Flag: Tornado! Hurricane!

Blogs >> apridgen's Blog

Created: Thursday, March 5 2009 11:01.09 CST  
Direct Link, View / Make / Edit Comments
Update IDACompare for IDA Pro 5.4
Author: apridgen # Views: 7532

Binary Library File, source files and patch file are in the following archive file located here:
https://www.openrce.org/repositories/users/apridgen/IDACompare5.4_patched.zip

Created: Friday, June 6 2008 03:50.21 CDT  
Direct Link, View / Make / Edit Comments
Reassembling Sniffed Firmware or a Binary With Scapy
Author: apridgen # Views: 8446

So, I got bored one night (or morning depending on your perspective), and I decided to sniff the firmware upgrade process for my network printer, Fun! :)  I used Wireshark (yeah my tcpdump foo is bar) to isolate the TCP stream between the VM upgrading the firmware and the printer and saved the pcap.

I have been meaning to play with Scapy for quite some time, so I fired up ipython and in about 20 minutes I had a quick script to extract the data I needed.  The script is pretty basic and may not work in all cases, but I figured I'd document somewhere just in case or someone else might need it in the future.



# IP Address of the VM sending the upgrade
src="192.168.44.128"
f = "captured_firmware_upgrade.pcap"
pcap = rdpcap(f)


data = ""
for packet in pcap:
  il = packet.getlayer("IP")
  if il.src != src:
    continue
  tl = packet.getlayer("TCP")
  # check for data in the payload, if not skip the packet
  if isinstance(tl.payload,scapy.NoPayload):
    continue
  data += str(tl.payload)
# write our raw data file
f = open("raw_data.dat", 'w')
f.write(data)
f.close()



Hope it helps someone in the future :)


Created: Tuesday, May 6 2008 16:06.06 CDT  
Direct Link, View / Make / Edit Comments
Basic tutorial about how to dump a process and update the IAT using Immunity Debug, LordPE, and ImpRec
Author: apridgen # Views: 85053

Basic tutorial about how to dump a process and update the IAT using Immunity Debug, LordPE, and ImpRec
AKA: Dumping RBot.clj to a usable binary for analysis

This tutorial is quick and mostly, so I can remember how to use PE Dump,
LordPE, and then ImpRec.  This work is not any type of new hotness.  There is
actually a tutorial similar to this one [1], but it lacked the details I needed
to dump and convert the file into a usable executable, so I am writing this one.

What you will need:
1) Immunity Debug:  http://debugger.immunityinc.com/register.html
2) PE Dumper:  http://www.woodmann.com/collaborative/tools/index.php/PE_Dumper
2) LordPE:  http://www.woodmann.com/collaborative/tools/index.php/LordPE
3) ImpRec:  http://www.woodmann.com/collaborative/tools/index.php/ImpREC
4) An account on Offensive Computing to get the sample:  http://offensivecomputing.net


Once you get your account to Offensive Computing, perform a search for the following
malware md5sum:  

59c661ba0c7c485f4480f7b142a9c084.  

Save the file to disk and unzip the archive, supplying the archive password.

Make sure PE Dumper was installed in the Immunity Debug directory, so start Immunity
Debug and check the Plugins menu for "OllyDbg PE Dumper", if its not there, make sure
the plugin is in the right directory for example:  

C:\Program Files\Immunity Inc\Immunity Debugger


Step 0: Unpack the Malware

Moving forward do File->Open and select the malware.exe.  Now first we need to unpack
the binary.  The Evilcodecave's Blog was helpful here [2].  First we will perform a
search for a sequence of commands:  Right Click in the CPU Window,
"Search for.."->"Sequence of Commands" or Ctrl+S.  Type in

POPAD<enter>
POPFD<enter>

These two instructions reverse the PUSHFD, PUSHAD, you should have seen when Immunity Dbg
first started and attached to the program.  Now, hit the down until you get to the 'jmp'
instruction.  Press <F9>, and the program should stop execution on this instruction.

Now, hit <enter> to go to the next instruction, this will not execute the instruction,
but it will jump the view down to the next instruction.  Now hit <Ctrl-A>, which will
analyze the data and treat is as code.  It was not treated as code previously, because before
this was all data.  When the unpacker executed, the code was written to these memory locations.

We still need to let the program execute a little more before we can dump it (Did you notice
the PUSHAD we landed on?).  Scroll down a little bit (Page Down 5 times, and place a break point
on the 'jmp' instruction (address = 0x004DCA84).  If you look up a little bit, youll notice the
POPAD ;).  Press <F9> again, and the execution should stop at the instruction.  Hit <F7>, and now
we are at the OEP of our binary, so now its time to dump it.



Step 2: Dump the Process
In Immunity Debug goto PE Dumper: Plugins->"OllyDbg PE Dumper"->"Make Dump of Process"

1) Make sure your target process is selected.
2) Click "Get EIP as OEP"
3) Put a check box in "Fix Raw sizes"
3) Put a check box in "Fix Raw sizes"
4) Put a check box in "Make header size 0x1000"
5) Click the Dump butten and save the file.
6) Leave the process paused.



Step 3: Rebuild the PE Image with LordPE
1) Start LordPE
2) Click the Options button and put a check mark next to "Full Dump: rebuild image"
3) Click the "Rebuild PE" Button and select the file that was just save in the previous step.



Step 4: Rebuild the IAT with ImpRec
Note:  Identifying the IAT can be tricky, but in this case, I simply looked at the address of a
function call for a known Windows API and jumped to that address.  Immunity Debug should resolve
the names to the function call, so it should be pretty easy to spot in the CPU Window.  Look for

CALL DWORD PTR DS:[42319C]               ;  kernel32.GetVersion

In the dump window, go to the expression (Ctrl+G) 0x42319C.  Make sure the data is being viewed as
Long-Addresses (Right Click in the Dump Window Long->Addresses).  Scroll up until the first import
can be seen.  Now open ImpRec.

1)  Select the target process that is open in the first step.
2)  Click on Options and check the "Import All By Ordinal," "Rebuild Original FT,"
"Fix EP to OEP," and "Create New IAT" Checkboxes
3)  Under the "RVAS Infos Needed" Section, enter the RVA of the program's IAT and OEP:
    Address of the IAT - Image Base, in this case 0x00423000 - 0x00400000 = 0x00023000
    Address of the EIP - Image Base, in this case 0x0041A4E3 - 0x00400000 = 0x0001A4E3
4)  Hit the Get Imports button.
5)  Click the "Show Invalid," and remove anthing that is invalid by
Right Clicking in the Window -> Cut Thunks.
6)  Check the Add New Section
7)  Click on Fix Dump and select the previously saved file.


Final: Test in VMWare.
If it runs with out an exception, then you are likely now infected, cheers :)

Conclusion
Like I said, I know this has been done by several folks, but I can never find it when I need it, so
I figured I'd Document it once more for good measure.  I hope someone else finds this useful in the
future.  I know I will ;), Cheers.

1.  MUP With OllyDbg for Really Beginner
http://www.geocities.com/r_etarded/ollydump/ollydump.html

2.  [Malware] Backdoor.Win32.Rbot.clj Reversing,
http://evilcodecave.wordpress.com/2007/12/01/malware-backdoorwin32rbotclj-reversing/




Created: Tuesday, April 22 2008 20:32.48 CDT Modified: Friday, May 9 2008 21:31.18 CDT
Direct Link, View / Make / Edit Comments
PyVix, Python Bindings for the VMWare VIX SDK
Author: apridgen # Views: 14661

I am not sure how many people use PyVix, but I took some time to go through and update the project.  The project was originally developed by David S. Rushby, and the project provides Python Bindings for VMWare's VIX SDK.    

It looks like the API has not been updated in a while, so rather than just throwing a patch somewhere on the web just to be lost, I posted my updates on Google Code.  The source code can be downloaded from here:

svn checkout http://randomizedcode.googlecode.com/svn/trunk/pyvix-branch pyvix

or in tar ball form here:

http://randomizedcode.googlecode.com/files/latest-pyvix-4.22.2008.tgz

I have only installed this on Linux, but it should install in Windows too.

Prerequisites:

VMWare's VIX SDK
C/C++ compiler (MinGW/GCC)

To Install, drop prompt:

sudo python setup.py install

Updates:

1) I ran into some problems building on Windows Vista for 6.03 using mingw32, so I am still trying to figure out how to build them at this time,

2) Adam35413 pointed this out, and the path needs to be updated to include the _vixmodule.so's path, or it can simply be added to /lib.  

Sorry if anyone ran into problems.  

Created: Tuesday, April 17 2007 01:50.38 CDT  
Direct Link, View / Make / Edit Comments
Random Thoughts
Author: apridgen # Views: 9256

A new acronym -- ~ RE related but it was on my mind && I needed to say it somewhere && I don't have a real blog

I propose the following acronym: HDLD

High Dose [of caffiene], Low Dose [of sleep]:

To be used like this.

I am running on HDLD but I have never felt better.

eh...Maybe not, it sounded cool.






Archived Entries for apridgen
Subject # Views Created On
its a very happy pre-alpha to me, to you 3152     Tuesday, April 17 2007
Getting to where you need to with Memory break points 2645     Friday, March 30 2007
Brief Intro and Advice to Fellow Noobs 3360     Sunday, March 18 2007

There are 31,095 total registered users.


Recently Created Topics
How to view IDA Pro'...
Nov/02
reverse MC9S12DG128
Oct/07
Looking for an advan...
Mar/21
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15


Recent Forum Posts
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit