OpenRCE: Blog

Update IDACompare for IDA Pro 5.4

Thu, 05 Mar 2009 11:01:09 -0600

Binary Library File, source files and patch file are in the following archive file located here:
https://www.openrce.org/repositories/users/apridgen/IDACompare5.4_patched.zip

Reassembling Sniffed Firmware or a Binary With Scapy

Fri, 06 Jun 2008 03:50:21 -0500

So, I got bored one night (or morning depending on your perspective), and I decided to sniff the firmware upgrade process for my network printer, Fun! :) I used Wireshark (yeah my tcpdump foo is bar) to isolate the TCP stream between the VM upgrading the firmware and the printer and saved the pcap.

I have been meaning to play with Scapy for quite some time, so I fired up ipython and in about 20 minutes I had a quick script to extract the data I needed. The script is pretty basic and may not work in all cases, but I figured I'd document somewhere just in case or someone else might need it in the future.



# IP Address of the VM sending the upgrade

src="192.168.44.128" 

f = "captured_firmware_upgrade.pcap"

pcap = rdpcap(f)





data = ""

for packet in pcap:

  il = packet.getlayer("IP")

  if il.src != src:

    continue

  tl = packet.getlayer("TCP")

  # check for data in the payload, if not skip the packet

  if isinstance(tl.payload,scapy.NoPayload):

    continue

  data += str(tl.payload)

# write our raw data file

f = open("raw_data.dat", 'w')

f.write(data)

f.close()

Hope it helps someone in the future :)

Basic tutorial about how to dump a process and update the IAT using Immunity Debug, LordPE, and ImpRec

Tue, 06 May 2008 16:06:06 -0500

Basic tutorial about how to dump a process and update the IAT using Immunity Debug, LordPE, and ImpRec
AKA: Dumping RBot.clj to a usable binary for analysis

This tutorial is quick and mostly, so I can remember how to use PE Dump,
LordPE, and then ImpRec.  This work is not any type of new hotness.  There is
actually a tutorial similar to this one [1], but it lacked the details I needed
to dump and convert the file into a usable executable, so I am writing this one.

What you will need:
1) Immunity Debug:  http://debugger.immunityinc.com/register.html
2) PE Dumper:  http://www.woodmann.com/collaborative/tools/index.php/PE_Dumper
2) LordPE:  http://www.woodmann.com/collaborative/tools/index.php/LordPE
3) ImpRec:  http://www.woodmann.com/collaborative/tools/index.php/ImpREC
4) An account on Offensive Computing to get the sample:  http://offensivecomputing.net

Once you get your account to Offensive Computing, perform a search for the following
malware md5sum:

59c661ba0c7c485f4480f7b142a9c084.

Save the file to disk and unzip the archive, supplying the archive password.

Make sure PE Dumper was installed in the Immunity Debug directory, so start Immunity
Debug and check the Plugins menu for "OllyDbg PE Dumper", if its not there, make sure
the plugin is in the right directory for example:

C:\Program Files\Immunity Inc\Immunity Debugger

Step 0: Unpack the Malware

Moving forward do File->Open and select the malware.exe.  Now first we need to unpack
the binary.  The Evilcodecave's Blog was helpful here [2].  First we will perform a
search for a sequence of commands:  Right Click in the CPU Window,
"Search for.."->"Sequence of Commands" or Ctrl+S.  Type in

POPAD<enter>
POPFD<enter>

These two instructions reverse the PUSHFD, PUSHAD, you should have seen when Immunity Dbg
first started and attached to the program.  Now, hit the down until you get to the 'jmp'
instruction.  Press <F9>, and the program should stop execution on this instruction.

Now, hit <enter> to go to the next instruction, this will not execute the instruction,
but it will jump the view down to the next instruction.  Now hit <Ctrl-A>, which will
analyze the data and treat is as code.  It was not treated as code previously, because before
this was all data.  When the unpacker executed, the code was written to these memory locations.

We still need to let the program execute a little more before we can dump it (Did you notice
the PUSHAD we landed on?).  Scroll down a little bit (Page Down 5 times, and place a break point
on the 'jmp' instruction (address = 0x004DCA84).  If you look up a little bit, youll notice the
POPAD ;).  Press <F9> again, and the execution should stop at the instruction.  Hit <F7>, and now
we are at the OEP of our binary, so now its time to dump it.

Step 2: Dump the Process
In Immunity Debug goto PE Dumper: Plugins->"OllyDbg PE Dumper"->"Make Dump of Process"

1) Make sure your target process is selected.
2) Click "Get EIP as OEP"
3) Put a check box in "Fix Raw sizes"
3) Put a check box in "Fix Raw sizes"
4) Put a check box in "Make header size 0x1000"
5) Click the Dump butten and save the file.
6) Leave the process paused.

Step 3: Rebuild the PE Image with LordPE
1) Start LordPE
2) Click the Options button and put a check mark next to "Full Dump: rebuild image"
3) Click the "Rebuild PE" Button and select the file that was just save in the previous step.

Step 4: Rebuild the IAT with ImpRec
Note:  Identifying the IAT can be tricky, but in this case, I simply looked at the address of a
function call for a known Windows API and jumped to that address.  Immunity Debug should resolve
the names to the function call, so it should be pretty easy to spot in the CPU Window.  Look for

CALL DWORD PTR DS:[42319C]               ;  kernel32.GetVersion

In the dump window, go to the expression (Ctrl+G) 0x42319C.  Make sure the data is being viewed as
Long-Addresses (Right Click in the Dump Window Long->Addresses).  Scroll up until the first import
can be seen.  Now open ImpRec.

1)  Select the target process that is open in the first step.
2)  Click on Options and check the "Import All By Ordinal," "Rebuild Original FT,"
"Fix EP to OEP," and "Create New IAT" Checkboxes
3)  Under the "RVAS Infos Needed" Section, enter the RVA of the program's IAT and OEP:
    Address of the IAT - Image Base, in this case 0x00423000 - 0x00400000 = 0x00023000
    Address of the EIP - Image Base, in this case 0x0041A4E3 - 0x00400000 = 0x0001A4E3
4)  Hit the Get Imports button.
5)  Click the "Show Invalid," and remove anthing that is invalid by
Right Clicking in the Window -> Cut Thunks.
6)  Check the Add New Section
7)  Click on Fix Dump and select the previously saved file.

Final: Test in VMWare.
If it runs with out an exception, then you are likely now infected, cheers :)

Conclusion
Like I said, I know this has been done by several folks, but I can never find it when I need it, so
I figured I'd Document it once more for good measure.  I hope someone else finds this useful in the
future.  I know I will ;), Cheers.

1.  MUP With OllyDbg for Really Beginner
http://www.geocities.com/r_etarded/ollydump/ollydump.html

2.  [Malware] Backdoor.Win32.Rbot.clj Reversing,
http://evilcodecave.wordpress.com/2007/12/01/malware-backdoorwin32rbotclj-reversing/

PyVix, Python Bindings for the VMWare VIX SDK

Tue, 22 Apr 2008 20:32:48 -0500

I am not sure how many people use PyVix, but I took some time to go through and update the project.  The project was originally developed by David S. Rushby, and the project provides Python Bindings for VMWare's VIX SDK.

It looks like the API has not been updated in a while, so rather than just throwing a patch somewhere on the web just to be lost, I posted my updates on Google Code.  The source code can be downloaded from here:

svn checkout http://randomizedcode.googlecode.com/svn/trunk/pyvix-branch pyvix

or in tar ball form here:

http://randomizedcode.googlecode.com/files/latest-pyvix-4.22.2008.tgz

I have only installed this on Linux, but it should install in Windows too.

Prerequisites:

VMWare's VIX SDK
C/C++ compiler (MinGW/GCC)

To Install, drop prompt:

sudo python setup.py install

Updates:

1) I ran into some problems building on Windows Vista for 6.03 using mingw32, so I am still trying to figure out how to build them at this time,

2) Adam35413 pointed this out, and the path needs to be updated to include the _vixmodule.so's path, or it can simply be added to /lib.

Sorry if anyone ran into problems.

Random Thoughts

Tue, 17 Apr 2007 01:50:38 -0500

A new acronym -- ~ RE related but it was on my mind && I needed to say it somewhere && I don't have a real blog

I propose the following acronym: HDLD

High Dose [of caffiene], Low Dose [of sleep]:

To be used like this.

I am running on HDLD but I have never felt better.

eh...Maybe not, it sounded cool.