
Reverse engineering of malicious code

Italo Valcy (1,2)
1 CERT.Bahia - PoP-BA/RNP
2 Universidade Federal da Bahia

italo@pop-ba.rnp.br
III EnSI CERT.Bahia, 29/Nov/2013

Italo Valcy Engenharia Reversa

Reverse engineering
What it is and what it is for

The process of discovering how a computer program works without having access to its source code. It can be as simple as running the program, or it can mean analysing its machine instructions. The goal is to find out:
- What does the program do?
- Which part of the program accesses the network?
- Which parameters does it take?
- How is it activated?

Reverse engineering
What it is and what it is for

Examples of application:
- Driver development
- Free-software development based on proprietary software
- Understanding protocols for compatibility
- Documenting legacy code
- Analysis of malicious code

Types of malicious programs

- Virus
- Trojan
- Worm
- Spyware
- Rootkit

Forms of attack

Low-level attack vectors:
- Buffer overflows
- Format-string vulnerabilities

High-level attack vectors:
- Exploitation of vulnerabilities in applications
- Flaws in configurations and protections

Higher-level attacks:
- Social engineering
- Mass e-mail / phishing

Classification of malicious code

- Constant code: runs continuously.
  Example: e-mail harvesting loop, network scan
- Reactive code: executed in response to a specific event.
  Example: when the user visits a given page
- Dormant code: runs on a given date.
  Example: coordinated DDoS attack

Analysis environment

"Live" analysis
- Run the program and monitor it
- Quickly identifies the program's objective
- Hard to detect how the program executes

Reverse engineering
- Analysis of the program's executable
- Makes it possible to understand how the program works and to discover dormant or reactive code
- High complexity

Analysis environment

Environment installed for analysis purposes
- Safest approach
- Costs a lot of time and resources
- Disk cloning and recovery hardware/software can be used

Virtual environment
- Can simulate a complete environment
- VMware, Xen, KVM, etc.
- Makes it easy to restore the initial state
- Can be detected by the malicious code

Tools

- Virtual machines
- Dynamic analysis tools
- Debuggers
- Decompilers
- Disassemblers
- Tools for manipulating executable files

Debuggers

- Information about the CPU state
- Step-by-step execution
- Breakpoints
- Stepping forward and backward
- Viewing and manipulating memory and registers
- Viewing threads

Debuggers

Debuggers for Windows:
- Microsoft WinDBG
- OllyDBG
- IDA Pro
- PyDBG

Debuggers for Linux:
- GDB
- DBX
- Valgrind (memory)

Decompiler

- Tries to translate a binary into a high-level language
- Usually produces many errors
- Useful for making the disassembly more readable

Examples:
- REC and REC Studio
- Desquirr
- Boomerang
- Hex-Rays Decompiler

Disassembler

- Static analysis tool: turns bytes into assembly language
- Debuggers usually do this as well
- Challenge: telling code apart from data
- IDA Pro, OllyDBG, Fenris, PE Browser
- Objdump, Ndisasm

File analysers

- Format standardised for the operating system
- Location of the code, libraries, memory mapping

Executable file formats:
- Portable Executable PE (Windows, DOS)
- ELF (Linux, Unix)
- ABI Mach-O (Mac OS X)

File analysers

Portable Executable

Why "portable"?
- Supports x86, 32-bit and 64-bit
- Supports the MIPS, PowerPC, ARM and DEC architectures
- Extension .exe or .dll
- Sections: .text, .data, .idata, .edata

File analysers

ELF

- Executables, shared libs, object code
- Used on Linux, FreeBSD, Solaris, PlayStation, Android, etc.
- Several manipulation tools: Binutils, Elfutils

File analysers

Tools for Linux:
- file
- strings
- ngrep
- stat

Assembly

Assembly: required for reverse engineering
- x86: CPU, memory, registers and disk
- Fetch, decode, execute
- Application: a set of assembly instructions

Assembly

Registers: EAX, EBX, ECX, EDX, ESI, EDI, ESP, etc.

Stack: PUSH / POP

Instructions:
- INC, DEC, ADD, SUB, MUL, DIV
- MOV, LEA
- CALL / RET, ENTER / LEAVE
- CMP, TEST
- JMP, JE, JNE, JG, JL, JGE, etc.
- AND, OR, XOR, etc.

Assembly

Example of a control-flow graph generated by IDA Pro (figure not reproduced in the extracted text)

Anti-reverse-engineering tricks

- Debugger detection
- Code execution before the Entry Point
- Removal of sections / symbols (strip)
- Unaligned code
- Modifications to the PE / ELF / etc. headers
- Virtual machine detection
- Packing or encryption of the binary
- Mutable file

Analysis example

Example: the Dragon Research Group security challenge:
https://dragonresearchgroup.org/challenges/

Challenge (Aug/2013): What is in this zip file? Without altering the original, underlying file, can you get it to show you something mythic?
https://dragonresearchgroup.org/challenges/201308/201308.zip
Solution: https://dragonresearchgroup.org/challenges/201308/drg.txt

DRG Challenge Aug/2013

First step: (screenshot not reproduced in the extracted text)

DRG Challenge Aug/2013

Second step:

Fail! :-( What if we run it?

DRG Challenge Aug/2013

Third step: execution

Fail! Infinite loop (anti-reverse-engineering technique)

DRG Challenge Aug/2013

Step N:
- Test with strace → loop
- Disassembler → fail
- strings: hmmm ;)

```
italo@oxente /t/drg201308> strings 201308
UPX!
/lib
nux.so.2
...
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.05 Copyright (C) 1996-2010 the UPX Team. All Rights Reserved. $
PROT_EXEC|PROT_WRITE failed.
...
B (hFso] _fi~O DjL1 (ox B`zY UPX!
```
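As an added example (not part of the original slides), the following Python script automates what the file-analyser slides and the strings step do by hand: it decodes an ELF32 header with struct and scans the file for the marker strings that UPX leaves behind, which is how the packer gave itself away above. The ELF header bytes and the UPX strings are constructed inline for the demonstration (they are not the challenge binary); the ELF constants are the standard values from the ELF specification, and the function names are this example's own.

```python
import struct

# ELF32 header layout (52 bytes, little-endian): e_ident followed by the
# Elf32_Ehdr fields. Constants below are the standard ELF values.
ELF32_EHDR = "<4sBBBBB7sHHIIIIIHHHHHH"
ET_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
EM_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64"}

# Strings the UPX packer writes into its output (seen in the strings dump).
UPX_MARKERS = [b"UPX!", b"$Info: This file is packed with the UPX"]


def parse_elf32_header(data: bytes) -> dict:
    """Decode the ELF32 header; raise ValueError if this is not a 32-bit LE ELF."""
    if len(data) < struct.calcsize(ELF32_EHDR) or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    (_magic, ei_class, ei_data, _ver, _osabi, _abiver, _pad,
     e_type, e_machine, _e_version, e_entry, _phoff, e_shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx
     ) = struct.unpack_from(ELF32_EHDR, data)
    if ei_class != 1:
        raise ValueError("only ELF32 is handled here")
    if ei_data != 1:
        raise ValueError("only little-endian ELF is handled here")
    return {
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
        "phnum": e_phnum,
        "shnum": e_shnum,
        # No section header table is typical of packed or stripped binaries.
        "has_section_table": e_shoff != 0 and e_shnum != 0,
    }


def find_upx_markers(data: bytes) -> list:
    """Return the UPX marker strings present in the file, in file order."""
    hits = [(data.find(m), m.decode()) for m in UPX_MARKERS if m in data]
    return [name for _, name in sorted(hits)]


def analyze(data: bytes) -> dict:
    """Header summary plus a packer verdict, the way a triage script would report it."""
    info = parse_elf32_header(data)
    info["upx_markers"] = find_upx_markers(data)
    info["packed_with_upx"] = bool(info["upx_markers"])
    return info


def build_sample() -> bytes:
    """Constructed sample: ELF32 x86 executable header without a section
    table, followed by the markers UPX writes. Not the challenge binary."""
    hdr = struct.pack(
        ELF32_EHDR,
        b"\x7fELF", 1, 1, 1, 0, 0, b"\0" * 7,  # ELF32, little-endian, version 1
        2, 3, 1,             # e_type=ET_EXEC, e_machine=EM_386, e_version
        0x08048000,          # e_entry (constructed value)
        52, 0, 0,            # e_phoff, e_shoff=0 (no section table), e_flags
        52, 32, 2,           # e_ehsize, e_phentsize, e_phnum
        40, 0, 0,            # e_shentsize, e_shnum=0, e_shstrndx
    )
    tail = (b"UPX!" + b"\0" * 32 +
            b"$Info: This file is packed with the UPX executable packer "
            b"http://upx.sf.net $\0")
    return hdr + tail


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key:18} {value}")
```

On a real file the same functions run over `open(path, "rb").read()`; a missing section table together with the UPX markers is the combination that says "unpack first, then disassemble", which is exactly the Step N+1 below.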

DRG Challenge Aug/2013

Step N+1:
UPX decoder + GDB

DRG Challenge Aug/2013

Anti-reverse-engineering techniques:
- Check of the file descriptor number of opened files
- fork() + ptrace detection check
- Execution time
- Distraction subroutines

DRG Challenge Aug/2013

Anti-reverse-engineering techniques:

```c
#include <stdio.h>
#include <unistd.h>

/* Runs before main() (constructor attribute). The trick assumes a freshly
 * started process only holds fds 0, 1 and 2, so its first fopen() gets a
 * low descriptor, while a process started under gdb has inherited extra
 * open descriptors and therefore gets a higher one. */
void detect_gdb(void) __attribute__((constructor));

void detect_gdb(void)
{
    FILE *fd = fopen("/tmp", "r");
    if (fd == NULL)             /* guard added: original did not check fopen() */
        return;
    if (fileno(fd) > 5) {
        printf("fuck you gdb!\n");
        _exit(1);
    }
    fclose(fd);
}

int main(void)
{
    printf("do stuff outside gdb\n");
    return 0;
}
```

DRG Challenge Aug/2013

Anti-reverse-engineering techniques:

```c
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* A process can have only one tracer. The child tries to attach to its
 * parent: if ptrace() fails, something (gdb, strace, ...) is already
 * tracing the parent, and the program spins forever. */
void anti_ptrace(void)
{
    pid_t child;

    if (getenv("LD_PRELOAD"))      /* library injection: hang */
        while (1);

    child = fork();
    if (child) {
        wait(NULL);                /* parent waits for the probe child */
    } else {
        pid_t parent = getppid();
        if (ptrace(PTRACE_ATTACH, parent, 0, 0) < 0)
            while (1);             /* attach refused: already traced */
        sleep(1);
        ptrace(PTRACE_DETACH, parent, 0, 0);
        exit(0);
    }
}
```

DRG Challenge Aug/2013

What the program does:

```
804e9b5:  e8 d6 9d ff ff          call   8048790 <uname@plt>
804e9ba:  c7 44 24 04 00 00 00    movl   $0x0,0x4(%esp)
804e9c1:  00
804e9c2:  89 1c 24                mov    %ebx,(%esp)
804e9c5:  e8 e6 9d ff ff          call   80487b0 <gettimeofday@plt>
804e9ca:  69 94 24 b0 01 00 00    imul   $0xf4240,0x1b0(%esp),%edx
804e9d1:  40 42 0f 00
804e9d5:  69 84 24 b8 01 00 00    imul   $0xfff0bdc0,0x1b8(%esp),%eax
804e9dc:  c0 bd f0 ff
804e9e0:  8d 04 02                lea    (%edx,%eax,1),%eax
804e9e3:  03 84 24 b4 01 00 00    add    0x1b4(%esp),%eax
804e9ea:  2b 84 24 bc 01 00 00    sub    0x1bc(%esp),%eax
804e9f1:  3d c8 5e 4c 00          cmp    $0x4c5ec8,%eax
804e9f6:  7f 12                   jg     804ea0a <exit@plt+0x618a>
804e9f8:  89 7c 24 04             mov    %edi,0x4(%esp)
```
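The listing above is raw objdump output, and the pattern worth recognising in it is a second gettimeofday() result scaled to microseconds (imul by 0xf4240 = 1000000 and by 0xfff0bdc0 = -1000000) and compared against a constant: an execution-time check. As an added example, not code from the original slides, here is a small Python parser for objdump -d listings that folds the wrapped byte-only lines back into their instruction (the wrapping is what scrambled the slide) and then flags a call to gettimeofday followed within a few instructions by a cmp against an immediate. The listing is embedded inline as transcribed from the slide; the window size and the function names are this example's own choices.

```python
import re
from collections import namedtuple

Insn = namedtuple("Insn", "addr bytes mnemonic operands")

# objdump -d line: address, colon, hex bytes, then optional mnemonic/operands.
# A line holding only bytes is the continuation of a long instruction.
LINE_RE = re.compile(
    r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}(?:\s+|$))+)(?:(\S+)\s*(.*))?$"
)
IMM_RE = re.compile(r"\$0x([0-9a-f]+)")
USEC_PER_SEC = 1_000_000

# Transcribed from the slide (objdump output of the unpacked challenge binary).
LISTING = """\
804e9b5:  e8 d6 9d ff ff          call   8048790 <uname@plt>
804e9ba:  c7 44 24 04 00 00 00    movl   $0x0,0x4(%esp)
804e9c1:  00
804e9c2:  89 1c 24                mov    %ebx,(%esp)
804e9c5:  e8 e6 9d ff ff          call   80487b0 <gettimeofday@plt>
804e9ca:  69 94 24 b0 01 00 00    imul   $0xf4240,0x1b0(%esp),%edx
804e9d1:  40 42 0f 00
804e9d5:  69 84 24 b8 01 00 00    imul   $0xfff0bdc0,0x1b8(%esp),%eax
804e9dc:  c0 bd f0 ff
804e9e0:  8d 04 02                lea    (%edx,%eax,1),%eax
804e9e3:  03 84 24 b4 01 00 00    add    0x1b4(%esp),%eax
804e9ea:  2b 84 24 bc 01 00 00    sub    0x1bc(%esp),%eax
804e9f1:  3d c8 5e 4c 00          cmp    $0x4c5ec8,%eax
804e9f6:  7f 12                   jg     804ea0a <exit@plt+0x618a>
804e9f8:  89 7c 24 04             mov    %edi,0x4(%esp)
"""


def parse_objdump(listing: str) -> list:
    """Turn an objdump -d listing into Insn records, merging wrapped byte lines."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        code = bytes.fromhex("".join(m.group(2).split()))
        if m.group(3) is None:
            # Continuation line: its bytes belong to the previous instruction.
            if insns:
                prev = insns[-1]
                insns[-1] = prev._replace(bytes=prev.bytes + code)
            continue
        insns.append(Insn(addr, code, m.group(3), (m.group(4) or "").strip()))
    return insns


def find_timing_checks(insns: list, window: int = 12) -> list:
    """Flag a gettimeofday() call followed within `window` instructions by a
    compare against an immediate: the shape of an execution-time check."""
    findings = []
    for i, insn in enumerate(insns):
        if insn.mnemonic != "call" or "gettimeofday" not in insn.operands:
            continue
        usec_scaling = False
        for follower in insns[i + 1:i + 1 + window]:
            m = IMM_RE.search(follower.operands)
            imm = int(m.group(1), 16) if m else None
            # imul by 1000000, or by -1000000 as 32-bit two's complement,
            # converts tv_sec into microseconds before the tv_usec terms.
            if follower.mnemonic == "imul" and imm in (USEC_PER_SEC, (1 << 32) - USEC_PER_SEC):
                usec_scaling = True
            if follower.mnemonic == "cmp" and imm is not None:
                findings.append({
                    "call": insn.addr,
                    "cmp": follower.addr,
                    "threshold": imm,
                    "seconds": imm / USEC_PER_SEC if usec_scaling else None,
                })
                break
    return findings


if __name__ == "__main__":
    for c in find_timing_checks(parse_objdump(LISTING)):
        print(f"gettimeofday at {c['call']:#x}, cmp at {c['cmp']:#x}: "
              f"threshold {c['threshold']} us (~{c['seconds']:.3f} s)")
```

For the slide's listing the script reports the compare at 0x804e9f1 against 0x4c5ec8 = 5005000 microseconds, i.e. the program bails out (the jg to the exit path) if more than about five seconds passed between the two time samples, which is what single-stepping in a debugger does. The same parser works on any `objdump -d` output, so the heuristic can be run over a whole binary rather than one hand-picked window.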

DRG Challenge Aug/2013

Helper script for the solution:

```sh
# Reads lines of program output on stdin; whenever a line reports the two
# factors, sets the hostname to "drg" followed by their product.
while read LINE; do
  NUM=$(echo "$LINE" | \
    perl -ne 'if ($_ =~ /Factors are: (\d+) and (\d+)/) { print $1*$2 }')
  if [ -n "$NUM" ]; then
    echo "drg$NUM" > /etc/hostname
    /etc/init.d/hostname.sh
  fi
done
```

DRG Challenge Aug/2013

In summary:
- Crack the zip file's password
- Unpack with UPX
- Navigate with the debugger, avoiding the traps
- Find the right multiplication and comparison operation
- Notice the string "drg%d" among the binary's strings
- Run the original file, change the hostname and get the mythic ASCII!

Conclusions

- Reverse engineering is a very interesting and challenging field
- It requires knowledge in several areas
- The analysis process needs to be well defined, since it demands dedication and time
- It is done by specialised organisations
- It can reveal very interesting information and behaviours on the network:
  - Protection of the organisation's network
  - Detection of unknown attacks

Reverse engineering of malware

Doubts?

Questions?

Thank you!!! :-)

Italo Valcy <italo@pop-ba.rnp.br>