Daniel (danielf184) <danielf184 yahoo com> |
Monday, June 16 2008 01:56.40 CDT |
I received an image attachment and want to analyze whether it is a malicious attachment or not. A long time ago I read about YAB (Yet Another Binder) and made some simple tests using that software, which attaches an image or any legitimate program to malicious code, so I am afraid that I received that kind of attachment. That is why I want anybody who can help me to analyze the attachment before I open it, or at least someone who can tell me about open software that can help analyze an image before I open it.
cheersssss
Horizon
>>Yet Another Binder ...that attaches an image
Yup, but then it is STILL an exe with a gif icon, and when you double-click it, it will execute your backdoor AND the gif.
|
As Sellami said, first check if it's an EXE file (first 2 bytes == MZ) or a GIF file (first 3 bytes == GIF). (If you know that, please ignore this line ;p I mean no disrespect ;>)
If the former, it's a simple case: if it pretends to be a GIF, then it's malware ;p
If the latter:
1) faster version: check if there is some shellcode-looking thing in a hex editor
2) download the GIF standard and check each field's value, i.e. how much it differs from what the standard says it has to be
The best places to check would be:
a) chunk sizes (larger than what the standard says they have to be)
b) some bug in the compressed data (for example, the max information chunk size in GIF is 12 bits; however, it is technically possible to set the size larger. There were some buffer overflows regarding this, for example in SDL_image)
c) picture coordinates on the canvas (the GIF contains one canvas and a series of pictures; the pictures can technically be larger than the canvas or placed beyond it, which on a wrong implementation is a boundary condition error vuln.)
etc...
If it's something from the above - it's interesting then, because the attachment has to target one specific application. It would be interesting to see what application.
My guess is that it's a spam message in a GIF :DDD
As for software that would help you: get some GIF loader implementation and play with it to output data (I've used the SDL_Image GIF loader for it; it can be modified with ease). |
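The procedure in the post above (check the first bytes, then walk the GIF structure and compare every field against the spec: chunk sizes, the LZW code size, and picture placement on the canvas), as an added Python example that is not code from any poster in this thread. It goes a little beyond the post: it follows the length-prefixed sub-block chains exactly as the GIF89a spec lays them out, and it also reports bytes appended after the trailer, which is what a "binder"-style GIF+payload file typically looks like. The 43-byte 1x1 GIF and its corrupted variants are constructed by hand for the example; nothing here is read from disk.

```python
import struct

GIF_EXTENSION, GIF_IMAGE, GIF_TRAILER = 0x21, 0x2C, 0x3B   # '!', ',', ';'
EXPECTED_EXT_SIZE = {0xF9: 4, 0xFF: 11, 0x01: 12}  # block sizes the spec fixes for GCE, application, plain text


def classify(data):
    """The 'first bytes' test from the thread: PE executable, GIF, or neither."""
    if data[:2] == b"MZ":
        return "exe"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def _color_table_bytes(packed):
    """Bytes occupied by a colour table announced in a packed-fields byte (0 if absent)."""
    return 3 * (1 << ((packed & 0x07) + 1)) if packed & 0x80 else 0


def _skip_sub_blocks(data, pos, findings, what):
    """Follow length-prefixed sub-blocks; return the offset just after the 0x00 terminator."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        if pos + n > len(data):   # (a) chunk size larger than what is left of the file
            findings.append(f"{what}: sub-block of {n} bytes exceeds the {len(data) - pos} bytes left")
            return len(data)
        pos += n
    findings.append(f"{what}: sub-block chain runs past end of file")
    return pos


def scan_gif(data):
    """Return human-readable deviations from the GIF spec; an empty list means clean."""
    findings = []
    if len(data) < 13:
        return ["shorter than header + logical screen descriptor (13 bytes)"]
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        findings.append(f"unexpected signature/version {data[:6]!r}")
    screen_w, screen_h, packed = struct.unpack_from("<HHB", data, 6)
    if screen_w == 0 or screen_h == 0:
        findings.append(f"logical screen {screen_w}x{screen_h} has a zero dimension")
    pos = 13 + _color_table_bytes(packed)                  # skip the global colour table
    if pos > len(data):
        return findings + ["global color table runs past end of file"]
    frames = 0
    while pos < len(data):
        introducer = data[pos]
        if introducer == GIF_TRAILER:
            if frames == 0:
                findings.append("trailer reached without any image descriptor")
            if len(data) - pos - 1:                        # a payload glued on after ';'
                findings.append(f"{len(data) - pos - 1} bytes appended after the trailer")
            return findings
        if introducer == GIF_EXTENSION:
            if pos + 3 > len(data):
                return findings + ["truncated extension block"]
            label, size = data[pos + 1], data[pos + 2]
            if label in EXPECTED_EXT_SIZE and size != EXPECTED_EXT_SIZE[label]:
                findings.append(f"extension 0x{label:02X} block size {size} (spec: {EXPECTED_EXT_SIZE[label]})")
            elif label not in EXPECTED_EXT_SIZE and label != 0xFE:   # 0xFE = comment, free-form
                findings.append(f"unknown extension label 0x{label:02X}")
            pos = _skip_sub_blocks(data, pos + 2, findings, f"extension 0x{label:02X}")
        elif introducer == GIF_IMAGE:
            if pos + 10 > len(data):
                return findings + ["truncated image descriptor"]
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
            frames += 1
            if w == 0 or h == 0:
                findings.append(f"image {w}x{h} has a zero dimension")
            if left + w > screen_w or top + h > screen_h:     # (c) picture placed/sized beyond the canvas
                findings.append(f"image {w}x{h} at ({left},{top}) extends beyond the {screen_w}x{screen_h} canvas")
            pos += 10 + _color_table_bytes(ipacked)           # skip descriptor and local colour table
            if pos >= len(data):
                return findings + ["image data missing after descriptor"]
            min_code = data[pos]                              # (b) LZW minimum code size; spec allows 2..8,
            if not 2 <= min_code <= 8:                        #     anything above 11 exceeds the 12-bit code ceiling
                findings.append(f"LZW minimum code size {min_code} outside 2..8")
            pos = _skip_sub_blocks(data, pos + 1, findings, "image data")
        else:
            return findings + [f"unexpected byte 0x{introducer:02X} at offset {pos} where a block should start"]
    return findings + ["file ends without a trailer"]


# Constructed samples: a well-known 43-byte 1x1 GIF and four hand-made corruptions of it.
CLEAN = bytes.fromhex("474946383961" "01000100" "800000" "000000ffffff"
                      "21f9040100000000" "2c000000000100010000" "0202440100" "3b")
BEYOND_CANVAS = CLEAN[:28] + struct.pack("<HHHHB", 240, 0, 256, 1, 0) + CLEAN[37:]
BAD_LZW = CLEAN[:37] + b"\x0c" + CLEAN[38:]
BOUND = CLEAN + b"MZ" + bytes(14)                            # something appended after the trailer
TRUNCATED = CLEAN[:38]

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("beyond_canvas", BEYOND_CANVAS), ("bad_lzw", BAD_LZW),
                       ("bound", BOUND), ("truncated", TRUNCATED), ("exe", b"MZ\x90\x00" + bytes(60))]:
        print(name, classify(blob), scan_gif(blob) if classify(blob) == "gif" else "(not scanned)")
```

A finding from scan_gif is not proof of an exploit, only of a file that a strict decoder would reject; as the post says, a malformed field is interesting mainly because it tells you which decoder the file was built against. Conversely an empty list only means the structure is well-formed, so a suspicious attachment should still be opened in an isolated environment.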
Here is some Pascal code I made some year(s) ago, maybe it can help you :p
PS : GynvaelColdwind hello ;)
Function ScanMSGifExploit(Const Buffer : Pchar; Const BufferSize : DWORD) : Boolean;
Type
  TGIFHeader = Packed Record
    Signature : Array[0..2] of BYTE; // magic ID 'GIF'
    Version   : Array[0..2] of BYTE; // '87a' or '89a'
  end;
  PGIFHeader = ^TGIFHeader;
  TLogicalScreenDescriptor = Packed Record
    ScreenWidth          : WORD;
    ScreenHeight         : WORD;
    PackedFields         : BYTE;   // bit 7: global color table present, bits 0-2: its size
    BackgroundColorIndex : BYTE;
    AspectRatio          : BYTE;
  end;
  PLogicalScreenDescriptor = ^TLogicalScreenDescriptor;
  TImageDescriptor = Packed Record
    Separator    : BYTE;           // ','
    Left         : WORD;
    Top          : WORD;
    Width        : WORD;
    Height       : WORD;
    PackedFields : BYTE;
  end;
  PImageDescriptor = ^TImageDescriptor;
Const
  GIF_GLOBALCOLORTABLE        = $80;
  GIF_COLORTABLESIZE          = $07;
  GIF_PLAINTEXT               = $01;
  GIF_GRAPHICCONTROLEXTENSION = $F9;
  GIF_COMMENTEXTENSION        = $FE;
  GIF_APPLICATIONEXTENSION    = $FF;
  GIF_IMAGEDESCRIPTOR         = Ord(',');
  GIF_EXTENSIONINTRODUCER     = Ord('!');
  GIF_TRAILER                 = Ord(';');
  GIF_HEADER_SIZE             = SizeOf(TGIFHeader) + SizeOf(TLogicalScreenDescriptor);

  { Skips extension blocks until the next image descriptor (',') or the trailer (';').
    Returns Nil when the walk runs past Limit. This is a byte-wise heuristic: plain-text
    and comment extensions are skipped up to the next zero byte, and sub-block lengths
    are not followed, so a data byte equal to ',' can stop the walk early. }
  Function IterateBlock(Var GifBlockID : Pchar; Const Limit : DWORD) : Pchar;
  begin
    Result := Nil;
    While (BYTE(GifBlockID^) <> GIF_IMAGEDESCRIPTOR) AND (BYTE(GifBlockID^) <> GIF_TRAILER) do
    begin
      if BYTE(GifBlockID^) = GIF_EXTENSIONINTRODUCER then
      begin
        Inc(GifBlockID);                                   // now at the extension label
        if DWORD(GifBlockID) >= Limit then Exit;
        Case BYTE(GifBlockID^) of
          GIF_PLAINTEXT, GIF_COMMENTEXTENSION :
            While True do
            begin
              Inc(GifBlockID);
              if DWORD(GifBlockID) >= Limit then Exit
              else if GifBlockID^ = #00 then Break;
            end;
          GIF_GRAPHICCONTROLEXTENSION, GIF_APPLICATIONEXTENSION :
            begin
              Inc(GifBlockID, BYTE((GifBlockID + 1)^));    // jump by the declared block size
              if DWORD(GifBlockID) >= Limit then Exit;
            end;
        end;
      end;
      Inc(GifBlockID);
      if DWORD(GifBlockID) >= Limit then Exit;
    end;
    Result := GifBlockID;
  end;

Var
  P : Pchar;
  Limit : DWORD;
begin
  Result := False;
  if (Buffer = Nil) OR (BufferSize <= GIF_HEADER_SIZE * 4) then Exit;
  { the original post elides a further header check here ("bla bla bla hehe...") }
  Limit := DWORD(Buffer) + BufferSize;
  P := Buffer;
  Inc(P, SizeOf(TGIFHeader));                              // P -> logical screen descriptor
  // a zero-width logical screen is treated as an exploit attempt
  if PLogicalScreenDescriptor(P)^.ScreenWidth = 0 then
  begin
    Result := True;
    Exit;
  end;
  // skip the global color table if present: 3 * 2^(size+1) bytes
  if (PLogicalScreenDescriptor(P)^.PackedFields AND GIF_GLOBALCOLORTABLE) <> 0 then
    Inc(P, 3 * (1 SHL ((PLogicalScreenDescriptor(P)^.PackedFields AND GIF_COLORTABLESIZE) + 1)));
  Inc(P, SizeOf(TLogicalScreenDescriptor));
  if DWORD(P) >= Limit then
  begin
    Result := True;
    Exit;
  end;
  P := IterateBlock(P, Limit);
  // flag: walk ran off the buffer, no image descriptor before the trailer,
  // descriptor truncated at the end of the buffer, or a zero-sized image
  if (P = Nil) OR (BYTE(P^) <> GIF_IMAGEDESCRIPTOR) then
    Result := True
  else if DWORD(P) + SizeOf(TImageDescriptor) > Limit then
    Result := True
  else
    Result := (PImageDescriptor(P)^.Width = 0) OR (PImageDescriptor(P)^.Height = 0);
end;
|
Woah, Pascal.. hardcore ;D
PS. sovietskicpu hiii ;> |
|