Slide 2: Code Visualization

Slide 3: Code Visualization
- PaiMei and uDraw(Graph)

Slide 4: Code Visualization
- OllyFlow Plugin: Function graphs

Slide 5: Code Visualization
- OllyFlow Plugin: Flow graphs

Slide 6: Microsoft Symbols
- Debug Symbols
  - Windows kernel symbols available
- For most MS executables
  - Windows debug symbols available at:
- [Link]

Slide 7: Configuring OllyDbg to Use Symbols

Slide 8: Symbols in IDA

Slide 9: Windows Kernel Debugging
- Install Windows Symbols
  - Specifically, for the target kernel
- Install Windows SDK
  - Make sure to install “Debugging Tools”
    - This includes WinDBG

Slide 10: Windows Kernel Debugging
- Crash Dump Analysis
  - Windows “.dmp” file
    - Snapshot of the kernel state and physical memory
    - Windows can be configured to create a crash dump upon blue screening
    - WinDBG handles crash dump analysis

Slide 11: Remote Debugging
- Remote Debugging
  - Most good debuggers have a remote monitor that they can connect to
  - Some virtual machine programs incorporate remote debugging for kernel debugging

Slide 12: Decoding Structures
- Structures
  - Good debuggers/disassemblers will allow the user to define structures
    - Structure decoding is implemented in OllyDbg 2.0
    - Currently, user-defined structures are not

Slide 13: Decoding Structures

Slide 14: Decoding Structures

Slide 15: Decoding Structures

Slide 16: IDA Structures
- Assembler Structures
  - Structures window
- C Structures
  - Local types window

Slide 17: Function Hooking
- Hooking
  - Create user-defined events upon:
    - Function calls
    - System messages
    - IO events
    - …
  - SetWindowsHookEx()
    - Install a hook
  - UnhookWindowsHookEx()
    - Uninstall a hook
- Example: [Link] windows/desktop/ms632589(v=vs.85).aspx

Slide 18: Differential Reverse Engineering
- Binary Diffing
- Code Coverage Diffing
- Others
  - Memory diffing

Slide 19: Binary Diffing
- Binary Diffing
  - Compare two similar binary executables
  - Useful for reverse engineering updates and version changes
  - Implemented in PaiMei
    - PAIMEIdiff

Slide 20: Code Coverage Diffing
- Code Coverage Diffing
  - Typically, a reverse engineer is interested in only a few functions
  - Run 1: Profile the program by running it and activating all the features you aren’t interested in
  - Run 2: Profile the program by running just the functionality you wish to locate
  - Perform a diff on which functions were called between the two runs
  - Great for reverse engineering large or GUI programs

Slide 21: Code Coverage Diffing
- Demo!
  - Let’s find the function in Notepad++ that invokes the “About” information
    - 3251 functions / 28827 basic blocks
    - 1 or 2 functions are dedicated to the “About” window

Slide 22: Code Coverage Diffing
- PaiMei’s pida_dump.py in idapython

Slide 23: Code Coverage Diffing
- Generate a .pida file after auto-analysis

Slide 24: Code Coverage Diffing
- Create Two Tags
  - “Filter”
    - We will run everything we don’t want
  - “About”
    - We will run just what we want
    - Of course, other GUI functions will be run, but those should have occurred in our “Filter” tag

Slide 25: Code Coverage Diffing
- Use “Filter” for stalking

Slide 26: Code Coverage Diffing
- Set “Filter” as a filter tag, stalk “About”

Slide 27: Code Coverage Diffing
- Check the function flow graph in UDraw

Slide 28: Code Coverage Diffing
- Let’s patch the “About” function

Slide 29: Code Coverage Diffing
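The two-run procedure above (Run 1 with everything you don't want, Run 2 with just the feature you want, then a diff of which functions were called) and the Notepad++ “About” demo, as an added example that is not PaiMei's own code. It parses constructed stalker-style hits tagged “Filter” and “About”, lists the functions only the “About” run touched, and goes one step beyond the slides by also diffing at basic-block level, so a function shared by both runs still reveals its “About”-specific branch. All addresses and the trace format are assumptions made up for the example.

```python
# Code-coverage diff of a "Filter" run and an "About" run, written as an
# added example (not PaiMei's code). Each constructed trace line is
# "tag,function_start,basic_block_start": the (function, block) pair a
# stalker records when its breakpoint on a basic block fires.
from collections import defaultdict

# Constructed sample hits; addresses are illustrative, not real Notepad++ ones.
TRACE = """\
Filter,0x401000,0x401000
Filter,0x402200,0x402200
Filter,0x402200,0x402230
About,0x401000,0x401000
About,0x402200,0x402200
About,0x402200,0x402260
About,0x405a40,0x405a40
About,0x405a40,0x405a6c
About,0x405b10,0x405b10
"""

def parse_hits(trace):
    """Return {tag: {function: set(basic blocks)}} from the trace text."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in trace.splitlines():
        if line.strip():
            tag, func, bb = line.split(",")
            hits[tag][int(func, 16)].add(int(bb, 16))
    return hits

def diff_functions(hits, target, filt):
    """Functions hit in the target run but never in the filter run,
    most-exercised (distinct blocks in the target run) first."""
    only = set(hits[target]) - set(hits[filt])
    return sorted(only, key=lambda f: (-len(hits[target][f]), f))

def diff_basic_blocks(hits, target, filt):
    """Blocks hit only in the target run, grouped by function: also
    catches a shared function that takes a target-specific branch."""
    result = {}
    for func, blocks in hits[target].items():
        new = blocks - hits[filt].get(func, set())
        if new:
            result[func] = sorted(new)
    return result

if __name__ == "__main__":
    h = parse_hits(TRACE)
    for f in diff_functions(h, "About", "Filter"):
        print(f"candidate {f:#x}: {len(h['About'][f])} blocks")  # 0x405a40 first
    print({hex(f): [hex(b) for b in v]
           for f, v in diff_basic_blocks(h, "About", "Filter").items()})
```

The function-level diff is what the slides' “Filter” tag achieves; the basic-block diff is the extra view worth checking when the target feature lives inside a function that ordinary GUI use also calls.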
Slide 30: Questions/Comments?