:wq - blog » binary http://writequit.org/blog Tu fui, ego eris Mon, 22 Dec 2014 14:54:59 +0000 en-US hourly 1 http://wordpress.org/?v=4.1.5 Get disass-cli working properly on OSX and Freebsd http://writequit.org/blog/2008/04/11/get-disass-cli-working-properly-on-osx-and-freebsd/ http://writequit.org/blog/2008/04/11/get-disass-cli-working-properly-on-osx-and-freebsd/#comments Fri, 11 Apr 2008 19:20:49 +0000 http://writequit.org/blog/?p=162 I’ve been digging into the world of exploit writing lately, working on Defcon‘s previous year’s CTF qualification programs, I ran into Atlas’ presentation on “Kiddie to Hacker in 5 sleepless nights”, which talks about some of his mindset when he first got into binary exploitation.

Atlas has written a tool call disass to aid in disassembly and analysis, which is a really cool tool, but can be kind of annoying to get running on different operating systems thanks to Python’s amazingly helpful error messages </sarcasm>

Firstly, make sure you install the dependencies, Python (duh), psyco, atlasutils (from Atlas’ blog), libdisassemble and vtrace (from the Kenshoto guys). Then, install disass-cli (also from Atlas’ blog) just like you would any other python program. You might need to symlink /usr/local/bin/python to /usr/bin/python since disass-cli’s sharp-bang is hardcoded for /usr/bin/python

The first time you run disass-cli, you’ll probably hit this error:

# disass-cli
Traceback (most recent call last):
File "/usr/local/bin/disass-cli", line 3, in <module>
from disass3 import *
File "/usr/local/lib/python2.5/site-packages/disass3/__init__.py", line 105, in <module>
import bsddb
File "/usr/local/lib/python2.5/bsddb/__init__.py", line 51, in <module>
import _bsddb
ImportError: No module named _bsddb

Cryptic eh? Googling is not so helpful on this one (“Recompile Python!”) Well, to fix the problem on FreeBSD, you need to install /usr/ports/databases/py-bsddb, which will rebuild Python with the necessary libraries, easy fix.

On OSX, you’ll need to download the newest Python distro .dmg from python.org (which will have the correct libraries). Now you can update the symlink by doing:

# rm /usr/bin/python
# ln -s /Library/Frameworks/Python.framework/Versions/2.5/bin/python /usr/bin/python

as root. Now you should be able to reinstall the dependencies for disass using the newer Python distribution and disass-cli shouldn’t complain anymore, silly broken Apple versions of Python.

Note: Alternatively, you can edit the disass-cli Python file (in /usr/local/bin/disass-cli) to use the Python distribution you installed directly without changing the symlink, that way everything else still uses Apple’s version of Python (don’t forget to install the dependency libraries for the newer version of Python also).

Hope this helps someone, exploit writing is new to me, coming from more of a network-side, always fun to learn new things :)

]]>
http://writequit.org/blog/2008/04/11/get-disass-cli-working-properly-on-osx-and-freebsd/feed/ 3
Tutorial: Finding the OEP of an Upacked binary file http://writequit.org/blog/2008/02/25/tutorial-finding-the-oep-of-an-upacked-binary-file/ http://writequit.org/blog/2008/02/25/tutorial-finding-the-oep-of-an-upacked-binary-file/#comments Mon, 25 Feb 2008 19:57:26 +0000 http://writequit.org/blog/?p=150 …because all the other tutorials I’ve been able to find on this subject are not so easy to read.

This is going to be a long post, but hey, at least it’ll have lots of pictures!

Alright, in this tutorial I’m going to attempt to explain how to find the OEP (Original Entry Point) of a binary executable that has been packed with the Upack/WinUpack packer. I just recently learned this myself, so please excuse any errors this tutorial might have. In this tutorial, the following tools are used:

Sadly, I haven’t figured out how to get this working the same way in Ollydbg yet, but perhaps for a later tutorial. Alright, let’s dive right in. In this example, I’ll be using the “calc.exe” application (Windows calculator) that I packed with WinUpack. The first thing to do is load the file into PEiD to try and determine what kind of packer was used on the file:

0peid.png

You can see in the red square above that this file was packed with WinUpack 0.39 final, which is good because that’s what this tutorial is about ;)

The next thing to do is load the executable into IDA-pro, IDA will complain about the file, but for the most part these complaints can be ignored, just click “ok” and “yes” until you see something similar to below:

1idastart.png

Here, you can see the start of the file, the line we’re most interested in is (in this file), the line at 0100101F, which is a "push dword ptr [esi+34h]” instruction. Select this line and hit F2 to toggle a breakpoint on this line. The line should highlight red just like the picture below:

2pushbp.png

Now, press F9 to run the file until it encounters the breakpoint. When IDA does encounter it, the display will change to the following style, take note of the IDA-view ESP box highlighted in red below, that’s what’s going to be important coming up:

3running.png

Right click on the ESP address (in this case 0007FFC0) and set a breakpoint, we want to set a hardware breakpoint or size 4 on this address, see the picture below for what I mean:

4hwbp.png

After setting it, the line will highlight red like this:

5hwbp2.png

When the breakpoint has been set, continue running the file by hitting ‘F9′ again. When IDA hits the breakpoint, you’ll see the following two windows:

6afterhwbp.png

Notice the red box, this is our new OEP: 01012475. Write this number down somewhere (or remember it). Now that we know our OEP, we need to dump the file and fix the imports, the first step to dump the file is to open up LordPE and select the running calc.exe process, as seen below:

7lordpe.png

Right-click on the file and click on “dump full”, as you see here (I saved my file as calc-dump.exe):

8lordpedump.png

Here you can see a comparison of the sizes of the packed and unpacked files:

9sizecmp.png

Let’s run the file and see what we get, oops, looks like we get the error below:

10iatmissing.png

This means the import table is all messed up, we’ll have to fix it. In order to do that, fire up ImpRec and point it at the active calc.exe process, in the OEP box, enter the OEP we found earlier (just the offset, which in this case is 12475):

11imprecnewoep.png

Then, click on “IAT Autosearch”, you should see a message like this:

12autosearch.png

Click on “Get Imports” and the window should be filled with a list of imports found in the file, like this:

13importsfound.png

In order to fix the dump, click on “Fix Dump” and select the file you dumped earlier (in my case it was calc-dump.exe), ImpRec will fix the dump and save a new file, if it works correctly, you should see these messages in the log:

14fixdump.png

Let’s compare these size of all 3 of these files:

15sizecmp2.png

And now, try and run the file:

16running.png

Hurray! It worked! From here you can do everything you need with the file, since it is no longer packed. I hope this helps someone, it certainly helped me understand unpacking a little bit better. Now I can get to unpacking that malware I captured earlier…

]]>
http://writequit.org/blog/2008/02/25/tutorial-finding-the-oep-of-an-upacked-binary-file/feed/ 3
Collaborative analysis efforts with simple to use interfaces http://writequit.org/blog/2008/02/12/collaborative-analysis-efforts-with-simple-to-use-interfaces/ http://writequit.org/blog/2008/02/12/collaborative-analysis-efforts-with-simple-to-use-interfaces/#comments Tue, 12 Feb 2008 22:55:23 +0000 http://writequit.org/blog/?p=146 You know what would be really helpful? I mean, actually helpful to people in the security industry as a whole? We need some kind of collaboration tool that allows many different users to view, download, analyze, tag, describe and ask questions about any and all kinds of malware, network captures and security logs. I’ve been talking to some of the #rawpacket guys/gals about how it would work, so now I’m stealing their ideas for a blog post ;)

For example, let’s say you discover a new binary malware that one of your honeypots caught, here’s how I envision this would work out:

  1. You register an account at the collaboration website, you can additionally assign your pgp key to your name, security people like to know who they’re actually talking with.
  2. You upload the file, in this case it’s a .exe file, tagging it with a basic description (“nepenthes honeypot caught this transferred over ftp, I think it’s a trojan, etc, etc”) and tags so it becomes searchable (exe, malware, binary, ftp).
  3. The file/pcap is anonymized (optional, but would be extremely nice)
  4. After the initial upload, the collaboration server performs super-basic, but good baseline analysis on the file, saving the results for later. For a .exe file, it could be things like md5sum, clamscan and strings. For other types of files, different tools could be used (*cough* an automated NSM-Console session *cough*), etc
  5. The malware is displayed on the page, security gurus log into their account, have the ability to download the binary to play with it themselves, and are encouraged to share what they found when doing their analysis (and how). They have the ability to upload screenshots, short video clips, textfiles, whatever would help with the analysis. This of it like a traditional website ‘shoutbox’, but with comments on a particular piece of malware or network capture.
  6. Users can also create correlations between different submissions, Example: “This is the link to the network capture for the worm exploiting this particular binary malware”, now we can draw pretty graphs!
  7. Discussion continues until the file has been “figure out”. Give people ‘karma’ or whatever to encourage posting.
  8. ????
  9. Profit!

In all seriousness, you know what I think would be great about this? The community as a whole benefits from the knowledge and talent of people who are good at an individual skill. For instance, I might suck at binary malware analysis, but I can help decode what’s going on with a network trace picked up by an IDS. Community is created, knowledge is shared, security can be improved, people become familiar with the parts of security in which they lack knowledge, everyone is happy.

Make the framework distributable, small groups of people can set up their own collaboration for working with extremely confidential files, think Trac, but instead of bug reports and svn tracking, malware/pcap collaboration and research.

There are projects already like this, I’m excited for the direction that OpenPacket is going with packet captures, upload a file and it’s automatically run through tshark, giving you a baseline to start working with. I think that if the idea is expanded, we can get a lot of different people involved. I know I’d certainly like to get better at doing binary analysis.

Does this sound interesting? It certainly does to me. I’m curious if anyone else is interested, leave me a comment and let me know if you’d be interested in something like this! (Maybe if 40 hours suddenly appear out of nowhere I’m start working on it…)

P.S. I didn’t think of all of this myself, thanks to all the people in #rawpacket for their ideas :) Just want to give credit where it’s due… ;)

]]>
http://writequit.org/blog/2008/02/12/collaborative-analysis-efforts-with-simple-to-use-interfaces/feed/ 3