Posts

Showing posts from July, 2017

Google CTF 2017 : Android RE Challenge

Image
The challenge was consist of three parts. 1.Android application loading native library (ARM or x86) depending on platform. 2.Native library drops a dex file and dynamically loads it. 3.Native library modify bytes (in memory) of loaded dex file in step2. 1.Android application loading native library Decompiling food.apk file using JADX (Dex to Java decompiler) and looking at AndroidManifiest.xml we see activity is implemented in FoodActivity class. Looking at FoodActivity class it only loads the native library cook .The argument to System.loadLibrary is a library name chosen arbitrarily by the programmer. The system follows a standard, but platform-specific, approach to convert the library name to a native library name. For example, a Solaris system converts the name cook to libcook.so , while a Win32 system converts the same cook name to cook.dll . 2.Attaching to libcook.so . We will be using IDA Pro.Refer to http://www.hexblog.com/?p=809 for how to attach to nati

VIrtual Machine Detection Techniques

Image
This post will cover techniques that can be used to detect virtualized environment. Sample Analyzed - hxxps://virustotal.com/en/file/46686679e58fe4767e6796ddb27f31f3a46e4310abb6cf51b031a0181ba08ddf/analysis/ 1.VMWare Backdoor This techniques uses special I/O port to send command and get output. VMware Command Execution code In above image VMWare I/O port is 'VX' (5658h) . Command number 0x0A (get vmware version). VMware version is return in register EAX as shown below. More About VM Backdoor Port  https://sites.google.com/site/chitchatvmback/backdoor 2.VPCEXT VPCEXT instruction is used to detect presence of Virtual PC. If opcode 0F 3F b1 b2 is run outside Virtual PC, illegal instruction exception is thrown otherwise return value in ebx register is checked.If value in ebx register is 0 which means Virtual PC detected. 3.DMIDECODE Utility dmidecode is a tool for dumping a computer's DMI (some say SMBIOS ) table contents in a

Word Document : Anti Analysis Tricks

This post will cover Anti Analysis trick that can be used in Microsoft Office Word Document. Sample used for analysis - hxxps://virustotal.com/en/file/d49b2f735d5d4334653d705cb0ff837af88a4981253fb68c6d927745d97a1b3f/analysis/ 1.Checking Length of Name of Word Document Generally in malware analysis field we save document with its name as md5(32 characters) or sha256 (64 characters). //  if name length is greater than 16 characters if Me.Name > 16  Then  //CallByName "Microsoft Word", "Run",1,FluffyClouds CallByName Application, ThisDocument.Variables.Item("RegisterProduct"), VbMethod, Application.Documents.Item(1).Variables.Item("UserLookup").Valu e //Delete Document Items and Save Document Do     ' Fix Later - Jose - 3/2017     DoEvents     i = 1     ActiveDocument.Variables.Item(i).Delete     i = i + 1 Loop Until ActiveDocument.Variables.Count > 0 ActiveDocument.Save In this case document run vbMethod FluffyClouds

Technical Analysis : NotPetya\Petya MBR

Image
This post will cover technical details of custom boot loader of NotPetya\Petya. It starts with copying disk sectors (overwritten by malware) 1 to 32 at address 0x8000. Below is the set of instruction performing above operation. To read sectors from disk it use INT13 BIOS interrupt call.Below is an example of INT 13 interrupt. DAP AH 42h = function number for extended read DL 80h  = drive index (e.g. 1st HDD = 80h) DS:SI 7BDCh = segment:offset pointer to the DAP, see below DAP : Disk Address Packet offset range size value description 00h 1 byte      10h size of DAP (set this to 10h) 01h 1 byte      00h unused, should be zero 02h..03h 2 bytes    01h number of sectors to be read 04h..07h 4 bytes    0x8000h segment:offset pointer to the memory buffer to which sectors will be transferred 08h..0Fh 8