, with the part underneath looking like plastic. The part that cracked by itself didn't shatter into small pieces, so I also thought it might be dangerous.


I paid a lot for it but it was hard to find anything about this downside, so I'm leaving a note.






Virtual machine detection code

https://damagelab.org/lofiversion/index.php?t=24538


Very old material.


VirtualMachineDetect.h

//------------------------------------------------------------------------
// Functions for detecting whether the application is running under a virtual machine
//   detects VirtualBox, VMware, VirtualPC and Parallels Workstation
//------------------------------------------------------------------------
#include <windows.h>
#include <Tlhelp32.h>
#include <iphlpapi.h>

#pragma comment(lib, "IPHLPAPI.lib")

// detect VMware via the backdoor I/O port
bool VMwareDetect();

// detect VirtualPC via "invalid" processor instructions
bool VirtualPCDetect();

// detect VMware by the window class name "VMSwitchUserControlClass"
bool VMwareWindowDetect();

// detect VirtualBox by the window class name "VBoxTrayToolWndClass"
bool VirtualBoxWindowDetect();

// detect VMware by the BIOS version in the registry
bool VMwareBIOSDetect();

// detect VirtualBox by the video adapter BIOS version in the registry
bool VirtualBoxBIOSDetect();

// detect Parallels Workstation by the presence of the PRLSACPI registry key
bool ParallelsRegDetect();

// detect VirtualBox by the process name "VBoxTray.exe"
bool VirtualBoxProcessDetect();

// detect VirtualPC by the process name "vmusrvc.exe"
bool VirtualPCProcessDetect();

// detect VMware by the process name "vmtoolsd.exe"
bool VMwareProcessDetect();

// detect VirtualBox by the object names "Device\VBoxMiniRdrDN" and "Device\VBoxGuest"
bool VirtualBoxDevObjDetect();

// detect VirtualPC by the object name "Device\\VMDRV"
bool VirtualPCDevObjDetect();

// detect VirtualBox by the processor identifier
bool VirtualBoxCPUIDDetect();

// detect VMware by the processor identifier
bool VMwareCPUIDDetect();

// detect Parallels Workstation by the processor identifier
bool ParallelsCPUIDDetect();

// detect VirtualPC by MAC address
bool VirtualPCMACDetect();

// detect VirtualBox by MAC address
bool VirtualBoxMACDetect();

// detect VMware by MAC address
bool VMwareMACDetect();

// detect Parallels Workstation by MAC address
bool ParallelsMACDetect();

// detect a virtual machine by the hard disk identifier
// for VirtualPC   IDDisk = "DiskVirtual"
// for VirtualBox  IDDisk = "DiskVBOX_HARDDISK"
// for VMware      IDDisk = "Prod_VMware_Virtual"
bool VirtualMachineIDDiskDetect(char* IDDisk);

// detect Parallels Workstation by the video adapter
bool ParallelsVideoCardDetect();

// detect VirtualBox by the video adapter
bool VirtualBoxVideoCardDetect();

// detect VirtualPC by the video adapter
bool VirtualPCVideoCardDetect();


VirtualMachineDetect.cpp
#include "VirtualMachineDetect.h"

//----------------------------------------------------------------------
bool VMwareDetect()
{
__try
{
__asm
 {
 mov eax, 0x564d5868
 mov ecx, 0x0A
 mov edx, 0x5658
 in eax, dx 
 }
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER) 
{
return false;
}
}
//----------------------------------------------------------------------
bool VirtualPCDetect()
{
__try
{
__asm
 {
 xor ebx, ebx
 mov eax, 1
 _emit 0x0F   //MSVC inline-asm pseudo-instruction for raw bytes (original wrote __emit(...), which x86 inline asm does not accept)
 _emit 0x3F
 _emit 0x07
 _emit 0x0B
 }
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER) 
{
 return false;
}
}
//----------------------------------------------------------------------
bool VMwareWindowDetect()
{
HWND VMwareWindow = NULL;
VMwareWindow = FindWindowA("VMSwitchUserControlClass",NULL);
if(VMwareWindow != NULL)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxWindowDetect()
{
HWND VBoxWindow = NULL;
VBoxWindow = FindWindowA("VBoxTrayToolWndClass",NULL);
if(VBoxWindow != NULL)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VMwareBIOSDetect()
{
HKEY rKey;
wchar_t RegKey[256] = {0}; //zeroed so a failed query cannot leave garbage for memcmp
wchar_t RegVMware[] = {L"VMware Virtual Platform"};
DWORD RegPath = sizeof(RegKey);

//bail out if the key cannot be opened; rKey would otherwise be uninitialised
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"HARDWARE\\DESCRIPTION\\System\\BIOS",
   0,
   KEY_QUERY_VALUE,
   &rKey) != ERROR_SUCCESS)
{
return false;
}

RegQueryValueEx(rKey,
   L"SystemProductName",
   NULL,
   NULL,
   (BYTE*)RegKey,
   &RegPath);

RegCloseKey(rKey);

if (memcmp(RegKey, RegVMware, 48) == 0)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxBIOSDetect()
{
HKEY rKey;
wchar_t RegKey[256] = {0}; //zeroed so a failed query cannot leave garbage for memcmp
wchar_t RegVBox[] = {L"Oracle VM VirtualBox"};
DWORD RegPath = sizeof(RegKey);

//bail out if the key cannot be opened; rKey would otherwise be uninitialised
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"HARDWARE\\DESCRIPTION\\System",
   0,
   KEY_QUERY_VALUE,
   &rKey) != ERROR_SUCCESS)
{
return false;
}

RegQueryValueEx(rKey,
   L"VideoBiosVersion",
   NULL,
   NULL,
   (BYTE*)RegKey,
   &RegPath);

RegCloseKey(rKey);

if (memcmp(RegKey, RegVBox, 40) == 0)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool ParallelsRegDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"HARDWARE\\ACPI\\DSDT\\PRLS__\\PRLSACPI",
   0,
   KEY_QUERY_VALUE,
   &rKey) == ERROR_SUCCESS)
{
RegCloseKey(rKey);
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxProcessDetect()
{
wchar_t VBoxProcessName[] = {L"VBoxTray.exe"};
PROCESSENTRY32 pe;
HANDLE hSnapShot;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
ZeroMemory (&pe, sizeof(PROCESSENTRY32W));
pe.dwSize = sizeof(PROCESSENTRY32W); 
Process32First(hSnapShot, &pe);
do
{
if (memcmp(pe.szExeFile, VBoxProcessName, 24) == 0)
{
 CloseHandle(hSnapShot);
 return true;
}
}
while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return false;
}
//----------------------------------------------------------------------
bool VirtualPCProcessDetect()
{
wchar_t VirtualPCProcessName[] = {L"vmusrvc.exe"};
PROCESSENTRY32 pe;
HANDLE hSnapShot;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
ZeroMemory (&pe, sizeof(PROCESSENTRY32W));
pe.dwSize = sizeof(PROCESSENTRY32W); 
Process32First(hSnapShot, &pe);
do
{
if (memcmp(pe.szExeFile, VirtualPCProcessName, 22) == 0)
{
 CloseHandle(hSnapShot);
 return true;
}
}
while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return false;
}
//----------------------------------------------------------------------
bool VMwareProcessDetect()
{
wchar_t VMwareProcessName[] = {L"vmtoolsd.exe"};
PROCESSENTRY32 pe;
HANDLE hSnapShot;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
ZeroMemory (&pe, sizeof(PROCESSENTRY32W));
pe.dwSize = sizeof(PROCESSENTRY32W); 
Process32First(hSnapShot, &pe);
do
{
if (memcmp(pe.szExeFile, VMwareProcessName, 24) == 0)
{
 CloseHandle(hSnapShot);
 return true;
}
}
while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxDevObjDetect()
{
HANDLE hDev = CreateFile(L"\\\\.\\VBoxMiniRdrDN",0,0,0,OPEN_EXISTING,0,0);
if (hDev == INVALID_HANDLE_VALUE)
{
hDev = CreateFile(L"\\\\.\\VBoxGuest",0,0,0,OPEN_EXISTING,0,0);
}
if (hDev != INVALID_HANDLE_VALUE)
{
CloseHandle(hDev); //the original leaked the device handle
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualPCDevObjDetect()
{
HANDLE hDev = CreateFile(L"\\\\.\\VMDRV",0,0,0,OPEN_EXISTING,0,0);
if (hDev != INVALID_HANDLE_VALUE)
{
CloseHandle(hDev); //the original leaked the device handle
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
{
mov eax, 0x1
cpuid
mov eax, 0x40000000
cpuid
mov ID_1, ebx
mov ID_2, ecx
mov ID_3, edx
}
if ((ID_1 == 0x00000340)&&(ID_2 == 0x00000340))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
bool VMwareCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
{
mov eax, 0x1
cpuid
mov eax, 0x40000000
cpuid
mov ID_1, ebx
mov ID_2, ecx
mov ID_3, edx
}
if ((ID_1 == 0x61774d56)&&(ID_2 == 0x4d566572)&&(ID_3 == 0x65726177))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
bool ParallelsCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
{
mov eax, 0x1
cpuid
mov eax, 0x40000000
cpuid
mov ID_1, ebx
mov ID_2, ecx
mov ID_3, edx
}
if ((ID_1 == 0x70726c20)&&(ID_2 == 0x68797065)&&(ID_3 == 0x72762020))
{
return true;
}
else
{
return false;
}
}
//----------------------------------------------------------------------
bool VirtualPCMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen = 0; //must be initialised: GetAdaptersInfo reads it on entry
if (GetAdaptersInfo(AdapterInfo, &OutBufLen) != ERROR_BUFFER_OVERFLOW)
{
return false; //no adapters (or another error): nothing to compare
}
AdapterInfo = (PIP_ADAPTER_INFO) new char[OutBufLen];
if (GetAdaptersInfo(AdapterInfo, &OutBufLen) != ERROR_SUCCESS)
{
delete[] (char*)AdapterInfo;
return false;
}
//only the first adapter in the list is compared
if (((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x03) &&
((BYTE)AdapterInfo->Address[2] == 0xff) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x12) &&
((BYTE)AdapterInfo->Address[2] == 0x5a) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x1d) &&
((BYTE)AdapterInfo->Address[2] == 0xd8) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x15) &&
((BYTE)AdapterInfo->Address[2] == 0x5d) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x22) &&
((BYTE)AdapterInfo->Address[2] == 0x48) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x0d) &&
((BYTE)AdapterInfo->Address[2] == 0x3a) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x17) &&
((BYTE)AdapterInfo->Address[2] == 0xfa) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x25) &&
((BYTE)AdapterInfo->Address[2] == 0xae) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x50) &&
((BYTE)AdapterInfo->Address[2] == 0xf2) ||
((BYTE)AdapterInfo->Address[0] == 0x28) &&
((BYTE)AdapterInfo->Address[1] == 0x18) &&
((BYTE)AdapterInfo->Address[2] == 0x78) ||
((BYTE)AdapterInfo->Address[0] == 0x60) &&
((BYTE)AdapterInfo->Address[1] == 0x45) &&
((BYTE)AdapterInfo->Address[2] == 0xbd) ||
((BYTE)AdapterInfo->Address[0] == 0x7c) &&
((BYTE)AdapterInfo->Address[1] == 0x1e) &&
((BYTE)AdapterInfo->Address[2] == 0x52) ||
((BYTE)AdapterInfo->Address[0] == 0x7c) &&
((BYTE)AdapterInfo->Address[1] == 0xed) &&
((BYTE)AdapterInfo->Address[2] == 0x8d) ||
((BYTE)AdapterInfo->Address[0] == 0xdc) &&
((BYTE)AdapterInfo->Address[1] == 0xb4) &&
((BYTE)AdapterInfo->Address[2] == 0xc4))
{
delete[] (char*)AdapterInfo; //allocated with new[]
return true;
}
else
{
delete[] (char*)AdapterInfo; //allocated with new[]
return false;
}  
}
//----------------------------------------------------------------------
bool VirtualBoxMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen = 0; //must be initialised: GetAdaptersInfo reads it on entry
if (GetAdaptersInfo(AdapterInfo, &OutBufLen) != ERROR_BUFFER_OVERFLOW)
{
return false; //no adapters (or another error): nothing to compare
}
AdapterInfo = (PIP_ADAPTER_INFO) new char[OutBufLen];
if (GetAdaptersInfo(AdapterInfo, &OutBufLen) != ERROR_SUCCESS)
{
delete[] (char*)AdapterInfo;
return false;
}
//only the first adapter in the list is compared
if (((BYTE)AdapterInfo->Address[0] == 0x08) &&
((BYTE)AdapterInfo->Address[1] == 0x00) &&
((BYTE)AdapterInfo->Address[2] == 0x27) ||
((BYTE)AdapterInfo->Address[0] == 0x08) &&
((BYTE)AdapterInfo->Address[1] == 0x00) &&
((BYTE)AdapterInfo->Address[2] == 0x20))
{
delete[] (char*)AdapterInfo; //allocated with new[]
return true;
}
else
{
delete[] (char*)AdapterInfo; //allocated with new[]
return false;
}  
}
//----------------------------------------------------------------------

bool VMwareMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen = 0; //must be initialised: GetAdaptersInfo reads it on entry
if (GetAdaptersInfo(AdapterInfo, &OutBufLen) != ERROR_BUFFER_OVERFLOW)
{
return false; //no adapters (or another error): nothing to compare
}
AdapterInfo = (PIP_ADAPTER_INFO) new char[OutBufLen];
if (GetAdaptersInfo(AdapterInfo, &OutBufLen) != ERROR_SUCCESS)
{
delete[] (char*)AdapterInfo;
return false;
}
//only the first adapter in the list is compared
if (((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x05) &&
((BYTE)AdapterInfo->Address[2] == 0x69) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x0c) &&
((BYTE)AdapterInfo->Address[2] == 0x29) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x1c) &&
((BYTE)AdapterInfo->Address[2] == 0x14) ||
((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x50) &&
((BYTE)AdapterInfo->Address[2] == 0x56))
{
delete[] (char*)AdapterInfo; //allocated with new[]
return true;
}
else
{
delete[] (char*)AdapterInfo; //allocated with new[]
return false;
}  
}
//----------------------------------------------------------------------
bool ParallelsMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen = 0; //must be initialised: GetAdaptersInfo reads it on entry
if (GetAdaptersInfo(AdapterInfo, &OutBufLen) != ERROR_BUFFER_OVERFLOW)
{
return false; //no adapters (or another error): nothing to compare
}
AdapterInfo = (PIP_ADAPTER_INFO) new char[OutBufLen];
if (GetAdaptersInfo(AdapterInfo, &OutBufLen) != ERROR_SUCCESS)
{
delete[] (char*)AdapterInfo;
return false;
}
//only the first adapter in the list is compared
if (((BYTE)AdapterInfo->Address[0] == 0x00) &&
((BYTE)AdapterInfo->Address[1] == 0x1c) &&
((BYTE)AdapterInfo->Address[2] == 0x42))
{
delete[] (char*)AdapterInfo; //allocated with new[]
return true;
}
else
{
delete[] (char*)AdapterInfo; //allocated with new[]
return false;
}  
}
//----------------------------------------------------------------------
bool VirtualMachineIDDiskDetect(char* IDDisk)
{
HKEY rKey;
char RegKey[4096] = {0}; //zeroed so strstr always sees a terminated string
DWORD RegPath = sizeof(RegKey) - 1;
DWORD Type = REG_SZ;

//bail out if the key cannot be opened; rKey would otherwise be uninitialised
if (RegOpenKeyExA(HKEY_LOCAL_MACHINE,
   "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum",
   0,
   KEY_QUERY_VALUE,
   &rKey) != ERROR_SUCCESS)
{
return false;
}

RegQueryValueExA(rKey,
   "0",
   NULL,
   &Type,
   (LPBYTE)RegKey,
   &RegPath);

RegCloseKey(rKey);

if (strstr(RegKey, IDDisk) != 0)
{
return true;
}
return false;
}
//----------------------------------------------------------------------
bool ParallelsVideoCardDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8&DEV_4005&SUBSYS_04001AB8&REV_00",
   0,
   KEY_QUERY_VALUE,
   &rKey) == ERROR_SUCCESS)
{
RegCloseKey(rKey);
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxVideoCardDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00",
   0,
   KEY_QUERY_VALUE,
   &rKey) == ERROR_SUCCESS)
{
RegCloseKey(rKey);
return true;
}
return false;
}
//----------------------------------------------------------------------
bool VirtualPCVideoCardDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
   L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",
   0,
   KEY_QUERY_VALUE,
   &rKey) == ERROR_SUCCESS)
{
RegCloseKey(rKey);
return true;
}
return false;
}
//----------------------------------------------------------------------



Plugin contest information

https://hex-rays.com/contests/2015/index.shtml


Honestly, this is the first time I learned that such a thing exists...


I should set aside a day and try them out one by one, heh


What does the company that sells IDA look like?

While using IDA I have often thought it was really impressive,

but I had never wondered about the company; suddenly I became curious and searched for it.

 

I assumed it would be a very large company and googled it,

but there was not that much information.

 

According to Wikipedia, it is described as follows.

Created as a shareware application by Ilfak Guilfanov, IDA was later sold as a commercial product by DataRescue, a Belgian company, who improved it and sold it under the name IDA Pro. In 2005, Guilfanov founded Hex-Rays to pursue the development of the Hex-Rays Decompiler IDA extension. In January 2008, Hex-Rays assumed the development and support of DataRescue's IDA Pro.

 

It was first created as shareware by Guilfanov and was later sold by a Belgian company called DataRescue.

In 2005 Guilfanov founded Hex-Rays, and in January 2008 Hex-Rays took over IDA development and support.

 

In conclusion, it seems a company called DataRescue sold (only sold?) Mr. Guilfanov's IDA, and then Mr. Guilfanov founded his own company, Hex-Rays, which sells it today.

 

https://www.hex-rays.com/about.shtml

 

The company seems small... (the profile image is small)

 

For reference, if you want to join this company, this level of qualifications is required. (As of 2009, posted by the CEO himself, heh)


Import hashing

https://www.mandiant.com/blog/tracking-malware-import-hashing/


Also called imphash; it uses the APIs in the IAT to produce a hash value that is provided as metadata.


VirusTotal metadata:



But if it is produced by statically parsing the APIs in the IAT, how effective can it really be?? heh

As has long been the case, many malware samples do not use APIs directly;

they obfuscate them so the strings are never exposed as-is.


As the linked article says, its proper role is probably as a "low-cost, efficient and valuable way" to assist classification.
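As an added example (not code from this post, the Mandiant article, or pefile), the imphash construction over a constructed import list: the DLL extension is stripped, everything is lowercased, ordinal-only imports are resolved through a name table (a partial ws2_32 table is assumed here) or fall back to "ordN", and the comma-joined string is MD5-hashed. The second sample illustrates the post's caveat: a binary that resolves its APIs at runtime leaves only LoadLibrary/GetProcAddress for the hash to see. For real files, pefile's PE.get_imphash() implements the same scheme.

```python
import hashlib

# Partial ws2_32.dll ordinal table, constructed for this example; pefile
# ships full tables (ws2_32, wsock32, oleaut32) so ordinal-only imports
# still hash to stable names.
WS2_32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   16: "recv", 19: "send", 22: "shutdown", 23: "socket",
                   115: "WSAStartup", 116: "WSACleanup"}
ORDINAL_TABLES = {"ws2_32.dll": WS2_32_ORDINALS}
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def import_string(imports):
    """Canonical 'dll.function' list that imphash digests.

    imports: (dll_name, function_name_or_None, ordinal) tuples in IAT order.
    Order matters: the same APIs in a different order give a different hash.
    """
    parts = []
    for dll, name, ordinal in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in STRIPPED_EXTENSIONS:
            lib = base                      # "kernel32.dll" -> "kernel32"
        if name is None:                    # ordinal-only import
            name = ORDINAL_TABLES.get(dll.lower(), {}).get(ordinal, "ord%d" % ordinal)
        parts.append("%s.%s" % (lib, name.lower()))
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string, the value VirusTotal shows."""
    return hashlib.md5(import_string(imports).encode()).hexdigest()


# Constructed import table of a small network client (socket/connect by ordinal).
SAMPLE_IMPORTS = [("KERNEL32.dll", "CreateFileA", None),
                  ("KERNEL32.dll", "WriteFile", None),
                  ("WS2_32.dll", None, 23),
                  ("WS2_32.dll", None, 4)]

# Constructed table showing the post's caveat: a binary that resolves its
# APIs at runtime leaves imphash almost nothing to fingerprint.
DYNAMIC_IMPORTS = [("KERNEL32.dll", "LoadLibraryA", None),
                   ("KERNEL32.dll", "GetProcAddress", None)]
```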




