Dynamic Binary Unpacking Using UndoPack Tool

An overview of the UndoPack tool written by Shubham Bansal for extracting packed code: the motivation, the key assumptions, and how it uses dynamic binary instrumentation (Intel Pin) to reveal each hidden layer of code. It also explains why the Pin framework was chosen for this kind of analysis.

  • Dynamic Binary Unpacking
  • UndoPack Tool
  • Shubham Bansal
  • Reverse Engineering

Presentation Transcript


  1. Executable Unpacking using Dynamic Binary Instrumentation. Shubham Bansal (iN3O), Feb 2015. UndoPack 1

  2. Who am I? Undergraduate student at IIIT-Hyderabad, currently pursuing a B.Tech with honors in Computer Science. Security researcher. Regular CTF (Capture the Flag) player, currently part of the SegFault CTF team. Fields of interest: reverse engineering, malware analysis and exploit development.

  3. What I did? Wrote a small CLI tool named UndoPack to extract packed code.

  4. Motivation behind the tool. Code packing is one of the most widely used techniques for hindering code analysis, and its use is still growing.

  5. Original Binary (image slide)

  6. Packed Binary (image slide)

  7. Motivation behind the tool. There is no unpacking unless we know the packing algorithm. The common techniques are signature matching and heuristics, which identify a known packer and apply its known unpacking routine. What if we don't know the internal workings of the packer? What if we find an executable packed with an unknown packer? The fallback is manual unpacking.

  8. UndoPack uses Intel's Pin dynamic binary instrumentation framework. It extracts multiple layers of packed code, reports the Original Entry Point (OEP), requires no additional information about the packer, and applies the same extraction method to different packers.

  9. Why PIN? A mature, widely used framework for dynamic binary analysis. Supports both the IA-32 and x86-64 (Intel 64) ISAs. Easy and well-documented API. Works on both Windows and *nix systems.

  10. Key Assumptions. At some point the original hidden code will be present in memory and will be executed. The instruction pointer will jump to the OEP of the restored code at each layer of unpacking.

  11. Approach. Instrument memory write instructions. Catch the transition point from the restoration code to the OEP of the hidden code. The hidden code and data are exactly the newly written memory addresses. Written memory addresses are tracked using a very simple shadow memory implementation. Extract each layer of unpacked code for further analysis of the packer.

  12. System Design: Emulated Environment, Shadow Memory, Extraction Engine.

  13. System Design (diagram slide)

  14. Emulated Environment. Provided by Intel's Pin framework. Instruments memory write instructions and builds the shadow memory. Instruments execution-flow-changing instructions to catch the transition point. Provides isolation between the extraction engine and the malicious program under analysis. (Caveat: Pin injects itself into the analysed process, so this isolation separates the tool's state from the target's; it is not a sandbox, and the sample should still be run inside a disposable VM.)

  15. Implementation for instrumenting memory write instructions (code slide; source not captured in the transcript)

  16. Implementation for instrumenting execution-flow-changing instructions (code slide; source not captured in the transcript)

  17. Shadow Memory. A technique for tracking and storing information about the memory read or written by a program during its execution. Shadow memory consists of shadow bytes/bits that map to individual bits or to one or more bytes of main memory. Newly written memory addresses are marked dirty (1) and all others clean (0) in the shadow memory.

  18. Shadow Memory (diagram slide)

  19. Extraction Engine. Initialise the whole shadow memory to the clean bit (0).

  20. Every write to a particular address in program memory sets the corresponding bit in shadow memory to dirty (1).

  21. Each time a dynamic-link library is loaded into program memory, set the corresponding shadow memory back to clean (0): the loader's writes are not unpacking, and leaving them dirty would make the first code executed inside the DLL look like a restored layer.

  22. At the end of each basic block, check whether any dirty memory location lies within the region covered by that basic block, i.e. whether the program is about to execute bytes it wrote itself.

  23. If so, dump the whole dirty memory address range, which represents the next layer of packing, record the entry address as that layer's OEP, and reinitialise the shadow memory to clean (0) so the next layer can be caught the same way.
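The five extraction-engine steps above (slides 19 to 23), as an added C++ model written for this page. It is not UndoPack's code and does not use the Pin API: the three callbacks a Pintool would register (memory write, image load, basic block) are called by hand from a constructed event trace of a two-layer packer, so the detection logic can be run and checked without a packed binary. One deliberate difference from slide 23, labelled in the code: it dumps the contiguous dirty run containing the block being executed rather than the span from lowest to highest dirty address, because a stack push or heap write between layers would otherwise stretch that span across unrelated memory. All addresses, sizes and the trace itself are invented.

```cpp
// Added example, not UndoPack's code: a Pin-free model of the shadow-memory
// extraction engine. A real Pintool would register onWrite, onImageLoad and
// onBasicBlock through the Pin API; here they are driven by a constructed
// trace so the detection logic can be run and checked without a packed binary.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

typedef uint64_t Addr;

// One extracted layer: the dirty byte range that was dumped and the address
// at which execution first entered it (that layer's OEP).
struct Layer {
    Addr lo;     // first dirty byte of the run
    Addr hi;     // one past the last dirty byte of the run
    Addr entry;  // start of the basic block that was about to run written code
};

class ShadowTracker {
public:
    // Called for every memory write: mark the written bytes dirty (1).
    void onWrite(Addr addr, size_t len) {
        for (size_t i = 0; i < len; ++i) dirty_.insert(addr + i);
    }

    // Called when the loader maps an image: the loader's writes are not
    // unpacking, so the mapped range goes back to clean (0). Without this,
    // the first block executed inside a freshly loaded DLL would be reported
    // as an unpacked layer.
    void onImageLoad(Addr addr, size_t len) {
        dirty_.erase(dirty_.lower_bound(addr), dirty_.lower_bound(addr + len));
    }

    // Called at every basic block boundary for the block [start, start+len).
    // If any byte of the block is dirty, the program is about to execute code
    // it wrote itself: record the layer and reset shadow memory for the next.
    bool onBasicBlock(Addr start, size_t len) {
        std::set<Addr>::const_iterator it = dirty_.lower_bound(start);
        if (it == dirty_.end() || *it >= start + len) return false;

        // Design choice (not from the slides): dump the contiguous dirty run
        // around the executed block rather than min..max of all dirty bytes,
        // so stack/heap writes made between layers do not widen the dump.
        Addr lo = *it, hi = *it + 1;
        while (lo > 0 && dirty_.count(lo - 1)) --lo;
        while (dirty_.count(hi)) ++hi;
        layers_.push_back(Layer{lo, hi, start});

        dirty_.clear();  // shadow memory back to clean(0), as on the slide
        return true;
    }

    const std::vector<Layer>& layers() const { return layers_; }

private:
    std::set<Addr> dirty_;        // sparse shadow memory: address present == dirty
    std::vector<Layer> layers_;
};

// Constructed trace of a two-layer packer. All addresses are made up.
std::vector<Layer> runDemo() {
    ShadowTracker t;
    t.onBasicBlock(0x401000, 0x20);     // packer stub runs; nothing dirty yet
    t.onWrite(0x402000, 0x200);         // stub decrypts layer 1 into the image
    t.onWrite(0x7ffe0000, 8);           // a push: dirty, but not contiguous with layer 1
    t.onBasicBlock(0x401020, 0x10);     // stub's final block: still clean
    t.onBasicBlock(0x402000, 0x30);     // jump into written bytes: layer 1 dumped
    t.onWrite(0x403000, 0x100);         // layer 1 restores the final payload
    t.onWrite(0x10000000, 0x1000);      // loader copies a DLL image into memory
    t.onImageLoad(0x10000000, 0x1000);  // image-load callback cleans that range
    t.onBasicBlock(0x10000400, 0x20);   // call into the DLL: clean, no false layer
    t.onBasicBlock(0x402030, 0x10);     // back in layer 1
    t.onBasicBlock(0x403000, 0x40);     // transition to the real OEP: layer 2 dumped
    return t.layers();
}

int main() {
    std::vector<Layer> layers = runDemo();
    for (size_t i = 0; i < layers.size(); ++i)
        std::printf("layer %zu: %#llx-%#llx, entry (OEP) %#llx\n", i + 1,
                    (unsigned long long)layers[i].lo,
                    (unsigned long long)layers[i].hi,
                    (unsigned long long)layers[i].entry);
    return 0;
}
```

Running it reports two layers: 0x402000-0x402200 entered at 0x402000, and 0x403000-0x403100 entered at 0x403000 (the final OEP). The stack write never appears in a dump, and the DLL block after the image-load callback produces no false layer, which is the point of slide 21.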

  24. UndoPack on GitHub: https://github.com/3SLabs/undopack

  25. Credits. Special thanks to Abhisek Datta, 3S Labs. Thanks to Intel's Pin framework.

  26. Questions?

  27. Thank you!!!
