Skip to content

Latest commit

 

History

History
68 lines (50 loc) · 4.45 KB

Dealing with binary (Malware sample) which using statically imported OpenSource library.md

File metadata and controls

68 lines (50 loc) · 4.45 KB

Reversing binary (Malware sample) which using statically imported OpenSource library

Analyzing and reversing binary which statically imports OpenSrc lib is not usually as easy as in some example exercise...

Problems:

Symbols are usually stripped.
You have XXX functions which are not a part of user code but only library functions..
You must recognize important lib funcs to find out what the binary is doing..

Walk-Through:

You must find out what OpenSrc lib were used and also their versions
(version info is not revealed via binary strings very often) - Tools: strings

You must find out the program which was used to compile the binary (for PE - analyzing of Rich Header is the best way)
Tools: DIE, Nauz-File-Detector, Pe-Bear, Pestudio etc..)

In most cases you will find out the program which compiled the binary (Example: Visual Studio 2017)
You will usually find out the Opensrc lib which was used (but probably not the exact version)
Download some of the latest versions of the library and Compile the library (.lib, .a) with program
you find out that was used to compile the binary.
You can also later compile .dll for use of bindiffing tools. (After you find out the specific version)

Generate your own FLIRT sigs with IDA flair tools --> Generate pattern file (.pat) for funcs in lib (flair tools - pcf, pelf etc...) -->
Generate FLIRT signatures with tool sigmake to process the pattern file --> .sig file
Most of the time you will have to deal with collisions during FLIRT signatures creation (More functions in lib has same byte pattern and you must decide which one will be used to match the pattern)

Try to apply newly generated FLIRT signatures, for different versions of the OpenSource lib which was used, in IDA on your binary.
Find out which FLIRT signatures (the version of lib) is matching the most functions in your binary.

Now after applying the FLIRT signatures which matched the most functions - there is high chance that you finally have the info about version of lib which was used in binary.
If possible compile .dll of the opensource lib - the one specific version.
Open the compiled .dll id IDA and use debug symbols (.pdb) for analysis.
Use bindiffing tools like Diaphora plugin in IDA - binary vs .dll - to catch more matching functions (Diaphora is using more fuzzy algos than basic pattern match)
The same process as used with Diaphora could be applied using bindiffing tool called BinDiff - Zynamics.
After investigation of Diaphora/BinDiff results, apply newly revealed matched functions.

With version of tool CAPA 2.0 - CAPA implemented FLIRT signatures and new rules to identify OpenSrc lib functions:
CAPA is using FLIRT mostly to ignore lib functions for matching capabilities in interested user code...
But it is now possible to write new Capa rules against matched lib functions via FLIRT so there will be probably more and more new rules build on this. CAPA is also available as a IDA Plugin.
FireEye make available also free repo of already compiled FLIRT sigs for some common OpenSrc libs so one can use it.

One can also use IDA plugin called Rizzo on the analyzed .dll and apply later the rizzo signatures in binary.
The last thing could be pulling metadata from LUMINA.

Now you have still much to analyze but it will be far better than before.
Suggested Tools: Strings, File, DIE, Nauz-File-Detector, Pe-Bear, Pestudio, IDA flair tools, Diaphora plugin for IDA, BinDiff, CAPA, rizzo, Lumina...

References:

DIE - https://github.com/horsicq/Detect-It-Easy
Nauz-File-Detector - https://github.com/horsicq/Nauz-File-Detector
Pestudio - https://www.winitor.com/
PE-bear - https://github.com/hasherezade/pe-bear-releases
Strings Explorer Context - http://sandsprite.com/iDef/MAP/
FlareStrings - https://github.com/fireeye/stringsifter
IDA Free/Pro - https://hex-rays.com/ida-free/
IDA flair tools - https://hex-rays.com/products/ida/support/download/
Diaphora plugin for IDA - https://github.com/joxeankoret/diaphora
BinDiff - Zynamics - https://www.zynamics.com/bindiff.html
Rizzo plugin for IDA - https://github.com/tacnetsol/ida/tree/master/plugins/rizzo
CAPA - https://github.com/fireeye/capa
FireEye free repo of FLIRT sigs - https://github.com/fireeye/siglib

Happy Reversing :)